
Digital Forensics for Network, Internet, and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data [NOOK Book]




Network forensics is an evolution of typical digital forensics, in which evidence is gathered from network traffic in near real time. This book will help security and forensics professionals as well as network administrators build a solid foundation of processes and controls to identify incidents and gather evidence from the network. Forensic scientists and investigators are among the fastest growing jobs in the United States, with over 70,000 individuals employed in 2008. Specifically in the area of cybercrime and digital forensics, the federal government is conducting a talent search for 10,000 qualified specialists. Almost every technology company has developed or is developing a cloud computing strategy. To cut costs, many companies are moving toward network-based applications like PeopleSoft and HR Direct. Every day, we are moving companies' proprietary data into a cloud, which can be hosted anywhere in the world. These companies need to understand how to identify where their data is going and what they are sending.

  • Key network forensics skills and tools are discussed, for example, capturing network traffic, using Snort for network-based forensics, using NetWitness Investigator for network traffic analysis, and deciphering TCP/IP.
  • The current and future states of network forensics analysis tools are addressed.
  • The admissibility of network-based traffic is covered as well as the typical life cycle of a network forensics investigation.

Product Details

  • ISBN-13: 9781597495387
  • Publisher: Elsevier Science
  • Publication date: 7/2/2010
  • Sold by: Barnes & Noble
  • Format: eBook
  • Pages: 368
  • File size: 11 MB
  • Note: This product may take a few minutes to download.

Meet the Author

Clint P. Garrison has over 16 years of experience in law enforcement and information systems security. Clint started his career working for a small police department near Austin, Texas in 1995, and moved on as a Sergeant Investigator for the Texas Department of Insurance Insurer Fraud Unit's Major Case Team. His primary responsibilities included investigating major financial fraud cases and digital forensics.

Clint is currently an IT Security Consultant for a Fortune 100 company where his primary responsibility is to ensure his company's security compliance posture with numerous global security standards. He is also responsible for maintaining the incident response process to ensure timely and effective responses to potential breaches of company systems.

Certifications and Degrees:
• Adjunct instructor, teaching a Cyber Crimes and Information System Security class for the University of Phoenix's online graduate program in Criminal Justice
• BS in Administration of Criminal Justice from Mountain State University
• MBA in Information Assurance and MS in Information Technology from the University of
• Master Peace Officer's License and Peace Officer Instructor License

Read an Excerpt

Digital Forensics for Network, Internet, and Cloud Computing

A Forensic Evidence Guide for Moving Targets and Data
By Terrence V. Lillard, Clint P. Garrison, Craig A. Schiller, and James Steele


Copyright © 2010 Elsevier Inc
All rights reserved.

ISBN: 978-1-59749-538-7

Chapter One

What Is Network Forensics?


* Introduction to Cloud Computing

* Introduction to the Incident Response Process

* Investigative and Forensics Methodologies

* Where Network Forensics Fits In

The modern computer environment has moved past the local data center with a single entry and exit point to a global network comprising many data centers and hundreds of entry and exit points. This business and service migration to remote data centers, where computing and storage are rented from a larger company, is referred to as cloud computing. Companies and people have realized great benefits that result from the use of cloud computing systems – not only in terms of productivity, but also in access to high-speed systems for managing very large data sets in ways that would be financially impossible for some small and midsized companies. Larger companies have also realized the benefits of cheap utility cloud computing as these companies migrate critical databases, transactional processing systems, and software packages to a rented space in a data center that can be anywhere in the world. This migration also has complications for information security, as we traditionally understand the information security process, both procedurally and legally.

The typical data center, located locally or within traveling distance, whose systems could be physically accessed is quickly becoming a thing of the past, and this shift will continue to challenge all sections of the information security industry. Computer systems and network forensics are influenced by the change from local data centers to remote data centers, where physical access is not possible. Virtualization has also changed the nature of computer security and computer forensics in terms of how computers are viewed when dealing with an actual security incident. This means that there will continue to be changes in how computer security and forensics investigations are completed when some or all of the system is not physically accessible. It is no longer safe to assume that one physical device will have only one operating system that needs to be taken down for investigation. The physical server can have many virtual servers running on the physical hardware, and those virtual servers might not even belong to the same company or service. The nature and process of computer forensics need to address these new changes, along with changes in how law enforcement is involved with physical systems seizure in the event of a major crime.

There is no longer a solid "security perimeter" (Perrin, 2008) as information security people were taught even as recently as 2 years ago. The security perimeter has become any place on any device where people access the network and systems services that the company provides. The flexibility in what has become the new "security perimeter" is attributable to the many ways that we consume data on many different types of devices worldwide. In the world of networked services and systems, data and services are consumed over the Internet, which complicates any computer security investigation. The enterprise class systems that are migrating to the cloud computing platform, with services, either Web or otherwise, accessible through a browser or custom application, have to be well secured and protected against misuse or theft. There are also legal and compliance issues that need to be addressed in relation to the data and data systems that are being migrated to the cloud computing environment.

