Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

A Push to Standards for Network Forensics

In the absence of formal standards for network forensics standards, many de facto standards and best practices have been implemented

Digital forensics is still a young science. That newness, coupled with the fast-changing world of computer technology, has resulted in a taxonomy and methodology for digital forensics that is poorly defined and confusing to computer security experts and law enforcement.

Network forensics, a subdiscipline of digital forensics, deals with computer network data that has become evidence. Network forensics can be used to check an organization's networks for vulnerabilities and thus keep them secure, and it can be used in the context of traditional law enforcement and the court system.

If no standards exist, researchers can't test new software to see if it meets those standards

We must anticipate that in the near future, network forensics will be a common component of trial cases. As a result, having credible standards for network forensics is vital to the continued speed and fairness of the US judicial system.

As forensic evidence, network data is slippery to collect: It resides neither with its sender nor with its receiver. Usually it is archived only by network service providers or by law enforcement. Who owns such evidence is one of numerous legal dilemmas created by the lack of standards. These issues could be resolved were standards bodies to create formal taxonomies, procedures and tools for network forensics. The US computer security community should assist in the creation and maintenance of formal standards. The most expedient way to implement these standards may be to use proprietary tools rather than open source software or freeware.

In the absence of formal standards for network forensics standards, many de facto standards and best practices have been implemented. In fact, de facto standards have been in use since network forensics has been part of the corporate and legal landscape.

The most general best practices in network forensics concern preservation, identification, extraction, documentation and interpretation. Each component of these best practices is broken down into smaller, commonsense procedures. For instance, the preservation best practice recommends working in teams and collecting maximum amounts of data. There's also an evidence-collection chronology best practice: Focus on network danger first, then collect the data. Although these practices represent a fraction of the network security corpus, they do signify a core knowledge base.

Lack of standards also creates recursive problems: If no standards exist, researchers can't test new software to see if it meets those standards. Nor can they create benchmarking tools to test software for standards applicability. In fact, researchers at the US National Institute of Standards and Technology (NIST) complained their methodology for testing tools for network forensics "was complicated by the lack of standards or specifications that describe what forensic tools should do", and subsequently have not revised their research.

Learning from the EU

In 2003 the European Union released the world's first network forensics standards, which it intended all EU nations to implement. These standards were clearly presented and strongly promoted, but they were unsuccessful nonetheless. Indeed, the EU's computer security community appears to have rejected or ignored these forensic tools, as well as the call to use them.

How did this happen? The solution could lie with the standards themselves. The EU's recommended forensic applications were Web-based freeware, written in XML. This design was well intentioned, even practical, given the EU member nations' varying rules of evidence. XML is slow, however, and quickly has become outmoded; a Web-based application's value depends on its browser and network connection; and as a way to gather evidence in a high-stakes judicial case, freeware is a dicey solution.

The corporate argument that "we shouldn't have to pay for commercial network forensic tools if we won't ever need them", theoretically is certainly valid. But in practice, if an organization's network data is subpoenaed, that organization should be prepared to present its best possible forensic evidence.

Commercial network forensic and analysis tools are common now, and need not be highly elaborate or expensive to provide users with complete and easy-to-understand data. Manufacturers of forensic and visibility tool kits should partner with standards bodies such as NIST to create functional and lasting standards for network forensics.

Network forensics is only growing more important. Standardized tools and methods will ease the job for network admins, researchers and expert witnesses, and will be an improvement to the judicial system.

Rosenberg is Sandstorm's editorial communications coordinator. Reach her at beth@sandstorm.net.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Speed

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Latest Blog Posts
Whitepapers
  • Case Study: NZ Bus Develops Applications 60% Faster, Improves Database Performance by up to 35%
    Key Benefits: Developed applications 60% faster, Created development and test environments in minutes compared to days and weeks previously, Reduced server costs by 30% with server virtualisation, Saved NZ$40,000 in database administrator training costs, Provided high availability features that keep the database and core applications up and running in the event of a server failure, Introduced compression capabilities that improved database performance by 30% to 35%. Read on.
    Learn more »
  • Pay-As-You-Grow: Investment Protection and Elasticity for your Network
    Enterprise IT teams are being challenged to increase overall IT flexibility and business agility by incorporating emerging cloud technologies into their next generation datacentre architectures. Top of mind is how to embed a high degree of elasticity to properly handle increasingly unpredictable application traffic loads, while still meeting strict performance service level agreements (SLAs). Satisfying these often opposing goals requires that individual elements within the larger datacentre infrastructure provide a native capability to increase capacity and performance as conditions dictate. Read on.
    Learn more »
  • CSO Security Buyers Guide 2011
    Welcome to the 2011 /2012 CSO Security Buyers Guide CSO is keeping security professionals ahead of the evolving threats and challenges to their businesses. This resource for security professionals assists you in finding leading IT security vendors by their products and solutions. Happy Browsing! The 2011 CSO Buyers Guide team
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments

HP and IDG news, product videos and resources