Crosby-Signed Thesis - Alliance Digital Repository
Crosby-Signed Thesis - Alliance Digital Repository
Crosby-Signed Thesis - Alliance Digital Repository
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Regis University<br />
College for Professional Studies Graduate Programs<br />
Final Project/<strong>Thesis</strong><br />
Disclaimer<br />
Use of the materials available in the Regis University <strong>Thesis</strong> Collection<br />
(“Collection”) is limited and restricted to those users who agree to comply with<br />
the following terms of use. Regis University reserves the right to deny access to<br />
the Collection to any person who violates these terms of use or who seeks to or<br />
does alter, avoid or supersede the functional conditions, restrictions and<br />
limitations of the Collection.<br />
The site may be used only for lawful purposes. The user is solely responsible for<br />
knowing and adhering to any and all applicable laws, rules, and regulations<br />
relating or pertaining to use of the Collection.<br />
All content in this Collection is owned by and subject to the exclusive control of<br />
Regis University and the authors of the materials. It is available only for research<br />
purposes and may not be used in violation of copyright laws or for unlawful<br />
purposes. The materials may not be downloaded in whole or in part without<br />
permission of the copyright holder or as otherwise authorized in the “fair use”<br />
standards of the U.S. copyright laws and regulations.
IMPACT OF IPV6 TRANSITION MECHANISMS<br />
ON THE NETWORK FORENSICS PROCESS<br />
A THESIS<br />
SUBMITTED ON THE 18TH OF MARCH, 2011<br />
TO THE DEPARTMENT OF INFORMATION TECHNOLOGY<br />
OF THE SCHOOL OF COMPUTER & INFORMATION SCIENCES<br />
OF REGIS UNIVERSITY<br />
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS OF MASTER OF SCIENCE IN<br />
INFORMATION ASSURANCE<br />
BY<br />
KRIS R. CROSBY<br />
Charles Thies, <strong>Thesis</strong> Advisor<br />
Daniel M. Likarish<br />
Douglas I. Hart
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
i<br />
Abstract<br />
IPv6 based attack vectors will become more common within traditional IPv4 networks as<br />
attackers recognize the opportunity to exploit an unmonitored path into the network. Previous<br />
research addressed IPv6 security, architecture, and implementations; however, only Nikkel<br />
(2007) has presented a basic investigation framework to address this gap. This study developed a<br />
methodology for investigating and analyzing transitional networks. The active research<br />
methodology was employed to evaluate the IPv6 transition mechanisms, operating systems, and<br />
attack vectors in a process structured around the reconnaissance, exploitation, reinforcement,<br />
consolidation and pillage phases of a typical network attack. The research environment consisted<br />
of local and remote virtual networks with Windows, Linux, FreeBSD, and Solaris UNIX nodes<br />
that were configured to communicate using the 6to4, Teredo, intra-site automatic tunnel<br />
addressing protocol (ISATAP), and Tunnel-Broker IPv6 transition mechanisms. Observations<br />
during the research process generated four primary conclusions. First, the addressing schemes<br />
and forensic properties of the transition mechanisms facilitated a methodological approach to<br />
investigating physical nodes, analyzing network traces, sourcing addresses, correlating events,<br />
and identifying threats. Second, IPv6 traffic existed when IPv6 packets were not observed in a<br />
network trace. Third, the transition mechanisms significantly increased the number of packet<br />
source addresses representing a single node. Finally, global IPv6 addresses were automatically<br />
configured that exposed a node to external attacks. While these contributions begin to address<br />
deficiencies in the research, there remains a need to unify the academic, practitioner, and legal<br />
communities under a common process that builds a scientific foundation for the network forensic<br />
discipline.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
ii<br />
Acknowledgements<br />
I would like to thank my advisor, Charles Thies, for his support and guidance throughout<br />
the thesis process. I would also like to thank my wife Angela for her support and patience during<br />
the many hours of work that were required to complete this project.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
iii<br />
Table of Contents<br />
CHAPTER 1 – INTRODUCTION.............................................................................................. 1<br />
THESIS STATEMENT ..................................................................................................................... 1<br />
PROBLEM STATEMENT ................................................................................................................. 1<br />
BACKGROUND AND SIGNIFICANCE OF THE STUDY ....................................................................... 2<br />
RESEARCH OBJECTIVE ................................................................................................................. 3<br />
DELIMITATIONS AND LIMITATIONS .............................................................................................. 4<br />
CHAPTER 2 – REVIEW OF LITERATURE AND RESEARCH .......................................... 5<br />
DIGITAL FORENSICS DISCIPLINE .................................................................................................. 5<br />
<strong>Digital</strong> forensic models. .......................................................................................................... 6<br />
Network data as evidence. .................................................................................................... 11<br />
<strong>Digital</strong> evidence handling. .................................................................................................... 13<br />
<strong>Digital</strong> investigations............................................................................................................ 17<br />
IPV6 FORENSIC ANALYSIS AND INVESTIGATION........................................................................ 21<br />
IPV6 TRANSITION MECHANISMS................................................................................................ 26<br />
Dual-stack. ............................................................................................................................ 27<br />
Tunneling. ............................................................................................................................. 29<br />
6to4. .................................................................................................................................. 30<br />
Tunnel-Brokers. ................................................................................................................ 31<br />
Intrasite automatic tunnel addressing protocol (ISATAP)................................................ 32<br />
Teredo. .............................................................................................................................. 33<br />
Protocol translation.............................................................................................................. 36<br />
Stateless IPv4/IPv6 translation algorithm (SIIT).............................................................. 36
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
iv<br />
Network address translation and protocol translation (NAT-PT)..................................... 38<br />
Bump-in-the-stack (BIS)................................................................................................... 39<br />
Bump-in-the-API (BIA).................................................................................................... 39<br />
SOCKS64.......................................................................................................................... 40<br />
Transport relay translator (TRT)....................................................................................... 41<br />
Other gateway based translation methods......................................................................... 41<br />
IPV6 OPERATING SYSTEM SUPPORT .......................................................................................... 42<br />
Windows operating systems. ................................................................................................. 42<br />
Linux, FreeBSD and UNIX operating systems. .................................................................... 48<br />
Ubuntu Linux.................................................................................................................... 48<br />
CentOS.............................................................................................................................. 49<br />
FreeBSD............................................................................................................................ 49<br />
Sun Solaris. ....................................................................................................................... 50<br />
Apple/MAC operating systems.............................................................................................. 51<br />
IPV6 VULNERABILITIES AND ATTACK VECTORS........................................................................ 52<br />
Reconnaissance..................................................................................................................... 55<br />
Denial of service attacks....................................................................................................... 55<br />
IPv6 protocol DoS attacks. ............................................................................................... 56<br />
Neighbor discovery DoS attacks....................................................................................... 57<br />
Man-in-the-middle attacks. ................................................................................................... 59<br />
IPv6 covert channels............................................................................................................. 60<br />
Security control bypass. ........................................................................................................ 63<br />
IPv6 worms. .......................................................................................................................... 63
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
v<br />
IPv6 transition mechanisms.................................................................................................. 64<br />
SUMMARY OF IPV6 FORENSIC RESEARCH AND IDENTIFIED GAPS .............................................. 67<br />
CHAPTER 3 – METHODOLOGY........................................................................................... 70<br />
CHARACTERISTICS OF ACTION RESEARCH ................................................................................. 70<br />
CLIENT/SYSTEM INFRASTRUCTURE............................................................................................ 71<br />
Environment.......................................................................................................................... 72<br />
Resources .............................................................................................................................. 73<br />
Participants........................................................................................................................... 76<br />
Boundaries ............................................................................................................................ 77<br />
Entry and Exit Points ............................................................................................................ 77<br />
Responsibilities ..................................................................................................................... 77<br />
PROCESS STEP 1: DIAGNOSING .................................................................................................. 78<br />
Research Problems ............................................................................................................... 78<br />
Assumptions .......................................................................................................................... 79<br />
PROCESS STEP 2: ACTION PLANNING ......................................................................................... 80<br />
Procedures ............................................................................................................................ 81<br />
Approach for Change............................................................................................................ 83<br />
PROCESS STEP 3: ACTION TAKING ............................................................................................. 83<br />
PROCESS STEP 4: EVALUATING .................................................................................................. 84<br />
Outcomes............................................................................................................................... 84<br />
Next Steps.............................................................................................................................. 85<br />
PROCESS STEP 5: SPECIFYING LEARNING................................................................................... 85<br />
CHAPTER 4 –ANALYSIS AND RESULTS............................................................................ 86
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
vi<br />
RECONNAISSANCE ..................................................................................................................... 86<br />
Node interface addresses. ..................................................................................................... 87<br />
Address enumeration. ........................................................................................................... 89<br />
Service and port discovery.................................................................................................... 96<br />
Lessons learned................................................................................................................... 100<br />
EXPLOITATION ......................................................................................................................... 101<br />
Rogue routers and relays. ................................................................................................... 102<br />
Rogue clients....................................................................................................................... 104<br />
Lessons learned................................................................................................................... 105<br />
REINFORCEMENT ..................................................................................................................... 105<br />
Source address obfuscation. ............................................................................................... 106<br />
Data obfuscation................................................................................................................. 108<br />
Destination address obfuscation......................................................................................... 109<br />
Lessons learned................................................................................................................... 110<br />
CONSOLIDATION ...................................................................................................................... 110<br />
PILLAGE................................................................................................................................... 111<br />
CHAPTER 5 – CONCLUSIONS............................................................................................. 113<br />
IMPLICATIONS OF IPV6 TRANSITION MECHANISMS IN DIGITAL FORENSICS............................. 113<br />
OPERATING SYSTEM BEHAVIOR IN A TRANSITIONAL NETWORK ............................................. 115<br />
Windows 2008, 7 and Vista................................................................................................. 116<br />
Windows 2003 and XP. ....................................................................................................... 116<br />
Ubuntu and CentOS Linux. ................................................................................................. 117<br />
FreeBSD and Solaris UNIX. ............................................................................................... 117
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
vii<br />
FORENSIC PROPERTIES OF IPV6 TRANSITION MECHANISMS .................................................... 118<br />
Link-local. ........................................................................................................................... 118<br />
6to4. .................................................................................................................................... 119<br />
Teredo. ................................................................................................................................ 120<br />
ISATAP................................................................................................................................ 122<br />
Tunnel-Broker. .................................................................................................................... 123<br />
PROPOSED METHODOLOGY FOR THE FORENSIC ANALYSIS OF IPV6 TRAFFIC IN A TRANSITIONAL<br />
NETWORK ................................................................................................................................ 124<br />
Physical node investigation. ............................................................................................... 124<br />
Network traces analysis. ..................................................................................................... 125<br />
Event Correlation................................................................................................................ 126<br />
Threat Identification. .......................................................................................................... 127<br />
Addresses sourcing. ............................................................................................................ 128<br />
LIMITATIONS AND FUTURE RESEARCH .................................................................................... 131<br />
REFERENCES.......................................................................................................................... 132<br />
APPENDIX A - DIGITAL FORENSIC FRAMEWORKS................................................... 152<br />
APPENDIX B - BASE OPERATING SYSTEM CONFIGURATIONS.............................. 155<br />
TARGET NODE 1: WINDOWS SERVER 2008 R2 DATACENTER EDITION V6.1 (64-BIT).............. 166<br />
TARGET NODE 2: WINDOWS SERVER 2003 R2 ENTERPRISE EDITION V5.2 SP2 (64-BIT) ......... 170<br />
TARGET NODE 3: MICROSOFT WINDOWS 7 ENTERPRISE V6.1 (64-BIT).................................... 172<br />
TARGET NODE 4: MICROSOFT WINDOWS VISTA ENTERPRISE V6.0 SP2 (64-BIT) .................... 177<br />
TARGET NODE 5: MICROSOFT WINDOWS XP PROFESSIONAL V5.1 SP3 (32-BIT)..................... 181<br />
TARGET NODE 6:. LINUX UBUNTU DESKTOP V10.10 (64-BIT KERNEL V2.6.35) ...................... 183
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
viii<br />
TARGET NODE 7: CENTOS V5.5 (64-BIT RED HAT BASE KERNEL V2.6.18)............................ 186<br />
TARGET NODE 8: FREEBSD V8.1 (64-BIT).............................................................................. 189<br />
TARGET NODE 9: ORACLE SOLARIS 11 EXPRESS V5.11 (64-BIT) ............................................ 191<br />
RESEARCH NODE 1: LINUX BACKTRACK V4 R2 (32-BIT UBUNTU BASE KERNEL V 2.6.35.8) .. 193<br />
RESEARCH NODE 2: LINUX UBUNTU DESKTOP V10.10 (32-BIT KERNEL V2.6.35).................... 194<br />
RESEARCH NODE 3: LINUX UBUNTU DESKTOP V10.10 (32-BIT KERNEL V2.6.32).................... 196<br />
ANNOTATED BIBLIOGRAPHY .......................................................................................... 198
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
ix<br />
List of Figures<br />
Figure 1. Dual-stack Architecture and Operation......................................................................... 28<br />
Figure 2. 6to4 Transition Mechanism Architecture and Operation .............................................. 31<br />
Figure 3. Tunnel-Broker Transition Mechanism Architecture and Operation ............................. 32<br />
Figure 4. ISATAP Transition Mechanism Architecture and Operation ....................................... 33<br />
Figure 5. Teredo Transition Mechanism Architecture and Operation.......................................... 35<br />
Figure 6. Active Research Process Model .................................................................................... 71<br />
Figure 7. Action Planning Process Tree ....................................................................................... 80<br />
Figure 8. IPv6 Transition Mechanism State Determination in Win, Linux, BSD, and UNIX ... 125<br />
Figure 9. IPv6 Transition Mechanism Detection in a Network Trace........................................ 126<br />
Figure 10. Physical Source Node Determination from a Link-Local Address........................... 129<br />
Figure 11. Physical Source Node Determination from a 6to4 Address...................................... 129<br />
Figure 12. Physical Source Node Determination from a Teredo Address.................................. 130<br />
Figure 13. Physical Source Node Determination from a ISATAP Address ............................... 130<br />
Figure 14. Physical Source Node Determination from a Tunnel-Broker Address ..................... 130
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
x<br />
List of Tables<br />
Table 1. Comparison of <strong>Digital</strong> Forensic Framework Processes.................................................. 10<br />
Table 2. IPv6 Scoped Architecture ............................................................................................... 24<br />
Table 3. Tunnel Header Encapsulation Scheme (Gilligan & Nordmark, 2000)........................... 30<br />
Table 4. Teredo Addressing Scheme ............................................................................................ 34<br />
Table 5. SIIT ICMP Message Translation .................................................................................... 37<br />
Table 6. SIIT ICMP Error Translation.......................................................................................... 37<br />
Table 7. SIIT IPv4 to IPv6 Header Translation ............................................................................ 38<br />
Table 8. SIIT IPv6 to IPv4 Header Translation ............................................................................ 38<br />
Table 9. 6to4 Relay Application Traffic Observed by Savola (2005) .......................................... 43<br />
Table 10. Covert Channels in IP Communications....................................................................... 61<br />
Table 11. Research Nodes, Target Nodes, and Tools Used in the Study ..................................... 74<br />
Table 12. Primary Research Problem and Sub-Problems............................................................. 78<br />
Table 13. Research Assumptions.................................................................................................. 79<br />
Table 14. Sample Data Matrix...................................................................................................... 84<br />
Table 15. Employed Reconnaissance Tools ................................................................................. 87<br />
Table 16. Properties of Assigned IPv6 Addresses........................................................................ 88<br />
Table 17. IPv6 Address Enumeration for the Base OS from Outside the Network...................... 90<br />
Table 18. IPv6 Address Enumeration for the Base OS from Inside the Network ........................ 91<br />
Table 19. IPv6 Address Enumeration for IPv6 Enabled OS from Outside the Network.............. 93<br />
Table 20. IPv6 Address Enumeration for IPv6 Enabled OS from Inside the Network ................ 94<br />
Table 21. IPv6 Service and Port Enumeration for the Base OS from Outside the Network ........ 96<br />
Table 22. IPv6 Service and Port Enumeration for Base OS from Inside the Network................. 97
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
xi<br />
Table 23. IPv6 Service and Port Enumeration for IPv6 OS from Outside the Network .............. 98<br />
Table 24. IPv6 Service and Port Enumeration for IPv6 Enabled OS from Inside the Network... 99<br />
Table 25. Employed Exploitation Tools and Techniques........................................................... 101<br />
Table 26. IPv6 Address Auto-Configuration from Outside the Network................................... 102<br />
Table 27. IPv6 Address Auto-Configuration from Inside the Network...................................... 103<br />
Table 28. IPv6 Communication with a Rogue Node from Outside the Network....................... 104<br />
Table 29. IPv6 Communication with a Rogue Node from Inside the Network.......................... 104<br />
Table 30. Employed Reinforcement Tools and Techniques....................................................... 106<br />
Table 31. Source Address Obfuscation using IPv6 Privacy Extensions..................................... 107<br />
Table 32. Source Address Obfuscation in a Two-Way Channel using IPv6 Router Redirects.. 108<br />
Table 33. Data Obfuscation in a Two-Way Channel using IPv6 Fragments.............................. 109<br />
Table 34. Destination Address Obfuscation in a Two-Way Channel using IPv6 Multicast....... 109<br />
Table 35. Employed Consolidation Tools and Techniques ........................................................ 111<br />
Table 36. Persistent IPv6 Backdoor............................................................................................ 111<br />
Table 37. IPv6 Transition Mechanism Address Correlation Elements....................................... 127<br />
Table 38. IPv6 Transition Mechanism Traffic Classification Scheme....................................... 128<br />
Table B1. Commands Used to Extract the Operating System Data ........................................... 155<br />
Table B2. Commands Used to Setup the IPv6 Tunnel Client..................................................... 155<br />
Table B3. Commands Used to Setup Teredo/Miredo................................................................. 156<br />
Table B4. Commands Used to Setup ISATAP ........................................................................... 158<br />
Table B5. Commands Used to Setup Privacy Extensions .......................................................... 160<br />
Table B6. Commands Used to Setup Netcat............................................................................... 161<br />
Table B7. Configured IPv6 Addresses........................................................................................ 161
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
1<br />
Chapter 1 – Introduction<br />
<strong>Thesis</strong> Statement<br />
Because the existence and nature of internet protocol version six (IPv6) traffic within<br />
traditional internet protocol version four (IPv4) networks has been overlooked by network<br />
forensic analysts, investigators, and researchers, covert IPv6 based attack vectors will become<br />
more common as attackers recognize the opportunity to exploit an unmonitored and unguarded<br />
path into the network.<br />
Problem Statement<br />
Network forensic analysts and investigators rely on a well defined methodology to<br />
determine the nature of IPv4 packet flows within a network; however, there is less understanding<br />
of IPv6 traffic that may also be traversing these networks. Security implications of the IPv6<br />
transition has been researched by Caicedo, Joshi, & Tuladhar (2009), Warfield (2003), Zagar,<br />
Grgic, & Rimac-Drlje (2007) and others; however, only Nikkel (2007) has presented a basic<br />
investigation framework for IPv6 networks and no academic research has been done to<br />
determine the nature of the traffic. The unfamiliar IPv6 domain combined with the fusion of the<br />
new protocol and common devices creates an opportunity for attackers to develop effective<br />
attacks that requires new techniques and considerations when analyzing network traffic in<br />
forensic investigations. This study developed a proposed methodology for properly analyzing<br />
and investigating IPv6 traffic within transitional networks to help forensic analysts and<br />
investigators recognize IPv6 based attack vectors.<br />
To accomplish this goal, the study addressed the question: What is the nature of IPv6<br />
traffic that may be traversing traditional IPv4 networks? In answering this questions, the
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
2<br />
following sub-questions were structured around the five phases of a network attack as outlined<br />
by Bejtlich (2004):<br />
Reconnaissance<br />
• What methods can be used to enumerate IPv6 addresses and services in a transitional<br />
network?<br />
• What is the context of IPv6 traffic produced by nodes in an IPv4 network?<br />
Exploitation<br />
• What methods can be used to attack the network topography in a transitional network?<br />
• What are the characteristics of malicious and suspicious traffic that traverse IPv4<br />
networks using the IPv6 protocol?<br />
Reinforcement<br />
• What methods can be used to obfuscate an attack in a transitional network and how<br />
could the true source be determined?<br />
Consolidation<br />
• What methods can be used to create a persistent commutations channel in a<br />
transitional network and how could that channel be detected?<br />
Pillage<br />
• What additional risks should be considered in a transitional network?<br />
Background and Significance of the Study<br />
IPv6 traffic will become more common over time and will coexist with IPv4 on the same<br />
networks. Most operating systems support IPv6 in their default states and solution providers have<br />
begun to roll out IPv6 based applications that are running on machines within traditional<br />
networks using transition methods to traverse the IPv4 networks.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
3<br />
While the new protocol has quietly penetrated the network environment, the academic<br />
and business communities have neglected research and development in this area. Despite<br />
consumer device support, network security vendors have been slow to support IPv6 in their<br />
products because low utilization rates make it difficult to realize a return on investment.<br />
Researchers have addressed general security in IPv6; however, they have neglected a technical<br />
discussion of the context and nature of the traffic. Attackers will exploit attack vectors that offer<br />
the greatest chance of success with the least chance of being discovered. The IPv6 protocol is<br />
available and can covertly traverse the network which opens up an opportunity that will lead to<br />
growth in IPv6 based attacks.<br />
Research Objective<br />
The primary objective of this study was to develop a practical methodology for<br />
investigating and analyzing transitional networks. To accomplish this goal, the study employed a<br />
qualitative method based on the active research methodology to evaluate the IPv6 transition<br />
mechanisms, operating systems, and attack vectors. First, the literature review enumerated<br />
current research in digital forensics, IPv6 transition mechanisms, operating system support, and<br />
IPv6 vulnerabilities. Second, a virtual lab environment was created and testing procedures were<br />
designed to answer the research sub-problems. Third, the procedures were implemented while<br />
the researcher recorded operating system states, tool output, and other observations. Finally, the<br />
discoveries and results were analyzed and distilled into three outputs that supported the proposed<br />
investigative methodology. First, the implications of IPv6 transition mechanisms on the digital<br />
forensics discipline were outlined. Second, a summary of the behaviors of each transition<br />
mechanism and operating system in the study was presented from the perspective of a forensic
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
4<br />
investigator or investigator. Finally, a methodology was proposed for the forensic analysis of<br />
IPv6 traffic in a transitional network.<br />
Delimitations and Limitations<br />
This study did not address networks where the IPv6 protocol was a planned part of the<br />
infrastructure. Organizations that plan and implement IPv6 would likely implement security<br />
controls and have an enhanced understanding of the context of traffic within the network.<br />
Therefore, the study did not address hardware transition mechanisms and IPv6 hardware nodes<br />
that required a planned implementation.<br />
This study also did not serve as an analysis of IPv6 attacks or highlight new methods of<br />
exploiting IPv6 clients. In order for an investigator or analyst to identify suspicious or malicious<br />
traffic, they must first understand the context of normal traffic within the network. The study<br />
analyzed selected attacks to provide a better understanding of potential malicious packets;<br />
however, the focus of the study was on providing a basis for identifying unknown or suspicious<br />
traffic for further analysis.<br />
Additionally, this study was not an analysis of tools used in forensic analysis or the<br />
performance factors involved with network monitoring. Network monitoring tools provide<br />
common functions such as protocol analysis, packet captures and injections. Tools were selected<br />
for use in the study; however, the focus was on the context of the packets.<br />
Time and resource limitations controlled the scope of the study by limiting the transition<br />
mechanisms and source nodes that were analyzed. The study focused on the most common nodes<br />
and transition mechanisms that were freely available for use in the testing environment.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
5<br />
Chapter 2 – Review of Literature and Research<br />
At the most basic level, forensics requires that investigators establish who, what, where,<br />
when, why, and how an event occurred and then analysts produce legally admissible evidence<br />
that proves to the jury that the required components of the statute has been violated. To<br />
accomplish the first goal, an investigator must understand the technology and methods used by<br />
the perpetrators to commit the crime. Current research into IPv6 technology and attack vectors is<br />
adequate to implement and operate the technology; however, it does not address the unique<br />
needs and considerations for investigating and analyzing criminal events in distributed<br />
environments and IPv6 networks. To accomplish the second goal, the forensic techniques used<br />
must be an established discipline formally founded in the academic research. Network forensics<br />
is a new science with basic procedural models focused on physical nodes; however, the research<br />
does not adequately address the complex evidence collection, analysis, and presentation<br />
requirements of IPv6 network investigations. The need to supplement this research will become<br />
more critical as IPv6 becomes more widely implemented and a common mechanism in criminal<br />
acts.<br />
<strong>Digital</strong> Forensics Discipline<br />
The word forensics originates from the Latin term forensis and is the “scientific test or<br />
technique used in the detection of crime” (Bishop, et al., 2008 p3). <strong>Digital</strong> forensics at a basic<br />
level comprises a sub-discipline of forensics that applies tests and techniques to devices that<br />
produce digital or binary data in order to detect and prosecute criminal offenses. Within this<br />
discipline, researches have focused on defining forensic models, evidence collection, handling<br />
procedures, and processes for digital investigations.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
6<br />
<strong>Digital</strong> forensic models.<br />
A variety of research efforts have defined unique frameworks for use in the digital<br />
forensics discipline. Despite having similar objectives, many of the proposed frameworks<br />
presented the process from a legal, scientific, or practitioner perspective that inadequately<br />
addressed the other views. Developing a forensic framework for addressing digital crime will<br />
ultimately serve to create a comprehensive process to prosecute crime.<br />
Leong (2006) proposed that a digital forensic framework should be based on the<br />
principles of reconnaissance, reliability, and relevancy; however, the lack of a single unifying<br />
model negates these tenants in practice. In their research, Carr, Gunsch, and Reith (2002),<br />
Bishop, et al. (2008), Cohen (2009), Ciardhuáin (2004), and Leong found that the lack of<br />
unification is due to the ad-hoc application of research and practices by disconnected<br />
participants. Bishop, et al. illustrated the different procedural models that have been introduced<br />
by practitioners who focused on evidence collection, computer scientists who focused on tools<br />
and techniques, and the legal community who focused on analysis and presentation. The lack of<br />
communication between these groups has prevented a single unifying model from being<br />
developed. For example, a large percentage of digital cases handled by practitioners in the law<br />
enforcement community involved child pornography which does not require the sophisticated<br />
tools and analysis techniques that make up the research focus of many computer scientists<br />
(Littlefield, 2007, June as cited by Bishop, et al. 2008).<br />
Advancing the digital forensic sciences requires the creation of a unifying framework that<br />
integrates components from all views and consists of the best ideas from both computer science<br />
and the legal community. Carr, et al (2002) argued that frameworks are necessary to help<br />
investigators apply consistent and well defined procedures. Bishop, et al. (2008) added that a
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
7<br />
framework must defend the validity of the results and improve the accuracy of the data to a high<br />
standard that is representative of a scientific discipline. Currently, there are no standard tools and<br />
techniques that are used to prove digital cases in a court of law. Additionally, there is a gap<br />
between technology and the judicial process that makes decision making difficult for judges and<br />
juries who often do not understand the underlying technology involved in a case (Bishop, et al.,<br />
2008; Leong, 2006). For example, in 2007, a Connecticut teacher was convicted of contributing<br />
to the delinquency of a minor after a spyware program displayed pornography to one of the<br />
students. The conviction was later overturned; however, this case highlights the knowledge<br />
issues faced in digital forensics (Cowan, 2007, Feb 14 as cited by Bishop, et al., 2008).<br />
A common set of six digital forensic frameworks are represented in the literature. The<br />
incident response framework focused on integrating the forensic process into digital defenses and<br />
is most relevant to organizations that have existing security monitoring procedures (Mandia &<br />
Prosise, 2001 as cited by Carr, et al. 2002). The Department of Justice (DOJ) defined a<br />
framework that is oriented towards practitioners and investigators; however, Shin (2008) argued<br />
that the analysis process is poorly defined ("Electronic crime scene investigation: A guide for<br />
first responders," 2001 as cited by Carr, et al. 2002). The <strong>Digital</strong> Forensics Research Workshop<br />
created a framework based on input from academia and the law enforcement community that<br />
created a reference for work for the field (Gary Palmer, 2001 as cited by Carr, et al. 2002). Lee,<br />
Palmbach, and Miller (as cited by Ciardhuáin, 2004) defined a scientific framework that utilized<br />
logic trees to create a systematic and methodological investigation model. Casey (as cited by<br />
Ciardhuáin, 2004) defined a model that can be applied to networks and is focused on<br />
practitioners. Carrier and Spafford (2003) developed a framework to link the physical
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
8<br />
investigative process to the digital world. The procedural steps and language used in each of<br />
these models is outlined in Appendix A, <strong>Digital</strong> Forensic Frameworks.<br />
Carr, et al. (2002), Cohen (2009), Ciardhuáin (2004), and Shin (2008) presented<br />
comprehensive digital forensic frameworks that built upon the prior research efforts. Carr, et al.<br />
developed a comprehensive framework that outlined the process from identification of the crime<br />
through the return of evidence to its owner after a case has concluded. Cohen focused on creating<br />
a cost effective forensic model that could be employed by prosecutors. Ciardhuáin added<br />
information flows to the framework that helped to establish the chain of custody in a case. Shin<br />
created a comprehensive and detailed framework that addressed the analysis process more<br />
thoroughly than in his prior work. The procedural steps and language used in each of these<br />
models is outlined in Appendix A, <strong>Digital</strong> Forensic Frameworks.<br />
The combination and comparison of these ten frameworks enumerated the strengths and<br />
weaknesses of each model and provided a unified research platform for forensic frameworks.<br />
This combined framework can be summarized with the following process steps:<br />
1. Identify the legal issues and develop an awareness of when a crime has been<br />
committed.<br />
2. Provide ongoing training and appropriate tools for identifying crime and conducting<br />
an investigation.<br />
3. Seek authorization from superiors for any targeted investigations.<br />
4. Create a hypothesis for what events lead up the crime identified.<br />
5. Plan an investigation that identifies steps that need to be taken to prove the<br />
hypothesis.<br />
6. Notify stakeholders and other users impacted by the investigation when possible.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
9<br />
7. Search for evidence.<br />
8. Collect the evidence.<br />
9. Preserve, transport, copy, and store the evidence for analysis.<br />
10. Examine and verify the integrity and validity of the evidence in relation to the<br />
identified events and internal data relationships.<br />
11. Classify and separate the evidence into individual components.<br />
12. Prioritize the evidence by identifying the most compelling components.<br />
13. Reconstruct the events and link the physical data to the milestones in the event<br />
history.<br />
14. Consult experts and other specialists when necessary.<br />
15. Analyze and document the conclusions.<br />
16. Verify the availability of resources to advance the investigation or case.<br />
17. Verify if the schedule and event history is feasible given the facts of the case.<br />
18. Decide whether to move forward, look for more evidence, or drop the case.<br />
19. Profile and summon suspects.<br />
20. Present the evidence and case to the prosecutor and court.<br />
21. Prove the case and challenge any presented defenses.<br />
22. Return the evidence to the owner and restore affected systems to their previous states.<br />
23. Disseminate the knowledge and improve criminal profiles to aid in future cases.<br />
Table 1 illustrates which of the ten frameworks presented in the document explicitly contain<br />
elements of the twenty-three common processes.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
10<br />
Table 1. Comparison of <strong>Digital</strong> Forensic Framework Processes<br />
Co- Ciard- Incident DFR- Carr-<br />
Process Carr hen huáin Shin Response DOJ WS ier Lee Casey<br />
Identify legal issue X X X X X<br />
Provide training and tools X X X X<br />
Seek authorization<br />
X<br />
Create hypothesis X X<br />
Plan investigation X X X<br />
Notify stakeholders<br />
X<br />
Search for evidence X X X X X<br />
Collect evidence X X X X X X X<br />
Preserve evidence X X X X X X X<br />
Examine and verify evidence X X X X X X X X<br />
Classify and individualize X X X<br />
Prioritize evidence<br />
X<br />
Reconstruct events X X X<br />
Consult external experts<br />
X<br />
Analyze and document X X X X X X X X<br />
Verify available resources<br />
X<br />
Determine schedule<br />
X<br />
Decide on course of action<br />
X<br />
Profile and summon suspects<br />
X<br />
Presentation and reporting X X X X X X X<br />
Proof and defense of case<br />
X<br />
Restore and recovery X X<br />
Dissemination of knowledge X X<br />
The available research presented a fractured and ad-hoc approach to forensic frameworks<br />
for digital investigations despite the importance of unifying under a single comprehensive model.<br />
By merging a number of frameworks into one procedural model, we begin to see an integration<br />
of ideas that could be used by both academia and the legal community. While these approaches<br />
serve forensics in general, they do not adequately address the complex nature and unique<br />
requirements of network forensic investigations. The processes that are most impacted by this
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
11<br />
complexity are in the search, collection, handling, analysis of evidence and the reconstruction of<br />
events. Additionally, the planning of the investigation, involvement of experts, training, and<br />
presentation will be impacted by the increase in resource requirements needed to support the<br />
case.<br />
Network data as evidence.<br />
Sommer (1999) conducted early research into the implications of using network data as<br />
evidence. This research presented an example case, the problems associated with using network<br />
data as evidence, the questions of admissibility and weight of network based evidence, and<br />
suggestions for successfully using network data as evidence in a case. Sommer concluded that<br />
the key to successful prosecution is to have streams of corroborating evidence from multiple<br />
sources. Evidence can be derived from network data, logs, direct testimony, and documentary<br />
evidence that supports the timeline and facts in a case.<br />
To illustrate this point, Sommer (1999) presented a criminal case where a hacker gained<br />
unauthorized access to classified United States Air Force (USAF) documents. To prove their<br />
case, the prosecution used intrusion detection system (IDS) network data, chat logs with other<br />
hackers, phone logs showing calls placed to servers, files discovered on the defendants seized<br />
hard drive, and logs from the targeted computers. This evidence was then tied together into an<br />
event timeline to present the series of events that predicated the crime.<br />
Sommer (1999) identified a number of problems that could arise with network based<br />
evidence that the defense could call into question. First, the data may not contain enough details<br />
to correlate with actual events. Second, the evidence may not exist for the specific time period in<br />
question or elements may be missing. Third, the data could have been compromised or altered<br />
during or after the crime. Finally, the analysis may lead to misleading results.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
12<br />
These factors affect the admissibility and weight of the evidence that determine whether<br />
the prosecution can present the evidence to the court (Sommer, 1999). Evidence admissibility<br />
derives from the rules of the court. Although, each jurisdiction and court may have their own<br />
rules, the following types of evidence are generally allowed: real physical evidence, eyewitness<br />
testimony, documentary evidence, expert opinions, and derived evidence created from other<br />
sources (Sommer, 1999). Technical evidence admissibility is often based on the precedent set in<br />
Daubert v. Merrell Dow Pharmaceuticals Inc ("Daubert v. Merrell Dow Pharmaceuticals Inc.,"<br />
1993 as cited by Sommer, 1999). This case defined four tests used to determine whether<br />
scientific evidence could be admissible in a court of law. First, the technique or theory must have<br />
been tested. Second, the error rate of the technique must be known. Third, the technique must<br />
have been published in a peer reviewed journal. Finally, the technique must have gained wide<br />
acceptance in the field.<br />
The weight derives from how understandable and convincing the evidence is when<br />
presented to the court. It is affected by the context and handling processes of the evidence. The<br />
evidence must be authentic and linked to the circumstances in question. It must be accurate and<br />
complete to tell a full and truthful story. The chain of custody must have been maintained and the<br />
evidence must be transferable to third parties as part of the discovery process.<br />
Sommer (1999) presented a number of best practices for network based evidence.<br />
Although network data is documentary evidence, Sommer recommended supporting that<br />
evidence with both expert testimony and derived evidence. Time stamps should be synchronized<br />
between different data sources to ensure timeline accuracy. If possible, evidence and live<br />
network data should be protected from compromise using hashes or other encryption techniques.<br />
Raw data should accompany the derived data and the chain of custody should be maintained.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
13<br />
Sommer (1999) and Daubert v. Merrell Dow Pharmaceuticals Inc ("Daubert v. Merrell<br />
Dow Pharmaceuticals Inc.," 1993) both provided suggestions for effectively collecting and<br />
handling network based evidence. The prosecutor’s objective should be to present the data with<br />
the aid of expert testimony and derived presentations and then corroborate the facts with other<br />
evidence. This research presented some of the considerations for IPv6 evidence that could<br />
present a problem for investigators. The lack of research into IPv6 investigation techniques<br />
decreases the admissibility of the evidence under the Daubert standard which requires<br />
evidentiary techniques to be based on established academic disciplines.<br />
<strong>Digital</strong> evidence handling.<br />
The procedural standards and admissibility issues surrounding digital evidence collection,<br />
storage, analysis, and presentation are well represented in the literature. Although, the standards<br />
for processing digital evidence follows a fairly standard structure, jurisdictional differences in<br />
legal precedent and statutes create challenges in formulating a solid procedural framework for<br />
digital evidence processing.<br />
<strong>Digital</strong> evidence is relevant data used to prove that a crime or event has taken place (Lan,<br />
et al., 2005). The research by Lan, Lin, Lin, and Wu (2005) identified the characteristics of<br />
digital evidence as being technical, changeable, invisible, and flexible. It further identified three<br />
classifications of digital evidence. Document evidence is content that can be printed or viewed<br />
like document, text, and log files. Material evidence is content that can be read when executed by<br />
another application like executable (EXE) or Moving Picture Experts Group Layer-3 (MP3)<br />
files. Other evidence is content that cannot be printed or viewed like compressed (ZIP) and<br />
dynamic link library (DLL) files.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
14<br />
<strong>Digital</strong> evidence collection and processing procedures do not follow an established<br />
standard; although, different applications often have similar components. Lan, et al. (2005)<br />
described the Federal Bureau of investigation’s (FBI) Regional Computer Forensics Laboratory<br />
digital evidence collection process to include surveying and maintain the site, search and seizure,<br />
and evidence packing and delivery.<br />
In their research, Lan, et al. (2005) proposed a similar operating procedure for digital<br />
evidence collection and processing. The objective was to maintain the legal admissibility of<br />
digital evidence by: maintaining the legal basis for actions leading up to the seizure, collecting<br />
evidence as soon as possible, maintaining the chain of custody, ensuring proper supervision in<br />
the process, and restricting access to the evidence. Three digital evidence handling process were<br />
proposed. First, evidence collection followed the FBI’s process and involved site survey and<br />
maintenance, search and seizure, and packing and delivery. Second the analysis process involved<br />
backup, inspection, and maintaining the chain of custody. Finally, the forensics process involved<br />
identification, recognition and reporting.<br />
Kerr’s (2005, Jan) expands the digital evidence handling process by adding a description<br />
of the courtroom processes used by a prosecutor. In a criminal case, the prosecutor will first call<br />
the victim to testify about the crime. Other parties will be called to establish their link in the<br />
crime if the suspect used other computers to access the victim’s machine. Then, the forensic<br />
analyst will present the evidence to link the crime to the suspect. Finally, the investigator will<br />
testify that the computer was recovered in the possession of the suspect. This process provides<br />
the necessary elements to establish that a crime has been committed, define the actions used to<br />
commit the crime, and link the suspect to the actions.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
15<br />
The cyber tool on-line search for evidence (CTOS) project was a European Union funded<br />
research project designed to establish a common architecture, processes, and tools for digital<br />
investigations (Broucek & Turner, 2004). Broucek and Turner (2004) described the CTOS<br />
project in their research which follows similar processes to those outlined by Lan, et al. and Kerr.<br />
The digital evidence processing phases included preparation, running, assessment, investigation,<br />
and learning. The focus of the overall process was on collecting evidence that is legally<br />
admissible in a court of law.<br />
To produce legally admissible evidence, investigations involving digital evidence require<br />
a different approach than those involving only physical evidence. Kerr (2005, Jan) illustrated<br />
these differences in a comparison of a physical and virtual bank robbery. In a physical bank<br />
robbery, the investigator interviews eye witnesses, attempts to identify a suspect using these<br />
accounts and other physical evidence at the scene, and collects additional physical evidence from<br />
the premises to support the prosecution of the identified suspects. In a digital bank robbery there<br />
is no eye witness to the crime. The evidence that is available to lead the investigator to a suspect<br />
often involves a chain of innocent victims. It is possible that the suspect is a victim of a third<br />
party who launched the crime from their machine.<br />
The challenges of proving possession in cases involving digital evidence is analyzed in<br />
the research by Losavio (2005). United States case law has established that possession in a<br />
digital case can be established even if the data is stored on a remote machine that is not<br />
physically accessible to the suspect. To prove a case, the forensic analyst must establish<br />
possession, overcome possible defenses, and provide enough weight to meet the burden of proof<br />
in the case. Losavio described some of the defenses used by defense attorneys to create<br />
reasonable doubt by associating actions with other parties. For example, a suspect could claim
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
16<br />
that another perpetrator accessed their unsecure wireless access point to launch attacks without<br />
their knowledge. A suspect in a child pornography possession case could claim the files in<br />
question were stored on their computer without their knowledge because a peer-to-peer file<br />
sharing program was left open. The most common defense in digital cases involves claiming that<br />
a Trojan Horse or other malicious application perpetrated the offences without the suspects<br />
knowledge (Losavio, 2005). While these defenses present some problems for prosecutors, the<br />
extent of evidence required to establish possession often comes down to the openness of the<br />
systems involved.<br />
Losavio (2005) further expand some of the issues that may arise in digital cases. Losavio<br />
identified that the probability of access, alteration, or spoofing may cause a judge to require a<br />
greater foundation in the evidence to prove possession. The source internet protocol (IP) address<br />
or account used in the crime does not necessarily mean the owner in question committed the<br />
crime. The evidence necessary to link the suspect to the actions involving the IP or account may<br />
be substantial and, in the case of network evidence, may need to be recovered immediately after<br />
a crime to be considered valid.<br />
Kerr, (2005, Jan) addressed some of the legal implications of digital evidence in the<br />
search and seizure process. The Fourth Amendment of the constitution prohibits unreasonable<br />
searches and seizures. In physical cases a law enforcement officer cannot enter a private space<br />
without cause; however, this legal standard is not as clear in cases involving digital evidence.<br />
Kerr, questioned whether collecting digital evidence from third party source violates this legal<br />
standard as well as privacy laws. Additionally, Kerr suggested that seizing a computer to<br />
investigate the data contained inside may be deemed excessive. It parallels seizing an entire<br />
house to inspect the contents of one room for evidence. Traditional warrants for evidence
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
17<br />
collection requires an explicit declaration of the specific evidence that is being search for;<br />
however, this is not possible in a digital investigation. <strong>Digital</strong> evidence can exist in many forms<br />
and located in any digital storage location within the physical computer. It is often impossible to<br />
know what will be found until the analysis is complete.<br />
