Network Forensics
What is it?
• Remote data acquisition (disk capture)
• Remote collection of live systems (memory)
• Traffic acquisition (cables and devices)
• Multiple examiners viewing a single source
Technical
• Current tools don’t cut it
• Validation – integrity of data
• Multiple machine functions (network devices)
• Traffic capture (non TCP/UDP)
• Data loss due to high traffic volumes
• Content ID and analysis (VoIP, IM)
• Traffic pattern recognition
• Data reduction
• Attribution (IP forgery, onion routing)
• False positives
• Dynamic systems
• Speed and minimal system impact is a priority
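The "Validation – integrity of data" and "Data loss due to high traffic volumes" points above are the ones an examiner can check mechanically. The following is an added example, not from the original slides: it records a SHA-256 and size for each acquired capture at collection time, checks that a capture starts with a well-formed classic pcap global header, and later re-verifies the manifest so that truncation (for example from a full disk during a high-volume capture) or tampering is detected. All capture data here is constructed in the script; file names such as `sensor-a.pcap` are placeholders.

```python
"""Added example (not part of the original slides): integrity validation of
acquired network-capture files.

Two checks before trusting a capture: (1) the file is a well-formed classic
pcap (magic number and version 2.4), and (2) its size and SHA-256 match the
values recorded at acquisition, so later truncation or tampering is detected.
All sample data below is constructed; no real traffic is involved.
"""
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic (microsecond timestamps)
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic when the file uses the other byte order
PCAP_GLOBAL_HEADER_LEN = 24


def digest_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a capture held in memory."""
    return hashlib.sha256(data).hexdigest()


def digest_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file on disk, streamed so multi-gigabyte captures fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def pcap_header_ok(data: bytes) -> bool:
    """Return True if data starts with a plausible classic pcap global header."""
    if len(data) < PCAP_GLOBAL_HEADER_LEN:
        return False
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"          # written little-endian
    elif magic == PCAP_MAGIC_SWAPPED:
        order = ">"          # written big-endian
    else:
        return False
    major, minor = struct.unpack(order + "HH", data[4:8])
    return (major, minor) == (2, 4)


def make_manifest(captures: dict) -> dict:
    """Record name -> {size, sha256} at acquisition time (the chain-of-custody baseline)."""
    return {name: {"size": len(blob), "sha256": digest_bytes(blob)}
            for name, blob in captures.items()}


def verify_manifest(manifest: dict, captures: dict) -> list:
    """Return the names whose current content no longer matches the manifest."""
    bad = []
    for name, rec in manifest.items():
        blob = captures.get(name)
        if blob is None or len(blob) != rec["size"] or digest_bytes(blob) != rec["sha256"]:
            bad.append(name)
    return sorted(bad)


def constructed_pcap() -> bytes:
    """A constructed, minimal pcap: global header plus one zero-length packet record."""
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    gh = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    # ts_sec, ts_usec, incl_len, orig_len
    rec = struct.pack("<IIII", 0, 0, 0, 0)
    return gh + rec


def demo() -> list:
    """Acquire, record, then detect a truncated capture. Returns the mismatched names."""
    captures = {"sensor-a.pcap": constructed_pcap()}  # placeholder name, constructed data
    if not pcap_header_ok(captures["sensor-a.pcap"]):
        raise ValueError("capture is not a well-formed pcap")
    manifest = make_manifest(captures)
    assert verify_manifest(manifest, captures) == []
    # simulate truncation by a full disk or an interrupted transfer
    captures["sensor-a.pcap"] = captures["sensor-a.pcap"][:-4]
    return verify_manifest(manifest, captures)


if __name__ == "__main__":
    print(demo())  # ['sensor-a.pcap']
```

Size is checked alongside the hash so that a truncated capture is reported even before the (slower) digest is recomputed; in practice the manifest would be written to a separate, access-controlled location at acquisition time and re-run by any later examiner.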
Legal
• Privacy issues
• Commingling of data
• Jurisdiction
• Interstate warrants
Policy
• Banners and policy statements
• Logging requirements
• Third-party tools to meet our needs?
• Pressure device vendors?
• Bill of rights
• Balance need for attribution with individual rights
Short Term Goals
• Define network forensics
• Tools
  • Capture
  • Analysis (data normalization, visualization and mining)
  • Attribution
• Process
  • Best practices
  • Guidelines for various devices/situations
Long Term Goals
• Persuade industry to provide monitoring ability
• OS development to enable capture of volatile data
• OS development to minimize commingling