Model of integration of information for forensic analysis of data

Person in charge: Dr. Roberto Gómez Cárdenas

Security tools are becoming the basic means of guaranteeing the protection of systems and networks. At present there is a great variety of tools for monitoring systems. They can be divided into three categories: prevention, detection and recovery.

Prevention mechanisms increase the security of a system during its operation: they prevent security violations. Examples of this type of mechanism are encryption during data transmission, password complexity requirements, firewalls and biometrics. Detection mechanisms are those used to detect security violations or attempted violations; examples are intrusion detection systems and vulnerability scanners. Recovery mechanisms are those applied once a violation of the system has been detected, in order to return it to correct operation. As examples we can mention information backups, equipment redundancy, and strategic plans based on BCP (Business Continuity Planning) and DRP (Disaster Recovery Planning). To this last group we can add an area that has recently come into fashion: forensic analysis.

Forensic analysis is a relatively new term. It refers to the process of applying scientific and analytical techniques to a computing infrastructure in order to identify, preserve, analyze and present evidence in a form that is acceptable in a legal proceeding.

When an incident happens and responsibilities must be established, the person in charge of the investigation must analyze the many logs generated by the different tools in use and by the different servers under administration. Depending on the company and the organization, the amount of information can be considerable and very difficult for the administrator to review in full. One of the tendencies among companies dedicated to the security area (ISS, Network Associates, Symantec) is to gather different tools into a single solution. Mainly they tend to offer a product that administers the antivirus, the IDS, the vulnerability scanner and in some cases the firewall. Nevertheless, they offer no means of analyzing the logs generated by these different tools, nor of relating them to the logs generated by other applications. The objective of this project is to provide the administrator with a tool that helps in the analysis of the information generated by the different tools and applications.

One of the first tasks is to bind two security tools: iptables and snort. The result of this work will be the design of a communication protocol between these tools; once they communicate, one of them can be reconfigured in response to the other. Based on what is learned in that work, the approach will be generalized so that any two tools can communicate. Because of the great variety of "syntax" found in the different security tools, applications and servers on the market, it is necessary to design a model that allows the diverse generated logs to be represented in a common form. On the basis of this common syntax, the different events can be analyzed to detect relations among them.
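The common log model described above can be illustrated with a small normalizer. The following is an added example written for this page, not code from the project itself: it parses the Snort "fast" alert format and iptables LOG-target kernel lines into one event schema and then relates events from the two tools by source address. The log lines are constructed (addresses from the RFC 5737 documentation ranges, signature names marked HYPOTHETICAL); the `Event` schema, the regular expressions and the `correlate` function are this example's own assumptions about how such a model could look.

```python
"""Normalize Snort fast alerts and iptables kernel log lines into one schema
and correlate them by source address (added example; logs are constructed)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample logs: not captured from any real system.
SNORT_LINES = [
    "01/15-10:23:45.123456  [**] [1:1000001:1] HYPOTHETICAL SSH brute force [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "203.0.113.5:4444 -> 192.0.2.10:22",
    "01/15-10:25:01.000001  [**] [1:1000002:1] HYPOTHETICAL web scan [**] "
    "[Priority: 3] {TCP} 198.51.100.7:51000 -> 192.0.2.20:80",
]
IPTABLES_LINES = [
    "Jan 15 10:23:44 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=4444 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 15 10:30:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 "
    "LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0",
]


@dataclass
class Event:
    """Common event schema (assumed for this example) shared by every tool."""
    tool: str
    timestamp: str           # kept as the tool wrote it; neither format carries a year
    proto: Optional[str]
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    message: str


# Snort fast format: "<ts>  [**] [gid:sid:rev] <msg> [**] [...] {PROTO} src:sport -> dst:dport"
SNORT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[[^\]]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# iptables LOG target as written by syslog: "<Mon dd hh:mm:ss> <host> kernel: <prefix>: KEY=VAL ..."
IPT_HEAD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+kernel:\s+(?P<prefix>[^:]*):\s+(?P<rest>.*)$"
)
IPT_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_snort(line: str) -> Optional[Event]:
    """Map one Snort fast-alert line onto the common schema, or None if it does not match."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    return Event("snort", m["ts"], m["proto"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["msg"])


def parse_iptables(line: str) -> Optional[Event]:
    """Map one iptables kernel log line onto the common schema; ports are absent for ICMP."""
    m = IPT_HEAD_RE.match(line)
    if not m:
        return None
    kv = dict(IPT_KV_RE.findall(m["rest"]))
    port = lambda key: int(kv[key]) if key in kv else None
    return Event("iptables", m["ts"], kv.get("PROTO"), kv.get("SRC"), port("SPT"),
                 kv.get("DST"), port("DPT"), m["prefix"])


def normalize_all() -> List[Event]:
    """Run both parsers over the constructed logs and drop lines that match neither."""
    events = [parse_snort(l) for l in SNORT_LINES] + [parse_iptables(l) for l in IPTABLES_LINES]
    return [e for e in events if e is not None]


def correlate(events: List[Event]) -> List[str]:
    """Return source addresses reported by more than one tool: the relation between
    events that the common syntax makes possible to compute."""
    tools_by_src = {}
    for e in events:
        if e.src_ip:
            tools_by_src.setdefault(e.src_ip, set()).add(e.tool)
    return sorted(ip for ip, tools in tools_by_src.items() if len(tools) > 1)


if __name__ == "__main__":
    evs = normalize_all()
    for e in evs:
        print(e)
    print("seen by both tools:", correlate(evs))
```

Adding a third tool means writing one more `parse_*` function that fills the same `Event` fields; the correlation step does not change, which is the point of normalizing first. A production version would also resolve the missing year so that events from different tools could be related by time as well as by address.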