<strong>Digital</strong> evidence processes and issues identified in the literature by Broucek and Turner<br />
(2004), Kerr (2005, Jan), Lan, et al. (2005), and Losavio (2005) are focused on investigations<br />
where a computer is physically analyzed by a forensic examiner. Network based forensic<br />
investigations present unique challenges because the evidence may involve complex arrays of<br />
actions that take place on many disbursed machines. Additionally, network forensic data analysis<br />
is complex and new issues arise from its interpretation. Because it is a subset of digital evidence,<br />
network data analysis processes can follow the general procedural framework laid out in the<br />
current literature; however, further research is needed to develop handling procedures specific to<br />
its unique characteristics and challenges.<br />
<strong>Digital</strong> investigations.<br />
The digital forensic frameworks developed by practitioners and the law enforcement<br />
community are often applied to processes used in real investigations to verify their applicability.<br />
Three have been selected for presentation to describe the practical steps used by investigators in<br />
digital cases. The Fraud Examiners Manual ("Fraud Examiners Manual," 2008) provided<br />
characteristics, legal precedent, and investigation processes for practitioners investigating digital<br />
crime and fraud. Schroeder (2005) described the digital investigation that lead up to the case<br />
United States vs. Gorshkov that involved multiple computer intrusion and fraud violations.<br />
Carrier and Spafford (2003) applied their forensic model to a typical child pornography case.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
18<br />
The Fraud Examiners Manual ("Fraud Examiners Manual," 2008) presented procedures<br />
and guidelines for a hypothetical computer seizure case to ensure evidentiary requirements are<br />
met in criminal cases. After obtaining warrants for specific computers and hardware, the<br />
investigator verified that adequate resources are available to help with the search and seizure,<br />
including support personnel that can identify the components listed in the warrant. After arriving<br />
on the scene, only the individuals involved in the investigation were allowed in the area where<br />
the computers were located. The image on the screen and the layout of the computer and all the<br />
cables were photographed. The computer was not moved and nothing was typed on the<br />
keyboard. The state of all computers, screen images, cables, and locations were documented.<br />
Devices were turned off and disconnected from the wall outlet before peripheral cables were<br />
labeled and removed. Media, documents, and manuals covered by the warrant were seized. The<br />
collected media, computers, peripherals, and other evidence was sealed and labeled in paper,<br />
cardboard, or static proof containers for transportation. Finally, all evidence was inventoried and<br />
transported to the evidence storage location.<br />
The Fraud Examiners Manual ("Fraud Examiners Manual," 2008) also outlined some<br />
basic considerations for the analysis of digital evidence. First, the proper handling and recording<br />
of digital evidence is critical to avoid liability and the exclusion of damaged evidence. Second,<br />
the examiner has a number of considerations when analyzing the digital evidence. Analysis<br />
should be performed on copies of the evidence to prevent source corruption. The drives should<br />
be scanned for viruses to avoid an accusation that the examiner corrupted the drive. A keyword<br />
search of the drive can help locate specific items and reduce the argument that the search was<br />
overly broad. Finally, the examiner should search for hidden and encrypted files and investigate<br />
the file slack space for any additional evidence.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
19<br />
Schroeder (2005) outlined the events and investigative steps in the case United States vs.<br />
Gorshkov. Ivanov and Gorshkov were Russian citizens lured to the United States by the prospect<br />
of a job offer by the Seattle based company Invita. They described their hacking skills and<br />
previous exploits to an undercover FBI agent and demonstrated their skills on a honeypot setup<br />
at Invita. Gorshkov admitted to hacking servers at several banks and claimed he had a small team<br />
of programmers working for him in Russia and could modify programs in any language. After<br />
the meeting, Ivanov and Gorshkov were arrested and the FBI copied the contents of their<br />
computers in Russia to a server in the US using the passwords they exposed when demonstrating<br />
their hacking skills. A warrant was then obtained to view the evidence contained in the<br />
downloaded copies.<br />
The forensic analysis of the downloaded copies of Ivanov and Gorshkov computers lead<br />
to evidence of a number of illegal activities presented in the case (Schroeder, 2005). The<br />
investigators found a practical extraction and report language (PERL) program that automated<br />
the signup process for e-mail and PayPal accounts. With the help of administrators at PayPal,<br />
they discovered thousands of accounts created by the program. These were linked to the<br />
activities to two IP addresses that identified a number of illegal transfers and withdrawals that<br />
cost PayPal over $800,000 in charge backs. Ivanov and Gorshkov were able to transfer money<br />
from PayPal accounts held by legitimate customers to their fraudulently created accounts by<br />
sending e-mails to users that appeared to be from PayPal but directed the user to the spoofed site<br />
PayPai.com that was setup to capture user IDs and passwords. They also linked the IPs used in<br />
setting up the PayPal accounts to multiple computer intrusion and hacking attempts in the United<br />
States. Some of these attacks were followed by e-mails from Gorshkov offering to reveal his<br />
techniques for a fee which provided further evidence of extortion.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
20<br />
Carrier and Spafford (2003) applied their proposed procedure model to the investigation<br />
of child pornography on a suspect’s computer. Prior to seizing the suspect’s computer, a warrant<br />
is obtained for the residence based on identifying information contained in a parallel<br />
investigation of a web server discovered to contain child pornography. This included any<br />
financial records of purchases made with the company that operated the server and logs that<br />
showed a particular IP that downloaded an illegal file. The physical address of the account that<br />
held that IP lease at the time of the download is obtained from the Internet Service Provider<br />
(ISP) and the warrant is requested for that location.<br />
The FBI executed the warrant to seize the computer in question. First, the suspect is<br />
separated from the computer and detained. Photos are taken of the scene including the layout of<br />
the computer, the connection of any cables, and anything displayed on the screen. The<br />
investigators search for other evidence like storage media and documents related to the case. The<br />
keyboard and mouse are dusted for fingerprints and the hard drives are removed from the seized<br />
machines. The hard drives are connected to a portable Linux machine where an MD5 hash value<br />
is calculated to prove integrity of the data and a then a forensic copy is created. The evidence is<br />
packaged, inventoried, and sent to the evidence storage while the forensic copies are sent to the<br />
forensic lab for analysis.<br />
In this case, the analysis of the forensic copies of the drive is narrowly focused on<br />
searching for illegal images. Forensic tools are used that search for images, analyze the web<br />
cache, and look for any encrypted files. Passwords were analyzed to determine if they were easy<br />
to guess and the analyst identified any evidence of a computer compromise that could indicate a<br />
3 rd party committed the offense. A detailed report is created that outlines the illegal images<br />
found, the creation and access dates of the files in question, the timeline of events, and the
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
21<br />
linkage to the logs contained on the web server that was previously seized. Finally, the case is<br />
presented to the court and the illegal images are added to the hash database to enhance future<br />
searches for illegal files.<br />
The computer seizure case described in the Fraud Examiners Manual (2008), the hacking<br />
case presented by Schroeder (2005), and the child pornography case presented by Carrier and<br />
Spafford (2003) follow similar overall processes that can be effectively represented in a<br />
universal digital forensic framework; however, their differences require unique approaches to<br />
meet the objectives of the case. While the previously discussed frameworks could be used as a<br />
general guide for the digital forensics discipline, specific applications necessary to create a<br />
scientific basis for individual situations is needed. The ideal framework would address the<br />
overall process in terms of the legal process while employing flexible components that adapt to<br />
the needs of each case. IPv6 forensic analysis would be one possible component that could be<br />
present in the collection and analysis stages of the overall digital forensic framework.<br />
IPv6 Forensic Analysis and Investigation<br />
There is limited research into the analysis and investigation of IPv6 traffic in a network.<br />
Nikkel (2007) presented a holistic and basic discussion of investigating IPv6 networks. Nikkel’s<br />
work provides a good introduction for investigators focused on addressing the gap in knowledge<br />
that exists when non-technical investigators are confronted with an IPv6 network investigation.<br />
Network security monitoring research that is used in intrusion detection and response systems is<br />
well defined for IPv4 traffic; however, there is little research for IPv6 traffic. Tseng, Chen, and<br />
Laih (2006), Lee, Shin, Choi, and Son (2007), and Huang, Zhang, and Yao (2009) proposed new<br />
intrusion detection engines for IPv6 traffic. Phang, Lee, and Lim (2008) proposed an improved<br />
IPv6 packet sniffer. While this research does identify possible considerations for IPv6 analysis, it
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
22<br />
does not present a detailed framework for determining the nature of IPv6 traffic in forensic<br />
investigations.<br />
The IPv6 protocol was defined in the 1990s to address the shortcomings of the IPv4<br />
protocol (Bruce J Nikkel, 2007 p2). Originally, IPv6 was designed to address the pending<br />
exhaustion of the public IPv4 address space, improve the quality of services within the network,<br />
and enhance security. Nikkel (2007) concluded that the introduction of network address<br />
translation (NAT), IPv4 application layer security, and high-speed internet access eliminated<br />
many IPv4 issues and slowed the implementation of IPv6. Nikkel predicted that mobile devices<br />
and operating system integration will renew interest in IPv6 and require forensic investigators to<br />
have a basic understanding of the protocol to successfully conduct investigations.<br />
Investigators and forensic analysts must be able to identify the characteristics of an IPv6<br />
address when conducting an investigation. Nikkel (2007), Conta and Deering (1998), and others<br />
provide descriptions of the IPv6 address structure. An IPv4 address that is used to identify nodes<br />
on a network is 32 bits while an IPv6 address is 128 bits. IPv4 addresses are represented by four<br />
groups of decimal numbers separated by a period that ranges from 0 to 255. For example,<br />
123.123.123.255 is an IPv4 address. IPv6 addresses are represented in eight groups of<br />
hexadecimal numbers separated by a colon that range from 0 to FFFF. For example,<br />
2001:0000:0000:0000:0000:0000:0000:ABCD is an IPv6 address. IPv6 addresses can also be<br />
compacted by replacing the internal zeros with a double colon character. For example, the<br />
previous address could be represented as 2001::ABCD. Additionally, Nikkel pointed out that<br />
Media Access Control (MAC) addresses and IPv4 addresses may also be represented within the<br />
IPv6 address in some implementations.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
23<br />
Understanding the different IPv6 address types is important to identifying the source and<br />
flow of traffic. Nikkel (2007) and Conta and Deering (1998) identified three types of IPv6<br />
address destinations that defined how packets are processed by network devices. A packet sent to<br />
a unicast IP address will be delivered to a single destination. Anycast addresses allow a packet to<br />
be sent to a group of destinations and delivered to the one that is the closest to the source.<br />
Packets sent to multicast addresses are delivered to all destinations defined for the group. For<br />
example, sending a packet to the multicast address FF02::1 will send the packet to all nodes on<br />
the network and address FF02::2 will send the packets to all routers. The list of reserved unicast,<br />
anycast, and multicast addresses is maintained by the Internet Assigned Numbers Authority<br />
(IANA).<br />
Nikkel (2007) and Deering, Haberman, Jinmei, Nordmark, and Zill (2005) identified the<br />
IPv6 address scope as a method of controlling the routing of packets on a network. Each address<br />
is defined by IANA to have a link-local, site-local, or global scope except for the loopback<br />
address of 0::1 and the unspecified address of 0::0. These two special addresses do not have a<br />
scope and cannot be assigned to a device. A link-local scoped address begins with FE8 and is<br />
designed to pass packets from one physical device in a network to another. Packets that have<br />
link-local destination addresses do not get routed so there needs to be a direct path to the<br />
destination for the packets to be delivered. Site-local scoped addresses begin with FEC and are<br />
designed to be routed within a single internal network. Devices that are assigned site-local<br />
addresses can only communicate with other devices within the same site. Global-scoped<br />
addresses are publically available addresses that often begin with 2001 or 2002 and are routed on<br />
the Internet. If a device is assigned a globally-scoped address, it can communicate with any other
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
24<br />
global IPv6 node located on the Internet. Table 2 illustrates the different scopes defined by an<br />
IPv6 address.<br />
Table 2. IPv6 Scoped Architecture<br />
Scope Identifier Prefix Subnet ID Interface ID<br />
Link-local<br />
(10 bits) (54 bits)<br />
(64 bits)<br />
FE80::ABCD:ABCD:ABCD:ABCD<br />
FE8 0<br />
ABCD:ABCD:ABCD:ABCD<br />
Site-Local<br />
(10 bits) (38 bits) (16 bits) (64 bits)<br />
FEC0::DCBA:ABCD:ABCD:ABCD:ABCD<br />
Global<br />
2001:DCBA:ABCD:ABCD:ABCD:ABCD:<br />
ABCD:ABCD<br />
Loopback Address<br />
0:0:0:0:0:0:0:1<br />
FEC 0<br />
(x bits)<br />
2001<br />
DCBA<br />
(y bits)<br />
DCBA<br />
(127 bits)<br />
0<br />
ABCD:ABCD:ABCD:ABCD<br />
(128-x-y bits)<br />
ABCD:ABCD:ABCD:ABCD<br />
:ABCD:ABCD<br />
(1 bit)<br />
1<br />
Unspecified Address<br />
0:0:0:0:0:0:0:0<br />
(128 bits)<br />
0<br />
Techniques used by forensic analysts and investigators to determine the registrar of IPv4<br />
addresses will also work in IPv6 investigations. Nikkel (2007) identified IANA as the root<br />
registrar for all IP addresses, including IPv6. Under IANA, regional registrars assign IP address<br />
blocks to individual organizations. This includes; ARIN for North America, LACNIC for South<br />
America, APNIC for Asia and the Pacific, RIPE for Europe, the Middle East, and Central Asia,<br />
and AFRINIC for Africa. Standard whois lookup queries used with IPv4 addresses can identify<br />
IP registration information for IPv6 addresses using either the full or compact address notation.<br />
Additionally, IPv6 addresses may also be contained in standard DNS records with a record type<br />
of AAAA or as standard MX records for e-mail servers.<br />
Nikkel (2007) concluded that the forensic analysis of IPv6 traffic is similar to techniques<br />
used for IPv4; however, certain protocol differences require unique considerations. Forensic<br />
tools used to capture and analyze packet flows like TCPDUMP and Wireshark already support
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
25<br />
IPv6 and many tools are being developed specifically for IPv6 traffic. Nikkel identified log<br />
analysis as a forensic technique that remains unchanged under IPv6; however, the investigator<br />
will have to consider both IPv4 and IPv6 address notations in the search for evidence. IPv6<br />
addresses in the log may be represented in compressed notation or full-length notation.<br />
Additionally, Nikkel’s research discussed additional risks that should be considered when<br />
conducting an IPv6 investigation. For example, IPv6 traffic may affect the security of a network<br />
by bypassing the firewall through a tunneling mechanism and the source or destination of the<br />
tunnel may be difficult to determine.<br />
IPv6 forensic analysis is also represented in IDS research. Tseng, Chen, and Laih (2006),<br />
Lee, Shin, Choi, and Son (2007), and Huang, Zhang, and Yao (2009) contributed research that<br />
proposed new network intrusion systems for IPv6 traffic and Phang, et al. (2008) proposed a new<br />
IPv6 protocol analysis tool that provided better performance than the TCPDUMP tool. Lee, et al<br />
(2007) adapted the existing Internet Engineering Task Force (IETF) standard for IP flow<br />
information export (IPFIX), to support anomaly detection. IPFIX is a flow based reporting<br />
standard that is included on most routers and switches to provide summarized reports of network<br />
data. Lee’s research created new report templates that included source and destination addresses,<br />
ports, MAC addresses, protocol and internet control message protocol version six (ICMPv6) type<br />
code to identify possible IPv6 denial of service (DoS) attacks, covert channels, or IPv6 tunnels.<br />
Tseng, Chen, and Laih (2006) proposed an IPv6 IDS that adapted established Snort IDS<br />
signatures to create a new signature file. Huang, Zhang, and Yao (2009) proposed an IPv6 IDS<br />
that combines pattern detection and protocol anomaly detection to identify potential attacks.<br />
While IDS research may identify some of the analysis techniques needed for a forensic
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
26<br />
investigation, the research lacks the details needed to address the specific characteristics of IPv6<br />
in an investigation.<br />
The research presented by Nikkel (2007) provided a basic overview of conducting an<br />
investigation when IPv6 traffic is present in the network. Tseng, Chen, and Laih (2006), Lee,<br />
Shin, Choi, and Son (2007), and Huang, Zhang, and Yao (2009) began to define analysis<br />
techniques that can be used in the forensic investigation of an IPv6 network. This research lacks<br />
details that are necessary to successfully conduct an investigation. For example, Nikkel provided<br />
a definition of IPv6; however, there is only a cursory consideration for how an investigator or<br />
analyst should analyze, interpret, and present IPv6 network evidence. Additionally, there is a<br />
lack of discussion on IPv6 transition mechanisms, sources of traffic, security implications, and<br />
attack vectors that will impact the forensic analysis of IPv6 traffic in an investigation.<br />
IPv6 Transition Mechanisms<br />
Transition mechanisms facilitate communications between IPv4 and IPv6 endpoints.<br />
Tantayakul, Kamolphiwong, and Angchuan (2008) attributed the need for transition mechanisms<br />
to the difficulty of converting the wide variety of network architectures to the new protocol; the<br />
complexity of routing, the domain name system (DNS), and error handling; and the requirement<br />
that all applications must remain operational during the transition. Yan-ge, Shui-mu, and Junying<br />
(2009) classified transition methods into IPv4 to IPv6 interconnection, transparent<br />
interconnection, and IPv6 to IPv4 interconnection while other researchers classified transition<br />
techniques into dual-stack, tunneling, and protocol translation methods. Dual-stack is a transition<br />
method that requires a network interface card (NIC) to supports both protocols. Tunneling<br />
includes the 6to4, Tunnel-Broker, intra site automatic tunnel addressing protocol (ISATAP), and<br />
Teredo methods. It involves creating a temporary path through an IPv4 network to facilitate IPv6
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
27<br />
communications. Protocol translation includes the stateless IP/ICMP translation (SIIT), network<br />
address translation – protocol translation (NAT-PT), bump in the stack (BIS), bump in the API<br />
(BIA), Socks64, transport relay translator (TRT), and other gateway based methods. Although<br />
these transition mechanisms facilitate communications between IPv4 and IPv6 endpoints, their<br />
application is intended to be a temporary solution until IPv6 becomes the native protocol on the<br />
network.<br />
Dual-stack.<br />
The dual-stack transition mechanism requires that the NIC on the host supports both IPv4<br />
and IPv6. The network must also support both protocols on the link leading to the wide area<br />
network (WAN) (Jamhour & Storoz, 2002). According to Tantayakul, et al. (2008) and Mackay,<br />
Edwards, Dunmore, Chown, and Carvalho (2003, May-June), dual-stack is the simplest and most<br />
widely deployed transition mechanism. Afifi and Toutain (1999) added that applications running<br />
on the host chooses the correct protocol stack to use for communications in a dual-stack<br />
installation. Gilligan and Nordmark (2000) identified three possible modes of operation for the<br />
dual-stack host. This includes the IPv4 stack enabled and the IPv6 stack disabled; the IPv6<br />
enabled and IPv4 disabled; and both stacks enabled.<br />
The dual-stack packet handling process is best outlined in the research by Wei, Jiang-wei,<br />
& Guo-dong (2009). The decision to use IPv4 or IPv6 for outbound traffic is based on the<br />
destination address contained in a packet. If the address is an IPv4 or IPv6 address, packets are<br />
forwarded to the IPv4 or IPv6 networks respectively. If the destination address is an IPv6 address<br />
that is compatible with IPv4, packets are forwarded to the IPv4 network. If the destination<br />
address is a domain name, a request is sent to the DNS server on either the IPv4 or IPv6<br />
networks. Determining the correct protocol stack for inbound traffic requires the inspection of
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
28<br />
the version field contained in the IP header of the packet. If the version field is four, the packet<br />
should be processed up the IPv4 stack and if the version is six, the IPv6 stack should be used to<br />
process the packet. Figure 1 illustrates the architecture and operation of a dual-stack<br />
environment.<br />
IPv6<br />
Network<br />
IPv6<br />
Application<br />
IPv6 Host<br />
IPv4<br />
Application<br />
Dual Stack<br />
Host<br />
Key<br />
Dual Stack<br />
Switch<br />
IPv4/IPv6<br />
Router<br />
IPv4<br />
Network<br />
IPv4 Host<br />
IPv4 Traffic<br />
IPv6 Traffic<br />
IPv4/IPv6 Traffic<br />
Figure 1. Dual-stack Architecture and Operation<br />
Dual-stack methods were expanded in the research by Xie, Bi, and Wu (2007), who<br />
proposed the site multi-homing by IPv6 intermediation (SHIM6) redundancy approach. SHIM6<br />
allows hosts with multiple network cards to benefit from redundant network connections by<br />
inserting a new layer between the network and transport layers to mitigate connectivity<br />
problems. Xie, Bi, and Wu’s approach is to use SHIM6 with multiple transition mechanisms like<br />
Tunnel-Brokers and 6to4 to ensure full and reliable connectivity with IPv4 and IPv6 hosts.<br />
Dual-stack methods alone do not affect the IPv6 forensic processes for transitional<br />
networks. In a properly configured environment, dual-stack nodes will send both native IPv6 and<br />
IPv4 traffic and the routers, switches, and other network devices will act on these packets as<br />
designed. The nature of native IPv4 and IPv6 traffic is well defined in the research and not a<br />
subject for this study.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
29<br />
Tunneling.<br />
Tunneling involves creating a temporary virtual path between two endpoints for the<br />
purpose of exchanging data. The research by Hsieh and Kao (2005), Jamhour and Storoz (2002),<br />
and Tantayakul, et al. (2008) illustrated the use of tunneling as an IPv6 transition mechanism.<br />
IPv6 tunnels utilize an existing IPv4 infrastructure and encapsulate or decapsulate IPv4 and IPv6<br />
packets between two endpoints. These endpoints can be either a host or a router; however, Yange,<br />
et al. (2009) pointed out that both endpoints must have implemented the same type of tunnel.<br />
The typography and types of tunnels for IPv6 transition are discussed by Gilligan and<br />
Nordmark (2000). Tunnels can be created between a router and host, host and router, host and<br />
host, or router and host. Additionally, Gilligan and Nordmark classified tunnels as either<br />
configured, semi-automatic, or automatic. Configured tunnels require prior setup to function and<br />
require the tunnel creator to specify the tunnel endpoint. Semi-automatic tunnels, like Tunnel-<br />
Brokers, require prior configuration but, operate independently after they are configured by the<br />
user. Automatic tunnels, like 6to4, ISATAP, and Teredo operate transparently and require little<br />
interaction from the user to configure the tunnel.<br />
Gilligan and Nordmark (2000) outlined the encapsulation and decapsulation process.<br />
During this process, the sending node encapsulates the IPv6 packet inside of an IPv4 header and<br />
sends the frame to the tunnel endpoint while fragmenting and maintaining the connection state if<br />
necessary. The tunnel endpoint decapsulates the packet by removing the IPv4 header and sending<br />
the packet through the IPv6 network. Encapsulated packets are identified by observing the<br />
protocol number 41 in the IP header protocol field. Gilligan and Nordmark recommended that<br />
packets bearing invalid source IPv4 or IPv6 addresses should be discarded and that virtual<br />
interfaces used by tunnels should be link-local addresses with the address scheme of
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
30<br />
FE80::a.b.c.d where a.b.c.d is the IPv4 address of the tunnel. Table 3 lists values for the IPv4<br />
header fields used to encapsulate a packet.<br />
Table 3. Tunnel Header Encapsulation Scheme (Gilligan & Nordmark, 2000)<br />
IPv4 Header Field<br />
Value in Encapsulated Header<br />
Version 4<br />
Header Length 5<br />
ToS 0<br />
Length<br />
Payload + IPv4 header + IPv6 header<br />
ID<br />
Dynamically Calculated<br />
Flags<br />
Used for fragmentation if needed<br />
Fragment Offset<br />
Used for fragmentation if needed<br />
TTL<br />
Selected Value<br />
Protocol 41<br />
Checksum<br />
Calculated<br />
Source Address<br />
IPv4 address of outgoing interface<br />
Destination Address<br />
IPv4 address of endpoint<br />
Data<br />
IPv6 Packet starting with IPv6 Header<br />
6to4.<br />
Mackay, et al. (2003, May-June) described the 6to4 transition mechanism as a unicast<br />
point-to-point link-layer tunnel. It allows IPv6 applications to communicate over IPv4 networks<br />
using a simplified encapsulation method without requiring an explicitly defined tunnel. Tunnels<br />
are automatically defined based on an addressing standards described in the research by Friacas,<br />
Baptista, Domingues, and Ferreira (2006), Jamhour and Storoz (2002), and Hsieh and Kao<br />
(2005). IANA assigned the 2002::/16 address block to be used for 6to4 packets. To address a<br />
specific host, the IPv4 address can be added to the prefix in HEX notation. For example, the host<br />
address of 208.112.13.12 can be represented in HEX as D070:0D0C and becomes a 6to4 IP
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
31<br />
address by adding the prefix resulting in 2002: D070:0D0C::/48. When a 6to4 compatible router<br />
or host receives a packet with this type of address, it encapsulates the IPv6 packet inside of an<br />
IPv4 header and sends it to the IPv4 destination specified in the 6to4 address. This process is<br />
illustrated in Figure 2.<br />
Figure 2. 6to4 Transition Mechanism Architecture and Operation<br />
Tunnel-Brokers.<br />
Mackay, et al. (2003, May-June), Yan-ge, et al. (2009), and Durand, Fasano, Guardini,<br />
and Lento (2001) defined a Tunnel-Broker as a client-to-server transition mechanism that<br />
automatically manages tunnel requests from clients. The tunnel server becomes a bridge for<br />
clients on both networks and allows individual IPv4 hosts to connect to the IPv6 network.<br />
Durand, et al. (2001) described the purpose of Tunnel-Brokers as an easy way for users to make<br />
the transition; however, Friacas, et al. (2006) argued that latency is a problem with this method<br />
that may limit its application.<br />
The architecture and operation of the Tunnel-Broker transition mechanism is outlined by<br />
Durand, et al. (2001) as a client-server model that provides virtual private network (VPN) like<br />
connectivity to the IPv6 network. Clients on the IPv4 network create an account with a Tunnel
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
32<br />
Broker service provider. The Tunnel-Broker provider operates a dual-stack tunnel server that<br />
manages client registration, authentication, and tunnel management. Before clients send IPv6<br />
packets from their machine, they authenticate with the tunnel server. The tunnel server verifies<br />
the client’s credentials and responds with connection setup parameters including the IPv6<br />
domain, assigned address, tunnel lifetime, and designated gateway for IPv6 communications.<br />
The tunnel server registers the client’s IPv6 address in the DNS and begins tunneling traffic<br />
between the client and IPv6 network. The process is reversed for response traffic as the Tunnel-<br />
Broker maintains state information to route the packets to the correct client. Figure 3 illustrates<br />
the architecture and operation of the Tunnel-Broker transition mechanism.<br />
IPv6 Network<br />
IPv4 Host<br />
Key<br />
IPv4 Router<br />
Dual Stack<br />
Tunnel Broker<br />
IPv6 Router<br />
IPv4 Traffic<br />
IPv6 Traffic<br />
Figure 3. Tunnel-Broker Transition Mechanism Architecture and Operation<br />
Intrasite automatic tunnel addressing protocol (ISATAP).<br />
Mackay, et al. (2003, May-June), and Templin, Gleeson, and Thaler (2008) defined<br />
ISATAP as an IPv6 transition mechanism that provides a link-layer tunnel through an IPv4<br />
network. It is best used to connect isolated dual-stack IPv6 hosts over IPv4 networks and is<br />
similar to the 6to4 transition mechanism. The addressing scheme is (prefix::0:5EFE:IPv4<br />
Address in Hex) and is defined in the research by Hsieh and Kao (2005), Templin, et al., and<br />
Visoottiviseth and Bureenok (2008). For example, an ISATAP host with the IPv4 address of
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
33<br />
208.112.13.12 (D070:0D0C Hex) can be assigned link-local IPv6 address FE80:: 0:5EFE:<br />
D070:0D0C.<br />
The ISATAP process flow is outlined in the research by Visoottiviseth and Bureenok<br />
(2008) and includes dual-stack routers and hosts that provide ISATAP support. Routers advertise<br />
prefixes for ISATAP clients to use and also forward the packets that they receive. To initiate a<br />
connection, the client sends a router solicitation message to the ISATAP router and receives a<br />
configuration information message that is used to create a virtual interface. This interface is used<br />
to send IPv6 packets to the router which encapsulates the packets and sends them over the IPv4<br />
network until it reaches the host or another ISATAP router to reverse the process. Figure 4<br />
illustrates the ISATAP process.<br />
Figure 4. ISATAP Transition Mechanism Architecture and Operation<br />
Teredo.<br />
Mackay, et al.(2003, May-June), Jamhour and Storoz (2002), and S. M. Huang, Wu, and<br />
Lin (2005) defined Teredo as a mechanism to tunnel IPv6 packets over the User Datagram<br />
Protocol (UDP) to support clients within NAT environments that have not been assigned a global<br />
IPv4 address. Huitema (2006) and Mackay, et al. added that Teredo is a service of last resort and
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
34<br />
should only be implemented in environments where other transition mechanisms are not possible<br />
because of an existing NAT infrastructure. Teredo clients communicate with a Teredo server to<br />
obtain configuration information and relay IPv6 packets using stateless connections to the<br />
Teredo relay servers.<br />
The architecture and operation of the Teredo mechanism is described by S. M. Huang, et<br />
al. (2005). The Teredo architecture consists of clients within an IPv4 network, dual-stack Teredo<br />
servers that provide IPv6 addresses to clients, and dual-stack Teredo relays that encapsulate and<br />
decapsulate packets between clients and IPv6 hosts. Clients initiate a connection by sending a<br />
request to the Teredo server. The server responds with an IPv6 addresses assignment based on<br />
the IPv4 information of the client. This address consists of: a prefix which is usually<br />
2001:0000::/32, 32 bit IPv4 address of the Teredo server, 16 bit flags, FFFF exclusive or (XOR)<br />
of the 16 bit assigned port number of the public NAT connection, and the FFFF:FFFF XOR of<br />
the 32 bit assigned IPv4 address of the public NAT connection. The XOR operation is necessary<br />
to avoid IP substitution from NAT devices that support application layer IP replacement. An<br />
example of the addressing scheme is displayed in Table 4.<br />
Table 4. Teredo Addressing Scheme<br />
IPv4 Address of NAT Outbound Port NAT Public Address for<br />
Prefix Teredo Server Flags for Client Connection Client Connection<br />
Decimal 208.112.13.12 0 2048 13.12.208.112<br />
Hex 2001:0000 D070:0D0C 0000 0800 0D0C:D070<br />
Operation<br />
FFFF X OR X FFFF:FFFF X OR X<br />
IPv6 2001:0000: D070:0D0C: 0000: F7FF:<br />
F2F3:2F8F<br />
After the IPv6 address is assigned, the client sends packets to the Teredo relay server<br />
closest to the destination node as outlined in research by Huitema (2006). Relay discovery occurs<br />
when an ICMPv6 echo request is sent to the destination through the assigned Teredo server. The
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
35<br />
closest relay will be the last hop listed in the reply before the destination. Once the relay is<br />
determined, the relay-to-destination association is stored in a buffer for future use and the client<br />
encapsulates the IPv6 packet in an IPv4 header and forwards it to the relay. The relay<br />
decapsulates the packet and forwards it to the IPv6 destination node. The return path reverses the<br />
process using the IP and port number embedded in the source address that the relay uses to route<br />
response packets to the client. There may also be periodic empty packets or bubbles sent from<br />
the client to the Teredo relay or server to keep the connection and NAT entries alive. This<br />
process is illustrated in Figure 5.<br />
Figure 5. Teredo Transition Mechanism Architecture and Operation<br />
Tunnel-Brokers, 6to4, and Teredo are the most common tunnel based IPv6 transition<br />
mechanisms; however, there has been other methods introduced in the research like 6over4,<br />
peer-to-peer (P2P), Cisco 6 Provider Edge (6PE), IPv6 over asynchronous transfer mode (ATM)<br />
and IPv6 over multiprotocol label switching (MPLS). The 6over4 method is very similar to<br />
ISATAP and 6to4. Leng, Bi, Zhang, and Wu (2007), Bi, Leng, and Wu (2007), Shengyang and<br />
Yanlei (2010), and Zhou and Renesse (2004) proposed a P2P based overlay network that<br />
forwards IPv6 encapsulated packets from node to node until an IPv6 connection is detected.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
36<br />
Yan-ge, et al. (2009) discussed the 6PE method which uses MPLS from within edge routers to<br />
tunnel IPv6 packets between two sites. Mackay, et al. (2003, May-June) briefly outlined IPv6<br />
over ATM.<br />
Tunnel based IPv6 transition mechanisms impact forensic analysis. Investigators and<br />
forensic analysts must understand the characteristics of these mechanisms, how tunnels are<br />
created and maintained, and how to assess the nature of traffic that they contain. Additionally,<br />
the modification of header information and existence of traffic relays introduces concerns of<br />
spoofing and data integrity that impact evidence admissibility. While the standards for tunneling<br />
mechanisms are defined in the literature, there are no sources that address the possible<br />
implications on forensic analysis.<br />
Protocol translation.<br />
Protocol translation involves using an algorithm to convert an IPv4 packet into an IPv6<br />
packet and vice-versa. Carpenter and Jung (1999) and Mackay, et al. (2003, May-June) wrote<br />
that protocol translation allows IPv4 only nodes to communicate with IPv6 only nodes. Mackay,<br />
et al. and Tantayakul, et al. (2008) described a translation process that can occur in the network,<br />
transport, or application layers.<br />
Stateless IPv4/IPv6 translation algorithm (SIIT).<br />
Nordmark (2000), Mackay, et al. (2003, May-June), Yan-ge, et al. (2009), and Afifi and<br />
Toutain (1999) defined SIIT as a method of translating IPv4 headers into IPv6 headers and viceversa.<br />
The algorithm facilitates communications between IPv4 only hosts and IPv6 only hosts<br />
and is used as a basic model in other transition methods like NAT-PT. Nordmark, Afifi, and<br />
Toutain defined the addressing structure of a SIIT translation. The IPv4 SIIT host uses the last 32<br />
bits of the IPv6 address as a source IPv4 address. The IPv6 SIIT host uses an address of
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
37<br />
0::FFFF:0: during translation of IPv4 packets. For example, the address<br />
0::FFFF:0:D070:0D0C represents the host at IP 208.112.13.12. Packets are exchanged and<br />
translated by each client over a stateless connection.<br />
The details of the SIIT algorithms are outlined by Afifi and Toutain (1999) and involves<br />
translation between IPv4 headers to IPv6 header, ICMP to ICMPv6, and IPv6 headers to IPv4<br />
headers. Table 5 and Table 6 illustrate the translation scheme for ICMP messages and error<br />
codes, Table 7 displays the IPv4 to IPv6 translation, and Table 8 outlines the IPv6 to IPv4<br />
translation using the SIIT algorithm.<br />
Table 5. SIIT ICMP Message Translation<br />
IPv4 Type Action IPv6 Type<br />
Echo - 8 Translate 128<br />
Reply - 0 Translate 129<br />
Info request/reply, timestamp, address mask, router<br />
Drop<br />
advertisement, router solicitation, unknown types<br />
Table 6. SIIT ICMP Error Translation<br />
IPv4 Type Action IPv6 Type<br />
Unreachable/route failed – (0,1,4,5,6,7,8,11,12) Translate No route – (0)<br />
Protocol unreachable/prohibited (2,9,10) Translate Prohibited – (1)<br />
Port unreachable – (3) Translate Port unreachable – (4)<br />
Redirect, source quench, time exceeded, parameter problem Drop
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
38<br />
Table 7. SIIT IPv4 to IPv6 Header Translation<br />
Field<br />
Translated Value<br />
Version 6<br />
Traffic Class 0<br />
Flow Label 0<br />
Payload length<br />
Length from IPv4 header<br />
Next Header<br />
Protocol Field from IPv4 header<br />
Hop Limit<br />
TTL from IPv4<br />
Source Address<br />
0::FFFF:0:<br />
Destination Address<br />
0::FFFF:0:<br />
Table 8. SIIT IPv6 to IPv4 Header Translation<br />
Field<br />
Translated Value<br />
Version 4<br />
Length 5<br />
ID 0<br />
Flags<br />
1 (Don’t Fragment Flag)<br />
Fragment offset 0<br />
Time to Live<br />
Hop limit from IPv6 header<br />
Protocol<br />
Next header field from IPv6<br />
Checksum<br />
Calculated<br />
Source address<br />
Lower order 32 bits of IPv6 source address<br />
Destination address<br />
Lower order 32 bits of IPv6 destination address<br />
Network address translation and protocol translation (NAT-PT).<br />
Tsirtsis and Srisuresh (2000), Mackay, et al. (2003, May-June), Afifi and Toutain (1999),<br />
and Hsieh and Kao (2005) defined NAT-PT as a translation mechanism that combines NAT with<br />
the SIIT algorithm. The IPv6 hosts are assigned IPv4 addresses and the NAT device uses the<br />
SIIT algorithm to translate the packets between the IPv4 and IPv6 hosts.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
39<br />
Bump-in-the-stack (BIS).<br />
Yan-ge, et al. (2009), Mackay, et al. (2003, May-June), and Jamhour and Storoz (2002)<br />
defined BIS as a tranlation method that converts headers in the protocol stack of the host. BIS<br />
requires translation software and a dual-stack host connected to either an IPv4 or IPv6 network.<br />
Tsuchiya, Higuchi, and Atarashi (2000) cautioned that BIS only works with unicast traffic,<br />
doesn’t work with header options, and can’t be used with embedded IP addresses. Mackay, et al.<br />
outlined the operation of BIS as an additional segment integrated into the host’s IP processing<br />
stack that performs functions similar to the operation of NAT-PT.<br />
BIS transparently translates packet header between IPv4 and IPv6 from within the<br />
network stack. The research by Tsuchiya, et al. (2000) provided a detailed account of the<br />
operation of BIS. Packet data is analyzed between the network card driver and TCP modules.<br />
When an application sends an outbound DNS request, the BIS module analyzes the response. If<br />
the DNS response specifies an IPv4 address, the response is forwarded up the stack to the<br />
application. If the DNS response is an IPv6 address, an internal IPv4 address is mapped to the<br />
session and the DNS response is forwarded to the application after being modified to include<br />
only this IPv4 address. When the local application sends subsequent packets to the internal IPv4<br />
address, the BIS module uses the SIIT algorithim to convert the packets and destination<br />
addresses to IPv6 before forwarding them down the IPv6 stack to the destination host. Return<br />
traffic from the IPv6 host is also intercepted by the BIS module, converted to IPv4 using the SIIT<br />
algorithm, and forwarded to the local application using the internal IPv4 address.<br />
Bump-in-the-API (BIA).<br />
The BIA IPv6 transition method is similar to the BIS method. S. Lee, Shin, Kim,<br />
Nordmark, and Durand (2002) and Mackay, et al. (2003, May-June) identified the remote
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
40<br />
location of the translation function outside of the transmission control protocol/Internet protocol<br />
(TCP/IP) protocol stack as the primary difference between the BIA and BIS mechanisms. BIA<br />
functions do not translate headers. Instead, application programming interface (API) calls from<br />
the application to the TCP/IP protocol stack are intercepted and converted to the equivalent API<br />
call from the other protocol. Jamhour and Storoz (2002) noted that, like BIS, BIA requires either<br />
an IPv4 or IPv6 network and BIA software. Additionally, the research by S. Lee, et al. identified<br />
limits on the internally assigned addresses and incompatable IPv4 and IPv6 API functions as the<br />
primary issues with this method.<br />
S. Lee, et al. (2002) and Jamhour and Storoz (2002) detailed the operation and<br />
components of the BIA IPv6 transition method. An application making a connection to a remote<br />
host using TCP or UDP first calls API functions designed to interface with the local network<br />
stack. The application uses different API functions for IPv4 and IPv6 communications. BIA<br />
monitors API calls and converts the input and function called to the corresponding API function<br />
when necessary using the same logic as in BIS. For example, if an IPv4 application sends a DNS<br />
request and receives an IPv6 address in response, BIA assigns an internal IPv4 address to the<br />
session and translates the IPv4 API call from the application to the IPv6 API call needed to<br />
communicate with the remote host.<br />
SOCKS64.<br />
Kitamura (2001), Yan-ge, et al. (2009), and Mackay, et al. (2003, May-June) summarized<br />
the SOCKS64 transition method and Jamhour and Storoz (2002) outlined its basic operation.<br />
SOCKS is a client-to-server proxy service designed to facilitate controlled access to external<br />
network resources when firewalls are employed. Clients that have the SOCKS applications<br />
installed use the SOCKS server as a gateway to communicate with remote hosts. SOCKS64
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
41<br />
functions the same as BIA, except the translation occurs in the SOCKS function calls with the<br />
proxy server instead of the API function calls within the host.<br />
Transport relay translator (TRT).<br />
Another gateway based transition mechanism is the Transport relay translator (TRT)<br />
method. Jamhour and Storoz (2002) defined TRT as a method that utilizes an intermediary<br />
device to act as a translator and gateway. Mackay, et al. (2003, May-June) added that TRT is a<br />
method to transport and relay TCP and UDP traffic at the border of the network. TRT allows<br />
clients in IPv4 networks to communicate with external IPv6 hosts and vice-versa. The addressing<br />
scheme to represent the IPv4 host in the IPv6 network is constructed from ::. For example, if the TRT gateway operates from FEC8:0:0:1::/64 and the IPv4 host is<br />
at 208.112.13.12 the IPv6 address of the IPv4 host would be FEC8:0:0:1:: D070:0D0C.<br />
The operation of TRT is outlined by Hagino and Yamamoto (2001). TRT requires a dualstack<br />
edge router and a device or host to provide translation. When an IPv4 client sends a packet<br />
to an external IPv6 host, the TRT gateway creates a connection with the internal IPv4 host and<br />
the external IPv6 host. As packets are exchanged, the TRT gateway translates the packets<br />
between the protocols using the SIIT protocol.<br />
Other gateway based translation methods.<br />
Other gateway based translation methods that are hybrids of standard methods have been<br />
proposed by researchers. AlJa'afreh, Mellor, Kamala, and Kasasbeh (2008) proposed a method<br />
that uses a network of IPv4, IPv6, and IPv4/6 DNS servers to manage virtual IP addresses and a<br />
dual-stack gateway to provide protocol translation. Hsieh and Kao (2005) proposed a gateway<br />
that supports all of the transition mechanisms to provide the most flexibility to devices on the<br />
network. A NAT-PT based gateway using SIIT is proposed by Seo and Kong (2005). A gateway
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
42<br />
that utilizes dual-stack transition mechanism (DSTM) to translate traffic between different<br />
protocols is proposed by Jamhour and Storoz (2002). Carpenter and Moore (2001) proposed a<br />
gateway based encapsulation method that requires only one routing entry and no host<br />
configuration to facilitate translation.<br />
Translation mechanisms modify the original packets and have implications on forensic<br />
analysis. Investigators and analysts must understand how to identify packets that have been<br />
modified by translation mechanisms and what elements have been changed to accurately<br />
determine the nature of network traffic. Although, the operation of these translation mechanisms<br />
have been defined in the research, the implications on forensic analysis and investigation have<br />
not been addressed.<br />
IPv6 Operating System Support<br />
IPv6 has been integrated into popular operating systems for many years. Windows 7,<br />
2008, 2003, XP, and Vista provide IPv6 functionality that is enabled in the default configuration<br />
or can be setup with minor configuration. Recent UNIX based kernels and the Apple Mac<br />
operating systems have IPv6 integrated; however, additional configuration or package<br />
installations may be necessary enable the protocol.<br />
Windows operating systems.<br />
Microsoft has supported IPv6 as a communications protocol in all versions of the<br />
Windows operating system beginning in 1998 (Tulloch, 2006). Microsoft released an optional<br />
package for Windows 95, 98, and 2000 that installed a limited version of the IPv6 stack.<br />
Windows XP service pack 1 and Windows 2003 included a full version of the IPv6 protocol<br />
stack and an optional package that included an IPv6 firewall. Transition methods were later<br />
included in XP service pack 2. Windows Vista, Windows 7, and Windows Server 2008 added
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
43<br />
improvements to IPv6 security and performance and established the protocol as an integrated<br />
component of the network operating system.<br />
A 2005 study by Savola provided information about IPv6 usage in the Windows<br />
operating system. The study used server logs to analyze 6to4 traffic passing through a small relay<br />
in Finland from October 2001 to April 2004. Traffic from Windows clients was identified by the<br />
way the IPv4 address was embedded into the 6to4 address as 2002:::. A significant number of probes were sent from clients to the relay server. These<br />
probes consisted of ICMP echo request with an IPv6 hop limit of 1 that were sent to discover and<br />
select the relay with the best response time. By default, these probes were sent every 24 hours or<br />
when the IPv4 routing or client address changes. Savola found a large increase from 100,000 to 2<br />
million unique IPv4 addresses per month in the first months of 2004. The study also noted that<br />
only 1 in 100 nodes utilized the relay to send traffic that was not a probe. The applications used<br />
by the clients based on the known port number are listed in Table 9. This study occurs during a<br />
time when most of the clients observed are likely to be Windows XP SP1. IPv6 support in SP1<br />
was an optional component and the traffic observed in the study would require IPv6 to be<br />
explicitly configured by the user. When Windows XP SP2, Vista, and Windows 7 were released,<br />
IPv6 with 6to4 was integrated, resulting in a likely surge in probe traffic.<br />
Table 9. 6to4 Relay Application Traffic Observed by Savola (2005)<br />
Application<br />
Internet Control Message Protocol (ICMP)<br />
Domain Name System (DNS) Query<br />
Secure Shell (SSH)<br />
Simple Mail Transfer Protocol (SMTP)<br />
Hypertext Transfer Protocol (HTTP)<br />
BitTorrent (BT) P2P File Sharing<br />
Traffic Volume<br />
High<br />
High<br />
Moderate<br />
Moderate<br />
Moderate<br />
Moderate
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
44<br />
Application<br />
Traceroute<br />
Peer Name Resolution Protocol (PNRP)<br />
IRC, FTP, IMAP, NNTP, POP3, IDENT, IPv6 Tunnels<br />
Traffic Volume<br />
Moderate<br />
Moderate<br />
Low<br />
IPv6 functional enhancements in the Windows 7, Vista, and 2008 operating systems was<br />
outlined by Tulloch, Northrup, Honeycutt, and Wilson (2010). IPv6 is installed and enabled by<br />
default in these releases and the IPv6 and IPv4 components are integrated into a single stack to<br />
improve communications performance. A new graphical user interface (GUI) for IPv6<br />
configuration was added and full internet protocol security (IPSec) functionality was added to<br />
the Windows firewall. The default operating status of the Teredo transition mechanism was<br />
changed to disabled and link-local multicast name resolution (LLMNR) using randomly<br />
generated interface IDs was added to allow directly connected peers to communicate.<br />
Additionally, Tulloch, et al. (2010) identified new IPv6 features that have been added from the<br />
standards defined in Request of Comment (RFC) documents. This includes support for; multicast<br />
listener discovery version 2 (MLDv2) that allows a host to register their interest or disinterest in<br />
specific multicast traffic; the IPv6 version of the dynamic host configuration protocol<br />
(DHCPv6); IPv6 control protocol (CP) to support remote connections using an IPv6 node<br />
configured on a point-to-point protocol (PPP) link; IP hypertext transfer protocol secure (IP<br />
HTTPS) that creates an alternative to 6to4 and Teredo when a proxy or firewall blocks the<br />
traffic; and Direct-Access that uses an IPSec tunnel to connect a client to a remote network<br />
without a VPN.<br />
Viewing the status of IPv6 in the Windows operating system is described by Tulloch, et<br />
al. (2010) and Davies (2008). The IPv6 interfaces are enabled by default and the interface ID<br />
used in IPv6 addressing is randomly generated. A user can use the command “NETSH
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
45<br />
INTERFACE IPV6 SHOW INTERFACE” or “IPCONFIG /ALL” to show the configured<br />
interfaces. The host routing table defines the handling of packets and both Windows Server 2008<br />
and Windows 7 can be configured to act as an ISATAP router for other hosts. The command to<br />
display the host routing table is “NETSH INTERFACE IPV6 SHOW ROUTE”<br />
Tulloch, et al. (2010) and Davies (2008) described the process to disable IPv6 for<br />
environments where the protocol will present security issues. The GUI local area network (LAN)<br />
properties dialog in the network adapter properties presents an option to disable the IPv6<br />
protocol for the adapter; however, the IPv6 loopback and tunnel interfaces will remain active. A<br />
bitmask vale can be added to the registry to disable IPv6; however, the IPv6 loopback adapter<br />
will still be enabled. Disabling the IP helper service will effectively disable all IPv6 transition<br />
technology on the host or the netsh command can be used to selectively disable individual<br />
components. If a client is operating behind a firewall, blocking protocol 41 will disable 6to4 and<br />
ISATAP, and blocking UPD port 3544 will disable Teredo.<br />
Tulloch, et al. (2010) indicated that IPv6 interface addresses can originate from a<br />
DHCPv6 server, router advertisements, or address auto-configuration. IPv6 addresses are<br />
automatically allocated and configured for the interface if a DHCPv6 server is available. A local<br />
router can advertise an IPv6 prefix that allows an address to be automatically allocated and<br />
configured for the interface. If router or DHCPv6 advertisements are not reaching the host, linklocal<br />
addresses are configured for the interface using the prefix FE80::/64. These addresses are<br />
not registered in the DNS and allow directly connected hosts to communicate after neighbor<br />
discovery occurs. The IPv6 address for each interface carries a status of either; tentative to<br />
indicate that the uniqueness of the address is being verified; valid or preferred to indicate a<br />
unique address that can be used in unicast communications; depreciated to indicate an expired
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
46<br />
address that can be used by existing sessions only, and invalid to indicate an expired address that<br />
cannot be used. To get more information about the addresses and neighbors, Tulloch, et al.<br />
suggested the command “NETSH INTERFACE IPV6 SHOW ADDRESSES” to show all IPv6<br />
interface addresses and “NETSH INTERFACE IPV6 SHOW NEIGHBORS” to list discovered<br />
IPv6 neighbors that can be contacted using the link-local address.<br />
The operation of DNS in an IPv6 transition is detailed by Tulloch, et al. (2010). Queries<br />
for AAAA records that contain IPv6 addresses are only requested when there is an interface that<br />
is assigned an address that is not a link-local or Teredo address and only after requesting and<br />
receiving a successful response for the domain’s A record. DNS servers will automatically<br />
register a client’s non link-local IPv6 addresses. Windows 2003 can be configured to listen for<br />
DNSv6 queries and Windows 7 and Windows Server 2008 listen by default.<br />
Davies (2008) details ISATAP support on Windows 7, Vista, and Windows 2008. The<br />
ISATAP interface is disabled by default unless there is an ISATAP router present or if the node<br />
is running Windows Vista with no service packs. Hosts can communicate with other IPv6 nodes<br />
by tunneling across an IPv4 network if there is an ISATAP router available. Additionally, any<br />
Windows 7, Vista, or Windows Server 2008 clients can act as an ISATAP router for other clients<br />
if both IPv6 and IPv4 links are available.<br />
Windows 7, Vista and Windows Server 2008 support for 6to4 is outlined by Davies<br />
(2008). 6to4 is enabled for any interface that has a public IPv4 address and can reach a 6to4<br />
relay. Windows clients configure the 6to4 interface by querying the domain<br />
6to4.ipv6.microsoft.com for the IPv4 address of a 6to4 relay, setting the address to 2002::::, and adding a route to the
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
47<br />
hosts table for 2002:::1. Like ISATAP, Windows 7, Vista, and<br />
Windows Server 2008 can be configured as a 6to4 router.<br />
Davies (2008) described Teredo support in Windows 7, Vista, and Windows Server 2008.<br />
Teredo is disabled by default and uses the address 2001:::: as described in the Teredo<br />
section on page 33. It is automatically enabled when an application sends a packet to another<br />
Teredo address or when the Windows firewall is configured to allow Teredo connections. Teredo<br />
can be manually enabled by setting the “Teredo Default Qualified” setting to enabled in the<br />
group policy module under computer configuration > administrative templates > network ><br />
TCPIP settings > IPv6 transition technologies. Teredo can be configured to function within an<br />
enterprise network using the command “NETSH INTERFACE TEREDO SET<br />
STATE TYPE=ENTERPRISECLIENT” and the port number used by Teredo can be set using<br />
the command “NETSH INTERFACE TEREDO SET STATE CLIENTPORT=”.<br />
Data traffic consists of encapsulated packets consisting of an IPv4 header, UDP header, IPv6<br />
header, and the IPv6 payload. Bubble packets may also be sent to keep the NAT port assignment<br />
active; however, Windows nodes do not use this information. Teredo packets are routed either<br />
directly to other clients when the destination has a Teredo address or to the relay closest to the<br />
destination when communicating with an IPv6 node.<br />
