Holmes: A data theft forensic framework

Holmes: A data theft forensic framework

This paper presents Holmes, a forensic framework for postmortem investigation of data theft incidents in enterprise networks. Holmes pro-actively collects potential evidence from hosts and the network for correlation analysis at a central location. In order to optimize the storage requirements for t...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Masti, R. J., Lenders, V., Strasser, M., Engel, S., Plattner, B.
Format: Tagungsbericht
Sprache:eng
Schlagworte:
Data structures
Forensics
IP networks
Memory management
Operating systems
Payloads
Servers
Online-Zugang:Volltext bestellen
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:This paper presents Holmes, a forensic framework for postmortem investigation of data theft incidents in enterprise networks. Holmes pro-actively collects potential evidence from hosts and the network for correlation analysis at a central location. In order to optimize the storage requirements for the collected data, Holmes relies on compact network and host data structures. We evaluate the theoretical storage requirements of Holmes in average networks and quantify the improvements compared to raw data collection alternatives. Finally, we present the application of Holmes to two realistic data theft investigation scenarios and discuss how combining network and host data can improve the efficiency and reliability of these investigations.
ISSN:2157-4766
DOI:10.1109/WIFS.2011.6123144