A Live Digital Forensic system for Windows networks

This paper presents FOXP (computer FOrensic eXPerience), an open source project to support network Live Digital Forensics (LDF), where the network nodes run a Windows NT family Operating System (OS). In particular, the FOXP architecture is composed of a set of software sensors, once for every network node, that log node activities and then send these logs to a FOXP collector node; this collector node analyzes collected data and manages the sensors activities. Software sensors, implementing the technique called System Call Interposition for Win32, intercepts all the kernel API (native API) invoked by the OS of the node. Thanks to the fine granularity of the logs, FOXP can intercept malicious activities. Centralized logs collected in the collector node, allow to detect coordinated-attacks on network nodes: attacks that would not be detectable with a single node analysis only. Note that the implemented System Call Interposition technique has allowed to intercept and redirect all of the 284 Windows XP system calls. The technique is exposed in detail and could be considered a contribution on its own. Finally, an overview of next steps to complete the FOXP project is provided. Acknowledgements This work was partly supported by the Spanish Ministry of Science and Education through projects TSI2007-65406-C03-01 E-AEGIS and CONSOLIDER CSD200700004 ARES, and by the Government of Catalonia under grant 2005 SGR 00446. † “Sapienza” Università di Roma, Dipartimento di Informatica, Via Salaria n. 113, 00197 Roma, Italy; e-mail: {battistoni, dibiagio, formica, mancini}@di.uniroma1.it ‡ Università di Roma Tre, Dipartimento di Matematica, L.go S. Leonardo Murialdo n.1, 00146 Roma, Italy; e-mail: [email protected] ? Universitat Rovira i Virgili, UNESCO Chair in Data Privacy, Dept. of Computer Engineering and Maths, Av. Paı̈sos Catalans 26, E-43007 Tarragona, Catalonia; e-mail: [email protected]