The Difference between Forensic and Security Evidence - Literature review Example

Full Paper Introduction Computer forensic sets the circumstances to lead the law enforcement agencies and corporate security tosubject computers as catalyst for the physical evidence using some forensic techniques which includes analyzing of DNA traces, biometric identification .i.e., figure prints and dental evidence. Modern technology has advances the storage of user data along with different forensic techniques which help the law enforcement agencies to access these data using the features of a person whose data is to access. Computer forensic also helps in investigation of a crime and keeping an eye out for the transgression of organizational policies. The user data can be extracted from personal storage devices like computer hard disk, flash drive, memory cards etc (Computer forensics – a critical need in computer, n.d ) Whenever a person online on internet he/she leaves behind the logs on performed activities. This provides the digital traceability of the person’s activities which he/she has performed on internet by using these logs of visited websites. Flash templates and videos buffered can also be gathered from temporary file of the computer which the person was using. This accessibility to trace the logs, cookies, files and templates can help in analyzing the crime committed computers and may help in providing the strong evidence against the cyber-criminal or hacker. Many users think that after deleing data from hard drive it cannot be traced but there are many techniques and methods by which the deleted data can be recovered. The computer system does not usually thrash the data completely even if it is removed from recycle bin. These files remain alive until it is replaced or overwritten by new data. These methods of tracing can facilitate in forensic investigation to trace down the criminal by investigating the computer system used by the criminal. For instance, during the execution of search warrant of serial killer John Robinson at the residence, law enforcement agencies seize five computers along with badly decomposed two dead bodies (Computer forensics, n.d ). After investigating the computer used by the serial killer John Robinson, it was discovered that he used the internet to find them and then schedule the meeting, after sexual assault they were killed. These facts cannot be gathered with physical evidence techniques and evidence and without computer forensic technique (Computer forensics, n.d ). There are many computer forensic techniques which can be used to trace the criminal but they are usually categorized as two main types: Graphical User Interface (GUI) based and Command Line based Forensic Tools (Conklin 2005). The command line based tools is small and it can be store in Floppy drive while GUI based forensic tools are heavy and slow and store in drives having more space then floppy drive. Moreover, command line based tools have some drawbacks in terms of its limitation to file types i.e., it is not capable of identifying .zip and .cab files. GUI based forensic tools provides graphical user interface which is more user friendly and uses graphical icons unlike command line tools which require a special command to perform each operation. The GUI based forensic tools as only disadvantage that it cannot be saved in floppy drive because of its heavy size (Conklin 2005). An organization must acquire a proactive approach for the threats that may arise which the intranetworking environment of organization and may extract important and sensitive data and information. There are many methods of forensic data acquisition from a network but we will consider the best practice of them. Network-Based Evidence Acquisition Practices Network management is one of the important management functions. Effective network management is only possible through properly configuring the network. Data acquisition is vital management process and it has to be done expertly and skillfully. Likewise, Wireshark should only provide data which may help in generating the reports for the evidence. For instance, in some cases there is the repetition of data transmission and the Wireshark extract the data imprecisely. Therefore, the results will not draw the correct picture which should be the actual result. The data acquisition tools are instructed to detect and process various types of network traffic, additional transmission of traffic to this tool may overload the process and many important packets can be discarded. Moreover, if the tool is designed to save the initial packet to process further, there is the chance of duplication of packets which may result in degradation of packet capture process. Data transmission in a network forms a many to single relationship i.e., data from different interfaces is received and transmit on a single interface. This concludes that the buffer at every interface can be overflow in a switch which can cause packet drop due to congestion and consequently the forensic tool will face packet loss and will generate an incorrect report and metrics. Hence, the best