Computer/Network Forensics is about discovering and collecting evidence about an online attack or security breach and presenting it in a way that is admissible in a court of law.
Should IT managers be concerned about Computer Forensics? Yes, they should. Tracing an attack and preventing it from harming the organizational network is one of their objectives. Though UTM/IPS systems can secure the network to a certain extent, in some situations it is necessary to trace the attack back and establish the real identity of the attacker, and bring them to justice. That way, repeated attacks by a particular attacker can be stopped.
IT managers/Network administrators might be surprised at the amount of information that can be retrieved from internal and external systems after an attack. It is always better to plan and be ready, so that when a security breach actually happens it is easier to trace the attacker. Let us discuss some methods of tracking down online attackers.
There are tools (1, 2) that can help trace an email or an IP address back to its sender and provide a good amount of publicly available information about the sender. This matters because a large number of phishing spam mails are sent to dupe users with malicious links that try to extract financial/personal information. An email header (present in every email) contains information about the origin of the message, every system it has passed through (with date and time) and other valuable details, which can be extracted and analyzed by header-analysis programs.
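As an added example (not code from the original article), the following Python script parses the Received: headers of a constructed sample message to reconstruct the relay path and timestamps described above, and runs two basic consistency checks an analyst would apply to a suspected phishing mail. Every hostname, address and id in RAW_MESSAGE is a placeholder, not a real capture.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not a real capture); every host, IP and id is a placeholder.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.org (mx1.example.org [203.0.113.10])
\tby inbox.example.org with ESMTP id abc123; Mon, 10 Jun 2024 10:02:05 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.7])
\tby mx1.example.org with ESMTPS id def456; Mon, 10 Jun 2024 10:02:01 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.mailer.example.net with SMTP; Mon, 10 Jun 2024 10:01:50 +0000
From: "Accounts Team" <accounts@bank.example.com>
To: victim@example.org
Subject: Verify your account

Please click the link.
"""

# Common Received: shape is "from <host> (<reverse-dns> [<ip>]) by <receiver> ...; <date>".
HOP_RE = re.compile(r"from\s+(?P<host>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received_chain(raw):
    """Relay hops oldest-first: each server prepends its own Received: line."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue  # malformed or non-standard hop: skip it, keep the rest
        ip = IP_RE.search(m.group("info") or "") or IP_RE.search(m.group("host"))
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({"host": m.group("host"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(stamp) if stamp else None})
    return hops

def header_anomalies(raw):
    """Consistency checks to run before trusting the visible From: line."""
    msg = message_from_string(raw)
    domain = lambda hdr: parseaddr(msg.get(hdr, ""))[1].rpartition("@")[2].lower()
    findings = []
    if domain("From") and domain("Return-Path") and domain("From") != domain("Return-Path"):
        findings.append(f"From domain {domain('From')} != Return-Path domain {domain('Return-Path')}")
    hops = parse_received_chain(raw)
    if hops and hops[0]["host"].startswith("["):  # origin announced itself by bare IP only
        findings.append(f"origin hop {hops[0]['ip']} has no reverse DNS name")
    return findings
```

Call `parse_received_chain(RAW_MESSAGE)` to get the hops oldest-first and `header_anomalies(RAW_MESSAGE)` for the findings. Only the Received: lines added by servers you control can be trusted; anything below them was written on the sender's side and may be forged, so the origin hop is a lead to follow up with the ISP, not proof.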
If an insider attack is suspected, or if the computer used by an external suspect can be accessed, it is possible to reconstruct their Internet activity, such as websites visited and files downloaded, from a file called index.dat, which is stored securely in most of the common browsers (it is usually difficult to delete). There are index.dat viewers/analyzers that help in extracting and documenting the details of the web activity of a suspect/attacker.
Even if an attacker uses multiple intermediary systems to carry out their attack, it is still possible to trace the attack back to the initiator, or at least to the network/ISP of the initiator. This can be done because routers across the Internet leave their own markings and record the routes taken by attack packets, and that information can be traced using appropriate tools. If the identity of the intruder cannot be traced directly, some coordination with the ISP should reveal the identity of the attacker.
Some companies set up honeypot systems that deliberately run software with known vulnerabilities. These systems are kept to entice attackers to hack into them so that the attack pattern can be studied and perhaps the source of the attack can be determined. They are isolated from the main network so that other systems are not affected by such attacks.
Logs are maintained by almost every piece of IT equipment deployed in a company. Servers, firewalls, UTM, IPS and many more devices/applications store retrievable logs that can be useful for studying a security breach when it occurs. SIEM (Security Information and Event Management) systems enable centralized collection and analysis of logs from the various security devices across the network, which is useful for analyzing and tracing an attack.
Various methodologies are adopted by organizations, government agencies and even private agencies to trace online attacks and prove the misconduct in a court of law. IT managers/Network administrators should be aware that such investigations are possible and have appropriate systems in place in order to conduct, or assist with, the investigation after a security breach.