Yonghwi Kwon (University of Virginia), Weihang Wang (University at Buffalo, SUNY), Jinho Jung (Georgia Institute of Technology), Kyu Hyung Lee (University of Georgia), Roberto Perdisci (Georgia Institute of Technology and University of Georgia)

Cybercrime scene reconstruction that aims to reconstruct a previous execution of the cyber attack delivery process is an important capability for cyber forensics (e.g., post mortem analysis of the cyber attack executions). Unfortunately, existing techniques such as log-based forensics or record-and-replay techniques are not suitable to handle complex and long-running modern applications for cybercrime scene reconstruction and post mortem forensic analysis. Specifically, log-based cyber forensics techniques often suffer from a lack of inspection capability and do not provide details of how the attack unfolded. Record-and-replay techniques impose significant runtime overhead, often require significant modifications on end-user systems, and demand to replay the entire recorded execution from the beginning. In this paper, we propose C^2SR, a novel technique that can reconstruct an attack delivery chain (i.e., cybercrime scene) for post-mortem forensic analysis. It provides a highly desired capability: interactable partial execution reconstruction. In particular, it reproduces a partial execution of interest from a large execution trace of a long-running program. The reconstructed execution is also interactable, allowing forensic analysts to leverage debugging and analysis tools that did not exist on the recorded machine. The key intuition behind C^2SR is partitioning an execution trace by resources and reproducing resource accesses that are consistent with the original execution. It tolerates user interactions required for inspections that do not cause inconsistent resource accesses. Our evaluation results on 26 real-world programs show that C^2SR has low runtime overhead (less than 5.47%) and acceptable space overhead. We also demonstrate with four realistic attack scenarios that C^2SR successfully reconstructs partial executions of long-running applications such as web browsers, and it can remarkably reduce the user's efforts to understand the incident.

View More Papers

Effects of Precise and Imprecise Value-Set Analysis (VSA) Information...

Laura Matzen, Michelle A Leger, Geoffrey Reedy (Sandia National Laboratories)

Read More

Dinosaur Resurrection: PowerPC Binary Patching for Base Station Analysis

Uwe Muller, Eicke Hauck, Timm Welz, Jiska Classen, Matthias Hollick (Secure Mobile Networking Lab, TU Darmstadt)

Read More

To Err.Is Human: Characterizing the Threat of Unintended URLs...

Beliz Kaleli (Boston University), Brian Kondracki (Stony Brook University), Manuel Egele (Boston University), Nick Nikiforakis (Stony Brook University), Gianluca Stringhini (Boston University)

Read More

From WHOIS to WHOWAS: A Large-Scale Measurement Study of...

Chaoyi Lu (Tsinghua University; Beijing National Research Center for Information Science and Technology), Baojun Liu (Tsinghua University; Beijing National Research Center for Information Science and Technology; Qi An Xin Group), Yiming Zhang (Tsinghua University; Beijing National Research Center for Information Science and Technology), Zhou Li (University of California, Irvine), Fenglu Zhang (Tsinghua University), Haixin Duan…

Read More