Friday, June 22, 2007

Article on Network Forensics

A colleague sent me a link to the following article in Network World. The article, to my dismay, calls Digital Forensics a science, when I think we've established that we're not a science yet; however, the author rightly states that we have a poor (or non-existent) taxonomy and that methodologies vary greatly.

To quote the article:
There’s also an evidence-collection chronology best practice: Focus on network danger first, then collect the data

Sorry, but this is not an evidence-collection chronology; this is called business-need-based response. Proper methodology is to contain the threat or stop the bleeding. This is many times required because of the nature of the system at risk. If you note, the Forensic Incident Response groundwork I laid out before suggests network-based collection to gather as much data as possible.

Interestingly enough, NIST says that their tool testing can't handle network forensics because the tool requirements are so strict. Well, NIST, maybe it's time to realize that the strictness is going to rise up to bite you (and the rest of us) in the butt. Again: collection, by its nature, will modify the original.

I'm a bit perturbed by the author's notion that the best way to standardize is through commercial network forensics tools. Maybe someone should inform the author that many commercial tools use the open-source libpcap library as their foundation? The tools don't need to be standardized for network forensics. We need a standard that is scientific in nature. This is exactly the same as the other Digital Forensic Science specialties. They're all lacking in a lot of the same ways.

So what's important when conducting network forensics?

A proper methodology
Standard format - I suggest libpcap, of course.
Complete data - Full content collection is preferred.
Authenticity - There needs to be a way to authenticate the content, perhaps by hashing each packet and the total packet capture.
Collection from multiple locations - Due to the rate of dropped packets, it's best to at least have full content from one source and session data from another.
Collecting from the right point on the network.
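As an added example (my own illustration, not code from the article or from libpcap), here is the authenticity idea above carried out on a libpcap file: walk the classic pcap record format, hash each packet and the whole capture with SHA-256, and compare a later copy against that manifest so a modified record can be pinpointed rather than just detected. The sample capture is constructed inline with dummy Ethernet-sized payloads.

```python
import hashlib
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1


def build_sample_pcap() -> bytes:
    """Constructed two-packet capture (not real traffic) for demonstration."""
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    records = b""
    for ts_sec, payload in ((1182470400, b"\x00" * 14 + b"packet-one"),
                            (1182470401, b"\x00" * 14 + b"packet-two")):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        records += struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)) + payload
    return header + records


def iter_packets(pcap: bytes):
    """Yield (ts_sec, ts_usec, packet_bytes) from a classic libpcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap capture")
    offset = 24  # skip the fixed-size global header
    while offset + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        data = pcap[offset:offset + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated packet record")  # capture cut short
        offset += incl_len
        yield ts_sec, ts_usec, data


def hash_capture(pcap: bytes) -> dict:
    """Manifest: one hash per packet plus a hash over the entire file."""
    per_packet = [hashlib.sha256(d).hexdigest() for _, _, d in iter_packets(pcap)]
    return {"file_sha256": hashlib.sha256(pcap).hexdigest(), "packet_sha256": per_packet}


def verify_capture(pcap: bytes, manifest: dict) -> bool:
    return hash_capture(pcap) == manifest


def changed_packets(pcap: bytes, manifest: dict) -> list:
    """Indices of records whose hash no longer matches the manifest."""
    current = hash_capture(pcap)["packet_sha256"]
    return [i for i, (a, b) in enumerate(zip(current, manifest["packet_sha256"])) if a != b]
```

Flipping one byte in the second record changes the file hash and that record's hash only, which is why the per-packet list is worth keeping alongside the whole-capture hash.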