Acts committed in cyber attacks are often difficult to identify because attackers remove incriminating traces. Digital forensics provides evidence of illegal actions in the digital world. One of its branches, network forensics, can record the entire communication flow between the attacker and the victim, but it is infeasible to capture all packets traveling on the network all the time: such recording requires excessive storage space and excessive time for data analysis. The work developed here presents a framework that uses security management as a trigger for volatile data acquisition in networks as soon as a security failure is detected. Initially, security metrics and corresponding thresholds are defined to indicate the violation risk for each monitored server. These security metrics include password file modification, server restarts, and an excessive number of users. Once a security violation is detected, the management system sends a remote command to start a complete datagram acquisition directed at the target. This data acquisition can be compared to a motion-sensor camera that starts recording video once it is triggered by movement. The management system also emails the security team, which then prevents further server damage and decides when to stop data capture. The solution is appropriate for enterprises since the network packet capture software must be preconfigured. Network data acquisition becomes essential when a successful attack leaves no hints on the target server. A proof of concept for the framework is presented in a real environment, demonstrating the feasibility of the solution and its accessible implementation using open software tools.
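The trigger logic described above, as an added example that is not code from the paper. The field names, the user threshold, the interface name and the choice of tcpdump as the capture tool are assumptions; the sample values are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    """One polling result for a monitored server (hypothetical field names)."""
    passwd_sha256: str    # digest of the password file
    uptime_s: int         # seconds since boot
    logged_in_users: int  # current interactive sessions

MAX_USERS = 5  # assumed threshold; the abstract gives no values

def violations(prev: Sample, cur: Sample, max_users: int = MAX_USERS) -> list[str]:
    """Compare two successive polls and name every metric that crossed its threshold."""
    found = []
    if cur.passwd_sha256 != prev.passwd_sha256:
        found.append("password file modified")
    # Uptime lower than at the previous poll means a reboot happened in between.
    if cur.uptime_s < prev.uptime_s:
        found.append("server restarted")
    if cur.logged_in_users > max_users:
        found.append("excessive users")
    return found

def capture_command(target_ip: str, iface: str = "eth0") -> list[str]:
    """argv for a full-packet capture restricted to the target's traffic."""
    # Reject anything that is not a literal IP before it reaches a remote command line.
    ip = str(ipaddress.ip_address(target_ip))
    return ["tcpdump", "-n", "-i", iface, "-s", "0",
            "-w", f"capture-{ip}.pcap", "host", ip]

def on_poll(target_ip: str, prev: Sample, cur: Sample):
    """Return (violations, capture argv); argv is None when nothing was triggered."""
    found = violations(prev, cur)
    return found, (capture_command(target_ip) if found else None)

# Constructed samples: baseline poll, a quiet poll, and a poll after tampering + reboot.
BASELINE = Sample("a" * 64, 86_400, 2)
QUIET = Sample("a" * 64, 86_700, 3)
TAMPERED = Sample("b" * 64, 120, 3)

if __name__ == "__main__":
    for name, cur in (("quiet", QUIET), ("tampered", TAMPERED)):
        found, argv = on_poll("192.0.2.10", BASELINE, cur)
        print(name, found, " ".join(argv) if argv else "no capture")
```

The capture runs until the security team stops it, so the returned argv sets no packet count or time limit.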