Abstract
Understanding the behavior of network forensic devices is important to support prosecutions of malicious conduct on computer networks as well as legal remedies for false accusations of network management negligence. Individuals who seek to establish the credibility of network forensic data must speak competently about how the data was gathered and the potential for data loss. Unfortunately, manufacturers rarely provide information about the performance of low-layer network devices at a level that will survive legal challenges. This paper proposes a first step toward an independent calibration standard by establishing a validation testing methodology for evaluating forensic taps against manufacturer specifications. The methodology and the theoretical analysis that led to its development are offered as a conceptual framework for developing a standard and to “operationalize” network forensic readiness. This paper also provides details of an exemplar test, testing environment, procedures and results.
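The abstract describes validating a forensic tap against its manufacturer's specification by measuring what the monitor port actually delivers. The script below is an added example, not code from the paper or from any vendor: it assumes a traffic generator that sends frames through the tap with a monotonically increasing sequence number in each payload, and a capture host that records the tap's monitor port, so that the capture can be reconciled against the sent sequence. The frame-loss percentage follows the RFC 2544 definition (lost frames over offered frames, times 100); the rate sweep mirrors the RFC 2544 practice of finding the highest offered load at which no frames are lost. The sent and captured sequences and the spec threshold are constructed for illustration.

```python
"""Offline reconciliation of a tap validation trial (added example).

Assumptions (not from the paper): every generated frame carries a unique,
increasing sequence number; the capture on the tap's monitor port yields those
numbers in arrival order; the vendor claims zero loss at line rate.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class TrialResult:
    sent: int          # frames offered to the tap
    captured: int      # frames seen on the monitor port
    lost: int          # offered frames never captured
    duplicates: int    # offered frames captured more than once
    out_of_order: int  # captured frames that arrived before an earlier one
    unknown: int       # captured frames not generated by us (background traffic, corruption)
    loss_pct: float    # RFC 2544 frame loss rate: 100 * lost / sent


def analyze_trial(sent_seq: Iterable[int], captured_seq: Iterable[int]) -> TrialResult:
    """Reconcile the captured sequence numbers against the sent ones."""
    sent_set = set(sent_seq)
    seen = set()
    duplicates = out_of_order = unknown = 0
    last = None
    for s in captured_seq:
        if s not in sent_set:
            unknown += 1          # not evidence of loss, but must be explained in testimony
            continue
        if s in seen:
            duplicates += 1       # a tap that replays frames also misrepresents the wire
            continue
        seen.add(s)
        if last is not None and s < last:
            out_of_order += 1     # arrival order differs from transmission order
        last = s
    lost = len(sent_set) - len(seen)
    loss_pct = 100.0 * lost / len(sent_set) if sent_set else 0.0
    return TrialResult(len(sent_set), sum(1 for _ in captured_seq) if False else
                       len(seen) + duplicates + unknown,
                       lost, duplicates, out_of_order, unknown, loss_pct)


def meets_spec(result: TrialResult, max_loss_pct: float = 0.0) -> bool:
    """Does one trial satisfy the (assumed) vendor claim of at most max_loss_pct loss,
    with no duplicated frames?"""
    return result.loss_pct <= max_loss_pct and result.duplicates == 0


def zero_loss_ceiling(trials_by_load: Dict[int, TrialResult]) -> int:
    """Highest offered load (percent of line rate) at which the tap lost nothing.
    Returns 0 if every trial lost frames."""
    passing = [load for load, r in trials_by_load.items() if r.lost == 0]
    return max(passing) if passing else 0


# --- constructed sample data ---------------------------------------------
SENT: List[int] = list(range(1, 1001))

# Constructed capture at 100% load: frames 250 and 600-602 missing, frame 17 seen twice,
# frames 400/401 swapped, and one stray frame (5000) that we never sent.
CAPTURED: List[int] = [s for s in SENT if s not in (250, 600, 601, 602)]
CAPTURED.insert(CAPTURED.index(17) + 1, 17)
_i = CAPTURED.index(400)
CAPTURED[_i], CAPTURED[_i + 1] = CAPTURED[_i + 1], CAPTURED[_i]
CAPTURED.insert(300, 5000)

# Constructed sweep: clean at 25% and 50%, loss appears at 75% and above.
SWEEP: Dict[int, TrialResult] = {
    25: analyze_trial(SENT, SENT),
    50: analyze_trial(SENT, SENT),
    75: analyze_trial(SENT, [s for s in SENT if s not in (10, 20)]),
    100: analyze_trial(SENT, CAPTURED),
}

if __name__ == "__main__":
    r = analyze_trial(SENT, CAPTURED)
    print(r)
    print("meets zero-loss spec at line rate:", meets_spec(r))
    print("highest zero-loss load (% of line rate):", zero_loss_ceiling(SWEEP))
```

The point of recording duplicates, reordering and unknown frames separately from loss is that each must be explained differently when the capture is presented as evidence: loss bounds what the tap can have missed, duplicates and reordering show where the monitor port's view diverges from the wire, and unknown frames flag traffic that did not come from the test generator.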
Copyright information
© 2007 International Federation for Information Processing
Cite this paper
Endicott-Popovsky, B., Chee, B., Frincke, D. (2007). Calibration Testing Of Network Tap Devices. In: Craiger, P., Shenoi, S. (eds) Advances in Digital Forensics III. DigitalForensics 2007. IFIP — The International Federation for Information Processing, vol 242. Springer, New York, NY. https://doi.org/10.1007/978-0-387-73742-3_1
DOI: https://doi.org/10.1007/978-0-387-73742-3_1
Publisher Name: Springer, New York, NY
Print ISBN: 978-0-387-73741-6
Online ISBN: 978-0-387-73742-3