Abstract
As the pervasiveness of the Internet has increased over the last several decades, so has the prevalence of web-based cyber attacks. Unfortunately, performing detailed forensic analysis of web-based security incidents is a notoriously challenging task. Forensic analysts must often manually analyze disparate and often ephemeral information sources in an attempt to achieve a detailed view of a security incident. This task is further aggravated by the sheer volume of data generated by modern computer systems. Much of the difficulty associated with investigating web-based security incidents can be mitigated by utilizing systems which can replay such incidents from their recorded artifacts. Systems which can partially or fully replay security incidents can produce insights which would require a human analyst numerous hours of error-prone manual analysis to replicate. To this end we present two novel Record and Replay systems, ClickMiner and WebCapsule, which are designed to aid in the forensic analysis of web security incidents.

ClickMiner aims to automatically reconstruct user-browser interactions by replaying archived web traffic traces via an instrumented browser. This ability is useful in a number of web security scenarios, including the postmortem analysis of user-facing web attacks. Our evaluation demonstrates that ClickMiner can reconstruct between 82% and 90% of user-browser interactions with false positives between 0.74% and 1.16%, outperforming previous reconstruction algorithms.

WebCapsule is a forensic engine for web browsers which strives to record all non-deterministic inputs into the web rendering engine embedded in many popular browsers. WebCapsule enables the replay and analysis of past, potentially harmful web browsing sessions in a controlled, isolated environment. We evaluate WebCapsule on phishing attack instances and popular websites to demonstrate that both dangerous and benign web browsing sessions can be recorded and fully replayed while incurring reasonable overhead.
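To make the "record all non-deterministic inputs, then replay the session deterministically" idea concrete, the following JavaScript is an added illustration and is not WebCapsule's or ClickMiner's code. It assumes three sources of non-determinism a page script might consume (the wall clock, the random number generator, and a constructed stand-in for a fetched page body); the names `SOURCES`, `makeRecorder`, `makeReplayer`, `pageScript`, `recordSession` and `replaySession` are invented for the demo.

```javascript
// Added example: a minimal record-and-replay harness for the non-deterministic
// inputs a page script consumes. Record mode runs the real sources and logs
// each result; replay mode serves the logged values back in order and refuses
// to continue if the script asks for something the log does not contain.
// Not WebCapsule's implementation; the set of sources is an assumption.

// Sources of non-determinism, keyed by name so record and replay pair up.
const SOURCES = {
  clock: () => Date.now(),
  random: () => Math.random(),
  // Constructed stand-in for a network fetch. A real recorder would capture
  // the HTTP response bytes; here the "server" just echoes the URL and time.
  fetchText: (url) => `<html><body>served ${url} at ${Date.now()}</body></html>`,
};

// Record mode: every call goes to the real source and its result is logged.
function makeRecorder() {
  const log = [];
  const env = {};
  for (const [name, impl] of Object.entries(SOURCES)) {
    env[name] = (...args) => {
      const value = impl(...args);
      log.push({ name, args, value });
      return value;
    };
  }
  return { env, log };
}

// Replay mode: answer from the log; any divergence (different source, different
// arguments, or more calls than were recorded) is an error, not a silent guess.
function makeReplayer(log) {
  let cursor = 0;
  const env = {};
  for (const name of Object.keys(SOURCES)) {
    env[name] = (...args) => {
      const entry = log[cursor++];
      const sameArgs = entry && JSON.stringify(entry.args) === JSON.stringify(args);
      if (!entry || entry.name !== name || !sameArgs) {
        const expected = entry ? entry.name : "end of log";
        throw new Error(`replay divergence at step ${cursor - 1}: expected ${expected}, got ${name}`);
      }
      return entry.value;
    };
  }
  return env;
}

// The "page script" under analysis. Its output depends on all three sources,
// so a naive re-run would produce a different result every time.
function pageScript(env) {
  const started = env.clock();
  const token = Math.floor(env.random() * 1e6);
  const body = env.fetchText(`https://example.test/landing?t=${token}`);
  return { started, token, bodyLength: body.length };
}

// Run the script once against live sources and keep the log as the artifact.
function recordSession() {
  const { env, log } = makeRecorder();
  const result = pageScript(env);
  return { result, log };
}

// Re-run the same script offline, fed only from the recorded log.
function replaySession(log) {
  return pageScript(makeReplayer(log));
}

function sessionsMatch(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Stand-alone demonstration: record, then replay, then compare.
const recorded = recordSession();
const replayed = replaySession(recorded.log);
console.log("recorded :", recorded.result);
console.log("replayed :", replayed);
console.log("identical:", sessionsMatch(recorded.result, replayed));
```

The point of the divergence check is that a replay which silently falls back to live sources is no longer evidence of what happened; an analyst wants replay to either reproduce the recorded session exactly or fail loudly.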