The Network Forensics Process Management System supports the forensic readiness of organisations by systematising the interactions of personnel during evidence acquisition: evidence is collected in anticipation of an incident, in a legally acceptable manner and before investigations begin.
Why is it needed?
Currently, the approach taken by organisations to cyber-incidents focuses on business continuity and disaster recovery. However, this approach often includes actions that contradict the principles of forensic investigations. Organisations tend to be reactive to cyber-incidents: once a security incident or data breach occurs they try to handle it and only then perform forensic investigations, followed by actual evidence collection.
Evidence suggests that companies suffer significant financial losses due to cybercrime. For example, in the UK losses are reported at around 37 billion euro per year (27 billion pounds) and in Italy at $875 million, with recovery and opportunity costs reaching $8.5 billion; the “average cost of cybercrime in Europe has risen steeply to $57,000 (€50,000) per incident”, and recent figures show that the median cost jumped to €50,000 over the past 12 months (2019-2020), representing a near six-fold increase on the previous year’s €9,000.
According to the Merriam-Webster dictionary, forensics is ‘the application of scientific knowledge to legal problems, especially scientific analysis of physical evidence, as from a crime scene’. The forensic process is dominated by ruling out potential explanations for the security events under investigation.
Network Forensics is defined as ‘The use of scientifically proved techniques to collect, fuse, identify, examine, correlate, analyse, and document digital evidence from multiple, actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt, and or compromise system components as well as providing information to assist in response to or recovery from these activities.’
Network forensics relates to the monitoring and analysis of network traffic for the purposes of gathering information, including legal evidence. It is the art of capturing, storing and analysing of host and network-based evidence, aiming to shed light on what has happened in the past and to identify the source of a network attack.
Network forensics is a complex task, made even more complex by the increasing complexity of ICT infrastructures. Network forensic processes aim to uncover information in and about the network and the infrastructure that was not previously known. They are complex processes in which methodologies, tools and human intelligence combine for the purpose of an investigation.
Forensic Readiness is defined as ‘…the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of an investigation’ and ‘having an appropriate level of capability in order to be able to preserve, collect, protect and analyse digital evidence so that this evidence can be used effectively: in any legal matters; in security investigations; in disciplinary proceeding; in an employment tribunal; or in a court of law.’ 
Organisations, during their operation, generate a lot of digital data that can become central pieces of evidence during a security incident investigation. However, not all digital evidence is collected, as it is generated for adjacent and seemingly unrelated purposes, such as internal communication, regulatory or legal requirements, or other external reasons. It is therefore not easy to forecast when and what digital evidence will be necessary. To this end, a forensic readiness process aims to assist organisations in laying the groundwork for incident readiness, so that the retrieval of digital evidence is structured and documented and the evidence is appropriately collected and stored even “before an incident occurs”, without service interruption. Furthermore, a forensic readiness process ensures that when digital evidence is required, it will be made available in a legally accepted form.
Being forensic ready demonstrates that an organization has the initiative and ability to manage risks effectively.
To assist organisations in their forensic readiness journey, European Dynamics has developed a novel Network Forensics Process Management System (NFPMS) that systematises the process of evidence acquisition and enables security personnel to interact and exchange knowledge and information online with forensic expert(s), adopting and implementing all the steps of the OSCAR network forensics methodology.
OSCAR is a methodological framework, used by forensic investigators, that ensures the results of the network forensic task are reproducible and accurate. The steps of this step-by-step process are:
- Obtain information about:
  - the incident itself, such as the date and time when the incident was discovered, the persons and systems involved, what initially happened, the actions taken since the discovery, who the incident manager is, etc. The time frame for investigation/recovery/resolution and the goals should be defined and written down.
  - the environment where it took place, including business model, legal issues, network topology (network map), available sources of network evidence, organisational structure (organisational chart), incident response management process/procedures, etc.
- Strategize: plan the investigation and prioritise the acquisition of the network-based evidence. For example, a company may define as high priority the collection of web proxy cache data or the firewall logs.
- Collect evidence from each identified source, based on the plan defined in the previous step, considering:
  - Documentation (log file) of all systems accessed and all actions taken during evidence collection, stored safely, including time, source of the evidence, acquisition method and the involved investigator(s).
  - Capturing of the evidence, where network packets are captured, system and application logs are copied, etc.
  - Storage/Transport of the collected evidence, demonstrating the Chain of Custody.
- Analyze: recover evidence material using a number of different methodologies and tools, depending on the case and what leads are already present. According to Brian D. Carrier, “After the obvious evidence has been found, then more exhaustive searches are conducted to start filling in the holes”.
- Report the results of the investigation to the client(s) in a manner fully understandable by non-technical persons, such as managers, judges, etc.
In this way, evidence is collected in anticipation of an incident, in a legally acceptable manner and before investigations begin. As a result, time and money are saved.
European Dynamics NFPMS fosters an organized approach as a key element of a successful forensic readiness plan, by enabling organisations to organise their steps to:
- determine the significant or relevant risks, types of incidents to be expected, and potential responses.
- define the cyber incidents and scenarios that require digital evidence.
- identify the capturing points for monitoring, select the monitoring targets, potential event sources, where they are stored, how they can be accessed, who should be contacted to get permission to access and collect them and how forensically sound they are.
- identify the resources available for event log collection, aggregation and analysis including evidence storage space, available time, tools, systems, and staff for collection and analysis.
- identify how the sources of evidence and the network itself might be impacted by evidence collection.
- prioritise sources of evidence, by identifying those that are likely to be of the highest value to the investigation, while also considering the effort needed to obtain them.
- plan evidence acquisition and identify relevant personnel that should be invited to provide access to the evidence and what kind of access should be given (physical or remote).
- select the appropriate methodologies and tools for collecting, storing and recovering evidence material in a secure and forensically sound manner.
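The prioritisation step above (and the OSCAR Strategize step it feeds) can be made systematic. The following planner is an added example, not code from the NFPMS page or product: it ranks candidate evidence sources by expected value per unit of acquisition effort and pulls forward any source whose retention window would run out while higher-ranked but durable sources are being collected, so that short-lived evidence such as a proxy cache is not overwritten. The 1..5 scales, the retention_hours field, the hours-per-effort-point estimate and the sample inventory are assumptions made for illustration.

```python
# Added example (not part of the NFPMS page or product): a planner for the
# "prioritise sources of evidence" readiness step, which is also what the OSCAR
# Strategize step does. Sources are ranked by expected value per unit of effort,
# and any source whose retention window would run out while higher-ranked but
# durable sources are being collected is pulled forward. The 1..5 scales, the
# retention_hours field, the hours-per-effort-point estimate and the sample
# sources are assumptions made for illustration.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class EvidenceSource:
    name: str
    value: int              # 1 (low) .. 5 (high): expected value to the investigation
    effort: int             # 1 (trivial) .. 5 (very costly) to acquire
    retention_hours: float  # hours before the source overwrites its data (assumed field)
    access: str             # "remote" or "physical"
    custodian: str          # who grants access to the source (placeholder roles)

def priority_score(src: EvidenceSource) -> float:
    """Value per unit of effort; higher means acquire earlier."""
    return src.value / src.effort

def plan_acquisition(sources: List[EvidenceSource],
                     hours_per_effort_point: float = 2.0
                     ) -> Tuple[List[EvidenceSource], List[str]]:
    """Return the acquisition order and a list of planning notes.

    1. Rank by value/effort, ties broken by lower effort, then by name.
    2. Walk the ranking keeping an estimate of elapsed time. Before starting
       the next source, check whether any still-unplanned source would be
       overwritten before that source finishes; if so, collect the most
       at-risk one first and note it.
    """
    remaining = sorted(sources, key=lambda s: (-priority_score(s), s.effort, s.name))
    plan: List[EvidenceSource] = []
    notes: List[str] = []
    elapsed = 0.0
    while remaining:
        nxt = remaining[0]
        duration = nxt.effort * hours_per_effort_point
        urgent = [s for s in remaining[1:] if s.retention_hours <= elapsed + duration]
        if urgent:
            nxt = min(urgent, key=lambda s: s.retention_hours)
            duration = nxt.effort * hours_per_effort_point
            notes.append(f"{nxt.name}: pulled forward, retention {nxt.retention_hours}h")
            if nxt.retention_hours < elapsed + duration:
                notes.append(f"{nxt.name}: AT RISK, may be overwritten before "
                             f"collection completes at ~{elapsed + duration:.0f}h")
        remaining.remove(nxt)
        plan.append(nxt)
        elapsed += duration
    return plan, notes

# Constructed sample inventory, as an organisation might record it in the
# "identify the capturing points" readiness step.
SAMPLE_SOURCES = [
    EvidenceSource("firewall logs", 5, 1, 720, "remote", "network administrator"),
    EvidenceSource("web proxy cache", 4, 2, 6, "remote", "proxy administrator"),
    EvidenceSource("central logging server", 5, 2, 2160, "remote", "SOC"),
    EvidenceSource("DHCP lease table", 2, 1, 24, "remote", "network administrator"),
    EvidenceSource("workstation disk image", 3, 5, float("inf"), "physical", "desktop support"),
]

def planned_order(sources: List[EvidenceSource]) -> List[str]:
    """Names only, in the order they should be acquired."""
    return [s.name for s in plan_acquisition(sources)[0]]

if __name__ == "__main__":
    order, notes = plan_acquisition(SAMPLE_SOURCES)
    for i, s in enumerate(order, 1):
        print(f"{i}. {s.name:24s} value/effort={priority_score(s):.1f} "
              f"access={s.access} contact={s.custodian}")
    for n in notes:
        print("note:", n)
```

With the sample inventory the firewall logs come first on pure value/effort, but the web proxy cache is moved ahead of the central logging server because its six-hour retention would expire while the logging server was being collected; the planner also flags a source whose retention is already shorter than its own collection time, which is the case where the readiness plan has to change the retention setting rather than the acquisition order.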
Workflows and Screenshots
NFPMS supports organisations in meeting the preconditions for network monitoring and forensics, by allowing:
- Security personnel to upload their organisation network architecture and topology including a detailed description;
- Forensic experts to indicate the capturing points for monitoring;
- Security personnel to select appropriate monitoring targets, focusing on and prioritising the most critical systems, including attack signatures for the monitoring targets where available;
- Security personnel to provide network related information, such as network behaviour, used protocols and connections and any communication patterns that will allow the forensic experts to define and decide upon the monitoring policy;
- Forensic experts to review, comment on and request updates to all uploaded material.
The following 9 steps illustrate this capacity.
Step 1: After the security personnel log in to the NFPMS they navigate to the “Tasklist” application and follow the steps to start the process.
Step 2: The security personnel upload the network architecture, including a detailed description.
Step 4: NFPMS process allocates a new task to the security personnel to indicate the capturing points.
Step 5: The security personnel select appropriate monitoring targets, focusing on and prioritising the most critical systems, including attack signatures for the monitoring targets if available, and information on the network behaviour, such as whether the network behaviour is known and whether the protocols and connections used can be kept to the necessary minimum.
Step 6: NFPMS invites the security personnel to select the monitoring policy and subsequently to define the monitoring targets and the protocols and connections used.
The forensic expert reviews uploaded information on monitoring targets, availability of attack signatures, network behaviour, used protocols and connections as well as any uploaded communication patterns and decides on the monitoring policy.
Execution of the OSCAR methodology
NFPMS allows security personnel to interact with forensic experts through all the steps of the OSCAR methodology, aiming to:
- Obtain information about the environment, identify the event log sources, identify the available resources for event log collection, and analyse whether and how the sources of evidence and the network itself will be impacted by evidence collection;
- Prioritize sources of network-based evidence, including their potential value to the investigation and the effort needed to obtain them;
- Initiate the Chain of Custody process, by documenting everything done by the security personnel and the forensic expert, including which systems were accessed and how, how collection of evidence from the network was achieved and all actions taken during collection of evidence from the central logging server;
- Detail the methodologies and tools used for recovering and analysing evidence material from the forensic working/investigation image, which is a duplicate of the forensic disk image;
- Convey the results of the investigation to the security personnel.
The following steps illustrate this capacity.
Step 1: As soon as the forensic expert logs in to the NFPMS he/she navigates to the “Tasklist” application, where he/she is presented with the tasks assigned to him/her.
He/she navigates to the relevant task and clicks on it. He/she is then presented with the first step of the OSCAR methodology, namely the “Obtain Information” step.
During this step, the forensic expert obtains information about the incident itself and the environment, by reviewing information provided earlier regarding the network architecture, and relevant IT policies and procedures. After reviewing the network architecture and talking with the security personnel/administrator(s), the forensic expert is now in a position to identify the sources of evidence (event logs sources) that are likely to relate to the investigation, including available resources and organisation personnel for collecting evidence (event log collection). At this step the forensic expert can also analyze whether and how the sources of evidence and network itself will be impacted by evidence collection and hence decide whether devices (sources of evidence) can be removed from the network, if they can be powered off, if they can be accessed remotely (active acquisition) and as a last resort whether they can be accessed at specific times or schedule a downtime, to minimise the impact.
Step 2: NFPMS informs via email the security personnel/administrator(s) that the forensic expert has provided information regarding the sources of evidence, the available resources for evidence collection and whether and how the sources of evidence and the network itself might be impacted by evidence collection.
The security personnel review the provided information and provide their comments.
Step 3: NFPMS informs via email the forensic expert that the security personnel/administrator(s) have reviewed the Obtain Information details and requests to proceed with the Strategize step.
During this step, the forensic expert prioritizes sources of network-based evidence, including their potential value to the investigation and the effort needed to obtain them, including which organisation personnel (system and/or network administrators) will provide him/her access to the evidence as well as the acquisition method.
Step 4: NFPMS informs via email the security personnel/administrator(s) that the forensic expert has prioritized the sources of network-based evidence, including their potential value to the investigation and the effort needed to obtain them, including which organisation personnel (system and/or network administrators) will provide him/her access to the evidence as well as the acquisition method.
The security personnel review the provided information and provide their comments.
Step 5: NFPMS informs via email the forensic expert that the security personnel/administrator(s) have reviewed the Strategize details and requests to proceed with the Collect Evidence step. At the last part of Collecting Evidence, the forensic expert initiates the Chain of Custody process, by documenting all the steps taken, the systems accessed and how they were accessed.
Step 6: NFPMS informs via email the security personnel/administrator(s) that the forensic expert has initiated the Chain of Custody process. The security personnel review the uploaded information and provide any further feedback if needed. The forensic expert/investigator uses his/her querying and analytics tools to recover evidence material from the forensic working image, in line with the fourth (Analysis) step of the OSCAR methodology.
Step 7: The final step of the process invites the forensic expert/investigator to the final step of the OSCAR methodology, namely “Report”, to convey the results of the investigation in a detailed Forensics Technical Report.
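Steps 5 and 6 above rely on two things being done rigorously: the Chain of Custody record (who handled which item, when, from which source and by what method) and the use of a working image that is a verified duplicate of the acquired image. The following code is an added example, not part of the NFPMS product: a minimal custody ledger whose entries carry the item's SHA-256 and are hash-chained to each other, plus a routine that creates the working image and refuses to hand over a copy whose hash does not match. The file names, people and sample image content are constructed placeholders.

```python
# Added example (not part of the NFPMS page or product): a minimal chain-of-custody
# ledger for the OSCAR Collect step and a verified working image for the Analyze
# step. Every ledger entry records who handled which item, when, from which source
# and by what method, plus the item's SHA-256 at that moment; entries are also
# hash-chained so a deleted or edited record is detectable. The working image is a
# byte-for-byte duplicate whose hash is checked before analysis tools touch it.
# File names, people and the sample image content are constructed placeholders.
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List

GENESIS = "0" * 64  # previous-hash value for the first ledger entry

def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _entry_hash(prev: str, body: dict) -> str:
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

class CustodyLedger:
    def __init__(self, path: Path):
        self.path = path
        self.entries: List[dict] = []

    def record(self, item: Path, action: str, handler: str, source: str, method: str) -> dict:
        """Append an entry for `item` and persist the ledger as JSON."""
        body = {
            "seq": len(self.entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "item": str(item), "action": action, "handler": handler,
            "source": source, "method": method, "sha256": sha256_of(item),
        }
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = dict(body, entry_hash=_entry_hash(prev, body))
        self.entries.append(entry)
        self.path.write_text(json.dumps(self.entries, indent=2))
        return entry

    def verify(self) -> List[str]:
        """Recompute the hash chain; any altered or reordered record is reported."""
        problems, prev = [], GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if _entry_hash(prev, body) != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: ledger record altered")
            prev = e["entry_hash"]
        return problems

    def check_item(self, item: Path) -> List[str]:
        """Compare the item's current hash with the last hash recorded for it."""
        recorded = [e for e in self.entries if e["item"] == str(item)]
        if not recorded:
            return [f"{item.name}: no custody record"]
        current = sha256_of(item)
        if current != recorded[-1]["sha256"]:
            return [f"{item.name}: current hash {current[:12]}.. differs from recorded "
                    f"{recorded[-1]['sha256'][:12]}.."]
        return []

def make_working_image(ledger: CustodyLedger, original: Path, working: Path, handler: str) -> Path:
    """Duplicate the acquired image; refuse to hand over a copy that does not match."""
    shutil.copyfile(original, working)
    if sha256_of(working) != sha256_of(original):
        working.unlink()
        raise RuntimeError("working image does not match the acquired image")
    ledger.record(working, "duplicate", handler, source=str(original), method="copyfile + sha256 check")
    return working

def demo() -> dict:
    """Acquire -> duplicate -> analyse, then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        acquired = work / "proxy01_disk.img"  # placeholder name
        acquired.write_bytes(b"CONSTRUCTED SAMPLE IMAGE " * 4096)
        ledger = CustodyLedger(work / "custody.json")
        ledger.record(acquired, "acquire", "A. Investigator (placeholder)",
                      source="proxy01 (placeholder host)", method="remote acquisition (assumed)")
        working = make_working_image(ledger, acquired, work / "proxy01_working.img",
                                     "A. Investigator (placeholder)")
        clean = ledger.verify() == [] and ledger.check_item(working) == []
        # An analysis tool writes to the working copy in place: the copy no longer
        # matches its custody record, while the acquired image stays intact.
        with open(working, "r+b") as f:
            f.write(b"X")
        copy_tampered = ledger.check_item(working) != []
        original_intact = ledger.check_item(acquired) == []
        # Editing a ledger record breaks the hash chain.
        ledger.entries[0]["handler"] = "someone else"
        ledger_tampered = ledger.verify() != []
        return {"entries": len(ledger.entries), "clean_before": clean,
                "copy_tampered": copy_tampered, "original_intact": original_intact,
                "ledger_tampered": ledger_tampered}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keeping the analysis on the working image is visible in the demo: when a tool modifies the working copy, the custody check on that copy fails while the acquired image still matches its record, so the investigator can re-duplicate from the original rather than argue about what changed. The hash chain over the ledger entries gives the same property to the record itself.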
European Dynamics Network Forensics Process Management System benefits include:
- Online collaboration and cooperation, between security personnel/administrator and forensic experts.
- Readiness to respond to the potential need for digital evidence. In case an organisation has to bring matters to trial, where digital evidence is required, there will be a need for digital forensics. This in turn requires electronic evidence to be provided quickly and in a forensically sound manner when requested. The OSCAR-based NFPMS ensures that appropriate procedures are established through all the steps, so that data related to a specific event are collected, stored and processed in an appropriate manner, making them readily available when requested;
- Minimized cost of cyber investigations, since the evidence is gathered and acquired in anticipation of an incident. Costs, time to respond as well as the disruption of operations are reduced and investigations are efficient and rapidly completed;
- Easier and faster detection and understanding of attack vector;
- Reduced costs of regulatory or legal requirements for data disclosure, since evidence is collected and stored in a proper manner, enabling organisations to provide evidence, when requested by regulatory authorities or law enforcement agencies, in an appropriate and timely manner;
- Complete and faster damage restoration and eradication, since post-incident activities are optimized, regarding cost, time and effort;
- Reduced insurance premiums, since organisations can prove that they are ready to respond to cyber incidents;
- Demonstrates due diligence and good corporate governance of the company’s information assets as well as regulatory compliance.
Notes
- We define “evidence” as any recordable event, or an artefact of an event, that can be used towards understanding the cause and nature of the observed incident/event.
- Net Losses: Estimating the Global Cost of Cybercrime, Economic Impact of Cybercrime II
- Cost of cybercrime per incident jumps six-fold to €50,000, June 2020
- Sule, Dauda, “Digital Forensics 101: Case Study Using FTK Imager”
- Robert Rowlingson, “A Ten Step Process for Forensic Readiness”
- The National Archives, Digital Continuity to Support Forensic Readiness, 2011
- The OSCAR methodology is defined in “Network Forensics: Tracking Hackers through Cyberspace”, by Sherri Davidoff and Jonathan Ham, pages 17-22
- Brian D. Carrier, Digital Investigation and Digital Forensic Basics, 2006