network forensics: when conventional forensic analysis is not enough
Network Forensics: When conventional forensic analysis is not enough
Manuel Humberto Santander Peláez
GIAC GCFA Gold, GNET Silver, GCIA Gold
Network Security Perimeter
• Firewalls
• NIDS/NIPS
• VPN Concentrator
• NAC (Switches)
• Antivirus
• Antispyware
• Content Filtering
Network Security Perimeter
(Diagram of the perimeter components: Firewall, Switch (NAC), VPN Concentrator, NIDS, Security Event Correlator)
Network Forensics
• Capture, recording and analysis of network events
• Needed to discover the source and type of network attacks
• Large volume of logs and traffic to work through
• Network security perimeter devices provide a great deal of useful information
Network Forensics
• Network traffic gives evidence of attacks such as:
– Exploit attacks
– Virus breach attempts
– MITM
• Most valuable when it can be correlated with host compromises.
• Can supply the missing information about an attack on a computer (the “missing piece of the puzzle”)
Billing Information Change using a network attack
• Colombia Utility Company is the biggest utility company in all of Colombia
• Mass change of the billed amount on 10,000 installations, about 40% less on each invoice
• Once an invoice has been delivered, it cannot be changed (Law 142 of 1994, Colombian Congress)
• Where was the breach? How can this be prevented?
Billing Information Change using a network attack
• Billing is a daily batch process
• 98% of the invoices were altered
• Billing calculations are done by stored procedures in the database
• The first evidence gathered was a report of the users who executed the offending transactions in the application (25 August 2007)
Billing Information Change using a network attack
(Slide screenshot; no transcribed text)
Billing Information Change using a network attack
(Slide screenshot) The same result was obtained on every computer analyzed from the table of users.
Billing Information Change using a network attack
• IDS alerts showed the ARP address of the main router changing several times; no firewall or NAC alert
• Found 4970 alerts for 25 August 2007
• Investigation showed a local desktop machine claiming to be the router for the whole network segment
• Every billing department user in that segment logged on to the application through it
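The detection the slide describes, as an added example (not the author's tooling): an arpwatch-style check over ARP replies that alerts each time the MAC claiming the gateway address changes, then reports which MAC is rogue and which other IP it has been seen with. The gateway address, the MACs and the sensor records are constructed for illustration; a firewall or NAC never sees this traffic because it stays inside the segment, which is why only the IDS alerted.

```python
"""Detect gateway impersonation (ARP spoofing) from ARP reply records.

Added example, not the presentation author's code. Input is a constructed
list of ARP replies in the form an arpwatch-style sensor would record:
"<ISO timestamp> <sender IP> is-at <sender MAC>". The gateway IP, the MACs
and the timestamps are invented for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

GATEWAY_IP = "10.1.20.1"           # assumed address of the main router
GATEWAY_MAC = "00:1b:54:aa:bb:cc"  # assumed legitimate router MAC (from the switch/CMDB)

# Constructed sensor records: the real router answers, a desktop (00:0c:29:...)
# starts claiming the router's IP, the router re-asserts itself, the desktop
# claims it again, and later the desktop answers for its own address.
SAMPLE_LOG = """\
2007-08-25T08:00:01 10.1.20.1 is-at 00:1b:54:aa:bb:cc
2007-08-25T08:14:37 10.1.20.1 is-at 00:0c:29:de:ad:01
2007-08-25T08:14:38 10.1.20.1 is-at 00:0c:29:de:ad:01
2007-08-25T08:14:40 10.1.20.1 is-at 00:1b:54:aa:bb:cc
2007-08-25T08:14:41 10.1.20.1 is-at 00:0c:29:de:ad:01
2007-08-25T08:20:00 10.1.20.57 is-at 00:0c:29:de:ad:01
"""


@dataclass(frozen=True)
class ArpReply:
    ts: str
    ip: str
    mac: str


@dataclass(frozen=True)
class Alert:
    ts: str
    ip: str
    old_mac: str
    new_mac: str


def parse_arp_log(text: str) -> list[ArpReply]:
    """Parse sensor lines; malformed lines are skipped rather than crashing the run."""
    replies = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "is-at":
            continue
        replies.append(ArpReply(parts[0], parts[1], parts[3].lower()))
    return replies


def detect_flips(replies: list[ArpReply], watched_ip: str = GATEWAY_IP,
                 known_mac: str = GATEWAY_MAC) -> list[Alert]:
    """Alert every time the MAC claiming watched_ip differs from the one last seen.

    Seeding the state with the known-good MAC means the very first rogue claim
    is caught; the flip back to the real router is reported too, which gives the
    "changed several times" pattern the IDS showed.
    """
    last = known_mac
    alerts = []
    for r in replies:
        if r.ip != watched_ip:
            continue
        if r.mac != last:
            alerts.append(Alert(r.ts, r.ip, last, r.mac))
            last = r.mac
    return alerts


def rogue_macs(alerts: list[Alert], known_mac: str = GATEWAY_MAC) -> list[tuple[str, int]]:
    """MACs that claimed the gateway and are not the legitimate one, most frequent first."""
    counts = Counter(a.new_mac for a in alerts if a.new_mac != known_mac)
    return counts.most_common()


def hosts_using_mac(replies: list[ArpReply], mac: str) -> list[str]:
    """Other IPs seen with the rogue MAC: this points at the desktop behind it."""
    return sorted({r.ip for r in replies if r.mac == mac and r.ip != GATEWAY_IP})


if __name__ == "__main__":
    replies = parse_arp_log(SAMPLE_LOG)
    alerts = detect_flips(replies)
    for a in alerts:
        print(f"{a.ts} ARP change for {a.ip}: {a.old_mac} -> {a.new_mac}")
    for mac, n in rogue_macs(alerts):
        print(f"rogue MAC {mac} claimed the gateway {n} time(s); "
              f"also seen as {hosts_using_mac(replies, mac)}")
```

On a real segment the same logic is run over ARP replies captured with a span port or an arpwatch sensor; the alert count alone is not proof, so the rogue MAC is then tied to a desktop through the switch's MAC table or, as here, through its own ARP replies.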
Billing Information Change using a network attack
(Slide screenshot; no transcribed text)
Billing Information Change using a network attack
The Oexplore access time matches the first access to the database. Passwords were found cracked by Cain (Cain & Abel) on the desktop.
Billing Information Change using a network attack
(Two slide screenshots; no transcribed text)
Lessons Learned
• Network forensics completes host forensic evidence when the evidence found on the computers themselves does not give enough clues.
• Network forensic evidence must be correlated with the evidence found on the hosts to be valuable.
• Security perimeter devices give valuable information if they are well configured.
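The correlation these lessons and slide 12 rely on (IDS alert times against the application's file access time and the first database logon), as an added example that is not the author's code. The event sources, record formats, users, IPs and timestamps are constructed for illustration; the IDS is assumed to log in UTC and the workstations and database in Colombian local time (UTC-5), because mixing those without conversion is the usual way such a correlation goes wrong.

```python
"""Put network and host evidence on one timeline and correlate them.

Added example, not the presentation author's code. Every record below is
constructed: the IDS is assumed to log in UTC, the workstation MAC times and
the database audit in local time (UTC-5, America/Bogota, no DST).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
LOCAL = timezone(timedelta(hours=-5))  # assumed site time zone

# Constructed IDS alerts (UTC): the desktop 10.1.20.57 claims the gateway.
IDS_LINES = [
    "2007-08-25 13:14:37 ARP_SPOOF 10.1.20.57 claims gateway 10.1.20.1",
    "2007-08-25 13:14:41 ARP_SPOOF 10.1.20.57 claims gateway 10.1.20.1",
    "2007-08-25 15:02:10 ARP_SPOOF 10.1.20.57 claims gateway 10.1.20.1",
]
# Constructed MAC-time listing (local time): host|timestamp|M/A/C|path.
HOST_LINES = [
    "10.1.20.57|08/25/2007 08:14:30|A|C:\\tools\\cain.exe",
    "10.1.20.12|08/25/2007 08:16:00|A|C:\\billing\\oexplore.exe",
]
# Constructed database audit (local time): timestamp,user,client IP,action.
DB_LINES = [
    "25-AUG-07 06.00.00 AM,BATCH,10.1.5.9,LOGON",
    "25-AUG-07 08.16.05 AM,BILLING_USR1,10.1.20.12,LOGON",
]


@dataclass(frozen=True)
class Event:
    when: datetime   # always tz-aware and converted to UTC
    source: str      # "ids", "host" or "db"
    host: str
    detail: str


def parse_ids(line: str) -> Event:
    ts, rest = line[:19], line[20:]
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    return Event(when, "ids", rest.split()[1], rest)


def parse_host_mac(line: str) -> Event:
    host, ts, kind, path = line.split("|")
    when = datetime.strptime(ts, "%m/%d/%Y %H:%M:%S").replace(tzinfo=LOCAL).astimezone(UTC)
    return Event(when, "host", host, f"{kind}-time {path}")


def parse_db_audit(line: str) -> Event:
    ts, user, host, action = line.split(",")
    when = datetime.strptime(ts, "%d-%b-%y %I.%M.%S %p").replace(tzinfo=LOCAL).astimezone(UTC)
    return Event(when, "db", host, f"{action} {user}")


def build_timeline(ids_lines, host_lines, db_lines) -> list[Event]:
    events = [parse_ids(l) for l in ids_lines]
    events += [parse_host_mac(l) for l in host_lines]
    events += [parse_db_audit(l) for l in db_lines]
    return sorted(events, key=lambda e: e.when)


def spoof_window(timeline: list[Event]):
    """Span from the first to the last ARP spoof alert, or None if there were none."""
    t = [e.when for e in timeline if e.source == "ids" and "ARP_SPOOF" in e.detail]
    return (min(t), max(t)) if t else None


def events_in_window(timeline, window, slack=timedelta(minutes=5)) -> list[Event]:
    """Host and database events inside the spoofing window; slack absorbs clock drift."""
    if window is None:
        return []
    lo, hi = window[0] - slack, window[1] + slack
    return [e for e in timeline if e.source != "ids" and lo <= e.when <= hi]


def host_vs_db_gap(timeline, host):
    """Seconds between a host's earliest file access and its earliest DB logon (the slide 12 check)."""
    h = [e.when for e in timeline if e.source == "host" and e.host == host]
    d = [e.when for e in timeline if e.source == "db" and e.host == host]
    if not h or not d:
        return None
    return abs((min(d) - min(h)).total_seconds())


if __name__ == "__main__":
    tl = build_timeline(IDS_LINES, HOST_LINES, DB_LINES)
    for e in tl:
        print(f"{e.when.isoformat()} [{e.source}] {e.host} {e.detail}")
    w = spoof_window(tl)
    print("events during ARP spoofing:", [(e.host, e.detail) for e in events_in_window(tl, w)])
    print("oexplore access vs first DB logon on 10.1.20.12:", host_vs_db_gap(tl, "10.1.20.12"), "s")
```

The batch logon at 06:00 local falls outside the spoofing window once both sources are in UTC, while the clerk's application start and her first database logon land inside it a few seconds apart; that is the match slide 12 describes, and it only holds if every source is converted to one clock before comparing.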