SRI Security Research Institute, Edith Cowan University, Perth, Western Australia
Once the system is compromised, the forensics and investigation are always executed after the attacks and the loss of some useful instant evidence. Since there is no log information necessary for analyzing an attack cause after the cyber incident occurs, it is difficult to analyze the cause of an intrusion even after an intrusion event is recognized. Moreover, in an advanced cyber incident such as advanced persistent threats, several months or more are expended in only analyzing a cause, and it is difficult to find the cause with conventional security equipment. In this paper, we introduce a network intrusion forensics system for collecting and preserving the evidence of an intrusion, it is called Cyber Black Box that is deployed in Local Area Network environment. It quickly analyzes a cause of an intrusion event when the intrusion event occurs, and provides a function of collecting evidence data of the intrusion event. The paper also describes the experimental results of the network throughput performance by deploying our proposed system in an experimental testbed environment.