Starting research

Discussion of computer forensics employment and career issues.
 
  

Gilbert
Newbie
 

Starting research

Post Posted: Nov 23, 06 14:07

Hi,
I am currently working as a research assistant (e.g. doing my dissertation) at a university in Vienna, Austria. I am (obviously) interested in computer forensics, and have been doing a little literature / web research already. My main objective at the moment is identifying interesting "hard" problems in cf.
This forum seems like a cool additional information source, so I just wanted to say hi to the people here.
Do you guys think that the area of (web) application forensics is something that needs more research, or do you know of someone who has done a lot in that direction? Any other thoughts?

--Gilbert  
 
  

keydet89
Senior Member
 

Re: Starting research

Post Posted: Nov 23, 06 17:43

Gilbert,

It really depends on what you're referring to. If you're talking about identifying artifacts after a web application has been hacked, then no, there really isn't a great deal of data available on this sort of thing.

When a web application gets compromised and the application is still running (i.e., hasn't crashed) then there is likely a good deal of information left in memory. I've done some work with regards to collecting data from memory dumps, and analyzing the web application process might be a really good avenue to pursue.

My one suggestion would be to make the data you're looking at relevant to forensic investigations.

HTH,

Harlan  
 
  

Gilbert
Newbie
 

Re: Starting research

Post Posted: Nov 23, 06 20:26

Hi,
thanks for the quick reply and your suggestions!
I am assuming that the typical IDS can be evaded by an attacker (as for example Brian Caswell and HD Moore wrote in a BH conference presentation). Also, I am not sure on the level of protection that web app firewalls can provide (like Ivan Ristic's work etc.).
So I am indeed thinking about looking at memory dumps and log files of web apps to find traces of intrusions (or maybe extrusions, not too sure yet if that is something interesting). The idea is to automate such a process, so that the need for user configuration is minimized (by applying statistical methods or machine learning).
As you can see, I still don't have a really concrete idea, but thank you for contributing!

Btw: It's really great to have an opportunity to reach experts so casually via this forum!

-- Gilbert  
 
  

keydet89
Senior Member
 

Re: Starting research

Post Posted: Nov 24, 06 17:24

> I am assuming that the typical IDS can be evaded by an attacker

Not sure what that has to do with this topic.

> I am not sure on the level of protection that web app firewalls can provide

Again, I'm not clear on where this comes into play, as I thought that the idea was that you were going to look for forensic artifacts from a successful attack. Using these technologies (which may or may not be implemented, at least not correctly) would hamper that.

Good luck with your project...depending upon how it's implemented, it may be a great help to the community.

H  
 
