Because of the significance of data in the 21st century, its security has become a critical issue in the information technology (IT) industry. Cyber attacks from many sources make mitigation a necessity in this age of data and information security. Digital forensics is a new field that entails the collection, analysis, and documentation of evidence of cyber attacks. It is becoming increasingly vital because criminals continue to expand their use of technology to organize illegal activities. Through digital forensics, investigators have access to several tools that help in the preservation and analysis of digital evidence. The typical aim of an investigation is to gather as much evidence as possible using accepted techniques, so that the evidence is admissible in court. This paper focuses on the examination of the various sources for digital forensics, including live system data, virtual machines, intrusion detection systems, hard drives and network drives, and Internet Service Provider records.
In the past, most crimes left evidence in the physical world. Today, however, digital evidence has become imperative. The forensic sciences have extended their scope to incorporate digital evidence, allowing data to be collected from digital devices so that it can be used in legal proceedings. Digital forensics, according to Sindhu and Meshram (2012), is the science of identifying, extracting, analyzing, and presenting the digital evidence stored in digital devices. The many kinds of crime scenes encountered by investigators require them to prioritize the kinds of data that should be analyzed, the information that is required, and the value of that data to the event. This paper discusses three particular events, network intrusion, malware installation, and insider file deletion, and then analyzes and prioritizes the data sources that can be used in investigating each case.
A network intrusion takes place when a device, such as a computer on a network, is accessed by an unauthorized party. Victim organizations lose critical files and data through network intrusion, as the perpetrator can steal, delete, or alter files, or damage or destroy software or hardware. Even a moderate forensic investigation in an enterprise can help mitigate the effect of a major event and can enable the enterprise to obtain restitution (Casey, 2005). There are various network attack vectors, which include but are not limited to asymmetric routing, buffer overflow attacks, protocol-specific attacks, gateway interface scripts, traffic flooding, Trojans, and worms. Since the discussion of these specific vectors is not the aim of this paper, we will only discuss how to address network intrusion.
Prioritized Data Sources
System, User, and Account Auditing
The first data source in this case is the record of the user accounts and permissions the intruder might have used to access network resources, which is reviewed through the user audit trails. User audit trails monitor and log user activity in an application or system by recording the events initiated by the user (such as access to files, use of a modem, or access to a record). User audit records are used to hold individuals accountable for their actions. System audit trails are also useful in identifying an intrusion into the network; network administrators use system audit records to monitor and fine-tune system performance. Application audit trails are used to detect flaws in applications or violations of the security policies that apply to a given application.
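The review described above can be scripted once the audit trail is in hand. The following is an added example, not code from the paper: it parses a constructed, syslog-style audit trail (sshd and sudo lines, all invented) and applies three indicator rules that are this example's own assumptions about what an investigator would flag first when looking for the account an intruder used: a run of failed logins followed by a success from the same host, an interactive login from outside the assumed internal address range, and privileged commands touching sensitive files. The output is a per-account list of indicators ordered so the most suspicious account is reviewed first.

```python
"""Review user audit trails for intrusion indicators.

Added example, not from the paper. The log lines below are constructed,
in an sshd/sudo-like syslog style, and the indicator rules are this
example's own assumptions about what an investigator would flag first.
"""
import re
from collections import defaultdict

# Constructed sample audit trail (not real data).
AUDIT_LOG = """\
Mar 03 02:11:04 fs01 sshd[4121]: Failed password for svc_backup from 203.0.113.9 port 51022 ssh2
Mar 03 02:11:07 fs01 sshd[4121]: Failed password for svc_backup from 203.0.113.9 port 51022 ssh2
Mar 03 02:11:10 fs01 sshd[4121]: Failed password for svc_backup from 203.0.113.9 port 51022 ssh2
Mar 03 02:11:13 fs01 sshd[4125]: Accepted password for svc_backup from 203.0.113.9 port 51030 ssh2
Mar 03 02:12:40 fs01 sudo: svc_backup : TTY=pts/2 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 03 09:00:01 fs01 sshd[5010]: Accepted publickey for alice from 10.0.0.15 port 40012 ssh2
Mar 03 09:05:22 fs01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")
SUDO = re.compile(r"sudo: (\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

# Address ranges and files the investigator treats as notable (assumptions).
INTERNAL_NETS = ("10.",)
SENSITIVE_FILES = ("/etc/shadow", "/etc/sudoers")


def review_audit_trail(text, failure_threshold=3):
    """Return a dict user -> list of indicator strings.

    Rules (this example's own):
      * failure_threshold or more failed logins followed by a success
        from the same host (password guessing that may have succeeded);
      * an accepted login from an address outside INTERNAL_NETS;
      * privilege use (sudo) whose command names a sensitive file.
    """
    failures = defaultdict(int)   # (user, host) -> failed login count
    findings = defaultdict(list)  # user -> indicators
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, host = m.groups()
            if failures[(user, host)] >= failure_threshold:
                findings[user].append(
                    f"success after {failures[(user, host)]} failures from {host}")
            if not host.startswith(INTERNAL_NETS):
                findings[user].append(f"login from external address {host} ({method})")
            continue
        m = SUDO.search(line)
        if m:
            user, target, cmd = m.groups()
            if any(path in cmd for path in SENSITIVE_FILES):
                findings[user].append(f"privileged access as {target}: {cmd}")
    return dict(findings)


def prioritize(findings):
    """Order accounts by number of indicators, most suspicious first."""
    return sorted(findings, key=lambda user: len(findings[user]), reverse=True)


if __name__ == "__main__":
    result = review_audit_trail(AUDIT_LOG)
    for user in prioritize(result):
        print(user)
        for item in result[user]:
            print("  -", item)
```

On the constructed trail, the service account collects all three indicators and is listed first, while the administrator's routine login and service restart produce none; in a real review the thresholds and the internal address list come from the organization's own baseline.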
Live System Data
Investigators can use a program that captures live data from the system and keeps an audit log through the use of a script command. Through live capture of system data, it can be determined how the intruder gained access to the system, which tools were used, and other essential information. A number of tools can be used for this, the most common being EnCase. An incident handler can use this tool to capture live data, determine whether an event occurred, and decide whether a complete investigation should be conducted on the system. This capture of live data from a running system is known as live forensics. It is concerned with capturing system information or volatile data, which disappears once a device is powered down.
According to McDougal (2006), the major challenge investigators face in carrying out live forensics is preserving the state of the system and making sure that the captured data is forensically valid. The author says that the best way to go about it is to use a forensic toolkit, such as EnCase, that helps automate the process. Live system data is a very important data source, since it offers the most promising evidence about the files and systems compromised, as well as real-time evidence of the route the intruder used to get into the system.
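What a toolkit has to do around each live capture to keep the result forensically valid, as an added example that is neither the paper's nor EnCase's code: collect the most volatile data first, timestamp and hash every artifact, and write a manifest whose entries are hash-chained so that a dropped, reordered or altered entry is detectable afterwards. The collectors here only read what a plain Python process can see (clock, hostname, environment, platform string), which is an assumption made so the block runs anywhere; a real toolkit would run trusted binaries for processes, connections and memory. The examiner name is a placeholder.

```python
"""Order-of-volatility acquisition with a hash-chained audit manifest.

Added example, not the paper's or any forensic suite's code. Collectors
are deliberately limited to what a Python process can observe without
privileges; their ordering (most volatile first) is this example's own.
"""
import hashlib
import json
import os
import platform
import socket
import sys
import time


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def default_collectors():
    """(name, callable -> bytes) pairs, most volatile first (assumed order)."""
    return [
        ("clock",       lambda: str(time.time_ns()).encode()),
        ("hostname",    lambda: socket.gethostname().encode()),
        ("process",     lambda: json.dumps({"pid": os.getpid(), "cwd": os.getcwd()}).encode()),
        ("environment", lambda: json.dumps(dict(os.environ), sort_keys=True).encode()),
        ("platform",    lambda: platform.platform().encode()),
        ("modules",     lambda: "\n".join(sorted(sys.modules)).encode()),
    ]


def acquire(collectors, examiner="examiner-placeholder"):
    """Run each collector in order; return (artifacts, manifest).

    artifacts: name -> raw bytes captured
    manifest:  one audit entry per collector (time, size, SHA-256, status),
               each carrying a hash chained over all previous entries.
    """
    artifacts, manifest, chain = {}, [], ""
    for name, collect in collectors:
        started = time.time()
        try:
            data, status = collect(), "ok"
        except Exception as exc:          # record failures, never hide them
            data, status = repr(exc).encode(), "error"
        artifacts[name] = data
        entry = {
            "seq": len(manifest),
            "name": name,
            "status": status,
            "started": started,
            "size": len(data),
            "sha256": _sha256(data),
            "examiner": examiner,
        }
        chain = _sha256((chain + json.dumps(entry, sort_keys=True)).encode())
        entry["chain"] = chain
        manifest.append(entry)
    return artifacts, manifest


def verify(artifacts, manifest):
    """Return a list of problems; an empty list means the set is intact."""
    problems, chain = [], ""
    for i, entry in enumerate(manifest):
        if entry["seq"] != i:
            problems.append(f"sequence gap at {i}")
        data = artifacts.get(entry["name"])
        if data is None or _sha256(data) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['name']}")
        body = {k: v for k, v in entry.items() if k != "chain"}
        chain = _sha256((chain + json.dumps(body, sort_keys=True)).encode())
        if chain != entry["chain"]:
            problems.append(f"chain broken at {entry['name']}")
    return problems


if __name__ == "__main__":
    arts, man = acquire(default_collectors())
    print(json.dumps(man, indent=2))
    print("intact" if not verify(arts, man) else verify(arts, man))
```

The artifact hashes answer "is this still the data that was captured", and the chain answers "is this still the sequence that was captured"; both are what an investigator needs to show when the live capture is challenged later.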
Intrusion Detection System
An intrusion detection system (IDS) is the third data source that can be used for the detection of network intrusion. Network intrusion detection deals with the data on the wire between hosts. Network intrusion detection devices are also referred to as "packet sniffers" and are used to intercept packets that travel in and out of a network over various protocols and communication media. Once the packets have been captured, they can be analyzed in many ways. Some intrusion detection devices simply compare each packet against a signature database of known attacks and malicious packet "fingerprints", whereas others look for anomalous packet activity that signifies malicious behavior. The IDS mainly monitors network traffic with the aim of identifying activities that fall within those disallowed on the network. The data from this source is therefore very useful for forensic auditors. The challenge with an IDS is that, without the latest updates, it can be ineffective.
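The two analysis styles named above, signature matching and anomaly detection, side by side on a constructed packet list (an added example, not the paper's code or any real IDS engine). Packets are plain tuples standing in for decoded frames; the two signatures and the port-scan threshold are illustrative assumptions. The third packet carries a request the signature set does not cover, which is the "without the latest updates" problem in miniature: the signature engine is silent on it, and only a rule update would change that.

```python
"""Signature matching and anomaly detection over captured packets.

Added example, not the paper's code or any real IDS. Packets are
constructed (timestamp, src, dst, dst_port, payload) tuples; the
signature list and the port-scan threshold are assumptions.
"""
import re
from collections import defaultdict

# Constructed capture (not real traffic).
PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1"),
    (0.10, "10.0.0.5", "10.0.0.20", 80, b"GET /login?user=admin' OR '1'='1 HTTP/1.1"),
    (0.20, "10.0.0.7", "10.0.0.20", 80, b"GET /items?id=1 OR 1=1 HTTP/1.1"),  # no signature covers this
    (1.00, "10.0.0.9", "10.0.0.20", 21, b""),
    (1.05, "10.0.0.9", "10.0.0.20", 22, b""),
    (1.10, "10.0.0.9", "10.0.0.20", 23, b""),
    (1.15, "10.0.0.9", "10.0.0.20", 25, b""),
    (1.20, "10.0.0.9", "10.0.0.20", 80, b""),
    (1.25, "10.0.0.9", "10.0.0.20", 443, b""),
    (5.00, "10.0.0.5", "10.0.0.20", 443, b""),
    (9.00, "10.0.0.5", "10.0.0.20", 22, b""),
]

# Signature database: (name, byte pattern). Only what is listed here is detected.
SIGNATURES = [
    ("sqli-tautology", re.compile(rb"'\s*OR\s*'1'\s*=\s*'1", re.I)),
    ("path-traversal", re.compile(rb"\.\./\.\./")),
]


def signature_matches(packets):
    """Signature style: return (timestamp, src, signature name) for each hit."""
    hits = []
    for ts, src, _dst, _port, payload in packets:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                hits.append((ts, src, name))
    return hits


def port_scan_sources(packets, window=2.0, min_ports=5):
    """Anomaly style: sources touching >= min_ports distinct ports on one
    host within `window` seconds, with no knowledge of any specific attack."""
    by_pair = defaultdict(list)            # (src, dst) -> [(ts, port)]
    for ts, src, dst, port, _payload in packets:
        by_pair[(src, dst)].append((ts, port))
    flagged = set()
    for (src, _dst), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    for ts, src, name in signature_matches(PACKETS):
        print(f"{ts:6.2f} {src:12} signature {name}")
    for src in sorted(port_scan_sources(PACKETS)):
        print(f"       {src:12} anomaly   port scan")
```

The anomaly rule catches the scanning host without knowing anything about scanners, and the signature rule catches the known injection string exactly, which is why the two are usually deployed together and why the signature set's update state matters to an investigator reading IDS output after the fact.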
The Internet Service Provider (ISP) Records
ISP records are the last source of evidence. An ISP usually keeps logs and records of the activities carried out on its site. After a subpoena, some basic information can be gleaned from ISP records, depending on what information the ISP collects from its account holders (Daniel, 2012). Information such as the e-mail addresses and names of paid account holders, and any associated activities, can be provided by the ISP, making the work of digital forensic auditors easier. The only challenge is that the information may sometimes be unreliable, and ISPs usually gather minimal amounts of information from their clients.
Malware, short for malicious software, is a term that refers to various forms of intrusive or hostile software such as computer viruses, adware, worms, Trojan horses, spyware, scareware, and other malicious programs. Malware acts against the requirements of computer users; it is not software that causes unintentional harm because of some defect. The most recent such malware is NotPetya, which caught the attention of the media as it paralyzed thousands of machines across the globe, shutting down ports, industries, and offices as it quickly spread across organizational networks in more than 60 countries within just a few days (Polityuk it is immediately erased using the TRIM command. Modern solid-state drives and some versions of Windows, such as Windows 7 and Windows 8, support this command. The safest way to recover a deleted file is, first of all, to shut down the computer and then boot from a file-recovery live CD or USB drive (Willison the desired files can be overwritten. The criminal can also use a freeware tool like "Eraser" to overwrite the deleted file immediately, thereby making the file unrecoverable with forensic toolkits (Capshaw, 2011). Some versions of operating systems also remove the file entirely from the hard drive after it has been deleted.
Another source that can be very useful to forensic investigators is the data held in network storage devices such as Network Attached Storage (NAS), Storage Area Networks (SAN), and Windows file servers. Often, important files of an organization are shared among various groups of users and can thus be found in network storage devices like the ones mentioned above. Deleted files can be recovered in Windows only if the Microsoft Management Console and system restore points have been enabled. Previous versions of folders are created using Windows Backup, after which a shadow copy is placed in the Microsoft Management Console and the system restore points. That is why, if the above items are not enabled, it is impossible to recover deleted files from a previous folder version. That is often impossible without a network storage system.
There are also some challenges in the recovery of deleted files from a network storage system. Part of the challenge is that Windows does not treat network drives the same way it treats local ones; it cannot. The network drive is controlled by its own local operating system, and when a file is deleted from a network drive, Windows tells that operating system to delete it completely. Another challenge is that a file system disk may be too large and difficult to analyze.
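The three outcomes the file-deletion discussion above turns on, an ordinary delete that leaves the data in place, a later write that reuses the freed space, and a deliberate overwrite (Eraser-style) or TRIM-style discard, reproduced on a toy disk image so the difference is visible. This is an added example, not the paper's or any forensic suite's code: the disk, its directory table and block allocator are invented, and the "PNG" is only header bytes, a payload and the IEND trailer, enough for a signature-based carve to find it but not a valid image. The carver is the general technique (scan for a file signature, cut at its trailer) rather than anything specific to this toy.

```python
"""Why deleted files are often recoverable by carving, and when they are not.

Added example, not from the paper or any forensic tool. A toy in-memory
disk: a directory table plus fixed-size blocks. Deleting a file only
removes its directory entry; the blocks keep their bytes until reused
or deliberately wiped.
"""

BLOCK = 512
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"      # real PNG file signature
PNG_END = b"IEND\xaeB`\x82"           # real PNG trailer chunk bytes


class ToyDisk:
    """Constructed disk model: directory name -> (first_block, length)."""

    def __init__(self, nblocks=64):
        self.data = bytearray(BLOCK * nblocks)
        self.directory = {}
        self.free = list(range(nblocks))

    def _alloc(self, n):
        """Lowest contiguous run of n free blocks (toy allocator)."""
        free = sorted(self.free)
        for i in range(len(free) - n + 1):
            run = free[i:i + n]
            if run[-1] - run[0] == n - 1:
                for b in run:
                    self.free.remove(b)
                return run[0]
        raise OSError("disk full")

    @staticmethod
    def _blocks_for(length):
        return max(1, -(-length // BLOCK))          # ceiling division

    def write_file(self, name, content):
        first = self._alloc(self._blocks_for(len(content)))
        off = first * BLOCK
        self.data[off:off + len(content)] = content
        self.directory[name] = (first, len(content))

    def delete(self, name, wipe=False):
        """Ordinary delete drops the entry only; wipe=True models an
        Eraser-style overwrite or a TRIM-style discard of the blocks."""
        first, length = self.directory.pop(name)
        n = self._blocks_for(length)
        if wipe:
            self.data[first * BLOCK:(first + n) * BLOCK] = bytes(n * BLOCK)
        self.free.extend(range(first, first + n))


def fake_png(payload: bytes) -> bytes:
    """PNG-shaped bytes for carving tests (constructed, not a valid image)."""
    return PNG_MAGIC + payload + PNG_END


def carve_png(image: bytes):
    """Signature carving: every header-to-trailer span, ignoring the directory."""
    found, pos = [], 0
    while True:
        start = image.find(PNG_MAGIC, pos)
        if start < 0:
            return found
        end = image.find(PNG_END, start)
        if end < 0:
            return found
        end += len(PNG_END)
        found.append(image[start:end])
        pos = end


def demo():
    """Carve the same deleted file under the three conditions; return results by name."""
    secret = fake_png(b"quarterly-figures")
    results = {}

    disk = ToyDisk()
    disk.write_file("report.png", secret)
    disk.write_file("notes.txt", b"plain text, not carved")
    disk.delete("report.png")                  # entry gone, blocks untouched
    results["deleted"] = carve_png(bytes(disk.data))

    disk = ToyDisk()
    disk.write_file("report.png", secret)
    disk.delete("report.png")
    disk.write_file("new.bin", b"B" * 100)     # new file reuses the freed block
    results["reused"] = carve_png(bytes(disk.data))

    disk = ToyDisk()
    disk.write_file("report.png", secret)
    disk.delete("report.png", wipe=True)       # overwritten before analysis
    results["wiped"] = carve_png(bytes(disk.data))
    return results


if __name__ == "__main__":
    for case, carved in demo().items():
        print(f"{case:8}: {len(carved)} file(s) carved")
```

In the "reused" case the tail of the old file still sits past the 100 bytes of the new one (slack space), but with its signature overwritten a header-based carve no longer finds it, which is the practical reason the paper's advice to stop using the machine and boot from separate recovery media matters: every further write on the volume is a chance for that reuse to happen.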
Digital forensic investigations are a useful way of investigating any crime committed through computer attacks. When such an investigation takes place, various sources of data can be useful to investigators, including live system data, virtual machines, intrusion detection systems, hard drives and network drives, and Internet Service Provider records. This paper has examined these data sources in detail, and how they can be prioritized in the face of three incidents: network intrusion, malware installation, and insider file deletion. The various challenges investigators face while trying to analyze digital forensic data have also been examined. The scientific community should therefore leverage these data sources in advancing the state of the art in digital forensics, while also ensuring that the known challenges are effectively addressed.
Baggili, I., & Breitinger, F. (2015, March). Data sources for advancing cyber forensics: What the social world has to offer. In 2015 AAAI Spring Symposium Series.
Casey, E. (2005). Case study: network intrusion investigation-lessons in forensic preparation. Digital Investigation, 2(4), 254-260.
McDougal, M. (2006). Live Forensics on a Windows System: Using Windows Forensic Toolchest (WFT). Foolmoon Software & Security.
Pfleeger, S. L., & Stolfo, S. J. (2009). Addressing the insider threat. IEEE Security & Privacy, 7(6), 10-13.
Sindhu, K. K., & Meshram, B. B. (2012). Digital Forensic Investigation Tools and Procedures. International Journal of Computer Network and Information Security, 4(4), 39.
Willison, R., & Siponen, M. (2009). Overcoming the insider: reducing employee computer crime through Situational Crime Prevention. Communications of the ACM, 52(9), 133-137.
Zeltser, L. (2007, May 1). Using VMware for malware analysis.
Zheng, M., Sun, M., & Lui, J. C. (2013, July). DroidAnalytics: a signature based analytic system to collect, extract, analyze and associate Android malware. In 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (pp. 163-171). IEEE.