
Quality Assurance for Evidence Collection in Network Forensics

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4298))

Abstract

Network forensics involves identifying, collecting, analyzing and examining the digital evidence extracted from network traffic and from the logs of network security devices. One of the most challenging tasks in network forensics is collecting enough information to reconstruct the attack scenario. Capturing and storing data packets from networks consumes considerable resources: CPU power and storage capacity. The emphasis of this paper is on the development of an evidence collection control mechanism that produces near-optimal solutions, with a reasonable acceptance ratio for forensic service requests and tolerable data capture losses. In this paper, we propose two evidence collection models, Non-QA and QA, with preferential treatments for network forensics. They are modeled as Continuous Time Markov Chains (CTMC) and are solved with LINGO. Performance metrics in terms of the forensic service blocking rate, the storage utilization and the trade-off cost are assessed in detail. This study confirms that the Non-QA and QA evidence collection models meet the cost-effectiveness requirements and provide a practical solution for guaranteeing a certain level of quality of assurance for network forensics.
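The abstract describes evidence collection as a CTMC and reports blocking rate, storage utilization and a trade-off cost, but the page gives none of the model's parameters. The following is an added illustration, not the paper's model and not code from the authors: it assumes a sensor with a fixed number of storage units, two Poisson request classes (priority and best-effort), exponential capture durations, and a QA policy that reserves the last `guard` units for priority requests (a guard-channel style of preferential treatment, which is my reading of "preferential treatments" and of the cited prioritized-handoff work, not something the page states). All parameter values, the cost weights and the function names are constructed for the example.

```python
"""Birth-death CTMC for a storage-bounded evidence-collection sensor.

Added illustration; assumptions (mine, not taken from the abstract):
  - the sensor has N storage units; an admitted capture request holds one
    unit for an exponentially distributed time with rate mu,
  - requests arrive as two Poisson streams, priority (lam_hi) and
    best-effort (lam_lo),
  - Non-QA policy (guard=0): admit any request while n < N,
  - QA policy (guard>0): admit a best-effort request only while
    n < N - guard; priority requests are admitted while n < N.
With these assumptions the occupancy n is a birth-death chain, so the
stationary distribution has a product form and needs no matrix solver.
"""
from dataclasses import dataclass


@dataclass
class Metrics:
    block_hi: float      # P(priority request rejected)
    block_lo: float      # P(best-effort request rejected)
    utilization: float   # mean fraction of storage units in use
    cost: float          # weighted trade-off cost of the blocking rates


def stationary(N: int, lam_hi: float, lam_lo: float, mu: float, guard: int) -> list[float]:
    """Stationary distribution pi[0..N] of occupancy under the given policy."""
    if not 0 <= guard <= N:
        raise ValueError("guard must lie in 0..N")
    if min(N, lam_hi, lam_lo, mu) < 0 or mu == 0:
        raise ValueError("rates must be non-negative and mu positive")
    # Unnormalised weights: w[n+1] = w[n] * birth(n) / death(n+1).
    # birth(n) is the total admitted arrival rate in state n,
    # death(n+1) = (n+1) * mu because each held unit is released independently.
    w = [1.0]
    for n in range(N):
        admitted = lam_hi + (lam_lo if n < N - guard else 0.0)
        w.append(w[-1] * admitted / ((n + 1) * mu))
    z = sum(w)
    return [x / z for x in w]


def evaluate(N: int, lam_hi: float, lam_lo: float, mu: float,
             guard: int = 0, w_hi: float = 10.0, w_lo: float = 1.0) -> Metrics:
    """Blocking rates, storage utilization and a weighted cost for one policy.

    w_hi / w_lo are constructed cost weights: losing a priority capture is
    assumed to be ten times as costly as losing a best-effort one.
    """
    pi = stationary(N, lam_hi, lam_lo, mu, guard)
    block_hi = pi[N]                      # only a full store rejects priority
    block_lo = sum(pi[N - guard:])        # best-effort rejected in guard region
    utilization = sum(n * p for n, p in enumerate(pi)) / N
    cost = w_hi * block_hi + w_lo * block_lo
    return Metrics(block_hi, block_lo, utilization, cost)


def compare(N: int, lam_hi: float, lam_lo: float, mu: float, guard: int) -> dict[str, Metrics]:
    """Non-QA (no reservation) next to QA (guard units reserved)."""
    return {"Non-QA": evaluate(N, lam_hi, lam_lo, mu, 0),
            "QA": evaluate(N, lam_hi, lam_lo, mu, guard)}


if __name__ == "__main__":
    # Constructed scenario: 20 storage units, offered load close to capacity.
    for name, m in compare(N=20, lam_hi=4.0, lam_lo=14.0, mu=1.0, guard=3).items():
        print(f"{name:7s} block_hi={m.block_hi:.4f} block_lo={m.block_lo:.4f} "
              f"util={m.utilization:.3f} cost={m.cost:.3f}")
```

Sweeping `guard` in `compare` shows the trade-off the abstract names: each reserved unit lowers the priority blocking rate at the price of higher best-effort blocking and lower storage utilization, and the weighted `cost` is one way to pick the reservation level.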



Editors: Jae Kwang Lee, Okyeon Yi, Moti Yung

Copyright information

© 2007 Springer Berlin Heidelberg

About this paper

Cite this paper

Cheng, BC., Chen, H. (2007). Quality Assurance for Evidence Collection in Network Forensics. In: Lee, J.K., Yi, O., Yung, M. (eds) Information Security Applications. WISA 2006. Lecture Notes in Computer Science, vol 4298. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-71093-6_10


  • DOI: https://doi.org/10.1007/978-3-540-71093-6_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-71092-9

  • Online ISBN: 978-3-540-71093-6
