Network Forensic DB 4 & 5, Research Paper Example

Network behavior anomaly detection (NBAD) is a means to detect network threats early on.  It has the ability to monitor and detect trends or unusual activities as they begin, before excessive damage can be done.  Network behavior anomaly detection is an important part of network behavior analysis (NBA).  This offers protection such as spy-ware detection, firewall, and anti-virus software.  When dangerous traffic is detected the network behavior anomaly detection sends out an alarm.  It also has the ability to monitor an individual user as opposed to an entire network, depending on the company’s needs.

NBAD programs can track and monitor virtually any activity that is out of the realms set as normal.  Some of the more popular threats that NBAD addresses are Payload anomaly detection, MAC spoofing, IP spoofing, TCP/UDP fan out, IP fan out, Duplicate MAC, virus detection, bandwidth anomaly detection, and connection rate detection.                                                                                                                         Network behavior anomaly detection and network behavior analysis will benefit any company and their overall corporate monitoring systems.  It enhances their protection and security.  These programs can extract information such as user names, emails, login times and information, and data transfer.  It can, “Eliminating network blind spots and reducing total network and security management costs. And protecting networks against fast growing threats, such as application misuse, information theft and misconfigured devices.” (Lancope)  A company needs to protect its information and having the proper programs such as NBA and NBAD will enhance the overall company’s security.

DB 5 Forensic Networking

As a computer forensic investigator, it is essential to justify and defend all actions in court.  This includes the means and legal grounds to obtain as well as preserve this information.  An employee hacked into sensitive corporate information and sent this to competitors repeatedly, the company is seeking to take legal actions against this employee.  It is important for the forensic investigator to obtain the information that will hold up in court.

With disk-imaging along with every other area of forensic reporting, it is essential to maintain the chain of command.  That means in order for it to be admissible in court and handle cross examination, it cannot be altered in any form.  If an investigator does something as simple as opening a file, that can alter its original status, making its evidence invaluable.  This is why it is essential for the forensic reporter to make can exact copy prior to investigating the computer.  All examination needs to be done on the copy, that way the original has no altering and cannot be thrown out because of that.

In order for findings to be court admissible, there are also factors that the forensic investigators need to address.  Similar to disk-imaging, it is essential to preserve the change of command.  This means that it cannot and should not be examined by multiple parties.  All finding should be “extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.” (Davis 2001) In addition, “all procedures and findings are thoroughly documented.”(Cole 2010)  This will allow all findings to be accurate and cross examination will not be able to discredit the clearly documented findings.  Preserving all evidence, maintaining chain of command, and preventing any type of altering will provide credibility for forensic investigators in court.

References

Cole E. & Kolde J. (2010) “Disk Imaging.” SANS Security Essentials V: Windows Basics 5-8.

Davis, Richard A. (2001) “Internet Abuse in the Workplace.” Retrieved from:  http://www.internetaddiction.ca/cyberslacking.htm

Lancope.  Flow-based Network Behavior Analysis.  Retrieved from: http://www.lancope.com/solutions/security-operations/network-behavior-analysis/