Microsoft Windows is the most common operating system on the market and the majority<br />
of forensic analysis and investigations will involve Windows nodes. As a result, investigators<br />
and analysts will need to understand the capability and operation of IPv6 in the Windows<br />
environment to determine the nature of traffic on transitional networks. The research presented a<br />
basic analysis of the types and characteristics of Windows IPv6 traffic; however, the implications
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
48<br />
to a forensic investigation are unclear. Microsoft publications present a detailed account of IPv6<br />
capabilities in their products; however, this information does not address the analysis or handling<br />
of network data.<br />
Linux, FreeBSD and UNIX operating systems.<br />
IPv6 is supported in the Linux, FreeBSD, and UNIX operating systems. Ubuntu, CentOS,<br />
FreeBSD, and Sun Solaris provide simple IPv6 configuration procedures in their administration<br />
guide to setup interfaces, 6to4, and tunneling. Unlike the Windows operating system, none of<br />
these operating systems natively support ISATAP or Teredo; however, third party packages are<br />
available that provide the functionality.<br />
Ubuntu Linux.<br />
Ercferret (2010) outlined Ubuntu Linux setup for native IPv6 and tunneling using<br />
FreeNet6, SixXS, Go6.net, and Miredo. To add a static IPv6 address to an interface, edit the file<br />
“/ETC/NETWORK/INTERFACES” and add the lines “IFACE INET6 STATIC“,<br />
“ADDRESS ”, and “NETMASK ”. To configure Ubuntu to act as an<br />
IPv6 router, enable forwarding by editing the file “/ETC/SYSCTL.CONF” and un-commenting<br />
the line “NET.IPV6.CONF.DEFAULT.FORWARDING=1”. Then install RADVD using the<br />
command “SUDO APTITUDE INSTALL RADVD” and edit the file “/ETC/RADVD.CONF” to<br />
add the IPv6 address prefix for routing advertisements. SixXS tunneling is setup by installing the<br />
aiccu client using the command “SUDO APTITUDE INSTALL AICCU”. Freenet6 is setup by<br />
installing the signaling protocol to negotiate tunnel setup parameters (TSPC) and editing the<br />
configuration file “/ETC/TSP/TSPC.CONF”. Both of these tunneling methods require<br />
registration on the applicable web sites to obtain setup information; however, freenet6 offers a<br />
limited anonymous account with the default installation. Miredo is a Teredo package that is
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
49<br />
installed with the command “SUDO APTITUDE INSTALL MIREDO”. It will create a new<br />
interface with the 2001 address prefix.<br />
CentOS.<br />
Faye (2008) defined CentOS IPv6 setup for native IPv6 and tunneling. IPv6 features must<br />
be installed and enabled manually. To determine if IPv6 is installed, verify the existence of<br />
“/ETC/SYSCONFIG/NETWORK-SCRIPTS/NETWORK-FUNCTIONS-IPV6” and run the<br />
command “MODPROBE -C | GREP IPV6” to verify that the response is “ALIAS NET-PF-10<br />
IPV6”. If this is not the response, edit the file “/ETC/SYSCONFIG/NETWORK<br />
SCRIPTS/IFCFG-” and add or edit the lines “IPV6INIT=YES”,”<br />
IPV6_AUTOCONF=NO”, and “IPV6ADDR=”. Then add a route for the default<br />
IPv6 gateway with the command “ROUTE -A INET6 ADD DEFAULT GW ”. Connectivity can be tested using IPv6 commands ping6, traceroute6, ip6tables,<br />
and tracepath6. Tunnels are setup by creating an interface “SIT” and editing<br />
the file “/ETC/SYSCONFIG/NETWORK-SCRIPTS/IFCFG-SIT” with the<br />
lines “DEVICE="SIT"”, “BOOTPROTO="NONE"”, “ONBOOT="YES"”,<br />
“IPV6INIT="YES"”, and “IPV6TUNNELIPV4=""”.<br />
FreeBSD.<br />
The FreeBSD online manual ("Chapter 31 advanced networking," 2010) indicated that<br />
the operating system utilizes the KAME IPv6 reference implementation and supports native,<br />
SixXS, 6to4, and freenet6 connections. Auto-configuration of IPv6 on each interface can be<br />
setup by running the command “IPV6_ENABLE="YES"”. To assign a static IPv6 address to an<br />
interface, run the command “IPV6_IFCONFIG_>=""”. To assign a<br />
default router, run the command “IPV6_DEFAULTROUTER=""”. A tunnel is
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
50<br />
configured by adding a “GIF” interface and then running the commands<br />
“GIFCONFIG_GIF=" "”,”<br />
IPV6_IFCONFIG_GIF=""”, and<br />
“IPV6_DEFAULTROUTER=""”. To configure the system to<br />
operate as an IPv6 router, run the commands, “IPV6_GATEWAY_ENABLE="YES"” to enable<br />
the gateway, “RTADVD_ENABLE="YES"” to enable router advertisements,<br />
“RTADVD_INTERFACES=""” to set the router interface, and edit the file<br />
“/ETC/RTADVD.CONF” with the lines “:\”, and<br />
“:ADDRS#1:ADDR="::":PREFIXLEN#:TC=ETHER:”.<br />
Sun Solaris.<br />
The Sun Solaris administration guide for IP services ("System administration guide: IP<br />
services," 2009) provided a detailed description of the IPv6 protocol and configuration in the<br />
Solaris UNIX environment. Solaris Sendmail, Network File System (NFS), HTTP, DNS,<br />
Lightweight Directory Access Protocol (LDAP), Network Information Service (NIS), IPSec,<br />
Internet Key Exchange (IKE), IP Quality of Service (IPQoS), and IP Network Multipathing<br />
(IPMP) support IPv6 communications. The Solaris Kernel automatically adds IPv6 nodes to the<br />
all nodes, all routers, and solicited nodes multicast groups. Solaris does not support the<br />
configuration of anycast groups; however, outbound traffic can be sent to anycast addresses.<br />
Interfaces are assigned an IPv6 address through auto or manual configuration that is<br />
defined in the System administration guide for IP services (2009). Solaris automatically assigns a<br />
link-local address to the interface with the lowest interface number. Additionally, an interface<br />
will be automatically configured if router advertisements are received. To manually configure an<br />
interface for IPv6, the commands “IFCONFIG INET6 PLUMB UP” enables IPv6
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
51<br />
on the interface, and “/USR/LIB/INET/IN.NDPD” starts the NDPD service. To verify the<br />
connection, run the command “IFCONFIG -A6” and create the file<br />
“/ETC/HOSTNAME6.” to make IPv6 enabled by default. To setup a Solaris node as<br />
an IPv6 router, run the commands “ROUTEADM -E IPV6-FORWARDING -U” to enable<br />
forwarding, “ROUTEADM -E IPV6-ROUTING -U” to enable routing, create the file<br />
“/ETC/INET/NDPD.CONF” and add the advertised prefix in lines “IF DMFE0<br />
ADVSENDADVERTISEMENTS 1” and “PREFIX / DMFE0”.<br />
Solaris also supports manual IPv6 tunnels or 6to4 dynamically configured tunnels that are<br />
defined in ("System administration guide: IP services," 2009). A manual tunnel allows<br />
communications from two IPv6 nodes over an IPv4 network. It is configured by creating the file<br />
“/ETC/HOSTNAME6.IP.TUN” and adding the line “SRC TDST UP”. The 6to4 method requires a 6to4 router<br />
and is setup by creating the file “/ETC/HOSTNAME6.IP.6TO4TUN0” and adding the line<br />
“TSRC UP” for auto address assignment, or TSRC :/64 up to specify a static address.<br />
Setup can be confirmed by running the command “IFCONFIG IP.6TO4TUN0 INET6”. To use a<br />
6to4 relay as an endpoint for the tunnel instead of the 6to4 router, run the command<br />
“/USR/SBIN/6TO4RELAY –E” or edit the file “/ETC/DEFAULT/INETINIT” and change the<br />
line “ACCEPT6TO4RELAY=YES” to make 6to4 relays the default setting.<br />
Apple/MAC operating systems.<br />
The Apple online help ("Mac OS X 10.5 Help," 2010) manual provided simplified<br />
instructions to enable and configure IPv6 for Mac OS X v10 clients. Apple applications that<br />
support IPv6 communication include DNS, firewall, Mail (POP/IMAP/SMTP), Windows
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
52<br />
(SMB/CIFS), Web (Apache 2), Ping6, and Traceroute6. IPv6 is automatically configured;<br />
however, the IPv6 address, gateway, and prefix length can be manually configured by navigating<br />
to the Apple > system preferences > Network > and advanced TCP/IP for the IPv6 interface. If<br />
the client has a public IPv4 address, the 6to4 interface can be added by navigating to the Apple ><br />
system preferences > Network > (+) and then choose the 6to4 interface. The Apple firewall<br />
blocks all IPv6 traffic by default. To enable IPv6 traffic through the firewall, use<br />
SERVERADMIN to set a key by adding lines for “IPV6MODE”,<br />
“”, “IPV6CONTROL”, and<br />
“”. The can be “DENYALL”, “DENYALLEXCEPTLOCAL”, or<br />
“NORULES” which will allow the user to manually configure IPv6 firewall using a script.<br />
Although the Windows operating system dominates the client market, Linux, FreeBSD,<br />
and UNIX are common and often the operating systems of choice for attackers and malicious<br />
users. Investigators and analysts must understand how IPv6 is configured and recognize common<br />
IPv6 methods used in these environments to determine the possible source and nature of traffic<br />
in a transitional network. There was only one outdated study found that classified 6to4 traffic at a<br />
basic level and operating system documentation does not provide the details necessary to<br />
conduct a forensic investigation. Understanding the capabilities defined in this research provides<br />
a basis to investigate the nature of this traffic.<br />
IPv6 Vulnerabilities and Attack Vectors<br />
The IPv6 protocols and transition mechanisms introduce a new network surface area<br />
available for attackers to exploit. Zagar, Grgic, and Rimac-Drlje (2007) pointed out that the<br />
designers of the original IP protocol did not address security because it was assumed that<br />
security would be integrated at the application level. They also did not anticipate that the IP
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
53<br />
networks would grow from a few hundred nodes used primarily by researches, to a global<br />
network used by 1.58 billion users in 2008 ("Internet Users," 2009). IPv6 was created to address<br />
these issues; however, new threats emerged and some IPv4 issues were not resolved.<br />
The research into IPv6 vulnerabilities and attack vectors is comprehensive and<br />
theoretical; however, very little data or statistics are presented to outline actual IPv6 attacks that<br />
have occurred. Vives and Palet (2005) noted the difficulty of securing an IPv6 infrastructure that<br />
is fundamentally designed to facilitate end-to-end communications and allows nodes to be<br />
reachable from anywhere. Zagar, et al. (2007), Radhakrishnan, Majid, Shabana, and Moinuddin<br />
(2007), Caicedo, Joshi, and Tuladhar (2009), and Emre and Ali (2010) identified rogue nodes,<br />
man-in-the-middle, DoS, and application layer attacks as threats in IPv6. Convery and Miller<br />
(2004) listed layer three and four spoofing, unauthorized access, header manipulation,<br />
fragmentation, broadcast amplification, routing attacks, viruses, worms, and transition<br />
mechanisms as the key threats to IPv6 networks.<br />
It is unclear if attackers will exploit the identified IPv6 vulnerabilities in practice;<br />
however, some researchers have established that the exploitation is possible by identifying the<br />
tools and techniques necessary to conduct the attack. Warfield (2003) listed several IPv6 tools<br />
that are freely available and can be used to conduct attacks on IPv6 networks. This included<br />
protocol bouncers used to relay traffic like Relay6, NetCat6, 6Tunnel, and Iinetd; IPv6 scanners<br />
for conduction network reconnaissance like HalfScan6 and Nmap; and DoS tools used to<br />
conduct 6to4 attacks like 6to4DDoS. Caicedo, et al. (2009) added a suite of IPv6 attack tools<br />
called THC-IPv6; packet generators like MGEN, SendIP, Scapy6, and IPv6PacketGen; and tools<br />
to detect IPv6 neighbor discovery attacks like NDPmon and Ddaddos.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
54<br />
According to Caicedo, et al. (2009), the most effective method of mitigating the threats<br />
introduced by IPv6 is to apply a defense in depth strategy. This included applying existing<br />
network security best practices like establishing security policies, deploying and properly<br />
configuring firewalls, using encryption, and monitoring the network using IDS devices. These<br />
techniques must be adapted to the unique requirements of the IPv6 protocol. For example, Zagar,<br />
et al. (2007) proposed unique IDS rules for IPv6 monitoring including: identifying packets<br />
without a next header value, irregular or duplicate option headers, and fragments that are less<br />
than the maximum transmission unit (MTU) of 1280 octets but not the last packet in the flow.<br />
IPv6 security can also be enhanced by using IPSec. IPSec is a required component of IPv6 and<br />
researchers believe that it can mitigate many of the vulnerabilities introduced by the protocol.<br />
Zagar, et al. and Radhakrishnan, et al. (2007) conclude that IPSec can mitigate the impact of<br />
DoS, spoofing, and data interception by providing point-to-point access control, connection<br />
integrity, data authentication, and confidentiality using hashes and other encryption algorithms.<br />
Szigeti and Risztics (2004), Caicedo, et al., and Dobrucki (1999) conclude that IPSec will not be<br />
widely deployed because of the difficulties of key management and integration with existing<br />
security methods already built into applications. Sotillo (2006), Szigeti and Risztics, and<br />
Dobrucki argued that the most common threat is the human factor which highlighted the point<br />
made by Caicedo, et al. about the importance of employing a defense in depth strategy to<br />
mitigate threats in an IPv6 network.<br />
Despite new vulnerabilities and attack tools, IPv6 threat classifications and mitigation<br />
strategies have not changed. Researchers have identified new considerations and strategies for<br />
addressing specific IPv6 threats. These considerations and strategies can be categorized by their
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
55<br />
underlying threat as reconnaissance, denial of service attacks, man-in-the-Middle attacks, IPv6<br />
covert channels, security control bypass, IPv6 Worms, and IPv6 transition mechanisms.<br />
Reconnaissance.<br />
Network scanning remains a viable IPv6 pre-attack technique using modified methods.<br />
Zagar, et al. (2007) and Convery and Miller (2004) identified the difficulty of brute-force<br />
scanning due to the large number of address possibilities in an IPv6 network. Sotillo (2006)<br />
extended this view by calculating that it would take 584 billion years to scan every address in the<br />
default 64 bit IPv6 subnet. Szigeti and Risztics (2004) and Caicedo, et al. (2009) acknowledged<br />
that this large address space created security through obscurity; however, it can also make the<br />
detection of rogue hosts more difficult. Additionally, attackers have new methods at their<br />
disposal to make IPv6 scanning more successful. Vives and Palet (2005), Caicedo, et al., E.<br />
Davies, Krishnan, and Savola (2007), and Emre and Ali (2010) described a method where an<br />
attacker identifies a network topography by first analyzing multicast addresses like the all routers<br />
address (FF05::5). Convery and Miller suggested using DNS queries to gain preliminary IPv6<br />
addresses assigned to hosts. Because most network designers seek simplified IP address<br />
assignments, the range of addresses to be scanned can be reduced once a few legitimate<br />
addresses are know by the attacker.<br />
Denial of service attacks.<br />
The IPv6 protocol and neighbor discovery functions have introduced a number of new<br />
DoS attack vectors. E. Davies, et al. (2007) identified link-local auto-configuration as the largest<br />
opportunity for an attacker. Using local-links, a directly connected attacker can launch an attack<br />
without intervention or monitoring from security devices in an enterprise network. Yang, Ma,<br />
and Shi (2007) argued that this feature enables DoS attacks that interrupt normal
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
56<br />
communications between hosts; however, traditional DoS attacks that waste a victim’s resources<br />
like TCP floods are still possible in IPv6 networks.<br />
IPv6 protocol DoS attacks.<br />
The IPv6 protocol enables denial of service attacks that use traffic floods, broadcast<br />
amplification, fragmentation, and option headers to disrupt normal communications between<br />
victims and other hosts.<br />
Flood attacks attempt to overwhelm the resources of a victim to prevent interactions with<br />
legitimate hosts. Yang, et al. (2007) identified that traditional TCP floods using unacknowledged<br />
SYN/ACK packets, UDP floods using CHARGEN/ECHO services, and ICMPv6 floods remain<br />
an effective DoS techniques in IPv6 networks. Kempf, Nordmark, and Nikander (2004), and<br />
Convery and Miller (2004) identified that a host routing table flood would overwrite existing<br />
entries after reaching the end of the cache. Kempf, et al. introduced a potential router DoS attack<br />
that is initiated by flooding a subnet with requests to random invalid addresses that invoked a<br />
neighbor solicitation message never received a reply.<br />
Broadcast amplification or smurf attacks employ a number of innocent hosts to<br />
overwhelm a single victim using methods that multiply traffic. For example, if an ICMP ping<br />
with the spoofed source address of the victim is sent to an all-nodes broadcast address, every<br />
node on the network would receive the ping request and send the response to the victim at the<br />
same time. Yang, et al. (2007) identified RFC 2463 which prohibits an ICMP response to<br />
multicast addresses; however, Zagar, et al. (2007) and Sotillo (2006) argued that not all operating<br />
systems they tested followed this rule and error notifications may bypass this test. According to<br />
their research, a smurf attack could be successful if an ICMPv6 packet that generates an error is<br />
sent to a broadcast address resulting in a flood of error response packets being sent to the victim.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
57<br />
DoS attacks using fragmentation attempt to overwhelm a host by making them unable to<br />
maintain the packet reconstruction process. Zagar, et al. (2007) and Emre and Ali (2010)<br />
theorized that sending a large number of fragments to a host can crash the reconstruction buffer<br />
and lead to a DoS situation. E. Davies, et al. (2007) added that sending a large number of small<br />
fragments without terminating the last one will increase the effectiveness of the attack.<br />
IPv6 option headers can also be used to conduct DoS attacks against routers and other<br />
nodes. Szigeti and Risztics (2004), Sotillo (2006), and E. Davies, et al. (2007) identified the<br />
effects of flooding the network with hop-by-hop option headers. This type of header must be<br />
evaluated at each node in the route; however, the node can ignore the option if it is not<br />
recognized. E. Davies, et al. identified another technique where the router alert option is selected<br />
that causes the router to inspect the contents of the packet. An attacker who sends a large number<br />
of options headers forces every node in the route to evaluate each header individually before<br />
moving on to the next one. This has the potential to prevent the router from addressing legitimate<br />
traffic while it evaluates the headers from the attack.<br />
Neighbor discovery DoS attacks.<br />
Yang, et al. (2007) and other researchers identified several vulnerabilities in the neighbor<br />
discovery protocol that allowed an attacker to conduct DoS attacks on IPv6 network nodes. This<br />
includes attacks that exploit flaws in the duplicate address detection, neighbor solicitation and<br />
advertisement, router solicitation and advertisement, and redirect features.<br />
Duplicate address detection attacks prevent the victim from obtaining an IPv6 address on<br />
the network. The techniques used in these attacks are described by Yang, et al. (2007), Szigeti<br />
and Risztics (2004), Caicedo, et al. (2009), Lindqvist (2006), and Kempf, et al. (2004). A<br />
duplicate address detection probe is sent when a host assigns a new IPv6 address to an interface.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
58<br />
Any other node already using that IP address will respond and the host will try a different<br />
address. If an attacker responds to every duplicate address detection probe, the victim will<br />
eventually believe that all IP addresses are assigned and terminate the address selection process.<br />
Neighbor solicitation and advertisement attacks either reroute traffic for legitimate hosts<br />
or cause victims to send traffic to non-existent nodes. The Technique used in the first situation is<br />
described by Yang, et al. (2007), Vives and Palet (2005), Szigeti and Risztics (2004), and<br />
Kempf, et al. (2004). In this attack, a neighbor solicitation message is sent with a different source<br />
address that announces a link-layer address change. Packets for the victim will be sent to the new<br />
address that is controlled by the attacker. Yang, et al. and Kempf, et al. identified a flaw in the<br />
neighbor detection feature where an attacker caused a victim to attempt communications with an<br />
invalid link by responding to neighbor solicitation messages. Additionally, Wu, Hai-xin, Tao,<br />
Xing, and Jian-ping (2009) and Kim et al. (2007) determined that if an attacker sent spoofed<br />
ICMPv6 destination unreachable responses to a victim with a spoofed source address, the victim<br />
would terminate connections with the host at that source address.<br />
Router solicitation and advertisement attacks can also lead to DoS situations in IPv6<br />
networks. Yang, et al. (2007), Zagar, et al. (2007), Caicedo, et al. (2009), E. Davies, et al.<br />
(2007), and Vives and Palet (2005) described an attack to kill the router by sending spoofed<br />
router advertisements from the router with a zero lifetime. This caused a rewrite of the host’s<br />
routing table that removed the router from the cache and prevented traffic from reaching the<br />
router. Yang, et al. and Kempf, et al. (2004) described a different type of attack that sent a<br />
spoofed router advertisement for a specific IPv6 prefix. The bogus router and prefix was added<br />
to the host’s routing table and any traffic that meets the rules was sent to the bogus router.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
59<br />
Redirect messages create a DoS situation in an IPv6 network if an attacker initiates a<br />
spoofed redirect to a non-existent address. The redirect message attack, described by Yang, et al.<br />
(2007), Wu, et al. (2009), and Kim, et al. (2007), involves an attacker sending a spoofed redirect<br />
message to a node that originates from the first hop router. Because the redirect originates from a<br />
trusted router, it is accepted by the host and all traffic destined for the victim is redirected to the<br />
new address specified by the attacker.<br />
Man-in-the-middle attacks.<br />
Man-in-the-middle attacks allow an attacker to intercept or alter communications by<br />
acting as a gateway or intermediary between two points. The IPv6 protocol is susceptible to the<br />
same key exchange attacks as in IPv4 networks and there are new attack vectors that exploit IPv6<br />
router redirects and the neighbor cache.<br />
Router redirects uses the same technique the router solicitation and advertisement DoS<br />
attack mentioned on page 58 except the attacker assumes the role of a relay router. Szigeti and<br />
Risztics (2004), Kim, et al. (2007), Convery and Miller (2004), Kim, et al. (2007), and Kempf, et<br />
al. (2004) presented techniques used in this attack. An attacker launches a DoS attack against the<br />
legitimate router using the kill or flood technique. Then, the attacker sends a router<br />
advertisement to all nodes specifying a router at an address controlled by the attacker. A host<br />
sends traffic to the new router and the attacker relays the traffic between the two nodes with the<br />
ability to modify or read the communications. If the attack goes unnoticed, the attacker can<br />
easily return the legitimate relay to operating status and erase evidence that the network has been<br />
compromised.<br />
The host’s neighbor cache stores link-local addresses for neighbors that are available on<br />
the local-link. Kempf, et al. (2004) and Caicedo, et al. (2009) identified the potential for a
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
60<br />
spoofed neighbor cache entry to cause an attacker to intercept traffic destined for another host.<br />
The attacker sends a link-local neighbor solicitation redirect to an address controlled by the<br />
attacker. Hosts on the network update their neighbor cache with the new address. When a host<br />
communicates with the victim, the traffic is sent to a node controlled by the attacker and relayed<br />
to the legitimate host.<br />
IPv6 covert channels.<br />
Covert channels provide a method for malicious users or programs to hide<br />
communications. The Department of Defense defined covert channels as “communication that<br />
can be exploited by a process to violate security policy” (Zander, et al., 2007). Covert channels<br />
may be used by a user to send confidential information to a point outside the security parameter<br />
of the network or create a hidden command and control channel for botnets or backdoors.<br />
Warfield (2003) presented a simple example of an IPv6 covert channel that would bypass IPv4<br />
IDS and firewall devices. The implementation called for installing sshd on the victim,<br />
configuring a listening address of 2002::, adding the new<br />
address to the 6to4 interface, and then adding a SSH key to encrypt the traffic. The attacker<br />
would then be able to communicate covertly using the 6to4 address that was selected.<br />
Researchers have identified several methods of creating covert channels in IPv6<br />
communications. Generally, hidden communications are embedded in an unused header field<br />
that can be one bit or several bits in length. Zander, et al. (2007) identified the IPv4 type of<br />
service (TOS), do not fragment (DF), TCP urgent pointer, reset segment, or ICMP code fields as<br />
possible locations to store hidden data in packet flows.<br />
Graf (as cited by Zander, et al., 2007) Lucena, Lewandowski, and Chapin (as cited by<br />
Zander, et al., 2007) proposed methods of embedding covert channels into IPv6 extension
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
61<br />
headers. For example, Graf suggested that the covert data be encoded in an option header with a<br />
double zero as the high order bits to specify that the header should be skipped if it is not<br />
recognized by the host. The option header containing the hidden data would be ignored by<br />
legitimate nodes; however, the other party in the covert channel could decode the hidden data.<br />
Trabelsi suggested using the routing header, Graf suggested using the destination options header,<br />
and Lucena, et al. suggested the use of the hop-by-hop options, authentication, fragment, and<br />
encapsulating security payload (ESP) headers.<br />
Covert channels can also use IPv6 for secrete communications. Lindqvist (2006) and<br />
Girling (as cited by Zander, et al., 2007) proposed methods of modulating the IP address or port<br />
numbers to hide data. Lindqvist suggested using IPv6 stateless auto-configuration to embed data<br />
in the 64 bit interface ID. The recipient of the packet will decode the IPv6 source address from<br />
the received packet and the sender could easily change the interface again to send additional<br />
secrete information. Girling proposed a similar method using the source and destination port<br />
numbers. Table 10 lists other possible fields and methods attackers could use to embed covert<br />
channels in IP communication.<br />
Table 10. Covert Channels in IP Communications<br />
Field<br />
Padding<br />
TCP Sequence<br />
Number<br />
Packet length<br />
IP ID Number<br />
Description<br />
Padding to multiples of 8 octets required for options headers. Encode hidden<br />
data in padding (E. Davies, et al., 2007).<br />
Encode hidden data in TCP initial sequence number. Traffic can be bounced<br />
off a third party using a spoofed source address that generates an error reply<br />
containing the TCP sequence number (Zander, et al., 2007).<br />
Modulate the length of a packet to hide data (Girling, 1987, Feb as cited by<br />
Zander, et al., 2007).<br />
Encode hidden data in the IP ID number (Rowland, 1997, July as cited by
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
62<br />
Field<br />
Description<br />
Zander, et al., 2007).<br />
Fragment Offset Encode hidden data in the fragment offset (Rowland, 1997, July as cited by<br />
Zander, et al., 2007).<br />
TCP Checksum Modulate the checksum and add random data to the packet to correct the<br />
checksum calculation (Abad, 2001 as cited by Zander, et al., 2007).<br />
UDP Checksum Encode hidden data in optional UDP checksum (Fisk, 2002, Oct as cited by<br />
Zander, et al., 2007).<br />
TTL/Hop Limit Encode hidden data in TTL or hop limit field (Lucena, Lewandowski, &<br />
Chapin, 2005, May as cited by Zander, et al., 2007).<br />
Timestamp Modulate the lower order bit of the timestamp field by delaying transmissions<br />
until reaching a specific unit (Giffin, 2002, Apr as cited by Zander, et al.,<br />
2007).<br />
Packet Timing Modulate the time intervals between sent packets (Padlipsky, Snow, &<br />
Karger, 1978, Aug as cited by Zander, et al., 2007).<br />
Packet Loss Artificially losing packets to modulate a hidden data stream (Servetto &<br />
Vetterli, 2001, June).<br />
HTTP URL Encode hidden data in URL parameter requests sent by HTTP (Feamster,<br />
2002, Aug as cited by Zander, et al., 2007).<br />
HTTP Cookies Encode hidden data in an HTTP cookie (Castro, 2006, May as cited by<br />
Zander, et al., 2007).<br />
DNS<br />
Encode hidden data in a DNS server requests to a server controlled by the<br />
other party (Gil, 2005 as cited by Zander, et al., 2007).<br />
VoIP<br />
Modulate the low order bit of the VoIP RTCP protocol (Mazurczyk &<br />
Kotulski, 2006, Sept as cited by Zander, et al., 2007).<br />
ICMP<br />
Encode data in the ICMP payload (daemon9, 1997, Sept as cited by Zander, et<br />
al., 2007).<br />
SSH<br />
Use SSH over HTTP to encode hidden data (Padgett, 2001 as cited by Zander,<br />
et al., 2007).
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
63<br />
Security control bypass.<br />
IPv6 traffic can bypass security controls like firewalls and IDS devices by exploiting<br />
vulnerabilities in the protocol. When this occurs, malicious traffic that would have been blocked<br />
at the security perimeter enters the network and compromises internal systems. Warfield (2003)<br />
identified possible scenarios that included; IPv4 security devices that are unable to inspect TCP<br />
and UDP packets in SIIT, IPv6 security devices that are unable to inspect IPv4 and protocol 41<br />
packets, and Teredo traffic that bypasses firewalls by design. Szigeti and Risztics (2004)<br />
identified IPv6 stateless auto-configuration as a threat that allowed internal attackers to control<br />
the address space. Zagar, et al. (2007) and Kim, et al. (2007) identified a method of hiding port<br />
numbers from security devices using fragmentation. Port numbers are not read by security<br />
devices if option headers move the TCP or UDP header to a fragmented packet because<br />
intermediate nodes do not reassemble the fragments in IPv6. Convery and Miller (2004)<br />
described a method to overlap fragments so that the second fragmented packet overwrites the<br />
data in the first at the destination node. Zagar, et al., Caicedo, et al. (2009), E. Davies, et al.<br />
(2007), and Convery and Miller described a method of sending a packet to a restricted internal<br />
node by including a routing header that specifies an unrestricted internal node as a stop on the<br />
route. This would establish a path that relays traffic from the unrestricted node to a restricted<br />
node on the same network.<br />
IPv6 worms.<br />
The large address space was expected to limit worm propagation in IPv6 networks;<br />
however, researchers have identified techniques that increase the success of worm attacks.<br />
Yangui, Xiangchun, Jiachun, and Huanyan (2009) outlined traditional worm propagation<br />
techniques that included DNS and search engine queries for valid IP addresses, scans for
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
64<br />
vulnerable internal nodes, and random internal network scans after an internal node has been<br />
compromised. Yangui, et al. suggested that an IPv6 worm attempting to locate vulnerable<br />
addresses would use traditional techniques to discover external addresses and then employ new<br />
methods to limit the address range after compromising an internal node.<br />
Embedded functionality combined with the end-to-end nature of the IPv6 protocol can<br />
increase the success of worms in an IPv6 network. Zheng, Liu, Guan, Qu, and Wang (2007) and<br />
J. Yang (n.d.) described how the potential address space of 2 64 possible addresses can be reduced<br />
down to a manageable population by listening for Windows service announcements, neighbor<br />
and router discovery packets, initiating multicast pings, and relying on the tendency for<br />
administrators to assign other addresses using a similar schema. Additionally, worm propigation<br />
techniqes can be further enhanced by increasing the number of vulnerable nodes or increasing<br />
bandwidth to increase the rate of scanning activtiy. Zheng, et al. presented a simulation where all<br />
live addresses on a small IPv6 network were captured within three seconds using the neignbor<br />
discovery protocol. J. Yang presented a detailed simulation with a 75,000 population size that<br />
compared different worm propigation techniques using the enhanced methods. In the study, all<br />
nodes in an IPv4 network were infected using traditional techniques in five seconds. If the same<br />
techniques were used in an IPv6 network, it would take 22,000 years to infect all nodes;<br />
however, a gigabit network connection reduced this to 40 years, dense address assignments<br />
reduced this rate to seven days, using DNS reduced this to one day, and using the local cache and<br />
neighbor discovery protocol resulted in full infection within six hours.<br />
IPv6 transition mechanisms.<br />
The implementation of IPv6 transition mechanisms has security implications for IPv6<br />
networks. Further research into transition mechanism vulnerabilities is needed; however, limited
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
65<br />
discussions are available from a small number of sources. Convery and Miller (2004) argued that<br />
transition mechanisms may allow unauthorized traffic to traverse the internal network, forge<br />
packets to hide the origin of the traffic, and launch DoS attacks on internal targets. Szigeti and<br />
Risztics (2004) and Zagar, et al. (2007) noted that dual-stack hosts are susceptible to both IPv6<br />
and IPv4 attack. S. Lee, et al. (2002) discussed the risk of DoS attacks with BIA and BIS address<br />
pooling. Hagino and Yamamoto (2001) found that TRT could act as an open relay for attackers<br />
that bypasses traffic filtering controls. A slightly more detailed discussion of vulnerabilities was<br />
available for the 6to4 and Teredo transition mechanisms.<br />
Teredo and 6to4 are tunneling mechanisms that are generally susceptible to DoS and<br />
packet injection attacks. Zagar, et al. (2007), Szigeti and Risztics (2004), and Gilligan and<br />
Nordmark (2000) found that packets sent through a tunnel can bypass filters and lead to DoS<br />
attacks on both IPv4 and IPv6 nodes. Durand, et al. (2001) described a DoS attack that was<br />
launched against a Tunnel-Broker by requesting a large number of tunnels. Szigeti and Risztics<br />
and Caicedo, et al. (2009) outlined a packet injection attack that allowed an external user to send<br />
traffic to an internal address through a tunnel.<br />
The 6to4 transition mechanism tunnels IPv6 traffic over traditional networks using a<br />
network of 6to4 relays and routers that encapsulate and decapsulate packets into the appropriate<br />
protocol. Savola and Patel (2004) and E. Davies, et al. (2007) concluded that attack vectors result<br />
from the implied trust between hosts, 6to4 routers, and relays. IPv6 data contained within the<br />
encapsulated 6to4 packets is not controlled by the security devices operating in the traditional<br />
network. Savola and Patel found that this could lead to DoS and spoofing attacks, traffic<br />
laundering, and service theft. Additionally, Savola and Patel and Cooper and Yen (2005)<br />
outlined methods of sending malicious packets into a network using the 6to4 mechanism. A 6to4
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
66<br />
packet can be sent to a link-local IPv6 address using a valid IPv4 destination and spoofed, but<br />
valid IPv4 and IPv6 source. An internal user could broadcast to all nodes on a network by<br />
sending packets to the 6to4 router using an IPv4 broadcast address like 8.0.0.255 with IPv6<br />
destination 2002:0800:00FF::AAAA. An external user could also broadcast ICPM error<br />
messages to all internal nodes by sending packets to a valid but non-existant IPv6 address on a<br />
network with an IPv6 broadacst address as the source.<br />
Teredo vulnerabilities are identified in the research by Huitema (2006) and included DoS,<br />
man-in-the middle, and spoofing risks. First, the open firewall port and protocol requirements of<br />
the protocol decrease the effectiveness of security controls overall. Second, an attacker can send<br />
routing advertisements for a Teredo relay that they control and intercept traffic from hosts using<br />
the relay. Third, spoofed source addresses allow the attacker anonymity. Finally, several methods<br />
of Teredo based DoS attack methods are identified by Huitema and Kim, et al. (2007). This<br />
includes setting up a dead-end Teredo relay or server, flooding hosts with Teredo peer cache<br />
entries, flooding Teredo servers with traffic, and reflection using Teredo to relay attacks between<br />
the protocols.<br />
IPv6 vulnerabilities and attack vectors are critical elements of the digital forensic process.<br />
Analysts and investigators must understand the methods and techniques used by attackers in<br />
order to determine how an event occurred. IPv6 protocol vulnerabilities and exploits are similar<br />
to IPv4 and are well represented in the available research. Information about vulnerabilities in<br />
transition mechanisms is limited and it is likely to be the area that provides the highest exposure<br />
to risk. No research was located that discussed how the vulnerabilities discovered in IPv6 would<br />
be investigated using forensic analysis.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
67<br />
Summary of IPv6 Forensic Research and Identified Gaps<br />
The technical research into IPv6 covers the protocol, transition mechanisms, operating<br />
system support, security vulnerabilities, and attack vectors. Nikkel (2007) and other researchers<br />
defined the IPv6 protocol and provided a basic guide to investigators. General IPv6 transition<br />
mechanisms were described by Jamhour and Storoz (2002), Tantayakul, et al. (2008), Mackay, et<br />
al. (2003, May-June), Afifi and Toutain (1999), and Gilligan and Nordmark (2000) while Wei, et<br />
al. (2009) focused on dual-stack; Durand, et al. (2001), Visoottiviseth and Bureenok (2008),and<br />
S. M. Huang, et al. (2005) focused on 6to4, Tunnel-Broker, ISATAP, or Teredo tunneling<br />
mechanisms; and Carpenter and Jung (1999), Nordmark (2000), Tsuchiya, et al. (2000), S. Lee,<br />
et al. (2002), Kitamura (2001), Hagino and Yamamoto (2001),and AlJa'afreh, et al. (2008)<br />
focused on SIIT, NAT-PT, BIS, BIA, SOCKS64, TRT, or gateway based protocol translation<br />
mechanisms. Windows IPv6 support is defined by Tulloch, et al. (2010), and J. Davies (2008) to<br />
include support for Teredo, ISATAP, 6to4, and dual-stack. Linux, FreeBSD, UNIX, and Apple<br />
MAC operating systems provide IPv6 support for 6to4, dual-stack, and tunnels that is explained<br />
in various online vendor manuals. IPv6 vulnerabilities and attack vectors including<br />
reconnaissance, DoS, man-in-the-middle, covert channel, security control bypass, worm, and<br />
transition mechanism attacks are described by Zagar, et al. (2007), Convery and Miller (2004),<br />
E. Davies, et al. (2007), X. Yang, et al. (2007), Kempf, et al. (2004), Zander, et al. (2007), J.<br />
Yang (n.d.), Savola and Patel (2004), and Huitema (2006). Overall, the available research<br />
provides adequate information for the implementation and operation of an IPv6 network. There<br />
is a need for research that addresses the technical implications and considerations for an IPv6<br />
network investigation, provides examples of IPv6 attacks and investigations to be used as a guide
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
68<br />
for creating an applicable procedural model, and develops new information about the security<br />
factors in transition mechanisms that could be utilized in criminal acts.<br />
The research into forensic investigation addresses evidence admissibility that is based on<br />
the collection, analysis, and presentation processes. General forensic models have been proposed<br />
by Shin (2008), Cohen (2009), Ciardhuáin (2004), Carrier and Spafford (2003), Carr, et al.<br />
(2002), Electronic crime scene investigation: A guide for first responders (2001), H. C. Lee,<br />
Palmbach, and Miller (2001), Casey (2000), Palmer (2001), and Mandia and Prosise (2001).<br />
Sommer (1999) proposed methods of collecting and handling network based evidence. <strong>Digital</strong><br />
evidence handling, processing and analysis techniques are proposed by Broucek and Turner<br />
(2004), Kerr (2005, Jan), Lan, et al. (2005), and Losavio (2005) while Schroeder (2005), the<br />
Fraud Examiners Manual (2008), and Carrier and Spafford (2003) proposed process models for<br />
the physical investigation of digital crimes. Nikkel (2007) presented a basic procedural guide for<br />
conducting IPv6 investigations while Tseng, et al. (2006), Y. Lee, et al. (2007), and S. Q. Huang,<br />
et al. (2009) addressed IPv6 IDS devices. The discovered research establishes ad-hoc processes<br />
that must be combined to address the needs of investigators, analysts, and prosecutors. There is a<br />
need for defining the details of a process that supports the complex needs of an IPv6<br />
investigation, establishing a model that helps establish IPv6 network forensics as a formal<br />
scientific discipline, and developing a method to distil complex network analysis into<br />
information that non-technical judges and juries can understand.<br />
The IPv6 protocol creates unique considerations for forensic analysts and investigators<br />
that have not been adequately addressed in the research. Investigators must understand the<br />
technology as it relates to their specific needs; however, the available research is focused on<br />
implementers and operators. Prosecutors are required to present evidence that is founded in a
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
69<br />
formal scientific discipline; however, IPv6 network forensics remains a new science that lacks<br />
the necessary components to address the complexity of investigating distributed network<br />
environments. As IPv6 networks become more common, it will be important to address the<br />
unique needs of IPv6 investigations in formal academic research.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
70<br />
Chapter 3 – Methodology<br />
This study employed the qualitative method based on the active research (AR)<br />
methodology defined by Baskerville (1999). Additionally, the process consultation form was<br />
selected that utilized a reflective process model, fluid structure, and expert involvement to<br />
develop scientific knowledge within the IPv6 discipline (Baskerville, 1999, p. 10). The AR<br />
methodology complemented the interpretivist epistemology of the researcher and provided an<br />
effective framework to study complex transitional networks where little prior research has be<br />
conducted.<br />
Characteristics of Action Research<br />
Action research methods advance the perspective that complex information systems can<br />
only be understood as an entire system and the best research studies observe the effects of the<br />
changes within a system (Baskerville, 1999, pp. 3-4). IPv6 transition networks are affected by a<br />
variety of hardware and software systems; therefore, AR provided a useful framework for<br />
addressing the core research problem in the study. Action research includes the researcher as an<br />
active participant in the process and involves an interaction between the participants in the study<br />
and the client system (Byrne, 2005, p. 10; Järvinen, 2007, pp. 1,15; Susman & Evered, 1978, pp.<br />
1,8). It allows the researcher to experiment with different theories applied to real situations<br />
(Avison, Lau, Myers, & Nielsen, 1999, p. 2; Susman & Evered, 1978, p. 18). This approach<br />
produced actionable and useful results for forensic investigators and analysts in the field because<br />
the participatory process utilized the expertise of the researcher to address the root cause of the<br />
research problem. Action research is problem centric; designed to holistically create knowledge<br />
to guide future practices; and involves action, data creation, analysis, and modification in an<br />
evolving research process (Baskerville, 1999, p. 9; Järvinen, 2007, p. 15; Susman & Evered,
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
71<br />
1978, p. 9). This facilitated a deep and relevant analysis of IPv6 transition networks that were<br />
affected by a diverse set of unknown variables in practical settings.<br />
The active research framework consists of five iterative process steps centered around the<br />
client/system infrastructure. The client/system infrastructure is the research environment where<br />
the actions will occur (Baskerville, 1999, p. 14). The process steps are diagnosing, action<br />
planning, action taking, evaluating, and specifying learning (Baskerville, 1999, p. 15; Susman &<br />
Evered, 1978, p. 7). Figure 6 illustrates the active research process.<br />
Figure 6. Active Research Process Model (Baskerville, 1999, pp. 14-16)<br />
Client/System Infrastructure<br />
The client/system infrastructure defines the environment where the research process takes<br />
place and includes the resources utilized, information about the participants in the study,
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
72<br />
boundaries and constraints, entry and exit points, and responsibilities (Baskerville, 1999, pp. 14<br />
15). This study required an environment where IPv6 transitional mechanisms could be<br />
configured, various nodes running different operating systems were able to communicate, and<br />
network traffic could be captured and analyzed.<br />
Environment<br />
The primary research environment consisted of a virtual network of nodes running on<br />
Oracle Virtualbox Version 4.0.2 Release 69518 virtualization software ("Virtualbox", n.d.). This<br />
software was running on a Lenovo T410 laptop with the 64 bit edition of Microsoft Windows 7<br />
Ultimate Edition. Oracle Virtualbox provided a virtual environment for 32 or 64 bit operating<br />
system nodes, local console access, and network interconnection. Nodes in the virtual network<br />
could be configured for local communications to simulate a LAN, local with a public gateway<br />
that simulated a NAT environment, and pass thought mode to simulate a direct connection to the<br />
Internet. Public IPv4 Internet connectivity on the host was provided by an AT&T 3G wireless<br />
card build into the Lenovo Laptop and was shared with the virtual nodes when needed.<br />
Additionally, snapshots of the virtual hard drives were taken at regular intervals so that the base<br />
operating system configurations could be restored easily.<br />
The secondary research environment consisted of a single 32 bit Ubuntu Linux node<br />
running on a virtual private server (VPS) hosted by Linode ("Linode", n.d.). This VPS node has<br />
access to 512MB of RAM and 16GB of hard drive space. The network environment provided a<br />
dedicated IPv4 address to the Internet for remote testing of the nodes in the primary research<br />
environment.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
73<br />
Resources<br />
This study utilized Windows, Linux, FreeBSD, and UNIX operating system nodes. The<br />
target nodes observed in the study consisted of the Microsoft Windows 2003 and 2008 server<br />
editions, Windows 7, Vista, and XP workstation editions, the Ubuntu and CentOS Linux<br />
distributions, FreeBSD, and Solaris UNIX ("CentOS", n.d.; FreeBSD", n.d.; Oracle Solaris",<br />
n.d.; Ubuntu", n.d.),. These operating systems were selected for use in the study because they<br />
represented a large share of the total installs in the market ("DistroWatch.com", n.d.). Each node<br />
was configured with a base installation of the operating system using the default options and all<br />
required and optional updates and patches applied through January 4, 2011. The research nodes<br />
were used to run the tools in the study and consisted of a 32 bit version of the Ubuntu and<br />
Backtrack Linux distributions ("BackTrack Linux", n.d.). Backtrack was selected because many<br />
of the tools were preconfigured in the default installation and Ubuntu provided an environment<br />
to run any other security tools that were not available on the Backtrack distribution. Appendix B<br />
provides a detailed listing of the operating system versions, network interface card details, and<br />
the Virtualbox configuration settings that defined the simulated environment where the operating<br />
systems were running during the study.<br />
Tools were selected to generate, capture, and analyze IPv6 traffic at each node. Packet<br />
captures for use in the traffic analysis was performed using TCPdump on Linux and FreeBSD<br />
nodes, Winpcap that is included as part of the Wireshark installation on Microsoft Windows<br />
nodes, and the Snoop tool that is a native install on the Solaris node ("TCPdump", n.d.;<br />
Winpcap", n.d.). Traffic analysis was performed using the Wireshark tool running on the<br />
Backtrack Linux research node ("Wireshark", n.d.). Packet generation tools were used to conduct<br />
network scanning, launch exploits, and forge packets for analysis. Nmap and Halfscan6 were
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
74<br />
used to scan the IPv6 network. Metasploit, THC-IPv6, and the Netcat version that is part of the<br />
Nmap installation were used to launch IPv6 exploits against the target nodes in the study<br />
("Halfscan6", n.d.; Metasploit", n.d.; Nmap", n.d.; THC-IPv6", n.d.). Netdude, TCPReplay,<br />
Ostinato, and Scapy were used to forge IPv6 packets to launch exploits that could not be<br />
generated by other tools ("Netdude", n.d.; Ostinato", n.d.; Scapy", n.d.; TCPReplay", n.d.). Table<br />
11 lists the nodes and tools that were used in the study.<br />
Table 11. Research Nodes, Target Nodes, and Tools Used in the Study<br />
Node Tool Version Source<br />
Target Node 1: Microsoft Windows Server 2008 R2 Datacenter Edition v6.1 (64-bit)<br />
Target Node 2: Microsoft Windows Server 2003 R2 Enterprise Edition v5.2 SP2 (64-bit)<br />
Target Node 3: Microsoft Windows 7 Enterprise v6.1 (64-bit)<br />
Target Node 4: Microsoft Windows Vista Enterprise v6.0 SP2 (64-bit)<br />
Target Node 5: Microsoft Windows XP Professional v5.1 SP3 (32-bit)<br />
Wireshark 1.4.3 ("Wireshark", n.d.)<br />
Winpcap 4.1.2 ("Winpcap", n.d.)<br />
Netcat 5.21 ("Netcat", n.d.)<br />
Gogoc 1.2 ("gogoCLIENT", n.d.)<br />
Target Node 6: Linux Ubuntu Desktop v10.10 (64-bit Kernel v2.6.35) ("Ubuntu", n.d.)<br />
Wireshark 1.2.11 ("Wireshark", n.d.)<br />
Tcpdump 4.1.1 ("TCPdump", n.d.)<br />
Miredo 1.2.3 ("Miredo", n.d.)<br />
Gogoc 1.2 ("gogoCLIENT", n.d.)<br />
Netcat 5.21 ("Netcat", n.d.)<br />
Target Node 7: CentOS v5.5 (64-bit Red Hat Base Kernel v2.6.18) ("CentOS", n.d.)<br />
Wireshark 1.0.15 ("Wireshark", n.d.)<br />
Tcpdump 3.9.4 ("TCPdump", n.d.)<br />
Miredo 1.2.3 ("Miredo", n.d.)<br />
Gogoc 1.2 ("gogoCLIENT", n.d.)
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
75<br />
Node Tool Version Source<br />
Netcat 5.51 ("Netcat", n.d.)<br />
Target Node 8: FreeBSD v8.1 (64-bit) ("FreeBSD", n.d.)<br />
Tcpdump 3.9.8 ("TCPdump", n.d.)<br />
Gateway6 6.0 /usr/ports/net/gateway6<br />
Miredo 1.2.2 /usr/ports/net/miredo<br />
Netcat 5.36 ("Netcat", n.d.)<br />
Target Node 9: Oracle Solaris 11 Express v5.11 (64-bit) ("Oracle Solaris", n.d.)<br />
Snoop N/A Native<br />
Research Node 1: Linux Backtrack v4 R2 (32-bit Kernel v 2.6.35.8) ("BackTrack Linux", n.d.)<br />
Scapy 2.1-bt1 ("Scapy", n.d.)<br />
Metasploit 3.5.1 svn 11780 ("Metasploit", n.d.)<br />
THC-IPv6 1.2-bt0 ("THC-IPv6", n.d.)<br />
Nmap 5.35-bt0 ("Nmap", n.d.)<br />
Wireshark 1.4.1 ("Wireshark", n.d.)<br />
Gogoc 1.2 ("gogoCLIENT", n.d.)<br />
Netdude 0.3.3 ("Netdude", n.d.)<br />
TCPreplay 3.3.1 ("TCPReplay", n.d.)<br />
Netcat 5.35DC1 ("Netcat", n.d.)<br />
Research Node 2: Linux Ubuntu Desktop v10.10 (32-bit Kernel v2.6.35) ("Ubuntu", n.d.)<br />
Ostinato 0.3 ("Ostinato", n.d.)<br />
Wireshark 1.2.11 ("Wireshark", n.d.)<br />
Halfscan6 0.2 ("Halfscan6", n.d.)<br />
Gogoc 1.2 ("gogoCLIENT", n.d.)<br />
Research Node 3: Linux Ubuntu VPS v10.10 (32-bit Kernel v2.6.32) ("Linode", n.d.)<br />
Wireshark 1.2.11 ("Wireshark", n.d.)<br />
Nmap 5.21 ("Nmap", n.d.)<br />
THC-IPv6 1.2 ("THC-IPv6", n.d.)<br />
Halfscan6 0.2 ("Halfscan6", n.d.)<br />
Scapy 2.1.1 ("Scapy", n.d.)<br />
Gogoc 1.2 ("gogoCLIENT", n.d.)
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
76<br />
Native IPv6 transition mechanisms were used when they were provided as part of the<br />
operating system. The Teredo, ISATAP, and 6to4 mechanisms are integrated into the Windows<br />
operating system. The Linux, FreeBSD, and Solaris nodes support dual-stack and 6to4<br />
mechanisms in their native configurations and require third-party components for Teredo and<br />
ISATAP. Miredo was used on the Linux and FreeBSD nodes to support Teredo; however,<br />
Teredo support for the Solaris node was not located at the time of this study ("Miredo", n.d.).<br />
ISATAP support for the Ubuntu Linux node was provided by the isatapd client. The researcher<br />
was unable to install ISATAP functionality on the CentOS, FreeBSD, or Solaris nodes. IPv6<br />
tunneling support for all nodes was setup using an anonymous account on Freenet6 with the IPv6<br />
client provided by gogoNet ("gogoCLIENT", n.d.). Appendix B lists the installation and<br />
configuration commands used to install the clients.<br />
Participants<br />
The researcher worked from the interpretivist epistemology and was also the participant<br />
in the study. Interpretivist thinking allows for more than one solution to a problem and is<br />
appropriate for complex IPv6 traffic analysis where there may be multiple solutions to a<br />
problem. The researcher has twelve years of experience administering and using the Microsoft<br />
Windows operating system, three years of experience creating and managing virtual networks,<br />
and one year of experience administering and using the Linux, FreeBSD, and Solaris operating<br />
systems. Additionally, the researcher has completed the course requirements for a Master’s<br />
degree in information assurance focused in network forensics which provides the foundation for<br />
the traffic analysis and tools used in the study.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
77<br />
Boundaries<br />
This study is limited by the resources available to the researcher. Academic and open<br />
source licensing allowed the selected operating systems to be included in the study; however, the<br />
Apple operating system could not be included because the researcher did not have access to a<br />
machine running the operating system. Additionally, time limitations for the study did not permit<br />
the testing of every available operating system that supported IPv6. The size of the network and<br />
the number of nodes running at the same time was limited by the available four gigabits of RAM.<br />
Finally, the transition mechanisms and tools that were included in the study had to support IPv6<br />
and either be native to the operating system or available as third-party installations.<br />
The scope of the research problem was narrowly defined around likely IPv6 network<br />
vulnerabilities. The study focused on network protocol based exploits and not on vulnerabilities<br />
in network services running on physical nodes. Additionally, the study did not address denial of<br />
service attacks.<br />
Entry and Exit Points<br />
Virtual desktops and shared network drives were the primary entry and exit points in the<br />
study. The Oracle Virtualbox hypervisor provided a virtual desktop for each running node where<br />
the researcher could interact with the operating system and tools. Additionally, Virtualbox<br />
supported access to shared folders on the host to facilitate the sharing of information between the<br />
nodes.<br />
Responsibilities<br />
The researcher had a responsibility to protect third-party networks that were utilized in<br />
the study. This included the Linode VPS network, the AARNet IPv6 tunneling network, the<br />
public Teredo, ISATAP, and 6to4 relays, and the AT&T 3G network used to provide Internet
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
78<br />
access for the host. The exploits and traffic in the study were designed to be low flow and target<br />
the virtual nodes running on the researcher’s laptop to minimize the risks to these networks.<br />
Process Step 1: Diagnosing<br />
The diagnosing process step identifies the holistic research problems and underlying<br />
assumptions that guide the process actions (Baskerville, 1999, p. 15).<br />
Research Problems<br />
The primary research problem in the study was: what is the nature of IPv6 traffic that<br />
may be traversing traditional IPv4 networks? The research sub-problems were structured around<br />
the five phases of a network attack outlined by Bejtlich (2004) and were designed to present a<br />
framework for analyzing or investigating IPv6 traffic in transitional networks. Table 12 outlines<br />
the primary research problem and sub-problems for the study.<br />
Table 12. Primary Research Problem and Sub-Problems<br />
What is the nature of IPv6 traffic that may be traversing traditional IPv4 networks?<br />
