
Re: Honeypots

Post Posted: Wed Feb 13, 2013 7:13 pm

- Sarah_Camp

Do you know if it is possible for an attacker/intruder to alter the logs created by the honeypot? Not using anything else but a honeypot, i.e. no network sniffers etc.
How would an investigator be able to tell if an attacker/intruder has altered the log files?

It really depends upon the logs being created.

For example, let's say that you have a Windows system with Process Tracking enabled. The attacker can gain access and, depending upon how they do so, disable process tracking. There used to be a tool that claimed to allow an attacker to delete specific entries from the Windows Event Log, but I don't think it works on Win7, and I also think that it horked XP boxes.

So, if the attacker could disable Process Tracking, the person setting up the honeypot would have set up some means for getting the logs off of the system, such as syslog.

Remember, the honeypot is a bait system left out there to attract and possibly engage the attacker. Clifford Stoll used honeypots during the events that he portrayed in his book "The Cuckoo's Egg". In that case, Clifford employed his "honeypot" in order to keep the intruders on the phone line long enough to get traces set up through the phone company. Modern day honeypots are often used in an attempt to observe the TTPs of an attacker, so you would want to have monitoring systems in place that would allow you to get logs before they are modified by the attacker.

Senior Member

Re: Honeypots

Post Posted: Wed Feb 13, 2013 8:20 pm

- keydet89
- twjolson

Isn't any Windows PC connected to the internet a honeypot by default?

Nope. Honeypots are usually subjected to some sort of monitoring and/or analysis...

He's trying to be funny.

Sarah, using Harlan's analogy, if I were a skilled attacker (and I'm not), I would steal the jewellery next door as stealthily as possible, then go right up to the twinkie, have a look and leave.
If anything I'd try to be as overt as possible whilst looking at the twinkie to hide my tracks at the jewellery. Hiding your tracks on a honeypot really only makes sense if you're trying to hone your skills.

But then again, I'm not a skilled attacker.

Senior Member

Re: Honeypots

Post Posted: Thu Feb 14, 2013 5:29 am

- Sarah_Camp

Has anyone got any experience of working with honeypots on Windows OS?
I'm doing my university project on someone hiding their tracks on a honeypot. But there doesn't seem to be much literature on it. I know of Lance Spitzner's Honeypot Project. Do you know where I can find more information?

Many thanks!

Sarah_Camp, there are numerous Honeypot Projects and Reports discoverable using web search engines, e.g.

- Christian Döring Masterthesis paper Honeypot Project 2005

- Profs Baumann & Plattner Honeypots Open Systems 2002

- 2011 SCADA Honeynets: The attractiveness of honeypots as critical infrastructure security tools for the detection and analysis of advanced threats by Susan Marie Wade at Iowa State University

- Amit D. Lakhani Deception Techniques Using Honeypots 2004

- David Romero Barrero External Servers Security 2010

- John Børge Holen-Tjelta Honeypots in network perimeter defense systems 2011

- Vusal Aliyev Using honeypots to study skill level of attackers based on the exploited vulnerabilities in the network 2010

The report below (2011) states under High-Interaction Honeypots - "Balas et al. [9] implemented Sebek a Linux kernel module for monitoring an attacker’s keystrokes and related file accesses. Sebek uses the rootkit technology initially developed by attackers who wished to hide their presence on compromised machines."

- Gerard WAGENER Self-Adaptive Honeypots Coercing and Assessing Attacker Behaviour 2011

It is possible to produce an even longer list. But just as a representative example of what is readily available and downloadable, why would the above Projects and Reports not assist your research?
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

Senior Member

Re: Honeypots

Post Posted: Mon Feb 18, 2013 4:32 pm

Trewmte - Thank you very much for your list of references. They are very helpful for my project. I have come across a couple before you mentioned them, but not some of the others (which were more useful).

Randomaccess - So do you think that it's unlikely for a hacker to alter log files to hide their tracks?

Keydet89 - thank you for your explanation. My scenario for my project is going to be that they don't back up the honeypot logs or send them to a different location. During an investigation how would you go about examining to see if log files have been changed?

Thank you all for taking the time to respond.  


Re: Honeypots

Post Posted: Tue Feb 19, 2013 1:57 am

- Sarah_Camp
During an investigation how would you go about examining to see if log files have been changed?

- Missing records.
- Tools claiming that logfiles have been altered/corrupted.
- Bad or out of order timestamps.
- Changes to system time.
- Other logfiles indicating events that are missing.
- Indicators of anti-forensics software.
- Configuration changes to logging software.
- Missing or mismatching digital signatures.

Senior Member
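The checklist in the post above, together with keydet89's earlier point that a honeypot should ship its logs off-host (for example via syslog) before an intruder can touch them, can be turned into a small set of automated checks. The script below is an added example and is not code from the thread or from any of the projects listed in it. It assumes a Windows honeypot whose Security log records carry a record number, a timestamp and an event ID, and it uses a constructed local copy (read from the honeypot's disk after the intrusion) beside a constructed forwarded copy (what the syslog collector received). The digest function stands in for whatever integrity seal the collector applied; the event IDs 1102, 4616 and 4719 are the real Windows Security log IDs for "audit log cleared", "system time changed" and "audit policy changed".

```python
"""Tamper-indicator checks for a honeypot's local event log, compared with a
copy that was forwarded off-host before the intruder could alter it.
Added example; the sample records below are constructed, not real log data."""
import hashlib
import json
from datetime import datetime

# Windows Security log event IDs that are indicators in their own right
# (assumption: a Windows honeypot with auditing enabled).
LOG_CLEARED = 1102            # "The audit log was cleared"
TIME_CHANGED = 4616           # "The system time was changed"
AUDIT_POLICY_CHANGED = 4719   # "System audit policy was changed"

# Constructed sample data: what the syslog collector received (pristine) ...
FORWARDED = [
    {"rec": 101, "ts": "2013-02-19T01:10:00", "eid": 4624, "msg": "logon: ftpuser"},
    {"rec": 102, "ts": "2013-02-19T01:10:05", "eid": 4688, "msg": "process: cmd.exe"},
    {"rec": 103, "ts": "2013-02-19T01:10:09", "eid": 4688, "msg": "process: net.exe"},
    {"rec": 104, "ts": "2013-02-19T01:10:20", "eid": 4719, "msg": "audit policy changed"},
    {"rec": 105, "ts": "2013-02-19T01:10:30", "eid": 4616, "msg": "system time changed"},
    {"rec": 106, "ts": "2013-02-18T23:00:00", "eid": 4634, "msg": "logoff: ftpuser"},
]
# ... and what was later read from the honeypot's own disk, where the two
# process-creation records (102, 103) are no longer present.
LOCAL = [r for r in FORWARDED if r["rec"] not in (102, 103)]


def digest(records):
    """SHA-256 over a canonical JSON form of the records; stands in for an
    integrity seal taken by the collector when the copy was forwarded."""
    canon = json.dumps(sorted(records, key=lambda r: r["rec"]), sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def find_indicators(local, forwarded=None, expected_digest=None):
    """Return (indicator, detail) pairs for the local log. Each check maps to
    one item of the post's list; forwarded/expected_digest are optional
    because an investigator will not always have an off-host copy."""
    findings = []
    recs = sorted(local, key=lambda r: r["rec"])
    for prev, cur in zip(recs, recs[1:]):
        # Missing records: a gap in the record-number sequence.
        if cur["rec"] != prev["rec"] + 1:
            findings.append(("missing records",
                             f"gap between {prev['rec']} and {cur['rec']}"))
        # Out-of-order timestamps: a later record carrying an earlier time.
        if datetime.fromisoformat(cur["ts"]) < datetime.fromisoformat(prev["ts"]):
            findings.append(("out-of-order timestamp",
                             f"record {cur['rec']} predates {prev['rec']}"))
    for r in recs:
        # Changes to system time, and to the logging configuration itself.
        if r["eid"] == TIME_CHANGED:
            findings.append(("system time changed", f"record {r['rec']}"))
        elif r["eid"] in (AUDIT_POLICY_CHANGED, LOG_CLEARED):
            findings.append(("logging configuration changed",
                             f"record {r['rec']} (event {r['eid']})"))
    # Another log copy showing events that are missing locally.
    if forwarded is not None:
        local_ids = {r["rec"] for r in local}
        for r in forwarded:
            if r["rec"] not in local_ids:
                findings.append(("absent from local copy",
                                 f"record {r['rec']}: {r['msg']}"))
    # Mismatch against the integrity seal recorded at forwarding time.
    if expected_digest is not None and digest(recs) != expected_digest:
        findings.append(("digest mismatch",
                         "local log does not match sealed copy"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_indicators(LOCAL, FORWARDED, digest(FORWARDED)):
        print(f"{kind:32s} {detail}")
```

On the constructed data every check fires: the gap between records 101 and 104, the logoff record 106 that predates record 105 (the kind of artefact a system time change leaves behind), the 4719 and 4616 events themselves, the two records the forwarded copy holds but the local disk does not, and the digest mismatch. Run against a clean, contiguous log the function returns an empty list, which is the point of keeping the checks separate from the sample data.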

Re: Honeypots

Post Posted: Tue Feb 19, 2013 7:53 am

- Sarah_Camp
Randomaccess - So do you think that it's unlikely for a hacker to alter log files to hide their tracks?

Alter log files, sure. But not on a honeypot. Unless they didn't realise it was a honeypot and they thought it was the real deal.

Senior Member

Re: Honeypots

Post Posted: Wed Feb 20, 2013 9:45 pm

Thanks, all your comments have been helpful.

My project scenario is a hacker not realising it's a honeypot.

Do you know if honeypot log files can be used as evidence in a UK court?  


Page 2 of 3