Intrusion analysis and recovery

Posted on: 2006-02-09
Degree: M.A.Sc
Type: Thesis
University: University of Toronto (Canada)
Candidate: Farhadi, Kamran
Full Text: PDF
GTID: 2458390008460179
Subject: Computer Science
Abstract/Summary:
When intrusions occur, two of the most costly, time-consuming, and human-intensive tasks are the analysis and recovery of the compromised system. This thesis uses a complete log of all system activities for post-facto analysis and recovery, and it shows how historical analysis tools can be implemented easily and efficiently over this complete log. These tools allow detailed analysis of real attacks.

This thesis also describes a framework for efficiently recovering file-system data after an intrusion occurs or after some damage is caused by system management error. Our approach uses efficient redo recovery and ensures that no legitimate data is lost after recovery by using automated conflict resolution algorithms to isolate compromised objects that are needed by legitimate operations. This framework is fully implemented, and a detailed evaluation shows that it can correctly recover file-system data from a wide range of incidents.
Keywords/Search Tags:Recovery