Cost-benefit analysis of kernel tracing systems for forensic readiness

We present a cost-benefit analysis of kernel tracing systems for forensic readiness. We use the comprehensive coverage provided by kernel tracing systems as the indicator of benefit, and calculate the performance and storage overheads caused by collecting kernel traces as the cost metrics. Through utilizing kernel tracing systems to trace system calls exercised by a system call fuzzer, we present the comprehensive coverage provided by three kernel tracing systems: strace, SystemTap, and LTTng, along with their performance and storage overheads.