StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Acquiring Network Forensic Evidence - Essay Example

Cite this document
Summary
The paper "Acquiring Network Forensic Evidence" concerns computer forensics in the context of law enforcement agencies or in corporate security, the utilization of computers to catalog physical evidence that is analyzed in forensics techniques including biometric identification, analyzing DNA, etc…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER95.7% of users find it useful
Acquiring Network Forensic Evidence
Read Text Preview

Extract of sample "Acquiring Network Forensic Evidence"

Full Paper Introduction Discussing computer forensics in the context of law enforcement agencies or in corporate security, it will lead to a conclusion of a subject that covers the utilization of computers to catalog physical evidence that is analyzed in other forensics techniques including biometric identification, analyzing DNA and dental evidence. Current technological trends have revolutionized the methods of storing data along with different advanced access mechanisms. These systems facilitate law enforcement agencies by providing instant access to these characteristics. Although, computer forensics also facilitates in investigation of crimes within themselves in order to gather evidence associated with criminal activities that breaches violation of an organizations policy. The data can be extracted from storage devices including hard drives, flash drives, memory cards etc (Computer forensics – a critical need in computer, n.d ) Every online user leaves behind logs related to activities that he or she performs online. This digital traceability can reveal activities that are performed by the user on the Internet by identifying who has identified which files along with logs of each website visited. Temporary files can also reveal flash templates and buffered videos. These traceable logs, files, cookies, templates can facilitate a great deal to analyze crimes that are committed from computers and may provide solid evidence against the hacker or cyber-criminal. However, many users trust in files after deleting them from the hard drive but there are many ways and methods via which these files can be recovered. The operating system usually does not delete complete files from the hard drive, even if the user deletes the files from the recycling bin. The files are still present, until they are replaced or overwritten by new files. These traceability factors can lead to aid in forensic investigations and can track down criminals by investigating their computer. For instance, during the execution of a search warrant at the residence of John Robinson who was a serial killer, law enforcement agencies discovered two bodies that were badly decomposed along with seizing of five computers (Computer forensics, n.d ). After investigating computers, it was discovered that the serial killer John Robinson was using internet to find people to schedule a meeting. Afterwards they were killed by sexually assaulting them. These facts were only possible by forensic computing techniques and were not possible by physical evidence and investigation (Computer forensics, n.d ). However, many techniques are associated with forensic computing, few techniques are categorized in to two groups i.e. Graphical User Interface (GUI) based forensic tools and Command line forensic tools (Conklin 2005). The command line tools are relatively small, they can be stored in floppy disks as compared to heavy, and slow GUI based forensic tools. However, command line tools also share some disadvantages in terms of their limitations as they are not capable to identify .zip files and .cab files. GUI based tools provide a graphical user interface and is said to be user friendly because specialized knowledge is not required as compared to command line tools requiring commands on every operation. The disadvantage for GUI based tools is that they are large and cannot be saved in a floppy disk (Conklin 2005). Similarly, organizations also require a proactive approach for threats that may penetrate within the internal network and extracts or expose sensitive information. There are many ways of forensic data acquisition on a network; we will only consider best practices. Network-Based Evidence Acquisition Practices Network management is effective on many vital management functions. If any one of them is not properly configured, effective network management is not possible. Data acquisition is classified as a vital management process that needs to be addresses proficiently. Likewise, Wireshark will only utilize data that is available and produce reports that are in the scope of evidence. For instance, it is possible that Wireshark acquires the data in an imprecise manner because in certain cases, there is a replication in data transmission. Therefore, the metrics will not show the correct picture. Acquisition tools are tailored to detect and process various types of network traffic, if any additional traffic is transmitted to the tool, it will overload the process and many packets can be discarded. Moreover, if any tool initially saves the network traffic to process further, packet duplication can further degrade the packet capture process difficult. Data transmission in a network is received from many interfaces and is also transmitted via a single interface representing many to one relationship. This concludes that the buffer can be overrun on an interface available on a switch. Moreover, congestion will result in packet loss from the switch, as a result of discarded packets and consequently, the tool will identify packet loss and incorrect reports and metrics. Best practice is that the port that is replicating data needs to be configured on the module with the largest buffer size. By following this procedure of best practice, likelihood of packet loss that is residing on the switch port will be minimized and packets will be counted appropriately. Furthermore, this memo will address best practices for data acquisition from switches and by