UMUC Cybercrime Investigation and Digital Forensics CSEC650
© UMUC 2011

Contents

Topic 1: Scenario
    Scenario: Network Investigation at NAI
Topic 2: Module Introduction
Topic 3: Network Forensics: An Overview
    What is Network Forensics?
    Why We Need Network Forensics
Topic 4: Challenges in Network Forensics
    The Complexities of Network Forensics
    The Key to Network Forensic Investigations
    Case Study: Birth of the Earth
Topic 5: Botnets
    Botnets as a Network Forensic Antagonist
    Types of Botnets
    Challenges and Protection
    Activity: Annihilating the Internet
Topic 6: Performing Live Acquisitions
    Performing Live Acquisitions of Data
    Techniques to Improve Live Acquisitions of Data
Topic 7: Intrusion Detection and Monitoring
    Relevance to Network Forensics
Topic 8: Summary
Glossary




Topic 1: Scenario

Scenario: Network Investigation at NAI

Network Forensics CSEC650—Module 7

Network Investigation at NAI

Steve Freeman, a senior network engineer at National Aerospace Industries (NAI), notices some unusual activity on the company's Wide Area Network (WAN). Steve knows that network forensics can help solve cases of data leakage and network intrusions by performing an in-depth and accurate analysis of the network. He asks a network forensic investigator to conduct a forensic investigation on the company's network. Steve is hoping that the network forensic investigator can help determine the cause of the unusual activity.

Scenario

Scene 1
Steve Freeman is the senior network engineer at NAI. He notices unusual activity on NAI's WAN, which serves about 1,200 users.

Scene 2
Steve: Our company's network-management system has set off an alarm. There have been repeated unsuccessful log-ins, and they're all from Chief Financial Officer David Thompson's account.
Steve: I wonder if the simultaneous occurrence of the unusual activity on the WAN and this alarm is a coincidence. I'd better review the alarm.

Scene 3
Steve: There have been 24 attempted log-ins within a five-hour period, from 1 a.m. to 6 a.m. on July 2.
Steve: This could be a serious security incident. I'll run this by Judy Maines, our chief forensic investigator.

Scene 4
A transcript of the conversation between Steve and Judy is reproduced below.
Steve: Hi, Judy. Do you have a moment?
Judy: Sure, Steve.
Steve: I noticed some unusual activity on our WAN. There were 24 unsuccessful attempts to log in to the CFO's account. I found this suspicious, so I'm hoping you can look into the matter.
Judy: It definitely sounds suspicious to me. I'll take a look.


Judy: Before I do that, I'll see if I can arrange a conference call with Mr. Thompson.
Steve: Good idea. Let me know what happens.

Scene 5
Judy contacts Mr. Thompson's secretary, who tells her that Mr. Thompson is in Florida on a family vacation. Given the potentially serious nature of this situation, Judy contacts him on his cell phone.

Scene 6
A transcript of the conversation between Judy and Mr. Thompson is reproduced below.
Judy: Hello, Mr. Thompson. I'm sorry to call while you're on vacation. There were several unsuccessful log-in attempts from your account. Have you had any log-in issues?
Mr. Thompson: No, I haven't logged in to my account for a week. What do you plan to do now?
Judy: We're looking into it. I'll let you know what we find.

Scene 7
Judy: I'm really concerned now. Is a hacker trying to get into the network? Could the hacker already be inside, or is this just a glitch?

Scene 8
Judy: I'm going to conduct a rigorous network forensic review. I'd also better get our incident response team involved.


Topic 2: Module Introduction

Network forensics is much more complicated than deadbox or file system forensics because large networks have multiple entry and exit points. Conducting a forensic investigation on a network is more difficult than analyzing a single computer because of the complexities of network architectures. This module focuses on network forensics, its associated concepts, and the challenges related to network forensics. The first topic is a general overview of network forensics, including the main approaches to it and the considerations a forensic examiner must take into account. The second topic explores a series of challenges that are intrinsic to the special aspects of network forensics. The third topic presents the analysis of a major threat to network forensic analysis—botnet technology. The fourth topic deals with the issues related to planning and completing a live acquisition of network forensic captures. The final topic covers important aspects of how to use network logs to support a forensic investigation. The module concludes with a presentation of the important aspects of network intrusion detection and monitoring.


Topic 3: Network Forensics: An Overview

What is Network Forensics?

The original purpose of the Internet was to share and disseminate information among physically separated parties by interconnecting networks. The early forms of networks required hardwired cabling and Network Interface Cards (NICs). Today, networks range from very small Personal Area Networks (PANs) to the vast Internet, and each network level uses various protocols to ensure a smooth and secure flow of information. With so many protocols in use at the network level, it is important to have a solid understanding of how networks operate before moving on to forensics. Most networks use TCP/IP to transmit and receive data from the Internet in a commonly structured format. To transmit data, whole files are broken down into multiple small data packets, each carrying source and destination addresses. As with an envelope being delivered from one address to another, a number of technological processes and human actions exist to ensure accurate, timely, and secure delivery. In computer networks, routers perform the main phases of delivering data to client devices. Because every packet that crosses the network is a potential source of evidence, network forensics involves acquiring (capturing), preserving, and analyzing relatively large amounts of data. Ideally, a highly competent digital forensic examiner will have in-depth knowledge of how routers operate, as well as of their security vulnerabilities and of the sources of evidence they offer.


Why We Need Network Forensics

The Need for Network Forensics

An important question to ask about network forensics concerns its value to an organization. Network forensics is useful in capturing an attack fingerprint and performing post-attack analysis for security exploits. Using network forensics, a forensic examiner can analyze historical network traffic. Such analyses help examiners investigate security attacks. Network forensics helps to reconstruct the sequence of events that occurred during the breach to get the complete picture. Cybersecurity attacks have become common these days. A Distributed Denial of Service (DDoS) attack on Bitbucket.org—a Web-based code-hosting service that relies on Amazon's Elastic Compute Cloud (EC2)—and a DDoS attack on Facebook and Twitter in August 2011 are headline examples (WildPackets, n.d., p. 3).

In addition, IT professionals commonly use network forensics to do these things (WildPackets, p. 3):

Enhance network performance.

Improve the organization's intrusion-detection technologies.

Identify any rogue devices that reside on the network.

Prevent computer malware and network hacks.

Reference: WildPackets. (n.d.). Network Forensics 101: Finding the Needle in the Haystack. Retrieved from https://mypeek.wildpackets.com/elements/whitepapers/Network_forensics101.pdf

The Benefits of Network Forensics

Monitoring User Activity

Monitoring user activity is an important aspect of workplace productivity as well as cybersecurity. For instance, social networking sites are known to create a significant decrease in worker productivity. As a result, many organizations have implemented policies that prohibit or minimize such activities (WildPackets, p. 3).

In addition, organizations have policies prohibiting non-work-related activities—such as online gaming and movie watching—that use network resources. Network forensics can monitor these types of activities and provide management with the evidence required to take disciplinary action against employees who violate an organization's policies (WildPackets, p. 4).


Identifying the Source of Data Leaks

Network monitoring helps to supervise the flow of data and to detect data leaks. If a data leak occurs in a monitored network, network monitoring can reveal vital information, such as what and how much data has been leaked (WildPackets, p. 4).

In addition, a digital forensic investigator can identify the root of the problem, determine whether the leak was intentional or accidental, and trace who or what caused the leak. It is important to secure data because the tangible and intangible costs of a data leak can run into millions of dollars.


Analyzing Business Transactions

Audit trails are an extremely useful source of network forensic information. This is true for all key business transactions and is even more important for systems and protocols that transmit data in plain text, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet, and Structured Query Language (SQL) (WildPackets, p. 4).

Network administrators are the owners of audit logs, so they bear accountability for maintaining and archiving these logs, some of which may be initiated by the organization's customers. If there are problems with certain business transactions, network forensic techniques often can be used to resolve them.


Identifying the Source of Intermittent Network Performance Issues

A practical application of network forensics is the identification of network performance issues in an organization's LAN or WAN through retrospective analysis. Network forensic tools are more scientific and reliable than traditional troubleshooting tools, and a timeline analysis can provide the information required to plot and analyze all detailed and significant network events (WildPackets, p. 4).

Through network forensics, a forensic investigator can answer questions about how the network performed in a given time period by examining every packet that was transmitted across the network. Common examples of network traffic include FTP traffic, Web browsing, e-mail messages, and instant messages.


Topic 4: Challenges in Network Forensics

The Complexities of Network Forensics

In contemporary enterprises, it is important to think about the range of devices that send and receive data within a company's network. In addition to traditional computers, many other devices are in use today—laptops, netbooks, mobile devices, and Small-Scale Digital Devices (SSDDs), such as the iPad and the Galaxy tablet. Although most networks are under the control and security of the company, other networks, such as the cellular network, satellite network, and Internet Service Providers (ISPs), are external and outside the company's control. These external networks may have valuable network forensic artifacts, such as network event logs, system logs, or information from individual servers. Log files are perhaps the most important sources of network data because they contain information about devices, Internet activities, services, and the active state of network data, which can prove to be valuable network forensic information.


The Key to Network Forensic Investigations

To investigate why the system raised an alarm, Judy, NAI's chief forensic investigator, decides to call a meeting with Steve and two other members of her team—Calpurnia and Jean. In this meeting, Judy hopes to discuss the merits of analyzing network logs because she intends to conduct a log review of NAI's network to trace the cause of the alarm. A transcript of the discussion among Judy and her team is reproduced here.

Judy: Thank you all for taking the time to attend this discussion.
Judy: I'm hoping we can conduct a log review of NAI's network, and I'd like to hear your thoughts about the merits of conducting such a review.
Calpurnia: I think it's a good idea. At the very least, the network logs can provide information about the evidence trail of network events.
Jean: I agree. The ability to analyze network logs is a big advantage for us.
Steve: It'll be a big help if we can verify the entry points, personnel involved, and systems used to access the network.
Judy: Yes, our organization had the foresight to make decisions about how the information is logged and retained.
Jean: Judy, network log files can be extremely large. I suggest we establish accurate network log analysis processes, data-retention policies, and toolkits to analyze this information.
Calpurnia: We can start with the event logs, which provide date-time stamps that can be essential in developing a timeline analysis for our investigation.
Steve: There are a number of third-party software applications that will allow us to establish filters of these network logs.
Jean: That should reduce the amount of data in the logs.
Judy: Going forward, I'll see if we can assign the information security officer's staff to review these logs as part of their daily responsibilities and to back up the information regularly.
Jean: Sounds good. How about using freeware tools to handle the complex and data-intensive aspects of network log analysis?
Calpurnia: Sure. Many freeware tools provide filtering and data-reduction capabilities. We can use them to improve our efficiency!
Judy: We'll go ahead with reviewing the network logs. Let's get to work and keep each other informed of any developments.
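The review the team agrees on above (filter the logs to the account in question, reduce the data, and build a timeline from the date-time stamps) as an added Python example; it is not part of the UMUC module, and the key=value log format, the nms-auth source, the host name, the account names and the addresses are constructed for the demonstration.

```python
"""Log review for the NAI scenario: filter, reduce and timeline failed log-ins.

Added example, not part of the UMUC module. The log format is a constructed
key=value export from a hypothetical network-management system; the account,
host name and addresses are constructed as well.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: six failures against the CFO's account from two sources in
# the early hours of July 2, one unrelated failure, one success, one junk line.
SAMPLE_LOG = """\
2011-07-02T01:02:10Z nms-auth host=fin-vpn01 user=dthompson src=203.0.113.45 result=FAIL
2011-07-02T01:17:42Z nms-auth host=fin-vpn01 user=dthompson src=203.0.113.45 result=FAIL
2011-07-02T01:31:05Z nms-auth host=fin-vpn01 user=dthompson src=203.0.113.45 result=FAIL
2011-07-02T01:44:58Z nms-auth host=fin-vpn01 user=jmaines src=198.51.100.8 result=OK
2011-07-02T02:03:19Z nms-auth host=fin-vpn01 user=dthompson src=203.0.113.77 result=FAIL
2011-07-02T02:20:33Z nms-auth host=fin-vpn01 user=dthompson src=203.0.113.77 result=FAIL
2011-07-02T02:41:07Z nms-auth host=fin-vpn01 user=dthompson src=203.0.113.77 result=FAIL
2011-07-02T08:15:00Z nms-auth host=fin-vpn01 user=sfreeman src=198.51.100.20 result=FAIL
this line is truncated garbage and must be counted, not crash the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) nms-auth"
    r" host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the export into time-ordered event dicts; return (events, skipped).
    Unparseable lines are counted, not silently dropped, so the examiner knows
    how much of the log the review actually covered."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1 if line.strip() else 0
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events, skipped


def filter_events(events, user=None, result=None):
    """Data reduction: keep only events for the given account and/or outcome."""
    return [e for e in events
            if (user is None or e["user"] == user)
            and (result is None or e["result"] == result)]


def find_bursts(events, threshold, window_seconds):
    """Sliding window over time-ordered events: report each run in which at least
    `threshold` events fall within `window_seconds` of the run's first event, as
    (first_ts, last_ts, count). The scan resumes after a reported run."""
    ts = [e["ts"] for e in events]
    bursts, i = [], 0
    while i < len(ts):
        j = i
        while j + 1 < len(ts) and (ts[j + 1] - ts[i]).total_seconds() <= window_seconds:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((ts[i], ts[j], j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts


def timeline(events):
    """One line per event, oldest first, for the investigation report."""
    return [f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['host']} {e['user']} {e['src']} {e['result']}"
            for e in events]


def review(text, account, threshold=5, window_seconds=7200):
    """End-to-end review of one account: parse, reduce to failures, count the
    source addresses, find bursts, and render the timeline."""
    events, skipped = parse_log(text)
    failures = filter_events(events, user=account, result="FAIL")
    return {
        "parsed": len(events),
        "skipped": skipped,
        "failures": len(failures),
        "sources": dict(Counter(e["src"] for e in failures)),
        "bursts": find_bursts(failures, threshold, window_seconds),
        "timeline": timeline(failures),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG, "dthompson")
    print("\n".join(report["timeline"]))
    print(f"{report['failures']} failures from {report['sources']}; "
          f"{report['skipped']} unparseable line(s)")
    for first, last, n in report["bursts"]:
        print(f"burst: {n} failures between {first:%H:%M} and {last:%H:%M} UTC")
```

With the sample, five or more failures within two hours is flagged as one burst of six, while the same data with a one-hour window produces no burst, which is why the threshold and window belong in the documented review procedure rather than being chosen ad hoc.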


Case Study: Birth of the Earth

Background

New England–based Birth of the Earth is a leading manufacturer of outdoor clothing and footwear. The company uses a WAN to connect more than 850 users across its corporate offices, call center, and manufacturing plant. Last week, the company's digital forensic investigator, Joe Schumer, received a call from the networking group in the Information Systems department, reporting an active network intrusion at the company.

Methodology

As an experienced digital forensic investigator, Joe used the Investigations Triad methodology to conduct his investigation. The Investigations Triad method involves connecting the three main challenges in network forensics: vulnerabilities, intrusion response, and investigations.

Reference: Caballero, A., & Fidge, S. Network Forensics: SIEM, the Investigations Triad, and SANS Top-20 Vulnerabilities. Retrieved from http://megabyteconcepts.com/Documents/ASC_Network_Forensics.pdf

Vulnerabilities

Vulnerabilities in IT systems are frequently unknown or are not immediately detected. Network forensic tools can help identify vulnerabilities and provide detailed information to the appropriate administrator, whose responsibility it is to fix vulnerabilities.

Intrusion Response

Intrusion response can create a particularly challenging situation for digital forensic investigators. One of the fundamental questions debated in such investigations is whether to shut the network down immediately or observe the intruder's behavior to gather more evidence. The obvious risk of having the intruder on the network for an extended period is that he or she can further damage the network. Conversely, tracking the intruder's actions can help acquire sufficient evidence to pursue a strong legal case.

Investigations

Investigations can revolve around an employee, a small group of employees, and/or outsiders. Most investigations begin with an analysis of all available logs and short interviews of key personnel, followed by the use of commercial or open-source tools to acquire evidence. Finally, the digital forensic investigator examines and analyzes the evidence.

Try This!

Choose all the correct answers.

Question 1: How did the networking group at Birth of the Earth detect the intrusion in their network?
a. They analyzed the network logs.
b. They identified data leakage.
c. They replaced computer hardware.
d. They fixed the CEO's laptop.
Correct Answers: Options a and b
Feedback: Analyzing network logs and identifying data leakage can help identify network intrusions.

Question 2: Select the network(s) that network forensic tools and investigative techniques can be useful with.
a. Local Area Network (LAN)
b. Personal Area Network (PAN)
c. Wireless network
d. Wide Area Network (WAN)
Correct Answers: Options a, b, c, and d
Feedback: Network forensic tools are useful with all types of computer networks.

Question 3: Which term refers to a type of record that should be kept for all business transactions and is often useful to digital forensic investigators?
a. General journal
b. Audit trail
c. Purchase requisition
d. Inventory listing
Correct Answer: Option b
Feedback: Audit trails document the flow of business transactions on a step-by-step basis.

Question 4: What type of process is a network forensic investigation?
a. Proactive
b. Experimental
c. Reactive
d. Educational
Correct Answer: Option c
Feedback: Most network forensic investigations are reactive in nature because they respond to an internal investigation, network intrusion, or criminal investigation.

Question 5: Network forensic tools are used to conduct digital investigations. Select another situation in which network forensic tools can be used.
a. Training users about cybersecurity awareness
b. Diagnosing network performance issues
c. Testing antivirus signatures
d. Evaluating IT personnel performance
Correct Answer: Option b
Feedback: Network forensic tools can be very useful in helping network administrators and engineers diagnose network performance problems.


Topic 5: Botnets

Botnets as a Network Forensic Antagonist

Introduction

Botnets, or robot networks, are one of the most serious and insidious threats facing the computing community today. Since their emergence in the late 1990s, botnet attacks have increased in severity, frequency, scale, scope, and sophistication. With botnets demonstrating robust and advanced capabilities, the lack of standardized and effective investigative procedures for battling them poses huge challenges for forensic engineers.

Bot

A bot is an autonomous application that is often malicious in nature, such as a piece of code that allows an attacker to commandeer a computer without the owner's knowledge. Bots turn the victim's computer into a robot or "zombie" that the attacker can control remotely.

Botnet

A botnet is a collection of computers infected by bots. A botnet is formed by running software, which is usually installed via drive-by downloads that exploit Web browser vulnerabilities, ActiveX controls, plug-ins, or any other applications that a computer requires to browse the Internet. Bots can control viruses, worms, Trojan horses, or backdoors under a common command-and-control infrastructure.

Botnet Attacks

Botnet attacks can have serious consequences, such as financial loss, including regulatory noncompliance fines and litigation fees associated with the theft of sensitive second- and third-party data or intellectual property leakage; damage to reputation; and the time and costs associated with preventing, detecting, and resolving attacks of fraud, DDoS, and spam (EdgeWave, 2011).

Reference: EdgeWave. (n.d.). iPrism Technology. ThreatDefender.com. Retrieved from http://www.threatdefender.com/Web-Filter-Technology.asp

How Botnets Work

A bot herder or botmaster controls botnets remotely, usually through Internet Relay Chat (IRC), which is a form of real-time communication over the Internet, or through peer-to-peer (P2P) networking communications. Often the command and control takes place via a server known as the command-and-control (C&C) server, over a network, or through a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network. A bot typically runs hidden and uses a covert channel standard, such as Instant Messaging (IM), to communicate with its C&C server.

The Botnet Life Cycle

The life cycle of a botnet typically includes four phases: spread, infect, command and control (C&C), and attack.


Spread

In the spread phase, the bots propagate to form many botnets and infect systems through varied means, such as spam and download of malicious code. The goal of this phase is to infect a system. The bot herder attempts either to trick the user into installing malicious code or to exploit vulnerabilities in the user's system.

Infect

Once malicious code is installed on a user's computer, the malicious code uses various techniques to infect the system and to hide its presence. These well-established techniques range from polymorphism (the code changes with every new instantiation), to rootkitting (the stealthy installation of malicious software), to actively targeting the protective measures (for example, the antivirus software, the intrusion detection or intrusion protection system [IDS/IPS], and the firewall).

Command and Control

Botnet C&C servers use a number of protocols, such as IRC, P2P, and HTTP, to communicate and control the bots. Social networking sites are prime targets for botnet C&C servers.

Attack

The final phase of the life cycle, the attack, involves the distribution of spam that is carrying the infection, targeted DDoS, and/or fraudulent activities. When the attack is successful, the size of the botnet can increase exponentially.
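A defensive counterpart to the command-and-control phase described above, added here as an example and not part of the module: scoring flow records for the fixed-interval check-ins that a hidden bot's C&C channel tends to produce. The flows, hosts, addresses and the 300-second interval are constructed; a flagged group is a triage cue for an analyst, not proof of infection.

```python
"""Spotting command-and-control check-ins in flow records by timing regularity.

Added example, not part of the UMUC module. The flow records are a constructed
list of (timestamp, src, dst, dst_port) tuples; hosts, addresses and the
check-in interval are constructed. A bot that phones home on a fixed schedule
leaves near-constant gaps between connections; a person browsing does not.
"""
from collections import defaultdict
from statistics import mean, pstdev


def make_sample_flows():
    """Constructed flows: 10.20.5.17 connects to 203.0.113.9 on 6667 (IRC) every
    ~300 s with a few seconds of jitter, and browses 198.51.100.30:80 at
    human-irregular times; 10.20.5.44 makes two one-off connections."""
    flows = []
    t0 = 1309568400  # 2011-07-02 01:00:00 UTC as epoch seconds
    for k, jitter in enumerate([0, 3, -2, 4, -1, 2, 0, -3, 1, 2, -2, 3]):
        flows.append((t0 + 300 * k + jitter, "10.20.5.17", "203.0.113.9", 6667))
    t = t0
    for gap in [0, 41, 9, 620, 1337, 1338, 30, 2900, 11, 400]:
        t += gap
        flows.append((t, "10.20.5.17", "198.51.100.30", 80))
    flows.append((t0 + 600, "10.20.5.44", "198.51.100.30", 80))
    flows.append((t0 + 1600, "10.20.5.44", "203.0.113.9", 6667))
    return flows


def beacon_scores(flows, min_connections=6):
    """Group flows by (src, dst, dst_port) and score each group's regularity.

    Returns {(src, dst, port): (count, mean_gap, cv)}, where cv is the
    coefficient of variation (population stdev / mean) of the gaps between
    successive connections. A cv near zero means a fixed schedule. Groups with
    fewer than min_connections connections are too short to judge and are skipped."""
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        groups[(src, dst, port)].append(ts)
    scores = {}
    for key, times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        scores[key] = (len(times), avg, cv)
    return scores


def flag_beacons(flows, max_cv=0.1, min_connections=6):
    """Return the (src, dst, port) groups regular enough to warrant a look,
    most regular first. This is a triage cue, not proof: legitimate agents
    (NTP, update checks) beacon too, so the analyst still has to identify
    the destination and what the host sends to it."""
    scores = beacon_scores(flows, min_connections)
    hits = sorted((cv, key) for key, (_, _, cv) in scores.items() if cv <= max_cv)
    return [key for _, key in hits]


if __name__ == "__main__":
    sample = make_sample_flows()
    for key, (count, avg, cv) in beacon_scores(sample).items():
        print(f"{key}: {count} connections, mean gap {avg:.0f}s, cv {cv:.3f}")
    print("candidate beacons:", flag_beacons(sample))
```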


Types of Botnets

Attackers have different motives for using botnets. The most common incentives, however, are financial gain and destruction.

Fraud

Fraud can take many forms and can be committed through many media, including "snail mail," wire, and telephone. Fraud is also committed over the Internet in various forms. For example, identity theft is one of the fastest-growing crimes on the Internet; it is commonly initiated by bogus e-mail messages generated and sent by bots via spam. Bots can also harvest personal information through multiple fake Web sites that masquerade as popular auction Web sites, online money-transfer sites, or banks.

Spamming

Bots can send spam through a compromised computer by using it as a generic proxy for TCP/IP-based networking applications. Some bots also implement a special function to harvest e-mail addresses and other personal information.

Distributed Denial of Service Attacks

Botnets are often used to carry out Distributed Denial of Service (DDoS) attacks on computer systems or networks. A DDoS attack causes a loss of service to users, including the loss of network connectivity and services, by consuming the bandwidth of the victim network or by overloading the computational resources of the victim system.

Sniffing Traffic

Bots can use packet sniffers to watch for and retrieve sensitive clear-text data, such as usernames and passwords, passing by a compromised computer.

Keylogging

Attackers use keylogging to capture sensitive data that is encrypted in transit and that sniffers therefore cannot recover. By monitoring each keystroke a user types, an attacker can obtain a variety of user-specific information.

Spreading New Malicious Code

Because all bots implement mechanisms to download and execute a file via HTTP or FTP, botnets are commonly used to spread new bots. They can also spread e-mail viruses, Trojans, worms, and other malicious code.


Challenges and Protection

Challenges of Handling Botnets

The expertise of investigators who handle botnets varies from organization to organization. Some organizations use advanced techniques, while others may lack the knowledge and tools to perform any type of botnet analysis. These differences reiterate the need for standardization, coordination, and corroboration of competencies among digital investigators and jurisdictions. Improving the speed and quality of botnet investigations requires the development of a systematic approach and an investigative toolset for handling botnets. This means that forensic investigators should examine botnets at both the local level and the network level. Botnets are constantly evolving. For example, they have moved from a centralized C&C structure to a distributed one, thereby increasing the complexity of network- and local-level investigations. The botnet infection and the control mechanism on infected hosts, however, are generally quite similar, straightforward, and stable in nature. Therefore, relevant digital traces from a local machine can be collected to supplement any subsequent network-level investigation (Law, Chow, Lai, & Tse, 2009, p. 162).

Reference: Law, F. Y. W., Chow, K. P., Lai, P. K. Y., & Tse, H. K. S. (2009). A host-based approach to BotNet investigation? Center for Information Security & Cryptography. Retrieved from http://www.cs.hku.hk/cisc/forensics/papers/09_05.pdf

Polymorphism

Polymorphism is a condition in which bots change with every instantiation so that they always appear to be new.

Rootkitting

Rootkitting is the stealthy installation of software called a rootkit, which is activated each time a user boots up the system. Rootkits are difficult to detect because they are activated before the system's operating system has completely booted.

Periodic Communications

A botnet communicates with its controller only periodically. The resulting low volume of communication makes it more difficult to analyze.
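The low-volume but regular check-in pattern described above is exactly what a beaconing detector looks for. The following is an added example, not part of the course module, that scores connection-log flows by how regular their inter-connection gaps and payload sizes are; the log lines, hosts and thresholds are constructed for illustration.

```python
"""Beacon (periodic C&C check-in) detection over a connection log.

Added example with constructed data. A bot that contacts its controller
only periodically leaves nearly constant gaps between connections to the
same endpoint, and its check-in messages are nearly the same size. This
script computes those regularity measures per flow so an analyst can
triage candidates; normal browsing is bursty and is not flagged.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample connection log (not real traffic): one line per
# outbound TCP connection, "timestamp src dst dport bytes".
# 10.0.0.7 checks in with 203.0.113.9:6667 every ~10 minutes.
SAMPLE_LOG = """\
2011-03-01T10:00:00Z 10.0.0.7 203.0.113.9 6667 212
2011-03-01T10:00:03Z 10.0.0.5 198.51.100.20 80 5120
2011-03-01T10:00:04Z 10.0.0.5 198.51.100.20 80 73400
2011-03-01T10:10:01Z 10.0.0.7 203.0.113.9 6667 208
2011-03-01T10:19:59Z 10.0.0.7 203.0.113.9 6667 214
2011-03-01T10:21:40Z 10.0.0.5 198.51.100.20 80 1800
2011-03-01T10:30:02Z 10.0.0.7 203.0.113.9 6667 210
2011-03-01T10:40:00Z 10.0.0.7 203.0.113.9 6667 209
2011-03-01T10:47:12Z 10.0.0.5 198.51.100.20 80 94000
2011-03-01T10:49:58Z 10.0.0.7 203.0.113.9 6667 213
2011-03-01T11:00:01Z 10.0.0.7 203.0.113.9 6667 211
2011-03-01T11:02:30Z 10.0.0.5 198.51.100.20 80 640
2011-03-01T11:10:00Z 10.0.0.7 203.0.113.9 6667 210
2011-03-01T11:33:05Z 10.0.0.5 198.51.100.20 80 2200
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport, bytes) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, src, dst, int(dport), int(nbytes)


def score_flows(records, min_connections=6):
    """Return {(src, dst, dport): stats} for flows with enough connections.

    gap_cv is the coefficient of variation (stdev / mean) of the gaps
    between successive connections; size_cv is the same for payload
    sizes. Low values with many connections are the beaconing signature.
    """
    by_flow = defaultdict(list)
    for when, src, dst, dport, nbytes in records:
        by_flow[(src, dst, dport)].append((when, nbytes))
    scored = {}
    for key, events in by_flow.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        gap_mean = mean(gaps)
        scored[key] = {
            "connections": len(events),
            "mean_gap_s": gap_mean,
            "gap_cv": pstdev(gaps) / gap_mean if gap_mean else float("inf"),
            "size_cv": pstdev(sizes) / mean(sizes),
        }
    return scored


def find_beacons(log_text, max_gap_cv=0.1, max_size_cv=0.2, min_connections=6):
    """Return only the flows whose timing and size regularity indicate beaconing."""
    return {
        key: stats
        for key, stats in score_flows(parse_log(log_text), min_connections).items()
        if stats["gap_cv"] <= max_gap_cv and stats["size_cv"] <= max_size_cv
    }


if __name__ == "__main__":
    for (src, dst, dport), s in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport}: {s['connections']} connections, "
              f"mean gap {s['mean_gap_s']:.0f}s, gap CV {s['gap_cv']:.3f}")
```

The thresholds are deliberately loose; jittered beacons raise gap_cv, so a tool run on real logs would tune max_gap_cv against its own baseline.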

Retaliatory Denial of Service

Live investigations involving retaliatory DoS attacks can cause botmasters to expand their attack and cause even more damage. Retaliatory DoS attacks are risky and generally should be avoided unless the digital forensic examiners feel there is value in pursuing them.

Distributed Denial of Service

A botnet can cause packet flooding from numerous external IP addresses against an organization's network. Packet flooding can exceed a server's capacity and overwhelm or crash the system.


Fast Flux

Botnets use a Domain Name System (DNS) technique called fast flux to hide phishing and malicious code delivery sites behind an ever-changing network of compromised hosts acting as proxies. Fast flux makes bot networks more resistant to discovery and countermeasures through a combination of peer-to-peer networking, distributed command and control, Web-based load balancing, and proxy redirection.
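As an added example, not from the course module, the script below scores recorded DNS answers for the fast-flux pattern just described: short TTLs, many distinct addresses, addresses spread across unrelated networks, and a high turnover of addresses between lookups. The lookup history is constructed, and /16 prefixes stand in for the per-network (ASN) diversity a production tool would look up.

```python
"""Fast-flux indicator scoring over recorded DNS answers.

Added example with constructed data. A fast-flux domain rotates its A
records through compromised proxy hosts, so repeated lookups return
short TTLs and many unrelated addresses that keep changing. A CDN also
uses short TTLs, but its addresses come from its own networks; the
prefix-diversity check keeps that case from being flagged.
"""
import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed DNS lookup history (not real domains or addresses): each
# entry is one answer to an A query, as (domain, ttl_seconds, addresses).
SAMPLE_ANSWERS = [
    ("offers.example", 300, ("203.0.113.17", "198.51.100.42", "192.0.2.88")),
    ("offers.example", 300, ("203.0.113.201", "192.0.2.19", "198.51.100.7")),
    ("offers.example", 180, ("192.0.2.130", "203.0.113.55", "198.51.100.99")),
    ("cdn.example", 60, ("198.51.100.10", "198.51.100.11")),
    ("cdn.example", 60, ("198.51.100.12", "198.51.100.10")),
    ("www.example", 86400, ("192.0.2.1",)),
]


def network_key(address, prefix_len=16):
    """Coarse network identity for an address; a /16 stands in for ASN lookup."""
    return str(ipaddress.ip_network(f"{address}/{prefix_len}", strict=False))


def summarize(answers):
    """Aggregate per-domain fast-flux indicators from a list of answers."""
    by_domain = defaultdict(list)
    for domain, ttl, addresses in answers:
        by_domain[domain].append((ttl, set(addresses)))
    summary = {}
    for domain, lookups in by_domain.items():
        seen_ips = set().union(*(ips for _, ips in lookups))
        # Fraction of each answer's addresses not present in the previous answer.
        churn = [
            len(cur - prev) / len(cur)
            for (_, prev), (_, cur) in zip(lookups, lookups[1:])
        ]
        summary[domain] = {
            "lookups": len(lookups),
            "min_ttl": min(ttl for ttl, _ in lookups),
            "distinct_ips": len(seen_ips),
            "distinct_prefixes": len({network_key(ip) for ip in seen_ips}),
            "churn": mean(churn) if churn else 0.0,
        }
    return summary


def is_fast_flux(stats, max_ttl=600, min_ips=5, min_prefixes=2, min_churn=0.5):
    """Heuristic (constructed thresholds): short TTL, many addresses spread
    across unrelated networks, and high turnover between lookups."""
    return (
        stats["min_ttl"] <= max_ttl
        and stats["distinct_ips"] >= min_ips
        and stats["distinct_prefixes"] >= min_prefixes
        and stats["churn"] >= min_churn
    )


def flag_domains(answers, **thresholds):
    """Sorted list of the domains in the history that look fast-fluxed."""
    return sorted(d for d, s in summarize(answers).items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE_ANSWERS).items():
        print(domain, stats, "FLUX" if is_fast_flux(stats) else "")
```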

Encrypted Channels and Code

The use of code-hardening techniques increases the complexity of reverse engineering. Code obfuscation, encryption, and encoding further hide the true nature of the malicious code.

Botnet Protection

The most common approach to protecting networks against botnets is to use several firewalls and a layered security approach. Such protection may include full-fledged security systems covering all levels of the network, from individual computers to the servers, LANs, and external connectivity to the Web. Other methods of protecting networks include installing intrusion detection systems and protection at the gateway to e-mail servers, and disabling unused ports, such as those used by FTP applications and IRC, which are the applications most commonly used for communication with the bot herder. Isolating infected computers from the network immediately after an attack is detected, and educating users via training and security awareness, are also protection mechanisms.


Activity: Annihilating the Internet

It's time to end the electronic age and save the world from its wired and impersonal existence. Let's cut some wires, spread infection, and herald destruction—but in good faith. You are the chosen one! You are hereby crowned Botmaster.

Phase I: Organizing Your Botnet Technology

You are now Botmaster, and it is your responsibility to begin annihilating the Internet! You have a budget of $1,500 to fund your dastardly deeds. Your first step will be to establish a command-and-control structure, which will allow you to gain the largest amount of information possible. As everyone knows, information is money! Get started!

Welcome to the malware factory! Carry out all necessary steps to acquire the tools you will need in your toolbox.

Step 1: Select the malware you want to create for annihilation. Keep in mind your budget and your goal of producing an appropriate impact!
a. Virus: $100, Low Impact
b. Worm: $250, Low Impact
c. Trojan Horse: $400, Low Impact
d. Rootkit: $750, High Impact

Step 2: Select the distribution mechanism for your malware.
a. Through a rogue distribution of a popular software program: $200
b. Via a downloadable game: $250
c. Through a Web browser: $175
d. As an e-mail attachment: $125

Step 3: How about customizing your malware to make it unique? Select a tool from the options below.
a. Code Monster: $200
The Code Monster will allow you to develop and customize your malware code. You can choose to combine your malware with existing programs to develop superlatively malicious software.
b. Web Map: $250
Use the Web Map to keep track of your work. You can configure the Web Map to notify you when your malware infects new computers, to track the activities of other hackers, and to identify new targets to attack. Your targets can include private- and public-sector computers and Web sites. The Web Map comes equipped with various resources, such as the results of passive scans of networks.
c. Malware-Gro Toolkit: $275
Use the Malware-Gro Toolkit to determine the size of your botnet. You can even begin small and then grow, depending on your interest and the amount of damage and chaos you want to create. The Malware-Gro Toolkit has built-in tools to destroy huge sections of cyberspace.


Step 4: Time to create the program to launch the attack!

Phase II: Selecting Your Victim

You have created your malware. Now it's time to select your first victim! Read the victims' profiles and the chat transcripts below. Then select a victim to launch the attack.

Zombie 1: Rob Flower. Rob is an elderly man who lives in a retirement community. He uses the Internet to communicate with his children, who live abroad.
Zombie 2: Gareth Owen. Gareth is a young IT professional. He has recently been hired as a software developer.
Zombie 3: Martha Booth. Martha teaches at a university in the United Kingdom. She teaches economics and uses the Internet to keep up with current economic news and developments.
Zombie 4: Michael Thomas. Michael is a college student. He uses the Internet to stay connected with his friends and to learn about new technology. An avid blogger, he usually blogs about music, travel, and changing technological trends.

A transcript of the chat between the Botmaster and Martha/Gareth is below.
Botmaster: Hello! I am Botham. I work as a travel agent. Are you interested in traveling to exotic destinations?
Martha/Gareth: I do not talk to strangers, Botham. I hope you don't mind.

A transcript of the chat between the Botmaster and Rob/Michael is below.
Botmaster: Hello! I am Botham. I work for a travel agent. Are you interested in traveling to exotic locations?
Rob/Michael: Yes, I am.
Botmaster: Great! I love traveling too, and was hoping to meet people on the Internet who share my interests.
Rob/Michael: Hmm.
Botmaster: So…do you travel budget or luxury?
Rob/Michael: Budget. I'd love to go on a luxury vacation.
Botmaster: In that case, here's a trade secret! You must check out this Website we use. It has special weekly offers on five-star resorts.


Rob/Michael: Really? Can you send me the link?
Botmaster: Sure. Here it is: www.travelabroad.com. I know you will enjoy it. I use it all the time.
Rob/Michael: Thank you for your suggestion. Nice to meet you in cyberspace!
Botmaster: You too. I hope your next trip is really fun.

Feedback if you selected Rob or Michael as your victim: Congratulations! You have infected the victim's computer with your malware.

Feedback if you selected Gareth or Martha as your victim: Operation failed! The chat transcript indicates that this person will not be an ideal victim. Select another victim.

Phase III: Retaliation by the Infected Zombie

You will now step into the shoes of the victim. Look at the incident from the victim's perspective. The victim's train of thought is reproduced below.

Victim: I cannot believe it. I have all kinds of unauthorized charges on my credit cards, and someone has dipped into my checking account, too.
Victim: Could I have been the victim of a botnet attack? I remember reading about how victims of botnet attacks lose their personal identity and financial security.
Victim: I'm sure I didn't share my bank or credit card details with anyone.
Victim: Hmm … the withdrawals from my account began a couple of days after I visited that travel Website.
Victim: The site was really useful, and I booked my next vacation almost for free. However, they say there's no such thing as a free lunch. Is it possible my computer is infected with some type of malware?
Victim: I'm angry at myself for not being more careful. I never thought I was a gullible person, but I'm going to have to be more careful.
Victim: I would love to track that person down while I try to clean up this mess I've gotten myself into. I'd better start by educating myself before I do any more chatting online!


Learn More

Test your knowledge of botnets by answering the following questions.

Question 1: Select the best methods to protect a system from botnet attacks.
a. Disable unused ports.
b. Establish several firewall layers.
c. Install an intrusion detection system.
Correct Answers: Options a, b, and c
Feedback: All of these methods help protect your computer system from botnet attacks.

Question 2: The botnet life cycle involves four key steps. Select the steps in correct order of occurrence.
a. Command and control, spread, attack, and infect
b. Attack, spread, infect, and command and control
c. Spread, infect, command and control, and attack
d. Infect, command and control, spread, and attack
Correct Answer: Option c
Feedback: The proper sequence of steps in the botnet life cycle is: spread, infect, command and control, and attack.

Question 3: Which of the following malicious goals can botnets accomplish?
a. Spamming
b. Fraud
c. Antivirus protection
d. DDoS attacks
Correct Answers: Options a, b, and d
Feedback: Spamming, fraud, and DDoS attacks are common malicious goals of botnets.

Question 4: What challenges do digital forensic investigators face in detecting botnets?
a. Polymorphism
b. Fast flux
c. Covert channel communications
d. Rootkitting
Correct Answers: Options a, b, c, and d
Feedback: Polymorphism, fast flux, covert channel communication, and rootkitting are all challenges for digital forensic investigators in detecting botnets.


Question 5: What are common terms for the individual who controls a botnet?
a. Network engineer
b. Botmaster
c. Bot herder
d. Script kiddie
Correct Answers: Options b and c
Feedback: Botmaster and bot herder are the most common terms for a person who controls a botnet.

Question 6: Select a tool that one can use to track down a botmaster.
a. Traceroute
b. Wireshark
c. Pingplotter
d. Whatsup
Correct Answers: Options a, b, c, and d
Feedback: All of these tools provide the ability to trace traffic from one's computer back to the sending computer.


Topic 6: Performing Live Acquisitions

Performing Live Acquisitions of Data

Network forensic projects involving live acquisition of data are widespread. Conducting a live acquisition of data is helpful in large companies, where taking a network offline to collect forensic information can have an enormous impact on the company's production. It is important, then, that cybersecurity professionals understand the precautions needed to perform a live acquisition of network data.

Coordination

It is essential to coordinate the authorization and acquisition approach with the organization's network engineering group. This will minimize the potential adverse effects of working with live data, such as data corruption and system crashes. Coordination with other IT professionals is essential with any digital investigation, and even more so with live acquisition, because the risks involved are exponentially higher than with other forensic procedures like deadbox analysis or reviewing a smartphone for forensic information.

Timing

Timing is another crucial aspect of acquiring live network data. Event logs, e-mail messages, and data files are the most important forensic information needed in an investigation. It is essential to ensure that all legal procedures and precautions are taken to use the data. Permissions can be obtained from internal legal counsel and law enforcement officials.


Techniques to Improve Live Acquisitions of Data

Digital forensic researchers have identified several methods to improve the live acquisition of network data. Judy conducts a presentation to teach her team members techniques for improving the live acquisition of data.

Recommendation 1: Position the collector as close as possible to the source of information. Both the physical and the logical distance from the source of information must be considered. The collector should be as close as possible to the evidence source, both physically and logically. Proximity helps minimize latency and the potential loss of evidence, and helps preserve the authenticity of the evidence.

Recommendation 2: Perform write blocking of the evidence. Perform write blocking of data to maintain the integrity of the evidence. Write blocking can be done with one-way Ethernet cables or by using a read-only FTP client device. In addition, write blocking should be performed in front of a witness, and both the procedures and the results should be documented. The documented data will serve as verification of the data's integrity.

Recommendation 3: Define workable boundaries to collect relevant data. Define workable boundaries so that the investigator collects relevant data. Due to the nature of high-speed networks, data travels faster than it can be fully captured in a live environment. Coordinating with an organization's IT staff to develop some filters and other technical controls is helpful.

Recommendation 4: Ensure that documentation requirements are met. Nickell (2006) makes seven specific recommendations for documentation:
1. Diligence on the forensic investigator's part
2. Adherence to accepted methods and procedures
3. Precise data showing what was collected or, in some cases, not collected
4. Start and end timestamps
5. Additional technical information, such as lower-level protocol information or headers
6. Notation of any errors or lost or corrupted data
7. Other meta information, such as the investigator's name, case ID, and case/evidence descriptions

Reference: Nickell, B. (2006). "Improving Evidence Acquisition from Network Sources." Digital Investigation: The International Journal of Digital Forensics and Incident Response, Vol. 3, No. 2.
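An added example, not from the course module or from Nickell's paper, showing how Recommendations 3 and 4 can be applied in code: an agreed collection boundary decides which packets are kept, and the acquisition record carries start and end timestamps, counts of collected, excluded and lost packets, error notes, case metadata, and a SHA-256 digest of the kept evidence so a later comparison can show the evidence was not altered. The packet summaries, hosts, investigator name and case ID are constructed placeholders.

```python
"""Documented live acquisition of network evidence.

Added example with constructed input. Each packet summary is kept or
excluded by the agreed collection boundary (Recommendation 3), and the
record produced alongside the evidence covers the documentation items of
Recommendation 4: timestamps, what was and was not collected, lost data,
errors, investigator, case ID and description, plus an integrity digest.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed packet summaries: (time, src, dst, dport, payload_bytes).
# A None entry stands in for a packet the capture interface dropped.
SAMPLE_PACKETS = [
    ("2011-03-01T10:00:00Z", "10.0.0.7", "203.0.113.9", 6667, b"NICK bot7"),
    ("2011-03-01T10:00:01Z", "10.0.0.5", "198.51.100.20", 80, b"GET / HTTP/1.1"),
    None,
    ("2011-03-01T10:00:02Z", "10.0.0.7", "203.0.113.9", 6667, b"JOIN #c2"),
    ("2011-03-01T10:00:03Z", "10.0.0.9", "192.0.2.4", 443, b"\x16\x03\x01"),
]


def within_boundary(pkt, hosts, ports):
    """Recommendation 3: keep only traffic inside the agreed collection scope."""
    _, src, dst, dport, _ = pkt
    return src in hosts or dst in hosts or dport in ports


def acquire(packets, hosts, ports, investigator, case_id, description, now=None):
    """Collect in-scope packets and return (record, evidence_bytes).

    `now` is injectable (a callable returning an aware datetime) so the
    timestamps can be fixed in tests; it defaults to the UTC wall clock.
    """
    now = now or (lambda: datetime.now(timezone.utc))
    record = {
        "investigator": investigator,
        "case_id": case_id,
        "description": description,
        "method": "passive capture through a one-way (write-blocked) tap",
        "scope": {"hosts": sorted(hosts), "ports": sorted(ports)},
        "start": now().isoformat(),
        "collected_packets": 0,
        "excluded_packets": 0,
        "lost_packets": 0,
        "errors": [],
    }
    lines = []
    for index, pkt in enumerate(packets):
        if pkt is None:
            # Item 6: lost or corrupted data is noted, never silently skipped.
            record["lost_packets"] += 1
            record["errors"].append(f"packet {index}: dropped by capture interface")
            continue
        if not within_boundary(pkt, hosts, ports):
            record["excluded_packets"] += 1  # item 3: what was NOT collected
            continue
        ts, src, dst, dport, payload = pkt
        # Item 5: keep the lower-level header fields next to the payload.
        lines.append(f"{ts} {src} {dst} {dport} {payload.hex()}")
        record["collected_packets"] += 1
    evidence = ("\n".join(lines) + "\n").encode()
    record["end"] = now().isoformat()
    record["sha256"] = hashlib.sha256(evidence).hexdigest()
    return record, evidence


def verify(record, evidence):
    """Recompute the digest; a mismatch means the evidence changed after acquisition."""
    return hashlib.sha256(evidence).hexdigest() == record["sha256"]


if __name__ == "__main__":
    rec, data = acquire(SAMPLE_PACKETS, {"203.0.113.9"}, {6667},
                        "J. Example", "CASE-0001", "constructed IRC C&C capture")
    print(json.dumps(rec, indent=2))
    print(data.decode(), end="")
```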


Topic 7: Intrusion Detection and Monitoring

Relevance to Network Forensics

A very important and challenging aspect of forensic investigations involves intrusion detection. It is important to determine when to monitor a network, and how much monitoring to do, before taking aggressive action in a digital forensic investigation. There are no hard-and-fast rules about how to monitor a network intrusion or when to bring down your network to stop the intrusion from penetrating deeper into it. One of the core challenges forensic investigators face is balancing the need to have sufficient evidence against the intruder with the need to stop the intrusion. The more evidence you gather, the stronger your legal case will be. On the other hand, the longer you allow the intruder access to your network in order to gather evidence, the higher the risks to your network. With practical experience comes greater skill in weighing these considerations. Popular commercial tools like Ethereal, NetIntercept, and others aid the forensic investigation.


Topic 8: Summary

We have come to the end of Module 7. The key concepts covered in this module are listed below.

Network forensics is useful in capturing an attack fingerprint, performing post attack analysis for security exploits, and analyzing historical network traffic.

Network forensics can help monitor user activity, identify the source of data leaks, analyze business transactions, and identify the source of intermittent network performance issues.

Log files are an important source of network data because they contain information about devices, Internet activities, services, and the active state of network data that can be valuable network forensic information.

The Investigations Triad methodology is an investigative technique that involves connecting the three main challenges in network forensics: vulnerabilities, intrusion response, and investigations.

A bot is an autonomous application that is often malicious. A computer attacked by a bot is known as a robot or a zombie. A collection of computers infected by bots is known as a botnet.

The life cycle of a botnet typically includes four phases: spread, infection, command and control (C&C), and attack.

Some challenges encountered while dealing with botnets include polymorphism, rootkitting, periodic communications, retaliation, denial of service, distributed denial of service, fast flux, and encrypted channels and code.

The most common methods of protecting networks against botnets are using several firewalls and a layered security approach, installing intrusion detection systems and protection at the gateway to e-mail servers, disabling unused ports, and isolating infected computers.

Conducting a live acquisition of data is helpful in collecting forensic information. It should be done in coordination with the organization's IT department.


Glossary

Term Definition

Audit Log An audit log is a list of all system-based activities, including the user ID, time of activity, workstation ID, and other information.

Audit Trail Audit trail is the ability to trace system activities to their original source of input, entry, transfer, or termination on the system.

Backdoor A backdoor is a remote access point for software; it allows remote connectivity. Though originally intended for debugging purposes, backdoors are currently used for remote command-and-control actions.

Bot A bot is a computer program that is used to rapidly carry out a large number of automated and repetitive tasks on the Internet, usually in a cybersecurity attack.

Bot herder A bot herder, also known as a botmaster, controls botnets remotely and tricks a victim into installing malicious code on a computer.

Botnets A botnet is a group of robots, or compromised computers, running automatically. Often, the victims whose computers are part of the botnet are unaware of the invasion.

Command-and-Control A command-and-control system provides for command and control of system components, such as other computers.

Deadbox Forensics Deadbox forensics is an expression that refers to forensic analysis of laptops and PCs that are not actively connected to a live network.

Denial of Service Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks use "zombie" servers to flood a target site with large volumes of traffic. This flood of traffic consumes all of the target site's network or system resources and denies access to legitimate users.

Distributed Denial of Service In a distributed denial of service attack (DDoS attack), a computer's resources are made unavailable to its user when several compromised systems flood it with useless data.

Fast Flux Fast flux is a Domain Name System (DNS) technique used to hide phishing and malicious code delivery sites behind compromised hosts that act as proxies.

File System Forensics File system forensics is the forensic analysis of an individual computer's file system and operating system components.

FTP File Transfer Protocol (FTP) is an application protocol that uses the TCP/IP protocol (or the Internet) to transfer files between computers.

HTTP Hypertext Transfer Protocol (HTTP) transmits Web pages to clients.

Internet Relay Chat Internet Relay Chat (IRC) is a form of communicating over the Internet using private messages, chats, or group discussions.


Intrusion Response Intrusion response is the response by an individual cyberforensic investigator or incident response team to a network-based intrusion.

Investigations Triad Method The Investigations Triad method involves connecting the three main challenges in network forensics: vulnerabilities, intrusion response, and investigations.

Network Forensics Network forensics is a forensic process involving multiple devices on a computer network.

Personal Area Networks A Personal Area Network (PAN) enables communication between computers, TVs, MP3 players, personal digital assistants (PDAs), and smartphones that are within a few feet of each other.

Pingplotter Pingplotter allows the user to trace the path of packets across the Internet.

Polymorphism Polymorphism is a condition in which bots change with every instantiation, so they always appear to be new.

Rogue Network Forensics Rogue network forensics describes the practice of using network forensic techniques to perform malicious activities.

Rootkitting Rootkitting is the stealthy installation of software called a rootkit, which is activated each time a user boots up a system.

Small-Scale Digital Devices Small-scale digital devices are devices that are analogous to embedded systems.

Structured Query Language Structured Query Language (SQL) is a data-manipulation language that is the de facto standard used to manage actual data in relational database management systems.

Telnet Telnet enables remote use and supervision of systems. Network administrators monitor and control systems remotely using Telnet.

Traceroute Traceroute traces the path of packets across an IP network. An intruder uses traceroute to map routers for known destinations around the targeted system.

Whatsup Whatsup is network-monitoring software.

Wireshark Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Write Blocking Write blocking is a forensic technique used to avoid altering the state of the source computer, in order to create a forensically sound image of that computer.

Zombie A zombie is a computer that is remotely controlled by a bot herder or botmaster in a botnet.