CSEC 650 Individual Assignment 1

July 22, 2017 | Author: Ambika Sample | Category: Cybersecurity



CSEC650





Forensic Analysis Process
Individual Assignment #1

Ambika Sample
3/12/2015




Table of Contents

Abstract
Introduction
System Layers
System Layer: Operating System
System Layer: Data Files
System Layer: Network Traffic
System Layer: Applications
Conclusion





Abstract

This paper discusses the system layers that should be examined in a forensic investigation of cyber-attacks on a network, malicious software installation, and insider attacks. There are many system and network layers an investigator can sort through to gather data for a case, but this paper focuses on four layers common to the operating systems and media devices in use today. It remains up to the forensic investigator to sift through the system and determine what is needed as evidence. When a cyber-attack occurs, a forensic analyst has to trace the events of the attack from start to finish, so all four layers come into play: the operating system, the data files on the system, the network traffic, and the system applications are each dissected for potential evidence of the attack.

Introduction

Before digital forensics became as complex and advanced as modern devices have made it, forensic examiners dealt with only a handful of digital device types. In those days only the computer's hard drive or its floppy disks were evaluated for potential evidence. Cases were simple and straightforward, and there was little need to gather large amounts of information to enter into evidence. With the spread of smartphones, tablets, laptops, and similar devices, the investigation process has become broader and more complex.

New and faster technology is introduced every day, and there is now a multitude of storage and media devices that give forensic examiners more ways of capturing, documenting, and storing evidence. Before these enhancements, examiners had to capture information onto magnetic storage media. Now optical media such as BD, DVD, and CD are available, as are flash storage devices such as the SD cards found in almost all media devices. The old way of gathering information from a computer was to pull the drive, bring it to the lab, and analyze it there. The newer process relies more on computer technology itself for gathering, transferring, and processing the evidence, and is less tedious. The drawback of relying strictly on the computer is that evidence is now processed and transferred over a network, which can be compromised at any time; sending and receiving incriminating material needed as evidence has therefore made the examiner's work more complex. Evidence moved over a network should be hashed before and after transfer and sent over an encrypted, authenticated channel so that its integrity can later be demonstrated.
In the current era nearly everyone has a smartphone, tablet, or some other device. The everyday consumer who buys a computer, laptop, smartphone, or tablet now gets a faster hard drive, optical media, or flash storage, which allows data to be downloaded for operational purposes, saved, or transferred to other media. With the volume of data that can be stored across different devices, and even hidden inside digital images through steganography, it is harder for forensic examiners to retrieve information that may be needed as criminal evidence. Because devices hold so much data, investigators must ask how secure the data is and how to extract it without compromising the evidence.






A forensic investigator's job is to analyze and gather information from a computer so that it can be processed as evidence; if the computer or network was hacked, the investigator must also gather information about that crime. The initial step is to obtain the data stored on a specific device and extract the information. Next the investigator determines which tools to use to extract it; the choice is driven by the case being evaluated, and other techniques are available as well. As the investigation proceeds, different tools and techniques are used in the analysis stage: for example, an investigator would use several tools to determine how a network intrusion transpired, what malware was installed and how, and which files an insider deleted. Once the data is gathered from each source, the investigator has to dissect it and determine its evidentiary value.

System Layers
Forensic investigators need to fully understand the premise of an investigation, the four major layers of a system, and how they work. The four data layers of a system are network traffic, data files, system applications, and the operating system. Each layer has its own components and procedures for beginning the examination and carrying the analysis through successfully. Examiners should have substantial knowledge of networks and of the security regulations governing how inbound and outbound network traffic may be monitored and captured. They also need to reach logical conclusions throughout the investigation. More often than not, investigators combine more than one system layer to gather the evidence for a case.

System Layer – Operating Systems
Data removed from a system can sometimes be of no value to an investigation. Operating systems control the inner workings of how a system functions on a network, so if the system crashes, vital data can be lost unless it was stored correctly, and if the database where information is stored is corrupted, everything is lost. Relying only on the operating system for information can therefore make an investigation difficult. Within the operating system there is software that stores diverse files containing system logs, passwords (normally as hashes), system configurations, and so on. From these, examiners can access potential evidence that shows malware being installed, as well as logs showing deletion of insider files, such as audit logs, system event logs, or system history logs. If malware is detected on a system, investigators need to acquire those system event logs with their forensic tools, copying them to forensically sound media (historically CD-ROM or floppy disk; today a write-blocked image or write-once media) and hashing the copies so that their integrity can be shown later.
Another issue investigators may encounter when trying to access data from a system is password protection. If a system is password protected, the investigator may have to run password-cracking software against the password hashes recovered from an image, or obtain administrative (root) access by other means; altering the live system to get in, however, risks losing or changing data. Modification of log files is another problem: if a user modifies or deletes files, evidence that would have been useful may be rendered worthless or lost. Logs from security applications and network intrusion detection systems are further sources for collecting data about malicious activity on a system or network.
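The hashing step above is what lets an examiner prove later that an acquired log was not modified after collection. The following is an added example written for this page, not code from the paper: it builds a SHA-256 manifest for acquired files, then re-verifies it after one file has been edited. The file names and log lines are constructed sample data, and the manifest layout (one "<sha256>  <path>" line per file, the format `sha256sum` prints) is an assumption chosen so the manifest can also be checked with `sha256sum -c`.

```python
"""Added example: SHA-256 manifest for acquired log files (not the paper's code).

Constructed sample data; the manifest format is an assumption (sha256sum style).
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Return manifest text for the given files, sorted so output is reproducible."""
    lines = [f"{sha256_file(p)}  {p}" for p in sorted(paths)]
    return "\n".join(lines) + "\n"


def verify_manifest(manifest_text):
    """Re-hash every file named in the manifest.

    Returns {path: 'OK' | 'FAILED' | 'MISSING'}; 'FAILED' means the content
    changed since acquisition, 'MISSING' that the file is gone.
    """
    results = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        if not os.path.exists(path):
            results[path] = "MISSING"
        else:
            results[path] = "OK" if sha256_file(path) == digest else "FAILED"
    return results


def demo():
    """Acquire two constructed log files, record a manifest, then show that a
    later edit to one of them is detected.  Returns (results_before, results_after)
    keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        auth = os.path.join(d, "auth.log")
        audit = os.path.join(d, "audit.log")
        # Constructed sample log lines, not taken from any real system.
        with open(auth, "w") as f:
            f.write("Mar 12 09:01:02 host sshd[411]: Accepted password for alice "
                    "from 10.0.0.5 port 50022 ssh2\n")
        with open(audit, "w") as f:
            f.write('type=SYSCALL msg=audit(1426150862.101:77): syscall=87 '
                    'success=yes exe="/bin/rm"\n')
        manifest = build_manifest([auth, audit])
        before = verify_manifest(manifest)
        # Simulate someone appending to the log after it was acquired.
        with open(auth, "a") as f:
            f.write("Mar 12 09:05:00 host sshd[411]: Accepted password for bob "
                    "from 10.0.0.9 port 50030 ssh2\n")
        after = verify_manifest(manifest)
        short = lambda r: {os.path.basename(k): v for k, v in r.items()}
        return short(before), short(after)


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be stored separately from the evidence (and ideally signed or recorded in the case notes), since a manifest kept beside the files can be regenerated by whoever altered them.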

System Layer – Data Files
On each system layer there are data files, stored on the system or within applications, that are very useful in a forensic case involving a malicious threat; data therefore needs to be gathered about any network intrusion, insider deletion, or malware installation. Files on a system are generally named for the information stored within them, and there are many categories of media on which a file may reside: DVD, Zip disk, flash drive, CD-ROM, backup tape, and floppy disk, among others. Storage media can be helpful or detrimental to a forensic examiner. A large number of the storage devices on the market are also used for malicious purposes and profit. For example, smartphones come equipped with an SD card to store files. In a case that requires an investigator to extract text or email messages that were deleted from the phone, the data may still be present on the SD card, where deletion usually removes only the directory entry, and the investigator can often recover it.
An SD card also offers an advantage to an investigator because cards are produced in huge quantities and almost every consumer has one. During an investigation the analyst will find that malware is easily implanted on a smartphone to gain access to the network. Once such malware is in place, the attacker can issue commands to the device to retrieve data without being detected, read saved messages, reach other devices connected to the same network, and transfer or delete data on it. The analyst's job is to reconstruct those actions from the artifacts the malware and the attacker leave behind. Insider files that were stored on the SD card and deleted from the phone can also be retrieved. Consider a case in which an insider accessed an organization's network, downloaded incriminating files, and saved them to a phone: investigators can perform a forensic analysis of the phone, identify where the files are stored, and determine whether they were sent on to other devices.
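Recovering a deleted file whose directory entry is gone is done by carving: scanning the raw image for known file signatures rather than walking the file system. The block below is an added example written for this page, not the paper's code. It carves JPEG and PNG blobs out of an in-memory image; the image, its filler and the two embedded files are constructed (valid signatures, not real picture data), and the same function works over a `dd` image of an SD card.

```python
"""Added example: signature-based carving of a raw storage image (not the paper's code).

The sample image built by build_sample_image() is constructed for illustration.
"""

# (header, footer) byte signatures for the file types we carve.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return [(offset, type, data)] for every header/footer pair in `image`.

    The whole image is scanned, so files whose directory entries were deleted
    are still found as long as their clusters were not overwritten.  A header
    with no footer within max_size bytes is skipped.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1          # truncated or overwritten: move on
                continue
            end += len(footer)
            found.append((start, kind, image[start:end]))
            pos = end
    return sorted(found)


def build_sample_image():
    """Constructed sample image: a JPEG-like blob and a PNG-like blob with
    zero-filled filler around them, as on a mostly empty SD card."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xaeB`\x82"
    filler = b"\x00" * 512
    return filler + jpg + filler + png + filler


if __name__ == "__main__":
    for offset, kind, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Two caveats a practitioner would apply: a JPEG footer can also appear inside an embedded thumbnail, so carved JPEGs should be validated by decoding them, and a file whose clusters were not contiguous will be carved with foreign data in the middle; carving is a complement to, not a replacement for, parsing the file system's own metadata.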

System Layer – Network Traffic
Routers connected to a network are very helpful in an examination. A router can show the types of traffic passing through it, and it stores its settings, security protocols, network passwords, and security configuration. It can also keep logs of the devices connected to it, including their MAC addresses and the IP addresses it leased to them. If a network attack has occurred and information was stolen, the investigator may be able to identify the attacking host's MAC address, but only if the host was on the local network segment and the addresses were not spoofed; MAC addresses are not visible beyond the local segment, and both MAC and IP source addresses can be forged. Investigators who capture data by monitoring network traffic must follow the security guidelines in place. Data recorded to a capture or log file can cause problems in a case because passwords and other information subject to non-disclosure may be exposed, so monitoring has to be performed in a controlled setting with appropriate tools (packet capture with Wireshark or tcpdump, honeypots to attract and record attacker activity, and Nmap to map the hosts on the network). Encrypted network traffic is another problem: an IDS cannot read encrypted payloads, so analysis is limited to connection metadata (addresses, ports, timing, volumes) and to signatures that match on unencrypted fields, unless the keys are available through lawful means or the traffic is decrypted at an endpoint. Host-based intrusion detection systems (HIDS) analyze logs on the host itself, which makes that part of the analysis smoother; network intrusion detection systems (NIDS) log misuse seen in traffic crossing the network while monitoring the system.
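The router's DHCP lease log is what turns an internal IP address in a firewall log into a physical device. The following is an added example written for this page, not the paper's code: it attributes each logged outbound connection to the MAC address that held the source IP at that moment, and flags an IP that changed hands between two MAC addresses within a short window, which is worth a closer look for a cloned or spoofed MAC (or simply a short lease time). Both log formats and every line in them are constructed samples, not the output of any particular router or firewall; times are assumed to be UTC.

```python
"""Added example: attribute firewall events to MAC addresses via DHCP leases.

Not the paper's code.  Log formats and lines are constructed samples.
"""
from datetime import datetime, timedelta

# Constructed router DHCP log: timestamp, message, IP, MAC, hostname.
DHCP_LOG = """\
2015-03-12T08:55:10 DHCPACK 192.168.1.20 aa:bb:cc:dd:ee:01 laptop-alice
2015-03-12T09:40:00 DHCPACK 192.168.1.20 aa:bb:cc:dd:ee:02 android-x1
2015-03-12T09:41:30 DHCPACK 192.168.1.21 aa:bb:cc:dd:ee:01 laptop-alice
"""

# Constructed firewall log of outbound connections (deliberately unordered).
FIREWALL_LOG = """\
2015-03-12T09:42:05 OUT src=192.168.1.20 dst=203.0.113.7 dport=443 bytes=5120000
2015-03-12T09:00:00 OUT src=192.168.1.20 dst=198.51.100.4 dport=80 bytes=1200
"""


def parse_dhcp(text):
    """Return [(time, ip, mac, host)] for DHCPACK lines, sorted by time."""
    leases = []
    for line in text.splitlines():
        ts, msg, ip, mac, host = line.split()
        if msg == "DHCPACK":
            leases.append((datetime.fromisoformat(ts), ip, mac.lower(), host))
    return sorted(leases)


def mac_for(leases, ip, when):
    """(mac, host) holding `ip` under the most recent lease at or before `when`."""
    best = None
    for ts, lip, mac, host in leases:
        if lip == ip and ts <= when:
            best = (mac, host)
    return best


def attribute(firewall_text, dhcp_text):
    """Return [(time, src_ip, dst_ip, (mac, host) or None)] per firewall line."""
    leases = parse_dhcp(dhcp_text)
    out = []
    for line in firewall_text.splitlines():
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        fields = dict(kv.split("=", 1) for kv in parts[2:])
        out.append((ts.isoformat(), fields["src"], fields["dst"],
                    mac_for(leases, fields["src"], ts)))
    return out


def ip_reuse(leases, window=timedelta(hours=1)):
    """[(ip, old_mac, new_mac)] for IPs handed to a different MAC within `window`."""
    flagged = []
    last = {}
    for ts, ip, mac, host in leases:
        prev = last.get(ip)
        if prev and prev[1] != mac and ts - prev[0] <= window:
            flagged.append((ip, prev[1], mac))
        last[ip] = (ts, mac)
    return flagged


if __name__ == "__main__":
    for row in attribute(FIREWALL_LOG, DHCP_LOG):
        print(row)
    print("IP reuse:", ip_reuse(parse_dhcp(DHCP_LOG)))
```

In the sample, the 5 MB transfer at 09:42 came from 192.168.1.20 while the phone held that lease, not the laptop that had it earlier in the morning; the attribution is only as trustworthy as the DHCP log and the assumption that the MAC was not forged, which is why the reuse check is run alongside it.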

System Layer – Applications
Applications are what actually send data to and from the system over the network, on top of the operating system. Criminals can install a malicious application on a system to gain entry and retrieve information. Within an application there are components that help it run, such as authentication, configuration files, and other data files, and those components help in the analysis stage because they show who used the application and what modifications were made to it. Authentication is a major part of the investigation: when an investigator looks at the application's logs, he or she can see exactly which account accessed the system or application, and from where, and can gather evidence about a specific person (bearing in mind that an account is not always its owner, as a stolen credential shows). Application logs record events, errors, and other activity; audit, event, and error records within an application are all important data to a forensic investigator. Applications can host malware once a user launches or downloads them. Malware comes in various forms, such as Trojans, viruses, worms, and bots (compromised "zombie" machines under remote control), all of which can be devastating to a system and would be pertinent evidence in an investigation.

Collecting data from applications varies depending on where the data is located and how well secured the system or network holding it is. For instance, if the information needed for a case sits in a user's mailbox, the message may have been sent to multiple addresses or downloaded into different applications on the system, and the investigator must know how to track down those addresses and locate the data. Programs written by users can pose a problem because the author can include code that makes the software behave differently from what the investigator is accustomed to. Once an investigation of an application is performed, it is very important to bring all of the application data together in one place and dissect it to reconstruct the events that took place on the system or network.
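Reconstructing who accessed an application, and what the account did afterwards, is the analysis both of the preceding paragraphs call for. The block below is an added example written for this page, not the paper's code. It parses an application authentication log, lists the accounts that got in and from which source addresses, flags the pattern an intruder usually leaves behind (a burst of failed logins followed by a success from the same source), and then pulls every non-login action that account took after the suspicious login. The log format and all of its lines are constructed samples, not the output of a real product.

```python
"""Added example: authentication-log analysis for an application (not the paper's code).

Log format and entries are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

APP_LOG = """\
2015-03-12 10:00:01 AUTH user=alice result=OK src=10.0.0.5
2015-03-12 10:02:10 AUTH user=admin result=FAIL src=10.0.0.77
2015-03-12 10:02:11 AUTH user=admin result=FAIL src=10.0.0.77
2015-03-12 10:02:12 AUTH user=admin result=FAIL src=10.0.0.77
2015-03-12 10:02:13 AUTH user=admin result=FAIL src=10.0.0.77
2015-03-12 10:02:15 AUTH user=admin result=OK src=10.0.0.77
2015-03-12 10:05:00 CONFIG user=admin action=modify file=app.conf src=10.0.0.77
2015-03-12 10:30:00 AUTH user=bob result=FAIL src=10.0.0.9
2015-03-12 10:30:40 AUTH user=bob result=OK src=10.0.0.9
"""


def parse(text):
    """Return [(time, kind, {field: value})] in log order."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[3:])
        events.append((ts, parts[2], fields))
    return events


def access_by_user(events):
    """{user: [source addresses]} for every successful authentication."""
    seen = defaultdict(set)
    for ts, kind, f in events:
        if kind == "AUTH" and f["result"] == "OK":
            seen[f["user"]].add(f["src"])
    return {u: sorted(s) for u, s in seen.items()}


def brute_force_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """[(user, src, failures, success_time)] where at least `threshold`
    failures from one source precede a success within `window`."""
    fails = defaultdict(list)
    hits = []
    for ts, kind, f in events:
        if kind != "AUTH":
            continue
        key = (f["user"], f["src"])
        if f["result"] == "FAIL":
            fails[key].append(ts)
            continue
        recent = [t for t in fails[key] if ts - t <= window]
        if len(recent) >= threshold:
            hits.append((key[0], key[1], len(recent), ts.isoformat()))
        fails[key] = []                 # a success closes the burst
    return hits


def actions_after(events, user, src, since):
    """Non-login events by `user` from `src` at or after ISO time `since`."""
    since_ts = datetime.fromisoformat(since)
    return [(ts.isoformat(), kind, f) for ts, kind, f in events
            if kind != "AUTH" and f.get("user") == user
            and f.get("src") == src and ts >= since_ts]


if __name__ == "__main__":
    ev = parse(APP_LOG)
    print(access_by_user(ev))
    for user, src, n, when in brute_force_then_success(ev):
        print(f"{n} failures then success for {user} from {src} at {when}")
        print(actions_after(ev, user, src, when))
```

Bob's single typo is not flagged, while the admin login from 10.0.0.77 is, and the configuration change that follows it is exactly the "modification to hide evidence" the investigator is looking for. The threshold and window are assumptions to tune per application; the log's source address is trustworthy only as far as the front-end that recorded it is.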








Conclusion
In closing, investigators performing a forensic analysis for a case need to fully understand the ins and outs of an investigation and the four important layers of a system, so that the correct tools can be applied from the start. Each layer plays a pertinent role when cases such as insider deletion of files, malware installation, or network intrusion arise. The first analysis stage is to process the computer or network for forensic evidence: search the operating system for logs, configurations, passwords, open files, user groups, and running processes; search the data files to find out whether they contain information usable as evidence; analyze the network traffic for patterns or signatures that identify an attack on the system; and finally review the applications on the system to find out what is running and which configurations were modified to hide evidence. If all four layers are examined correctly, the forensic examiner will have the evidence he or she needs to present in a court of law.



