CSCD 496 Computer Forensics Lecture 19 Network Forensics Winter 2010

Upload: william-carson

Post on 18-Dec-2015

Page 1: 1 CSCD 496 Computer Forensics Lecture 19 Network Forensics Winter 2010

CSCD 496 Computer Forensics

Lecture 19 Network Forensics

Winter 2010

Page 2: Network Forensics Overview

• Introduction to Network Forensics
• Techniques for Network Forensics
• Sources of Data
  – Location of potential data
• Challenges of Network Forensics
• Host Log Files
  – Example

Page 3: Your Thoughts

• Do you think networks and outlying computers/servers can be an important source of digital evidence?
• What are some sources of digital evidence from network sources?

Page 4: Introduction

• Yes. Networks do contain digital evidence that can
  – establish that a crime was committed, or
  – provide evidence useful to an investigation
• Evidence on a network is not as well-defined as on a single host
• Network data is more dynamic and volatile
  – Difficult to take a snapshot of a network at a given instant in time

Page 5: Introduction

• Often can’t shut down a network to obtain evidence
  – It needs to stay up and running for business purposes
• Suspect may leave evidence in many places
  – Think about the yellow tape of a crime scene
  – Much harder to isolate a crime scene when it includes a network!!

Page 6: Investigative Authorization

• Before conducting an on-line investigation, law enforcement and investigators need to obtain permission
• Difficulty of obtaining authorization to search e-mail, network communications, and other data depends on
  – Situation, type of data and country
  – Monitoring network traffic is considered highly invasive of privacy
  – Search of recent or unread e-mail is considered more invasive than old e-mail

Page 7: Investigative Authorization

• If data exist in two or more places in the US
  – Need to obtain additional warrants for each location
• Using passwords obtained during an investigation to access remote sources of digital evidence
  – Requires additional authorization

Page 8: Authorization Problems

• Examples
  – In 2002, legal action was brought against an investigator for gaining remote access to a suspect’s computer and collecting evidence over the Internet
  – In 2000, the FBI lured two Russian computer intruders to the United States for a fictitious job interview and used WinWhatWhere to capture passwords to the suspects’ systems in Russia
    • Investigators used the passwords to collect incriminating evidence remotely from the suspects’ computers
    • The Russian government initiated criminal proceedings against one FBI agent for unauthorized access to computers in Russia

Page 9: Network Data Request

• When drawing up an affidavit for a warrant, it is important to mention all desired evidence
• Especially if you want network records
  – Otherwise you may miss important evidence
  – Also recommended to include explicit examples of records to be seized
    • And the form of seizure, digital and paper

Page 10: Network Data Request

• Example of request – John Doe

All records associated with the Subscriber and Account, including:

• Screen names and/or account names, phone numbers, addresses, credit card numbers used to establish the account,
• Connection records, to include logon dates and times,
• IP addresses assigned for each session, origination information for each call, phone number used for access to the system,
• Newsgroup logs, e-mail logs ... credit and billing information for any and all accounts held in the name of John Doe
• and the addresses 192.168.12.14 and 192.168.12.16 and [email protected]
• for the period of (date and time conform to the period of suspect criminal activity)

Page 11: Network Data Request

• Comments
  – The prior request is an example of the dispersed nature of network forensics data
  – It did not specify e-mail contents, just e-mail logs
    • Harder to obtain warrants for e-mail contents
  – Some organizations (eBay is one) do not need a court order to provide name and address
    • User agreement permits disclosure to law enforcement

Page 12: Documentation, Collection and Preservation of Data

• Advice for network forensics data collection
  – Follow standard operating procedure
    • Same principles as for a single host!!
  – Retain a log of actions taken during the collection process
    • Print screens of important actions
  – Document which server contains evidence
    • May be multiple servers involved
  – Calculate MD5/SHA1 values for all evidence prior to transfer and after transfer

Page 13: Documentation, Collection and Preservation of Data

• Example procedure:
  – In several cases, investigators gained remote access to a host that a computer intruder was using to launch attacks
  – They e-mailed themselves the evidence they had gathered
    • Why shouldn’t they have done that?

Page 14: Documentation, Collection and Preservation of Data

• Problems with e-mailing the data to themselves
  – Complicates chain of custody
  – More difficult to confirm integrity of evidence
    • E-mail can be forged
  – What if the e-mail were not delivered?
  – E-mail is stored on intermediary servers
    • Sometimes many servers are traversed

Page 15: Investigative Reconstruction

• Fundamentals of investigative reconstruction
  – Don’t change when networks are involved – it just gets harder!!!!
  – A criminal can be in several places on a network at any given time
    • Example: network intruder
      – Sharing information with accomplices on IRC
      – At the same time, breaking into multiple computers elsewhere

Page 16: Investigative Reconstruction

• A suspect can use the Internet to conceal their actual location
• How can they do this?

Page 17: Difficulties with Network Identity

• How to hide on the Internet
  – Anonymous network: uses encryption and moves data between computers
    http://freenetproject.org/
  – Proxies
    http://www.all-nettools.com/toolbox/privacy.htm
    http://www.inetprivacy.com/
    http://anon.inf.tu-dresden.de/index_en.html
  – Encryption – e-mail
    http://www.hushmail.com
    http://www.zixcorp.com/

Page 18: Importance of Log Files

• Log files contain messages about the system, including the kernel, services, and applications running on it
• Log files can be very useful when looking for unauthorized login attempts to the system
• Linux/Unix example
  – Some log files are controlled by the daemon syslogd
  – The list of log messages maintained by syslogd is found in the /etc/syslog.conf configuration file

Page 19: Location of Log Files

• Most log files are located in the /var/log directory
• Some applications such as httpd and samba have a directory within /var/log for their log files
• Notice multiple files in the log file directory with the same name but numbers after them
  – Created when the log files are rotated
  – Log files are rotated so their file sizes don’t become too large
  – A cron task automatically rotates log files according to the /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d directory
  – By default, it is configured to rotate every week and keep four weeks’ worth of previous log files

Page 20: Example of Logs Kept

-rw-r----- 1 syslog adm 859075 2010-03-01 05:26 messages.0
-rw-r----- 1 syslog adm 158966 2010-02-22 06:20 messages.1.gz
-rw-r----- 1 syslog adm 135613 2010-02-15 10:49 messages.2.gz
-rw-r----- 1 syslog adm 142595 2010-02-08 07:11 messages.3.gz
-rw-r----- 1 syslog adm 212676 2009-10-07 05:44 messages.4.gz
-rw-r----- 1 syslog adm 139323 2009-04-24 11:25 messages.5.gz
. . .
-rw-r----- 1 syslog adm 89361 2010-03-01 11:32 syslog
-rw-r----- 1 syslog adm 159357 2010-03-01 05:26 syslog.0
-rw-r----- 1 syslog adm 14253 2010-02-28 08:32 syslog.1.gz
-rw-r----- 1 syslog adm 15926 2010-02-27 09:52 syslog.2.gz
-rw-r----- 1 syslog adm 28826 2010-02-26 09:11 syslog.3.gz
-rw-r----- 1 syslog adm 73396 2010-02-25 10:12 syslog.4.gz
-rw-r----- 1 syslog adm 46112 2010-02-24 06:42 syslog.5.gz
-rw-r----- 1 syslog adm 97564 2010-02-23 09:48 syslog.6.gz
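The listing above is what a forensic search has to cover: the live file, a plain `.0` rotation and several gzipped older generations, with the highest number being the oldest. The Python script below is an added example (not part of the lecture) that orders every generation of a log oldest-first and searches them without unpacking anything on disk. The directory and the log lines it creates are constructed for the example; the `rotation_index` naming rule is the one logrotate uses by default.

```python
import gzip
import os
import re
import tempfile


def rotation_index(name, base):
    """Rotation generation of one file of log `base`: -1 for the live file,
    N for base.N or base.N.gz, None if the name belongs to another log."""
    if name == base:
        return -1
    if not name.startswith(base + "."):
        return None
    rest = name[len(base) + 1:]
    if rest.endswith(".gz"):
        rest = rest[:-3]
    return int(rest) if rest.isdigit() else None


def rotated_files(log_dir, base):
    """File names of every generation of `base` in log_dir, oldest first:
    logrotate gives the oldest copy the highest number and the live file none."""
    gens = []
    for name in os.listdir(log_dir):
        idx = rotation_index(name, base)
        if idx is not None:
            gens.append((idx, name))
    return [name for _, name in sorted(gens, reverse=True)]


def open_log(path):
    """Open a plain or gzip-compressed log as text, in place."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, "r", encoding="utf-8", errors="replace")


def grep_rotated(log_dir, base, pattern):
    """Search all generations of a log, oldest first; return (file, line) hits."""
    rx = re.compile(pattern)
    hits = []
    for name in rotated_files(log_dir, base):
        with open_log(os.path.join(log_dir, name)) as fh:
            for line in fh:
                line = line.rstrip("\n")
                if rx.search(line):
                    hits.append((name, line))
    return hits


def build_sample_dir():
    """Constructed /var/log look-alike: a live file, one plain rotation, two
    gzipped rotations and an unrelated log. All lines are invented."""
    d = tempfile.mkdtemp(prefix="varlog_")
    gens = {
        "messages.2.gz": ["Feb 15 08:00:01 host sshd[401]: Accepted password for alice from 10.0.0.5 port 51000 ssh2"],
        "messages.1.gz": ["Feb 22 23:10:44 host sshd[512]: Failed password for root from 10.0.0.9 port 40022 ssh2"],
        "messages.0": ["Mar  1 03:12:09 host sshd[777]: Failed password for root from 10.0.0.9 port 40100 ssh2"],
        "messages": ["Mar  1 11:30:00 host sshd[790]: Accepted password for bob from 10.0.0.7 port 52000 ssh2"],
        "syslog.0": ["Mar  1 05:26:00 host CRON[800]: (root) CMD (run-parts /etc/cron.daily)"],
    }
    for name, lines in gens.items():
        path = os.path.join(d, name)
        opener = gzip.open(path, "wt") if name.endswith(".gz") else open(path, "w")
        with opener as fh:
            fh.write("\n".join(lines) + "\n")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for fname, line in grep_rotated(sample, "messages", r"Failed password for root"):
        print(f"{fname}: {line}")
```

Reading the rotations in age order matters for reconstruction: the four-week default retention means the oldest evidence is in the highest-numbered `.gz` file, and an investigator who only looks at the live file misses it.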

Page 21: What to Check

• /var/log/messages and /var/log/syslog:
  – The messages and syslog files contain all system-level and system process logging
  – Include services such as NIS, sendmail, and rpc
  – /var/log/messages also contains failed login and su attempts to other accounts on your system
• /var/log/sulog:
  – The su log is a log of all successful attempts by somebody using the su command to log in as a different user

Page 22: What to Check

• /var/log/wtmp or utmp:
  – wtmp/utmp are parsed with the command last
  – /var/adm/wtmp shows you when, where, and how long a user was logged onto your system
• /var/adm/acct or pacct:
  – The process accounting logs (started by the acct command) are logs you parse with the command sa
  – These logs show you the commands users ran and how long the processes ran for

Page 23: What to Check

• What do you look for in the logs?
• Unusual activity
  – Date-time anomalies – people who should not be logged in on that date or at that time (1:00 am on Sat.)
  – A lot of activity from users who normally don’t generate that much activity
  – Unusual tasks – messing with network connections or security features of the system
  – Failed su commands – a normal user trying to become root
• Missing logs – log files are deleted or empty
• Tampered logs – harder to detect; there are tools that allow others to mess up your log files so you are less alarmed to their presence
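The three checks on slides 21 and 23 that can be expressed as rules over /var/log/messages (off-hours logins, failed su to root, and a user generating far more logins than usual) are shown below as an added Python example; it is not code from the lecture. The log lines are constructed in the classic syslog layout, the year is an assumption because syslog timestamps omit it, and the per-user baseline of "normal" login counts is invented for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in classic syslog layout (no year), invented for this example.
SAMPLE_LOG = """\
Apr 22 09:15:02 ftpserver sshd[1201]: Accepted password for alice from 10.1.1.20 port 50123 ssh2
Apr 22 09:20:11 ftpserver su[1250]: (to root) alice on /dev/pts/0
Apr 22 13:02:45 ftpserver sshd[1301]: Accepted password for bob from 10.1.1.21 port 50200 ssh2
Apr 23 01:03:17 ftpserver sshd[2090]: Accepted password for carol from 172.16.9.4 port 41000 ssh2
Apr 23 01:04:02 ftpserver su[2101]: FAILED SU (to root) carol on /dev/pts/3
Apr 23 01:04:15 ftpserver su[2102]: FAILED SU (to root) carol on /dev/pts/3
Apr 23 01:05:01 ftpserver su[2103]: FAILED SU (to root) carol on /dev/pts/3
Apr 23 01:06:30 ftpserver sshd[2110]: Accepted password for carol from 172.16.9.4 port 41002 ssh2
Apr 23 01:07:12 ftpserver sshd[2115]: Accepted password for carol from 172.16.9.4 port 41003 ssh2
"""

# "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
YEAR = 2010  # assumed: syslog lines carry no year, and weekday checks need one


def parse_line(line, year=YEAR):
    """Return a dict for a syslog line, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def off_hours(ts, start=0, end=6):
    """Date-time anomaly: any weekend activity, or weekday activity in [start, end)."""
    return ts.weekday() >= 5 or start <= ts.hour < end


def triage(text, baseline_logins=None):
    """Apply the lecture's checks to a log; return (kind, time, subject, detail) findings."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    findings = []
    login_counts = Counter()
    for e in events:
        login = re.match(r"Accepted \S+ for (\S+) from (\S+)", e["msg"])
        if login:
            user, src = login.groups()
            login_counts[user] += 1
            if off_hours(e["ts"]):
                findings.append(("offhours-login", e["ts"], user, src))
        su_fail = re.search(r"FAILED SU \(to (\S+)\) (\S+)", e["msg"])
        if su_fail:
            target, user = su_fail.groups()
            findings.append(("failed-su", e["ts"], user, target))
    # Volume anomaly: more than twice the user's usual number of logins.
    # The baseline would normally come from earlier, trusted log generations.
    baseline = baseline_logins or {}
    for user, n in login_counts.items():
        if n > 2 * baseline.get(user, 1):
            findings.append(("unusual-volume", None, user, n))
    return findings


if __name__ == "__main__":
    for kind, when, who, detail in triage(SAMPLE_LOG, {"alice": 1, "bob": 1, "carol": 1}):
        print(f"{kind:16} {when} {who} {detail}")
```

The rules are deliberately plain regular expressions so that each finding can be traced back to the line that produced it; in a real case the baseline counts and the off-hours window come from the organisation's own working pattern, and the parsed entries should be kept alongside the hashed original files rather than replacing them.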

Page 24: Investigative Reconstruction

• Might need to analyze all available log files
  – Logs from routers,
  – Firewalls,
  – Intrusion Detection Systems, or other sources
• Might reveal a pattern of compromise
  – Example: intrusion captured in log files
    • FTP server was compromised
    • Computer intrusion first detected by Tripwire
    • What does Tripwire do?
      – It calculates and stores hashes of system files and notes when a file changes
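Both the evidence-handling advice on slide 12 (hash every item before and after transfer) and the Tripwire description above rest on the same mechanism: record a baseline of digests, then compare the files against it later. The Python below is an added example of that mechanism, not the lecture's or Tripwire's own code. It uses MD5 and SHA1 because those are the algorithms the slides name; the file names and contents it creates are constructed, and the `root_map` parameter (mapping an original path to where the copy now lives) is this example's own idea.

```python
import hashlib
import os
import tempfile

HASHES = ("md5", "sha1")  # the algorithms the slides name; SHA-256 would be added today


def file_digests(path, algorithms=HASHES, chunk=1 << 16):
    """Hash a file once, feeding each chunk to every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def baseline(paths):
    """Digests and size for each file: evidence before transfer, or system
    binaries at install time (the Tripwire case)."""
    return {p: {"size": os.path.getsize(p), **file_digests(p)} for p in paths}


def verify(base, root_map=None):
    """Compare files against a stored baseline. root_map optionally maps a
    baseline path to the copy's new location (evidence after transfer)."""
    root_map = root_map or {}
    report = {"ok": [], "changed": [], "missing": []}
    for orig, rec in base.items():
        current = root_map.get(orig, orig)
        if not os.path.exists(current):
            report["missing"].append(orig)
            continue
        now = file_digests(current)
        same = all(now[a] == rec[a] for a in HASHES) and os.path.getsize(current) == rec["size"]
        report["ok" if same else "changed"].append(orig)
    return report


def demo():
    """Constructed scenario: three 'binaries' are baselined, then copied to a
    second directory where one arrives intact, one altered and one not at all."""
    src = tempfile.mkdtemp(prefix="evidence_")
    dst = tempfile.mkdtemp(prefix="transferred_")
    names = ["login", "du", "top"]
    for n in names:
        with open(os.path.join(src, n), "wb") as fh:
            fh.write(f"binary contents of {n}\n".encode())
    base = baseline([os.path.join(src, n) for n in names])
    before = verify(base)  # nothing has moved yet: every file checks out

    with open(os.path.join(src, "login"), "rb") as s, open(os.path.join(dst, "login"), "wb") as d:
        d.write(s.read())                          # faithful copy
    with open(os.path.join(dst, "du"), "wb") as fh:
        fh.write(b"binary contents of du\n\x00")   # one trailing byte differs
    mapping = {os.path.join(src, n): os.path.join(dst, n) for n in names}
    after = verify(base, mapping)

    def short(rep):
        return {k: [os.path.basename(p) for p in v] for k, v in rep.items()}
    return short(before), short(after)


if __name__ == "__main__":
    before, after = demo()
    print("before transfer:", before)
    print("after transfer: ", after)
```

The baseline itself is evidence: it should be written to a separate medium and hashed or signed, since a rootkit that replaced /bin/login could just as easily rewrite a baseline stored on the same host.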

Page 25: Example Investigative Reconstruction

• Example continued
  – Tripwire was the first alert
  – Several system components were replaced through a rootkit (/bin/login, /usr/bin/du, /usr/bin/top, /usr/bin/find, /usr/bin/killall)
  – The following entry in /var/log/secure showed a connection to the FTP server:

Apr 24 22:50:34 ftpserver in.ftpd[2103]: connect from 62.30.247.138

Page 26: Investigative Reconstruction

• Example continued
• Another entry, in /var/log/wtmp:

ftp ftp pc-62-3-247-138-do.blueyonder.co.uk [62.30.247.138] Tue Apr 24 22:50-22:50 (00:00)

• The unauthorized connection is partially supported by an entry in /var/log/messages
  – The only difference is the time stamp

Apr 25 02:50:40 ftpserver in.ftpd[2103]: ANONYMOUS FTP LOGIN FROM pc-62.30.247.138-do.blueyonder.co.uk [62.30.247.138], [email protected]

Page 27: Investigative Reconstruction

• Example continued
  – Investigators checked the intrusion detection system logs for a corresponding entry but didn’t find one
  – They did find an entry for a different time and source:

[**] FTP-site-exec [**] 04/25-02:48:44 04/25-02;49:37 63 62.122.10.221 -> 192.168.2.6 S: 4158 D:21

• Why might host logs differ from network logs?

Page 28: Investigative Reconstruction

• Next, searched the Netflow logs (Cisco router logs) for all connections to and from the compromised computer
• Found the original connection from blueyonder.co.uk at 22:50:34 was part of a broader scan of FTP servers which was not logged by the intrusion detection system
• Netflow logs also showed the actual intrusion occurred at 02:47:12 from 62-122-10-221.flat.galactica.it and that the intruder downloaded a patch from RPMfind and fixed the vulnerability

Page 29: Investigative Reconstruction

• IDS logs and Netflow logs provided more reliable evidence than the tampered logs of the compromised host
• So, instead of the intrusion coming from the United Kingdom, the intrusion actually originated in Italy!
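The reconstruction on slides 25 to 29 only works once every source is on one clock: the /var/log/secure and /var/log/messages entries for the same process differ by four hours, and the IDS and Netflow records use yet another layout. The Python below is an added example (not from the lecture or Casey's book) of that normalisation: each source gets an assumed clock offset, its timestamps are converted to UTC, and events from the same address within a short window are grouped so the scan and the intrusion fall out as two separate clusters. The offsets are this example's assumption (the slides only note that the stamps differ), the year is assumed because none of the formats record it, and the IDS and Netflow lines are simplified constructed records, not real Snort or Cisco output.

```python
import re
from datetime import datetime, timedelta, timezone

YEAR = 2001  # assumed: none of the log formats below records a year

# Assumed clock of each source as an offset from UTC. Treating /var/log/secure as
# local time (UTC-4) and the other sources as UTC is this example's assumption.
OFFSETS = {
    "secure": timedelta(hours=-4),
    "messages": timedelta(0),
    "ids": timedelta(0),
    "netflow": timedelta(0),
}

# Per-source regex (named groups ts and ip) plus strptime format for ts.
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
SYSLOG_TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: .*?"
SPECS = {
    "secure": (SYSLOG_TS + IP, "%b %d %H:%M:%S"),
    "messages": (SYSLOG_TS + IP, "%b %d %H:%M:%S"),
    "ids": (r"^\[\*\*\] .*? \[\*\*\] (?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d) " + IP + r" ->", "%m/%d-%H:%M:%S"),
    "netflow": (r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d) " + IP + r" ", "%m/%d-%H:%M:%S"),
}

# Records modelled on the slides' entries; IDS and Netflow layouts are constructed.
SOURCES = {
    "secure": ["Apr 24 22:50:34 ftpserver in.ftpd[2103]: connect from 62.30.247.138"],
    "messages": ["Apr 25 02:50:40 ftpserver in.ftpd[2103]: ANONYMOUS FTP LOGIN FROM "
                 "pc-62.30.247.138-do.blueyonder.co.uk [62.30.247.138]"],
    "ids": ["[**] FTP-site-exec [**] 04/25-02:48:44 62.122.10.221 -> 192.168.2.6"],
    "netflow": ["04/25-02:47:12 62.122.10.221 192.168.2.6 tcp 21",
                "04/25-02:50:33 62.30.247.138 192.168.2.6 tcp 21"],
}


def parse_source(name, lines, year=YEAR):
    """Parse one source's lines into events with a UTC timestamp."""
    pattern, fmt = SPECS[name]
    events = []
    for line in lines:
        m = re.match(pattern, line)
        if not m:
            continue
        local = datetime.strptime(f"{year} {m['ts']}", "%Y " + fmt)
        utc = local.replace(tzinfo=timezone(OFFSETS[name])).astimezone(timezone.utc)
        events.append({"utc": utc, "ip": m["ip"], "source": name, "raw": line})
    return events


def correlate(sources, window=timedelta(minutes=5)):
    """Merge all sources on the UTC axis and group events from the same address
    that occur within `window` of the previous one into a cluster."""
    events = sorted((e for n, ls in sources.items() for e in parse_source(n, ls)),
                    key=lambda e: e["utc"])
    clusters = []
    for e in events:
        for c in clusters:
            if c["ip"] == e["ip"] and e["utc"] - c["end"] <= window:
                c["end"] = e["utc"]
                c["events"].append(e)
                break
        else:
            clusters.append({"ip": e["ip"], "start": e["utc"], "end": e["utc"], "events": [e]})
    return sorted(clusters, key=lambda c: c["start"])


def summarize(clusters):
    """(ip, first seen, last seen, sources that saw it) per cluster, in UTC."""
    fmt = "%m/%d %H:%M:%S"
    return [(c["ip"], c["start"].strftime(fmt), c["end"].strftime(fmt),
             sorted({e["source"] for e in c["events"]})) for c in clusters]


if __name__ == "__main__":
    for ip, first, last, seen_by in summarize(correlate(SOURCES)):
        print(f"{ip:16} {first} .. {last}  seen by {', '.join(seen_by)}")
```

With the secure entry shifted onto the UTC axis it lands six seconds before the messages entry for the same PID, as the slides describe, and the address that only the router and the IDS saw appears as its own earlier cluster. Whether an offset is a time zone, a skewed clock or tampering is a question for the investigator; the code makes the assumption explicit per source rather than hiding it.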

Page 30: Behavioral Analysis

• When looking at digital evidence on a network
  – Keep in mind you are looking at the effects of human activities
    • Trying to figure out the associated behavior and intent
  – Log files can be great sources of behavioral evidence
    • Record a lot of activities
    • Can often determine what a person did and was trying to achieve

Page 31: Behavioral Analysis

• Log file analysis can often reveal patterns
  – Can indicate whether it was the same intruder
• Example
  – On-line sexual predator
  – Has extensive communication with victims
    • Trying to gain their trust
    • A lot of evidence will have accumulated

Page 32: Behavioral Analysis

• Activities can reveal intruder knowledge and skill level
  – Focused attack
    • Only attacks certain machines – ones with a sensitive database of financial data
    • Reveals the intruder knew the network and which machines to target
  – Time patterns
    • Track how long the intruder took to commit the compromise
      – Might even suggest insider vs. outsider involvement

Page 33: Conclusion

• More challenging to piece together an evidence trail when it covers multiple machines in distant locations
• Need to pay attention to authorization in collecting network data or could be liable for violating the intruder’s rights
• Need to know how networks function, and where evidence occurs in a networked environment
• Also need to understand network tools that can assist with collection and preservation of distributed evidence

Page 34: Resources

Digital Evidence and Computer Crime by Eoghan Casey
Elsevier Academic Press, 2004

Page 35: End

• Next time
  – Lab
  – Guest speaker on Wed., Dale Lindekugel, Criminal Justice