Network forensics is a relatively recent discipline in the field of forensic science. The discipline has gained popularity as the use of the Internet across homes and offices has expanded greatly. This development implies that computing has shifted away from the traditional model, as data is no longer confined to disks as it was in the past. Network forensics can be conducted separately or as an appendage of computer forensics (Hunton, 2011). In the second case, the objective is to establish connections between digital devices or trace the commission of a crime. It is also noted that network forensics differs from computer forensics in data preservation. Whereas the latter uses disks, the former relies on network data, which is deemed volatile and unpredictable (Hunton, 2011). In practice, investigations concentrate on the packet filters, intrusion detectors and firewalls that are in place to intercept security threats. The current paper focuses on existing perspectives of network forensics.
Although network forensics entails investigating incidents and persons involved in computer networks, defining the concept has led to many variations. For instance, Giordano (2002) takes a military perspective to define network forensics. On the contrary, Hunton (2011) uses an industry-based paradigm to define forensics. The most accepted definition may be found in the work of Lemieux (2011), which is centered on research in digital forensics. For the purposes of the current paper, network forensics is viewed as the study of the core objectives, actions, sources and outcomes of incidents that violate organizational policy and lead to the compromise of systems’ security. Attacks that compromise a system’s security are designed as a silent and hidden process that is often overlooked by experts (Endicott-Popovsky, 2007). Consequently, such attacks lead to catastrophic damage. The academic community finds itself in a situation where it must contribute to understanding network forensics owing to the danger posed by digital wars.
Based on the above introduction, academia plays a role in addressing the challenges emerging from the digital world. To enhance the effectiveness of investigations, a perceptive understanding of the underlying causes of system intrusion is necessary. For instance, establishing who is involved in the process, the requirements, the available sources, the capacity requirements and the desired outcomes forms part of the aspects that must be understood in network forensics. Thus, it would appear that academia is the pivot on which network forensics develops.
As observed earlier, different perspectives, such as law enforcement, network security professional, military, and civil litigation, apply to the assessment of network forensics. However, the various perspectives can be categorized into three: military, industry and law enforcement (Giordano, 2002). The military perspective focuses on government and military research as well as academic activities. The industry perspective refers to personnel working in the private sector, such as cyber security staff. The law enforcement perspective covers the personnel involved in legal technical entities, policing systems, and government agencies. Each of the perspectives indicates that personnel, qualification and education are the major aspects of network forensics (Giordano, 2002).
Network Forensics Perspective Framework
While focusing on the challenges faced in network forensics in the military environment, Giordano (2002) acknowledged that the information system is one of the attack targets. Hence, network forensics in a military setting focuses on describing cyber warfare with the intention of restoring information infrastructure and strengthening investigative processes. However, Lemieux (2011) observed that organizational objectives influence the network forensic simulation tools used in controlling military cyber warfare. Often, network forensics under the military perspective is framed in terms of real-time investigations. Hence, a focus on detecting physical geographical location as well as research into behavior-oriented algorithms is adopted to limit cyber anonymity (Lemieux, 2011). Based on the findings of Endicott-Popovsky (2007), the military sector is the most affected by cyber insecurity, as attacks target its infrastructure.
Focusing on the law-enforcement perspective, Shakeel (2011) supported the use of a 3-phase investigation framework. The author drew this observation from a review of the cyber law adopted by the Republic of Maldives. Although the traditional solvability of crimes might not be applicable to solving cyber threats, it would be useful in eliminating threats to such security (Gragido & Pirc, 2011). Despite technological advancements, investigations remain largely human-centered. This reliance on humans increases the need to maintain awareness. As Hunton (2011) observed, an effective law enforcement system helps in the contextualization of cyber crime in terms of behavior patterns and the quantification of network technology for easier examination of issues.
Features of Network Forensics Perspectives
Reviews of network forensics differ in objectives and scope from one perspective to another. However, the reviews depict the main characteristic features of the forensic paradigms. Under the military perspective, network forensics concentrates on tactical and reactive cyber defense as opposed to a proactive, calculated cyber investigation (Giordano, 2002). It is not surprising that military leaders have commenced the process of drawing up policies focused on investigating and preventing cyber crime.
The military perspective includes proactive, reactive and defensive investigations (Giordano, 2002). The first type captures a process that entails integrating expertise, motivation and attack vector when conducting network event analysis (Giordano, 2002). Expertise ranges from expert hackers to script kiddies, while motivation covers financial gain, political achievement, national vendetta, and selfish aggrandizement (Gragido & Pirc, 2011). Therefore, the proactive aspect borders on predicting events before full incubation by focusing on network traffic patterns and intelligent correlations. Essentially, this investigation is critical within a military set-up since it encompasses real-time events and the resources available for preventing attacks. The investigative paradigms are built on the belief that attacks on the military are often sponsored with the aim of causing irredeemable destruction (Giordano, 2002).
Defensive or reactive investigations concentrate on the identification of network vulnerabilities and the implementation of remedies to prevent criminals from taking advantage of existing loopholes (Gragido & Pirc, 2011). Investigations of this nature cover a diverse spectrum of information security management and healthy network defense systems. Preventing additional incidents by filtering traffic and isolating networks is also part of such investigations.
A reactive investigation focuses on assessing network devices and traffic with the intention of addressing breaches, directly or indirectly, to obstruct intrusion (Gragido & Pirc, 2011). The investigation is judged on the accuracy with which it identifies the source, the circumstances of the intrusion and logistical information relating to preparedness, technical expertise and situational awareness.
The law enforcement framework for investigations focuses on reviews that follow incidents (Lemieux, 2011). Hence, it rests on reviewing processes after the infiltration of networks. Thus, the primary aim of the perspective is to uncover the information necessary for prosecuting culprits. In this regard, criminal apprehension is the principal motive of the law enforcement perspective. It also follows that deterrence is among the outcomes of such investigations, since the process involves collecting, identifying, analyzing, documenting and presenting evidence of violations of stipulated laws. However, strong grounds must exist before the perspective takes effect.
The industry perspective shares with the military model a proactive and defensive approach to carrying out investigations. Similarly, industry can be an attack target. However, the framework is distinguished by its training and certification processes (Hunton, 2011). The perspective involves the conduct of forensic investigations before being applied across the other two categories. Industries are also viewed as outsourcing units for law enforcement investigators. Despite a number of similarities, the three perspectives also differ on certain aspects. For instance, military network forensics concentrates on stochastic heavy-tailed likelihood distributions while the other frameworks do not (Budhiraja & Liu, 2011).
Approaches to Monitoring
Network forensics is applied using a number of methods. For instance, when applied at the Ethernet layer, sniffer-based monitoring tools are used (Palmer, 2001). Further, the author observes that Wireshark (formerly Ethereal) is the most commonly applied tool for collecting data and filtering different events. These tools allow investigators to follow and reconstruct emails, websites and overall network traffic (Palmer, 2001). However, the detection method might be limited if an intruder suspects eavesdropping on his/her connection. In such a case, the attacker might use encryption to protect the connection. Breaking today’s encryption is difficult, although the adoption of this approach would itself signal that suspicious activities are taking place.
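The following added example, written for this page and not taken from Palmer (2001) or from Wireshark, shows in miniature what a sniffer-based tool does when it reconstructs a session: it parses Ethernet/IPv4/TCP headers from captured frames, groups segments by connection and orders each flow's payload by sequence number. The frames are constructed inline; the plaintext HTTP request reconstructs readably, while the TLS flow illustrates the caveat above that encrypted traffic stays opaque to the investigator even though the connection itself is still visible.

```python
import struct
from collections import defaultdict

def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, no checksums)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                         # not IPv4 (ARP, IPv6, ...): skip
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                          # IP protocol 6 = TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4                           # TCP header length in bytes
    return (src, sport, dst, dport), seq, tcp[data_off:]

def reassemble(frames):
    """Group frames by 4-tuple and order each flow's payload by TCP sequence number.
    Retransmissions and overlapping segments are not handled here; a real tool must."""
    flows = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[2]:                            # keep only segments carrying data
            key, seq, payload = parsed
            flows[key].append((seq, payload))
    return {key: b"".join(p for _, p in sorted(segs)) for key, segs in flows.items()}

# Constructed capture: a plaintext HTTP request split across two segments that arrive
# out of order, the first bytes of a TLS handshake on a second connection, and an ARP frame.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "192.0.2.10", 40001, 80, 1021, b"Host: example.test\r\n\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 40001, 80, 1000, b"GET /login HTTP/1.1\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 40002, 443, 5000, b"\x16\x03\x01\x00\x2a\x01"),
    b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x06" + b"\x00" * 28,  # ARP frame, ignored by the parser
]

if __name__ == "__main__":
    for key, data in reassemble(SAMPLE_FRAMES).items():
        print(key, data)   # the HTTP flow reads as text; the TLS flow stays opaque without keys
```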
TCP/IP presents another approach to network forensics. Eoghan (2004) noted that the Internet Protocol (IP) is in charge of directing the packets that TCP generates. Operators of routers are in a position to establish the sources and destinations of data. For routing to be done properly, each intermediate router is required to have a routing table if it is to forward packets correctly. These tables form a critical segment of investigations whenever a crime is committed. Authentication logs also constitute important evidence because they show which accounts and users are associated with account activities.
It is apparent that network forensics is gaining popularity owing to the widespread use of digital communication globally. With the increase in the usage of information technology, new threats emerge. Thus, the rise of network forensics is timely, as it plays a significant role in preventing attacks against Internet users. The field is also proving critical within military, industry and legal environments, as demonstrated in this study. The various forensic perspectives differ slightly, although their primary objective is to control cyber threats.