It is desirable to be able to gather more forensically valuable audit data from
computing systems than is currently done or possible. This is useful for the
reconstruction of events that took place on the system for the purpose of
digital forensic investigations. In this paper, we propose a mechanism that
allows arbitrary meta-information bound to principals on a system to be
propagated based on causality influenced by information flow. We further discuss
how to implement such a mechanism for the FreeBSD operating system and present
a proof-of-concept implementation that has little overhead compared to the
system without label propagation.