Forensics
COW files
- Copy-on-write layer on top of readonly filesystem
- records changed blocks
- much smaller than full filesystem
Union filesystem
- hostfs hack
- COW filesystem will contain changed files
Notes:
There are several other aspects of UML which simplify the analysis of a break-in and subsequent activities.
UML COW files, which capture all the changed blocks in a filesystem, provide a compact representation of the modifications that were made to a system. A COW file can be compressed to a very small fraction of the filesystem size, allowing the changes to be conveniently passed around.
A forthcoming improvement on this is a hostfs union filesystem. Like a COW file, this will capture the changes made to a system in the course of an intrusion. However, the changes are represented on a file basis, rather than a block basis. This makes it easier to see what files changed and to see exactly how they were changed.
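As an added illustration (not part of the original slides or of UML's own code), here is a small Python model of a block-level COW overlay on a read-only base image, together with the forensic summary an analyst can derive from the overlay alone: which blocks were written, which of them actually differ from the base, and how small the COW is relative to the full image. The block size and sample data are constructed for the demo.

```python
# Added example: block-level copy-on-write (COW) overlay over a read-only
# base image, modelled after the UML COW idea. Constructed demo values;
# this is not UML's own on-disk format.

BLOCK_SIZE = 8  # tiny blocks so the demo stays readable (constructed)


class CowImage:
    """Read-only base image with a sparse overlay of written blocks."""

    def __init__(self, base: bytes, block_size: int = BLOCK_SIZE):
        if len(base) % block_size:
            raise ValueError("base image must be a whole number of blocks")
        self.base = base          # never modified: the read-only filesystem
        self.bs = block_size
        self.overlay = {}         # block index -> contents after the write

    def _base_block(self, idx: int) -> bytes:
        return self.base[idx * self.bs:(idx + 1) * self.bs]

    def read_block(self, idx: int) -> bytes:
        # A written block is served from the overlay; otherwise fall through.
        return self.overlay.get(idx, self._base_block(idx))

    def write(self, offset: int, data: bytes) -> None:
        """Write at a byte offset; only the touched blocks land in the COW."""
        pos = 0
        while pos < len(data):
            idx, within = divmod(offset + pos, self.bs)
            n = min(self.bs - within, len(data) - pos)
            blk = bytearray(self.read_block(idx))       # read-modify-write
            blk[within:within + n] = data[pos:pos + n]
            self.overlay[idx] = bytes(blk)  # recorded even if content is unchanged
            pos += n

    def read(self, offset: int, length: int) -> bytes:
        if length <= 0:
            return b""
        first, last = offset // self.bs, (offset + length - 1) // self.bs
        joined = b"".join(self.read_block(i) for i in range(first, last + 1))
        start = offset - first * self.bs
        return joined[start:start + length]


def cow_report(img: CowImage) -> dict:
    """Forensic summary obtainable from the COW overlay and the base alone."""
    written = sorted(img.overlay)
    differing = [i for i in written if img.overlay[i] != img._base_block(i)]
    return {
        "written_blocks": written,        # what a COW block bitmap records
        "differing_blocks": differing,    # blocks whose content really changed
        "cow_bytes": len(written) * img.bs,
        "base_bytes": len(img.base),
    }
```

Note that a block written back with its original contents still appears in the COW, so the overlay is a record of write activity, not only of net content changes.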