practice to be adopted is that the replicating data should be configured on a port with large buffer size. By adopting this practice will decrease the probability of packet loss that is residing on a switch port and that packet will be appropriately counted. Moreover, this technique is best practice for data acquisition from switch and by integrating required effective method for filtering and customization of data packets. As a result of deploying the best practice and methodologies, it will facilitate the accurate network traffic and perfect metrics, will minimize the required processing power and maximize the data storage capability. Switch Port Analyzer (SPAN) Network dictionary defines Switch Port Analyzer as: “Switched Port Analyzer (SPAN) is a feature of many managed switches that extends the monitoring capabilities of existing network analyzers into a switched Ethernet environment. SPAN mirrors the traffic at one switched segment onto a pre-defined SPAN port. A network analyzer attached to the SPAN port can monitor traffic from any of the other switched ports”. This feature of SPAN port is available in Cisco network devices that provide option to network administrator to copy data traffic from one port (physical layer) of the switch to another. The SPAN ports are configured using source and destination session. The monitor session performs two tasks i.e., monitors destination’s session and source’s session. The monitor source session identifies the present physically on SPAN to copy data and also identifies the direction traffic i.e., TX and RX. The monitor session destination identifies the ports that the SPAN will use for copying data. The Monitor session’s source has three attributes as defined by Expert Data Acquisition Best Practice, these are: Monitor session number: Differentiates the monitor session from any others on the switch. Monitor session source: Specifies the ports or VLANs from which the SPAN will copy data. Monitor session direction: Specifies the monitor session direction: RX, TX, or both (both by default). (Expert data acquisition best practice, n.d) Monitor session source defines the association of Layer 2 (L2) and Layer 3 (L3) ports with the replication of data to the destination. However, at a time both the ports can be used. There are constraints which limits the WAN interface to represent a source port. For example, a good example is ATM interface. Furthermore, best practice says that Ethernet channel ports should not represent as source port and ports cannot be merged with VLAN to be a representative of monitor session source; instead it should be configured as physical port or VLAN. When VLAN is configured as source information, this is called VLAN SPAN. VLAN SPAN includes all the interfaces of the VLAN that can be monitored effectively and efficiently. Destination port caveats: Expert Data Acquisition Best Practice says: A destination port can be any physical port, with release 12.1(13) E and later of Cisco IOS, you can configure the destination port to be a trunk port. This allows you to forward VLAN tags to the data collection device for monitoring purposes. This technique can also be used to filter data leaving the destination port with the “switch port trunk allowed VLAN” command. A destination port can only service a single SPAN session and cannot be an Ether Channel port. A monitor session can have up to 64 destination interfaces (Expert data acquisition best practice, n.d) Port SPAN The environment where access layer switches are installed, Port SPAN allows separate interfaces to b represented as similar sources. The monitoring of session mainly focuses on the connected interfaces of production servers and business critical application servers. The redirecting data to other server is not visible to analyzer and saves bandwidth on SPAN destination by following this best practice. Future of Digital Forensic Investigation The difference between forensic and security was given by Dr. Roy Nutter, during a presentation at Carnegie Mellon University’s CyLab Capacity Building Program. He concluded that all the theories and mechanism required for designing protection and resources are included in security while forensic prompt after an accident. Due to increasing security incidents there will be more demand of forensic computing professionals in future (, Computer forensics). Moreover, there is also a conclusion by Peterson that professional those are related to forensic computing have to deal with highly technical subjects and must have patience like a wildlife photographer with literary skills equivalent to Mark Twain (Computer forensics, n.d ). Reference Switched port analyzer. (2007). Network Dictionary, , 469-470. Expert data acquisition best practice, n.d Retrieved 10/23/2011, 2011, from http://www.scribd.com/doc/53797426/Expert-Data-Acquisition-Best-Practice Computer forensics – a critical need in computer Retrieved 10/23/2011, 2011, from http://www.scribd.com/doc/131838/Computer-Forensics-a-Critical-Need-in-Computer Computer forensics, n.d Retrieved 10/23/2011, 2011, from http://dl.acm.org/citation.cfm?id=1047894 Read More