Large Scale Network Forensics - It's not just for Law Enforcement Anymore
by Melisa LaBancz - IT Journalist - Thursday, 20 March 2003.
Discussing the 'old school' means of gathering evidence from the network, Fowler offers, "Logging is the cornerstone of any comprehensive security plan. The presence (and validity) of system logs can frequently mean the difference between suspect identification and suspect anonymity. Forensic tools are not meant to take the place of generating and maintaining system logs; they are intended to complement and enhance that system, used in conjunction with the gleaned information. A forensic solution can track and correlate log reports of user activity on a given computer during simple or complex network investigations."

Customized Scripts

Also of note is the use of scripting to perform investigations on a large-scale network. Customized scripts, coded by the IT system administrator, have been raised as an alternative to a dedicated forensic toolkit. While properly coded scripts are of great use to investigators in gathering data from unattended areas of the network, they are a complement to, not a replacement for, a good forensic solution.

Fowler adds, "The nice thing about using Perl scripts is that it automates many log and data collection activities that may otherwise be forgotten due to limited time on the part of the system administrator. Tedious tasks such as collecting, analyzing, and storing log files from a number of locations can often be overlooked. A properly created Perl script can free up a system administrator so he/she can concentrate their investigative efforts in areas of the network or system that sometimes forego attention due to time constraints."
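
As an added example (not code from the article or from Fowler) of the kind of Perl collection script described above: it gathers log files from several hypothetical locations into an evidence store, hashes each file before and after the copy so that a bad or altered copy is detected, and writes a manifest recording what was collected, from where, and when. The paths and sample log content are constructed so it runs offline.

```perl
#!/usr/bin/perl
# Added example (not from the article): collect log files from several
# locations into an evidence store, hashing each one before and after the
# copy and recording the result in a chain-of-custody manifest. Core modules only.
use strict;
use warnings;
use Digest::SHA;
use File::Copy qw(copy);
use File::Basename qw(basename dirname);
use File::Path qw(make_path);
use File::Temp qw(tempdir);
use POSIX qw(strftime);
use Sys::Hostname qw(hostname);

# Hypothetical log locations. Sample content is constructed here so the
# script runs offline; in practice these are the real paths on the hosts.
my $scratch = tempdir(CLEANUP => 1);
my @sources = ("$scratch/var/log/auth.log", "$scratch/var/log/httpd/access.log");
for my $p (@sources) {
    make_path(dirname($p));
    open my $fh, '>', $p or die "open $p: $!";
    print $fh "Mar 20 10:15:01 host sshd[412]: Failed password for root from 192.0.2.7\n";
    close $fh;
}

# Hash a file in binary mode; the same routine is used on source and copy.
sub sha256_file {
    my ($path) = @_;
    open my $fh, '<:raw', $path or die "open $path: $!";
    return Digest::SHA->new(256)->addfile($fh)->hexdigest;
}

my $store = "$scratch/evidence";
make_path($store);
open my $mf, '>>', "$store/MANIFEST.tsv" or die "manifest: $!";
print $mf join("\t", qw(collected_utc host source size mtime_utc sha256 copy)), "\n";
for my $src (@sources) {
    my @st     = stat $src or die "stat $src: $!";
    my $before = sha256_file($src);                  # hash the original first
    my $stamp  = strftime('%Y%m%dT%H%M%SZ', gmtime);
    my $dst    = "$store/${stamp}_" . basename($src);
    copy($src, $dst) or die "copy $src: $!";
    my $after  = sha256_file($dst);                  # then the stored copy
    die "integrity mismatch: $src" unless $before eq $after;
    print $mf join("\t", $stamp, hostname(), $src, $st[7],
                  strftime('%Y-%m-%dT%H:%M:%SZ', gmtime $st[9]), $after, $dst), "\n";
}
close $mf;
print "collected ", scalar(@sources), " file(s); manifest in $store\n";
```

The manifest lines are the record an investigator later relies on, so in real use the evidence store and manifest belong on media the monitored hosts cannot write to.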


The process behind most analytical tasks is based on a generally accepted "checklist" of duties and considerations needed to perform the task. Proper methodology for computer forensics involves a laundry list of actions and thought processes that an investigator needs to consider in order to have the basics covered. While one would think forensics methodology would come naturally to most high-level system administrators, it is not that simple. Which part of training methodology deserves special attention, and what should one already know and be practicing? Fowler explains, "The question of training methodology is a great one. We are hearing from investigators that testify during investigations. The consensus is that the focus on the product used is of less concern than the methodology used during the investigation itself. When training Law Enforcement students, they are often seasoned veterans with years of experience dealing with issues such as evidence handling and investigative best practices. The transition to the computer forensic mindset is usually a painless one given that they possess the basic knowledge and can apply it to most investigations.

IT professionals present an additional challenge. Although they have years of knowledge dealing with computers and networked systems, frequently the methods of protecting items of evidentiary value and utilizing accepted evidence gathering practices have not been a part of their training.

I have always said, "Give me an investigator and I can train him in the technical issues in my class." Taking an IT professional and giving him the investigative mindset needed is something that cannot be covered in a 4 to 5 day class. What we can teach is sound forensic methodology that they can use while gaining the required investigative experience they need."

What Is Needed?

