
Capture Data Sources Using the Digital Forensics Tool

Last reviewed: March 12, 2016

Digital Forensics to Capture Data Sources
    Network Intrusion
        Prioritizing Data Sources
            Account Auditing
            Live System Data
            Intrusion Detection System
            Event Log Analysis
    Malware Installation
        Prioritizing Data Sources
            Activity Monitoring
            Integrity Checking
            Data Mining
    Insider File Deletion
        Prioritizing Data Sources
            Use of Uneraser Program Recovers the Deleted Data
    Network Storage

Recent advances in information technology have brought both benefits and threats to business organizations. While businesses have gained competitive advantage through internet technology, hackers are using the same opportunities to penetrate organizational networks and steal sensitive data worth billions of dollars. The recent wave of cybercrime has driven the growth of forensic investigation, which deals with collecting evidence to track cyber offenders. This study examines the different data sources that can enhance a digital forensic investigation. It identifies event log analysis, port scanning, account auditing, and intrusion detection systems as important strategies for obtaining data from those sources.

Introduction

The explosive growth of interconnected networks and computer systems has brought both benefits and inherent risks to organizations and individuals. Hackers and other cyber criminals have taken advantage of recent advances in technology to penetrate organizational network systems and steal sensitive data worth billions of dollars. In the United States, criminals steal data worth billions of dollars from both private and public organizations every year. The most troubling aspect of this recent wave of criminality is that many traditional law enforcement agents are not well trained to track down the criminals because of the sophistication involved. The new wave of computer crime has led to the development of computer forensic science, which uses digital tools for the collection, identification, examination, and analysis of network systems to help preserve the integrity of data and information systems. More importantly, digital forensic experts assist in investigating the crime and in collecting and analyzing the vital evidence that can be used to prosecute cyber criminals. Digital forensic science deals with the investigation of data sources by collecting and examining electronic evidence, as well as assessing electronic attacks, in order to recover lost information from the information system and prosecute the cyber criminals. In other words, digital forensic investigators collect data from a multitude of sources to capture evidence that can be used in legal proceedings. In essence, forensic investigators need to differentiate data from different sources, compare them, and prioritize them by their level of importance.

The objective of this paper is to carry out a comprehensive analysis of the strategies forensic investigators employ to collect data from their sources. The paper also discusses the challenges of collecting and examining evidence from these sources.

Network Intrusion

Forensic experts carry out their investigations to capture evidence based on different kinds of events. A network intrusion is an intentional attempt to break into an organizational network system in order to compromise the integrity, confidentiality, and availability of the network, the computers, and the data stored on them. Network intrusion is the most important of these events because it is the most common technique intruders employ to gain unauthorized access to a network system. A network intrusion can cause significant damage to an organization, leading to sensitive data being altered, damaged, or stolen from the information system. Once attackers have gained access to the network, they can cause significant damage to both hardware and software.

A case study published in 2005 argues that investigations involving a network intrusion are both costly and complex and can take a great deal of time to resolve. The author cites an incident in which intruders penetrated the information systems of several laboratories in 2000, shutting the organizations down for several days and causing an enormous loss of revenue. When forensic investigators were brought in, they used several procedures, including incident handlers who acquired the evidence. Tracking the offenders also took an enormous amount of time; they were finally brought to justice in 2004.

Prioritizing Data Sources

Account Auditing

Forensic investigators use different strategies to collect, preserve, and reconstruct evidence in order to track offenders. With reference to network intrusion, the first strategy is to carry out account auditing: identify the data source and review user accounts to determine which servers the intruders used to gain access to the organizational network. The goal of account auditing is to identify weaknesses in authentication and analyze the types of passwords used to log into the system. Account auditing is also used to establish whether user accounts are still active (NIST, 2002). However, account auditing can be challenging when dealing with multiple operating systems, because each operating system manages user accounts differently. In essence, role auditing and user account review are critical data sources with reference to network intrusion because they help an administrator understand whether an account has been misused.
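The account review described above, as an added example that is not part of the paper: a small audit over Unix-style passwd/shadow records that flags the weaknesses the text names (shared root access, missing password, accounts that are interactive but stale or never used). The sample records and last-login day numbers are constructed, not taken from any real system.

```python
# Added example (not from the paper): audit a Unix-style account list for the
# weaknesses the text describes. Sample passwd/shadow/lastlog data is constructed.

# passwd fields: name:x:uid:gid:comment:home:shell
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc-deploy:x:1001:1001:deploy:/home/svc-deploy:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
""".splitlines()

# shadow fields (trimmed): name:hash:last-change ("*" = locked, "" = no password)
SHADOW = """\
root:$6$salt$hash:16800
backup:$6$salt$hash:16800
www-data:*:16800
svc-deploy::16800
alice:$6$salt$hash:16800
""".splitlines()

# constructed last-login day numbers; an absent name means it never logged in
LASTLOG = {"root": 16850, "alice": 16860, "svc-deploy": 16300}
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/bin/false")


def audit_accounts(passwd, shadow, lastlog, today, stale_days=90):
    """Return (account, finding) pairs worth an investigator's attention."""
    hashes = {line.split(":")[0]: line.split(":")[1] for line in shadow}
    findings = []
    for line in passwd:
        name, _, uid, _, _, _, shell = line.split(":")
        # a second UID-0 account is a classic sign of retained root access
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 shared with root"))
        pwhash = hashes.get(name, "")
        if pwhash == "":
            findings.append((name, "empty password field"))
        locked = pwhash.startswith(("*", "!"))
        if shell in NOLOGIN_SHELLS or locked:
            continue  # cannot log in interactively; nothing more to check
        last = lastlog.get(name)
        if last is None:
            findings.append((name, "interactive shell, never logged in"))
        elif today - last > stale_days:
            findings.append((name, f"no login for {today - last} days"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD, SHADOW, LASTLOG, today=16870):
        print(f"{account:12} {finding}")
```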

Kent, Chevalier, Grance, et al. (2006) argue that the first step in a forensic investigation of a network intrusion is to identify the potential sources of data and acquire the data stored on those devices. Common data sources, in order of importance, include servers, desktop computers, laptops, network storage devices, and external media such as DVDs, CDs, and USB (Universal Serial Bus) drives. Other data sources include FireWire and PC memory card ports, to which a user can attach external storage devices and media. Investigators can also collect data from the log files of network activity. Further sources of data include thumb drives, flash and memory cards, magnetic disks, and optical discs. Many standard computers also hold volatile data that remains available only until the system is rebooted or shut down. Moreover, computer-related devices such as digital recorders, audio players, digital cameras, and cell phones may contain data. Application systems that forward copies of their data to other systems are another helpful data source.

Live System Data

Live system data is another data source for a network intrusion investigation. Live data typically provides some of the most promising evidence from a compromised system, because it reveals evidence in real time, including the method the intruders employed to gain access. Investigators can use the EnCase program to capture live data, and a program such as tcpurify can be used to capture network data. This method helps the investigators identify the strategy the penetrators used to gain access to the network (Vigna, Johnson, Kruegel, 2003). Essentially, live data sources allow forensic investigators to capture volatile data that may no longer be available during a postmortem investigation. The information captured during a live investigation includes network information, event logs, registered drivers, running processes, and registered services. For example, examining the running services helps investigators capture what is executing on the computer system. These services run at a higher priority than user processes, and many users are unaware that they exist. Because of that high priority and the lack of attention they receive from system administrators, they are a common target for hackers. Thus, conducting a live investigation lets an investigator view the state of the services, which is crucial to the investigation. Despite the benefits of live forensics, preserving the state of the system so that the captured data remains legible can be challenging. The best strategy for keeping the data usable is a forensic toolkit that keeps the process as automated as possible.

Intrusion Detection System

An IDS (intrusion detection system) is another strategy investigators can use to capture data from their sources. The IDS is particularly useful for live analysis. For example, an IDS can be configured to monitor network traffic and watch intruders in action, and it can be used to detect how hackers are accessing the systems. The strategy helps investigators procure critical evidence based on its findings. The benefit of an IDS is that it allows investigators to detect a network intrusion, because it can be programmed so that system administrators are alerted to unauthorized access to the network. An IDS is similar to a burglar alarm that alerts home owners that a thief is attempting to enter their property. Despite the benefits of an IDS, some IDS alerts concern activity that is harmless to the system, and investigating such activity can waste time. Kumar et al. (2013) argue that the goal of an IDS is to identify and capture unauthorized access to the network in real time. The IDS also aims to detect anomalies whose symptoms indicate illegal, intrusive, and potentially criminal activity. Forensic investigators can use an IDS as an investigative tool to obtain sufficient evidence about criminal activity. "The problem is that it is unsure that network security services are appropriate tools to collect evidence during ongoing attacks." (Kumar et al., 2013, p. 613). Moreover, an investigator can use an automated IDS to reveal the pattern of an incident and the strategy carried out during the attack. Unfortunately, an automated IDS can raise false alarms. Thus, to capture real-time evidence from an IDS, investigators need extensive knowledge of the IDS and of log diagnostic tools in order to capture authentic evidence from the system.

Johnson and Reusi (2006) point out that such an investigation is both challenging and complex. The authors cite an example from 2005 in which the network systems of 50 organizations, both private and public, were compromised. The intruders gained access to the organizations' networks to steal sensitive data. The investigation consisted of several layers. First, the forensic examiners identified the compromised server on which the data had been stored. The initial step involved a remote port scan of the compromised server to facilitate the onsite investigation. The investigation revealed that the attacker used malware to gain access to the network. The next layer of the network intrusion investigation involved booting the server from the Helix distribution CD to examine the file system. The final stage was to identify and preserve the evidence using forensic toolkits in order to determine the method of intrusion and trace the offenders.

Event Log Analysis

Investigators can also use event log analysis to capture data. Most modern operating systems have facilities that record activity such as log-ins and log-outs, root access events, and user command histories, and some can collect a large volume of security data. For example, Windows XP, Windows 7, and Windows 8 can record log-on activity, user access, and administrator activity. Thus, investigators can collect log evidence through log analysis. The challenge of this strategy is that skilled attackers use many tactics to avoid detection; for example, they may hide or delete log evidence and modify the operating system. Even so, it is still possible to collect log data, because attackers often leave traces, and remnants of the logs may remain on the system. The evidence that can be collected from event logs includes system logs, application logs, and security logs.

"However, some events have cryptic descriptions and many are relatively unimportant in the context of security needs. Furthermore, this capture of security related events provides very little in the way of real-time monitoring or notification of suspicious activities, analyzing of logs, fusing, and correlating of networked computer logs." (Kumar et al., 2013, p. 614).

Malware Installation

Malware is defined as malicious software intentionally inserted into a system to cause damage or serve a harmful purpose. Siddiqui (2008) defines malware as follows:

"any program that purposefully created to harm the computer system operations or data is termed as malicious programs. Malicious programs include viruses, worms, trojans, backdoors, adware, spyware, bots, rootkits etc. All malware are sometimes loosely termed as virus (viruses, worms, trojans specifically) Commercial anti-malware products are still called antivirus." (Siddiqui, 2008, p. 2).

Malware can consist of code or scripts hidden in an attached file or software program in order to damage the system. Types of malware include viruses, worms, and denial of service attacks. A virus is a malicious program that can infect a system and modify the data stored on it; some viruses can steal a legitimate user's password. A worm is another type of malware that can replicate itself and send copies from one computer to another over network connections; as it propagates, it can perform unwanted actions. Stallings (2011) identifies the Trojan horse, logic bomb, mobile code, auto-rooter, virus generator, and downloader as other types of malware. A Trojan horse is a program with hidden malicious functions, such as exploiting legitimate authorization.

Prioritizing data sources

Scanning

Scanning is the most effective and widely used standard technique for finding a known string in a file. Scanning searches for pre-defined viruses and their variants. Scanning techniques include string scanning and wildcard scanning, which allow various types of virus signature to be identified, as well as smart scanning and virus family detection.
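String and wildcard scanning as described above, as an added example that is not part of the paper: signatures are written as hex strings in which "??" matches any single byte and "*" any run of bytes, so one wildcard signature can cover a family of variants. The signature database and the sample files are constructed for illustration; none is a real malware pattern.

```python
import re

# Added example (not from the paper): a signature scanner implementing the
# string and wildcard scanning the text describes. Signatures are hex strings
# where "??" matches any one byte and "*" any run of bytes. The signature
# database and the sample files are constructed; none is a real malware pattern.
SIGNATURES = {
    "Test.Sample.A": "4d5a9000deadbeef",   # plain string signature
    "Test.Sample.B": "cafe????babe",       # fixed bytes with wildcard bytes
    "Test.Family.C": "0102*0304",          # two fragments, anything between
}


def compile_signature(hexsig):
    """Translate the hex signature into a bytes regex."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan(data):
    """Return (signature name, offset) for every signature found in data."""
    hits = []
    for name, pattern in COMPILED.items():
        if m := pattern.search(data):
            hits.append((name, m.start()))
    return hits


# constructed sample files; each is named for the signature it should trigger
SAMPLES = {
    "clean.bin": b"nothing to see here" * 3,
    "a.bin": b"\x00" * 5 + bytes.fromhex("4d5a9000deadbeef") + b"\x00" * 3,
    "b.bin": b"xx" + bytes.fromhex("cafe1234babe"),
    "c.bin": bytes.fromhex("0102") + b"padding between fragments" + bytes.fromhex("0304"),
}


def scan_samples():
    return {fname: scan(data) for fname, data in SAMPLES.items()}
```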

Activity Monitoring

Activity monitoring is another strategy for obtaining data about malware. It is used to search for and monitor malicious behavior. Activity monitoring may introduce both dynamic and static problems for the system.

Integrity Checking

Integrity checking is the strategy of creating a cryptographic checksum for each file in the file system in order to detect any later variation in the information system. Integrity checking also involves checking for any possible changes in the system caused by virus activity.
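The integrity checking described above, as an added example that is not part of the paper: a SHA-256 checksum baseline is taken per file, and a later run reports which files were modified, added or deleted. The directory tree and the "virus activity" applied to it are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the paper): a minimal integrity checker of the kind
# the text describes. A baseline of SHA-256 checksums is taken per file, and a
# later run reports what changed. The files here are constructed in a temp dir.


def hash_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, POSIX-style path) to its checksum."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare the current tree against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc_hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)          # taken on a known-clean system
        # simulate virus activity: patch a binary, drop a new file, wipe another
        (root / "bin" / "login").write_bytes(b"original login binary + injected")
        (root / "bin" / "dropper").write_bytes(b"constructed payload stub")
        (root / "etc_hosts").unlink()
        return verify(root, baseline)
```

The baseline and the checking tool itself must be stored where malware on the monitored host cannot rewrite them, otherwise the comparison proves nothing.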

Data Mining

The data mining approach uses machine learning and statistical learning algorithms to classify a program as malicious or clean. Data mining can also be used to detect unknown viruses, and the models can be built to achieve a high accuracy rate.

Insider File Deletion

Insider attacks are among the vulnerabilities organizations face in the contemporary business environment. The threats can come from employees, contractors, vendors, and visitors. However, insider threats are more common among employees than among other stakeholders, because employees have access to the organization's databases and files and are permitted to cross the security barriers. In the contemporary business environment, files are crucial to business processes, yet a file can be intentionally or accidentally deleted from the database. Some deleted files are so crucial that they need to be recovered as soon as possible. However, some disgruntled employees deliberately delete sensitive files from the database. For example, an employee working at a financial institution planted a logic bomb that deleted over 10 billion files. Typically, an employee can insert a logic bomb into the computer system and activate it at a later time.

Prioritizing data sources

Use of Uneraser program Recovers the Deleted Data

Several software products can be used to restore deleted files from a hard disk. Investigators can use the Uneraser program for Windows and Data Rescue 3 for Mac to recover deleted files. When a file is deleted from the hard disk, the data are not entirely lost from the computer directory; the file is still 100% intact and can be recovered with the appropriate method. If a file is deleted on a Windows operating system, it goes to the Recycle Bin, from which it can be restored with the Restore option. Even if the Recycle Bin has been emptied, there is still a chance to recover the data because the file is still not entirely deleted. The investigator should use the Uneraser software to recover the deleted file. Uneraser uses a sophisticated and powerful recovery engine, and it allows investigators to identify the files and recover them within a few minutes. Similarly, the Data Rescue 3 program can help investigators recover deleted files from the Mac operating system, using sophisticated algorithms to recover lost files. The challenge of using these programs is that a skilled insider may use an eraser program to remove the file from the system, and it may then prove difficult for a forensic investigator to recover the file.

PaperDue. (2016). Capture Data Sources Using the Digital Forensics Tool. PaperDue. https://www.paperdue.com/essay/capture-data-sources-using-the-digital-forensics-2159813

Always verify citation format against your institution’s current style guide requirements.