This network forensics analysis mechanism covers presenting the evidence, manipulating the evidence graph, and performing automated reasoning.
The analyst interface presents a visualization of the evidence graph and the reasoning results to the analyst, who passes feedback to the graph generation and reasoning components.
Evidence collection involves the collection of intrusion evidence from networks and hosts under investigation.
Evidence preprocessing converts the various types of evidence, such as intrusion alerts, into the appropriate format and reduces redundancy in low-level evidence by aggregation.
After preprocessing, the collected intrusion evidence is stored in the evidence depository.
Evidence Graph Generation
Evidence graph manipulation generates and updates the evidence graph using intrusion evidence from the depository.
Attack reasoning is the process of automated reasoning based on the evidence graph.
Attack Knowledge Base
The attack knowledge base includes knowledge of prior exploits.
Asset Knowledge Base
The asset knowledge base includes knowledge of the networks and hosts under investigation.
In the initial phase, the evidence collected is pre-processed and stored in the evidence depository. The graph generation module builds the evidence graph with the evidence retrieved from the depository. Next, the reasoning module derives the automated inference based on the evidence graph and presents the results to the analyst. Through the interface module, the analyst can provide expert opinions and out-of-band information, mainly via two approaches:
- Edit the evidence graph directly.
- Send queries to retrieve specific evidence.
Next, the reasoning process is performed on the updated evidence graph for better results.
Maintain Chain of Custody
Chain of custody is the documentation of all actions taken during an investigation. It records not only the actions but also information about the evidence and its relevance to solving the case. When we move the log files from the server and later to an offline device, it is essential to keep track of where the files go. Investigators can use technical or non-technical methods, such as MD5 authentication, to maintain the chain of custody.
MD5 Authentication: an algorithm used to preserve the integrity of log files. It computes a 128-bit hash value for the particular log file to protect the file against undetected alteration.
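As an added illustration, not code from the original article, the following Python records a chain-of-custody entry for a collected log file with the MD5 digest the article describes and, because MD5 collisions are practical today, a SHA-256 digest alongside it, then re-verifies the file after a simulated alteration. The log content, file name and handler label are constructed for the example.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample log line; not taken from any real system.
SAMPLE_LOG = b"Jan 12 10:01:02 web01 sshd[1234]: Accepted publickey for alice\n"

def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, reading in chunks so large logs are not loaded whole."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def record_custody(ledger, path, handler, action):
    """Append a chain-of-custody entry: who did what to which file, when, and its hashes."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "file": str(path),
        "handler": handler,  # hypothetical analyst label
        "action": action,
        "hashes": hash_file(path),
    }
    ledger.append(entry)
    return entry

def verify_custody(ledger, path):
    """Re-hash the file and compare against the most recent ledger entry for it."""
    last = next((e for e in reversed(ledger) if e["file"] == str(path)), None)
    return last is not None and hash_file(path) == last["hashes"]

def demo(content=SAMPLE_LOG):
    """Collect a log, verify it, then simulate an alteration and verify again."""
    log = Path(tempfile.mkdtemp()) / "auth.log"
    log.write_bytes(content)
    ledger = []
    record_custody(ledger, log, "analyst-1", "collected from web01")
    ok_before = verify_custody(ledger, log)
    log.write_bytes(content + b"unauthorised edit\n")  # alteration after collection
    ok_after = verify_custody(ledger, log)
    return ok_before, ok_after, ledger
```

Each entry in the ledger should itself be stored separately from the evidence (for example in a signed or write-once log) so that altering a log file and its recorded hash together is not trivial.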
Condensing Log Files
Syslog files are the logs produced by the syslog facility, which sorts and routes log messages. With the large number of syslog log files, it becomes difficult for the forensic team to filter out the important log entries. For this purpose, tools such as Swatch and Logcheck are used to filter the log files according to the requirements.
The tools used are as follows:
- Swatch is a tool used for monitoring log files produced by UNIX's syslog facility.
- Logcheck is a utility that allows system administrators to view the log files produced by hosts under their control. It does this by mailing summaries of the log files to the hosts after first filtering out "normal" entries, that is, entries that match one of the many regular expression files contained in its database.
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com