integrating required methods for effective filtering and customization. Consequently, by deploying these methods and methodologies of best practices, facilitate accurate illustration of network traffic, perfect metrics, minimized processing power and maximum data storage. Switch Port Analyzer (SPAN) As per network dictionary “Switched Port Analyzer (SPAN) is a feature of many managed switches that extends the monitoring capabilities of existing network analyzers into a switched Ethernet environment. SPAN mirrors the traffic at one switched segment onto a predefined SPAN port. A network analyzer attached to the SPAN port can monitor traffic from any of the other switched ports”. This is a feature that is available in Cisco network devices that gives options for network administrators to copy traffic from a physical layer i.e. port on a switch to another port. Likewise, span ports are configured by a session that includes a source and a destination. The monitor session includes two functions i.e. to monitor source of the session and session monitoring of destination. The monitor session source identifies the ports that are physical present for the SPAN to copy data. Moreover, it also illustrates the direction of the traffic that includes the RX and TX. The monitor session destination will also identify the physical ports that the SPAN will consider for copying data. The source of the monitor session is composed of three attributes (Expert data acquisition best practice, n.d): Monitor session number: Differentiates the monitor session from any others on the switch. Monitor session source: Specifies the ports or VLANs from which the SPAN will copy data. Monitor session direction: Specifies the monitor session direction: RX, TX, or both (both by default). Monitor session source defines that the replication of data to the destination includes the source ports that will be associated with L2 or L3 ports. However, both of these ports are usable simultaneously. There is also a constraint which restrict WAN interface to be a representation of a source port. For instance, ATM interface is a good example. Moreover, best practices also restrict the configuration of Ethernet channel ports to be represented as source ports. Furthermore, ports cannot be blended with VLAN to be represented as a source within the same session of monitoring; instead, they will be configured for a physical port or for the VLAN. When source information is configured by using a VLAN, this process is considered to be a VLAN SPAN. VLAN sourcing includes each and every interface on the VLAN that can be monitored effectively. Likewise, the destination data is composed of two separate categories i.e. (Expert data acquisition best practice, n.d) Monitor session number: Differentiates the monitor session from any others on the switch. Monitor session destination: Specifies the physical port(s) to which the data will be mirrored. Destination port caveats: (Expert data acquisition best practice, n.d) A destination port can be any physical port, with release 12.1(13)E and later of Cisco IOS, you can configure the destination port to be a trunk port. This allows you to forward VLAN tags to the data collection device for monitoring purposes. This technique can also be used to filter data leaving the destination port with the “switchport trunk allowed vlan” command. A destination port can only service a single SPAN session and cannot be an Ether Channel port. A monitor session can have up to 64 destination interfaces Port SPAN Port span will facilitate separate interfaces to be represented similar to sources, as it is recommended for an environment where access layer switches are installed. The monitoring of sessions should focus on the interfaces that are connecting the production servers or servers containing business critical applications. By following this best practice, data which is redirected to other servers is not visible to the analyzer and do not struggle on SPAN destination for bandwidth. Future of Digital Forensic Investigation During a presentation at Carnegie Mellon University’s CyLab Capacity Building Program, Dr. Roy Nutter differentiated between forensics and security. He concluded that security includes all the theory and mechanism that is required to design protection for people and resources. On the other hand, forensics triggers when any incident occurs. As security incidents are rising, there will be huge demand for forensic computing professionals in future (, Computer forensics). Moreover, Peterson also concluded that a professional related to forensic computing deals with highly technical subjects and must have patience of a photographer of wild life along with literary skills equivalent to Mark Twain (Computer forensics, n.d ). Reference Switched port analyzer. (2007). Network Dictionary, , 469-470. Expert data acquisition best practice, n.d Retrieved 10/23/2011, 2011, from http://www.scribd.com/doc/53797426/Expert-Data-Acquisition-Best-Practice Computer forensics – a critical need in computer Retrieved 10/23/2011, 2011, from http://www.scribd.com/doc/131838/Computer-Forensics-a-Critical-Need-in-Computer Computer forensics, n.d Retrieved 10/23/2011, 2011, from http://dl.acm.org/citation.cfm?id=1047894 Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(Acquiring Network Forensic Evidence Essay Example | Topics and Well Written Essays - 1500 words, n.d.)
Acquiring Network Forensic Evidence Essay Example | Topics and Well Written Essays - 1500 words. https://studentshare.org/information-technology/1758511-acquiring-network-forensic-evidence
(Acquiring Network Forensic Evidence Essay Example | Topics and Well Written Essays - 1500 Words)
Acquiring Network Forensic Evidence Essay Example | Topics and Well Written Essays - 1500 Words. https://studentshare.org/information-technology/1758511-acquiring-network-forensic-evidence.
“Acquiring Network Forensic Evidence Essay Example | Topics and Well Written Essays - 1500 Words”. https://studentshare.org/information-technology/1758511-acquiring-network-forensic-evidence.
  • Cited: 0 times

