Product & Services
This covers not just the ability to identify, track, trace, and analyze common log files, but custom log files too. That capability is central to intrusion forensic investigations, where digital evidence is the main source of both the data and the answers. Miss a single source and the investigation you are performing will likely take a wrong turn and never return accurate results.
Several products are still not capable of coping with the volume of traffic and the processing of packets, so collecting the most valuable data remains a challenge. However, research is ongoing, and each year better tools come out. The IDS log collection process is needed not only to establish the original point of origin but also to help establish motive. Once the IDS log collection process is complete, computer forensics is usually the next place to go.
A significant challenge remains in making IDS devices work as attack/intrusion blocking systems. They act as a detection system for attacks and intrusions, but the alert is generated only after the attack is already under way, and it is difficult to prevent an attack once it has started. IDS false positives and false negatives are problems as well. Handling encrypted data and OS-specific application protocols is still a challenge. Signature-based IDS need regular updating of their signature database, and that is a huge challenge since signatures usually come out later, well after the attack.
The potential of using log files as evidence constantly challenges our court system. It is not impossible as long as the admissibility and weight restrictions are met. The legal aspect and value of using IDS logs as forensic evidence will change if legislation allows companies to legally intercept communications. But the fact is that current legislation limits the use of IDS logs as forensic evidence, and the legislation needs to change in order to use the logs as evidence.