Wikipedia states that Network Forensics is “…proven techniques to collect, fuse, identify, examine, correlate, analyze, and document digital evidence from multiple, actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt, and or compromise system components as well as providing information to assist in response to or recovery from these activities…”
This business case requires a number of different tools, the most important of which is an enterprise-class Security Information and Event Management (SIEM) tool, which becomes the epicenter of all investigations and workflow. The SIEM must have some mandatory features which I will cover later in this article. But first, I would like to tell you how it’s done without SIEM.
In a previous job as a Network Security Specialist, I was in charge of tapping the wire for employee investigations and handling the data with chain-of-custody. This served as a daunting task as I would start my data captures with Open-Source software and use the spread-sheet kung-fu method of mapping all of the user activity and log data into digitally-signed archives, pending possible litigation. I established all of the guidelines and processes with support from our Legal and Corporate Fraud teams and built the procedures around the following processes: