Achieving critical infrastructure protection through the interaction of computer security and network forensics

Recent years have seen substantial development in computer and network security design. This has been manifested as an ever increasing range of new protocols, new encryption algorithms, new methods of authentication, smarter firewalls and intrusion detection techniques, new anti-malware products and many more. During the same period, increasing demands for a more trustworthy network infrastructure have seen the development of sophisticated analysis tools necessary to meet the operational requirements of law enforcement agencies. These include tools for e-discovery, commercial intelligence and national security. Thus the industry has seen equally significant developments in computer forensic tools, where methods of searching for and detecting malicious activity, for presentation as evidence and provision of trust, have become ever more sophisticated. To a considerable degree the sciences of security and forensics have each seen rapid but separate development. This paper proposes that there are areas in common between these two important fields of endeavour and sets out techniques and ideas which demonstrate how they can overlap and work together in order to provide improved security and trustworthiness in critical infrastructures. In particular, this paper addresses computer security and forensic analysis from a real-time perspective, such that security events can be monitored in a live network while sound forensic data collection, storage and processing is carried out in a manner which supports real-time security and at the same time still meets the requirements of sound evidence.