1. Reconnaissance • What methods can be used to enumerate IPv6 addresses and services<br />
in a transitional network?<br />
• What is the context of IPv6 traffic produced by nodes in an IPv4<br />
network?<br />
2. Exploitation • What methods can be used to attack the network topography in a<br />
transitional network?<br />
• What are the characteristics of malicious and suspicious traffic that<br />
traverse IPv4 networks using the IPv6 protocol?<br />
3. Reinforcement What methods can be used to obfuscate an attack in a transitional network<br />
and how could the true source be determined?<br />
4. Consolidation What methods can be used to create a persistent commutations channel in<br />
a transitional network and how could that channel be detected?<br />
5. Pillage What additional risks should be considered in a transitional network?
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
79<br />
Assumptions<br />
The interpretivist epistemology assumed that there is more than one way to solve the<br />
research problems. For example, the researcher attempted to enumerate the IPv6 address and<br />
services within the network using the available tools; however, there is likely other ways to<br />
gather the same information. Additionally, an unsuccessful exploit or enumeration of a node<br />
within the study did not imply that another method could not yield a positive result. Table 13<br />
lists the research assumptions for each of the five sub-problem categories.<br />
Table 13. Research Assumptions<br />
What is the nature of IPv6 traffic that may be traversing traditional IPv4 networks?<br />
1. Reconnaissance – Network Enumeration and Context<br />
• Nodes behind a NAT will be protected from network scanners.<br />
• Operating systems with IPv6 enabled by default will have exposed services and<br />
emanate IPv6 packets into the IPv4 network.<br />
• Nodes with public IPv6 addresses using transitional networks will have publically<br />
exposed services.<br />
2. Exploitation – Topography Attacks and Context<br />
IPv6 traffic flows and addressing can be modified remotely using protocol attacks.<br />
3. Reinforcement – Obfuscation and Sourcing<br />
• Privacy extensions, redirects, and address auto-configuration can be used to obfuscate<br />
traffic from an attacker and it will not be possible to determine the true source.<br />
• Fragmentation can be used to obfuscate the port or source address for a traffic flow.<br />
• Multicast or anycast can be used to obfuscate the source or destination node in an<br />
attack.<br />
4. Consolidation - Persistent Channels and Detection<br />
a. A remote command shell can be created through a transitional network over IPv6<br />
using common tools.<br />
5. Pillage – Additional Risks<br />
a. Undetected covert channels will be the primary additional risk.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
80<br />
Process Step 2: Action Planning<br />
The action planning process step outlines the procedures necessary to address the<br />
research problems in light of the underlying assumptions and are designed to lead to the future<br />
state in the study (Baskerville, 1999, p. 15). Additionally, this step identifies the approach for<br />
addressing changes to the procedures as observations are made. The procedures used in the study<br />
were designed to facilitate an iterative framework to address the full context of the research<br />
problems within the five phases of a network attack. Figure 7 illustrates this framework.<br />
Reconnaissance Exploitation Reinforcement Consolidati Pillage<br />
on<br />
Behind NAT Exposed IPs Behind NAT Exposed IPs<br />
Network<br />
Mapping<br />
Rogue Devices<br />
Obfuscation Backdoors Covert<br />
Channels<br />
Addresses Services/ Routers/ Nodes/ Privacy Redirects Fragments Multicast<br />
Ports Relays Clients Extensions<br />
Base/ Base/ Base 6 Enabled 6 Enabled 6 Enabled 6 Enabled 6 Enabled<br />
6 Enabled 6 Enabled Win 28K Win 28K Win 28K Win 28K Win 28K Win 28K<br />
Win 28K Win 28K Win 23K Win 23K Win 23K Win 23K Win 23K Win 23K<br />
Win 23K Win 23K Win 7 Win 7 Win 7 Win 7 Win 7 Win 7<br />
Win 7 Win 7 Win Vista Win Vista Win Vista Win Vista Win Vista Win Vista<br />
Win Vista Win Vista Win XP Win XP Win XP Win XP Win XP Win XP<br />
Win XP Win XP Lin Ubuntu Lin Ubuntu Lin Ubuntu Lin Ubuntu Lin Ubuntu Lin Ubuntu<br />
Lin Ubuntu Lin Ubuntu Lin CentOS Lin CentOS Lin CentOS Lin CentOS Lin CentOS Lin CentOS<br />
Lin CentOS Lin CentOS FreeBSD FreeBSD FreeBSD FreeBSD FreeBSD FreeBSD<br />
FreeBSD FreeBSD Solaris Solaris Solaris Solaris Solaris Solaris<br />
Solaris Solaris<br />
Local Local Teredo Local Local Local Local Local<br />
Teredo Teredo ISATAP Teredo Teredo ISATAP Teredo<br />
ISATAP ISATAP 6to4 ISATAP ISATAP 6to4 ISATAP<br />
T-Broker T-Broker T-Broker T-Broker T-Broker<br />
6to4 6to4 6to4 6to4 6to4<br />
Wireshark Nmap Miredo OS OS THC-IP6 Netdude OS Netcat<br />
Nmap Halfscan6 Netdude Scapy OS<br />
Metasploit OS TCPreplay<br />
THC-IP6<br />
OS<br />
Halfscan6<br />
OS<br />
Figure 7. Action Planning Process Tree
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
81<br />
Procedures<br />
The reconnaissance phase of an attack may occur from inside and outside the network;<br />
therefore, the research procedures were defined to mirror tests for victim nodes that are<br />
publically exposed and protected by a NAT device. The tests were designed to identify network<br />
mapping techniques that attackers may use to identify addresses and services to target in the next<br />
stage of the attack. The same tests and procedures were duplicated for each operating system and<br />
transition method covered in the scope of the study. Additionally, each operating system was<br />
tested in its base configuration and a state configured with a full installation of IPv6 services.<br />
The testing procedures for the reconnaissance phase were:<br />
• Enumerate IPv6 addresses from outside the network for all operating systems in the base<br />
configuration and all transition mechanisms.<br />
• Enumerate IPv6 addresses from inside the network for all operating systems in the base<br />
configuration and all transition mechanisms.<br />
• Enumerate IPv6 addresses from outside the network for all operating systems in the fully<br />
configured configuration and all transition mechanisms.<br />
• Enumerate IPv6 addresses from inside the network for all operating systems in the fully<br />
configured configuration and all transition mechanisms.<br />
• Enumerate IPv6 services and ports from outside the network for all operating systems in<br />
the base configuration and all transition mechanisms.<br />
• Enumerate IPv6 services and ports from inside the network for all operating systems in<br />
the base configuration and all transition mechanisms.<br />
• Enumerate IPv6 services and ports from outside the network for all operating systems in<br />
the fully configured configuration and all transition mechanisms.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
82<br />
• Enumerate IPv6 services and ports from inside the network for all operating systems in<br />
the fully configured configuration and all transition mechanisms.<br />
The exploitation phase testing procedures were duplicated for exposed nodes, NAT<br />
protected nodes, each operating system and transition mechanism defined in the scope of the<br />
study. This phase focused on network exploits that established rogue relays, routers, or client<br />
nodes. Each operating system was tested in its base state and with IPv6 services fully configured.<br />
The testing procedures for the exploitation phase were:<br />
• Assign an address to a node running any of the operating systems with IPv6 services<br />
configured using a Teredo, ISATAP, or 6to4 router from outside the network.<br />
• Assign an address to a node running any of the operating systems with IPv6 services<br />
configured using a Teredo, ISATAP, or 6to4 router from inside the network.<br />
• Communicate with a node running any of the IPv6 configured operating systems over<br />
any of the transition mechanisms from a rogue node operating outside the network.<br />
• Communicate with a node running any of the IPv6 configured operating systems over<br />
any of the transition mechanisms from a rogue node operating inside the network.<br />
The reinforcement phase of the testing procedures attempted to obfuscate the traffic using<br />
privacy extensions, redirects, fragments, and multicast. Each operating system was tested will<br />
IPv6 services fully configured for each possible transition mechanism. The testing procedures for<br />
the reinforcement phase were:<br />
• Obfuscate the source address in a two-way communication channel using IPv6 privacy<br />
extensions for all of the IPv6 configured operating systems and transition mechanisms.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
83<br />
• Obfuscate the source address in a two-way communication channel using IPv6 redirects<br />
to redirect traffic for all of the IPv6 configured operating systems and transition<br />
mechanisms.<br />
• Obfuscate the payload in a two-way communication channel using IPv6 fragments for all<br />
of the IPv6 configured operating systems and transition mechanisms.<br />
• Obfuscate the destination address in a two-way communication channel using IPv6<br />
multicast or anycast addressing for all of the IPv6 configured operating systems.<br />
The consolidation and pillage phases focused on establishing backdoors and covert<br />
channels. At this stage of the exploitation, the attacker has control of the victim node; therefore,<br />
the operating systems and transition mechanisms becomes irrelevant. The testing procedures in<br />
these phases focused on sampling possible techniques used by attackers. The testing procedures<br />
for the consolidation and pillage phases are:<br />
• Establish a persistent backdoor to a node over IPv6.<br />
• Send data from the victim node using a covert channel.<br />
Approach for Change<br />
Procedures were defined around a single tool or technique and subsequent iterations<br />
changed the tool or technique until a positive result was reached. For example, if the Nmap tool<br />
was unable to map the address of the Solaris target node during the reconnaissance test phase,<br />
another testing iteration was performed using the Metasploit tool.<br />
Process Step 3: Action Taking<br />
The action taking process step involved the implementation of the action planning<br />
procedures and the recording of observations (Baskerville, 1999, pp. 15-16). The observations
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
84<br />
were collected and reported in chapter 4 of the study using matrixes similar to the sample<br />
displayed in Table 14.<br />
Table 14. Sample Data Matrix<br />
OS Local Teredo ISATAP TBroker 6to4<br />
28K<br />
23K<br />
7<br />
Vista<br />
XP<br />
Ubuntu<br />
CentOS<br />
FreeBSD<br />
Solaris<br />
Process Step 4: Evaluating<br />
The evaluating process step analyzes the outcomes of the actions taken in light of the<br />
assumptions and outlines the next steps in the study (Baskerville, 1999, p. 16). The iterative<br />
process step for each procedure was complete if a favorable outcome was reached. The<br />
assumptions were adjusted to reflect the new knowledge and an additional iteration occurred if<br />
necessary.<br />
Outcomes<br />
Observations and outcomes in the study were determined based on the output from the<br />
packet captures and the commands run from the research or target nodes. The reconnaissance<br />
testing phase collected the output of the tools run against the target nodes to determine if the<br />
IPv6 addresses and services were successfully mapped. The rogue router testing measured the<br />
output of the ipconfig or ifconfig commands to determine if the router successfully configured an
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
85<br />
IPv6 address. The rogue node testing procedures captured packet level details on the target node<br />
to determine if the victim accepted the unsolicited traffic. The reinforcement, consolidation, and<br />
pillage phases captured and analyzed packet level details received by the research and target<br />
nodes to determine a successful outcome.<br />
Next Steps<br />
Each testing procedure was performed using a tool or technique selected by the<br />
researcher. The procedure was repeated using a different tool or technique when the first test did<br />
not yield a successful outcome. The procedure iterations were terminated when a successful<br />
outcome for a test was not reached and the researcher was unaware of any additional techniques<br />
to generate the expected results.<br />
Process Step 5: Specifying Learning<br />
The specifying learning process step detailed the lessons learned in the current iteration<br />
and identified additional knowledge that was needed to fully address the research problem<br />
(Baskerville, 1999, p. 16). An observation summary statement was constructed at the conclusion<br />
of each testing procedure. These statements were used to address the specific research subproblems.<br />
Finally, the core research problem was addressed by listing the types of IPv6 traffic<br />
that may be traversing a transition network and techniques that may be used to identify the nature<br />
of that traffic.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
86<br />
Chapter 4 –Analysis and Results<br />
Observations derived from the research were recorded to address the nature of IPv6<br />
traffic that may be traversing transitional networks. The observed results and lessons learned<br />
were structured around the five phases of a network attack that included address and service<br />
enumeration in the reconnaissance phase, rogue nodes in the exploitation phase, obfuscation in<br />
the reinforcement phase, backdoors in the consolidation phase, and covert channels in the pillage<br />
phase (Bejtlich, 2004). These sections were further delineated into individual procedures<br />
designed to address each of the research sub-problems with results that indicated the tool or<br />
technique that was used to produce a positive result.<br />
Reconnaissance<br />
The reconnaissance phase of this study addressed tools and techniques that could be used<br />
to enumerate IPv6 addresses and services in a transitional network. Very few tools were found<br />
that supported IPv6 address and service scanning and none of the tools supported address sweeps<br />
to discover unknown addresses on a remote network. Address and service enumeration was<br />
attempted from outside the network using Nmap, Ping6, the THC-IPv6 implementation6<br />
function, and Halfscan6. The Nmap tool performed a port scan of an address using TCP or UDP<br />
connection requests while the other tools utilized ICMPv6. Additional tools and techniques were<br />
discovered to scan nodes from inside the network on the local-link. This included sniffing the<br />
network traffic using Wireshark; neighbor discovery tools like IP neigh, the THC-IPv6 detectnew-ip6<br />
function, the Metasploit module ipv6_neighbor and<br />
ipv6_neighbor_router_advertisement; and multicast ping tools like ping6, the THC-IPv6 alive6<br />
function, and the Metasploit module ipv6_multicast_ping. Table 15 lists the tools employed in
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
87<br />
the reconnaissance phase, the function names that are referenced in the results tables, and the<br />
command sequences employed in the tests.<br />
Table 15. Employed Reconnaissance Tools<br />
Tool Function Commands<br />
Native Ping6(A)<br />
Ping6(MC)<br />
IP neigh<br />
>ping6 <br />
>ping6 -I ff02::1<br />
>ip neigh<br />
Sniffing a Sniffing >wireshark<br />
Nmap Nmap(A) >nmap -6 <br />
>nmap -6 -Pn <br />
>nmap -6 -PA <br />
>nmap -6 -PS <br />
THC-IPv6 a DetNew6 >./detect-new-ip6 <br />
Alive6 >./alive6 <br />
Imp6(A) >./implementation6 <br />
Metasploit a 6Neigh Module= auxiliary/scanner/discovery/ipv6_neighbor<br />
6MCPing<br />
6RA<br />
Module=auxiliary/scanner/discovery/ipv6_multicast_ping<br />
Module= auxiliary/scanner/discovery/ipv6_<br />
neighbor_router_advertisement<br />
Halfscan6 b Halfscan6 >./halfscan6 <br />
Note. a The tool provides functionality that is designed only for local-links.<br />
b<br />
The tool did not function properly for any of the tests for unknown reasons.<br />
Node interface addresses.<br />
The assigned interface addresses were recorded for each node at various points in time<br />
during the study. Detailed IP address and MAC assignments for the local-link, 6to4, Teredo,<br />
Tunnel-Broker, and ISATAP interfaces were recorded in Appendix B. Table 16 lists a summary<br />
of the details that includes a sample address for each node and transition mechanism, whether the
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
88<br />
address assignment was static or dynamic, and if the interface portion of the address was based<br />
on the MAC address assigned to the interface.<br />
Table 16. Properties of Assigned IPv6 Addresses<br />
OS Protocol Static MAC Based<br />
Sample Addresses<br />
28K 6to4 Yes -<br />
fe80::bcb6:88ca:6a61:e2d8<br />
Win 7 - - 2002:a6cb:5cb6:35:bcb6:88ca:6a61:e2d8<br />
Vista Teredo - - fe80::280a:c40:5934:a349<br />
- - 2001:0:4137:9e76:280a:c40:5934:a349<br />
T-Broker - - fe80::edc2:969:1155:f9a6<br />
- - 2001:5c0:1400:a::11b<br />
ISATAP Yes - fe80::5efe:10.1.1.11<br />
Yes - 3ffe:ffff:1234:5678:0:5efe:10.1.1.11<br />
23K 6to4 Yes Yes fe80::a00:27ff:fe2f:fd98<br />
XP - Yes 2002:a6d9:4c6d:34:a00:27ff:fe2f:fd98<br />
Teredo - Yes 2001:0:4137:9e76:0:1a61:5926:b392<br />
T-Broker - - fe80::50:f2ff:fe00:1<br />
- - 2001:5c0:1000:b::8dff<br />
ISATAP Yes - fe80::5efe:10.1.1.12<br />
Yes - 3ffe:ffff:1234:5678:0:5efe:10.1.1.12<br />
Ubuntu 6to4 Yes Yes fe80::a00:27ff:fe8a:e479<br />
CentOS - Yes 2002:20b2:fee8:34:a00:27ff:fe8a:e479<br />
Teredo - - 2001:0:53aa:64c:3c6f:80b:df4d:117<br />
T-Broker - - 2001:5c0:1000:b::8e61<br />
ISATAP Yes - fe80::5efe:a01:110<br />
Yes - 3ffe:ffff:1234:5678:0:5efe:0a01:0110<br />
FreeBSD 6to4 - Yes fe80::a00:27ff:fea8:9f8e<br />
- Yes 2002:20b2:fee8:34:a00:27ff:fea8:9f8e<br />
Teredo - - 2001:0:53aa:64c:1c29:a6c:df4d:117<br />
T-Broker Yes - fe80::a00:27ff:fea8:9f8e<br />
- - 2001:5c0:1000:b::8dd5
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
89<br />
OS Protocol Static MAC Based Sample Addresses<br />
Solaris 6to4 Yes Yes fe80::a00:27ff:fe9a:f546<br />
- Yes 2002:20b2:fee8:34:a00:27ff:fe9a:f546<br />
IPv6 Addresses were dynamically assigned in most cases and were rarely based on the<br />
MAC address of the interface. The Teredo addresses were always dynamically assigned;<br />
however, there are operating system settings that would have established a static address.<br />
Additionally, the Tunnel-Broker addresses were always dynamically assigned; however, signing<br />
up for a service account with the provider would have created a static address. The ISATAP<br />
address was static based on the prefix in the router advertisement and could be set to a public<br />
address. Overall, there were a significant number of different IPv6 addresses to manage with few<br />
methods that could be used to link a physical node to a particular address assignment.<br />
Address enumeration.<br />
The tools and techniques listed in Table 15 were run against each node and transition<br />
mechanism to enumeration the IPv6 addresses. There were two types of results from the address<br />
enumeration tools. Tools that required an explicit address were only able to verify that an active<br />
node was assigned to the address. Other tools could detect unknown addresses of nodes on the<br />
local network.<br />
The first attempt to enumerate addresses was performed against the base installation of<br />
the nodes from outside the network. A base installation included the operating system configured<br />
at the point immediately after the default installation without additional configuration or<br />
application installations. The details of each base installation are listed in Appendix B. Only the<br />
Teredo and 6to4 mechanisms were tested because local-link packets are not routed across the<br />
WAN and the ISATAP and Tunnel-Broker mechanisms were not configured in the base
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
90<br />
installations of the nodes. The tools that successfully enumerated addresses from outside the<br />
network in a base installation are listed in Table 17.<br />
Table 17. IPv6 Address Enumeration for the Base OS from Outside the Network<br />
OS Teredo 6to4<br />
28K None Nmap a b<br />
23K / XP<br />
- c - c<br />
7<br />
None<br />
Nmap<br />
Vista None None<br />
Ubuntu<br />
c<br />
- Ping6 b Nmap b<br />
CentOS<br />
c<br />
- Ping6 b<br />
FreeBSD<br />
c<br />
- Ping6 b Nmap<br />
Solaris - c Ping6 Nmap Imp6<br />
Note. ISATAP and Tunnel-Brokers were not part of the base installation and Local-link<br />
addresses are not routed.<br />
a<br />
Used Nmap with the PA or PS options, explicit address, and ports 135 or 445.<br />
b<br />
Successful enumeration only when the victim was communicating using the 6to4 interface.<br />
c<br />
Not configured as part of the base installation.<br />
The 6to4 addresses were enumerated on the majority of the nodes and there were no<br />
methods found to enumerate the Teredo addresses from outside the network. All of the target<br />
nodes were able to ping6 other IPv6 address assigned to the research nodes. The research node<br />
was able to ping6 the Linux and FreeBSD targets using the 6to4 addresses only when the target<br />
node was using or recently used the 6to4 interface. The research node was able to verify the 6to4<br />
address on the Solaris node using any of the tools employed.<br />
The second attempt to enumerate addresses was performed on the base installation from<br />
inside the network. Operating from a local-link expanded the number of available tools to<br />
include neighbor and router advertisement functionality. Tests were run on the local-link,<br />
Teredo, and 6to4 addresses because the ISATAP and Tunnel-Broker mechanism were not
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
91<br />
configured in the base installations. The tools that successfully enumerated addresses on the base<br />
installation from inside the network are listed in Table 18.<br />
Table 18. IPv6 Address Enumeration for the Base OS from Inside the Network<br />
OS Local Teredo 6to4<br />
28K Sniffing DetNew6 None<br />
Sniffing<br />
Nmap a Imp6<br />
IP neigh<br />
6RA<br />
23K / XP - c - c - c<br />
7 Sniffing DetNew6 None<br />
Sniffing<br />
6RA Imp6<br />
DetNew6<br />
Vista Sniffing None<br />
Sniffing<br />
6RA<br />
DetNew6<br />
Ubuntu<br />
CentOS<br />
FreeBSD<br />
DetNew6<br />
Imp6<br />
Sniffing b 6MCPing - c<br />
Ping6(A) 6RA<br />
Ping6(MC) Alive6 Nmap<br />
IP neigh DetNew6<br />
Alive6<br />
Nmap Imp6<br />
DetNew6<br />
6Neigh<br />
Imp6<br />
Sniffing b 6MCPing - c Sniffing b<br />
Ping6(A) 6RA<br />
Ping6(A)<br />
Ping6(MC) Alive6 Nmap<br />
IP neigh DetNew6<br />
Alive6<br />
6Neigh Imp6<br />
DetNew6<br />
Sniffing b 6MCPing - c<br />
Sniffing b<br />
Ping6(A) 6RA<br />
Ping6(A)<br />
Ping6(MC) Alive6 Nmap<br />
IP neigh<br />
Nmap<br />
DetNew6<br />
Imp6<br />
Sniffing b<br />
Ping6(A)<br />
Alive6<br />
DetNew6<br />
Nmap a<br />
DetNew6<br />
Imp6
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
92<br />
OS Local Teredo 6to4<br />
6Neigh<br />
c<br />
Solaris Sniffing b 6MCPing - Sniffing b Imp6<br />
Ping6(A) 6RA Ping6(A)<br />
Ping6(MC) Alive6 Nmap<br />
Nmap Imp6 Alive6<br />
6Neigh<br />
DetNew6<br />
Note. ISATAP and Tunnel-Brokers were not part of the base installation.<br />
a<br />
Used Nmap with the PA or PS options, explicit address, and ports 135 or 445.<br />
b<br />
While Windows nodes broadcast solicitation messages regularly, these nodes were quiet.<br />
c<br />
Not installed as part of the base installation.<br />
All of the targets, except for the Windows XP and 2003 nodes, received auto-configured<br />
local-link addresses in the default state. All of the Windows targets with local-link addresses<br />
received an auto-configured Teredo address when the node also had WAN connectivity. All the<br />
targets, except for the Windows XP and 2003 nodes, received auto-configured 6to4 addresses in<br />
the default state when the node also had WAN connectivity.<br />
Sniffing the local-link and detecting duplicate address detection (DAD) packets using the<br />
THC-IPv6 detect-new-ip6 function when the victim boots was the most reliable method for<br />
enumerating 6to4 and local-link addresses. No methods were discovered to enumerate the<br />
Teredo addresses. The target’s 6to4 and local-link addresses were contained in the last 128 bits<br />
of the IMCPv6 neighbor solicitation (type 135) packets sent to the local-link multicast address<br />
during the boot process. The 6to4 and local-link addresses were linked to the target’s IPv4<br />
address by locating other IPv4 packets from the same MAC address. The Windows firewall<br />
blocked most of the ICMPv6 based scanning tools; however, a Metasploit module that sent<br />
router advertisements to all local-links (FF02::1) enumerated the local-link addresses.<br />
Additionally, when the Windows network was set to “public” instead of “private,” the firewall
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
93<br />
blocked the Nmap scans. The Linux, FreeBSD, and UNIX targets were not protected by software<br />
firewalls and most of the ICMPv6 tools were able to enumerate the local-link addresses.<br />
The third attempt to enumerate addresses was performed from outside the network on<br />
target nodes that were configured to communicate using the IPv6 transition mechanisms. This<br />
included installing or configuring the Teredo and the Tunnel-Broker mechanisms on the<br />
Windows, Linux, and FreeBSD nodes. Additionally, the 6to4 mechanism was configured on the<br />
Windows 2003 and XP nodes. Testing was not performed on the Solaris node because the<br />
researcher was unable to install Teredo and Tunnel-Broker applications. The tools that<br />
enumerated the IPv6 addresses from outside the network are listed in Table 19.<br />
Table 19. IPv6 Address Enumeration for IPv6 Enabled OS from Outside the Network<br />
OS Teredo TBroker 6to4<br />
28K Nmap(A) None See Table 17<br />
23K Nmap(A) Nmap(A) Nmap(A)<br />
Ping6(A)<br />
Ping6(A)<br />
Imp6(A)<br />
7 / Vista None None See Table 17<br />
XP Ping6(A) Ping6(A) None<br />
Ubuntu / CentOS / Nmap(A) Nmap(A) See Table 17<br />
FreeBSD Ping6(A) Ping6(A)<br />
Solaris - - See Table 17<br />
Note. The ISATAP and local-link addresses were not global.<br />
There were no tools or techniques discovered to enumerate a range of addresses from<br />
outside the network. Teredo addresses were easily enumerated using Nmap and ping6 in all<br />
operating systems except Window 7 and Vista. The Tunnel-Broker addresses were enumerated<br />
using Nmap and ping6 on the Linux and FreeBSD nodes; however, the Windows firewall<br />
blocked the Nmap and ping6 probes when it was enabled.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
94<br />
The fourth attempt to enumerate addresses was performed from inside the network<br />
against target nodes with the IPv6 transition mechanisms configured. The tools and techniques<br />
that successfully enumerated the addresses for each node and transition mechanism are listed in<br />
Table 20.<br />
Table 20. IPv6 Address Enumeration for IPv6 Enabled OS from Inside the Network<br />
OS Local Teredo ISATAP TBroker 6to4<br />
28K See Table 18 Sniffing a Nmap(A) Sniffing b See Table 18<br />
Ubuntu See Table 18 Nmap(A) Nmap(A) Sniffing b See Table 18<br />
23K Sniffing<br />
Nmap(A)<br />
Ping6(A)<br />
Ping6(M)<br />
6Neigh<br />
6MCPing<br />
6RA<br />
DetNew6<br />
Imp6(A)<br />
Nmap(A)<br />
Sniffing c<br />
Nmap(A)<br />
Ping6(A)<br />
Ping6(A)<br />
Nmap(A)<br />
Ping6(A)<br />
Sniffing b<br />
Nmap(A)<br />
Ping6(A)<br />
Imp6(A)<br />
Sniffing<br />
Nmap(A)<br />
Ping6(A)<br />
DetNew6<br />
Alive6<br />
Imp6(A)<br />
7 See Table 18 Sniffing Nmap(A) Sniffing b See Table 18<br />
Vista See Table 18<br />
Nmap(A)<br />
Imp6(A)<br />
None<br />
Ping6(A)<br />
None<br />
Imp6(A)<br />
Sniffing b See Table 18<br />
XP<br />
Sniffing<br />
Ping6(A)<br />
Ping6(M)<br />
6Neigh<br />
6RA<br />
DetNew6<br />
Imp6(A)<br />
Sniffing<br />
Ping6(A)<br />
Ping6(A) Sniffing b<br />
Ping6(A)<br />
Imp6(A)<br />
Sniffing<br />
Ping6(A)<br />
DetNew6<br />
Imp6(A)
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
95<br />
OS Local Teredo ISATAP TBroker 6to4<br />
Ping6(A) Ping6(A) Nmap(A)<br />
Imp6(A)<br />
Ping6(A)<br />
Imp6(A)<br />
CentOS / See Table 18 Nmap(A) - Sniffing b See Table 18<br />
FreeBSD Ping6(A) Nmap(A)<br />
Imp6(A)<br />
Ping6(A)<br />
Imp6(A)<br />
Solaris See Table 18 - - - See Table 18<br />
Note.<br />
a<br />
Wireshark filter for “Teredo” revealed local-link and public Teredo addresses.<br />
b<br />
The TBroker IPv6 address was contained in a UDP packet to 64.86.88.116<br />
(montreal.freenet6.net). The address starts in the ninth octet of the UDP payload and began with<br />
HEX 2001.<br />
c<br />
Detectable only after the host communicated over the Teredo interface. There is an initial<br />
packet containing the Teredo address that Wireshark identified as Teredo and then the remainder<br />
of the conversations were encapsulated in a UDP packet.<br />
Nmap was the most effective tool at enumerating the Teredo, ISATAP, and Tunnel-<br />
Broker addresses; however, it was not effective against the Windows Vista and XP nodes. The<br />
Teredo addresses were enumerated by capturing the boot traffic of the Windows nodes; however,<br />
the Linux, FreeBSD, and Vista nodes did not send Teredo traffic during the boot process. The<br />
Teredo conversations began with a packet that Wireshark identified as the Teredo protocol and<br />
then continued with a series of encapsulated UDP packets. The Teredo UDP stream always had<br />
the source or destination IPv4 address of the Teredo relay. The Tunnel-Broker addresses were<br />
enumerated by sniffing the node boot process and looking for the UDP tunnel initiation packets<br />
that contained the IPv6 addresses. The Tunnel-Broker traffic was always a UDP stream to or<br />
from the tunnel endpoint and was initiated with a packet that negotiated the IPv6 addresses used<br />
by the host. The ISATAP address could not be explicitly determined from the boot process trace;
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
96<br />
however, it could be inferred using the router advertisements containing the address prefix and<br />
the IPv4 address of the hosts.<br />
Service and port discovery.<br />
The first attempt to enumerate services and ports on the target nodes was attempted from<br />
outside the network against the base installation of the operating systems. Nmap was the only<br />
tools found that supported port enumeration on IPv6 nodes. The results of the external port scan<br />
of the 6to4 and Teredo addresses assigned to each node in the base configurations are listed in<br />
Table 21.<br />
Table 21. IPv6 Service and Port Enumeration for the Base OS from Outside the Network<br />
OS Teredo 6to4<br />
28K None Nmap a<br />
23K / XP - f - f<br />
7 None Nmap b<br />
Vista None None<br />
Ubuntu - f Nmap c<br />
CentOS - f None<br />
FreeBSD - f Nmap d<br />
Solaris - f Nmap e<br />
Note. ISATAP and Tunnel-Brokers were not part of the base installation. Local-link addresses<br />
are not global.<br />
a<br />
Enumerated TCP ports 135/msrpc, 445/msds, and 49155/unknown using PA or PS options<br />
while the target is communicating over the 6to4 interface.<br />
b<br />
Enumerated TCP ports 135/msrpc, 445/microsoftds, and unknown ports 5357, 49152, 49153,<br />
49154, 49155, 49156, 49157 using the Pn option<br />
c<br />
Enumerated TCP ports 119 /nntp and 32782/unknown while target is communicating over the<br />
6to4 interface.<br />
d<br />
Default scan enumerated TCP ports 22/ssh, 111/rpc bind, 119/nntp, and 2049/nfs.<br />
e<br />
Default scan enumerated TCP ports 22/ssh, 111/ rpc bind, and 119//nntp.<br />
f<br />
Not installed as part of the base installation.<br />
Ports bound to 6to4 addresses could be enumerated using the Nmap scanning tool for the<br />
Windows 2008, Windows 7, Ubuntu, FreeBSD, and Solaris targets. The Windows firewall
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
97<br />
blocked the Nmap scans in all targets except the Windows 2008 and 7 nodes which allowed a<br />
scan only using the PA (TCP ACK) or PS (TCP SYN) options on ports 135 or 445. The scans of<br />
the Windows systems revealed that the node was listening on ports for the remote procedure call<br />
service (MSRPC: TCP port 135), the Microsoft domain service port (MSDS: TCP port 445) that<br />
is used by Active Directory, and a few unknown ports. The base configurations of the Ubuntu<br />
Linux target allowed the default Nmap scans and indicated open ports for the network news<br />
transfer protocol (NNTP: TCP port 119) and an unknown port. The FreeBSD target was listening<br />
on the secure shell (SSH: TCP port 22), remote procedure call (RPC: TCP port 111), and NNTP<br />
(TCP port 119) ports. The FreeBSD node was listening on the same ports as the Solaris node<br />
with the addition of the port used by the NFS (TCP port 2049).<br />
The second attempt to enumerate services and ports was performed from inside the<br />
network on the base installation of each node. Nmap was the only tool that supported port scans<br />
on IPv6 addresses. The results of these scans from inside the network are listed in Table 22.<br />
Table 22. IPv6 Service and Port Enumeration for Base OS from Inside the Network<br />
OS Local Teredo 6to4<br />
28K Nmap a None Nmap a<br />
23K / XP - - -<br />
7 / Vista None None None<br />
Ubuntu None - None<br />
CentOS<br />
FreeBSD<br />
Solaris<br />
None<br />
Nmap c<br />
Nmap d -<br />
-<br />
-<br />
Nmap b<br />
Nmap c<br />
Nmap d<br />
Note. ISATAP and Tunnel-Brokers were not part of the base installation.<br />
a<br />
Nmap scan with -PA135 option enumerated ports 135/msrpc, 445/msds, and 49155/ unknown.<br />
b<br />
Enumerated TCP ports 22/ssh and 631/ipp using the Pn option.<br />
c<br />
Default scan enumerated TCP ports 22/ssh, 111/rpcbind, 772/unknown, and 2049/nfs open.<br />
d<br />
Default scan enumerated TCP ports 22/ssh, 111/rpcbind, and 50932/unknown.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
98<br />
Service and ports bound to 6to4 and local-link addresses were enumerated using the<br />
Nmap scanning tool for the Linux, FreeBSD, UNIX, and Windows 2008 targets. The Windows<br />
firewall configured with the private network setting blocked the Nmap scans in all targets except<br />
Windows 2008 which allowed a scan only using the PA (TCP ACK) or PS (TCP SYN) options<br />
on port 135 or 445. The scans of this node revealed listening services on the ports associated<br />
with MSRPC (TCP port 135), MSDS (TCP port 445) that is used by Active Directory, and one<br />
unknown port. The base configuration of the Ubuntu Linux target allowed the default Nmap<br />
scan; however, there were no ports open in the IPv6 address space. The CentOS target was<br />
listening on the SSH (TCP port 22) and the Internet printing protocol (IPP: TCP 631). The base<br />
configurations of the FreeBSD and UNIX targets were listening on the SSH (TCP port 22), RPC<br />
(TCP port 111), NFS (TCP port 2049), and two unknown ports (TCP ports 772 and 50932)<br />
The third attempt to enumerate services and ports was performed from outside the<br />
network on nodes that were configured for IPv6 services. Nmap was the only tool found that<br />
supported port and service enumeration on IPv6 addresses. The results of the scans on each node<br />
from outside the network are listed in Table 23.<br />
Table 23. IPv6 Service and Port Enumeration for IPv6 OS from Outside the Network<br />
OS Teredo TBroker 6to4<br />
28K None Nmap b See Table 21<br />
23K Nmap a Nmap c None<br />
7 / Vista None None See Table 21<br />
XP None None None<br />
Ubuntu Nmap d Nmap d See Table 21<br />
CentOS Nmap e Nmap e See Table 21<br />
FreeBSD Nmap f Nmap f See Table 21<br />
Solaris - - See Table 21<br />
Note. The ISATAP and link-local addresses are not global.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
99<br />
a<br />
Enumerated TCP ports 106/ pop3pw,119/ nntp, 1310/ unknown, and 19780/ unknown on one<br />
scan, no open ports on a second scan, and 119/ nntp on a third scan using –Pn option. The tool<br />
provided inconsistent results.<br />
b<br />
Enumerated TCP ports 135/ msrpc, 445/ microsoftds, 49155/ unknown using the –Pn option.<br />
c<br />
Enumerated TCP ports 135/msrpc, and 1026/LSAornterm.<br />
d<br />
Enumerated TCP port 119/nntp<br />
e<br />
Enumerated TCP ports 22/ssh and 631/ipp using –Pn option.<br />
f<br />
Enumerated TCP ports 22/ssh, 111/rpcbind, 119/nntp, and 2049/nfs<br />
The Windows firewall blocked the external Nmap scans on the Teredo and Tunnel-<br />
Broker addresses; however, the Linux and FreeBSD nodes were successfully scanned. The<br />
Windows nodes that could be scanned were listening on ports for RPC (TCP port 135), MSDS<br />
(TCP port 445), and the remote login (NTERM: TCP port 1026). The Linux and FreeBSD nodes<br />
had the SSH (TCP port 22), RPC (TCP port 111), and NNTP (TCP port 119), IPP (TCP port<br />
632), and the NFS (TCP port 2049) services bound to IPv6 addresses.<br />
The fourth attempt at enumerating services and ports was performed from inside the<br />
network on nodes that were configured for IPv6 communications. Nmap was the only tool that<br />
supported port scans of IPv6 addresses. The results of these scans are listed in Table 24.<br />
Table 24. IPv6 Service and Port Enumeration for IPv6 Enabled OS from Inside the Network<br />
OS Local Teredo ISATAP TBroker 6to4<br />
28K<br />
23K<br />
7<br />
See Table 22<br />
Nmap d<br />
See Table 22<br />
None<br />
Nmap b<br />
Nmap f<br />
Nmap a<br />
Nmap e<br />
Nmap f<br />
Nmap c<br />
Nmap d<br />
None<br />
See Table 22<br />
Nmap d<br />
See Table 22<br />
Vista See Table 22 None None None See Table 22<br />
XP None None None None See Table 22<br />
Ubuntu<br />
CentOS<br />
FreeBSD<br />
See Table 22<br />
See Table 22<br />
See Table 22<br />
Nmap g<br />
Nmap h<br />
Nmap i<br />
None<br />
-<br />
-<br />
None<br />
Nmap h<br />
Nmap i See Table 22<br />
See Table 22<br />
See Table 22<br />
Solaris See Table 22 - - - See Table 22<br />
Note.<br />
a<br />
Nmap scan with PA135 option enumerated ports 135/msrpc, 445/msds, and 49155/unknown.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
100<br />
b<br />
Enumerated TCP ports: 1218/aeroflightads, 17938/lgtomapper, and unknwn ports 122, 5718,<br />
5907, 49159, 50389. Subsequent scans were not consistent and netstat on the victim did not<br />
indicate that these ports were open. This is likely a false positive.<br />
c<br />
Enumerated TCP ports 135/ msrpc, 445/msds, 49155/unknown using the Pn option.<br />
d<br />
Enumerated TCP ports 135/msrpc, 445/msds, and 1026/LSA or nterm.<br />
e<br />
Enumerated TCP ports 135/msrpc, and 1026/LSA or nterm.<br />
f<br />
Enumerated TCP ports 135/msrpc, 445/msds, and unknown ports 5357, 49152, 49153, 49154,<br />
49155, 49156, 49157.<br />
g<br />
Enumerated TCP port 119/nntp<br />
h<br />
Enumerated TCP ports 22/ssh and 631/ipp using the Pn option.<br />
i<br />
Enumerated TCP ports 22/ssh, 111/rpcbind, 119/nntp, and 2049/nfs<br />
Services were enumerated on the Windows 7, 2003, 2008, Linux and FreeBSD nodes.<br />
The Windows 7 services were enumerated on the Teredo and ISATAP addresses. The Windows<br />
2008 services were enumerated on the ISATAP and Tunnel-Broker addresses. The Ubuntu<br />
services were enumerated on the Teredo address and the CentOS and FreeBSD services were<br />
enumerated on the Teredo and Tunnel-Broker addresses. The ports and services that were<br />
enumerated for each node are listed in the notes of Table 24.<br />
Lessons learned.<br />
Address and port enumeration of the target nodes in the study were possible from inside<br />
and outside the network. Tools that utilized router and neighbor advertisement messages were<br />
able to detect addresses configured on the local-link; however, TCP connection based tools like<br />
Nmap required the address to be known before a scan could be performed. The software<br />
firewalls configured by default on the Windows and CentOS nodes prevented many of the tools<br />
from generating positive results.<br />
The assumptions identified for this phase of the study included: (1) nodes behind a NAT<br />
will be protected from network scanners; (2) operating systems with IPv6 enabled by default will<br />
have exposed services and emanate IPv6 packets into the IPv4 network; (3) and nodes with<br />
public IPv6 addresses using transitional networks will have publically exposed services. The first
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
101<br />
assumption was proven false because the IPv6 addresses assigned to each node established a<br />
publically accessible IP address that was not restricted by private address assignments. The other<br />
two assumptions were validated in this study by the presence of IPv6 traffic in the network traces<br />
during the boot process and the successful enumeration of ports bound to IPv6 services.<br />
Exploitation<br />
The exploitation phase of the study identified tools and techniques that attacked the<br />
network topography in a transitional network. Tools and techniques were tested from inside and<br />
outside the network on nodes configured with default installations or IPv6 configured<br />
installations. This included attempts to establish rogue routers in the network and to<br />
communicate with rogue nodes. Native ICMPv6 ping6 requests were employed to establish and<br />
verify that a node was able to communicate with the rogue nodes. Router advertisements were<br />
generated using the THC-IPv6 fake_router6 function and the Netdude tool that allowed the<br />
researcher to generate and send custom packets. Additionally, DNS and network name spoofing<br />
was tested or proposed to direct the nodes to a rogue router. The tools and techniques employed<br />
in the exploitation phase of the testing are listed in Table 25.<br />
Table 25. Employed Exploitation Tools and Techniques<br />
Tool Function Commands<br />
Native RA Set the hostname for the local ISATAP router to “isatap”<br />
Native Ping >ping -6 -S <br />
>ping6 -I <br />
DNS DNS DNS injection for Teredo.ipv6.microsoft.com that pointed to attacker<br />
controlled Teredo server.<br />
THC- F_Router > ./fake_router6 /<br />
IPv6<br />
<br />
Netdude Netdude Craft and send a router advertisement packet with a global address.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
102<br />
Rogue routers and relays.<br />
A rogue router or relay alters the flow of network traffic through a point controlled by an<br />
attacker and establishes an address to attack the victim or other nodes on the network. Teredo<br />
and Tunnel-Broker addresses are configured by the Teredo or Tunnel-Broker servers during the<br />
initial communications channel negotiation; therefore, a successful result would redirect the<br />
initial negotiations to a rogue router. The ISATAP and 6to4 addresses are established using<br />
router advertisements.<br />
The first test established rogue Teredo, ISATAP, and 6to4 routers and then prompted the<br />
victim nodes to auto-configure an address from outside the network. Netdude was used to craft a<br />
custom router advertisement packet and TCPReplay was used to send the packet to the target.<br />
The results of attempting to establish a rogue router from outside the network are listed in Table<br />
26.<br />
Table 26. IPv6 Address Auto-Configuration from Outside the Network<br />
OS Teredo ISATAP 6to4<br />
28K / 7 / Vista None None None<br />
23K / XP - - -<br />
Ubuntu / CentOS / FreeBSD / Solaris - - None<br />
Note: Test performed using the Netdude tool.<br />
There were no methods discovered that configured an address on a victim node using a<br />
router advertisement from outside of the network. The Teredo and Tunnel-Broker relay<br />
addresses default to explicit domain aliases and it may be possible to spoof a DNS reply from the<br />
domains to redirect the relay server to an attacker controlled node. The ISATAP and 6to4<br />
address auto-configuration functions relied upon router advertisements and name lookup services
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
103<br />
that only operated at the local-link level. None of the nodes configured a 6to4 address when the<br />
destination of the router advertisement packet was changed to a global scope IPv6 address.<br />
The second test established rogue routers and then prompted a node to auto-configure an<br />
address from inside the network. DNS, hostname spoofing, and the THC-IPv6 fake_router6<br />
function were employed in this process. The results of attempting to establish a rogue router or<br />
relay from inside the network are listed in Table 27.<br />
Table 27. IPv6 Address Auto-Configuration from Inside the Network<br />
OS Teredo ISATAP 6to4<br />
28K / 7 / Vista DNS b RA a F_Router<br />
23K / XP - - -<br />
Ubuntu / centos / FreeBSD / Solaris - - F_Router<br />
Note.<br />
a<br />
Required the router host (ISATAP) to be a Windows node to respond via local-link Multicast<br />
Name Resolution (LLNBS) (Vista, Win 7, 28K) or Netbios Name Service (NBNS).<br />
b<br />
Teredo is disabled in the base configuration.<br />
Configuring an IPv6 address on an internal victim node from inside the network was a<br />
simple process with the 6to4 mechanism and slightly more complex with the ISATAP and<br />
Teredo mechanisms. The IP address for the default Teredo relay could be redirected to an<br />
attacker controlled relay by intercepting and replying to the DNS queries for<br />
teredo.ipv6.microsoft.com on the local-link. The default Windows installations determined the<br />
address of the local ISATAP server by broadcasting a query using LLMNR (Vista, Win 7, 28K)<br />
or Netbios name service (NBNS). A Windows node hosting the ISATAP server that was<br />
configured with “isatap” as the computer name successfully configured an ISATAP address on<br />
the victim nodes. Additionally, router advertisements broadcast to the all nodes multicast address<br />
(FF01::1) caused a 6to4 address to be configured on the victim nodes.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
104<br />
Rogue clients.<br />
The next stage of the exploitation phase attempted to establish a two-way<br />
communications channel between the victim and attacker nodes. Connectivity was verified using<br />
the native ICMPv6 ping6 tool. Table 28 lists the results of establishing a two-way<br />
communications channel with a rogue node that is located outside the network. Table 29 lists the<br />
results of establishing a two-way communications channel with a rogue node that is located<br />
inside the network.<br />
Table 28. IPv6 Communication with a Rogue Node from Outside the Network<br />
OS Teredo TBroker<br />
28K / 23K / 7 / Vista / XP Ping Ping<br />
Ubuntu / Solaris Ping Ping<br />
CentOS None Ping<br />
FreeBSD Ping a Ping a<br />
Note. The test used the 6to4 auto-configured address as the source by specifying the –S option in<br />
the ping6 command (Windows) or –I option in the Linux/BSD/Solaris nodes. The outside<br />
research node did not support the 6to4 transition mechanism.<br />
a<br />
The test was successful only when communicating over the Tunnel-Broker Interface.<br />
Table 29. IPv6 Communication with a Rogue Node from Inside the Network<br />
OS Local Teredo ISATAP b TBroker 6to4<br />
28K / 23K / XP Ping Ping Ping Ping Ping<br />
7 / Vista Ping Ping a Ping Ping Ping<br />
Ubuntu Ping None Ping Ping Ping<br />
CentOS Ping None - Ping Ping<br />
FreeBSD Ping Ping c - Ping c Ping<br />
Solaris Ping Ping - Ping Ping<br />
Note. The test used the 6to4 auto-configured address as the source by specifying the –S option in<br />
the ping6 command (Windows) or –I option in the Linux/BSD/Solaris nodes.<br />
a<br />
Was only able to communicate with the node using the Teredo interface.<br />
b<br />
The test was successful only when using the ISATAP interface.<br />
c<br />
The test was successful only when using the Tunnel-Broker Interface.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
105<br />
The victim nodes were almost always able to initiate a two-way communications channel<br />
with a rogue node that was located inside or outside the network. The CentOS node was unable<br />
to communicate over the Teredo interface to a rogue node located inside or outside the network<br />
and the Ubuntu node could not communicate to an internal node over the Teredo interface. All<br />
other attempts to initiate a two-way communications channel were successful; however, this<br />
result often depended on communicating over an interface that operated using the same transition<br />
mechanism.<br />
Lessons learned.<br />
Rogue routers were established inside the network and the victim nodes were able to<br />
initiate two-way communication channels with rogue nodes operating inside and outside the<br />
network. The assumption for this section of the study was that IPv6 traffic flows and addressing<br />
can be modified remotely using protocol attacks. This assumption has been proven partly true.<br />
Rogue routers operating inside the network successfully modified traffic and addressing on<br />
remote victim nodes using router advertisement attacks; however, success was not achieved from<br />
points outside the network.<br />
Reinforcement<br />
The reinforcement phase of the study identified tools and techniques that could be used to<br />
obfuscate an attack in a transitional network. This included methods to hide the source, context,<br />
or target of an attack. The THC-IPv6 redire6 function obfuscates the source of an attack by<br />
routing traffic through a rogue router that can modify the source details of a traffic flow.<br />
Fragmentation obfuscates the context of an attack by breaking up payloads into multiple packets<br />
and making contextual threat analysis difficult from intermediate nodes. The ability for a node to<br />
reassemble fragmented packets was tested with the ICMPv6 ping6 function. The target of an
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC 106<br />
attack is obfuscated by sending the same traffic to multiple nodes and this functionality was<br />
verified by sending ICMPv6 ping6 packets to the solicited nodes multicast address. The tools<br />
and techniques employed in the reinforcement phase of the study are listed in Table 30.<br />
Table 30. Employed Reinforcement Tools and Techniques<br />
Tool Function Commands<br />
Native FragPing >ping6 -I -s 1508 <br />
