Evaluating the Availability of Forensic Evidence from Three IDSs: Tool Ability

aut.embargo: No
aut.thirdpc.contains: No
aut.thirdpc.permission: No
aut.thirdpc.removed: No
dc.contributor.advisor: Nisbet, Alastair
dc.contributor.advisor: Mee Loong Yang, Bobby
dc.contributor.author: Alsaiari, Emad
dc.date.accessioned: 2016-11-29T01:52:16Z
dc.date.available: 2016-11-29T01:52:16Z
dc.date.copyright: 2016
dc.date.created: 2016
dc.date.issued: 2016
dc.date.updated: 2016-11-29T00:05:36Z
dc.description.abstract: Whenever we use networks, computer systems and Internet technologies there is a risk that things will go wrong, so protection is needed in our daily lives. For this reason, many communication networks, whether for a small business or for home use, include an Intrusion Detection System (IDS) to raise the security level of their assets and to detect malicious activity. An IDS offers significant alerting and logging capabilities that may be useful for forensic purposes. Historically the IDS has been used to detect intrusions and raise alerts. However, a skilled attacker may be able to erase all logs from a compromised host, which makes it more difficult for the forensic investigator to find other evidence. The log files generated by IDSs are essential for identifying the source and type of an attack, and even the identity of the attacker. Some LAN attackers have also become very skilled at bypassing IDSs, which has reduced the capability and efficiency of many signature-based security infrastructures. The aim of this research is therefore to examine three IDSs and evaluate their capabilities in detecting four different types of network attack, and additionally to investigate the IDSs' efficiency in producing admissible forensic evidence. The limitations and shortcomings of each IDS in terms of finding evidence for each type of attack are also explored. The challenges and implications encountered while using the three IDSs are examined in order to deliver recommendations and suggestions that can assist in developing better system protection. The objective of the research addresses the implementation of three open-source IDSs and their abilities to acquire and preserve digital evidence from LAN networks.
This objective also includes a report of best practice for handling and reporting trials of evidentiary material in the form of digital evidence for four common types of LAN attack. The proposed system architecture consists of several devices: a firewall, the IDSs, namely PADS, OSSEC and Prelude, a forensic server and finally the end hosts. The selected IDSs forensically monitor the packets travelling to and from the proposed system. The first stage of this research was to identify and install the proposed system components, including their requirements, in order to establish a LAN experimental environment. All IDSs ran simultaneously on a single computer so that each received the same packets and attack types, ensuring a fair evaluation of each IDS's capability to detect attacks and produce digital forensic evidence. Four attack stages were conducted during the research: reconnaissance, DDoS, dictionary and packet sniffing attacks. The results illustrate that the selected IDSs can be used as a source of digital evidence, and show the detection ability, strengths and weaknesses of each IDS. These results could assist LAN forensic investigators, law enforcement and other agencies when investigating similar cases. Some of the IDSs fail to detect some well-known LAN attacks; this failure is related to their detection signature databases and their interception functionality. This research shows how each of the selected IDSs can be improved in order to extract admissible digital forensic evidence. Additionally, opportunities for improvement, development and further research in LAN forensic investigation are provided.
dc.identifier.uri: https://hdl.handle.net/10292/10232
dc.language.iso: en
dc.publisher: Auckland University of Technology
dc.rights.accessrights: OpenAccess
dc.subject: LAN attack
dc.subject: DDoS attack
dc.subject: Port Scanning attack
dc.subject: IDS
dc.subject: Type of IDS
dc.title: Evaluating the Availability of Forensic Evidence from Three IDSs: Tool Ability
dc.type: Thesis
thesis.degree.grantor: Auckland University of Technology
thesis.degree.level: Masters Theses
thesis.degree.name: Master of Forensic Information Technology
Files
Original bundle
Name: AlsaiariEA.pdf
Size: 5.15 MB
Format: Adobe Portable Document Format
Description: Whole thesis
License bundle
Name: license.txt
Size: 897 B
Format: Item-specific license agreed upon to submission