Principles of Network Forensics

Richard Baskerville

Georgia State University

Agenda

Principles of Network Forensics

- Internet Concepts Review
- Network-based Live Acquisitions
- Network Forensics Principles

Internet Concepts Review

IPv4 Packet Switched Networks

[Diagram: a packet made of Header, Data and Error Check; customer groups (A-C, D-H, I-M, N-P, Q-Y, Z, including one large customer) attached through numbered nodes 1-7 share a single packet network]

X.25 Packet

[Diagram: X.25 frame layout: Flag (01111110) | Address | Control | Message | Frame Check Sequence | Flag (01111110)]

Open Systems Interconnection (OSI) Model

[Diagram: identical seven-layer stacks on Client and Server: Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer, Data Link Layer, Physical Layer]

Internet Model

- Application Layer
- Host-to-Host
- Internet Layer
- Network Access Layer

Internet Layers

[Diagram: the same four-layer stack on both hosts: FTP at the Application Layer exchanges Data; TCP at the Transport Layer carries Data + TL Pr; IP at the Internet Layer carries Data + TL/IL Pr; X.25 at the Network Access Layer carries Data + TL/IL/NA Pr (TL, IL and NA are the transport, internet and network access layer protocol headers)]

Network Access Layer

- CCITT X.25
- IEEE 802.3
- Ethernet
- Novell Netware
- CSMA/CD
- Token Ring (IEEE 802.5)

Internet Layer

- Internet Protocol (IP)
- Datagram
  - Header (5-6 words)
  - Data
- Types of network nodes
  - Gateways
  - Hosts
- Internet Control Message Protocol (ICMP)

Transport Layer

- Transmission Control Protocol (TCP)
  - 6-word header
  - "reliable"
  - Connection oriented
- User Datagram Protocol (UDP)

Application Layer

- FTP
- SMTP
- DNS
- NFS
- RIP
- Gopher
- WAIS
- WWW

Internet Addressing

IPv4

- IP Addresses
  - 4-byte numbers, e.g., 121.11.21.18
  - Network addresses, e.g., 121.11.21.0
  - Multihomed hosts and gateways have two addresses
- Domain Name Service
  - Host table
  - NIC Host table

Nesting Packets

[Diagram: each layer prepends its own header: Application Layer: Data; Transport Layer: Header | Data; Internet Layer: Header | Header | Data; Network Access Layer: Header | Header | Header | Data]

Domain Hierarchy

Domain Name Server Response

Step    Query          Server asked   Response
First   www.ibm.com?   nic.cbs.dk     com NS nic.com
Second  www.ibm.com?   nic.com        ibm.com NS vm1.ibm.com
Third   www.ibm.com?   vm1.ibm.com    www.ibm.com A 111.222.101.111
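The three referral steps in the table, worked as an added example that is not part of the original slides: a small simulation of iterative resolution in Python. The zone contents and server names are constructed to match the slide, and nic.cbs.dk is assumed to be the server the resolver already knows about.

```python
# Constructed authoritative data for the three servers on the slide: each
# server knows only its own records, so the answer is reached by referral.
ZONES = {
    "nic.cbs.dk.": {"com.": [("NS", "nic.com.")]},
    "nic.com.": {"ibm.com.": [("NS", "vm1.ibm.com.")]},
    "vm1.ibm.com.": {"www.ibm.com.": [("A", "111.222.101.111")]},
}

def fqdn(name):
    """Normalise to a fully qualified name with a trailing dot."""
    return name if name.endswith(".") else name + "."

def referral(zone, name):
    """Find the closest enclosing delegation (longest matching suffix with NS)."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        for rtype, value in zone.get(suffix, []):
            if rtype == "NS":
                return suffix, value
    return None

def resolve(name, start_server, zones=ZONES, max_steps=10):
    """Iterative resolution: ask a server, follow NS referrals until an A record
    comes back. Returns (address, trace); trace lists (server asked, answer)
    exactly like the First/Second/Third rows of the slide."""
    name, server, trace = fqdn(name), fqdn(start_server), []
    for _ in range(max_steps):             # bound the walk: bad data can loop
        zone = zones.get(server)
        if zone is None:
            raise LookupError(f"no authoritative data for {server}")
        for rtype, value in zone.get(name, []):
            if rtype == "A":
                trace.append((server, f"{name} A {value}"))
                return value, trace
        ref = referral(zone, name)
        if ref is None:                    # no answer and nobody to refer to
            raise LookupError(f"{server} cannot resolve or refer {name}")
        suffix, ns = ref
        trace.append((server, f"{suffix} NS {ns}"))
        server = ns
    raise LookupError(f"referral loop while resolving {name}")
```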

Routing

- Transport layer routing tables
  - Lists destination nets with gateways
  - "default" gateway where unlisted IP packets are sent
- Address resolution
  - Network access layer

Ports and Sockets

[Diagram: a Telnet client at 131.71.8.1 connected to a Telnet server at 211.14.21.2; the client's socket pair is 131.71.8.1.3121, 211.14.21.2.23 and the server's is 211.14.21.2.23, 131.71.8.1.3121]

Classless Inter-Domain Routing (CIDR)

- Slowed exhaustion of IPv4 address space
- Routing tables simplified
  - Base address
  - Size of subnet
- Enabled more fluid subnet proliferation
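An added example, not part of the original slides, covering both the Routing slide and CIDR: a longest-prefix-match lookup with a "default" entry, plus the aggregation that lets one base address and subnet size replace several entries. The table is constructed from the slides' address blocks; the gateway addresses are assumptions.

```python
import ipaddress

# Constructed routing table: destination network -> next-hop gateway, using
# the address blocks from the slides. 0.0.0.0/0 is the "default" entry that
# catches every destination not listed explicitly.
ROUTES = {
    "121.11.21.0/24": "121.11.21.1",
    "131.71.0.0/16": "121.11.21.254",
    "131.71.8.0/24": "121.11.21.253",   # more specific than 131.71.0.0/16
    "0.0.0.0/0": "121.11.21.2",         # default gateway
}

def build_table(routes=ROUTES):
    """Parse each CIDR entry once and order it longest-prefix-first, so the
    most specific (smallest) subnet wins when several entries match."""
    table = [(ipaddress.ip_network(net), gw) for net, gw in routes.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def next_hop(dest, table=None):
    """Return (matched network, gateway) for a destination address."""
    table = table if table is not None else build_table()
    addr = ipaddress.ip_address(dest)
    for net, gw in table:
        if addr in net:                  # base address + size: one comparison
            return str(net), gw
    raise LookupError(f"no route to {dest}")   # only reachable without a default

def aggregate(cidrs):
    """Route summarisation: adjacent blocks collapse into one base address and
    size, which is how CIDR shrinks routing tables."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```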

IPv6

- 32-byte address numbers
  - Addresses IPv4 address exhaustion
- Autoconfiguration
  - Router solicitation & advertisement
- Many other features, e.g.,
  - Multicast capability no longer optional
  - Network layer security (encryption) no longer optional

Network-based Live Acquisitions

Motivation: Live Acquisitions

- Cases where circumstances prevent removing the media from the computer
- Specialty hardware (e.g., some laptops)
- Unusual hard drive geometries
  - Host Protected Areas (HPA)
  - Device Configuration Overlays (DCO)
- Disclosure of ongoing investigation
  - "Black bag" jobs

Safely Booting Target Machine

- Helix
  - Linux boot of Windows machine
  - C:\ drive write protected
  - EnCase, FTK, dd imaging
- Forensic Boot Disk
  - Diskette or CD
  - Homemade (DOS, Windows 98)
  - EnCase Boot Disk

Connecting Acquisition Devices

- USB adapter
- Disk-to-disk
  - No boot required
  - Open the box, connect directly to drive
- Cross-over cable
  - Use network acquisition technology

Live Network Acquisitions (I)

- Servlet installed on target machine
  - Requires administrator access
  - Can be installed remotely
- Servlet feeds image to acquiring machine
- May require authentication (e.g., EnCase)

Live Network Acquisition (II)

[Diagram: the Forensics Examiner's machine, an Authentication Server and the Acquisition Target running the Network Servlet, connected over the network]

Network Forensics Principles

Network Forensics

Kim, et al. (2004) “A fuzzy expert system for network forensics”, ICCSA 2004, Berlin: Springer-Verlag, p. 176:

"The action of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems."

Network Attacks

- Protocol
  - E.g., SQL-Injection
- Malware
  - E.g., Virus, Trojan, Worm
- Fraud
  - E.g., Phishing, Pharming, etc.

Attack Residue

- Successful
  - Obfuscation of residue
- Unsuccessful
  - Residue is intact

Network Traffic Capture

Logging Issues Driving Automated Support

- Managing data volume
- Managing logging performance
- Ensuring logs are useful to reconstruct the attack
- Correlation of data in logs
  - Importance of timestamping

Honeytraps

Systems Designed to be Compromised and Collect Attack Data

From Yasinsac, A. and Manzano, Y. (2002) “Honeytraps, A Network Forensic Tool”, Florida State University.

Network Traffic Analysis

Usually Requires Software Tools

- Sessionizing
- Protocol parsing and analysis
- Decryption
- Security of analysis and data
  - Avoiding detection and analysis-data compromise
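An added example, not from the original slides, tying together Nesting Packets, Ports and Sockets and the sessionizing step above: it wraps a payload in TCP and IPv4 headers, peels them off again, and groups packets into sessions by socket pair. The telnet addresses are the slide's; the payloads and the extra HTTP packet are constructed.

```python
import socket
import struct
from collections import defaultdict

def build_packet(src, sport, dst, dport, payload, flags=0x18):
    """Nest a payload inside a TCP header inside an IPv4 header (no link-layer
    header). Checksums are left zero: this is constructed input, not a capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def parse_packet(pkt):
    """Peel the headers back off; return (source socket, destination socket,
    payload) with sockets written address.port as on the slide."""
    ihl = (pkt[0] & 0x0F) * 4               # IPv4 header length in bytes
    if pkt[9] != 6:                         # protocol field: 6 is TCP
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4               # TCP data offset in bytes
    return f"{src}.{sport}", f"{dst}.{dport}", tcp[doff:]

def sessionize(packets):
    """Group packets by unordered socket pair and reassemble each direction's
    payload in arrival order: one session per socket pair."""
    sessions = defaultdict(lambda: defaultdict(bytes))
    for pkt in packets:
        parsed = parse_packet(pkt)
        if parsed is None:
            continue                        # non-TCP traffic is not sessionized here
        sender, receiver, payload = parsed
        key = tuple(sorted((sender, receiver)))
        sessions[key][sender] += payload
    return {key: dict(dirs) for key, dirs in sessions.items()}

# Constructed traffic using the slide's telnet client and server addresses,
# plus an unrelated HTTP request that must land in its own session.
CLIENT, SERVER = "131.71.8.1", "211.14.21.2"
SAMPLE = [
    build_packet(SERVER, 23, CLIENT, 3121, b"login: "),
    build_packet(CLIENT, 3121, SERVER, 23, b"alice\r\n"),
    build_packet("10.0.0.5", 40000, SERVER, 80, b"GET / HTTP/1.0\r\n"),
    build_packet(SERVER, 23, CLIENT, 3121, b"Password: "),
]
```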

Traceback

Evidence Processing

- Minimizing distance to source
- Traversing firewalls, proxies and address translation
- Multiple corroborating collectors
- Time and location stamping
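An added example, not from the original slides, for the two slides that stress timestamping and corroborating collectors (Logging Issues above and Traceback here): records from two collectors in different time zones, one with a known clock skew, are normalized to UTC and location-stamped before correlation. The collector names, skew value and log records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed records from two collectors. Each carries a location stamp and
# the collector's local timestamp; the collectors sit in different time zones
# and the IDS clock is known from a calibration check to run 300 s fast.
FIREWALL = [  # location "dmz-fw", stamps in UTC-05:00
    ("2004-03-01 09:00:12 -0500", "DENY", "131.71.8.1"),
    ("2004-03-01 09:02:40 -0500", "ALLOW", "131.71.8.1"),
]
IDS = [       # location "core-ids", stamps in UTC+01:00
    ("2004-03-01 15:07:41 +0100", "SQLI", "131.71.8.1"),
    ("2004-03-01 15:30:00 +0100", "SCAN", "10.9.8.7"),
]
SKEW_SECONDS = {"dmz-fw": 0, "core-ids": 300}

def normalize(records, location, skew=SKEW_SECONDS):
    """Turn a collector's local stamps into UTC and remove its known clock
    skew, so records from different sites share one timeline."""
    out = []
    for stamp, event, src in records:
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
        utc = local.astimezone(timezone.utc) - timedelta(seconds=skew[location])
        out.append({"t": utc, "where": location, "event": event, "src": src})
    return out

def corroborate(timeline, window_seconds=120):
    """Pair events about the same source seen by two different collectors
    within the window; a single collector cannot corroborate itself.
    Returns (source, earlier event, later event, seconds apart) tuples."""
    window = timedelta(seconds=window_seconds)
    timeline = sorted(timeline, key=lambda r: r["t"])
    pairs = []
    for i, a in enumerate(timeline):
        for b in timeline[i + 1:]:
            if b["t"] - a["t"] > window:    # sorted, so nothing later can match
                break
            if a["src"] == b["src"] and a["where"] != b["where"]:
                pairs.append((a["src"], a["event"], b["event"],
                              int((b["t"] - a["t"]).total_seconds())))
    return pairs

def build_timeline(skew=SKEW_SECONDS):
    """Merge both collectors into one UTC timeline (skew=None keeps raw clocks)."""
    skew = skew or {"dmz-fw": 0, "core-ids": 0}
    return normalize(FIREWALL, "dmz-fw", skew) + normalize(IDS, "core-ids", skew)
```

With the skew left uncorrected the firewall ALLOW and the IDS alert drift 301 seconds apart and fall outside the window, so the two collectors no longer corroborate each other.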
