Digital forensics is still a young science. That newness, coupled with the fast-changing world of computer technology, has resulted in a digital forensics taxonomy that is poorly defined and confusing to computer security experts and law enforcement alike.
Network forensics is a sub-discipline of digital forensics, dealing with evidence that passes over a computer network. Network forensics can be applied to network security (checking organisational networks for vulnerabilities) or within traditional law enforcement and judicial contexts.
It's anticipated that in the near future, network forensics will be a common component of trial cases. As a result, having credible standards for network forensics is vital to the continued speed and fairness of the judicial system.
As forensic evidence, network data is slippery to collect: It does not reside with its sender or its receiver. Usually it is archived only by network service providers or by law enforcement. Who owns such evidence is one of numerous legal dilemmas created by the lack of standards. These issues could be resolved if standards bodies created formal taxonomies, procedures and tools for network forensics. The computer security community should assist in the creation and maintenance of formal standards. And the most expedient way to implement these standards may be to use proprietary tools rather than open source software or freeware.
In the absence of formal network forensics standards, many de facto standards and best practices have been implemented. In fact, de facto standards have been in use since network forensics has been part of the corporate and legal landscape.
The most general practices in network forensics concern preservation, identification, extraction, documentation and interpretation. Each component of these practices is broken down into smaller, common-sense procedures. For instance, the preservation best practice recommends working in teams and collecting maximum amounts of data. There's also an evidence-collection chronology best practice: Focus on network danger first, then collect the data. Although these practices represent a fraction of the network security corpus, they do signify a core knowledge base.
Lack of standards also creates recursive problems: Researchers can't test new software to see if it meets standards that don't exist. Nor can they create benchmarking tools to test software for standards applicability. Researchers at the US National Institute of Standards and Technology (NIST) complained that their methodology for testing tools for network forensics "was complicated by the lack of standards or specifications that describe what forensic tools should do," and subsequently have not revised their research.
Learning from the EU
In 2003 the European Union released the world's first network forensics standards, which it intended all EU nations to implement. These standards were clearly presented and strongly promoted, but they were unsuccessful. The EU's computer security community appears to have rejected or ignored these forensic tools, as well as the call to use them.
How did this happen? The answer could lie with the standards themselves. The EU's recommended forensic applications were web-based freeware, written in XML. This design was well intentioned and practical, given the EU member nations' varying rules of evidence. However, XML is slow and quickly has become outmoded; a web-based application's value depends on its browser and network connection; and as a way to gather evidence in a high-stakes judicial case, it could be argued that freeware is a dicey solution.
The corporate argument that "we shouldn't have to pay for commercial network forensic tools if we won't ever need them," theoretically is valid. But in practice, if an organisation’s network data is subpoenaed, that organisation should be prepared to present its best possible forensic evidence.
Commercial network forensic and analysis tools are common now, and need not be highly elaborate or expensive to provide users with complete and easy-to-understand data. Manufacturers of forensic and visibility tool kits should partner with standards bodies such as NIST, to create functional and lasting standards for network forensics.
Network forensics is growing more important. Standardised tools and methods will ease the job for network researchers and expert witnesses, and will be an improvement to the judicial system itself.