Network Forensics Tools for Cybercrime Investigation
Lead-off Presentation by Glen Myers, IP Fabrics, May 12, 2009
Cybercrime

Targets can be:
- Individuals
- Enterprises
- Companies
- Service providers / carriers
- Government
- A network, or part thereof

Crimes include:
- Illegal access
- Illegal interception
- Interference
- Fraud
- ID theft
- Theft of intellectual property
- Harassment
- Obscene/offensive content
- Crimes against children
- ...

In short: crimes (depending on locality, of course) where the network (the "Internet") is the vehicle.
Cybercrime Forensics vs Lawful Intercept

For lawful intercept, you have a target (e.g., a suspect):
- Court order to intercept the telephone number 1-503-444-2499
- Court order to intercept the signaling information for sip:email@example.com
- Court order to intercept the email of firstname.lastname@example.org

For cybercrime, that is the biggest challenge:
- You discover "something's going on"
- You may or may not identify the potential victim(s)
- You usually have no idea of the source
- If you do eventually discover the source, you may find you have no legal jurisdiction
Email as a Vehicle

Exhibit 1: "IRS refund" phishing message (received Jan 29, 2008, 8:37 AM; the mail client flagged it with "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.")

    subject: Tax Refund - Online Form

    Link omitted

    After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $375.20. Please submit the tax refund request and allow us 3-9 days in order to process it.

    A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

    To access the form for your tax refund, please click here

    Note: For security reasons, we will record your ip-address, the date and time. Deliberate wrong inputs are criminally pursued and indicated.

    Regards,
    Internal Revenue Service

    Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.

Exhibit 2: "FBI beneficiary" advance-fee message

    http://www.fbi.gov
    ANTI FRAUD & MONITARY CRIME DIVISION
    Code: FBI/111
    Tel: 1-646-778-3497
    Private Email: email@example.com

    ATTENTION: BENEFICIARY

    We the Federal Bureau Of Investigation (FBI) United States Of America have discovered through our intelligent monitoring network that you have a transaction going on as...

    text omitted

    YOURS FAITHFULLY,
    F.B.I DIRECTOR ROBERT S. MUELLER III.

    The United States Department of Justice Order 556-73 establishes rules and regulations for the subject of an FBI Identification Record to obtain a copy of his or her own Record for review. The FBI's Criminal Justice Information Services (CJIS) Division processes these requests to chek illegal activities in U.S.A.

    FOR CORPORATE AFFAIRS
    FEDERAL BUREAU OF INVESTIGATION (FBI)
    UNITED STATES OF AMERICA
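Both exhibits above share the same tells: a display name that claims a government agency while the message arrives from an unrelated domain, a reply address that differs from the sender, a link to a bare IP address or a host outside the claimed domain, and "refund / click here / criminally" pressure vocabulary. The following scorer is an added example, not IP Fabrics' code, and the two messages it scores are constructed stand-ins for the slide's exhibits (the domains, addresses and the small CLAIMED_BRANDS table are assumptions for the example).

```python
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not the slide's originals): a lure that claims to be
# the IRS but is sent from an unrelated domain, and an ordinary internal notice.
LURE = """From: Internal Revenue Service <refunds@example-mailer.test>
Reply-To: claims@refund-desk.test
To: victim@example.org
Subject: Tax Refund - Online Form

After the last annual calculations of your fiscal activity we have determined
that you are eligible to receive a tax refund of $375.20. To access the form
for your tax refund, please click here: http://198.51.100.7/irs/refund.php
"""

BENIGN = """From: IT Helpdesk <helpdesk@example.org>
To: staff@example.org
Subject: Maintenance window Saturday

The mail gateway will be restarted on Saturday at 02:00. No action is required.
"""

# Brands a lure typically claims, and the domain each legitimately sends from.
# Assumption for the example: a tiny lookup table; a deployment keeps a curated list.
CLAIMED_BRANDS = {
    "internal revenue service": "irs.gov",
    "federal bureau of investigation": "fbi.gov",
}
LURE_TERMS = ("click here", "refund", "within", "deadline", "criminally")


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons). Each reason is one independent phishing indicator."""
    msg = message_from_string(raw)
    reasons: list[str] = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    # 1. Display name claims a brand whose real domain the sender does not use.
    for brand, domain in CLAIMED_BRANDS.items():
        if brand in display.lower() and not sender_domain.endswith(domain):
            reasons.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # 2. Reply-To routes answers to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != sender_domain:
        reasons.append("Reply-To domain differs from From domain")

    # 3. Links whose host is a bare IP address or lies outside the sender's domain.
    for url in re.findall(r"https?://[^\s<>\"]+", body):
        host = urlparse(url).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append(f"link to raw IP address {host}")
        elif not host.endswith(sender_domain):
            reasons.append(f"link host {host} not under sender domain")

    # 4. Two or more pressure/lure terms in subject or body.
    hits = [t for t in LURE_TERMS if t in text]
    if len(hits) >= 2:
        reasons.append("lure vocabulary: " + ", ".join(hits))

    return len(reasons), reasons


if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        score, why = score_message(raw)
        print(name, score, why)
```

The score is a count of independent indicators rather than a weighted model, which keeps each hit explainable to an investigator; the constructed lure triggers all four checks and the benign notice none.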
Network Capabilities Needed

Great flexibility:
- May need to look at a lot of things: SMTP email, webmail, web page interactions, P2P traffic, instant messaging, virus signatures, VoIP, chat rooms, file sharing, ...
- Need to filter out a lot of "noise" (ads, IPTV, YouTube, ...)

Real-time "onion peeling" capability:
- Need to redirect your device from A to B to C to D to E...
- E.g., having discovered some suspect content in an email, we then watch for traffic to a specific email address, or for IP addresses connecting to a particular URL.

Ability to tap concurrently into multiple network segments:
- Different pieces of the puzzle may go down different paths

Evidentiary capabilities:
- Assurances on the data that will stand up in court

Be completely invisible on the network

Operate at network bandwidths

Need to go a step beyond DPI...
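Two of the capabilities above can be shown concretely: the "evidentiary" requirement (every captured record must be provably unaltered since capture) and "onion peeling" (a hit on one layer yields the watch rules for the next). The sketch below is an added example, not IP Fabrics' or DeepProbe's code: it keeps capture records in a hash-chained, append-only log and derives follow-on watch rules from a suspect email. The record layout, the segment names and the two constructed captures are assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import json
import re
from dataclasses import dataclass


@dataclass
class Record:
    seq: int
    captured_at: str        # ISO-8601 capture time (constructed in the demo)
    segment: str            # which tap / network segment the traffic came from
    kind: str               # "email", "http", "im", ...
    payload: bytes
    payload_sha256: str = ""
    chain_hash: str = ""    # sha256(previous chain_hash || header || payload_sha256)


class EvidenceLog:
    """Append-only log whose records are linked by a hash chain, so that any
    alteration, insertion or reordering after capture is detectable."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[Record] = []

    @staticmethod
    def _header(seq: int, captured_at: str, segment: str, kind: str) -> str:
        # Canonical JSON so the same metadata always hashes the same way.
        return json.dumps({"seq": seq, "at": captured_at, "seg": segment, "kind": kind},
                          sort_keys=True)

    def append(self, captured_at: str, segment: str, kind: str, payload: bytes) -> Record:
        prev = self.records[-1].chain_hash if self.records else self.GENESIS
        seq = len(self.records)
        digest = hashlib.sha256(payload).hexdigest()
        header = self._header(seq, captured_at, segment, kind)
        chain = hashlib.sha256((prev + header + digest).encode()).hexdigest()
        rec = Record(seq, captured_at, segment, kind, payload, digest, chain)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute every link from genesis; False on the first inconsistency."""
        prev = self.GENESIS
        for i, r in enumerate(self.records):
            digest = hashlib.sha256(r.payload).hexdigest()
            header = self._header(i, r.captured_at, r.segment, r.kind)
            expected = hashlib.sha256((prev + header + digest).encode()).hexdigest()
            if r.seq != i or r.payload_sha256 != digest or r.chain_hash != expected:
                return False
            prev = r.chain_hash
        return True


# Onion peeling: from one suspect email, derive the next layer of watch rules.
ADDR_RE = re.compile(rb"[\w.+-]+@[\w.-]+\.\w+")
URL_HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def peel(hit: Record) -> list[dict]:
    """Return watch rules for every mail address and link host named in the hit."""
    rules = []
    for addr in sorted(set(ADDR_RE.findall(hit.payload))):
        rules.append({"type": "email_address", "value": addr.decode(), "derived_from": hit.seq})
    for host in sorted(set(URL_HOST_RE.findall(hit.payload))):
        rules.append({"type": "http_host", "value": host.decode(), "derived_from": hit.seq})
    return rules


def demo() -> tuple[bool, bool, list[dict]]:
    """Constructed walk-through: capture on two segments, peel, then tamper."""
    log = EvidenceLog()
    lure = (b"From: refunds@example-mailer.test\r\nTo: victim@example.org\r\n"
            b"Subject: Tax Refund\r\n\r\nclick http://198.51.100.7/refund.php\r\n")
    log.append("2009-05-12T08:37:00Z", "segment-A", "email", lure)
    log.append("2009-05-12T08:38:10Z", "segment-B", "http",
               b"GET /refund.php HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n")
    ok_before = log.verify()
    rules = peel(log.records[0])
    # Simulate after-the-fact editing of the stored payload: the chain must break.
    log.records[0].payload = lure.replace(b"198.51.100.7", b"203.0.113.9")
    ok_after = log.verify()
    return ok_before, ok_after, rules


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner will raise: a hash chain alone cannot prove that records were not dropped from the end, so the current chain head should be anchored outside the capture device (signed, time-stamped, or written to a separate custody log) at regular intervals.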
Example Tools

DeepProbe-10:
- 4 10GbE inputs
- 6 1GbE inputs

DeepProbe-1:
- 4 1GbE inputs

Both:
- Provided with software "surveillance modules" for specific applications
- Reconstruct the desired application information
- Map different applications of like form (e.g., webmail, instant messengers) into a single canonical form
- Generally provisioned from elsewhere over a networked API, but also have a browser interface (e.g., for unpeeling the onion)
Example Filters

- Give me all the email to/from firstname.lastname@example.org
- Get any Yahoo mail containing the phrase "U-238 enrichment"
- Give me any mail attachments sent by email@example.com
- Give me just the to/from info on every yahoo.com email
- Give me all the presence information reported to Yahoo Messenger user glen_roberts
- Give me all the email downloaded by POP3 user glen_roberts
- Give me the to/from info from all calls associated with sip:firstname.lastname@example.org
- Give me all of the port 80 traffic from this specific cable modem address
- Let me know if email@example.com ever sends a message with the URL www.darkmarket.com in it
- Watch all SMTP traffic for the appearance of this list of 1623 credit-card numbers and give me any mail that has one
- Give me the voice traffic of firstname.lastname@example.org
- Give me the output stream of chat room Hacker's Lounge:1
- Give me all IM messages from email@example.com
- Get me any IM message from firstname.lastname@example.org containing "how old r u"
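The filters above only make sense once webmail, SMTP, POP3 and IM have been reduced to the "single canonical form" the previous slide mentions: then each filter is a predicate over one record type. The code below is an added example, not the DeepProbe surveillance-module API: it assumes a small canonical message layout and implements a handful of the listed filters over constructed traffic, including the credit-card watchlist one, where digit runs are normalised and Luhn-checked before the list lookup so that random numbers in mail bodies do not produce hits.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class CanonicalMessage:
    """One message in canonical form, whatever application carried it
    (assumed layout for the example; SMTP, POP3, webmail and IM share it)."""
    app: str                    # "smtp", "pop3", "webmail", "im"
    sender: str
    recipients: list[str]
    body: str = ""
    attachments: list[str] = field(default_factory=list)


Filter = Callable[[CanonicalMessage], bool]


def luhn_ok(number: str) -> bool:
    """Luhn checksum; rejects anything shorter than 13 digits."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def party(address: str) -> Filter:
    """'Give me all the email to/from <address>'."""
    a = address.lower()
    return lambda m: m.sender.lower() == a or a in (r.lower() for r in m.recipients)


def contains(phrase: str, apps: set[str] | None = None) -> Filter:
    """'Get any <app> message containing the phrase ...'; apps=None means any app."""
    p = phrase.lower()
    return lambda m: (apps is None or m.app in apps) and p in m.body.lower()


def attachments_from(sender: str) -> Filter:
    """'Give me any mail attachments sent by <sender>'."""
    return lambda m: m.sender.lower() == sender.lower() and bool(m.attachments)


def mentions_url(sender: str, host: str) -> Filter:
    """'Let me know if <sender> ever sends a message with the URL <host> in it'."""
    return lambda m: m.sender.lower() == sender.lower() and host.lower() in m.body.lower()


def carries_card_number(watchlist: set[str]) -> Filter:
    """'Watch all SMTP traffic for the appearance of this list of card numbers'."""
    normalised = {re.sub(r"\D", "", n) for n in watchlist}

    def f(m: CanonicalMessage) -> bool:
        if m.app != "smtp":
            return False
        for run in re.findall(r"(?:\d[ -]?){13,19}", m.body):
            digits = re.sub(r"\D", "", run)
            if luhn_ok(digits) and digits in normalised:
                return True
        return False
    return f


def apply_filters(messages: list[CanonicalMessage],
                  named: dict[str, Filter]) -> dict[str, list[int]]:
    """For every named filter, the indexes of the messages it matched."""
    return {name: [i for i, m in enumerate(messages) if f(m)] for name, f in named.items()}


# Constructed traffic sample (addresses and contents are made up for the example).
SAMPLE = [
    CanonicalMessage("smtp", "alice@example.org", ["bob@example.net"], "lunch tomorrow?"),
    CanonicalMessage("webmail", "glen_roberts@example.test", ["x@example.org"],
                     "notes on U-238 enrichment attached", ["notes.pdf"]),
    CanonicalMessage("smtp", "mule@example.net", ["drop@example.org"],
                     "cards: 4111 1111 1111 1111 and 4111-1111-1111-1112"),
    CanonicalMessage("im", "glen_roberts@example.test", ["kid@example.org"], "hey how old r u"),
    CanonicalMessage("smtp", "alice@example.org", ["bob@example.net"],
                     "see http://www.darkmarket.com/ for details"),
]


def demo() -> dict[str, list[int]]:
    return apply_filters(SAMPLE, {
        "to_from_bob": party("bob@example.net"),
        "webmail_u238": contains("U-238 enrichment", apps={"webmail"}),
        "attachments_glen": attachments_from("glen_roberts@example.test"),
        "im_how_old": contains("how old r u", apps={"im"}),
        "alice_darkmarket": mentions_url("alice@example.org", "www.darkmarket.com"),
        "card_watchlist": carries_card_number({"4111 1111 1111 1111"}),
    })


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits}")
```

Keeping each filter a plain predicate is what makes the "onion peeling" of the earlier slide cheap: a hit can add a new predicate to the running set without reconfiguring the capture path.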