Network Forensics Network Forensics Principles

Network Forensics Network Forensics Principles

Agenda Network Forensics PPrinciples of Network Forensics PTerms & Log-based Tracing Richard Baskerville PApplication Layer Log Analysis PLower Layer Log Analysis Georgia State University 1 2 Network Forensics Network Forensics Kim, et al (2004) “A fuzzy expert system for network fornesics”, ICCSA 2004, Berlin: Springer-Verlag, p. 176 Principles The action of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems. 3 4 Network Attacks Attack Residue PProtocol PSuccessful < Eg, SQL-Injection < Obfuscation of residue PMalware PUnsuccessful < Eg, Virus, Trojan, Worm < Residue is intact PFraud < Eg, Phishing, Pharming, etc. 5 6 Honeytraps Network Traffic Capture Systems Designed to be Compromised and Collect Attack Data Logging Issues Driving Automated Support PManaging data volume PManaging logging performance PEnsuring logs are useful to reconstruct the Attack PCorrelation of data in logs < Importance of timestamping From Yasinac, A. and Manzano, Y. (2002) “Honeytraps, A Network Forensic Tool” Florida State University. 7 8 Network Traffic Analysis Traceback Evidence Processing Usually Requires Software Tools PMinimizing distance to source PSessionizing PTraversing firewalls, proxies and address translation PProtocol parsing and analysis PMuliple cooroborating collectors PDecryption PTime and location stamping PSecurity of Analysis and Data < Avoiding detection and analysis-data compromise 9 10 Two Important Terms PPromiscuous Mode < An Ethernet Network Interface Card (NIC) in promiscuous mode is a configuration that will pass all traffic received by the card to the Terms and Log-based operating system, rather than just packets addressed to it. This Tracing feature is normally used for packet sniffing. PIPSpoofing < Forging the source address in the header of an IP packet so that it contains a different address, making it appear that the packet was sent by a different machine. Responses to spoofed packets will go to the forged source address. Mainly used for Denial of Service where the attacker does not care about the response, or defeating IP-based authentication. It is sometimes possible for an attacker to recover responses, when the spoofed address is on LAN or WAN controlled by the attacker. 11 12 Rootkit Honeypot Data P Blackhat software that gains control over a computer or network. "Root" refers to the administrative (superuser) P A network host computer serving only the purpose of computer account. Kit refers to mechanisms that initiate attracting network-based attacks. Because a honeypot entry into the target computer modify it for later, and is intended to host no legitimate activity, any activity more simplified means of access (a backdoor). detected on this host is assumed to be intrusion activity. P Rootkits will usually erase the system event logging P Data on honeypot activity is carefully captured to avoid capacity in an attempt to hide attack evidence and may detection and corruption. It is used to study ongoing disclose sensitive data. A well designed rootkit will network-based attacks for the purpose of developing replace parts of the operating system with rootkit defenses and remedies for potential or experienced processes and files, and obscure itself from security compromises scanning. 13 14 Log-based Tracing Client Server Logging Options Server HTTP Application HTTP Log Data Data Proxy or PIssues of efficiency in logfile space and TCP Transport TCP Firewall Log Data + TL Pr Data + TL Pr processing time PSometimes options, e.g., IP IP Router Internet Log < Off Data + TL/IL Pr Data + TL/IL Pr < Succinct < Verbose X.25 Network X.25 Sniffers Data + TL/IL/NA Pr Forensics Analysis 15 16 Web Server Logs Example of Application Layer Logging Application Layer Log P Access Log File < Access log file contains a log of all the requests. Analysis P Proxy Access Log File < (If directed) a separate log of proxy transactions (otherwise logged to Access Log) P Cache Access Log < (If directed) a separate log of cache accesses (otherwise logged to Access Log) P Error Log File < Log of errors 17 18 The Common Logfile Format Web Server Logfile Example World Wide Web Consortium (W3C) 209.240.221.71 - - [03/Jan/2001:15:20:06 -0800] "GET /Inauguration.htm HTTP/1.0" 200 8788 "http://www.democrats.com/" "Mozilla/3.0 WebTV/1.2 (compatible; MSIE P Format: remotehost rfc931 authuser [date] "request" status bytes 2.0)" < remotehost – Remote hostname (or