Logging Systems

Logging systems write log files that record events occurring on hosts and across a computer network. Log files give criminal investigators access to digital traces that identify attackers, their methods, and the computers used in an attack (Lalla, Flowerday, Sanyamahwe, & Tarwireyi, 2012). Data derived from log files may be used as evidence in court, provided the investigator can show that the logs were collected and preserved without alteration.


The process of finding and extracting data from log files, then modeling and evaluating the activity they record, is known as network log mining (Lalla et al., 2012). The first step is to configure network equipment to record user activity before an incident occurs; logs that were never written cannot be mined afterwards. Dedicated log servers, used solely for storing and managing logs, keep the records off the hosts whose compromise they may later have to document. When attackers access an organization's website, the configured network devices record their IP addresses, the date and time of access and the information accessed (Lalla et al., 2012). Log files can also point investigators to insider threats that cause network anomalies. Because every entry carries a timestamp, log files tie activity on the network to a specific timeframe, which is important in pinning down particular attackers. An IP address indicates the network, and often the approximate geographic location, from which a connection was made. In addition, the digital footprints left by attackers help investigators study their behavioral patterns, providing insight into the modus operandi of cyber offenders (Saxena, Singh, Thakur, & Kumar, 2012). Profiling cyber criminals in this way yields information that can be used to anticipate and catch future offenders.

However, not all information in log files is necessarily useful to criminal investigators. For instance, criminals can route their traffic through proxy servers so that the logged IP address is the proxy's rather than their own, hiding their identity (Lalla et al., 2012). This makes it harder for investigators to collect evidence suitable for prosecution.
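The following is an added example of the log mining described above; it is not code from Lalla et al. (2012) or from any product. It parses web-server access-log lines in the common Apache/Nginx "combined" format, restricts them to a time window, summarizes activity per source IP and flags sources that requested sensitive paths or generated mostly client errors. The log lines are constructed for illustration, and the sensitive-path list and flagging thresholds are assumptions, not standards.

```python
"""Network log mining over constructed web-server access-log lines.

Added example; not code from Lalla et al. (2012). The log lines are
constructed, and the thresholds in flag_suspects() are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" format:
# <ip> - <user> [<timestamp>] "<method> <path> <proto>" <status> <size> "<referer>" "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Requests a legitimate visitor of this hypothetical site would never make (assumed list).
SENSITIVE_RE = re.compile(r"(\.\./|/etc/passwd|^/admin|wp-login\.php)")

# Constructed sample: two ordinary visitors, one scanner, one corrupt line.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 403 512 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 221 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /../../etc/passwd HTTP/1.1" 400 301 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /admin/login HTTP/1.1" 401 198 "-" "curl/7.88"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:14:10:00 +0000] "POST /contact HTTP/1.1" 200 88 "-" "Mozilla/5.0"
this line is corrupt and must be reported, not silently dropped
"""


def parse_log(text):
    """Return (events, rejected_lines). A line that does not parse may be
    evidence of log damage or tampering, so it is kept for the report."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        events.append({
            "ip": m["ip"],                       # caveat: may be a proxy, not the actor
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events, rejected


def in_window(events, start, end):
    """Events with start <= ts < end; start/end are ISO-8601 strings with a UTC offset."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in events if lo <= e["ts"] < hi]


def summarize_by_ip(events):
    """Per-source counts of requests, 4xx responses and sensitive paths."""
    summary = defaultdict(lambda: {"requests": 0, "client_errors": 0,
                                   "sensitive": 0, "sensitive_paths": []})
    for e in events:
        s = summary[e["ip"]]
        s["requests"] += 1
        if 400 <= e["status"] < 500:
            s["client_errors"] += 1
        if SENSITIVE_RE.search(e["path"]):
            s["sensitive"] += 1
            s["sensitive_paths"].append(e["path"])
    return dict(summary)


def flag_suspects(summary, min_requests=3, error_ratio=0.5):
    """A source is suspect if it touched a sensitive path, or produced mostly
    4xx errors over at least min_requests requests (both thresholds assumed)."""
    suspects = []
    for ip, s in sorted(summary.items()):
        noisy = (s["requests"] >= min_requests
                 and s["client_errors"] / s["requests"] >= error_ratio)
        if s["sensitive"] or noisy:
            suspects.append(ip)
    return suspects


def triage(text=SAMPLE_LOG, start="2023-10-10T13:55:00+00:00",
           end="2023-10-10T13:56:00+00:00"):
    """Full pipeline over one time window; returns what a report would carry."""
    events, rejected = parse_log(text)
    windowed = in_window(events, start, end)
    summary = summarize_by_ip(windowed)
    return {"parsed": len(events), "rejected": rejected, "in_window": len(windowed),
            "summary": summary, "suspects": flag_suspects(summary)}


if __name__ == "__main__":
    report = triage()
    for ip in report["suspects"]:
        print(ip, report["summary"][ip]["sensitive_paths"])
    print("rejected lines:", len(report["rejected"]))
```

Two design points matter for evidential use. Lines that fail to parse are returned rather than discarded, because a gap or corrupt run in a log is itself a finding. The per-IP summary is only a lead: as the text notes, the address may belong to a proxy, and behind a reverse proxy the true client appears only in a header such as X-Forwarded-For, which should be trusted only when set by the organization's own proxy.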


Wireshark


Wireshark is a network packet analyzer: a measuring tool used to examine what is taking place in a network (Lamping, Sharpe, & Warnicke, 2014). Wireshark has a powerful display filter language that is useful to investigators. Filters let an analyst isolate the traffic of a particular host, protocol or conversation within a capture. Deciding whether that traffic is benign or malicious remains the analyst's judgment, but the filter language lets investigators zero in quickly on suspected criminal activity.


Packet marking enables an analyst to highlight packets of interest that are vital in the context of an investigation (Fletcher, 2015). While working through a capture, the investigator can mark multiple packets that point to malicious activity. After reviewing the entire timeline, the investigator can filter the view to show only the marked packets. The marked entries can then be compiled into a report that can be used as evidence in court proceedings.


Another important Wireshark feature is the option to add packet comments. Comments are usually added to marked packets to record a hypothesis to be validated as the investigation proceeds (Fletcher, 2015). Because they document the analyst's reasoning alongside the packet data, they can support a prosecutor's request for authorization to commence a full investigation of suspected cyber criminals. Packet comments are stored in the pcapng capture format; saving a commented capture in the older pcap format discards them, so the working copy of an evidentiary capture should be kept as pcapng.


It is important to note that Wireshark by itself cannot detect intrusions in a network. It is a measuring tool: it lets the investigator view and interpret packet data, but it neither manipulates traffic on the network nor offers a means of editing the captured information (Lamping et al., 2014).


Network Management System (NMS)


A Network Management System (NMS) is a combination of hardware and software that permits a system administrator to monitor specific components of a network within a broader network management framework (Bayuk, 2010). It is essential for cyber investigators to understand how data flows through an organization's private network.


Network surveillance requires the strategic placement of sensors to monitor and capture network traffic. Surveillance tools permit investigation and preservation of evidence by storing the captured traffic. Analysis of traffic and network operations can identify corrupt insiders who transmit data to external hosts. Where an attack has already happened, traffic analysis supports a reactive investigation by providing historical evidence of criminal activity (Bayuk, 2010). When a specific insider becomes a suspect, investigators should focus their surveillance tools on that suspect to gather as much forensic evidence as possible. The tools should be deployed passively, for example from a network tap or a switch mirror port, so that the suspect is not alerted to the ongoing investigation.


One form of surveillance targets data harvesting. Corrupt insiders who intentionally pass important data to outsiders mostly use their own access authorization to compile the data and copy it to their local computers. Matching file-creation times on local computers against server access logs can reveal the inside thief (Bayuk, 2010).
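The correlation just described, as an added example that is not code from Bayuk (2010): server access-log entries for classified resources are matched against file-creation records collected from user workstations, and a file the same user created shortly after accessing a sensitive resource is reported as a hit. Both record sets are constructed, the five-minute window and 30-second clock-skew allowance are assumptions, and the example assumes both sources are in the same time zone from NTP-synchronised clocks; without that, the timestamps cannot be compared.

```python
"""Matching local file-creation times against server access logs to find an
insider staging data for exfiltration.

Added example; not code from Bayuk (2010). Both record sets are constructed
and assumed to be in the same time zone from NTP-synchronised clocks.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:          # one line of a file-server / document-system access log
    user: str
    ts: datetime
    resource: str
    sensitive: bool    # classification supplied by the data owner


@dataclass(frozen=True)
class FileEvent:       # one file-creation record collected from a workstation
    host: str
    user: str
    path: str
    created: datetime


@dataclass(frozen=True)
class Hit:
    user: str
    resource: str
    host: str
    path: str
    seconds_after: int
    same_name: bool    # file name equals the accessed resource's name


def t(hh, mm, ss=0):
    return datetime(2023, 10, 10, hh, mm, ss)


# Constructed sample data.
ACCESS_LOG = [
    Access("alice", t(9, 0, 0), "HR/payroll_2023.xlsx", True),
    Access("bob",   t(9, 5, 0), "public/newsletter.pdf", False),
    Access("alice", t(9, 7, 0), "HR/salary_bands.csv", True),
    Access("carol", t(11, 0, 0), "Finance/q3_forecast.xlsx", True),
]

FILE_EVENTS = [
    FileEvent("WS-ALICE", "alice", r"C:\Users\alice\Desktop\payroll_2023.xlsx", t(9, 1, 30)),
    FileEvent("WS-BOB",   "bob",   r"C:\Users\bob\Downloads\newsletter.pdf",   t(9, 5, 40)),
    FileEvent("WS-ALICE", "alice", r"C:\Users\alice\Desktop\bands.csv",        t(9, 8, 5)),
    FileEvent("WS-CAROL", "carol", r"C:\Users\carol\Documents\notes.txt",      t(14, 0, 0)),
]


def basename(path):
    """Last path component, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(accesses, files, window_seconds=300, skew_seconds=30):
    """For every access to a sensitive resource, report files the same user
    created on a workstation within window_seconds afterwards. skew_seconds
    tolerates clock drift, so a file stamped slightly *before* the access still counts."""
    window, skew = timedelta(seconds=window_seconds), timedelta(seconds=skew_seconds)
    by_user = defaultdict(list)
    for f in files:
        by_user[f.user].append(f)
    hits = []
    for a in accesses:
        if not a.sensitive:
            continue
        for f in by_user.get(a.user, []):
            delta = f.created - a.ts
            if -skew <= delta <= window:
                hits.append(Hit(a.user, a.resource, f.host, f.path,
                                int(delta.total_seconds()),
                                basename(f.path) == basename(a.resource)))
    return hits


def rank_users(hits, min_hits=2):
    """Users with at least min_hits correlated events, most frequent first."""
    counts = Counter(h.user for h in hits)
    return [u for u, n in counts.most_common() if n >= min_hits]


if __name__ == "__main__":
    for h in correlate(ACCESS_LOG, FILE_EVENTS):
        print(f"{h.user}: {h.resource} -> {h.host}:{h.path} (+{h.seconds_after}s, same name={h.same_name})")
    print("ranked:", rank_users(correlate(ACCESS_LOG, FILE_EVENTS)))
```

A matching file name is strong corroboration, but a renamed copy (bands.csv above) still correlates on time alone, which is why the time match is the primary signal and the name is reported separately. A single hit is weak; repeated hits for one user over different sensitive resources are what justify focusing surveillance on that person.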


A disadvantage of an NMS is that the additional monitoring traffic it generates, such as polling of managed devices, consumes bandwidth on the internal network and can slow it down. When the monitoring software is hosted in a cloud-based solution rather than in-house, a loss of connectivity to the cloud also means losing access to the managed elements (Lamping et al., 2014).


Firewalls


A properly implemented firewall system is very effective at blocking unauthorized users and stopping undesirable traffic on an internal network. Firewalls form a perimeter of defense for an organization's network by intercepting and controlling the traffic that passes into its private network (Avolio, 1999). Firewalls can also produce an audit trail used to trace and study intrusions. Where a firewall enforces strong user authentication, it supports confidential communication between interconnected networks and limits the organization's exposure to attack.


Because firewalls pass only authorized communications between external and internal networks, they are often expected to provide complete network security. However, new techniques that exploit firewall weaknesses keep emerging to defeat their security features (Wason & Chandra, 2014). One such weakness is that a firewall cannot read people's minds: it can be exploited by an insider with legitimate access (Avolio, 1999). Even though firewalls log users' activities, they cannot tell whether a user has malicious intent. An outside attacker therefore only needs to obtain an insider's authentication credentials to pass through the firewall as that insider.


The partial remedy for the firewall's inability to judge intent is to add strong user authentication to its security features, so that a stolen credential alone is not enough. A username and password do not provide strong authentication, because they can be captured once and replayed indefinitely. Uniquely keyed cryptographic calculators (hardware tokens) or certificates offer stronger authentication: the value presented changes with every login, or is derived from a private key that never leaves the user's device, so a copied username and password cannot simply be relayed by an attacker (Wason & Chandra, 2014).
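To make the replay point concrete, the following added example (not code from Wason & Chandra (2014) or from any firewall product) implements the HMAC-based one-time password algorithm of RFC 4226 (HOTP), which is the kind of scheme a uniquely keyed "cryptographic calculator" runs, and contrasts a gateway that checks a static password with one that checks HOTP codes. The 20-byte key is the RFC 4226 test-vector secret, so the expected codes are the published values; the gateway classes, the look-ahead window of 3 and the scenario are illustrative assumptions.

```python
"""HMAC-based one-time codes (HOTP, RFC 4226) as the 'uniquely keyed
cryptographic calculator' a firewall can demand instead of a static password.

Added example; not from Wason & Chandra (2014) or any product. The key used
in replay_demo() is the RFC 4226 test-vector secret, so its codes are the
published values (counter 0 -> 755224, counter 1 -> 287082, ...).
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # low nibble of last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class StaticPasswordGateway:
    """What a username/password check amounts to: the same secret every time."""

    def __init__(self, password: str):
        self._password = password

    def verify(self, presented: str) -> bool:
        return hmac.compare_digest(self._password, presented)


class OtpGateway:
    """Server side of a HOTP token: accepts the next few counter values and
    advances past whatever it accepted, so an observed code is dead on arrival."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self._secret = secret
        self._look_ahead = look_ahead           # tolerate a token pressed a few times unused
        self._last_counter = -1                 # highest counter value already accepted

    def verify(self, presented: str) -> bool:
        start = self._last_counter + 1
        for c in range(start, start + self._look_ahead + 1):
            if hmac.compare_digest(hotp(self._secret, c), presented):
                self._last_counter = c          # never accept this or any earlier counter again
                return True
        return False


def replay_demo() -> dict:
    """An eavesdropper captures one login to each gateway and replays it."""
    secret = b"12345678901234567890"           # RFC 4226 test secret (constructed scenario)
    static = StaticPasswordGateway("hunter2")
    otp = OtpGateway(secret)
    captured_password = "hunter2"
    captured_code = hotp(secret, 0)            # the token's first code, seen on the wire
    return {
        "static_first": static.verify(captured_password),
        "static_replay": static.verify(captured_password),   # replay succeeds
        "otp_first": otp.verify(captured_code),
        "otp_replay": otp.verify(captured_code),             # replay rejected
        "otp_next": otp.verify(hotp(secret, 1)),             # genuine next press works
    }


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k}: {v}")
```

The code is only as strong as the key: it must be generated randomly per token and stored on the gateway with the same care as any other long-term secret, and `hmac.compare_digest` is used so that verification time does not leak how many digits matched. Certificates achieve the same replay resistance differently, by signing a fresh challenge with a private key that is never transmitted.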


Proxy Servers


A proxy server is a server that functions as an intermediary between a client computer and the servers it wants to reach. Proxy servers prevent direct connections and data transfer between a local network and a large-scale network such as the internet, for privacy and security purposes (Lambert, 2012). Without a proxy, the destination server sees the client's IP address and can record it together with the pages requested; if that server is compromised or careless, third parties may obtain this information and misuse it. With a proxy, the destination server sees the proxy's address instead, so the client's identifying information is filtered out of the requests before they reach it.


The major advantage of proxy servers is that they help users protect their private information from hackers (Lambert, 2012). For instance, an organization can use a proxy to monitor and control employees' access to outside networks, limiting the risk that a hacker reaches its private network through an employee's connection. In digital forensics, security researchers use proxies to infiltrate criminal networks and collect information while hiding their identities. A proxy can also be used to reach blocked websites. Some websites with important research content are restricted by country; by using a proxy located in that country, one can gain access to the region-restricted content.


The main disadvantage of proxy servers is that criminals can also use them to mask their online activities. Criminals usually chain several proxies together to reduce the chance of interception by the authorities (Lambert, 2012). However, many dedicated proxy providers cooperate with the authorities to identify and prosecute such criminals.


Intrusion Detection Systems: Snort


Intrusion Detection Systems (IDS) are network security tools that identify the signatures of known attacks or anomalies in the functioning of a network (Richard, 2015). Snort is one example of an IDS. Snort performs real-time traffic analysis and packet logging on IP networks. It combines protocol analysis with content search and matching to detect a variety of attacks and probes, such as stealth port scans, CGI attacks, OS fingerprinting attempts and buffer overflows. Snort can provide network forensics with three different kinds of evidence. The first is pre-generated IDS alerts, which let the investigator analyze the IDS log files. The second is a binary capture file, which can be read by Snort and run through the same detection engine to produce alerts after the fact. The third, live packet capture, can indicate whether the attack is still ongoing.


An advantage of Snort is that its detection engine uses a highly modularized design: several preprocessors normalize, filter and categorize traffic before it reaches the rule engine, and output modules log the alerts and data generated. In addition, Snort is an open source project that is simple to update (Richard, 2015). It is therefore easy to catalogue new intrusion signatures and add them to Snort's rule set, widening the range of attacks Snort can detect.


Like any other network defense application, Snort has its disadvantages. Its downside with respect to attacks on services is that a new form of attack may go undetected for some time, because it takes time for a signature for the new attack to be written and distributed across networks. Snort is also susceptible to Distributed Denial of Service attacks, since flooding the sensor with traffic can force it to drop packets it should have inspected (Richard, 2015). The remedy for these limitations is never to rely on Snort alone for network protection. Other controls, such as firewalls, integrate with Snort to provide an umbrella of protection against network-based attacks.
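The three Snort paragraphs above describe content matching, stateful preprocessing and the signature-lag problem. The following added example (not Snort code, not its rule language, and not from Richard (2015)) shows the same ideas in miniature: a list of content rules applied per packet, a stateful port-scan detector that tracks SYNs per source, and a probe that goes unnoticed until a rule for it is added. The packets, rule dicts and thresholds are constructed for illustration; real Snort rules carry many more options (flow state, offsets, pcre, thresholds) than the tiny dicts used here.

```python
"""Signature matching plus a stateful port-scan 'preprocessor', in the style
of an IDS such as Snort.

Added example; not Snort code or its rule language. Packets, rules and
thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture time, seconds
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int
    flags: str         # TCP flags, e.g. "S" (SYN), "PA" (PSH+ACK)
    payload: bytes = b""


# Content rules: every byte string in 'content' must appear in the payload.
# dport None means any port.
RULES = [
    {"msg": "WEB-CGI directory traversal", "proto": "tcp", "dport": 80,
     "content": [b"/cgi-bin/", b"../"]},
    {"msg": "SHELLCODE x86 NOP sled", "proto": "tcp", "dport": None,
     "content": [b"\x90" * 32]},
]

SAMPLE_PACKETS = [
    # ordinary browsing
    Packet(1.0, "198.51.100.4", "10.0.0.5", "tcp", 80, "S"),
    Packet(1.1, "198.51.100.4", "10.0.0.5", "tcp", 80, "PA",
           b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    # CGI traversal attempt
    Packet(2.0, "203.0.113.7", "10.0.0.5", "tcp", 80, "PA",
           b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n\r\n"),
    # buffer-overflow payload led by a NOP sled, aimed at a database port
    Packet(3.0, "203.0.113.7", "10.0.0.9", "tcp", 1433, "PA", b"\x90" * 48 + b"\xcc\xcc"),
    # anonymous FTP login: RULES has no signature for it, so it passes unnoticed
    Packet(4.0, "203.0.113.7", "10.0.0.5", "tcp", 21, "PA", b"USER anonymous\r\n"),
]
# stealth scan: SYNs to seven ports on one host within 0.6 s
SAMPLE_PACKETS += [Packet(10.0 + 0.1 * i, "203.0.113.9", "10.0.0.5", "tcp", p, "S")
                   for i, p in enumerate([21, 22, 23, 25, 80, 110, 143])]


def match_rules(pkt, rules):
    """Stateless per-packet content matching: one alert per rule that fires."""
    alerts = []
    for r in rules:
        if r["proto"] != pkt.proto:
            continue
        if r["dport"] is not None and r["dport"] != pkt.dport:
            continue
        if all(c in pkt.payload for c in r["content"]):
            alerts.append((r["msg"], pkt.src, pkt.dst, pkt.dport))
    return alerts


class PortScanDetector:
    """Stateful check: a source sending SYNs to >= min_ports distinct ports on
    one host within `window` seconds is a scanner (thresholds are assumptions)."""

    def __init__(self, min_ports=5, window=2.0):
        self.min_ports, self.window = min_ports, window
        self._recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
        self._alerted = set()               # alert once per (src, dst)

    def observe(self, pkt):
        if pkt.proto != "tcp" or pkt.flags != "S":
            return None
        key = (pkt.src, pkt.dst)
        q = self._recent[key]
        q.append((pkt.ts, pkt.dport))
        while q and pkt.ts - q[0][0] > self.window:   # expire SYNs outside the window
            q.popleft()
        if key not in self._alerted and len({p for _, p in q}) >= self.min_ports:
            self._alerted.add(key)
            return ("SCAN TCP portsweep", pkt.src, pkt.dst, None)
        return None


def run_ids(packets, rules=RULES):
    """Process packets in time order through both detectors; return all alerts."""
    scanner = PortScanDetector()
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alerts.extend(match_rules(pkt, rules))
        scan_alert = scanner.observe(pkt)
        if scan_alert:
            alerts.append(scan_alert)
    return alerts


# The signature written once the FTP probe becomes known; rules are just data.
FTP_RULE = {"msg": "FTP anonymous login", "proto": "tcp", "dport": 21,
            "content": [b"USER anonymous"]}


if __name__ == "__main__":
    for a in run_ids(SAMPLE_PACKETS):
        print("before update:", a)
    for a in run_ids(SAMPLE_PACKETS, RULES + [FTP_RULE]):
        print("after update: ", a)
```

Running the same capture twice, before and after appending `FTP_RULE`, shows both halves of the argument: the detector catches exactly what it has signatures or state for, and a probe with no signature produces no alert at all until someone writes and distributes one. The port-scan detector is the stateful part; because it keeps per-source state, a flood of spoofed SYNs is also exactly how an attacker would exhaust such a sensor, which is the denial-of-service weakness the text notes.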


References


Avolio, F. (1999). Firewalls and Internet Security, the Second Hundred (Internet) Years. The Internet Protocol Journal, 2(2). Retrieved from http://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-1/ipj-archive/article09186a00800c85ae.html


Bayuk, J. (2010). CyberForensics: Understanding Information Security Investigations. Berlin: Springer Science & Business Media.


Fletcher, D. (2015). Forensic Timeline Analysis using Wireshark. Retrieved from https://www.sans.org/reading-room/whitepapers/forensics/forensic-timeline-analysis-wireshark-giac-gcfa-gold-certification-36137


Lalla, H., Flowerday, S., Sanyamahwe, T., & Tarwireyi, P. (2012). A Log File Digital Forensic Model. In G. Peterson & S. Shenoi (Eds.), Advances in Digital Forensics VIII (pp. 247–259). International Federation for Information Processing.


Lambert, P. (2012). The Basics of Using a Proxy Server for Privacy and Security. Retrieved from http://www.techrepublic.com/blog/it-security/the-basics-of-using-a-proxy-server-for-privacy-and-security/


Lamping, U., Sharpe, R., & Warnicke, E. (2014). Wireshark User’s Guide. Retrieved from https://www.wireshark.org/download/docs/user-guide-a4.pdf


Richard, M. (2015). IDFAQ: Are there limitations of Intrusion Signatures? Retrieved from https://www.sans.org/security-resources/idfaq/are-there-limitations-of-intrusion-signatures/1/21


Saxena, M., Singh, N. K., Thakur, S. S., & Kumar, P. (2012). A Review of Computer Forensic & Logging System. International Journal of Advanced Research in Computer Science and Software Engineering, 2(1). Retrieved from https://www.ijarcsse.com/docs/papers/january2012/V2I1023.pdf


Wason, T., & Chandra, A. (2014). Firewall Technology in Network Security. International Journal of Innovative Research in Technology, 1(5). Retrieved from http://www.ijirt.org/vol1/paperpublished/IJIRT100430_PAPER.pdf
