Digital Forensics to Capture Data Sources Network Intrusion

Prioritizing Data Sources

Account Auditing

Live System Data

Intrusion Detection System

Event Log Analysis

Malware Installation

Prioritizing data sources

Activity Monitoring

Integrity Checking

Data Mining

Insider File Deletion

Prioritizing data sources

Use of Uneraser program Recovers the Deleted Data

Network Storage

A recent advance in information technology has brought about both benefits and threats to business organizations. While businesses have been able to achieve competitive market advantages through the internet technology, the hackers are also using the opportunities to penetrate the organizational network systems to steal sensitive data worth billions of dollars. A recent wave of cybercrimes leads to the growth of forensic investigation dealing with a collection of evidence to track cyber offenders. The study investigates different data sources that can assist in enhancing digital forensic investigation. The study identifies event log analysis, port scanning, account auditing, and intrusion detection system as important strategies for data sources.

Introduction

The explosive growth of interconnection of network and computer systems has brought about benefits and inherent risks to organizations and individuals. Hackers and other cyber criminals have taken the advantages of the recent advance in technology to penetrate organizational network systems and steal sensitive data worth billions of dollars. In the United States, criminals steal data that worth billions of dollars from both private and public organizations yearly. The most intrigue aspect of the recent wave of criminality is that much traditional law enforcement agents are not well trained to track down the criminals because of the sophistication involved. The new wave of computer crimes has led to a development of the computer forensic science dealing with the digital tool for a collection, identification, examination, analysis of the network system to assist in preserving the integrity of data and information system. More importantly, the digital forensic experts assist in investigating the crime, collect and analyze vital evidence that can be used to prosecute cyber criminals. Digital forensic science deals with the investigation of data sources by collecting and examining the electronic evidence as well assessing the electronic attacks to recover lost information from the information system in order to prosecute the cyber criminals. In another word, digital forensic investigators collect a multitude of data sources to capture the evidence to be used for a legal procedure. In essence, forensic investigators need to differentiate data from different sources, compare data, prioritizing them in their level of importance.

The objective of this paper carries a comprehensive analysis of the strategy forensic investigators employ to collect data from their sources. The paper also provides challenges faced with regard to collecting and examining evidence from these sources.

Network Intrusion

Forensic experts carry out their investigation to capture evidence based on different events. A network intrusion is an intentional act with an attempt to intrude into an organizational network system in order to compromise the integrity, confidentiality, and availability of the network, computer, and data stored in the systems. The network intrusion is the most important events because it is the most common technique that many intruders employ to gain an unauthorized access into the network system. Typically, the network intrusion can cause a significant damage to an organization leading to altering, damage or stolen of sensitive data from the information system. When attackers are able to gain access to the network systems, they can cause a significant damage to the hardware and software.

The case, (2005) argues that that an investigation involving a network intrusion are both costly and complex, which can take a great deal of time to resolve. The author cites an example of a case study where intruders penetrated the information systems of several laboratories in 2000 leading to shut down of the organizations for several days and loss of the enormous amount of revenue. When the forensic investigators were invited to come in, they used several procedure to carry out the investigation that includes using the incident handlers to acquire the evidence. It also took enormous of time to track the offenders. It was in 2004 that the offenders were finally brought to justice.

Prioritizing Data Sources

Account Auditing

Forensic investigators use different strategies to collect, preserve, reconstruct evidence to track offenders. With reference to network intrusion, the first strategy is to carry out an account auditing to identify the data source and review...

The goal of the accounting auditing is to identify the weakness in the authentication and analyze the type of passwords used to log into the system. The accounting auditing is also used to establish whether the user accounts are active. (NIST, 2002). However, accounting auditing can be challenging when dealing with multiple operating systems because each operating system has a different user account. In essence, role auditing and user account are very critical for a data source with reference to network intrusion because the strategy will assist an administrator to understand whether the account has been misused.
Kent, Chevalier, Grance, et al. (2006) argue that the first step in the forensic investigation with reference to the network intrusion system is the identification of the potential source of data, and acquire data stored in the devices. Common data sources based on the level of importance include servers, desktop computers, laptop, network storage devices, and external drives such as DVDs, CDs, and USB (Universal Serial Bus). Other data sources include Firewire and PC memory card where a user can attach the external data devices and media. The investigators can also collect data from the log files of the network activity. Other sources of data include Thumb drive, flash and memory cards, magnetic disc and optical discs. Many standard computers also contain some volatile data available in the system until the systems are rebooted or shut down. Moreover, computer related devices such as digital recorders, audio players, digital cameras, cell phones, and the audio player may contain data. Another helpful data sources are the application systems that forward copies.

Live System Data

The live system data is another data source for the network instruction investigation. Typically, the live data provides one of the promising evidence from the compromised systems. Moreover, the live system delivers the evidence in a real time and method the intruders employ to gain access to the systems. The investigators can use the Encase program to capture a live data. Moreover, the program such as tcpurify can be used to capture network data. The method will assist the investigators to identify the strategy that the penetrators employ to gain access to the network system. (Vigina, Johnson, Kruegel, 2003). Essentially, live data sources allow forensic investigators to capture volatile data which may not be available during the postmortem investigation. The information to be captured during the live investigation includes network information, event logs, and registered drivers, running process and registered services. For example, the running services assist the investigators to capture data running on the computer system. These services command higher priorities, and many users may be unaware of the existence of the services. Based on their high priority and lack of attention from the system administrators, they are typical a common target for hackers. Thus, conducting a live instigation will assist an investigator to view the state of service, which are very crucial to the investigation. Despite the benefits associated to live forensic, preserving the state of the system to ensure that the data captured are legible can be challenging. The best strategy to make the data visible is to use the forensic toolkit that assists in keeping the process as automated as possible.

Intrusion Detection System

The IDS (Intrusion detection system) is another strategy that investigators can use to capture data from their sources. The IDS is particularly useful to monitor live analysis. For example, the IDS can be configured to monitor network traffic and watch the intruders in actions. Moreover, the IDS can be used to detect how hackers are assessing the systems. The strategy can assist the investigators to procure critical evidence based on their findings. The benefits of the IDS is that it allows the investigator to detect network intrusion because it can be programmed to make the system administrators detecting an unauthorized access to the network system. Typically, the IDS is similar to the burglary that alerts the house owners that a thief is attempting to intrude into their properties. Despite the benefits associated to IDS, some IDS alerts can be harmless to the system, and investigating this type of activities can lead to a waste of time. Kumar et al. (2013) argue that the goal of the IDS is to identify and capture an unauthorized access into the network system in a real time. The goal of the IDS is also to detect anomalies revealing that the symptoms are illegal, and can lead to a criminal and intrusive activity. Typically, the forensic investigators can use IDS as a tool of investigation to obtain sufficient evidence about the criminal activity. "The problem is that it is unsure that network security services are appropriate tools to collect evidence during ongoing attacks." (Kumar et 2013 p 613). Moreover, the…