Native Multicast Assigned the same IPv6 address to multiple nodes and then pinged the<br />
Solicited node multicast addresses FF02::1:FF<br />
("Multicast IPv6 addresses," 2005)<br />
THC- Redir >./redir6 <br />
IPv6<br />
<br />
Redirect routing for a specific address to a new local-link address which<br />
appears as a neighbor discovery cache entry.<br />
Source address obfuscation.<br />
The first attempt to obfuscate the source address was performed by evaluating the<br />
correlation between the logical address assignments and the physical nodes. Address assignments<br />
that are random and change frequently can obfuscate the source of a packet. Two evaluations<br />
were performed on each node in the study. First, operating system support was determined for<br />
IPv6 privacy extensions that assigned temporary addresses to an interface. Second, operating<br />
system support was determined for assigning random interface identifiers during address autoconfiguration.<br />
A detailed address assignment listing is included in Appendix B and the results of<br />
the address evaluations are listed in Table 31.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
107<br />
Table 31. Source Address Obfuscation using IPv6 Privacy Extensions<br />
OS Local Teredo ISATAP TBroker 6to4<br />
28K / 7 / Vista R_Int T_Addr<br />
R_Int<br />
None T_Addr<br />
R_Int<br />
T_Addr<br />
R_Int<br />
23K / XP None T_Addr None T_Addr T_Addr<br />
R_Int<br />
R_Int<br />
Ubuntu None T_Addr None T_Addr T_Addr<br />
R_Int R_Int R_Int<br />
CentOS / FreeBSD None T_Addr<br />
R_Int<br />
- T_Addr<br />
R_Int<br />
T_Addr<br />
R_Int<br />
Solaris None - - - T_Addr<br />
R_Int<br />
Note: R_Int = Node supported random interface ids. T_Addr = Node supported temporary<br />
addresses.<br />
IPv6 address randomization is possible on all nodes, either because the interface portion<br />
is randomized by default or because the MAC addresses can be manually changed with registry<br />
settings or configuration files. Local-link addresses were linked to the interface MAC addresses<br />
on all nodes except for the Windows 7, 2008, and Vista nodes. Teredo, 6to4, and Tunnel-Broker<br />
addressing randomized the local portion of the address. Teredo and 6to4 addresses contained the<br />
public IPv4 address used by the interface; however, the true source could be obfuscated in a<br />
network that shares a public IPv4 address among more than one node. The Tunnel-Broker<br />
interface generated an anonymous interface ID that requires input from the service provider to<br />
determine the source IPv4 address. The service provider was determined using a whois query on<br />
the first four octets of the configured address. ISATAP provided a fixed address for an interface<br />
based on the router prefix; however, the attacker could obfuscate the address if they were in<br />
control of the router advertisement that was sent.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
108<br />
The second attempt to obfuscate the source address utilized IPv6 router redirects that<br />
altered the flow of traffic through a rogue router for a particular destination address. The rogue<br />
router would forward the traffic and alter the source address to hide the true origin of the packets.<br />
The THC-IPv6 redirect6 function was used to redirect traffic from the target nodes to the<br />
specified address. The results of redirecting traffic using this tool are included in Table 32. The<br />
local-link, 6to4, and ISATAP addresses on a local network were redirected to a secondary router<br />
controlled by an attacker. The tool created neighbor cache records on the target node for the<br />
destination and the new router. The new forwarding router is obtained from the neighbor cache<br />
when the target sends packets to the rerouted destination address.<br />
Table 32. Source Address Obfuscation in a Two-Way Channel using IPv6 Router Redirects<br />
OS Local Teredo ISATAP TBroker 6to4<br />
28K / 23K / 7 / Vista / XP Redir None Redir None Redir<br />
Ubuntu Redir None Redir None Redir<br />
CentOS / FreeBSD Redir None - None Redir<br />
FreeBSD Redir None - None Redir<br />
Solaris Redir - - - Redir<br />
Note. The results are based on observations of the neighbor cache after running the specified<br />
tool; however, successful two-way communications could not be verified because the simulated<br />
network did not support multiple routers operating in the same network.<br />
Data obfuscation.<br />
The attempt to obfuscate the data in a packet employed payload fragmentation that<br />
divided the context of a single commutations chain into multiple packets. First, the Netdude tool<br />
was used to construct and TCPReplay was used to send fragmented ICMPv6 ping6 packets<br />
containing a word that was divided over two packets. Second, the native ping6 function was<br />
utilized to construct and send fragmented ICMPv6 packets and verify that each node<br />
reassembled the fragments and responded to the request. The nodes that successfully responded
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC 109<br />
to the fragmented ping6 request are listed in Table 33. All nodes that responded to ICMPv6<br />
ping6 requests correctly handled fragmented packets.<br />
Table 33. Data Obfuscation in a Two-Way Channel using IPv6 Fragments<br />
OS Local Teredo ISATAP TBroker 6to4<br />
28K / 7 / Vista FragPing None a FragPing FragPing FragPing<br />
23K / XP FragPing FragPing FragPing FragPing FragPing<br />
Ubuntu FragPing FragPing FragPing FragPing FragPing<br />
CentOS / FreeBSD FragPing FragPing - FragPing FragPing<br />
Solaris FragPing - - - FragPing<br />
Note. All nodes were tested with the firewall disabled.<br />
a<br />
The node did not respond to non-fragmented ping6 requests.<br />
Destination address obfuscation.<br />
The attempt to obfuscate the destination address of a source utilized the solicited node<br />
multicast address to create a two-way communications channel with multiple destination nodes.<br />
First, two nodes were assigned a 6to4 address where the last three octets of the interface<br />
identifier were equal. Second, communications with both nodes was verified when both nodes<br />
replied to a single ICMPv6 ping6 request sent to the solicited nodes multicast address. Table 34<br />
lists the nodes that responded to the ping6 request that was sent to the solicited node multicast<br />
address.<br />
Table 34. Destination Address Obfuscation in a Two-Way Channel using IPv6 Multicast<br />
OS<br />
28K / 7 / Vista / XP<br />
23K<br />
Ubuntu / CentOS / FreeBSD / Solaris<br />
Local<br />
None<br />
Multicast<br />
Multicast
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
110<br />
Lessons learned.<br />
Tools and techniques were identified that obfuscated the source addresses, data, and<br />
destination addresses of an IPv6 traffic flow. The assumptions for this stage of the study were:<br />
(1) Privacy extensions, redirects, and address auto-configuration protocols can be used to<br />
obfuscate traffic from an attacker and it will not be possible to determine the true source. (2)<br />
Fragmentation can be used to obfuscate the port or source address for a traffic flow. (3) Multicast<br />
or anycast addressing can be used to obfuscate the source or destination node in an attack. The<br />
first assumption was validated for a multi-node internal network with a shared public IPv4<br />
address; however, the true source could be determined from the Teredo, ISATAP or 6to4 address<br />
in a network containing a single node. The study did not validate the second assumption because<br />
the researcher could not find a method to obfuscate the headers containing the addresses or port<br />
numbers. The third assumption was validated by establishing a two-way communications<br />
channel between two hosts using the solicited nodes multicast address.<br />
Consolidation<br />
The consolidation phase of the study identified methods to create a persistent backdoor<br />
into a transitional network using IPv6. The Netcat tool that is part of the Nmap installation<br />
included a version of Netcat that supports IPv6 addressing, secure socket layer (SSL) encryption,<br />
and remote shell execution. The command sequences that established a remote shell on the<br />
Linux, FreeBSD, and Windows nodes from the Linux research node are listed in Table 35. The<br />
results of attempting to establish a remote shell on each node are listed in Table 36.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
111<br />
Table 35. Employed Consolidation Tools and Techniques<br />
Tool Function Commands<br />
Netcat Nc_Win Listening/Victim<br />
>ncat -l6p -ssl -e cmd.exe<br />
Connecting/Attacker (Linux)<br />
>ncat -6 -ssl <br />
Netcat Nc_Lin Listening/Victim<br />
>ncat -l6p -ssl -c /bin/bash<br />
Connecting/Attacker (Linux)<br />
>ncat -6 -ssl <br />
Table 36. Persistent IPv6 Backdoor<br />
OS<br />
Technique Used<br />
28K / 23K / 7 / Vista / XP<br />
Nc_Win<br />
Ubuntu / CentOS / FreeBSD<br />
Nc_Lin<br />
Solaris -<br />
Note. Firewalls were disabled on all nodes for the test.<br />
An encrypted remote shell was established between the target nodes and the research<br />
node using the Netcat tool and the 6to4 addresses. The assumption for this section of the study<br />
was: A remote command shell can be created through a transitional network over IPv6 using<br />
common tools. This assumption was validated because the Netcat tool is a common tool that<br />
successfully established a remote command prompt using IPv6.<br />
Pillage<br />
The pillage phase of the study addressed additional risks that should be considered in a<br />
transitional network. Covert channels were assumed to be the primary risk factor for this phase.<br />
Although, risk ratings for various scenarios may differ by environment, data leakage would<br />
normally be a major concern. The testing and analysis in this study revealed a few of the possible
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC 112<br />
techniques that could be used to create covert channels using IPv6 transition mechanisms. First,<br />
data can be hidden in extension headers. Second, invalid or unnecessary extension headers that<br />
would normally be discarded by the host can be used to carry covert data channels. Finally,<br />
unused fields that are part of the IPv6 or transition mechanism can use used for covert channels.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
113<br />
Chapter 5 – Conclusions<br />
This study investigated the nature of IPv6 traffic in a transitional network to develop a<br />
new methodology for network forensic analysis. The results of this study have implications on<br />
two of the digital forensic process steps presented in chapter 2. First, a better understanding of<br />
the characteristics and behaviors of operating systems and transition mechanisms supplemented<br />
the process step, “provide training and tools,” that was defined by Carr, Gunsch, and Reith<br />
(2002), Ciardhuáin (2004), Shin (2008), and Mandia and Prosise (2001). Second, a new<br />
methodology was developed to address IPv6 traffic in a transitional network to support the<br />
process step, “analyze and document,” that was defined by Carr, et al. (2002), Cohen (2009),<br />
Shin (2008), the DOJ (2001), Mandia and Prosise (2001), Palmer (2001), Carrier and Spafford<br />
(2003), and Casey (2000). While these contributions begin to address deficiencies in digital<br />
forensic research, there remains a need to develop additional details in the discipline as well as a<br />
unification of forensic frameworks from which to base future efforts in the field.<br />
Implications of IPv6 Transition Mechanisms in <strong>Digital</strong> Forensics<br />
The IPv6 transition mechanisms have the most significance on the forensic pursuit of<br />
questioning who was involved in a particular event and how the event occurred. Analysts and<br />
investigators must understand how their processes will change when dealing with a transitional<br />
network.<br />
First, the addressing scheme changes from 32 bits to 128 bits when analyzing a<br />
transitional network and the lack of IPv6 addresses in a network trace does not imply the absence<br />
of IPv6 traffic. The 128 bit addressing scheme of various IPv6 transition mechanisms was<br />
adequately described by Nikkel (2007), Conta, and Deering (1998), Deering, Haberman, Jinmei,<br />
Nordmark, and Zill (2005); although, additional details were necessary for forensic analysis. For
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
114<br />
example, traffic sourcing often required converting a portion of a hexadecimal (base 16) IPv6<br />
address to a decimal (base 10) IPv4 address. Also, tunneling mechanisms like Teredo and<br />
Tunnel-Broker encapsulated IPv6 packets inside IPv4 traffic; therefore, IPv6 packets were<br />
observed traversing the network even when the network trace lacked packets with IPv6<br />
addresses.<br />
Second, the numbers of distinct packet source addresses representing a single node in a<br />
network are significantly higher in a transitional network than in an IPv4 network. Mechanisms<br />
like Teredo and Tunnel-Brokers generated new addresses as frequently as every few minutes.<br />
IPv6 address auto-configuration and privacy extensions produced new addresses approximately<br />
every 24 hours or at an interval selected by the user. This problem altered the methods used to<br />
correlate events and source traffic. Event correlation accuracy may be enhanced by linking<br />
packets to the IPv4 gateway address that is embedded in the IPv6 source address; however, this<br />
also may decrease accuracy when more than one node shares an IPv4 address. The public source<br />
IPv4 address embedded in the IPv6 address may lead to a physical network; although, node<br />
based address assignments lacked a centralized address logging mechanism that would allow an<br />
analyst or investigator to determine the physical source in a multi-node network. This<br />
characteristic may be used to support legal defense arguments and further strengthen Losavio’s<br />
(2005) argument that successful prosecution of digital cases requires streams of collaborating<br />
evidence.<br />
Third, IPv6 transition mechanisms establish a globally accessible address that exposes a<br />
node to external attacks that were previously mitigated through the use of NAT on an IPv4<br />
network. Nearly all of the operating systems automatically configured a global 6to4 address that<br />
was addressable from outside the NAT used in the study. Analysts and investigators should
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
115<br />
approach an investigation with the assumption that each node is globally addressable so that the<br />
full range of possible event sequences is considered.<br />
Finally, Vives and Palet (2005), Caicedo, Joshi, and Tuladhar (2009), Davies, Krishnan,<br />
and Savola (2007), Emre and Ali (2010)and Nikkel (2007) correctly stated that IPv6 support is<br />
already included in many standard forensic tools; however, the limitations of these tools prevents<br />
the types of analysis that is possible in an IPv4 network. For example, the researcher was unable<br />
to find a tool that scans a range of IPv6 addresses to solve the address enumeration problems<br />
discussed by Zagar, Grgic, and Rimac-Drlje (2007) and Convery and Miller (2004).<br />
Additionally, many of the tools and techniques discussed in the research were not designed to<br />
target external nodes. The most useful tools, like Metasploit and THC-IPv6 (Caicedo, et al.,<br />
2009), provided functionality using local router advertisements and multicast traffic that can only<br />
be sent to other directly connected nodes.<br />
Operating System Behavior in a Transitional Network<br />
This study focused on the current distributions of the Windows, Ubuntu, CentOS,<br />
FreeBSD, and Solaris operating systems. All of these operating systems, except for Windows<br />
2003 and XP, configured global 6to4 and link-local IPv6 addresses after a default installation.<br />
This behavior required a 6to4 router to be present in the network; however, the researcher did not<br />
install or configure a device to provide this functionality. The Teredo, Tunnel-Broker and<br />
ISATAP mechanisms required additional configuration or third-party installations that are<br />
accurately described in instruction manuals for Oracle Solaris (2009) or FreeBSD (2010) and<br />
research by Tulloch (2006), Tulloch, Northrup, Honeycutt, and Wilson (2010), J. Davies (2008),<br />
Ercferret (2010), and Faye (2008). These sources provided configuration procedures;<br />
nevertheless, they lacked the details needed by forensic analysts and investigators.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
116<br />
Windows 2008, 7 and Vista.<br />
Forensic analysts and investigators will observe IPv6 traffic from Windows 7, 2008 and<br />
Vista in network traces unless the protocol and transition mechanisms are disabled. The most<br />
recent versions of Windows natively supported the 6to4, Teredo, and ISATAP transition<br />
mechanisms and third-party support if available for the Tunnel-Broker mechanism. The 6to4<br />
mechanism was enabled in the default installations of these operating systems. The link-local and<br />
ISATAP addressing schemes were static while the other assigned addresses were randomly<br />
generated. The Nmap tool was able to enumerate addresses and services on the Windows 7 and<br />
2008 nodes from outside the network; although, the Windows Vista firewall blocked the inbound<br />
scans. Address and port enumeration was successful from inside the network using Nmap,<br />
sniffing, and other tools. Additionally, the Windows firewall protected the nodes from most<br />
uninitiated inbound IPv6 traffic; however, malicious router advertisements, fragments, and<br />
backdoor techniques were successfully employed against these nodes.<br />
Windows 2003 and XP.<br />
IPv6 traffic from Windows 2003 and XP will not be observed in network traces unless<br />
the protocol is installed by the user. The default installations of these older distributions were not<br />
configured with IPv6 support. After the user installed IPv6, MAC based link-local and 6to4<br />
addresses were automatically assigned to the interfaces with optional support for privacy<br />
extensions. The ISATAP, Teredo, and Tunnel-Broker mechanisms were easily installed and<br />
configured on these nodes. The Windows 2003 node was found to be vulnerable to Nmap and<br />
Ping scans from inside and outside the network because the Windows firewall was disabled in<br />
the default state. Windows XP was vulnerable to Ping scans from outside the network and<br />
sniffing, ping scans, and other tools from inside the network. Nmap was unable to scan the XP
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
117<br />
node from inside or outside the network because of the Windows firewall. Additionally,<br />
malicious router advertisements, fragments, and backdoor techniques were successfully<br />
employed against these nodes.<br />
Ubuntu and CentOS Linux.<br />
Forensic analysts and investigators will observe IPv6 traffic from Ubuntu and CentOS<br />
distributions of Linux in network traces when the protocol is installed during or after the<br />
installation process. These two distributions of Linux configured 6to4 and link-local addresses<br />
when the IPv6 option was selected during the installation process. The 6to4 and link-local<br />
addresses were based on the interface MAC address with optional support for privacy extensions<br />
that generated random addresses. Teredo, Tunnel-Broker, and ISATAP support required thirdparty<br />
packages to be installed that were available from the native package manager on the<br />
Ubuntu node or from source code on the CentOS node. The software firewall that was enabled<br />
by default in the CentOS distribution protected the 6to4 interface from uninitiated inbound IPv6<br />
traffic; however, the node was still vulnerable to Nmap scans from outside the network over the<br />
Teredo and Tunnel-Broker interfaces and to Nmap, ping, and other scans from inside the<br />
network. The Ubuntu distribution was not protected by a firewall; therefore, it was vulnerable to<br />
Nmap and ping scans from both inside and outside the network. Additionally, the Linux nodes<br />
were vulnerable to the malicious router advertisements, fragments, solicited node pings, and<br />
backdoor techniques that were employed during the study.<br />
FreeBSD and Solaris UNIX.<br />
IPv6 traffic from the FreeBSD and Solaris UNIX nodes will be observed in network<br />
traces if the protocol is installed during or after installation. Both distributions natively supported<br />
link-local and 6to4 addressing and Teredo, Tunnel-Broker, and ISATAP support required source
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
118<br />
code installations. The FreeBSD ports collection contained source code installations that<br />
provided support for Teredo and the Tunnel-Broker; however, the complexity of program<br />
dependencies and space limitations prevented the configuration of third-party transition<br />
mechanisms on the Solaris node. Both nodes configured MAC based 6to4 and link-local<br />
addresses with optional support for privacy extensions that provided randomly generated<br />
addresses. Both nodes were vulnerable to scans from Nmap, ping, and other tools from inside<br />
and outside the network. Additionally, the nodes were vulnerable to the malicious router<br />
advertisements, fragments, solicited node pings, and backdoor techniques that were employed<br />
during the study.<br />
Forensic Properties of IPv6 Transition Mechanisms<br />
This study evaluated network communications using local-link addresses and the 6to4,<br />
Teredo, ISATAP, and Tunnel-Broker transition mechanisms. Huang, Wu, and Lin (2005),<br />
Huitema (2006), Visoottiviseth and Bureenok (2008), Durand, Fasano, Guardini, and Lento<br />
(2001), and others have adequately discussed the implementations, architectures, and addressing<br />
schemes of these mechanisms; nevertheless, forensic analysts and investigators require<br />
additional details that are not contained in this research.<br />
Link-local.<br />
Link-local addresses are prefixed with FE8::/10 and are assigned to each interface on a<br />
node (Friacas, Baptista, Domingues, & Ferreira, 2006). The Windows 7, 2008, and Vista nodes<br />
assigned a random 64 bit interface identifier to the prefix and the Windows 2003, XP, Linux,<br />
FreeBSD, and Solaris nodes generated an interface address where the last three octets of the<br />
address matched the last three octets of the interface MAC address. The source of a local-link<br />
packet that is not spoofed can be determined by determining the MAC address contained in the
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
119<br />
Ethernet header and comparing the value to the interfaces installed on other nodes that have a<br />
direct network path to the host.<br />
Event correlation can be performed on either the link-local address or the source MAC<br />
address. Normal local-link traffic includes DHCPv6 (UDP), router solicitations (ICMPv6 type<br />
133), neighbor solicitations (ICMPv6 type 135), neighbor advertisements (ICMPv6 type 136),<br />
LLMNR queries or responses, multicast domain name system (MDNS UDP) queries or<br />
responses, and router advertisements (ICMPv6 type 134) that advertise legitimate router<br />
prefixes. Other traffic using local-link addresses would be considered suspicious unless a<br />
legitimate purpose for the communications was established. Malicious traffic includes router<br />
advertisements (ICMPv6 type 136) and redirects (ICMPv6 type 137) that originate from<br />
illegitimate sources.<br />
6to4.<br />
The 6to4 transition mechanism generates global addresses that are prefixed with<br />
2002::/16 and are assigned to the physical network card that possessed WAN connectivity<br />
(Friacas, et al., 2006). The address schema (2002:PPPP:PPPP:SSSS::IIII) consists of the prefix<br />
(2002), IPv4 address that is used as a gateway (P), a subnet identifier (S), and the interface<br />
identifier (I) (Friacas, et al., 2006; Hsieh & Kao, 2005; Jamhour & Storoz, 2002). The Windows<br />
7, 2008, and Vista nodes assigned a random 64 bit interface identifier to the prefix and the<br />
Windows 2003, XP, Linux, FreeBSD, and Solaris nodes generated an interface address where<br />
the last three octets of the address matched the last three octets of the interface MAC address.<br />
A definitive destination network can be determined from a 6to4 address that is not<br />
spoofed; however, the physical location of the source node may be ambiguous. The source<br />
network of the traffic was determined by converting the gateway IPv4 address (P)
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
120<br />
(PPPP:PPPP 16 =PP.PP.PP.PP 10 ) from hexadecimal to decimal notation and pursuing traditional<br />
forensic techniques to determine the physical source of the traffic. The physical source node can<br />
be determined if the node is assigned a static IPv4 address, is the only node on the network<br />
assigned to the public IP address, or is using a MAC based address scheme. When privacy<br />
extensions are enabled or the network node is running Windows 7, 2008 or Vista, the physical<br />
source node is determined by locating the node that is advertising the address prefix and then<br />
finding the local node that sent neighbor solicitations (ICMPv6 type 135) for that address.<br />
Unfortunately 6to4 addresses may change frequently; therefore, physical sourcing often depends<br />
on having packet capture capabilities in place during the events in question.<br />
Event correlation can be performed on the entire 6to4 address or the portion of the<br />
address that represents the gateway or subnet identifier. The 6to4 address may be used to<br />
communicate with external nodes. Normal 6to4 traffic includes neighbor solicitations (ICMPv6<br />
type 135), neighbor advertisements (ICMPv6 type 136), and router advertisements (ICMPv6<br />
type 134) that advertise legitimate router prefixes. Other traffic using 6to4 addresses would be<br />
considered suspicious unless a legitimate purpose for the communications was established.<br />
Malicious traffic includes router advertisements (ICMPv6 type 136) and redirects (ICMPv6 type<br />
137) that originate from illegitimate sources.<br />
Teredo.<br />
Teredo is a tunneling mechanism that generates global addresses with the 2001:0000::/32<br />
prefix (Huang, et al., 2005). Windows nodes established a Teredo interface and configured an<br />
address that was assigned by the Microsoft Teredo server when a node had internet connectivity;<br />
although, Teredo communications was disabled by the firewall in the default state. The Linux<br />
and FreeBSD nodes required the third-party application Miredo to be installed to communicate
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
121<br />
using the Teredo mechanism. The Teredo address<br />
(2001:0:TTTT:TTTT:XXXX:PPPP:NNNN:NNNN) consists of the prefix (2001:0), 32 bit IPv4<br />
address of the Teredo server (T), 16 bit flags (X), FFFF XOR of the 16 bit assigned port number<br />
of the public NAT connection (P), and the FFFF:FFFF XOR of the 32 bit assigned IPv4 address<br />
of the public NAT connection (N) (Huang, et al., 2005).<br />
A definitive destination network can be determined from a Teredo address that is not<br />
spoofed; however, the physical location of the source node may be ambiguous without log data<br />
that correlates internal nodes with outbound ports. The source IPv4 address of a Teredo packet<br />
can be determined by calculating the exclusive OR of the last four octets (N) of the Teredo<br />
address and FFFF:FFFF and then converting the result from hexadecimal to decimal<br />
(FFFF:FFFF XOR NNNN:NNNN = XXXX:XXXX 16 = XX.XX.XX.XX 10 ). For example, the<br />
source IPv4 network in the Teredo address 2001:0:53AA:64C:3C6F:80B:DF4D:0117 is<br />
determined using the formula: DF4D:0117 XOR FFFF:FFFF = 20B2:FEE8 = 20.B2.FE.E8 16 =<br />
32.178.254.232 10 . The port number that the internal node used to communicate using the Teredo<br />
interface can be determined by calculating the exclusive OR of the two octets preceding the<br />
source IPv4 address and FFFF and then converting to result from hexadecimal to a decimal. In<br />
the preceding example, the port number would be determined with the following formula: 080B<br />
XOR FFFF = F7F4 16 = 63,476 10 . The physical source of a packet would be definitive if the<br />
source’s IPv4 address was statically assigned or there was only one node on the network. Logs<br />
that capture port to node assignments or traffic captures that lead to MAC addresses would be<br />
needed to trace the physical source of the Teredo traffic if the node was part of a multi-node<br />
network that shared the public IPv4 address.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
122<br />
Event correlation can be performed on the entire Teredo address or a portion of the<br />
address that represents the source’s public IPv4 address or port number. Teredo is used to<br />
communicate with external IPv6 hosts over an encapsulated IPv4 channel. Normal Teredo traffic<br />
includes router solicitations (ICMPv6 type 133), router advertisements (ICMPv6 type 134) that<br />
advertise the Teredo prefix, Teredo packets without a payload (Bubble packets), and DNS<br />
queries and responses that determine the IPv4 address of the Teredo server. Other IPv6 traffic<br />
from the Teredo addresses or IPv4 traffic between the host and the Teredo server would be<br />
considered suspicious unless a legitimate purpose for the communications was established.<br />
ISATAP.<br />
The ISATAP mechanism assigns a custom prefix to a node with the last 32 bits of the<br />
address containing the IPv4 address of the node. The Windows and Linux nodes automatically<br />
configured an ISATAP address when they located an ISATAP router that answered LLMNR or<br />
NetBIOS (NBNS) name queries for “isatap”.<br />
A definitive destination node can be determined from an ISATAP address that is not<br />
spoofed if the IPv4 address can be traced back to a physical node. The prefix used in an ISATAP<br />
address can be based on a public IPv6 address, a local address, or another transition mechanism.<br />
A whois query of the public IPv6 address or an analysis of the transition mechanism address will<br />
lead to the location of the ISATAP router. The physical source node on the local network can be<br />
determined by tracing the IPv4 address contained in the last 32 bits of the ISATAP address to the<br />
physical nodes connected to the same network as the router.<br />
Event correlation can be performed on the ISATAP address. This transition mechanism<br />
facilitates local or remote communications with other IPv6 nodes. Normal traffic includes router<br />
advertisements (ICMPv6 type 134), NetBIOS name service (NBNS) queries and responses for
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
123<br />
“ISATAP” and LLMNR queries and responses for “ISATAP”. Other IPv6 traffic would be<br />
considered suspicious unless a legitimate purpose for the communications was established.<br />
Malicious traffic includes router advertisements (ICMPv6 type 136) and redirects (ICMPv6 type<br />
137) that originate from illegitimate sources.<br />
Tunnel-Broker.<br />
The Tunnel-Broker mechanism configured a global address that was assigned by the<br />
service provider. The Windows, Linux, FreeBSD, and Solaris nodes required the installation of<br />
third-party applications to communicate using the Tunnel-Broker mechanism. The interface<br />
identifier on the assigned IPv6 addresses changed as frequently as every few minutes; although,<br />
a static address could be obtained after establishing a free account with the service provider.<br />
Traffic that originated from Tunnel-Broker clients had an IPv6 address that was registered to a<br />
Tunnel-Broker service provider. The physical source of the traffic can only be determined with<br />
cooperation from the service provider to trace the packets back to the IPv4 address of the source<br />
node.<br />
Event correlation can be based on a static Tunnel-Broker address; however, anonymous<br />
addressing schemes require correlating to the prefix assigned to the service provider. Normal<br />
Tunnel-Broker traffic includes IPv4 packets with a source or destination address assigned to the<br />
tunnel server endpoint. These packets include an initial conversation with payloads containing<br />
setup parameters and then subsequent communications that maintain the connection state.<br />
Suspicious traffic includes any other IPv4 traffic with the source or destination of the tunnelserver<br />
that contains encapsulated IPv6 packets.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
124<br />
Proposed Methodology for the Forensic Analysis of IPv6 Traffic in a Transitional Network<br />
The purpose of this study was to present a methodology for properly analyzing and<br />
investigating IPv6 traffic within transitional networks to help forensic analysts and investigators<br />
recognize IPv6 based attack vectors. This methodology applies to five key network forensic<br />
process steps: investigating physical nodes, analyzing network traces, sourcing addresses,<br />
correlating events, and identifying threats.<br />
Physical node investigation.<br />
Understanding the state of IPv6 transition mechanisms installed on a physical node is an<br />
important consideration for network forensic analysis. Figure 8 illustrates the proposed process<br />
flow methodology for determining the state of IPv6 transition mechanism installed on a node<br />
running the Windows, Linux, FreeBSD, or UNIX operating systems. The flow is designed to be<br />
iterative and repeat from the beginning for every targeted interface and IPv6 address.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
125<br />
Windows<br />
Linux/BSD/UNIX<br />
Run ipconfig<br />
Run ifconfig<br />
yes<br />
Multiple address<br />
yes<br />
6to4 with<br />
privacy extensions<br />
Interface<br />
has IPv4 Internet<br />
connectivity<br />
no<br />
yes<br />
Evaluate assigned<br />
addreses<br />
IPv6<br />
address with<br />
2002<br />
prefix<br />
no<br />
IPv6<br />
address with<br />
FE8<br />
prefix<br />
yes<br />
no<br />
6to4<br />
Link-local<br />
Run whois query on<br />
global IPv6 address<br />
no<br />
Other<br />
IPv6 prefixs<br />
yes<br />
Dual-stack IPv6 or<br />
another mechanism<br />
no<br />
IPv6 not Installed<br />
on the interface<br />
2001:0<br />
prefix and<br />
results indicate<br />
IANA Reserved<br />
Block<br />
no<br />
Result<br />
indicates known<br />
Tunnel-Broker<br />
provider<br />
yes<br />
yes<br />
Teredo<br />
Tunnel-Broker<br />
no<br />
Evaluate Installed<br />
programs<br />
Tunnel-Broker<br />
software created<br />
interface<br />
no<br />
yes<br />
Result = node<br />
IPv4 address<br />
no<br />
yes<br />
IPv6<br />
address with<br />
FE8<br />
prefix<br />
yes<br />
ISATAP<br />
Link-local<br />
Convert last 4 octets<br />
of IPv6 address to<br />
decimal (IPv4 address)<br />
no<br />
Dual-stack or<br />
another mechanism<br />
Figure 8. IPv6 Transition Mechanism State Determination in Win, Linux, BSD, and UNIX<br />
Network traces analysis.<br />
Accurate network trace analysis depends on understanding if traffic has flowed through<br />
an IPv6 transition mechanism. The proposed process flow methodology is illustrated in Figure 9.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
126<br />
It is designed to follow an iterative analysis process that repeats for each group of conversations<br />
that has not been classified.<br />
Start<br />
Filter IPv6 packets<br />
ie.freenet6.net<br />
and sixxs.net<br />
Tunnel-<br />
Broker domains<br />
observed<br />
yes<br />
Endpoint<br />
is an ISATAP<br />
server<br />
ie.teredo.ipv6.microsoft.com and<br />
teredo.remlab.net<br />
yes<br />
Tunnel-Broker<br />
and ISATAP<br />
no<br />
no<br />
Tunnel-Broker<br />
IPv6<br />
packets<br />
observed<br />
no<br />
Resolve IPv4<br />
addresses<br />
yes<br />
Teredo<br />
domains<br />
observed<br />
yes<br />
Endpoint<br />
is an ISATAP<br />
server<br />
yes<br />
Teredo<br />
And ISATAP<br />
yes<br />
Filter Teredo<br />
packets<br />
yes<br />
2001<br />
address prefix<br />
observed<br />
no<br />
no<br />
Teredo<br />
No transition<br />
mechanisms<br />
Teredo<br />
packets<br />
observed<br />
no<br />
FE8<br />
address prefix<br />
observed<br />
yes<br />
Local-Link<br />
no<br />
List IPv6 endpoint<br />
addresses<br />
2002<br />
Endpoint<br />
no<br />
address prefix yes is an ISATAP yes 6to4 and ISATAP<br />
observed<br />
server<br />
no<br />
no<br />
6to4<br />
Resolve IPv6<br />
addresses<br />
Endpoint<br />
is an ISATAP<br />
server<br />
yes<br />
ISATAP<br />
no<br />
Native IPv6 or<br />
other mechanism<br />
Figure 9. IPv6 Transition Mechanism Detection in a Network Trace<br />
Event Correlation.<br />
Event correlation associates similar activities in a trace to better understand what is<br />
occurring and who is responsible. Correlation is often based on the source IP address; however,<br />
some of the IPv6 transition mechanisms in this study established dynamic addresses that changed
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC 127<br />
frequently. Table 37 presents the address schemas for each transition mechanism and possible<br />
traffic correlation elements that can be used to develop a better understanding of network events.<br />
Table 37. IPv6 Transition Mechanism Address Correlation Elements<br />
Transition<br />
Mechanism Address Schema Correlation Elements<br />
6to4 2002:PPPP:PPPP:SSSS::IIII Entire Address<br />
(P=node GW, S=subnet, I=interface ID) PPPP:PPPP<br />
PPPP:PPPP:SSSS<br />
Teredo 2001:0:TTTT:TTTT:FFFF:PPPP:NNNN:NNNN Entire Address<br />
(T=Teredo GW, F=flags, P=port, N=node GW) NNNN:NNNN<br />
PPPP:NNNN:NNNN<br />
ISATAP XXXX::XXXX:MMMM:MMMM Entire Address<br />
Tunnel<br />
(X=prefix, M=node IPv4 Address)<br />
XXXX::YYYY<br />
Entire Address<br />
Broker (X=Tbroker range, Y=node/client ID) XXXX<br />
Threat Identification.<br />
The classification of network events in a transitional network depends on understanding<br />
the nature of normal, suspicious, and malicious traffic. Table 38 presents a list of traffic<br />
classifications that were observed in this study to help the analyst or investigator understand the<br />
nature of the traffic observed in a network trace. Each environment has unique characteristics;<br />
therefore, this list is designed to establish a generic baseline from which to develop a<br />
classification scheme for a particular environment.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
128<br />
Table 38. IPv6 Transition Mechanism Traffic Classification Scheme<br />
Transition<br />
Suspicious<br />
Mechanism Normal Traffic Traffic Malicious Traffic<br />
Link-Local DHCPv6<br />
LLMNR<br />
MDNS<br />
Router Solicit. (T133)<br />
Router Ads. (T134)<br />
Neighbor Solicit. (T135)<br />
Neighbor Ads. (T136)<br />
6to4<br />
Router Ads. (T134)<br />
Neighbor Solicit. (T135)<br />
Neighbor Ads. (T136)<br />
Teredo IPv4 DNS Query<br />
Teredo Bubble packets<br />
Router Solicit. (T133)<br />
Router Ads. (T134)<br />
ISATAP NBNS Queries for isatap<br />
LLMNR Queries for isatap<br />
Router Ads. (T134)<br />
Tunnel-Broker<br />
All other unknown Unknown Router Ads<br />
traffic<br />
Redirects (T137)<br />
All other unknown Unknown Router Ads<br />
traffic<br />
Redirects (T137)<br />
All other unknown<br />
traffic<br />
All other unknown Unknown Router Ads<br />
traffic<br />
Redirects (T137)<br />
All other unknown<br />
traffic<br />
Addresses sourcing.<br />
Issue resolution or criminal prosecution depends on tracing packets back to the physical<br />
machine from which it originated. Figure 10 to 14 illustrate a methodology for tracing a source<br />
address for each transition mechanism. The proposed process flow utilizes the sourcing<br />
techniques developed in this study; although, the result may lead to an inconclusive or inaccurate<br />
result if the results are not substantiated with information from other sources.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
129<br />
Figure 10. Physical Source Node Determination from a Link-Local Address<br />
6to4<br />
Convert octet 3 to 6 of IPv6<br />
address to decimal to obtain<br />
gateway IPv4 address.<br />
i.e. Convert part P in address<br />
2002:PPPP:PPPP:SSSS::IIII where<br />
PPPP:PPPP 16 = PP.PP.PP.PP 10<br />
Trace IPv4 address of<br />
gateway to network node.<br />
Static<br />
IPv4 address or<br />
single-node<br />
network<br />
yes<br />
Physical source<br />
no<br />
Run address trace route<br />
to find final hop switch<br />
Node responded<br />
yes<br />
Locate node with<br />
configured address<br />
Physical source<br />
i.e. Part M in address<br />
2002::XXXX:XXMM:MMMM equals<br />
part A in the node MAC address<br />
where the interface MAC =<br />
XX:XX:XX:AA:AA:AA<br />
no<br />
Compare last 3 octets of<br />
address to last 3 octets of<br />
MAC on local nodes<br />
Match<br />
found and OS<br />
is Win 23K, XP,<br />
Linux, BSD,<br />
or UNIX<br />
yes<br />
Physical source<br />
no<br />
Obtain logs or<br />
network traces of<br />
switch traffic during<br />
the time period in<br />
question<br />
Filter for link-local<br />
addresses with same<br />
interface ID<br />
i.e. Locallink address calculated form<br />
portion E in 6to4 address<br />
2002:XXXX::EEEE:EEEE:EEEE:EEEE =<br />
FE80::EEEE:EEEE:EEEE:EEEE<br />
Traffic found<br />
yes<br />
Compare source<br />
MAC to local<br />
nodes<br />
Match found<br />
yes<br />
Physical source<br />
no<br />
Filter for traffic<br />
containing the same<br />
address<br />
Traffic found<br />
yes<br />
no<br />
Inconclusive: Node not<br />
found or MAC altered<br />
no<br />
Figure 11. Physical Source Node Determination from a 6to4 Address
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
130<br />
Figure 12. Physical Source Node Determination from a Teredo Address<br />
Figure 13. Physical Source Node Determination from a ISATAP Address<br />
Figure 14. Physical Source Node Determination from a Tunnel-Broker Address
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
131<br />
Limitations and Future Research<br />
This study was limited by resource availability and scope in four primary areas. First, the<br />
researcher did not have access to every operating system or the time to evaluate every transition<br />
mechanism that could have been investigated. Future research is needed to identify the behavior<br />
of other operating systems like the Apple Mac OS and other distributions of Linux. Additionally,<br />
future research could evaluate transition mechanisms that were not included in the study like<br />
SIIT, NAT-PT, BIA, BIS, SOCK64, and TRT. Second, the virtual network that was employed in<br />
the study simulated a network of nodes connected to a single switch; however, the availability of<br />
a single physical host prevented the testing of nodes on multiple subnets. Future research is<br />
needed to evaluate the behavior of transition mechanisms in a multi-layer enterprise network.<br />
Third, time limitations narrowed the scope of this study to include only two-way<br />
communications between network nodes. Future research is needed to profile IPv6 based<br />
application vulnerabilities and attack vectors. Finally, this study contributed a small piece of a<br />
disjointed and unorganized body of knowledge and there remains a significant need to unify the<br />
academic, practitioner, and legal communities under a common process that builds a scientific<br />
foundation for the network forensic discipline.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
132<br />
References<br />
Abad, C. (2001). IP Checksum Covert Channels and Selected Hash Collision, Tech Republic,<br />
UCLA. from http://http://gray-world.net/papers/ipccc.pdf<br />
Afifi, H., & Toutain, L. (1999). Methods for IPv4-IPv6 transition. Paper presented at the IEEE<br />
Symposium on Computers and Communications. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ISCC.1999.780953<br />
AlJa'afreh, R. e..Mellor, J..Kamala, M., & Kasasbeh, B. (2008). Bi-directional mapping system<br />
as a new IPv4/IPv6 translation mechanism. Paper presented at the Tenth International<br />
Conference on Computer Modeling and Simulation. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/UKSIM.2008.90<br />
An, G., & Kim, K. (2008). Real-time IP checking and packet marking for preventing ND-DoS<br />
attack employing fake source IP in IPv6 LAN. Paper presented at the Proceedings of the<br />
5th international conference on Autonomic and Trusted Computing, Oslo, Norway.<br />
Anaya, E. A..Miyatake, M. N., & Meana, H. M. P. (2009). Network forensics with neurofuzzy<br />
techniques. Paper presented at the Midwest Symposium on Circuits and Systems.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/MWSCAS.2009.5235900<br />
Avison, D. E..Lau, F..Myers, M. D., & Nielsen, P. A. (1999). Action research. Communications<br />
of the ACM, 42(1), 94-97. doi: 10.1145/291469.291479<br />
Ayres, D. (2010). Need help setting up a teredo client, Windows Developer Center. Retrieved<br />
Feb 22, 2011, from<br />
http://social.msdn.microsoft.com/Forums/en/peertopeer/thread/4d1c1762-1e04-442c<br />
810e-82b44d88d460
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
133<br />
Backtrack IPv6 Configuration. (n.d.). Retrieved Feb 16, 2011, from<br />
http://zerohat.de/_shared_files/videos/BT4_IPv6_Quick/<br />
BackTrack Linux. (n.d.). Retrieved Feb 9, 2011, from http://backtrack-linux.org<br />
Baryamureeba, V., & Tushabe, F. (2004). The enhanced digital investigation process model.<br />
Makerere University.<br />
Retrieved from<br />
Baskerville, R. L. (1999). Investigating information systems with action research. Commun. AIS,<br />
2(3es), 4.<br />
Beebe, N. L., & Clark, J. G. (2005). A hierarchical, objectives-based framework for the digital<br />
investigations process. <strong>Digital</strong> Investigation, 2(2), 147-167. doi:<br />
10.1016/j.diin.2005.04.002<br />
Bejtlich, R. (2004). The tao of network security monitoring: Beyond intrusion detection. New<br />
York: Addison-Wesley Publishing, Inc.<br />
Bi, J..Leng, X., & Wu, J. (2007). Scalable IPv4/IPv6 transition: a peer-to-peer based approach.<br />
Paper presented at the Proceedings of the 2005/2006 International Conference on<br />
Databases, Information Systems, and Peer-to-Peer Computing, Trondheim, Norway.<br />
Bishop, M..Marzullo, K., & Peisert, S. (2008). Computer forensics in forensis. SIGOPS<br />
Operating System Review, 42(3), 112-122. doi:<br />
http://doi.acm.org/10.1145/1368506.1368521<br />
Brenner, S. W. (2007). "AT LIGHT SPEED": ATTRIBUTION AND RESPONSE TO<br />
CYBERCRIME/TERRORISM/WARFARE. [Article]. Journal of Criminal Law &<br />
Criminology, 97(2), 379-475.<br />
Broadway, J..Turnbull, B., & Slay, J. (2008). Improving the Analysis of Lawfully Intercepted<br />
Network Packet Data Captured for Forensic Analysis. Paper presented at the The Third
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
134<br />
International Conference on Availability, Reliability and Security. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ARES.2008.122 doi:10.1109/ARES.2008.122<br />
Broucek, V., & Turner, P. (2004). Computer incident investigations: e-forensic insights on<br />
evidence acquisition. Paper presented at the European Institute for Computer Anti-Virus<br />
Research, Copenhagen.<br />
Byrne, E. (2005). Using action research in information systems design to address change: A<br />
South African health information systems case study. Paper presented at the Proceedings<br />
of the 2005 annual research conference of the South African institute of computer<br />
scientists and information technologists on IT research in developing countries, White<br />
River, South Africa.<br />
Caicedo, C. E..Joshi, J. B. D., & Tuladhar, S. R. (2009). IPv6 security challenges. Perspectives,<br />
42, 36-42. Retrieved from http://doi.ieeecomputersociety.org/10.1109/MC.2009.54<br />
Candolin, C., & Nikander, P. (2001). IPv6 source addresses considered harmful. Paper presented<br />
at the Sixth Nordic Workshop on Secure IT.<br />
Carpenter, B., & Jung, C. (1999). Transmission of IPv6 over IPv4 domains without explicit<br />
tunnels. RFC 2529: Internet Engineering Task Force (IETF).<br />
Carpenter, B., & Moore, K. (2001). Connection of IPv6 domains via IPv4 clouds. RFC 3056:<br />
Internet Engineering Task Force (IETF).<br />
Carr, C..Gunsch, G., & Reith, M. (2002). An examination of digital forensic models.<br />
International Journal of <strong>Digital</strong> Evidence, 1(2).<br />
Carrier, B., & Spafford, E. H. (2003). Getting physical with the digital investigation process.<br />
International Journal of <strong>Digital</strong> Evidence, 2(2).<br />
Casey, E. (2000). <strong>Digital</strong> evidence and computer crime. San Diego: Academic Press.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
135<br />
Casey, E. (2004). Network traffic as a source of evidence: tool strengths, weaknesses, and future<br />
needs. <strong>Digital</strong> Investigation, 1(1), 28-43. doi: 10.1016/j.diin.2003.12.002<br />
Castro, S. (2006, May). Cooking Channels. hakin9 Magazine, 50-57.<br />
CentOS. (n.d.). Retrieved Feb 9, 2011, from http://centos.org/<br />
Chapter 31 advanced networking. (2010). FreeBSD Handbook. Retrieved Aug 6, 2010, from<br />
http://www.freebsd.org/doc/en/books/handbook/network-ipv6.html<br />
Choi, D..Fischer, C..Lee, A. Y..Lou, E. L..Chung-Zin, L., & Hsien-Chuen, Y. (2006). Transition<br />
to IPv6 and support for IPv4/IPv6 interoperability in IMS. Bell Labs Technical Journal,<br />
10(4), 261-270. doi: 10.1002/bltj.20138<br />
Ciardhuáin, S. Ó. (2004). An extended model of cybercrime investigations. International Journal<br />
of <strong>Digital</strong> Evidence, 3(1).<br />
Cohen, F. (2009). Two models of digital forensic examination. Paper presented at the Fourth<br />
IEEE International Workshop on Systematic Approaches to <strong>Digital</strong> Forensic Engineering.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/SADFE.2009.8<br />
doi:10.1109/SADFE.2009.8<br />
Cohen, M. I. (2008a). PyFlag - An advanced network forensic framework. <strong>Digital</strong> Investigation,<br />
5(Supplement 1), S112-S120. doi: 10.1016/j.diin.2008.05.016<br />
Cohen, M. I. (2008b). Source attribution for network address translated forensic captures. <strong>Digital</strong><br />
Investigation, 5(3-4), 138-145. doi: 10.1016/j.diin.2008.12.002<br />
Conta, A., & Deering, S. (1998). Internet control message protocol (ICMPv6) for the Internet<br />
protocol version 6 (IPv6) specification. RFC 2463: Internet Engineering Task Force<br />
(IETF).
