Skip to main content
"Forensix: A Robust, High-Performance Reconstruction System"
Distributed Computing Systems Workshops, 2005. 25th IEEE International Conference on (2005)
  • Jonathan Walpole, Portland State University
  • Ashvin Goel, University of Toronto
  • Wu-chang Feng, Portland State University
  • Wu-chi Feng, Portland State University
  • David Maier, Portland State University

When computer intrusions occur, one of the most costly, time-consuming, and human-intensive tasks is the analysis and recovery of the compromised system. At a time when the cost of human resources dominates the cost of CPU, network, and storage resources, we argue that computing systems should, in fact, be built with automated analysis and recovery as a primary goal. Towards this end, we describe the design, implementation, and evaluation of Forensix: a robust, high-precision reconstruction and analysis system for supporting the computer equivalent of "TiVo". Forensix uses three key mechanisms to improve the accuracy and reduce the human overhead of performing forensic analysis. First it performs comprehensive monitoring of the execution of a target system at the kernel event level, giving a high-resolution, application-independent view of all activity. Second, it streams the kernel event information, in real-time, to append-only storage on a separate, hardened, logging machine, making the system resilient to a wide variety of attacks. Third, it uses database technology to support high-level querying of the archived log, greatly reducing the human cost of performing forensic analysis.

  • Database management,
  • Electronic data processing -- Structured techniques,
  • High performance computing,
  • Data protection,
  • Data recovery (Computer science)
Publication Date
June, 2005
Citation Information
Jonathan Walpole, Ashvin Goel, Wu-chang Feng, Wu-chi Feng, et al.. ""Forensix: A Robust, High-Performance Reconstruction System"" Distributed Computing Systems Workshops, 2005. 25th IEEE International Conference on (2005)
Available at: