Using a virtual security testbed for digital forensic reconstruction


André Årnes, Paul Haas, Giovanni Vigna, Richard A. Kemmerer


Journal in Computer Virology (Volume 2, Issue 4), January 2006


This paper presents ViSe, a virtual security testbed, and demonstrates how it can be used to efficiently study computer attacks and suspect tools as part of a computer crime reconstruction. Based on a hypothesis of the security incident in question, ViSe is configured with the appropriate operating systems, services, and exploits. Attacks are formulated as event chains and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose of the approach is to facilitate reconstruction experiments in digital forensics. Two examples are given to demonstrate the approach; one overview example based on the Trojan defense and one detailed example of a multi-step attack. Although a reconstruction can neither prove a hypothesis with absolute certainty nor exclude the correctness of other hypotheses, a standardized environment, such as ViSe, combined with event reconstruction and testing, can lend credibility to an investigation and can be a great asset in court.


  title    = {{Using a virtual security testbed for digital forensic reconstruction}},
  author   = {Årnes, André and Haas, Paul and Vigna, Giovanni and Kemmerer, Richard A.},
  month    = {December},
  year     = {2006},
  issn     = {1772-9890, 1772-9904},
  journal  = {Journal in Computer Virology},
  language = {en},
  number   = {4},
  pages    = {275--289},
  url      = {},
  volume   = {2}