FTP Research: Covert investigation of FTP servers and other file-to-file platforms

The Projection
Having had some time to conduct tests and research in this area, it became clear that there are three main segments to the project. However, these segments also hold sub-segments.

FTP covert investigation: Detection, Surveillance, Incursion
Detection
Port scanner: service detection
Server profiling (this is currently one of the main areas of the research)
Service authentication: the use of the packet headers to detect the true service type
Surveillance
Traffic monitoring remotely: a type of IDS signature detection of a remote source [1]
Pattern detection of previously illicitly installed FTP servers
Open proxy gateway traffic logs (hosted by the system)
Proxy gateway: the system uses a set of proxies to distribute the port scanning. These could be configured to act as transporting FTP proxy gateways. This would allow passwords and user names to be gathered along with other such data like FTP IP addresses and any other information that the system might need.
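As an added example (not part of this presentation or its port scanner), the following Python shows the two ideas above in one place: detecting the true service type from the protocol's own reply grammar (RFC 959) rather than the port, and matching a logged session against an FTP command signature set. The session lines are constructed, the 'C'/'S' direction tags are an assumed log convention, and the command list is an illustrative subset of RFC 959.

```python
import re

# RFC 959 reply line: three-digit code, then ' ' (final line) or '-' (continuation).
FTP_REPLY_RE = re.compile(r"^(?P<code>[1-5][0-5]\d)(?P<sep>[ -])(?P<text>.*)$")
# Client commands from RFC 959, used here as a constructed signature set.
FTP_COMMANDS = {"USER", "PASS", "SYST", "FEAT", "PWD", "CWD", "TYPE", "PASV",
                "PORT", "LIST", "NLST", "RETR", "STOR", "QUIT"}


def parse_server_replies(lines):
    """Group server lines into (code, [text, ...]) replies; None if the grammar breaks."""
    # '220-...' opens a multi-line reply closed by '220 ...'; a split banner is still FTP.
    replies, pending = [], None
    for line in lines:
        m = FTP_REPLY_RE.match(line)
        if pending is not None:
            code, texts = pending
            if m and m.group("code") == code and m.group("sep") == " ":
                replies.append((code, texts + [m.group("text")]))
                pending = None
            else:
                texts.append(line)  # free text is allowed inside a multi-line reply
        elif m is None:
            return None  # a server line that is not an FTP reply: not FTP
        elif m.group("sep") == "-":
            pending = (m.group("code"), [m.group("text")])
        else:
            replies.append((m.group("code"), [m.group("text")]))
    return None if pending is not None else replies


def classify_session(session):
    """Classify a list of (direction, line) pairs; direction 'C' = client, 'S' = server."""
    # The PASS argument is masked so the evidence record does not itself hold the password.
    not_ftp = {"ftp": False, "commands": [], "reply_codes": []}
    replies = parse_server_replies([ln for d, ln in session if d == "S"])
    commands = []
    for ln in (ln for d, ln in session if d == "C"):
        verb, _, arg = ln.partition(" ")
        if verb.upper() not in FTP_COMMANDS:
            return not_ftp  # a client line outside the FTP command set
        commands.append("PASS ****" if verb.upper() == "PASS" and arg else ln)
    if not replies or not commands:
        return not_ftp
    return {"ftp": True, "commands": commands, "reply_codes": [c for c, _ in replies]}


# Constructed samples: FTP served on port 8080, and HTTP answering on port 21.
FTP_ON_8080 = [("S", "220-Welcome"), ("S", "220 ready"), ("C", "USER anonymous"),
               ("S", "331 Please specify the password."), ("C", "PASS guest@example.org"),
               ("S", "230 Login successful."), ("C", "QUIT"), ("S", "221 Goodbye.")]
HTTP_ON_21 = [("C", "GET / HTTP/1.1"), ("C", "Host: example.org"), ("S", "HTTP/1.1 200 OK")]
```

The port number plays no part in the verdict: the session on 8080 is classified as FTP from its reply codes and commands, while the HTTP exchange on port 21 is rejected at the first non-FTP line.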
Incursion
After the target system has been identified as a positive, it is time for incursion into the server/servers for further evidence gathering.
This should attempt to leave as little footprint as possible, in order not to change anything on the target system.

Incursion Events
Entry: do this and stay looking like a standard user
Mapping: fully map the file structure
Evidence gathering: gather as much information about the content while still looking like a standard user and not altering the evidence or influencing it.
Typical system layout
1. The CS (control system) starts the port scan and services detection; this is done via the proxy network.
2. The CS uses the information gathered to profile the system; this profile can be used to select whether the target needs further investigation.
3. The CS then sets up part of the proxy network to monitor traffic, if this traffic is determined as a positive (using the signature matching).
4. The remaining part of the proxy network would go to work on the intrusion.
Diagram: Control system, proxies, WEB, Target system
So where am I
At current I am somewhere between the first two sections (detection and surveillance).
I currently have a port scanner that identifies ports and the services running (need to finish looking at making a profiling plug-in).
My research at the moment is looking at remote traffic monitoring on a different network to the program. I'm looking at a few things to help with this; they are IDS and hacking methodologies. I will also be approaching Brian and Graham to see what work they have done in this area. I have been looking at the work done by others in this area such as:
K Thompson, GJ Miller, R Wilder [2]
M Polychronakis, EP Markatos, KG Anagnostakis [3]
B Pande [4]
Looking at proxy gateways as a way to monitor traffic and detect possible targets for investigation.
Looking for an external for my transfer to PhD from MPhil.
Writing up my transfer paper.
Writing papers.
Papers and Posters
Ecce paper: Transferring crime fighting methods to the internet
Static remote server profiling (outline done)
What is wire tapping and what is not, when it comes to internet investigation?
Remote traffic analysis for internet forensics: is it possible?
Who is learning from whom? What can we learn from the internet criminal networks such as hackers and virus programmers?
References
1. JE Dickerson, JA Dickerson - Fuzzy Information Processing Society, 2000. NAFIPS. 19th, 2000 - ieeexplore.ieee.org
2. K Thompson, GJ Miller, R Wilder - IEEE Network Magazine, 1997 - netlab.cs.tsinghua.edu.cn
3. M Polychronakis, EP Markatos, KG Anagnostakis - Network Operations and Management Symposium, 2004. NOMS 2004, 2004 - ieeexplore.ieee.org
4. B Pande - 2002 - cse.iitk.ac.in