Elsevier

Digital Investigation

Volume 3, Issue 3, September 2006, Pages 118-126

Case study
Network intrusion investigation – Preparation and challenges

https://doi.org/10.1016/j.diin.2006.08.001

Abstract

As new legislation is written mandating notification of affected parties following the compromise of confidential data, reliable investigative procedures into unauthorized access of such data assume increasing importance. The increasing costs and penalties associated with exposure of sensitive data can be mitigated through forensic preparation and the ability to employ digital forensics. A case study of the compromise of several systems containing sensitive data is outlined, with particular attention given to the procedures followed during the initial response and their impact on the subsequent digital forensic examination. Practical problems and challenges that arise in intrusion investigations are discussed, along with solutions and methodologies to address these issues. This case study illustrates both the importance of evaluating the evidence analyzed and of corroborating findings and conclusions with multiple independent sources of evidence. An initial response that incorporates forensic procedures provides a solid foundation for a successful and thorough forensic examination.

Introduction

Investigations into network intrusions that involve the potential compromise of confidential data have taken on a new urgency with the passing of the state data breach notification laws [1]. Organizations in both the private and public sectors are not only dealing with the embarrassment of the media coverage, but also the financial ramifications of notifying affected individuals, oftentimes in an effort to comply with these laws. This case study describes an incident that took place in 2005 that included the compromise of over 50 computers, some with confidential private data [2]. The aim of the intrusion investigation was to determine the method of intrusion, the motivation of the intruder and whether the confidential data had been accessed and/or downloaded by the intruder(s). The investigation showed that although the confidential data on the compromised systems could have been accessed and downloaded by the intruders, there was no evidence of such activity.

The resources of two groups were brought to bear in the collection and analysis of the evidence related to this case. The initial response to the compromise was carried out by the organization's IT Security staff. Established incident handling procedures were followed until the severity and unusual characteristics of the compromise were discovered, after which more specialized efforts were employed to identify and secure evidence. Additional preservation and the evaluation of the evidence were performed by Digital Forensic Examiners from an independent organization.

This case study demonstrates the importance of forensic preparedness and employing digital forensics when responding to a critical incident. Practical problems that are encountered and judgments that must be made in an intrusion investigation are addressed in sidebars throughout this article. Organizations that are prepared to gather digital evidence and employ digital forensics put themselves in a better position to mitigate the increasing costs and penalties associated with exposure of sensitive data.

Section snippets

Identification of compromise

In May 2005, a server used to store sensitive information began to display a message that one of its drives was full and that it was unable to save a particular movie file. Since none of the server's legitimate functions involved movies, the local system administration staff made a call to the IT Security Department of the victim organization. The IT Security Department quickly realized the significance of this message on a server with more than 400 gigabytes (GB) of storage that served a

Identification and preservation of evidence

Realizing the potential severity and scope of the incident, the IT Security Department took two concurrent courses of action: locating other compromised systems (if any) and collecting and preserving evidence for possible legal action.

To search for other compromised systems, a network scan was used to identify systems with scanned profiles similar to that of the server already examined. The systems found in this way were tested for behavior that identified Hacker Defender installations like

The investigation

After reviewing the four systems, the Digital Forensic Examiners determined that only the server and one of the desktops had been compromised. In addition to examining the forensic images of each system, bootable clones of the two systems that were not compromised were created to enable a live examination. A live forensic examination was performed on these bootable clones to determine whether a rootkit or unusual processes were running. The bootable clones were also connected to a dedicated

Important points and lessons learned

Identifying the potential sources of information about the intrusion is an essential step in a network intrusion investigation. To do this successfully and thoroughly, the Examiner must understand where on a network information can be found (Casey, 2004). As information in an intrusion investigation tends to be fragile and transient in nature, delays in identifying and querying information sources can result in the loss of the information altogether. The right questions need to be asked of the

Acknowledgements

Ms. Reust would like to thank her colleagues at Stroz Friedberg LLC for their support and assistance with this article, particularly Eoghan Casey.

Mr. Johnston would like to thank Ms. Erin Kelly for her proofreading efforts and Mr. Eoghan Casey for his encouragement and tea.

References

  • Casey, E. (2004). Digital evidence and computer crime.

  • Casey, E. (2005). Case study: network intrusion investigation – lessons in forensic preparation. Digital Investigation.

Cited by (9)

  • Establishing forensics capabilities in the presence of superuser insider threats

    2021, Forensic Science International: Digital Investigation
    Citation excerpt:

    In the case of insider threats, forensic readiness is a fundamental necessity as insiders own detailed information about the IT infrastructure of the organization. There are a number of contributions available, including Johnston and Reust (2006), that focused on the importance of forensic preparedness by providing a case study of network intrusion within an organization with over 50 compromised computers. They discussed each step of the forensic process with respect to the case and identified practical and legal issues throughout the investigation.

  • Digital transformation risk management in forensic science laboratories

    2020, Forensic Science International
    Citation excerpt:

    A reactive approach is costly and disruptive, including the need to find and retain external digital forensic expertise. Forensic preparedness enhances business continuity and contingency planning, putting organizations in a better position to detect and investigate problems and manage the associated risks [18,19]. These issues and remedies apply equally to all forensic laboratories, including those within private enterprises.

  • Information security incident management: Current practice as reported in the literature

    2014, Computers and Security
    Citation excerpt:

    Limited expertise on forensics is also reported by Ismail et al. (2011) and Hove and Tårnes (2013). Companies in some cases rely on third parties or the police for forensic investigations (Hove and Tårnes, 2013; Johnston and Reust, 2006). For common and less severe incidents the LRZ-CSIRT response is performed in a fully automatic manner (Metzger et al., 2011), where examples of automatic actions include forwarding of information to the responsible on-site administrator, suspension of the offending machine's internet access, and notification of the CSIRT team.

  • Cyberpatterns: Criminal Behavior on the Internet.

    2011, Criminal Profiling: An Introduction to Behavioral Evidence Analysis