Friday, July 20, 2007

Network Based Forensics?

Talking about Network Based Forensics, are you going to perform batch analysis on every file you obtain from network data through a network forensics mechanism?

Even if you are able to examine every file transferred over the network, can you really dig into the details of every single piece of code? Remember that malicious content can be hidden inside picture files (steganography), a simple backdoor can be injected into a normal application, and so forth; how are you able to examine every single binary?

Do you have enough resources to perform this kind of operation?

How do you examine encrypted connections? Is there any trail?

Therefore it still falls back to the NSM concept. I have seen expensive commercial systems that can extract all the files and categorize them reliably; however, I swear I don't want to examine those files one by one, it's too costly and exhausting. I do agree that data can be stored for historical purposes, but doing data mining on it requires a better mechanism, and if you know Network Security Monitoring well, I think you will get what I mean by a better mechanism.

NSM allows you to research different areas if you ask me: you can study Network Statistical Analysis, Network Flow Analysis, IDS log analysis, or even data mining on raw network data (usually pcap). So you say you want to learn Network Based Forensics? Then you should again rethink NSM!!!!!
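To make the flow and statistical side of NSM concrete, here is an added example (written for this post, not code from the original) that works on session data rather than extracted files. The session records, the hosts (RFC 5737 documentation addresses) and the outlier threshold are all constructed. It builds a per-host statistical summary and then shows the trail an encrypted connection still leaves: the payload on port 443 cannot be read, but a session that sends far more than it receives, or lasts far longer than its peers, stands out in the flow record alone.

```python
"""Flow-level NSM summaries over constructed session records.

Each record mimics one line of session data an NSM sensor keeps:
  start_epoch, src_ip, dst_ip, dst_port, proto, bytes_out, bytes_in, duration_s
"""
from collections import defaultdict
from statistics import median

# Constructed sample session records (not captured traffic); addresses are
# from the RFC 5737 documentation ranges.
SESSION_RECORDS = """\
1184900000,192.0.2.5,198.51.100.34,443,tcp,1200,48000,3.2
1184900010,192.0.2.5,198.51.100.34,443,tcp,900,35000,2.1
1184900020,192.0.2.7,198.51.100.9,80,tcp,600,12000,1.0
1184900030,192.0.2.7,198.51.100.9,80,tcp,650,11000,0.9
1184900040,192.0.2.9,203.0.113.77,443,tcp,4800000,2200,7200.0
1184900050,192.0.2.5,198.51.100.20,22,tcp,3000,4000,40.0
1184900060,192.0.2.9,203.0.113.77,443,tcp,250,900,1.5
"""


def parse_sessions(text):
    """Parse CSV session lines into dicts; skips blank and '#' lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, src, dst, dport, proto, b_out, b_in, dur = line.split(",")
        sessions.append({
            "start": int(start), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes_out": int(b_out), "bytes_in": int(b_in),
            "duration": float(dur),
        })
    return sessions


def per_source_stats(sessions):
    """Statistical view: per internal host, totals and distinct peers/ports."""
    acc = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "bytes_in": 0,
                               "peers": set(), "ports": set()})
    for s in sessions:
        h = acc[s["src"]]
        h["flows"] += 1
        h["bytes_out"] += s["bytes_out"]
        h["bytes_in"] += s["bytes_in"]
        h["peers"].add(s["dst"])
        h["ports"].add(s["dport"])
    return {src: {"flows": v["flows"], "bytes_out": v["bytes_out"],
                  "bytes_in": v["bytes_in"], "distinct_peers": len(v["peers"]),
                  "distinct_ports": len(v["ports"])}
            for src, v in acc.items()}


def outlier_encrypted_sessions(sessions, port=443, factor=10.0):
    """Flow view of encrypted traffic. Flags a session on `port` when any of:
    bytes_out exceeds `factor` times the median bytes_out of that port's
    sessions, duration exceeds `factor` times the median duration, or the
    client sent more than it received (upload-heavy). `factor` is a
    constructed threshold, not a tuned value."""
    enc = [s for s in sessions if s["dport"] == port]
    if len(enc) < 3:  # too few sessions for a meaningful baseline
        return []
    med_out = median(s["bytes_out"] for s in enc)
    med_dur = median(s["duration"] for s in enc)
    flagged = []
    for s in enc:
        reasons = []
        if s["bytes_out"] > factor * med_out:
            reasons.append("bytes_out")
        if s["duration"] > factor * med_dur:
            reasons.append("duration")
        if s["bytes_out"] > s["bytes_in"]:
            reasons.append("upload_heavy")
        if reasons:
            flagged.append((s["src"], s["dst"], tuple(reasons)))
    return flagged


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_RECORDS)
    for host, st in sorted(per_source_stats(sessions).items()):
        print(host, st)
    for src, dst, why in outlier_encrypted_sessions(sessions):
        print("outlier encrypted session:", src, "->", dst, why)
```

The per-host table is the "statistical" layer and the outlier check is the "flow" layer; neither needs the file contents, which is the point the post makes about encrypted traffic. A real deployment would baseline over days of session data per host rather than over seven lines, and would feed these flags into the same workflow as IDS alerts so the analyst pivots between the layers instead of reading every extracted file.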

In fact, we don't need IDS analysts but NSM analysts.

Cheers ;]