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
136<br />
Convery, S., & Miller, D. (2004). IPv6 and IPv4 threat comparison and best-practice evaluation<br />
(v1.0): Cisco Systems. Retrieved from<br />
http://www.cisco.com/web/about/security/security_services/ciag/documents/v6-v4<br />
threats.pdf<br />
Cooper, M., & Yen, D. C. (2005). IPv6: business applications and implementation concerns.<br />
Computer Standards & Interfaces, 28(1), 27-41. doi: 10.1016/j.csi.2004.11.001<br />
Cowan, A. L. (2007, Feb 14). Teacher Faces Jail Over Pornography on Class Computer, New<br />
York Times.<br />
daemon9. (1997, Sept). LOKI2: The Implementation. Phrack Magazine, 7(51).<br />
Daubert v. Merrell Dow Pharmaceuticals Inc., 579 (U.S 1993). Retrieved from<br />
http://www.law.cornell.edu/supct/html/92-102.ZS.html<br />
Davies, E..Krishnan, S., & Savola, P. (2007). IPv6 transition/coexistence security<br />
considerations. RFC 4942: Internet Engineering Task Force (IETF).<br />
Davies, J. (2008). Understanding IPv6 (2nd ed.): Microsoft Press.<br />
Deering, S..Haberman, B..Jinmei, T..Nordmark, E., & Zill, B. (2005). IPv6 Scoped Address<br />
Architecture. RFC 4007: Internet Engineering Task Force (IETF).<br />
DistroWatch.com. (n.d.). Netsonic.com. Retrieved Dec 14, 2010, from http://distrowatch.com/<br />
Dobrucki, M. (1999). The effects of the transition to IPv6 on Internet security.<br />
Durand, A..Fasano, P..Guardini, I., & Lento, D. (2001). IPv6 tunnel broker. RFC 3053: Internet<br />
Engineering Task Force (IETF).<br />
Electronic crime scene investigation: A guide for first responders. (2001). Technical Working<br />
Group for Electric Crime Scene Investigation.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
137<br />
Elgoarany, K., & Eltoweissy, M. (2007). Security in mobile IPv6: A survey. Information<br />
Security Technical Report, 12, 32-43. doi: 10.1016/j.istr.2007.02.002<br />
Elmaghraby, A..Higgins, G..Keeling, D. W..Losavio, M., & Shutt, J. (2008). Implications of<br />
attorney experiences with digital forensics and electronic evidence in the United States.<br />
Paper presented at the Third International Workshop on Systematic Approaches to<br />
<strong>Digital</strong> Forensic Engineering. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/SADFE.2008.11<br />
doi:10.1109/SADFE.2008.11<br />
Emre, D., & Ali, B. (2010). IPV4/IPV6 security and threat comparisons. Procedia - Social and<br />
Behavioral Sciences, 2, 5285-5291. doi: 10.1016/j.sbspro.2010.03.862<br />
Enabling IPv6 Privacy Extensions on Ubuntu Linux. (2011). IPv6 Related Stuff. Retrieved Mar<br />
4, 2011, from http://ipv6-or-no-ipv6.blogspot.com/2011/02/enabling-ipv6-privacyextensions-on.html<br />
Ercferret18 (2010). IPv6 Retrieved Aud 6, 2010, from https://wiki.ubuntu.com/IPv6<br />
Faye, F. (2008). IPV6 configuration on REDHAT CENTOS FEDORA Retrieved Aug 6, 2010,<br />
from http://www.generationip.com/documentation/system-documentation/73-ipv6<br />
configuration-on-redhat-centos-fedora<br />
fdz. (2010). ISATAP client on Linux, The IPv6 Portal. Retrieved Feb 24, 2011, from<br />
http://www.ipv6<br />
portal.com/index.php?option=com_content&view=article&id=14:isatap-client-onlinux&catid=13:howto&Itemid=4&lang=en<br />
Feamster, N. (2002, Aug). Infranet: Circumventing Web Censorship and Surveillance. Paper<br />
presented at the 11th USENIX Security Symposium.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
138<br />
Fisk, G. (2002, Oct). Eliminating Steganography in Internet Traffic with Active Wardens. Paper<br />
presented at the 5th International Workshop on Information Hiding.<br />
Fraud Examiners Manual. (2008). Association of Certified Fraud Examiners.<br />
FreeBSD. (n.d.). Retrieved Feb 9, 2011, from http://freebsd.org<br />
Friacas, C..Baptista, M..Domingues, M., & Ferreira, P. (2006). 6TO4 versus<br />
TUNNELBROKERS. Paper presented at the Proceedings of the International Multi-<br />
Conference on Computing in the Global Information Technology (ICCGI'06). Retrieved<br />
from http://doi.ieeecomputersociety.org/10.1109/ICCGI.2006.1<br />
Giffin, J. (2002, Apr). Covert Messaging Through TCP Timestamps. Paper presented at the<br />
Privacy Enhancing Technologies Workshop (PET).<br />
Gil, T. M. (2005). IP-over-DNS using NSTX, from http://thomer.com/howtos/nstx/<br />
Gilligan, R., & Nordmark, E. (2000). Transition mechanisms for IPv6 hosts and routers. RFC<br />
2893: Internet Engineering Task Force (IETF).<br />
Girling, C. G. (1987, Feb). Covert Channels in LAN’s. IEEE Transactions in Software<br />
Engineering, SE-13(2), 292-296.<br />
gogoCLIENT. (n.d.). Retrieved Feb 9, 2011, from<br />
http://gogonet.gogo6.com/profile/gogoCLIENT<br />
GosevaPopstojanova, K..Miller, B..Pantev, R., & Dimitrijevikj, A. (2010). Empirical Analysis of<br />
Attackers Activity on Multi-tier Web Systems. Paper presented at the 24th IEEE<br />
International Conference on Advanced Information Networking and Applications.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/AINA.2010.138<br />
doi:10.1109/AINA.2010.138
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
139<br />
Graf, T. (2003). Messaging over IPv6 destination options. Swiss Unix User Group. Retrieved<br />
from http://grayworld.net/papers/messip6.txt<br />
Grobler, C. P..Louwrens, C. P., & Solms, S. H. V. (2010). A framework to guide the<br />
implementation of proactive digital forensics in organisations. Paper presented at the<br />
International Conference on Availability, Reliability and Security. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ARES.2010.62 doi:10.1109/ARES.2010.62<br />
Hagino, J., & Yamamoto, K. (2001). An IPv6-to-IPv4 transport relay translator. RFC 3142:<br />
Internet Engineering Task Force (IETF).<br />
Halfscan6. (n.d.). Retrieved Feb 9, 2011, from http://freshmeat.net/projects/halfscan6<br />
Hogg, S. (2009). Windows 7 IPv6 Support, Network World. Retrieved 2011, Mar 4, from<br />
http://www.networkworld.com/community/node/37947<br />
Hsieh, I. P., & Kao, S. J. (2005). Managing the co-existing network of IPv6 and IPv4 under<br />
various transition mechanisms. Paper presented at the Proceedings of the Third<br />
International Conference on Information Technology and Applications (ICITA’05).<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/ICITA.2005.175<br />
Huang, S. M..Wu, Q., & Lin, Y. B. (2005). Tunneling IPv6 through NAT with Teredo<br />
mechanism. Paper presented at the Proceedings of the 19th International Conference on<br />
Advanced Information Networking and Applications (AINA’05). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/AINA.2005.333<br />
Huang, S. Q..Zhang, H. M., & Yao, G. X. (2009). Research of NIDS in IPV6 based on protocol<br />
analysis and pattern matching. Paper presented at the Second International Workshop on<br />
Knowledge Discovery and Data Mining. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/WKDD.2009.24
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
140<br />
Huitema, C. (2006). Teredo: tunneling IPv6 over UDP through network address translations<br />
(NATs). RFC 4380: Internet Engineering Task Force (IETF).<br />
Internet Users. (2009). World Bank. from http://databank.worldbank.org<br />
Jamhour, E., & Storoz, S. (2002). Global mobile IPv6 addressing using transition mechanisms.<br />
Paper presented at the Proceedings of the 27th Annual IEEE Conference on Local<br />
Computer Networks (LCN02). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/LCN.2002.1181816<br />
Järvinen, P. (2007). Action research is similar to design science. Quality & Quantity, 41(1), 37<br />
54. doi: 10.1007/s11135-005-5427-1<br />
Jones, B. R. (2007). COMMENT: VIRTUAL NEIGHBORHOOD WATCH: OPEN SOURCE<br />
SOFTWARE AND COMMUNITY POLICING AGAINST CYBERCRIME. [Article].<br />
Journal of Criminal Law & Criminology, 97(2), 601-629.<br />
Kammas, P..Komninos, T., & Stamatiou, Y. C. (2009). Modeling the co-evololution DNS worms<br />
and anti-worms in IPv6 networks. Paper presented at the Fifth International Conference<br />
on Information Assurance and Security. Retrieved from doi:10.1109/IAS.2009.334<br />
Kempf, J..Nordmark, E., & Nikander, P. (2004). IPv6 neighbor discovery (ND) trust models and<br />
threats. RFC 3756: Internet Engineering Task Force (IETF).<br />
Kerr, O. S. (2005, Jan). <strong>Digital</strong> evidence and the new criminal procedure. Columbia Law Review.<br />
Kim, J. W..Cho, H. H..Mun, G. J..Seo, J. H..Noh, B. N., & Kim, Y. M. (2007). Experiments and<br />
countermeasures of security vulnerabilities on next generation network. Paper presented<br />
at the Future Generation Communication and Networking. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/FGCN.2007.122
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
141<br />
Kitamura, H. (2001). A SOCKS-based IPv6/IPv4 gateway mechanism. RFC 3089: Internet<br />
Engineering Task Force (IETF).<br />
Lan, T. H..Lin, A. C..Lin, I. L., & Wu, T. (2005). Establishment of the standard operating<br />
procedure (SOP) for gathering digital evidence. Paper presented at the First International<br />
Workshop on Systematic Approaches to <strong>Digital</strong> Forensic Engineering (SADFE’05).<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/SADFE.2005.12<br />
doi:10.1109/SADFE.2005.12<br />
Lee, H. C..Palmbach, T. M., & Miller, M. T. (2001). Henry Lee’s crime scene handbook. San<br />
Diego: Academic Press.<br />
Lee, S..Shin, M.-K..Kim, Y.-J..Nordmark, E., & Durand, A. (2002). Dual stack hosts using<br />
"bump-in-the-API" (BIA). RFC 3338: Internet Engineering Task Force (IETF).<br />
Lee, Y..Shin, S..Choi, S., & Son, H. g. (2007). IPv6 anomaly traffic monitoring with IPFIX.<br />
Paper presented at the Second International Conference on Internet Monitoring and<br />
Protection (ICIMP 2007). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ICIMP.2007.23<br />
Leng, X..Bi, J..Zhang, M., & Wu, J. (2007). Connecting IPvX networks over IPvY with a P2P<br />
method. Journal of Network System Management, 15, 383-399. doi: 10.1007/s10922-007<br />
9071-z<br />
Leong, R. S. C. (2006). FORZA - <strong>Digital</strong> forensics investigation framework that incorporate<br />
legal issues. <strong>Digital</strong> Investigation, 3(Supplement 1), 29-36. doi:<br />
10.1016/j.diin.2006.06.004
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
142<br />
Lindqvist, J. (2006). IPv6 stateless address autoconfiguration considered harmful. Paper<br />
presented at the MILCOM. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/MILCOM.2006.302471<br />
Linode. (n.d.). Retrieved Feb 15, 2011, from http://www.linode.com/<br />
Littlefield, M. (2007, June). Emerging legal and forensic issues for computer scientists teaching<br />
digital forensics and information assurance: The import of United States v. Garnier.<br />
Paper presented at the <strong>Digital</strong> Forensics Working Group Workshop. Retrieved from<br />
Losavio, M. M. (2005). The law of possession of digital objects: Dominion and control issues for<br />
digital forensics investigations and prosecutions. Paper presented at the First<br />
International Workshop on Systematic Approaches to <strong>Digital</strong> Forensic Engineering<br />
(SADFE’05). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/SADFE.2005.25<br />
doi:10.1109/SADFE.2005.25<br />
Lucena, N. B..Lewandowski, G., & Chapin, S. J. (2005, May). Covert Channels in IPv6. Paper<br />
presented at the Privacy Enhancing Technologies (PET).<br />
Lutchann. (2002). Linux ISATAP setup. Retrieved Feb 23, 2011, from<br />
http://www.litech.org/isatap/<br />
Mac OS X 10.5 Help. (2010). Apple Inc. Retrieved Aug 6, 2010, from http://docs.info.apple.com<br />
Mackay, M..Edwards, C..Dunmore, M..Chown, T., & Carvalho, G. (2003, May-June). A<br />
scenario-based review of IPv6 transition tools. IEEE Internet Computing, 27-35.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/MIC.2003.1200298<br />
Mandia, K., & Prosise, C. (2001). Incident response: Osborne/McGraw-Hill.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
143<br />
Mazurczyk, W., & Kotulski, Z. (2006, Sept). New VoIP Traffic Security Scheme with <strong>Digital</strong><br />
Watermarking. Paper presented at the International Conference on Computer Safety,<br />
Reliability, and Security (SafeComp).<br />
Metasploit. (n.d.). Retrieved Feb 9, 2011, from http://metasploit.com<br />
Miredo. (n.d.). Retrieved Feb 9, 2011, from http://remlab.net/miredo<br />
Multicast IPv6 addresses. (2005). Microsoft Technet. from http://technet.microsoft.com/enus/library/cc781068(WS.10).aspx<br />
Naqvi, S..Dallons, G., & Ponsard, C. (2010). Applying digital forensics in the future internet<br />
enterprise systems - European SME's perspective. Paper presented at the Fifth<br />
International Workshop on Systematic Approaches to <strong>Digital</strong> Forensic Engineering.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/SADFE.2010.28<br />
doi:10.1109/SADFE.2010.28<br />
Netcat. (n.d.). Nmap. Retrieved Mar 6, 2011, from http://nmap.org/ncat/<br />
Netdude. (n.d.). Retrieved Mar 3, 2011, from http://netdude.sourceforge.net/<br />
Netsh Commands for Interface (IPv4 and IPv6). (2008). Microsoft. Retrieved Feb 23, 2011, from<br />
http://technet.microsoft.com/en-us/library/cc770948(WS.10).aspx<br />
Nikkel, B. J. (2005). Generalizing sources of live network evidence. <strong>Digital</strong> Investigation, 2(3),<br />
193-200. doi: 10.1016/j.diin.2005.08.001<br />
Nikkel, B. J. (2006). Improving evidence acquisition from live network sources. <strong>Digital</strong><br />
Investigation, 3(2), 89-96. doi: 10.1016/j.diin.2006.05.002<br />
Nikkel, B. J. (2007). An introduction to investigating IPv6 networks. <strong>Digital</strong> Investigation, 4(2),<br />
59-67. doi: 10.1016/j.diin.2007.06.001<br />
Nmap. (n.d.). Retrieved Feb 9, 2011, from http://nmap.org
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
144<br />
Nordmark, E. (2000). Stateless IP/ICMP translation algorithm (SIIT). RFC 2765: Internet<br />
Engineering Task Force (IETF).<br />
Nute, E. (2010). Installing gogoc in Ubuntu 10.10 Maverick Meerkat is easy except DNS.<br />
Retrieved Feb 1, 2011, from http://gogonet.gogo6.com/forum/topics/installing-gogoc-inubuntu?commentId=3731159:Comment:118717<br />
Oracle Solaris. (n.d.). Retrieved Feb 9, 2011, from http://oracle.com/solaris<br />
Ostinato. (n.d.). Retrieved Feb 9, 2011, from http://code.google.com/p/ostinato<br />
Padgett, P. (2001). Corkscrew. from http://www.agroman.net/corkscrew/<br />
Padlipsky, M. A..Snow, D. W., & Karger, P. A. (1978, Aug). Limitations of End-to-End<br />
Encryption in Secure Computer Networks, Tech Republic, ESD-TR-78-158, Mitre<br />
Corporation. from http://stinet.dtic.mil/cgibin/GetTRDoc?AD=A059221&Location=U2&doc=GetTRDoc.pdf<br />
Palmer, G. (2001). A road map for digital forensics research. Utica, NY: First <strong>Digital</strong> Forensic<br />
Research Workshop (DFRWS). Retrieved from<br />
Palmer, G. (2001, Aug). A road map for digital forensic research. Paper presented at the First<br />
<strong>Digital</strong> Forensic Workshop, DFRWS Technical Report DTR-T001-01.<br />
Park, T. K., & Ra, I. (2008). Design and evaluation of a network forensic logging system. Paper<br />
presented at the Third International Conference on Convergence and Hybrid Information<br />
Technology. Retrieved from http://doi.ieeecomputersociety.org/10.1109/ICCIT.2008.28<br />
doi:10.1109/ICCIT.2008.28<br />
Phang, S. Y..Lee, H., & Lim, H. (2008). Design and implementation of V6SNIFF: An efficient<br />
IPv6 packet sniffer. Paper presented at the Third 2008 International Conference on
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
145<br />
Convergence and Hybrid Information Technology. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ICCIT.2008.279<br />
Ponec, M..Giura, P..Bronnimann, H., & Wein, J. (2007). Highly efficient techniques for network<br />
forensics. Paper presented at the Proceedings of the 14th ACM Conference on Computer<br />
and Communications Security, Alexandria, Virginia, USA. Retrieved from<br />
doi:10.1145/1315245.1315265<br />
Radhakrishnan, R..Majid, J..Shabana, M., & Moinuddin, M. (2007). Security issues in IPv6.<br />
Paper presented at the Third International Conference on Networking and<br />
Services(ICNS'07). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ICNS.2007.106<br />
Rowland, C. H. (1997, July). Covert Channels in the TCP/IP Protocol Suite. First Monday.<br />
Savola, P. (2005). Observations of IPv6 traffic on a 6to4 relay. SIGCOMM Computer<br />
Communications Review, 35(1), 23-28. doi: http://doi.acm.org/10.1145/1052812.1052821<br />
Savola, P., & Patel, C. (2004). Security considerations for 6to4. RFC 3964: Internet Engineering<br />
Task Force (IETF).<br />
Scapy. (n.d.). Retrieved Feb 9, 2011, from http://www.secdev.org/projects/scapy<br />
Schroeder, S. C. (2005). How to be a digital forensic expert witness. Paper presented at the<br />
Proceedings of the First International Workshop on Systematic Approaches to <strong>Digital</strong><br />
Forensic Engineering (SADFE’05). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/SADFE.2005.18<br />
Seo, S. H., & Kong, I. Y. (2005). A performance analysis model of PC-based software router<br />
supporting IPv6-IPv4 translation for residential gateway. Paper presented at the<br />
Proceedings of the Fourth Annual ACIS International Conference on Computer and
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
146<br />
Information Science (ICIS’05). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ICIS.2005.14<br />
Servetto, S. D., & Vetterli, M. (2001, June). Communication Using Phantoms: Covert Channels<br />
in the Internet. Paper presented at the IEEE International Symposium on Information<br />
Theory (ISIT).<br />
Shengyang, C., & Yanlei, S. (2010). P2P communication mechanism based on request<br />
forwarding in IPv4 and IPv6 coexistence network. Paper presented at the International<br />
Conference on e-Education, e-Business, e-Management and e-Learning. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/IC4E.2010.16<br />
Shin, Y. (2008). New digital forensics investigation procedure model. Paper presented at the<br />
Fourth International Conference on Networked Computing and Advanced Information<br />
Management. Retrieved from http://doi.ieeecomputersociety.org/10.1109/NCM.2008.116<br />
doi:10.1109/NCM.2008.116<br />
Sommer, P. (1999). Intrusion detection systems as evidence. Computer Networks, 31(23-24),<br />
2477-2487. doi: 10.1016/s1389-1286(99)00113-9<br />
Sotillo, S. (2006). IPv6 security issues.<br />
Susman, G. I., & Evered, R. D. (1978). An assessment of the scientific merits of action research.<br />
Administrative Science Quarterly, 23(4), 582-603.<br />
System administration guide: IP services. (2009). Sun Microsystems. Retrieved Aug 6, 2010,<br />
from http://docs.sun.com/app/docs/doc/816-4554/ipv6-ref-83?l=en&a=view<br />
Szigeti, S., & Risztics, P. (2004). Will IPv6 Bring Better Security? Paper presented at the The<br />
30th EUROMICRO Conference. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/EURMIC.2004.1333418
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
147<br />
Tadayoshi, K. (2005). Remote Physical Device Fingerprinting. IEEE Transactions on<br />
Dependable and Secure Computing, 2, 93-108.<br />
Tantayakul, K..Kamolphiwong, S., & Angchuan, T. (2008). IPv6@HOME. Paper presented at<br />
the Proceedings of the International Conference on Mobile Technology, Applications,<br />
and Systems, Yilan, Taiwan. Retrieved from<br />
http://doi.acm.org/10.1145/1506270.1506383<br />
TCPdump. (n.d.). Retrieved Feb 9, 2011, from http:/tcpdump.org<br />
TCPReplay. (n.d.). Retrieved Mar 3, 2011, from http://tcpreplay.synfin.net/<br />
Templin, F..Gleeson, T., & Thaler, D. (2008). Intra-site automatic tunnel addressing protocol<br />
(ISATAP). RFC 5214: Internet Engineering Task Force (IETF).<br />
THC-IPv6. (n.d.). Retrieved Feb 9, 2011, from http://freeworld.thc.org/thc-ipv6<br />
Tseng, B..Chen, C. Y., & Laih, C. S. (2006). Design and implementation of an IPv6-enabled<br />
intrusion detection system (6IDS). Paper presented at the International Computer<br />
Symposium, Taipei, Taiwan.<br />
http://dspace.lib.fcu.edu.tw/dspace/bitstream/2377/1860/1/ce07ics002004000116.pdf<br />
Tsirtsis, G., & Srisuresh, P. (2000). Network address translation - protocol translation (NAT<br />
PT). RFC 2766: Internet Engineering Task Force (IETF).<br />
Tsuchiya, K..Higuchi, H., & Atarashi, Y. (2000). Dual stack hosts using the "bump-in-the-stack"<br />
technique (BIS). RFC 2767: Internet Engineering Task Force (IETF).<br />
Tulloch, M. (2006). IPv6 Support in Microsoft Windows Retrieved Sept 6, 2010, from<br />
http://www.windowsnetworking.com/articles_tutorials/IPv6-Support-Microsoft<br />
Windows.html
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
148<br />
Tulloch, M..Northrup, T..Honeycutt, J., & Wilson, E. (2010). Windows 7 Resource Kit:<br />
Microsoft Press.<br />
Tylbart. (2007). Teredo and the PNRP global cloud, Microsoft Peer-to-Peer Networking.<br />
Retrieved Feb 23, 2011, from http://blogs.msdn.com/b/p2p/archive/2007/03/22/teredoand-the-pnrp-global-cloud.aspx<br />
Ubuntu. (n.d.). Retrieved Feb 9, 2011, from http://www.ubuntu.com/<br />
Using Teredo in Windows XP. (2010). MSDN. Retrieved Feb 23, 2011, from<br />
http://msdn.microsoft.com/en-us/library/bb968771(v=VS.85).aspx<br />
Virtualbox. (n.d.). Retrieved Feb 9, 2011, from http://www.virtualbox.org/<br />
Visoottiviseth, V., & Bureenok, N. (2008). Performance comparison of ISATAP implementations<br />
on FreeBSD, RedHat, and Windows 2003. Paper presented at the 22nd International<br />
Conference on Advanced Information Networking and Applications - Workshops.<br />
http://doi.ieeecomputersociety.org/10.1109/WAINA.2008.79<br />
Vives, A., & Palet, J. (2005). IPv6 distributed security: problem statement. Paper presented at<br />
the The 2005 Symposium on Applications and the Internet Workshops (SAINT-W’05).<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/SAINTW.2005.72<br />
Wagener, G..Dulaunoy, A., & Engel, T. (2008). Towards an estimation of the accuracy of TCP<br />
reassembly in network forensics. Paper presented at the Future Generation<br />
Communication and Networking. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/FGCN.2008.118<br />
doi:10.1109/FGCN.2008.118<br />
Wang, S. (2007). Measures of retaining digital evidence to prosecute computer-based cybercrimes.<br />
Computer Standards & Interfaces, 29(2), 216-223. doi: 10.1016/j.csi.2006.03.008
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
149<br />
Wang, W., & Daniels, T. E. (2007). Diffusion and graph spectral methods for network forensic<br />
analysis. Paper presented at the Proceedings of the 2006 Workshop on New Security<br />
Paradigms, Germany.<br />
Warfield, M. H. (2003). Security implications of IPv6. Internet Security Systems. Retrieved<br />
from http://www.blackhat.com/presentations/bh-federal-03/bh-federal-03-warfield/bhfed-03-warfield.pdf<br />
Wei, X..Jiang-wei, Z., & Guo-dong, Z. (2009). Application research on IPv4/IPv6 dual stack<br />
technology. Paper presented at the International Conference on Signal Processing<br />
Systems. Retrieved from http://doi.ieeecomputersociety.org/10.1109/ICSPS.2009.200<br />
Weissmann, P. (n.d.). FreeBSD IPv6. Retrieved Mar 4, 2011, from<br />
http://ipv6int.net/systems/freebsd-ipv6.html<br />
WenQi, W., & Weiguang, L. (2009). The research on forensic model based network. Paper<br />
presented at the Second International Workshop on Computer Science and Engineering.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/WCSE.2009.635<br />
doi:10.1109/WCSE.2009.345<br />
Windows Sysinternals: PsInfo. (n.d.). Retrieved Jan 9, 2011, from<br />
http://technet.microsoft.com/en-us/sysinternals/bb897550<br />
Winpcap. (n.d.). Retrieved Feb 9, 2011, from http://winpcap.org<br />
Wireshark. (n.d.). Retrieved Feb 9, 2011, from http://wireshark.org<br />
Wu, L..Hai-xin, D..Tao, L..Xing, L., & Jian-ping, W. (2009). H6Proxy: ICMPv6 weakness<br />
analysis and implementation of IPv6 attacking test proxy. Paper presented at the<br />
Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing. Retrieved
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
150<br />
from http://doi.ieeecomputersociety.org/10.1109/UIC-ATC.2009.78 doi:10.1109/UIC<br />
ATC.2009.78<br />
Xie, L..Bi, J., & Wu, J. (2007). A multihoming based IPv4/IPv6 transition approach. Paper<br />
presented at the Proceedings of the 6th international IFIP-TC6 conference on Ad Hoc and<br />
sensor networks, wireless networks, next generation internet, Atlanta, GA, USA.<br />
Yan-ge, C..Shui-mu, T., & Jun-ying, G. (2009). IPv4/IPv6 intercommunication technology<br />
research. Paper presented at the International Conference on Environmental Science and<br />
Information Application Technology. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ESIAT.2009.297<br />
Yang, J. (n.d.). Fast worm propagation in IPv6 networks.<br />
Yang, X., & Ma, T. (2007). A link signature based DDoS attacker tracing algorithm under IPv6.<br />
Paper presented at the Future Generation Communication and Networking. Retrieved<br />
from http://doi.ieeecomputersociety.org/10.1109/FGCN.2007.15<br />
Yang, X..Ma, T., & Shi, Y. (2007). Typical DoS/DDoS threats under IPv6. Paper presented at<br />
the Proceedings of the International Multi-Conference on Computing in the Global<br />
Information Technology (ICCGI'07). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ICCGI.2007.61<br />
Yangui, X..Xiangchun, L..Jiachun, Z., & Huanyan, Q. (2009). Worm detection in an IPv6<br />
internet. Paper presented at the International Conference on Computational Intelligence<br />
and Security. Retrieved from doi:10.1109/CIS.2009.216<br />
Yao, G. x..Guan, Q. l..Lin, L. c..Huang, S. Q..Zhu, G. c..Zhang, H., et al. (2008). Research and<br />
Implementation of Next Generation Network Intrusion Detection System Based on<br />
Protocol Analysis. Paper presented at the ISECS International Colloquium on
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
151<br />
Computing, Communication, Control, and Management. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/CCCM.2008.30 doi:10.1109/CCCM.2008.30<br />
Zagar, D..Grgic, K., & Rimac-Drlje, S. (2007). Security aspects in IPv6 networks <br />
implementation and testing. Computers & Electrical Engineering, 33, 425-437. doi:<br />
10.1016/j.compeleceng.2007.05.008<br />
Zander, S..Armitage, G., & Branch, P. (2007). A survey of covert channels and coutermeasures<br />
in computer network protocols. IEEE Communications Surveys & Tutorials, 9(3).<br />
Zheng, Q..Liu, T..Guan, X..Qu, Y., & Wang, N. (2007). A new worm exploiting IPv4-IPv6 dualstack<br />
networks. Paper presented at the Proceedings of the 2007 ACM workshop on<br />
Recurring malcode, Alexandria, Virginia, USA.<br />
Zhou, L., & Renesse, R. v. (2004). P6P: A peer-to-peer approach to Internet infrastructure.<br />
Paper presented at the International workshop on Peer-To-Peer Systems.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
152<br />
Appendix A - <strong>Digital</strong> Forensic Frameworks<br />
Framework<br />
Carr, et al.(2002)<br />
Cohen (2009)<br />
Ciardhuáin (2004)<br />
Process Steps<br />
1. Identification<br />
2. Preparation<br />
3. Approach strategy<br />
4. Preservation<br />
5. Examination<br />
6. Analysis<br />
7. Presentation<br />
8. Return evidence<br />
1. Identify legal context<br />
2. Hypothesize claim<br />
3. Hypothesize events<br />
4. Capture traces<br />
5. Confirm internal consistency of traces<br />
6. Demonstrate consistency of traces<br />
7. Initiate forensic procedures<br />
8. Verify available resources<br />
9. Determine schedule<br />
1. Awareness<br />
2. Authorization<br />
3. Planning<br />
4. Notification<br />
5. Search for evidence<br />
6. Collection of evidence<br />
7. Transport of evidence<br />
8. Storage of evidence<br />
9. Examination of evidence<br />
10. Hypothesis of what occurred<br />
11. Presentation of hypothesis to court
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
153<br />
Framework<br />
Shin (2008)<br />
Incident Response Strategy (Mandia<br />
& Prosise, 2001)<br />
Process Steps<br />
12. Proof/Defense of hypothesis<br />
13. Dissemination of information<br />
1. Preparation<br />
2. Classify crime<br />
3. Prioritizing<br />
4. Investigate<br />
5. Protect evidence<br />
6. Preserve volatile evidence<br />
7. Disk analysis<br />
8. Network forensics<br />
9. Consult external experts<br />
10. Seize other storage media<br />
11. Criminal profiling<br />
12. Track suspects<br />
13. Investigate the crime scene<br />
14. Summon suspects<br />
15. Conduct additional investigations<br />
16. Write criminal profile<br />
17. Writing report<br />
18. Submit case to court<br />
19. Pre incident preparation<br />
20. Detection<br />
21. Initial Response<br />
22. Response strategy formulation<br />
23. Duplication<br />
24. Investigation<br />
25. Security measure implementation<br />
26. Network monitoring<br />
27. Recovery<br />
28. Reporting and follow-up
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
154<br />
Framework<br />
Process Steps<br />
Department of Justice ("Electronic 1. Collection<br />
crime scene investigation: A guide 2. Examination<br />
for first responders," 2001)<br />
3. Analysis<br />
4. Reporting<br />
<strong>Digital</strong> Forensics Research<br />
1. Identification<br />
Workshop (DFRWS) (G Palmer, 2. Preservation<br />
2001, Aug) 3. Collection<br />
4. Examination<br />
5. Analysis<br />
6. Presentation<br />
7. Decision<br />
Carrier (Carrier & Spafford, 2003) 1. Preservation<br />
2. Survey<br />
3. Documentation<br />
4. Search<br />
5. Reconstruction<br />
6. Presentation<br />
Lee’s Scientific Model (H. C. Lee, et 1. Recognition of evidence<br />
al., 2001)<br />
2. Identification of evidence<br />
3. Individualize sources of evidence<br />
4. Reconstruction to depict events<br />
Casey (E Casey, 2000)<br />
1. Recognition<br />
2. Preservation, collection, documentation<br />
3. Classification, comparison, individualization<br />
4. Reconstruction
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC 155<br />
Appendix B - Base Operating System Configurations<br />
Table B1. Commands Used to Extract the Operating System Data<br />
Operating System<br />
Windows<br />
Ubuntu<br />
CentOS<br />
FreeBSD<br />
Solaris<br />
Information<br />
General<br />
Patches<br />
General<br />
Kernel<br />
Packages<br />
General<br />
Kernel<br />
Packages<br />
General<br />
Kernel<br />
Packages<br />
General<br />
Kernel<br />
Packages<br />
Command<br />
>Psinfo -s ("Windows Sysinternals: PsInfo", n.d.)<br />
>wmic<br />
> /output:z:\.txt QFE get<br />
>uname -a<br />
>lsmod<br />
>dpkg -get-selections<br />
>uname -a<br />
>lsmod<br />
>yum list installed<br />
>uname -a<br />
>ls /boot/kernel | grep -v kernel<br />
>pkg_info<br />
>uname -a<br />
>modinfo<br />
>pkginfo<br />
Table B2. Commands Used to Setup the IPv6 Tunnel Client<br />
Operating Command<br />
System<br />
Windows 1. Download the Windows Client 32/64 bit installer. ("gogoCLIENT", n.d.)<br />
2. Run Installer<br />
Ubuntu >apt-get install gogoc (Nute, 2010)<br />
Backtrack 1. Download the Linux/Unix/Mac Client Source. ("gogoCLIENT", n.d.)<br />
Linux 2. >tar xvf .gz<br />
3. >cd <br />
4. >make
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
156<br />
Operating Command<br />
System<br />
5. >make installdir=/opt/freenet-ipv6 install<br />
6. >apt-get install radvd<br />
7. >update-rc.d -f radvd remove<br />
8. >cp /usr/share/doc/radvd/ecamples/radvd.conf.example /etc/radvd.conf<br />
9. Uncomment the line in /etc/sysctl.conf to enable packet forwarding<br />
10. >cd /opt/freenet-ipv6/bin/<br />
11. >./gogoc<br />
("Backtrack IPv6 Configuration", n.d.)<br />
CentOS 1. >yum install gcc-c++<br />
2. >yum install openssl-devel.x86_64<br />
3. Download and extract the gogoc Source ("gogoCLIENT", n.d.)<br />
4. >make<br />
5. > make installdir=/opt/freenet-ipv6 install<br />
FreeBSD 1. >cd /usr/ports/net/gateway6<br />
2. >make install clean<br />
3. Add gateway6_enable = "YES" to /etc/rc.conf<br />
4. > /Usr/local/etc/rc.d/gateway6 start<br />
Solaris Not Tested<br />
Table B3. Commands Used to Setup Teredo/Miredo<br />
Operating Command<br />
System<br />
Windows 2008<br />
1. Open gpedit.msc (Goup Policy editor)<br />
2. Navigate to Comp Config->Admin Templa->Network->TCPIP->IPv6 Trn<br />
3. Change Teredo Default Qualified State to “Enabled”<br />
4. Restart Computer<br />
5. Verify with command “netsh interface teredo show state” (qualified=on)
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
157<br />
Operating<br />
System<br />
Ubuntu<br />
Backtrack<br />
Linux<br />
CentOS<br />
FreeBSD<br />
Solaris<br />
Command<br />
(Ayres, 2010)<br />
Win 7<br />
1. Repeat steps for Windows 2008<br />
2. >netsh interface teredo set state enterpriseclient a<br />
Vista<br />
Enabled by default; however, Windows firewall must be enabled.<br />
(Tylbart, 2007)<br />
XP/2003<br />
1. > netsh interface ipv6 install<br />
2. >netsh interface ipv6 set teredo client<br />
("Using Teredo in Windows XP", 2010)<br />
>apt-get install miredo<br />
Not needed<br />
1. Download and extract the Miredo Source ("Miredo", n.d.)<br />
2. >./configure --without-Judy<br />
3. > make<br />
4. > make install<br />
1. >cd /usr/ports/net/miredo<br />
2. >make install clean<br />
3. >/usr/local/sbin/miredo<br />
Not supported on Solaris.<br />
Note. a For some reason Teredo was offline because it detected that it was in a domain when it<br />
was not.This is likely due to the Enterprise version of the operating system and would not be<br />
necessary in other versions.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
158<br />
Table B4. Commands Used to Setup ISATAP<br />
Operating<br />
System<br />
Windows<br />
Ubuntu<br />
Command<br />
2008/7 Client<br />
>netsh interface isatap set router <br />
("Netsh Commands for Interface (IPv4 and IPv6)", 2008)<br />
-or<br />
1. Open gpedit.msc (Goup Policy editor)<br />
2. Navigate to Comp Config->Admin Templa->Network->TCPIP->IPv6 Trn<br />
3. Change Teredo Default State to “Enabled”<br />
(Ayres, 2010)<br />
Vista Client<br />
>netsh interface isatap set router <br />
XP/2003<br />
> netsh interface ipv6 isatap set router <br />
Router<br />
1. >ip tunnel add is0 mode isatap local ttl 64<br />
2. >ip link set is0 up<br />
3. >ip addr add ::5efe: /64 dev is0<br />
4. >apt-get install radvd<br />
5. Uncomment line net.ipv6.conf.all.forwarding=1 in /etc/sysctl.conf<br />
6. Add the following lines to /etc/radvd.conf<br />
interface is0<br />
{<br />
AdvSendAdvert on;<br />
UnicastOnly on;<br />
AdvHomeAgentFlag off;<br />
prefix ::/64<br />
{
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
159<br />
Operating<br />
System<br />
Backtrack<br />
Linux<br />
CentOS<br />
FreeBSD<br />
Solaris<br />
Command<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr off;<br />
};<br />
};<br />
7. >/etc/init.d/radvd start<br />
(Lutchann, 2002)<br />
Client<br />
8. >apt-get install isatapd<br />
9. Uncomment and add isatap router to key ISATAP_ROUTERS="" in<br />
/etc/default/isatapd<br />
(fdz, 2010)<br />
1. >apt-get install isatapd<br />
2. Uncomment and add isatap router to key ISATAP_ROUTERS="" in<br />
/etc/default/isatapd<br />
Not Tested<br />
Unable to find port/source for isatap<br />
Not Tested
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
160<br />
Table B5. Commands Used to Setup Privacy Extensions<br />
Operating Command<br />
System<br />
Windows 2008<br />
1. >netsh interface ipv6 set global randomizeidentifiers=enabled<br />
(default)<br />
2. >netsh interface ipv6 set privacy state=enabled<br />
Vista/7<br />
1. >netsh interface ipv6 set global randomizeidentifiers=enabled<br />
(default)<br />
2. >netsh interface ipv6 set privacy state=enabled<br />
(default)<br />
(Hogg, 2009)<br />
XP<br />
1. >netsh interface ipv6 install<br />
2. >netsh interface ipv6 set privacy state=enable<br />
(default)<br />
2003<br />
1. >netsh interface ipv6 install<br />
2. > netsh interface ipv6 set privacy state=enable<br />
CentOS/Ubuntu Add lines “net.ipv6.conf.eth0.use_tempaddr = 2”,<br />
“net.ipv6.conf.all.use_tempaddr = 2”, and “net.ipv6.conf.default.use_tempaddr<br />
= 2” to /etc/sysctl.conf<br />
("Enabling IPv6 Privacy Extensions on Ubuntu Linux", 2011)<br />
FreeBSD Add lines “net.inet6.ip6.use_tempaddr=1”, and<br />
“net.inet6.ip6.prefer_tempaddr=1” to /etc/sysctl.conf<br />
(Weissmann, n.d.)<br />
Solaris Add line “ifdefault TmpAddrsEnabled true” to /etc/inet/ndpd.conf<br />
("System administration guide: IP services", 2009)
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
161<br />
Table B6. Commands Used to Setup Netcat<br />
Operating Command<br />
System<br />
Windows 2008<br />
1. Install “Microsoft Visual C++ 2008 Redistributable Package (x86)”<br />
2. Extract ncat.exe, ssleay32.dll, and libeay32.dll from Windows nmap distr.<br />
3. Copy files to folder on target<br />
2003/7/Vista/XP<br />
1. Extract ncat.exe, ssleay32.dll, and libeay32.dll from Windows nmap distr.<br />
2. Copy files to folder on target<br />
Ubuntu >apt-get install nmap<br />
CentOS > rpm -vhU http://nmap.org/dist/ncat-5.51-1.x86_64.rpm<br />
FreeBSD 1. >cd /usr/ports/security/nmap<br />
2. >make install clean<br />
Solaris Install netcat from source code<br />
Table B7. Configured IPv6 Addresses<br />
OS Interface MAC Protocol Addresses<br />
28K EthLan 08-00-27-19 6to4 10.1.1.11<br />
74-27 2002:a6cb:5cb6:35:bcb6:88ca:6a61:e2d8<br />
2002:20b2:ebe9:33:bcb6:88ca:6a61:e2d8<br />
2002:a6cb:e5ea:33:bcb6:88ca:6a61:e2d8<br />
2002:a6cb:e5ea:33:cc64:ca1d:dbc8:1bbd<br />
fe80::bcb6:88ca:6a61:e2d8<br />
Teredo 00-00-00-00 Teredo 2001:0:4137:9e76:280a:c40:5934:a349<br />
00-00-00-E0<br />
fe80::280a:c40:5934:a349<br />
2001:0:4137:9e76:c3b:c11:5934:a349<br />
fe80::c3b:c11:5934:a349<br />
2001:0:4137:9e76:301d:b21:5934:a349<br />
2001:0:4137:9e76:38b8:bdf:5934:a349
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
162<br />
OS Interface MAC Protocol Addresses<br />
2001:0:4137:9e76:14a4:be6:5934:a349<br />
2001:0:4137:9e76:3869:be9:5934:a349<br />
2001:0:4137:9e76:1898:bf2:5934:a349<br />
fe80::1898:bf2:5934:a349<br />
2001:0:4137:9e76:c74:c02:5934:a349<br />
fe80::c74:c02:5934:a349<br />
2001:0:4137:9e76:c74:c02:5934:a349<br />
Gogo6 02-50-F2-00- T-Broker 2001:5c0:1400:a::11b<br />
00-01 fe80::edc2:969:1155:f9a6<br />
2001:5c0:1000:b::8f5f<br />
2001:5c0:1400:a::11b<br />
2001:5c0:1400:a::e5<br />
ISATAP 00-00-00-00- ISATAP 3ffe:ffff:1234:5678:0:5efe:10.1.1.11<br />
00-00-00-E0<br />
fe80::5efe:10.1.1.11<br />
23K EthLan 08-00-27-2F- 6to4 10.0.3.15<br />
FD-98<br />
2002:a6d9:4c6d:34:a00:27ff:fe2f:fd98<br />
2002:20b2:ebe9:33:a00:27ff:fe2f:fd98<br />
2002:a6cb:e5ea:33:146b:74d2:bf15:e528<br />
fe80::a00:27ff:fe2f:fd98<br />
Teredo 00-00-1A-61- Teredo 2001:0:4137:9e76:0:1a61:5926:b392<br />
59-26-B3-92<br />
2001:0:4137:9e76:0:3fe8:5934:752c<br />
fe80::ffff:ffff:fffd<br />
Gogo6 02-50-F2-00- T-Broker 2001:5c0:1000:b::8dff<br />
00-01 fe80::50:f2ff:fe00:1<br />
2001:5c0:1000:b::8b29<br />
2001:5c0:1000:b::91fd<br />
ISATAP 0A-01-01-0C ISATAP 3ffe:ffff:1234:5678:0:5efe:10.1.1.12<br />
fe80::5efe:10.1.1.12<br />
7 EthLan 08-00-27-91- 6to4 10.1.1.13<br />
78-19 2002:a6d9:4c6d:34:b032:f37b:cb41:b3b7
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
163<br />
OS Interface MAC Protocol<br />
Teredo 00-00-00-00 Teredo<br />
00-00-00-E0<br />
Gogo6 02-50-F2-00 T-Broker<br />
00-01<br />
ISATAP 00-00-00-00 ISATAP<br />
00-00-00-E0<br />
Vista EthLan 08-00-27-15 6to4<br />
3E-5B<br />
Teredo 02-00-54-55 Teredo<br />
4E-01<br />
Gogo6 02-50-F2-00 T-Broker<br />
00-01<br />
ISATAP 00-00-00-00- ISATAP<br />
00-00-00-E0<br />
Addresses<br />
2002:20b2:ebe9:33:b032:f37b:cb41:b3b7<br />
2002:20b2:ebe9:33:cd40:166b:7c6b:4200<br />
2002:a6cb:e5ea:33:248b:e4d9:3e1f:5a65<br />
fe80::b032:f37b:cb41:b3b7<br />
2001:0:4137:9e76:42b:c4e:5926:b392<br />
fe80::42b:c4e:5926:b392<br />
2001:0:4137:9e76:cb7:c4e:5926:b392<br />
fe80::cb7:c4e:5926:b392<br />
2001:5c0:1000:b::8fef<br />
fe80::30b5:d30c:f85b:3f0c<br />
2001:5c0:1000:b::8fef<br />
fe80::30b5:d30c:f85b:3f0c<br />
2001:5c0:1400:a::1af<br />
fe80::30b5:d30c:f85b:3f0c<br />
3ffe:ffff:1234:5678:0:5efe:10.1.1.13<br />
fe80::5efe:10.1.1.13<br />
10.1.1.14<br />
2002:a6d9:4c6d:34:cd49:8083:a388:129c<br />
2002:20b2:ebe9:33:cd49:8083:a388:129c<br />
fe80::cd49:8083:a388:129c<br />
2002:20b2:ebe9:33:a91f:5f83:a917:ceb7<br />
2002:a6cb:e5ea:33:d0ae:a09b:e540:bdd9<br />
2001:0:4137:9e76:345b:c65:df4d:5a84<br />
fe80::345b:c65:df4d:5a84<br />
2001:5c0:1000:b::8a39<br />
fe80::b474:128f:befe:93c2<br />
2001:5c0:1000:b::8a84<br />
fe80::345b:c65:df4d:5a84<br />
3ffe:ffff:1234:5678:0:5efe:10.1.1.14<br />
fe80::5efe:10.1.1.14
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
164<br />
OS Interface MAC Protocol Addresses<br />
XP EthLan 08-00-27-33- 6to4 10.0.3.15<br />
39-F3 2002:a6cb:ae5c:34:a00:27ff:fe33:39f3<br />
2002:a6cb:ae5c:34:a061:8dca:a57f:29d<br />
2002:a6d9:4c6d:34:558b:584e:d30f:d53a<br />
2002:a6cb:e5ea:33:7dae:ba67:4c74:538d<br />
fe80::a00:27ff:fe33:39f3<br />
Teredo 80-00-31-BA- Teredo 2001:0:4137:9e76:8000:31ba:5926:b392<br />
59-26-B3-92<br />
fe80::ffff:ffff:fffd<br />
2001:0:4137:9e76:0:291b:5926:b392<br />
Gogo6 02-50-F2-00- T-Broker 2001:5c0:1000:b::933b<br />
00-01 fe80::50:f2ff:fe00:1<br />
2001:5c0:1000:b::7b63<br />
fe80::50:f2ff:fe00:1<br />
2001:5c0:1000:b::92c5<br />
2001:5c0:1000:b::92b1<br />
ISATAP 0A-01-01-0F ISATAP 3ffe:ffff:1234:5678:0:5efe:10.1.1.15<br />
fe80::5efe:10.1.1.15<br />
Ubuntu eth4 08:00:27:8a:e4 6to4 10.1.1.16<br />
:79 2002:20b2:fee8:34:a00:27ff:fe8a:e479<br />
2002:20b2:ebe9:33:a00:27ff:fe8a:e479<br />
2002:a6cb:e5ea:33:f811:761c:ac5c:739e<br />
fe80::a00:27ff:fe8a:e479<br />
iso 00-00 ISATAP 3ffe:ffff:1234:5678:0:5efe:0a01:0110<br />
fe80::5efe:a01:110<br />
teredo 00-00 Teredo 2001:0:53aa:64c:3c6f:80b:df4d:117<br />
fe80::ffff:ffff:ffff<br />
2001:0:53aa:64c:2428:c73:df4d:117<br />
2001:0:53aa:64c:3089:406:df4d:1416<br />
tun 00-00 TBroker 2001:5c0:1000:b::8e61<br />
2001:5c0:1000:b::8cc7
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
165<br />
OS Interface MAC Protocol Addresses<br />
CentOS eth0 08:00:27:D9:B 6to4 10.1.1.17<br />
C:FB<br />
fe80::a00:27ff:fed9:bcfb<br />
2002:20b2:fee8:34:a00:27ff:fed9:bcfb<br />
2002:20b2:ebe9:33:a00:27ff:fed9:bcfb<br />
2002:a6cb:e5ea:33:65a0:db78:80a6:2647<br />
Teredo 00-00-00-00 Teredo 2001:0:53aa:64c:c54:b67:df4d:117<br />
2001:0:53aa:64c:c90:338:df4d:1416<br />
fe80::ffff:ffff:ffff<br />
tun 00-00-00-00 T-Broker 2001:5c0:1000:b::90bf<br />
2001:5c0:1000:b::889b<br />
FreeBSD em0 08:00:27:a8:9f: 6to4 10.1.1.18<br />
8e<br />
fe80::a00:27ff:fea8:9f8e<br />
fe80::a00:27ff:fed9:bcfb<br />
2002:20b2:fee8:34:a00:27ff:fea8:9f8e<br />
2002:20b2:ebe9:33:a00:27ff:fea8:9f8e<br />
2002:a6cb:e5ea:33:c505:6a57:6e19:9131<br />
tun0 00-00-00-00 T-Broker fe80::a00:27ff:fea8:9f8e<br />
2001:5c0:1000:b::8dd5<br />
2001:5c0:1000:b::8937<br />
2001:5c0:1000:b::87e5<br />
Teredo 00-00-00-00 Teredo 2001:0:53aa:64c:1c29:a6c:df4d:117<br />
2001:0:53aa:64c:1e35:a6c:df4d:117<br />
fe80::ffff:ffff:ffff<br />
Solaris eg1000 6to4 10.1.1.19<br />
fe80::a00:27ff:fe9a:f546<br />
2002:20b2:fee8:34:a00:27ff:fe9a:f546<br />
2002:20b2:ebe9:33:a00:27ff:fe9a:f546<br />
2002:a6cb:e5ea:33:7092:c44f:d37e:b7d1
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
166<br />
Target Node 1: Windows Server 2008 R2 Datacenter Edition v6.1 (64-bit)<br />
System information for \\28K01X64-PC:<br />
Kernel version: Windows Server 2008 R2 Datacenter, Multiprocessor Free<br />
Product type: Server<br />
Product version: 6.1<br />
Service pack: 0<br />
Kernel build number: 7600<br />
IE version: 8.0000<br />
System root: C:\Windows<br />
Processors: 2<br />
Processor speed: 2.5 GHz<br />
Processor type: Intel(R) Core(TM) i5 CPU M 540 @<br />
Physical memory: 0 MB<br />
Video driver: VirtualBox Graphics Adapter<br />
VirtualBox node configuration.<br />
Oracle VM VirtualBox Command Line Management Interface Version 4.0.2<br />
(C) 2005-2010 Oracle Corporation<br />
All rights reserved.<br />
Name: 1. 28K01x64<br />
Guest OS: Windows 2008 (64 bit)<br />
Memory size: 1024MB<br />
Page Fusion: off<br />
VRAM size: 64MB<br />
HPET: off<br />
Number of CPUs: 2<br />
Synthetic Cpu: off<br />
CPUID overrides: None<br />
Boot menu mode: message and menu<br />
Boot Device (1): DVD
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
167<br />
Boot Device (2): HardDisk<br />
ACPI: on<br />
IOAPIC: on<br />
PAE: off<br />
Time offset: 0 ms<br />
RTC: local time<br />
Hardw. virt.ext: on<br />
Hardw. virt.ext exclusive: off<br />
Nested Paging: on<br />
Large Pages: off<br />
VT-x VPID: on<br />
3D Acceleration: off<br />
2D Video Acceleration: off<br />
Teleporter Enabled: off<br />
Storage Controller Name (0): IDE Controller<br />
Storage Controller Type (0): PIIX4<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
Storage Controller Name (1): SCSI Controller<br />
Storage Controller Type (1): LsiLogic<br />
Storage Controller Instance Number (1): 0<br />
Storage Controller Max Port Count (1): 16<br />
Storage Controller Port Count (1): 16<br />
NIC 1: MAC: 0800273FD422, Attachment: NAT, Cable connected: on, Trace: off<br />
(file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0<br />
NIC 1 Settings: MTU: 0, Socket( send: 64, receive: 64), TCP Window( send:64, receive:<br />
64)<br />
NIC 2: MAC: 080027A82758, Attachment: Host-only Interface 'VirtualBox Host-<br />
Only Ethernet Adapter', Cable connected: on, Trace: off (file: none), Type: 82540EM,<br />
Reported speed: 0 Mbps, Boot priority: 0
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
168<br />
Pointing Device: PS/2 Mouse<br />
Keyboard Device: PS/2 Keyboard<br />
UART 1: disabled<br />
UART 2: disabled<br />
Audio: enabled (Driver: DSOUND, Controller: AC97)<br />
Clipboard Mode: Bidirectional<br />
VRDP: disabled<br />
USB: enabled<br />
IPConfig.<br />
Windows IP Configuration<br />
Ethernet adapter Local Area Connection:<br />
Connection-specific DNS Suffix . :<br />
Link-local IPv6 Address . . . . . : fe80::bcb6:88ca:6a61:e2d8%11<br />
IPv4 Address. . . . . . . . . . . : 10.1.1.11<br />
Subnet Mask . . . . . . . . . . . : 255.255.255.0<br />
Default Gateway . . . . . . . . . : 10.1.1.1<br />
Tunnel adapter isatap.[6117A83C-3C3E-42A8-8672-0212768612B8]:<br />
Media State . . . . . . . . . . . : Media disconnected<br />
Connection-specific DNS Suffix . :<br />
Tunnel adapter Local Area Connection* 12:<br />
Media State . . . . . . . . . . . : Media disconnected<br />
Connection-specific DNS Suffix . :
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
169<br />
C:\Users\Administrator>ipconfig /all<br />
Windows IP Configuration<br />
Host Name . . . . . . . . . . . . : 28K01x64-PC<br />
Primary Dns Suffix . . . . . . . :<br />
Node Type . . . . . . . . . . . . : Hybrid<br />
IP Routing Enabled. . . . . . . . : No<br />
WINS Proxy Enabled. . . . . . . . : No<br />
Ethernet adapter Local Area Connection:<br />
Connection-specific DNS Suffix . :<br />
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter<br />
Physical Address. . . . . . . . . : 08-00-27-19-74-27<br />
DHCP Enabled. . . . . . . . . . . : No<br />
Autoconfiguration Enabled . . . . : Yes<br />
Link-local IPv6 Address . . . . . : fe80::bcb6:88ca:6a61:e2d8%11(Preferred)<br />
IPv4 Address. . . . . . . . . . . : 10.1.1.11(Preferred)<br />
Subnet Mask . . . . . . . . . . . : 255.255.255.0<br />
Default Gateway . . . . . . . . . : 10.1.1.1<br />
DHCPv6 IAID . . . . . . . . . . . : 235405351<br />
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-7E-13-C2-08-00-27-3F-D4-22<br />
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1<br />
fec0:0:0:ffff::2%1<br />
fec0:0:0:ffff::3%1<br />
NetBIOS over Tcpip. . . . . . . . : Enabled<br />
Tunnel adapter isatap.[6117A83C-3C3E-42A8-8672-0212768612B8]:
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
170<br />
Media State . . . . . . . . . . . : Media disconnected<br />
Connection-specific DNS Suffix . :<br />
Description . . . . . . . . . . . : Microsoft ISATAP Adapter<br />
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0<br />
DHCP Enabled. . . . . . . . . . . : No<br />
Autoconfiguration Enabled . . . . : Yes<br />
Tunnel adapter Local Area Connection* 12:<br />
Media State . . . . . . . . . . . : Media disconnected<br />
Connection-specific DNS Suffix . :<br />
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface<br />
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0<br />
DHCP Enabled. . . . . . . . . . . : No<br />
Autoconfiguration Enabled . . . . : Yes<br />
Target Node 2: Windows Server 2003 R2 Enterprise Edition v5.2 SP2 (64-bit)<br />
System information for \\23K01X64-PC:<br />
Kernel version: Microsoft Windows Server 2003, Multiprocessor Free<br />
Product type: Enterprise Edition<br />
Product version: 5.2<br />
Service pack: 2<br />
Kernel build number: 3790<br />
IE version: 8.0000<br />
System root: C:\WINDOWS<br />
Processors: 2<br />
Processor speed: 2.5 GHz<br />
Processor type: Intel(R) Core(TM) i5 CPU M 540 @<br />
Physical memory: 0 MB<br />
Video driver: VirtualBox Graphics Adapter
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
171<br />
VirtualBox node configuration.<br />
Oracle VM VirtualBox Command Line Management Interface Version 4.0.2<br />
(C) 2005-2010 Oracle Corporation<br />
All rights reserved.<br />
Name: 2. 23K01x64<br />
Guest OS: Windows 2003 (64 bit)<br />
Memory size: 1024MB<br />
Page Fusion: off<br />
VRAM size: 64MB<br />
HPET: off<br />
Number of CPUs: 2<br />
Synthetic Cpu: off<br />
CPUID overrides: None<br />
Boot menu mode: message and menu<br />
Boot Device (1): DVD<br />
Boot Device (2): HardDisk<br />
ACPI: on<br />
IOAPIC: on<br />
PAE: off<br />
Time offset: 0 ms<br />
RTC: local time<br />
Hardw. virt.ext: on<br />
Hardw. virt.ext exclusive: off<br />
Nested Paging: on<br />
Large Pages: off<br />
VT-x VPID: on<br />
3D Acceleration: off<br />
2D Video Acceleration: on<br />
Teleporter Enabled: off
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
172<br />
Storage Controller Name (0): IDE Controller<br />
Storage Controller Type (0): PIIX4<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
Storage Controller Name (1): SCSI Controller<br />
Storage Controller Type (1): LsiLogic<br />
Storage Controller Instance Number (1): 0<br />
Storage Controller Max Port Count (1): 16<br />
Storage Controller Port Count (1): 16<br />
NIC 1: MAC: 080027034D17, Attachment: NAT, Cable connected: on, Trace: off<br />
(file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0<br />
NIC 1 Settings: MTU: 0, Socket( send: 64, receive: 64), TCP Window( send:64, receive:<br />
64)<br />
NIC 2: MAC: 0800277E313B, Attachment: Host-only Interface 'VirtualBox Host-<br />
Only Ethernet Adapter', Cable connected: on, Trace: off (file: none), Type: 82540EM,<br />
Reported speed: 0 Mbps, Boot priority: 0<br />
Pointing Device: PS/2 Mouse<br />
Keyboard Device: PS/2 Keyboard<br />
UART 1: disabled<br />
UART 2: disabled<br />
Audio: enabled (Driver: DSOUND, Controller: AC97)<br />
Clipboard Mode: Bidirectional<br />
VRDP: disabled<br />
USB: enabled<br />
Target Node 3: Microsoft Windows 7 Enterprise v6.1 (64-bit)<br />
System information for \\7X64-PC:<br />
