10.14 Forensic Considerations

As with any other crime, once an attack has occurred it is important to examine the scene and gather evidence. In cybercrime this means analyzing audit data so that the extent of the damage to the system can be determined, and tracing the attackers so that preventive steps can be taken against future intrusions. Computer forensics involves preserving and collecting digital evidence: usage logs, IP traces, and any other audit trail that can be collected about the incident (log files, antivirus reports, router and firewall logs, file changes). In short, anything that can be traced back to the perpetrators, such as where they got in and how they did it, is collected as evidence. An IDS is only one part of the process of detecting, isolating, reconfiguring, and repairing after an attack (see Figure 10.2).

Figure 10.2: An IDS is only part of the entire deterrence process.

To protect a system it is not enough to thwart attacks; it is also essential to understand how they took place. This may require letting an intrusion run its course, leaving the damage in place, preserving it as evidence, and treating a hack attack as what it is: a crime scene. Administrators who repair the damage first often destroy the evidence against the perpetrators. Instead, an image copy of every affected hard drive should be made before anything is changed, and all analysis should be carried out on that image rather than on the original media. All investigative activities, including any data mining analyses undertaken and their results, should be documented.

Care should be taken not to use commands that modify directory contents or file dates and timestamps; even opening a file can update its last-access time. Search activity may likewise alter log files and modify, destroy, or corrupt important forensic evidence. An IDS can also be used to analyze the audit data it collects, which makes it valuable not only as a real-time deterrence shield but also as a forensic tool for gathering the evidence used in prosecuting internal and external hackers.
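The imaging, verification and documentation discipline described above, as an added example that is not from the book: a POSIX shell script (assumed to run on Linux with GNU coreutils, or macOS with shasum; the COC_LOG and BS environment variables, the function names and the mount options are assumptions) that hashes the source media, images it with dd, writes a hash sidecar, re-verifies the image before each use, records every action in a custody log, and mounts the image read-only with noatime so that examining files cannot rewrite their timestamps.

```shell
#!/bin/sh
# Added example, not the book's code: forensic imaging with hash verification and a custody log.
# Assumes Linux with GNU coreutils (dd, sha256sum) or macOS (shasum); mounting requires root.
set -eu

coc_log() {
    # Path of the chain-of-custody log; COC_LOG is an assumed environment variable.
    printf '%s' "${COC_LOG:-./chain_of_custody.log}"
}

log_step() {
    # Every action is recorded with a UTC timestamp and the examiner's user name.
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$*" >> "$(coc_log)"
}

sha256() {
    # Print the SHA-256 of a file, using whichever tool the host has.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

image_device() {
    # image_device SOURCE IMAGE: copy SOURCE (a block device, or a plain file when testing)
    # to IMAGE, hash both, and write IMAGE.sha256 as the reference for later verification.
    src="$1"; img="$2"; bs="${BS:-512}"
    log_step "BEGIN imaging src=$src dst=$img bs=$bs"
    src_hash=$(sha256 "$src")
    log_step "source sha256=$src_hash"
    # conv=noerror,sync: carry on past unreadable blocks and zero-fill them so offsets stay
    # aligned. bs=512 matches the sector size, so a whole-disk image is never padded at the end.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>>"$(coc_log)"
    img_hash=$(sha256 "$img")
    log_step "image sha256=$img_hash"
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    if [ "$src_hash" = "$img_hash" ]; then
        log_step "END imaging OK: image matches source"
        return 0
    fi
    log_step "END imaging MISMATCH: image does not match source"
    return 1
}

verify_image() {
    # verify_image IMAGE: re-hash IMAGE and compare with the recorded value. Run this before
    # every analysis session; a mismatch means the evidence copy has been altered.
    img="$1"
    expected=$(cut -d' ' -f1 "$img.sha256")
    actual=$(sha256 "$img")
    if [ "$expected" = "$actual" ]; then
        log_step "verify $img OK"
        return 0
    fi
    log_step "verify $img FAILED expected=$expected actual=$actual"
    return 1
}

mount_evidence() {
    # mount_evidence IMAGE MOUNTPOINT (root, Linux): expose the image read-only.
    # ro: nothing can write to it; noatime: opening files during a search does not rewrite
    # access times; nosuid,nodev,noexec: nothing on the evidence is trusted to run.
    img="$1"; mnt="$2"
    verify_image "$img" || return 1
    log_step "mount $img on $mnt (loop,ro,noatime,nosuid,nodev,noexec)"
    mount -o loop,ro,noatime,nosuid,nodev,noexec "$img" "$mnt"
}

demo() {
    # Stand-alone run against a constructed 4 KiB "disk" of random bytes, not real media.
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/disk.raw" bs=512 count=8 2>/dev/null
    COC_LOG="$tmp/custody.log"; export COC_LOG
    image_device "$tmp/disk.raw" "$tmp/disk.img"
    verify_image "$tmp/disk.img"
    cat "$COC_LOG"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as root against an unmounted device, ideally behind a hardware write blocker, since hashing the source reads the media a second time. A larger BS speeds imaging, but conv=sync zero-pads the last partial block, so the source and image hashes only agree when the device size is a multiple of BS; the default of 512 avoids that for whole-disk images.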




Investigative Data Mining for Security and Criminal Detection
ISBN: 0750676132
Year: 2005
Pages: 232
Authors: Jesus Mena
