windows), or on global aggregate quantities (histograms, wavelets), instead of
focusing on precise periods or events in the past.
Industry Efforts: It is only recently that commercial organizations have realized the significance of a forensics system in aiding investigation of the cause of network security problems. In fact, at the time of writing Network Associates introduced a forensics tool called InfiniStream [32], which is a brute force approach that will not scale to a network of appliances. Also, there does not seem to be any concept of a network of Forensic Servers such as the one we describe. Another product along similar lines is NetIntercept [15] from Sandstorm Enterprise.
3 Overview of ForNet
In this section we provide an overview of ForNet, and describe the architecture of one of its components, the SynApp. ForNet is a distributed network logging mechanism to aid digital forensics over wide area networks. It is highly scalable and hence can keep up with the ever-increasing volume of data that goes through our networks. Unlike traditional packet loggers, ForNet uses synopsis techniques to represent enormous volumes of network traffic in a space-efficient manner, so that the summaries can be stored, processed, or transported across networks to answer queries.
3.1 ForNet Blueprint
ForNet is made of two main components: SynApps and Forensic Servers. A SynApp is an appliance that can be integrated into networking components, such as switches and routers; it summarizes and remembers network events in its vicinity for a prolonged period of time and is able to attest to these events with a certain level of confidence. Although a single SynApp functioning on its own can provide very useful information to a forensic analyst, a network of such cooperating appliances (even across a corporate intranet) would bring powerful new possibilities to the types of information that could be inferred from the combined synopses. Networking SynApps would also help them share data and storage, and let them collaborate in answering queries accurately. These SynApps can be arranged in a pure peer-to-peer architecture to collaborate with each other in the absence of centralized control. A hierarchical architecture is simpler (see Fig. 1) and would also work better with the given structure of the Internet.
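The following is an added illustration of the hierarchical arrangement described in this section, not code from the ForNet paper or its authors. SynApps keep a compact synopsis of the connections they observe, and a per-domain Forensic Server authenticates queries arriving from other domains, dispatches them to its SynApps, and certifies the combined answer. The Bloom-filter synopsis, the HMAC-based query authentication and result certification, and all names, keys and traffic records are assumptions chosen for the example; the paper does not prescribe these mechanisms.

```python
"""Toy model of a ForNet domain: SynApps with a space-efficient synopsis
and a Forensic Server that authenticates queries and certifies answers.
Added illustration; the synopsis and MAC choices are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


class BloomSynopsis:
    """Assumed synopsis: a Bloom filter over connection records.
    'Never seen' is answered with certainty; 'seen' carries a bounded
    false-positive rate, which is the 'certain level of confidence' a
    SynApp offers in exchange for a small, fixed storage footprint."""

    def __init__(self, nbits: int = 8192, nhashes: int = 4):
        self.nbits, self.nhashes = nbits, nhashes
        self.bits = bytearray(nbits // 8)

    def _positions(self, key: str):
        for i in range(self.nhashes):
            h = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.nbits

    def add(self, key: str) -> None:
        for p in self._positions(key):
            self.bits[p // 8] |= 1 << (p % 8)

    def maybe_contains(self, key: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(key))


def record_key(src: str, dst: str, dport: int, hour: int) -> str:
    """Canonical form of one connection record, bucketed by hour (assumed)."""
    return f"{src}>{dst}:{dport}@{hour}"


@dataclass
class SynApp:
    """Appliance co-located with a switch or router; summarises local traffic."""
    name: str
    synopsis: BloomSynopsis = field(default_factory=BloomSynopsis)

    def observe(self, src: str, dst: str, dport: int, hour: int) -> None:
        self.synopsis.add(record_key(src, dst, dport, hour))

    def answer(self, query: dict) -> bool:
        return self.synopsis.maybe_contains(record_key(**query))


class ForensicServer:
    """Domain-level control point: authenticates incoming queries, passes
    them to the SynApps' query processors, and certifies the result."""

    def __init__(self, domain: str, peer_keys: dict, signing_key: bytes):
        self.domain = domain
        self.peer_keys = peer_keys        # shared secrets with remote domains (assumed)
        self.signing_key = signing_key    # key used to certify results (assumed;
        self.synapps = []                 # a real deployment would use signatures)

    def register(self, app: SynApp) -> None:
        self.synapps.append(app)

    @staticmethod
    def _mac(key: bytes, payload: dict) -> str:
        msg = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def handle_query(self, origin: str, query: dict, tag: str) -> dict:
        # 1. Authenticate: the query must carry a valid MAC under the origin's key.
        key = self.peer_keys.get(origin)
        if key is None or not hmac.compare_digest(self._mac(key, query), tag):
            raise PermissionError(f"query from {origin} failed authentication")
        # 2. Dispatch to every SynApp in the domain and collect the ones that attest.
        hits = [app.name for app in self.synapps if app.answer(query)]
        # 3. Certify: tag the answer so the requester can attribute it to this domain.
        result = {"domain": self.domain, "query": query, "seen_by": hits}
        result["certificate"] = self._mac(self.signing_key, result)
        return result

    def verify_certificate(self, result: dict) -> bool:
        body = {k: v for k, v in result.items() if k != "certificate"}
        return hmac.compare_digest(self._mac(self.signing_key, body), result["certificate"])


def demo() -> dict:
    """Constructed scenario: two SynApps in 'example.edu', queried by the
    Forensic Server of a remote domain 'peer.example' (all values made up)."""
    peer_key = b"shared-secret-with-peer.example"
    fs = ForensicServer("example.edu", {"peer.example": peer_key}, b"example.edu-signing-key")
    edge, core = SynApp("edge-switch-1"), SynApp("core-router")
    fs.register(edge)
    fs.register(core)
    edge.observe("10.0.0.7", "192.0.2.9", 443, hour=13)        # constructed traffic
    core.observe("10.0.0.8", "198.51.100.4", 25, hour=13)
    query = {"src": "10.0.0.7", "dst": "192.0.2.9", "dport": 443, "hour": 13}
    tag = ForensicServer._mac(peer_key, query)                  # sent by the remote domain
    return fs.handle_query("peer.example", query, tag)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In this model only the Forensic Server holds the inter-domain keys, so a SynApp never has to decide whether a remote requester is legitimate, and a requester can check the certificate before trusting which appliances claimed to have seen the connection; the Bloom filter's one-sided error means a negative answer from a SynApp is definitive while a positive one should be read as "probably".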
In the hierarchical architecture all the SynApps within a domain form a network and are associated with the Forensic Server of that domain. Like the DNS servers of today, we envision future networks to have Forensic Servers as a critical component of their infrastructure. The Forensic Server functions as a centralized administrative control for the domain: it receives queries from outside its domain, passes them on to the query processor and storage management unit (which could be located in the SynApp or in the Forensic Server) after authentication, and sends query results back after certification. A network of SynApps forms the first level of the hierarchy in the hierarchical architecture of ForNet. Naturally, Forensic