Authors: Pavol Sokol, Peter Pisarčík
Abstract
Network forensic analysis is a branch of digital forensic analysis. It focuses on capturing and analyzing network traffic in order to identify network threats and attackers and subsequently to obtain legal evidence. Many methods have been suggested for network forensic analysis, including honeypots and honeynets. Both are common elements for achieving the goals of digital forensic analysis. In this paper we focus on virtual honeynets based on operating system-level virtualization. As representatives of this type of virtualization, we choose two open-source virtualization platforms, OpenVZ and FreeBSD jail, to develop virtual honeynets. Digital evidence is any type of documentation that satisfies the requirements of evidence in proceedings, and digital means that it exists only in electronic form. This paper offers a discussion of digital evidence, sources of digital evidence, and its most important requirements, which must be met for digital evidence to be valid. Because of these requirements, we consider the integration of several sensors into the discussed type of virtual honeynet. Our honeynet implementation therefore includes sensors in memory (including buffers, caches, I/O ports, etc.), CPU, hard disk drives and network devices. Using these sensors, the digital evidence is stored in a safe place. Using OpenVZ and FreeBSD jail technologies enables a user to access all memory blocks, mainly the processes, and to identify the honeypots (virtual machines, containers) on which the processes are running. Thanks to this information we are able to detect all changes in processes after an intruder has penetrated the server. Within CPU-based digital evidence we use direct access to the CPU from the hypervisor kernel. We are able to read all registers and all instructions received from and sent to the processor. This advantage supports malware intrusion detection and analysis. Within storage-based digital evidence we have direct access to the file system and are able to identify all changes in the file system, such as file creation and modification. In this paper we discuss the advantages of the OpenVZ and FreeBSD jail virtualization platforms for the implementation of the above-mentioned sensors. Since in this type of virtualization all virtual environments (honeypots) share one operating system kernel, it is sufficient to implement the sensors in one place only: in the kernel. Moreover, we describe the high effectiveness of such data collection, and we discuss the safe conditions for integral data collection that are necessary to obtain valid digital evidence.
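An added example, not from the paper, sketching one host-side check the abstract describes: because every container shares the hypervisor kernel, the host can see all processes, group them by the container they run in, and flag processes that appeared after a baseline snapshot. The snapshot text is constructed for this example, and the OpenVZ-style "envID:" line in /proc/<pid>/status (VEID 0 being the hardware node itself) is an assumption about the field layout.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample: concatenated /proc/<pid>/status excerpts as an OpenVZ
# kernel is assumed to expose them, separated by "---". The "envID" field
# names the container (VEID) the process belongs to; 0 is the host node.
SNAPSHOT_BEFORE = """\
Name:\tinit
Pid:\t1
envID:\t0
---
Name:\tsshd
Pid:\t1200
envID:\t101
---
Name:\thttpd
Pid:\t1310
envID:\t102
"""

# Same host a little later: one extra shell has appeared inside container 101.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE + """\
---
Name:\tsh
Pid:\t1420
envID:\t101
"""

Process = Tuple[int, str]  # (pid, process name)


def parse_status_snapshot(text: str) -> Dict[int, Set[Process]]:
    """Group processes by container id (envID) from concatenated status blocks."""
    by_container: Dict[int, Set[Process]] = {}
    for block in text.split("---"):
        fields = dict(re.findall(r"^(\w+):\s*(.*)$", block, re.M))
        if not fields:
            continue
        veid = int(fields.get("envID", 0))  # missing envID: treat as host
        by_container.setdefault(veid, set()).add((int(fields["Pid"]), fields["Name"]))
    return by_container


def new_processes(before: str, after: str) -> Dict[int, Set[Process]]:
    """Processes present in `after` but absent from `before`, keyed by container."""
    old, new = parse_status_snapshot(before), parse_status_snapshot(after)
    diff = {veid: procs - old.get(veid, set()) for veid, procs in new.items()}
    return {veid: procs for veid, procs in diff.items() if procs}
```

The same comparison applies to a FreeBSD jail host if the snapshot carries the jail id instead of envID.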
Introduction
At present, our everyday lives are becoming more and more dependent on information technologies. Because of this, network and information security are areas that require more attention and improvement. Traditionally, these areas are primarily defensive in nature. When the protection of an information system is broken and the attacker controls the system, it is necessary to use the tools and methods of network forensics. Network forensics can be defined as the use of scientifically proven techniques to collect, fuse, identify, examine, correlate, analyse, and document digital evidence from multiple, actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success, of unauthorized activities meant to disrupt, corrupt, and/or compromise system components, as well as providing information to assist in response to or recovery from these activities [1]. Many models have been proposed for network forensics, consisting of many different phases. One of them is the honeypot framework, which is explained in detail below.
This paper is organized as follows: In section 2 the theoretical background of honeypots, honeynets, virtualization and virtual honeynets is examined. Section 3 presents related work on virtual honeynets and virtualization. In section 4 we provide an overview of the OpenVZ and FreeBSD jail concepts and approaches to their implementation. In section 5 we propose virtual honeynet sensors. In section 6 we outline the digital evidence obtained by the proposed sensors. Section 7 offers the conclusion of this paper, as well as our opinion on the future of these sensors.