Abstract
Instant Messaging (IM) applications have become an important tool for business and social communication. However, when using IM, individuals and companies expose themselves to many security threats. Collecting all available data and preserving the integrity of evidence is a challenging task to perform IM forensics. In particular, under resource constrained situations, a good evidence collection mechanism is required to provide effective event collection in a network environment with heavy traffic. The emphasis of this paper is on the development of an effective evidence collection control mechanism that achieves an optimal outcome with a reasonable forensic service requests acceptance ratio and tolerable level of data capture loss. In this paper, we propose an evidence collection control model used in network forensics, called Quality Assurance Evidence Collection (QAEC). QAEC dynamically adjusts the amount of data to be collected on an evidence flow according to the storage capacity level. QAEC is firstly modeled as the Continuous Time Markov Chain (CTMC) and is realized by a cost function that comprises both flow-level and packet-level components to reflect the efforts on the evidence reconstruction process. We also present a prototype system (known as the MSN-Shot) as a MSN forensic system which uses QAEC to select an appropriate evidence collection strategy to maximize the given cost function. With the numerical analysis and prototype results, this study confirmed that the QAEC model meets cost-effective requirements and provides a practical security solution and guarantees a high level of quality assurance for network forensics.
Similar content being viewed by others
References
Casey E. (2004) Network traffic as a source of evidence: Tool strengths, weaknesses, and future needs. Digital Investigation 1(1): 28–43
Corey V., Peterman C., Shearin S., Greenberg M.S., Bokkelen J.V. (2002) Network forensics analysis. IEEE Internet Computing 6(6): 60–66
Feng, W., Kandlur, D., Saha, D., & Shin, K. (1999). Blue: A new class of active queue management algorithms. Technical Report CSE-TR-387-99, April, University of Michigan.
Hong D., Rapport S.S. (1986) Traffic model and performance analysis for cellular mobile radiotelephone systems with prioritized and non-prioritized handoff procedures. IEEE Transactions on Vehicular Technology 35: 77–92
Jamjoom, H., & Shin, K. (2003). Persistent dropping: An efficient control of traffic aggregates. In Proceedings of ACM SIGCOMM ’03, August (pp. 287–297). Karlsruhe, German.
Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Guide to integrating forensic techniques into incident response. NIST Special Publication 800-86. August. http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf.
Krasser, S., Conti, G., Grizzard, J., Gribschaw, J., & Owen, H. (2005). Real-time and forensic network data analysis using animated and coordinated visualization. In Sixth Annual IEEE Information Assurance Workshop (IAW), June (pp. 42–49).
Nisase, T., & Itoh, M. (2004). Network forensic technologies utilizing communication information. NTT Technical Review, 2(8).
Sekar, V., Xie, Y., Maltz, D., Reiter, M., & Zhang, H. (2004). Toward a framework for internet forensic analysis. In: ACM SIGCOMM Hot Topics in Networks (HotNets-III) San Diego, CA, USA.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Cheng, BC., Chen, H. & Tseng, RY. Quality assurance evidence collection model for MSN forensics. J Intell Manuf 21, 613–622 (2010). https://doi.org/10.1007/s10845-009-0241-6
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10845-009-0241-6