Network Forensics

What is it?
► Remote data acquisition (disk capture)
► Remote collection of live systems (memory)
► Traffic acquisition (cables and devices)
► Multiple examiners viewing single source

Technical
► Current tools don’t cut it
  § Multiple machine functions (network devices)
  § Traffic capture (non TCP/UDP)
  § Data loss due to high traffic volumes
  § Content ID and analysis (VoIP, IM)
  § Traffic pattern recognition
  § Data reduction
  § Attribution (IP forgery, onion routing)
  § False positives
  § Dynamic systems
► Validation – integrity of data
  § Speed and minimal system impact is a priority

Legal
► Privacy issues
  § Commingling of data
► Jurisdiction
  § Interstate warrants

Policy
► Banners and policy statements
► Logging requirements
  § Third party tools to meet our needs?
  § Pressure device vendors?
► Bill of rights
  § Balance need for attribution with individual rights

Short Term Goals
► Define network forensics
► Tools
  § Capture
  § Analysis (data normalization, visualization and mining)
  § Attribution
► Process
  § Best practices
  § Guidelines for various devices/situations

Long Term Goals
► Persuade industry to provide monitoring ability
► OS development to enable capture of volatile data
► OS development to minimize commingling