Network Forensics

Upload: ashlynn-byrd

Post on 26-Dec-2015

What is it?

► Remote data acquisition (disk capture)
► Remote collection of live systems (memory)
► Traffic acquisition (cables and devices)
► Multiple examiners viewing a single source

Technical

► Current tools don't cut it
  - Validation: integrity of data
  - Multiple machine functions (network devices)
  - Traffic capture (non TCP/UDP)
  - Data loss due to high traffic volumes
  - Content ID and analysis (VoIP, IM)
  - Traffic pattern recognition
  - Data reduction
  - Attribution (IP forgery, onion routing)
  - False positives
► Dynamic systems
  - Speed and minimal system impact is a priority
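Two of the tool gaps listed above, validating the integrity of captured data and handling traffic that is not TCP or UDP, can be illustrated with a small capture reader. The following is an added example written for this page, not code from the slide deck or from any tool it mentions. It constructs a classic pcap file in memory (the MAC and IP addresses are made up), classifies each frame so that ICMP, ARP and other non-TCP/UDP traffic is counted rather than silently ignored, and builds a per-packet SHA-256 hash chain that an examiner can store as a manifest; a later run of the chain over the same file reveals whether, and at which packet, the capture was altered or truncated. The chain label `pcap-chain-v1` is an arbitrary constant chosen for the example.

```python
"""Added example: classify frames in a pcap and hash-chain the records
for integrity validation. The capture bytes are constructed inline."""
import hashlib
import struct

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def build_frame(ethertype, ip_proto=None):
    """Construct a throwaway Ethernet frame for the sample capture.
    Only the header fields the classifier inspects are meaningful."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ethertype))
    if ethertype == ETH_P_IP:
        payload_len = 8
        # ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64,
                         ip_proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        return eth + ip + b"\x00" * payload_len
    return eth + b"\x00" * 28  # ARP or unknown ethertype: opaque body


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Yield the raw frames of a little-endian classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify(frame):
    """Name the protocol so non-TCP/UDP traffic is counted, not dropped."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_P_ARP:
        return "arp"
    if ethertype != ETH_P_IP:
        return "other-l2"
    proto = frame[14 + 9]  # protocol byte at offset 9 of the IPv4 header
    return {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp", IPPROTO_ICMP: "icmp"}.get(proto, "other-ip")


def summarize(data):
    """Count frames per protocol class."""
    counts = {}
    for frame in read_pcap(data):
        kind = classify(frame)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def chain_digests(data):
    """Return one hex digest per packet, each covering all packets before it."""
    digest = hashlib.sha256(b"pcap-chain-v1").digest()  # arbitrary chain label
    chain = []
    for frame in read_pcap(data):
        digest = hashlib.sha256(digest + frame).digest()
        chain.append(digest.hex())
    return chain


def first_divergence(expected, actual):
    """Index of the first packet whose chained digest differs from the stored
    manifest; the shorter length if one chain is a prefix of the other
    (truncation or appended records); None if the chains are identical."""
    for i, (e, a) in enumerate(zip(expected, actual)):
        if e != a:
            return i
    if len(expected) != len(actual):
        return min(len(expected), len(actual))
    return None


SAMPLE = build_pcap([
    build_frame(ETH_P_IP, IPPROTO_TCP),
    build_frame(ETH_P_IP, IPPROTO_UDP),
    build_frame(ETH_P_IP, IPPROTO_ICMP),
    build_frame(ETH_P_ARP),
    build_frame(ETH_P_IP, 47),  # GRE, falls into "other-ip"
])

if __name__ == "__main__":
    print(summarize(SAMPLE))
    manifest = chain_digests(SAMPLE)
    tampered = bytearray(SAMPLE)
    tampered[-1] ^= 0xFF  # flip a payload byte in the last packet
    print("tampered at packet", first_divergence(manifest, chain_digests(bytes(tampered))))
```

Storing the per-packet chain alongside the capture (signed or kept on write-once media) is what makes the check useful: a single hash over the whole file only says "something changed", whereas the chain localizes the first altered or missing record, which matters when several examiners work from copies of one source.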

Legal

► Privacy issues
  - Commingling of data
► Jurisdiction
  - Interstate warrants

Policy

► Banners and policy statements
► Logging requirements
  - Third party tools to meet our needs?
  - Pressure device vendors?
► Bill of rights
  - Balance the need for attribution with individual rights

Short Term Goals

► Define network forensics
► Tools
  - Capture
  - Analysis (data normalization, visualization and mining)
  - Attribution
► Process
  - Best practices
  - Guidelines for various devices/situations

Long Term Goals

► Persuade industry to provide monitoring ability
► OS development to enable capture of volatile data
► OS development to minimize commingling