time-stamps each data item written to the database to protect its integrity and
to allow it to be used in a court of law.
- Storage Management and Query Processor: The query processor handles all
database access and query processing issues and is discussed in more detail
below when we discuss the Forensics Server.
3.3 Design Considerations
Experiences we have had with a simple proof-of-concept ForNet network in a
large network have steered us toward achieving the following design goals for a
forensically sound network logging mechanism:
Capture of Complete & Correct Evidence: Network speeds have grown considerably
over the years, making it difficult to capture raw network traffic in its
entirety. Therefore, SynApps should be able to capture network traffic and create
appropriate synopses at line speed. Our goal is to implement SynApps in
hardware using network processors so that synopses can be created at line
speed. Traditional packet loggers encounter severe bottlenecks when transferring
raw network data from high-speed network media to slower storage media.
SynApps get around this bottleneck by transferring a synopsis of the network
traffic, which is only a fraction of the size of the actual traffic. Furthermore,
synopsis techniques also allow us to quantify the errors introduced during the
transformation of raw data, so that an analyst can quantify the correctness of
the evidence upon retrieval.
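As an added illustration of the quantifiable-error property described above (this is example code, not ForNet's own implementation; the paper does not name which synopsis techniques SynApps use), a Bloom filter is assumed here as one possible synopsis of connection records: it is far smaller than the raw flow log, never loses a recorded flow, and its false-positive rate can be computed from its parameters so an analyst knows how much to trust a "seen" answer.

```python
# Added example, not ForNet code: a Bloom filter as an assumed synopsis of
# (src, dst, dport) flow records, with its false-positive bound quantified.
import hashlib
import math


class FlowSynopsis:
    """Fixed-size bit array summarising which flows were observed.
    No false negatives (a recorded flow is always reported), but a flow that
    was never recorded may be reported with a bounded probability."""

    def __init__(self, n_expected: int, target_fp: float):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        self.m = math.ceil(-n_expected * math.log(target_fp) / math.log(2) ** 2)
        self.k = max(1, round(self.m / n_expected * math.log(2)))
        self.bits = bytearray(self.m)  # one byte per bit, for readability
        self.count = 0

    def _positions(self, flow):
        key = "|".join(map(str, flow)).encode()
        for i in range(self.k):  # k independent positions via salted SHA-256
            h = hashlib.sha256(bytes([i]) + key).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, flow):
        for p in self._positions(flow):
            self.bits[p] = 1
        self.count += 1

    def contains(self, flow) -> bool:
        return all(self.bits[p] for p in self._positions(flow))

    def false_positive_rate(self) -> float:
        # Classical estimate for the current fill level: (1 - e^(-kn/m))^k.
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


# Constructed sample flows (not captured traffic).
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443),
    ("10.0.0.7", "198.51.100.3", 22),
    ("10.0.0.9", "203.0.113.8", 53),
]


def build(flows, target_fp=0.01) -> FlowSynopsis:
    syn = FlowSynopsis(len(flows), target_fp)
    for f in flows:
        syn.add(f)
    return syn
```

Calling `build(FLOWS).false_positive_rate()` gives the figure an analyst would attach to any positive match retrieved from this synopsis; `syn.m` bits is its storage cost versus the raw records.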
Longevity & Accessibility of Evidence: Captured network data must be stored
for a prolonged period of time, as we don't know when we might need the data.
Synopses allow us to archive evidence for a longer time (compared to storing
raw network data) because they represent a large amount of network data succinctly.
Prompt and secure access to evidence is important to solving a crime in time.
SynApps support secure remote access to evidence via a query mechanism.
Ubiquity of SynApps: In order for SynApps to capture evidence, they must be
omnipresent on a network. The hardware design of SynApps will be such that they
can be seamlessly integrated into networking components, so that their presence on
the network can be as ubiquitous as that of the networking components themselves.
Security & Privacy: It is safest to assume that the various components of ForNet
will themselves be potential targets of attack. We discuss some attacks on ForNet
in Section 5. Moreover, any forensic tool that monitors networks must consider the
privacy implications and support adequate compartmentalization of the data it
stores.
Modular & Scalable Design: The modular design of the various components of ForNet
allows new synopsis techniques to be introduced into the system without
expensive redesigns. In order to keep up with ever-increasing network traffic,
ForNet must scale well as a whole. Therefore, the various components of ForNet, from
communication protocols to query processors, must be designed with scalability
in mind.