Network Forensics
A network crime is any criminal activity that uses a
computer network to facilitate the commission of a crime.
The computer network is the transmission media for the
criminal activity. The servers on the network as well as
the network connectivity are the typical victims.
Examples include:
- Phishing, pharming and vishing
- Computer network intrusions
- Denial of Service and Distributed Denial of Service
- Bots and Bot-Nets
- Database theft (credit cards, SSN, etc.)
- Website attacks and defacement
- Email threats and vulnerabilities
- Spyware, keystroke loggers and client-side (web browser) attacks
Investigating Network Crimes
Investigating Network Crime is very different from traditional
computer investigations. Evidence of a network intrusion is found
in logs:
- Router
- Firewall
- Network and host intrusion detection systems
- Server and service logs
Comparing Network and Hard Drive Forensics
Network Forensics
- Unlimited in scope
  - Logs can be anywhere from 1K in size to several terabytes and span several days of activity
- Multi-jurisdictional
  - Attacks are launched from all around the world
- Multi-device
  - Evidence of the attack will be found across several different devices, each with their own log format and time stamp
- Most crimes revolve around launching the attack or activity across a computer network
  - The network is both the medium of the attack and the victim
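The multi-device point above, that every device keeps its own log format and time stamp, is what makes correlation the first real job of a network investigation. The following is an added example, not part of the original notes: three constructed log lines (a netfilter-style firewall syslog line, a Snort "fast"-format alert and an Apache combined-log entry) are parsed, every time stamp is normalised to UTC, and the records are merged into one timeline keyed by source address; the device names, the fixed UTC-5 firewall offset and the log year are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample records (not from any real incident). Each device keeps its
# own format and clock: the firewall stamps local time (assumed fixed UTC-5) with
# no year, the IDS runs on UTC with no year, the web server writes Apache CLF
# with an explicit offset. Device names and the year are assumptions.
FIREWALL_TZ = timezone(timedelta(hours=-5))
IDS_TZ = timezone.utc
LOG_YEAR = 2024  # syslog and Snort "fast" lines omit the year; supply it
LOGS = {
    "firewall": "Mar 14 02:17:05 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 "
                "DST=192.0.2.10 PROTO=TCP DPT=22",
    "ids": "03/14-07:17:10.123456  [**] [1:1000001:1] Constructed SSH scan rule "
           "[**] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22",
    "webserver": '203.0.113.7 - - [14/Mar/2024:07:18:30 +0000] '
                 '"GET /wp-login.php HTTP/1.1" 200 1234',
}

def parse_firewall(line):  # each parser returns (aware timestamp, source ip, detail)
    m = re.match(r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (\w+) .*SRC=(\S+) "
                 r"DST=(\S+) .*DPT=(\d+)", line)
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=FIREWALL_TZ), m.group(3), f"{m.group(2)} {m.group(4)}:{m.group(5)}"

def parse_ids(line):
    m = re.match(r"(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[[\d:]+\] (.+?) \[\*\*\]"
                 r".*\{(\w+)\} (\S+):\d+ -> (\S+)", line)
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %m/%d-%H:%M:%S")
    return ts.replace(tzinfo=IDS_TZ), m.group(4), f"{m.group(2)} -> {m.group(5)}"

def parse_web(line):
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]+)" (\d{3})', line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")  # offset is in the line
    return ts, m.group(1), f"{m.group(3)} status {m.group(4)}"

PARSERS = {"firewall": parse_firewall, "ids": parse_ids, "webserver": parse_web}

def build_timeline(logs=LOGS):
    """Parse each device's line, convert every stamp to UTC, sort across devices."""
    events = []
    for device, line in logs.items():
        ts, src_ip, detail = PARSERS[device](line)
        events.append((ts.astimezone(timezone.utc), src_ip, device, detail))
    return sorted(events)

def by_source(timeline):
    """Group the unified timeline by originating address to follow one actor."""
    grouped = {}
    for ts, src_ip, device, detail in timeline:
        grouped.setdefault(src_ip, []).append((ts.isoformat(), device, detail))
    return grouped
```

Read raw, the firewall line (02:17) appears to precede the IDS alert (07:17) by five hours; after normalisation the three records sit five seconds and then eighty seconds apart, which is the sequence an investigator actually needs to establish.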
Hard Drive Forensics
- Limited in scope
  - Hard drive has a finite amount of storage
  - Either the evidence will be on the drive and recoverable or it won't
- Limited in jurisdiction
  - You either have physical jurisdiction to seize the hard drive or you do not
- Few devices
  - One or two systems and hard drives
- Most crimes revolve around the possession of illegal materials
  - Child pornography
  - Copyrighted content
  - Credit cards
  - The hard drive is simply the repository for illegal material