Cloud computing will require a change to corporate and security policies concerning remote access and the use of the data over a browser, privacy and audit mechanisms, reporting systems, and management systems that incorporate how data is secured on a rented computer system that can be anywhere in the world. It is the full context of the cloud computing system that a company is using that makes for a complex and challenging security environment and that defines the modern security perimeter. The security perimeter now must be viewed as a series of systems (hardware and operating system packages in a virtualized environment), data, access rules and policies which govern the data and access, as well as incident response that only tend to complicate the architecture and support processes. This "deperimeterization" (Pieters & Van Cleef, 2009) requires a completely new approach to not only how systems are programmed, but also how information security is conducted. These changes have yet to be addressed by best practices, although larger cloud service providers are starting to meet the needs of the industry. Over time, this will include how companies can truly address network and computer forensics in a cloud computing environment.

Network forensics in the cloud computing environment could be focused only on data that go to and from the systems that the company has access to, but that would miss the rest of the picture. Network forensics needs to be part of and work with all the other components that comprise the entire system within the cloud environment. Without the network forensics investigator, understanding the architecture of the cloud environment systems and possible compromises will be overlooked or missed. The network forensics investigator also needs to understand that the cloud environment is the space that the company rents on another company's computer systems to perform the work. The rented space in the cloud can be in a globally connected data center with many other companies where the user network entry point can be at any point on the Internet. Data in the cloud environment can be replicated to any data center in the world that is owned and operated by the cloud provider. The cloud providers have their own series of policies, security systems, hardware, and software packages that are independent of what a company is doing in the cloud space. Cloud computing customers may or may not have access to the data that relates to them specifically if a computer is suspected to have been compromised by a hacker or if data is stolen by an insider or outsider.

This complex series of interlinkages between the cloud provider and the cloud consumer provides a fertile ground for hackers and criminals who want to hack into systems for their own purposes. This also provides a fertile ground for insiders as well because the cost of setting up a cloud computer is so cheap. For about $40 a month, a full cloud server can be set up to be used for any purpose by anyone with a credit card. Simple programs like WinSCP can be used to access that cloud computer, or, if configured, it can simply be like any other File Transfer Protocol (FTP) server on the Internet, meaning that any FTP client, including a Windows mounting process, can be used to drop data on the cloud server. Some companies like Dropbox and Mozy offer this service for free up to 2 GB of information per user e-mail address. The cost of not understanding network forensics in a cloud computing environment can be devastating for a company if its data is lost or stolen by an employee. Cloud computing, with its assets and limitations, can also be a difficult environment for traditionally trained information security professionals to understand: just how porous the network has become, and how traditional forensics does not fit completely into a globally distributed cloud computing environment.


Cloud computing can be thought of as a simple rental of computer space in another company's data center. This implies that a company has control over some aspects of its systems depending on which cloud service that the company has bought. However, there is a lack of total control of the company's computing systems that the company would have in a traditional data center or computing environment. This requires a necessary shift in how a company addresses information security through controls, policies, and technical solutions because total control of the computing and networking assets is not possible in the cloud computing environment. Pragmatically, in cloud computing, a company is simply purchasing a virtual machine in someone else's data center.

The cloud service provider also has a set of inherent strengths and weaknesses that comes with the design philosophy that the cloud service provider had when it designed its systems. These design and architectural decisions on the part of the cloud service provider put limitations on what can and cannot be done in a forensics analysis of an event level that a company might engage in if it thinks that it has lost data or its cloud systems were compromised. It is important that the network forensics investigator and any information security person understand these design considerations that went into the cloud service provider's architecture. Amazon, Rackspace, and Microsoft Azure all have significantly different design philosophies that went into how they provide cloud computing services that will complicate any network forensics process that is taken by a company, which suspects that its cloud systems have been hacked.

With Amazon Web Services (AWS), you are purchasing an "Amazon Machine Image" (AMI) that is either Linux or Windows. You can run that virtual machine and do anything you want to do with it; you own it from the operating system on up. You do not own the network infrastructure, and you neither own the firewalls in the data center, nor do you own any of the supporting hardware below the operating system. However, you do own the entire virtualized machine, either Linux or Windows, and can do anything you want to do within the confines of that virtualized system. This is much the same setup that companies have internally in their own virtualized systems in their own company-controlled data centers. This also makes migration of tools and applications easier for traditional security tools that need to make changes to the registry of a computer system to operate. The key to note with Amazon is that once the virtualized server has been shut down, it is essentially lost and there is no way to retrieve that image, so it is very important to never shut down an image that is currently being investigated by a computer forensics or network forensics team. (More information on AWS can be obtained at

With Microsoft Azure, you own everything above the operating system and cannot alter anything in the operating system, including the registry. Any program that is installed on the system can only be installed as an XCopy (Chappell, 2009a), in that the software cannot make any changes to the registry of the computer or otherwise require deeper integration into the operating system, as most Windows-based software at this time does. In Azure, you cannot debug an application within the Azure framework to see if it has been doing something it should not do over the network (Chappell, 2009b). Rather, Azure is framed in support of Web services only, and it requires a new approach to thinking about programming, as well as about traditional software concerns including failover and the sudden loss of a computer system. The use of Azure will speed up operations for transactional and scalable systems, but much like Amazon, once the image has been taken down or stopped, it is no longer available for analysis.

