Principles of Network Forensics · 2011-04-30 · analyzing network audit trails in order to...
Principles of Network Forensics
Richard Baskerville
Georgia State University
Agenda
- Internet Concepts Review
- Network-based Live Acquisitions
- Network Forensics Principles
Internet Concepts Review (IPv4)
Packet Switched Networks
[Figure: a packet drawn as Header, Data and Error Check fields; customers (including one large customer) attached to a packet network of numbered nodes 1-7, with the nodes labelled by the destination ranges A-C, D-H, I-M, N-P, Q-Y and Z that they carry packets toward]
X.25 Packet
Frame layout: Flag (01111110) | Address | Control | Message | Frame Check Sequence | Flag (01111110)
Open Systems Interconnection (OSI) Model
Seven layers, shown as matching stacks on the Client and on the Server:
- Physical Layer
- Data Link Layer
- Network Layer
- Transport Layer
- Session Layer
- Presentation Layer
- Application Layer
Internet Model
- Application Layer
- Host-to-Host Transport Layer
- Internet Layer
- Network Access Layer
Internet Layers
Each layer adds its own protocol information ("Pr") in front of what it receives from the layer above (TL = transport layer, IL = internet layer, NA = network access layer):
- Application Layer (e.g., FTP): Data
- Transport Layer (e.g., TCP): Data + TL Pr
- Internet Layer (e.g., IP): Data + TL/IL Pr
- Network Access Layer (e.g., X.25): Data + TL/IL/NA Pr
![Page 9: Principles of Network Forensics · 2011-04-30 · analyzing network autdit trails in order to discover the source of security breaches or other information assurance problems. Network](https://reader033.fdocuments.us/reader033/viewer/2022041919/5e6b2f00f2a7f06e0a398a14/html5/thumbnails/9.jpg)
< CCITT X.25< IEEE 802.3< Ethernet< Novell Netware< CSMA/CD< Token Ring (IEEE 802.5)
Network Access Layer
Internet Layer
- Internet Protocol (IP)
- Datagram
  - Header (5-6 words)
  - Data
- Types of network nodes
  - Gateways
  - Hosts
- Internet Control Message Protocol (ICMP)
Transport Layer
- Transmission Control Protocol (TCP)
  - 6-word header
  - "reliable"
  - connection oriented
- User Datagram Protocol (UDP)
Application Layer
- FTP
- Telnet
- SMTP
- DNS
- NFS
- RIP
- Gopher
- WAIS
- WWW
Internet Addressing (IPv4)
- IP Addresses
  - 4-byte numbers, e.g., 121.11.21.18
  - Network addresses, e.g., 121.11.21.0
  - Multihomed hosts and gateways have two addresses
- Domain Name Service
  - Host table
  - NIC Host table
Nesting Packets
[Figure: the Application Layer's Data is wrapped by a Transport Layer header, that unit becomes the Data of the Internet Layer which adds its header, and the Network Access Layer adds its header in turn, so each layer's packet is nested inside the next lower layer's Data field]
Domain Hierarchy
[Figure: the domain name hierarchy; no further text on the slide]
Domain Name Server Response
Resolving www.ibm.com takes three queries, each answered by a server one level closer to the name:
1. First: nic.cbs.dk is asked "www.ibm.com?" and answers: com NS nic.com
2. Second: nic.com is asked "www.ibm.com?" and answers: ibm.com NS vm1.ibm.com
3. Third: vm1.ibm.com is asked "www.ibm.com?" and answers: www.ibm.com A 111.222.101.111
Routing
- Transport layer routing tables
  - lists destination nets with gateways
  - "default" gateway where unlisted IP packets are sent
- Address resolution
  - Network access layer
Ports and Sockets
Example: Telnet Client (131.71.8.1) connected to Telnet Server (211.14.21.2)
- Client-side socket: 131.71.8.1.3121, 211.14.21.2.23
- Server-side socket: 211.14.21.2.23, 131.71.8.1.3121
Classless Inter-Domain Routing (CIDR)
- Slowed exhaustion of IPv4 address space
- Routing tables simplified
  - Base address
  - Size of subnet
- Enabled more fluid subnet proliferation
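The routing-table lookup described on the Routing and CIDR slides (destination networks as base address plus subnet size, with a "default" gateway catching unlisted addresses), as an added example that is not part of the original slides; the routing table entries and next-hop addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (destination network in CIDR form, next hop).
# Each entry is exactly what the CIDR slide names: a base address and a
# size of subnet (the prefix length). 0.0.0.0/0 is the "default" gateway
# where packets for unlisted networks are sent.
ROUTING_TABLE = [
    ("121.11.21.0/24", "direct"),        # locally attached network
    ("121.11.0.0/16", "121.11.1.1"),     # less specific aggregate of the same space
    ("211.14.0.0/16", "121.11.21.254"),
    ("0.0.0.0/0", "121.11.21.1"),        # default gateway
]

def build_table(entries):
    """Parse (cidr, next_hop) pairs and order them most-specific first."""
    parsed = [(ipaddress.ip_network(cidr), hop) for cidr, hop in entries]
    # Longest prefix (smallest subnet) must win, so sort by prefixlen descending.
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)

def lookup(table, dst):
    """Return (matched network, next hop) for destination address dst."""
    addr = ipaddress.ip_address(dst)
    for net, hop in table:
        if addr in net:          # first hit is the longest matching prefix
            return str(net), hop
    return None                  # only reachable if there is no default route

if __name__ == "__main__":
    table = build_table(ROUTING_TABLE)
    for ip in ("121.11.21.18", "121.11.5.7", "211.14.21.2", "8.8.8.8"):
        print(ip, "->", lookup(table, ip))
```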
IPv6
- 32-byte address numbers
  - Addresses IPv4 address exhaustion
- Autoconfiguration
  - Router solicitation & advertisement
- Many other features, e.g.,
  - Multicast capability no longer optional
  - Network layer security (encryption) no longer optional
Network-based Live Acquisitions
Motivation: Live Acquisitions
- Cases where circumstances prevent removing the media from the computer.
- Specialty hardware (e.g., some laptops)
- Unusual hard drive geometries
  - Host Protected Areas (HPA)
  - Device Configuration Overlays (DCO)
- Disclosure of ongoing investigation
  - "Black bag" jobs
Safely Booting Target Machine
- Helix
  - Linux boot of Windows machine
  - C:\ drive write protected
  - Encase, FTK, dd imaging
- Forensic Boot Disk
  - Diskette or CD
  - DOS
  - Windows 98
  - EnCase Boot Disk
  - Homemade
Connecting Acquisition Devices
- USB adapter
- Disk-to-disk
  - No boot required
  - Open the box, connect directly to drive
- Cross-over cable
  - Use network acquisition technology
Live Network Acquisitions (I)
- Servlet installed on target machine
  - Requires administrator access
  - Can be installed remotely
- Servlet feeds image to acquiring machine
- May require authentication
  - (E.g., EnCase)
Live Network Acquisition (II)
[Figure: the Forensics Examiner, an Authentication Server and the Acquisition Target (running the Servlet) connected through the Network]
Network Forensics Principles
Network Forensics
The action of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems.
Kim, et al. (2004) "A fuzzy expert system for network forensics", ICCSA 2004, Berlin: Springer-Verlag, p. 176
Network Attacks
- Protocol (e.g., SQL-Injection)
- Malware (e.g., Virus, Trojan, Worm)
- Fraud (e.g., Phishing, Pharming, etc.)
Attack Residue
- Successful: obfuscation of residue
- Unsuccessful: residue is intact
Network Traffic Capture: Logging Issues Driving Automated Support
- Managing data volume
- Managing logging performance
- Ensuring logs are useful to reconstruct the attack
- Correlation of data in logs
  - Importance of timestamping
Honeytraps
Systems designed to be compromised and collect attack data.
From Yasinac, A. and Manzano, Y. (2002) "Honeytraps, A Network Forensic Tool", Florida State University.
Network Traffic Analysis: Usually Requires Software Tools
- Sessionizing
- Protocol parsing and analysis
- Decryption
- Security of analysis and data
  - Avoiding detection and analysis-data compromise
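Sessionizing, the first analysis step listed above, means grouping captured packets into the socket pairs introduced on the Ports and Sockets slide and keeping the timestamps the logging slide calls out for correlation. The block below is an added example, not code from the original slides; the packet records are constructed around the slide's Telnet pair 131.71.8.1.3121 and 211.14.21.2.23, and both directions of a connection are folded into one session.

```python
# Constructed packet records (timestamp, src_ip, src_port, dst_ip, dst_port, proto),
# modelled on the slide's Telnet socket pair 131.71.8.1.3121 <-> 211.14.21.2.23.
PACKETS = [
    (1000.00, "131.71.8.1", 3121, "211.14.21.2", 23, "tcp"),
    (1000.05, "211.14.21.2", 23, "131.71.8.1", 3121, "tcp"),
    (1000.10, "131.71.8.1", 3121, "211.14.21.2", 23, "tcp"),
    (1001.00, "131.71.8.1", 3122, "211.14.21.2", 80, "tcp"),
    (1002.50, "211.14.21.2", 23, "131.71.8.1", 3121, "tcp"),
    (1003.00, "131.71.8.1", 5353, "211.14.21.2", 53, "udp"),
]

def socket_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Canonical key for a socket pair: both directions map to the same key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)

def sessionize(packets):
    """Group packets into bidirectional sessions keyed by socket pair.

    Packets are processed in timestamp order, so the first packet seen
    identifies the initiator; packets are counted per direction.
    """
    sessions = {}
    for ts, sip, sport, dip, dport, proto in sorted(packets):
        key = socket_key(sip, sport, dip, dport, proto)
        s = sessions.setdefault(key, {"first": ts, "last": ts, "packets": 0,
                                      "initiator": (sip, sport), "fwd": 0, "rev": 0})
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["packets"] += 1
        s["fwd" if (sip, sport) == s["initiator"] else "rev"] += 1
    return sessions

def describe(sessions):
    """Render sessions in the slide's 'Socket:ip.port,ip.port' style, oldest first."""
    lines = []
    for (proto, ip1, p1, ip2, p2), s in sorted(sessions.items(), key=lambda kv: kv[1]["first"]):
        init = s["initiator"]
        peer = (ip2, p2) if (ip1, p1) == init else (ip1, p1)
        lines.append(f"{proto} Socket:{init[0]}.{init[1]},{peer[0]}.{peer[1]} "
                     f"first={s['first']} last={s['last']} pkts={s['packets']} "
                     f"fwd={s['fwd']} rev={s['rev']}")
    return lines

if __name__ == "__main__":
    for line in describe(sessionize(PACKETS)):
        print(line)
```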
Traceback Evidence Processing
- Minimizing distance to source
- Traversing firewalls, proxies and address translation
- Multiple corroborating collectors
- Time and location stamping