Presentation is loading. Please wait.

Presentation is loading. Please wait.

Section 3.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE

Published bySammy Anctil Modified over 10 years ago

Similar presentations

Presentation on theme: "Section 3.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE"— Presentation transcript:

1 Section 3.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE
Case study : Ann Section 3.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE

2 Scenario: Ann’s Bad AIM
Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe. Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, ( ) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter. “We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

3 Mission You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including: 1. What is the name of Ann’s IM buddy? 2. What was the first comment in the captured IM conversation? 3. What is the name of the file Ann transferred? 4. What is the magic number of the file you want to extract (first four bytes)? 5. What was the MD5sum of the file? 6. What is the secret recipe?

4 What protocol is being used?
Remember that the count byte offset is 0. Look for bits that are commonly associated with a protocol. Example: 0x0045 -> beginning of an IPv4 packet Tcpdump from Ann’s Bad AIM packet capture

5 Wireshark - TCP IP protocol details displayed within Wireshark. Notice that the IP packet contains information about the encapsulated protocol (in this case, 0x06, or TCP). Pg 85

6 TCp / udp port numbers http://www.iana.org/assignments/port-numbers
/etc/services Example chunk of file:

7 UDP port association “UDP Protocol Details displayed within Wireshark. Notice that Wireshark automatically associates the UDP port, 123, with its IANA-assigned default service, NTP.” Pg 86

8 Wireshark is not always correct
“TCP packet details displayed within Wireshark. Notice that Wireshark automatically associates TCP port 443 with its IANA-assigned default service, HTTPS. However, this interpretation is INCORRECT (as evidenced by the fact that the packet contents are not encrypted, and no protocol details are displayed under the heading “Secure Socket Layer”).” Pg. 87

9 Find out about the mystery ip
A simple whois lookup can provide a lot of information. Below is only a snippet of the data provided about IP address

10 Make a reasonable hypothesis
Facts: AOL provides services including: HTTP and instant messaging Packet 112 source is port 5190, which Wireshark associates with AOL Packet begins with 0x4F465432, or “OFT2” in ASCII which matches OSCAR protocol

11 OSCAR Protocol Byte 6 and 7 indicate type
0x0101 of packet 112 specifies the “Prompt” value Sender is ready to transmit file

12 Protocol decoding Message becomes clear when the protocol is decoded

13 Exporting fields Easy to do in Wireshark – File > “Export Selected Packet Bytes” Saves contents of selected fields for further study Tshark will print out any or all fields defined within the protocol Examples of command line instructions $ tshark -r evidence.pcap -X lua_script:oft -tsk.lua -R "oft" -n -R frame. number ==112 -V $ tshark -r evidence01.pcap -X lua_script:oft -tsk.lua -R "oft" -n -R frame. number ==112 -T pdml

14 Packet analysis Dirty word search using ngrep

15 Parsing Protocol fields
Use tshark to extract all of the AIM message data from the package capture

16 Packet filtering Filtering with BPF Resulting file

17 Find the file transfer Use Wireshark display filters to search for channel 2 ICBM packet sent to AOL server

18 Flow analysis List conversations List TCP flow

19 Export TCP flow Once you have identified the flow most likely to contain the file, export it using a BPF filter Tcpflow will automatically extract flows, also using BPF filter Notice that tcpflow extracted two half-duplex flows

20 Export tcp flow continued
Manually export using Wireshark Warning! Does not scale well, not good for large projects! Select Frame #109 > Right click > click on “Follow TCP Stream” Save in raw format

21 File and data carving Open full duplex saved dump file in hex editor
First 4 bytes are “OFT2” Bytes 6-7 (Type) are 0x0101 Bytes 28 – 31 (Total Size) are 0x00002EE8 12,008 bytes File name begins at Byte 192 0xc0 Padded with null to 64 bytes Byte 256 new header 0x0202 = acknowledge

