Drive acquisition is a fundamental process in the field of digital forensics, but the acquisition of an entire hard drive must be a forensically sound image that is a flat file bit stream image. Volatile data is extremely valuable evidence that can easily be lost, as it is data that is stored in RAM, a Window’s page file, or other repository that is wiped clean when a computer is shutoff. Both of these items need to have their accuracy guaranteed through hashing, which is basically a digital signature from the original hard drive or volatile data that is matched to the exact mirror image backup of that data. If these hashes do not match, the copy of the data is not considered to be a true, forensically sound copy of the original data.

The following table summarizes details of a handful of the top forensic tools on the market today.

Based on the various features and types of data searched, if a company were to purchase just one of these tools, it would have to be P2 Enterprise Edition (P2EE) by Paraben Corporation. P2EE offers all of the required functions and features for most forensic teams, while also giving an organization the tools it needs to be proactive in monitoring and storing digital evidence.

However, if an organization truly had no budget limitation, it should purchase:

• P2 Enterprise Edition by Paraben Corporation
• Forensic Toolkit (FTK) by AccessData
• EnCase Enterprise from Guidance Software

FTK provides numerous features that P2EE does not, such as recovering passwords from a plethora of applications, as well as steganography, which many terrorist and child pornography rings use to avoid detection. EnCase Enterprise is very similar to PS Enterprise Edition, so it may simply be overkill to have both, but a larger company should definitely consider it since the cost of running both would be minimal compared to the consequences of one missing something that the other may catch.

By combining these three forensic suites, a digital forensic team would be able to accurately track, monitor, gather, and report digital evidence to any law enforcement or organization that requires it, both proactively and reactively.

Sources:

1. http://www.accessdata.com/forensictoolkit.html
2. http://www.e-fense.com/h3-enterprise.php
3. http://www.guidancesoftware.com/products/ef_index.aspx
4. http://www.paraben-enterprise.com
5. http://www.paraben-enterprise.com/p2es.html
6. http://www.paraben-enterprise.com/p2ee.html
7. http://www.techpathways.com
8. http://www.techpathways.com/prodiscoverin.htm
9. http://www.scmagazineus.com/Forensic-Toolkit-v20/Review/2380/
10. http://www.scmagazineus.com/Paraben-P2-Enterprise-Shuttle/Review/78/
11. http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=369&osCsid=2ba225bcdf31dd81d958f939efd173d3
12. http://www.techpathways.com/order.htm
13. http://www.scmagazineus.com/Guidance-Software-EnCase-Forensic-v-6/Review/159/
14. http://findarticles.com/p/articles/mi_m0EIN/is_2002_August_1/ai_89956939/

In the absence of a wireless probe to monitor the airwaves, security personnel can manually search for rogue access points. An inexpensive but effective method for finding potential rogues is to use a freely available Transmission Control Protocol (TCP) port scanner that identifies enabled TCP ports from various devices connected to the network.

The steps to discover a rogue access point begin with running the port scanner software from a computer connected to the network. The utility uncovers all Port 80 (HTTP) interfaces on the network, which include all Web servers, some printers, and nearly all access points. The access point will generally respond to the port scanner’s ping with the vendor name and its corresponding Internet Protocol (IP) address.

Once an access point is discovered, the network administrator must determine if the access point is or is not a rogue. Ideally, the administrator would use software that would allow a pre-configured authorized list of access points. If the scanning for rogue access points is manual, a list of authorized access points is still necessary. The authorized list can be populated using the following attributes:

• MAC Address
• SSID
• Vendor
• Radio Media Type
• Channel

The aforementioned attributes, determined automatically or manually if software is not being used, will alert the detection tool if access points with differing attributes from the authorized list are present.

When rogue access points are determined, the administrator must have procedures in place to identify their locations.

Perhaps the most difficult step in this discovery process is to determine the physical location of the rogue access point. Router table entries may help. A routing table is present on all IP nodes.

The routing table stores information about IP networks and how they can be reached. Because all nodes perform some form of IP routing then any node loading the TCP/IP protocol has a routing table. When an IP packet is to be forwarded, the routing table is used to determine the physical or logical interface used to forward the packet to either its destination or the next router.

