Honeytraps, A Network Forensic Tool
Yanet Manzano
Florida State University
Computer Science Masters
Information Assurance and Security Track

Talk Outline
- Introduction
- Honeytraps
- State of the Art
- Honeytrap as Forensic Tools
  - Architectures
  - Forensic Investigation
  - Making the Case
- Concluding Remarks

Introduction
- Traditional security efforts
  - Actions before attack to protect resources
- Recently
  - Actions during suspected attacks to protect resources
- Computer and Network Forensics (CNF)
- Perpetual Action-Response-Reaction Cycle

Introduction (cont)
- Prosecute Criminals (CNF)
- Create counter-measures (Honeytraps)
- Gathering Info about Computer Crimes

CNF
- Computer and Network Forensics (CNF)
  - gathering information to legally link attacks and perpetrators
- Differences

Honeytraps
- Systems designed to be compromised
- No real valuable data or information
- Collect data to learn about blackhat community
  - level of skill
  - methodology
  - tactics
  - tools
  - other information
- Profiling Specific Blackhat: Script Kiddie Signature
  - low -> using scripts -> X vulnerability -> scripts used -> website
Notes: Script Kiddies: low-skill blackhats that use scripts written by more advanced blackhats to break into systems.
  - level of skills: low
  - methodology: using scripts
  - tactics: searching for X vulnerability
  - tools: specific scripts used
  - other information: site where scripts were downloaded from

Honeytraps (Specifics)
- Honeypots (computer based)
  - host systems emulating a known vulnerability
  - modified production systems
    - caged environment
- Honeynets (network based)
  - a network of interconnected production and honeypot nodes
Notes: Host system: attracts intruders to enter the host by emulating a known vulnerability. Modified production system: creates caged environments where the actions of intruders can be carefully monitored and documented.

Why not used for forensic?
- Designed to gather information
- Information security has been purely defensive
- Legal Issues
  - Intrusion?
    - No real system
  - Damage?
    - No real users, or valuable data
  - Entrapment?
Notes: Designed to gather information. We do not want honeytraps to be a threat to hackers. We want them to come in.

State of the Art
[Diagrams: Traditional Forensic Model and New Forensic Model. Labels in one timeline: START, ATTACK UNDERWAY, INVESTIGATION UNDERWAY, INVESTIGATION COMPLETE; attack occurs, attack detected, last evidence gathered; gather evidence, analyze evidence, verdict/settlement. Labels in the other timeline: START, ATTACK UNDERWAY, ANALYSIS UNDERWAY, INVESTIGATION COMPLETE; attack occurs, attack detected, present evidence; gather evidence, verdict/settlement.]

Architectures
- Serial Architecture
- Parallel Architecture
- Modify forensic model
- facilitate the forensic investigation

Serial Architecture
- recognized users filtered to the production system
- blackhats stay in the honeytrap
[Diagram labels: Internet, Blackhat, Firewall, Honeytrap, Potential Evidence, Firewall, Production System]

Serial Architecture
- Advantages
  - Greater monitoring capabilities on the blackhat's actions
  - Tracing capability, tailing the blackhat
- Pitfalls
  - Very resource intensive

Parallel Architecture
- independent
[Diagram labels: Internet, Blackhat, Firewall, Honeytrap, Potential Evidence]

Parallel Architecture
- Advantages
  - Honeytrap completely independent of the production system
  - Less resource intensive
- Pitfalls
  - Loose tracing capabilities
  - Additional constraint: both systems have to be attacked independently

Serial Forensic Model
[Diagram labels: START, HONEYTRAP ENTERED, FORENSIC ALERT SYSTEM ACTIVATE, PRODUCTION SYSTEM ON FORENSIC ALERT, PRODUCTION SYSTEM COMPROMISED, ANALYSIS UNDERWAY, INVESTIGATION COMPLETE; attack occurs, attack detected, attack expands, response procedure activated; gather evidence, present evidence, verdict/settlement]

Parallel Model (Four Possibilities)
- Attack: Honeytrap, then Production System
  - Preferable
- Attack: Production System, then Honeytrap
  - For future reference
- Attack: Honeytrap only
  - For future attacks
- Attack: Production system only
  - Use information already collected
Notes:
- Attack: Honeytrap, then Production System
  - Preferable, use info from HT for the investigation
- Attack: Production System, then Honeytrap
  - Info may still be of use, for future reference
- Attack: Honeytrap only
  - Collect info for future reference
- Attack: Production system only
  - May be able to use info already collected

Parallel Forensic Model
[Diagram with two timelines. (A): START, HONEYTRAP ENTERED, FORENSIC ALERT SYSTEM ACTIVATE, PRODUCTION SYSTEM ON FORENSIC ALERT, ANALYSIS UNDERWAY, INVESTIGATION COMPLETE; attack occurs, attack detected; gather evidence. (B): START, PRODUCTION SYSTEM COMPROMISED, ANALYSIS UNDERWAY, INVESTIGATION COMPLETE; attack occurs, attack detected, response procedure activated; gather evidence, present evidence, verdict / settlement. Also labelled: HONEYTRAP DATABASE.]

Forensic Investigation
- Two Parts
  - Honeytrap Forensic Investigation (HTFI)
  - Production System Forensic Investigation (PSFI)

Honeytrap Forensic Investigation
- Goal
  - Produce signature for blackhat A
    - A Identity
    - A Tactics
    - A Tools
    - A Targets
    - A Other Info

Production System Forensic Investigation
- Goal
  - Produce partial signature for blackhat B
    - B Tactics
    - B Tools
    - B Targets
    - B Other Info
  - Damage Report

Making the case
- Blackhat A signature from HTFI
  - A Identity
  - A Tactics
  - A Tools
  - A Targets
  - A Other Info
- Blackhat B partial signature from PSFI
  - B Tactics
  - B Tools
  - B Targets
  - B Other Info
- Damage Report

Making the case
- A Identity, A Tactics, A Tools, A Targets, A Other Info
- B Tactics, B Tools, B Targets, B Other Info

Making the case
- A Tactics B
- A Tools B
- A Targets B
- A Other Info B
- A Identity = B Identity
- Blackhat A = Blackhat B

Making the case
1) Collect Evidence: Damage Report, Blackhat's identity
2) Take action: Prosecute Blackhat
3) Resolution: Verdict / Settlement

Concluding Remarks
- Security dream system
  - 100% prevention
- CNF dream system
  - 100% monitoring
- Honeytraps
  - monitoring tools, collecting evidence
  - Architectures: Serial (more effective), Parallel
- solution: CNF Friendly system

More information
- http://www.cs.fsu.edu/~manzano/Research/
- Further Questions or Comments