Network Evidence

• IDS systems are not designed for forensics.

  • IDS systems may indicate a security event but do not document it to a level sufficient for forensics
  • IDS systems are valid reasons why investigations are started, but not sufficient, alone, as evidence

• Sniffers can be used to record network traffic.

  • tcpdump
  • ethereal

• Network tracefiles, flows, IDS alarms, and all logs should be preserved as evidence.

• Network monitoring may be contrary to corporate security, or privacy policy, or the law!

Notes: