
Network-Based Evidence Acquisition Practices, Research Paper Example

Pages: 5

Words: 1451

Research Paper

Introduction

This memo is intended to address our company's concerns about network-based evidence acquisition practices.  We will discuss in detail the forensic methods used to access our network traffic for computer forensic data acquisition.  In addition, we will discuss the four main types of network-based evidence: full content, alert, statistical, and session data.  This memo will also address the company's use of hubs, TAPs, in-line devices, and SPAN ports to access our network traffic, along with the advantages and disadvantages of each.  Finally, I will wrap up with my recommendations on best practices for the company.

Acquiring Full Content, Alert, Statistical and Session Network Data

There are four main types of network-based evidence: full content, alert, session data, and statistical data.  The details of each are as follows:

  • Full content data is recorded when all data that passes through the network during a specific, set time window is captured for analysis and as potential evidence. Because it requires a large amount of storage and network resources, this form of monitoring is used less frequently than the others.
  • Alert data is set up by the network administrator to detect key phrases, words, and potentially malicious IP addresses. A match on any of these causes the network to record all activity related to the unauthorized or unpermitted access.  This is done with specific software set up by the company; the same software can block users from accessing such sites and servers.  The only known drawback of this type of network-based evidence is that it can slow down the network by blocking sites unnecessarily, since there is no way to differentiate harmless sites from malicious ones.
  • Statistical data is analyzed across the entire network, not just within one individual session. The network is examined for unusual data transfers and for areas that are accessed abnormally often, and excessive transfers are pinpointed.  This kind of analysis can notify the company of misuse of the network.  For it to succeed, the host needs to build an activity profile that defines normal network patterns; deviation from those patterns then indicates potential network misuse.
  • Session data captures the information passed between two users or systems. This type of network-based evidence is also called conversation or flow data (Bejtlich 2005).  It can identify the parties involved, the amount transferred, and the time taken.  Session data can flag excessive duration and unusual data transfers, along with connections over nonstandard protocols.
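As an added example (not from the memo or from Bejtlich's book), the following Python derives the other three kinds of evidence from a handful of full-content records: alert data from an administrator's watch-list of IP addresses and keywords, session data by aggregating packets into flows and flagging excessive duration and nonstandard ports, and statistical data by totalling bytes per host across all sessions and comparing against a baseline activity profile. The packet records, watch-list, thresholds and baseline are all constructed for the example.

```python
"""Derive alert, session (flow) and statistical data from full-content records.

Added example, not from the memo. The packet records below are constructed
sample data; the watch-list, thresholds and baseline profile are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "full content" records: (timestamp, src, dst, dst_port, proto, payload)
PACKETS = [
    (0.0, "10.0.0.5", "93.184.216.34", 443, "tcp", b"\x16\x03\x01"),
    (0.4, "10.0.0.5", "93.184.216.34", 443, "tcp", b"\x17\x03\x03" + b"A" * 1200),
    (1.0, "10.0.0.7", "198.51.100.9", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    (1.1, "10.0.0.7", "198.51.100.9", 80, "tcp", b"POST /login password=hunter2"),
    (2.0, "10.0.0.9", "203.0.113.77", 6667, "tcp", b"NICK bot1"),
    (3.0, "10.0.0.9", "203.0.113.77", 6667, "tcp", b"PRIVMSG #c :cmd" * 50),
    (9.0, "10.0.0.9", "203.0.113.77", 6667, "tcp", b"x" * 4000),
]

# Alert data: watch-list of hosts and keywords chosen by the administrator (assumed).
WATCH_IPS = {"203.0.113.77"}
WATCH_KEYWORDS = [b"password", b"PRIVMSG"]

# Assumed activity profile: bytes sent per internal host during normal hours.
BASELINE = [1100, 900, 1300, 1000, 1200]


def alert_data(packets):
    """Return one alert per packet that matches a watched IP or a keyword."""
    alerts = []
    for ts, src, dst, port, proto, payload in packets:
        reasons = []
        if dst in WATCH_IPS or src in WATCH_IPS:
            reasons.append("watched-ip")
        reasons += [f"keyword:{k.decode()}" for k in WATCH_KEYWORDS if k in payload]
        if reasons:
            alerts.append({"ts": ts, "src": src, "dst": dst, "port": port, "reasons": reasons})
    return alerts


def session_data(packets):
    """Aggregate packets into flows keyed by (src, dst, dst_port, proto)."""
    flows = {}
    for ts, src, dst, port, proto, payload in packets:
        key = (src, dst, port, proto)
        f = flows.setdefault(key, {"start": ts, "end": ts, "packets": 0, "bytes": 0})
        f["end"] = max(f["end"], ts)
        f["packets"] += 1
        f["bytes"] += len(payload)
    for f in flows.values():
        f["duration"] = f["end"] - f["start"]
    return flows


def flag_sessions(flows, max_duration=5.0, standard_ports=(80, 443)):
    """Flag flows with excessive duration or a nonstandard destination port."""
    flagged = {}
    for key, f in flows.items():
        reasons = []
        if f["duration"] > max_duration:
            reasons.append("long-duration")
        if key[2] not in standard_ports:
            reasons.append("nonstandard-port")
        if reasons:
            flagged[key] = reasons
    return flagged


def statistical_data(flows):
    """Bytes sent per internal host across all sessions, not per flow."""
    per_host = defaultdict(int)
    for (src, _, _, _), f in flows.items():
        per_host[src] += f["bytes"]
    return dict(per_host)


def deviations(per_host, baseline, z=2.0):
    """Hosts whose volume exceeds mean + z * stdev of the baseline profile."""
    threshold = mean(baseline) + z * pstdev(baseline)
    return {h: b for h, b in per_host.items() if b > threshold}


if __name__ == "__main__":
    flows = session_data(PACKETS)
    print("alerts:", alert_data(PACKETS))
    print("flagged sessions:", flag_sessions(flows))
    print("deviating hosts:", deviations(statistical_data(flows), BASELINE))
```

Each stage discards detail the stage before it kept: the flow table no longer holds payloads, and the per-host totals no longer hold individual flows, which is why the memo's ordering (full content first, cheaper summaries after) matters when storage is limited.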

Using Hubs, TAPs, Inline Devices, and SPAN Ports to Access Network Traffic Threats

Hubs are devices that replicate a packet on every interface in the network, except the interface on which the packet arrived.  The hosts, of which there can be many, connect to the hub and can see each other's traffic.  Using a hub is very cost efficient, and hubs are readily available.  The disadvantages, however, are that a hub is impractical in a switched network, that it does not retransmit collisions, and that it is a single point of failure.

TAPs are test access ports.  The device copies traffic to monitoring devices within the network, providing an access point between any two network devices for passive monitoring.  There are many advantages to using TAPs for accessing network traffic threats.  First, a TAP increases the connectivity options for monitoring.  It does not introduce a point of failure.  The device remains passive and is device neutral, meaning it can be installed between any two devices.  Finally, it preserves the full-duplex link.  The biggest, and only real known, disadvantage is the cost of implementing TAPs.

Inline devices: “A very simple method of deploying security and monitoring devices is to place them in-line on the link.” (Weber 2006)  This makes layer 1 and layer 2 errors visible along with all traffic, and it keeps the entire duplex link.  No additional cables or access devices are necessary to use inline devices to monitor network traffic threats.  Inline devices have more disadvantages, however.  They introduce a point of failure.  An inline device is also fixed in one location, which greatly limits its usefulness; relocating it is not an easy task and often causes link downtime.

The last option for accessing network traffic threats is the SPAN port, also referred to as port mirroring or port monitoring.  It provides traffic monitoring from more than one switch port.  A SPAN port connects to a single port on the switch, and a simple NIC on the sensor is enough to give it easy access to the network; it can also monitor traffic threats from multiple switch ports.  There are some SPAN port limitations as well.  “SPAN ports drop packets if they are over subscribed or when the switch gets busy.  They do not pass packets that are oversized, undersized or that contain CRC errors and such packets may be involved in the problem being investigated.  And configuring a SPAN port changes the behavior of the switch which may change the nature of the problem.” (Net Optics)
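To make the oversubscription limitation concrete, here is a small Python check, added here and not part of the memo or the Net Optics paper, that models how much mirrored traffic a SPAN port must carry. It sums both directions of each full-duplex link and reports the fraction that cannot be forwarded; it also covers the general case of several mirrored links, which the text only implies. The link speeds, utilisations and the 1 Gbit/s SPAN port are constructed sample values.

```python
"""Model SPAN-port oversubscription for a set of mirrored full-duplex links.

Added example, not from the memo or Net Optics. Speeds are in Mbit/s; the
sample links, their utilisations and the SPAN port speed are constructed.
"""


def mirrored_load_mbps(links):
    """Traffic the SPAN session must forward, in Mbit/s.

    `links` holds (speed_mbps, tx_utilisation, rx_utilisation) per mirrored
    port. A full-duplex link carries both directions at once, so both are
    summed: a saturated 1 Gbit/s link presents 2 Gbit/s to the SPAN port.
    """
    return sum(speed * (tx + rx) for speed, tx, rx in links)


def span_capacity_check(span_speed_mbps, links):
    """Return (oversubscribed, load_mbps, fraction_dropped).

    Whatever exceeds the SPAN port's own speed cannot be forwarded and is
    dropped, which is the limitation the memo quotes. A TAP on each link avoids
    this because each direction keeps its own full-duplex path to the sensor.
    """
    load = mirrored_load_mbps(links)
    if load <= span_speed_mbps:
        return False, load, 0.0
    return True, load, (load - span_speed_mbps) / load


# Constructed scenarios: a lightly used 100 Mbit/s link, a single saturated
# full-duplex 1 Gbit/s link, and two moderately used 1 Gbit/s links.
SCENARIOS = {
    "light": [(100, 0.5, 0.5)],
    "saturated": [(1000, 1.0, 1.0)],
    "two-links": [(1000, 0.5, 0.25), (1000, 0.25, 0.5)],
}


def run_scenarios(span_speed_mbps=1000):
    """Evaluate every constructed scenario against one SPAN port speed."""
    return {name: span_capacity_check(span_speed_mbps, links)
            for name, links in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (over, load, dropped) in run_scenarios().items():
        print(f"{name:10s} load={load:6.0f} Mbit/s "
              f"oversubscribed={over} dropped={dropped:.0%}")
```

The "saturated" scenario is the one worth remembering: a SPAN port of the same speed as the link it mirrors already drops half of a busy full-duplex link, and the packets lost are exactly the ones an investigation may need.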

Conclusion of Best Practices

In computer forensics and network-based evidence acquisition, the best practices for preserving data are to follow these procedures: “Shut down the computer.  Execute the chain of custody.  Make bit stream backup.  Mathematically authenticate data.  Document the system time and date.  Make a list of key search words.  Evaluate the windows swap file.  Evaluate file slack space.  Evaluate unallocated space which includes erased files. Search files, file slack space, and unallocated space.  Document file names, dates and times.  Identify files, program and storage anomalies.  Evaluate program functionality.  And finally document your findings.” (The Proper Acquisition, Preservation, & Analysis of Computer Evidence: Guidelines and Best-practices)  Shutting down the computer is as simple as unplugging it from the wall.  It is important to remember that a malicious program could be running in the background of the computer; that is why unplugging is so important.  Chain of custody is as simple as evidence tags and establishing ownership of the device at all times.  It is important to keep the device in a secure location for evidence processing and to record exactly who is analyzing it.  Making a bit stream backup is essential for processing and safeguarding all evidence: the data is processed from the copy and the original is preserved.  Mathematical authentication of the data uses an MD5 sum.  Documenting the system date and time is important for accurately recording network information under these best practices; file time stamps need to reflect the same time as the system clock shows.  Listing key search words helps target the necessary data.  Computer hard drives are very large, which makes evaluating all of the information on them difficult, so a keyword list helps pinpoint evidence that is necessary and valuable for a particular investigation.
Evaluating the Windows swap file provides valuable information, but it is usually done with forensic tools.  File slack space is a data storage area that can hold a significant amount of data, including raw memory dumps.  Evaluating it again requires specific forensic tools, but it can provide viable information for network security and information recovery.  Evaluating unallocated space shows what the user has deleted, whether information or history; that data can be recovered and can provide valuable information about network threats.  Searching files, file slack space, and unallocated space makes it possible to recover deleted information that could be pertinent, and it also allows keyword searches.  Documenting file names, dates, and times is important in computer forensics so that the information can be used.  File, program, and storage anomalies include encrypted, compressed, and graphic files; because of their content, these files have to be evaluated manually to obtain network information.  Evaluating program functionality allows us to assess software and its capabilities.  Finally, we document our findings, which ensures that accurate information is retained and shared.  By using the procedures listed above, the network administrators will be able to preserve data for use now or later.  It will notify us of security issues and allow them to be addressed and rectified before damage is done.  We are using the best practices for acquiring digital evidence from the network.  By following these best practices for retaining and using network-based evidence, the company will be able to prevent unauthorized traffic and search the network for the information necessary to protect the company.
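The following Python is an added example, not the memo's or the cited guidelines' code, that works through several of the listed steps on a constructed in-memory disk image with a toy allocation table: it makes a bit-stream copy and authenticates it with the MD5 sum the guidelines call for (plus SHA-256, since MD5 is no longer collision-resistant), writes a chain-of-custody record with the acquisition time, extracts file slack and unallocated space, and runs a keyword search over the whole image. The block size, the file extents and the leftover data placed in slack and unallocated blocks are assumptions chosen for the example.

```python
"""Bit-stream copy, hash authentication, slack/unallocated extraction, keyword search.

Added example, not from the memo or the cited guidelines. The "disk image" is a
constructed in-memory byte string with a toy allocation table; the block size,
file extents and leftover data are assumptions chosen for the example.
"""
import hashlib
from datetime import datetime, timezone

BLOCK = 64  # constructed block size (real file systems use 512 or 4096 bytes)

# Allocation table: file name -> (first block, block count, logical size in bytes)
ALLOC = {"A.txt": (0, 2, 100), "B.bin": (3, 1, 64)}


def build_image():
    """Construct a tiny 8-block image: two files, slack, and unallocated space."""
    img = bytearray(8 * BLOCK)
    # File A occupies blocks 0-1 but is only 100 bytes long, leaving 28 bytes of
    # slack in block 1; the slack still holds data from an earlier file (constructed).
    img[0:100] = b"A" * 100
    slack = b"old pass=secret1 leftover..."
    img[100:100 + len(slack)] = slack
    # File B fills block 3 exactly, so it has no slack.
    img[3 * BLOCK:4 * BLOCK] = b"B" * BLOCK
    # Blocks 5-6 are unallocated but block 5 still holds a deleted file's content.
    deleted = b"deleted: contact 203.0.113.7"
    img[5 * BLOCK:5 * BLOCK + len(deleted)] = deleted
    return bytes(img)


def hashes(data):
    """MD5 as the guidelines call for, plus SHA-256 (MD5 is not collision-resistant)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def bit_stream_copy(original):
    """Copy every byte, then authenticate the copy against the original's hashes."""
    copy = bytes(bytearray(original))  # byte for byte, slack and unallocated included
    assert hashes(copy) == hashes(original), "copy does not authenticate"
    return copy


def custody_record(label, examiner, data):
    """Chain-of-custody entry: which item, who imaged it, when (UTC), and its hashes."""
    return {"item": label, "examiner": examiner,
            "acquired": datetime.now(timezone.utc).isoformat(), **hashes(data)}


def slack_space(image, alloc):
    """Bytes between each file's logical end and the end of its last block."""
    out = {}
    for name, (first, count, size) in alloc.items():
        start = first * BLOCK + size
        end = (first + count) * BLOCK
        if end > start:
            out[name] = image[start:end]
    return out


def unallocated_space(image, alloc):
    """Concatenated content of every block that no file claims."""
    used = {b for first, count, _ in alloc.values() for b in range(first, first + count)}
    total = len(image) // BLOCK
    return b"".join(image[b * BLOCK:(b + 1) * BLOCK] for b in range(total) if b not in used)


def keyword_search(image, keywords):
    """Offsets of each keyword anywhere in the image: files, slack and unallocated alike."""
    hits = {}
    for kw in keywords:
        pos, found = image.find(kw), []
        while pos != -1:
            found.append(pos)
            pos = image.find(kw, pos + 1)
        hits[kw] = found
    return hits


if __name__ == "__main__":
    image = build_image()
    working_copy = bit_stream_copy(image)
    print(custody_record("disk-01", "examiner-1", image))
    print("slack:", slack_space(working_copy, ALLOC))
    print("unallocated:", unallocated_space(working_copy, ALLOC).rstrip(b"\x00"))
    print("keyword hits:", keyword_search(working_copy, [b"secret1", b"203.0.113.7"]))
```

All analysis runs against the working copy, and the hashes recorded at acquisition are what later lets anyone re-verify that the copy still matches the original; both keyword hits in this image live outside any allocated file, which is the reason the guidelines insist on searching slack and unallocated space, not just the files the file system lists.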

References

Bejtlich, Richard. (2005). The Tao of Network Security Monitoring: Beyond Intrusion Detection.

Net Optics. Has Your Network Outgrown SPAN Ports? Retrieved from: http://www.netoptics.com

The Proper Acquisition, Preservation, & Analysis of Computer Evidence: Guidelines and Best-practices.  Retrieved from:  http://www.google.com/gwt/x?source=m&u=http%3A%2F%2Fwww.setecinvestigations.com/resources/whitepapers/Computer_Evidence_Guidelines.pdf&wsi=c8c4f1eaf3e364cf&ei=MJ4ETvSkOYKOmweDlpHwBA&wsc=vb&ct=pg1&whp=30

Weber, Joy. (2006) The Fundamentals of Passive Monitoring Access. Net Optics Inc.
