Network Forensic
Mr. Kelmen has done perhaps the first real effort at codifying ICT forensic issues into relevant topics upon which practitioners can meet to put their minds together and improve. Yet I find that there are certain issues that beg for answers. The work must first be acknowledged for raising the questions in the first place; indeed I have not come across a text strictly dedicated to ICT forensic issues. The first question that I request to be discussed is whether or not there are different meticulous procedures to treat a network environment as compared to machines not in a network, in terms of forensic procedures. Perhaps this will help us understand why network forensics is sometimes distinguished from other ICT forensic issues. Moreover, the articles of Mr. Kelmen need to bring these issues out clearly.
Submitted by Korir on 26 November 2009 - 3:11pm.
Dear Steve
Before investigating a case, one needs to be aware of what illegal activity has taken place. A security measure to constantly survey the network on the lookout for possible illegal activity may be either cyber patrol or cyber surveillance.
When you are aware of what criminal activity has taken place, say a case of remote hacking, that is when you begin an investigation. In such a case your target would be to establish when your systems were intruded upon, using the Netlog. You will be seeking to know whether the hacker attacked from his own server or whether he attempted to conceal his identity by using a proxy server. Either way, you will want to find out the IP address of the hacker, because that way you can possibly trace who the hacker is or, at the very least, where he is situated. In other words, during the investigation an investigator needs to know what he is looking for, and not use trial and error to find out what information may be of use to him.
Investigation is either proactive or reactive. Most network investigations are reactive investigations, therefore taking a snapshot may not always be possible. Investigations will therefore mostly focus on what is left behind by the offender. That hardly changes unless you change it yourself.
There are many tools available for network forensics; however, as regards the AI tools, I confess not to know about them. I will endeavour to find out about them.
==========================================================
Nobody has a monopoly to wisdom... we can learn even from the children
Storytelling's question
Of necessity, multimedia data is stored somewhere. It could be the computer hard disk or other storage devices, which may form part of the forensic findings.
There is several efficient disk-imaging software available in the market. Disk imaging is the process of making an exact duplicate of the disk in question without actually opening it or accessing the files within it.
The court does not believe stories; it believes facts. Hence the prosecution's story must be backed up by facts with integrity. To maintain the integrity of the data, forensic experts work on the duplicate disk. The original disk is then stored without being interfered with.
Processing of the duplicate disk will take place depending on the data type. For example, multimedia data like a video recording of child pornography can simply be played with the necessary software, e.g. Media Player Classic, Windows Media Player, Nero ShowTime or VLC; victims as well as suspects will be identified, and the same can be presented to court as evidence. The duplicate copy is therefore the one that will be used for flexible display. If the content is challenged, the court will be able to establish that the original disk has not been interfered with. In other cases, processing could include decrypting encrypted data, decoding steganographic algorithms and breaking passwords before the targeted data can be found.
The purpose of forensics is that of individualizing a suspect or suspects, and storing the evidence without compromising its integrity until it is presented in a court of law. The case for the integrity of the data can be made through a process as simple as opening the storage device in question before the court and right-clicking on a document icon or folder containing the evidential material. A pop-up menu appears; you then click on the Properties option. This gives you a dialogue box that contains details such as: type of file, location, size, date and time created, date and time modified, and date and time last accessed. Moreover, it may also give details of the title and the author's name. This history is relevant especially to show that the forensic investigator has not interfered with the data.
As regards the issue of knowing what changes have been made, this is an issue requiring different expertise. Investigations require a teamwork concept, where a group of relevant experts of different kinds work together to solve cases. For example, voice alteration requires people who can analyse sound and sound waves to find out what is not consistent with most of the data and therefore constitutes an alteration. The same applies to pictures and motion pictures, where examiners help in determining alterations. For example, a video recording can show a person walking on a street on a sunny day who is not casting a shadow, or is casting one in a different direction from the rest of the people. This would be an indication that perhaps that person has been superimposed on the scene using video-editing software. The concept applied in this form of examination is that of 'human error', which basically holds that in case of a superimposition, something will be inconsistent with the scene. This could be lighting, reflections, shadows, proportion, distance, time, stimulus and response, etc.
The investigation story will therefore show that a forbidden action occurred; that the suspect was in possession of the evidence; that the evidence implicated the suspect; that the evidence was legally acquired; and that the prosecution did not alter nor fabricate any evidence. This is the chain of evidence that must not be broken and from which the court must determine guilt or lack of it.
=========================================================
Nobody has a monopoly to wisdom... we can learn even from the children
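The post above rests on two claims a court will test: that the working copy is bit-for-bit identical to the original, and that nobody handled the evidence unrecorded. Added example, not code from the thread or from any poster: the customary way to support both is to hash the image at acquisition and keep a tamper-evident custody log, rather than relying on file-system timestamps. The "disk image" below is a constructed byte string standing in for a real image file, and the examiner names and times are invented.

```python
"""Verifying a forensic duplicate by cryptographic hash and keeping a
hash-chained chain-of-custody log.  Added illustration; the image bytes,
examiner names and timestamps are constructed, not real case data."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a disk image.  A real image is a file of many
# gigabytes; it is hashed in chunks exactly the same way.
ORIGINAL_IMAGE = bytes(range(256)) * 64 + b"RIFF....AVI LIST evidence.avi"


def hash_stream(chunks):
    """SHA-256 and MD5 of an iterable of byte chunks (acquisition forms
    usually record both); returns the hex digests."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    for chunk in chunks:
        sha.update(chunk)
        md5.update(chunk)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def hash_image(data, chunk_size=4096):
    """Hash an in-memory image in fixed-size chunks (a file would be read
    the same way instead of sliced)."""
    return hash_stream(data[i:i + chunk_size] for i in range(0, len(data), chunk_size))


def verify_duplicate(original, duplicate):
    """True only if the working copy matches the original in every bit."""
    return hash_image(original) == hash_image(duplicate)


class CustodyLog:
    """Append-only custody log.  Each entry commits to the hash of the
    previous entry, so altering or dropping any earlier entry breaks every
    later link and verify() fails."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, actor, action, evidence_sha256, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "when": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "evidence_sha256": evidence_sha256,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or self._digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Walk through acquisition, verification, a tampered copy and a
    tampered log.  Returns (copy_ok, tampered_copy_ok, log_ok, tampered_log_ok)."""
    original_hash = hash_image(ORIGINAL_IMAGE)["sha256"]
    log = CustodyLog()
    log.record("examiner A", "acquired image from seized drive",
               original_hash, "2009-11-26T15:11:00+00:00")

    working_copy = bytes(ORIGINAL_IMAGE)          # the duplicate the examiner works on
    copy_ok = verify_duplicate(ORIGINAL_IMAGE, working_copy)
    log.record("examiner A", "verified working copy against original",
               hash_image(working_copy)["sha256"], "2009-11-26T15:20:00+00:00")

    tampered = bytearray(working_copy)
    tampered[100] ^= 0x01                         # a single flipped bit
    tampered_copy_ok = verify_duplicate(ORIGINAL_IMAGE, bytes(tampered))

    log_ok = log.verify()
    log.entries[0]["actor"] = "someone else"      # rewrite history after the fact
    tampered_log_ok = log.verify()
    return copy_ok, tampered_copy_ok, log_ok, tampered_log_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The custody log only proves that its own entries were not altered after being written; it does not prevent an examiner from writing a false entry in the first place, which is why the acquisition hash is normally also recorded on a signed paper form at the time of seizure.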
Network Forensics
I suppose my question is as follows: given the large amounts of multi-source data that is produced by an investigation, what techniques exist to scientifically differentiate useful data from irrelevant data (exformation) and obtain a broad view of the information generated while simultaneously having the ability to drill down, ensuring that the conclusions reached by the investigation are correct? Obviously you have to navigate a space that is part hunch and guesswork, part experience and part science.
And given that network forensics are performed on a live network - which by definition is changing continuously - how is it possible to 'take a snapshot at a particular point in time' in a way that supports the investigation given that another snapshot with a different bias could lead to a completely different conclusion?
Also, are you aware of AI tools that can be used in network forensics?
Steve
Network Forensics
I'd like to enquire what software you recommend for storing and displaying the complex multimedia data that is collected during a forensic examination, and whether such systems have version-control facilities, e.g. they show when changes have been made and by whom. Ultimately a chain of evidence needs to be proven, and I was wondering how this is done while allowing flexible display of the data and maintaining data integrity. This chain of evidence is used to construct the story designed to secure a conviction, and the chain cannot be broken, as I understand it.
Steve
steve@storytelling.co.za
Network Forensics
Often during an ICT forensic investigation, evidence is collected showing that the compromised host is not an isolated case but rather part of something larger spanning a network or networks. This is where computer forensics meets network forensics.
Hence, once there has been a determination that an incident goes beyond one host on a network, a network forensic investigation begins with the goal of determining the scope of the incident.
The standard procedures for a network investigation are generally the same as those of a computer forensic investigation, save for the following peculiarity:
Unlike a computer and other hardware devices, a network cannot be isolated. This is because the cost of doing so is very high. Therefore network forensics is performed on a live network.
The key data sources in a network environment include incident response tools, packet captures, intrusion detection systems, NetFlow logs and any other network event logs.
The major challenge in network forensics is time and human error. This is because sometimes you may follow a wrong lead, consuming a lot of time, only to discover that it is the wrong lead.
================================================================
Nobody has a monopoly to wisdom... we can learn even from the children
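Two of the posts above describe the same procedure from different ends: the reply to Steve says the investigator must know what he is looking for (when the intrusion happened, from which IP address), and the original post says a network investigation begins by establishing the scope of the incident from sources such as NetFlow logs. Added example, not code from the thread or from either poster, working both steps over a constructed NetFlow-style export: the flow records, the victim host 10.0.0.5, the addresses 203.0.113.7 and 198.51.100.4, and the assumption that 10.0.0.0/8 is the internal range are all invented for illustration.

```python
"""Scoping an intrusion from NetFlow-style records.  Added illustration:
every address, host and flow line below is constructed, not real data."""
from datetime import datetime
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
VICTIM = "10.0.0.5"                              # host already found compromised

# Constructed flow export: start time, source, destination, dst port, bytes.
FLOWS_TXT = """\
2009-11-19T23:59:59Z 198.51.100.4 10.0.0.5 80 900
2009-11-20T02:14:03Z 203.0.113.7 10.0.0.5 22 5120
2009-11-20T02:16:40Z 203.0.113.7 10.0.0.5 22 1048576
2009-11-20T02:20:11Z 10.0.0.5 10.0.0.9 445 204800
2009-11-20T02:21:00Z 10.0.0.5 10.0.0.12 3389 307200
2009-11-20T03:02:55Z 203.0.113.7 10.0.0.12 22 2048
2009-11-20T08:00:00Z 10.0.0.20 10.0.0.5 80 1500
"""


def parse_flows(text):
    """Parse the whitespace-separated export into dicts, oldest first."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return sorted(flows, key=lambda f: f["ts"])


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def first_external_hit(flows, victim, dport=None):
    """Earliest flow from outside the internal range to the victim, optionally
    restricted to one service port.  Returns (iso timestamp, source) or None."""
    for f in flows:
        if (f["dst"] == victim and not is_internal(f["src"])
                and (dport is None or f["dport"] == dport)):
            return f["ts"].isoformat(), f["src"]
    return None


def scope_incident(flows, victim, attacker, since):
    """Other internal hosts touched after the intrusion time, either directly
    by the attacker address or by the victim itself (possible lateral movement).
    Returns {host: [reasons]}."""
    since = datetime.fromisoformat(since)
    touched = {}
    for f in flows:
        if f["ts"] < since:
            continue
        if f["src"] == attacker and is_internal(f["dst"]) and f["dst"] != victim:
            touched.setdefault(f["dst"], set()).add("direct from attacker")
        if f["src"] == victim and is_internal(f["dst"]):
            touched.setdefault(f["dst"], set()).add("from victim after intrusion")
    return {host: sorted(reasons) for host, reasons in touched.items()}


def investigate():
    """Returns (first external flow on any port, first external SSH flow,
    scope derived from the SSH intrusion)."""
    flows = parse_flows(FLOWS_TXT)
    any_port = first_external_hit(flows, VICTIM)          # a normal web request
    ssh = first_external_hit(flows, VICTIM, dport=22)     # the lead worth chasing
    when, attacker = ssh
    return any_port, ssh, scope_incident(flows, VICTIM, attacker, when)


if __name__ == "__main__":
    any_port, ssh, scope = investigate()
    print("first external flow (any port):", any_port)
    print("first external SSH flow:       ", ssh)
    for host, reasons in sorted(scope.items()):
        print(f"in scope: {host} ({', '.join(reasons)})")
```

The two calls to first_external_hit make the earlier post's point concrete: asked for any external contact, the records answer with an ordinary web request the night before, which is a wrong lead; asked for the service the host was actually broken into through, they give the intrusion time and source. As the same post notes, that source is only the address the traffic arrived from, which may be a proxy or a third host the attacker had already taken over; the flow records alone cannot distinguish the two.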