A survey on forensic event reconstruction systems

A. Dabir, A. Abdou, A. Matrawy
Journal: Int. J. Inf. Comput. Secur.
DOI: 10.1504/IJICS.2017.10008447 (https://doi.org/10.1504/IJICS.2017.10008447)
Publication date: 2017-10-20
Publication type: Journal Article
Citations: 2

Abstract

Security-related incidents such as unauthorised system access, data tampering and theft have been noticeably rising. Tools such as firewalls, intrusion detection systems and anti-virus software strive to prevent these incidents. Since these tools only prevent an attack, once an illegal intrusion occurs, they cease to provide useful information beyond this point. Consequently, system administrators are interested in identifying the vulnerability in order to: 1) avoid future exploitation; 2) recover corrupted data; 3) present the attacker to law enforcement where possible. As such, forensic event reconstruction systems are used to provide the administrators with the information that is available. We present a survey of the current approaches to forensic event reconstruction systems proposed over the past few years. Technical details are discussed, as well as an analysis of their effectiveness, advantages and limitations. The presented tools are compared and assessed based on the primary principles that a forensic technique is expected to follow.