Lecture by Peter Stephenson, CPE, PCE
Director of Technology, Netigy Corporation, San Jose, California PhD Research Student, Oxford Brooks University, Oxford, UK
ABSTRACT: The concepts of intrusion detection and forensic analysis often are not considered together, even though the intrusion detection system (IDS) is the most likely candidate for gathering information useful in tracing and analyzing a network-based computer security incident. From the standpoint of the security practitioner, the primary use for the IDS is detection and response. To extend that to include forensic analysis of the event implies going outside the parameters of most intrusion detection systems.
Contrary to that belief, however, is the obvious concept that, when an event occurs, there is a high probability that the IDS will be the only thing watching the network in significant enough detail to capture the event and any precursor events in their entirety. Thus, the application of the output of an IDS to the investigation and potential prosecution of an attack against computers on a network is of interest both to practitioners and to researchers.
This lecture will discuss the details of intrusion detection systems in the context of their use as investigative tools, fundamentals of forensic computer analysis and network forensic analysi,s and some potential methods of combining techniques to enable investigation and prosecution of computer-related crime.
Specific topics to be covered include:
• Intrusion detection system architectures
• Application of forensic computer analysis
• Current network forensic analysis techniques
• Legal requirements for the use of forensic evidence
• Using forensics for system recovery (operational forensics) • Examination of an IDS suitable for use in forensic analysis of attacks • Problems and challenges in the forensic application of intrusion detection...