Network Forensics
Cyber Threat Evolution (timeline figure, 1977 to 2009-10)
Stages shown on the timeline: Virus; Breaking Web Sites; Malicious Code (Melissa); Advanced Worm / Trojan (I LOVE YOU); Identity Theft (Phishing); DoS / DDoS; Organised Crime; Data Theft; Botnet; Targeted Attacks.
Global Attack Trend (figure; source: Websense)
Network Forensics ?
• What we have seen so far is dead (post-mortem) analysis of hosts.
• Network evidence is highly volatile: packets that are not captured as they pass are gone.
• Network forensics therefore needs real-time capture and analysis of network traffic.
Network Forensics
• Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
• The ultimate goal is to provide sufficient evidence to allow the criminal to be successfully prosecuted.
• Network forensics can reveal evidence that is crucial to building a case.
• Forensics for computer networks is extremely difficult and depends completely on the quality of information you maintain.
Why network-based evidence?
– Host-centric forensics is an established discipline, but many investigators ignore or do not understand network traffic
– Network-based evidence can be found everywhere
– Network-based evidence can be easy to collect, and passive capture leaves no trace on the monitored hosts, so the subject is not alerted

Vulnerability layers (figure): Applications, Operating System, Network
Vulnerability Exploitation Trends (figure; source: Symantec)
Network Forensics Model (figure)
The model distinguishes proactive forensics from reactive forensics. Stages shown: Detect, Identify, Preserve, Research, Extract, Solve; Capture, Data Aggregation, Data Validation, Data Analysis, Data Confirmation.
Network Elements (figure)
PC, Laptop, Web Server, Mail Server, DB Server, Firewall, IDS / IPS, Switch, Router, Wifi Router, Access Point, MX, Proxy, Relay
Network Forensics
• Systematic capture and analysis of network events and traffic in order to trace and prove a network incident.
– Online capture and analysis
– Offline analysis
Online Analysis of Network Traffic
• Network-based evidence complements host-based evidence.
• Network traffic can be used to show a timed sequence of a user's network activities.
• Suspicious network activities can be monitored in real time.
Online Analysis of Network Traffic (cont'd)
• Network traffic also enables an investigator to extract information that is difficult to obtain from host-based evidence, such as
– IP addresses and other identity information a user uses
– Passwords (where the protocol carries them in the clear)
• Specialized knowledge and tools are required to process network traffic as a source of evidence.
• In general, there is only one chance to capture real-time network data from a network.
Online Monitoring
• If you need online analysis of the network you need to capture packets.
• Network traffic analysis requires online capturing and analysis of packets in real time.
• Used in stateful analysis by:
– IPS
– IDS
– Firewall
Capturing
• Network traffic flow analysis
• Capturing network traffic using:
– TAPs
– Inline devices
– Hubs
– SPAN ports
TAPs
• Test Access Point
• Devices specially built for accessing traffic between network devices
• Usually pre-installed at important traffic points
• Physical devices that copy traffic at the physical layer, so the monitor sees every bit on the link, including malformed frames that a switch would drop
• A passive TAP is designed to keep the monitored link up even if the TAP or the attached monitor loses power

TAPs (figure)
Inline device
• Similar to a TAP, but implemented using a computer with at least two bridged NICs
• The two devices being monitored are connected to these two NICs
• Traffic through the bridged NICs is available to the computer, or to another device connected to an extra NIC
• Inline devices are also used to enforce access control (a bridging firewall or IPS is an inline device)
• Caveat: unlike a passive TAP, an inline device that crashes or loses power cuts the link unless it has a fail-open bypass
Hub
• The simplest and cheapest way to gain access to network traffic
• A hub forwards frames to all ports.
• A monitoring station, connected to one of the ports, sees all traffic passing through the hub.
• Caveat: a hub is a shared half-duplex medium, so it reduces throughput and causes collisions on the monitored link; it is rarely an option on modern full-duplex networks.
SPAN Port - Switched Port Analyzer (Port Mirroring)
• Provided on managed switches
• A switch can be configured to copy one or more switch ports (or VLANs) to a dedicated port.
• A capture device connected to the SPAN port sees traffic flowing through the specified switch ports.
• A SPAN port only copies valid network packets. Error packets (bad CRC, runts) may be ignored and not copied.
• A SPAN port can be oversubscribed: mirroring both directions of a full-duplex link onto one port of the same speed drops frames under load, so a SPAN capture is not guaranteed to be complete.
Collecting Network Traffic as Evidence
• Position the sensor properly
• Consider the perimeter monitoring scenario shown in the figure
– The perimeter is the easiest place to monitor
– However, a sensor placed there may not be able to see all the traffic an analyst needs to understand the scope of an intrusion (internal lateral movement never crosses it)
• Alternative deployments are shown on the following slides
Collecting Network Traffic as Evidence
• At left (figure) we monitor the perimeter (via tap) and the DMZ (via switch SPAN)
• At right we add a filtering bridge/sensor to watch and/or control a high value target

Collecting Network Traffic as Evidence
• Don't forget to accommodate address translation issues: a sensor outside the NAT gateway sees only the translated addresses
• Here (figure) we add a second interface behind the gateway so internal addresses are captured as well

Collecting Network Traffic as Evidence
• This network (figure) shows a variety of instrumentation options

Collecting Network Traffic as Evidence
• Verify the sensor collects traffic as expected: generate known test traffic (e.g. a ping or HTTP request to a host behind the monitored link) and confirm it appears in the capture, in both directions
Collecting Network Traffic as Evidence
• Consider using Network Security Monitoring principles to guide your data collection strategies
– Alert data (Snort, other IDSs)
  • Traditional IDS alerts or judgments ("RPC call!")
  • Context-sensitive, either by signature or anomaly
– Full content data (Tcpdump)
  • All packet details, including application layer
  • Expensive to save, but always the most granular analysis
– Session data (Argus, SANCP, NetFlow)
  • Summaries of conversations between systems
  • Content-neutral, compact; encryption is no problem
– Statistical data (Capinfos, Tcpdstat)
  • Descriptive, high-level view of aggregated events
• Sguil (www.sguil.net) is an interface to much of this in a single open source suite
Protecting and Preserving Network-Based Evidence
• Hash traces after collection and store the hashes elsewhere
• Understand forms of evidence
• Copy evidence to read-only media when possible
• Create derivative evidence
• Follow chains of evidence
Protecting and Preserving Network-Based Evidence
• Understand forms of evidence
• Best evidence should, to the extent practically possible, never be analyzed directly.
– Rather, investigators should make working copies of the best evidence, and analyze those duplicates.
– Network traffic saved on a sensor is the best evidence available.
– Copies of that traffic transferred to a central location become working copies.
Protecting and Preserving Network-Based Evidence
Create derivative evidence
1. Ensure you have a hash of the original file stored in a safe location.
2. After verifying the hashes match, use the desired packet analysis tool to extract packets of interest to a new file and directory.
3. Hash the resulting file.
4. Make multiple copies of the new local evidence file, and analyze them at will.
5. Document these steps on both platforms.
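The five steps above, carried out end to end on a capture file. This is an added example written for this page, not code from the slides: it builds a small pcap in memory (constructed sample frames, not a real capture), hashes it as the "original", verifies that hash before touching it, extracts the packets involving one host of interest into a derivative pcap, hashes the derivative, and appends each action to a custody log. The host addresses, timestamps and frame contents are invented for the example; the pcap header layout (24-byte global header, 16-byte record headers) is the real classic pcap format.

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, payload=b""):
    """Construct a minimal Ethernet II + IPv4 frame (sample data, not a real capture).
    No transport header is included; only the IP addresses matter for the filter."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + payload


def write_pcap(frames):
    """Serialise frames as a pcap byte string: 24-byte global header, then one
    16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("=IIII", 1_700_000_000, i, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (record_header, frame) pairs; the record header is kept so the
    original timestamps survive into any derivative file."""
    if struct.unpack("=I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a pcap file in native byte order")
    pos = 24
    while pos + 16 <= len(data):
        hdr = data[pos:pos + 16]
        incl_len = struct.unpack("=IIII", hdr)[2]
        pos += 16
        yield hdr, data[pos:pos + incl_len]
        pos += incl_len


def ipv4_addrs(frame):
    """Source and destination IPv4 addresses of an Ethernet II frame
    (IP header starts at offset 14; src at +12, dst at +16)."""
    return (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])))


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def derive_evidence(original, stored_hash, host, custody_log):
    """Steps 1-4 of the procedure: re-hash the best evidence and compare with the
    hash stored at collection time, extract the packets of interest into a new
    capture, hash that file, and record every action in the custody log."""
    actual = sha256(original)
    if actual != stored_hash:
        raise ValueError("original capture does not match the stored hash; stop and document")
    custody_log.append(f"verified original sha256={actual}")
    kept = [hdr + frame for hdr, frame in read_pcap(original) if host in ipv4_addrs(frame)]
    derivative = original[:24] + b"".join(kept)      # same global header, subset of records
    dhash = sha256(derivative)
    custody_log.append(f"extracted {len(kept)} packets involving {host}; derivative sha256={dhash}")
    return derivative, dhash


if __name__ == "__main__":
    # Constructed capture: three frames, two of which involve the host of interest.
    capture = write_pcap([
        build_frame("10.0.0.5", "192.0.2.10", b"GET / HTTP/1.0\r\n"),
        build_frame("10.0.0.7", "192.0.2.20"),
        build_frame("192.0.2.10", "10.0.0.5", b"HTTP/1.0 200 OK\r\n"),
    ])
    stored = sha256(capture)        # step 1: this value lives in the evidence register
    log = []
    derivative, dhash = derive_evidence(capture, stored, "192.0.2.10", log)
    print("\n".join(log))
```

The derivative keeps the original record headers, so timestamps and captured lengths are preserved, and the custody log entries are what step 5 asks you to document. If the stored hash does not match, the function refuses to proceed rather than silently working from evidence that may have changed.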
Analyzing Network-Based Evidence
• Validate results with more than one system
• Beware of malicious traffic
• Document not just what you find, but how you found it
• Follow a methodology
Trends
• Significant increase in network-based DoS attacks over the last year
– Attackers' growing accessibility to networks
– Growing number of organizations connected to networks
• Vulnerability
– Most networks have not implemented spoof prevention filters (ingress filtering, BCP 38)
– Very little protection currently implemented against attacks
Goals of Attacks
• Prevent another user from using a network connection
– "Smurf" attacks, "pepsi" (UDP floods), ping floods
• Disable a host or service
– "Land", "Teardrop", "Bonk", "Boink", SYN flooding, "Ping of death"
• Traffic monitoring
– Sniffing
"Smurfing"
• Very dangerous attack
– Network-based, fills access pipes
– Uses ICMP echo/reply packets with broadcast networks to multiply traffic
– Requires the ability to send spoofed packets
• Abuses "bounce-sites" to attack victims
– Traffic multiplied by a factor of 50 to 200
– Low-bandwidth source can kill high-bandwidth connections
• Similar to ping flooding and UDP flooding, but more dangerous due to traffic multiplication
"Smurfing" (cont'd)
Figure: the perpetrator sends ICMP echo requests, with the victim's spoofed source address, to the bounce site's IP broadcast address; every host on that network sends its ICMP echo reply across the Internet to the victim.
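What the exchange in the figure looks like in a capture taken at the bounce site, and how to spot it. This is an added example, not part of the slides: it takes ICMP packet summaries as (src, dst, type) tuples (constructed sample data, invented addresses), derives the site's broadcast addresses from its prefixes, counts echo requests aimed at a broadcast address, counts the replies the site's hosts sent back to that address, and reports the amplification factor. A request whose source lies outside the local prefixes is flagged as spoofed, since that source is the real victim.

```python
import ipaddress
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8


def analyse_smurf(packets, local_networks):
    """packets: (src, dst, icmp_type) tuples captured on the bounce site's network.
    local_networks: the site's own prefixes, used to derive broadcast addresses.
    Returns, per address that appeared as the source of an echo request to a
    broadcast address: request count, echo replies sent back to it, the resulting
    amplification factor, and whether that source lies outside the local networks
    (a strong sign the source address was spoofed and is the real victim)."""
    nets = [ipaddress.ip_network(n) for n in local_networks]
    broadcast = {str(n.broadcast_address) for n in nets}

    def is_local(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    requests, replies = Counter(), Counter()
    for src, dst, itype in packets:
        if itype == ECHO_REQUEST and dst in broadcast:
            requests[src] += 1
    for src, dst, itype in packets:            # second pass, so capture order does not matter
        if itype == ECHO_REPLY and dst in requests and is_local(src):
            replies[dst] += 1

    report = {}
    for victim, n in requests.items():
        report[victim] = {
            "requests": n,
            "replies": replies[victim],
            "amplification": replies[victim] / n,
            "spoofed_external_source": not is_local(victim),
        }
    return report


def smurf_sample():
    """Constructed traffic: two spoofed requests to the directed broadcast address,
    each answered by ten local hosts, plus a legitimate local broadcast ping."""
    pkts = []
    for _ in range(2):
        pkts.append(("203.0.113.9", "192.0.2.255", ECHO_REQUEST))   # spoofed: victim is 203.0.113.9
        pkts += [(f"192.0.2.{h}", "203.0.113.9", ECHO_REPLY) for h in range(10, 20)]
    pkts.append(("192.0.2.1", "192.0.2.255", ECHO_REQUEST))         # local admin pinging the segment
    pkts += [(f"192.0.2.{h}", "192.0.2.1", ECHO_REPLY) for h in range(10, 13)]
    return pkts


if __name__ == "__main__":
    for victim, stats in analyse_smurf(smurf_sample(), ["192.0.2.0/24"]).items():
        print(victim, stats)
```

The amplification figure is the bounce site's contribution to the flood; the fix on the bounce side is to stop forwarding directed broadcasts at the router, and on the source side to apply ingress filtering so spoofed packets never leave their network.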
"Smurfing" trend
• Smurf attacks are still "in style" for attackers
• Significant advances made in reducing the effects
– Education campaigns through white papers and other education by NOCs have reduced the average "smurf" attack from 80 Mbits/sec to 5 Mbits/sec
• Most attacks can still inundate a T1 link
"Teardrop", "Bonk", "Boink", "Ping of Death"
• Goal is to severely impair or disable a host or its IP stack
• Use packet fragmentation and reassembly vulnerabilities: overlapping fragment offsets, or a reassembled datagram larger than the 65535-byte IP maximum
• Require only that the host's IP stack be able to receive a packet from the attacker; no listening service is needed
SYN flooding
• Goal is to deny access to a TCP service running on a host
• Creates a number of half-open TCP connections which fill up the host's listen queue; the host stops accepting new connections
• Requires only that the TCP service be reachable from the attacker; the SYNs usually carry spoofed source addresses so that the handshake is never completed
• Caveat: SYN cookies and larger backlogs in modern stacks raise the bar, but a large enough flood still exhausts the link or the server
Sniffing
• Goal is generally to obtain information
– Account usernames, passwords
– Source code, business-critical information
• Usually a program placing an Ethernet adapter into promiscuous mode and saving information for retrieval later
• The host running the sniffer is usually first compromised using host attack methods.
• On a switched network, promiscuous mode alone only shows the host's own traffic and broadcasts; attackers combine it with ARP spoofing to redirect other hosts' traffic through the sniffer.
Network Packet Analysis

Packet Switched Networks
• Each message is divided into small data blocks called packets
• Packets are stored and forwarded by intermediate nodes
• Packets from different nodes and processes get intermixed in the network
• Packets may follow different routes; each node forwards along its current shortest path to the destination
Packet Route (figure: the sender process, a chain of routers, and the receiver process; consecutive packets of one message may take different routes)
Benefits
• No user can monopolise the link for long time
• Network traffic load balancing
• Doesn’t waste resources of network
• No congestion at connection setup time
Drawbacks
• Packets may arrive out of order. Message needs to be re-assembled at receiving end.
• May cause delay in real-time applications (audio/video)
• Service is not guaranteed
Packet
– A formatted block of data carried by a computer network
– The Internet and LANs use packet technology to transfer data
– Key components are the header and the data (figure: Header | Data)
Data
• Information to be conveyed between sender and the receiver
• It can be text or binary– Images, documents, web page, email …
• It may be small enough to store in a single packet or else it has to be split and stored in multiple packets
Header
• Meta information added to the data
• With the help of the header, the data reaches the destination correctly
• The header contains address, length, type, error detection code, packet order, status flags, ...
Why is a header needed?
• To ensure delivery to the right receiver
• To ensure correctness and order of data
• Proper routing of packets
Packetisation (figure)
A sender process (e.g. Internet Explorer) hands a message to the TCP/IP protocol stack, which splits it into packets, each carrying its own headers (H1, H2), and passes them to the network interface card (NIC) and onto the communication link; the receiver's NIC and protocol stack reassemble the packets into the message for the receiving process (e.g. a web server).
Protocol Suite
• Collection of protocols to deliver data
• Eg. TCP/IP, Xerox XNS, DECnet, AppleTalk
Layer models compared (figure, layers listed top to bottom):
– TCP/IP: Application, Transport, Internet, Link
– ISO/OSI: Application, Presentation, Session, Transport, Network, Data Link, Physical
– Xerox XNS: Level 4+, Level 3, Level 2, Level 1, Level 0
TCP/IP Layers - Link Layer
• Main responsibility is to move the packet between hosts through the physical medium
• The network interface card and its device driver do this
• Adds the link layer specific address and other details to the packet
• Has a mechanism (ARP) to resolve the physical address from the logical address in broadcast networks
• Characteristics of the communication signal are handled here
TCP/IP Layers - Network Layer
• Main responsibility is to move the packet between networks to reach the final destination (routing)
• IP is an unreliable, best-effort protocol; higher layers have to add reliability
• Handles fragmentation and reassembly of packets when they pass through networks with different maximum packet sizes
• Facility for error handling and diagnosis: a special protocol (ICMP) conveys intermediate node status and errors that occurred
TCP/IP Layers - Transport Layer
• End-to-end message transfer facility, or process-to-process communication
• Has facilities for flow control and error control
• This layer can add reliability to the data transferred
• Splits large data into small chunks for the network layer
• This layer associates the packet with a particular application through ports
• A port is a logical address; it has nothing to do with the physical ports present on a computer.
TCP/IP Layers - Application Layer
• Handles the details of particular application, eg. Email, web
• Adds meta information to the actual data to send (or Formats the data)
• This formatted message is encapsulated in transport layer protocol
• The respective applications can interpret this message
• The message may be plain text or binary and can be encrypted or compressed
TCP/IP stack with sample protocols (figure)
• Application: HTTP, SMTP, POP3, FTP, Telnet, DNS
• Transport: TCP, UDP
• Internet: IP, ICMP
• Link: Ethernet, FDDI, SLIP, PPP, ARP, RARP
The way a packet is formed (Encapsulation)
Figure: the HTTP message is wrapped in a TCP header (transport layer), the TCP segment in an IP header (network layer), and the IP packet in an Ethernet header and trailer (link layer). Each layer's header is added in that order on sending and stripped in the reverse order on receiving.
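Encapsulation in the other direction: a decoder that peels Ethernet, IPv4 and TCP headers off a frame and hands back the application bytes, which is the first thing any packet analysis tool does. This is an added example, not code from the slides. The frame it decodes is constructed inline (invented MAC and IP addresses, a made-up HTTP request), built inside out exactly as the figure describes, including a valid IPv4 header checksum so the decoder's checksum verification has something real to check.

```python
import struct

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame):
    """Strip the headers in the reverse of the order they were added: Ethernet,
    IPv4, TCP, then the application bytes. Each layer is returned under its own key."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"src": mac(src), "dst": mac(dst), "type": ethertype}
    if ethertype != 0x0800:                      # not IPv4: stop at the link layer
        return layers
    ip = frame[14:]
    vihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    layers["ipv4"] = {
        "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
        "id": ident, "ttl": ttl, "proto": proto, "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000), "frag_offset": (flags_frag & 0x1FFF) * 8,
        "checksum_ok": ip_checksum(ip[:ihl]) == 0,   # a correct header sums to zero
    }
    if proto != 6:                               # not TCP: stop at the network layer
        return layers
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    layers["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
        "flags": [name for bit, name in TCP_FLAG_NAMES.items() if off_flags & bit],
    }
    layers["payload"] = tcp[data_off:]           # what the application layer gets
    return layers


def build_http_frame(payload=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"):
    """Constructed sample frame, built inside out: TCP around the HTTP request,
    IPv4 around TCP (with a valid header checksum), Ethernet around IPv4."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                             bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    ip = ip_no_csum[:10] + struct.pack("!H", ip_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth + ip + tcp


if __name__ == "__main__":
    for layer, fields in decode_frame(build_http_frame()).items():
        print(layer, fields)
```

The Ethernet trailer (frame check sequence) is normally stripped by the NIC before capture, which is why the decoder does not look for it. A header whose checksum does not verify is worth noting in an analysis: it is either corruption, a capture taken before the NIC filled the checksum in (offload), or a crafted packet.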
Packet Analysis
Uses of Packet Analysis
• Forensics analysis
• Troubleshooting and debugging
• Collect sensitive information
• Misuse detection
• Gather network statistics
Forensics analysis
• To collect evidence
• To track the source of an attack
• To learn the attacker's behavior
Troubleshooting and debugging
• Debugging network applications
• Troubleshooting network problems
Collect sensitive information
• Passwords
• Emails
• Other confidential data
Misuse detection
• Company policy violation
– Accessing restricted sites
– Bandwidth misuse
• Email spoofing
• IP spoofing
• ARP spoofing
Gather network statistics
• To collect bandwidth utilization information
• To find misbehaving nodes in the network
Packet Analysis Methods
• Manual inspection
• Filtering
• Statistics
• Session reconstruction
Manual Inspection
• Text search
• Binary pattern search
• Packet inspection
• Protocol verification
Filtering
• Filtering based on
– MAC
– IP
– Date, time
– Pattern
• Combinations of the above
– Packets between a particular date and time
– Packets from a particular IP
• Complex filter expressions
Statistics
• Based on
– Bandwidth utilization
– IP
– Date and time
– Protocol (Email, FTP, HTTP, ...)
• Eg. Top mail sender
Statistics based analysis (figures)
– Mail traffic of individuals (nodes 1.1.1.1 to 1.1.1.4) on different days
– Data traffic (MBytes/sec over time) to different servers
Session reconstruction
• TCP session reconstruction
– Images, emails and other files
• UDP stream reconstruction
– Streamed video, audio, VoIP and other types of communications
Figure: Packet 1, P2, P3, ..., Pn are reassembled into File 1, F2, ..., Fm
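TCP session reconstruction as the figure shows it: packets in, files out. This is an added example, not code from the slides. It takes segment summaries as (src, sport, dst, dport, seq, payload) tuples, groups each direction of each session, orders the segments by sequence number, drops retransmitted bytes and counts holes where the sensor missed a segment, then pulls the file out of the reconstructed HTTP response using its Content-Length. The session (addresses, a tiny GIF-like body split across out-of-order segments with one retransmission) is constructed inline for the example.

```python
from collections import defaultdict


def reassemble_streams(segments):
    """segments: (src, sport, dst, dport, seq, payload) in capture order.
    Groups payload-carrying segments per direction of each TCP session, orders them
    by sequence number, drops retransmissions, trims overlapping bytes, and counts
    holes (segments the sensor never saw). Returns {direction_key: (bytes, holes)}."""
    by_dir = defaultdict(list)
    for src, sport, dst, dport, seq, data in segments:
        if data:
            by_dir[(src, sport, dst, dport)].append((seq, data))
    streams = {}
    for key, segs in by_dir.items():
        segs.sort(key=lambda s: s[0])
        buf, holes = bytearray(), 0
        expected = segs[0][0]
        for seq, data in segs:
            end = seq + len(data)
            if end <= expected:
                continue                                    # full retransmission, already have it
            if seq < expected:
                data, seq = data[expected - seq:], expected   # partial overlap: keep the first copy
            if seq > expected:
                holes += 1                                  # missing bytes; do not invent them
            buf += data
            expected = end
        streams[key] = (bytes(buf), holes)
    return streams


def extract_http_body(stream):
    """Pull the file carried in an HTTP response out of a reassembled server->client stream."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value)
    return rest[:length] if length is not None else rest


def sample_segments():
    """Constructed session: a request, then a response whose body (a GIF signature
    followed by filler bytes) is split across three segments delivered out of order,
    with the middle one retransmitted. Returns the segments and the original body."""
    body = b"GIF89a" + bytes(range(256)) * 2
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(body) + body)
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 80)
    chunks = [resp[:100], resp[100:400], resp[400:]]
    seq0 = 700000
    segs = [(c[0], c[1], s[0], s[1], 1000, b"GET /logo.gif HTTP/1.1\r\nHost: x\r\n\r\n")]
    segs.append((s[0], s[1], c[0], c[1], seq0 + 400, chunks[2]))   # last chunk arrives first
    segs.append((s[0], s[1], c[0], c[1], seq0 + 100, chunks[1]))
    segs.append((s[0], s[1], c[0], c[1], seq0, chunks[0]))
    segs.append((s[0], s[1], c[0], c[1], seq0 + 100, chunks[1]))   # retransmission
    return segs, body


if __name__ == "__main__":
    segs, body = sample_segments()
    data, holes = reassemble_streams(segs)[("192.0.2.10", 80, "10.0.0.5", 40000)]
    print("holes:", holes, "file intact:", extract_http_body(data) == body)
```

The hole count matters for evidence: a reconstructed file from a stream with holes is incomplete, and the gap should be reported rather than papered over. Real captures also need the FIN/RST handling and per-session timeouts that a full reassembler (Wireshark's "Follow TCP Stream", for instance) provides.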
Network Forensics

Computer Forensics VS Network Forensics (figure)
Legal Issues
• You may not be able to use hacker techniques against the attacker ("hacking back" is generally itself an offence)
• Laws for gathering evidence are confusing
• Logs may or may not be admissible
• The perpetrator may or may not be prosecutable
• It is important to know about:
– Local laws on computer-related crimes
– Legal processes and how to build a criminal case
Network Traffic
Network Forensics Procedure (figure)
Live Analysis
• Allows for collection of data from volatile locations such as RAM and cache.
• Often will provide extremely useful data.
• Requires running (or installing) software on the system to capture data, which itself changes memory and disk state, possibly overwriting critical data and spoiling the "preservation" of the system.
Live Forensics - Goals
• Gathers data from running systems
• Diagnosing your system without killing it first
• Snapshot of the state of the computer: what's happening now? who is doing what?
Live Forensics (figure)

Live / Volatile Data (figure)
Gathering Data (listed from more volatile to less volatile; collect in that order)
• Volatile data
– registers, cache contents
– memory contents
– network connections
– running processes
• Non-volatile data
– content of filesystems and drives
– content of removable media
Presentation And Preservation
Typical Scenario
• "Dead" forensics information is incomplete
– discovered to be incomplete
– predicted to be incomplete
• Non-local attacker, or local user using the network in an inappropriate fashion
• Generally, another event triggers the network investigation:
– Company documents apparently stolen
– Denial of service attack
– Suspected unauthorized use of file-sharing software
– "Cyberstalking" or threatening email
Information Available
• Summary information (router flow logs)
– Routers generally provide this information
– Includes basic connection information
  • source and destination IP address and ports
  • connection duration
  • number of packets sent
– No content! Can only surmise what was sent
– Can establish that connections between machines were established
– Can corroborate data from log files (e.g., ssh'ing from one machine to another to another within a network)
– Unusual ports (rootkits? botnet?)
– Unusual activity (spam generator?)
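What the summary information looks like once it is built, and the two checks the list ends with. This is an added example, not from the slides: it turns packet summaries (ts, src, sport, dst, dport, proto, length) into flow records with the fields a router's flow export carries (endpoints, first and last seen, packet and byte counts, no content), then flags connections to unexpected server ports and a host that opens SMTP sessions to an unusual number of different servers. The traffic is constructed inline with invented addresses; the port allow-list and the fan-out threshold are assumed tuning parameters, and "client" is taken to be whichever side sent the first packet the sensor saw.

```python
from collections import defaultdict


def summarise_flows(packets):
    """packets: (ts, src, sport, dst, dport, proto, length). Builds one record per
    5-tuple with both directions merged: first/last timestamp, packet and byte
    counts, and the (client, server, server_port) of the first packet seen."""
    flows = {}
    for ts, src, sport, dst, dport, proto, length in packets:
        a, b = (src, sport), (dst, dport)
        key = (proto, *min(a, b), *max(a, b))            # direction-independent key
        f = flows.setdefault(key, {
            "proto": proto, "first": ts, "last": ts, "packets": 0, "bytes": 0,
            "client": src, "server": dst, "server_port": dport,
        })
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        f["packets"] += 1
        f["bytes"] += length
    for f in flows.values():
        f["duration"] = f["last"] - f["first"]
    return list(flows.values())


def flag_flows(flows, expected_ports=frozenset({22, 25, 53, 80, 443}), mail_fanout=20):
    """Heuristics from the slide: TCP flows to server ports outside the allow-list,
    and a single host opening SMTP sessions to many distinct servers (spam generator)."""
    findings = []
    smtp_peers = defaultdict(set)
    for f in flows:
        if f["proto"] != 6:
            continue
        if f["server_port"] not in expected_ports:
            findings.append(f"unusual port: {f['client']} -> {f['server']}:{f['server_port']}")
        if f["server_port"] == 25:
            smtp_peers[f["client"]].add(f["server"])
    for host, peers in smtp_peers.items():
        if len(peers) >= mail_fanout:
            findings.append(f"possible spam generator: {host} opened SMTP to {len(peers)} servers")
    return findings


def sample_packets():
    """Constructed traffic: one normal HTTPS session, one long-lived connection to an
    odd port, and a workstation talking SMTP to thirty different mail servers."""
    pkts = [
        (100.0, "10.0.0.5", 40000, "192.0.2.10", 443, 6, 80),
        (100.1, "192.0.2.10", 443, "10.0.0.5", 40000, 6, 1400),
        (100.2, "10.0.0.5", 40000, "192.0.2.10", 443, 6, 60),
        (200.0, "10.0.0.8", 40001, "198.51.100.7", 31337, 6, 60),
        (260.0, "198.51.100.7", 31337, "10.0.0.8", 40001, 6, 60),
    ]
    for i in range(30):
        pkts.append((300.0 + i, "10.0.0.9", 41000 + i, f"203.0.113.{i + 1}", 25, 6, 120))
    return pkts


if __name__ == "__main__":
    flows = summarise_flows(sample_packets())
    print(len(flows), "flows")
    for finding in flag_flows(flows):
        print(finding)
```

Flow records are cheap to keep for months, which is why they are usually the first place to look when the incident predates any full-content capture; the findings they produce are leads to confirm against host logs, not proof of what was transferred.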
Information Available (2)
• Complete information (packet dumps)
– from programs like Ethereal/Wireshark, snort, tcpdump
– on an active net, can generate a LOT of data
– can provide filter options so programs only capture certain traffic (by IP, port, protocol)
– includes full content: can reconstruct what happened (maybe)
– reconstruct sessions
– reconstruct transmitted files
– retrieve typed passwords
– identify which resources are involved in an attack
– BUT no easy way to decrypt encrypted traffic
Information Available (3)
• Port scans (nmap, etc.)
– Identifies machines on your network
  • Often can identify operating system, printer type, etc., without needing an account on the machine
  • "OS fingerprinting"
– Identifies ports open on those machines
  • Backdoors, unauthorized servers, ...
– Identifies suspicious situations (infected machine, rogue computer, etc.)
– nmap: lots of options
![Page 92: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/92.jpg)
Analysis
• Does not exist in a vacuum
• Link information in analysis to network and host log files
  – who was on the network
  – who was at the keyboard
  – what files are on the disk and where
• Look up the other sites (who are they, where are they, what’s the connection)
• Otherwise, network traces can be overwhelming
• Potentially huge amounts of data
• Limited automation!
![Page 93: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/93.jpg)
Normal ICMP Traffic (tcpdump)
• Pings

```
IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6400
IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6400
IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6656
IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6656
IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6912
IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6912
IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 7168
IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 7168
```

• Host unreachable

```
xyz.com > boudin.cs.uno.edu: icmp: host blarg.xyz.com unreachable
```

• Port unreachable

```
xyz.com > boudin.cs.uno.edu: icmp: blarg.xyz.com port 7777 unreachable
```
![Page 94: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/94.jpg)
HTTP Connections
• 3-way TCP handshake as laptop begins HTTP communication with a google.com server

```
IP tasso.1433 > qb-in-f104.google.com.80: S 3064253594:3064253594(0) win 16384 <mss 1460,nop,nop,sackOK>
IP qb-in-f104.google.com.80 > tasso.1433: S 2967044073:2967044073(0) ack 3064253595 win 8190 <mss 1460>
IP tasso.1433 > qb-in-f104.google.com.80: . ack 1 win 17520
```
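The three lines above are enough to verify that the handshake is genuine: the SYN-ACK must acknowledge the client's initial sequence number plus one, and the final ACK (which tcpdump prints relative, as `ack 1`) completes it. The following added example, written for this page rather than taken from the slides or from tcpdump, parses the legacy tcpdump TCP syntax shown here and tracks each connection through SYN, SYN-ACK and ACK; anything that stalls short of established is half-open, which is what an unanswered probe or a lost peer looks like in a trace. A fourth, constructed line (a SYN to `192.0.2.10` that is never answered) is added to show that case; the parser only handles the flag notation visible on the slide.

```python
"""Added example: verifying a tcpdump three-way handshake and spotting half-open ones.

Covers only the legacy tcpdump flag syntax on the slide (S, ., ack N). Example
code for this page, not part of tcpdump. The fourth sample line is constructed.
"""
import re
from typing import Dict, List, Optional

TCP_RE = re.compile(
    r"^IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?"     # absolute ISN on SYN segments
    r"(?: ack (?P<ack>\d+))?"
    r" win \d+")


def parse_tcp(line: str) -> Optional[dict]:
    """Pull endpoints, SYN flag, sequence and ack numbers out of one tcpdump line."""
    m = TCP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": f'{d["src"]}:{d["sport"]}',
        "dst": f'{d["dst"]}:{d["dport"]}',
        "syn": "S" in d["flags"],
        "seq": int(d["seq"]) if d["seq"] else None,
        "ack": int(d["ack"]) if d["ack"] else None,
    }


def handshake_states(lines: List[str]) -> Dict[str, str]:
    """Track each client->server pair through SYN, SYN-ACK and the final ACK.
    State per connection: 'syn-sent', 'syn-received' or 'established'.
    Anything left short of 'established' is half-open."""
    state: Dict[str, str] = {}
    client_isn: Dict[str, int] = {}
    for line in lines:
        p = parse_tcp(line)
        if p is None:
            continue
        fwd = f'{p["src"]}->{p["dst"]}'
        rev = f'{p["dst"]}->{p["src"]}'
        if p["syn"] and p["ack"] is None:
            state[fwd] = "syn-sent"
            client_isn[fwd] = p["seq"]
        elif p["syn"] and state.get(rev) == "syn-sent":
            # A SYN-ACK must acknowledge exactly ISN + 1 to be a reply to our SYN.
            if p["ack"] == client_isn[rev] + 1:
                state[rev] = "syn-received"
        elif not p["syn"] and state.get(fwd) == "syn-received":
            # tcpdump switches to relative numbers here: ack 1 = server ISN + 1.
            if p["ack"] == 1:
                state[fwd] = "established"
    return state


def half_open(lines: List[str]) -> List[str]:
    """Connections that never completed the handshake."""
    return [k for k, v in handshake_states(lines).items() if v != "established"]


# The three lines from the slide, plus a constructed SYN that is never answered.
HANDSHAKE = [
    "IP tasso.1433 > qb-in-f104.google.com.80: S 3064253594:3064253594(0) win 16384 <mss 1460,nop,nop,sackOK>",
    "IP qb-in-f104.google.com.80 > tasso.1433: S 2967044073:2967044073(0) ack 3064253595 win 8190 <mss 1460>",
    "IP tasso.1433 > qb-in-f104.google.com.80: . ack 1 win 17520",
    "IP tasso.1434 > 192.0.2.10.23: S 1111111111:1111111111(0) win 16384 <mss 1460>",  # constructed
]

if __name__ == "__main__":
    for conn, st in handshake_states(HANDSHAKE).items():
        print(f"{conn}: {st}")
    print("half-open:", half_open(HANDSHAKE))
```

A burst of `syn-sent` entries from one source to many ports is the trace-level shape of the port scans discussed a few slides on.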
![Page 95: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/95.jpg)
Fragmentation Visualization
• Fragmentation can be seen by tcpdump

```
whatever.com > me.com: icmp: echo request (frag 5000:1400@0+)
whatever.com > me.com: (frag 5000:1000@1400)
```

• The frag field reads ID:size@offset; a trailing + is the “more fragments” flag
• Note that the 2nd fragment isn’t identifiable as an ICMP echo request…
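Both tcpdump views above (the ping pairs and the fragment notation) are regular enough to check mechanically. The following added example, written for this page and not part of tcpdump, does two things over tcpdump-style lines: it pairs ICMP echo requests with replies by sequence number and reports requests that were never answered, and it decodes the `(frag ID:size@offset+)` field into its four parts and decides whether a fragment set is complete (contiguous from offset 0, last piece without the `+`). The sample lines are those on the slides, with one reply dropped and one constructed extra datagram (`frag 5001`) whose tail never arrives, so that both failure cases show.

```python
"""Added example: parsing tcpdump's ICMP echo and fragment notation.

Example code for this page, not tcpdump's own parser. Sample lines come from the
slides; the seq 7168 reply is omitted and datagram 5001 is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

ECHO_RE = re.compile(
    r"^IP (?P<src>\S+) > (?P<dst>\S+): icmp \d+: echo (?P<kind>request|reply) seq (?P<seq>\d+)$")
FRAG_RE = re.compile(
    r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<offset>\d+)(?P<more>\+?)\)")


def unanswered_pings(lines: List[str]) -> List[Tuple[str, str, int]]:
    """(src, dst, seq) of echo requests that never saw a matching reply."""
    pending: Dict[Tuple[str, str, int], None] = {}
    for line in lines:
        m = ECHO_RE.match(line.strip())
        if not m:
            continue
        seq = int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], seq)] = None
        else:
            # A reply travels dst -> src relative to the request it answers.
            pending.pop((m["dst"], m["src"], seq), None)
    return list(pending)


def parse_frag(line: str) -> Optional[dict]:
    """Decode the frag field: ID:size@offset, '+' meaning more fragments follow."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    return {"id": int(m["id"]), "size": int(m["size"]),
            "offset": int(m["offset"]), "more": m["more"] == "+"}


def check_reassembly(lines: List[str]) -> Dict[int, dict]:
    """Group fragments by ID; a datagram is complete when its fragments are
    contiguous from offset 0 and the last one does not carry the '+' flag."""
    groups: Dict[int, List[dict]] = {}
    for line in lines:
        f = parse_frag(line)
        if f:
            groups.setdefault(f["id"], []).append(f)
    result = {}
    for fid, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        expected, complete = 0, True
        for f in frags:
            if f["offset"] != expected:        # gap or overlap
                complete = False
                break
            expected += f["size"]
        if complete and frags[-1]["more"]:     # still waiting for the final piece
            complete = False
        result[fid] = {"fragments": len(frags), "total_bytes": expected, "complete": complete}
    return result


PING_LINES = [
    "IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6400",
    "IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6400",
    "IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6656",
    "IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6656",
    "IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 7168",   # reply dropped
]
FRAG_LINES = [
    "whatever.com > me.com: icmp: echo request (frag 5000:1400@0+)",
    "whatever.com > me.com: (frag 5000:1000@1400)",
    "whatever.com > me.com: icmp: echo request (frag 5001:1400@0+)",   # constructed, tail missing
]

if __name__ == "__main__":
    print("unanswered:", unanswered_pings(PING_LINES))
    print("reassembly:", check_reassembly(FRAG_LINES))
```

The reassembly check is also why the slide's remark matters for detection: only the first fragment carries the ICMP header, so a filter that inspects `icmp: echo request` alone never sees the bytes in the second one.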
![Page 96: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/96.jpg)
nmap 137.30.120.*

```
Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-10-24 19:32
Interesting ports on 137.30.120.1:
Not shown: 1679 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:0D:ED:41:A8:40 (Cisco Systems)
All 1680 scanned ports on 137.30.120.3 are closed
MAC Address: 00:0F:8F:34:7E:C2 (Cisco Systems)
All 1680 scanned ports on 137.30.120.4 are closed
MAC Address: 00:13:C3:13:B4:41 (Cisco Systems)
All 1680 scanned ports on 137.30.120.5 are closed
MAC Address: 00:0F:90:84:13:41 (Cisco Systems)
……
```
![Page 97: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/97.jpg)
nmap 137.30.120.*

```
Interesting ports on mailsvcs.cs.uno.edu (137.30.120.32):
Not shown: 1644 closed ports
PORT    STATE SERVICE
7/tcp   open  echo
9/tcp   open  discard
13/tcp  open  daytime
19/tcp  open  chargen
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
37/tcp  open  time
79/tcp  open  finger
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap
443/tcp open  https
512/tcp open  exec
……
```
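Read as an inventory rather than as a scan, the output above tells a defender which of their own hosts expose cleartext logins (telnet, ftp, exec) and the classic small services (echo, chargen, daytime, discard) that serve no purpose on a modern mail host. The following added example, written for this page and not part of nmap, parses the legacy text format shown on the two slides (`Interesting ports on`, `All N scanned ports ... are closed`, `MAC Address:`) into per-host records and produces an exposure report against a policy set. The `RISKY` set is this example's assumed site policy, not nmap's judgement; the sample input is the slides' own output with the trailing ellipses removed.

```python
"""Added example: turning legacy nmap text output into a per-host exposure report.

Example code for this page, not part of nmap. RISKY is an assumed site policy.
"""
import re
from typing import Dict, List

HOST_RE = re.compile(
    r"^Interesting ports on (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?:$")
CLOSED_RE = re.compile(r"^All \d+ scanned ports on (?P<ip>\d+\.\d+\.\d+\.\d+) are closed$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-F:]{17})(?: \((?P<vendor>[^)]*)\))?$")

# Services this (assumed) policy does not want reachable on a server.
RISKY = {"telnet", "ftp", "exec", "login", "shell", "finger", "echo", "chargen",
         "discard", "daytime", "time", "pop3", "imap", "rpcbind"}


def parse_nmap(text: str) -> Dict[str, dict]:
    """Map IP -> {name, mac, vendor, ports:[(port, proto, service)]} for each host."""
    hosts: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line) or CLOSED_RE.match(line)
        if m:
            current = hosts.setdefault(m["ip"], {
                "name": m.groupdict().get("name"), "mac": None, "vendor": None, "ports": []})
            continue
        if current is None:
            continue
        pm = PORT_RE.match(line)
        if pm:
            if pm["state"] == "open":
                current["ports"].append((int(pm["port"]), pm["proto"], pm["service"]))
            continue
        mm = MAC_RE.match(line)
        if mm:
            current["mac"], current["vendor"] = mm["mac"], mm["vendor"]
    return hosts


def exposure_report(hosts: Dict[str, dict], risky=RISKY) -> Dict[str, List[str]]:
    """Host -> sorted names of open services in the risky set (clean hosts omitted)."""
    report = {}
    for ip, h in hosts.items():
        bad = sorted(svc for _, _, svc in h["ports"] if svc in risky)
        if bad:
            report[ip] = bad
    return report


# Output from the slides (ellipsis lines removed).
NMAP_OUTPUT = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-10-24 19:32
Interesting ports on 137.30.120.1:
Not shown: 1679 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:0D:ED:41:A8:40 (Cisco Systems)
All 1680 scanned ports on 137.30.120.3 are closed
MAC Address: 00:0F:8F:34:7E:C2 (Cisco Systems)
Interesting ports on mailsvcs.cs.uno.edu (137.30.120.32):
Not shown: 1644 closed ports
PORT    STATE SERVICE
7/tcp   open  echo
9/tcp   open  discard
13/tcp  open  daytime
19/tcp  open  chargen
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
37/tcp  open  time
79/tcp  open  finger
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap
443/tcp open  https
512/tcp open  exec
"""

if __name__ == "__main__":
    for ip, services in exposure_report(parse_nmap(NMAP_OUTPUT)).items():
        print(ip, "->", ", ".join(services))
```

Keeping the MAC vendor per host is what lets you tell the Cisco gear (which legitimately answers on telnet in this era's trace) from a server that should not.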
![Page 98: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/98.jpg)
Wireshark (aka Ethereal)
• Screenshot callouts: packet listing; detailed packet data at various protocol levels; raw data
![Page 99: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/99.jpg)
Wireshark: Following a TCP Stream
![Page 100: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/100.jpg)
Wireshark: FTP Control Stream
![Page 101: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/101.jpg)
Wireshark: FTP Data Stream
![Page 102: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/102.jpg)
Wireshark: FTP Data Stream
![Page 103: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/103.jpg)
Wireshark: Extracted FTP Data Stream
![Page 104: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/104.jpg)
Wireshark: HTTP Session
• Save, then trim away HTTP headers to retrieve image (use, e.g., WinHex)
![Page 105: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/105.jpg)
105
HTTP (An application layer protocol)
• Diagram: request from client, response from server, HTML web page
![Page 106: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/106.jpg)
Prevention Techniques
• How to prevent your network from being the source of the attack:
  – Apply filters to each customer network
    • Allow only those packets with source addresses within the customer’s assigned netblocks to enter your network
  – Apply filters to your upstreams
    • Allow only those packets with source addresses within your netblocks to exit your network, to protect others
    • Deny those packets with source addresses within your netblocks from coming into your network, to protect your network
• This removes the possibility of your network being used as an attack source for many attacks which rely on anonymity
![Page 107: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/107.jpg)
Prevention Techniques
• How to prevent being a “bounce site” in a “Smurf” attack:
  – Turn off directed broadcasts to networks:
    • Cisco: Interface command “no ip directed-broadcast”
    • Proteon: IP protocol configuration “disable directed-broadcast”
    • Bay Networks: Set a false static ARP address for bcast address
  – Use access control lists (if necessary) to prevent ICMP echo requests from entering your network
  – Encourage vendors to turn off replies for ICMP echos to broadcast addresses
    • Host Requirements RFC-1122 Section 3.2.2.6 states “An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.”
    • Patches are available for free UNIX-ish operating systems.
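Every rule on the two Prevention slides reduces to one question about an address and a set of prefixes: is this source inside the customer's block, is it inside ours, or is this destination the broadcast address of a subnet other than the one the packet arrived on. The following added example, written for this page, expresses those decisions with Python's `ipaddress` module so the logic can be checked against sample packets before it is committed to a router as ACLs or uRPF. The provider block `203.0.113.0/24`, its customer and LAN sub-assignments, and every sample packet are constructed; this is not configuration from the slides.

```python
"""Added example: the anti-spoofing and directed-broadcast rules as decision functions.

Constructed prefixes and packets; real routers implement these as ACLs or uRPF.
Not code from the slides' source.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


def _inside(addr: str, nets: Iterable[IPNet]) -> bool:
    a = IPAddr(addr)
    return any(a in n for n in nets)


def customer_ingress_permit(src: str, customer_nets: List[IPNet]) -> bool:
    """Packets arriving on a customer link: source must lie in their assigned netblocks."""
    return _inside(src, customer_nets)


def upstream_egress_permit(src: str, our_nets: List[IPNet]) -> bool:
    """Packets leaving towards the upstream: only our own sources may exit."""
    return _inside(src, our_nets)


def upstream_ingress_permit(src: str, our_nets: List[IPNet]) -> bool:
    """Packets arriving from the upstream: our own addresses cannot legitimately
    originate outside, so deny them."""
    return not _inside(src, our_nets)


def is_directed_broadcast(dst: str, interface_net: IPNet, all_nets: List[IPNet]) -> bool:
    """True when dst is the broadcast address of one of our subnets other than
    the receiving interface's own (the case 'no ip directed-broadcast' drops)."""
    d = IPAddr(dst)
    return any(d == n.broadcast_address and n != interface_net for n in all_nets)


OUR_NETS = [IPNet("203.0.113.0/24")]                          # constructed provider block
CUSTOMER_A = [IPNet("203.0.113.0/26")]                        # constructed customer assignment
LAN_NETS = [IPNet("203.0.113.64/26"), IPNet("203.0.113.128/26")]


def evaluate(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Apply the rule that belongs to each packet's arrival point; return decisions."""
    out = []
    for where, src, dst in packets:
        if where == "customer-a":
            ok = customer_ingress_permit(src, CUSTOMER_A)
        elif where == "to-upstream":
            ok = upstream_egress_permit(src, OUR_NETS)
        elif where == "from-upstream":
            ok = upstream_ingress_permit(src, OUR_NETS)
        elif where == "lan-64":                      # interface on 203.0.113.64/26
            ok = not is_directed_broadcast(dst, LAN_NETS[0], LAN_NETS)
        else:
            raise ValueError(f"unknown arrival point {where!r}")
        out.append((where, src, dst, "permit" if ok else "deny"))
    return out


SAMPLE = [  # constructed packets: (arrival point, src, dst)
    ("customer-a",    "203.0.113.10",  "198.51.100.1"),   # legitimate customer source
    ("customer-a",    "192.0.2.77",    "198.51.100.1"),   # spoofed: not in customer block
    ("to-upstream",   "203.0.113.200", "198.51.100.1"),   # ours, may leave
    ("to-upstream",   "10.9.8.7",      "198.51.100.1"),   # not ours, must not leave
    ("from-upstream", "203.0.113.5",   "203.0.113.9"),    # our address arriving from outside
    ("lan-64",        "203.0.113.70",  "203.0.113.191"),  # broadcast of the .128/26 subnet
    ("lan-64",        "203.0.113.70",  "203.0.113.127"),  # own-subnet broadcast, not directed
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print("%-14s %-15s -> %-15s %s" % row)
```

The last two sample packets show the distinction the Cisco command makes: a broadcast to the interface's own subnet is ordinary local traffic, while a broadcast addressed to a different subnet is the amplifier a Smurf bounce relies on.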
![Page 108: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/108.jpg)
Conclusion: Network Analysis
• Potentially a source of valuable evidence beyond that available from “dead” analysis
• By the time an incident occurs, may have lost the chance to capture much of the interesting traffic
• Challenging: huge volumes of data
• Again, only one part of a complete investigative strategy
• This introduction didn’t include stepping stone analysis, many other factors (limited time)
![Page 109: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/109.jpg)
THANK YOU
Network Forensics 109
![Page 110: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/110.jpg)
NeSA – Network Session Analyser
![Page 111: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/111.jpg)
NeSA Architecture (diagram)
• Packet Capture → Pcap format dump
• Packet Analyser: Packet Filter (filter rules), Packet Classifier, Protocol Dissectors, Packet Hex View, Packet Tree View
• Packet Rebuild (rebuild rules) → Session Parser (parse rules: HTTP, SMTP, POP3 and FTP)
• Views: Hex View, Picture View, File View, Mail View, Media Player, Crypto
![Page 112: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/112.jpg)
Packet Capture
• Uses pcap library
• Captures packets in promiscuous mode
• Similar capture features to those of Wireshark
• Stores the captured packets to the user-specified dump file
• Capture filter can be supplied
  – e.g. capture only tcp traffic
![Page 113: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/113.jpg)
Packet Filter
• Based on the filter rule supplied, filters packets as well as the TCP sessions.
• Packet filter language is the same as that of pcap
• TCP session filter language is custom written
  – Filtering based on date/time
  – Protocol based filter
  – MAC, IP and Port based filtering
  – Complex combinations of the above
![Page 114: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/114.jpg)
Protocol Dissector
• Shows each field of a packet in detail
• Dissects very common protocols like IP, TCP, UDP, ARP …
• Useful to get a very detailed view of each packet
• Helpful in detecting malformed packets
![Page 115: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/115.jpg)
Packet Classifier
• At load time itself, classifies the packets into different groups in order to improve the performance of the later analysis process
• The TCP session filter (Rebuild filter) chooses only from this classified group of packets, so it has to process only a very small portion of the entire dump file
![Page 116: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/116.jpg)
Packet Analyser
• Has a packet filtering scheme
• Packets can be exported
• Has an easily extendible packet (protocol) dissector
• Shows the dissected packets in a hex view as well as in a tree control, as in Wireshark
![Page 117: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/117.jpg)
Packet Rebuild
• Rebuilds the TCP session
• Shows the rebuilt session in a hex view with data direction indication
• To identify different types of session, colouring schemes can be given
• Rebuilt sessions are passed to the session parser
![Page 118: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/118.jpg)
Session Parser
• Parses the rebuilt session and tries to extract the available files in it.
• Presently parses HTTP, SMTP, POP3 and FTP.
• The above are the most common application layer protocols
• More parsers can be added
• Parses MIME and extracts files from it
• Shows the extracted files in a thumbnail view, file view and mail view.
• These files can be exported
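Packet Rebuild and Session Parser, as described on the last two slides, are the automated version of the manual step on the Wireshark HTTP slide (save the stream, then trim away the HTTP headers to retrieve the image). The following added example, written for this page and not NeSA's or Wireshark's implementation, shows both stages in miniature: segments of one direction of a TCP stream are put back in sequence order with retransmissions discarded and gaps recorded, then the byte stream is parsed as an HTTP response so that Content-Length, rather than a hex editor, decides where the carved file ends. The segments, ISN and payload are constructed (the "image" is just the PNG signature plus filler bytes).

```python
"""Added example: TCP stream rebuild plus HTTP body carving, in miniature.

Constructed segments and payload; not NeSA's or Wireshark's code.
"""
from typing import Dict, List, Optional, Tuple

Segment = Tuple[int, bytes]   # (absolute sequence number, payload)


def rebuild_stream(segments: List[Segment], isn: int) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Order one direction of a TCP stream by sequence number relative to isn.
    Returns the byte stream and a list of (start, end) gaps that were never captured."""
    chunks = sorted(((seq - isn) & 0xFFFFFFFF, data) for seq, data in segments)
    stream = bytearray()
    gaps = []
    pos = 0
    for off, data in chunks:
        if off + len(data) <= pos:
            continue                          # pure retransmission of data already held
        if off > pos:
            gaps.append((pos, off))           # missing bytes: pad so later offsets stay right
            stream.extend(b"\x00" * (off - pos))
            pos = off
        stream.extend(data[pos - off:])      # drop any overlap with what we already have
        pos = len(stream)
    return bytes(stream), gaps


def parse_http_response(stream: bytes) -> Optional[Dict[str, object]]:
    """Split status line, headers and body; bound the body by Content-Length when present."""
    end = stream.find(b"\r\n\r\n")
    if end < 0 or not stream.startswith(b"HTTP/"):
        return None
    head = stream[:end].decode("latin-1").split("\r\n")
    body = stream[end + 4:]
    headers = {}
    for h in head[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    truncated = False
    length = headers.get("content-length")
    if length is not None:
        n = int(length)
        if len(body) < n:
            truncated = True                  # capture ended before the body did
        body = body[:n]
    return {"status": head[0], "headers": headers, "body": body, "truncated": truncated}


def carve_image(segments: List[Segment], isn: int) -> Optional[bytes]:
    """Rebuild, parse, and return the exact response body, or None if the
    evidence is incomplete (gaps, truncation, or not an HTTP response)."""
    stream, gaps = rebuild_stream(segments, isn)
    resp = parse_http_response(stream)
    if resp is None or gaps or resp["truncated"]:
        return None
    return resp["body"]


PNG_SIG = b"\x89PNG\r\n\x1a\n"
IMAGE = PNG_SIG + bytes(range(40))           # constructed 48-byte "image"
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: image/png\r\n"
            b"Content-Length: 48\r\n\r\n"
            + IMAGE
            + b"HTTP/1.1 404 Not Found\r\n")   # start of the next keep-alive response

ISN = 1000
SEGMENTS: List[Segment] = [                   # constructed: out of order, one retransmit
    (ISN + 50, RESPONSE[50:]),
    (ISN + 0,  RESPONSE[:20]),
    (ISN + 20, RESPONSE[20:50]),
    (ISN + 20, RESPONSE[20:50]),              # retransmission
]

if __name__ == "__main__":
    body = carve_image(SEGMENTS, ISN)
    print("carved", None if body is None else f"{len(body)} bytes, PNG={body.startswith(PNG_SIG)}")
```

Refusing to return a body when any gap or truncation is present is deliberate: a carved file that silently contains padding or the start of the next response is worse evidence than no file.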
![Page 119: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/119.jpg)
Distinctive Features of NeSA
• NeSA is data centric as well as packet centric, whereas most other tools are only packet centric. This makes NeSA a distinct product:
  – Session parser
  – Session filter
  – Session views
![Page 120: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/120.jpg)
120
NeSA (Network Session Analyser)
• A solution developed by CDAC for offline packet analysis
• Features
  – TCP session reconstruction and file recovery
  – Packet filter
  – Powerful session filter
  – Regular expression based search
  – File export, especially mail export
  – Packet dissect view
![Page 121: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/121.jpg)
121
NeSA Architecture (same diagram as on slide 111)
![Page 122: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/122.jpg)
122
Future plan – Moving to online
• Real-time packet analysis
• Decryption support
• Support for more protocols
![Page 123: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/123.jpg)
123
Catching Packets
• Enable promiscuous mode on the Ethernet card from which packets have to be caught
• Otherwise the OS will see only the packets which are destined to that system
• Packet capture tools:
  – tcpdump
  – wireshark
• Sample tcpdump command:
  – tcpdump -s0 -i eth0 -w file/to/store.dump
  – The -s0 option tells it to capture full length packets
  – The -i eth0 option instructs it to capture from the interface eth0
  – The -w option indicates to which file the captured packets have to be stored
![Page 124: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/124.jpg)
124
Catching packets in an Enterprise
• Diagram: hosts N1 to N6 attached to switches, with the switches connected to a Gateway; three possible positions for the capture system are marked:
  – Only traffic of N4
  – Only traffic between N5, N6 and Gateway, no other traffic like “between N1 and N2”
  – Only packets passing through gateway, no local traffic like “between N1 and N2”
• Place capture system accordingly
![Page 125: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/125.jpg)
125
![Page 126: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/126.jpg)
126
![Page 127: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/127.jpg)
127
![Page 128: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/128.jpg)
128
![Page 129: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/129.jpg)
129
Issues and Challenges
• Processing the large data
• Lack of forensics tools
• Lack of proven methods
• Varied attacks
• Encrypted data
• Partial data
• Spoofed packets
• Unknown protocols
![Page 130: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/130.jpg)
130
Thank you
![Page 131: Network forensics1](https://reader035.vdocument.in/reader035/viewer/2022062703/5554c730b4c90503388b523e/html5/thumbnails/131.jpg)
131
Appendix A – ICMP Message types

| Type   | Name                                 |
|--------|--------------------------------------|
| 0      | Echo Reply                           |
| 1      | Unassigned                           |
| 2      | Unassigned                           |
| 3      | Destination Unreachable              |
| 4      | Source Quench                        |
| 5      | Redirect                             |
| 6      | Alternate Host Address               |
| 7      | Unassigned                           |
| 8      | Echo                                 |
| 9      | Router Advertisement                 |
| 10     | Router Solicitation                  |
| 11     | Time Exceeded                        |
| 12     | Parameter Problem                    |
| 13     | Timestamp                            |
| 14     | Timestamp Reply                      |
| 15     | Information Request                  |
| 16     | Information Reply                    |
| 17     | Address Mask Request                 |
| 18     | Address Mask Reply                   |
| 19     | Reserved (for Security)              |
| 20-29  | Reserved (for Robustness Experiment) |
| 30     | Traceroute                           |
| 31     | Datagram Conversion Error            |
| 32     | Mobile Host Redirect                 |
| 33     | IPv6 Where-Are-You                   |
| 34     | IPv6 I-Am-Here                       |
| 35     | Mobile Registration Request          |
| 36     | Mobile Registration Reply            |
| 37     | Domain Name Request                  |
| 38     | Domain Name Reply                    |
| 39     | SKIP                                 |
| 40     | Photuris                             |
| 41-255 | Reserved                             |