3.6.3 Top-Down Approach
This is the approach most frequently used in network forensics when the examiner
is working with an automated log and event correlation tool. In intrusion detection,
a top-down approach means starting from a detected attack and tracing it back to its
point of origin; in network forensics it means starting from the GUI display of an
event and working back to the source log, with the dual purpose of:
1. Validating the correlation process carried out by the engine of the automated log
and event correlation tool and displayed to the Security Administrator;
2. Locating the source logs that will then be used as evidence in court or for
subsequent analysis.
In reference to Fig. 6, the top-down approach is used to get back to the source logs
represented in the previous figures. Once retraced, the acquired logs are produced and
recorded onto a CD-ROM or DVD, and the operator appends a digital signature so that
their integrity can later be verified.
3.6.4 Bottom-Up Approach
This approach is applied by the tool starting from the source log. It is the method
an IDS uses to identify an ongoing attack through real-time analysis of events.
In a distributed security environment the IDS engine may reside (as hypothesized
in Section 2.2) on the same machine that hosts the normalization engine. In this case
the IDS engine uses the network forensics tool to display the problem on the GUI.
One starts from an automatic low-level analysis of the events generated by the
points of acquisition and arrives at the "presentation" level of the investigative process.
The same approach is followed when log analysis (and the subsequent correlation)
is performed manually, i.e., without the aid of automated tools. Here a category of
tools known as log parsers comes to the examiner's aid. Their purpose is to analyze
source logs for a bottom-up correlation. A parser is usually written in a scripting
language such as Perl or Python. There are, however, parsers written in Java to give
network forensics examiners a cross-platform option, perhaps on a bootable CD-ROM
(see Section 5 for examples).
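As an added example (not code from the original text), the following Python script shows a minimal bottom-up parser and correlator of the kind described above, together with the trace-back and hashing steps that the top-down approach of Section 3.6.3 relies on. The two log formats, host names, IP addresses and the correlation rule (two or more failed SSH logins from one address followed by an accepted login within 60 seconds, with firewall denials from the same address attached as context) are constructed for illustration and are not taken from the text; each normalized event keeps the name and line number of its source log so that an alert can be traced back to the raw lines it was built from, and SHA-256 stands in for the digest that the operator's digital signature would cover.

```python
"""Bottom-up log parsing and correlation, with top-down trace-back to source lines.

Added example; not part of the original text. Log formats, hosts, IPs and the
correlation rule are constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample source logs from two points of acquisition.
FIREWALL_LOG = """\
2024-03-01T10:00:01Z fw01 DENY src=203.0.113.5 dst=10.0.0.7 dport=22
2024-03-01T10:00:02Z fw01 DENY src=203.0.113.5 dst=10.0.0.7 dport=23
2024-03-01T10:00:03Z fw01 ALLOW src=203.0.113.5 dst=10.0.0.7 dport=22
2024-03-01T10:05:00Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.7 dport=443
"""
AUTH_LOG = """\
2024-03-01T10:00:04Z srv07 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:06Z srv07 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:09Z srv07 sshd: Accepted password for root from 203.0.113.5
2024-03-01T10:06:00Z srv07 sshd: Accepted publickey for alice from 198.51.100.9
"""
SOURCES = {"fw.log": FIREWALL_LOG, "auth.log": AUTH_LOG}

# One regex per (hypothetical) source format.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) "
                   r"src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<action>Failed|Accepted) "
                    r"\S+ for (?P<user>\S+) from (?P<src>\S+)$")
FORMATS = {"fw.log": ("fw", FW_RE), "auth.log": ("ssh", SSH_RE)}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(name, text, kind, pattern):
    """Normalize one source log into events that keep a pointer back to the source line."""
    events = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = pattern.match(raw)
        if not m:
            continue  # unparsed lines are skipped here; a real tool should count them
        d = m.groupdict()
        events.append({"ts": parse_ts(d["ts"]), "kind": kind, "action": d["action"],
                       "src": d["src"], "user": d.get("user"),
                       "source": name, "line": line_no, "raw": raw})
    return events


def parse_all(sources=SOURCES, formats=FORMATS):
    """Parse every source log and merge the events into one time-ordered stream."""
    events = []
    for name, text in sources.items():
        kind, pattern = formats[name]
        events.extend(parse_log(name, text, kind, pattern))
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window_s=60, min_failures=2):
    """Bottom-up rule: per source IP, >= min_failures failed SSH logins followed by an
    accepted one within window_s seconds; firewall denials in the window are attached."""
    def within(e, acc):
        return 0 <= (acc["ts"] - e["ts"]).total_seconds() <= window_s

    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for acc in (e for e in evs if e["kind"] == "ssh" and e["action"] == "Accepted"):
            fails = [e for e in evs if e["kind"] == "ssh" and e["action"] == "Failed" and within(e, acc)]
            if len(fails) < min_failures:
                continue
            denies = [e for e in evs if e["kind"] == "fw" and e["action"] == "DENY" and within(e, acc)]
            refs = sorted((e["source"], e["line"]) for e in fails + denies + [acc])
            alerts.append({"src": src, "user": acc["user"], "at": acc["ts"].isoformat(), "refs": refs})
    return alerts


def trace_back(alert, sources=SOURCES):
    """Top-down step: from an alert back to the raw source lines it was built from."""
    lines = {name: text.splitlines() for name, text in sources.items()}
    return [lines[name][line_no - 1] for name, line_no in alert["refs"]]


def evidence_digest(text):
    """SHA-256 over a source log as acquired; the operator's signature would cover this digest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for alert in correlate(parse_all()):
        print(alert["src"], alert["user"], alert["at"], alert["refs"])
        for raw in trace_back(alert):
            print("   ", raw)
    for name, text in SOURCES.items():
        print(name, evidence_digest(text))
```

The `refs` list is what makes the two directions meet: the correlator produces it bottom-up, and `trace_back` consumes it top-down to show the examiner exactly which source lines the alert rests on, so the correlation can be validated and the same lines can be produced as evidence. Hashing the source log as a whole, rather than the parsed events, is deliberate: the digest (and the signature over it) must cover what was acquired, not what the parser chose to keep.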
3.7 Requisites of Log File Acquisition Tools
Regardless of which vendor is chosen to represent the standard, the literature has
identified a number of requisites that a logging infrastructure must satisfy to achieve
forensically compliant correlations:
TCPdump support, both for import and for export;
Use of state-of-the-art hashing algorithms;