Timescope: Time-traveling Forensic Analysis of VM-based High-interaction Honeypots
Overview
Timescope is a system that applies and extends deterministic record and replay to high-interaction honeypots for extensible, fine-grained forensic analysis. The current prototype is based on the open-source QEMU (version 0.12.3) software.
Timescope setup
You can download the research prototype source code here (~4.5 MB; md5sum: 8ab59bcb194c384b153dda7fc3561cc8).
1. To compile, run "./configure --target-list=i386-softmmu" and then "make" from the main source directory. The variable "rec_rep" in the source code selects whether Timescope is built in the VM Record or the VM Replay mode, so one build produces only one of the two modes.
2. You will need to prepare VM disk images to use in Timescope. Follow the standard QEMU instructions for this.
3. Timescope requires that a "VM snapshot" be available when a VM Record session is started. For this, run Timescope in recording mode and use the "savevm" command in the QEMU monitor. This will create the snapshot in a separate file in a default location that will be used by subsequent Timescope sessions. (Note: This is different from the default QEMU snapshot behavior.)
4. If you require network support in the VM, you'll need to configure TUN/TAP networking on the host, following standard QEMU instructions.
Using Timescope
VM Record
After setting up Timescope using the instructions above, you can run a VM Record session using a command as shown here:
record -hda <name of VM disk image> -nographic -net nic,model=ne2k_pci -net tap,ifname=tap0 <optional parameters> -icount 1 -snapshot -loadvm 1
(This is a sample command; adjust the parameters to your system configuration. Whatever parameters you choose, the same ones must be passed to both the VM Record and the VM Replay sessions, and the -icount, -snapshot and -loadvm options are always required.)
VM Replay
To replay a previously recorded execution, you need to start a VM Replay session. A sample command is as follows:
replay -hda <name of VM disk image> -nographic -net nic,model=ne2k_pci -net tap,ifname=tap0 <optional parameters> -icount 1 -snapshot -loadvm 1
The current source code includes one analysis module for use during a replay session, which captures the system calls invoked by guest processes. To enable it, add the "-d syscall" command-line argument when starting the replay session:
replay -hda <name of VM disk image> -nographic -net nic,model=ne2k_pci -net tap,ifname=tap0 <optional parameters> -icount 1 -snapshot -loadvm 1 -d syscall
Also, refer to the "rec1" and "rep1" scripts in the Timescope source tree for sample commands.
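As an added illustration of the record/replay procedure above (this is not the rec1/rep1 script from the Timescope source tree), the following POSIX shell helper builds the shared parameter list once, checks that the always-required -icount, -snapshot and -loadvm options are present, and then reuses the identical list for the record and the replay binaries. It assumes the two builds are named "record" and "replay" and live in $TIMESCOPE_BIN, that the "savevm" snapshot has id 1, and that tap0 is the host TAP interface.

```shell
#!/bin/sh
# Added helper, not part of the Timescope source tree.
# Assumptions: "record" and "replay" are the two Timescope builds (one per
# rec_rep setting) located in $TIMESCOPE_BIN; the snapshot created with the
# QEMU monitor's "savevm" command has id 1; tap0 is the host TAP interface.
TIMESCOPE_BIN="${TIMESCOPE_BIN:-.}"

# timescope_args <disk image> [extra QEMU options...]
# Prints the argument list that record and replay must share verbatim.
timescope_args() {
    img="$1"; shift
    printf '%s' "-hda $img -nographic -net nic,model=ne2k_pci -net tap,ifname=tap0 ${1:+$* }-icount 1 -snapshot -loadvm 1"
}

# check_required_args <args>
# Succeeds only if the three options the setup notes describe as always
# required (-icount, -snapshot, -loadvm) are all present.
check_required_args() {
    for opt in -icount -snapshot -loadvm; do
        case " $1 " in
            *" $opt "*) ;;
            *) echo "missing required option: $opt" >&2; return 1 ;;
        esac
    done
    return 0
}

# ts_record <disk image> [extra...]: start a VM Record session.
ts_record() {
    args=$(timescope_args "$@")
    check_required_args "$args" || return 1
    "$TIMESCOPE_BIN/record" $args
}

# ts_replay <disk image> [extra...]: replay the recording with the same
# parameters, with the syscall analysis module enabled via "-d syscall".
ts_replay() {
    args=$(timescope_args "$@")
    check_required_args "$args" || return 1
    "$TIMESCOPE_BIN/replay" $args -d syscall
}
```

Because both sessions call timescope_args with the same inputs, a parameter mismatch between record and replay (which would desynchronize the replay) cannot be introduced by hand-editing two separate command lines.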
Guest OS Support
Timescope has been tested with 32-bit Linux running as the guest operating system. Currently, it does not support graphical interfaces for the guest OS.