Quality assurance for evidence collection in network forensics

  • Authors: Bo-Chao Cheng; Huan Chen
  • Affiliations: Department of Communications Engineering, National Chung-Cheng University, Chiayi, Taiwan; Department of Electrical Engineering, National Chung-Cheng University, Chiayi, Taiwan
  • Venue: WISA'06 Proceedings of the 7th international conference on Information security applications: Part I
  • Year: 2006

Abstract

Network forensics involves the process of identifying, collecting, analyzing and examining the digital evidence extracted from network traffic and network security element logs. One of the most challenging tasks in network forensics is collecting enough information to reconstruct the attack scenarios. Capturing and storing data packets from networks consumes a lot of resources: CPU power and storage capacity. The emphasis of this paper is on the development of an evidence collection control mechanism that produces solutions close to optimal, with a reasonable forensic service request acceptance ratio and tolerable data capture losses. In this paper, we propose two evidence collection models, Non-QA and QA, with preferential treatments for network forensics. They are modeled as Continuous Time Markov Chains (CTMC) and are solved by LINGO. Performance metrics in terms of the forensic service blocking rate, the storage utilization and the trade-off cost are assessed in detail. This study has confirmed that the Non-QA and QA evidence collection models meet the cost-effectiveness requirements and provide a practical solution to guarantee a certain level of quality assurance for network forensics.