     For years, computer and network security experts (whitehats) have fought to stay ahead of computer criminals (blackhats). As blackhats became more skilled and computers became more powerful, conventional security measures became less effective. This perpetual action-response cycle gave rise to a new field of study known as Computer and Network Forensics (CNF).

     CNF techniques are used to discover evidence in a variety of crimes, ranging from theft of trade secrets and violation of intellectual property rights to general misuse of computers. Any enterprise that depends on, or makes use of, computers and networks should have a balanced concern for both security and forensic capabilities.

     Until recently, the relationship between CNF and mainstream computer and network security techniques has been vague at best. By their nature, security efforts traditionally depend on actions that are taken before an attack to protect resources or information from malicious access or use. This is done through access control techniques, encryption, and vulnerability assessment mechanisms. More recently, significant effort has been focused on providing attack detection and response technology that works during suspected attacks to protect resources.

     CNF, by contrast, has traditionally had a different focus from both of these perspectives. First, CNF is concerned with gathering information about attacks and perpetrators rather than directly protecting resources or information. Second, and as a consequence, CNF has historically dedicated its efforts to actions taken after the fact, i.e. after malicious or suspicious activity has occurred, rather than to activity before or during an attack.

     Our initial focus in this project was to fundamentally extend the scope of CNF by proposing policies and techniques that could be implemented before an attack occurs and that would facilitate the CNF effort both during and after malicious or suspicious activity, thereby changing the nature of the traditional CNF model (Figure 1).

[CNF Traditional Model]
[Figure 1: CNF Traditional Model]


[CNF New Model]
[Figure 2: CNF New Model]


     The model we proposed (Figure 2) would enable enterprises to deter computer crime and position them to respond effectively to successful attacks by initiating the gathering of evidence before an attack occurs, thereby improving their ability to conduct effective CNF analysis.

     Over the last couple of years, CNF techniques have become highly sophisticated and CNF tools are increasingly effective. In addition to putting computer criminals in jail, CNF techniques have enabled whitehats to learn valuable information about blackhats' techniques and methods and to formulate protection and defense mechanisms, tools, and techniques.

     As our research continued to develop, we expanded our original idea to one based on using independently implemented systems to gather information that enables CNF experts to put blackhats who attack production systems in jail.

Researcher:

Yanet Manzano
Graduate Student
Information Assurance and Security Track
Department of Computer Science
Florida State University
http://www.cs.fsu.edu/~manzano/
manzano@cs.fsu.edu

Advisor:

Dr. Alec Yasinsac
Assistant Professor
Department of Computer Science
Florida State University
http://www.cs.fsu.edu/~yasinsac/
yasinsac@cs.fsu.edu