Performance Analysis of Network Based Forensic Systems for In-line and Out-of-line Detection and Logging

Graves, J., Buchanan, W., Saliou, L., Old, L.J. (2006). Performance Analysis of Network Based Forensic Systems for In-line and Out-of-line Detection and Logging. In: Hutchinson, B. (Ed.) 5th European Conference on Information Warfare and Security, , () ( ed.). (pp. 41-50). Helsink, Finland: . Academic Conferences International.

ISBN: 1-905305-20-6


Network based forensic investigations often rely on data provided by properly configured network- based devices. The logs from interconnected devices such as routers, servers and Intrusion Detection Systems (IDSs) can yield important information, which can be used during an investigation to piece together the events of a security incident. A device, such as a router, which performs its intended duties as well as logging tasks, can be defined as having in-line logging capabilities. A system that only performs these duties, such as an IDS, can be described as an out-of-line logging system.
The usefulness of these logs, though, must be compared against the impact that they have on the systems that produce them. It is thus possible to introduce a detrimental burden on inline devices. This can thus reduce the capability of the device to provide core functionality, and, the extra evidence generated could place an increased burden on the forensic investigator. Therefore, when configuring network devices, the security practitioner is the key to producing a careful balance between security, performance and generated data volume.
This paper outlines an intensive experiment to compare and contrast different logging schemes. These tests are placed within the scenario of a forensic investigation, which involves extensive data logging and analysis. The metrics compare CPU utilisation, bandwidth usage, memory buffers, usefulness of these records to the investigation, and so on. The two logging systems examined are the Cisco 20x series based routers, for in-line logging capabilities with Syslog, and the IDS Snort for out-of-line logging. This work provides an empirical perspective by plotting the footprint that this logging scheme has on the core network infrastructure, thus providing a proposed optimal logging approach for a network, along with the comparative merits of in-line and out-of-line auditing systems.
[Read More]


William Buchanan
Director of CDCS
+44 131 455 2759
Jamie Graves
Affiliate Research Fellow
+44 131 455

Areas of Expertise

Electronic information now plays a vital role in almost every aspect of our daily lives. So the need for a secure and trustworthy online infrastructure is more important than ever. without it, not only the growth of the internet but our personal interactions and the economy itself could be at risk.

Associated Projects