A generic network forensic examination includes the following steps: identification, preservation, collection, examination, analysis, presentation and incident response.
- Identification: recognizing and determining an incident based on network indicators. This step is significant because it has an impact on all of the following steps.
- Preservation: securing and isolating the state of physical and logical evidence so that it cannot be altered, for example by protecting it from electromagnetic damage or interference.
- Collection: recording the physical scene and duplicating digital evidence using standardized methods and procedures.
- Examination: an in-depth, systematic search for evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis.
- Analysis: determining significance, reconstructing packets of network traffic data and drawing conclusions based on the evidence found.
- Presentation: summarizing and explaining the conclusions drawn.
- Incident Response: the response to the attack or intrusion detected is initiated based on the information gathered to validate and assess the incident.
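The following Python script is an added example, not code from the original post or from E-SPIN, that walks a small piece of network evidence through the preservation, collection, examination, analysis and presentation steps above. The capture is constructed in memory as a libpcap file with a few Ethernet/IPv4/TCP frames (checksums left at zero); the custodian name, the timestamps and the threshold of five distinct destination ports for flagging a source are assumptions chosen for the illustration.

```python
"""Added example: constructed network evidence taken through the forensic steps.
The capture is built in memory; nothing here is E-SPIN's code."""
import hashlib
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic (microsecond timestamps)
SYN, ACK, PSH = 0x02, 0x10, 0x08
SCAN_PORT_THRESHOLD = 5          # assumption: SYNs to this many distinct ports is worth reporting


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are zero because this is test data."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + tcp


def build_pcap(frames, base_ts=1700000000):
    """Serialise frames as a libpcap file (link type 1 = Ethernet); timestamps are assumed."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


# Preservation: hash the evidence before anyone examines it, so every later copy can be checked.
def preserve(capture, custodian="analyst-01"):
    return {"sha256": hashlib.sha256(capture).hexdigest(), "size": len(capture), "custodian": custodian}


def verify(capture, record):
    return hashlib.sha256(capture).hexdigest() == record["sha256"]


# Collection/examination: walk the pcap records without trusting any length blindly.
def parse_pcap(capture):
    magic, = struct.unpack("<I", capture[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    offset, frames = 24, []
    while offset + 16 <= len(capture):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", capture[offset:offset + 16])
        offset += 16
        frames.append((ts_sec, capture[offset:offset + incl_len]))
        offset += incl_len
    return frames


def decode_tcp(frame):
    """Return 5-tuple fields, TCP flags and payload of an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:
        return None
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "flags": frame[tcp + 13],
            "payload": frame[tcp + data_off:14 + total_len]}


# Analysis: reconstruct flows from the packets and draw conclusions from what was found.
def analyze(capture):
    flows = defaultdict(lambda: {"packets": 0, "payload": b""})
    syn_targets = defaultdict(set)
    for _ts, frame in parse_pcap(capture):
        pkt = decode_tcp(frame)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flows[key]["packets"] += 1
        flows[key]["payload"] += pkt["payload"]
        if pkt["flags"] & SYN and not pkt["flags"] & ACK:      # bare SYN, i.e. a connection attempt
            syn_targets[pkt["src"]].add((pkt["dst"], pkt["dport"]))
    suspects = sorted(src for src, t in syn_targets.items() if len(t) >= SCAN_PORT_THRESHOLD)
    return {"flows": dict(flows), "syn_only_sources": suspects}


# Presentation: a plain summary of the reconstructed flows and the indicators found.
def present(report):
    lines = [f"{len(report['flows'])} TCP flow(s) reconstructed"]
    for (src, sport, dst, dport), flow in sorted(report["flows"].items()):
        lines.append(f"  {src}:{sport} -> {dst}:{dport} packets={flow['packets']} bytes={len(flow['payload'])}")
    for src in report["syn_only_sources"]:
        lines.append(f"  indicator: {src} sent SYNs to at least {SCAN_PORT_THRESHOLD} distinct ports")
    return "\n".join(lines)


def sample_capture():
    """Constructed evidence: one normal HTTP exchange plus one host probing six ports."""
    frames = [build_frame("10.0.0.5", "10.0.0.9", 40000, 80, SYN),
              build_frame("10.0.0.9", "10.0.0.5", 80, 40000, SYN | ACK),
              build_frame("10.0.0.5", "10.0.0.9", 40000, 80, PSH | ACK, b"GET / HTTP/1.1\r\n\r\n")]
    frames += [build_frame("10.0.0.77", "10.0.0.9", 51000 + p, p, SYN) for p in (21, 22, 23, 25, 110, 143)]
    return build_pcap(frames)


if __name__ == "__main__":
    evidence = sample_capture()
    custody = preserve(evidence)
    assert verify(evidence, custody)
    print(present(analyze(evidence)))
```

The custody record is written before parsing starts so that the hash of what was analysed can be re-checked at presentation time; the parser bounds every slice by the record and header lengths it reads, so a truncated or malformed capture yields fewer frames rather than an exception mid-analysis.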
There are steps organizations can take before an attack to help network-based forensic investigations be successful. Here are three things you can do:
- Put a process in place. For network forensic investigators to do their work, there need to be log and capture files for them to examine. Organizations should implement event-logging policies and procedures to capture, aggregate, and store log files.
- Make a plan. Incident management planning will help to respond to and mitigate the effects of an attack.
- Acquire the talent. The ability to interpret the data in log and capture files and recognize malicious activity in the data is a special skill that requires in-depth knowledge of network and application protocols. Whether the talent is in-house or external, it’s vital that organizations have access to computer and network forensics investigators who are experienced and accessible.
Feel free to contact E-SPIN for the various technology solutions that can facilitate your network forensics infrastructure availability and security monitoring.