Data reduction capabilities as described in previous sections;
Data Recovery. This feature comprises the ability to extract from the intercepted traffic not only the connections but also the payloads, for the purpose of interpreting the formats of files exchanged during the transaction;
Ability to recognize covert channels (not absolutely essential but still highly recommended);
Read Only During Collection and Examination. This is an indispensable feature for this type of tool;
Complete Collection. This is one of the most important requisites. It is important that all packets are captured, or else that all losses are minimized and documented;
Intrinsic Security, with special emphasis on connections between points of acquisition, collection repositories, administrative users, etc.
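The Data Recovery and Complete Collection requirements above can be illustrated together: payloads have to be reassembled from the captured segments, and any bytes that were never captured have to be accounted for rather than silently dropped. The following is an added example, not code from the chapter or from the IRItaly project. It works on a constructed list of TCP segments (the `Segment` class, the sequence numbers and the PDF-like bytes are all assumptions made here), reassembles the stream in sequence order, discards retransmissions, records every gap as a documented loss, pads the gap so offsets stay correct, identifies the file format from its magic bytes and hashes the reconstructed payload so the examination can later be shown to have run on the same bytes.

```python
"""Reassemble captured TCP payload bytes and document capture losses.

Added example for the forensic-tool requirements above; the segments
below are constructed sample data, not a real capture.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # payload bytes carried by this segment


# Magic-byte prefixes used to interpret the recovered file (short, common set).
MAGIC = {
    b"%PDF-": "PDF",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"PK\x03\x04": "ZIP",
    b"GIF8": "GIF",
    b"\x7fELF": "ELF",
}


def identify_format(data: bytes) -> str:
    """Return a file-type label based on the leading magic bytes."""
    for prefix, label in MAGIC.items():
        if data.startswith(prefix):
            return label
    return "unknown"


def reassemble(segments, first_seq):
    """Rebuild the byte stream starting at sequence number first_seq.

    Returns (payload, gaps): gaps is a list of (start_seq, end_seq) ranges
    for which no bytes were captured. Missing ranges are filled with zero
    bytes so that later offsets remain correct, and they are reported
    instead of being hidden.
    """
    out = bytearray()
    gaps = []
    expected = first_seq
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue  # retransmission or duplicate: nothing new
        if seg.seq > expected:
            gaps.append((expected, seg.seq))          # documented loss
            out.extend(b"\x00" * (seg.seq - expected))  # placeholder bytes
            expected = seg.seq
        out.extend(seg.payload[expected - seg.seq:])  # skip overlapping prefix
        expected = end
    return bytes(out), gaps


def capture_report(segments, first_seq):
    """Summarise one reassembled stream for the examination record."""
    payload, gaps = reassemble(segments, first_seq)
    missing = sum(end - start for start, end in gaps)
    return {
        "payload_length": len(payload),
        "missing_bytes": missing,
        "gaps": gaps,
        "complete": not gaps,
        "format": identify_format(payload),
        # Hash of the reconstructed bytes (placeholders included), recorded
        # together with the gap list so the reconstruction is reproducible.
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


# Constructed sample: a small PDF-like response split into four segments.
# The segment at seq 1009 was "lost" by the sensor; seq 1000 arrives twice.
SAMPLE_FIRST_SEQ = 1000
SAMPLE_SEGMENTS = [
    Segment(1038, b"%%EOF\n"),
    Segment(1000, b"%PDF-1.4\n"),
    Segment(1017, b"<< /Type /Catalog >>\n"),
    Segment(1000, b"%PDF-1.4\n"),  # retransmitted copy
]

if __name__ == "__main__":
    report = capture_report(SAMPLE_SEGMENTS, SAMPLE_FIRST_SEQ)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the block reports a 44-byte PDF payload with one gap of 8 bytes at sequence numbers 1009 to 1017, so the examiner knows the recovered file is incomplete and exactly where. Adding the lost segment back produces a report with no gaps, which is the Complete Collection case.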
4. Experimentation: Using GPL Tools for Investigation and Correlation
So far we have introduced logs, correlation techniques and the associated security issues. As for the tools used for this type of analysis and investigation, there are GPL or open source projects whose main goal is to provide the tools needed for a bottom-up investigation, which is a less costly and less complicated alternative to the top-down approach based on automated correlation and GUI display techniques. In this section we introduce some projects and tools that may be used for this purpose.
4.1 The IRItaly Project
IRItaly (Incident Response Italy) is a project that was developed at the Crema Teaching and Research Center of the Information Technology Department of the Università Statale di Milano. The main purpose of the project is to inform and sensitize the Italian scientific community, small and large businesses, and private and public players about Incident Response issues.
The project, which includes more than 15 instructors and students (BSc and MSc), is divided into two parts. The first relates to documentation and provides broad-ranging and detailed instructions. The second comprises a bootable CD-ROM. The issues addressed concern information attacks and, in particular, defensive systems, computer and network forensics, incident handling and data recovery methods.