Large Scale Network Forensics - Itís not just for Law Enforcement Anymore
by Melisa LaBancz - IT Journalist - Thursday, 20 March 2003.
Computer forensics do not follow you home in your car. Enterprise Forensics, or "Large Scale Forensics", are installed on a base server with a specified number of licenses issued to monitor a specified number of systems on the network. The sys. admin. (or examiner as it may be) does not monitor all systems on the entire network. It isn't really possible and is very inefficient. The company chooses areas that it feels need monitoring, or a specific individual that is most likely committing some type of internal policy violation, and they monitor thusly.

Mirroring a system does not affect performance of that system. Copying down information gleaned from the system while it's in use may slow up the performance a bit, but again, it's highly specific information that an investigator is looking for, not random emails about Friday night's date.

Computer forensic tools can compile custom reports that run unattended 24-7 to monitor certain areas of concern. As an example, because of new regulations for American companies traded on the public market, the Security Exchange Commission (SEC) requires that all corporate heads personally vouch for their company's financial reports. To ensure that these reports are indeed accurate, a CFO might want to employ a forensic solution to monitor cash flow in and out of Sales or Finance. A custom report could be programmed that would glean specific information for the CFO through the network capabilities of the enterprise forensic tool. In this way, there is consistent visibility into areas of the company that might otherwise go unnoticed but may cause catastrophic downfall all the same. Read: Enron.

Also of note, enterprise computer forensics do not work across the internet. They are company network specific. The Administrator exchanges a digital key with the vendor company and the vendor company holds the master agreement in an extremely secure location off-site. This again leads back to the licenses, and how many a company is utilizing. There is the potential to have a license to mirror every system on the network, but this is defeating to any real purpose and there are definitely not enough IT folks in a single company to do the monitoring on that scale.

Log Files

Regardless of an existing computer forensic tool installed on the network, what can be audited on every system are its log files. Time consuming and difficult to synthesize in massive amounts, log files have always been available to sys. admins. for customization, long before the advent of computer forensics. This is where the perceived "evils" of computer forensics must be addressed. The ways and means to monitor workflow and information exchange on computers has been there since their inception, on every system and with every user. Most companies employ some sort of log file audit process of their own. As with forensics, actions and events are chosen to be log-worthy. Trying to log every event on a system would adversely affect performance and isn't practical. As for inferred human rights violations and or privacy violations of computer forensics, there isn't anything magical or nefarious about the process other than it's been made much easier to find critical data and it's been automated.

The purpose and use of log files have been a topic of discussion in most in-depth forensic articles I've read. To this end, I've called upon Mike Fowler, a master trainer at Guidance Software*, to speak on the topic of log files and forensics.

"What value do log files have to a forensic investigator using a forensic tool? In the case of EnCase Enterprise (Guidance Software's Enterprise tool), log files can be viewed regardless of whether or not they have been deleted or exist in allocated filespace. These details, commonly referred to as 'System Artifacts', assist the examiner in determining not only the breadth and scope of an investigation; but also allows them to target locations on the suspect drive that contain items of evidentiary value."

On the subject of performance sacrifice, Fowler continues, "Like any networked application, forensic tools will utilize as much bandwidth as the system administrator will allow it to accomplish its job. Performance is dependant more on network topology than on any bandwidth throttling issues."


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th