Title: SBBox: A Tamper-Resistant Digital Archiving System

Issue Number: Vol. 5, No. 3
Year of Publication: Aug - 2016
Page Numbers: 122-131
Authors: Monjur Alam, Zhe Cheng Lee, Chrysostomos Nicopoulos, Kyu Hyung Lee, Jongman Kim, Junghee Lee
Journal Name: International Journal of Cyber-Security and Digital Forensics (IJCSDF) - Hong Kong
DOI: http://dx.doi.org/10.17781/P002085


Reliable forensic data (kernel, socket, audit, other user-defined data, etc.) is imperative when investigating cybercrimes. While static and dynamic forensic data collection techniques have already been proposed, none of them pays attention to storing the collected data securely. If the forensic data is tampered with while in storage, after collection, investigators cannot rely on it. In this paper, we propose a novel hardware/software collaborative mechanism for capturing forensic data. The proposed BlackBox Engine ensures data integrity, whereby distorted data can be traced. The BlackBox Engine runs on a proposed hardware device called Server BlackBox (SBBox). Compared with append-only storage, SBBox offers a more comprehensive solution for forensic data collection and storage, including capturing changes in any file, compressing data, and reconstructing distorted data. Due to the close integration between application software, kernel, and the proposed hardware, it is virtually impossible for an intruder to interfere with the system by any unfair means. After running standard benchmarks, we observe that the proposed solution incurs minimal overhead of 3.2%, 4.9%, and 1.4% for the CPU, memory, and network, respectively.