Australian Digital Forensics Conference

Document Type

Conference Proceeding


School of Computer and Information Science, Edith Cowan University, Perth, Western Australia


This paper discusses an experimental method for creating a 1st generation smart-phone honey-pot with the intention of discovering automated worms. A Honeyd low-interaction virtual honey-pot is conceived as a possible method of discovering automated smart-phone worms by emulating the operating system Windows Mobile 5 and Windows Mobile 6, along with the available TCP/UDP ports of each operating system. This is an experimental method as there are currently no known malicious smart-phone worms. Honeyd emulates devices by mimicking the devices operating system fingerprint which is created by the unique responses each operating system sends to a discrete series of TCP and UDP packets sent by the network scanner Nmap. Honeyd uses the Nmap fingerprint database for how it should emulate these responses each operating system. A significant obstacle was discovered during the implementation of the Honeyd smartphone honey-pot, as the format of fingerprints (2nd generation) utilised by Nmap are now different to the previous format (1st generation) which is utilised by Honeyd. Honeyd cannot make use of the new Nmap format of the smart-phone operating systems and thus a honeypot for smart-phones cannot be created. Future work forecasts the creation of a technique to convert the new Nmap format to one which can be utilised by Honeyd.


Originally published in the Proceedings of the 7th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia, December 3rd 2009.