Starting research

(@gilbert)

Hi,
I am currently working as a research assistant (i.e. doing my dissertation) at a university in Vienna, Austria. I am (obviously) interested in computer forensics, and have already been doing a little literature / web research. My main objective at the moment is identifying interesting "hard" problems in cf.
This forum seems like a cool additional information source, so I just wanted to say hi to the people here.
Do you guys think that the area of (web) application forensics is something that needs more research, or do you know of someone who has done a lot in that direction? Any other thoughts?

–Gilbert

 
Posted : 23/11/2006 2:07 pm
keydet89
(@keydet89)

Gilbert,

It really depends on what you're referring to. If you're talking about identifying artifacts after a web application has been hacked, then no, there really isn't a great deal of data available on this sort of thing.

When a web application gets compromised and the application is still running (i.e., hasn't crashed), then there is likely a good deal of information left in memory. I've done some work with regard to collecting data from memory dumps, and analyzing the web application process might be a really good avenue to pursue.

My one suggestion would be to make the data you're looking at relevant to forensic investigations.

HTH,

Harlan

 
Posted : 23/11/2006 5:43 pm
(@gilbert)

Hi,
thanks for the quick reply and your suggestions!
I am assuming that the typical IDS can be evaded by an attacker (as, for example, Brian Caswell and HD Moore wrote in a BH conference presentation). Also, I am not sure about the level of protection that web app firewalls can provide (like Ivan Ristic's work etc.).
So I am indeed thinking about looking at memory dumps and log files of web apps to find traces of intrusions (or maybe extrusions, not too sure yet if that is something interesting). The idea is to automate such a process, so that the need for user configuration is minimized (by applying statistical methods or machine learning).
As you can see, I still don't have a really concrete idea, but thank you for contributing!

Btw, it's really great to have an opportunity to reach experts so casually via this forum!

– Gilbert

 
Posted : 23/11/2006 8:26 pm
keydet89
(@keydet89)

> I am assuming that the typical IDS can be evaded by an attacker

Not sure what that has to do with this topic.

> I am not sure about the level of protection that web app firewalls can provide

Again, I'm not clear on where this comes into play, as I thought the idea was that you were going to look for forensic artifacts from a successful attack. Using these technologies (which may or may not be implemented, at least not correctly) would hamper that.

Good luck with your project… depending upon how it's implemented, it may be a great help to the community.

H

 
Posted : 24/11/2006 5:24 pm