Holmes: A data theft forensic framework

Ramya Jayaram Masti, Vincent Lenders, Mario Strasser, Stefan Engel, Bernhard Plattner
2011 2011 IEEE International Workshop on Information Forensics and Security  
This paper presents Holmes, a forensic framework for postmortem investigation of data theft incidents in enterprise networks. Holmes pro-actively collects potential evidence from hosts and the network for correlation analysis at a central location. In order to optimize the storage requirements for the collected data, Holmes relies on compact network and host data structures. We evaluate the theoretical storage requirements of Holmes in average networks and quantify the improvements compared to
more » ... aw data collection alternatives. Finally, we present the application of Holmes to two realistic data theft investigation scenarios and discuss how combining network and host data can improve the efficiency and reliability of these investigations.
doi:10.1109/wifs.2011.6123144 dblp:conf/wifs/MastiLSEP11 fatcat:f6oo3ifqxvhsjnkqenmlb5cnqe