Case study: Network intrusion investigation – Preparation and challenges
Introduction
Investigations into network intrusions that involve the potential compromise of confidential data have taken on a new urgency with the passing of the state data breach notification laws. Organizations in both the private and public sectors are not only dealing with the embarrassment of the media coverage, but also the financial ramifications of notifying affected individuals, oftentimes in an effort to comply with these laws. This case study describes an incident that took place in 2005 that included the compromise of over 50 computers, some with confidential private data. The aim of the intrusion investigation was to determine the method of intrusion, the motivation of the intruder and whether the confidential data had been accessed and/or downloaded by the intruder(s). The investigation showed that although the confidential data on the compromised systems could have been accessed and downloaded by the intruders, there was no evidence of such activity.
The resources of two groups were brought to bear in the collection and analysis of the evidence related to this case. The initial response to the compromise was carried out by the organization's IT Security staff. Established incident handling procedures were followed until the severity and unusual characteristics of the compromise were discovered, after which more specialized efforts were employed to identify and secure evidence. Additional preservation and the evaluation of the evidence were performed by Digital Forensic Examiners from an independent organization.
This case study demonstrates the importance of forensic preparedness and employing digital forensics when responding to a critical incident. Practical problems that are encountered and judgments that must be made in an intrusion investigation are addressed in sidebars throughout this article. Organizations that are prepared to gather digital evidence and employ digital forensics put themselves in a better position to mitigate the increasing costs and penalties associated with exposure of sensitive data.
Section snippets
Identification of compromise
In May 2005, a server used to store sensitive information began to display a message that one of its drives was full and that it was unable to save a particular movie file. Since none of the server's legitimate functions involved movies, the local system administration staff made a call to the IT Security Department of the victim organization. The IT Security Department quickly realized the significance of this message on a server with more than 400 gigabytes (GB) of storage that served a
Identification and preservation of evidence
Realizing the potential severity and scope of the incident, the IT Security Department took two concurrent courses of action: locating other compromised systems (if any) and collecting and preserving evidence for possible legal action.
To search for other compromised systems, a network scan was used to identify systems with scanned profiles similar to that of the server already examined. The systems found in this way were tested for behavior that identified Hacker Defender installations like
The investigation
After reviewing the four systems, the Digital Forensic Examiners determined that only the server and one of the desktops had been compromised. In addition to examining the forensic images of each system, bootable clones of the two systems that were not compromised were created to enable a live examination. A live forensic examination was performed on these bootable clones to determine whether a rootkit or unusual processes were running. The bootable clones were also connected to a dedicated
Important points and lessons learned
Identifying the potential sources of information about the intrusion is an essential step in a network intrusion investigation. To do this successfully and thoroughly, the Examiner must understand where on a network information can be found (Casey, 2004). As information in an intrusion investigation tends to be fragile and transient in nature, delays in identifying and querying information sources can result in the loss of the information altogether. The right questions need to be asked of the
Acknowledgements
Ms. Reust would like to thank her colleagues at Stroz Friedberg LLC for their support and assistance with this article, particularly Eoghan Casey.
Mr. Johnston would like to thank Ms. Erin Kelly for her proofreading efforts and Mr. Eoghan Casey for his encouragement and tea.
References (4)
Digital evidence and computer crime (2004)
Case study: network intrusion investigation – lessons in forensic preparation. Digital Investigation (2005)
Cited by (9)
Establishing forensics capabilities in the presence of superuser insider threats
2021, Forensic Science International: Digital Investigation
Citation excerpt: In case of insider threats, forensic readiness is a fundamental necessity as insiders own detailed information about the IT infrastructure of the organization. There are a number of contributions available, including Johnston and Reust (2006), that focused on the importance of forensic preparedness by providing a case study of a network intrusion within an organization with over 50 compromised computers. They discussed each step of the forensic process with respect to the case and identified practical and legal issues throughout the investigation.
Digital transformation risk management in forensic science laboratories
2020, Forensic Science International
Citation excerpt: A reactive approach is costly and disruptive, including the need to find and retain external digital forensic expertise. Forensic preparedness enhances business continuity and contingency planning, putting organizations in a better position to detect and investigate problems and manage the associated risks [18,19]. These issues and remedies apply equally to all forensic laboratories, including those within private enterprises.
Information security incident management: Current practice as reported in the literature
2014, Computers and Security
Citation excerpt: Limited expertise on forensics is also reported by Ismail et al. (2011) and Hove and Tårnes (2013). Companies in some cases rely on third parties or the police for forensic investigations (Hove and Tårnes, 2013; Johnston and Reust, 2006). For common and less severe incidents the LRZ-CSIRT response is performed in a fully automatic manner (Metzger et al., 2011), where examples of automatic actions include forwarding of information to the responsible on-site administrator, suspension of the offending machine's internet access, and notification of the CSIRT team.
Cyberpatterns: Criminal behavior on the internet
2012, Criminal Profiling
Cyberpatterns: Criminal behavior on the internet
2011, Criminal Profiling: An Introduction to Behavioral Evidence Analysis