incubator-alois-commits mailing list archives

From Apache Wiki <>
Subject [Alois Wiki] Update of "IMF2011" by UrsLerch
Date Sat, 15 Jan 2011 03:00:37 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Alois Wiki" for change notification.

The "IMF2011" page has been changed by UrsLerch.
The comment on this change is: added the chapter Extending Apache ALOIS to a platform for
computer forensics.


  ''[This is a working paper for the "6th International Conference on IT Security Incident
Management & IT Forensics", taking place in Stuttgart, Germany from May 10th to 12th,
2011. Deadline is on January 17th, 2011. Find the details for the RfP here:]''
  = Apache ALOIS - A true open source plattform for computer forensics =
- Urs Lerch & Marcus Holthaus
+ Urs Lerch
  ''Abstract: ''Although computer forensics is foremost all about recovering, collecting and
analyzing data, there is, at least as far as we know, no central platform for all of this.
Sure, there exists a dozen of software tools, all good in their defined area. But when it
comes to integration to a whole, often incompatibility of data and the lack of interfaces
are severe problems. In our opinion, a good part of this problem lies in the nature of proprietary
software. Although Open Source Software is not the "holy grail" and doesn't deliver a solution
to this problem per se, a community driven development can help to overcome a great part of
these issues. Apache ALOIS is an open source tool, originally designed as SIEM (Security Information
and Event Management). But since its main tasks are collecting and analyzing data as well
as reporting, it could very well help as integration plattform for all collected data within
a computer forensics process.
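Review bot: the author line drops a co-author ("- Urs Lerch & Marcus Holthaus" becomes "+ Urs Lerch") while the change comment only mentions adding the forensics chapter; if the removal is intentional it should be stated in the change comment so the page history explains it. Minor points in the surrounding context lines: the title spells "plattform" (also in the abstract), and the RfP sentence ends with "here:" with no link following it.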
@@ -52, +52 @@

  Since an image explains more than a thousand words, here is an overview of the data flow
through the different modules:
- {{}}
+ {{}}
  Up to now, the creation of the input is not part of Apache ALOIS. On the one hand, the logs
are generated by the the different systems itself. On the other hand, by using the standard
interface SYSLOG, there was no need to care too much on this part so far. Other SIEM software
do include so called "agents", which create, collect and/or prepare information for the tool.
By using the technology of agents, Apache ALOIS could easily be extended for completly new
use cases.
  == Extending Apache ALOIS to a platform for computer forensics ==
- [Apache ALOIS vision]
+ As already mentioned above, although it is a SIEM, Apache ALOIS already fulfills a lot of
the functionality needed in computer forensics. The tasks of analysis, evaluating and reporting
is already included. Although the correlation functionality and a forensic console is a standard
within SIEM systems, Apache ALOIS sees its main strengths in these domains. The forensic console
has an easy to use web frontend, which will look familiar to most of the computer users:
+ {{}}
+ Of course, Apache ALOIS has to be configured to become a computer forensics platform. But
the configuration has to be done only once. And since it is an open source tool, configuration
can be reused. What has to be done, to make a true computer forensics tool out of Apache ALOIS,
is the task of the extraction of data. In a SIEM this is called an agent. Of course, we wouldn't
dare to propose to rewrite all the great tools used in this area. The meaning of an agent
is the one of a connector. Thus all the tools have to get a connector. This should done by
the vendor of the tool. To make this as easy as possible, Apache ALOIS plans to build a "service
bus" with standardized interfaces. The architecture of such a service bus could look like
+ {{}}
+ Therefore, it will not only be easy to connect a - proprietary or open source - application
to the system. It will also be possible to replace one or another standard moduls of Apache
ALOIS with the one that fits better the own special needs.
  == Conclusions ==
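Review bot: the three added image macros ("+ {{}}") are empty, so they reference no attachment and will render nothing; the "- {{}}" / "+ {{}}" pair above likewise changes nothing as shown. Each macro should name the attachment it is meant to display (data-flow overview, forensic console, service-bus architecture). The connector and service-bus paragraph also says nothing about how evidential integrity is preserved when tool output passes through the bus (hashes of the collected data, timestamps, which tool and version produced it); for a page that claims to make "a true computer forensics tool out of Apache ALOIS", one sentence on that would be worth adding, and the Conclusions section that follows is still empty. Wording: "This should done by the vendor" is missing "be"; "completly" and "moduls" are misspelled; "the the different systems" doubles "the"; "Although the correlation functionality ... is a standard within SIEM systems, Apache ALOIS sees its main strengths in these domains" reads better with "While" than "Although".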