Article
Peer-Review Record

A Method for Solving Problems in Acquiring Communication Logs on End Hosts

Digital 2024, 4(2), 483-500; https://doi.org/10.3390/digital4020024
by Youji Fukuta 1,*, Yoshiaki Shiraishi 2, Masanori Hirotomo 3 and Masami Mohri 1
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Reviewer 3:
Reviewer 5: Anonymous
Submission received: 28 February 2024 / Revised: 8 May 2024 / Accepted: 12 May 2024 / Published: 16 May 2024

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

This paper proposes a method for solving problems related to the acquisition of communication logs on end hosts, particularly focusing on issues with content and storage in network forensic evidence acquisition tasks. The authors highlight the challenges of maintaining the comprehensiveness and continuity of record storage, clearly mentioning the impact on incident response and legal disputes if these aspects are compromised. The authors' method aims to comprehensively record and continuously store communication logs on end hosts, addressing issues related to the integrity and reliability of recorded logs. 

The article could benefit from a more detailed discussion of the experimental methodology and results. Providing a comprehensive analysis of the experimental findings, including statistical data and comparisons with existing tools, would enhance the robustness of the study. Additionally, the article could further elaborate on the potential implications and applications of the proposed method in the field of network forensics. Exploring real-world scenarios or case studies where the proposed method could be applied would strengthen the practical relevance of the research. 

Here are specific issues that I saw in the paper.

  1. Figures are not explained in detail; specifically for Figure 3 it is hard to understand the inner workings without an in-depth explanation.
  2. Also, it is highly discouraged to have "you" personal referral in an academic paper.
  3. How does the tool work on different mechanisms of log files?
  4. The quality of the figures needs to be updated. For instance, in Figure 1 "log transportation" did not fit into the cloud, or arrows are overlapping with other arrows.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 2 Report

Comments and Suggestions for Authors

The authors of this paper propose a communication log acquisition method for solving problems with content and storage in acquiring communication logs on end hosts that satisfies the comprehensiveness of records and continuity of record storage. As an example, the authors implemented a packet sniffer tool that runs on Windows OS and conducted experiments to compare it with existing tools.

The subject of the paper is interesting and very well presented. The results and the references are adequate. Please consider a paragraph at the end of the introduction including the structure of the remaining paper per section.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 3 Report

Comments and Suggestions for Authors

1. The motivation for presenting this communication log acquisition method needs to be well discussed.

2. The integration of the proposed method and the network protocol stack should be clarified in Section 3.

3. For future work, the authors are suggested to employ the digital twin to improve the performance of acquiring communication logs on end hosts, by considering the digital twin related work: “Digital Twin-Assisted Edge Computation Offloading in Industrial Internet of Things With NOMA,” IEEE Transactions on Vehicular Technology, vol. 72, no. 9, pp. 11935–11950, September 2023.

Comments on the Quality of English Language

The review has no further comments about the quality of English.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 4 Report

Comments and Suggestions for Authors

This paper introduced a straightforward approach to address challenges related to the capture and storage of communication logs on endpoint devices. It developed a tool that intercepts raw data packets and conducted comparative analyses with established tools.

Herein are some comments to be addressed for enhancing the manuscript:

1- Can you elaborate on how this method might be adapted or extended for operating systems other than Windows, considering the specific use of Windows Filtering Platform (WFP) in your implementation?

2- It is proposed to include the following paper in the introduction:

- Sergio Saponara, Abdussalam Elhanashi, Alessio Gagliardi, "Reconstruct fingerprint images using deep learning and sparse autoencoder algorithms," Proc. SPIE 11736, Real-Time Image Processing and Deep Learning 2021, 1173603 (12 April 2021); https://doi.org/10.1117/12.2585707

3- How does the performance (e.g., CPU usage, memory consumption) of your tool compare to these existing tools under various load conditions?

4- What security measures do you recommend implementing to ensure the confidentiality, integrity, and availability of the logs collected by your tool?

5- Are there any mechanisms in place to prioritize critical communications in scenarios where traffic exceeds storage or processing capacity?

6- Could you discuss in more depth how your tool ensures user privacy, especially in jurisdictions with stringent data protection laws?

7- Could you elaborate on potential future research directions or technological advancements that could help overcome these challenges?

8- What are the known limitations of your packet sniffer tool, and how does it handle errors or anomalies during data capture and storage processes?

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 5 Report

Comments and Suggestions for Authors

The paper titled "A Method for Acquiring Communication Logs on End Hosts with Content and Storage Problems in Network Forensics" proposes a simple yet comprehensive solution to the challenges encountered in acquiring communication logs on end hosts in network forensics. The paper addresses the critical issues of record comprehensiveness and continuity of storage, presenting a method that integrates seamlessly with existing tools while providing enhanced control over communication events. The paper offers a well-rounded approach to the challenges of network forensics, covering aspects from data acquisition to storage. By proposing a method that integrates seamlessly with existing tools, it ensures a smooth transition for practitioners. The paper provides experimental validation of the proposed method, comparing it with existing tools such as Wireshark and TCPDUMP and can be implemented on Windows OS, making it accessible to a wide range of users. Additionally, the paper discusses potential applications in real-world scenarios, enhancing its practical relevance.

Areas for Improvement:

1. Abstract and background: too short.

2. Contribution, discussion: no discussion (missing).

3. Theoretical Underpinnings: While the paper presents a practical solution, it could benefit from a deeper discussion of the theoretical foundations underlying the proposed method. Providing insights into the underlying principles and how they address the identified challenges would enrich the paper.

4. Structure: I advise the authors to restructure the paper.

5. Clarity in Experimental Setup: While the experimental results are presented effectively, providing a clearer description of the experimental setup, including specific configurations and parameters, would enhance reproducibility and facilitate comparison with other studies.

6. Ethical Considerations: Given the sensitive nature of forensic investigations and data privacy concerns, it would be beneficial for the paper to address ethical considerations, such as data anonymization and user consent, associated with the proposed method.

7. Limitations and Future Directions: Although the paper briefly mentions future issues regarding the storage of log data, a more comprehensive discussion on the limitations of the proposed method and avenues for future research would strengthen the paper.

Comments on the Quality of English Language

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Round 2

Reviewer 4 Report

Comments and Suggestions for Authors

Thanks to the authors for implementing the paper.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 5 Report

Comments and Suggestions for Authors

I advised the authors to revise several aspects of the paper, but unfortunately, these suggestions were not adequately addressed:

  1. Abstract and Background: Despite all the redaction, the abstract and the background portion remain too short to allow the inclusion of sufficient details. This "Introductory Part" is responsible for introducing the purpose of the paper, the method of research, and the findings, which will act as a frame for the entire work.
  2. Contribution and Discussion: This paper, however, is missing a meaningful discussion section, which is vital for grasping the findings the study describes and their consequences. An appropriately developed discussion section would frame and benchmark study results in the context of relevant research and practice, showing the method's implications on the system.
  3. Evaluation and Results: While the author suggests the method to be used, the true measurement of its effectiveness is up for doubt. For instance, this can be numerical or nominative measurements which prove its efficiency, and also comparing it with the current methods.
  4. Limitations and Future Directions: Conversely, the paper indicates some future aspect of classification regarding log data, but it does not discuss the other drawbacks of this novel algorithm and also areas where research can be conducted further. The essay will be more constructive after this, as it provides assistance in identifying the weaknesses of the paper and also provides a basis for taking measures in the future in the same field.

Comments on the Quality of English Language

no

Author Response

Please see the attachment.

Author Response File: Author Response.pdf
