The 411 on Digital Forensics

Jacqueline Emigh undresses the sexy part of the computer security world in tackling the somewhat ambiguous term 'Digital Forensics.'

 By Jacqueline Emigh

"Forensics" -- Few Companies Agree on What It Means

"Digital Forensics." When you see that term, who (or what) springs to mind? Sherlock Holmes' reincarnation in cyberspace? The latest advancements in network troubleshooting, perhaps? More and more products now claim to help out with digital forensics. These products, though, can vary drastically in capabilities, experts say.

In the traditional sense of the word, digital forensics tools are used to help gather legal evidence after a network attack or similar incident has already happened, maintains John Pescatore, an analyst at IDC.

Speaking of Sherlock Holmes, Scotland Yard's Computer Crime Unit has now started using Guidance Software's EnCase Forensic Edition to glean evidence for submission to UK courts. AccessData is another company selling products in the investigatory forensics space.

Getting Sexy with Digital Security

"This is the sexy part of the computer security world," Pescatore said. "These products help to tell what occurred, what resources were affected, and who initiated an incident, in a manner that will support a legal action."

Increasingly, though, other types of diagnosis and security response products are also getting tagged with the "forensics" moniker, either intentionally or not. One kind of product is geared to administrators who are "drowning in alerts," Pescatore noted.

"These are really just tools to reduce the amount of data you're getting. They pull info from IDS (intrusion detection system) logs, server logs, and multivendor firewalls," according to the analyst.

A few vendors with products in this general category include netForensics, OpenService, Intellitactics, and GuardedNet.

Guidance's software and similar data filtering products might help you catch computer wrongdoers, but data filtering tools aren't intended to produce legally convincing evidence. On the other hand, information about incursions typically becomes available much more quickly -- possibly while there's still time left to thwart an attack.

"We can filter out a lot of the unimportant data. Then, after an attack, administrators can do a full log analysis," said Phil Hollows, VP of product marketing for OpenService.

"We let operators see what's happening in their environments across multiple devices -- in as near as real time as possible," according to Bill Oliphant, product manager at netForensics.

"If somebody has deleted a hard drive or downloaded something pornographic, we can reconstruct the incident. If a virus enters the network, we can recognize the propagation path," he added. The netForensics product also comes with over 100 canned reports, letting administrators drill down into information by device type, for instance.


Hugh McArthur, information systems security officer at Online Resources Corp. (ORC), said netForensics has met most of his company's expectations.

"About a year ago, we were looking for something that would consolidate information from IDS, firewalls, and logs, and that would also do realtime monitoring and alerting. Everyone's complaining that when you use IDS, you get too much data. We'd been manually correlating information from independent resources like Network Flight Recorder and Snort," according to McArthur.

ORC decided on netForensics after looking at several competing products. The company is running netForensics' engine and database on Linux. The netForensics agents, though, are distributed across a mainly Windows environment.

"netForensics seemed to have the most compatible agents for our environment. As with anything, though, it takes a little tuning. We had some training with netForensics, and the learning curve was less than a week," McArthur recalled.

Charles Watson, another netForensics user, has actually detected an incursion through use of the product. "The biggest benefit to netForensics is that you get a single view. You don't need to keep looking at multiple tools. It's also flexible. You can also filter it down to whatever you want. I can decide not to look at ICMP traffic, for instance, because ICMP comes only from me," said Watson, who is data network supervisor at Cellular South.

"The very first day I had netForensics, I noticed that some ports had been left open. An individual was using these ports, and he shouldn't have been."


This article was originally published on Feb 6, 2003