A Push to Standards for Network Forensics

In the absence of formal standards for network forensics, many de facto standards and best practices have been implemented

Digital forensics is still a young science. That newness, coupled with the fast-changing world of computer technology, has resulted in a taxonomy and methodology for digital forensics that is poorly defined and confusing to computer security experts and law enforcement.

Network forensics, a subdiscipline of digital forensics, deals with computer network data that has become evidence. Network forensics can be used to check an organization's networks for vulnerabilities and thus keep them secure, and it can be used in the context of traditional law enforcement and the court system.

We must anticipate that in the near future, network forensics will be a common component of trial cases. As a result, having credible standards for network forensics is vital to the continued speed and fairness of the US judicial system.

As forensic evidence, network data is slippery to collect: It resides neither with its sender nor with its receiver. Usually it is archived only by network service providers or by law enforcement. Who owns such evidence is one of numerous legal dilemmas created by the lack of standards. These issues could be resolved were standards bodies to create formal taxonomies, procedures and tools for network forensics. The US computer security community should assist in the creation and maintenance of formal standards. The most expedient way to implement these standards may be to use proprietary tools rather than open source software or freeware.

In the absence of formal standards for network forensics, many de facto standards and best practices have been implemented. In fact, de facto standards have been in use for as long as network forensics has been part of the corporate and legal landscape.

The most general best practices in network forensics concern preservation, identification, extraction, documentation and interpretation. Each component of these best practices is broken down into smaller, commonsense procedures. For instance, the preservation best practice recommends working in teams and collecting maximum amounts of data. There's also an evidence-collection chronology best practice: Focus on network danger first, then collect the data. Although these practices represent a fraction of the network security corpus, they do signify a core knowledge base.

Lack of standards also creates recursive problems: If no standards exist, researchers can't test new software to see if it meets those standards. Nor can they create benchmarking tools to test software for standards applicability. In fact, researchers at the US National Institute of Standards and Technology (NIST) complained their methodology for testing tools for network forensics "was complicated by the lack of standards or specifications that describe what forensic tools should do", and subsequently have not revised their research.

Learning from the EU

In 2003 the European Union released the world's first network forensics standards, which it intended all EU nations to implement. These standards were clearly presented and strongly promoted, but they were unsuccessful nonetheless. Indeed, the EU's computer security community appears to have rejected or ignored these forensic tools, as well as the call to use them.

How did this happen? The answer could lie with the standards themselves. The EU's recommended forensic applications were Web-based freeware, written in XML. This design was well intentioned, even practical, given the EU member nations' varying rules of evidence. XML is slow, however, and has quickly become outmoded; a Web-based application's value depends on its browser and network connection; and as a way to gather evidence in a high-stakes judicial case, freeware is a dicey solution.

The corporate argument that "we shouldn't have to pay for commercial network forensic tools if we won't ever need them" is certainly valid in theory. But in practice, if an organization's network data is subpoenaed, that organization should be prepared to present its best possible forensic evidence.

Commercial network forensic and analysis tools are common now, and need not be highly elaborate or expensive to provide users with complete and easy-to-understand data. Manufacturers of forensic and visibility tool kits should partner with standards bodies such as NIST to create functional and lasting standards for network forensics.

Network forensics is only growing more important. Standardized tools and methods will ease the job for network admins, researchers and expert witnesses, and will be an improvement to the judicial system.

Rosenberg is Sandstorm's editorial communications coordinator. Reach her at beth@sandstorm.net.
