C2SR: Cybercrime Scene Reconstruction for Post-mortem Forensic Analysis Yonghwi Kwon1, Weihang Wang2, Jinho Jung3, Kyu Hyung Lee4, and Roberto Perdisci3;4 1University of Virginia, 2University at Buffalo, SUNY, 3Georgia Institute of Technology, 4University of Georgia
[email protected],
[email protected],
[email protected], fkyuhlee,
[email protected] Abstract—Cybercrime scene reconstruction that aims to re- “the forensic science discipline that aims to gain explicit construct a previous execution of the cyber attack delivery process knowledge of the series of events that surround the commission is an important capability for cyber forensics (e.g., post mortem of a crime using deductive and inductive reasoning, physical analysis of the cyber attack executions). Unfortunately, existing evidence, scientific methods, and their interrelationships.” techniques such as log-based forensics or record-and-replay CSR is an invaluable component of post-mortem forensic techniques are not suitable to handle complex and long-running analysis because it reconstructs crime scenes, providing a modern applications for cybercrime scene reconstruction and post more intuitive understanding of the crime [15], [82]. mortem forensic analysis. Specifically, log-based cyber forensics techniques often suffer from a lack of inspection capability and do In the context of cybercrime, a similar capability to CSR is not provide details of how the attack unfolded. Record-and-replay techniques impose significant runtime overhead, often require highly desirable. Reconstructing an execution of the attack de- livery process to gain knowledge of the series of cyber events, significant modifications on end-user systems, and demand to which we call cybercrime scene, for post-mortem forensic replay the entire recorded execution from the beginning.