Forensic Web service could reconstruct the scene of the cyber-crime

Proposal applies to non-human interaction

As online activities become more complex and more automated, securing and tracking transactions becomes more difficult. A team of researchers has developed a plan for an independent Web service that could generate and store data for evidence in court in the event of a security breach.

An Interagency Report from the National Institute of Standards and Technology proposes a design and architecture for Forensic Web Services that would securely maintain transactional records between other Web services. Another agency could later use the records to reproduce the transactional history.

Web services typically are built on the Extensible Markup Language and related open services and enable applications, often running on separate servers and hosted by separate organizations, to interact without human intervention. As with many technologies, conveniences can come at a cost.

“Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy are at odds with traditional security models and controls,” the authors write.



Anoop Singhal, a computer scientist in NIST’s Computer Security Division; Murat Gunestas, of Turkey’s security directorate; and Duminda Wijesekera, associate professor of information and software engineering at George Mason University, wrote the report.

Challenges in securing Web services include ensuring the confidentiality and integrity of data transmitted via Web services protocols; ensuring the functional integrity of the services; and ensuring availability in the face of denial-of-service attacks. Attacks and exploits against Web services can affect multiple servers and organizations, causing damage to multiple organizations that can then become adversaries in subsequent court actions. Records generated by hardware and software operated by each party can be challenged by the other parties, eliminating their evidentiary value. But developing a secure and independent source of forensic data would help overcome that, the authors said.

“Investigating such incidents requires that dependencies between service invocations be retained in a participating party neutral and secure way,” the authors write. “Material evidence currently extractable from Web servers such as log records, firewall alerts from end point services, and the like, do not have forensic value.”

The proposed architecture would create a separate Forensic Web Services (FWS) layer that, acting as a trusted third party, would capture and maintain data that could later be used to independently recreate the interactions between separate components.

“This would have a greater chance of being accepted in a court of law,” the authors write. “FWS will provide on-line forensic capabilities to other Web services as a Web service itself.”
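The idea of a neutral recorder that retains the dependencies between service invocations can be illustrated in Python. This is an added example, not code from the NIST report or from the article; the class and field names, the sample messages, and the use of a SHA-256 hash chain for tamper evidence are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed value for the start of the chain
def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ForensicRecorder:
    """Hypothetical neutral store of service-invocation records."""
    def __init__(self):
        self.records = []

    def record(self, msg_id, caller, callee, payload, caused_by=None):
        # caused_by names the invocation that triggered this one (the dependency).
        prev = self.records[-1]["digest"] if self.records else GENESIS
        entry = {"msg_id": msg_id, "caller": caller, "callee": callee,
                 "payload_sha256": hashlib.sha256(payload).hexdigest(),
                 "caused_by": caused_by, "prev": prev}
        entry["digest"] = _digest(entry)
        self.records.append(entry)

    def verify(self):
        """Return the index of the first altered record, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.records):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or _digest(body) != e["digest"]:
                return i
            prev = e["digest"]
        return None

    def reconstruct(self, msg_id):
        """Walk dependencies back from msg_id; return the hops in call order."""
        by_id = {e["msg_id"]: e for e in self.records}
        hops, seen = [], set()
        while msg_id in by_id and msg_id not in seen:
            seen.add(msg_id)
            e = by_id[msg_id]
            hops.append(f"{e['caller']}->{e['callee']}")
            msg_id = e["caused_by"]
        return hops[::-1]

def demo():
    # Constructed sample: one order passing through three separate services.
    fws = ForensicRecorder()
    fws.record("m1", "storefront", "orders", b"<order id='17'/>")
    fws.record("m2", "orders", "payments", b"<charge amount='40'/>", caused_by="m1")
    fws.record("m3", "payments", "bank", b"<debit amount='40'/>", caused_by="m2")
    return fws
```

A chain like this is only tamper-evident to outsiders if its latest digest is also held outside the recorder, for example by each participating service.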

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