With the information derived from the routing table, a rogue IP address may be located by determining which node the address utilizes. Keep in mind that the location of nodes must be correlated with the addresses in the routing table. The limited operational distance of the RF signal can be useful in narrowing down the physical location of the rogue access point as well.

Perhaps the most fundamental step in protecting against a rogue access point may be having a security policy. A security policy should outline the rules against unauthorized wireless devices and employees should be educated about the policy.  This will help stop the most common users of unauthorized devices, employees.

Sources:

1. http://compnetworking.about.com/cs/wireless/g/bldef_ap.htm

2. http://www.wi-fiplanet.com/tutorials/article.php/1564431

3.http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnbb_tcp_oauc.mspx?mfr=true

4. http://whitepapers.zdnet.co.uk/0,1000000651,260114539p,00.htm

5. http://www.manageengine.com/products/wifi-manager/rogue-access-point-detection.html

6. http://www.smallbusinesscomputing.com/webmaster/article.php/3590656

7. How to Cheat at Securing a Wireless Network, Chris Hurley and Lee Barken

1. Port scanner
2. Network scanner
3. Web application security scanner
4. Computer malware scanner

While it isn’t important to delve into detail about what each of these scanners does, it is extremely important that you understand the weaknesses in your system. The Internet is awash with suggestions about which security scanner would be best for your computer. But don’t worry, these are free! So you can try them all and choose the one you are most comfortable using.

• Let’s start with the Nessus Project. This program provides heavy Internet users a free, powerful, and easy to use remote scanner.  Nessus scanner can be used throughout an entire enterprise, inside DMZs and across physically separate networks.  It is available for a variety of operating systems including: Window, Mac, Linux, FreeBSD, and Solaris.

• Next comes the MBSA or Microsoft Baseline Security Analyzer is a free tool to analyze a Window’s computer security configuration.  This tool points out the weaknesses in your system AND recommends how to fix them.

• GFI LANguard on the other hand analyzes and archives events logs of all machines in a network and alerts you in real time of a security breach.  This network and security scanner addresses patch management, network auditing, and vulnerability issues in one package.

• Next up is the Tripwire. This is software that checks for major changes in your system. It also monitors key attributes of all files that should not change including binary signature, size, expected change of size etc.

• Then there is the Nmap (Network Mapper), which even though is not a vulnerability scanner technically; it helps find potential vulnerabilities that are hiding in plain sight.  Nmap is able to fingerprint a network and tell what types of operating systems, applications, versions, firewalls, etc may be running on a network.

Just picking and running a vulnerability scanner is not enough. You have to take time to evaluate the results of the scan and always apply the appropriate remedies.  Keep in mind that as useful as these tools are for network administrators to assess the security of their systems, they are also useful for attackers.  An attacker uses vulnerability scanners to perform network reconnaissance on a potential target.  Their aim is to determine what weaknesses are present that they may be able to exploit and break-in.

Here are some easy ways to spot if your computer is infected by malware. For your convenience, we will divide the symptoms in two broad categories: Symptoms found during surfing the net and symptoms found while generally working on the computer.

While Internet browsing, your computer may be infected if:

• Excessive pop-ups that keep popping up no matter whatever you are browsing. Also if these pop-ups are X-rated, you can be sure that something is not right!
• You are greeted with a homepage that you don’t recognize or don’t remember having set it. If repeated attempts at changing the settings fail, you should definitely be concerned.
• Your browser crashes unexpectedly or presents error messages mentioning unusual file names.
• Browsing speed is slow. But in certain countries owing to a difference in bandwidth, browsing speed maybe naturally slow. What I mean is, if your browsing speed is slower than usual and if you find pages taking an eternity to open, you should definitely scan your computer for infections.
• Your bookmarks or your favorites have changed without your knowledge.
• The search engine preferences have been changed without your knowledge.

While general use, your computer may be infected if:

• Your computer becomes slow, programs do not respond to commands and machine hangs.
• You notice unfamiliar icons and shortcuts on your desktop which weren’t there before. Also if there are significant changes in your desktop appearance, color schemes wallpaper, font size etc.
• Your computer shuts down unexpectedly.
• Your taskbar vanishes.
• You notice unfamiliar message boxes.
• While shutting down, your machine notifies you that there are ‘other users’ connected to the same network.
• Your machine freezes without warning.