Friday, November 04, 2005

Network Forensics? Please.

Today I looked at the Interop New York 2005 Schedule and noticed an item called "Network Forensic Day" taught by Pine Mountain Group. I try to stay current with people and companies performing security work, but I had never heard of PMG. I looked at the description of the course, wondering if the "network" meant "enterprise," as in "how to use forensics in the enterprise." I think that is a misapplication of the term network in that context, but it's common enough. Alternatively, perhaps "network" meant "traffic," which is how I use the term.

When I mention "network forensics," I define it as the art of collecting, protecting, analyzing, and presenting network traffic to support remediation or prosecution. This is in line with the definition of forensics:

"1. The art or study of formal debate; argumentation.
2. The use of science and technology to investigate and establish facts in criminal or civil courts of law."

It turns out PMG's use of the term "Network Forensics" has nothing to do with any recognized application of the term. They say:

"Network Forensics is the study of the micro transactions of inter-network components, platforms and the applications that process on and across them.

By taking a forensic measurement of a micro transaction, quantifying the repeated dependency on the micro to that of the macro we can quantify the improvement for an end user that specific IT optimizations might provide. On the business process side, quantification of the cost of the macro transaction time spent by an end user can be quantified in annual cost or lost productivity associated with slow applications. Knowing optimization improvements and their associated costs allows a long term ROI to be considered. The result? Best bang for the buck optimization!

Come join PMG NetAnalyst in a day of cross technology, vendor independent network training with a twist: PMG will take you on a journey down several complex multi-vendor network environments where troubles abound. You will be taught how to use a well rounded 'bag of tools' to analyze and troubleshoot the issues as well as how applying best practices could have avoided these issues. Forensics Day will show you how to save money as well as improve performance and reliability by using 'brain cells' instead of budget to solve and even prevent problems."

Please. This is not "network forensics" by any stretch of the imagination. This is an attempt to add a sexy name to the otherwise boring ideas of network troubleshooting. The latest iteration and expansion of the concept uses the term Business Service Management, which I learned about recently through the 1 September 2005 Network Computing magazine.

I understand there are similar uses of the term "forensics" outside of the legal realm. However, "network forensics" has had a security association for years. I would like to see it stay that way to avoid further cluttering our professional landscape.


Semper_Securus said...

Completely agree...
This is another example of "cultural marketing" at its best (or worst). With the popularity of television programs like CSI, Law & Order, et al. I'm surprised we aren't seeing more examples of this.

It reminds me of when a certain game show was hugely popular a few years back. Everywhere I turned I saw seminars such as "Who Wants To Be A CIO?"... "Who Wants To Be An IT Hero?"...... Ugh..

Anonymous said...

Security pros actually do a bit of their own "cultural marketing" by using terms like forensics. It is natural that all those in the consulting biz want to latch on to the latest sexy terminology.

You're all in the business of selling your seminars and books. Try to keep that in mind as you pompously denigrate others' methods in the name of "uncluttering" your field.

Richard Bejtlich said...

Anonymous -- I'll take your comments seriously when you post using a real name.

js said...

I agree with Richard. The point is that PMG are using network forensic techniques, but they are certainly not performing network forensics. For them to say they're doing forensics is like saying forensics includes removing spyware or figuring out why newly-installed RAM isn't recognized.

Anonymous said...
I really like your stuff, but I find it hard to believe that you've never heard of PMG before. Pine Mountain Group has been a staple offering network analysis training at the Interop conferences since the early 90's. Regarding your dislike of the term "Network Forensics" being used by PMG for their courses, you do have a point regarding the definition of the term. However, PMG has been talking about "Network Forensics" for a long time. I believe I heard Bill Alderson, the founder of PMG, use the term this way back in 2000 at the Interop conference in Atlanta. Where have you been all of these years?

Clarke Morledge
Network Engineer
College of William and Mary

Anonymous said...

Richard is right. The use of the term forensics, as PMG used it, was not correct. There is no such thing as "forensic techniques"; there are scientific techniques which are used in forensics. The technique itself comes from whatever discipline (e.g. biology, chemistry, computer science, etc.). The forensic part comes from the application of the technique. If I use Ethereal during an investigation to examine network traffic, in order to identify the actions of a suspect, then this is more likely than not forensics. If I use Ethereal to troubleshoot a network, I'm still doing the same packet analysis, but I'm not doing forensics. The difference is not the technique/knowledge but the application.