|
Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.〔Gary Palmer, A Road Map for Digital Forensic Research, Report from DFRWS 2001, First Digital Forensic Research Workshop, Utica, New York, August 7 – 8, 2001, Page(s) 27–30〕 Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation. Network forensics generally has two uses. The first, relating to security, involves monitoring a network for anomalous traffic and identifying intrusions. An attacker might be able to erase all log files on a compromised host; network-based evidence might therefore be the only evidence available for forensic analysis.〔Erik Hjelmvik, Passive Network Security Analysis with NetworkMiner http://www.forensicfocus.com/passive-network-security-analysis-networkminer〕 The second form relates to law enforcement. In this case analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions. Two systems are commonly used to collect network data; a brute force "catch it as you can" and a more intelligent "stop look listen" method. ==Overview== Network forensics is a comparatively new field of forensic science. The growing popularity of the Internet in homes means that computing has become network-centric and data is now available outside of disk-based digital evidence. Network forensics can be performed as a standalone investigation or alongside a computer forensics analysis (where it is often used to reveal links between digital devices or reconstruct how a crime was committed).〔 Marcus Ranum is credited with defining Network forensics as “the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.”〔Marcus Ranum, Network Flight Recorder, http://www.ranum.com〕 Compared to computer forensics, where evidence is usually preserved on disk, network data is more volatile and unpredictable. Investigators often only have material to examine if packet filters, firewalls, and intrusion detection systems were set up to anticipate breaches of security.〔 Systems used to collect network data for forensics use usually come in two forms:〔Simson Garfinkel, Network Forensics: Tapping the Internet http://www.oreillynet.com/pub/a/network/2002/04/26/nettap.html〕 *"Catch-it-as-you-can" - This is where all packets passing through certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage. *"Stop, look and listen" - This is where each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires a faster processor to keep up with incoming traffic. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Network forensics」の詳細全文を読む スポンサード リンク
|