Intrusion detection: issues and challenges in evidence acquisition

As the dangers of hacking and cyber‐warfare for network security become a reality, the need to be able to generate legally admissible evidence of criminal or other illegal online behaviours has become increasingly important. While technical systems providing intrusion detection and network monitoring are constantly being improved, the security they provide is never absolute. As a result, when assessing the value and nature of the data that these systems produce, it becomes critical to be aware of a number of factors: these systems themselves are susceptible to attack and/or evasion; these systems may collect only a partial data set; and, these data sets may themselves be flawed, erroneous or may already have been tampered with. Additionally, the issue of privacy and data protection is emerging as a central debate in forensic computing research. In this context, this paper examines intrusion detection systems (IDS) and provides the results of a case study on the use of the SNORT IDS on a university department World Wide Web (WWW) server. The case study is analysed and discussed using a forensic computing perspective. This perspective considers the nature of the intrusion detection and network monitoring security provided and evaluates the system in terms of its evidence acquisition (‘forensic’) capabilities and the legal admissibility of the digital evidence generated.