1
Network Forensics
Richard Baskerville
Georgia State University
2
Agenda
- Principles of Network Forensics
- Terms & Log-based Tracing
- Application Layer Log Analysis
- Lower Layer Log Analysis
3
Network Forensics Principles
4
Network Forensics
The action of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems.
Kim, et al. (2004) “A fuzzy expert system for network forensics”, ICCSA 2004, Berlin: Springer-Verlag, p. 176
5
Network Attacks
- Protocol
  - E.g., SQL-Injection
- Malware
  - E.g., Virus, Trojan, Worm
- Fraud
  - E.g., Phishing, Pharming, etc.
6
Attack Residue
- Successful
  - Obfuscation of residue
- Unsuccessful
  - Residue is intact
7
Network Traffic Capture
Logging Issues Driving Automated Support
- Managing data volume
- Managing logging performance
- Ensuring logs are useful to reconstruct the attack
- Correlation of data in logs
  - Importance of timestamping
8
Honeytraps
Systems Designed to be Compromised and Collect Attack Data
From Yasinac, A. and Manzano, Y. (2002) “Honeytraps, A Network Forensic Tool”, Florida State University.
9
Network Traffic Analysis
Usually Requires Software Tools
- Sessionizing
- Protocol parsing and analysis
- Decryption
- Security of analysis and data
  - Avoiding detection and analysis-data compromise
10
Traceback Evidence Processing
- Minimizing distance to source
- Traversing firewalls, proxies and address translation
- Multiple corroborating collectors
- Time and location stamping
11
Terms and Log-based Tracing
12
Two Important Terms
- Promiscuous Mode
  - An Ethernet Network Interface Card (NIC) in promiscuous mode is a configuration that will pass all traffic received by the card to the operating system, rather than just packets addressed to it. This feature is normally used for packet sniffing.
- IP Spoofing
  - Forging the source address in the header of an IP packet so that it contains a different address, making it appear that the packet was sent by a different machine. Responses to spoofed packets will go to the forged source address. Mainly used for Denial of Service, where the attacker does not care about the response, or for defeating IP-based authentication. It is sometimes possible for an attacker to recover responses, when the spoofed address is on a LAN or WAN controlled by the attacker.
13
Rootkit
- Blackhat software that gains control over a computer or network. "Root" refers to the administrative (superuser) computer account. "Kit" refers to mechanisms that initiate entry into the target computer and modify it for later, more simplified means of access (a backdoor).
- Rootkits will usually erase the system event logging capacity in an attempt to hide attack evidence, and may disclose sensitive data. A well designed rootkit will replace parts of the operating system with rootkit processes and files, and obscure itself from security scanning.
14
Honeypot Data
- A network host computer serving only the purpose of attracting network-based attacks. Because a honeypot is intended to host no legitimate activity, any activity detected on this host is assumed to be intrusion activity.
- Data on honeypot activity is carefully captured to avoid detection and corruption. It is used to study ongoing network-based attacks for the purpose of developing defenses and remedies for potential or experienced compromises.
15
Log-based Tracing
[Figure: client and server protocol stacks, layered as Application (HTTP), Transport (TCP), Internet (IP) and Network (X.25). Each layer wraps the data in its own protocol header: Data; Data + TL Pr; Data + TL/IL Pr; Data + TL/IL/NA Pr. The evidence sources along the path between client and server are sniffers, the server log, the proxy or firewall log and the router log, all feeding forensics analysis.]
16
Logging Options
- Issues of efficiency in logfile space and processing time
- Sometimes options, e.g.,
  - Off
  - Succinct
  - Verbose
17
Application Layer Log Analysis
18
Web Server Logs
Example of Application Layer Logging
- Access Log File
  - Access log file contains a log of all the requests.
- Proxy Access Log File
  - (If directed) a separate log of proxy transactions (otherwise logged to Access Log)
- Cache Access Log
  - (If directed) a separate log of cache accesses (otherwise logged to Access Log)
- Error Log File
  - Log of errors
19
The Common Logfile Format
World Wide Web Consortium (W3C)
- Format: remotehost rfc931 authuser [date] "request" status bytes
  - remotehost – Remote hostname (or IP number if DNS hostname is not available, or if DNSLookup is Off).
  - rfc931 – The remote logname of the user.
  - authuser – The username as which the user has authenticated himself.
  - [date] – Date and time of the request.
  - "request" – The request line exactly as it came from the client.
  - status – The HTTP status code returned to the client.
  - bytes – The content-length of the document transferred.
20
Web Server Logfile Example
209.240.221.71 - - [03/Jan/2001:15:20:06 -0800] "GET /Inauguration.htm HTTP/1.0" 200 8788 "http://www.democrats.com/" "Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)"
Thamason, L. (2001) “Analyzing Web Site Traffic”, NetMechanic (4)11. http://www.netmechanic.com/news/vol4/promo_no11.htm
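As an added example (not from the slides or the cited sources), the following Python parser reads the Common Logfile Format described above, together with the two trailing fields (referer and user-agent) that the example line carries, and tolerates the extra numeric field some servers insert between bytes and referer (the live examples later in the deck show such a field). The sample lines are constructed for this example, modelled on the deck's entries; the hosts 10.0.0.5 and 10.0.0.9 are invented. The summary function shows the first step an analyst takes before any "who is" tracing: which remote hosts repeatedly hit the same resource and were refused.

```python
import re
from collections import Counter
from datetime import datetime

# Common Logfile Format: remotehost rfc931 authuser [date] "request" status bytes
# followed optionally by a server-specific numeric field (e.g. time taken) and by
# the combined-format "referer" "user-agent" pair.
LOG_RE = re.compile(
    r'^(?P<remotehost>\S+) (?P<rfc931>\S+) (?P<authuser>\S+) '
    r'\[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>-|\d+)'
    r'(?: (?P<extra>\d+))?'
    r'(?: "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)")?\s*$'
)

# Constructed sample log (assumption: not real server data); one malformed line
# is included so the parser's rejection path is exercised.
SAMPLE_LOG = """\
209.240.221.71 - - [03/Jan/2001:15:20:06 -0800] "GET /Inauguration.htm HTTP/1.0" 200 8788 "http://www.democrats.com/" "Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)"
10.0.0.5 - - [27/Mar/2010:22:27:03 -0400] "GET /cis8080/readings/SEC_YOU.pdf HTTP/1.0" 401 0 "-" "example-crawler/1.0"
10.0.0.9 - infosecstudent [25/Mar/2010:13:34:38 -0400] "GET /cis8080/readings/StratISRM_Final_Typescript.pdf HTTP/1.1" 200 60818 125 "http://cis.gsu.edu/~rbaskerv/cis8080/readings.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - - [27/Mar/2010:22:27:04 -0400] "GET /cis8080/readings/SEC_YOU.pdf HTTP/1.0" 401 0 "-" "example-crawler/1.0"
this line is not a log entry
"""


def parse_line(line):
    """Parse one CLF/combined line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # CLF dates look like 03/Jan/2001:15:20:06 -0800 (numeric UTC offset)
    rec["timestamp"] = datetime.strptime(rec["date"], "%d/%b/%Y:%H:%M:%S %z")
    # Split the request line into method, path and protocol version
    method, _, rest = rec["request"].partition(" ")
    path, _, version = rest.rpartition(" ")
    rec["method"], rec["path"], rec["version"] = method, path, version
    return rec


def parse_log(text):
    """Parse every non-empty line; return (records, unparsed_lines)."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)   # keep rejects: they are evidence of tampering or odd clients
        else:
            records.append(rec)
    return records, unparsed


def summarize(records):
    """Status-code counts, bytes actually delivered (status 200), and remote hosts
    that were refused (4xx) more than once for the same path."""
    by_status = Counter(r["status"] for r in records)
    bytes_delivered = sum(r["bytes"] for r in records if r["status"] == 200)
    failures = Counter((r["remotehost"], r["path"])
                       for r in records if 400 <= r["status"] < 500)
    repeated_failures = {k: n for k, n in failures.items() if n >= 2}
    return {"by_status": dict(by_status),
            "bytes_delivered": bytes_delivered,
            "repeated_failures": repeated_failures}


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print("unparsed:", bad)
```

The unparsed lines are returned rather than silently dropped: a line that does not fit the format is itself a finding when the log is being used as evidence.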
21
IIS Logging Options
22
Web Server Access Log
23
Web Server Log Analysis Tools: Page Delivery
Usually Intended for Management
24
Web Server Log Analysis Tools: File Delivery
25
Web Server Log Analysis Tools: Users
26
Web Server Logfile Live Example #1
131.96.102.37 - - [27/Mar/2010:22:27:03 -0400] "GET /cis8080/readings/SEC_YOU.pdf HTTP/1.0" 401 0 0 "-" "eliza-google-crawler (Enterprise; S5-JDM5GCVTD6NJB; [email protected],[email protected])"
Unauthorized
Nothing delivered
27
Simple “Who Is” Tracing
Subject to Spoofing
28
Web Server Logfile Live Example #2
208.61.220.34 - infosecstudent [25/Mar/2010:13:34:38 -0400] "GET /cis8080/readings/StratISRM_Final_Typescript.pdf HTTP/1.1" 200 60818 125 "http://cis.gsu.edu/~rbaskerv/cis8080/readings.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
Request fulfilled
60KB delivered
29
Simple “Who is” Tracing
Help for Tracing Abuse
30
Lower Layer Log Analysis
31
Transport, Internet, Network Access Logging
[Figure: the lower layers of the server-side protocol stack, Transport (TCP), Internet (IP) and Network (X.25), with their encapsulated data (Data + TL Pr; Data + TL/IL Pr), and the evidence sources at those layers: sniffers, the server log, the proxy or firewall log and the router log.]
32
Reconstructing Data Flows
- Logs record packet headers, not sessions or flows
- Logs usually ignore packet contents for efficiency
- Flow can be logically reconstructed from
  - IP addresses
  - Port numbers
  - Implied protocols
  - Sequencing
Reconstructing TCP flows from raw IP network traffic. From E. Casey (2004) “Network Traffic as a source of evidence”, Digital Investigation 1 (1) 28-43.
33
TCP Connection Graph
Network Analysis Tools
Port 139: This is the single most dangerous port on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port. This is the first port hackers want to connect to, and the port that firewalls block.
Example from Raynal, et al. (2004) “Honeypot Forensics”, IEEE Security & Privacy 72-77.
34
Incoming TCP Connection Graph
Inbound port 139 connections suggest the firewall and the host are controlled by intruders.
Example from Raynal, et al. (2004) “Honeypot Forensics”, IEEE Security & Privacy 72-77.
35
Outgoing TCP Connection Graph
These outgoing port 139 connections suggest this machine has been compromised by intruders.
Example from Raynal, et al. (2004) “Honeypot Forensics”, IEEE Security & Privacy 72-77.
36
Detecting the Moment of Compromise
Port 42895 is not “listening”; attempts to connect are “reset” (RST).
Port 42895 starts “listening”; attempts to connect “finish” (FIN), so some software has started monitoring this port at 5:50:37.
Example from Raynal, et al. (2004) “Honeypot Forensics”, IEEE Security & Privacy 72-77.
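As an added example (not code from the slides or from Raynal et al.), the Python below carries out the two lower-layer techniques the deck describes: reconstructing TCP flows from a header-only log (addresses, ports, flags, sequencing) and then, from the per-port connection graph of a monitored host, locating the moment a port stopped refusing connections with RST and began completing them. The header log is constructed for this example; HOST, the peer addresses and the ports other than 42895 and 139 are invented, and the timestamps follow the slide's story so that the first accepted connection on 42895 lands at 05:50:37.

```python
from collections import defaultdict

# Constructed packet-header log (assumption: not real capture data). Each record is
# (timestamp, src, sport, dst, dport, tcp_flags) in tcpdump flag notation:
# "S" SYN, "S." SYN-ACK, "." ACK, "F." FIN-ACK, "R." RST-ACK. Contents are not logged.
HOST = "10.1.1.20"   # the monitored honeypot (invented address)
HEADER_LOG = [
    ("05:40:12", "10.2.2.7", 40101, HOST, 42895, "S"),    # attempt 1: port closed
    ("05:40:12", HOST, 42895, "10.2.2.7", 40101, "R."),
    ("05:45:30", "10.2.2.7", 40102, HOST, 42895, "S"),    # attempt 2: still closed
    ("05:45:30", HOST, 42895, "10.2.2.7", 40102, "R."),
    ("05:50:37", "10.2.2.7", 40103, HOST, 42895, "S"),    # attempt 3: now accepted
    ("05:50:37", HOST, 42895, "10.2.2.7", 40103, "S."),
    ("05:50:37", "10.2.2.7", 40103, HOST, 42895, "."),
    ("05:50:39", "10.2.2.7", 40103, HOST, 42895, "F."),   # orderly close
    ("05:50:39", HOST, 42895, "10.2.2.7", 40103, "F."),
    ("05:52:01", HOST, 51000, "10.3.3.3", 139, "S"),      # host now reaches out on 139
    ("05:52:01", "10.3.3.3", 139, HOST, 51000, "S."),
]


def reconstruct_flows(packets):
    """Group header records into TCP flows keyed by (client, cport, server, sport).
    A flow is opened by a bare SYN; later packets in either direction attach to it.
    State is derived from the flag sequence alone: refused / established / closing / closed."""
    flows = {}
    for ts, src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in flows:
            flow, direction = flows[fwd], "c2s"
        elif rev in flows:
            flow, direction = flows[rev], "s2c"
        elif flags == "S":
            flow = flows[fwd] = {"start": ts, "packets": [], "state": "syn-sent"}
            direction = "c2s"
        else:
            continue   # no visible handshake for this packet: cannot place it in a flow
        flow["packets"].append((ts, direction, flags))
        if direction == "s2c" and "R" in flags:
            flow["state"] = "refused"
        elif direction == "s2c" and flags == "S.":
            flow["state"] = "established"
        elif "F" in flags and flow["state"] == "established":
            flow["state"] = "closing"          # first FIN seen
        elif "F" in flags and flow["state"] == "closing":
            flow["state"] = "closed"           # second FIN: both sides finished
    return flows


def connection_graph(flows, host):
    """Per-port connection graph for one host: inbound flows (host is the server)
    and outbound flows (host is the client), each as (start, peer, state)."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for (client, cport, server, sport), flow in flows.items():
        if server == host:
            inbound[sport].append((flow["start"], client, flow["state"]))
        elif client == host:
            outbound[sport].append((flow["start"], server, flow["state"]))
    return dict(inbound), dict(outbound)


def first_accept_after_refusal(inbound, port):
    """Timestamp at which a port that had been refusing connections (RST) first
    completed one, i.e. when something started listening; None if that never happens."""
    seen_refusal = False
    for ts, _, state in sorted(inbound.get(port, [])):
        if state == "refused":
            seen_refusal = True
        elif seen_refusal and state in ("established", "closing", "closed"):
            return ts
    return None


if __name__ == "__main__":
    flows = reconstruct_flows(HEADER_LOG)
    inbound, outbound = connection_graph(flows, HOST)
    print("inbound ports:", sorted(inbound), "outbound ports:", sorted(outbound))
    print("port 42895 started listening at", first_accept_after_refusal(inbound, 42895))
```

The state machine is deliberately minimal: it trusts the flag sequence and the order of the log, which is exactly why the deck stresses timestamping and corroborating collectors. A single sniffer that missed the SYN-ACK would leave the third attempt in "syn-sent" and the listening transition undetected.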
37
tcpdump
Free packet analyzer that allows a computer to intercept and display packets transmitted and received over its attached network. Runs on Unix-like operating systems and there is a port to Windows (WinDump). Uses the packet capture engines libpcap (or WinPcap). The tcpdump file format is now a standard.
38
Snort
Free open source network intrusion prevention and detection system that logs packets and analyzes traffic on IP networks. It performs protocol analysis and content searching/matching, and actively blocks or passively detects many attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts.
39
NetDetector
Continuous capture and warehousing of network packets and statistics. Alerts on signatures, traffic patterns, and statistical anomalies. Reconstructs web, email, instant messaging, FTP, Telnet, etc.
40
NetIntercept
Captures and stores LAN traffic in raw dump files using a promiscuous Ethernet card and a modified UNIX kernel. Can write directly to removable media or transfer over the network to other machines for archiving. Stream reconstruction on demand: assembles a user-defined range of packets into network connection data streams. The analysis subsystem is graphical, constructing a tree stored in an SQL database.
41