Network and Operating System Investigation - Research Paper Example

Network and Operating System Investigation Introduction As it is understandable, that the usage of Internet is increasing with pace. Even small companies are integrating their business process with a small computer network. Every now and then, a new business wants its presence on the web. Moreover, services provided on the web are considered value added, in terms of customer satisfaction and feasibility. Furthermore, financial institutions have introduced online banking that is a treat for cyber criminals to achieve massive revenue by intercepting large online transactions. The Internet banking facilities consist of funds transfer, online shopping, credit card transactions, prepaid vouchers of different mobile phone companies and much more. Moreover, an Internet service provider (ISP) provides internet services to corporate organizations, home users and small business. If the security of an ISP is compromised, then the hacker may be able to access all the systems that are ultimately the clients of the company. Likewise, ISP also provides site-to-site VPN connectivity from where all the classified data is encrypted from one end to the other. Furthermore, government based organizations also provides information services on the Internet along with defense agencies that are controlled and monitored by the military, once hacked, the impacts can be devastating if the hackers becomes vulnerable. This can also result in disrupting relations between the two countries. Similarly, a multi-national organization wants to be top of the competition by endearing the competitive advantage, in order to make its presence stronger, several online features made available, providing more opportunities for hackers and cyber criminals. Why IDS As per network dictionary, IDS is defined as “Intrusion detection system (IDS) is a type of security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions and misuse”. IDS are of many types and organizations choose the best possible type that suits their prioritized mission critical systems. The types includes network based IDS, host based IDS and software based IDS. These types are further categorized in to signature based IDS which is also referred as misuse detection, and Anomaly detection. The functionality of ‘signature based IDS’ is dependent on known signatures. The word ‘known’ is important because threats that are detecting so far are categorized as known threats and are called signatures. Signature based IDS only detect threats similar to the defined available signatures and do not comply with any new threat. Whereas, Anomaly based IDS detect unknown activities within the network and detect them as threats and vulnerabilities. Defining Computing Forensics Discussing computer forensics in the context of law enforcement agencies or in corporate security, it will lead to a conclusion of a subject that covers the utilization of computers to catalog physical evidence that is analyzed in other forensics techniques including biometric identification, analyzing DNA and dental evidence. Current technological trends have revolutionized the methods of storing data along with different advanced access mechanisms. These systems facilitate law enforcement agencies by providing instant access to these characteristics. Although, computer forensics also facilitates in investigation of crimes within themselves in order to gather evidence associated with criminal activities that breaches violation of an organizations policy. The data can be extracted from storage devices including hard drives, flash drives and memory cards etc. (Computer Forensics – a Critical Need in Computer. (n.d.)) Digital Forensics for a Database In order to conduct data forensics, some of the particular methods are mentioned below: Data dictionary extraction is achievable in flat files and ‘redo’ log files. However, in Oracle 9i, if an investigator is analyzing a ‘redo’ log file that is created within the same database, the online dictionary data can be utilized as a replacement for a ‘redo’ log file or a flat file. The extraction of information encapsulated in the data dictionary is possible via DBMS_LOGMNR_D package. The package provides certain features such as: Incarcerating extraction of data dictionary of flat files Incarcerating extraction of data dictionary of the redo log files Modifying the location and storage, where the tables are stored, and are utilized to incarcerate data dictionary extraction in the redo log files. However, by default, the table storage is located in ‘SYSTEM tablespace’ (TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE). Apart from the features, the package also supports procedural outcomes that are associated with ‘DBMS_LOGMNR_D’ package. The procedural outcomes are named as ‘PROCEDURE BUILD’ ‘PROCEDURE SET_TABLESPACE’ and ‘IDENTIFYING REDO LOG FILES’. In order to start a session of the Log minor, there is a requirement of redo log files, as the log miner reads the information that is present in the ‘redo’ log files. The information in the ‘redo’ log files comes from the data dictionary extraction (TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE). Moreover, the value ‘DBMS_LOGMNR.DICT_FROM_REDO_LOGS’ I configured in the options parameter. The value ‘DBMS_LOGMNR.COMMITTED_DATA_ONLY’ is configured for the automated filtration of transactions that are uncommitted in the database. The filtration separates the uncommitted transactions so that only committed transactions can be displayed (TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE). The value ‘DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG’ is configured if the redo log files are developed within the same database. In this case, the implementation of online data dictionary takes place, in order to start the translation map of data dictionary. Moreover, many additional features can only be implemented while log miner sessions are in progress. Some of the names of these processes include (TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE): V$LOGMNR_DICTIONARY V$LOGMNR_LOGS $LOGMNR_LOGFILE V$LOGMNR_PARAMETERS V$LOGMNR_SESSION V$LOGMNR_PROCESS V$LOGMNR_TRANSACTION V$LOGMNR_REGION V$LOGMNR_CALLBACK V$LOGMNR_STATS In the end, the log miner session can be ended by the DBMS_LOGMNR.END_LOGMNR procedure (TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE). Conclusion and Future Works We have demonstrated the significance of IDS that may upsurge network security and the probability to detect potential threats. Moreover, digital forensics is vital for detecting evidences against crimes that are conducted online. We have illustrated the methodology of investigating database forensics by a digital forensic tool known as log miner. Furthermore, during a presentation at Carnegie Mellon University’s CyLab Capacity Building Program, Dr. Roy Nutter differentiated between forensics and security. He concluded that security includes all the theory and mechanism that is required to design protection for people and resources. On the other hand, forensics triggers when any incident occurs. As security incidents are rising, there will be huge demand for forensic computing professionals in future (Computer Forensics – a Critical Need in Computer. (n.d.)). In future, online labs providing testing environment will facilitate students. Moreover, these tools must also integrate these functions: Decryption tools Volatile data analysis Gaining information from operating system’s log files Retrieving passwords / cracking passwords Tracking hidden data References Intrusion detection system. (2007). Network Dictionary, , 258-258. Computer Forensics – a Critical Need in Computer. (n.d.). Retrieved from http://www.scribd.com/doc/131838/Computer-Forensics-a-Critical-Need-in-Computer TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE. (n.d.). Retrieved from http://blogold.chinaunix.net/u/3787/showart_26417.htm Read More