21C3 Schedule Release 1.1.7

21st Chaos Communication Congress
Lectures and workshops

Speakers
Krisztian Piller
Sebastian Wolfgarten
Schedule
Day 2
Location Saal 2
Start Time 22:00 h
Duration 02:00
INFO
ID 105
Type Lecture
Track Hacking
Language english

Honeypot Forensics

No stone unturned or: logs, what logs?

In the world of intrusion detection, intrusion prevention and hacker research, honeypots are still quite a new and interesting technology. But few know that there is more to achieve with honeypots than just catching an intruder's attention. Honeypots can yield a wide range of results, and this presentation will be interesting to you even if you are already familiar with deploying IDS/IPS/honeypot systems. We will give an overview of the existing tools and provide you with a methodology to start your own forensic examinations.

After an introduction to the world of honeypots, you will learn about existing tools for setting up and analyzing honeypots, common errors to avoid during installation and maintenance, and the typical results of a honeypot operation.

The central part of the presentation will cover two methods of honeypot forensics:

  • Analysis of a system that was prepared and placed under surveillance in advance
  • Analysis of an unprepared system (also known as intrusion forensics)

This part provides you with a step-by-step methodology for securing, identifying and evaluating the data evidence in your hands, tries to show how to be "court proof", and focuses on the information you are really looking for. Furthermore, the presentation will cover hints for advancing your examination by looking in the right places, a.k.a. what intruders often forget…

The presentation will optionally include a case study of the examination of a high-interaction honeypot the speakers deployed for research purposes. Here you may get an impression of how our methodology works and a good overview of how the forensic tools are used in a honeypot examination. Finally, we will try to cover the legal aspects of operating a honeypot and point out the regulations you should be aware of.

There will be approximately 5-10 minutes at the end of the presentation for questions from the participants.

The presentation can be extended with a short session on remote and local detection of honeypot systems. The two authors have developed a not yet published technique, based on anomalies in TCP stack responses, for detecting honeyd-based honeypot systems.