Gregory J. Lubinsky
Andrew J. Mahaney
Abstract
Cooperation between law enforcement and private corporations leads to the categorizing of computer crime incidents and expands knowledge to include training for, combating, and restoring from incidents, giving better response times in detecting, isolating and prosecuting the offenders. Life's lessons come from comparing two unrelated fields of interest that both use the same methods to effect the same outcome. Just as a fire can lead to better prevention methods, the restoration of a computer system can lead to better protection methods against various incidents. Lastly different types of intrusions
Identifying Incidents
Categories of Incidents
Law Enforcement and Corporate Cooperation. The federal government and US-CERT developed a method of identifying and categorizing computer incidents. Numbered from 0 to 6 (see Appendix), each category is a level of intrusion detection, with the exception of category zero, which is a testing scenario for training purposes to heighten awareness, detection and recovery from computer incidents, and category six, which is an ongoing investigation (US-CERT).
Similarities of both incidents. A person cannot compare a "high water or low water" boiler casualty to an intrusion on a computer. However, in both instances there are similarities that constitute controlling the situation and recovering from the casualty. The main purpose of both is to control the situation so no further damage occurs, find the cause, and correct the situation to return to normal operation. It is no different in civilian life: when the electricity goes out in a supermarket, the manager or owner has to establish rules that govern security in the store to prevent loss of frozen foods, theft by customers, and the influx and outflux of people entering and leaving the store. Everybody does it, and everyone has a different name for it! The secret is control and action: the ability to control situations by a series of actions, rehearsed or not rehearsed, to prevent loss or damage of important resources. Take for instance a business that was struck by fire and part of the building was damaged. During the restoration of the building, the owner may install fire-retardant walls and flooring, insulation and paint. This constitutes added preventative measures that were not present to begin with. The point being that these
INTRODUCTION TO COMPUTER FORENSICS 4
measures are not exclusive to fire damage; it is practice in all forms of business and personal life. Computers are no different: after an attack, the team has to prevent further instances from occurring, or at least deter the incident longer so control of the situation can commence, possibly before loss
Combating Intrusions
Installed Systems
IDS and NIDS Systems. These systems are designed to handle intrusions. IDS and NIDS monitor the packets; for example, a system that watches for a large number of TCP connection requests (SYN) to many different ports on a target machine can show an intruder scanning the TCP ports, as a hacker would with the intention of causing denial of service to a system. NIDS can watch all traffic on the network, while the IDS monitors the many machines (WindowsSecurity, 2010). SIV monitors system files so that when a hacker changes the files, the SIV (Security Integrity Verifier) can catch him in the act, and it also watches other components like the Registry and cron configuration. LFM monitors the log files generated by network services. Honeypots, fly-traps, lures and decoys are
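The SYN-based port-scan detection the paragraph describes, as an added example (not code from the paper or from WindowsSecurity): it parses a constructed, iptables-style firewall log and flags any source that sent pure SYN requests to many distinct ports on one target, while leaving a normal client that repeatedly connects to a single port alone. The log format, addresses and the threshold of five ports are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of iptables-style log lines (made up for this example):
# one inbound TCP packet per line, with the TCP flags at the end.
SAMPLE_LOG = """\
May 01 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
May 01 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
May 01 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
May 01 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
May 01 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
May 01 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=110 SYN
May 01 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=143 SYN
May 01 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=443 SYN
May 01 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
May 01 10:00:04 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
May 01 10:00:04 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=443 ACK
"""

# Assumed line layout: source, destination, destination port, then the flag list.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+) (?P<flags>[A-Z ]+)$"
)


def parse_syn_events(log_text):
    """Yield (src, dst, dport) for every pure SYN packet, i.e. a fresh connection request."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP packet line we understand
        flags = m.group("flags").split()
        # SYN without ACK opens a connection; SYN-ACK and ACK belong to replies
        # or already-established traffic and say nothing about scanning.
        if "SYN" in flags and "ACK" not in flags:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def detect_port_scans(log_text, port_threshold=5):
    """Map (src, dst) to the sorted list of ports probed, for sources that sent
    SYNs to at least `port_threshold` distinct ports on a single target."""
    probed = defaultdict(set)
    for src, dst, dport in parse_syn_events(log_text):
        probed[(src, dst)].add(dport)
    return {pair: sorted(ports) for pair, ports in probed.items() if len(ports) >= port_threshold}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible TCP port scan from {src} against {dst}: ports {ports}")
```

Here the scanner touches eight ports and is reported, while the client that only ever connects to port 443 is not; a production detector would also bound the count to a time window so that slow, spread-out probing is caught.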
Physical Intrusions have the advantage of the hacker having physical contact with the machine, in which case he can dismantle it piece by piece or install Trojans and viruses locally (WindowsSecurity, 2010). System Intrusions usually already have a low-level account on the system; a system that does not have the latest patches makes a good target for intrusion by the hacker (WindowsSecurity, 2010). Remote Intrusion is where the hacker attempts to penetrate the system remotely from within the network with no special clearances, and will have a harder time if a firewall exists between him and the target machine (WindowsSecurity, 2010). Other forms of
infiltration are software bugs, such as buffer overflows, and unexpected combinations, like sending a language such as Perl that tells the computer what to do, so that when the user wants one program to start, the computer opens a completely different program. Default configurations are dangerous: although they may be easy to use, they are also easy to hack; this is in reference to Unix and Windows NT systems. Lazy administrators cause most of the problems because they do not want to configure the passwords now, while setting up; they want to get the machine
Countering attacks can be fun for some people, but some of the most common counter attacks are ping sweeps, TCP, UDP and account scans, and OS identification
identify the operating system. Standards usually state how machines should
input. Thus, each operating system's unique responses to invalid inputs form a signature that hackers can use to figure out what the target machine is. This type of activity occurs at a low level (like stealth TCP scans) that systems do not log (WindowsSecurity, 2010).
References
Pfleeger, C.P. & Pfleeger, S.L. (2007). Security in computing (4th ed.). Upper Saddle River, N.J.: Prentice Hall.
Steel, C. (2006). Windows forensics, a field guide for conducting corporate computer
reportingRequirements.html website
windowsecurity.com/whitepapers/FAQ_Network_Intrusion_Detection_Systems_.html#1. website
Appendix