Network Forensics

What is it?
► Remote data acquisition (disk capture)
► Remote collection of live systems (memory)
► Traffic acquisition (cables and devices)
► Multiple examiners viewing a single source

Technical
► Current tools don't cut it
  • Validation – integrity of data
  • Multiple machine functions (network devices)
  • Traffic capture (non-TCP/UDP)
  • Data loss due to high traffic volumes
  • Content ID and analysis (VoIP, IM)
  • Traffic pattern recognition
  • Data reduction
  • Attribution (IP forgery, onion routing)
  • False positives
  • Dynamic systems
  • Speed and minimal system impact is a priority

Legal
► Privacy issues
  • Commingling of data
► Jurisdiction
  • Interstate warrants

Policy
► Banners and policy statements
► Logging requirements
  • Third-party tools to meet our needs?
  • Pressure device vendors?
► Bill of rights
  • Balance need for attribution with individual rights

Short Term Goals
► Define network forensics
► Tools
  • Capture
  • Analysis (data normalization, visualization and mining)
  • Attribution
► Process
  • Best practices
  • Guidelines for various devices/situations

Long Term Goals
► Persuade industry to provide monitoring ability
► OS development to enable capture of volatile data
► OS development to minimize commingling