[Fig. 12: packet format diagram. Header fields, in order: Previous packet (timestamp tai64), Part Number, of N Parts, Message Length, Msg ID; followed by Data. Offsets marked on the diagram: 0, 8, 16, 32, 48, ..., 96.]
Fig. 12.
In Fig. 12 we can see the format of the packet sent by the client and published to
the DNS server. This example uses the TXT record which allows it to publish 220
bytes, 18 of which for the header.
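As an added example (not code from the chapter or from the SecSyslog project), the following Python builds packets in this format on the client side and reassembles them on the collector side. The chapter fixes only the field names, the 220-byte TXT payload and the 18-byte header, so the individual field widths used here (8-byte TAI64 timestamp, 2-byte part number, 2-byte part count, 2-byte message length, 4-byte message id) are an assumption. The reassembly side reports missing, duplicated or inconsistent parts instead of discarding them silently, which is the property a forensic consumer of the log stream needs in order to see where the evidence has gaps.

```python
"""Fragmentation and reassembly for a SecSyslog-style DNS TXT payload.

Assumed header layout (18 bytes, big-endian); the chapter gives only the
field names and the total header size, so the widths are an assumption:
    0..8   previous packet timestamp (TAI64, 8 bytes)
    8..10  part number (1-based)
    10..12 total number of parts
    12..14 message length (total bytes of the original message)
    14..18 message id
The remaining 220 - 18 = 202 bytes of the TXT payload carry data.
"""
import struct
from collections import defaultdict

TXT_PAYLOAD = 220                          # bytes one TXT record carries (from the chapter)
HEADER_LEN = 18                            # header size (from the chapter)
DATA_PER_PART = TXT_PAYLOAD - HEADER_LEN   # 202 bytes of message data per packet
HEADER_FMT = ">QHHHI"                      # assumed field widths, see module docstring
assert struct.calcsize(HEADER_FMT) == HEADER_LEN

TAI64_UNIX_EPOCH = 1 << 62  # TAI64 label of 1970-01-01T00:00:00 (leap seconds ignored)


def tai64(unix_seconds):
    """TAI64 label for a Unix timestamp (constructed helper, leap seconds ignored)."""
    return TAI64_UNIX_EPOCH + unix_seconds


def fragment(msg, msg_id, prev_ts):
    """Split one syslog message into TXT-sized packets, each carrying the header."""
    if len(msg) > 0xFFFF:
        raise ValueError("message longer than the 16-bit length field allows")
    chunks = [msg[i:i + DATA_PER_PART] for i in range(0, len(msg), DATA_PER_PART)] or [b""]
    total = len(chunks)
    return [struct.pack(HEADER_FMT, prev_ts, part, total, len(msg), msg_id) + chunk
            for part, chunk in enumerate(chunks, start=1)]


def parse(packet):
    """Decode one packet; rejects sizes a TXT record could not have carried."""
    if not HEADER_LEN <= len(packet) <= TXT_PAYLOAD:
        raise ValueError("packet size %d outside TXT record limits" % len(packet))
    prev_ts, part, total, length, msg_id = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if part == 0 or part > total:
        raise ValueError("part %d of %d out of range" % (part, total))
    return {"prev_ts": prev_ts, "part": part, "total": total,
            "length": length, "msg_id": msg_id, "data": packet[HEADER_LEN:]}


def reassemble(packets):
    """Rebuild messages from an unordered bag of packets.

    Returns (messages, problems): messages maps msg_id -> bytes for every message
    whose parts are all present and whose joined size matches the declared length;
    problems lists, per msg_id, what prevented reassembly, so a gap in the evidence
    is visible rather than silently dropped.
    """
    parts = defaultdict(dict)   # msg_id -> {part number: data}
    meta = {}                   # msg_id -> (total parts, declared length)
    problems = []
    for pkt in packets:
        try:
            p = parse(pkt)
        except ValueError as exc:
            problems.append("malformed packet: %s" % exc)
            continue
        mid = p["msg_id"]
        if meta.setdefault(mid, (p["total"], p["length"])) != (p["total"], p["length"]):
            problems.append("msg %d: inconsistent header fields across parts" % mid)
            continue
        if p["part"] in parts[mid] and parts[mid][p["part"]] != p["data"]:
            problems.append("msg %d: part %d received twice with different data" % (mid, p["part"]))
            continue
        parts[mid][p["part"]] = p["data"]

    messages = {}
    for mid, (total, length) in meta.items():
        got = parts[mid]
        missing = [i for i in range(1, total + 1) if i not in got]
        if missing:
            problems.append("msg %d: missing parts %s" % (mid, missing))
            continue
        body = b"".join(got[i] for i in range(1, total + 1))
        if len(body) != length:
            problems.append("msg %d: declared length %d, got %d" % (mid, length, len(body)))
            continue
        messages[mid] = body
    return messages, problems


if __name__ == "__main__":
    # Constructed sample: a 500-byte message becomes 3 packets (202 + 202 + 96 bytes of data).
    pkts = fragment(b"A" * 500, msg_id=7, prev_ts=tai64(1_000_000_000))
    print([len(p) for p in pkts])
    print(reassemble([pkts[0], pkts[2]]))   # part 2 dropped: reported, not hidden
```

Because the header carries a message length and a part count, the collector can tell a message that was never completed apart from one that was short by design; the `problems` list is what an investigator would review when the defense questions the completeness of the log.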
6. The State of the Art in Research; Solving Emerging Issues
The internal tool validation process remains one of the most pressing problems in digital forensics, and it applies to the tools we discussed in this chapter. The validation process that the IRItaly Project, for example, is seeking to complete offers as a deliverable a checklist of the tools that make up the daily toolset of a forensic investigator, according to the master documents in the literature. The ultimate purpose of this deliverable is a checklist to ensure that the tools used are state-of-the-art. The priority is to guarantee a minimum of compliance with best practices and a solution to the problems of integrity and security defined in this article. This is currently not possible, since the issues raised here concern the acquisition phase and not the analysis phase, which is essentially done off-line with the tools cited above.
To date we have completed the daemon architecture and we are writing the code to be submitted for in-depth testing at the IRItaly laboratory (Incident Response Italy) located at the DTI in Crema. Implementation studies will be largely geared to verifying in practice what we have described above, with particular reference to the forensic compliance of the daemon we have decided to implement. We believe this project may represent a valid alternative to advanced syslogging systems such as those cited at the top of this chapter, and that SecSyslog, as described, can guarantee reliability for a system that was not developed for digital forensic purposes but which can satisfy these functions when circumstances require it. In most criminal trials in which we have been called as expert witnesses, the defense attorney has questioned the integrity of the syslog produced as evidence, citing its vulnerability to interception and attack by hackers. We believe that, after satisfying certain implementation requirements, the SecSyslog daemon will be ready for peer review (we are aiming