3. an Analysis of Today's Batch Report
Total Page:16
File Type:pdf, Size:1020Kb
Design And Implementation Of Linux Based Network Forensics System Using Virtual Honeynet Thesis submitted in partial fulfillment of the requirements for the award of degree of Master Of Technology Submitted By Jatinder kaur (Roll No. 601003010) Under the Supervision of Mr. Gurpal Singh Chhabra Lecturer SCHOOL OF MATHEMATICS AND COMPUTER APPLICATIONS THAPAR UNIVERSITY PATIALA – 147004 JUNE JULY 2012 i ii Abstract Use of computer and Internet is now a mandatory perquisite for doing any kind of research, business, transactions, or precisely any daily routine. This thesis report focuses on Network Forensics & its related area. Reports also highlight some of the basic tools that can be used for the purpose of controlling & investigating Cyber crime and network attacks by the hacker community , which is growing exponentially. With the fast growing crime in the virtual world, tools and techniques to collect preserve and analyze digital data on the Internet for investigation and law enforcement purposes (termed as Network forensics) are also developed. Network forensics deals with the capture and analysis of the trace and log data of network intrusions from the current network security products and provides information to characterize intrusion or misbehavior features. To figure out such activities, people responsible for computer security incident response and digital forensic examination need to continually update their skills, tools, and knowledge to keep pace with changing technology. In M.Tech Thesis work, we will focus on this implementation of network forensic system using virtual honeynet to find out the activities of attackers. iii iv Table of Contents List of contents Page No. Certificate ii Abstract iii Acknowledgements iv List of Contents v List of Tables viii List of Figures ix Chapter 1. Introduction 1.1 Cyber Crime 3 1.2 Virtual world 5 1.3 Network forensics 6 1.3.1 Types of Network Forensic 8 1.3.2 Network Forensic Analysis Tools 8 1.4 Computer Forensics Vs Network Forensics 10 1.5 Study of Honeypot/Honeynet 10 1.5.1 Honeypot based Network Forensic System 10 1.5.2 Types of Honeypots 11 1.5.3 Advantages of Honeypots 14 1.5.4 Disadvantages of Honeypots 15 Chapter 2. Literature Survey 17 Chapter 3. Problem Statement and Objective 23 3.1 Problem Definition 23 3.2 Objectives 23 Chapter 4. Background and Existing Tools 24 4.1 Encase 24 4.2 Sleuthkit 25 v 4.3 FTK 26 4.4 Pyflag 27 4.5 Foremost 28 4.6 Fatback 28 Chapter 5. An Analysis Of Today’s Batch Report 30 5.1 Building a Test image containing Realistic Data 30 5.2 Building a Test image 31 5.3 Why a Test image 33 5.4 An Analysis of current Batch Report 33 5.4.1 Encase Batch report 34 5.4.2 FTK Batch Report 35 5.4.3 TSK/Autopsy Batch report 36 5.4.4 Pyflag Batch Report 38 Chapter 6.. Design And Implementation Of Network forensic System using Virtual Honeynet 42 6.1 Network Forensics 43 6.2 Motivation For Network forensic 44 6.2.1 Honeypot approaches for network Forensics 45 6.2.2 Honeypot And Network Forensics 46 6.3 Honeypot As Network Forensic Analysis Tools 46 6.3.1 Description of Network Forensic Analysis Tools 47 6.3.2 Honeypots and Network Forensics 48 6.3.3 Description of Network Security & Monitoring Tools 48 6.4 Design Architecture Of Network Forensic system using virtual Honeynet 51 6.4.1 Honeypot System 51 6.4.2 Honeywall System 51 6.4.3 Development Efforts 52 6.4.4 System Requirements 52 6.4.5 Features of Honeypot based network Forensic System 52 6.4.6 System Design Architecture 53 vi 6.6 Performance and results 54 6.6.1 Snapshots 54 Chapter 7. Conclusion and Future scope 62 7.1 Conclusion 62 7.2 Future Scope 62 List of Publications 63 References 64 vii List Of Tables Table No. Table Description Page No. 4.1 Forensic tools, their costs and customization ability 26 5.1 Test system that was used to generate realistic data image 31 5.2 Analysis Time of Realistic Image 37 5.3 Tasks performed by user in Pyflag user study 41 viii List Of Figures Fig No. Figure Description Page No Figure 1.1 Growth of Internet Usage 1 Figure 1.2 Handling of Evidences by Cyber Analyst 6 Figure 2.1(a) Electronic crime to your organization 17 Figure2.1(b) Percent of Electronic Crime Events 17 Figure 4.1 Use of Fatback tool 29 Figure 5.1 Encase user Interface 35 Figure 5.2 Encase Batch Report 36 Figure 5.3 FTK user interface 38 Figure 5.4 Pyflag Scanning options 40 Figure 5.5 Pyflag File view 41 Figure 5.6 Pyflag image report 41 Figure 6.1 Network with traffic monitoring tools 44 Figure 6.2 Architecture of network forensic system 53 Figure 6.3 Web interface function 53 Figure 6.4 Generating of test set up 54 Figure 6.5 Starting of test set up 55 