
Network Forensics Team, Research Paper Example

Research Paper

Introduction

Owing to the rise in the number of people using the internet, the number of illegal activities carried out across it has also risen. Such activities include identity theft, data theft and unauthorised access to private information. Computer forensics deals with the collection and analysis of information from computer systems, networks, storage media and streams of communication, both wired and wireless (Kessler, 2007). Network forensics deals with the capture, recording and analysis of events taking place within networks in order to produce evidential information about the source of security attacks (Sisaat & Miyamoto, 2006). With the rapid growth and use of the internet, network forensics has become an important part of computer forensics. Organisations that store and process sensitive data face the risk of data theft and leakage of sensitive information, largely because they have little visibility into the actual state of their networks. Many organisations have no well-defined security controls within their networks, and no processes to detect or mitigate data leakage and theft.

Background Information

The main tasks the network forensics team carries out fall into three categories. The first is assessing the vulnerabilities of the network: the team has to identify the risks the system is exposed to and prioritise each of them. The second is detecting security breaches and then analysing the attack, gathering evidence about the intruder and taking the necessary preventive measures. Finally, the team is responsible for managing the whole forensic procedure, carrying out forensic analysis and resolving incidents (Nelson, Phillips, Enfinger, & Steuart, 2007). To do this the team must obtain and interpret data from network traffic, identify suspicious patterns and reveal the source of the incidents. It is essential to note that files located on the victim host cannot be trusted as a source of information during this process: an attacker with control of the host may have modified or deleted them, so traffic captured independently of the host is needed to corroborate or contradict what the host reports. Monitoring and capture mechanisms are therefore crucial in resolving an incident. Most of the team's forensic work begins only after an incident has occurred, which is why the capture infrastructure has to be in place beforehand; traffic that was not recorded cannot be recovered later.

Objectives of the Project

The main objective of network forensics is to gather evidence of data theft and unauthorised data access that will stand up in a court of law. The specific objective of this project is to examine all the important features of network forensics, so that incident response methods and investigation techniques can be related to practice. We will also identify the primary concerns in conducting forensic examinations, describe the importance of network forensics, and explain the standard procedure for performing a live acquisition. Explaining the standard procedures for network forensics, describing the use of network tools, and identifying the conditions that allow network offences to occur are further objectives.

Purpose and Scope of the Project

This project is a thorough study of network forensics. It examines the steps taken in carrying out the network forensics process. It also examines ways to identify, collect and analyse network-based evidence, and issues related to network devices. Within its scope are the key aspects of network forensics, and the incident response methods and investigation techniques applied in practice. The project also discusses the different tools and techniques used to conduct network forensics, and explains the process used to perform forensic investigations involving sensitive data.

Importance of Network Forensics

Network forensics is commonly used for capturing the fingerprint of an attack and performing post-attack analysis of security exploits. With network forensics, one analyses past network traffic in order to investigate security attacks, and it becomes possible to reconstruct the sequence of events that occurred at the time of a violation. The same captured traffic also serves other purposes: improving network performance, tuning intrusion detection solutions, identifying rogue devices connecting to the network, and stopping intrusions and malware before they spread further.
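As an added illustration (this is example code written for this page, not code from the paper) of what the Background and Importance sections describe, namely obtaining data from network traffic, reconstructing the sequence of events and identifying suspicious patterns and their source: the Python script below parses a handful of constructed flow records (NetFlow/Zeek-style connection summaries; the addresses, timestamps, byte counts and the assumption that 10.0.0.0/8 is the organisation's internal network are all invented for the example), builds a per-host timeline, and flags a port sweep followed by a large outbound transfer to an external address.

```python
"""Reconstruct the sequence of events from flow records and flag suspicious patterns.

Added example; not code from the paper. The flow records are constructed to
resemble NetFlow/Zeek-style connection summaries, and 10.0.0.0/8 is assumed
to be the organisation's internal address space.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption for this example


@dataclass(frozen=True)
class Flow:
    ts: datetime      # flow start time
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int    # bytes from src to dst
    bytes_in: int     # bytes from dst to src


# Constructed records, one per line: ts src dst dport proto bytes_out bytes_in.
# 10.0.0.5 sweeps six ports on 10.0.0.20, pulls ~50 MB from it over SMB,
# then pushes ~48 MB to an external host. 10.0.0.7 is ordinary file-share use.
RAW_FLOWS = """\
2011-06-11T09:00:01 10.0.0.5 10.0.0.20 22 tcp 120 0
2011-06-11T09:00:01 10.0.0.5 10.0.0.20 23 tcp 120 0
2011-06-11T09:00:02 10.0.0.5 10.0.0.20 80 tcp 140 0
2011-06-11T09:00:02 10.0.0.5 10.0.0.20 443 tcp 140 0
2011-06-11T09:00:03 10.0.0.5 10.0.0.20 445 tcp 140 0
2011-06-11T09:00:03 10.0.0.5 10.0.0.20 3389 tcp 140 0
2011-06-11T09:01:00 10.0.0.7 10.0.0.20 445 tcp 1500 8000
2011-06-11T09:05:10 10.0.0.5 10.0.0.20 445 tcp 2048 52428800
2011-06-11T09:07:30 10.0.0.5 203.0.113.9 443 tcp 48000000 3000
"""


def parse_flows(text):
    """Parse the whitespace-separated records into Flow objects sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, b_out, b_in = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst,
                          int(dport), proto, int(b_out), int(b_in)))
    return sorted(flows, key=lambda f: f.ts)


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def detect_port_scans(flows, min_ports=5, window=timedelta(seconds=10)):
    """Return (src, dst, first_ts, ports) for every src/dst pair that touched at
    least min_ports distinct destination ports inside a sliding time window."""
    by_pair = defaultdict(list)
    for f in flows:                       # flows are already time-ordered
        by_pair[(f.src, f.dst)].append(f)
    findings = []
    for (src, dst), fl in by_pair.items():
        best, best_start, start = set(), None, 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:
                start += 1
            ports = {f.dport for f in fl[start:end + 1]}
            if len(ports) > len(best):
                best, best_start = ports, fl[start].ts
        if len(best) >= min_ports:
            findings.append((src, dst, best_start, sorted(best)))
    return findings


def detect_large_egress(flows, threshold=10_000_000):
    """Flows from an internal host to an external one carrying >= threshold bytes out."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst) and f.bytes_out >= threshold]


def timeline(flows, host):
    """Chronological one-line summary of every flow involving host."""
    return [f"{f.ts.isoformat()} {f.src} -> {f.dst}:{f.dport}/{f.proto} "
            f"out={f.bytes_out} in={f.bytes_in}"
            for f in flows if host in (f.src, f.dst)]


def incident_report(text=RAW_FLOWS):
    """Run both detectors and reconstruct a timeline for each suspect host."""
    flows = parse_flows(text)
    scans = detect_port_scans(flows)
    egress = detect_large_egress(flows)
    suspects = sorted({s[0] for s in scans} | {f.src for f in egress})
    return {"scans": scans, "egress": egress, "suspects": suspects,
            "timelines": {h: timeline(flows, h) for h in suspects}}


if __name__ == "__main__":
    report = incident_report()
    for src, dst, ts, ports in report["scans"]:
        print(f"port sweep {src} -> {dst} at {ts}: {ports}")
    for f in report["egress"]:
        print(f"large egress {f.src} -> {f.dst} ({f.bytes_out} bytes) at {f.ts}")
    for host, lines in report["timelines"].items():
        print(f"timeline for {host}:")
        print("\n".join("  " + line for line in lines))
```

The timeline is built purely from the capture, not from anything the suspect host reports about itself, which is the point made above about not trusting files on the victim host. The thresholds (five ports in ten seconds, ten megabytes outbound) are deliberately simple; in practice they are tuned against the baseline of normal traffic for the network.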

Network Forensic Tools

These are products that provide a network forensic capability. They record, store and display network data, and for this reason they work best as inline appliances, placed where they see all of the traffic of interest. Such products may also carry additional context that enables the analyst to inspect the captured data. Alongside the capture appliances, the investigator needs host-based tools to examine the endpoints involved in a suspicious exchange. Sysinternals is a set of free tools, now distributed by Microsoft, for examining Windows systems. Examples include RegMon, which shows Registry activity in real time; Process Explorer, which shows what is loaded into each process; Handle, which shows open files and the processes using them; and Filemon, which shows file system activity (RegMon and Filemon have since been superseded by Process Monitor, which combines both functions). The PsTools suite is also part of Sysinternals: PsExec runs processes remotely, PsGetSid displays security identifiers (SIDs), and PsKill kills processes by name or ID. PsList lists details about processes, PsLoggedOn shows who is logged on locally or through resource shares, and PsPasswd changes account passwords. In addition, PsService views and controls services, PsShutdown shuts down and restarts PCs, and PsSuspend suspends processes. Because tools such as PsExec, PsKill and PsPasswd change the state of the system they are run against, every use of them during an investigation should be logged, so that the investigator's own actions can later be distinguished from the attacker's.

Network Forensics Process

The network forensics process occurs in phases. The first phase is evidence extraction, in which the network is analysed to obtain information about the data theft or unauthorised access. The second phase is evidence credibility protection: all the relevant material collected in the first phase has to be stored accurately, with its integrity preserved, so that the evidence is not distorted. This stage also covers keeping the capture and analysis capability up to date with the latest methods intruders use to infiltrate networks. The third phase is attack intelligence gathering. This involves the use of network forensic tools to understand the attack and protect the network from further damage. Forensic experts determine the source of the attack and set measures to safeguard the system from further attacks. It is during this stage that live acquisitions are performed.

Live acquisitions are useful when dealing with active network intrusions or attacks. Performing a live acquisition before taking a system offline is becoming a necessity, because some attacks leave footprints only in running processes, open network connections and RAM, all of which are lost when the system is powered down. Live acquisitions do not follow the typical forensic procedure of imaging a static system and then analysing the image: collection happens on a running machine whose state the investigator's own tools alter, so the order of collection (most volatile data first) and every command run must be documented. The final phase is forensic follow-up, which involves setting up control policies within the network and implementing them.
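The evidence credibility protection phase and the live acquisition step above both come down to being able to prove later that what is presented is what was collected. The Python script below is an added example (not the paper's own method) of one way to do that: each acquired artefact is hashed with SHA-256, the entries are chained so that removing, inserting or reordering an artefact is detectable, and the chain head is sealed with an HMAC under a key the investigator keeps apart from the evidence store. The artefacts, collector name and key are constructed for the demonstration; in practice the artefacts would be the capture files, flow exports and volatile-data dumps from the acquisition.

```python
"""Protect the credibility of acquired evidence with per-file hashes, a hash
chain over the manifest, and an HMAC seal on the chain head.

Added example, not from the paper. The artefacts below are constructed byte
strings standing in for real capture files; the collector name and key are
assumptions for the demonstration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-ins for acquired evidence (a pcap, a connection log,
# and the netstat output from a live acquisition).
ARTEFACTS = {
    "span1.pcap": b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 56,
    "conn.log": b"ts\torig_h\tresp_h\n1307779201\t10.0.0.5\t10.0.0.20\n",
    "volatile-netstat.txt": b"tcp 10.0.0.5:49152 203.0.113.9:443 ESTABLISHED\n",
}
GENESIS = "0" * 64   # previous-link value for the first entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def chain_link(prev, name, digest):
    """Link value binding an entry to everything recorded before it."""
    return sha256_hex(f"{prev}|{name}|{digest}".encode())


def build_manifest(artefacts, collector, key, acquired_at=None):
    """Hash every artefact, chain the entries, and seal the head with an HMAC."""
    entries, prev = [], GENESIS
    for name in sorted(artefacts):          # fixed order makes the chain reproducible
        digest = sha256_hex(artefacts[name])
        link = chain_link(prev, name, digest)
        entries.append({"name": name, "size": len(artefacts[name]),
                        "sha256": digest, "prev": prev, "link": link})
        prev = link
    manifest = {
        "collector": collector,
        "acquired_at": acquired_at or datetime.now(timezone.utc).isoformat(),
        "entries": entries,
        "head": prev,
    }
    manifest["seal"] = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return manifest


def verify_manifest(manifest, artefacts, key):
    """Recompute every hash and link and check the seal.
    Returns (ok, problems) where problems lists each inconsistency found."""
    problems, prev = [], GENESIS
    for e in manifest["entries"]:
        data = artefacts.get(e["name"])
        if data is None:
            problems.append(f"missing artefact: {e['name']}")
        elif sha256_hex(data) != e["sha256"]:
            problems.append(f"content changed: {e['name']}")
        # The link is recomputed from the stored digest so a content change and
        # a manifest edit are reported separately.
        if e["prev"] != prev or e["link"] != chain_link(prev, e["name"], e["sha256"]):
            problems.append(f"chain broken at: {e['name']}")
        prev = e["link"]
    if manifest["head"] != prev:
        problems.append("chain head mismatch")
    expected = hmac.new(key, manifest["head"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["seal"]):
        problems.append("seal invalid")
    return (not problems, problems)


if __name__ == "__main__":
    key = b"example-sealing-key"   # assumption: a real key is kept off the evidence store
    manifest = build_manifest(ARTEFACTS, "analyst-1", key)
    print(json.dumps(manifest, indent=2))
    print(verify_manifest(manifest, ARTEFACTS, key))
```

The manifest itself is plain JSON and can be stored beside the evidence; only the key needs to be protected. Anyone with the artefacts and the manifest can check the hashes and the chain, while the seal can be checked only by a holder of the key, which is what ties the record to the collector.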

Network forensic analysis is an expensive process: it is largely manual, it consumes a great deal of an individual's time, and it requires a team of forensic investigators to carry out the procedures. Another limitation that prevents many organisations from practising network forensics is that current network forensic systems and tools have limited capabilities.

Implementation plan / Control Policies

An effective information security programme needs policies and procedures to support the management of information risks. That is to say, there has to be an action plan that defines security and forensic policies. Technical controls and tools within the network should provide automatic implementation, enablement, enforcement and monitoring of the laid-down policies and procedures. In order to achieve compliance with the applicable regulations, organisations must examine both successful and unsuccessful attempts to access their computer systems. Organisations that follow such policies and regulations end up with well-organised, cost-effective operational tools for managing information within their network. As the tasks performed by IT risk management become more vital, the number of solutions on offer increases; these solutions come at a range of prices, depending on the regulations they must satisfy, and aim to ensure that the network's information is secure.

A security centre is vital for every organisation. It acts as a resource centre, and it assists the organisation in collecting appropriate network event data and maintaining it in a form that can readily be used for analysis and reporting during audits, security events or forensic investigations. The security centre helps to ensure that rules safeguard sensitive data and audit records, so that only authorised persons access the data. Finally, the security centre establishes a baseline of normal network and system activity for the managed computing environment, against which anomalies can be recognised.

Several actions need to be put in place for proper implementation of the programme and to achieve effective results. These measures need to be laid down by the forensic team and their effectiveness analysed. First, the team needs to aggregate and normalise event data from diverse network components, security devices and application servers into usable information. The team also needs to analyse and correlate information from the various network tools to recognise attacks immediately and respond quickly to intrusions. Conducting forensic examination of historical or real-time events through visualisation and replay of events is also a key practice. The team should create customised report formats that adhere to compliance regulations. There is also a need to increase the value and performance of existing security devices by providing a consolidated event management and analysis platform. Finally, the team should improve efficiency by helping IT risk management staff focus on the events that are vital.
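As an added example (not the paper's own code) of the first two actions above, aggregating and normalising event data from diverse sources and then correlating it to recognise an attack: the Python script below takes constructed log lines in three formats (iptables-style firewall syslog, Snort "fast" alert output and OpenSSH authentication messages; the addresses, the signature text, the host-to-IP mapping and the assumed year 2011 are all invented for the example), maps them onto one event schema, and runs two correlation rules over the result: a brute-force rule that fires when a successful login follows several failures from the same address, and a cross-source rule that fires when the same address is seen by several sensors within a short window.

```python
"""Normalise events from several log sources into one schema and correlate them.

Added example, not from the paper. The log lines are constructed; their formats
mimic iptables-style syslog, Snort "fast" alerts and OpenSSH auth messages.
Syslog lines carry no year, so 2011 is assumed. The host-to-IP map is also an
assumption for the demonstration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ASSUMED_YEAR = 2011
HOST_IPS = {"srv20": "10.0.0.20"}   # assumption: resolves log hostnames to addresses

# Constructed sample logs from three sensors.
FIREWALL_LOG = [
    "Jun 11 09:00:01 fw1 kernel: DENY IN=eth0 SRC=198.51.100.23 DST=10.0.0.20 PROTO=TCP DPT=22",
    "Jun 11 09:00:02 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=10.0.0.20 PROTO=TCP DPT=22",
]
IDS_LOG = [
    "06/11-09:00:05.123456  [**] [1:1000001:1] Constructed SSH scan signature [**] "
    "[Priority: 2] {TCP} 198.51.100.23:51000 -> 10.0.0.20:22",
]
AUTH_LOG = [
    "Jun 11 09:00:10 srv20 sshd[4521]: Failed password for root from 198.51.100.23 port 51002 ssh2",
    "Jun 11 09:00:12 srv20 sshd[4521]: Failed password for root from 198.51.100.23 port 51003 ssh2",
    "Jun 11 09:00:14 srv20 sshd[4523]: Failed password for admin from 198.51.100.23 port 51004 ssh2",
    "Jun 11 09:00:20 srv20 sshd[4525]: Accepted password for admin from 198.51.100.23 port 51006 ssh2",
    "Jun 11 09:10:00 srv20 sshd[4600]: Accepted publickey for deploy from 10.0.0.7 port 40000 ssh2",
]


@dataclass
class Event:
    """Common schema every source is mapped onto."""
    ts: datetime
    source: str      # which sensor produced it: firewall | ids | auth
    src_ip: str
    dst_ip: str
    action: str      # deny | accept | alert | auth_fail | auth_ok
    detail: str


_SYSLOG_TS = r"(?P<mon>\w{3}) (?P<day> ?\d{1,2}) (?P<time>\d\d:\d\d:\d\d)"
FW_RE = re.compile(_SYSLOG_TS + r" \S+ kernel: (?P<action>DENY|ACCEPT) .*SRC=(?P<src>\S+) "
                   r"DST=(?P<dst>\S+).*DPT=(?P<dpt>\d+)")
IDS_RE = re.compile(r"(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] "
                    r"(?P<msg>.*?) \[\*\*\].*\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")
AUTH_RE = re.compile(_SYSLOG_TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def _syslog_ts(m):
    return datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day'].strip()} {m['time']}",
                             "%Y %b %d %H:%M:%S")


def parse_firewall(line):
    m = FW_RE.match(line)
    return m and Event(_syslog_ts(m), "firewall", m["src"], m["dst"],
                       m["action"].lower(), f"dpt={m['dpt']}")


def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']}/{m['day']} {m['time']}", "%Y %m/%d %H:%M:%S")
    return Event(ts, "ids", m["src"], m["dst"], "alert", m["msg"])


def parse_auth(line):
    m = AUTH_RE.match(line)
    return m and Event(_syslog_ts(m), "auth", m["src"], HOST_IPS.get(m["host"], m["host"]),
                       "auth_ok" if m["result"] == "Accepted" else "auth_fail", f"user={m['user']}")


def normalize_all(firewall=FIREWALL_LOG, ids=IDS_LOG, auth=AUTH_LOG):
    """Aggregate all sources into one time-ordered list of Events."""
    events = []
    for parser, lines in ((parse_firewall, firewall), (parse_ids, ids), (parse_auth, auth)):
        events.extend(e for e in map(parser, lines) if e)
    return sorted(events, key=lambda e: e.ts)


def detect_bruteforce(events, min_failures=3, window=timedelta(seconds=60)):
    """Success preceded by >= min_failures failures from the same address within window."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "auth_fail":
            failures[e.src_ip].append(e.ts)
        elif e.action == "auth_ok":
            recent = [t for t in failures[e.src_ip] if e.ts - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"src_ip": e.src_ip, "host": e.dst_ip, "failures": len(recent),
                               "success_at": e.ts, "detail": e.detail})
    return alerts


def correlate_sources(events, window=timedelta(minutes=5), min_sources=2):
    """Addresses reported by at least min_sources different sensors within window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            sources = {e.source for e in evs[i:] if e.ts - first.ts <= window}
            if len(sources) >= min_sources:
                hits[ip] = sorted(sources)
                break
    return hits


if __name__ == "__main__":
    evs = normalize_all()
    for e in evs:
        print(e)
    print("brute force:", detect_bruteforce(evs))
    print("multi-sensor:", correlate_sources(evs))
```

Neither rule is conclusive on its own; the value of normalisation is that the firewall, IDS and host logs end up in one list where the same source address can be followed across all three, which is what lets the team recognise the intrusion quickly rather than reading each log separately.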

Conclusion

Network forensics is a powerful tool for unravelling the mysteries present within a network. It is crucial to set up a network forensic tool within the organisation's network; which tool is applied varies according to the organisation's needs. It is important for forensic experts to analyse data and capture network traffic at crucial network points, such as the internet border and the boundaries between internal segments. Capturing at these points, rather than polling every device, helps minimise the traffic load on the network that polling would create. Organisations should store captured data in a common searchable format, which enables them to find the data they are looking for quickly and accurately, and they should provide users with both simple and complex filters for mining the data.

Network forensics tracks down both internal and external network interference. The network should therefore be hardened by applying a layered defence to the network architecture. Live acquisitions are necessary to recover volatile items. Standard procedures are essential in determining the way forward after a network security event occurs. One becomes familiar with the normal traffic pattern on the network by tracking network logs. The same network tools that let defenders monitor traffic are also available to intruders, so investigators should assume their own techniques are known to the attacker. Bootable Linux CDs, such as Knoppix STD and Helix, allow an investigator to examine Linux and Windows systems without altering the installed operating system. The Honeynet Project, likewise, is designed to help people learn the latest intrusion techniques that attackers are using.

References

Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2007). Guide to Computer Forensics and Investigations. Course Technology.

Caballero, A., & Fidge, S. (n.d.). Network Forensics: SIEM, the Investigations Triad, and SANS Top-20 Vulnerabilities.

Meghanathan, N., Allam, S. R., & Moore, L. A. (2009). "Tools and Techniques for Network Forensics." International Journal of Network Security & Its Applications, 1(1). Department of Computer Science, Jackson State University, Jackson, MS 39217, USA. Retrieved 11 June 2011 from http://airccse.org/journal/nsa/0409s2.pdf

Kessler, G. (2007). "Online Education in Computer and Digital Forensics." Proceedings of the 40th Hawaii International Conference on System Sciences.

Sisaat, K., & Miyamoto, D. (2006). "Source Address Validation Support for Network Forensics." Proceedings of the 1st Joint Workshop on Information Security, September 2006.

Qureshi, A. (2009). "Network Forensic Analysis." SANS Institute InfoSec Reading Room.

Decision Group. (2009). "Network Forensics." Retrieved 11 June 2011 from http://www.decision-groups.com/NETWORK_FORENSICS.html
