The Digital Forensics - Research Paper Example

The Digital Forensics Network threats are evolving along with different risks associated with it. It is essential for an organization to construct a security framework that will address threats related to computer networks. Likewise, highly skilled staffs, previous threat treatment records and incident management teams are the essential part of this security framework. In a situation where the network is already compromised, it is essential to isolate the infected nodes, in order to restrict the worm from spreading it to the whole network. However, before restricting or counter attacking a breach, it is important to find the source and the nodes that are affected. In the current scenario, network administration is facing a challenge of finding traces of a worm that has breached within the distributed network. A distributed network can be on a broad scale and may involve many enterprise computer networks. Likewise, the currently installed network security controls are bypassed by the worm because distributed traffic anomaly is complex and small to detect. However, combining with multiple small data packets can impose a significant impact, as they all share the same frequency and domain that is already happening in the current scenario. For this reason, a method for detecting threats originating from distributed network was introduced by (Zonglin, Guangmin, Xingmiao, & Dan, 2009). The methodology includes a detection of patterns of distributed network along with network wide correlation analysis of instantaneous parameters, anomalous space extraction and instantaneous amplitude and instantaneous frequency. In the current scenario, network administrators can apply instantaneous amplitude and instantaneous frequency, which is a part of this model, of network transmission signals can invade network unknown patters and categorize them in to frequency and time domains separately. Moreover, they can also deploy an anomalous space extraction methodology that is based on network transmission predictions. This methodology will facilitate network administrators to exceed the boundaries of PCA based methods that are already failed to provide strong correlations. Furthermore, the third component that is a network wide correlation analysis of amplitude and frequency can discover overall network transmission originating from distributed networks, as the current controls are only sensing them in a small amount or quantity. After determining the exact source of the unknown worm, the next challenge is to analyze the infected nodes within the network. It is obvious that without a specialized tool, it is a daunting or almost impossible task to detect anomalies on low levels i.e. network ports. There is a requirement of pin pointing unknown threat activities within the network, for this purpose, a powerful tool known as Wire shark will serve the purpose. Wire shark is a freeware tool that analyzes network packets and processes them for illustrating detailed contents of the packets (Scalisi, 2010). Moreover, the tool contains numerous features that can facilitate the threat detection process. The first step that a network administrator will take is to identity the type of traffic or ports that needs to be targeted. The second step is to start capturing packets on all ports of all the switches (Scalisi, 2010). However, there is a requirement of modifying port numbers. As per the current scenario, all the network ports will be scanned including the Simple Mail transfer Protocol (SMTP) port. The tool has a feature of only scanning specific ports that needs to be targeted. However, in a corporate network environment that will not be possible, as Intrusion detection system (IDS) and Firewalls may conflict with the tool. Moreover, different subnets on the network will also require complex and time consuming configurations. Furthermore, network administrator can always set the time limit for capturing specific network port data. Therefore, the tool will distinguish increased network activity on each port by constructing real time statistical data along with report after completing the investigation. Attacks are always intelligent, as the hacker do not want us to track the source, trace back is always difficult. After conducting these two tasks, the third task for the network administrator is to trace the hacker or source of the threat. Network administrators will analyze two fields in a packet header i.e. time stamps and record route. However, these fields are considered by network engineers for various routing problems that may arise. Moreover, one more challenge for network administrators is to maintain a globally synchronized clock throughout the trace back process, as the packet may have travelled from different time zones. A methodology called as packet marking will be used to eliminate these challenges, as it will append the data with fractional information of paths, in order to complete a successful trace back. Conclusion Network administrators must encompass several techniques and methodologies for countering a compromised computer network within minimum time possible. As we can see that attacks are far more intelligent and uses new techniques every time. Initially, it is very difficult to trace the worm that has already intruded within the system and continues to spread. Network administrators need to configure network security appliances intelligently. Moreover, after detecting the threat, there is a requirement of identifying systems, where the worm is located and continues to spread. However, identification of systems is not enough, network administrators have to identify and trace effected network ports and services, as the worm will use these ports and network associated services to spread. After identifying infected systems and network ports, network administrators can make decisions, as they now come to know the affected systems and the affected network ports and services. Lastly, in order to trace the source, there is a requirement to trace the intruder. This may be a challenging task, as evidence is limited and the time stamps are not always correct. Network administrators can use packet marking and analyze packet header to focus on two areas of interest i.e. time stamps and record route. References Zonglin, L., Guangmin, H., Xingmiao, Y., & Dan, Y. (2009). Detecting distributed network traffic anomaly with network-wide correlation analysis. EURASIP Journal on Advances in Signal Processing, , 1-11. doi:10.1155/2009/752818 Scalisi, M. (2010). Analyze network problems with wireshark. PC World, 28(4), 30-30. Read More