Individual Project 5 Network Forensic, Research Paper Example
Introduction & Statistics
Generally, the business functions and processes that exist electronically and digitally within an organization need to be protected. People who use the Internet provide a great deal of personal information online in order to bank, register, subscribe, or purchase a product or service. This personal information can be extracted in many ways and so becomes a source of vulnerability. One of the most common threats involving the misuse of personal information is Internet crime. Identity theft has gained significant attention because of a vast increase in identity-theft attacks in the USA. A survey concluded that approximately 27.3 million Americans were affected by one of the many forms of identity theft. However, the figure for the survey in 2003 was 10 million, indicating the total number of victims in 2002. Moreover, the losses caused by identity theft were calculated at nearly $48 billion for financial institutions and businesses and $5 billion for consumer victims. Furthermore, identity theft was declared the most reported crime in 2003. The report “National and State Trends in Fraud & Identity Theft”, publicized in December 2003, identified a rise in identity theft for four consecutive months. In addition, “identity theft topped the list of consumer complaints, accounting for 42 percent of all complaints lodged in the FTC’s Consumer Sentinel database (up 40% from 2002). The actual number of victims is likely to be much higher, as the FTC only reported on the number of formal complaints filed by consumers” (Identity theft – part 1 – introduction to identity theft – the police notebook).
Problem Definition
In the proposed environment, an e-commerce enabled organization receives complaints from customers about unknown orders in their accounts. Hackers gained access to user accounts created on the website and processed fake orders on several hundred accounts. Order processing was integrated with an email system, i.e. when any account holder places an order, the organization receives an email including all the details. As there was no mechanism to track emails, security specialists were not able to trace the precise location of the originator. The hacker may benefit by receiving the product via a fake order, i.e. one not known to the account holder. The product is then traded in for other products on other e-commerce websites. This is the point where a web-based intrusion investigation is triggered, and it is a daunting task without any evidence at all. In order to detect the traces, a method called log file forensics is implemented, using the Internet Information Services (IIS) logs together with SQL queries and Microsoft’s Log Parser tool. Log Parser is a powerful and robust tool that gives queries access to text-based log files as well as XML and CSV files. Moreover, the tool also supports Active Directory, the registry, the file system, critical assets and Windows platforms (Download details – microsoft download center – log parser 2.2).
The investigation focused on the organization’s critical asset, i.e. the online ordering system. Several log files configured on different IIS-based servers were extracted. The log files showed accurate dates and times but not the true IP addresses, which were anonymous because the attacker had configured a proxy server. Consequently, the log files were not up to expectations.
Log Parser Tool
In order to take the investigation to the next level, Microsoft’s Log Parser tool was selected, as the tool is designed to emphasize and contribute to email forensics investigation. Investigators examined the log files collected during the investigation. These log files include Date, Time, Client IP Address, User name, Service name, Server name, Server IP Address, Server port, Method, URI Stem, Protocol status, Win32 Status, Bytes sent, Bytes Received and Time taken.
As there are many log files, they are difficult to administer. The Log Parser tool allowed investigators to arrange them in order to search for the number of errors per hour. After the script was processed, the results consisted of a number of hits against each IP address. The results showed that the hacker had used two separate IP addresses, which were the highest in terms of the number of errors per hour. At this point the investigation had reached only a tentative conclusion, as investigators could not distinguish the hacker from these two IP addresses. However, further analysis of the log files disclosed that the hacker had first used his own IP address and, after downloading the website contents, changed his IP address and then intruded into the system. As this evidence, obtained with the Microsoft Log Parser tool, clearly exposed the activity of the hacker, no further analysis and investigation was required.
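The errors-per-hour triage described above can be reproduced with a short script. This is an added example, not code from the original paper or from Log Parser: it is written in Python rather than as a Log Parser query, and the sample log lines, the documentation-range IP addresses and the function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in IIS W3C extended format; documentation-range IPs, invented requests.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-win32-status time-taken
2011-06-30 13:01:10 198.51.100.7 GET /default.aspx 200 0 15
2011-06-30 13:02:41 203.0.113.20 GET /products.aspx 404 2 31
2011-06-30 13:02:44 203.0.113.20 GET /catalog.aspx 404 2 16
2011-06-30 13:03:02 203.0.113.20 POST /login.aspx 401 5 47
2011-06-30 13:40:19 198.51.100.7 GET /img/logo.gif 404 2 0
2011-06-30 14:05:00 192.0.2.45 POST /login.aspx 401 5 62
2011-06-30 14:05:03 192.0.2.45 POST /login.aspx 401 5 47
2011-06-30 14:05:07 192.0.2.45 POST /order.aspx 500 0 93
2011-06-30 14:05:09 192.0.2.45 POST /login.aspx 401 5 31
2011-06-30 14:06:30 192.0.2.45 POST /login.aspx 200 0 78
2011-06-30 14:07
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # may reappear mid-file with new columns
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # drop truncated or malformed rows
                yield dict(zip(fields, values))

def errors_per_hour(text, min_status=400):
    """Count responses with status >= min_status per (hour, client IP)."""
    counts = Counter()
    for row in parse_w3c(text):
        try:
            status = int(row["sc-status"])
            stamp = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            ip = row["c-ip"]
        except (KeyError, ValueError):
            continue  # a needed field was not logged, or its value is unparsable
        if status >= min_status:
            counts[(stamp.strftime("%Y-%m-%d %H:00"), ip)] += 1
    return counts

def top_offenders(text, n=2):
    """Return the n busiest (hour, client IP) buckets by error count."""
    return errors_per_hour(text).most_common(n)

if __name__ == "__main__":
    for (hour, ip), errors in top_offenders(SAMPLE_LOG):
        print(hour, ip, errors)
```

IIS writes W3C extended log times in UTC, so the hour buckets need converting before they are compared with local-time evidence such as the order emails.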
Ardilla Tool (for Preventing SQL Injection)
In order to secure the website from SQL injection attacks, investigators conducted an in-depth review of the study Automatic Creation of SQL Injection and Cross-Site Scripting Attacks. The purpose of this study was to counter SQL injection attacks with a tool called ‘Ardilla’. The tool implements a technique for PHP that is based on input generation, dynamic taint propagation, and input mutation in order to find a variant of the input that exposes a vulnerability. Taint is stored by using a novel concrete-symbolic database, so ‘Ardilla’ can effectively find the most destructive type of Web application attack, stored XSS. The study includes detection of 68 SQL injection attacks in five applications, each demonstrating a unique vulnerability, with very high accuracy and low false positives (Kieżun, Guo, Jayaraman, & Ernst, 2009).
Conclusion
The Microsoft Log Parser tool was used to organize the various log files into a workable form. The log files were located on various IIS servers in the proposed organization’s server environment. After reorganizing the log files, investigators examined the IP addresses for the number of errors per hour, because when a hacker tries to gain access to a website, the error rate is much higher than that of a normal user. At this point, investigators found two IP addresses, both with a high number of errors per hour. In order to find the original IP address, i.e. that of the hacker, they examined the headers of the log files and found dissimilarities between the two IP addresses. The original IP address was identified in the end and, consequently, the hacker was exposed. Moreover, investigators also examined a new type of attack that focuses on database hacking. This attack, known as SQL injection, was prevented by incorporating a tool called ‘Ardilla’.
References
Download details – microsoft download center – log parser 2.2 Retrieved 7/1/2011, 2011, from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24659
Forensic log parsing with microsoft’s LogParser | symantec connect community Retrieved 7/1/2011, 2011, from http://www.symantec.com/connect/articles/forensic-log-parsing-microsofts-logparser
Identity theft – part 1 – introduction to identity theft – the police notebook Retrieved 7/1/2011, 2011, from http://www.ou.edu/oupd/idtheft.htm
Kieżun, A., Guo, P. J., Jayaraman, K., & Ernst, M. D. (2009). Automatic creation of SQL injection and cross-site scripting attacks. ICSE: International Conference on Software Engineering, 199-209.