Article ID: 10342483
Journal: Digital Investigation
Published Year: 2005
Pages: 7 Pages
File Type: PDF
Abstract
Investigations of network security breaches are both complex and costly. Even a moderate amount of forensic preparation in an organization can mitigate the impact of a major incident and can enable the organization to obtain restitution. A case study of an intrusion is outlined in which the victim organization worked with law enforcement agencies to apprehend the perpetrator. This case study contains examples of challenges that can arise during this type of investigation, and discusses practical steps that an organization can take to prepare for a major incident. The overlapping roles of System Administrators, Incident Handlers, and Forensic Examiners in a network intrusion are explored, with an emphasis on the need for collaboration and proper evidence handling. This case study also shows how effective case management and methodical reconstruction of events can help create a more complete picture of the crime and help establish links between computer intruders and their illegal activities.