important to risk using live analysis techniques, as such incidents that involve sensitive data may result
in legal action. To date, there is more legal precedent dealing with digital evidence from dead
analysis than live analysis.
Sophisticated hackers operate by attempting to conceal or remove evidence of an intrusion
by deleting logs, altering date timestamps, and installing their own utilities to bypass the operating
system. Programs like Hacker Defender (hxdef.czweb.org) alter the kernel and the information
returned by system calls. In addition, tools are being developed specifically to make forensic examination more
difficult (http://www.metasploit.com/projects/antiforensics/). Increasingly, cybercriminals are using strong
encryption to cloak their activities by encrypting data before stealing it. Careful intruders use covert
channel techniques to conceal their malicious activities within legitimate network activities such as
DNS or HTML traffic.
Recovering from compromised hosts is only half the battle. Locating the criminals is also
becoming more challenging. Skilled intruders hide their location and work around firewall
restrictions using time-activated backdoors that periodically "phone home", initiating a connection
from inside the compromised network that tunnels through the firewall. The intruder uses this tunnel
to communicate with compromised hosts, even establishing a Windows Terminal Services session when that
protocol is blocked by the firewall.
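The two evasion techniques described above, covert channels hidden in DNS traffic and backdoors that "phone home" on a fixed schedule, both leave a statistical trace in ordinary connection logs even when host-side evidence has been wiped. The following added example (not code from the paper or from any project it cites) shows the two heuristics an examiner would run over such logs: flagging DNS query names whose longest label is both long and high-entropy, which is how encoded data tends to look inside a hostname, and grouping connections by source/destination pair to find near-constant inter-arrival times. The log format, the hostnames and every log line below are constructed for this example; the thresholds (`min_label_len`, `min_entropy`, `max_jitter_s`) are assumed starting values, not values from the text.

```python
"""Added example: detection heuristics for DNS covert channels and periodic
"phone home" beacons. The log format and all sample lines are constructed."""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): "<timestamp> <src> <dst> <proto> <dns query name>".
# 10.0.0.5 queries long hex-looking labels under tunnel.example.net once an hour;
# the other entries are ordinary lookups used as a control.
SAMPLE_LOG = """\
2007-03-01T02:00:01 10.0.0.5 192.0.2.10 dns www.example.com
2007-03-01T02:00:07 10.0.0.5 192.0.2.10 dns mail.example.com
2007-03-01T03:00:01 10.0.0.5 198.51.100.7 dns 7a3f9c1e4b2d8a6f0c5e.tunnel.example.net
2007-03-01T04:00:02 10.0.0.5 198.51.100.7 dns d41d8cd98f00b204e9800998ecf8427e.tunnel.example.net
2007-03-01T05:00:00 10.0.0.5 198.51.100.7 dns 9b74c9897bac770ffc029102a200c5de.tunnel.example.net
2007-03-01T06:00:01 10.0.0.5 198.51.100.7 dns 8f14e45fceea167a5a36dedd4bea2543.tunnel.example.net
2007-03-01T02:13:44 10.0.0.8 192.0.2.10 dns www.example.com
"""


def parse_log(text):
    """Parse the constructed log format into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, qname = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "proto": proto,
            "qname": qname.lower().rstrip("."),
        })
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s; encoded or encrypted payload scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_dns(records, min_label_len=20, min_entropy=3.0):
    """Flag DNS queries whose longest label is long *and* high-entropy, the
    combination typical of data smuggled inside hostnames. Returns query names
    in log order. Thresholds are assumed starting values, tune per environment."""
    flagged = []
    for r in records:
        if r["proto"] != "dns":
            continue
        label = max(r["qname"].split("."), key=len)
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            flagged.append(r["qname"])
    return flagged


def beacon_candidates(records, min_events=4, max_jitter_s=5):
    """Group events by (src, dst) and flag pairs whose inter-arrival times are
    nearly constant, the signature of a timer-driven backdoor.
    Returns a list of (src, dst, mean_period_seconds)."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    out = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue  # too few events to call it periodic
        times.sort()  # logs are not guaranteed to be in time order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            out.append((src, dst, round(statistics.mean(gaps))))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("suspicious DNS queries:", suspicious_dns(recs))
    print("beacon candidates:", beacon_candidates(recs))
```

On the sample above the four `tunnel.example.net` queries are flagged and the pair `10.0.0.5 -> 198.51.100.7` is reported with a period of about 3600 seconds, while the two ordinary lookups to `192.0.2.10` are not. Both heuristics produce false positives on real networks (CDN hostnames carry long hashed labels, monitoring agents poll on timers), so they are triage filters that point the examiner at hosts to preserve first, not verdicts.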
A multidisciplinary team with a wide range of skills is usually needed to apprehend
sophisticated attackers. The ideal investigative team has expertise in information security, digital
forensics, penetration testing, reverse engineering, programming and behavior profiling. Record
keeping and case management are critical to monitor the flow of information. A successful forensic
investigation is heavily dependent on the logging and backup systems an organization has in place, and
how quickly sources of evidence are located and preserved. Integration of forensic principles into