Kernel version: Windows 7 Enterprise, Multiprocessor Free<br />
Product type: Professional
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
173<br />
Product version: 6.1<br />
Service pack: 0<br />
Kernel build number: 7600<br />
IE version: 8.0000<br />
System root: C:\Windows<br />
Processors: 2<br />
Processor speed: 2.5 GHz<br />
Processor type: Intel(R) Core(TM) i5 CPU M 540 @<br />
Physical memory: 0 MB<br />
Video driver: VirtualBox Graphics Adapter<br />
VirtualBox node configuration.<br />
Oracle VM VirtualBox Command Line Management Interface Version 4.0.2<br />
(C) 2005-2010 Oracle Corporation<br />
All rights reserved.<br />
Name: 3. Vista01x64<br />
Guest OS: Windows Vista (64 bit)<br />
Memory size: 1904MB<br />
Page Fusion: off<br />
VRAM size: 64MB<br />
HPET: off<br />
Number of CPUs: 2<br />
Synthetic Cpu: off<br />
CPUID overrides: None<br />
Boot menu mode: message and menu<br />
Boot Device (1): DVD<br />
Boot Device (2): HardDisk<br />
ACPI: on<br />
IOAPIC: on<br />
PAE: off
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
174<br />
Time offset: 0 ms<br />
RTC: local time<br />
Hardw. virt.ext: on<br />
Hardw. virt.ext exclusive: off<br />
Nested Paging: on<br />
Large Pages: off<br />
VT-x VPID: on<br />
3D Acceleration: off<br />
2D Video Acceleration: off<br />
Teleporter Enabled: off<br />
Storage Controller Name (0): IDE Controller<br />
Storage Controller Type (0): PIIX4<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
Storage Controller Name (1): SATA Controller<br />
Storage Controller Type (1): IntelAhci<br />
Storage Controller Instance Number (1): 0<br />
Storage Controller Max Port Count (1): 30<br />
Storage Controller Port Count (1): 1<br />
NIC 1: MAC: 080027E56409, Attachment: NAT, Cable connected: on, Trace: off<br />
(file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0<br />
NIC 1 Settings: MTU: 0, Socket( send: 64, receive: 64), TCP Window( send:64, receive:<br />
64)<br />
NIC 2: MAC: 080027C60E69, Attachment: Host-only Interface 'VirtualBox Host-<br />
Only Ethernet Adapter', Cable connected: on, Trace: off (file: none), Type: 82540EM,<br />
Reported speed: 0 Mbps, Boot priority: 0<br />
Pointing Device: PS/2 Mouse<br />
Keyboard Device: PS/2 Keyboard<br />
UART 1: disabled<br />
UART 2: disabled
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
175<br />
Audio: enabled (Driver: DSOUND, Controller: AC97)<br />
Clipboard Mode: Bidirectional<br />
VRDP: disabled<br />
USB: enabled<br />
IPConfig.<br />
Microsoft Windows [Version 6.1.7600]<br />
Copyright (c) 2009 Microsoft Corporation. All rights reserved.<br />
C:\Users\sabreadmin>ipconfig /all<br />
Windows IP Configuration<br />
Host Name . . . . . . . . . . . . : 3-7x64<br />
Primary Dns Suffix . . . . . . . :<br />
Node Type . . . . . . . . . . . . : Hybrid<br />
IP Routing Enabled. . . . . . . . : No<br />
WINS Proxy Enabled. . . . . . . . : No<br />
Ethernet adapter Local Area Connection 2:<br />
Connection-specific DNS Suffix . :<br />
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter #2<br />
Physical Address. . . . . . . . . : 08-00-27-91-78-19<br />
DHCP Enabled. . . . . . . . . . . : No<br />
Autoconfiguration Enabled . . . . : Yes<br />
IPv6 Address. . . . . . . . . . . : 2002:20b2:1b3c:36:b032:f37b:cb41:b3b7(Pre<br />
ferred)<br />
Site-local IPv6 Address . . . . . : fec0::36:b032:f37b:cb41:b3b7%1(Preferred)<br />
Temporary IPv6 Address. . . . . . : 2002:20b2:1b3c:36:8145:25d6:cea3:f4b4(Pre
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
176<br />
ferred)<br />
Link-local IPv6 Address . . . . . : fe80::b032:f37b:cb41:b3b7%14(Preferred)<br />
IPv4 Address. . . . . . . . . . . : 10.1.1.13(Preferred)<br />
Subnet Mask . . . . . . . . . . . : 255.255.255.0<br />
Default Gateway . . . . . . . . . : fe80::a0a4:b5:662:bbe7%14<br />
10.1.1.1<br />
DHCPv6 IAID . . . . . . . . . . . : 285736999<br />
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-EE-9A-20-08-00-27-1F-4F-A1<br />
DNS Servers . . . . . . . . . . . : 8.8.8.8<br />
8.8.4.4<br />
NetBIOS over Tcpip. . . . . . . . : Enabled<br />
Tunnel adapter isatap.{5090D42E-2E3D-4F74-B5A3-8FFBFF0E1DF5}:<br />
Media State . . . . . . . . . . . : Media disconnected<br />
Connection-specific DNS Suffix . :<br />
Description . . . . . . . . . . . : Microsoft ISATAP Adapter<br />
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0<br />
DHCP Enabled. . . . . . . . . . . : No<br />
Autoconfiguration Enabled . . . . : Yes<br />
Tunnel adapter Local Area Connection* 11:<br />
Connection-specific DNS Suffix . :<br />
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface<br />
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0<br />
DHCP Enabled. . . . . . . . . . . : No<br />
Autoconfiguration Enabled . . . . : Yes<br />
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1c74:1242:f5fe:fef2(Pref<br />
erred)
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
177<br />
Link-local IPv6 Address . . . . . : fe80::1c74:1242:f5fe:fef2%13(Preferred)<br />
Default Gateway . . . . . . . . . :<br />
NetBIOS over Tcpip. . . . . . . . : Disabled<br />
Target Node 4: Microsoft Windows Vista Enterprise v6.0 SP2 (64-bit)<br />
System information for \\VIAST01X64-PC:<br />
Kernel version: Windows (TM) Vista Enterprise, Multiprocessor Free<br />
Product type: Professional<br />
Product version: 6.0<br />
Service pack: 2<br />
Kernel build number: 6002<br />
IE version: 8.0000<br />
System root: C:\Windows<br />
Processors: 2<br />
Processor speed: 2.5 GHz<br />
Processor type: Intel(R) Core(TM) i5 CPU M 540 @<br />
Physical memory: 0 MB<br />
Video driver: VirtualBox Graphics Adapter<br />
VirtualBox node configuration.<br />
Oracle VM VirtualBox Command Line Management Interface Version 4.0.2<br />
(C) 2005-2010 Oracle Corporation<br />
All rights reserved.<br />
Name: 4. Vista01x64<br />
Guest OS: Windows Vista (64 bit)<br />
Memory size: 1904MB<br />
Page Fusion: off<br />
VRAM size: 64MB<br />
HPET: off<br />
Number of CPUs: 2
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
178<br />
Synthetic Cpu: off<br />
CPUID overrides: None<br />
Boot menu mode: message and menu<br />
Boot Device (1): DVD<br />
Boot Device (2): HardDisk<br />
ACPI: on<br />
IOAPIC: on<br />
PAE: off<br />
Time offset: 0 ms<br />
RTC: local time<br />
Hardw. virt.ext: on<br />
Hardw. virt.ext exclusive: off<br />
Nested Paging: on<br />
Large Pages: off<br />
VT-x VPID: on<br />
3D Acceleration: off<br />
2D Video Acceleration: off<br />
Teleporter Enabled: off<br />
Storage Controller Name (0): IDE Controller<br />
Storage Controller Type (0): PIIX4<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
Storage Controller Name (1): SATA Controller<br />
Storage Controller Type (1): IntelAhci<br />
Storage Controller Instance Number (1): 0<br />
Storage Controller Max Port Count (1): 30<br />
Storage Controller Port Count (1): 1<br />
NIC 1: MAC: 080027E56409, Attachment: NAT, Cable connected: on, Trace: off<br />
(file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
179<br />
NIC 1 Settings: MTU: 0, Socket( send: 64, receive: 64), TCP Window( send:64, receive:<br />
64)<br />
NIC 2: MAC: 080027C60E69, Attachment: Host-only Interface 'VirtualBox Host-<br />
Only Ethernet Adapter', Cable connected: on, Trace: off (file: none), Type: 82540EM,<br />
Reported speed: 0 Mbps, Boot priority: 0<br />
Pointing Device: PS/2 Mouse<br />
Keyboard Device: PS/2 Keyboard<br />
UART 1: disabled<br />
UART 2: disabled<br />
Audio: enabled (Driver: DSOUND, Controller: AC97)<br />
Clipboard Mode: Bidirectional<br />
VRDP: disabled<br />
USB: enabled<br />
IPConfig.<br />
Microsoft Windows [Version 6.0.6002]<br />
Copyright (c) 2006 Microsoft Corporation. All rights reserved.<br />
C:\Users\sabreadmin>ipconfig /all<br />
Windows IP Configuration<br />
Host Name . . . . . . . . . . . . : viast01x64-PC<br />
Primary Dns Suffix . . . . . . . :<br />
Node Type . . . . . . . . . . . . : Hybrid<br />
IP Routing Enabled. . . . . . . . : No<br />
WINS Proxy Enabled. . . . . . . . : No<br />
Ethernet adapter Local Area Connection:<br />
Connection-specific DNS Suffix . :
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
180<br />
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter<br />
Physical Address. . . . . . . . . : 08-00-27-15-3E-5B<br />
DHCP Enabled. . . . . . . . . . . : No<br />
Autoconfiguration Enabled . . . . : Yes<br />
IPv6 Address. . . . . . . . . . . : 2002:20b2:1b3c:36:cd49:8083:a388:129c(Pre<br />
ferred)<br />
Site-local IPv6 Address . . . . . : fec0::36:cd49:8083:a388:129c%1(Preferred)<br />
Temporary IPv6 Address. . . . . . : 2002:20b2:1b3c:36:9cc5:58e9:f459:43c(Pref<br />
erred)<br />
Link-local IPv6 Address . . . . . : fe80::cd49:8083:a388:129c%10(Preferred)<br />
IPv4 Address. . . . . . . . . . . : 10.1.1.14(Preferred)<br />
Subnet Mask . . . . . . . . . . . : 255.255.255.0<br />
Default Gateway . . . . . . . . . : fe80::a0a4:b5:662:bbe7%10<br />
10.1.1.1<br />
DHCPv6 IAID . . . . . . . . . . . : 252182567<br />
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-80-D6-C6-08-00-27-E5-64-09<br />
DNS Servers . . . . . . . . . . . : 8.8.8.8<br />
8.8.4.4<br />
NetBIOS over Tcpip. . . . . . . . : Enabled<br />
Tunnel adapter Local Area Connection* 6:<br />
Media State . . . . . . . . . . . : Media disconnected<br />
Connection-specific DNS Suffix . :<br />
Description . . . . . . . . . . . : isatap.{AE6E1630-7C91-43B0-860F-2C086B873<br />
61E}<br />
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0<br />
DHCP Enabled. . . . . . . . . . . : No<br />
Autoconfiguration Enabled . . . . : Yes
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
181<br />
Tunnel adapter Local Area Connection* 7:<br />
Connection-specific DNS Suffix . :<br />
Description . . . . . . . . . . . : Microsoft Tun Miniport Adapter<br />
Physical Address. . . . . . . . . : 02-00-54-55-4E-01<br />
DHCP Enabled. . . . . . . . . . . : No<br />
Autoconfiguration Enabled . . . . : Yes<br />
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:14f4:1f45:f5fe:fef1(Pref<br />
erred)<br />
Link-local IPv6 Address . . . . . : fe80::14f4:1f45:f5fe:fef1%17(Preferred)<br />
Default Gateway . . . . . . . . . :<br />
NetBIOS over Tcpip. . . . . . . . : Disabled<br />
Target Node 5: Microsoft Windows XP Professional v5.1 SP3 (32-bit)<br />
System information for \\XP01X86-PC:<br />
Kernel version: Microsoft Windows XP, Uniprocessor Free<br />
Product type: Professional<br />
Product version: 5.1<br />
Service pack: 3<br />
Kernel build number: 2600<br />
IE version: 8.0000<br />
System root: C:\WINDOWS<br />
Processors: 1<br />
Processor speed: 2.4 GHz<br />
Processor type: Intel(R) Core(TM) i5 CPU M 540 @<br />
Physical memory: 512 MB<br />
Video driver: VirtualBox Graphics Adapter<br />
VirtualBox node configuration.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
182<br />
Oracle VM VirtualBox Command Line Management Interface Version 4.0.2<br />
(C) 2005-2010 Oracle Corporation<br />
All rights reserved.<br />
Name: 5. XP01x86<br />
Guest OS: Windows XP<br />
Memory size: 512MB<br />
Page Fusion: off<br />
VRAM size: 64MB<br />
HPET: off<br />
Number of CPUs: 1<br />
Synthetic Cpu: off<br />
CPUID overrides: None<br />
Boot menu mode: message and menu<br />
Boot Device (1): DVD<br />
Boot Device (2): HardDisk<br />
ACPI: on<br />
IOAPIC: on<br />
PAE: off<br />
Time offset: 0 ms<br />
RTC: local time<br />
Hardw. virt.ext: on<br />
Hardw. virt.ext exclusive: off<br />
Nested Paging: on<br />
Large Pages: off<br />
VT-x VPID: on<br />
3D Acceleration: off<br />
2D Video Acceleration: on<br />
Teleporter Enabled: off<br />
Storage Controller Name (0): IDE Controller<br />
Storage Controller Type (0): PIIX4
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
183<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
NIC 1: MAC: 080027D245AC, Attachment: NAT, Cable connected: on, Trace: off<br />
(file: none), Type: Am79C973, Reported speed: 0 Mbps, Boot priority: 0<br />
NIC 1 Settings: MTU: 0, Socket( send: 64, receive: 64), TCP Window( send:64, receive:<br />
64)<br />
NIC 2: MAC: 0800278775E5, Attachment: Host-only Interface 'VirtualBox Host-<br />
Only Ethernet Adapter', Cable connected: on, Trace: off (file: none), Type: Am79C973,<br />
Reported speed: 0 Mbps, Boot priority: 0<br />
Pointing Device: PS/2 Mouse<br />
Keyboard Device: PS/2 Keyboard<br />
UART 1: disabled<br />
UART 2: disabled<br />
Audio: enabled (Driver: DSOUND, Controller: AC97)<br />
Clipboard Mode: Bidirectional<br />
VRDP: disabled<br />
USB: enabled<br />
Target Node 6:. Linux Ubuntu Desktop v10.10 (64-bit Kernel v2.6.35)<br />
Linux Ubuntu Desktop v10.10 (64-bit Kernel v2.6.35 http://www.ubuntu.com<br />
Linux UB01x64-PC 2.6.35-24-generic #42-Ubuntu SMP Thu Dec 2 02:41:37 UTC 2010 x86_64<br />
GNU/Linux<br />
VirtualBox node configuration.<br />
Oracle VM VirtualBox Command Line Management Interface Version 4.0.2<br />
(C) 2005-2010 Oracle Corporation<br />
All rights reserved.<br />
Name:<br />
6. UB01x64
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
184<br />
Guest OS: Ubuntu (64 bit)<br />
Memory size: 512MB<br />
Page Fusion: off<br />
VRAM size: 64MB<br />
HPET: off<br />
Number of CPUs: 2<br />
Synthetic Cpu: off<br />
CPUID overrides: None<br />
Boot menu mode: message and menu<br />
Boot Device (1): DVD<br />
Boot Device (2): HardDisk<br />
ACPI: on<br />
IOAPIC: on<br />
PAE: off<br />
Time offset: 0 ms<br />
RTC: UTC<br />
Hardw. virt.ext: on<br />
Hardw. virt.ext exclusive: off<br />
Nested Paging: on<br />
Large Pages: off<br />
VT-x VPID: on<br />
3D Acceleration: on<br />
2D Video Acceleration: off<br />
Teleporter Enabled: off<br />
Storage Controller Name (0): IDE Controller<br />
Storage Controller Type (0): PIIX4<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
Storage Controller Name (1): SCSI Controller<br />
Storage Controller Type (1): LsiLogic
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
185<br />
Storage Controller Instance Number (1): 0<br />
Storage Controller Max Port Count (1): 16<br />
Storage Controller Port Count (1): 16<br />
NIC 1: MAC: 08002712F3B4, Attachment: NAT, Cable connected: on, Trace: off<br />
(file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0<br />
NIC 1 Settings: MTU: 0, Socket( send: 64, receive: 64), TCP Window( send:64, receive:<br />
64)<br />
NIC 2: MAC: 0800275B3ABB, Attachment: Host-only Interface 'VirtualBox Host-<br />
Only Ethernet Adapter', Cable connected: on, Trace: off (file: none), Type: 82540EM,<br />
Reported speed: 0 Mbps, Boot priority: 0<br />
NIC 3: MAC: 08002734649A, Attachment: Internal Network 'intnet', Cable<br />
connected: on, Trace: off (file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot<br />
priority: 0<br />
Pointing Device: USB Tablet<br />
Keyboard Device: PS/2 Keyboard<br />
UART 1: disabled<br />
UART 2: disabled<br />
Audio: enabled (Driver: DSOUND, Controller: AC97)<br />
Clipboard Mode: Bidirectional<br />
VRDP: disabled<br />
USB: enabled<br />
Ifconfig.<br />
kcrosby@UB01x64-PC:~$ ifconfig<br />
eth4 Link encap:Ethernet HWaddr 08:00:27:8a:e4:79<br />
inet addr:10.1.1.16 Bcast:10.1.1.255 Mask:255.255.255.0<br />
inet6 addr: fec0::36:a00:27ff:fe8a:e479/64 Scope:Site<br />
inet6 addr: 2002:20b2:1b3c:36:a00:27ff:fe8a:e479/64 Scope:Global<br />
inet6 addr: fe80::a00:27ff:fe8a:e479/64 Scope:Link<br />
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br />
RX packets:3964 errors:0 dropped:0 overruns:0 frame:0
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
186<br />
TX packets:3503 errors:0 dropped:0 overruns:0 carrier:0<br />
collisions:0 txqueuelen:1000<br />
RX bytes:1117147 (1.1 MB) TX bytes:276219 (276.2 KB)<br />
lo Link encap:Local Loopback<br />
inet addr:127.0.0.1 Mask:255.0.0.0<br />
inet6 addr: ::1/128 Scope:Host<br />
UP LOOPBACK RUNNING MTU:16436 Metric:1<br />
RX packets:12 errors:0 dropped:0 overruns:0 frame:0<br />
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0<br />
collisions:0 txqueuelen:0<br />
RX bytes:720 (720.0 B) TX bytes:720 (720.0 B)<br />
Target Node 7: CentOS v5.5 (64-bit Red Hat Base Kernel v2.6.18)<br />
CentOS v5.5 (64-bit Red Hat Base)<br />
Kernel: Linux localhost.localdomain 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:52:25 EST<br />
2011 x86_64 x86_64 x86_64 GNU/Linux<br />
http://www.centos.org<br />
VirtualBox node configuration.<br />
Oracle VM VirtualBox Command Line Management Interface Version 4.0.2<br />
(C) 2005-2010 Oracle Corporation<br />
All rights reserved.<br />
Name: 7. centOSx64<br />
Guest OS: Red Hat (64 bit)<br />
Memory size: 512MB<br />
Page Fusion: off<br />
VRAM size: 12MB<br />
HPET: off<br />
Number of CPUs: 1
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
187<br />
Synthetic Cpu: off<br />
CPUID overrides: None<br />
Boot menu mode: message and menu<br />
Boot Device (1): DVD<br />
Boot Device (2): HardDisk<br />
Boot Device (3): Not Assigned<br />
Boot Device (4): Not Assigned<br />
ACPI: on<br />
IOAPIC: on<br />
PAE: on<br />
Time offset: 0 ms<br />
RTC: UTC<br />
Hardw. virt.ext: on<br />
Hardw. virt.ext exclusive: off<br />
Nested Paging: on<br />
Large Pages: off<br />
VT-x VPID: on<br />
3D Acceleration: off<br />
2D Video Acceleration: off<br />
Teleporter Enabled: off<br />
Storage Controller Name (0): IDE Controller<br />
Storage Controller Type (0): PIIX4<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
Storage Controller Name (1): SCSI Controller<br />
Storage Controller Type (1): LsiLogic<br />
Storage Controller Instance Number (1): 0<br />
Storage Controller Max Port Count (1): 16<br />
Storage Controller Port Count (1): 16
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
188<br />
NIC 1: MAC: 080027B5908E, Attachment: NAT, Cable connected: on, Trace: off<br />
(file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0<br />
NIC 1 Settings: MTU: 0, Socket( send: 64, receive: 64), TCP Window( send:64, receive:<br />
64)<br />
Pointing Device: PS/2 Mouse<br />
Keyboard Device: PS/2 Keyboard<br />
UART 1: disabled<br />
UART 2: disabled<br />
Audio: enabled (Driver: DSOUND, Controller: AC97)<br />
Clipboard Mode: Bidirectional<br />
VRDP: disabled<br />
USB: enabled<br />
Ifconfig.<br />
[root@localhost ~]# ifconfig<br />
eth0 Link encap:Ethernet HWaddr 08:00:27:D9:BC:FB<br />
inet addr:10.1.1.17 Bcast:10.1.1.255 Mask:255.255.255.0<br />
inet6 addr: fec0::36:a00:27ff:fed9:bcfb/64 Scope:Site<br />
inet6 addr: 2002:20b2:1b3c:36:a00:27ff:fed9:bcfb/64 Scope:Global<br />
inet6 addr: fe80::a00:27ff:fed9:bcfb/64 Scope:Link<br />
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br />
RX packets:81 errors:0 dropped:0 overruns:0 frame:0<br />
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0<br />
collisions:0 txqueuelen:1000<br />
RX bytes:8402 (8.2 KiB) TX bytes:6856 (6.6 KiB)<br />
lo<br />
Link encap:Local Loopback<br />
inet addr:127.0.0.1 Mask:255.0.0.0<br />
inet6 addr: ::1/128 Scope:Host<br />
UP LOOPBACK RUNNING MTU:16436 Metric:1<br />
RX packets:8135 errors:0 dropped:0 overruns:0 frame:0
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
189<br />
TX packets:8135 errors:0 dropped:0 overruns:0 carrier:0<br />
collisions:0 txqueuelen:0<br />
RX bytes:3191000 (3.0 MiB) TX bytes:3191000 (3.0 MiB)<br />
Target Node 8: FreeBSD v8.1 (64-bit)<br />
FreeBSD freebsdx64 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC<br />
2010 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64<br />
VirtualBox node configuration.<br />
Oracle VM VirtualBox Command Line Management Interface Version 4.0.2<br />
(C) 2005-2010 Oracle Corporation<br />
All rights reserved.<br />
Name: 8. FreeBSDx64<br />
Guest OS: FreeBSD (64 bit)<br />
Memory size: 128MB<br />
Page Fusion: off<br />
VRAM size: 6MB<br />
HPET: off<br />
Number of CPUs: 1<br />
Synthetic Cpu: off<br />
CPUID overrides: None<br />
Boot menu mode: message and menu<br />
Boot Device (1): Floppy<br />
Boot Device (2): DVD<br />
Boot Device (3): HardDisk<br />
Boot Device (4): Not Assigned<br />
ACPI: on<br />
IOAPIC: on<br />
PAE: off<br />
Time offset: 0 ms
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
190<br />
RTC: local time<br />
Hardw. virt.ext: on<br />
Hardw. virt.ext exclusive: off<br />
Nested Paging: on<br />
Large Pages: off<br />
VT-x VPID: on<br />
3D Acceleration: off<br />
2D Video Acceleration: off<br />
Teleporter Enabled: off<br />
Storage Controller Name (0): IDE Controller<br />
Storage Controller Type (0): PIIX4<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
Storage Controller Name (1): SCSI Controller<br />
Storage Controller Type (1): LsiLogic<br />
Storage Controller Instance Number (1): 0<br />
Storage Controller Max Port Count (1): 16<br />
Storage Controller Port Count (1): 16<br />
IDE Controller (1, 0): Empty<br />
NIC 1 Settings: MTU: 0, Socket( send: 64, receive: 64), TCP Window( send:64, receive:<br />
64)<br />
NIC 2: MAC: 080027ED4103, Attachment: Host-only Interface 'VirtualBox Host-<br />
Only Ethernet Adapter', Cable connected: on, Trace: off (file: none), Type: 82540EM,<br />
Reported speed: 0 Mbps, Boot priority: 0<br />
Pointing Device: PS/2 Mouse<br />
Keyboard Device: PS/2 Keyboard<br />
UART 1: disabled<br />
UART 2: disabled<br />
Audio: enabled (Driver: DSOUND, Controller: AC97)<br />
Clipboard Mode: Bidirectional
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
191<br />
VRDP:<br />
USB:<br />
disabled<br />
enabled<br />
Target Node 9: Oracle Solaris 11 Express v5.11 (64-bit)<br />
SunOS sol01x64 5.11 snv_151a i86pc i386 i86pc<br />
VirtualBox node configuration.<br />
Oracle VM VirtualBox Command Line Management Interface Version 4.0.2<br />
(C) 2005-2010 Oracle Corporation<br />
All rights reserved.<br />
Name: 9. sol01x64<br />
Guest OS: Solaris (64 bit)<br />
Memory size: 1024MB<br />
Page Fusion: off<br />
VRAM size: 12MB<br />
HPET: off<br />
Number of CPUs: 1<br />
Synthetic Cpu: off<br />
CPUID overrides: None<br />
Boot menu mode: message and menu<br />
Boot Device (1): DVD<br />
Boot Device (2): HardDisk<br />
ACPI: on<br />
IOAPIC: on<br />
PAE: off<br />
Time offset: 0 ms<br />
RTC: local time<br />
Hardw. virt.ext: on<br />
Hardw. virt.ext exclusive: off<br />
Nested Paging: on
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
192<br />
Large Pages: off<br />
VT-x VPID: on<br />
3D Acceleration: off<br />
2D Video Acceleration: off<br />
Teleporter Enabled: off<br />
Storage Controller Name (0): IDE Controller<br />
Storage Controller Type (0): PIIX4<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
Storage Controller Name (1): SCSI Controller<br />
Storage Controller Type (1): LsiLogic<br />
Storage Controller Instance Number (1): 0<br />
Storage Controller Max Port Count (1): 16<br />
Storage Controller Port Count (1): 16<br />
NIC 1: MAC: 08002714A8CD, Attachment: NAT, Cable connected: on, Trace: off<br />
(file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0<br />
NIC 1 Settings: MTU: 0, Socket( send: 64, receive: 64), TCP Window( send:64, receive:<br />
64)<br />
NIC 2: MAC: 0800276921C9, Attachment: Host-only Interface 'VirtualBox Host-<br />
Only Ethernet Adapter', Cable connected: on, Trace: off (file: none), Type: 82540EM,<br />
Reported speed: 0 Mbps, Boot priority: 0<br />
Pointing Device: PS/2 Mouse<br />
Keyboard Device: PS/2 Keyboard<br />
UART 1: disabled<br />
UART 2: disabled<br />
Audio: enabled (Driver: DSOUND, Controller: AC97)<br />
Clipboard Mode: Bidirectional<br />
VRDP: disabled<br />
USB: enabled
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
193<br />
Research Node 1: Linux Backtrack v4 R2 (32-bit Ubuntu Base Kernel v 2.6.35.8)<br />
Linux Backtrack v4 R2 (32-bit Debian/Ubuntu Base)<br />
Kernel: Linux bt 2.6.35.8 #1 SMP Sun Nov 14 06:32:36 EST 2010 i686 GNU/Linux<br />
http://www.backtrack-linux.org/downloads/<br />
VirtualBox node configuration.<br />
Oracle VM VirtualBox Command Line Management Interface Version 4.0.2<br />
(C) 2005-2010 Oracle Corporation<br />
All rights reserved.<br />
Name: BTx86<br />
Guest OS: Ubuntu<br />
Memory size: 512MB<br />
Page Fusion: off<br />
VRAM size: 12MB<br />
HPET: off<br />
Number of CPUs: 2<br />
Synthetic Cpu: off<br />
CPUID overrides: None<br />
Boot menu mode: message and menu<br />
Boot Device (1): DVD<br />
Boot Device (2): HardDisk<br />
ACPI: on<br />
IOAPIC: on<br />
PAE: on<br />
Time offset: 0 ms<br />
RTC: UTC<br />
Hardw. virt.ext: on<br />
Hardw. virt.ext exclusive: off<br />
Nested Paging: on<br />
Large Pages: off
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
194<br />
VT-x VPID: on<br />
3D Acceleration: off<br />
2D Video Acceleration: off<br />
Teleporter Enabled: off<br />
Storage Controller Name (0): IDE Controller<br />
Storage Controller Type (0): PIIX4<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
Storage Controller Name (1): SATA Controller<br />
Storage Controller Type (1): IntelAhci<br />
Storage Controller Instance Number (1): 0<br />
Storage Controller Max Port Count (1): 30<br />
Storage Controller Port Count (1): 1<br />
NIC 1: MAC: 0800275054E3, Attachment: NAT, Cable connected: on, Trace: off<br />
(file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0<br />
NIC 1 Settings: MTU: 0, Socket( send: 64, receive: 64), TCP Window( send:64, receive:<br />
64)<br />
NIC 2: MAC: 0800274D586D, Attachment: Host-only Interface 'VirtualBox Host-<br />
Only Ethernet Adapter', Cable connected: on, Trace: off (file: none), Type: 82540EM,<br />
Reported speed: 0 Mbps, Boot priority: 0<br />
Pointing Device: USB Tablet<br />
Keyboard Device: PS/2 Keyboard<br />
Audio: enabled (Driver: DSOUND, Controller: AC97)<br />
Clipboard Mode: Bidirectional<br />
VRDP: disabled<br />
USB: enabled<br />
Research node 2: Linux Ubuntu Desktop v10.10 (32-bit Kernel v2.6.35)<br />
Linux UBx32 2.6.35-24-generic #42-Ubuntu SMP Thu Dec 2 01:41:57 UTC 2010 i686<br />
GNU/Linux
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
195<br />
VirtualBox node configuration.<br />
Oracle VM VirtualBox Command Line Management Interface Version 4.0.2<br />
(C) 2005-2010 Oracle Corporation<br />
All rights reserved.<br />
Name: UBx32<br />
Guest OS: Ubuntu<br />
Memory size: 512MB<br />
Page Fusion: off<br />
VRAM size: 64MB<br />
HPET: off<br />
Number of CPUs: 2<br />
Synthetic Cpu: off<br />
CPUID overrides: None<br />
Boot menu mode: message and menu<br />
Boot Device (1): DVD<br />
Boot Device (2): HardDisk<br />
ACPI: on<br />
IOAPIC: on<br />
PAE: on<br />
Time offset: 0 ms<br />
RTC: UTC<br />
Hardw. virt.ext: on<br />
Hardw. virt.ext exclusive: off<br />
Nested Paging: on<br />
Large Pages: off<br />
VT-x VPID: on<br />
3D Acceleration: off<br />
2D Video Acceleration: off<br />
Teleporter Enabled: off
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
196<br />
Storage Controller Name (0): IDE Controller<br />
Storage Controller Type (0): PIIX4<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
Storage Controller Name (1): SATA Controller<br />
Storage Controller Type (1): IntelAhci<br />
Storage Controller Instance Number (1): 0<br />
Storage Controller Max Port Count (1): 30<br />
Storage Controller Port Count (1): 1<br />
NIC 1: MAC: 080027D6147A, Attachment: NAT, Cable connected: on, Trace: off<br />
(file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0<br />
NIC 1 Settings: MTU: 0, Socket( send: 64, receive: 64), TCP Window( send:64, receive:<br />
64)<br />
NIC 2: MAC: 080027D08549, Attachment: Host-only Interface 'VirtualBox Host-<br />
Only Ethernet Adapter', Cable connected: on, Trace: off (file: none), Type: 82540EM,<br />
Reported speed: 0 Mbps, Boot priority: 0<br />
Pointing Device: USB Tablet<br />
Keyboard Device: PS/2 Keyboard<br />
Audio: enabled (Driver: DSOUND, Controller: AC97)<br />
Clipboard Mode: Bidirectional<br />
Video mode: 800x600x32<br />
VRDP: disabled<br />
USB: enabled<br />
Configured memory balloon size: 0 MB<br />
Research node 3: Linux Ubuntu Desktop v10.10 (32-bit Kernel v2.6.32)<br />
Linux li247-95 2.6.32.16-linode28 #1 SMP Sun Jul 25 21:32:42 UTC 2010 i686 GNU/Linux<br />
Host settings.<br />
http://www.linode.com/
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC 197<br />
Plan Linode 512<br />
Ram: 512<br />
Storage: 16GB<br />
Transfer: 200GB<br />
Data Center: Newark, NJ
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
198<br />
Annotated Bibliography<br />
Afifi, H., & Toutain, L. (1999). Methods for IPv4-IPv6 transition. Paper presented at the IEEE<br />
Symposium on Computers and Communications. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ISCC.1999.780953<br />
This IEEE conference paper attempts to solve the transition problem with the IPV4 to<br />
IPv6 transition. It uses a qualitative methodology with descriptive techniques. It briefly<br />
describes dual stack, SIIT, NAT-PT, AIIH, and proposes a DNS/DNCP based static<br />
tunnel approach. The article is dated but provides come basic information on transition<br />
approaches.<br />
AlJa'afreh, R. e..Mellor, J..Kamala, M., & Kasasbeh, B. (2008). Bi-directional mapping system<br />
as a new IPv4/IPv6 translation mechanism. Paper presented at the Tenth International<br />
Conference on Computer Modeling and Simulation. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/UKSIM.2008.90<br />
This conference paper addresses the lack of a transparent and efficient transition<br />
mechanism between IPv4 and IPv6 networks. It is a mixed method study that includes<br />
quantitative analysis of performance and qualitative descriptions. The solution involves<br />
using a gateway that translates between IPv4 and IPv6 based on multiple host aware DNS<br />
servers. One DNS operates on the IPv6 network. One operates on the IPv4 network, and<br />
another hosts records from both and records a translation at the gateway when a request<br />
arrives for a host on a different network. The solution appears to be comprehensive and<br />
applicable for small networks; however, utilizing three different DNS servers seems<br />
excessive.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
199<br />
An, G., & Kim, K. (2008). Real-time IP checking and packet marking for preventing ND-DoS<br />
attack employing fake source IP in IPv6 LAN. Paper presented at the Proceedings of the<br />
5th international conference on Autonomic and Trusted Computing, Oslo, Norway.<br />
This conference paper addresses the problem of spoofed source addresses in IPv6 DoS<br />
network attacks. It is a mixed method study with an experiment and performance data.<br />
The research proposes that packets be directed into a high or low priority queue<br />
depending on whether the source addresses is legitimate or not. The router overhead for<br />
this method seems to be high and it is likely this would produce unacceptable bottlenecks<br />
in network trafic.<br />
Anaya, E. A..Miyatake, M. N., & Meana, H. M. P. (2009). Network forensics with neurofuzzy<br />
techniques. Paper presented at the Midwest Symposium on Circuits and Systems.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/MWSCAS.2009.5235900<br />
This IEEE Conference paper addresses the problem of large data sources in network<br />
forensics. Prior research includes: NIST - digital forensics stages. The research proposes<br />
a new model for researches using a qualitative methodology. Further research is needed<br />
to test other types of attacks with the proposed model. There is no research here and no<br />
arguments that have been resolved. It is only another idea that may or may not work or<br />
provide benefits.<br />
Baryamureeba, V., & Tushabe, F. (2004). The enhanced digital investigation process model.<br />
Makerere University.<br />
Retrieved from<br />
This thesis addresses the poor conviction rates in digital investigations by proposing a<br />
new investigative process model. The paper uses a qualitative methodology to propose a<br />
model based on frameworks by the US department Justice, Carrier (2003) "Getting
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
200<br />
Physical with the Investigative Process", and Kruse (2002) "Computer Forensics:<br />
Incident Response Essentials" which are referenced in other similar research in this<br />
bibliography. The proposed model consists of five stages that parallel the model used<br />
successfully in physical investigations. The process is logical and there is an apparent<br />
benefit; however, the paper is not published in a peer reviewed source and it lacks a<br />
consideration of key literature like the DFRWS workshop. Despite these facts, the<br />
arguments and presentation of the research are well laid out and more convincing than<br />
many of the other peer reviewed sources.<br />
Beebe, N. L., & Clark, J. G. (2005). A hierarchical, objectives-based framework for the digital<br />
investigations process. <strong>Digital</strong> Investigation, 2(2), 147-167. doi:<br />
10.1016/j.diin.2005.04.002<br />
This journal article published by Elsevier Science addresses the need for a detailed digital<br />
forensics framework. The paper argues that previous frameworks are abstract and fail to<br />
support the level of detail needed to conduct actual investigations. The framework<br />
presented is based on abstract models presented in: Palmer (2001) "A Road Map for<br />
<strong>Digital</strong> Forensics Research", US Department of Justice, Reith et el. (2002) "An<br />
examination of digital forensic models", Carrier (2003) "Getting Physical with the<br />
Investigative Process", Mandia (2003) "Incident Response & Computer Forensics",<br />
Mohay (2003) "Computer and Intrusion Forensics", O Ciarduain (2004) "An Extended<br />
Model of Cybercrime Investigations", and Casey (2004) ''The investigative process".<br />
Many of these are detailed in this bibliography. The paper uses a qualitative and<br />
descriptive methodology through logical comparisons and two applications of the<br />
proposed framework in case study form. This model is the first attempt to address the
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
201<br />
level of complexity and diversity of digital investigations. The paper also proposes that<br />
there is a need to apply the framework to other platforms and add additional case study<br />
examples to verify applicability. The research is compelling and detailed in content and<br />
the case studies present an account that the model can be applied in practice.<br />
Bi, J..Leng, X., & Wu, J. (2007). Scalable IPv4/IPv6 transition: a peer-to-peer based approach.<br />
Paper presented at the Proceedings of the 2005/2006 International Conference on<br />
Databases, Information Systems, and Peer-to-Peer Computing, Trondheim, Norway.<br />
This Journal article addresses the problem of IPv6 relay bottlenecks when acting on local<br />
traffic. It is a qualitative study using description and a quantitative study using lab<br />
simulation to measure performance metrics. The proposal is an algorithm that allows<br />
local P2P traffic to bypass the IPv6 relay. This solution makes sense and would make<br />
more sense as a routing protocol as opposed to P2P. This is the summary version of the<br />
Leng journal article.<br />
Bishop, M..Marzullo, K., & Peisert, S. (2008). Computer forensics in forensis. SIGOPS<br />
Operating System Review, 42(3), 112-122. doi:<br />
http://doi.acm.org/10.1145/1368506.1368521<br />
This ACM publish journal article addresses the variability in application of computer<br />
forensics systems, models, and terminology. It identified shortcomings in the following<br />
models: Andrews' (2007) "Process Model for Forensic Analysis of <strong>Digital</strong> Devices and<br />
Storage Media" model linked computer forensic processes and the law but didn't define<br />
testing and measurement; Carrier (2003) "Getting Physical with the <strong>Digital</strong> Investigation<br />
Process" mapped physical investigation to digital world but doesn't address validity;<br />
Gross (1997) "Analyzing Computer Intrusions" addresses system events in forensics but
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
202<br />
didn't separate relevant info from the system; Buchholz (2004) "Providing process origin<br />
information to aid in computer forensic Investigations" tied forensic events back to its<br />
origin; Peisert (2005) "Principles-Driven Forensic Analysis" addressed problems and<br />
constraints in forensics tools. It presents a qualitative study to describe and explain the<br />
shortcomings of forensic research and theory using narrative and logical reasoning. It<br />
further identifies high-level solutions to elevate digital forensics to a science.<br />
Additionally, the paper mentioned the need for a more accurate method of using IDS data<br />
as the source of evidence. It was interesting that Carrier and Buchholz are referenced in<br />
other studies. The paper presented some research shortcomings in the field but didn't<br />
address an approach to solve the problems.<br />
Broadway, J..Turnbull, B., & Slay, J. (2008). Improving the Analysis of Lawfully Intercepted<br />
Network Packet Data Captured for Forensic Analysis. Paper presented at the The Third<br />
International Conference on Availability, Reliability and Security. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ARES.2008.122 doi:10.1109/ARES.2008.122<br />
This IEEE conference paper address the problem of the usefulness of GNU and com<br />
packet sniffers for forensic uses. Prior research includes: Casey st tes "Network traffic as<br />
a source of evidence", Feldmann "BLT: Bi-Layer Tracking of HTTP and TCP/IP',". This<br />
is a qualitative studty. The research proposes a software model that is focused on<br />
forensics, information sharing, and low tech skills. Future research is needed to develop<br />
the software. This study is more focused on software than forensics and evidence. It is<br />
unknown if the tool was ever built.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
203<br />
Broucek, V., & Turner, P. (2004). Computer incident investigations: e-forensic insights on<br />
evidence acquisition. Paper presented at the European Institute for Computer Anti-Virus<br />
Research, Copenhagen.<br />
This EICAR conference best paper identifies the legal and technical problems often<br />
associated with digital evidence collection and its admissibility in court. The paper<br />
utilizes a description methodology through the discussion of a case study with<br />
conclusions based on these findings. The authors rely heavily on their own prior research<br />
to make their arguments and an extensive list of case law. The problems with evidence<br />
collection identified in case provide an opportunity for future researchers to investigate<br />
solutions in their own work. In a slight tangent to the case study, the paper described the<br />
CTOSE project and identified it as an area that could be further developed by<br />
researchers. The problems identified are well grounded to the examples provided in the<br />
case. The CTOSE description should have been a separate paper; although, this was an<br />
interesting read because there are few sources that define this model in such detail.<br />
Caicedo, C. E..Joshi, J. B. D., & Tuladhar, S. R. (2009). IPv6 security challenges. Perspectives,<br />
42, 36-42. Retrieved from http://doi.ieeecomputersociety.org/10.1109/MC.2009.54<br />
This IEEE magazine article provides an overview of the security issues for IPv6 and<br />
proposes a possible solution. The qualitative method is employed using description. IPv6<br />
features and security issues are described including reconnaissance, host initialization,<br />
routing header, and multicast attacks. The study proposes a defense in depth strategy be<br />
employed to counteract these security issues including employing IPSec. The article<br />
presents a good argument; however, IPSec may not prove to be a feasible solution to the<br />
problems identified.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
204<br />
Candolin, C., & Nikander, P. (2001). IPv6 source addresses considered harmful. Paper presented<br />
at the Sixth Nordic Workshop on Secure IT.<br />
This IEEE conference paper addresses the threat of source addresses being a part of<br />
packet transmissions. The research proposes that including source addresses in packet<br />
flows creates privacy issues and is not necessary. The extra processing required and<br />
deviation from standards doesn't make this a very applicable argument.<br />
Carpenter, B., & Jung, C. (1999). Transmission of IPv6 over IPv4 domains without explicit<br />
tunnels. RFC 2529: Internet Engineering Task Force (IETF).<br />
This RFC 2529 IETF document briefly describes IPv4 to IPv6 protocol translation in<br />
6to4 networks. It is a very simple process that involves inserting the IPv6 packet inside<br />
the IPv4 header.<br />
Carpenter, B., & Moore, K. (2001). Connection of IPv6 domains via IPv4 clouds. RFC 3056:<br />
Internet Engineering Task Force (IETF).<br />
This is a RFC 3056 document from the IETF that describes the 6to4 transition<br />
mechanism. This protocol is based heavily on routing and involves a relay that<br />
encapsulates IPv6 packets into IPv4 payloads to send over the traditional network. Its<br />
target is to allow isolated IPv6 sites to communicate with other IPv6 sites with minimal<br />
configuration.<br />
Carr, C..Gunsch, G., & Reith, M. (2002). An examination of digital forensic models.<br />
International Journal of <strong>Digital</strong> Evidence, 1(2).<br />
Like the Shin (2008) paper, this journal article proposes a new forensic procedural model<br />
to address the lack of adequate forensic procedures. The research is based on the U.S.<br />
Department of Justice forensic model and the first DFRWS workshop as in other
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
205<br />
research. The paper applies a qualitative methodology to address specific shortcomings<br />
and propose a new nine step model that parallels and improves the DFRWS framework.<br />
The general approach is logical and understandable in practice; however, it is unlikely to<br />
have practical applications. The approach of synthesizing existing models does not seem<br />
to be needed. It might be more beneficial to create a framework that is scalable and can<br />
be broken down to the level of detail required in digital investigations.<br />
Carrier, B., & Spafford, E. H. (2003). Getting physical with the digital investigation process.<br />
International Journal of <strong>Digital</strong> Evidence, 2(2).<br />
This journal article, which is heavily referenced as a basis for other research in this<br />
bibliography, addresses the lack of an adequate process model that links the digital world<br />
with the physical investigation process. The paper applies qualitative reasoning to<br />
develop the framework and a description methodology in the application of two case<br />
studies. The basis for the research presented originates from: the US Department of<br />
justice; the first DFRWS workshop, and Mandia (2001) "Incident Response:<br />
Investigating Computer Crime" which are also referenced in other research through this<br />
bibliography. The paper contributed significantly to the field because the proposed model<br />
has been expanded and used as a basis for research a number of times. The logic and<br />
arguments are well reasoned. This appears to be the first research that defines a model for<br />
digital investigations that parallels the physical investigation process so there is many<br />
areas of potential improvement.<br />
Casey, E. (2004). Network traffic as a source of evidence: tool strengths, weaknesses, and future<br />
needs. <strong>Digital</strong> Investigation, 1(1), 28-43. doi: 10.1016/j.diin.2003.12.002
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
206<br />
This journal article, published by Elsevier Science, addresses weaknesses in tools that<br />
capture packets on a network that are used as evidence. The research is based on tool<br />
analysis defined in Casey (2004) "The Investigative Process. <strong>Digital</strong> Evidence and<br />
Computer Crime". The paper analyzed a select group of open source and commercial<br />
tools used in network forensic investigations. It also related specific requirements in the<br />
investigative process to common tool processes and identified functionality problems in<br />
specific tools. The analysis presented is an excellent training tool for anyone in the digital<br />
forensics field and could be used by tool developers to improve their code. The author<br />
identifies tool verification and testing as an area for further research. I am especially<br />
interested the implications the research has on the tools that I current use.<br />
Chapter 31 advanced networking. (2010). FreeBSD Handbook. Retrieved Aug 6, 2010, from<br />
http://www.freebsd.org/doc/en/books/handbook/network-ipv6.html<br />
This administration guide for FreeBSD outlines the setup of IPv6 and tunnel setup. The<br />
guide outlines the setup an IPv6 interface and generic tunnels that could be used with<br />
SixXS, 6to4, or Freenet6.<br />
Ciardhuáin, S. Ó. (2004). An extended model of cybercrime investigations. International Journal<br />
of <strong>Digital</strong> Evidence, 3(1).<br />
Like Carr and Shin below, this journal article addresses the lack of a comprehensive<br />
forensic procedure model to be used in digital forensic investigations. The paper<br />
identifies the shortcomings of the models proposed by: Lee et al. (2001) "Henry Lee’s<br />
Crime Scene Handbook", Casey (2000) "<strong>Digital</strong> Evidence and Computer Crime", Reith,<br />
Carr and Gunsch (2002) "An Examination of <strong>Digital</strong> Forensic Models.", and the first<br />
DFRWS workshop which are all referenced in other works described in this bibliography.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
207<br />
The paper uses a qualitative methodology with quantitative elements in the form of a<br />
survey to evaluate the model. The proposed model extends the DFRWS model and<br />
appears to be comprehensive as a high level framework to be used by investigators. The<br />
author also identifies the need for a framework that can be applied to organizations.<br />
While the logic of the argument is convincing, the survey was not conducted<br />
scientifically and the process flowcharts are meaningless. Additionally, this is another<br />
attempt to distill other research into a new idea although there is little new information<br />
presented.<br />
Cohen, F. (2009). Two models of digital forensic examination. Paper presented at the Fourth<br />
IEEE International Workshop on Systematic Approaches to <strong>Digital</strong> Forensic Engineering.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/SADFE.2009.8<br />
doi:10.1109/SADFE.2009.8<br />
This IEEE conference paper attempts the extend the research of the digital forensic model<br />
presented by Chow (2009) "A Cost-Effective Forensic Investigation Model" in an effort<br />
to help create a discipline more rooted in scientific process. The paper applies a<br />
descriptive methodology that presents a case based on a bit torrent investigation and its<br />
links and implications to the forensics models presented. The proposed model further<br />
extends the applicability to the forensic process and introduces a change management<br />
process. The paper concluded that the current models are not sufficient to cover the<br />
diverse range of evidence and that error rates for various investigative techniques are<br />
non-existent. The paper failed to provide a significant addition to the field despite the<br />
conclusions and I question whether forensic investigations should be tied to ROI. It<br />
seemed better oriented towards high level management and less toward practice.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
208<br />
Cohen, M. I. (2008). PyFlag - An advanced network forensic framework. <strong>Digital</strong> Investigation,<br />
5(Supplement 1), S112-S120. doi: 10.1016/j.diin.2008.05.016<br />
The journal article in Elsevier addresses the lack of integrated forensics packages that<br />
were on the market at the time. The article describes previous tools used in forensics like<br />
Wireshark, Verint’s data interception tools, and Eeye’s Iris. The conclusions are based on<br />
Kloet et al. 2007 "A library for support of the expert witness compression format". The<br />
research contributed a definition of a tool that integrates IO and eye witness evidence<br />
formats. The author's motives are unknown and may be profit based. There are no<br />
research based sources used in the journal and the research was for the Australian<br />
government which may have different requirements than the US.<br />
Cohen, M. I. (2008). Source attribution for network address translated forensic captures. <strong>Digital</strong><br />
Investigation, 5(3-4), 138-145. doi: 10.1016/j.diin.2008.12.002<br />
This Journal in Elsevier addresses a way to determine source of traffic in a NAT<br />
environment. Prior research includes: (Carrier and Shields, 2004) "The session token<br />
protocol for forensics", (Casey, 2004) "Network traffic as a source of evidence", (Nikkel,<br />
2006) "Improving evidence acquisition". This is a qualitative study using simulation. The<br />
research proposes algorithms to identifying NAT source based on algorithms. Further<br />
research includes improving the accuracy of this work and expand to other types of<br />
NATs. The sample size was too small (two computers) and it may not work with<br />
thousands of nodes under single NAT using similar Oss. It also requires knowledge of<br />
internal network to determine the source which will probably not work in most<br />
environments.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
209<br />
Convery, S., & Miller, D. (2004). IPv6 and IPv4 threat comparison and best-practice evaluation<br />
(v1.0): Cisco Systems. Retrieved from<br />
http://www.cisco.com/web/about/security/security_services/ciag/documents/v6-v4<br />
threats.pdf<br />
This Cisco whitepaper addresses the new threat model created by the IPv6 architecture. It<br />
is a qualitative study using description and an experiment that is detailed in the appendix.<br />
The study presents a comprehensive list of network vulnerabilities and describes the<br />
threats to IPv4 networks, implications, differences in IPv6 networks, and best practices<br />
for mitigation. The best practices are comprehensive and provide an excellent guide for<br />
network engineers.<br />
Cooper, M., & Yen, D. C. (2005). IPv6: business applications and implementation concerns.<br />
Computer Standards & Interfaces, 28(1), 27-41. doi: 10.1016/j.csi.2004.11.001<br />
This journal article is a literature review of IPv6 implementation that leads to some<br />
implications for future consideration. It is a qualitative study using logical conclusions.<br />
The study defines IPv6, explains the state of current deployment, business use, and<br />
lessons learned. The author predicts the growth of the protocol due to VoIP and end-toend<br />
requirements; however, business may choose not to implement IPv6 if their NAT<br />
infrastructure is sufficient. The study is weak on security implications of IPv6 which<br />
would also be a consideration for deployment.<br />
Davies, E..Krishnan, S., & Savola, P. (2007). IPv6 transition/coexistence security<br />
considerations. RFC 4942: Internet Engineering Task Force (IETF).
