As information systems become cheaper and cheaper, companies are rapidly automating not only their overhead processes such as purchasing, payables, hiring, and payroll, but also their value by adding processing such as marketing and sales. The result of this rush to automate and, with the explosion of the Internet. With this dependency comes a vulnerability: The ability of corporations to conduct their business is dependent on technology that was designed to be as open as possible and that only a minority of engineers and scientists understand.
When netted out, what managers need to do is create barriers that deter cyber-based or internal perpetrators from attacking their systems. The first way to do this is to analyze corporate resources for know vulnerabilities. That is, systems need to be checked that they are correctly configured and have the most up-to-date security patches in place. This is what security scanners do. Next, one needs to find out the perpetrator’s methods of operation and alert when those methods are sensed. This is what intrusion detectors do. Next, one needs a mechanism to filter out suspected malicious activity, once it is identified. This is what firewalls do. However, even with all of these systems in place, there is a vulnerability to attacks that use new or unknown methods of attack.
What current Intrusion Detection Systems (IDS) do is monitor the network and watch for specific patterns. Once a pattern is recognized, IDS can alert the systems administrator, close the connection via the firewall, or record the activity for further analysis. However, if an attacker uses a method not previously known to the IDS, it will transpire unnoticed, the corporate Web site will be defaced, employee records will be retrieved, or client lists will be extracted. When the malicious act is discovered, the question immediately comes to mind: "How did they do this?", and sometimes: "What did they do?".
Network forensics is the principle of reconstructing the activities leading to an event and determining the answer to “What did they do?” and “How did they do it?” Instead of matching observed activities on a LAN to database of known patterns of malicious intent, it records all activity on a LAN and provides centralized tools to analyze the activity in real time, for surveillance, and historically, for damage assessment and prosecution. Because the system is network-based, it is impregnable to circumvention. If a resource is accessible via a LAN for exploitation, it is observable by a network forensics agent.
A TECHNICAL APPROACH
One approach here will be to use an interactive visualization interface to drive the underlying network forensic data acquisition tools and analysis routines. The objective of the interface will be to capture the abilities of a skilled network security analyst into an intuitive and guided examination of network security events. To achieve this, you should propose to investigate different visualization techniques to model the network security data. The goal is to encapsulate these visualization techniques into modular network forensic data visualizes. In addition, you should investigate tying these data visualizers into a visual query interface that can drive the network security database backend.
For example, a prototyping vehicle to conceptualize and test these ideas is AVS/Express. AVS/Express is a multi-platform (UNIX, NT) object-oriented data visualization tool that has 2D and 3D data visualization modules; as well as, a configurable GUI interface combined with selection and picking capability to support interactive data probing and visual querying. In addition, AVS/Express will allow you to develop custom modules to interact with external data sources, databases, and analysis programs. Also, an interactive data flow process allows multiple visualization steps to be combined as a single visualization macro. The main components of a network forensic data visualizer are as follows:
When netted out, what managers need to do is create barriers that deter cyber-based or internal perpetrators from attacking their systems. The first way to do this is to analyze corporate resources for know vulnerabilities. That is, systems need to be checked that they are correctly configured and have the most up-to-date security patches in place. This is what security scanners do. Next, one needs to find out the perpetrator’s methods of operation and alert when those methods are sensed. This is what intrusion detectors do. Next, one needs a mechanism to filter out suspected malicious activity, once it is identified. This is what firewalls do. However, even with all of these systems in place, there is a vulnerability to attacks that use new or unknown methods of attack.
What current Intrusion Detection Systems (IDS) do is monitor the network and watch for specific patterns. Once a pattern is recognized, IDS can alert the systems administrator, close the connection via the firewall, or record the activity for further analysis. However, if an attacker uses a method not previously known to the IDS, it will transpire unnoticed, the corporate Web site will be defaced, employee records will be retrieved, or client lists will be extracted. When the malicious act is discovered, the question immediately comes to mind: "How did they do this?", and sometimes: "What did they do?".
Network forensics is the principle of reconstructing the activities leading to an event and determining the answer to “What did they do?” and “How did they do it?” Instead of matching observed activities on a LAN to database of known patterns of malicious intent, it records all activity on a LAN and provides centralized tools to analyze the activity in real time, for surveillance, and historically, for damage assessment and prosecution. Because the system is network-based, it is impregnable to circumvention. If a resource is accessible via a LAN for exploitation, it is observable by a network forensics agent.
A TECHNICAL APPROACH
One approach here will be to use an interactive visualization interface to drive the underlying network forensic data acquisition tools and analysis routines. The objective of the interface will be to capture the abilities of a skilled network security analyst into an intuitive and guided examination of network security events. To achieve this, you should propose to investigate different visualization techniques to model the network security data. The goal is to encapsulate these visualization techniques into modular network forensic data visualizes. In addition, you should investigate tying these data visualizers into a visual query interface that can drive the network security database backend.
For example, a prototyping vehicle to conceptualize and test these ideas is AVS/Express. AVS/Express is a multi-platform (UNIX, NT) object-oriented data visualization tool that has 2D and 3D data visualization modules; as well as, a configurable GUI interface combined with selection and picking capability to support interactive data probing and visual querying. In addition, AVS/Express will allow you to develop custom modules to interact with external data sources, databases, and analysis programs. Also, an interactive data flow process allows multiple visualization steps to be combined as a single visualization macro. The main components of a network forensic data visualizer are as follows:
- Network forensic data and database.
- Visual query interface.
- Network forensic data visualizers.
*Note: AVS/Express is Advanced Visual Systems’ new visualization development tool. It is a modular, hierarchical, open, and extensible system, with hundreds of predefined components for visualizing data.