Rackspace Cloud follows the same design principles as AWS, but is only Linux rather than a mixture of server operating systems (The Rackspace Cloud F.A.Q., 2010). Much like Amazon, you are given a simple virtual machine so that you can do anything you want to do with it. Rackspace is more flexible with dynamic resizing and processing of the system that the company is renting, but because of the use of the single operating system, the typical mixed environment of a larger company does not exist. Like all other primary cloud service providers, once the virtual machine is turned off, it cannot be recovered and it is simply lost.

The platform and hosting service that a company purchases for cloud computing is an essential decision point for network forensics. When making a decision on what provider to use, it is also important to understand how cloud computing works, what can be done with it, and what cannot be done with cloud computing. Some processes are going to be excellent in a cloud computing environment, such as transaction processing, scalable Web services, and scalable Web servers. Cloud computing is also very good at raw horsepower when a large number of computations need to be made, or huge terabyte-size databases need to be reviewed for business intelligence or for information security log file data mining. The inherent limitations of cloud computing also need to be equally understood if network and computer forensics are to be successful in this environment. The decision to use a cloud service provider has to be reviewed not only in terms of what services the cloud service offers, but also in terms of how the company purchasing the cloud computing services decides to use it. These decisions have direct implications on how network and systems forensics will be conducted. It is important that the security department has a voice at the table when a company is looking for a cloud service provider because the security department will need to be able to construct and build security services and monitoring services based on the cloud service provider that is chosen. However, there are commonalities among all the cloud service providers that the security department and the forensics personnel can fall back on regardless of what cloud service provider is chosen by a company. In some cases, regardless of the provider, the virtualized environment will complicate, and in some cases, it will reduce the effectiveness of network-based forensics. The cloud service provider commonalities are as follows:

* There is no access to network routers, load balancers, or other network-based components.

* There is no access to large firewall installations – the closest firewall is the one that is on board the operating system itself.

* There is no true capability to design a network map of known hops from one instance to another that will remain static or consistent across the cloud-routing schema.

* Systems are meant to be commodity systems in that they are designed to be built and torn down at will. When the virtual machine (VM) is torn down, there is no physical data of that image, and it is simply lost. If the VM is ever shut down, then the entire system, including logs, can also be destroyed and never recovered.

* VMs will be built and torn down at will by any number of system administrators at a company as an on-demand service – the company has to make an entire new set of security policies and plans to work with suspected compromised cloud servers and services.

* It is possible to make a bitstream image of the virtual machine, but only as an International Organization for Standardization (ISO) image that will have to be examined offline. However, the ISO images can be stored in the cloud computing environment for sharing with law enforcement or legal counsel.

* What services are being provided, such as Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), make a difference in how security compliance, controls, policies, and investigation standards will be implemented by a company (Cloud Security Alliance, 2009).

* The threat environment is the same on the cloud for an exposed service as it is for any other exposed service that a company offers to anyone on the Internet.

* The network forensics investigator is limited to the tools on the box, rather than the entire network that network forensics investigators have become accustomed to working with.

The concept of network forensics in cloud computing requires a new mindset where some data will not be available, some data will be suspect, and some data will be court ready and can fit into the traditional network forensics model. The challenge for any forensics investigator is to understand what data set collected falls into each of the categories of not available, suspect, and court ready. Working with the company's legal counsel and cloud computing experts will be a necessity, until the general information security community catches up with the changes that cloud computing represents for information security, in general.


Excerpted from Digital Forensics for Network, Internet, and Cloud Computing by Terrence V. Lillard, Clint P. Garrison, Craig A. Schiller, and James Steele. Copyright © 2010 by Elsevier Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.

Table of Contents

PART I INTRODUCTION
  • CHAPTER 1 What Is Network Forensics?

PART II GATHERING EVIDENCE
  • CHAPTER 2 Capturing Network Traffic
  • CHAPTER 3 Other Network Evidence

PART IV COMMERCIAL NETWORK FORENSICS APPLICATIONS
  • CHAPTER 6 Commercial NetFlow Applications
  • CHAPTER 7 NetWitness Investigator
  • CHAPTER 8 SilentRunner by AccessData

PART V MAKING YOUR NETWORK FORENSICS CASE
  • CHAPTER 9 Incorporating Network Forensics into Incident Response Plans
  • CHAPTER 10 Legal Implications and Considerations
  • CHAPTER 11 Putting It All Together

PART VI THE FUTURE OF NETWORK FORENSICS
  • CHAPTER 12 The Future of Cloud Computing
  • CHAPTER 13 The Future of Network Forensics
