Network Forensics - PowerPoint PPT Presentation

Slides: 8
Provided by: per67
1
Network Forensics
2
What is it?
  • Remote data acquisition (disk capture)
  • Remote collection of live systems (memory)
  • Traffic acquisition (cables and devices)
  • Multiple examiners viewing single source

3
Technical
  • Current tools don't cut it
  • Validating the integrity of captured data
  • Multi-function machines (network devices)
  • Traffic capture (non-TCP/UDP protocols)
  • Data loss due to high traffic volumes
  • Content identification and analysis (VoIP, IM)
  • Traffic pattern recognition
  • Data reduction
  • Attribution (IP forgery, onion routing)
  • False positives
  • Dynamic systems
  • Speed and minimal system impact are a priority
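The capture-side points on slide 2 (traffic acquisition) and slide 3 (validating the integrity of captured data, capturing non-TCP/UDP traffic, data loss under load, data reduction) can be shown together on a single pcap. The following is an added example written for this page, not code from the presentation: it parses a classic libpcap file, hashes the capture as acquired so later analysis can be checked against it, classifies every frame including ICMP and non-IP traffic, reduces packets to per-flow counts, and flags two loss or ordering symptoms a pcap can reveal on its own (frames cut short by the snaplen, timestamps that go backwards). The capture is constructed in memory, and the names build_pcap, ether_ipv4, classify, triage and SAMPLE_PCAP are this example's own.

```python
"""Capture triage for a classic libpcap file: parse records, classify frames
including non-TCP/UDP and non-IP traffic, reduce to flow counts, and record a
SHA-256 over the capture as acquired. Added example for the Network Forensics
slides, not code from the presentation; the sample capture is constructed below."""

import hashlib
import struct
from collections import Counter

PCAP_MAGIC_USEC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}


def build_pcap(records, snaplen=65535):
    """Write a pcap from (ts_sec, ts_usec, frame, orig_len) tuples.
    orig_len > len(frame) models a frame cut short by the snaplen."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame, orig_len in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len)
        out += frame
    return bytes(out)


def ether_ipv4(src, dst, proto, payload):
    """Constructed Ethernet+IPv4 frame; IP checksum is left zero (not checked)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                     proto, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
            + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload)


def iter_records(pcap):
    """Yield (timestamp_in_usec, incl_len, orig_len, frame) per record."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    off = 24  # fixed-size global header
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        yield ts_sec * 1_000_000 + ts_usec, incl_len, orig_len, frame


def classify(frame):
    """Flow key (proto, src, dst, sport, dport). Non-IPv4 frames become OTHER;
    IPv4 protocols other than TCP/UDP keep their name and carry no ports."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return ("OTHER", None, None, None, None)
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    name = IP_PROTO_NAMES.get(proto, "IP/%d" % proto)
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return (name, src, dst, sport, dport)
    return (name, src, dst, None, None)


def triage(pcap):
    """Summary an examiner records before analysis: hash of the capture as
    acquired, protocol mix, per-flow packet and byte counts, and evidence of
    loss (truncated frames) or reordering (timestamps going backwards)."""
    flows, flow_bytes, protos = Counter(), Counter(), Counter()
    truncated = out_of_order = packets = 0
    last_ts = None
    for ts, incl_len, orig_len, frame in iter_records(pcap):
        packets += 1
        truncated += incl_len < orig_len                    # snaplen cut the frame
        out_of_order += last_ts is not None and ts < last_ts  # clock or merge problem
        last_ts = ts
        key = classify(frame)
        flows[key] += 1
        flow_bytes[key] += orig_len   # count wire bytes, not captured bytes
        protos[key[0]] += 1
    return {"sha256": hashlib.sha256(pcap).hexdigest(), "packets": packets,
            "protocols": dict(protos), "truncated": truncated,
            "out_of_order": out_of_order,
            "flows": {k: (flows[k], flow_bytes[k]) for k in flows}}


# Constructed capture: TCP SYN, a repeated UDP flow, an ICMP echo (non-TCP/UDP),
# a UDP frame truncated by a short snaplen, and an out-of-order ARP frame.
_tcp = ether_ipv4("10.0.0.5", "10.0.0.9", 6,
                  struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x02, 8192, 0, 0))
_udp = ether_ipv4("10.0.0.5", "10.0.0.9", 17,
                  struct.pack("!HHHH", 53000, 53, 38, 0) + b"\x00" * 30)
_icmp = ether_ipv4("10.0.0.5", "10.0.0.9", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping")
_sip = ether_ipv4("10.0.0.9", "10.0.0.5", 17, struct.pack("!HHHH", 5060, 5060, 208, 0)
                  + b"INVITE sip:bob SIP/2.0\r\n".ljust(200, b"\x00"))
_arp = (b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06"
        + b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)
SAMPLE_PCAP = build_pcap([
    (1700000000, 0, _tcp, len(_tcp)),
    (1700000000, 500, _udp, len(_udp)),
    (1700000001, 0, _icmp, len(_icmp)),
    (1700000001, 100, _udp, len(_udp)),
    (1700000001, 200, _sip[:60], len(_sip)),   # caplen 60 < original 242
    (1700000000, 900, _arp, len(_arp)),        # earlier than the previous record
])

if __name__ == "__main__":
    for k, v in triage(SAMPLE_PCAP).items():
        print(k, v)
```

The hash is taken over the file bytes exactly as acquired, before any filtering or reduction, so the flow table and protocol counts can always be traced back to the acquired evidence. A truncated count above zero means payload analysis (the VoIP or IM content identification on slide 3) will be working from partial data, and timestamps running backwards usually mean captures from different taps or clocks were merged without normalization.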

4
Legal
  • Privacy Issues
  • Commingling of data
  • Jurisdiction
  • Interstate Warrants

5
Policy
  • Banners and policy statements
  • Logging requirements
  • Third-party tools to meet our needs?
  • Pressure device vendors?
  • Bill of rights
  • Balance the need for attribution with individual rights

6
Short Term Goals
  • Define network forensics
  • Tools
  • Capture
  • Analysis (data normalization, visualization and mining)
  • Attribution
  • Process
  • Best practices
  • Guidelines for various devices/situations

7
Long Term Goals
  • Persuade industry to provide monitoring capability
  • OS development to enable capture of volatile data
  • OS development to minimize commingling