Evaluating the Availability of Forensic Evidence from Three IDSs: Tool Ability

Alsaiari, Emad
Nisbet, Alastair
Mee Loong Yang, Bobby
Degree name: Master of Forensic Information Technology
Auckland University of Technology

There is a risk whenever we use networks, computer systems and Internet technologies that things will go wrong, and we need protection in our daily lives. Thus, in many communication networks for a small business or even for home use, people implement Intrusion Detection Systems (IDS). This is to increase the security level of their assets and to detect many malicious activities. An IDS offers significant alerting and logging capabilities that may be useful for forensic purposes. Historically the IDS has been used to detect intrusions and raise alerts. However, a skilled attacker might be able to erase all logs from the compromised host, which makes it more difficult for the forensic investigator to look for other evidence. The log files generated by the IDSs are essential for identifying the source and the type of the attack, and even the identity of the attacker. However, some LAN network attackers have become very skilled at bypassing some IDSs, which has reduced the capability and efficiency of many signature-based security infrastructures. Thus, the aim of this research is to examine three IDSs and evaluate their capabilities in detecting four different types of network attacks, and additionally to investigate the IDSs' efficiency in producing admissible forensic evidence. The limitations and shortcomings of each IDS in terms of finding results from each type of attack will also be explored. The challenges and implications encountered while using the three IDSs will be examined, in order to deliver recommendations and suggestions that can assist in developing better system protection. The objective of the research addresses the implementation of three open source IDSs and their abilities for acquiring and preserving digital evidence in LAN networks. This objective will also include a report of best practice for handling and reporting trials of evidentiary material in the form of digital evidence for four common types of LAN network attacks.
The proposed system architecture consists of several devices: a firewall, the IDSs (namely PADS, OSSEC and Prelude), a forensic server and finally the end hosts. The selected IDSs forensically monitor the packets travelling to and from the proposed system. The first stage of this research was to identify and install the proposed system components, including their requirements, in order to establish a LAN network experimental environment. All IDSs were run simultaneously on a single computer to ensure that each received the same number of packets and the same attack types. The reason for this was to ensure a fair evaluation of each IDS's capability to detect attacks and produce digital forensic evidence. Four attack stages were conducted during the research: Reconnaissance, DDoS, Dictionary, and Packet Sniffing attacks. The results illustrate that the selected IDSs can be used as a source of digital evidence, and show the detection ability, strengths and weaknesses of each IDS. These results could assist LAN network forensic investigators, law enforcement and other agencies when they are conducting an investigation on similar cases. Some of the IDSs fail to detect some well-known LAN network attacks. This failure is related to the detection signature databases and the interception functionality. This research shows how each of the selected IDSs can be improved in order to extract admissible digital forensic evidence. Additionally, the opportunities for improvement, development and further research in the LAN network forensic investigation area are also provided.
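To make the evaluation described above concrete, here is an added example (not code from the thesis) that scores each IDS's alerts against the ground-truth windows of the four attack stages, lists stages no IDS covered and alerts outside every stage, and records a digest of each collected log for preservation. The alert tuples, timestamps and window times are constructed, and the parser that normalises the native PADS, OSSEC and Prelude logs into those tuples is assumed to exist separately.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed ground truth: the four attack stages of the experiment as
# (stage, start, end) windows noted by whoever ran the attacks. Times are hypothetical.
T0 = datetime(2024, 1, 1, 10, 0, 0)
ATTACK_WINDOWS = [
    ("Reconnaissance",  T0,                         T0 + timedelta(minutes=5)),
    ("DDoS",            T0 + timedelta(minutes=10), T0 + timedelta(minutes=15)),
    ("Dictionary",      T0 + timedelta(minutes=20), T0 + timedelta(minutes=25)),
    ("Packet Sniffing", T0 + timedelta(minutes=30), T0 + timedelta(minutes=35)),
]

# Constructed alerts, already normalised to (ids, timestamp, message) by a
# hypothetical parser; the native PADS/OSSEC/Prelude formats are not shown here.
ALERTS = [
    ("OSSEC",   T0 + timedelta(minutes=1),  "port scan from 10.0.0.5"),
    ("Prelude", T0 + timedelta(minutes=2),  "scan detected"),
    ("Prelude", T0 + timedelta(minutes=12), "SYN flood"),
    ("OSSEC",   T0 + timedelta(minutes=21), "sshd: multiple failed logins"),
    ("PADS",    T0 + timedelta(minutes=40), "new asset seen"),  # outside every window
]

def detection_matrix(alerts, windows):
    """Count, per IDS and per attack stage, the alerts that fall inside the stage's window.
    Because all IDSs saw the same packets, a zero here is a genuine detection gap."""
    names = sorted({ids for ids, _, _ in alerts})
    matrix = {ids: {stage: 0 for stage, _, _ in windows} for ids in names}
    for ids, ts, _msg in alerts:
        for stage, start, end in windows:
            if start <= ts <= end:
                matrix[ids][stage] += 1
    return matrix

def missed_stages(matrix, windows):
    """Stages for which no IDS produced any alert: evidence must come from elsewhere."""
    return [s for s, _, _ in windows if all(row[s] == 0 for row in matrix.values())]

def unattributed_alerts(alerts, windows):
    """Alerts outside every attack window: candidate false positives to explain in the report."""
    return [a for a in alerts if not any(st <= a[1] <= en for _, st, en in windows)]

def evidence_digest(raw_log: bytes) -> str:
    """SHA-256 of a log file exactly as collected, recorded before analysis so the
    copy presented later can be shown to be unaltered."""
    return hashlib.sha256(raw_log).hexdigest()
```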

Keywords: LAN attack, DDoS attack, Port Scanning attack, IDS, Type of IDS