Computer Forensics


Abstract

No computer network is immune to information security breaches. Governments and business organizations alike therefore need an effective contingency and incident response plan in place so that network and system forensics can be performed once a data breach occurs. In the world of computer networks, no matter how carefully an organization operating a computer network strives to secure its information system assets, breaches can happen. In addition to the chance of hardware or software component failure, people can also make mistakes. All the situations mentioned above require an effective emergency plan at hand to respond to such incidents. This paper discusses the strategies an incident response team should employ when conducting network forensics. These strategies will help find out: what servers or network devices were compromised; what user accounts were employed to gain access to the system or network infrastructure; what vulnerabilities were exploited by the hackers; and finally the strategies that could be implemented to prevent the recurrence of such an incident in the future.

Table of Contents

What servers were compromised?
Abnormal trends in network usage and atypical bandwidth consumption
Abnormal Open Ports
Command Output
What network equipment was compromised?
Monitoring Network Bandwidth
Knowing Network Traffic
Examining Strange or Abnormal Traffic and Which Computer on the Network It Is Coming From
What user accounts were employed to gain access?
What vulnerabilities were exploited?
What can be done to prevent a recurrence?
Conclusion
References

What servers were compromised?

Abnormal trends in network usage and atypical bandwidth consumption

The majority of networks have routine traffic patterns that repeat on a daily basis. If the graph develops spikes or plateaus without warning during the day, it could be a signal of something interesting. Additionally, if the site normally consumes around 2TB of traffic per month and the counter already shows 1.5TB on the fourth day of the month, that is a sign meriting a close examination of the server.

Even though scans may appear as large numbers of packets, denial-of-service attacks commonly consume more bandwidth. Network traffic is easily tracked with software like MRTG, Munin and Cacti (Vacca, 2005).

Abnormal Open Ports

If the server is supposed to serve on port 80 and netstat -ntlp shows processes listening on other ports above 1024, those processes should be examined. The lsof command should be used to list the network ports and files used by a process, and /proc/[pid] reveals the directory from which the process was launched.

An eye should be kept out for processes started from directories like /tmp, /dev or /shm, and recent authentication logs should be reviewed (Vacca, 2008).

Command Output

In some cases attackers replace core utilities like top, lsof and ps to hide evidence of the compromise, but /proc still shows what is really happening.

If a compromise is suspected, the package manager can be used to verify the integrity of installed packages. Tracking which files have changed is difficult, but logwatch and Tripwire can come in handy in tight situations like these (Huang, MacCallum & Du, 2010).
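The port, /proc and launch-directory checks described under Abnormal Open Ports and Command Output, as an added triage script that is not part of the paper. The netstat sample, PIDs and program names are constructed; the proc root can be overridden so the check can be exercised against a fake /proc tree.

```shell
#!/bin/sh
# Added example (not from the paper): flag LISTEN sockets above 1024 and
# inspect the launch directory of each owning process through /proc/[pid].

# Constructed sample of `netstat -ntlp` output; PIDs and programs are made up.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address  Foreign Address State  PID/Program name
tcp   0 0 0.0.0.0:80    0.0.0.0:* LISTEN 812/nginx
tcp   0 0 0.0.0.0:22    0.0.0.0:* LISTEN 640/sshd
tcp   0 0 0.0.0.0:31337 0.0.0.0:* LISTEN 4242/kworkerd
tcp6  0 0 :::443        :::*      LISTEN 812/nginx'

# Read netstat -ntlp text on stdin; print "port pid program" for every
# listener bound above 1024 (the web server's 80/443 and sshd's 22 pass).
high_port_listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        if (port > 1024) { split($7, p, "/"); print port, p[1], p[2] }
    }'
}

# Return 0 if path $1 lies under /tmp or /dev (the paper's examples; /dev/*
# also covers /dev/shm) or names a binary deleted after it was started.
suspicious_dir() {
    case "$1" in /tmp|/tmp/*|/dev|/dev/*|*" (deleted)") return 0 ;; esac
    return 1
}

# Print "suspicious" or "ok" for pid $1 from /proc/[pid]/cwd and /proc/[pid]/exe.
# $2 overrides the proc root so the check can run against a constructed tree.
launch_dir_check() {
    pid=$1; proc=${2:-/proc}
    cwd=$(readlink "$proc/$pid/cwd" 2>/dev/null)
    exe=$(readlink "$proc/$pid/exe" 2>/dev/null)
    if suspicious_dir "$cwd" || suspicious_dir "$exe"; then
        echo "suspicious pid=$pid cwd=$cwd exe=$exe"
    else
        echo "ok pid=$pid cwd=$cwd exe=$exe"
    fi
}

# One line per high-port listener with its verdict.
# Live host: netstat -ntlp | triage      Fake tree: triage /path/to/fakeproc
triage() {
    high_port_listeners | while read -r port pid prog; do
        printf '%s %s ' "$port" "$prog"; launch_dir_check "$pid" "$1"
    done
}
# Package-manager verification (rpm -Va or dpkg --verify) complements this
# when the utilities themselves may have been replaced.
```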

What network equipment was compromised?

Monitoring Network Bandwidth

Consider the situation this way: the temperature gauge in a car can hint at problems before they happen. Bandwidth usage works on ...