There seems to be a constant debate as to whether a forensic investigator should pull the plug when investigating an electronic device such as a computer

There seems to be a constant debate as to whether a forensic investigator should pull the plug when investigating an electronic device such as a computer. There are many benefits to pulling the plug, such as preserving the evidence and not allowing the user to alter it in order to destroy evidence. This debate extends to whether an investigator should pull the network connection of an attacker to achieve the same results as pulling the plug. Network forensics is the “capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents” (Pilli, Joshi & Niyogi, 2010, p. 15). When the thought of pulling a network connection comes up, it might seem obvious to pull the connection to prevent any attack from harming innocent people. There is a debate, however, because while pulling the connection may seem obvious, there may actually be benefits to leaving the connection in and observing what the computer is doing. This paper will look at some of the benefits of pulling a network connection versus leaving it in.
To begin with, whether to interrupt the network connection depends on the crime and on what the investigator is trying to achieve. The investigator would also want to weigh the pros and cons of pulling the network connection and see whether the benefits outweigh the risks. One benefit of pulling the network connection is to stop any crimes that are currently happening. Although the connection would only be removed once the crime is already taking place, pulling it would limit any further damage the attack could have caused. One such crime is a DoS attack, where attackers overload a system to make it unavailable to its users. Even though these attacks may appear not to cause much physical damage, it costs companies a lot of money to recover from them; therefore, pulling the network connection could reduce how much a company must spend to recover from the attack. Another benefit of pulling the network connection is to prevent data the investigator hopes to collect from being overwritten. Whatever has happened on the computer would remain in the same state after the connection is pulled, so the investigator would be able to retrieve that data from the logs. According to Chapter 12 of the textbook, “a device’s log files contain the primary records of a person’s activities on a system or network.” When pulling the network connection, I believe it is important to gather the evidence as quickly as possible to ensure that nothing gets destroyed when the connection is pulled. Since this is network forensics, a lot of the analysis is done on live networks; therefore, the circumstances might have to be dire for the investigator to pull the network connection. Personally, I would wait until the very last moment to pull the network connection, because that means I have gathered all the relevant information to link the attacker to the crime. These are some of the benefits of pulling a network connection.
Next, this paper will look at the benefits of leaving the connection in and observing what the computer is doing.
One benefit of leaving the network connection in and observing what the computer is doing is that a honeypot computer can be used to gain more evidence. Once the connection is pulled, the chance to gather more valuable data may be lost; using a honeypot computer, however, allows more information on the attacker to be gathered. A honeypot computer is one that is intentionally meant to be compromised in the hope of trapping the sender into revealing their network address. In the Vural and Venter (2009) article, they state that “the honeypot waits for the spammer to send new instructions and then identifies the network address of the sender” (p. 301). A problem with this, as they also mention, is that the spammer may send the instructions through open proxies. The type of honeypot the investigator wants to use may vary depending on what they are trying to achieve. According to the Nasir and Al-Mousa (2013) article, three levels are currently in use: low-, medium-, and high-interaction honeypots (p. 702). Each level carries its own risks and determines how much data the investigator can collect. As well, from Chapter 12 of the textbook, the investigator can use a sniffer to “log traffic passing over a digital network.” Leaving the network connection in and observing the computer allows the investigator to collect volatile data. As a reminder, volatile data is data that is only retained while the computer has power. Once the power is removed, the data can be quickly lost. Another benefit of leaving the connection in and observing is that it helps in predicting future attacks. Leaving the connection in allows the investigator to gather more data about the attacker and the type of attack they are carrying out. After gathering this information, the investigator is more aware of how the attack took place and thus can anticipate future attacks of the same nature.
Overall, leaving the connection in allows the investigator to monitor what the attacker is doing while they are doing it and to gather more evidence about the crime that could potentially link it back to the attacker. It would come down to whether the benefits outweigh the risk of allowing the attacker to continue their attack.
To conclude, there are many benefits to pulling a network connection versus leaving it in and observing what the computer is doing. Regarding pulling the connection, some of the benefits include preventing further damage from occurring and preventing data from being overwritten. Some of the benefits of leaving it in and observing include trapping the attacker with the use of a honeypot computer, being able to gather volatile data, and gathering more data to predict future attacks. One method is not better than the other; it comes down to the type of crime being committed and what the investigator is trying to achieve. For example, in a DoS attack where the attacker overloads the target system and temporarily brings it down, pulling the network connection might be the better option to stop the attack from continuing. Although there might still be damage, it is minor compared to what would occur if the attack continued. If the investigator wants to gather more information in an identity theft case, they might want to observe what the attacker is doing to gather more information that links them to the crime. All in all, there are pros and cons to each method, and I think it is important to weigh the risks and benefits before using one of the methods.
