1. Field of the Invention
The present invention generally relates to a system, method and program product for automatically collecting state information for computer system intrusion analysis. Specifically, the present invention allows state information to be automatically collected from a computer system regardless of the platform operating thereon.
2. Background Art
Computer system intrusion (e.g., hacking) has become a serious problem for governments and businesses. Specifically, a hacker can gain unauthorized access to a network by establishing a connection to a server (i.e., host). Once connected, the hacker can severely disrupt or crash the network. Each year, billions of dollars are lost to such hacker intrusions.
When hacker intrusion occurs, it is essential to be able to discern how the intrusion occurred and to what degree the network was affected. To this extent, state information regarding the server and its network environment is essential. State information relates to the condition of being of a system, and is subject to change (e.g., is dynamic). In general, the state of a system (e.g., a server) is maintained in various file locations as well as in volatile memory such as Random Access Memory (RAM). State information typically includes information such as network interface configuration, active environment variables, routing tables, active network services, etc. In the event of intrusion, state information is usually affected in a manner that can indicate the details of the intrusion. Accordingly, state information can be extremely valuable for intrusion analysis.
Heretofore, the collection of state information has been a time-consuming and inaccurate process as no tools currently exist to automatically collect the information. In contrast, existing tools typically focus on recovering non-state information such as files (e.g., memorandums, electronic mail messages, etc.) from a computer system's hard drive and/or file slack space. While such information may help show wrongdoing by an authorized user of the network, it provides little use in the event of intrusion. If state information is desired, it must be manually recovered by an intrusion investigator or a system administrator. Unfortunately, the manual recovery of state information yields mixed results. For example, different administrators might recover different types of information. Moreover, as platforms (operating systems) change, the manner in which state information is stored and retrieved may change as well. For example, the manner in which state information is recovered a computer system operating with UNIX version “A” might differ from the manner in which it is recovered from a computer system operating with UNIX version “B.” This makes collection of the necessary state information extremely difficult.
In view of the foregoing, there exists a need for a tool for automatically collecting state information for computer system intrusion analysis. In addition, a need exists for such a tool to be able to identify the type of a platform operating on a computer system so that the information can be more readily recovered. A further need exists for a tool that uses the utilities of the identified platform to locate the sought information.