Principles of Network Forensics - Department of Computer ...
Principles of Network Forensics
Richard Baskerville
Georgia State University
Agenda
Principles of Network Forensics
- Internet Concepts Review
- Network-based Live Acquisitions
- Network Forensics Principles
Internet Concepts Review
IPv4
Packet Switched Networks
(Figure: packets, each made up of a header, data and an error check, travel across a packet network of numbered switching nodes 1-7; the nodes connect the customer groups A-C, D-H, I-M, N-P, Q-Y and Z and one large customer.)
X.25 Packet
(Figure: frame layout, field by field)
- Flag (01111110)
- Address
- Control
- Message
- Frame Check Sequence
- Flag (01111110)
Open Systems Interconnection (OSI) Model
(Figure: the same seven-layer stack shown side by side for Client and Server)
- Application Layer
- Presentation Layer
- Session Layer
- Transport Layer
- Network Layer
- Data Link Layer
- Physical Layer
Internet Model
- Application Layer
- Host-to-Host Transport Layer
- Internet Layer
- Network Access Layer
Internet Layers
(Figure: FTP data is wrapped by each lower layer's protocol information on the way down the stack and unwrapped on the way up)
- Application Layer: FTP - Data
- Transport Layer: TCP - Data + TL Pr
- Internet Layer: IP - Data + TL/IL Pr
- Network Access Layer: X.25 - Data + TL/IL/NA Pr
(TL, IL and NA Pr: the transport layer, internet layer and network access layer protocol headers)
Network Access Layer
- CCITT X.25
- IEEE 802.3
- Ethernet
- Novell Netware
- CSMA/CD
- Token Ring (IEEE 802.5)
Internet Layer
- Internet Protocol (IP)
- Datagram
  - Header (5-6 words)
  - Data
- Types of network nodes
  - Gateways
  - Hosts
- Internet Control Message Protocol (ICMP)
Transport Layer
- Transmission Control Protocol (TCP)
  - 6-word header
  - "reliable"
  - connection oriented
- User Datagram Protocol (UDP)
Application Layer
- FTP
- Telnet
- SMTP
- DNS
- NFS
- RIP
- Gopher
- WAIS
- WWW
Internet Addressing
IPv4
- IP Addresses
  - 4-byte numbers, e.g. 121.11.21.18
  - Network addresses, e.g. 121.11.21.0
  - Multihomed hosts and gateways have two addresses
- Domain Name Service
  - Host table
  - NIC Host table
Nesting Packets
(Figure: each layer prepends its own header to the whole unit handed down from the layer above, so the Network Access Layer frame carries the Internet Layer header, the Transport Layer header and the Application Layer data nested inside it.)
Domain Hierarchy
Domain Name Server Response
(Figure: three-step lookup of www.ibm.com)
- First: query "www.ibm.com?" to nic.cbs.dk; response: com NS nic.com
- Second: query "www.ibm.com?" to nic.com; response: ibm.com NS vm1.ibm.com
- Third: query "www.ibm.com?" to vm1.ibm.com; response: www.ibm.com A 111.222.101.111
Routing
- Transport layer routing tables
  - lists destination nets with gateways
  - "default" gateway where unlisted IP packets are sent
- Address resolution
  - Network access layer
Ports and Sockets
(Figure: a Telnet connection between Telnet Client 131.71.8.1 and Telnet Server 211.14.21.2; each socket is written as IP address.port number)
- Socket: 211.14.21.2.23, 131.71.8.1.3121
- Socket: 131.71.8.1.3121, 211.14.21.2.23
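As an added example (not from the slides), the parser below peels the nested headers of a constructed Ethernet/IPv4/TCP frame the way the Nesting Packets figure describes, verifies the IPv4 header checksum before trusting the addresses, and recovers the socket pair in the slides' IP.port notation. The frame bytes, MAC addresses and payload are constructed; the addresses and ports are the slides' Telnet example.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample frame (not captured traffic): an Ethernet II header wrapping an IPv4
# header wrapping a TCP header wrapping a 7-byte application payload. MACs and payload are
# made up; the socket pair is the slides' Telnet example, 131.71.8.1.3121 -> 211.14.21.2.23.
SAMPLE_FRAME = bytes.fromhex(
    "00005e000101" "00005e000102" "0800"                   # Ethernet: dst MAC, src MAC, type=IPv4
    "4500002f00014000" "4006c76f" "83470801" "d30e1502"    # IPv4: IHL=5, len=47, proto=TCP, cksum
    "0c310017" "00000001" "00000000" "50182000" "00000000" # TCP: 3121->23, offset=5, PSH+ACK
    "6c6f67696e3a20"                                       # Application data: b"login: "
)

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of the IPv4 header; returns 0 when the header verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Peel the nested headers outermost-first and return what each layer contributes."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]                              # Network Access header removed
    ihl = (ip[0] & 0x0F) * 4                     # IHL counts 32-bit words (the slides' "5-6 words")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    src_ip, dst_ip = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:total_len]                      # Internet header removed; trailing padding dropped
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                # TCP data offset, also in 32-bit words
    return {
        "ethernet": (src_mac.hex(":"), dst_mac.hex(":")),
        "socket_pair": (f"{src_ip}.{sport}", f"{dst_ip}.{dport}"),   # slides' IP.port notation
        "flags": tcp[13],
        "payload": tcp[data_off:],               # Transport header removed: application data
    }
```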
Classless Inter-Domain Routing (CIDR)
- Slowed exhaustion of IPv4 address space
- Routing tables simplified
  - Base address
  - Size of subnet
- Enabled more fluid subnet proliferation
IPv6
- 32-byte address numbers
  - Addresses IPv4 address exhaustion
- Autoconfiguration
  - Router solicitation & advertisement
- Many other features, e.g.,
  - Multicast capability no longer optional
  - Network layer security (encryption) no longer optional
Network-based Live Acquisitions
Motivation: Live Acquisitions
- Cases where circumstances prevent removing the media from the computer.
- Specialty hardware (e.g., some laptops)
- Unusual hard drive geometries
  - Host Protected Areas (HPA)
  - Device Configuration Overlays (DCO)
- Disclosure of ongoing investigation
  - "Black bag" jobs
Safely Booting Target Machine
- Helix
  - Linux boot of Windows machine
  - C:\ drive write protected
  - EnCase, FTK, dd imaging
- Forensic Boot Disk
  - Diskette or CD
  - DOS
  - Windows 98
  - EnCase Boot Disk
  - Homemade
Connecting Acquisition Devices
- USB adapter
- Disk-to-disk
  - No boot required
  - Open the box, connect directly to drive
- Cross-over cable
  - Use network acquisition technology
Live Network Acquisitions (I)
- Servlet installed on target machine
  - Requires administrator access
  - Can be installed remotely
- Servlet feeds image to acquiring machine
- May require authentication (e.g., EnCase)
Live Network Acquisition (II)
(Figure: the Acquisition Target running the Servlet, the Forensics Examiner and an Authentication Server, connected through the Network.)
Network Forensics Principles
Network Forensics
The action of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems.
Kim, et al. (2004) "A fuzzy expert system for network forensics", ICCSA 2004, Berlin: Springer-Verlag, p. 176
Network Attacks
- Protocol, e.g., SQL-Injection
- Malware, e.g., Virus, Trojan, Worm
- Fraud, e.g., Phishing, Pharming, etc.
Attack Residue
- Successful: obfuscation of residue
- Unsuccessful: residue is intact
Network Traffic Capture
Logging Issues Driving Automated Support
- Managing data volume
- Managing logging performance
- Ensuring logs are useful to reconstruct the attack
- Correlation of data in logs
  - Importance of timestamping
Honeytraps
Systems designed to be compromised and collect attack data
From Yasinac, A. and Manzano, Y. (2002) "Honeytraps, A Network Forensic Tool", Florida State University.
Network Traffic Analysis
Usually requires software tools
- Sessionizing
- Protocol parsing and analysis
- Decryption
- Security of analysis and data
  - Avoiding detection and analysis-data compromise
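Sessionizing in practice, as an added example that is not from the slides: group a constructed list of packet records into bidirectional sessions keyed on the socket pair, with timestamps deciding when a reused port starts a new conversation (the reason the capture slide stresses timestamping). The packet records, the DNS server address 198.51.100.53 and the 300-second idle timeout are constructed assumptions; the Telnet addresses and ports are the slides' example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed packet records (not real capture data), one per packet as a capture tool might
# export them: (UTC timestamp, src IP, src port, dst IP, dst port, bytes on the wire). Two Telnet
# conversations with 211.14.21.2 reuse client port 3121; a DNS lookup interleaves with the first.
SAMPLE_PACKETS = [
    ("2004-03-01T10:00:00Z", "131.71.8.1", 3121, "211.14.21.2", 23, 60),
    ("2004-03-01T10:00:00Z", "211.14.21.2", 23, "131.71.8.1", 3121, 60),
    ("2004-03-01T10:00:01Z", "131.71.8.1", 3122, "198.51.100.53", 53, 70),
    ("2004-03-01T10:00:01Z", "198.51.100.53", 53, "131.71.8.1", 3122, 120),
    ("2004-03-01T10:00:05Z", "131.71.8.1", 3121, "211.14.21.2", 23, 75),
    ("2004-03-01T10:00:06Z", "211.14.21.2", 23, "131.71.8.1", 3121, 400),
    ("2004-03-01T10:20:00Z", "131.71.8.1", 3121, "211.14.21.2", 23, 60),  # same ports, new session
]

@dataclass
class Session:
    initiator: str        # "ip.port" of the endpoint whose packet was seen first
    responder: str
    first: datetime
    last: datetime
    packets: int = 0
    bytes_fwd: int = 0    # initiator -> responder
    bytes_rev: int = 0    # responder -> initiator

def sessionize(records, idle_timeout=300):
    """Group packets into bidirectional sessions keyed on the socket pair; a packet arriving more
    than idle_timeout seconds after the pair's last one opens a new session (port reuse)."""
    active = {}      # socket-pair key -> session still receiving packets
    closed = []
    for ts, sip, sport, dip, dport, size in sorted(records):   # timestamps order the packets
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        a, b = f"{sip}.{sport}", f"{dip}.{dport}"
        key = frozenset((a, b))                                 # same key in both directions
        s = active.get(key)
        if s is not None and (t - s.last).total_seconds() > idle_timeout:
            closed.append(active.pop(key))
            s = None
        if s is None:
            s = active[key] = Session(a, b, t, t)
        s.packets += 1
        s.last = max(s.last, t)
        if a == s.initiator:
            s.bytes_fwd += size
        else:
            s.bytes_rev += size
    return sorted(closed + list(active.values()), key=lambda s: s.first)
```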
Traceback Evidence Processing
- Minimizing distance to source
- Traversing firewalls, proxies and address translation
- Multiple corroborating collectors
- Time and location stamping