IP number if DNS hostname is not available, or if DNSLookup is Off. < rfc931 – The remote logname of the user. < authuser – The username as which the user has authenticated himself. < [date] – Date and time of the request. < "request" – The request line exactly as it came from the client. < status – The HTTP status code returned to the client. < bytes – The content-length of the document transferred. Thamason, L. (2001) “Analyzing Web Site Traffic”, NetMechanic (4)11. http://www.netmechanic.com/news/vol4/promo_no11.htm 19 20 IIS Logging Options Web Server Access Log 21 22 Web Server Log Analysis Tools: Page Delivery Web Server Log Analysis Tools: File Delivery Usually Intended for Management 23 24 Web Server Log Analysis Tools: Users Web Server Logfile Live Example #1 131.96.102.37 - - [27/Mar/2010:22:27:03 -0400] "GET /cis8080/readings/SEC_YOU.pdf HTTP/1.0" 401 0 0 "-" "eliza-google-crawler (Enterprise; S5- JDM5GCVTD6NJB; [email protected],[email protected])" Unauthorized Nothing delivered 25 26 Simple “Who Is” Tracing Web Server Logfile Live Example #2 Subject to Spoofing 208.61.220.34 - infosecstudent [25/Mar/2010:13:34:38 -0400] "GET /cis8080/readings/StratISRM_Final_Typescript.pdf HTTP/1.1" 200 60818 125 "http://cis.gsu.edu/~rbaskerv/cis8080/readings.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)" Request fulfilled 60KB delivered 27 28 Simple “Who is” Tracing Help for Tracing Abuse Lower Layer Log Analysis 29 30 Transport, Internet, Network Access Logging Reconstructing Data Flows Server Server Log P Logs record packet headers, not sessions or flows P Logs usually ignore packet contents for efficiency Proxy or P Flow can be logically reconstructed from Transport TCP Firewall < IP addresses Log Data + TL Pr < Port numbers < Implied Protocols IP Router < Internet Log Sequencing Data + TL/IL Pr Network X.25 Sniffers Reconstructing TCP flows from raw IP network traffic. From E. Casey (2004) “Network Traffic as a source of evidence”, Digital Investigation 1 (1) 28-43. 31 32 TCP Connection Graph Incoming TCP Connection Graph Network Analysis Tools Inbound port 139 connections suggest the firewall and the host are controlled by intruders. Port 139: This is the single most dangerous port on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port. This is the first port hackers want to connect to, and the port that firewalls block. Example from Raynal, et al. (2004) “Honeypot Forensics” IEEE Security Example from Raynal, et al. (2004) “Honeypot Forensics” IEEE Security & Privacy 72-77. & Privacy 72-77. 33 34 Outgoing TCP Connection Graph Detecting the Moment of Compromise These outgoing port Port 42895 is not “listening”, attempts to connect are “reset” (RST). 139 connections suggest this machine has been compromised by intruders. Port 42895 starts “listening”, attempts to connect “finish” (FIN), some software has started monitoring this port at 5:50:37 Example from Raynal, et al. (2004) “Honeypot Forensics” Example from Raynal, et al. (2004) “Honeypot Forensics” IEEE Security & Privacy 72-77. IEEE Security & Privacy 72-77. 35 36 tcpdump Snort Free packet analyzer that allows a computer to intercept and Free open source network intrusion prevention and detection display packets transmitted and received over its attached system that logs packets and analyzes traffic on IP networks. network. Runs on Unix-like operating systems and there is a It performs protocol analysis, content searching/matching, and port to Windows (WinDump). Uses packet capture engines actively blocks or passively detects many attacks and probes, libpcap (or WinPcap). Tcpdump file format is standard now. such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts. 37 38 NetDetector NetIntercept Captures and stores LAN traffic in raw dump files using a promiscuous Ethernet card and a modified UNIX kernel. Can Continuous capture and warehousing of network packets and write directly to removable media or network transfer to other statistics. Alerts on signatures, traffic patterns. and statistical machines for archiving. Stream reconstruction on demand. anomalies. Reconstructs web, email, instant messaging, FTP, Assembles user-defined range of packets into network Telnet, etc. connection data streams. The analysis subsystem is graphical, constructing a tree stored in an SQL database. 39 40 Network Forensics Richard Baskerville Georgia State University 41 42.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    7 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us