Network Intrusion Analysis Essay Example
The problem of selecting reliable data sources for a digital forensics investigation is particularly relevant nowadays, since each type of computer-related crime relies on a specific set of such sources. In particular, in the case of network intrusion, user accounts, the operating system, the intrusion detection system, and the logs of Internet providers are the most useful sources of information. For malware installation, investigators are likely to find the evidence they require by analyzing system data, the storage of the intrusion detection system, and the information provided by a virtual machine. Finally, in the case of insider file deletion, the investigation has to rely on hard disk drives and network storage as the primary sources of useful data.
Common Network Security Problems
Computer-related crimes are among the consequences of the mass computerization of society. The integration of modern information technologies into almost all areas of human activity has led to many traditional crimes (e.g., misappropriation, theft, fraud, counterfeiting, etc.) being committed with the help of computers. Crimes associated with the use of computer technology present a serious threat to any company or individual. In order to identify the offenders responsible for this damage, a special procedure called digital forensics investigation is conducted. Unlike the usual process, which involves gathering evidence by questioning witnesses, it relies on information obtained from digital sources. However, the quality and reliability of the gathered data may vary depending on the situation, which may affect the course of the investigation. As a result, the problem of selecting data sources for solving a computer-related crime becomes especially relevant. Therefore, the following research focuses on identifying the most valuable data sources that can be used in different cases of computer-related crime (network intrusion, malware installation, and insider file deletion). Additionally, it classifies them in terms of their usefulness to investigators.
Network intrusion is the process of gaining unauthorized access to a network, mostly with malicious intent. The risks of such activity lie in the devastating effects of the loss of time and money that results from the damage or theft of important information and resources. Attackers can gain access to the network by exploiting vulnerabilities in software or hardware, or even by guessing other users’ logins and passwords.
An attacker who gains access to the network becomes the source of the following four types of threats:
- Data theft;
- Identity theft;
- Data loss and data manipulation;
- Termination of service.
In the case of such an event, it is possible to distinguish several data sources that are of the greatest value for the digital forensics investigation. They include user accounts, the operating system itself, the intrusion detection system, and the records kept by the providers of web services.
User accounts provide the most valuable information for the digital forensics investigation. In particular, the security measures of the majority of private networks involve the use of complex passwords that must be changed regularly, constant updating of the list of registered users, and a limit on the number of incorrect login attempts. As a result, the possibility of intrusion is lowered, since it is impossible to log in to the network using a fake account. Still, in case such an event has occurred, an audit of the existing user accounts may allow investigators to identify the source of the intrusion, i.e., the particular account used by the attacker, thus narrowing the field of search. In turn, this information may provide investigators with hints regarding the way access to the network was obtained, the timeline of the event, i.e., the times of logging in and out, the ways in which the account data was misused, and so on. In other words, this data source defines the direction of the entire investigation (Fichera & Bolt, 2013). As a result, in terms of network intrusion, user accounts and the results of their audit are the most valuable of the listed sources of information.
The information collected from the operating system, i.e., live system data, is also of high value for the digital forensics investigation. By reviewing it, it is possible to establish the following details of the intrusion. First of all, the analysis of the system logs may provide information on the password that the attacker used to access the network. In turn, this allows investigators to determine whether the user account was hacked or its password was simply stolen. Next, the analysis of system data may give insight into the nature of the manipulations performed by the attacker within the network. In particular, the criminal may pursue specific goals by obtaining access to it. For example, in the case of a single event of data theft, the system logs are likely to contain information on the copying of certain files. On the other hand, if the offender’s primary goal was data manipulation or termination of the system (events that usually require several intrusions), it is likely that certain software will be altered or replaced to exploit the weaknesses of the system and simplify subsequent intrusions. For example, the attacker may replace the original application layer protocol with a modified one that allows remote access to the system, which means that intrusions will occur on a regular basis (Casey, 2010). As a result, information on the nature of the manipulations within the system may help establish the motives of the crime, thus simplifying the identification of the attacker. All these facts justify ranking system data second in the list of the most valuable sources for the digital forensics investigation. Indeed, its analysis makes it possible to discover the files and systems that were altered as a result of the intrusion, as well as to determine the way the attacker used to access the network.
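As an added illustration of the account audit and the system-log review described in the two paragraphs above (example code written for this page, not part of the essay or of any of the works it cites), the Python script below reconstructs a per-account timeline from constructed, simplified log lines, flags an account whose successful login followed a burst of failed attempts from the same source, and lists the files that account copied. The log format, the field names, and the thresholds are assumptions made for the example.

```python
"""Reconstruct a per-account activity timeline from authentication and
file-access log lines.  Added illustration; the log layout below is a
constructed, simplified syslog-like format, not a real product's format."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample log lines (not real data).  Format:
#   <ISO timestamp> <event> user=<account> [src=<ip>] [file=<path>]
SAMPLE_LOG = """\
2024-03-02T01:12:03Z LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-02T01:12:09Z LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-02T01:12:15Z LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-02T01:12:21Z LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-02T01:12:27Z LOGIN_OK user=jdoe src=203.0.113.7
2024-03-02T01:14:40Z FILE_COPY user=jdoe file=/srv/finance/q4.xlsx
2024-03-02T01:15:02Z FILE_COPY user=jdoe file=/srv/finance/payroll.csv
2024-03-02T01:20:11Z LOGOUT user=jdoe src=203.0.113.7
2024-03-02T08:30:00Z LOGIN_OK user=asmith src=10.0.0.21
2024-03-02T08:31:10Z FILE_COPY user=asmith file=/home/asmith/notes.txt
2024-03-02T17:02:44Z LOGOUT user=asmith src=10.0.0.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))?(?: file=(?P<file>\S+))?$"
)

def parse_log(text):
    """Turn raw lines into dicts carrying a datetime.  Malformed lines are
    counted rather than silently dropped: gaps in a log are evidence too."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events, skipped

def account_timeline(events):
    """Group events by account and order them in time: the 'who did what,
    when, and from where' view that an account audit produces."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    return dict(by_user)

def flag_guessed_logins(events, max_failures=3, window_s=120):
    """Accounts where at least max_failures LOGIN_FAIL events from one source
    were followed within window_s seconds by a LOGIN_OK from the same source:
    the pattern of a guessed password rather than a stolen one."""
    flagged = {}
    for user, evs in account_timeline(events).items():
        fails = []
        for e in evs:
            if e["event"] == "LOGIN_FAIL":
                fails.append(e)
            elif e["event"] == "LOGIN_OK":
                recent = [f for f in fails
                          if f.get("src") == e.get("src")
                          and (e["ts"] - f["ts"]).total_seconds() <= window_s]
                if len(recent) >= max_failures:
                    flagged[user] = {"src": e["src"], "failures": len(recent),
                                     "login_at": e["ts"]}
                fails = []  # a successful login closes the window
    return flagged

def files_touched(events, user):
    """Files an account copied, in log order: the trace of a data-theft event."""
    return [e["file"] for e in events
            if e["user"] == user and e["event"] == "FILE_COPY"]

if __name__ == "__main__":
    evs, skipped = parse_log(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, skipped {skipped}")
    for user, hit in flag_guessed_logins(evs).items():
        print(f"{user}: {hit['failures']} failures, then login from "
              f"{hit['src']} at {hit['login_at']}")
        print("  files copied:", files_touched(evs, user))
```

The failure window and threshold are the tunable part: too short a window misses slow guessing, too long a window flags ordinary typos, so the values an investigator uses should come from the environment's normal failure rate rather than from this example.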
Intrusion Detection System
An Intrusion Detection System (IDS) is hardware or software designed to detect instances of unauthorized access to a computer system or network, or their unauthorized management. An IDS provides an additional level of security for computer systems by alerting administrators to any abnormalities in the operation of the network. A typical IDS includes a sensor subsystem for collecting events related to the security of the protected system, an analytical subsystem designed to detect attacks and suspicious activity on the basis of sensor data, and storage that accumulates the primary events and the results of analysis. In most cases, the analysis performed by an IDS is based on the principle of signature matching: the system refers to a dictionary of known attack signatures. If any part of the observed attack pattern matches an existing signature, the system attempts to halt it and warns the administrator of a threat. However, in order to achieve the maximum efficiency of this method, it is necessary to replenish the dictionary of signatures on a regular basis. At the same time, the attack patterns used by offenders are becoming more sophisticated, meaning that even the newest signatures cannot guarantee complete protection of the network. In turn, this results in an increased number of false alarms on the part of the IDS (Casey, 2010).
Still, the data from the IDS storage, namely the alarms, can be useful for the investigation, provided it is filtered. By removing the false alarms, it is possible to use the remaining information to support the analysis of the less detailed system logs and to search for clues about the nature of the attack. In particular, the use of IDS data makes it possible to obtain additional details about the connection used by the attacker and thus prevent subsequent attempts at intrusion. In some cases, it also makes it possible to pinpoint the direction of the traffic, thus simplifying the identification of the attacker. However, such an analysis requires comprehensive knowledge of operating systems and hacking techniques, as well as the availability of logs from diagnostic tools. As a result, the IDS can be placed third in terms of its value to the digital forensics investigation of network intrusion: it provides useful information that may affect the course of the investigation significantly, but identifying and isolating it from the pool of unnecessary data requires great effort on the part of investigators.
The Records of the Providers of Web Services
In order to organize and conduct their attacks on networks, offenders must use web services (an Internet connection, messengers, etc.). As a result, by turning to the providers of these services, it is possible to acquire information on the timeline of their use by the hackers at the time of the event. Moreover, providers may collect such data as the names and e-mail addresses of their clients, as well as their payment information, e.g., data on credit cards and bank accounts. In the case of Internet providers, it is also possible to obtain the IP addresses of the potential offenders at the time of the event, which matters when dynamic IP addresses are used, since the address alone then does not identify a subscriber. All this information can be employed to prove either the involvement or non-involvement of the potential offenders in the act of network intrusion. However, each provider has a different policy regarding the collection of consumer data, meaning that it is difficult to obtain consistent information in this way. Moreover, there is no guarantee that the obtained information is reliable. As a result, the records of the providers of web services are ranked fourth and last in terms of their value to the digital forensics investigation.
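As an added illustration of how provider records are used in the case just described (example code written for this page, not part of the essay or of any cited work), the Python script below maps an IP address seen in a victim's log at a given moment back to the subscriber who held it, using a constructed lease table of the kind a provider might supply for a dynamic address pool. The record layout, the subscriber identifiers, and the timestamps are assumptions; the one caveat the example is built around is that the victim's clock and the provider's records must be brought into the same time zone before they are compared.

```python
"""Attribute an observed IP address to a subscriber using dynamic-lease
records.  Added illustration; the lease records and the observation below
are constructed, and the record format is an assumption."""
from datetime import datetime, timedelta, timezone

# Constructed provider records: each lease holds an address for
# [start, end) in UTC; end=None means the lease was still active.
LEASES = [
    {"ip": "198.51.100.23", "subscriber": "SUB-0412",
     "start": datetime(2024, 3, 1, 22, 0, tzinfo=timezone.utc),
     "end":   datetime(2024, 3, 2, 1, 30, tzinfo=timezone.utc)},
    {"ip": "198.51.100.23", "subscriber": "SUB-0977",
     "start": datetime(2024, 3, 2, 1, 30, tzinfo=timezone.utc),
     "end":   datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)},
    {"ip": "198.51.100.24", "subscriber": "SUB-0501",
     "start": datetime(2024, 3, 2, 0, 0, tzinfo=timezone.utc),
     "end":   None},
]

# Constructed observation: the victim's log recorded 03:05 local time,
# and the victim's server is configured for UTC+2.
SEEN_LOCAL = datetime(2024, 3, 2, 3, 5)
VICTIM_UTC_OFFSET_HOURS = 2

def to_utc(ts, utc_offset_hours=0):
    """Normalize a log timestamp to UTC.  A naive datetime is interpreted
    as local time at the given offset.  Comparing the victim's local clock
    directly with the provider's UTC records is the classic way to blame
    the wrong subscriber."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return ts.astimezone(timezone.utc)

def subscriber_for(ip, observed_at, leases=LEASES, utc_offset_hours=0):
    """Subscriber ids whose lease on `ip` covered `observed_at`.  A list is
    returned rather than one value so that overlapping records (clock
    drift, re-used addresses) are reported instead of hidden."""
    t = to_utc(observed_at, utc_offset_hours)
    hits = []
    for lease in leases:
        if lease["ip"] != ip:
            continue
        if lease["start"] <= t and (lease["end"] is None or t < lease["end"]):
            hits.append(lease["subscriber"])
    return hits

if __name__ == "__main__":
    print("with time zone handled:",
          subscriber_for("198.51.100.23", SEEN_LOCAL, utc_offset_hours=VICTIM_UTC_OFFSET_HOURS))
    print("with the offset ignored:",
          subscriber_for("198.51.100.23", SEEN_LOCAL))
```

Run as written, the two calls name different subscribers for the same log entry: the observation falls 25 minutes before a lease changed hands, so ignoring the two-hour offset attributes the address to the later subscriber.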
Malware is any software designed to gain unauthorized access to the resources of a computer or network. Currently, there are tens of thousands of such programs, with new ones being created on a regular basis. Malware may cause serious damage to corporate networks, e-mail systems, and web sites by exploiting their various vulnerabilities.
Its installation may result in the following negative effects:
- Interference with the processes of the infected system (blocking antivirus software and administrative functions of the operating system, as well as sabotaging computer-controlled processes);
- The installation of other malicious software (either by downloading it from the network or by unpacking another malicious program already contained within the file);
- Theft, fraud, extortion, and spying on the user (theft of accounts for various services and payment systems, as well as key logging);
- Other illegal activities (unauthorized access to the resources of the computer, the organization of DDoS attacks, etc.) (Sikorski & Honig, 2012).
In the case of malware installation, such data sources as the operating system itself, the IDS, and a virtual machine are of the highest usefulness for the digital forensics investigation.
The volatile data collected from the running operating system, specifically that obtained at the time of malware installation, makes it possible to search for hidden files that were integrated into the system by the malware. In this regard, alternate data streams present the highest value for investigators. Moreover, the analysis of such components of the system as drivers and applications, as well as the running services and processes, may help identify the type of malware and its source (Sikorski & Honig, 2012). The usefulness of this data becomes even higher if investigators were able to discover the malware installation before it was completed. The primary reason for that is that they may collect and analyze the data on it without alerting the criminal. As a result, the identification of the offender is simplified. At the same time, discovering a malware installation often requires a comprehensive analysis of the potentially infected system. As was mentioned before, new types of malware are being developed regularly, meaning that even the use of the most advanced diagnostic tools does not guarantee the absence of false alarms or critical failures, for example, malware that is not detected until it has caused irreparable damage to the system (Casey, 2010). Nevertheless, all the above-mentioned facts make it possible to consider the operating system the most valuable source of information for the digital forensics investigation of a malware installation case.
Intrusion Detection System
As was mentioned before, an IDS identifies and blocks threats, including malware, on the basis of signature matching. As a result, the data obtained from its storage may be used to identify the type of malware as well as the attack pattern used by the offender. Moreover, after obtaining the volatile data collected from the running operating system, it is possible to compare it with the existing signatures in the IDS dictionary and determine whether the installed malware has any specific features, for example, those of a downloader, a dropper, etc. (Sikorski & Honig, 2012). In turn, this information may provide evidence of the goals of the attacker. At the same time, there is no guarantee that the IDS log will be free of false alarms or that the system will detect the attempt to install malware. Moreover, when signatures are compared with volatile data, the amount of information may be overwhelming, which may slow the investigation (Marshall, 2008). Considering the mentioned issues, as well as the fact that the IDS can be used to its full extent only after the analysis of the volatile system data, it is possible to rank it as the second most useful source of information for the digital forensics investigation of a malware installation case.
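As an added illustration serving both the IDS discussion in the network intrusion section (signature matching and the filtering of false alarms) and the paragraph above (comparing volatile data with the signature dictionary to label malware as a downloader or a dropper), the Python script below applies a small constructed signature dictionary to two constructed inputs: captured request lines and strings extracted from a running process. It is example code written for this page, not part of the essay, of any cited work, or of any real IDS product; the signature patterns, tags, allow-list, and samples are all assumptions, and real signature sets are far larger.

```python
"""Signature matching of the kind an IDS performs, with a triage step that
suppresses alarms from known-benign sources and a classification step for
strings pulled from a running process.  Added illustration; every
signature, tag and sample here is constructed."""
import re
from collections import Counter

# Constructed signature dictionary: a pattern, a human-readable name and
# the attack/malware class it points to.
SIGNATURES = [
    {"id": "SIG-001", "name": "path traversal in URL",
     "pattern": re.compile(r"\.\./\.\./"), "tag": "web-probe"},
    {"id": "SIG-002", "name": "SQL tautology in parameter",
     "pattern": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I), "tag": "web-probe"},
    {"id": "SIG-003", "name": "fetch-then-execute API pair",
     "pattern": re.compile(r"URLDownloadToFile.*?WinExec", re.S), "tag": "downloader"},
    {"id": "SIG-004", "name": "executable written under Temp",
     "pattern": re.compile(r"WriteFile.*?\\Temp\\.*?\.exe", re.S), "tag": "dropper"},
]

# Constructed allow-list: sources whose matches are known to be benign,
# e.g. the internal vulnerability scanner.  Filtering these is the
# 'sorting out the false alarms' step.
KNOWN_BENIGN_SOURCES = {"10.0.0.5"}

def match_signatures(sample):
    """Signatures that fire on one sample (bytes or str)."""
    text = sample.decode("latin-1") if isinstance(sample, bytes) else sample
    return [s for s in SIGNATURES if s["pattern"].search(text)]

def triage_alerts(events, benign_sources=KNOWN_BENIGN_SOURCES):
    """events: list of {'src': ip, 'data': payload}.  Returns the alerts that
    survive filtering plus a count of suppressed ones per signature, so the
    analyst sees how much noise was removed rather than having it vanish."""
    kept, suppressed = [], Counter()
    for ev in events:
        for sig in match_signatures(ev["data"]):
            if ev["src"] in benign_sources:
                suppressed[sig["id"]] += 1
                continue
            kept.append({"src": ev["src"], "sig": sig["id"],
                         "name": sig["name"], "tag": sig["tag"]})
    return kept, suppressed

def classify_volatile(strings):
    """Given strings extracted from a running process, return the sorted set
    of malware classes the signature dictionary associates with it."""
    return sorted({s["tag"] for s in match_signatures("\n".join(strings))})

# Constructed sample inputs.
NETWORK_EVENTS = [
    {"src": "203.0.113.7", "data": "GET /../../etc/passwd HTTP/1.1"},
    {"src": "10.0.0.5",    "data": "GET /../../etc/passwd HTTP/1.1"},  # scanner
    {"src": "203.0.113.9", "data": "POST /login user=' or '1'='1"},
    {"src": "10.0.0.21",   "data": "GET /index.html HTTP/1.1"},
]
PROCESS_STRINGS = ["kernel32.dll", "URLDownloadToFileA", "WriteFile",
                   "C:\\Temp\\upd.exe", "WinExec"]

if __name__ == "__main__":
    alerts, noise = triage_alerts(NETWORK_EVENTS)
    for a in alerts:
        print(f"{a['src']:<14} {a['sig']} {a['name']} [{a['tag']}]")
    print("suppressed:", dict(noise))
    print("process classes:", classify_volatile(PROCESS_STRINGS))
```

Keeping the suppressed counts visible is the design choice worth copying: an allow-list that silently discards matches hides exactly the case the essay warns about, a genuine attack that happens to come from a trusted address.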
In the case of malware installation, investigators often have to examine the principles of operation of the harmful software and determine the potential threat it poses by using a virtual machine. A virtual machine is a software and/or hardware system that emulates the hardware of a target platform and executes programs written for that target platform on the host platform. It can also virtualize a particular platform and, on that basis, create environments that isolate programs and even operating systems from each other (Barrett & Kipper, 2010). A virtual machine makes it possible to examine the behavior of malware under different conditions and gives the opportunity to return to any stage of the malware installation process, as well as to change its pace. In turn, it may provide evidence on the types of files that the program tries to modify or delete, the information that it tries to collect, and the final destination of the stolen data (Sikorski & Honig, 2012). As a result, it may provide insight into either the motives of the attacker or their location, thus speeding up the investigation. At the same time, a virtual machine cannot always act as a perfect replica of an operating system. As a result, the likelihood of its being discovered by the attackers increases, meaning that they will take countermeasures, thus slowing the investigation. Moreover, it may not always provide a sufficient environment for the analysis (Barrett & Kipper, 2010). Considering all these facts, it is possible to rank it third in the list of the most useful data sources for the digital forensics investigation of a malware installation case.
Insider File Deletion
Insider file deletion is a threat that emanates from people within the organization, such as its current and former employees, contractors, and business partners who have knowledge of its security practices as well as of its data and computer systems. Insiders may have passwords that give them legitimate access to the system. Moreover, they are often familiar with the data and intellectual property of the organization, as well as the methods used to protect them. As a result, they can circumvent the entire security system. Physical proximity to the data means that insiders do not need to break into the organizational network through its outer perimeter firewalls. Because they often have legitimate access to the information, file deletion performed by insiders is difficult to track and prevent (Probst et al., 2010). In this case, such data sources as hard disk drives and network storage are the most useful for the digital forensics investigation.
Hard Disk Drive
Considering that insider file deletion is usually aimed at non-volatile data, which is not lost when the system shuts down, it is clear that the hard disk drive will be the primary target of the attackers. Even when a file appears to have been removed completely, i.e., deleted from the Recycle Bin, only the information regarding its storage sector, path, and creation/modification dates is erased from the system drive. Using forensic software, it is possible to recover it, thus nullifying the damage done by the insider and, most importantly, obtaining evidence on the motives and time of the crime, namely by reviewing the contents of the target file and the time of deletion (Marshall, 2008). At the same time, recovery is possible only within a short period of time, since the file’s data can be overwritten by the system. Moreover, the insider may use specific software to overwrite this data immediately, meaning it cannot be recovered (Probst et al., 2010). Nevertheless, due to its nature as the primary target, the hard disk drive is the most useful data source for the digital forensics investigation.
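As an added illustration of the three situations described above, a plain deletion that leaves the data recoverable, a deletion whose blocks the system has since reused, and a deletion followed by deliberate overwriting (example code written for this page, not part of the essay, of any cited work, or of any forensic tool), the Python script below builds a toy volume in which deleting a file only clears its directory entry, then recovers the file by header-and-footer carving over the raw data area. The volume layout, block size, and file names are constructed; the only real values are the PNG header and IEND footer used as carving markers.

```python
"""Why a 'completely deleted' file is often recoverable, and when it is not.
Added illustration: a constructed toy volume (directory table + data area)
in which deletion drops only the metadata, plus header/footer carving."""
import struct

BLOCK = 64                            # toy block size, an assumption
MAGIC_HEADER = b"\x89PNG\r\n\x1a\n"   # real PNG file signature
MAGIC_FOOTER = b"IEND"                # real PNG final chunk type

class ToyVolume:
    """Directory entries (name, first block, length, in_use) over a bytearray.
    'Deleting' a file marks its entry unused; the blocks keep their content
    until they are reused or deliberately wiped."""
    def __init__(self, blocks=16):
        self.data = bytearray(BLOCK * blocks)
        self.entries = []

    @staticmethod
    def _nblocks(length):
        return (length + BLOCK - 1) // BLOCK

    def _free_block(self, need):
        # Only in-use entries reserve blocks, so freed blocks are handed out again.
        used = {b for e in self.entries if e["in_use"]
                for b in range(e["start"], e["start"] + self._nblocks(e["length"]))}
        total = len(self.data) // BLOCK
        for start in range(total):
            span = range(start, start + need)
            if span.stop <= total and not used.intersection(span):
                return start
        raise OSError("volume full")

    def write(self, name, content):
        start = self._free_block(self._nblocks(len(content)))
        off = start * BLOCK
        self.data[off:off + len(content)] = content
        self.entries.append({"name": name, "start": start,
                             "length": len(content), "in_use": True})

    def delete(self, name, wipe=False):
        """Normal delete drops the metadata only.  wipe=True is what a secure
        deletion tool does: the blocks are overwritten, so carving finds nothing."""
        for e in self.entries:
            if e["name"] == name and e["in_use"]:
                e["in_use"] = False
                if wipe:
                    n = self._nblocks(e["length"]) * BLOCK
                    off = e["start"] * BLOCK
                    self.data[off:off + n] = b"\x00" * n
                return
        raise FileNotFoundError(name)

    def listdir(self):
        return [e["name"] for e in self.entries if e["in_use"]]

def carve(data, header=MAGIC_HEADER, footer=MAGIC_FOOTER):
    """Header/footer carving over raw bytes: recovers files the directory no
    longer knows about.  Returns the recovered byte strings in volume order."""
    found, pos = [], 0
    while True:
        h = data.find(header, pos)
        if h < 0:
            return found
        f = data.find(footer, h + len(header))
        if f < 0:
            return found
        found.append(bytes(data[h:f + len(footer)]))
        pos = f + len(footer)

def make_png_like(payload):
    """Constructed file body: real PNG header, a length field, payload, IEND."""
    return MAGIC_HEADER + struct.pack(">I", len(payload)) + payload + MAGIC_FOOTER

def demo():
    """Plain delete (recoverable), delete then block reuse (lost), wiped (lost)."""
    results = {}
    vol = ToyVolume()
    vol.write("q4-report.png", make_png_like(b"quarterly numbers"))
    vol.write("notes.txt", b"plain notes, no carving marker")
    vol.delete("q4-report.png")                       # the insider deletes the file
    results["listing"] = vol.listdir()                # directory no longer shows it
    results["plain_delete"] = carve(vol.data)         # carving still finds it
    vol.write("memo.txt", b"new memo reusing the freed block")  # system reuses block 0
    results["after_reuse"] = carve(vol.data)          # header overwritten: gone
    vol2 = ToyVolume()
    vol2.write("q4-report.png", make_png_like(b"quarterly numbers"))
    vol2.delete("q4-report.png", wipe=True)           # wiping tool used
    results["after_wipe"] = carve(vol2.data)
    return results

if __name__ == "__main__":
    for scenario, value in demo().items():
        print(f"{scenario}: {value}")
```

The first scenario is the investigator's window: the directory forgets the file, but the bytes remain until the freed block is handed to the next write. The second scenario is why that window is short on a busy system, and the third is the insider's deliberate counter-measure, which no amount of carving can undo.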
The significant variety of computer crimes presents a wide array of data sources that can be used during the investigation. The types of these sources, as well as their usefulness, vary depending on the nature of the crime. Still, it is possible to classify them in terms of their value for each specific case, as this research has demonstrated. However, it should be noted that in most cases the usefulness of the described data sources depends on the skills and equipment of the investigation team. Moreover, in some cases, for example insider file deletion, the preventive measures taken by the attackers can render any of the available data sources useless. As a result, it is clear that the process of digital forensics investigation must be improved on a regular basis to keep pace with the development of contemporary information technologies.