Question

Specification: As digital crime increases exponentially, the need for computer forensic tools grows with it. Many law enforce
Answer #1

Although the main aim of IDSs is to detect intrusions to prompt evasive measures, a further aim can be to supply evidence in criminal and civil legal proceedings. The ultimate goal of intrusion detection is to identify, preferably in real time, unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrations. In the case of anomaly intrusions, intrusion detection is based on the idea that the anomalies that may surface in a system are symptoms indicating illegal, intrusive or criminal activity. The ultimate goal, with a view to a forensic application, however, would be to obtain sufficient evidence in order to trace the crime back to the criminal. Within a computer system the natural blanket of anonymity afforded the criminal encourages destructive behavior while making it extremely difficult for law enforcers to prove the identity of the criminal. Therefore, the ability to obtain a fingerprint of system users and their typical behavior is imperative in order to acquire some hold on identifying the perpetrator. The study of available log files would always be used as fundamental in evidence collection. However, many times at a higher level it is necessary to possess a more in-depth ability to narrow the field or even establish a list of possible suspects. As we all know, computer crime is always the result of human activity on a system, be it by system users or intruders. So at this level, it is not only desirable to have some logging activity to provide evidential information, but also some mechanism to collate and collect profiles of system users. Intrusion detection systems can form a starting point that can be used by a computer forensics investigator.

Due to the complexity of today’s data breaches and intrusions, deploying and maintaining network security more frequently requires a promising system to defend against intruders and other security threats as well. Organizations securing their networks often use a combination of technologies to combat the countless cyber attack, intrusion, and compromise methods available to cyber criminals today.

Although a wide range of tools and methodologies exists, the two widespread fundamentals common to all secure enterprise network configurations are the firewall and the intrusion detection/prevention system (IDS/IDPS). A firewall controls incoming and departing traffic based on rules and policies, and acts as a wall between secure and untrusted networks. Within the secure network, an IDS/IDPS discovers suspicious activities to/from hosts and within the traffic itself and can take proactive measures to log and block attacks.

Among intrusion detection systems there are two common types of IDS that are widely used: the Network-Based Intrusion Detection System (NIDS) and the Host-Based Intrusion Detection System (HIDS).

NIDS:

Network-based intrusion detection system (NIDS) attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic. The role of a network IDS is passive, only gathering, identifying, logging and alerting. It monitors traffic on a network looking for suspicious activity, which could be an attack or unauthorized activity.

HIDS:

A host-based intrusion detection system (HIDS) examines all or parts of the dynamic behavior and the state of a computer system. It monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces. An HIDS gives you deep visibility of what’s happening on your critical systems.

Both types of Intrusion Detection System involve the gathering and analysis of information from a variety of areas contained in a computer or network to identify possible threats posed by hackers and crackers inside or outside the organization. However, the most effective fortification for a corporate network is provided by a combination of both technologies.

An IDS is simply security software that helps a user or system administrator by automatically alerting or notifying them when a user attempts to compromise an information system through malicious activity, or at the point where a violation of security policies takes place. These detections operate by inspecting traffic that occurs between hosts. These mechanisms are divided into two major forms.

  1. Signature detection
  2. Anomaly detection

Signature Detection:

This type of detection works well with threats that are already determined or known. It involves searching for a series of bytes or a sequence that is termed malicious. One of the most profitable points is that signatures are easy to develop and apply once you figure out the sort of network behavior to be found.

The main drawback of signature-based IDS is that it is easy to fool signature-based solutions by changing the way in which an attack is made; furthermore, the more advanced the IDS signature database, the higher the CPU load for the system charged with analyzing each signature.

Anomaly Detection:

The anomaly detection technique is a centralized process that works on the concept of a baseline for network behavior. This baseline is a depiction of accepted network behavior, which is learned or specified by the network administrators, or both. It’s like a guard personally interviewing everyone at the gate before they are let down the drive.

One of the major drawbacks of anomaly detection engines is the difficulty of defining rules. Each protocol being analyzed must be defined, implemented and tested for accuracy which is not always an easy task.

Whether you need to monitor your own network or host by connecting them to identify the latest threats, there are various free Intrusion Detection Systems that offer outstanding functionality and can be used at the enterprise level. Many, if not most, of these intrusion-detection systems (IDS) use a combination of engines to create solid, free intrusion-detection services.

OSSEC:

OSSEC is an open source host intrusion detection system (HIDS) which offers multiple additional modules that can be used with the core IDS functionality. In addition to intrusion detection, OSSEC can perform file integrity monitoring and rootkit detection with real-time alerts, all of which are centrally managed with the ability to create different policies, depending on a company's needs. OSSEC can run locally on most operating systems, including Linux versions, Mac OS X and Windows.

OpenWIPS-NG:

OpenWIPS-NG is a wireless IDS/IPS that relies on a server, sensors, and interfaces, and is available freely. Developed by the author of Aircrack-NG, this system has many functionalities and services already built in for scanning, detection and intrusion prevention. OpenWIPS-NG is modular and allows an administrator to download plug-ins for additional features. It also provides the facility to perform WIPS on a tight budget.
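To make the signature-versus-anomaly distinction in the answer above concrete, here is an added Python example that is not part of the original answer or of any IDS product it names: a toy signature engine (known-bad byte patterns) and a toy anomaly engine (a per-host baseline learned from accepted traffic) run over constructed log lines. The log format, hosts, sizes and signature patterns are all assumptions invented for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed "normal" traffic in an invented src=/dport=/bytes=/ua= format (not real logs).
BASELINE_LOG = (
    [f"src=10.0.0.5 dport=443 bytes={n} ua=Mozilla/5.0" for n in (480, 510, 495, 520, 505, 490)]
    + [f"src=10.0.0.7 dport=22 bytes={n} ua=-" for n in (120, 140, 130, 125, 135, 128)]
)
LINE_RE = re.compile(r"src=(\S+) dport=(\d+) bytes=(\d+) ua=(\S+)")

# Signature engine: byte sequences termed malicious (constructed for the example, not a real ruleset).
SIGNATURES = {
    "sig-dir-traversal": rb"\.\./\.\./",
    "sig-known-bad-agent": rb"EVIL-AGENT/1\.0",
}

def parse(line: str):
    """Split one log line into (src, dport, bytes, user agent)."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    src, dport, nbytes, ua = m.groups()
    return src, int(dport), int(nbytes), ua

def signature_scan(line: str) -> list[str]:
    """Signature detection: report every known-bad pattern found in the raw bytes."""
    raw = line.encode()
    return [name for name, pat in SIGNATURES.items() if re.search(pat, raw)]

def learn_baseline(lines):
    """Anomaly detection, step 1: learn accepted behaviour (ports and request sizes) per host."""
    sizes, ports = defaultdict(list), defaultdict(set)
    for src, dport, nbytes, _ in map(parse, lines):
        sizes[src].append(nbytes)
        ports[src].add(dport)
    stats = {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in sizes.items()}
    return stats, ports

def anomaly_scan(line: str, baseline, z_max: float = 3.0) -> list[str]:
    """Anomaly detection, step 2: flag deviations from the learned baseline."""
    stats, ports = baseline
    src, dport, nbytes, _ = parse(line)
    if src not in stats:
        return ["unknown-host"]          # a host with no baseline cannot be judged normal
    alerts = []
    if dport not in ports[src]:
        alerts.append(f"new-port:{dport}")
    mean, sd = stats[src]
    if sd and abs(nbytes - mean) / sd > z_max:   # z-score outlier in request size
        alerts.append(f"size-outlier:{nbytes}")
    return alerts
```

Run both engines over the same line to see the trade-off the answer describes: the known-bad user agent is caught only by the signature engine, while the never-seen port and oversized request are caught only by the anomaly engine.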