DAMAGING COMPUTER EVIDENCE
The latter part of the 20th century was marked by the electronic transistor and the machines and ideas made possible by it. As a result, the world changed from analog to digital. Although the computer reigns supreme in the digital domain, it is not the only digital device. An entire constellation of audio, video, communications, and photographic devices are becoming so closely associated with the computer as to have converged with it.
From a law enforcement perspective, more of the information that serves as currency in the judicial process is being stored, transmitted, or processed in digital form. The connectivity resulting from a single world economy in which the companies providing goods and services are truly international has enabled criminals to act transjurisdictionally with ease. Consequently, a perpetrator may be brought to justice in one jurisdiction while the digital evidence required to successfully prosecute the case may reside only in other jurisdictions.
This situation requires that all nations have the ability to collect and preserve digital evidence without damaging it, for their own needs as well as for the potential needs of other sovereigns. Each jurisdiction has its own system of government and administration of justice, but for one country to protect itself and its citizens, it must be able to make use of undamaged evidence collected by other nations.
Though it is not reasonable to expect all nations to know about and abide by the precise laws and rules of other countries, a means that will allow the exchange of undamaged evidence must be found.
INTERNATIONAL PRINCIPLES AGAINTS DAMAGING OF COMPUTER EVIDENCE
The International Organization on Computer Evidence (IOCE) was established in 1995 to provide international law enforcement agencies a forum for the exchange of information concerning computer crime investigation and other computer-related forensic issues. Comprised of accredited government agencies involved in computer forensic investigations, IOCE identifies and discusses issues of interest to its constituents, facilitates the international dissemination of information, and develops recommendations for consideration by its member agencies. In addition to formulating computer evidence standards, IOCE develops communications services between member agencies and holds conferences geared toward the establishment of working relationships.
In response to the G-8 Communique and Action plans of 1997, IOCE was tasked with the development of international standards for the exchange and recovery of undamaged electronic evidence. Working groups in Canada, Europe, the United Kingdom, and the United States have been formed to address this standardization of computer evidence.
During the International Hi-Tech Crime and Forensics Conference (IHCFC) of October 1999, the IOCE held meetings and a workshop that reviewed the United Kingdom Good Practice Guide and the SWGDE Draft Standards. The working group proposed the following principles, which were voted on by the IOCE delegates present with unanimous approval. The international principles developed by IOCE for the standardized recovery of computer-based evidence are governed by the following attributes:
DAMAGING COMPUTER EVIDENCE
The latter part of the 20th century was marked by the electronic transistor and the machines and ideas made possible by it. As a result, the world changed from analog to digital. Although the computer reigns supreme in the digital domain, it is not the only digital device. An entire constellation of audio, video, communications, and photographic devices are becoming so closely associated with the computer as to have converged with it.
From a law enforcement perspective, more of the information that serves as currency in the judicial process is being stored, transmitted, or processed in digital form. The connectivity resulting from a single world economy in which the companies providing goods and services are truly international has enabled criminals to act transjurisdictionally with ease. Consequently, a perpetrator may be brought to justice in one jurisdiction while the digital evidence required to successfully prosecute the case may reside only in other jurisdictions.
This situation requires that all nations have the ability to collect and preserve digital evidence without damaging it, for their own needs as well as for the potential needs of other sovereigns. Each jurisdiction has its own system of government and administration of justice, but for one country to protect itself and its citizens, it must be able to make use of undamaged evidence collected by other nations.
Though it is not reasonable to expect all nations to know about and abide by the precise laws and rules of other countries, a means that will allow the exchange of undamaged evidence must be found.
INTERNATIONAL PRINCIPLES AGAINTS DAMAGING OF COMPUTER EVIDENCE
The International Organization on Computer Evidence (IOCE) was established in 1995 to provide international law enforcement agencies a forum for the exchange of information concerning computer crime investigation and other computer-related forensic issues. Comprised of accredited government agencies involved in computer forensic investigations, IOCE identifies and discusses issues of interest to its constituents, facilitates the international dissemination of information, and develops recommendations for consideration by its member agencies. In addition to formulating computer evidence standards, IOCE develops communications services between member agencies and holds conferences geared toward the establishment of working relationships.
In response to the G-8 Communique and Action plans of 1997, IOCE was tasked with the development of international standards for the exchange and recovery of undamaged electronic evidence. Working groups in Canada, Europe, the United Kingdom, and the United States have been formed to address this standardization of computer evidence.
During the International Hi-Tech Crime and Forensics Conference (IHCFC) of October 1999, the IOCE held meetings and a workshop that reviewed the United Kingdom Good Practice Guide and the SWGDE Draft Standards. The working group proposed the following principles, which were voted on by the IOCE delegates present with unanimous approval. The international principles developed by IOCE for the standardized recovery of computer-based evidence are governed by the following attributes:
- Consistency with all legal systems.
- Allowance for the use of a common language.
- Durability.
- Ability to cross international boundaries.
- Ability to instill confidence in the integrity of evidence.
- Applicability to all forensic evidence.
- Applicability at every level, including that of individual, agency, and country.
Furthermore, these international principles were presented and approved at the International Hi-Tech Crime and Forensics Conference in October 1999. They are as follows:
- Upon seizing digital evidence, actions taken should not change that evidence.
- When it is necessary for a person to access original digital evidence, that person must be forensically competent.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
So, do you have a well-documented intrusion-detection response plan? In other words, if you are attacked, do you have the documentation tools that are needed to record the attack, so that you can make the proper response?. Let's take a look. ;-)
So, do you have a well-documented intrusion-detection response plan? In other words, if you are attacked, do you have the documentation tools that are needed to record the attack, so that you can make the proper response?. Let's take a look. ;-)