Individual Paper Willie F. Cason
University of Maryland University College
CSEC 650
10/20/2014
Instructor Sandro Tuccinardi
Table of Contents
Abstract______________________________________________________________3
Introduction___________________________________________________________3
Live System Data_______________________________________________________4
Intrusion Detection System_______________________________________________5
Network Intrusion______________________________________________________5/6
Embedded System______________________________________________________6/7
Conclusion_____________________________________________________________8
References_____________________________________________________________9
Abstract
Data sources drawn on to acquire evidence in digital forensics case subsequently hold opposing views. These opposing views held are very significant depending on the case. However, this paper give precedence to data sources used to acquire evidence for network intrusions, malware installations, and insider file deletions. These three events direct the arrangement to the analyzing of data presented. In addition, the paper also covers what communication is preferred, and the practicality of that data. Primary emphasis is data brought together from sources such as Live System Data, Intrusion Detection System, Network Intrusion, and Embedded System
Introduction
Digital forensics is the skill of recognizing, removing, evaluating, and displaying the digital evidence that has been amassed in the digital devices. This paper will assess at least four different sources of data that could be used in a digital forensics investigation. An assortment of digital tools and methods are being manipulated to achieve this. The four sources this paper will cover are listed as Live System Data, Intrusion Detection System, Network Intrusion, and Account Auditing. In addition, the paper will account for and make clear the forensic analysis steps in the storage media.
Live System Data
On a live system, selected digital evidence is present in the configuration of volatile data. The volatile data is directed by the operating procedure in a vibrant setting. System memory files encompass data of advancements, network connections, and interim data. These programs are used by the operating system at a specific point of time. Nonvolatile data and volatile data are dissimilar. They are dissimilar because memory data will be wiped out and cease to exist without a trail after interruption of power to the machine. After powering off the machine it will be nearly impossible to acquire the template to verify the digital evidence obtained from the live system or the dump. “Traditionally, computer forensics experts agreed that shutting the computer system down in order to preserve evidence and eliminate the potential changing of information is best practice prior to examination” (“Live Forensics and Investigations,” 2013, p. 1).
For its elevated volatility and dynamicity, it is normally agreed that validating the integrity of volatile data is impossible. One example of volatile data is system memory data. System memory data contain information of processes that are unlike nonvolatile data. System memory data will disappear and leave no clue to the trail after powering off the machine. There is not a possibility to acquire the original issue to authenticate the digital evidence obtained from the live system or the dump. Memory data have become more and more significant at court proceedings.
Intrusion Detection System
The second most useful tool for malware installation is an intrusion Detection System. Subsequently, the preliminary inquiry is concluded and the analyst has viewed an apparent virus but was not identified or discovered. The workstation should be disconnected from the network to avoid the spread of malware to other
