Regardless of the device owners awareness, remote monitoring of a computer or mobile device can be done by an agent deployed on the device, or by analyzing the traffic generated by the device. Each of these approaches have its own pros and cons that will be discussed below.
Remote monitoring of a computer utilizing locally deployed agent (such as event log monitor or key logger) can provide a wealth of information such as currently running processes, existing and active users, access to installed applications, etc. Legitimate deployment of such agents usually done by installing the software on a workstation or laptop by a system administrator either with or without users knowledge, while tools such as key loggers used by malicious users or criminal are usually deployed using existing vulnerabilities in the operating system, web browser or other installed applications. It is interesting to note that many legitimate monitoring software packages are using technology and methods previously used my malware. For example, many of employee monitoring software have capabilities such as keystroke monitoring, send and received Email messages logging, website activity, accessed documents, etc (TopTenReviews, 2011).
On the other hand, monitoring computer activities by analyzing the generated network traffic does not require the installation of a user agent (malware), means it leaves no traces on the computer itself which can be uncovered by a digital forensic investigator. The disadvantage, of course, is that the information can be deducted only from services and applications generating network traffic. For example, laptops connected to a domain will try to communicate to a domain controller, Java JRE and Adobe Reader periodically checks for available updates therefore providing the intruder with a list of potential targer (services and applications). In some cases, when devices communicates using insecure protocols, it is possible to gather information such as user names and passwords. Moreover, there are some attack vectors which can subvert the traffic such as DNS poisoning, ARP poisoning and Man In The Middle (MiTM) Proxy to servers/devices controlled by the intruder.
From a legal point of view, the technical aspect of data acquisition could fall into a different category. For example, in the US data collected while in transit, such as Email message, falls under the Wiretap Act therefore requires special permission. On the other hand, “dropping” a key-logger and collecting data as it is being drafted does not violate the Wiretap Act. Similarly, “at the recipient’s end, the U.S. District Court of New Hampshire in Basil W. Thompson v. Anne M. Thompson, et al., ruled that accessing email stored on a hard drive was not an "interception" under the Wiretap Act” (Ryan, DJ. & Shpantzer, G. 2005). Moreover, the age of the acquired data impacts the applicable legal requirements; Recent data, less than 180 days, which would include network log files, even logs, etc. “requires a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant, while older communications can be accessed without notice to the subscriber or customer” (Ryan, DJ. & Shpantzer, G. 2005).
Finally, network environment introduces unique challenges to the digital forensic process, such as inability to take a snapshot, distributed geographic locations with different legal requirements and the amount of available data, requires some adaptation of the AAA principals (Laureate Online Education B.V., 2009). In order to be admissible in the court of law, the handling of network traffic as a digital forensic evidence, has to be in accordance with Daubert guidelines which “assess the forensic process in four categories: error rate, publication, acceptance and testing” (John Markh 2011). Moreover, due to the high volatility of the artifacts, the investigators are required to pay additional attention to the chain of custody.
- Laureate Online Education B.V. 2009, “Computer Forensics
Seminar for Week 6: Network Forensics I”, Laureate Online
- Markh J. 2011, “Week 5 Discussion Question - UNIX Forensic
Tools”. Laureate Online Education B.V.
- Ryan, DJ. & Shpantzer, G. 2005. “Legal Aspects of
Digital Forensics” [online]. Available from:
(accessed: July 07, 2011).
- TopTenReviews 2011, “2011 Monitoring Software Review
Product Comparisons” [online], TechMediaNetwork.com, Available
(accessed: July 7, 2011).
Post a Comment