Network Forensics: When conventional forensic analysis is not enough
Manuel Humberto Santander Peláez
GIAC GCFA Gold, GNET Silver, GCIA Gold
Network Security Perimeter
• Firewalls
• NIDS/NIPS
• VPN Concentrator
• NAC (Switches)
• Antivirus
• Antispyware
• Content Filtering
Network Security Perimeter
[Diagram: Firewall, Switch (NAC), VPN Concentrator, NIDS, Security Event Correlator]
Network Forensics
• Capture, recording and analysis of network events
• Need to discover source and type of network attacks
• Large volume of logs and traffic to handle
• Network Security Perimeter devices give a lot of useful information
Network Forensics
• Network traffic gives evidence of attacks like:
– Exploit attacks
– Virus breach attempts
– MITM
• Valuable when it can be correlated with computer breaches.
• Can supply the missing information about a computer attack (the “missing puzzle piece”)
Billing Information Change using a network attack
• Colombia Utility Company is the biggest utility company in all Colombia
• Massive change of billing amount on 10,000 installations, about 40% less on each invoice
• Once an invoice is delivered, no change can be made (Law 142 of 1994, Colombian Congress)
• Where was the breach? How can this be prevented?
Billing Information Change using a network attack
• The billing process is a daily batch process
• 98% of invoices were altered
• Billing calculations are done by stored procedures on the database
• First evidence gathered was a report of the users executing the offending transactions on the application (August 25, 2007)
Billing Information Change using a network attack
The same result was obtained on every computer analyzed from the table obtained.
Billing Information Change using a network attack
• IDS alerts showed the ARP address of the main router changing several times; no firewall or NAC alert
• Found 4970 alerts for August 25, 2007
• Investigation showed a local desktop machine claimed to be the router for the whole network segment (ARP spoofing: it answered for the router's IP with its own MAC, placing itself in the path of the segment's traffic)
• All billing department people in that segment logged on to the application
Billing Information Change using a network attack
The Oexplore access time matches the first access to the database. Passwords were found cracked by Cain (Cain & Abel, which performs both ARP poisoning and credential sniffing/cracking).
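The sequence on the preceding slides (ARP alerts for the router, a desktop answering for the gateway, billing users logging on through that segment, and correlating the timing with the first database access) as an added Python example; it is not code from the original presentation or from the investigation. The ARP replies, MAC addresses, IP addresses, user names and timestamps are constructed sample data, and the trusted router MAC is an assumption. The detection rule is the same "flip flop" check an ARP monitor such as arpwatch or an IDS ARP-spoof preprocessor applies; the correlation step then lists the logins whose traffic passed through the attacker's host.

```python
"""Detect a spoofed gateway from ARP replies and correlate with application logins.

Added example (not from the original presentation). All addresses, names and
timestamps below are constructed sample data; the trusted router MAC is assumed.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
GATEWAY_IP = "10.1.1.1"
# Known-good MAC of the segment's router (assumed; in practice taken from the
# router's own configuration or the switch/NAC MAC table, never from ARP traffic).
TRUSTED = {GATEWAY_IP: "00:11:22:33:44:55"}

# Constructed ARP replies as a passive sniffer or an IDS on the segment saw them:
# (timestamp, sender IP, sender MAC). A desktop starts answering for the router.
ARP_REPLIES = [
    ("2007-08-25 08:00:00", "10.1.1.1", "00:11:22:33:44:55"),
    ("2007-08-25 08:00:30", "10.1.1.1", "00:11:22:33:44:55"),
    ("2007-08-25 09:15:02", "10.1.1.1", "00:aa:bb:cc:dd:ee"),  # desktop claims router IP
    ("2007-08-25 09:15:04", "10.1.1.1", "00:aa:bb:cc:dd:ee"),
    ("2007-08-25 09:15:06", "10.1.1.1", "00:11:22:33:44:55"),  # real router answers
    ("2007-08-25 09:15:08", "10.1.1.1", "00:aa:bb:cc:dd:ee"),
    ("2007-08-25 09:15:10", "10.1.1.1", "00:11:22:33:44:55"),
    ("2007-08-25 09:15:12", "10.1.1.1", "00:aa:bb:cc:dd:ee"),
    ("2007-08-25 09:15:14", "10.1.1.1", "00:11:22:33:44:55"),
    ("2007-08-25 11:00:00", "10.1.1.1", "00:11:22:33:44:55"),
]

# Constructed login records from the billing application:
# (timestamp, user, source IP on the billing segment).
APP_LOGINS = [
    ("2007-08-25 09:15:30", "jdoe", "10.1.1.42"),
    ("2007-08-25 09:16:10", "asmith", "10.1.1.57"),
    ("2007-08-25 14:00:00", "jdoe", "10.1.1.42"),
]


def ts(s):
    return datetime.strptime(s, FMT)


def detect_arp_changes(replies, trusted):
    """One alert each time the MAC answering for a watched IP differs from the
    MAC last seen for it (the "flip flop" an ARP monitor reports)."""
    last = dict(trusted)
    alerts = []
    for when, ip, mac in replies:
        if ip not in last:
            continue  # only gateway IPs are watched here
        if mac != last[ip]:
            alerts.append({"time": ts(when), "ip": ip, "old": last[ip], "new": mac})
            last[ip] = mac
    return alerts


def spoofing_windows(alerts, quiet=timedelta(minutes=5)):
    """Collapse bursts of alerts into (start, end) intervals in which the
    gateway mapping was unstable. Each interval is extended by `quiet`
    because hosts keep using a poisoned cache entry after the last reply."""
    windows = []
    for a in sorted(alerts, key=lambda a: a["time"]):
        if windows and a["time"] <= windows[-1][1]:
            windows[-1][1] = a["time"] + quiet
        else:
            windows.append([a["time"], a["time"] + quiet])
    return [tuple(w) for w in windows]


def suspect_macs(alerts, trusted):
    """MACs that answered for a gateway IP but are not its trusted MAC: the
    pivot to the desktop to image next (located via the switch MAC table / NAC)."""
    return sorted({a["new"] for a in alerts if a["new"] != trusted[a["ip"]]})


def exposed_logins(windows, logins):
    """Logins made while the gateway was spoofed: their traffic went through
    the attacker's host, so their credentials must be treated as captured."""
    return [(user, src) for when, user, src in logins
            if any(start <= ts(when) <= end for start, end in windows)]


def investigate(replies=ARP_REPLIES, logins=APP_LOGINS, trusted=TRUSTED):
    """Run the whole chain and return the facts an analyst would act on."""
    alerts = detect_arp_changes(replies, trusted)
    windows = spoofing_windows(alerts)
    return {
        "alerts": len(alerts),
        "windows": windows,
        "suspect_macs": suspect_macs(alerts, trusted),
        "exposed_logins": exposed_logins(windows, logins),
    }


if __name__ == "__main__":
    for key, value in investigate().items():
        print(f"{key}: {value}")
```

On the sample data this yields six flip-flop alerts collapsed into a single window, one suspect MAC to chase down through the switch MAC table, and two logins that fall inside the window (the third, hours later, does not). Those two users' application and database credentials are the ones to rotate, and the window start is the timestamp to compare against the first anomalous database access.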
Lessons Learned
• Network forensics completes computer forensic evidence when the evidence found inside computers does not give enough clues.
• Network forensics evidence must be correlated with the evidence found on computers to be valuable.
• Security perimeter devices give valuable information if well configured.