Computer Forensics vs. Network Forensics
Posted by: Ben Uphoff in Network Forensics, tags: Computer forensics, incident response, Network Forensics

The security industry today is making big money on forensics. SANS alone has three different courses on the subject. Guidance Software has built a highly successful company by focusing solely on computer forensics. This is great, but anyone who has ever done a computer forensic investigation knows that it is a time-consuming, tedious process that is prone to human error. They also know that computer forensics is often not the end of an investigation but the beginning of a larger incident.
Often a computer forensic investigation will yield evidence showing that the compromised host was not an isolated compromise but part of something larger and nastier. This is where computer forensics meets network forensics. Surprisingly, the security industry is lagging far behind when it comes to network forensics. The focus has been on computer forensics but a shift towards network forensics in the industry is inevitable.
Once there is a determination that an incident has spanned more than one host on the network, a network forensic investigation begins to determine the scope of the incident. The key difference between computer forensics and network forensics is that the network must stay up during the investigation. Anyone familiar with computer forensics knows that the first step is to isolate the computer (unplug the network cable, block it at the switch, etc.). This approach doesn’t really work with a network. Unplugging the network from the Internet is one option, although certainly not good for business.
The reality of the situation is that networks cannot be isolated in the same way computers can in a forensic investigation - the costs are just too high. Network forensics must be performed on live networks. Incident response tools, packet captures, intrusion detection systems and NetFlow logs (and other network event logs) become key data sources under these circumstances. The process of performing network forensics on a live network is much too lengthy a discussion for this post. We will revisit the topic down the road in future BreachBytes posts.
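To make the scoping step concrete, here is an added example (not code from the original post or from BreachBytes) of the kind of first pass an investigator runs over NetFlow-style records once a computer forensic examination has fixed the compromise time of one host. It starts from that host, follows its outbound connections to other internal hosts forward in time, and transitively expands the set of hosts that need their own examination, while separating out external destinations as candidate command-and-control or exfiltration contacts. The flow records, the simplified text format, the `10.0.0.` internal prefix and the addresses are all constructed for this example; real NetFlow exports would be read with a collector or `nfdump` rather than parsed from a string.

```python
"""Scoping a multi-host incident from NetFlow-style records (added example)."""
from collections import deque, namedtuple
from datetime import datetime

# One record per flow: start time, source, destination, destination port, protocol, bytes.
Flow = namedtuple("Flow", "start src dst dport proto nbytes")

# Constructed sample records in a simplified whitespace-separated format (hypothetical data).
SAMPLE_FLOWS = """\
2008-01-20T09:58:00 10.0.0.5 10.0.0.9 445 tcp 1200
2008-01-20T10:02:00 10.0.0.5 203.0.113.7 443 tcp 58000
2008-01-20T10:05:00 10.0.0.5 10.0.0.12 445 tcp 2048000
2008-01-20T10:07:00 10.0.0.12 10.0.0.30 3389 tcp 640000
2008-01-20T10:09:00 10.0.0.12 203.0.113.7 443 tcp 31000
2008-01-20T10:15:00 10.0.0.20 10.0.0.5 80 tcp 5000
2008-01-20T10:20:00 10.0.0.30 10.0.0.41 22 tcp 9000
"""


def parse_flows(text):
    """Parse the simplified flow format above into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto, int(nbytes)))
    return flows


def scope_incident(flows, seed_host, compromise_time, internal_prefix="10.0.0."):
    """Return (implicated, supporting_flows).

    implicated maps each internal host to the time it first appears to have been
    reached from an already-implicated host; seed_host is taken to be compromised
    at compromise_time (an ISO 8601 string, normally established by the host-level
    forensic examination). Only flows that start after a host's implication time
    and go to another internal host count as evidence of spread.
    """
    since_seed = datetime.fromisoformat(compromise_time)
    by_src = {}
    for f in flows:
        by_src.setdefault(f.src, []).append(f)

    implicated = {seed_host: since_seed}
    supporting = []
    queue = deque([seed_host])
    while queue:
        host = queue.popleft()
        since = implicated[host]
        for f in sorted(by_src.get(host, []), key=lambda fl: fl.start):
            if f.start < since:
                continue  # activity before this host was compromised is not evidence of spread
            if not f.dst.startswith(internal_prefix):
                continue  # external destinations are handled separately, not as lateral movement
            supporting.append(f)
            if f.dst not in implicated:
                implicated[f.dst] = f.start
                queue.append(f.dst)
    return implicated, supporting


def external_contacts(flows, implicated, internal_prefix="10.0.0."):
    """Bytes sent to each external destination by implicated hosts after their implication time."""
    totals = {}
    for f in flows:
        if f.src in implicated and f.start >= implicated[f.src] and not f.dst.startswith(internal_prefix):
            totals[f.dst] = totals.get(f.dst, 0) + f.nbytes
    return totals


if __name__ == "__main__":
    records = parse_flows(SAMPLE_FLOWS)
    hosts, evidence = scope_incident(records, "10.0.0.5", "2008-01-20T10:00:00")
    for host, when in sorted(hosts.items(), key=lambda kv: kv[1]):
        print(f"examine {host}: first reached at {when.isoformat()}")
    for f in evidence:
        print(f"  {f.start.isoformat()} {f.src} -> {f.dst}:{f.dport}/{f.proto} ({f.nbytes} bytes)")
    print("external contacts:", external_contacts(records, hosts))
```

The point of the time filter is the one the post makes about false leads: the flow from 10.0.0.5 to 10.0.0.9 at 09:58 predates the compromise and is dropped, and the inbound web request from 10.0.0.20 to the compromised host is not treated as spread because only connections originating from an implicated host are followed. The output is a worklist of hosts to examine and the flows that justify each, not a verdict; a host reached over port 445 or 3389 still has to be confirmed on the host itself, and the packet captures and IDS alerts for those specific flows are the next thing to pull.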
January 22nd, 2008 at 1:03 pm
I think that the methodologies in both cases are ones that need much ironing out. Having spent some time on both... human error is what takes up the most time in trying to get around. Did you miss a netflow that was important? Was the netflow you just spent 8 hours analyzing a false lead? Where did the bad guys mislead you? In too many cases, each investigation seems to be a completely new thing where tons of stuff gets invented again.
Having ways to centralize and replicate actions is always a win with network forensics… and too many tools are not able to do that.