Visualization for network forensic analyses: extending the Forensic Log Investigator (FLI)

In a network attack investigation, the mountain of information collected from varying sources can be daunting. Investigators face significant challenges in being able to correlate findings from these sources, given difficulties with time synchronization. In addition, it is difficult to obtain summary or overview information for one set of data, much less the entire case. This, in turn, makes it nearly impossible to accurately identify missing information. Identifying these information gaps is one problem, yet another is filling them in. Investigators must rely on legal processes and requests to obtain the information they need. However, it is extremely important they are aware of cases or events that cross jurisdictional boundaries. Where tools exist to assist in evidence overview, they do not contain the necessary geographic information for investigators to quickly ascertain the location of those involved. In addition to these difficulties, investigators need to perform several types of analysis on the evidence that has been collected. Several of these analyses cannot typically be performed on data from multiple log files, since they are based on timing data. Furthermore, it is difficult to understand results from these analyses without visual representation, and there are no tools to bring them together in a single frame. This thesis details the design and implementation of an analysis and visualization extension for the Forensic Log Investigator, or FLI. FLI is a webbased analysis and visualization architecture built on advanced technologies and enterprise infrastructure. This extension assists investigators by providing the ability to correlate evidence and analysis across traditional log file and analysis method boundaries, identify information gaps, and perform analysis in accordance with published evidence handling guidelines.