Data collection is the most important stage in network forensics, but under resource-constrained conditions a good evidence collection mechanism is required to collect events effectively in a high-traffic network environment. In the literature, a few network forensic tools offer MSN-messenger behavior reconstruction; however, they have no classification strategy at the collection stage for when the system becomes saturated. This paper addresses these shortcomings and proposes a way to select a better classification so as to ensure the integrity of the evidence at the collection stage in high-traffic network environments. A system-awareness decision classifier (SADC) mechanism is proposed. With it, the MSN-shot sensor is able to adjust the amount of data to be collected according to the current system status, and to preserve evidence integrity as far as possible according to the file format and the current system status. Analytical results show that the proposed SADC, used to implement selective collection (SC), incurs lower cost than full collection (FC) under heavy-traffic scenarios. With the proposed SADC mechanism deployed, we believe that MSN-shot is able to reconstruct MSN-messenger behaviors perfectly in the context of the upcoming next-generation network.
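The following Python simulation is an added illustration of the idea behind a system-aware selective collector; it is not code from the paper or from MSN-shot. The event categories ("text", "file", "presence"), their priority table, the header-only record size, the buffer model and the load thresholds are all assumptions chosen for the example. It replays one constructed event trace through a small sensor buffer twice, once with full collection (every event stored whole) and once with a load-aware decision (keep high-value events whole, summarize or drop low-value ones as the buffer fills), and reports what each strategy wrote, how much high-value evidence survived intact, and how many events were lost to buffer overflow.

```python
"""
System-aware selective collection, simulated.  Added example, not the
paper's code: categories, priorities, thresholds and the buffer model
below are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    FULL = "full"          # store the whole event
    METADATA = "metadata"  # store a fixed-size header/summary record only
    DROP = "drop"          # store nothing


@dataclass(frozen=True)
class Event:
    kind: str   # assumed categories: "text", "file", "presence"
    size: int   # bytes on the wire


# Assumed evidentiary value per category (higher = more valuable).
PRIORITY = {"text": 2, "file": 2, "presence": 0}
METADATA_BYTES = 64  # assumed size of a header-only record

# Assumed load thresholds, as a fraction of the buffer in use.
LOW_WATER = 0.3
HIGH_WATER = 0.7


def decide(event: Event, load: float) -> Mode:
    """Load-aware decision: the busier the sensor, the less it keeps of
    low-value events so that high-value ones can still be stored whole."""
    prio = PRIORITY.get(event.kind, 1)
    if load < LOW_WATER:
        return Mode.FULL
    if load < HIGH_WATER:
        return Mode.FULL if prio >= 2 else Mode.METADATA
    # saturated: summarize high-value events, drop the rest
    return Mode.METADATA if prio >= 2 else Mode.DROP


def stored_bytes(event: Event, mode: Mode) -> int:
    if mode is Mode.FULL:
        return event.size
    if mode is Mode.METADATA:
        return min(METADATA_BYTES, event.size)
    return 0


def run(events, capacity: int, drain_per_event: int, selective: bool):
    """Replay `events` through a buffer of `capacity` bytes that drains
    `drain_per_event` bytes between arrivals.  Returns (bytes written,
    bytes of high-value evidence kept whole, events lost to overflow)."""
    buf = written = kept_whole = overflow = 0
    for ev in events:
        buf = max(0, buf - drain_per_event)
        mode = decide(ev, buf / capacity) if selective else Mode.FULL
        need = stored_bytes(ev, mode)
        if buf + need > capacity:
            overflow += 1  # the event is lost entirely
            continue
        buf += need
        written += need
        if mode is Mode.FULL and PRIORITY.get(ev.kind, 1) >= 2:
            kept_whole += ev.size
    return written, kept_whole, overflow


# Constructed trace: a burst of low-value presence traffic surrounding a
# file transfer and two text messages.
TRACE = [
    Event("presence", 300), Event("presence", 300), Event("presence", 300),
    Event("file", 400), Event("text", 200),
    Event("presence", 300), Event("text", 200),
]


def compare(events=TRACE, capacity: int = 1000, drain: int = 100):
    """Full collection versus selective collection on the same trace."""
    return {
        "full": run(events, capacity, drain, selective=False),
        "selective": run(events, capacity, drain, selective=True),
    }


if __name__ == "__main__":
    for name, (written, kept, lost) in compare().items():
        print(f"{name:9s} wrote={written} high_value_intact={kept} lost={lost}")
```

On this trace full collection overflows twice and loses a text message, while the selective strategy writes fewer bytes, keeps every text and file event whole and loses nothing; which events get summarized or dropped depends entirely on the assumed priority table and thresholds, which is exactly the knob a system-aware classifier would tune.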