ScienceDirect® Home Skip Main Navigation Links
You have guest access to ScienceDirect. Find out more.
 
Home
Browse
My Settings
Alerts
Help
 Quick Search
 Search tips (Opens new window)
    Clear all fields    
advertisementadvertisement
Digital Investigation
Volume 3, Issue 2, June 2006, Pages 89-96
 
Font Size: Decrease Font Size  Increase Font Size
 Abstract - selected
Article
Purchase PDF (155 K)

  E-mail Article   
  Add to my Quick Links   
Bookmark and share in 2collab (opens in new window)
Request permission to reuse this article
  Cited By in Scopus (1)
 
 
 
Related Articles in ScienceDirect
View More Related Articles
 
View Record in Scopus
 
doi:10.1016/j.diin.2006.05.002    How to Cite or Link Using DOI (Opens New Window)
Copyright © 2006 Elsevier Ltd All rights reserved.

Improving evidence acquisition from live network sources

Bruce J. Nikkela, E-mail The Corresponding Author

aRisk Control, UBS AG, CH-8098 Zurich, Switzerland

Received 10 January 2006; 
revised 27 April 2006; 
accepted 3 May 2006. 
Available online 13 June 2006.

Purchase the full-text article



References and further reading may be available for this article. To view references and further reading you must purchase this article.

Abstract

The pervasiveness of network technology is causing a shift in the location of digital evidence. What was once largely found on individual disks tied to single individuals is now becoming distributed across remote networked machines, under the control of multiple organizations, and scattered over multiple jurisdictions. The network interactions between these machines are also becoming recognized as a source of network evidence. These live network sources of evidence bring additional challenges which need to be addressed. This paper discusses these issues and suggests some improvements in the methods used for the collection of evidence from live network sources.

Keywords: Network forensics; Live network evidence; Live network acquisition; Live network forensics; NFAT

Article Outline

1. Introduction
2. Collector location
2.1. Minimizing distance to source
2.2. Issues with firewalls, proxies and address translation
2.3. Multiple corroborating collectors
3. Evidence integrity during and after acquisition
3.1. Imposing layered and filtered write-blocking
3.2. Maintaining integrity of collection device
3.3. Integrity and protection of collected data
4. Acquiring a complete set of data
4.1. Difficulties with live network acquisition
4.2. Selecting data to be retrieved
4.3. Retrieve multiple instances/sources of data
4.4. Including protocol and out-of-band activity
5. Documenting live network acquisition process
5.1. Documenting network writes and filtering
5.2. Timestamping
5.3. Location stamping
5.4. Reporting errors
6. Analyzing authenticity and reliability of acquired data
6.1. Identifying authoritative sources
6.2. Self-consistency/self-contradiction
6.3. Independent corroborating sources
6.4. Cryptographic authentication
7. Conclusion
References
Vitae

Digital Investigation
Volume 3, Issue 2, June 2006, Pages 89-96
 
Home
Browse
My Settings
Alerts
Help
Elsevier.com (Opens new window)
About ScienceDirect  |  Contact Us  |  Information for Advertisers  |  Terms & Conditions  |  Privacy Policy
Copyright © 2008 Elsevier B.V. All rights reserved. ScienceDirect® is a registered trademark of Elsevier B.V.