Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)



This chapter introduced several solutions to the dilemma of network forensics. As previously explained, network forensics is the principle of reconstructing the activities leading to an event and answering two questions: "What did they do?" and "How did they do it?"

Furthermore, protecting your network against hackers need not be a full-time job. By including a few best practices as part of your organization’s daily routine, you can prevent leaks from developing—or at the very least, plug them before the dams break altogether.

Conclusions Drawn from Networks

An Agenda for Action in Networks

The following is a provisional list of actions for networks. The order is not significant; however, these are the activities for which the research would need to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these network topics have been mentioned in passing already:

  1. Provide expert data visualization techniques to the problem of network data pattern analysis

  2. Apply standard research and analysis techniques to datasets provided by a company or organization

  3. Apply the lessons learned from company-provided datasets to open datasets as the research advances

  4. Provide initial datasets, project initiation, and training in network traffic datasets and analysis techniques

  5. Provide expert network forensical rule-based algorithms for incorporation by researchers

  6. Repeatedly test and verify new visualization techniques and procedures to ensure that new patterns are, in fact, accurate representations of designated activities

  7. Develop a test database

  8. Develop a design methodology for visualizing test data

  9. Develop a query interface to the database

  10. Map data structures to a visualization model

  11. Build a prototype

  12. Refine a prototype

  13. Incorporate live Internet data

  14. Test live Internet data

  15. Deliver a final build

  16. Produce new visualization techniques to streamline and enhance analysis of network forensic data

  17. Produce a Web browser compatible prototype that demonstrates these techniques to visualize and query vast amounts of data. The resulting interactive visualization interface will advance the usability of the system, solve the volumetric problem with analyzing these datasets, and advance the adaptation of the solution in the INFOSEC market.

  18. Routinely archive all e-mail as it is received on your server for a certain period of time (say, 30–60 days)

  19. Clear the archives after an additional specified time

  20. Physically segregate the back-up copies of the e-mail system from back-ups of the rest of the computer system

  21. Automatically erase e-mail from the computer system, including back-ups, after a short period (15–30 days)

  22. Apply uniform retention and deletion standards and features outside the server to workstations and laptops

  23. Formulate and distribute a statement that the automatic deletion of electronic records will be suspended and steps taken to preserve records in the event of investigation or litigation

  24. All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document

  25. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority

  26. Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness

  27. Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner

  28. The agency must maintain written copies of appropriate technical procedures

  29. The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure

  30. All activity relating to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony

  31. Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner

  32. Be alert. One of the best ways to ensure that your network is secure is to keep abreast of developing threats. Security experts agree that ignorance is the most detrimental security problem. Most hacks occur because someone wasn’t paying attention. Web sites such as the CERT home page (http://www.cert.org) are excellent places to get current information.

  33. Apply all service patches. Many companies will sit on patches rather than put them to use. Others are not diligent enough about searching for and downloading the latest virus definitions. Smart hackers bank on the negligence of others.

  34. Limit port access. Although just about any application that uses TCP requires a port, you can minimize exposure by limiting the number of ports accessible through a firewall. NNTP (Network News Transfer Protocol) is an excellent example: Unless your shop requires newsgroup access, port 119 should be shut down.

  35. Eliminate unused user IDs and change existing passwords. Poor maintenance is almost as dangerous as ignorance.

  36. System administrators should routinely audit and delete any idle user IDs.

  37. To limit the likelihood of successful random guessing, all user and system passwords should be system-generated or system-enforced.

  38. Avoid the use of SNMP across the firewall

  39. Routers should be checked to make sure they do not respond to SNMP commands originating outside the network.

  40. Secure remote access. Try to break into your own network. You can learn a lot by hacking into your own system.

  41. If you can gain access to your systems from a workstation outside your network, you can easily test your packet-filtering scheme without any outside exposure. If you do spot a weakness, you’ll be one step ahead of the hackers.

  42. When in doubt, ask a consultant. If you don’t have the technical wherewithal in-house or if your staff is too busy working on other projects, don’t hesitate to call in a consultant. Many companies offer security assessment and training services.

  43. Companies should assess their networking needs and shut down any ports that aren’t necessary for day-to-day operations, such as port 53 for DNS access and port 119 for NNTP (Network News Transfer Protocol) services.

  44. Be sure to eliminate unused user IDs and to avoid provisioning SNMP services through the firewall.
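
The following script is an added example, not code from the book, that turns items 34, 36, 38, 39, 43 and 44 above into a repeatable check: it evaluates a constructed first-match firewall ruleset from the outside to see whether NNTP, DNS or SNMP are reachable through the firewall, and lists user IDs that have not logged in within a threshold. The rule tuple format, the sample rules, the sample accounts and the 90-day idle threshold are assumptions made for the illustration; SNMP's ports 161/162 are the protocol's standard ports and are not named on the page.

```python
"""Audit helpers for the port-access, SNMP and idle-user-ID checklist items.
Example code added to this summary; not from the book. Rule format and all
sample data below are constructed for illustration."""
from datetime import date
from ipaddress import ip_address, ip_network

# Services the checklist says should not be exposed through the firewall.
# 119/tcp (NNTP) and 53 (DNS) are named in the list; 161/162 udp are SNMP's
# standard ports (assumption: SNMP is running on its defaults).
WATCH_PORTS = {("tcp", 119): "NNTP", ("tcp", 53): "DNS", ("udp", 53): "DNS",
               ("udp", 161): "SNMP", ("udp", 162): "SNMP trap"}

# Constructed first-match ruleset: (action, proto, dst_port, source_cidr).
# proto "any" and port 0 are wildcards; the last rule is the default deny.
SAMPLE_RULES = [
    ("allow", "udp", 161, "10.0.0.0/8"),   # SNMP only from inside: acceptable
    ("allow", "tcp", 119, "0.0.0.0/0"),    # NNTP open to the world: item 34 violation
    ("allow", "udp", 53, "0.0.0.0/0"),     # DNS open to the world: item 43 violation
    ("deny", "any", 0, "0.0.0.0/0"),
]

def first_match(rules, proto, port, src):
    """Return the action of the first rule matching (proto, port, src); default deny."""
    for action, rproto, rport, cidr in rules:
        if (rproto in ("any", proto) and rport in (0, port)
                and ip_address(src) in ip_network(cidr)):
            return action
    return "deny"

def exposed_services(rules, outside_ip="203.0.113.7"):
    """Watched services an outside address (constructed, TEST-NET-3) can reach."""
    return {k: name for k, name in WATCH_PORTS.items()
            if first_match(rules, k[0], k[1], outside_ip) == "allow"}

# Constructed account records: (user_id, last_login or None if never used).
SAMPLE_ACCOUNTS = [("alice", date(2004, 5, 1)),
                   ("contractor7", date(2003, 11, 2)),
                   ("svc_backup", None)]
SAMPLE_TODAY = date(2004, 6, 1)

def idle_accounts(accounts, today, max_idle_days=90):
    """Item 36: user IDs with no login in max_idle_days (never-used IDs count as idle)."""
    return sorted(uid for uid, last in accounts
                  if last is None or (today - last).days > max_idle_days)

if __name__ == "__main__":
    print("exposed from outside:", exposed_services(SAMPLE_RULES))
    print("idle user IDs:", idle_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY))
```

Run against the constructed data it reports NNTP and DNS as reachable from outside while SNMP is correctly confined to the internal range, and flags the contractor and the never-used service account for review.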

