Using a virtual security testbed for digital forensic reconstruction

André Årnes, Paul Haas, Giovanni Vigna, Richard A. Kemmerer
2006 Journal in Computer Virology  
This paper presents ViSe, a virtual security testbed, and demonstrates how it can be used to efficiently study computer attacks and suspect tools as part of a computer crime reconstruction. Based on a hypothesis of the security incident in question, ViSe is configured with the appropriate operating systems, services, and exploits. Attacks are formulated as event chains and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose
more » ... the approach is to facilitate reconstruction experiments in digital forensics. Two examples are given to demonstrate the approach; one overview example based on the Trojan defense and one detailed example of a multi-step attack. Although a reconstruction can neither prove a hypothesis with absolute certainty, nor exclude the correctness of other hypotheses, a standardized environment, such as ViSe, combined with event reconstruction and testing, can A. Årnes (B) lend credibility to an investigation and can be a great asset in court.
doi:10.1007/s11416-006-0033-x fatcat:j2iq2ggfdvhupaa4cywucejrcm