Abstract:
This seminar presents the use of a HoneyNet as a vehicle for computer Forensics. A Honeypot is an Internet-attached server designed to detect and monitor the activities of computer hackers while HoneyNet is a network of these honeypots. A HoneyNet I have deployed since June 2002 that enables one to identify specific procedures employed by hackers and to implement measures to track hackers will be presented. Hackerˇ¦s activities will be described and illustrated with live demonstrations through scene reconstruction. Forensic techniques used to examine the data obtained from HoneyNet will also be discussed. Attendees interested in further involvement will be provided with a forensic challenge and a proposal for establishing a computer forensic laboratory will be presented.

Seminar Outline:

1. Objectives
2. HoneyNet model and implementation
3. Live demonstration of hackers' activities
4. Computer forensics techniques for examining the data
5. The Forensic Challenge
6. A proposal for setting up a Computer Forensic Lab
7. Q & A

Presentation Slides ([PPT|PDF])

1. Decrypt a hacker's backdoor session
2. Analyze Apache/mod_ssl Worm
3. Analyze a hacker's rootkit

• A ssh CRC32 overflow NOOP attack
• Creating backdoor accounts in a root shell access
• An Apache/mod_ssl Worm attack
• A wuftpd break-in and backdoor setup
• A hacker keystroke record
  
  • sneak in by a backdoor account
  • Get root access by sudo
  • Check around the honeypot environment
  • Download a root kit and intsall it
  • Disable the honeypot anonymous ftp so as to keep out other hackers.
• A hacker started up a IRC bot
• A hacker killed other hacker backdoor daemon

• HoneyNet Project at www.honeynet.org
• SNORT NIDS
• Honeypots: Tracking Hackers
• Forensics tools on UNIX
• The Coroner's Toolkit (TCT)