Network Forensics - PowerPoint PPT Presentation

Slides: 22
Provided by: shar243

Transcript and Presenter's Notes

1
Network Forensics
  • Networking Basics
  • Collecting Network-Based Evidence (NBE)
  • Collection of Packets using Tools
  • Windows Intrusion
  • UNIX Intrusion

2
OSI Layers
Taken from Forouzan TCP/IP Protocol Suite
3
Source to Destination Delivery
Taken from Forouzan TCP/IP Protocol Suite
4
Physical Addresses
A node with physical address 10 sends a frame to
a node with physical address 87. The two nodes
are connected by a link. At the data link level
this frame contains physical (link) addresses in
the header. These are the only addresses needed.
The rest of the header contains other information
needed at this level. The trailer usually
contains bits needed for error detection.
Taken from Forouzan TCP/IP Protocol Suite
5
Physical Addresses
  • Also called MAC addresses

Most local area networks use a 48-bit (6-byte) physical address written as 12 hexadecimal digits, with every byte separated by a colon, as shown below:

7B:05:4C:A9:62:83
6
IP Addresses
As the message moves through the Internet, notice
how the IP addresses stay the same, but the
physical addresses change. Why are physical
addresses not sufficient?
Taken from Forouzan TCP/IP Protocol Suite
7
IP Addresses
  • Also called network address, logical address

An Internet address (network address, logical address) is 32 bits in length, normally written as four decimal numbers, with each number representing 1 byte. The numbers are separated by a dot, so the notation is often called dotted decimal notation:

179.84.31.8
8
Port Addresses
A port address uniquely identifies a network application such as HTTP, email, FTP, etc. It is a 16-bit number, written in decimal, such as 176.
Taken from Forouzan TCP/IP Protocol Suite
9
Collecting Network-Based Evidence
  • Types of NBE
    • Full content data
      • Every packet is captured
      • Excellent for analysis, but requires much work
    • Session data
      • Summaries of data transfer, including time and duration of transfer, and parties involved
    • Alert data
      • Responding to occurrence of a keyword (shipment)
    • Statistical data
      • Examining which services or protocols are being used more and for longer periods of time

10
Evidence Collection
  • NBE collected
    • Before a compromise: proactive network security monitoring (NSM)
    • During a compromise: reactive NSM

11
Standard Intrusion Attack
  • Intrusion Phases
    • Reconnaissance: intruder (1st IP address) checks connectivity and vulnerabilities of Web server (victim)
    • Exploitation: launch attack from 2nd IP address against Web server
    • Reinforcement: store tools at 3rd IP address, connect to Web server (backdoor)
    • Consolidation: intruder communicates with backdoor using 4th IP address
    • Pillage: sensitive information is stolen, or base built for further attacks

Taken from Jones et al., Real Digital Forensics
12
Attack Phases

[Diagram: the five intrusion phases of slide 11 drawn against the Victim. Labels: IP Address 1, IP Address 2, IP Address 3, IP Address 4, IP Address 5?, Victim; Phase 1 Reconnaissance, Phase 2 Exploitation, Phase 3 Reinforcement, Phase 4 Consolidation, Phase 5 Pillage]
13
Gaining access to network traffic
  • Hubs
    • A hub forwards a packet to all ports other than the one that received it; thus, all traffic passing by can be seen and collected
  • Taps
    • Test Access Ports are placed between a firewall and router, or between switches; cost is 4 or 5 times that of hubs
    • Inline device: a homemade tap, i.e. a computer that supports bridging
  • Switched Port Analyzer (SPAN port): copy to a mirror port on the switch

14
Tools
  • Full content: Tcpdump, Ethereal, Flowgrep, hexdump
  • Session: Argus (can also run in live mode), Tcptrace
  • Alert: Snort, Bro
  • Statistical: Tcpdstat, Tcpstat

15
Windows Intrusion
  • Situation
    • BankTwo collected network-based evidence while troubleshooting a network problem. The bank did not have a full suite of security monitoring tools, but it was collecting full content data to learn about the network's performance.
    • Tcpdump was running on a Linux monitoring platform sitting on a hub with visibility to the victim system 103.98.91.41.

16
Using Tcpdump
  • The command used
    • tcpdump -n -i eth0 -s 1515 -w capture_file.lpc
  • -n disables translation of IP addresses to host names and port numbers to service names
  • -i eth0 specifies running against the promiscuous interface (receives all packets on the network segment)
  • -s 1515 sets the snapshot length, the number of bytes kept from each packet, so that whole Ethernet frames are stored rather than only their first bytes
  • -w capture_file.lpc writes the output to a file on the monitoring station's hard drive
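As an added example (not from the slides and not tcpdump's own code), the Python below builds a constructed Ethernet/IPv4/TCP frame, writes it to a pcap file the way `tcpdump -w` does for a given snapshot length, reads it back and decodes the three address levels of slides 4 to 8 (physical MAC, logical IPv4, port). It shows why `-s 1515` matters for full content data: with a header-only snaplen such as 68 bytes a full-size 1514-byte frame is truncated (caplen < origlen) and its payload is lost, while 1515 keeps it whole. The source MAC 7B:05:4C:A9:62:83 and source IP 179.84.31.8 are the slides' illustrations and 103.98.91.41 is the victim from slide 15; the destination MAC, the client port, the payloads and the timestamp are assumptions made for the example.

```python
import socket
import struct

# Constructed sample values. Source MAC and IP are the slides' illustrations,
# the destination IP is the victim Web server; the rest is made up here.
SRC_MAC = bytes.fromhex("7B054CA96283")          # 7B:05:4C:A9:62:83 (slide 5)
DST_MAC = bytes.fromhex("0050568A0001")          # constructed
SRC_IP, DST_IP = "179.84.31.8", "103.98.91.41"   # slide 7 address, slide 15 victim
SRC_PORT, DST_PORT = 51767, 80                   # constructed client port, HTTP

PCAP_MAGIC = 0xA1B2C3D4        # libpcap file magic, microsecond timestamps
LINKTYPE_ETHERNET = 1

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(payload: bytes) -> bytes:
    """Ethernet II + IPv4 + TCP (no options) carrying `payload`."""
    tcp = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, 0xA50D689C, 0,
                      5 << 4, 0x18, 0x8218, 0, 0) + payload   # PSH|ACK, checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 13538, 0x4000,
                     63, 6, 0, socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ip + tcp

def write_pcap(frames, snaplen: int, ts_sec: int = 1239192209) -> bytes:
    """Serialise frames as tcpdump -w does: each record keeps at most
    `snaplen` bytes (incl_len) but remembers the wire length (orig_len)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, i, len(captured), len(frame)) + captured
    return bytes(out)

def read_pcap(data: bytes):
    """Return (snaplen, records) for a little-endian Ethernet pcap file."""
    magic, _maj, _min, _tz, _sig, snaplen, link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    off, records = 24, []
    while off < len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append({"ts": (ts_sec, ts_usec), "caplen": caplen,
                        "origlen": origlen, "frame": data[off:off + caplen]})
        off += caplen
    return snaplen, records

def decode_addresses(frame: bytes) -> dict:
    """Extract the three address levels of slides 4-8 from one frame:
    physical (MAC), logical (IPv4) and port (TCP)."""
    mac = lambda b: ":".join("%02X" % x for x in b)
    info = {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12])}
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:   # not IPv4
        return info
    ihl = (frame[14] & 0x0F) * 4                            # IP header length
    info.update(src_ip=socket.inet_ntoa(frame[26:30]),
                dst_ip=socket.inet_ntoa(frame[30:34]), proto=frame[23])
    if info["proto"] == 6 and len(frame) >= 14 + ihl + 4:   # TCP, ports present
        info["src_port"], info["dst_port"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return info

def capture_report(snaplen: int):
    """Write two constructed frames at the given snaplen, read them back and
    report (caplen, origlen, truncated?, addresses) for each."""
    frames = [build_frame(b"GET / HTTP/1.0\r\n\r\n"),   # 72-byte frame
              build_frame(b"A" * 1460)]                  # 1514-byte full-size frame
    _, records = read_pcap(write_pcap(frames, snaplen))
    return [(r["caplen"], r["origlen"], r["caplen"] < r["origlen"],
             decode_addresses(r["frame"])) for r in records]

if __name__ == "__main__":
    for snaplen in (1515, 68):     # 1515 as on slide 16; 68 keeps only headers
        print("snaplen", snaplen)
        for caplen, origlen, truncated, addrs in capture_report(snaplen):
            print(" ", caplen, "of", origlen, "bytes,",
                  "TRUNCATED" if truncated else "full", addrs)
```

The headers are still decodable from a 68-byte record, which is why header-only captures are enough for session and statistical data, but not for the full content data slide 9 describes.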

17
Statistical Data using Tcpdstat
  • The command
    • tcpdstat s2a.lpc > s2a.tcpdstat.txt
  • Generates number of packets, average rate, number of source and destination pairs, and protocols used
  • DumpFile: s2a.lpc
  • FileSize: 8.21MB
  • Id: 200309231852
  • StartTime: Tue Apr 08 12:03:29 2009
  • EndTime: Tue Apr 08 12:03:29 2009
  • TotalTime:
  • # of packets: 26084 (7.81MB)
  • AvgRate: 1.10Mbps stddev 0.56M
  • IP address information
  • # of IPv4 addresses: 4

18
Statistical Data using Tcpdstat
  • Protocol Breakdown

        protocol      packets              bytes             bytes/pkt
    -----------------------------------------------------------------
    [0] total         26084 (100.00%)   8187014 (100.00%)    313.87
    [1] ip            26084 (100.00%)   8187014 (100.00%)    313.87
    [2]  tcp          26077 ( 99.97%)   8186206 ( 99.9%)     313.92
    [3]   http(s)     11344 ( 43.49%)   6914617 ( 84.46%)    609.54
    [3]   http(c)     11491 ( 44.05%)   1076775 ( 13.15%)     93.71
    [3]   squid           4 (  0.02%)       240 (  0.00%)     60.00
    [3]   smtp            3 (  0.01%)       180 (  0.00%)     60.00
    [3]   ftp             2 (  0.01%)       120 (  0.00%)     60.00
    [3]   telnet          2 (  0.01%)       120 (  0.00%)     60.09
     ...
    [3]   other        3213 ( 12.32%)    193074 (  2.36%)     60.00
    [3]   udp             4 (  0.02%)       618 (  0.01%)    154.50
     ...

  • Notice web servers sending 43.49% of packets, web clients sending 44.05%, and other sending 12.32%.
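A breakdown like the one above is simple to recompute from packet or session records you already hold, which is useful when tcpdstat is not available or when you want to question a number in its output. The Python below is an added example (not tcpdstat's code): it classifies constructed packet records the way the table does, http(s) for packets whose source port is 80 (server sending) and http(c) for packets whose destination port is 80 (client sending), and rolls them up into total / ip / tcp / service rows with packet and byte percentages and bytes per packet. The traffic mix is constructed here, and the port-to-label map is an assumption that covers only the services the slide lists.

```python
from collections import Counter

# TCP ports labelled in the slide's breakdown (assumed mapping for this example).
# HTTP is reported twice: http(s) for packets the server side sends (source
# port 80) and http(c) for packets clients send (destination port 80).
TCP_SERVICES = {80: "http", 3128: "squid", 25: "smtp", 21: "ftp", 23: "telnet"}

def classify(proto: str, sport: int, dport: int):
    """Rows a packet contributes to, from [0] total down to its [3] service."""
    rows = ["total", "ip", proto]
    if proto != "tcp":
        return rows
    if sport in TCP_SERVICES:
        name = TCP_SERVICES[sport]
        rows.append("http(s)" if name == "http" else name)
    elif dport in TCP_SERVICES:
        name = TCP_SERVICES[dport]
        rows.append("http(c)" if name == "http" else name)
    else:
        rows.append("other")
    return rows

def breakdown(packets):
    """Aggregate (proto, sport, dport, size) records into a tcpdstat-like
    table: packets, % of packets, bytes, % of bytes and bytes per packet."""
    pkts, byts = Counter(), Counter()
    for proto, sport, dport, size in packets:
        for row in classify(proto, sport, dport):
            pkts[row] += 1
            byts[row] += size
    total_p, total_b = pkts["total"], byts["total"]
    return {row: {"packets": pkts[row],
                  "pkt_pct": round(100.0 * pkts[row] / total_p, 2),
                  "bytes": byts[row],
                  "byte_pct": round(100.0 * byts[row] / total_b, 2),
                  "bytes_per_pkt": round(byts[row] / pkts[row], 2)}
            for row in pkts}

def sample_packets():
    """Constructed traffic mix: 100 HTTP request/response pairs, one SMTP
    exchange, 20 one-packet probes to unusual ports and a little DNS."""
    packets = []
    for i in range(100):
        packets.append(("tcp", 51000 + i, 80, 94))     # client request
        packets.append(("tcp", 80, 51000 + i, 610))    # server response segment
    packets += [("tcp", 40000, 25, 60), ("tcp", 25, 40000, 60)]
    packets += [("tcp", 47990, 1359 + i, 54) for i in range(20)]
    packets += [("udp", 5353 + i, 53, 200) for i in range(3)]
    return packets

def format_table(table) -> str:
    """Render the table in the slide's column order."""
    lines = ["%-10s %8s %9s %10s %9s %9s"
             % ("protocol", "packets", "(%)", "bytes", "(%)", "bytes/pkt")]
    for row, r in table.items():
        lines.append("%-10s %8d (%6.2f) %10d (%6.2f) %9.2f" % (
            row, r["packets"], r["pkt_pct"], r["bytes"], r["byte_pct"], r["bytes_per_pkt"]))
    return "\n".join(lines)

def server_client_ratio(table) -> float:
    """Bytes sent by Web servers per byte sent by Web clients. Ordinary
    browsing gives a ratio well above 1, as on slide 18 (84.46% vs 13.15%)."""
    return round(table["http(s)"]["bytes"] / table["http(c)"]["bytes"], 2)

if __name__ == "__main__":
    t = breakdown(sample_packets())
    print(format_table(t))
    print("server/client byte ratio:", server_client_ratio(t))
```

The server/client byte ratio is the check worth keeping: packets are roughly balanced between the two sides of HTTP, as on the slide, but bytes are not, and a capture where clients send most of the HTTP bytes deserves a closer look at what they are uploading.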

19
Alert data using Snort
  • [**] [1:1668:5] WEB-CGI /cgi/bin/ access [**]
  • [Classification: Web Application Attack] [Priority: 1]
  • 04/08-12:03:29.322441 95.16.3.79:51767 -> 103.98.91.41:80
  • TCP TTL:63 TOS:0x0 ID:13538 IpLen:20 DgmLen:181 DF
  • ***AP*** Seq: 0xA50D689C  Ack: 0x1EDB04F1  Win: 0x8218  TcpLen: 32
  • TCP Options (3) => NOP NOP TS: 1462497415 0
  • [**] [1:1201:6] ATTACK RESPONSES 403 FORBIDDEN [**]
  • [Classification: Attempted Information Leak] [Priority: 2]
  • 04/08-12:03:29.421027 103.98.91.41:80 -> 95.16.3.79:51773
  • TCP TTL:128 TOS:0x0 ID:516 IpLen:20 DgmLen:386 DF
  • ***AP*** Seq: 0x1EDFB033  Ack: 0x7E945F39  Win: 0x43EF  TcpLen: 32
  • TCP Options (3) => NOP NOP TS: 120360 1462497415
  • Source IP is 95.16.3.79 and destination is 103.98.91.41, the victim Web server. This looks like pre-attack reconnaissance against the Web server.
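Reading the two alerts together, as the slide does, is what turns them into a finding: a probe from 95.16.3.79 and, a tenth of a second later, the server's 403 answer to the same host. The Python below is an added example (not Snort's code and not from the presentation): a parser for alerts in Snort's full alert layout, fed with the two alerts above plus one constructed ICMP alert (a local SID in the 1000000+ range, no port numbers) to cover that edge case, and a grouping step that puts request alerts and the server's response alerts into one conversation per client/server pair with the highest priority seen. Taking the endpoint with the lower port as the server is a heuristic assumed here, not Snort's own logic.

```python
import re
from collections import defaultdict

# Constructed sample in Snort's "full" alert layout. The two TCP alerts carry
# the values shown on slide 19; the ICMP alert is made up here (local SID) to
# show an alert line that has no port numbers.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] LOCAL ICMP PING (constructed) [**]
[Classification: Misc activity] [Priority: 3]
04/08-12:03:28.901000 95.16.3.79 -> 103.98.91.41
ICMP TTL:63 TOS:0x0 ID:13500 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:1668:5] WEB-CGI /cgi/bin/ access [**]
[Classification: Web Application Attack] [Priority: 1]
04/08-12:03:29.322441 95.16.3.79:51767 -> 103.98.91.41:80
TCP TTL:63 TOS:0x0 ID:13538 IpLen:20 DgmLen:181 DF
***AP*** Seq: 0xA50D689C  Ack: 0x1EDB04F1  Win: 0x8218  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1462497415 0

[**] [1:1201:6] ATTACK RESPONSES 403 FORBIDDEN [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/08-12:03:29.421027 103.98.91.41:80 -> 95.16.3.79:51773
TCP TTL:128 TOS:0x0 ID:516 IpLen:20 DgmLen:386 DF
***AP*** Seq: 0x1EDFB033  Ack: 0x7E945F39  Win: 0x43EF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 120360 1462497415
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
ADDR = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
PROTO = re.compile(r"^(\w+) TTL:(\d+)")

def parse_alerts(text: str):
    """Parse full-format Snort alerts into dicts. Blocks that do not start
    with the [**] header or lack the address line are skipped, not fatal."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0]) if lines else None
        if not head:
            continue
        cls = CLASS.match(lines[1]) if len(lines) > 1 else None
        addr = ADDR.match(lines[2]) if len(lines) > 2 else None
        proto = PROTO.match(lines[3]) if len(lines) > 3 else None
        if not (cls and addr):
            continue
        alerts.append({
            "gid": int(head.group(1)), "sid": int(head.group(2)), "rev": int(head.group(3)),
            "msg": head.group(4), "classification": cls.group(1), "priority": int(cls.group(2)),
            "date": addr.group(1), "time": addr.group(2),
            "src": addr.group(3), "sport": int(addr.group(4)) if addr.group(4) else None,
            "dst": addr.group(5), "dport": int(addr.group(6)) if addr.group(6) else None,
            "proto": proto.group(1) if proto else None,
            "ttl": int(proto.group(2)) if proto else None,
        })
    return alerts

def conversations(alerts):
    """Group alerts by (client, server) host pair so a request alert and the
    server's response alert land together. Heuristic assumed here: the server
    is the endpoint with the lower (well-known) port; alerts without ports
    are taken as client -> server."""
    convs = defaultdict(lambda: {"to_server": [], "from_server": [], "highest_priority": None})
    for a in alerts:
        if a["sport"] is None or a["dport"] is None or a["dport"] <= a["sport"]:
            key, direction = (a["src"], a["dst"]), "to_server"
        else:
            key, direction = (a["dst"], a["src"]), "from_server"
        conv = convs[key]
        conv[direction].append(a["msg"])
        if conv["highest_priority"] is None or a["priority"] < conv["highest_priority"]:
            conv["highest_priority"] = a["priority"]   # Snort: 1 is the most severe
    return dict(convs)

if __name__ == "__main__":
    for (client, server), conv in conversations(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{client} -> {server}: highest priority {conv['highest_priority']}")
        print("  to server  :", conv["to_server"])
        print("  from server:", conv["from_server"])
```

Grouped this way, the ICMP probe, the CGI directory access and the server's 403 all fall under one client/server pair, which is the picture the slide summarises as pre-attack reconnaissance against the Web server.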

20
Session data using Argus
  • Transform the data into session data
    • argus -d -r s2a.lpc -w s2a.argus
    • -d: run in background
    • -r: read from filename
    • -w: write Argus results to file
  • Next, run the Argus ra client to view it in text-based form
    • ra -a -c -n -r s2a.argus | grep -v drops > s2a.argus.all.txt
    • -a: give summary statistics
    • -c: count bytes in packets
    • -n: no name resolution, print numeric addresses and ports
    • grep -v: remove status reports

    Date       Time      Proto  SourceIP.Port        DestIP.Port        SrcPkts  DstPkts  SrcBytes  DestBytes  Session Close
    08 Apr 09  12:03:29  tcp    95.16.3.23.1044   -> 103.98.91.41.80      6        7       906       4909       EST
    08 Apr 09  12:04:41  tcp    95.16.3.70.53236  -> 103.98.91.41.80      6        6       545       3791       FIN

  • ...scanning for web vulnerabilities

21
Session data using Argus
  • ...later

    Date       Time      Proto  SourceIP.Port        DestIP.Port        SrcPkts  DstPkts  SrcBytes  DestBytes  Session Close
    08 Apr 09  12:04:41  tcp    95.16.3.23.47990  -> 103.98.91.41.1359    1        1       54        54         RST
    08 Apr 09  12:04:41  tcp    95.16.3.70.47990  -> 103.98.91.41.305     1        1       54        54         RST
    08 Apr 09  12:04:41  tcp    95.16.3.23.47990  -> 103.98.91.41.698     1        1       54        54         RST
    08 Apr 09  12:04:41  tcp    95.16.3.70.47990  -> 103.98.91.41.155     1        1       54        54         RST

  • ... Notice that only the port number differs in each transmission. This pattern indicates port scanning, searching for open ports. If one is found open, the sender could try to make a connection...
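The reading of slides 20 and 21 can be made into a repeatable check over ra output instead of an eyeball pass. The Python below is an added example (not part of Argus and not from the presentation): it parses records in the slides' column layout, skipping the header and any lines of another shape (the status reports the slide removes with `grep -v drops`), then flags every source/destination pair whose single-packet-each-way RST sessions touched several distinct destination ports within a short window, and notes whether those probes all shared one fixed source port, as 47990 does above. A normal client on 10.1.1.5 that opens repeated sessions to port 80 is included so that the rule does not flag it. The first six records are the slides' own; the extra probes, the 10.1.1.5 host, and the thresholds (3 ports within 60 seconds) are constructed here.

```python
from collections import defaultdict
from datetime import datetime

# Constructed ra(1)-style session records in the column layout of slides 20
# and 21. The first six data lines are the slides' records; the rest are
# made up here (more probes, and a normal client on 10.1.1.5).
SAMPLE_RA = """\
Date Time Proto SourceIP.Port DestIP.Port SrcPkts DstPkts SrcBytes DestBytes State
08 Apr 09 12:03:29 tcp 95.16.3.23.1044 -> 103.98.91.41.80 6 7 906 4909 EST
08 Apr 09 12:04:41 tcp 95.16.3.70.53236 -> 103.98.91.41.80 6 6 545 3791 FIN
08 Apr 09 12:04:41 tcp 95.16.3.23.47990 -> 103.98.91.41.1359 1 1 54 54 RST
08 Apr 09 12:04:41 tcp 95.16.3.70.47990 -> 103.98.91.41.305 1 1 54 54 RST
08 Apr 09 12:04:41 tcp 95.16.3.23.47990 -> 103.98.91.41.698 1 1 54 54 RST
08 Apr 09 12:04:41 tcp 95.16.3.70.47990 -> 103.98.91.41.155 1 1 54 54 RST
08 Apr 09 12:04:42 tcp 95.16.3.23.47990 -> 103.98.91.41.21 1 1 54 54 RST
08 Apr 09 12:04:42 tcp 95.16.3.23.47990 -> 103.98.91.41.22 1 1 54 54 RST
08 Apr 09 12:04:42 tcp 95.16.3.23.47990 -> 103.98.91.41.25 1 1 54 54 RST
08 Apr 09 12:04:42 tcp 95.16.3.70.47990 -> 103.98.91.41.23 1 1 54 54 RST
08 Apr 09 12:05:10 tcp 10.1.1.5.40001 -> 103.98.91.41.80 8 9 1200 6000 FIN
08 Apr 09 12:05:12 tcp 10.1.1.5.40002 -> 103.98.91.41.80 8 9 1300 6100 FIN
08 Apr 09 12:05:15 tcp 10.1.1.5.40003 -> 103.98.91.41.80 8 9 1100 5900 FIN
"""

def parse_ra(text: str):
    """Parse ra output lines in the slides' layout into session dicts.
    Lines of another shape (the header, blanks, status records) are skipped."""
    sessions = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 13 or t[6] != "->":
            continue
        when = datetime.strptime(" ".join(t[0:4]), "%d %b %y %H:%M:%S")
        src_ip, src_port = t[5].rsplit(".", 1)     # last dotted field is the port
        dst_ip, dst_port = t[7].rsplit(".", 1)
        sessions.append({"time": when, "proto": t[4],
                         "src": src_ip, "sport": int(src_port),
                         "dst": dst_ip, "dport": int(dst_port),
                         "spkts": int(t[8]), "dpkts": int(t[9]),
                         "sbytes": int(t[10]), "dbytes": int(t[11]), "state": t[12]})
    return sessions

def find_port_scans(sessions, min_ports: int = 3, window_seconds: int = 60):
    """Flag source/destination pairs whose one-packet-each-way RST sessions
    touched at least `min_ports` distinct destination ports within
    `window_seconds`. Repeated sessions to a single port are never flagged."""
    by_pair = defaultdict(list)
    for s in sessions:
        by_pair[(s["src"], s["dst"])].append(s)
    findings = []
    for (src, dst), flows in by_pair.items():
        probes = sorted((f for f in flows
                         if f["spkts"] <= 2 and f["dpkts"] <= 2 and f["state"] == "RST"),
                        key=lambda f: f["time"])
        for i, first in enumerate(probes):          # sliding window over probe times
            window = [f for f in probes[i:]
                      if (f["time"] - first["time"]).total_seconds() <= window_seconds]
            ports = sorted({f["dport"] for f in window})
            if len(ports) >= min_ports:
                findings.append({"src": src, "dst": dst, "ports": ports,
                                 "fixed_source_port": len({f["sport"] for f in window}) == 1,
                                 "first": first["time"], "last": window[-1]["time"]})
                break
    return findings

if __name__ == "__main__":
    for f in find_port_scans(parse_ra(SAMPLE_RA)):
        print(f"{f['src']} -> {f['dst']}: {len(f['ports'])} ports {f['ports']} "
              f"between {f['first'].time()} and {f['last'].time()}"
              f"{' (fixed source port)' if f['fixed_source_port'] else ''}")
```

Both scanning hosts from the slides are reported, each with its list of probed ports and the fixed source port, while the 10.1.1.5 client, which reuses port 80 with full FIN-closed sessions, is not. Tune `min_ports` and `window_seconds` to the network: a slow scan spread over hours needs a wider window than this constructed sample.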