A new start-up SME (small-medium enterprise) based in Melbourne with an E-government model has recently begun to notice anomalies in its accounting and product records. It has undertaken an initial check of system log files, and there are many suspicious entries and IP addresses with a large amount of data being sent outside the company firewall. They have also recently received a number of customer complaints saying that there is often a strange message displayed during order processing, and they are often redirected to a payment page that does not look legitimate.

Address the following questions while preparing your report as a digital forensics investigator.

a) Discuss a general overview of the methodology that you will use, and provide a reasoned argument as to why the particular method chosen is relevant. [5 Marks]
b) How should you proceed if your network forensic investigation involves other companies? [5 Marks]
c) Explore the techniques and tools that can be used in this situation. [5 Marks]
d) Describe significant challenges with network forensics in this network, including forensic acquisition and evidence preservation. [5 Marks]
e) Identify and explain three types of log files you should examine after a network intrusion.
Sol:
a)
When we look in depth at the case, we can understand that the server is at risk. The log files indicate that many unknown entries have come in and sent data outside the firewall. Also, the bug redirecting the company payment page to another fraudulent page is the same as a phishing attack.
The main methodology that I will prefer is to undertake a detailed analysis of the entire system. The server may be corrupted, and we need to understand the cause of it as soon as possible to go further. Since the firewall has also been broken, the severity is higher. An advanced scanning and checking of the firewall is needed. Until the problem is resolved, we need to shut down the payment portal.
b)
So when we proceed with our network forensic method, there is a chance of involving other companies. In that case, acquire all available data and preserve it. If possible, contact the other company and discuss the intrusion that happened to them. In crucial cases, we can go forward with agencies.
c)
We can use some techniques and tools for gathering data and understanding how it works. Let's check some of them:
* Analyse all the available data.
* Keep track of all available IP addresses.
* Make use of the tool Wireshark for analysing network packets.
* Identifying the exact problem is very important in network forensics.
d)
Challenges
* Since so much payload came in, IP tracking is difficult.
* The attacker may mask the IP address.
* If the attacker encrypted his network, it is difficult for the network forensics to identify.
* Reinstalling the firewall is needed as soon as possible.
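
The IP tracking from part c) and the evidence preservation asked about in part d), as an added example that is not part of the original answer: it records a SHA-256 digest of an acquired firewall log, then totals the bytes each internal host sent to addresses outside the company network. The log format, the `10.0.0.0/8` internal range, the threshold and the sample lines are all constructed assumptions.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Constructed sample log (format is an assumption): timestamp src dst dport bytes_out
SAMPLE_LOG = """\
2024-03-01T02:14:07Z 10.0.5.21 203.0.113.50 443 48211900
2024-03-01T02:14:09Z 10.0.5.21 10.0.5.2 53 312
2024-03-01T02:19:44Z 10.0.5.21 203.0.113.50 443 51090233
2024-03-01T09:02:13Z 10.0.7.14 198.51.100.7 443 18422
2024-03-01T09:05:40Z 10.0.5.33 198.51.100.7 80 9120
malformed line kept for the record
2024-03-02T02:11:58Z 10.0.5.21 203.0.113.50 443 47500112
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

def evidence_digest(raw: bytes) -> str:
    """SHA-256 of the acquired log, recorded before analysis so copies can be verified later."""
    return hashlib.sha256(raw).hexdigest()

def outbound_totals(log_text):
    """Return ({(src, dst): total bytes leaving INTERNAL_NET}, [line numbers that did not parse])."""
    totals = defaultdict(int)
    skipped = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            _, src, dst, _, nbytes = line.split()  # wrong field count raises ValueError
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            nbytes = int(nbytes)
        except ValueError:
            skipped.append(lineno)  # report unparsed lines instead of silently dropping them
            continue
        if src_ip in INTERNAL_NET and dst_ip not in INTERNAL_NET:
            totals[(src, dst)] += nbytes
    return dict(totals), skipped

def flag_heavy_senders(totals, threshold_bytes):
    """Pairs whose cumulative outbound volume meets the threshold, largest first."""
    hits = [(pair, n) for pair, n in totals.items() if n >= threshold_bytes]
    return sorted(hits, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    totals, skipped = outbound_totals(SAMPLE_LOG)
    print(evidence_digest(SAMPLE_LOG.encode()), flag_heavy_senders(totals, 10_000_000), skipped)
```

Run the analysis on a working copy of the log and keep the digest with the case notes, so the copy can be checked against the original acquisition.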