incubator-alois-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Alois Wiki] Trivial Update of "IMF2011" by UrsLerch
Date Sun, 16 Jan 2011 22:15:05 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Alois Wiki" for change notification.

The "IMF2011" page has been changed by UrsLerch.
The comment on this change is: correction of 2 typing errors.
http://wiki.apache.org/alois/IMF2011?action=diff&rev1=21&rev2=22

--------------------------------------------------

  = Apache ALOIS - A true open source plattform for computer forensics =
  Urs Lerch
  
- ''Abstract: ''Although computer forensics is above all about recovering, collecting and
analyzing data, there is, at least as far as we know, no central platform for the integration
of all the varying data that is being created in a forensics process. Sure, there exist dozens
of valuable software tools, all specialized in one or more defined areas. But when it comes
to integration and consolidation of these data collections, often incompatibility of data
and the lack of interfaces form severe problems. In our opinion, a good part of this problem
lies in the nature of proprietary software. A community driven development can help to integrate
these data collections by providing interfaces to the varius software tools. Apache ALOIS
is an open source tool, originally designed as SIEM (Security Information and Event Management)
with Data Leakage Detection (DLD) in mind. But since its main tasks are collecting and analyzing
data as well as reporting, it could very well be used as an integration plattform for all
collected data within a computer forensics process.
+ ''Abstract: ''Although computer forensics is above all about recovering, collecting and
analyzing data, there is, at least as far as we know, no central platform for the integration
of all the varying data that is being created in a forensics process. Sure, there exist dozens
of valuable software tools, all specialized in one or more defined areas. But when it comes
to integration and consolidation of these data collections, often incompatibility of data
and the lack of interfaces form severe problems. In our opinion, a good part of this problem
lies in the nature of proprietary software. A community driven development can help to integrate
these data collections by providing interfaces to the various software tools. Apache ALOIS
is an open source tool, originally designed as SIEM (Security Information and Event Management)
with Data Leakage Detection (DLD) in mind. But since its main tasks are collecting and analyzing
data as well as reporting, it could very well be used as an integration plattform for all
collected data within a computer forensics process.
  
  == Introduction ==
  The aim of computer forensics is to acquire, analyze and evaluate digital tracks in the
context of an already conducted or yet only planned criminal act. This requires highly specialized
knowledge both in IT, and the field of the crime, as well as highly specialized tools. It
therefore makes sense that tasks are divided among specialists each using their own tools.
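Review bot: "plattform" is still misspelled twice inside this hunk, in the page heading ("= Apache ALOIS - A true open source plattform for computer forensics =") and in the abstract's last sentence ("an integration plattform for all collected data"), while the hunk only corrects "varius" to "various"; since the change is described as a typo fix, both should become "platform" in the same pass so the abstract is not touched a third time.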
@@ -32, +32 @@

  == What does Apache ALOIS stand for? ==
  Apache ALOIS [http://incubator.apache.org/alois/] is a message collection, message splitting
and message correlation software with reporting and alarming functionalities. ALOIS stands
for "Advanced Log Data Insight System" and is meant to be a fully implemented open source
security information and event management system (SIEM). While almost all other SIEM software,
be it closed or open source, concentrate on the technological part of security monitoring,
Apache ALOIS is aimed to monitor the security of the content. It intends to be pro-active
in the detection of potential loss and theft (data leakage), mistaken modification or unauthorized
access. Apache ALOIS works on log messages and thus contains all the basic functionality of
a conventional SIEM, as centralized collecting, normalizing, aggregation, analyzing and correlating
of all messages, as well as reporting all security related events. Therefore it can be used
in place of any other SIEM.
  
- Since fall 2010 Apache ALOIS is an undergoing incubation at The Apache Software Foundation
(ASF). Incubation allows for a software system to reach a stability level equivalent to other
successful ASF projects, regarding infrastructure, communications, and decision making. The
ASF [http://www.apache.org] is made up of nearly 100 top level projects that cover a wide
range of technologies. While some of them are widely known by name, many more are in wide
use as part of may popular internet services. The best-known project ist the HTTP-Server,
which hosts more than two third of all internet websites [http://greatstatistics.com/]. Apache
projects are defined by collaborative, consensus-based processes, an open, pragmatic software
license and a desire to create high quality software that leads the way in its field. This
is known as the "Apache way".
+ Since fall 2010 Apache ALOIS is an undergoing incubation at The Apache Software Foundation
(ASF). Incubation allows for a software system to reach a stability level equivalent to other
successful ASF projects, regarding infrastructure, communications, and decision making. The
ASF [http://www.apache.org] is made up of nearly 100 top level projects that cover a wide
range of technologies. While some of them are widely known by name, many more are in wide
use as part of popular internet services. The best-known project ist the HTTP-Server, which
hosts more than two third of all internet websites [http://greatstatistics.com/]. Apache projects
are defined by collaborative, consensus-based processes, an open, pragmatic software license
and a desire to create high quality software that leads the way in its field. This is known
as the "Apache way".
  
  While incubation status is not necessarily a reflection of the completeness or stability
of the code, it does indicate that the project has reached a stable phase and has the potential
to be fully endorsed by the ASF. In fact, Apache ALOIS has shown its functioning over several
years in production. Apache ALOIS is aimed to be totally free and open for all contributions.
The openness provided for other programming languages is certainly proof of this. The plug-ability
- an active field of work in progress - is meant to guarantee that individual needs can be
realized without stressing the whole system. Furthermore, the basic functionality of ALOIS
may be extended in directions not yet foreseen. In our opinion, the Linux kernel is a good
example that this can work very well.
  
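Review bot: the hunk drops the stray "may" from "part of may popular internet services" but leaves three other errors in the same paragraph untouched: "is an undergoing incubation at The Apache Software Foundation" should read "is undergoing incubation", "The best-known project ist the HTTP-Server" should read "is", and "hosts more than two third of all internet websites" should read "two thirds". Suggest folding those into this change, since the replaced "+" lines already rewrap the whole paragraph.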
@@ -50, +50 @@

  
  Figure 1 shows an overview of the data flow through the different modules:
  
+ {{http://incubator.apache.org/alois/images/overview-3tier-flowchart.png}} [Figure 1: ALOIS
Message Flow and main components]
- {{http://incubator.apache.org/alois/images/overview-3tier-flowchart.png}}
- [Figure 1: ALOIS Message Flow and main components]
  
  Apache ALOIS is open to any type of input - whatever the system or tool at hand has as an
output. The standard interfaces are syslog, smtp and file upload. In SIEM context, "agents"
provide for various formats, and Apache ALOIS could easily be extended for any kind of input.
  
  == Using Apache ALOIS as a platform for computer forensics ==
- As already mentioned above, although it is a SIEM, Apache ALOIS already fulfills a lot of
the functionality needed in computer forensics. The tasks of analysis, evaluating and reporting
is already included. The correlation functionality and a forensic console are a common standard
within SIEM systems, and Apache ALOIS sees its main strengths in these domains. ALOIS has
source protection (it prevents the alteration of collected data) and further protects it using
hash functions. Anonymisation features have been prepared to meet data protection requirements,
as have functions to reverse anonymisation to allow for legal prosecution. The forensic console
has an easy to use web frontend, which will look familiar to most regular web interface users
(see figure 2). 
+ As already mentioned above, although it is a SIEM, Apache ALOIS already fulfills a lot of
the functionality needed in computer forensics. The tasks of analysis, evaluating and reporting
is already included. The correlation functionality and a forensic console are a common standard
within SIEM systems, and Apache ALOIS sees its main strengths in these domains. ALOIS has
source protection (it prevents the alteration of collected data) and further protects it using
hash functions. Anonymisation features have been prepared to meet data protection requirements,
as have functions to reverse anonymisation to allow for legal prosecution. The forensic console
has an easy to use web frontend, which will look familiar to most regular web interface users
(see figure 2).
  
- {{http://incubator.apache.org/alois/images/forensicConsole.png}}
+ {{http://incubator.apache.org/alois/images/forensicConsole.png}} [Figure 2: ALOIS Console]
- [Figure 2: ALOIS Console]
  
  Apache ALOIS can be configured to become any type of computer forensics platform. Configurations
can be shared, published and reused, and can be instantiated on a case-by-case basis, thus
separating date from several forensic cases. Separated databases can be combined to allow
for cross-case anaylsis. Many of the standard forensic tools have data export capabilities,
and import filters (ALOIS agents) for these filters are easy to create, though probably man
in number. Agents may be created by the vendor of the tool, or by the ALOIS team. Apache ALOIS
intends to build a "service bus" with standardized interfaces. The proposed architecture looks
like figure 3.
  
- {{http://incubator.apache.org/alois/images/Apache ALOIS Service Bus_small.png}}
+ {{http://incubator.apache.org/alois/images/Apache ALOIS Service Bus_small.png}} [Figure
3: ALOIS service bus]
- [Figure 3: ALOIS service bus]
  
  Therefore, it will not only be easy to connect a - proprietary or open source - application
to the system. It will also be possible to replace one or another standard modules of Apache
ALOIS with the one that fits better the own special needs.
  
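Review bot: the "+" line for figure 3 keeps literal spaces inside the image macro argument ({{http://incubator.apache.org/alois/images/Apache ALOIS Service Bus_small.png}}); a URL with unencoded spaces is not valid and the wiki may cut the macro argument at the first space, so either percent-encode them (Apache%20ALOIS%20Service%20Bus_small.png) or rename the file without spaces, as the other two image names in this hunk already are. The unchanged context paragraph below figure 2 also has "separating date from several forensic cases" (data), "cross-case anaylsis" (analysis), "probably man in number" (many) and "import filters (ALOIS agents) for these filters", where "for these tools" appears to be meant; these are the kind of typing errors this change set is for.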