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
210<br />
This RFC 4942 document addresses security implications of the IPv6 protocol. It<br />
highlights a number of security concerns for the protocol, transition mechanisms, and<br />
proposes mitigation strategies for most if the identified vulnerabilities.<br />
Davies, J. (2008). Understanding IPv6 (2nd ed.): Microsoft Press.<br />
This Microsoft publication explains IPv6 and deployment in the Windows operating<br />
system. In includes a compilation of other research and RFC publications that explain<br />
IPv6 standards. It also details configuration of IPv6 in Windows 7, Vista and 2008. This<br />
publication provides a significant amount of information and is an excellent resource for<br />
IPv6.<br />
Dobrucki, M. (1999). The effects of the transition to IPv6 on Internet security.<br />
This unpublished study presents a dated but relevant analysis of IPv6. A qualitative<br />
method using description is used in the study. The research describes the changes in the<br />
IPv6 protocol, current threats in IPv4, implications of these threats in IPv6 and possible<br />
solutions. The author believes that IPv6 can solve some of the current threats if IPSec is<br />
employed; however, not all of them. The paper is comprehensive and provides good<br />
descriptions that are relevant in today's environment.<br />
Durand, A..Fasano, P..Guardini, I., & Lento, D. (2001). IPv6 tunnel broker. RFC 3053: Internet<br />
Engineering Task Force (IETF).<br />
This RFC 3053 IETF document discusses the tunnel broker IPv6 transition mechanism.<br />
Tunnel brokers are third party service providers that provide IPv6 network access for<br />
users with IPv4 only connections. The RFC addresses elements and operation of the<br />
tunnel broker and what occurs to setup the connection.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
211<br />
Elgoarany, K., & Eltoweissy, M. (2007). Security in mobile IPv6: A survey. Information<br />
Security Technical Report, 12, 32-43. doi: 10.1016/j.istr.2007.02.002<br />
This journal article provides a comprehensive discussion of mobile IPv6 threats. It<br />
outlines the fundamental operation of mobile IPv6 and then presents the threats and<br />
vulnerabilities that may be faced in deployment. The research is highly technical.<br />
Elmaghraby, A..Higgins, G..Keeling, D. W..Losavio, M., & Shutt, J. (2008). Implications of<br />
attorney experiences with digital forensics and electronic evidence in the United States.<br />
Paper presented at the Third International Workshop on Systematic Approaches to<br />
<strong>Digital</strong> Forensic Engineering. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/SADFE.2008.11<br />
doi:10.1109/SADFE.2008.11<br />
This IEEE conference paper attempts to define current and future challenges in digital<br />
evidence admissibility in court and find a basis for the use of digital forensic experts in<br />
court. The paper presents a qualitative methodology using a survey distributed to lawyers<br />
at a conference. The paper was not based on previous research and contributed an<br />
enhanced understanding of digital evidence trends in civil and criminal trials. Although<br />
the results are detailed and convincing, the survey seems ad-hoc and was not included as<br />
part of the paper. Additionally, there is not mention of how many people were given the<br />
survey; therefore, the sample may not be of sufficient size to reach accurate conclusions<br />
nationwide.<br />
Emre, D., & Ali, B. (2010). IPV4/IPV6 security and threat comparisons. Procedia - Social and<br />
Behavioral Sciences, 2, 5285-5291. doi: 10.1016/j.sbspro.2010.03.862
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
212<br />
This journal article addresses security threats in IPv6. It is a qualitative study using<br />
description. The research briefly compares the IPv6 protocol to IPv4 and then describes<br />
IPv6 security vulnerabilities that are the same and different than in IPv4. The study<br />
presents very basic information that is better represented in other research.<br />
Ercferret18 (2010). IPv6 Retrieved Aud 6, 2010, from https://wiki.ubuntu.com/IPv6<br />
This online Ubuntu Linux manual contains simple instruction for setting up IPv6. The<br />
description includes a summary of the IPv6 protocol, how to configure IPv6 in Ubuntu,<br />
and how to setup third party tunneling mechanisms including SixXS and Freenet6.<br />
Faye, F. (2008). IPV6 configuration on REDHAT CENTOS FEDORA Retrieved Aug 6, 2010,<br />
from http://www.generationip.com/documentation/system-documentation/73-ipv6<br />
configuration-on-redhat-centos-fedora<br />
This CentOS online administration manual provides the configuration steps necessary to<br />
enable IPv6 in CentOS. It provides detailed instructions to verify and enable IPv6 on the<br />
interfaces. The guide also explains how to setup a generic tunnel interface.<br />
Friacas, C..Baptista, M..Domingues, M., & Ferreira, P. (2006). 6TO4 versus<br />
TUNNELBROKERS. Paper presented at the Proceedings of the International Multi-<br />
Conference on Computing in the Global Information Technology (ICCGI'06). Retrieved<br />
from http://doi.ieeecomputersociety.org/10.1109/ICCGI.2006.1<br />
This IEEE conference paper compares the 6to4 verses Tunnel broker IPv6 transition<br />
mechanism. It is a qualitative study that uses description and simulation to illustrate the<br />
points. The study illustrates the latency problem with tunnel brokers and recommends<br />
6to4. Because the study was wart of a 6to4 project and little analysis was done on Tunnel
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
213<br />
Brokers, it is unlikely that the results were unbiased; however, the author has some good<br />
points about latency.<br />
Gilligan, R., & Nordmark, E. (2000). Transition mechanisms for IPv6 hosts and routers. RFC<br />
2893: Internet Engineering Task Force (IETF).<br />
The RFC 2896 from the IETF outlines tunneling and dual stack transition methods. It<br />
provides specific details on the different modes used by dual stack hosts and explains the<br />
operation and technical requirement of configured and automatic tunneling mechanisms.<br />
GosevaPopstojanova, K..Miller, B..Pantev, R., & Dimitrijevikj, A. (2010). Empirical Analysis of<br />
Attackers Activity on Multi-tier Web Systems. Paper presented at the 24th IEEE<br />
International Conference on Advanced Information Networking and Applications.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/AINA.2010.138<br />
doi:10.1109/AINA.2010.138<br />
This IEEE conference identifies that most attacks/vulnerabilities exist on web based<br />
systems. This is a qualitative study using honeynet statistics for attacks. Prior research<br />
includes: Honeynet Project, Leurre.com, R. Bloomfield, I. Gashi, A. Povyakalo, and V.<br />
Stankovic, “Comparison of empirical data from two honeynets and a distributed honeypot<br />
network,”, R. Berthier, “ On the comparison of network attack datasets: An empirical<br />
analysis, V. Yegneswaran, P. Barford, and J. Ullrich, “Internet intrusions: Global<br />
characteristics and prevalence,”. The research added an understanding of attack patterns<br />
for better creation of attack simulations. Possible future research includes the deployment<br />
of honeypots using different techniques. The research is good information but doesn't<br />
relate very much to forensics.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
214<br />
Graf, T. (2003). Messaging over IPv6 destination options. Swiss Unix User Group. Retrieved<br />
from http://grayworld.net/papers/messip6.txt<br />
This unpublished work defines a method to embed a covert channel in an ICMPv6 packet<br />
using an invalid options header. It is a valid technique, however, it could easily be<br />
detected by IDS so why not just send the data inside the payload of a packet?<br />
Grobler, C. P..Louwrens, C. P., & Solms, S. H. V. (2010). A framework to guide the<br />
implementation of proactive digital forensics in organisations. Paper presented at the<br />
International Conference on Availability, Reliability and Security. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ARES.2010.62 doi:10.1109/ARES.2010.62<br />
This IEEE conference paper proposes a holistic view for organizations to approach digital<br />
forensics to more effectively meet the needs of compliance and criminal investigations. It<br />
presents a qualitative methodology that draws conclusions from the research needs<br />
identified in the first DFRWS workshop and the lack of comprehensive models that<br />
address these needs. It also draws parallels from the CobiT forensic framework, ITIL<br />
framework, and the information security discipline. The paper presents a top-down view<br />
of forensic components that are characterized as proactive, active, and reactive processes<br />
linked to people, ethics, legal and technology dimensions to improve applicability of<br />
forensics in the organization. The proposed framework is comprehensive and has similar<br />
linkages to the Zachman enterprise architecture framework. It is not well suited for<br />
criminal investigators.<br />
Hagino, J., & Yamamoto, K. (2001). An IPv6-to-IPv4 transport relay translator. RFC 3142:<br />
Internet Engineering Task Force (IETF).
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
215<br />
This RFC 3142 IETF document discusses the transport relay (TRT) mechanism. In TRT,<br />
a router and protocol translator acts in the middle of the two networks and initiates a<br />
connection with the two hosts and relays and translates packets between the protocols as<br />
necessary.<br />
Hsieh, I. P., & Kao, S. J. (2005). Managing the co-existing network of IPv6 and IPv4 under<br />
various transition mechanisms. Paper presented at the Proceedings of the Third<br />
International Conference on Information Technology and Applications (ICITA’05).<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/ICITA.2005.175<br />
This conference paper addresses the problem of managing multiple transition<br />
mechanisms on the same network. The study uses a qualitative methodology using<br />
description. It summarizes dual stack, tunneling, and translation methods used in<br />
transitional IPv6 networks. The study then provides a possible gateway based solution to<br />
allow all mechanisms to co-exist on the same network. The proposal is unique compared<br />
to other research; however, there not enough information on the proposed solution.<br />
Huang, S. M..Wu, Q., & Lin, Y. B. (2005). Tunneling IPv6 through NAT with Teredo<br />
mechanism. Paper presented at the Proceedings of the 19th International Conference on<br />
Advanced Information Networking and Applications (AINA’05). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/AINA.2005.333<br />
This conference paper addresses the problem of scalability in Teredo IPv6 transition<br />
mechanisms. It is a qualitative study that uses description and a small qualitative study on<br />
performance of the proposed solution. The study introduces Teredo and proposes a<br />
possible Linux version that could be used as a relay. The description of how Teredo
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
216<br />
works is good; however, the proposed Linux solution does not contain enough detail to<br />
make it useful.<br />
Huang, S. Q..Zhang, H. M., & Yao, G. X. (2009). Research of NIDS in IPV6 based on protocol<br />
analysis and pattern matching. Paper presented at the Second International Workshop on<br />
Knowledge Discovery and Data Mining. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/WKDD.2009.24<br />
This IEEE conference paper addresses new intrusion detection techniques needed for<br />
detecting IPv6 based attacks. A qualitative approach using descriptions is used to present<br />
the results of the study. The paper does not outline any prior work in the IDS field related<br />
to IPv6; however it references research by; Cho, Identifying IPv6 network problems in<br />
the dualstack World; Tool, high alarm count issues in IDS rainstorm, and Zheng, A new<br />
worm exploiting IPv4-IPv6 dual-stack networks. The results of the research present a<br />
method to create a new IPv6 IDS and the resulting experiment indicated performance<br />
improvements over other solutions. The research provides sparse details and there<br />
appears to be a fully functioning program that was mentioned in the pne paragraph testing<br />
explanation. If the program operates as specified, it could be a great contribution;<br />
however, the paper does not present enough information to confirm this assumption.<br />
Huitema, C. (2006). Teredo: tunneling IPv6 over UDP through network address translations<br />
(NATs). RFC 4380: Internet Engineering Task Force (IETF).<br />
This RFC 4380 IETF document describes the operations of the Teredo IPv6 transition<br />
mechanism to tunnel through NAT using UDP. The method uses a teredo server to assign<br />
and manage tunnels and relays to transport packets. This source provides a significant<br />
amount of details about Teredo
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
217<br />
Jamhour, E., & Storoz, S. (2002). Global mobile IPv6 addressing using transition mechanisms.<br />
Paper presented at the Proceedings of the 27th Annual IEEE Conference on Local<br />
Computer Networks (LCN02). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/LCN.2002.1181816<br />
This IEEE conference proceeding addresses the shortage or IPv4 addresses. It is a<br />
qualitative study using descriptive techniques. The research summarizes the existing dual<br />
stack, transparent gateway, superior layer, and tunnel based IPv6 transition mechanisms.<br />
It them proposes a possible solution that is similar to the 6to4 technique but calls for no<br />
software or hardware modifications by using a gateway. Overall, this source provided the<br />
best and most logical discussion of transition mechanisms compared to Afifi, Mackay,<br />
Tantayakul, and Yan-ge and the proposed solution seems very comprehensive.<br />
Kammas, P..Komninos, T., & Stamatiou, Y. C. (2009). Modeling the co-evololution DNS worms<br />
and anti-worms in IPv6 networks. Paper presented at the Fifth International Conference<br />
on Information Assurance and Security. Retrieved from doi:10.1109/IAS.2009.334<br />
This IEEE conference paper models IPv6 worm propagation rates. It is a qualitative study<br />
using differential equations and formulas. The study describes worms that use DNS to<br />
predict potential IP addresses and suggests that DNS honeypots designed to delay worm<br />
propagation are ineffective. Although the title indicates IPv6, this is not an IPv6 paper.<br />
Kempf, J..Nordmark, E., & Nikander, P. (2004). IPv6 neighbor discovery (ND) trust models and<br />
threats. RFC 3756: Internet Engineering Task Force (IETF).<br />
This RFC 3756 document discusses security vulnerabilities of the IPv6 Neighbor<br />
Discovery Protocol. The identified threats create DoS and man-in-the-middle situations<br />
and the document proposes some mitigation techniques.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
218<br />
Kerr, O. S. (2005, Jan). <strong>Digital</strong> evidence and the new criminal procedure. Columbia Law Review.<br />
This paper, published in the Columbia Law Review, addresses the lack of an adequate<br />
legal framework for digital evidence. A qualitative methodology is used to present the<br />
current legal framework, unique attributes of digital evidence, and a new legal framework<br />
that addresses the problems identified. The arguments presented in the paper are based on<br />
specific case precedents and fourth amendment privacy implications on digital<br />
investigations. For future research, the author mentions the need to reform the legal<br />
framework of digital investigations across our borders. The ideas and suggestions are<br />
well supported and convincing. It would be interesting to investigate current law so<br />
determine if any of these suggestions were implements.<br />
Kim, J. W..Cho, H. H..Mun, G. J..Seo, J. H..Noh, B. N., & Kim, Y. M. (2007). Experiments and<br />
countermeasures of security vulnerabilities on next generation network. Paper presented<br />
at the Future Generation Communication and Networking. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/FGCN.2007.122<br />
This IEEE conference paper addresses specific IPv6 security vulnerabilities like those<br />
introduced by the routing header, fragment header, extension header, and neighbor<br />
discovery. It is a qualitative study using description and an experiment. The research<br />
presents a number of details that could be used to reconstruct the attacks explained. It is<br />
lacking mitigation strategies and missing descriptions for some of the vulnerabilities<br />
listed in the tables presented.<br />
Kitamura, H. (2001). A SOCKS-based IPv6/IPv4 gateway mechanism. RFC 3089: Internet<br />
Engineering Task Force (IETF).
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
219<br />
This RFC 3089 IEFT document discusses the SOCKS64 IPv6/IPv4 transition<br />
mechanism. This method involves inserting a socket between the application and the<br />
outbound NIC to allow both IPv6 and IPv4 hosts to communicate with an application<br />
through a translation API.<br />
Lan, T. H..Lin, A. C..Lin, I. L., & Wu, T. (2005). Establishment of the standard operating<br />
procedure (SOP) for gathering digital evidence. Paper presented at the First International<br />
Workshop on Systematic Approaches to <strong>Digital</strong> Forensic Engineering (SADFE’05).<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/SADFE.2005.12<br />
doi:10.1109/SADFE.2005.12<br />
This IEEE conference paper addresses the low credibility of digital evidence in ad-hoc<br />
digital investigations. The qualitative methodology used is weakly supported by<br />
references to evidence handling procedures used by the FBI and Chinese investigators.<br />
They also base their proposed model on Lin (2000) "Study of Evidence Act on <strong>Digital</strong><br />
Data", Chang (2000) "Study of Computer crime Evidence", and Casey (2000) "Handbook<br />
of Computer Crime: Forensic Science, Computer and the Internet". The proposed model<br />
is detailed and appears to be a model that could work in practice or further developed by<br />
other researchers. The paper seems to be more like a presentation of the authors views<br />
and beliefs that may be based more on experience than on their research efforts.<br />
Lee, S..Shin, M.-K..Kim, Y.-J..Nordmark, E., & Durand, A. (2002). Dual stack hosts using<br />
"bump-in-the-API" (BIA). RFC 3338: Internet Engineering Task Force (IETF).<br />
This RFC 3338 IETF document discusses the bump in the API IPv6 transition<br />
mechanism. This mechanism inserts functions between the TCP API and the network<br />
protocol stack to translate IPv4 API calls from applications into IPv6 API calls. The
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
220<br />
components in the method include the function mapper, name resolver, and address<br />
mapper.<br />
Lee, Y..Shin, S..Choi, S., & Son, H. g. (2007). IPv6 anomaly traffic monitoring with IPFIX.<br />
Paper presented at the Second International Conference on Internet Monitoring and<br />
Protection (ICIMP 2007). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ICIMP.2007.23<br />
This IEEE conference paper addresses the lack of methods to track IPv6 flow data to<br />
identify anomalous traffic flows. The paper provides an analysis of the issues<br />
surrounding anomaly traffic in IPv6 networks and proposes a new solution to track and<br />
analyze the traffic. A qualitative methodology is used that presents data in a simulation<br />
format. Research is based on IPv6 threats presented by: Kamra, The Effect of DNS<br />
Delays on Worm Propagation in an IPv6 Internet; Convery, IPv6 and IPv4 Threat<br />
Comparison and Best-Practice Evaluation; Warfield, Security Implications of IPv6;<br />
Lucena, Covert Channels in IPv6; and Graf, Messaging over IPv6 Destination Options.<br />
Future research possibilities include expanding the model to address additional anomaly<br />
traffic and providing support for packet sampling. While, analyzing network flows is<br />
beneficial to identifying some attacks, the lack of a method to monitor packets at the<br />
detail level make the research less valuable.<br />
Leng, X..Bi, J..Zhang, M., & Wu, J. (2007). Connecting IPvX networks over IPvY with a P2P<br />
method. Journal of Network System Management, 15, 383-399. doi: 10.1007/s10922-007<br />
9071-z<br />
This Journal article addresses the problem of IPv6 relay bottlenecks when acting on local<br />
traffic. It is a qualitative study using description and a quantitative study using lab
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
221<br />
simulation to measure performance metrics. The proposal is an algorithm that allows<br />
local P2P traffic to bypass the IPv6 relay. This solution makes sense and would make<br />
more sense as a routing protocol as opposed to P2P. This is the more detailed version of<br />
the Bi conference paper.<br />
Leong, R. S. C. (2006). FORZA - <strong>Digital</strong> forensics investigation framework that incorporate<br />
legal issues. <strong>Digital</strong> Investigation, 3(Supplement 1), 29-36. doi:<br />
10.1016/j.diin.2006.06.004<br />
This journal article published by Elsevier Science attempts to consolidate the large<br />
number of different frameworks that exist in the field of digital forensics. The paper<br />
applies a qualitative methodology to propose a new consolidated framework based on<br />
Zachmans framework on enterprise architecture which we have seen on the Louwrens<br />
paper. It distils the models presented by: Mark Pollitt at the first DFRWS workshop, Lee<br />
et al. (2001) "Henry Lee’s crime Scene Handbook", Casey (2003) "<strong>Digital</strong> Evidence and<br />
Computer Crime – Forensic Science, Computers and the Internet", and Reith et al. "An<br />
Examination of <strong>Digital</strong> Forensic Models". The result is an organized framework that<br />
follows established enterprise architecture engineering principles in the context of the<br />
legal requirements of a good investigation. The paper identifies the need to further extend<br />
the research towards detailed forensic procedures. The strength in this model is in its<br />
linkage to an established engineering framework; however, EA is essentially a planning<br />
process and there may be difficulties applying detailed processes to the proposed<br />
framework.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
222<br />
Lindqvist, J. (2006). IPv6 stateless address autoconfiguration considered harmful. Paper<br />
presented at the MILCOM. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/MILCOM.2006.302471<br />
This IEEE conference paper addresses the problem of covert channels embedded in IPv6<br />
addresses using stateless auto-configuration. This is a qualitative study that uses<br />
descriptions. The research identifies the possibility of using the duplicate address<br />
detection packets in a DoS attack. It also discusses and proposes methods that could be<br />
used to embed messages in the interface ID of an IPv6 address that would be difficult to<br />
detect. The study presents a compelling look at a vulnerability that may be limited by the<br />
64 bit length of the address; but, could be used maliciously.<br />
Losavio, M. M. (2005). The law of possession of digital objects: Dominion and control issues for<br />
digital forensics investigations and prosecutions. Paper presented at the First<br />
International Workshop on Systematic Approaches to <strong>Digital</strong> Forensic Engineering<br />
(SADFE’05). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/SADFE.2005.25<br />
doi:10.1109/SADFE.2005.25<br />
This IEEE conference paper identifies the problem of applying existing laws of<br />
possession to digital investigations due to the possibility of alteration that could lead to<br />
the conviction of innocent people. The paper uses a qualitative study that results in<br />
logical conclusions drawn from case law. The conclusions could lead to additional care in<br />
future investigations or new legislation that could help prevent problems from occurring<br />
in the future. There is an opportunity to extend this research by updating the conclusions
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
223<br />
based on current case law and legislation. The strengths of this research is in the<br />
presentation of concrete case law examples to draw out the conclusions.<br />
Mac OS X 10.5 Help. (2010). Apple Inc. Retrieved Aug 6, 2010, from http://docs.info.apple.com<br />
This online help manual for the Apple operating system provides simple instructions on<br />
configuring MAC clients with IPv6. It includes manual interface setup, information about<br />
Apple IPv6 application support, 6to4, and firewall configuration. The instructions are<br />
very basic but easy to follow.<br />
Mackay, M..Edwards, C..Dunmore, M..Chown, T., & Carvalho, G. (2003, May-June). A<br />
scenario-based review of IPv6 transition tools. IEEE Internet Computing, 27-35.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/MIC.2003.1200298<br />
This IEEE journal article addresses the problem of how to effectively transition to an<br />
IPv6 network. The research uses the qualitative methodology using descriptive<br />
techniques. It presents a summary of IPv6 transition techniques including dual stack,<br />
tunneling, and translation and then suggests implementations for different scenarios. The<br />
research is a slightly better source of information than Yan-ge and Tantayakul however, it<br />
is still very basic.<br />
Naqvi, S..Dallons, G., & Ponsard, C. (2010). Applying digital forensics in the future internet<br />
enterprise systems - European SME's perspective. Paper presented at the Fifth<br />
International Workshop on Systematic Approaches to <strong>Digital</strong> Forensic Engineering.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/SADFE.2010.28<br />
doi:10.1109/SADFE.2010.28<br />
This IEEE Conference addresses small to mid size business in Europe who have not<br />
adopted post incident handling of net attacks. There is not much information presented,
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
224<br />
poor examples using scientific notations, and I am not convinced SMBs need incident<br />
handling because they are not a target generally.<br />
Nikkel, B. J. (2005). Generalizing sources of live network evidence. <strong>Digital</strong> Investigation, 2(3),<br />
193-200. doi: 10.1016/j.diin.2005.08.001<br />
The journal article, published by Elsevier Science, addresses the lack of formalized<br />
methods for network forensics and the simplification of multiple types of network<br />
captures. A qualitative methodology is used to present logical arguments. Research is<br />
based on models presented in: the NIST CFTT Project; US Department of Justice; Carrier<br />
(2004) "A Hardware-Based Memory Acquisition Procedure for <strong>Digital</strong> investigations",<br />
Sommer (1999) "Intrusion Detection Systems as Evidence", Wei (2004) "A framework of<br />
distributed agent-based network forensics system", Tang (2005) "A Simple Framework<br />
for Distributed Forensics", Carrier (2003) "Defining <strong>Digital</strong> Forensic Examination and<br />
Analysis Tools Using Abstraction Layers", and Gerber (2004) "Formalization of<br />
computer input and output" which are represented in other research and part of this<br />
biography. The proposed methods have logical conclusions that have implications on<br />
sensor deployment and packet collection techniques used in organizations. Additionally,<br />
the paper identified multiple areas of future research including; verifying evidence<br />
against the source, network write blocking to protect the integrity of captured data at<br />
certain layers, more detailed capture procedures, extending the research to honeypot<br />
research, and extending the findings to other network technologies. The research was<br />
very informative and information that relates network forensics with evidence collection<br />
is not common in the research.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
225<br />
Nikkel, B. J. (2006). Improving evidence acquisition from live network sources. <strong>Digital</strong><br />
Investigation, 3(2), 89-96. doi: 10.1016/j.diin.2006.05.002<br />
This journal article, published by Elsevier Science, identifies the distributed nature of<br />
network based digital evidence and the issues and challenges associated with its<br />
collection. This paper extends the work done in Nikkel's previous work, as well as Casey<br />
(2004) "Network Traffic as a Source of Evidence", and Sommer (2005) "guide to digital<br />
investigations and evidence". The qualitative methodology is used in the research to<br />
present logical arguments to reach conclusions. The paper presents a detailed procedural<br />
framework that network forensic practitioners can use to increase the accuracy of<br />
network based evidence collection. The author further identifies the need to better define<br />
the methods and tools used in network captures. The proposed procedure appears to be a<br />
contribution to the science and is different than other digital evidence collection methods<br />
which implies a need for unique methods for different types of evidence.<br />
Nikkel, B. J. (2007). An introduction to investigating IPv6 networks. <strong>Digital</strong> Investigation, 4(2),<br />
59-67. doi: 10.1016/j.diin.2007.06.001<br />
This journal article addresses the problem of the growing popularity of IPv6 networks<br />
and the lack of awareness among investigators. The article does not present any previous<br />
research on investigating IPv6 networks; however, it supports arguments using a variety<br />
of IPv6 security and protocol informational resources. A qualitative methodology is used<br />
based on descriptive examples used to establish each point. The article provides a<br />
introductory tutorial for forensic investigators and practitioners in the field to better<br />
address IPv6 in the discipline. It provides a good introduction for non-technical
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
226<br />
practitioners, however, I think the article could have provide more technical details to<br />
provide more of an impact for the field.<br />
Nordmark, E. (2000). Stateless IP/ICMP translation algorithm (SIIT). RFC 2765: Internet<br />
Engineering Task Force (IETF).<br />
This RFC 2765 IETF document describes the technical details of the SIIT algorithm that<br />
is used in IPv4/IPv6 header translation. It outlines the fields of an IPv4 and IPv6 header<br />
and how data should be translated from one protocol to the other. This includes<br />
translating addresses, ICMP messages, and ICMP error codes.<br />
Park, T. K., & Ra, I. (2008). Design and evaluation of a network forensic logging system. Paper<br />
presented at the Third International Conference on Convergence and Hybrid Information<br />
Technology. Retrieved from http://doi.ieeecomputersociety.org/10.1109/ICCIT.2008.28<br />
doi:10.1109/ICCIT.2008.28<br />
This IEEE conference paper addresses current approaches to audit at packet/kernel level<br />
but doesn't provide enough information or security against attack to be applicable.<br />
Previous research includes: Computer Associates, eTrust Network Forensics, Goel, A<br />
robust, high-performance reconstruction system, Jeffris, The Coroner’s Toolkit: Incident<br />
Handling and Forensics, The Honeynet Project, Know Your Enemy: Learning about<br />
Security Threats. Cont: detailed definition of system and test platform. This is a<br />
qualitative study using simulation. Additional research is needed to create formatted<br />
forensic data, expand to other operating systems, and optimize the program. The proposal<br />
seems good. It Includes many different correlating evidence that can be used. May not be<br />
applicable to large networks and did not address distributed systems. Sounds like another<br />
commercial tool being defined. Security may be addressed but should monitor passively.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
227<br />
Phang, S. Y..Lee, H., & Lim, H. (2008). Design and implementation of V6SNIFF: An efficient<br />
IPv6 packet sniffer. Paper presented at the Third 2008 International Conference on<br />
Convergence and Hybrid Information Technology. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ICCIT.2008.279<br />
This IEEE conference paper addresses the lack of a IPv6 packet sniffer that provides<br />
adequate performance. This is a qualitative design science based research project that<br />
presents the framework for a new product and the testing for the product. The paper<br />
mentions previous sniffers like Kismet, Wireshark, and TCPDump and dated network<br />
analysis research including: Apisdorf, OC3MON: Flexible, Affordable, High<br />
Performance Statistics Collection; Malan, An Extensible Probe Architecture for Network<br />
Protocol Performance Measurement; Keys, The Architecture of CoralReef: An Internet<br />
Traffic Monitoring Software Suite; and Anagnostakis, Efficient packet monitoring for<br />
network management. The contributions is the definition of an IPv6 sniffer that increases<br />
performance over TCPDump and future work possibilities exist for reducing packet loss<br />
in the proposed solution. The resulting product seems like it may provide another option<br />
for capturing IPv6 packets; however, it is unclear whether the product is needed or if the<br />
performance tests presented will be applicable in a live environment.<br />
Ponec, M..Giura, P..Bronnimann, H., & Wein, J. (2007). Highly efficient techniques for network<br />
forensics. Paper presented at the Proceedings of the 14th ACM Conference on Computer<br />
and Communications Security, Alexandria, Virginia, USA. Retrieved from<br />
doi:10.1145/1315245.1315265<br />
The ACM conference paper addresses the problem of payload attribution which is the<br />
saving of all packets of data on a network to associate with certain excerption as evidence
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
228<br />
which takes a lot of space and is beyond capabilities of most organizations. Previous<br />
research includes: The research increased the accuracy and reduced the size of previous<br />
methods of attribution. The study is mixed method using sampling of data. This study<br />
looks good and may help solve the problem of large forensic data sets.<br />
Radhakrishnan, R..Majid, J..Shabana, M., & Moinuddin, M. (2007). Security issues in IPv6.<br />
Paper presented at the Third International Conference on Networking and<br />
Services(ICNS'07). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ICNS.2007.106<br />
This IEEE conference paper addresses features of the IPv6 protocol. The qualitative<br />
methodology using description techniques is employed in the study. IPv6 enhancements<br />
were addressed including address efficiency, administration, and security. The study<br />
concludes that it is to early to determine the impact of IPv6 on security. The information<br />
in the study is simplistic at best.<br />
Savola, P. (2005). Observations of IPv6 traffic on a 6to4 relay. SIGCOMM Computer<br />
Communications Review, 35(1), 23-28. doi: http://doi.acm.org/10.1145/1052812.1052821<br />
This journal article presents a study that analyzes statistical data about 6to4 traffic<br />
flowing through a public 6to4 relay in Finland. A quantitative methodology is used to<br />
present data from system logs at the relay over a 3 year period. The study identified a<br />
large jump in the number of Windows nodes with 6to4 enabled and within range while<br />
only 1/100 notes actually utilized the relay for IPv6 traffic. The study is very interesting<br />
and helps identify a small part of the potential IPv6 activity. The large jump from 100K<br />
to 2 million nodes per month seems to indicate some other factor instead of new nodes<br />
being added to the network.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
229<br />
Savola, P., & Patel, C. (2004). Security considerations for 6to4. RFC 3964: Internet Engineering<br />
Task Force (IETF).<br />
This RFC 3964 document details the security implications of the 6to4 transition<br />
mechanism. The research outlines the DoS based attacks that could be initiated using<br />
6to4 against other IPv6, IPv4, or 6to4 nodes. The RFC also includes mitigations<br />
strategies and detailed rules to prevent these problems.<br />
Schroeder, S. C. (2005). How to be a digital forensic expert witness. Paper presented at the<br />
Proceedings of the First International Workshop on Systematic Approaches to <strong>Digital</strong><br />
Forensic Engineering (SADFE’05). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/SADFE.2005.18<br />
This IEEE conference paper addresses the difficulty of adequately preparing to be an<br />
expert witness in cybercrime cases. It presents a descriptive methodology that presents a<br />
cybercrime case and the proper preparation methods for an expert witness. This research<br />
enhanced the knowledge of potential expert witnesses and provides a training tool to get<br />
them more familiar with the process. There was no prior research or areas for further<br />
research mentioned. It is difficult to classify this paper as research; however, the author<br />
worked for the DoJ which adds credibility to his perspective. It is also interesting to view<br />
a narrative of an entire cyber investigation through the criminal proceeding.<br />
Seo, S. H., & Kong, I. Y. (2005). A performance analysis model of PC-based software router<br />
supporting IPv6-IPv4 translation for residential gateway. Paper presented at the<br />
Proceedings of the Fourth Annual ACIS International Conference on Computer and<br />
Information Science (ICIS’05). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ICIS.2005.14
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
230<br />
This IEEE conference proceeding addresses the problem of the lack of a comprehensive<br />
queue based method of IPv6 and IPv4 coexistence. The study is mixed method using both<br />
description and an experiment that measured performance statistics. The research created<br />
a working model for testing that created a software based gateway that uses NAPT-PT<br />
and SIIT together to translate IPv4 and IPV6 packets. The method looks very good for<br />
small networks. It will most likely allow transparent coexistence of IPv4 and IPv6<br />
network hosts; however, scalability will certainly be an issue.<br />
Shengyang, C., & Yanlei, S. (2010). P2P communication mechanism based on request<br />
forwarding in IPv4 and IPv6 coexistence network. Paper presented at the International<br />
Conference on e-Education, e-Business, e-Management and e-Learning. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/IC4E.2010.16<br />
This conference paper addresses the problem of transitioning IPv6 in a seamless way. It<br />
is a qualitative study that uses description and some quantitative performance elements.<br />
The research proposes building an overlay network on IPv4 that allows requests for IPv6<br />
services to be passed among P2P clients until a IPv6 client is located. The approach looks<br />
very promising as a solution to the problem identified.<br />
Shin, Y. (2008). New digital forensics investigation procedure model. Paper presented at the<br />
Fourth International Conference on Networked Computing and Advanced Information<br />
Management. Retrieved from http://doi.ieeecomputersociety.org/10.1109/NCM.2008.116<br />
doi:10.1109/NCM.2008.116<br />
This IEEE conference paper proposes a new forensic procedural model to address the<br />
lack of adequate forensic procedures. The paper specifically claims that the models<br />
proposed by the U.S. Department of Justice and Carrier (2003) "Getting Physical with
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
231<br />
the <strong>Digital</strong> Investigation Process" lacks an adequate analysis and classification process.<br />
There is a weak qualitative methodology applied based on other sources however, there is<br />
little support or basis for the results. The resulting conclusions seem somewhat obvious<br />
and it is likely that there is a research contribution in this paper.<br />
Sommer, P. (1999). Intrusion detection systems as evidence. Computer Networks, 31(23-24),<br />
2477-2487. doi: 10.1016/s1389-1286(99)00113-9<br />
This Elsevier journal article presents the problem of using IDS data as a source for digital<br />
evidence in a court of law. The research is a qualitative study using a description method<br />
to present legal information and analysis. The research concludes that digital evidence<br />
must be supported by corroborating evidence from different sources. It presents a<br />
convincing argument and is based on solid logic and facts. It also seems to be relevant<br />
today even though it was written in 1999.<br />
Sotillo, S. (2006). IPv6 security issues.<br />
This unpublished paper addresses the new security concerns for IPv6. It is a qualitative<br />
study using descriptions. The study begins by listing and explaining common IPv4<br />
vulnerabilities and IPv6 characteristics including security features. The study outlined<br />
some IPv6 security vulnerabilities including scanning, extension header DoS attacks, and<br />
multicast smurf attacks. There are some good basic points in the study; however, the<br />
content is fairly simplistic.<br />
System administration guide: IP services. (2009). Sun Microsystems. Retrieved Aug 6, 2010,<br />
from http://docs.sun.com/app/docs/doc/816-4554/ipv6-ref-83?l=en&a=view<br />
This Network Administration guide for the Solaris operating system provides a<br />
compressive description of the IPv6 protocol and setup for IPv6. This guide summarizes
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
232<br />
a number of RFC documents related to IPv6 and is an excellent source for understanding<br />
the IPv6 protocol. It also includes multiple sections about configuring IPv6 interfaces,<br />
router, and tunnels. This includes different sections for basic configuration and advanced<br />
configuration that provide more details.<br />
Szigeti, S., & Risztics, P. (2004). Will IPv6 Bring Better Security? Paper presented at the The<br />
30th EUROMICRO Conference. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/EURMIC.2004.1333418<br />
This conference paper attempts to determine if IPv6 will change security on the Internet.<br />
It is a qualitative study using description. The study identifies a number of considerations<br />
for IPv6 security including scanning, IPSec, auto-configuration, neighbor discovery, and<br />
option headers. The author concludes that it is to early to tell if there will be an impact of<br />
Ipv6 on the Internet. The source is well laid out and has some unique points.<br />
Tadayoshi, K. (2005). Remote Physical Device Fingerprinting. IEEE Transactions on<br />
Dependable and Secure Computing, 2, 93-108.<br />
This paper addresses methods to identify remote devices. Previous research includes<br />
Paxson, “On Calibrating Measurements of Packet Transit", Moon et al. "Estimation and<br />
Removal of Clock Skew From Network Delay Measurements ". The research established<br />
proof that time differences between packets can be used to identify the same source of<br />
traffic communications: It is interesting that this is used by Nmap and p0f to identify<br />
operating systems; however, I can't see how this is valuable for forensics.<br />
Tantayakul, K..Kamolphiwong, S., & Angchuan, T. (2008). IPv6@HOME. Paper presented at<br />
the Proceedings of the International Conference on Mobile Technology, Applications,
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
233<br />
and Systems, Yilan, Taiwan. Retrieved from<br />
http://doi.acm.org/10.1145/1506270.1506383<br />
This conference proceeding addresses the need for IPv6 in the homes and the eventual<br />
exhaustion of the IPv4 space. The research presents a possible methods of connecting a<br />
home router operating from a IPv4 network to a IPv6 network using 6to4 tunneling. The<br />
qualitative methodology with descriptive and experimental techniques was used in the<br />
study. The research did provide a good overview of IPv6 transition mechanisms and a<br />
proposal for modifying a router to operate the 6to4 tunnel. I cannot confirm if the router<br />
would still work however, I would guess it works best with the router the author utilized.<br />
Templin, F..Gleeson, T., & Thaler, D. (2008). Intra-site automatic tunnel addressing protocol<br />
(ISATAP). RFC 5214: Internet Engineering Task Force (IETF).<br />
This RFC 5214 describes the ISATAP IPv6 transition mechanism which allows IPv6<br />
tunneling from remote sites through IPv4 networks. The document described some<br />
aspects of the protocol and identified spoofing as a possible security vulnerability.<br />
Tseng, B..Chen, C. Y., & Laih, C. S. (2006). Design and implementation of an IPv6-enabled<br />
intrusion detection system (6IDS). Paper presented at the International Computer<br />
Symposium, Taipei, Taiwan.<br />
http://dspace.lib.fcu.edu.tw/dspace/bitstream/2377/1860/1/ce07ics002004000116.pdf<br />
This conference paper addresses the lack of an effective IPv6 IDS solution by providing<br />
an architectural summary and implementation description for a software based IDS<br />
solution. A qualitative methodology using description and scenario testing is used to<br />
present the solution. Prior research presented in the paper is based on IPv4 IDS methods<br />
and the author indicated a lack of sources for IPv6 IDS research. The paper is an initial
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
234<br />
study and further research areas are proposed to further integrate IPv6 into IPv4 and<br />
expand IPv6 attack signatures. This research appears to be promising with future<br />
opportunities to expand IPv6 attack signatures; although, more details could have been<br />
presented that outlined the proposed solution.<br />
Tsirtsis, G., & Srisuresh, P. (2000). Network address translation - protocol translation (NAT<br />
PT). RFC 2766: Internet Engineering Task Force (IETF).<br />
This RFC 2766 document defines the NAT-PT IPv6 transition mechanism. NAT-PT<br />
allows IPv6 nodes to communicate with IPv4 nodes using SIIT translation and assigning<br />
IP addresses as necessary. The other translation mechanisms like BIA and BIS employ<br />
functions similar to NAT-PT and are more widely deployed.<br />
Tsuchiya, K..Higuchi, H., & Atarashi, Y. (2000). Dual stack hosts using the "bump-in-the-stack"<br />
technique (BIS). RFC 2767: Internet Engineering Task Force (IETF).<br />
This RFC 2767 from the IETF describes the bump in the stack IPv6 transition<br />
mechanism. This method inserts three modules in the TCP/IP stack of a dual stack host<br />
and dynamically assign IPv4 addresses to communication sessions that it observes<br />
between IPv4 applications and IPv6 destinations or sources.<br />
Tulloch, M..Northrup, T..Honeycutt, J., & Wilson, E. (2010). Windows 7 Resource Kit:<br />
Microsoft Press.<br />
This Micosoft publication is a technical manual on Microsoft Windows 7 and Windows<br />
Server 2008. If explains a number of features and explains how to configure settings for<br />
available functionality. Chapter 28, "Deploying IPv6" explains the features of IPv6 in<br />
Windows products. This chapter provides a good overview but lacks some necessary<br />
details for a full understanding of IPv6 in Windows.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
235<br />
Visoottiviseth, V., & Bureenok, N. (2008). Performance comparison of ISATAP implementations<br />
on FreeBSD, RedHat, and Windows 2003. Paper presented at the 22nd International<br />
Conference on Advanced Information Networking and Applications - Workshops.<br />
http://doi.ieeecomputersociety.org/10.1109/WAINA.2008.79<br />
This conference paper addresses the performance of the ISATAP IPv6 transition<br />
mechanism verses traditional IPv4. It is a quantitative study that uses testing of network<br />
packet loss, latency, and other metrics. The conclusion is that traditional IPv4 traffic has<br />
better performance than ISATAP packets. This conclusions seem obvious considering the<br />
traffic begins as IPv4 and ISATAP adds additional overhead to the network.<br />
Vives, A., & Palet, J. (2005). IPv6 distributed security: problem statement. Paper presented at<br />
the The 2005 Symposium on Applications and the Internet Workshops (SAINT-W’05).<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/SAINTW.2005.72<br />
This IEEE conference paper addresses the limited information available concerning IPv6<br />
security vulnerabilities. The qualitative methodology is employed using description. The<br />
study describes vulnerabilities in IPv6 including Neighbor Discovery, end-to-end, and<br />
mobile. The author proposes host based security as a solution to the issues proposed. The<br />
paper has a large number of careless grammar errors and is very simplistic but does have<br />
a few notable points.<br />
Wagener, G..Dulaunoy, A., & Engel, T. (2008). Towards an estimation of the accuracy of TCP<br />
reassembly in network forensics. Paper presented at the Future Generation<br />
Communication and Networking. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/FGCN.2008.118<br />
doi:10.1109/FGCN.2008.118
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
236<br />
This IEEE conference paper addresses the problem of accurate network analysis tied to<br />
stream reassembly because we need to know accuracy of tools and poor reassembly leads<br />
to corrupt data. This is a qualitative study using simulation. Prior research includes: Song<br />
et al. "Nidsbench - a network intrusion detection test suite", M.I. Cohen et al. "Pyflag - an<br />
advanced network", Eric Cronin et al. "On the reliability of current generation network<br />
eavesdropping tools". The research proposes a model to establish stream reassembly<br />
errors. Future research is needed to look for causes of error and build tools to solve them.<br />
The study is short with a lack of detail as in the author's other paper. This proposal<br />
doesn't seem applicable to forensics.<br />
Wang, S. (2007). Measures of retaining digital evidence to prosecute computer-based cybercrimes.<br />
Computer Standards & Interfaces, 29(2), 216-223. doi: 10.1016/j.csi.2006.03.008<br />
This journal article published by Elsevier Science identifies the need for improved digital<br />
evidence extraction and handling by investigators. A qualitative methodology is used to<br />
present logical arguments. The paper uses Casey (2002) "<strong>Digital</strong> evidence and computer<br />
crime: forensic science, Computers and the Internet" and Kruse (2002) "Computer<br />
Forensic: Incident Response Essentials" as a basis for their research. The intended result<br />
of the research is to describe a set of tools and techniques that support digital evidence<br />
collection; however, it is unclear if the information presented is new information and<br />
useful to practitioners. It is the first source reviewed that presents information at the<br />
machine level.<br />
Wang, W., & Daniels, T. E. (2007). Diffusion and graph spectral methods for network forensic<br />
analysis. Paper presented at the Proceedings of the 2006 Workshop on New Security<br />
Paradigms, Germany.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
237<br />
This ACM conference paper addresses the problem of the scale of cyber attacks<br />
combined with ad-hoc methods is not ideal for analysis. The research applies<br />
mathematical model to forensic science. Future research is needed to investigate how the<br />
approach would work in a noisy network environment and evaluate it in different<br />
environments. Previous research includes: Wang "Building evidence graphs for network<br />
forensics analysis", Chung, "Spectral Graph Theory", Mohar "The laplacian spectrum of<br />
graphs". This research is a little confusing . It is unclear if mathematical models can be<br />
applied to forensics?<br />
Warfield, M. H. (2003). Security implications of IPv6. Internet Security Systems. Retrieved<br />
from http://www.blackhat.com/presentations/bh-federal-03/bh-federal-03-warfield/bhfed-03-warfield.pdf<br />
This unpublished presentation addresses the need for better security with IPv6<br />
implementations by outlining the risks. The qualitative methodology is used and the<br />
document is in bullet point format. The presentation addresses some of the IPv6<br />
vulnerabilities; however, the most interesting information includes the example of an<br />
IPv6 backdoor implementation and the list of Ipv6 tools.<br />
Wei, X..Jiang-wei, Z., & Guo-dong, Z. (2009). Application research on IPv4/IPv6 dual stack<br />
technology. Paper presented at the International Conference on Signal Processing<br />
Systems. Retrieved from http://doi.ieeecomputersociety.org/10.1109/ICSPS.2009.200<br />
This IEEE conference paper addresses the need to transition from IPv4 to IPv6. It is a<br />
qualitative study. The research briefly describes dual stack architecture and proposes a<br />
possible implementation for a campus network, Overall, this is a limited and short
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
238<br />
document that doesn't address anything that has not already been addressed by other<br />
individuals.<br />
WenQi, W., & Weiguang, L. (2009). The research on forensic model based network. Paper<br />
presented at the Second International Workshop on Computer Science and Engineering.<br />
Retrieved from http://doi.ieeecomputersociety.org/10.1109/WCSE.2009.635<br />
doi:10.1109/WCSE.2009.345<br />
This IEEE conference paper address the shortcomings of other models that do not<br />
account for admissible evidence. Prior research includes: DoJ: <strong>Digital</strong><br />
Evidence:Standards and Principles<br />
http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm This is a qualitative study.<br />
The research proposes another framework for analysis that addresses evidence directly.<br />
This is weak support from the literature and incorrect discussion of HTTP email which<br />
doesn't exist.<br />
Wu, L..Hai-xin, D..Tao, L..Xing, L., & Jian-ping, W. (2009). H6Proxy: ICMPv6 weakness<br />
analysis and implementation of IPv6 attacking test proxy. Paper presented at the<br />
Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing. Retrieved<br />
from http://doi.ieeecomputersociety.org/10.1109/UIC-ATC.2009.78 doi:10.1109/UIC<br />
ATC.2009.78<br />
This IEEE conference paper addresses the weakness in ICPMv6. It is a qualitative study<br />
using description and experiment. The research exposes vulnerabilities in destination<br />
unreachable or redirect messages that could cause DoS or man in the middle attacks. The<br />
study then explains how to implement a router redirect attack that could be used to
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
239<br />
reroute victims to spoofed web sites. This study is interesting; however, the author does<br />
not recommend a mitigation strategy.<br />
Xie, L..Bi, J., & Wu, J. (2007). A multihoming based IPv4/IPv6 transition approach. Paper<br />
presented at the Proceedings of the 6th international IFIP-TC6 conference on Ad Hoc and<br />
sensor networks, wireless networks, next generation internet, Atlanta, GA, USA.<br />
This conference paper addresses the problem of redundancy in transition networks. This<br />
is a qualitative study using narrative and description. The research proposes inserting a<br />
layer between the link and network layers to dynamically rout IPv6 packets between a<br />
tunnel broker and 6to4 dual homed interface. It provides the best of these methods and<br />
allows for redundancy on the IPv6 network connection.<br />
Yan-ge, C..Shui-mu, T., & Jun-ying, G. (2009). IPv4/IPv6 intercommunication technology<br />
research. Paper presented at the International Conference on Environmental Science and<br />
Information Application Technology. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ESIAT.2009.297<br />
This conference proceeding presents a summary of IPv6 transition mechanisms. The<br />
qualitative method was used and the problem addresses is the lack of research on<br />
transition mechanisms. The research presents three phases of IPv6 transition including<br />
IPv6 over IPv4, transparent interconnect, and IPv4 over IPv6. The author's English skills<br />
create a lot of confusing passages however, it provides a basic technical overview.<br />
Yang, J. (n.d.). Fast worm propagation in IPv6 networks.<br />
This unpublished work addresses the speed of IPv6 worm propagation and identifies<br />
methods to remove barriers to the large address space. This is a quantitative study that<br />
presents the results from numerical analysis. The research identifies various methods to
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
240<br />
reduce worm propagation on a IPv6 network from 22,000 years using random scanning to<br />
6 hours using faster connections, dense addressing, DNS, and local cache analysis. The<br />
analysis is interesting and discounts the benefits of the IPv6 address space as a worm<br />
propagation deterrent.<br />
Yang, X., & Ma, T. (2007). A link signature based DDoS attacker tracing algorithm under IPv6.<br />
Paper presented at the Future Generation Communication and Networking. Retrieved<br />
from http://doi.ieeecomputersociety.org/10.1109/FGCN.2007.15<br />
This IEEE conference paper addresses the problem of sourcing DDoS attacks in IPv6<br />
networks. It is a qualitative study using an experiment. The research proposes a packet<br />
marking method that is implemented at edge routers to allow a destination to reconstruct<br />
a packet's original path. The research seems to only extend other packet marking research<br />
onto IPv6 when this is not exclusively an IPv6 topic. Also it is unclear of the applicability<br />
of this approach given the added router overhead needed to write into each packet.<br />
Yang, X..Ma, T., & Shi, Y. (2007). Typical DoS/DDoS threats under IPv6. Paper presented at<br />
the Proceedings of the International Multi-Conference on Computing in the Global<br />
Information Technology (ICCGI'07). Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/ICCGI.2007.61<br />
This IEEE conference paper presents the methods used to initiate DoS attacks in IPv6. It<br />
is a qualitative study using an experiment to present results. The research described<br />
various DoS attacks related to the neighbor discovery protocol and flooding and then<br />
explained the steps they used and results of an experiment conducted in a lab<br />
environment. The study is interesting because of the details presented; however, it did not<br />
conduct an experiment with all of the attacks.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
241<br />
Yangui, X..Xiangchun, L..Jiachun, Z., & Huanyan, Q. (2009). Worm detection in an IPv6<br />
internet. Paper presented at the International Conference on Computational Intelligence<br />
and Security. Retrieved from doi:10.1109/CIS.2009.216<br />
This IEEE conference paper attempts to define a method for detecting worms. It is a<br />
qualitative study using an experiment to draw conclusions. The research suggests that<br />
IPv6 worms will propagate faster at the local level; however, they will still use email and<br />
search engines to attack initially through email. The results of the experiment indicate<br />
that it may be possible to identify worms by analyzing DNS and SMTP traffic. The study<br />
is interesting; however, the experiment uses IPv4 even though the title is based on IPv6.<br />
Yao, G. x..Guan, Q. l..Lin, L. c..Huang, S. Q..Zhu, G. c..Zhang, H., et al. (2008). Research and<br />
Implementation of Next Generation Network Intrusion Detection System Based on<br />
Protocol Analysis. Paper presented at the ISECS International Colloquium on<br />
Computing, Communication, Control, and Management. Retrieved from<br />
http://doi.ieeecomputersociety.org/10.1109/CCCM.2008.30 doi:10.1109/CCCM.2008.30<br />
This IEEE conference paper addresses the belief that IPv4 IDS devices will not work for<br />
IPv6. The research proposes a new method for using NIDS devices in IPv6. Based on<br />
previous research, there is not a need to use a unique devices just for IPv6. It is more<br />
important to develop protocol analysis and pattern matching signatures.<br />
Zagar, D..Grgic, K., & Rimac-Drlje, S. (2007). Security aspects in IPv6 networks <br />
implementation and testing. Computers & Electrical Engineering, 33, 425-437. doi:<br />
10.1016/j.compeleceng.2007.05.008<br />
This Elsevier journal article addresses the new IP security threats in IPv6 which present<br />
unique challenges that were not considerations in IPv4. The study uses a qualitative
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC<br />
242<br />
methodology with logical descriptions and conclusions and also presents the results of an<br />
IPv6 scanning experiment. Sever IPv6 threats are identified and mitigation strategies<br />
using IDS and firewalls is proposed. The study provides a good list of threats; however,<br />
the suggestion of using Wireshark for IDS does not provide an ideal solution.<br />
Zander, S..Armitage, G., & Branch, P. (2007). A survey of covert channels and coutermeasures<br />
in computer network protocols. IEEE Communications Surveys & Tutorials, 9(3).<br />
This IEEE journal article addresses covert channels in network communication. It is a<br />
qualitative study and survey of other research. The survey presents other research in<br />
covert channels and constructs an extensive list of methods. It also presents discussion on<br />
identifying and eliminating covert channels. The overall conclusion is that not all covert<br />
channels can be eliminated; however, design flaws enable many of them to exist.<br />
Zheng, Q..Liu, T..Guan, X..Qu, Y., & Wang, N. (2007). A new worm exploiting IPv4-IPv6 dualstack<br />
networks. Paper presented at the Proceedings of the 2007 ACM workshop on<br />
Recurring malcode, Alexandria, Virginia, USA.<br />
This ACP conference paper addresses the problem of worm propagation in dual stack<br />
networks. It is a qualitative study the presents conclusions based on population statistics.<br />
The research concluded that worms are able to propagate faster in IPv6 networks due to<br />
the neighbor discovery protocol that causes every host to respond. Although, the research<br />
has a valid point, it only applies to nodes on the local link which are usually confined to a<br />
few nodes. The real problem is the worm spreading globally, not locally.<br />
Zhou, L., & Renesse, R. v. (2004). P6P: A peer-to-peer approach to Internet infrastructure.<br />
Paper presented at the International workshop on Peer-To-Peer Systems.
IMPACT OF IPV6 TRANSITION MECHANISMS ON THE NETWORK FORENSIC 243<br />
This conference paper addresses the problem of transitioning from IPv4 to IPv6 in P2P<br />
networks. It is a qualitative study using description. The author proposes a new P2P<br />
model called P6P that routes packets over the IPv4 network and provides IPv6<br />
connectivity in a P2P model. Like the work by Shengyang, the proposal looks promising<br />
as a replacement for P2P networks.