Abstract
The dictionary defines forensics as “the use of science and technology to investigate and establish facts in criminal or civil courts of law.” I am more interested, however, in the usage common in the computer world: using evidence remaining after an attack on a computer to determine how the attack was carried out and what the attacker did. The standard approach to forensics is to see what can be retrieved after an attack has been made, but this leaves a lot to be desired. The first and most obvious problem is that successful attackers often go to great lengths to ensure that they cover their trails. The second is that unsuccessful attacks often go unnoticed, and even when they are noticed, little information is available to assist with diagnosis.
Title: Network Forensics: Good detective work means paying attention before, during, and after the attack.