Hassel Stacy Jr. Dr. Philip Lunsford ICTN4040 601 04/16/06 - page 5 / 8

Stacy 5

important to risk using live analysis techniques, as such incidents that involve sensitive data may result in legal action. To date, there is more legal precedent dealing with digital evidence from dead analysis than from live analysis.

Sophisticated hackers operate by attempting to conceal or remove evidence of an intrusion by deleting logs, altering date timestamps, and installing their own utilities to bypass the operating system. Programs like Hacker Defender (hxdef.czweb.org) alter the kernel and the information returned by system calls. In addition, tools are being developed specifically to make forensic examination more difficult (http://www.metasploit.com/projects/antiforensics/). Increasingly, cybercriminals are using strong encryption to cloak their activities by encrypting data before stealing it. Careful intruders use covert channel techniques to conceal their malicious activities within legitimate network activities such as DNS or HTML traffic.

Recovering from compromised hosts is only half the battle. Locating the criminals is also becoming more challenging. Skilled intruders hide their location and work around firewall restrictions using time-activated backdoors that periodically “phone home”, initiating a connection from inside the compromised network that tunnels through firewalls; the intruder uses this tunnel to communicate with compromised hosts, even establishing a Windows Terminal Service session when this protocol is blocked by a firewall.
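As an added, defender-side illustration of the periodic “phone home” behaviour described above (this script is not part of the original paper), the following Python code flags outbound flows whose connection intervals are almost constant, which is how an investigator might surface a time-activated backdoor in firewall logs. The log format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection log (hypothetical firewall format):
# "<epoch-seconds> ALLOW <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
1000 ALLOW 10.0.0.5 -> 203.0.113.7:443
1017 ALLOW 10.0.0.8 -> 198.51.100.2:80
1600 ALLOW 10.0.0.5 -> 203.0.113.7:443
2199 ALLOW 10.0.0.5 -> 203.0.113.7:443
2450 ALLOW 10.0.0.8 -> 198.51.100.2:80
2801 ALLOW 10.0.0.5 -> 203.0.113.7:443
3399 ALLOW 10.0.0.5 -> 203.0.113.7:443
3410 ALLOW 10.0.0.8 -> 198.51.100.2:80
4002 ALLOW 10.0.0.5 -> 203.0.113.7:443
"""

LINE_RE = re.compile(r"^(\d+) ALLOW (\S+) -> (\S+):(\d+)$")

def parse_log(text):
    """Group connection timestamps by (src, dst, port); skip unparseable lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            flows[(src, dst, int(port))].append(int(ts))
    return flows

def find_beacons(flows, min_conns=5, max_cv=0.05):
    """Return {flow: mean_gap} for flows with at least min_conns connections whose
    inter-connection gaps have a coefficient of variation (stdev/mean) <= max_cv."""
    hits = {}
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = round(avg, 1)
    return hits

if __name__ == "__main__":
    for (src, dst, port), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst}:{port} every ~{period}s")
```

In the constructed sample only the 10.0.0.5 flow is reported (six connections about 600 s apart); the 10.0.0.8 flow has too few, irregular connections to qualify.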

A multidisciplinary team with a wide range of skills is usually needed to apprehend sophisticated attackers. The ideal investigative team has expertise in information security, digital forensics, penetration testing, reverse engineering, programming and behavior profiling. Record keeping and case management are critical to monitor the flow of information. A successful forensic investigation is heavily dependent on the logging and backup systems an organization has in place, and how quickly sources of evidence are located and preserved. Integration of forensic principles into