CHECK THESE SAMPLES OF Acquiring Network Forensic Evidence

SSDD Forensics Issues

Civil Litigation… The types of data (digital evidence) can be found on a memory card are pictures, movies, audio Files, and documents.... Logical backups are considered a rich source of data files that can help build evidence.... But can also be used in GPS devices, portable audio players, video game consoles and expandable USB flash drives The logical acquisition approach is based on acquiring a logical bit-by-bit copy of the directories and various types of files (address files) found within the iPhone file system....
4 Pages (1000 words) Essay

Purpose of Incident Response in Business Environment

For instance, in what way the information has been passed to the applicable person, incident assessment, eliminating response strategy and damage, safeguarding information related to evidence and documentation (Incident response plan, n.... The next step will be to gather logs, as this will be a part of evidence collection.... After collecting the evidence, it will be reviewed by the investigators.... After reviewing the evidence, files will be dumped at SDK simulator Wired device Forensic Acquisition and Examination Forensic investigators will construct a methodology that will monitor attacks from inbound and outbound wired networks....
4 Pages (1000 words) Research Paper

Forensic Evidence

5 Pages (1250 words) Research Paper

The Challenges of the Forensic Recovery and Examination of Data from Mobile Devices

There is no full data recovery due to the quicksilver character nature of electronic evidence in mobile devices.... These devices can be connected to crime if they are: used as a communication tool in the act of crime, means of committing the crime, they contain information and a data warehouse device providing evidence.... Mobile devices forensics can be defined as the science of retrieval of digital evidence from mobile devices and entails methods that show how this evidence is retrieved....
14 Pages (3500 words) Research Proposal

The History of Computer Forensics

evidence derived from computer is been used in court for almost 30 years.... Initially, judges accepted the evidence as no different from forms of evidence they were been already seeing.... What is computer ForensicComputer forensic is a simple application of computer investigation and analysis techniques in the interests of determining potential legal evidence.... evidence might be sought in a wide range of Computer crime or misuse, including but not to theft of trade secrets, thefts of or destruction of Intellectual property and fraud....
24 Pages (6000 words) Essay

The Increased Need for Digital Forensics

he personal computer and the laptop provide a myriad of potential forensic evidence in the event that a crime has been perpetrated.... igital forensics, according to the Bureau of Labor Statistics, is a specialized private detective who examines various items of technology in the pursuit of locating evidence related to a criminal act (Tucker, 9).... A digital forensic scientist, searching the digital contents of a computer printer, would look for potential evidence such as time and date stamps, images still retrievable on the printer's paper roller, or even the specific network identity of the printer if it was, indeed, attached to an online network (Ashcroft, 18)....
10 Pages (2500 words) Essay

Forensic Computing and Identity Theft

Forensics is the structured procedure of gathering, examining and showing facts and evidences to the court of law, and thus, forensic computing is defined as “the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law” (US-CERT 2008).... This involves the seeking, locating and securing the electronic data so as to provide evidence....
16 Pages (4000 words) Essay

Computer Forensics: Admissibility of Evidence in Criminal Cases

Through this discussion, the author brings… Newman then furthers the discussion by highlighting that wrong evidence can harm a court's admissibility.... This necessitates that a court Computer forensics: Admissibility of evidence Newman, R.... Computer Forensics: evidence Collection and Management.... Through this discussion, the author brings in the topic of admissibility of evidence, to answer the question of whether evidence ought to be scrutinized based on its country of origin....
1 Pages (250 words) Annotated Bibliography
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us