Principles of Network Forensics
Richard Baskerville
Georgia State University

Agenda
Principles of Network Forensics
- Internet Concepts Review
- Network-based Live Acquisitions
- Network Forensics Principles

Internet Concepts Review
IPv4 Packet Switched Networks
[Figure: packets, each consisting of Header, Data and Error Check, crossing a packet network of nodes 1 to 7; customers A-C, D-H, I-M, N-P, Q-Y and a large customer Z attach to the nodes]

X.25 Packet
[Figure: frame layout: Flag (01111110), Address, Control, Message, Frame Check Sequence, Flag (01111110)]

Open Systems Interconnection (OSI) Model
[Figure: a client stack and a server stack, each with the same seven layers, peer layer talking to peer layer]
- Application Layer
- Presentation Layer
- Session Layer
- Transport Layer
- Network Layer
- Data Link Layer
- Physical Layer

Internet Model
- Application Layer
- Host-to-Host Transport Layer
- Internet Layer
- Network Access Layer

Internet Layers
[Figure: the same protocol at each layer on both hosts; each lower layer carries the unit handed down from above plus its own header]
- Application Layer: FTP to FTP, carrying Data
- Transport Layer: TCP to TCP, carrying Data + TL Pr
- Internet Layer: IP to IP, carrying Data + TL/IL Pr
- Network Access Layer: X.25 to X.25, carrying Data + TL/IL/NA Pr
(TL, IL and NA abbreviate the Transport, Internet and Network Access layers.)

Network Access Layer
- CCITT X.25
- IEEE 802.3
- Ethernet
- Novell Netware
- CSMA/CD
- Token Ring (IEEE 802.5)

Internet Layer
- Internet Protocol (IP)
- Datagram
  - Header (5-6 words)
  - Data
- Types of network nodes
  - Gateways
  - Hosts
- Internet Control Message Protocol (ICMP)

Transport Layer
- Transmission Control Protocol (TCP)
  - 6-word header
  - "reliable"
  - connection oriented
- User Datagram Protocol (UDP)

Application Layer
- FTP
- Telnet
- SMTP
- DNS
- NFS
- RIP
- Gopher
- WAIS
- WWW

Internet Addressing
IPv4
- IP Addresses
  - 4-byte numbers, e.g. 121.11.21.18
  - Network addresses, e.g. 121.11.21.0
  - Multihomed hosts and gateways have two addresses
- Domain Name Service
  - Host table
  - NIC host table

Nesting Packets
[Figure: each layer wraps the unit it receives from the layer above in its own header]
- Application Layer: Data
- Transport Layer: Header | Data
- Internet Layer: Header | Header | Data
- Network Access Layer: Header | Header | Header | Data

Domain Hierarchy
[Figure: the domain name tree; not recoverable from the extracted text]

Domain Name Server Response
[Figure: iterative resolution of www.ibm.com, one referral per step]
- First: www.ibm.com? asked of nic.cbs.dk; answer: com NS nic.com
- Second: www.ibm.com? asked of nic.com; answer: ibm.com NS vm1.ibm.com
- Third: www.ibm.com? asked of vm1.ibm.com; answer: www.ibm.com A 111.222.101.111
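As an added example that is not part of the deck, covering both the Nesting Packets and the Domain Name Server Response slides: the DNS question for www.ibm.com is built as the application-layer Data, wrapped in UDP, IPv4 and Ethernet headers (three headers in front of the data, as on the slide), and then unwrapped outermost-first the way a traffic analyser reads a captured frame. The client address and port 3121 come from the sockets slide; the resolver address 10.0.0.53 and the MAC addresses are constructed, and checksums are left at zero as a simplification.

```python
import socket
import struct

def dns_query(name, qtype=1):
    """Application layer: a DNS question for `name` (QTYPE 1 = A record)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def udp_wrap(sport, dport, data):
    """Transport layer: 8-byte UDP header; checksum 0 means 'not computed' (simplification)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def ipv4_wrap(src, dst, data, proto=17):
    """Internet layer: 20-byte IPv4 header, no options; header checksum left 0 (simplification)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + data

def ethernet_wrap(src_mac, dst_mac, data, ethertype=0x0800):
    """Network access layer: 14-byte Ethernet II header (MACs given as 12 hex digits)."""
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + data

def build_frame():
    """Nest the layers as on the slide: Data -> H|Data -> H|H|Data -> H|H|H|Data."""
    data = dns_query("www.ibm.com")
    seg = udp_wrap(3121, 53, data)                              # client port from the sockets slide
    dgram = ipv4_wrap("131.71.8.1", "10.0.0.53", seg)           # resolver address is constructed
    frame = ethernet_wrap("020000000001", "020000000002", dgram)  # constructed MACs
    return frame, (len(data), len(seg), len(dgram), len(frame))

def unwrap(frame):
    """Peel the headers back off, outermost first, and recover the question name."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                    # IPv4 header length in bytes
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    dns = udp[8:ulen]
    labels, pos = [], 12                                        # question follows the 12-byte header
    while dns[pos]:                                             # a zero length byte ends the name
        n = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return {"ethertype": ethertype, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "qname": ".".join(labels)}
```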
Routing
- Transport layer routing tables
  - lists destination nets with gateways
  - "default" gateway where unlisted IP packets are sent
- Address resolution
  - Network access layer

Ports and Sockets
[Figure: a Telnet connection, identified by its pair of sockets (IP address.port)]
- Telnet client 131.71.8.1, socket 131.71.8.1.3121
- Telnet server 211.14.21.2, socket 211.14.21.2.23
- The client side sees the pair 131.71.8.1.3121, 211.14.21.2.23; the server side sees 211.14.21.2.23, 131.71.8.1.3121

Classless Inter-Domain Routing (CIDR)
- Slowed exhaustion of IPv4 address space
- Routing tables simplified
  - Base address
  - Size of subnet
- Enabled more fluid subnet proliferation
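As an added example that is not part of the deck, for the Routing and CIDR slides above: a routing table keyed by CIDR prefixes (base address plus size), a longest-prefix lookup that falls through to the "default" route for destinations no entry lists, and the aggregation of adjacent networks into one entry that CIDR makes possible. The table itself is constructed; the addresses in the tests are the ones used on the addressing and sockets slides.

```python
import ipaddress

# Constructed routing table (not from the deck): destination network -> next hop.
# "on-link" marks a directly connected network; 0.0.0.0/0 is the "default" route.
ROUTES = {
    "131.71.8.0/24": "on-link",
    "131.71.0.0/16": "131.71.8.254",
    "121.11.21.0/24": "131.71.8.253",
    "0.0.0.0/0": "131.71.8.254",
}

def cidr_summary(address_with_prefix):
    """Base address and subnet size, the two values a CIDR route carries."""
    net = ipaddress.ip_network(address_with_prefix, strict=False)  # strict=False: host bits allowed
    return str(net.network_address), net.num_addresses

def lookup(destination, routes=ROUTES):
    """Longest-prefix match; the /0 default route wins only when nothing more specific fits."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return str(best[0]), best[1]

def aggregate(prefixes):
    """Collapse adjacent networks into the fewest CIDR blocks (the table simplification CIDR allows)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def route_walk(destinations, routes=ROUTES):
    """Which entry and next hop each destination would use with the table above."""
    return {d: lookup(d, routes) for d in destinations}
```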
IPv6
- 32-byte address numbers
  - Addresses IPv4 address exhaustion
- Autoconfiguration
  - Router solicitation & advertisement
- Many other features, e.g.,
  - Multicast capability no longer optional
  - Network layer security (encryption) no longer optional

Network-based Live Acquisitions

Motivation: Live Acquisitions
- Cases where circumstances prevent removing the media from the computer
- Specialty hardware (e.g., some laptops)
- Unusual hard drive geometries
  - Host Protected Areas (HPA)
  - Device Configuration Overlays (DCO)
- Disclosure of ongoing investigation
  - "Black bag" jobs

Safely Booting Target Machine
- Helix
  - Linux boot of Windows machine
  - C:\ drive write protected
  - EnCase, FTK, dd imaging
- Forensic Boot Disk
  - Diskette or CD
  - Homemade: DOS, Windows 98
  - EnCase Boot Disk

Connecting Acquisition Devices
- USB adapter
- Disk-to-disk
  - No boot required
  - Open the box, connect directly to drive
- Cross-over cable
  - Use network acquisition technology

Live Network Acquisitions (I)
- Servlet installed on target machine
  - Requires administrator access
  - Can be installed remotely
- Servlet feeds image to acquiring machine
- May require authentication (e.g., EnCase)

Live Network Acquisition (II)
[Figure: the forensics examiner's machine reaches the network servlet on the acquisition target over the network, with an authentication server in the path]
- Network Servlet
- Forensics Examiner
- Acquisition Target
- Authentication Server

Network Forensics Principles

Network Forensics
Kim, et al. (2004) "A fuzzy expert system for network forensics", ICCSA 2004, Berlin: Springer-Verlag, p. 176:
"The action of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems."

Network Attacks
- Protocol
  - e.g., SQL injection
- Malware
  - e.g., virus, Trojan, worm
- Fraud
  - e.g., phishing, pharming, etc.

Attack Residue
- Successful
  - Obfuscation of residue
- Unsuccessful
  - Residue is intact

Network Traffic Capture
Logging Issues Driving Automated Support
- Managing data volume
- Managing logging performance
- Ensuring logs are useful to reconstruct the attack
- Correlation of data in logs
  - Importance of timestamping

Honeytraps
Systems designed to be compromised and collect attack data
From Yasinsac, A. and Manzano, Y. (2002) "Honeytraps, A Network Forensic Tool", Florida State University.

Network Traffic Analysis
Usually Requires Software Tools
- Sessionizing
- Protocol parsing and analysis
- Decryption
- Security of analysis and data
  - Avoiding detection and analysis-data compromise

Traceback Evidence Processing
- Minimizing distance to source
- Traversing firewalls, proxies and address translation
- Multiple corroborating collectors
- Time and location stamping
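As an added example that is not part of the deck, tying together the sessionizing bullet of the Network Traffic Analysis slide, the timestamp-correlation bullet of the logging slide, and the "multiple corroborating collectors" bullet above: capture summaries from two collectors are sessionized with a direction-independent key, the second collector's clock skew is removed, and each session is reported with which collectors saw it. The capture lines are constructed (the Telnet endpoints are the ones on the sockets slide), and the skew estimate assumes both collectors saw the same first SYN.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed capture summaries from two collectors (not from the deck):
# "<timestamp> <proto> <src ip:port> > <dst ip:port> <flags>".
COLLECTOR_A = [
    "2004-03-01T10:00:00.120 TCP 131.71.8.1:3121 > 211.14.21.2:23 S",
    "2004-03-01T10:00:00.131 TCP 211.14.21.2:23 > 131.71.8.1:3121 SA",
    "2004-03-01T10:00:00.140 TCP 131.71.8.1:3121 > 211.14.21.2:23 A",
    "2004-03-01T10:00:02.500 UDP 131.71.8.1:3122 > 10.0.0.53:53 Q",
    "2004-03-01T10:00:09.900 TCP 131.71.8.1:3121 > 211.14.21.2:23 F",
]
COLLECTOR_B = [  # this collector's clock runs 3 s fast and it missed one packet
    "2004-03-01T10:00:03.120 TCP 131.71.8.1:3121 > 211.14.21.2:23 S",
    "2004-03-01T10:00:03.131 TCP 211.14.21.2:23 > 131.71.8.1:3121 SA",
    "2004-03-01T10:00:12.900 TCP 131.71.8.1:3121 > 211.14.21.2:23 F",
]

def parse(line, collector, skew=timedelta(0)):
    """One summary line -> dict; `skew` moves the collector's clock back onto the reference clock."""
    ts, proto, src, _, dst, flags = line.split()
    return {"t": datetime.fromisoformat(ts) - skew, "proto": proto, "src": src,
            "dst": dst, "flags": flags, "from": collector}

def session_key(pkt):
    """Direction-independent key, so both halves of a conversation land in one session."""
    a, b = sorted([pkt["src"], pkt["dst"]])
    return (pkt["proto"], a, b)

def estimate_skew(lines_a, lines_b):
    """Clock offset of collector B relative to A, taken from the first SYN both of them saw."""
    first_syn = lambda lines: next(datetime.fromisoformat(l.split()[0])
                                   for l in lines if l.endswith(" S"))
    return first_syn(lines_b) - first_syn(lines_a)

def sessionize(packets):
    """Group packets by session key, in time order."""
    sessions = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["t"]):
        sessions[session_key(p)].append(p)
    return sessions

def correlate(lines_a=COLLECTOR_A, lines_b=COLLECTOR_B):
    """Align B to A's clock, merge both captures, and say which collectors corroborate each session."""
    skew = estimate_skew(lines_a, lines_b)
    pkts = [parse(l, "A") for l in lines_a] + [parse(l, "B", skew) for l in lines_b]
    return {key: {"packets": len(v),
                  "collectors": sorted({p["from"] for p in v}),
                  "start": v[0]["t"].isoformat(timespec="milliseconds"),
                  "end": v[-1]["t"].isoformat(timespec="milliseconds")}
            for key, v in sessionize(pkts).items()}
```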