22 File and data carving continued
Look for magic number for beginning of .docx file 0x504B or PK in ASCII Byte 512 (0x200) To find the end of the file add the file size to the starting byte 0x x2EE8 = 0x30E8 Byte 0x30E8 shows Type 0x0204 = done Size of transfer Byte 0x3108 = 0x2EE8 which is a match to the file size

23 File and data carving continued again
Use Bless cut tool to carve out the file Select extra data at the end of the file and click cut Select extra data at the beginning of the file and click cut Save file as “recipe.docx” Get cryptographic hashes of file Double check file size Verify the file type

24 Carved file Open a copy of the file to verify the contents

25 Extract file automatically
Use tcpextract Uses 0x504B0304 by default to mark the beginning of a file Try saving the first instance “ zip” as “recipe-tcpxtract.docx” and open a copy in document editor Do not forget to take the cryptographic hashes

26 networkMiner All of the work is done for us in NetworkMiner

27 Disclaimer: All information and data pulled directly from this book.
Pages Works Cited Davidoff, S., & Ham, J. (2012). Network Forensics Tracking Hackers Through Cyberspace. Boston: Prentice Hall.

Download ppt "Section 3.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE"

Similar presentations

The Internet.

The Internet.
SHARKFEST '09 | Stanford University | June 15–18, 2009 The Reality of 10G Analysis Presented by: Network Critical Wednesday, June 17 th, 2009 1:30 pm –

SHARKFEST '09 | Stanford University | June 15–18, 2009 The Reality of 10G Analysis Presented by: Network Critical Wednesday, June 17 th, :30 pm –
Click to continue Network Protocols. Click to continue Networking Protocols A protocol defines the rules of procedures, which computers must obey when.

Click to continue Network Protocols. Click to continue Networking Protocols A protocol defines the rules of procedures, which computers must obey when.
Network Fundamentals – Chapter 4 Sandra Coleman, CCNA, CCAI

Network Fundamentals – Chapter 4 Sandra Coleman, CCNA, CCAI
DSL-2730B, DSL-2740B, DSL-2750B.

DSL-2730B, DSL-2740B, DSL-2750B.
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Case study : The curious mr. x

Case study : The curious mr. x
10. UDP/TCP WWW page: Text book: Mastering Networks (Chapter 10) Network IP protocol is routes the data.

10. UDP/TCP WWW page: Text book: Mastering Networks (Chapter 10) Network IP protocol is routes the data.
Section 3.2 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE CASE STUDY : ANN’S RENDEZVOUS.

Section 3.2 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE CASE STUDY : ANN’S RENDEZVOUS.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Network Services Networking for Home and Small Businesses – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Network Services Networking for Home and Small Businesses – Chapter 6.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Introduction to the Transport.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Introduction to the Transport.
We’ve got what it takes to take what you got! NETWORK FORENSICS.

We’ve got what it takes to take what you got! NETWORK FORENSICS.
Section 2.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE

Section 2.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE
OR I know what you downloaded last night! By: GTKlondike.

OR I know what you downloaded last night! By: GTKlondike.
1 Capturing & Analyzing Network Traffic: tcpdump/tshark and Wireshark EE 122: Intro to Communication Networks Vern Paxson / Jorge Ortiz / Dilip Anthony.

1 Capturing & Analyzing Network Traffic: tcpdump/tshark and Wireshark EE 122: Intro to Communication Networks Vern Paxson / Jorge Ortiz / Dilip Anthony.
Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.

Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.
© 2006, The Technology Firm WWW.THETECHFIRM.COM Ethereal The Technology Firm.

© 2006, The Technology Firm Ethereal The Technology Firm.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Process-to-Process Delivery:

Process-to-Process Delivery:
1 Lab 3 Transport Layer T.A. Youngjoo Han. 2 Transport Layer  Providing logical communication b/w application processes running on different hosts 

1 Lab 3 Transport Layer T.A. Youngjoo Han. 2 Transport Layer  Providing logical communication b/w application processes running on different hosts 

Similar presentations

Ads by Google