Feed the Mind

Clock Descriptions

Tue, 26 Apr 2011 00:00:00 GMT

This is the final article in a series of articles related to analysing the Honeynet Log Mysteries Challenge data set by applying the Scientific Method (see Casey2009 and Carrier2006) and utilising data visualisation (see Conti2007 and Marty2008).

With this final blog article, we shall use the logging events present in sanitized_log/apache2/www-*.log to build a reference clock description (see An Improved Clock Model for Translating Timestamps by Florian Buchholz). In doing this, we are then able to provide date and time estimates to events in terms of a standard reference clock.

Wordpress Versioning: Part 2

Sat, 09 Apr 2011 00:00:00 GMT

This is part of a series of articles related to analysing the Honeynet Log Mysteries Challenge data set by applying the Scientific Method (see Casey2009 and Carrier2006) and utilising data visualisation (see Conti2007 and Marty2008).

Using just the logging events present in sanitized_log/apache2/www-*.log, this article explores how we might provide probability estimates (via naive Bayesian classifiers) for the version numbers of Wordpress and its plugins.

In the final blog article to this series, we shall look at how the work of Florian Buchholz (eg. see An Improved Clock Model for Translating Timestamps) can be used to measure logging event times relative to a suitable reference clock description.

Estimating Apache2 Restarts

Tue, 08 Mar 2011 00:00:00 GMT

Using just the logging events present in sanitized_log/apache2/www-*.log, this article explores how we might estimate the Apache2 restart times by reconstructing the scoreboard worker thread data structure.

Wordpress Versioning: Part 1

Mon, 28 Feb 2011 00:00:00 GMT

Using just the logging events present in sanitized_log/apache2/www-*.log, this article explores how we might estimate the version numbers for Wordpress and its plugins. A latter article will explore how to add probabilistic certainties to such versioning estimates.

Tagging and Timelines: Part 2

Sun, 27 Feb 2011 00:00:00 GMT

In Tagging and Timelines: Part 1 we had introduced a tagging algorithm that utilised Debian's package tags (ie. debtags). This blog post explores how we may use these tagging relationships, along with an interactive timeline (implemented using Protovis), to explore and analyse the auth.log sudo events.

Tagging and Timelines: Part 1

Thu, 17 Feb 2011 00:00:00 GMT

Using a tagging algorithm that utilises Debian's package tags (ie. debtags), this blog post explores how we may quickly and objectively classify logging events using tagging. The next post introduces an interactive timeline (implemented using Protovis) that we shall use to further explore and analyse the auth.log sudo events.

Apache2 Version Analysis: Ubuntu Packaging

Sun, 23 Jan 2011 00:00:00 GMT

During a recent attempt at answering the Honeynet Log Mysteries Challenge, I wrote a series of reasoned analyses for the supplied Honeynet logging data. Unfortunately, teaching workloads stopped me from submitting any realistic challenge answer.

Inspired by the idea of applying the Scientific Method to Digital Forensics (see Casey2009 and Carrier2006) and using data visualisation (see Conti2007 and Marty2008), I set about attempting to apply the same principles to analysing the Log Mysteries data sets.

In the blog post Apache2 Version Analysis: Data Visualisation, we estimated that Apache2 is at a revision < 596448 (ie. tag release is ≤ 2.2.6) and, under minimal additional assumptions, we also estimated that Apache2 was at a revision ≥ 420983 (ie. tag release is ≥ 2.2.3). Obviously, these revision and tag numbers are taken relative to the Apache2 subversion repository and not the Ubuntu package repository.

As Ubuntu packages (like Debian packages) essentially consist of the original (pristine!) upstream source code (eg. a tagged release straight from the Apache2 subversion repository) with a patch that is to be applied on installation, we clearly have some extra work to do here!

Apache2 Version Analysis: Data Visualisation

Fri, 21 Jan 2011 00:00:00 GMT

In the blog post Apache2 Version Analysis, we presented an argument that purported to provide an upper bound estimate on the version of Apache2 that was present on the Log Mysteries web server. It was pointed out, in that blog post, that this version estimate had a subtle error that needed to be located and fixed. In this article, we aim to rectify this situation by using a timeline to correctly estimate that Apache2 is at a revision < 596448 (ie. tag release is ≤ 2.2.6). Under minimal additional assumptions, we can also deduce that Apache2 is at a revision ≥ 420983 (ie. tag release is ≥ 2.2.3).

Apache2 Version Analysis

Thu, 20 Jan 2011 00:00:00 GMT

Inspired by the idea of applying the Scientific Method to Digital Forensics (see Casey2009 and Carrier2006), I set about attempting to apply the same principles to analysing the Log Mysteries data sets.

Using just the apache2/www-* logs from the Log Mysteries Honeynet challenge, this blog post demonstrates how we can define upper bounds on the version of Apache2 used and, more interestingly, data regarding Apache's worker threads. We are also able to establish how to obtain the log events with microsecond (instead of just second) timestamp accuracy.

Honeynet Memory Forensics Challenge

Thu, 13 May 2010 00:00:00 GMT

Using a modified version of the Volatility framework (see http://github.com/carlpulley/volatility and look at the honeynet tag on the main development branch) I've managed to attain third place in the Honeynet Forensics Challenge 2010/3 (Banking Troubles).