FTP Research: Covert investigation of ftp servers and other file to file platforms

Upload: charleen-armstrong

Post on 03-Jan-2016

Page 1: FTP Research: Covert investigation of ftp servers and other file to file platforms

Page 2: The Projection

Having had some time to conduct tests and research in this area, it became clear that there are three main segments to the project. However, these segments also hold sub-segments.

ftp covert investigation:
- Detection
- Surveillance
- Incursion

Page 3: Detection

- Port scanner
- Service detection
- Server profiling (this is currently one of the main areas of the research)
- Service authentication: the use of the packet headers to detect the true service type
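Added example (not code from the original presentation): a small Python classifier that identifies a listener from its greeting rather than from its port number, which is what the "true service type" item above is about. The sample banners, the port-to-service expectation table and the software-string extraction are constructed for this example; the classifier itself only relies on the RFC 959 220 greeting, the HTTP status line and the SSH identification string.

```python
import re

# Constructed sample greetings (not captured from any real host): the first
# bytes a listener sends after the TCP handshake. The dictionary key is the
# port the listener was found on; the classifier never looks at it.
SAMPLE_BANNERS = {
    2121: b"220 (vsFTPd 3.0.3)\r\n",                                   # FTP on a high port
    21: b"HTTP/1.1 400 Bad Request\r\nServer: nginx/1.18.0\r\n\r\n",   # HTTP on the FTP port
    22: b"SSH-2.0-OpenSSH_8.9p1\r\n",
    8080: b"\x00\x01\x02not-a-text-protocol",
}

# What a naive port-based scanner would report for each port (assumed table).
EXPECTED_BY_PORT = {21: "ftp", 22: "ssh", 80: "http", 8080: "http"}

# RFC 959: the server greeting is reply code 220, either "220 text" or the
# first line of a multi-line reply "220-text". Anything else is not FTP.
FTP_GREETING = re.compile(rb"^220[ -](?P<text>[^\r\n]*)")
HTTP_STATUS = re.compile(rb"^HTTP/1\.[01] (?P<status>\d{3})")
HTTP_SERVER = re.compile(rb"\r\nServer: (?P<sw>[^\r\n]+)")
SSH_IDENT = re.compile(rb"^SSH-(?P<proto>\d\.\d)-(?P<sw>[^\r\n ]+)")


def identify_service(banner: bytes) -> dict:
    """Classify a listener from its greeting alone and pull out the software string."""
    m = FTP_GREETING.match(banner)
    if m:
        text = m["text"].decode("ascii", "replace").strip()
        return {"service": "ftp", "software": text.strip("()")}
    m = HTTP_STATUS.match(banner)
    if m:
        srv = HTTP_SERVER.search(banner)
        return {"service": "http",
                "software": srv["sw"].decode("ascii", "replace") if srv else ""}
    m = SSH_IDENT.match(banner)
    if m:
        return {"service": "ssh", "software": m["sw"].decode("ascii", "replace")}
    return {"service": "unknown", "software": ""}


def find_masquerades(banners: dict) -> list:
    """Return (port, expected, observed) for every listener whose greeting
    disagrees with what the port number alone would suggest."""
    mismatches = []
    for port, banner in sorted(banners.items()):
        expected = EXPECTED_BY_PORT.get(port, "unknown")
        observed = identify_service(banner)["service"]
        if expected != observed:
            mismatches.append((port, expected, observed))
    return mismatches


if __name__ == "__main__":
    for port, expected, observed in find_masquerades(SAMPLE_BANNERS):
        print(f"port {port}: port suggests {expected}, greeting says {observed}")
```

Run against the constructed banners it reports the FTP daemon on 2121, the web server answering on 21 and the binary protocol on 8080, while 22 passes silently because port and greeting agree. The profiling plug-in the author mentions later would start from the `software` field this returns.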

Page 4: Surveillance

- Traffic monitoring remotely: a type of IDS signature detection of a remote source [1]
- Pattern detection of previously illicitly installed FTP servers
- Open proxy gateway traffic logs (hosted by the system)
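Added example (not part of the original slides): a signature matcher of the kind the surveillance segment describes, run over a constructed FTP control-channel log as a proxy gateway might record it. The log format, the endpoint addresses and the two signatures (an anonymous login followed by a completed upload, the usual mark of an illicitly installed drop site, and repeated login failures in one session) are assumptions made for this example; passwords are shown redacted, as a gateway log should store them.

```python
import re
from collections import defaultdict

# Constructed proxy-gateway log (not from any real capture). One control-channel
# line per entry: "C:" is a client command, "S:" a server reply. Passwords are
# redacted at the gateway, so the matcher never sees or needs them.
SESSION_LOG = """\
2016-01-03T10:00:01 10.0.0.5:51022 -> 203.0.113.7:2121 C: USER anonymous
2016-01-03T10:00:01 10.0.0.5:51022 -> 203.0.113.7:2121 S: 331 Please specify the password.
2016-01-03T10:00:02 10.0.0.5:51022 -> 203.0.113.7:2121 C: PASS ********
2016-01-03T10:00:02 10.0.0.5:51022 -> 203.0.113.7:2121 S: 230 Login successful.
2016-01-03T10:00:05 10.0.0.5:51022 -> 203.0.113.7:2121 C: STOR archive.rar
2016-01-03T10:00:05 10.0.0.5:51022 -> 203.0.113.7:2121 S: 150 Ok to send data.
2016-01-03T10:00:41 10.0.0.5:51022 -> 203.0.113.7:2121 S: 226 Transfer complete.
2016-01-03T10:02:10 198.51.100.9:40001 -> 203.0.113.7:21 C: USER admin
2016-01-03T10:02:10 198.51.100.9:40001 -> 203.0.113.7:21 C: PASS ********
2016-01-03T10:02:10 198.51.100.9:40001 -> 203.0.113.7:21 S: 530 Login incorrect.
2016-01-03T10:02:11 198.51.100.9:40001 -> 203.0.113.7:21 C: USER admin
2016-01-03T10:02:11 198.51.100.9:40001 -> 203.0.113.7:21 C: PASS ********
2016-01-03T10:02:11 198.51.100.9:40001 -> 203.0.113.7:21 S: 530 Login incorrect.
2016-01-03T10:02:12 198.51.100.9:40001 -> 203.0.113.7:21 C: USER admin
2016-01-03T10:02:12 198.51.100.9:40001 -> 203.0.113.7:21 C: PASS ********
2016-01-03T10:02:12 198.51.100.9:40001 -> 203.0.113.7:21 S: 530 Login incorrect.
2016-01-03T10:03:00 10.0.0.8:50100 -> 203.0.113.7:21 C: USER alice
2016-01-03T10:03:00 10.0.0.8:50100 -> 203.0.113.7:21 S: 331 Please specify the password.
2016-01-03T10:03:01 10.0.0.8:50100 -> 203.0.113.7:21 C: PASS ********
2016-01-03T10:03:01 10.0.0.8:50100 -> 203.0.113.7:21 S: 230 Login successful.
2016-01-03T10:03:04 10.0.0.8:50100 -> 203.0.113.7:21 C: RETR report.pdf
2016-01-03T10:03:04 10.0.0.8:50100 -> 203.0.113.7:21 S: 226 Transfer complete.
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<dir>[CS]): (?P<text>.*)$")

ANONYMOUS_USERS = {"anonymous", "ftp"}


def parse_sessions(log_text: str) -> dict:
    """Group control-channel lines by (client, server) endpoint pair, in order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines that do not parse are skipped rather than guessed at
            sessions[(m["src"], m["dst"])].append((m["dir"], m["text"]))
    return sessions


def sig_anonymous_upload(events) -> bool:
    """Anonymous login followed by a STOR that the server completes (226):
    the server accepts uploads from anyone."""
    anonymous = False
    storing = False
    for direction, text in events:
        if direction == "C":
            cmd, _, arg = text.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                anonymous = arg.strip().lower() in ANONYMOUS_USERS
            elif cmd == "STOR":
                storing = anonymous
        elif storing:
            if text.startswith("226"):
                return True
            if text[:1] in ("4", "5"):  # transfer refused or failed
                storing = False
    return False


def sig_login_bruteforce(events, threshold: int = 3) -> bool:
    """At least `threshold` 530 replies within a single control session."""
    failures = sum(1 for d, text in events if d == "S" and text.startswith("530"))
    return failures >= threshold


SIGNATURES = {
    "anonymous-upload": sig_anonymous_upload,
    "login-bruteforce": sig_login_bruteforce,
}


def match_signatures(log_text: str) -> list:
    """Run every signature over every session; return sorted (src, dst, signature)."""
    alerts = []
    for (src, dst), events in parse_sessions(log_text).items():
        for name, check in SIGNATURES.items():
            if check(events):
                alerts.append((src, dst, name))
    return sorted(alerts)


if __name__ == "__main__":
    for src, dst, name in match_signatures(SESSION_LOG):
        print(f"{name}: {src} -> {dst}")
```

The session-level state machine matters more than the individual patterns: a lone STOR or a lone 530 is normal traffic, and it is the sequence within one control connection that marks a server worth the profiling step on the next page. The third session (alice downloading a file) produces no alert, which is the check that the signatures are not simply firing on every FTP session.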

Page 5: Proxy gateway

- The system uses a set of proxies to distribute the port scanning
- These could be configured to act as transporting FTP proxy gateways
- This would allow passwords and user names to be gathered, along with other such data like FTP IP addresses and any other information that the system might need

Page 6: Incursion

After the target system has been identified as a positive, the next step is incursion into the server or servers for further evidence gathering.

This should attempt to leave as little footprint as possible, in order not to change anything on the target system.

Page 7: Incursion Events

- Entry: do this and stay looking like a standard user
- Mapping: fully map the file structure
- Evidence gathering: gather as much information about the content while still looking like a standard user and not altering the evidence or influencing it

Page 8: Typical system layout

1. The CS (control system) starts the port scan and services detection; this is done via the proxy network
2. The CS uses the information gathered to profile the system; this profile can be used to select whether the target needs further investigation
3. The CS then sets up part of the proxy network to monitor traffic, if this traffic is determined as a positive (using the signature matching)
4. The remaining part of the proxy network would go to work on the intrusion

[Diagram: Control system -> proxies -> WEB -> Target system]

Page 9: So where am I

At current I am somewhere between the first two sections (detection and surveillance).

I currently have a port scanner that identifies ports and the services running (need to finish looking at making a profiling plug-in).

My research at the moment is looking at remote traffic monitoring on a different network to the program. I'm looking at a few things to help with this; they are IDS and hacking methodologies. I will also be approaching Brian and Graham to see what work they have done in this area. I have been looking at the work done by others in this area such as:
- K Thompson, GJ Miller, R Wilder [2]
- M Polychronakis, EP Markatos, KG Anagnostakis [3]
- B Pande [4]

Looking at proxy gateways as a way to monitor traffic and detect possible targets for investigation.

Looking for an external for my transfer to PhD from MPhil. Writing up my transfer paper. Writing papers.

Page 10: Papers and Posters

- Ecce paper: Transferring crime fighting methods to the internet
- Static remote server profiling (outline done)
- What is wire tapping and what is not, when it comes to internet investigation?
- Remote traffic analysis for internet forensics: is it possible?
- Who is learning from whom? What can we learn from the internet criminal networks such as hackers and virus programmers.

Page 11: References

1. JE Dickerson, JA Dickerson - Fuzzy Information Processing Society, 2000. NAFIPS. 19th, 2000 - ieeexplore.ieee.org
2. K Thompson, GJ Miller, R Wilder - IEEE Network Magazine, 1997 - netlab.cs.tsinghua.edu.cn
3. M Polychronakis, EP Markatos, KG Anagnostakis - Network Operations and Management Symposium, 2004. NOMS 2004, 2004 - ieeexplore.ieee.org
4. B Pande - 2002 - cse.iitk.ac.in