The goal of the Forensix ("4N6") Project is to allow a system to be
monitored so that, in the event of a security compromise, it is easy to
track the compromise back to its source and recover from it.
To facilitate this, Forensix performs a complete kernel event
audit on the target system and streams the high-definition audit
trail to a backend database that has been optimized for reconstruction
queries. Some applications of Forensix include:
- Accurately replaying any and all system compromises.
- Determining what specific data (such as credit card numbers) has been accessed on the system as a result of a compromise.
- Automatically determining what modifications have been made to a system by an illicit user.
- Selectively undoing illicit system modifications.

Forensix is a joint project between the University of Toronto and Portland State University. It has been supported by the National Science Foundation (NSF) under Grant ANI-0230960. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the National Science Foundation.
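The kinds of reconstruction query the applications above call for (tracking a file modification back to the process chain that made it, listing the data a compromised process and its children read, and ordering their modifications so they can be undone), as an added illustration that is not Forensix's own code: it loads a constructed audit trail in a hypothetical row layout into SQLite, standing in for the backend database; Forensix's real event schema is not shown on this page.

```python
import sqlite3

# Constructed sample audit trail in a hypothetical row layout (not Forensix's schema):
# one row per kernel event, in time order: (ts, pid, ppid, op, target).
EVENTS = [
    (1, 100, 1,   "exec",  "/usr/sbin/sshd"),
    (2, 200, 100, "exec",  "/bin/sh"),                # shell spawned from sshd
    (3, 200, 100, "read",  "/var/www/customers.db"),  # sensitive data read
    (4, 300, 200, "exec",  "/usr/bin/wget"),
    (5, 300, 200, "write", "/tmp/.hidden"),
    (6, 200, 100, "write", "/etc/passwd"),
    (7, 400, 1,   "exec",  "/usr/sbin/cron"),         # unrelated process
    (8, 400, 1,   "read",  "/etc/passwd"),
]
def load_trail(events=EVENTS):
    """Load the trail into an indexed SQLite table, standing in for the backend database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ev (ts INT, pid INT, ppid INT, op TEXT, target TEXT)")
    db.executemany("INSERT INTO ev VALUES (?,?,?,?,?)", events)
    db.execute("CREATE INDEX ix_target ON ev (target, op)")  # per-file reconstruction lookups
    return db
def writers_of(db, path):
    """PIDs that modified `path`, oldest first: the starting point for tracking a change back."""
    rows = db.execute("SELECT pid FROM ev WHERE op='write' AND target=? ORDER BY ts", (path,))
    return [r[0] for r in rows]
def ancestry(db, pid):
    """Walk from `pid` back toward init (pid 1) via exec events: [(pid, image), ...]."""
    chain = []
    while pid != 1:
        row = db.execute("SELECT ppid, target FROM ev WHERE pid=? AND op='exec'", (pid,)).fetchone()
        if row is None:
            break  # process started before the trail did
        chain.append((pid, row[1]))
        pid = row[0]
    return chain
def subtree(db, root_pid):
    """root_pid plus every process it spawned, transitively."""
    pids, frontier = {root_pid}, [root_pid]
    while frontier:
        for (child,) in db.execute("SELECT DISTINCT pid FROM ev WHERE ppid=? AND op='exec'", (frontier.pop(),)):
            if child not in pids:
                pids.add(child)
                frontier.append(child)
    return pids
def files_touched(db, pids, op):
    """Files the given processes did `op` on, in first-touch order; reverse the 'write' list to undo."""
    marks = ",".join("?" * len(pids))
    sql = f"SELECT target FROM ev WHERE op=? AND pid IN ({marks}) GROUP BY target ORDER BY MIN(ts)"
    return [r[0] for r in db.execute(sql, (op, *pids))]
```

Starting from a changed file, `writers_of` names the process, `ancestry` gives the chain it came from, and `files_touched` over `subtree` answers what that chain read and wrote.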