Monitoring Access to Shared Memory-Mapped Files

@inproceedings{Sarmoria2005MonitoringAT,
  title={Monitoring Access to Shared Memory-Mapped Files},
  author={Christian G. Sarmoria and Steve J. Chapin},
  booktitle={DFRWS},
  year={2005}
}
The post-mortem state of a compromised system may not contain enough evidence regarding what transpired during an attack to explain the attacker’s modus operandi. Current systems that reconstruct sequences of events gather potential evidence at runtime by monitoring events and objects at the system call level. The reconstruction process starts with a detection point, such as a file with suspicious contents, and establishes a dependency chain with all the processes and files that could be…
