Intrusion Detection: Forensic Computing Insights arising from a Case Study on SNORT

As the dangers of hacking and cyber-warfare for network security become a reality, the need to be able to generate legally admissible evidence of criminal or other illegal on-line behaviours has become increasingly important. While technical systems providing intrusion detection and network monitoring are constantly being improved, the security they provide is never absolute. As a result, when assessing the value and nature of the data these systems produce, it becomes critical to be aware of a number of factors: these systems themselves are susceptible to attack and/or evasion (Arona, Bruschi, & Rosti, 1999; Handley, Paxson, & Kreibich, 2001; Ptacek & Newsham, 1998); these systems may only collect a partial data set; and, these data sets may themselves be flawed, erroneous or already have been tampered with (Broucek & Turner, 2002b). Additionally, the issue of privacy and data protection is emerging as a central debate in forensic computing research (Broucek & Turner, 2002b). In this context, this paper provides a detailed case study on the use of the SNORT intrusion detection system (IDS) on a university department World Wide Web (WWW) server. The case study is analysed and discussed using a forensic computing perspective. This perspective considers the nature of the intrusion detection and network monitoring security provided and evaluates the system in terms of its evidence acquisition (“forensic”) capabilities, the legal admissibility of the digital evidence generated and privacy implications of intrusion detection systems and network monitoring.