1 Network Forensics Tools for Cybercrime Investigation
Lead-off Presentation by Glen Myers, IP Fabrics
May 12, 2009

2 Cybercrime Targets (IP Fabrics)
Targets can be:
- Individuals
- Enterprises
- Companies
- Service providers / carriers
- Government
- A network, or part thereof
Crimes include:
- Illegal access
- Illegal interception
- Interference
- Fraud
- ID theft
- Theft of intellectual property
- Harassment
- Obscene/offensive content
- Crimes against children...
In short: crimes (depending on locality, of course) where the network (the "Internet") is the vehicle.

3 Cybercrime Forensics vs Lawful Intercept
For lawful intercept, you have a target (e.g., a suspect):
- Court order to intercept the tel number 1-503-444-2499
- Court order to intercept the signaling information for
- Court order to intercept the email of
For cybercrime, that is the biggest challenge:
- You discover "something's going on"
- You may or may not identify the potential victim(s)
- You usually have no idea of the source
- If you do eventually discover the source, you may find you have no legal jurisdiction

4 Email as a Vehicle
Sample 1 (tax-refund phishing, as rendered in webmail):
to
date: Jan 29, 2008 8:37 AM
subject: Tax Refund - Online Form
Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.
Link omitted
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $375.20. Please submit the tax refund request and allow us 3-9 days in order to process it. A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. To access the form for your tax refund, please click here
Note: For security reasons, we will record your ip-address, the date and time. Deliberate wrong inputs are criminally pursued and indicated.
Regards, Internal Revenue Service
Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.

Sample 2 (advance-fee scam):
ANTI FRAUD & MONITARY CRIME DIVISION
Code: FBI/111
Tel: 1-646-778-3497
Private Email:
ATTENTION: BENEFICIARY
We the Federal Bureau Of Investigation (FBI) United States Of America have discovered through our intelligent monitoring network that you have a transaction going on as... text omitted
YOURS FAITHFULLY, F.B.I DIRECTOR ROBERT S. MUELLER III.
The United States Department of Justice Order 556-73 establishes rules and regulations for the subject of an FBI Identification Record to obtain a copy of his or her own Record for review. The FBI's Criminal Justice Information Services (CJIS) Division processes these requests to chek illegal activities in U.S.A.
FOR CORPORATE AFFAIRS FEDERAL BUREAU OF INVESTIGATION (FBI) UNITED STATES OF AMERICA

5 Network Capabilities Needed
Great flexibility:
- May need to look at a lot of things: SMTP email, webmail, web page interactions, P2P traffic, instant messaging, virus signatures, VoIP, chat rooms, file sharing, ...
- Need to filter out a lot of "noise" (ads, IPTV, YouTube, ...)
Real-time "onion peeling" capability:
- Need to redirect your device from A to B to C to D to E...
- E.g., having discovered some suspect content in an email, we then watch for traffic to a specific email address, or for IP addresses connecting to a particular URL.
Ability to tap concurrently into multiple network segments:
- Different pieces of the puzzle may go down different paths
Evidentiary capabilities:
- Assurances on the data that will stand up in court
Be completely invisible on the network
Operate at network bandwidths
Need to go a step beyond DPI...

6 Basic DPI isn't Good Enough
Typical IP packet traversing a network: [IP header][TCP header][Payload]
Typical DPI view: the payload of one packet at a time.
- Can't rely on standard TCP port numbers: some apps have none, some can jump if a specific port is blocked, some can also jump to HTTP
- Can't assume a "conversation" uses a fixed set of ports: e.g., Yahoo Mail cycles through a wide range of client ports during one session
- TCP payloads often span multiple IP packets: risk of missing a signature that spans packets
- Most interesting data is gzip compressed: all of the webmail services compress, including the addressing info
- Data is encoded in HTML, JavaScript, ... in an application-specific manner: e.g., the encoding of an email address is very different among Hotmail, Yahoo, Gmail, ...
- Must understand what is clutter and ignore it in order to keep up with line rate: e.g., in webmail interactions, 90% of the TCP connections and 99% of the packets are clutter
What is better is "deep application-protocol inspection": knowledge in the device of syntax and semantics for specific applications.
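The two failure modes of per-packet DPI named on this slide (a signature split across packet boundaries, and a gzip-compressed body) can be shown concretely. This is an added example, not IP Fabrics code: it builds a constructed HTTP response carrying the deck's "U-238 enrichment" phrase, splits it into out-of-order TCP segments, and compares a naive per-packet scan with a scan that reassembles the stream and honours Content-Encoding first.

```python
import gzip
import re
from dataclasses import dataclass

# Phrase taken from the deck's example filters; all traffic below is constructed.
SIGNATURE = b"U-238 enrichment"


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def build_segments(body, isn=1000, chunk=24, compress=False):
    """Construct an HTTP response carrying `body` (gzip-compressed if asked)
    and split it into TCP segments delivered in reverse order (sample data)."""
    if compress:
        body = gzip.compress(body)
    hdr = b"HTTP/1.1 200 OK\r\n"
    if compress:
        hdr += b"Content-Encoding: gzip\r\n"
    raw = hdr + b"Content-Length: %d\r\n\r\n" % len(body) + body
    segs = [Segment(isn + i, raw[i:i + chunk]) for i in range(0, len(raw), chunk)]
    return segs[::-1]  # arrival order != sequence order, to exercise reassembly


def per_packet_scan(segments, sig=SIGNATURE):
    """Naive DPI: test each packet's payload on its own."""
    return any(sig in s.payload for s in segments)


def reassemble(segments, isn):
    """Order segments by sequence number, trim retransmitted overlap,
    and stop at the first gap (a missing segment) rather than guessing."""
    stream, expected = bytearray(), isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            break
        stream += seg.payload[expected - seg.seq:]
        expected = max(expected, seg.seq + len(seg.payload))
    return bytes(stream)


def stream_scan(segments, isn, sig=SIGNATURE):
    """Application-aware scan: reassemble the TCP stream, then decode the HTTP
    body according to its headers before matching the signature."""
    head, _, body = reassemble(segments, isn).partition(b"\r\n\r\n")
    if re.search(rb"^Content-Encoding:\s*gzip", head, re.I | re.M):
        body = gzip.decompress(body)
    return sig in body
```

With the plaintext sample the phrase straddles the 48-byte segment boundary, so the per-packet scan misses it; with the compressed sample no packet contains the phrase at all, and only the reassembling scanner finds it.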

7 Example Tools
DeepProbe-10: 4 10GbE inputs, 6 1GbE inputs
DeepProbe-1: 4 1GbE inputs
- Provided with software "surveillance modules" for specific applications
- Reconstructs the desired application information
- Maps different applications of like form (e.g., webmail, instant messengers) into a single canonical form
- Generally provisioned from elsewhere over a networked API, but also has a browser interface (e.g., for unpeeling the onion)

8 Example Filters
- Give me all the email to/from
- Get any Yahoo mail containing the phrase "U-238 enrichment"
- Give me any mail attachments sent by
- Give me just the to/from info on every email
- Give me all the presence information reported to Yahoo Messenger user glen_roberts
- Give me all the email downloaded by POP3 user glen_roberts
- Give me the to/from info from all calls associated with
- Give me all of the port 80 traffic from this specific cable modem address
- Let me know if ever sends a message with the URL in it.
- Watch all SMTP traffic for the appearance of this list of 1623 credit-card numbers and give me any mail that has one
- Give me the voice traffic of
- Give me the output stream of chat room Hacker's Lounge:1
- Give me all IM messages from
- Get me any IM message from containing "how old r u"

