@inproceedings { , title = {Performance analysis of network based forensic systems for in-line and out-of-line detection and logging.}, abstract = {Network based forensic investigations often rely on data provided by properly configured network- based devices. The logs from interconnected devices such as routers, servers and Intrusion Detection Systems (IDSs) can yield important information, which can be used during an investigation to piece together the events of a security incident. A device, such as a router, which performs its intended duties as well as logging tasks, can be defined as having in-line logging capabilities. A system that only performs these duties, such as an IDS, can be described as an out-of-line logging system. The usefulness of these logs, though, must be compared against the impact that they have on the systems that produce them. It is thus possible to introduce a detrimental burden on inline devices. This can thus reduce the capability of the device to provide core functionality, and, the extra evidence generated could place an increased burden on the forensic investigator. Therefore, when configuring network devices, the security practitioner is the key to producing a careful balance between security, performance and generated data volume. This paper outlines an intensive experiment to compare and contrast different logging schemes. These tests are placed within the scenario of a forensic investigation, which involves extensive data logging and analysis. The metrics compare CPU utilisation, bandwidth usage, memory buffers, usefulness of these records to the investigation, and so on. The two logging systems examined are the Cisco 20x series based routers, for in-line logging capabilities with Syslog, and the IDS Snort for out-of-line logging. This work provides an empirical perspective by plotting the footprint that this logging scheme has on the core network infrastructure, thus providing a proposed optimal logging approach for a network, along with the comparative merits of in-line and out-of-line auditing systems.}, conference = {5th European Conference on Information Warfare and Security (ECIW)}, isbn = {1905305206}, note = {Note: Remenyi, D. (ed.). Proceedings of the 5th European Conference on Information Warfare and Security ECIW 2006. Reading, Kidmore End: Academic Conferences, 1st June 2006. ISBN 1905305206 \& ISBN13 9781905305209. 281p. Conference dates: 1st-2nd June 2006 School: sch\_comp}, organization = {National Defense College, Helsinki, Finland}, pages = {41-50}, publicationstatus = {Published}, url = {http://researchrepository.napier.ac.uk/id/eprint/1838}, keyword = {005 Computer programming, programs & data, 005.8 Data security, QA76 Computer software, Cyber-security, Centre for Distributed Computing, Networking and Security, AI and Technologies, Logging, Digital forensics, Network management, Network performance, Intrusion detection;}, year = {2006}, author = {Graves, Jamie and Buchanan, William J and Saliou, Lionel and Old, L John} }