Original Articles

Intrusion detection: issues and challenges in evidence acquisition

Pages 149-164 | Published online: 22 Jan 2007
 

Abstract

As the dangers of hacking and cyber‐warfare for network security become a reality, the need to be able to generate legally admissible evidence of criminal or other illegal online behaviours has become increasingly important. While technical systems providing intrusion detection and network monitoring are constantly being improved, the security they provide is never absolute. As a result, when assessing the value and nature of the data that these systems produce, it becomes critical to be aware of a number of factors: these systems are themselves susceptible to attack and/or evasion; these systems may collect only a partial data set; and these data sets may themselves be flawed, erroneous or may already have been tampered with. Additionally, the issue of privacy and data protection is emerging as a central debate in forensic computing research. In this context, this paper examines intrusion detection systems (IDS) and provides the results of a case study on the use of the SNORT IDS on a university department World Wide Web (WWW) server. The case study is analysed and discussed from a forensic computing perspective. This perspective considers the nature of the intrusion detection and network monitoring security provided and evaluates the system in terms of its evidence acquisition (‘forensic’) capabilities and the legal admissibility of the digital evidence generated.

Notes

Correspondence: Vlasti Broucek, School of Information Systems, Private Bag 87, Hobart TAS 7001, Australia. Tel: +61‐3‐62262346; Fax: +61‐3‐62262883. E‐mail: [email protected].

Forensic Computing (FC) has been previously defined as ‘the process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable’ (R McKemmish ‘What is forensic computing’ Trends and Issues in Crime and Criminal Justice 118, 1999) and is becoming an important academic discipline attracting a growing number of researchers.

D Farmer and W Venema ‘Improving the security of your site by breaking into it’ 1993. Retrieved 12 January 2001, from http://www.fish.com/security/admin‐guide‐to‐cracking.html.

M Handley, V Paxson and C Kreibich ‘Network intrusion detection: evasion, traffic normalization, and end‐to‐end protocol semantics’ in 10th USENIX Security Symposium Washington, DC, USA, 2001; T H Ptacek and T N Newsham ‘Insertion, evasion, and denial of service: eluding network intrusion detection’ 1998. Retrieved 11 November 2001, from http://www.snort.org/docs/idspaper/.

M Roesch ‘Snort—lightweight intrusion detection for networks’ in 13th Systems Administration Conference—LISA '99. Seattle, WA, 1999; M Roesch ‘Snort 1.8.7’ [man pages] 2001a; M Roesch Snort Users Manual—Snort Release: 1.8.7, 2001b, Retrieved 27 July 2002, from http://www.snort.org.

P R Stephenson ‘The application of intrusion detection systems in a forensic environment’ in Recent Advances in Intrusion Detection—RAID 2000 Toulouse, France, 2000a. P R Stephenson ‘Intrusion management: a top level model for securing information assets in an enterprise environment’ in U E Gattiker (ed), EICAR 2000, 2000b, pp 287–298.

P Sommer ‘Digital footprints: assessing computer evidence’ Criminal Law Review Special Edition, 61–78, 1998a. P Sommer ‘Intrusion detection systems as evidence’ in Recent Advances in Intrusion Detection—RAID '98. Louvain‐la‐Neuve, Belgium, 1998b. P Sommer ‘Intrusion detection systems as evidence’ Computer Networks Vol 31, Nos 23–24, pp 2477–2487, 1999.

A Patel and S O Ciardhuáin ‘The impact of forensic computing on telecommunications’ IEEE Communications Magazine pp 64–67, November 2000.

See http://www.sniffer.com/common/media/sniffer/pdf/channel_media_2_24_03.pdf, http://www.sniffer.com/common/media/sniffer/pdf/computer_world_2_25_03.pdf, http://www.sniffer.com/products/infinistream/default.asp?A=5.

R Bace and P Mell ‘Intrusion detection systems’, 2001. Retrieved 23 March 2002, from http://csrc.nist.gov/publications/nistpubs/800‐31/sp800‐31.pdf.

Ibid.

B Laing ‘How to guide: implementing a network based intrusion detection system’ 2000. Retrieved November 21, 2001, from http://www.snort.org/docs/iss‐placement.pdf.

Bace and Mell, op cit, note 9; Laing, op cit, note 11.

E Lundin ‘Anomaly‐based intrusion detection: privacy concerns and other problems’ Computer Networks, Vol 34, No 4, pp 623–640, 2000. E Lundin and E Jonsson ‘Privacy vs intrusion detection analysis’ in The 2nd International Workshop on Recent Advances in Intrusion Detection (RAID '99). Lafayette, Indiana, USA, 1999a. E Lundin and E Jonsson ‘Some practical and fundamental problems with anomaly detection’ in The 4th Nordic Workshop on Secure IT Systems (NORDSEC '99). Kista, Sweden, 1999b.

V Broucek and P Turner ‘Bridging the divide: rising awareness of forensic issues amongst systems administrators’ Paper presented at The 3rd International System Administration and Networking Conference, 27–31 May 2002, Maastricht, The Netherlands, 2002b. V Broucek and P Turner ‘Risks and solutions to problems arising from illegal or inappropriate on‐line behaviours: two core debates within forensic computing’ Paper presented at The EICAR2002 Conference, 8–11 June 2002, Berlin, Germany, 2002d.

