Public Release: 

Dartmouth Institute examines cyber attack investigation preparedness

Dartmouth College

HANOVER, N.H. - A report released this week by researchers at Dartmouth's Institute for Security Technology Studies (ISTS) examines the state of investigative tools needed by law enforcement officials who fight cyber crime, committed not only by terrorists but also by organized crime groups, individual "hackers" or nation-states.

The report, titled "Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Needs Assessment," details the technology hurdles faced by cyber crime investigators and outlines a wish list of tools and technologies required to do this job better. The report is available on the Internet at , and it is primarily intended for law enforcement officials at each level of government.

Cyber attacks can take many forms: computer intrusions to steal or destroy information; denial-of-service attacks, which can shut down computer networks; or destructive viruses or worms, which propagate automatically and can damage computer networks around the world.

"This report is the first step toward establishing a national research and development agenda on combating cyber attacks," says Michael Vatis, Director of ISTS. "Cyber attacks pose a threat to our national security and our economy, and they are increasing in number, sophistication and severity.

Law enforcement personnel need to be better prepared to prevent and respond to cyber attacks at the federal, state and local levels. The R&D community can play a critical role by developing new technologies that assist investigators in their responsibilities. This report provides useful guidance to researchers in industry, academia and government."

The report outlines areas where focused R&D attention would have the greatest impact in helping address this increasing threat.

"We found that one of the greatest challenges facing cyber investigators is in the area of log analysis," says Andrew Macpherson, Acting Assistant Director of Law Enforcement Programs at ISTS and one of the report's writers. "This makes sense. After all, when an attack is detected, gathering data from a network's activity logs is the logical source to find out what happened. Having better tools to examine those logs is essential."

The ISTS report features seven areas of concern:

  • Preliminary Data Collection: Investigators need tools to automate the collection of data files from multiple operating systems in a victim's network and a better way to retrieve, store and analyze very large volumes of evidence. Also required are an automated process to create a map of a victim's network and an attack-specific data recovery tool.
  • Log Analysis: Investigators need tools that recognize and import activity logs from multiple platforms across a network, reconstruct damaged logs and analyze the data. They also need the ability to organize the log data in a compatible format to share with other law enforcement agencies.
  • Internet Protocol Tracing: Cyber attackers sometimes mask their identity to evade detection or use publicly accessible computers. A combination of technological solutions and changes in public policy would help investigators trace an attack to its source.
  • Emerging Technologies: Keeping up with new technologies remains a priority for cyber crime fighters. Successful cyber attack investigations need to be able to circumvent unbreakable encryption, locate the source of mobile or wireless network attacks, and discover hidden programs, images or signatures on a seized computer.
  • Information Sharing: The ability to share information across agencies would greatly aid in cyber attack investigations. In addition, investigators need a directory or database of cyber crime investigators in each jurisdiction, listing each person's expertise and contact information, to enhance cooperation and information sharing during investigations.
  • Multiple Skill Levels: Because investigators' technical skills and experience vary greatly in this new and rapidly evolving field, new crime-fighting tools must have a built-in capability to adjust to the skill level of the investigator. Help files should accompany all new technology.
  • Ongoing Training: Keeping abreast of new and emerging technology is the backbone to remaining prepared to address this sophisticated type of crime. Efforts should be made to assess current training programs and identify gaps in order to create a national training and development strategy.

ISTS researchers gathered data from a web-based survey of select law enforcement personnel, from site visits to law enforcement agencies, and from a two-day workshop, which convened an expert group of current and former cyber attack investigators and prosecutors. The data revealed numerous technological obstacles to investigating computer network attacks. ISTS personnel are already working on the next step, to evaluate the existing tools and technology in order to find the gaps where the needed technology does not exist so that R&D initiatives can be prioritized accordingly.


Background on ISTS: Dartmouth's Institute for Security Technology Studies (ISTS) serves as a national center for counter-terrorism and cyber security technology research, development and assessment. It is funded in part through the U.S. Justice Department's National Institute of Justice, Office of Science and Technology, and the U.S. Commerce Department's National Institute of Standards and Technology.

Disclaimer: AAAS and EurekAlert! are not responsible for the accuracy of news releases posted to EurekAlert! by contributing institutions or for the use of any information through the EurekAlert system.