Figure 6.6 Assigning of ip addresses 55 Figure 6.7 Running state of honeywall & honeypot 56 ix Figure 6.8 Interface of honeywall & honeypot 56 Figure 6.9 Checking of Pcap file 57 Figure 6.10 Snort alert generation 57 Figure 6.11 Honeywall login on web interface 58 Figure 6.12 Downloading of Pcap file 58 Figure 6.13 Saving of pcap file 59 Figure 6.14 Time management to database 59 Figure 6.15 Connection limiting 60 Figure 6.16 Network interface information 60 Figure 6.17 Transfer of udp & tcp packets 61 Figure 6.18 Snort alert generated file 61 x CHAPTER 1. I. Introduction Within last couple of decades, industry as well as governments uses Internet at an increasing pace in basic functions and core activities, as shown in the graph below (ref Figure1.1). Governments use Internet to provide citizens and businesses with public services. Electronic government services that are provided to citizens typically include paying income tax, demanding and issuing personal documentation such as birth and marriage certificates, issuing and renewing driving licenses, participating in election processes and so forth. Business has become depended on Internet not only to communicate and provide their product and services to customers but also to enact new business models which are entirely dependent on the use of the Internet, such as electronic marketplaces, online auctions, online bartering and information brokerage. Figure 1.1 Growth of Internet usage & penetration in India However, technological developments have also “a dark side”: Since crime tends to follow opportunity and the Internet provides many new opportunities, new crimes as well as new ways to commit “traditional crimes” by means of new technologies emerge [1]. Due to the “anonymity” of the cyber-criminal activities and to the fact that these new (types of) crimes are not restricted by geographical boundaries, they have far-reaching consequences. In a networked world, where all points are equidistant from all others and are accessible from everywhere, the principles of the legal system cannot impose obligations on everyone to comply with all law [2]. As a result, governments and business become increasingly vulnerable to threats originating from the Internet. The 2011 CyberSecurity Watch Survey uncovered that more attacks (58%) are caused by outsiders (those without authorized access to network systems and data) versus 21 % of attacks caused by insiders (employees or contractors with authorized access) and 21% from an unknown source; however 33% view the insider attacks to be more costl y, compared to 51% in 2010. Insider attacks are becoming more sophisticated, with a growing number of insiders (22%) using rootkits or hacker tools compared to 9% in 2 010, as these tools are increasingly automated and readily available[4]. ‘Internet forensics’ (also referred to as Cyber forensics or Network forensics) is a sub-category of computer-forensics. Computer-forensics refers to the collection, preservation and analysis of computer-derived evidence to ensure its admissibility as evidence in a legal proceeding [3]. Internet forensics includes techniques and methodologies to collect, preserve and analyze digital data on the Internet for investigation and law enforcement purposes. It is a relatively recent field of research and practice that has evolved as a result of the increasing use of Internet and the move of criminal activity. It is also argued that Internet forensics evolved as a response to the hacker community [5]. The amount of data in the world is increasing. In 2002, about 5 exabytes of new data were created, growing 30% yearly since 1999 [6]. The proliferation of digital information storing devices is incredible, and shows no sign of slowing. With smart- phones, iPods and digital cameras, the average American has more storage on his or her body than the first Cray supercomputers[7]. In 2003, 62 million US households owned computers connected to the Internet[8]. In 2008, one terabyte hard drives are sold for $100. With cheap storage, broadband internet connections for sharing, and ease of digital creation thanks to still and video cameras, some researchers warn of the oncoming “Exaflood” of information[6] .As storage becomes cheaper and personal hard drives become larger, the task of the digital investigator grows geometrically harder. Individuals own more and larger media devices than ever before, and sometimes when a crime is committed, evidence may exist somewhere on one of the devices. It is the job of the digital investigator to find what evidence exists and recover that evidence in a sound manner. One only has to look to the FBI to realize how important digital forensics has become in serious criminal cases.