N Desai ‘Increasing performance in high speed NIDS: a look at Snort's internals’, 2002. Retrieved 13 March 2002, from http://www.snort.org/docs/Increasing_Performance_in_High_Speed_NIDS.pdf; Handley et al, op cit, note 3; C Kruegel and T Toth ‘Automatic rule clustering for improved, signature based intrusion detection’ 2003. Retrieved 16 January 2003, from http://www.infosys.tuwien.ac.at/snort‐ng/snort‐ng.pdf.

R Clayton ‘The limits of traceability’ 2000. Retrieved 10 December 2002, from http://www.cl.cam.ac.uk/~rnc1/The_Limits_of_Traceability.pdf.

Ptacek and Newsham, op cit, note 3.

Handley et al, op cit, note 3; P Mell, D Marks and M McLarnon ‘A denial‐of‐service resistant intrusion detection architecture’ Computer Networks, Vol 34, pp 641–658, 2000.

See ESB‐2003.0141—Snort Vulnerability Advisory—[SNORT‐2003‐001] at http://www.auscert.org.au/render.html?it=2816.

Sommer, 1998b, 1999, op cit, note 6.

J Christy ‘Rome Laboratory attacks: prepared testimony of Jim Christy, Air Force Investigator, before the Senate Governmental Affairs Committee, Permanent Investigation Subcommittee, May 22, 1996’ in D E Denning and P J Denning (eds) Internet Besieged: Countering Cyberspace Scofflaws ACM Press, 1998, pp 57–65.

J Klensin ‘RFC2821‐simple mail transfer protocol’ 2001. Retrieved 12 December 2001, from http://www.ietf.org/rfc/rfc2821.txt?number=2821; J B Postel ‘RFC821‐simple mail transfer protocol’ 1982. Retrieved 12 December 2001, from http://www.ietf.org/rfc/rfc0821.txt?number=821.

J Biskup and U Flegel ‘On pseudonymization of audit data for intrusion detection’ in Workshop on Design Issues in Anonymity and Unobservability (Designing Privacy Enhancing Technologies) Berkeley, CA Vol 2009. Springer, Berlin, 2000a, pp 161–180. J Biskup and U Flegel ‘Threshold‐based identity recovery for privacy enhanced applications’ In 7th ACM Conference on Computer and Communications Security (CCS 2000) Athens, Greece: ACM, 2000b, pp 71–79. J Biskup and U Flegel ‘Transaction‐based pseudonyms in audit‐data for privacy respecting intrusion detection’ in Third International Workshop on Recent Advances in Intrusion Detection (RAID 2000). Toulouse, France, Vol 1907 Springer, Berlin, 2000c, pp 28–48; H Kvarnström, E Lundin and E Jonsson ‘Combining fraud and intrusion detection‐meeting new requirements’ in The fifth Nordic Workshop on Secure IT systems (NordSec2000) Reykjavik, Iceland, 2000; Lundin, op cit note 13; Lundin and Jonsson, op cit note 13; M Sobirey, S Fischer‐Hübner and K Rannenberg ‘Pseudonymous audit for privacy enhanced intrusion detection’ in L Yngstrom and J Carlsen (eds) IFIP TC11 13th International Conference on Information Security (SEC'97) Copenhagen, Denmark. Chapman & Hall, London, 1997, pp 151–163.

V Broucek and P Turner ‘Intrusion detection: forensic computing insights arising from a case study on SNORT’ in U E Gattiker (ed) EICAR Conference Best Paper Proceedings Copenhagen, Denmark, 2003.

Australian Computer Emergency Response Team ‘UNIX Security Checklist v2.0’ 2001a. Retrieved 19 November 2001, from http://www.auscert.org.au/Information/Auscert_info/Papers/usc20.html; Australian Computer Emergency Response Team ‘UNIX Security Checklist v2.0‐the essentials’ 2001b. Retrieved 19 November 2001, from http://www.auscert.org.au/Information/Auscert_info/Papers/usc20_essentials.html; D Smith and J Indulska ‘Enhancing security of Unix systems’ 2001. Retrieved 17 November 2001, from http://www.auscert.org.au/Information/Auscert_info/Papers/Enhancing_Security_of_Unix_Systems.html.

W Venema ‘TCP WRAPPER: network monitoring, access control, and booby traps’ in 3rd UNIX Security Symposium Baltimore, USA, 1992.

Roesch, 1999, 2001a, 2001b, op cit, note 4.

Fully qualified domain name.

V Broucek and P Turner ‘Bridging the divide: rising awareness of forensic issues amongst systems administrators’ in 3rd International System Administration and Networking Conference Maastricht, The Netherlands, 2002a; V Broucek and P Turner ‘Risks and solutions to problems arising from illegal or inappropriate on‐line behaviours: two core debates within forensic computing’ in U E Gattiker (ed) EICAR Conference Best Paper Proceedings Berlin, Germany, 2002c, pp 206–219; Sommer, 1998b, 1999, op cit, note 6.

A ‘trusted host’ is a host that is considered to pose no risk to the system/network.

Biskup and Flegel, 2000a, 2000b, 2000c, op cit, note 23; Kvarnström et al, op cit, note 23; Lundin, op cit, note 13; Lundin and Jonsson, op cit, note 13; Sobirey et al, op cit, note 23.

Sommer, 1998b, 1999, op cit, note 6.

Broucek and Turner, 2002a, 2002c, op cit, note 29.

McKemmish, op cit, note 1.

Additional information

Notes on contributors

Vlasti Broucek
