DocumentCode
608011
Title
Forensically-Sound Methods to Collect Live Network Evidence
Author
Castiglione, Arcangelo ; Cattaneo, Giuseppe ; De Maio, Giancarlo ; De Santis, Alfredo
fYear
2013
fDate
25-28 March 2013
Firstpage
405
Lastpage
412
Abstract
In the last decade Digital Forensics has experienced several issues when dealing with network evidence. An analyst who is in charge of managing evidence flowing over a network has to face problems due to the volatile nature of such information. In fact, such data may change over time, may lie on a server outside his jurisdiction, or may be geographically far from where the crime was committed. In this paper two methods that allow the remote collection of network evidence produced by online services, such as web pages, chats, documents, photos and videos, are presented. They enable the analyst to drive the acquisition process through the online services considered potential sources of evidence. During the process, all data flowing through the network (i.e., all the IP packets) is automatically collected. The second method also collects the graphical representation of the acquisition (e.g., how the browser visualizes such data). Both methods introduce a trusted third party (acting as a digital notary) which is in charge of collecting and "certifying" network evidence. Before the acquisition process is closed, a detailed report of the collected evidence is generated and made available to the analyst along with the collected data. Cryptographic primitives are used to demonstrate ex post the integrity of the data, how it has been acquired and the acquisition time. As a proof of concept, two prototypes have been implemented. At the same time, to enhance the Court's confidence in the collected evidence, the service could be run across multiple coordinated servers acquiring the same data from different points of the network.
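Added illustration (not the authors' prototype, and not code from the paper): a minimal "digital notary" session of the kind the abstract describes. Each captured packet is hashed into a chain that commits to its position and acquisition time, the optional browser screenshot is committed as well, and the closing report is authenticated by the notary. The verifier re-derives everything from the data handed to the analyst, so any altered, dropped, reordered or re-timed packet is detected ex post. Assumptions: the notary authenticates the report with HMAC-SHA256 under a key only it holds (a stand-in for the digital signature and trusted timestamp a real notary would use); timestamps are supplied by the caller; the packets and screenshot below are constructed sample bytes, not real captures.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed key for this example only. A deployed notary would sign with an
# asymmetric key so that a court-side verifier needs no shared secret.
NOTARY_KEY = b"example-notary-key-not-for-production"
GENESIS = "0" * 64


def _link(prev: str, index: int, acquired_at: str, packet_digest: str) -> str:
    """Hash-chain link committing to the previous link, position, time and packet hash."""
    material = f"{prev}|{index}|{acquired_at}|{packet_digest}".encode()
    return hashlib.sha256(material).hexdigest()


def _canonical(report: dict) -> bytes:
    """Deterministic serialisation so notary and verifier MAC identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


class NotaryAcquisition:
    """One acquisition session run by the trusted third party."""

    def __init__(self, analyst: str, target: str, started_at: str):
        self.header = {"analyst": analyst, "target": target, "started_at": started_at}
        self.packets = []          # per-packet entries, in capture order
        self.chain = GENESIS

    def record_packet(self, raw: bytes, acquired_at: str) -> str:
        digest = hashlib.sha256(raw).hexdigest()
        entry = {"index": len(self.packets), "acquired_at": acquired_at, "sha256": digest}
        self.chain = _link(self.chain, entry["index"], acquired_at, digest)
        self.packets.append(entry)
        return self.chain

    def close(self, closed_at: str, screenshot: Optional[bytes] = None) -> dict:
        """Build the report handed to the analyst together with the raw data."""
        report = dict(self.header)
        report.update({
            "closed_at": closed_at,
            "packet_count": len(self.packets),
            "packets": self.packets,
            "chain_head": self.chain,
            # second method of the paper: also commit to the graphical rendering
            "screenshot_sha256": hashlib.sha256(screenshot).hexdigest() if screenshot else None,
        })
        mac = hmac.new(NOTARY_KEY, _canonical(report), hashlib.sha256).hexdigest()
        return {"report": report, "notary_mac": mac}


def verify_acquisition(signed: dict, packets: List[bytes],
                       screenshot: Optional[bytes] = None, key: bytes = NOTARY_KEY) -> bool:
    """Ex post check: report is authentic and the data on disk is what was notarised."""
    report = signed["report"]
    expected = hmac.new(key, _canonical(report), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["notary_mac"]):
        return False                                  # report altered or not from the notary
    if len(packets) != report["packet_count"]:
        return False                                  # packets added or dropped
    chain = GENESIS
    for entry, raw in zip(report["packets"], packets):
        digest = hashlib.sha256(raw).hexdigest()
        if digest != entry["sha256"]:
            return False                              # packet content changed
        chain = _link(chain, entry["index"], entry["acquired_at"], digest)
    if chain != report["chain_head"]:
        return False                                  # order or timestamps changed
    shot = hashlib.sha256(screenshot).hexdigest() if screenshot else None
    return shot == report["screenshot_sha256"]


# Constructed sample acquisition: three fake IP packets and a fake screenshot.
SAMPLE_PACKETS = [
    b"\x45\x00\x00\x3c" + b"GET /evidence.html HTTP/1.1\r\n",
    b"\x45\x00\x00\x28" + b"HTTP/1.1 200 OK\r\n",
    b"\x45\x00\x00\x3c" + b"<html>page as served</html>",
]
SAMPLE_SCREENSHOT = b"PNG-bytes-of-browser-window"


def run_sample() -> dict:
    session = NotaryAcquisition("analyst-01", "http://example.test/evidence.html",
                                "2024-01-01T10:00:00Z")
    for i, pkt in enumerate(SAMPLE_PACKETS):
        session.record_packet(pkt, f"2024-01-01T10:00:0{i + 1}Z")
    return session.close("2024-01-01T10:00:05Z", SAMPLE_SCREENSHOT)


if __name__ == "__main__":
    signed = run_sample()
    print("intact:", verify_acquisition(signed, SAMPLE_PACKETS, SAMPLE_SCREENSHOT))
    tampered = SAMPLE_PACKETS[:2] + [b"\x45\x00\x00\x3c<html>altered</html>"]
    print("tampered:", verify_acquisition(signed, tampered, SAMPLE_SCREENSHOT))
```

Running several coordinated notaries, as the abstract suggests, amounts to each server producing its own report for the same target; a verifier then compares their per-packet digests and chain heads, and disagreement points at the network path rather than at the collection itself.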
Keywords
cryptography; data acquisition; data structures; digital forensics; trusted computing; acquisition process; court confidence; cryptographic primitives; digital forensics; ex post data integrity; forensically-sound methods; graphical acquisition representation; live network evidence collection; multiple coordinated servers; network evidence certification; online services; remote network evidence collection; trusted third party; Browsers; Computers; Forensics; Protocols; Servers; Videos; Web pages; Certified Network Acquisitions; Digital Forensics; Digital Investigations; Live Network Acquisitions; Live Network Investigation; Network Forensics;
fLanguage
English
Publisher
ieee
Conference_Titel
Advanced Information Networking and Applications (AINA), 2013 IEEE 27th International Conference on
Conference_Location
Barcelona
ISSN
1550-445X
Print_ISBN
978-1-4673-5550-6
Electronic_ISBN
1550-445X
Type
conf
DOI
10.1109/AINA.2013.133
Filename
6531784
Link To Document