
Forensics
Book 4: Investigating Network Intrusions and Cybercrime
Chapter 2: Investigating Network Traffic

Objectives
- Understand network protocols
- Understand the physical and data link layers of the OSI model
- Understand the network and transport layers of the OSI model
- Describe types of network attacks
- Understand the reasons for investigating network traffic
Copyright © by EC-Council Press
All rights reserved. Reproduction is strictly prohibited
Objectives (continued)

- Perform evidence gathering via sniffing
- Describe the tools used in investigating network traffic
- Document the evidence gathered on a network
- Reconstruct evidence for an investigation
Case Example
- Jessica, a university student, was known to be an introvert among her peers
  - She used to live with her father
- One day, Jessica left a note for her father mentioning that she was going to meet her old school friend and would be back by the end of the week
  - Two weeks later, Jessica’s dead body was found near a dumping ground near her university campus
- Jessica’s system logs showed that Jessica frequented Web sites related to bondage and sex
  - Further investigations revealed her e-mail address
Case Example (continued)
- The investigators traced the e-mail service provider of the unknown person
  - The trace revealed that the e-mail address belonged to a man named Nichol
- The investigators analyzed Nichol’s computer after the state judiciary granted them permission to do so
  - They found pornography and materials related to bondage and murder on Nichol’s computer
- Nichol was questioned and after long hours of investigation, he broke down and admitted to the crime
Network Addressing Schemes
- Two methods of network addressing:
  - LAN addressing
  - Internetwork addressing
LAN Addressing
- Local area network (LAN)
  - Set of host machines in a relatively contiguous area, allowing for high data transfer rates among hosts on the same IP network
- Each node in the LAN has a unique MAC (media access control) address assigned to the NIC
- MAC address
  - Unique 48-bit serial number assigned to each NIC, providing a physical address to the host machine
- Network interface card (NIC)
  - Piece of hardware used to provide an interface between a host machine and a computer network
LAN Addressing (continued)
- Types of MAC addresses:
  - Static
  - Configurable
  - Dynamic
- Packets are either addressed to one node or, in the case of broadcasting, to all the nodes in the LAN
- Broadcasting is often used to discover the services or devices on the network
Internetwork Addressing
- Used in a network where a number of LANs or other networks are connected with the help of routers
  - Each network in this Internetwork has a unique network ID (network address), and each host on it has a host address or node ID
  - Routers use these addresses when data packets are transmitted from a source to its target
- Internetwork address is a combination of both a network address and host address
OSI Reference Model
- OSI model consists of seven layers
  - Each layer contains a set of similar functions and provides services to the layer above it
- The OSI reference model is based on the following principles:
  - Every layer has a fully defined function
  - The boundaries of the layers have been designed to reduce the flow of information across the interfaces
  - When an additional level of abstraction is required, then a layer is created
  - Each layer contains the functions of the international standardized protocol
OSI Reference Model (continued)
Figure 2-1 The OSI protocol stack consists of seven layers.
Overview of Network Protocols
- In the seven layers of the OSI model, protocols exist in only six layers
  - The physical layer contains no network protocols
Data Link Layer
- Main protocols include:
  - Point-to-Point Protocol (PPP)
  - Serial Line Internet Protocol (SLIP)
  - Address Resolution Protocol (ARP)
Network Layer
- Main protocols include:
  - RARP (Reverse Address Resolution Protocol)
  - ICMP (Internet Control Message Protocol)
  - IGMP (Internet Group Management Protocol)
  - IP (Internet Protocol)
Transport Layer
- Main protocols include:
  - UDP (User Datagram Protocol)
  - TCP (Transmission Control Protocol)
Session Layer, Presentation Layer, and Application Layer

- Main protocols include:
  - HTTP (Hypertext Transfer Protocol)
  - SMTP (Simple Mail Transfer Protocol)
  - NNTP (Network News Transfer Protocol)
  - Telnet
  - FTP (File Transfer Protocol)
  - SNMP (Simple Network Management Protocol)
  - TFTP (Trivial File Transfer Protocol)
Session Layer, Presentation Layer, and Application Layer (continued)
Figure 2-2 Different protocols are used in different layers in the TCP/IP model.
Overview of Physical and Data Link Layers of the OSI Model

- Physical layer
  - Transmits raw bits over a communication channel
  - Design must ensure that when one side sends a 1 bit, the other side receives that bit as a 1 bit
  - Deals with the mechanical, electrical, and procedural interfaces, and the physical transmission medium, which are all below the physical layer
- Data link layer
  - Breaks the raw transmission bits into data frames
  - Transmits the frames sequentially
  - Creates and recognizes frame boundaries
Overview of Network and Transport Layers of the OSI Model

- Network layer
  - Takes care of the delivery of data packets from the source to the destination
  - Provides the logical address of the sender and receiver in the header of the data packet
  - Checks the integrity of the transferred data
- Transport layer
  - Takes care of the entire message that is transferred from the source to the destination
  - Takes care of error correction and flow control of the message
Types of Network Attacks
- Main categories of attacks launched against networks:
  - IP spoofing
  - Router attacks
  - Eavesdropping
  - Denial of service
  - Man-in-the-middle attack
  - Sniffing
  - Data modification
Why Investigate Network Traffic?
- Reasons investigators analyze network traffic include:
  - Locate suspicious network traffic
  - Know which network is generating the troublesome traffic and where the traffic is being transmitted to or received from
  - Identify network problems
Evidence Gathering at the Physical Layer

- Computer connected to a LAN has two addresses:
  - MAC address
  - IP address
- Two basic types of Ethernet environments:
  - Shared Ethernet
  - Switched Ethernet
Shared Ethernet
- Every machine receives packets that are meant for one machine
- Sniffer ignores this rule and accepts all frames by putting the NIC into promiscuous mode
- Promiscuous mode
  - Mode of a network interface card in which the card passes all network traffic it receives to the host computer, rather than only the traffic specifically addressed to it
- Passive sniffing is possible in a shared Ethernet environment, and it is difficult to detect
Switched Ethernet
- Hosts are connected to a switch
- Switch does not broadcast to all computers but sends the packets to the appropriate destination only
  - Sniffing by putting the NIC into promiscuous mode does not work in this type of environment
- SPAN (Switched Port Analyzer) port
  - Port that is configured to receive all the packets sent by any source port
- Special switches are available that can be configured to allow sniffing at the switch and can even capture local traffic
DNS Poisoning Techniques
- DNS (Domain Name Service)
  - Service that translates domain names into IP addresses
- DNS poisoning
  - Process in which an attacker provides fake data to a DNS server for the purpose of misdirecting users
- Types of DNS poisoning:
  - Intranet DNS spoofing (local network)
  - Internet DNS spoofing (remote network)
  - Proxy server DNS poisoning
  - DNS cache poisoning
Intranet DNS Spoofing (Local Network)
Figure 2-3 An attacker must be connected to the LAN to perform intranet DNS spoofing.
Internet DNS Spoofing (Remote Network)
Figure 2-4 An attacker uses a Trojan to perform Internet DNS spoofing.
Proxy Server DNS Poisoning
Figure 2-5 An attacker uses a Trojan to change the proxy server settings on a machine during a proxy server DNS poisoning attack.
DNS Cache Poisoning
- Attacker exploits a flaw in the DNS server software that can make it accept incorrect information
- If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source
  - Server will end up caching the incorrect entries locally and serve them to users that make the same request
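The validation the slide refers to, as an added Python example (not code from the book or from any DNS server): before caching a reply, a resolver checks that it arrived from the server that was asked, that its transaction ID and question section match the outstanding query, and that it carries no records for names outside the one queried. The query, the genuine reply and the two replies that must be discarded are all constructed here with reserved example addresses.

```python
import secrets
import struct

def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(buf, off):
    """Decode uncompressed labels at off; returns (name, offset after the name)."""
    labels = []
    while buf[off] != 0:
        ln = buf[off]
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), off + 1

def build_query(txid, qname):
    # Header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def build_response(txid, qname, answers):
    """answers: list of (owner_name, ipv4). Builds an uncompressed reply with A records."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return hdr + body

def validate_response(query, response, expected_peer, actual_peer):
    """Checks a resolver must make before caching; returns (accept, reason)."""
    if actual_peer != expected_peer:          # reply must come from the server we asked
        return False, "source address/port does not match outstanding query"
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    if rid != qid:                            # unpredictable ID is the first line of defence
        return False, "transaction ID mismatch"
    if not flags & 0x8000 or qdcount != 1:
        return False, "not a well-formed response"
    qname, qoff = decode_name(query, 12)
    rname, roff = decode_name(response, 12)
    if rname.lower() != qname.lower() or query[qoff:qoff + 4] != response[roff:roff + 4]:
        return False, "question section does not match query"
    off = roff + 4
    for _ in range(ancount):
        owner, off = decode_name(response, off)
        rdlen = struct.unpack("!H", response[off + 8:off + 10])[0]
        off += 10 + rdlen
        # Simplified bailiwick rule: keep only records for the queried name or names
        # beneath it; a real resolver scopes this to the zone the server is authoritative for.
        if owner.lower() != qname.lower() and not owner.lower().endswith("." + qname.lower()):
            return False, "out-of-bailiwick record for " + owner
    return True, "ok"

def demo():
    """Constructed exchange: one genuine reply and two replies a resolver must reject."""
    server = ("192.0.2.53", 53)
    txid = secrets.randbelow(65536)           # resolvers must also randomize the source port
    q = build_query(txid, "www.example.test")
    genuine = build_response(txid, "www.example.test", [("www.example.test", "203.0.113.10")])
    wrong_id = build_response((txid + 1) % 65536, "www.example.test",
                              [("www.example.test", "198.51.100.1")])
    extra_record = build_response(txid, "www.example.test",
                                  [("www.example.test", "203.0.113.10"),
                                   ("mail.other.test", "198.51.100.1")])
    return [validate_response(q, r, server, server) for r in (genuine, wrong_id, extra_record)]

if __name__ == "__main__":
    for accepted, reason in demo():
        print("cache" if accepted else "discard", "-", reason)
```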
Evidence Gathering from ARP Table
Figure 2-6 The arp -a command displays the ARP table in Windows.
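Added Python example (not from the book): parsing the Windows `arp -a` output format shown in Figure 2-6 and summarizing what an investigator looks for in it: group (broadcast/multicast) versus unicast entries, locally administered addresses, and several IP addresses resolving to one MAC. The table embedded below is constructed sample output, not a capture from any real host.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (the command shown in Figure 2-6).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.45          a4-5e-60-11-22-33     dynamic
  192.168.1.77          02-42-ac-11-00-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp_table(text):
    """Return a list of (interface, ip, mac, type) tuples from `arp -a` output."""
    entries, iface = [], None
    for line in text.splitlines():
        m = re.match(r"^Interface:\s+(\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((iface, m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries

def is_group_mac(mac):
    """Broadcast and multicast addresses have the I/G bit (lsb of the first octet) set."""
    return int(mac.split("-")[0], 16) & 0x01 == 0x01

def is_locally_administered(mac):
    """U/L bit set: the address was configured, not the NIC's burned-in serial number."""
    return int(mac.split("-")[0], 16) & 0x02 == 0x02

def find_shared_macs(entries):
    """Unicast IPs that resolve to the same MAC. One host answering for several addresses
    deserves a second look during an investigation (routers, proxy ARP and redundancy
    protocols also produce this legitimately, so it is a lead, not a verdict)."""
    by_mac = defaultdict(list)
    for _iface, ip, mac, _typ in entries:
        if not is_group_mac(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def summarize(text):
    entries = parse_arp_table(text)
    return {
        "total": len(entries),
        "dynamic": sum(1 for e in entries if e[3] == "dynamic"),
        "group": sum(1 for e in entries if is_group_mac(e[2])),
        "locally_administered": sum(
            1 for e in entries if is_locally_administered(e[2]) and not is_group_mac(e[2])),
        "shared_macs": find_shared_macs(entries),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ARP_OUTPUT).items():
        print(key, value)
```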
Evidence Gathering at the Data Link Layer: DHCP Database

- DHCP database provides a means of determining the MAC address associated with the computer in custody
  - Database helps DHCP conclude the MAC address in case DHCP is unable to maintain a permanent log of requests
- DHCP server maintains a list of recent queries along with the MAC address and IP address
  - Database can be queried by giving the time duration during which the given IP address accessed the server
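The query described on this slide, as an added Python example (not code from the book or from any DHCP server): given the server's ACK and RELEASE events, answer "which MAC address held this IP address during this time window?". The log lines are constructed in ISC dhcpd syslog style, and the 8-hour lease length is an assumption; an investigator would take the real value from the server's configuration. More than one answer for a window means the window spans a reassignment and the timeline must be narrowed.

```python
import re
from datetime import datetime, timedelta

# Constructed, ISC-dhcpd-style syslog lines; not taken from any real server.
SAMPLE_DHCP_LOG = """\
2024-03-12T08:00:05 dhcp1 dhcpd: DHCPACK on 192.168.1.45 to a4:5e:60:11:22:33 (lab-pc07) via eth0
2024-03-12T09:15:40 dhcp1 dhcpd: DHCPACK on 192.168.1.46 to 00:1a:2b:3c:4d:5e (lab-pc08) via eth0
2024-03-12T10:30:00 dhcp1 dhcpd: DHCPRELEASE of 192.168.1.45 from a4:5e:60:11:22:33 (lab-pc07) via eth0 (found)
2024-03-12T10:31:12 dhcp1 dhcpd: DHCPACK on 192.168.1.45 to 02:42:ac:11:00:02 (visitor-laptop) via eth0
2024-03-12T14:00:00 dhcp1 dhcpd: DHCPACK on 192.168.1.45 to 02:42:ac:11:00:02 (visitor-laptop) via eth0
"""

LEASE_TIME = timedelta(hours=8)   # assumed lease length; use the value configured on the real server

ACK_RE = re.compile(r"^(\S+) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})")
REL_RE = re.compile(r"^(\S+) \S+ dhcpd: DHCPRELEASE of (\S+) from ([0-9a-f:]{17})")

def build_leases(log_text, lease_time=LEASE_TIME):
    """Turn ACK/RELEASE events into (ip, mac, start, end) intervals."""
    leases = []
    open_by_ip = {}   # ip -> index in `leases` of the lease currently holding that ip
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts, ip, mac = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
            cur = open_by_ip.get(ip)
            if cur is not None and leases[cur][1] == mac and leases[cur][3] >= ts:
                leases[cur][3] = ts + lease_time            # renewal extends the same lease
            else:
                if cur is not None:                         # address handed to another client
                    leases[cur][3] = min(leases[cur][3], ts)
                leases.append([ip, mac, ts, ts + lease_time])
                open_by_ip[ip] = len(leases) - 1
            continue
        m = REL_RE.match(line)
        if m:
            ts, ip, mac = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
            cur = open_by_ip.get(ip)
            if cur is not None and leases[cur][1] == mac:
                leases[cur][3] = min(leases[cur][3], ts)    # explicit release ends the lease
    return [tuple(lease) for lease in leases]

def who_had_ip(log_text, ip, start_iso, end_iso):
    """MAC addresses that held `ip` at any time within [start_iso, end_iso]."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return sorted({mac for lip, mac, s, e in build_leases(log_text)
                   if lip == ip and s <= end and e >= start})

if __name__ == "__main__":
    print(who_had_ip(SAMPLE_DHCP_LOG, "192.168.1.45", "2024-03-12T10:00:00", "2024-03-12T11:00:00"))
```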
Gathering Evidence from an IDS
- Administrator can configure an intrusion detection system (IDS) to capture network traffic when an alert is generated
  - This data is not a sufficient source of evidence because there is no way to perform integrity checks on the log files
- Preserving digital evidence is difficult
- Investigators can record examination results from network devices through a serial cable and software
  - Such as the Windows HyperTerminal program or a script on UNIX
Tool: Tcpdump
- Powerful tool that extracts network packets and performs statistical analysis on those dumps
  - Operates by putting the network card into promiscuous mode
- Tcpdump report consists of the following:
  - Captured packet count
  - Received packet count
  - Count of packets dropped by kernel
- Supported by various platforms
Tool: Tcpdump (continued)
Figure 2-7 Tcpdump shows information about all the packets that come through the network interface.
Tool: WinDump
- Port of Tcpdump for the Windows platform
- WinDump is fully compatible with Tcpdump
  - Can be used to watch and diagnose network traffic according to various complex rules
- WinDump is simple to use and works at the command-line level
Tool: WinDump (continued)
Figure 2-8 WinDump displays more verbose information when the user specifies the -vv option.
Tool: NetIntercept
- Network analysis tool
- Captures LAN traffic using a standard Ethernet interface card placed in promiscuous mode and a modified UNIX kernel
- Performs stream reconstruction on demand
Tool: NetIntercept (continued)
Figure 2-9 NetIntercept captures traffic continuously.
Tool: NetIntercept (continued)
Figure 2-10 A user can look at the contents of a connection once it has been identified.
Tool: Wireshark
- Formerly known as Ethereal
- GUI-based network protocol analyzer
- Lets the user interactively browse packet data from a live network or from a previously saved capture file
- Wireshark’s native capture file format is the libpcap format
  - Also the format used by Tcpdump and various other tools
Tool: Wireshark (continued)
Figure 2-11 Wireshark can show information about all captured packets.
Tool: CommView
Figure 2-12 CommView shows detailed information about every captured packet.
Tool: SoftPerfect Network Protocol Analyzer
Figure 2-13 SoftPerfect Network Protocol Analyzer displays information about all packets captured from the network.
Tool: HTTP Sniffer
Figure 2-15 HTTP Sniffer displays information about captured HTTP packets.
Tool: EtherDetect Packet Sniffer
Figure 2-16 EtherDetect Packet Sniffer provides syntax highlighting for application data, including HTTP data, as shown here.
Tool: OmniPeek
Figure 2-17 OmniPeek provides different views of captured packets.
Tool: OmniPeek (continued)
Figure 2-18 OmniPeek provides users with visuals concerning network traffic.
Tool: Iris Network Traffic Analyzer
Figure 2-19 Iris Network Traffic Analyzer allows a user to view details about captured packets.
Tool: SmartSniff
Figure 2-20 SmartSniff shows ASCII views of network conversations for text-based protocols.
Tool: NetSetMan
Figure 2-21 NetSetMan allows a user to switch between sets of network settings.
Tool: Distinct Network Monitor
Figure 2-22 Distinct Network Monitor displays live network traffic statistics.
Tool: MaaTec Network Analyzer
Figure 2-23 MaaTec Network Analyzer can color-code data based on different criteria.
Tool: ntop
Figure 2-24 ntop displays network statistics on a Web page.
Tool: EtherApe
Figure 2-25 EtherApe creates a graphical display of network traffic.
Tool: Colasoft Capsa Network Analyzer
Figure 2-26 Colasoft Capsa Network Analyzer provides statistics about network traffic.
Tool: Colasoft EtherLook
Figure 2-27 Colasoft EtherLook displays all the data received by every host in a LAN.
Tool: AnalogX PacketMon
Figure 2-28 AnalogX PacketMon can show detailed information about packets.
Tool: BillSniff
Figure 2-29 BillSniff allows a user to view hexadecimal and ASCII versions of packets.
Tool: IE HTTP Analyzer
Figure 2-30 IE HTTP Analyzer displays its information in a separate frame within Internet Explorer.
Tool: EtherScan Analyzer
- EtherScan Analyzer
  - Network traffic and protocol analyzer
  - Captures and analyzes packets sent over a local network
  - Decodes the major protocols and is capable of reconstructing TCP/IP sessions
Tool: Sniphere
Figure 2-31 Sniphere can filter traffic based on several criteria.
Tool: IP Sniffer
Figure 2-32 IP Sniffer provides graphical statistics about network traffic.
Tool: Atelier Web Ports Traffic Analyzer
Figure 2-33 Atelier Web Ports Traffic Analyzer shows hexadecimal and ASCII versions of the content of packets.
Tool: IPgrab
- IPgrab
  - Packet sniffer for UNIX hosts
  - Provides a verbose mode that displays a great amount of information about packets
  - Also provides a minimal mode in which all information about all parts of a packet is displayed in a single line of text
Tool: Nagios
Figure 2-35 Nagios can display details about the current network status.
Tool: Give Me Too
Figure 2-36 Using Give Me Too, users can open files that have been transferred over the network.
Tool: Sniff-O-Matic
Figure 2-37 Sniff-O-Matic shows the entire contents of each packet.
Tool: EtherSnoop
Figure 2-38 EtherSnoop allows users to choose which packets to see in a more detailed view.
Tool: GPRS Network Sniffer: Nokia LIG
Figure 2-39 The LIC, LIB, and LIE all work together in the Nokia LIG.
Tool: Siemens Monitoring Center
- Designed for law enforcement and government security agencies
  - Permits integration within all telecommunications networks that use any type of modern standardized equipment compatible with an ETSI recommendation
- With the help of the Siemens Intelligence Platform
  - Analysts may find meaning among large reams of irrelevant data
- Intelligence Platform
  - Means to organize disparate pieces of information for the law enforcement and security agencies so decision makers can act upon the information
Tool: NetWitness
Figure 2-40 NetWitness allows users to view files captured from other machines on the network.
Tool: NetResident
Figure 2-41 Users can view reconstructed Web pages using NetResident.
Tool: InfiniStream
Figure 2-42 InfiniStream captures packets from the network.
Tool: InfiniStream (continued)
Figure 2-43 InfiniStream shows various types of charts describing statistics about network traffic.
Tool: eTrust Network Forensics
- Some of the features of eTrust Network Forensics:
  - Network traffic recording and visualization
  - Real-time network data capture
  - Advanced visualization
  - Pattern and content analysis
  - Communications catalog
  - On-demand incident playback
  - Advanced security investigation
Tool: ProDiscover Investigator
Figure 2-45 ProDiscover Investigator inspects disk contents around the network for illegal content.
Tool: P2 Enterprise Shuttle
- Enterprise investigation tool that views, acquires, and searches client data wherever it resides in an enterprise
- Checks the main communication pass-through for the system as well as the routers and firewalls
- Acts as the central repository for all forensic images collected and is integrated with MySQL
Tool: Show Traffic
Figure 2-46 Show Traffic shows a continuous display of network traffic.
Tool: Network Probe
Figure 2-47 Network Probe provides a graphical summary of network traffic.
Tool: Snort Intrusion Detection System
- Software-based, real-time network intrusion detection system
- Snort features include:
  - Detects threats based on pattern matching
  - Uses syslog, SMB messages, or a file to alert an administrator
  - Develops new rules quickly once the pattern (attack signature) is known for a vulnerability
  - Records packets from the offending IP address in a hierarchical directory structure
  - Records the presence of traffic that should not be found on the network
Snort Rules
- There are a number of rules that Snort allows a user to write
- Each Snort rule must describe one of the following:
  - Any violation of the security policy of the company that might be a threat to the security of the company’s network and other valuable information
  - All the well-known and common attempts to exploit the vulnerabilities in the company’s network
  - The conditions in which a user thinks that the identity of a network packet is not authentic
Tool: Network Probe
Figure 2-48 Snort is a powerful IDS that allows users to write new rules.
Tool: IDS Policy Manager
Figure 2-49 IDS Policy Manager allows users to manage multiple Snort policies.
Documenting the Evidence Gathered on a Network

- Documenting the evidence gathered on a network is easy if the network logs are small, as a printout can be taken and tested
- Documenting digital evidence on a network becomes more complex when the evidence is gathered from systems that are in remote locations
  - Because of the unavailability of date and time stamps of the related files
- For documentation and integrity of the document, it is advisable to follow a standard methodology
Evidence Reconstruction for Investigation

- Gathering evidence on a network is cumbersome for the following reasons:
  - Evidence is not static and not concentrated at a single point on the network
  - The variety of hardware and software found on the network makes the evidence-gathering process more difficult
- Three fundamentals of reconstruction for investigating a crime:
  - Temporal analysis
  - Relational analysis
  - Functional analysis
Summary
- There are two types of network addressing schemes: LAN addressing and Internetwork addressing
- Sniffing tools are software or hardware that can intercept and log traffic passing over a digital network or part of a network
- The ARP table of a router comes in handy for investigating network attacks, as the table contains IP addresses associated with the respective MAC addresses
Summary (continued)
- The DHCP server maintains a list of recent queries, along with the MAC address and IP address
- An administrator can configure an IDS to capture network traffic when an alert is generated