Comparing and Selecting Forensic Tools, Research Paper Example

Pages: 4

Words: 1170

Research Paper

Digital Forensics

Network threats are evolving, and so are the risks associated with them. An organization must construct a security framework that addresses threats to its computer networks; highly skilled staff, records of how previous threats were handled, and incident management teams are essential parts of that framework. A distributed network can operate on a broad scale and may span many enterprise computer networks. The currently installed network security controls are bypassed by the worm because a distributed traffic anomaly is complex and too small to detect at any single point. However, many small data packets combined can have a significant impact, as they all share the same frequency and domain, which is what is happening in the current scenario. Furthermore, the third component, a network-wide correlation analysis of amplitude and frequency, can discover the overall transmission originating from the distributed networks, whereas the current controls only sense a small amount of it.

After determining the exact source of the unknown worm, the next challenge is to analyze the infected nodes within the network. Without a specialized tool, it is a daunting, almost impossible task to detect anomalies at low levels such as network ports. Pinpointing unknown threat activity within the network calls for a powerful tool, and Wireshark serves the purpose. Wireshark is a freeware tool that captures network packets and processes them to illustrate the detailed contents of each packet (Scalisi, 2010). Moreover, the tool contains numerous features that facilitate the threat detection process. The first step a network administrator takes is to identify the type of traffic or the ports that need to be targeted. The second step is to start capturing packets on all ports of all the switches (Scalisi, 2010). However, the port numbers must be adjusted. In the current scenario, all the network ports will be scanned, including the Simple Mail Transfer Protocol (SMTP) port. The tool can restrict a capture to the specific ports that need to be targeted. In a corporate network environment, however, that may not be possible, as the intrusion detection system (IDS) and firewalls may conflict with the tool. Moreover, different subnets on the network will also require complex and time-consuming configurations. Furthermore, the network administrator can always set a time limit for capturing data on a specific network port. The tool will therefore distinguish increased network activity on each port by constructing real-time statistical data, along with a report after the investigation is complete.
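The per-port statistics described above, as an added example that is not part of the original paper: packets are bucketed into time windows and each port's count is compared with its baseline rate. The capture summary is constructed in the two-field form (time since capture start, destination port) one can export from Wireshark; the window length, baseline length and spike factor are assumptions chosen for the sample.

```python
from collections import Counter, defaultdict

# Constructed capture summary (not a real trace): one packet per line as
# "seconds_since_capture_start destination_port", the two fields one can export
# from Wireshark as frame.time_relative and tcp.dstport. Port 25 is SMTP.
SAMPLE_CAPTURE = """\
0.2 443
0.9 25
2.3 80
4.1 25
5.4 443
6.8 25
8.0 80
9.6 25
10.1 25
10.2 25
10.3 25
10.4 25
10.5 25
10.6 25
10.7 25
11.0 443
12.4 25
13.8 80
"""

def port_counts_per_window(capture_text, window_seconds):
    """Bucket packets into fixed time windows; count packets per destination port in each."""
    windows = defaultdict(Counter)
    for line in capture_text.splitlines():
        if line.strip():
            t, port = line.split()
            windows[int(float(t) // window_seconds)][int(port)] += 1
    return dict(windows)

def flag_spikes(windows, baseline_windows, factor):
    """Treat the first `baseline_windows` windows as normal activity and return
    {port: [window, ...]} for later windows where a port's count is at least
    `factor` times its mean baseline rate (minimum baseline of one packet)."""
    idx = sorted(windows)
    base = idx[:baseline_windows]
    totals = Counter()
    for w in base:
        totals.update(windows[w])
    flagged = defaultdict(list)
    for w in idx[baseline_windows:]:
        for port, n in windows[w].items():
            if n >= factor * max(totals[port] / len(base), 1.0):
                flagged[port].append(w)
    return dict(flagged)
```

With 5-second windows, the first two windows as baseline and a factor of 3, only port 25 in the third window is flagged.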

Attacks are always intelligent: the hacker does not want us to track the source, so trace-back is always difficult. After completing these two tasks, the third task for the network administrator is to trace the hacker or the source of the threat. Network administrators will analyze two fields in the packet header, the time stamp and the record route. However, these fields are used by network engineers for the various routing problems that may arise. Moreover, one more challenge for network administrators is to maintain a globally synchronized clock throughout the trace-back process, as the packet may have travelled across different time zones. A methodology called packet marking will be used to eliminate these challenges: it appends fractional information about the path to the data so that a successful trace-back can be completed.

LogMiner is recommended for correcting errors efficiently and robustly in projects related to the military medical industry. It was implemented to provide two functions: mining and analyzing the redo log files created by a database powered by Oracle. In milestone one, the evaluation of the database forensic tool named LogMiner was discussed. The researchers evaluated the capability and performance of this tool in order to analyze database timelines and audit trails. The testing and evaluation of this tool concluded that it could analyze Oracle-generated redo files. The redo files contain information that contributes to file recovery or to tracking audit trails. Therefore, the following tests were conducted in order to check the integrity and accuracy of LogMiner:

  • General forensic capability
  • Accuracy level
  • Finding the source of any inaccuracy

After conducting the above-mentioned tests, all the results were successful, and hence the tool was considered an efficient product for recovering lost data from a database. Moreover, the expanded literature review and methodology confirmed its usage in different industries, including the military and hospitals. A study was conducted on synchronizing heterogeneous grid databases by utilizing ‘CONStanza’. Furthermore, another study associated with ‘LogMiner’ demonstrated how to locate archive log flow. In this study, hard drives and storage devices were examined closely.

First Step: The first step involves the collection of data from the database or any other possible location.

Second Step: The second step is preservation, i.e. replication of the data gathered in step 1. The data is then verified using the ‘MD5’ and ‘SHA-1’ algorithms.

Third Step: This step analyzes the recovered data and extracts it to the screen by filtering and searching.

Fourth Step: At the end, the FTK provides options to produce a customized report of the data recovery.
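The preservation and verification step (Second Step) as added example code, not part of the original paper and not FTK's own code: the collected data is replicated, both copies are hashed with MD5 and SHA-1, and a working copy is re-verified later, with a modified copy failing the check. The sample evidence file, its path names and the simulated modification are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for collected evidence (not a real Oracle export).
SAMPLE_EVIDENCE = b"REDO LOG EXPORT\n" + b"\n".join(
    b"row %d,UNDO_VALUE=old_%d,REDO_VALUE=new_%d" % (i, i, i) for i in range(5))

def hash_file(path, chunk_size=64 * 1024):
    """Compute MD5 and SHA-1 of a file in chunks so large images need not fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def preserve(original, replica):
    """Step 2: replicate the collected data and record the digests of the original.
    Raises if the fresh copy does not hash identically to the original."""
    shutil.copyfile(original, replica)
    expected, actual = hash_file(original), hash_file(replica)
    if expected != actual:
        raise ValueError("replica differs from original: %r != %r" % (expected, actual))
    return expected

def verify(replica, expected):
    """Re-hash a working copy and compare it with the recorded digests.
    Both must agree; a mismatch in either means the copy was altered."""
    actual = hash_file(replica)
    return {"md5_ok": actual["md5"] == expected["md5"],
            "sha1_ok": actual["sha1"] == expected["sha1"]}

def demo():
    """Run the preserve/verify cycle, then show a modified copy failing verification."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "collected.dmp")
    replica = os.path.join(workdir, "working_copy.dmp")
    with open(original, "wb") as fh:
        fh.write(SAMPLE_EVIDENCE)
    recorded = preserve(original, replica)
    intact = verify(replica, recorded)
    # Simulate an accidental change to the working copy during analysis (constructed).
    with open(replica, "ab") as fh:
        fh.write(b"\nrow 5,UNDO_VALUE=old_5,REDO_VALUE=new_5")
    tampered = verify(replica, recorded)
    shutil.rmtree(workdir)
    return recorded, intact, tampered
```

Calling demo() returns the recorded digests, a passing result for the untouched copy and a failing result for the modified one.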

The military medical program demonstrated the core concept of ‘LogMiner’ in terms of configuring it and utilizing its features within the register program (Application of LogMiner in no.1 military medical project, Chinese Medical Equipment Journal, 2008). The register program was a sub-program of the project. The errors that occurred were efficiently detected through SQL statements via the UNDO_VALUE field. After reviewing its pinpoint accuracy, LogMiner was recommended for maintenance personnel programs associated with hospital information systems (Application of LogMiner in no.1 military medical project, Chinese Medical Equipment Journal, 2008). Moreover, another study was conducted by Pucciani, Domenici, Donno, and Stockinger (2010) on the performance of synchronizing heterogeneous Grid databases using ‘CONStanza’. The study was carried out on grid computing, which is linked with high-performance computing. The grid environment is composed of many heterogeneous database management systems, which serve many administrative tasks. The study illustrated the evaluation of system components for future developments. Moreover, one more study was conducted on the utilization of ‘LogMiner’ to locate archive log flow. The researchers analyzed rapid disk space consumption without any new jobs being created. A new archive log was being generated every 60 seconds, along with a rapid increase in disk space consumption. The study concluded that the internal processes related to ‘STATSPACK’ were the source of the unnecessary archive logs; furthermore, the time intervals for STATSPACK were not configured correctly.

References

Application of LogMiner in no.1 military medical project. (2008). Chinese Medical Equipment Journal. Retrieved 6 June 2011, from http://en.cnki.com.cn/Article_en/CJFDTOTAL-YNWS200810016.htm

Scalisi, M. (2010). Analyze network problems with Wireshark. PC World, 28(4), 30.

Pucciani, G., Domenici, A., Donno, F., & Stockinger, H. (2010). A performance study on the synchronisation of heterogeneous grid databases using CONStanza. Future Generation Computer Systems, 26(6), 820-834. doi:10.1016/j.future.2010.03.001

Zonglin, L., Guangmin, H., Xingmiao, Y., & Dan, Y. (2009). Detecting distributed network traffic anomaly with network-wide correlation analysis. EURASIP Journal on Advances in Signal Processing, 1-11. doi:10.1155/2009/752818
