Computer forensics is the field of computer investigation and analysis carried out to produce evidence that can stand up in legal proceedings. Such evidence is required in computer crime cases. Computer specialists can draw on a range of methods for locating data that exists in a system and for recovering deleted, damaged or encrypted file information. Any information obtained in this way may also help while an attack is being handled.
Computer forensics helps ensure the overall integrity and survivability of your network infrastructure. Two types of data are collected in computer forensics. Persistent data is stored on a local hard drive (or another medium) and is preserved when the computer is turned off. Volatile data is stored in memory and is lost when the computer loses power or is turned off; it exists in cache and RAM. Since volatile data lasts only for a limited time, an investigator needs to know reliable ways to capture it.
Common computer forensics cases include internet misuse, pornography in the workplace, illegal downloads, email analysis, data recovery, spyware analysis, IP theft, virus/malware infection, fraud, and spoofed and threatening emails.
Ref:
http://www.computerforensics.net/forensics.htm
http://www.data-forensics.co.uk/articles/live_data_forensics.aspx
Techniques
Cross-drive analysis: A forensic technique that correlates information found on multiple hard drives. The technique has been researched for several years and can be used to identify social networks and to perform anomaly detection.
Live analysis: The examination of systems from within the running OS, using custom software tools to extract evidence. This is useful when dealing with encrypted file systems; in some instances the hard disk volume is imaged while the system is running (known as a live acquisition) before the computer is turned off.
Deleted files: A common computer forensics technique is the recovery of deleted files. Most modern forensic software includes its own tools for recovering deleted data.
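Recovery of deleted files often relies on carving: scanning raw disk data for known file headers and footers without consulting the file system, so content in unallocated space is found even after its directory entry is gone. The following is an added example of that technique, not code from the original essay or from any forensic product; the signature table and the sample "disk" bytes are constructed for the demonstration.

```python
"""Signature-based file carving: recover deleted files from raw disk data by
scanning for known headers and footers, ignoring the file system entirely."""

# Header/footer byte signatures for two common file types (constructed subset).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (type, offset, data) for every header that has a matching footer
    within max_size bytes; headers with no footer (truncated files) are skipped."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = image.find(header, pos + 1)  # truncated: move past it
                continue
            end += len(footer)
            found.append((ftype, pos, image[pos:end]))
            pos = image.find(header, end)
    found.sort(key=lambda f: f[1])  # report in on-disk order
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: a JPEG and a PNG fragment
    surrounded by filler bytes, plus a JPEG header with no footer at the end."""
    jpg = SIGNATURES["jpg"][0] + b"\x00" * 40 + b"jpegbody" + SIGNATURES["jpg"][1]
    png = SIGNATURES["png"][0] + b"\x00" * 20 + b"pngbody" + SIGNATURES["png"][1]
    filler = b"\x5a" * 64
    return filler + jpg + filler + png + filler + SIGNATURES["jpg"][0] + filler


if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

Real carvers add per-type size limits and content validation because a footer sequence can occur by chance inside unrelated data; the truncated header at the end of the sample shows the simplest such failure mode being skipped rather than producing a bogus file.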
Documenting the incident:
Documenting the scene creates a permanent record of the investigation. It is done so that the location and state of computers, storage media, other electronic devices and conventional evidence can be recorded exactly.
Documentation of the scene should be generated and maintained in compliance with your organizational policy.
Overall conditions and all evidence should be documented in detail.
Ref:
http://library.thinkquest.org/04oct/00206/index1.htm
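The documentation record described above, and the earlier point that volatile data can be captured only once, both come down to recording each acquired item's state together with a hash that lets anyone later prove the stored copy is unchanged. Below is an added example of such an evidence log in Python; it is not from the original essay or any forensic toolkit, and the item names, locations, examiner label and file contents are constructed sample data.

```python
"""Evidence log entries with SHA-256 integrity hashes (constructed example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def document_item(path, description, location, examiner, volatile=False):
    """One log entry: what, where, who, when and the hash of the saved copy.
    Volatile captures are flagged because the live source cannot be re-read."""
    return {
        "path": path, "description": description, "location": location,
        "examiner": examiner, "volatile": volatile,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_of(path),
    }

def verify_item(record) -> bool:
    """True if the stored copy still hashes to the value recorded at acquisition."""
    return sha256_of(record["path"]) == record["sha256"]

def demo():
    """Constructed sample: a RAM capture and a disk image, then a tampered copy."""
    d = tempfile.mkdtemp()
    mem, disk = os.path.join(d, "ws-042-memory.raw"), os.path.join(d, "ws-042-sda.dd")
    with open(mem, "wb") as f:
        f.write(b"RAMDUMP" * 1000)
    with open(disk, "wb") as f:
        f.write(b"DISK" * 4096)
    log = [
        document_item(mem, "RAM capture taken before shutdown", "Room 3, desk 2",
                      "examiner A", volatile=True),
        document_item(disk, "full image of /dev/sda", "Room 3, desk 2", "examiner A"),
    ]
    intact_before = all(verify_item(r) for r in log)
    with open(disk, "ab") as f:
        f.write(b"X")  # simulate the copy being modified after documentation
    intact_after = [verify_item(r) for r in log]
    with open(os.path.join(d, "evidence_log.json"), "w") as f:
        json.dump(log, f, indent=2)  # the permanent, human-readable record
    return log, intact_before, intact_after
```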
Incident Handling:
Incident handling refers to the response that a person or organization takes to an attack that has occurred. A careful and strategic response to an incident leads to partial or complete recovery; without it, an incident may become a major disaster.
The following sequence of steps should be performed in the case of any type of attack:
1) Preparation
In order to reduce the possible damage from an attack, some preparation is necessary. These practices include making backup copies of all key data on a regular basis, monitoring and updating software on a regular basis, and creating and applying a documented security policy. It is also very important to keep anti-virus software updated so that system protection stays current.
Patch Management:
Many information security experts agree that a large percentage of incidents involve exploitation of a relatively small number of vulnerabilities in systems and applications. So patch management and updating software on a regular basis is a must for any organization.
Host Security:
All hosts should be hardened appropriately. Besides keeping each host properly patched, hosts should be configured to provide only the minimum services to only the appropriate users and hosts, following the principle of least privilege. Warning banners should be displayed whenever a user attempts to gain access to a secured resource. Hosts should have auditing enabled and should log significant security-related events. Many organizations use operating system and application configuration guides to assist administrators in securing hosts consistently and effectively.
Network Security:
The network perimeter should be configured to deny all activity that is not expressly permitted. Only activity necessary for the proper functioning of the organization should be permitted. This includes securing all connection points, such as modems, virtual private networks (VPNs), and dedicated connections to other organizations.
Malicious Code Prevention:
Software to detect and stop malicious code, such as viruses, worms, Trojan horses, and malicious mobile code, should be deployed throughout the organization. Malicious code protection should be deployed at the host level (e.g., server and workstation operating systems), the application server level (e.g., email server, Web proxies), and the application client level (e.g., email clients, instant messaging clients).
User Awareness and Training:
Users should be made aware of policies and procedures regarding appropriate use of networks, systems, and applications. Applicable lessons learned from previous incidents should also be shared with users so they can see how their actions could affect the organization. Improving user awareness regarding incidents should reduce the frequency of incidents, particularly those involving malicious code and violations of acceptable use policies. Information technology (IT) staff should be trained so that they can maintain their networks, systems, and applications in accordance with the organization's security standards.
Ref:
http://www.cwu.edu/~networks/intrusion_detection1.html#3
2) Detection and Analysis
While research is very important for minimizing the effects of an attack, the first post-attack step in incident handling is the identification of an incident. Identification becomes harder as the complexity of the attack grows, and several features of an attack must be identified before it can be properly contained.
Incident Categories
Incidents can take place in countless ways, so it is impractical to develop comprehensive procedures with step-by-step instructions for handling each and every incident. The best an organization can do is to prepare generally to handle any type of incident and, more particularly, to handle the common incident types.
Denial of Service:
An attack that prevents or damages the authorized use of networks, systems or applications by exhausting resources.
Malicious Code:
A virus, Trojan horse, worm or other code-based malicious entity that successfully infects a host.
Unauthorized Access:
A person achieves logical or physical access without permission to a network, application, system, data, or other IT resource.
Inappropriate Usage:
A person violates the acceptable use policies of any network or computer.
Multiple Components:
A single incident that encompasses two or more incidents.
3) Containment of Attack
After an attack has been identified, steps must be taken to reduce its effects. Containment allows the administrator to protect other systems and networks from the attack and to limit the damage. After the attack has been contained, the next phases are recovery and analysis.
It is important to contain an incident as soon as it has been detected and analyzed, before it spreads, overwhelms resources or increases the damage. Most incidents require containment, so it is important to think about it early in the course of handling each incident.
Criteria for determining the appropriate containment strategy include:
Potential damage to and theft of resources
Need for evidence preservation
Service availability
Time and resources needed to implement the strategy
Effectiveness of the strategy
Duration of the solution
4) Recovery
The recovery phase allows the administrators to assess what loss has occurred and the post-attack status of the system. Once it is certain that the attack has been contained, it is helpful to carry out an analysis of the attack. The analysis phase allows the administrators to determine the cause of the attack, whether it succeeded, and the best course of action to protect against future attacks.
After an incident has been contained, eradication is required to eliminate the components of the incident, for example by removing malicious code and disabling breached user accounts.
Ref:
http://www.symantec.com/connect/articles/introduction-incident-handling
http://www.bankinfosecurity.com/articles.php?art_id=1724&pg=2
Computer forensic methods such as cross-drive analysis and live analysis are used to find the traces of an attack. A reasonable hypothesis about the attack is formed from the traces obtained, and the necessary measures are then taken to stop the attack from causing further damage to the system.
Preventive measures such as patch management, host security and anti-virus protection are highly recommended. Efficient incident handling mechanisms at the time of an attack greatly reduce its impact. Any data lost or modified during the attack should be recovered.
Conclusion:
Computer forensic techniques are used to detect anomalies in the system, and the incident handling steps are then used to handle the scenario: eradicating the vulnerabilities and malware from the system and recovering all the valuable data that was damaged in the process.