Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensics Book 4: Investigating Network Intrusions and Cybercrime Chapter 4: Router Forensics.

Published byBathsheba Mason Modified over 8 years ago

Similar presentations

Presentation on theme: "Forensics Book 4: Investigating Network Intrusions and Cybercrime Chapter 4: Router Forensics."— Presentation transcript:

1 Forensics Book 4: Investigating Network Intrusions and Cybercrime Chapter 4: Router Forensics

2 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Objectives  Understand router architecture  Understand the use of Routing Information Protocol (RIP)  List the different types of router attacks  Differentiate router forensics from traditional forensics  List the steps for investigating router attacks  Conduct an incident response  Read router logs  List various router auditing tools

3 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Introduction to Router Forensics  Router  Network-layer device or software application that determines the next network point to which a data packet should be forwarded in a packet-switched network  Decides where to send information packets based on its current understanding of the state of the networks it is connected to, as well as the network portion of the Internet Protocol (IP) address  Routers use headers and forwarding tables to determine the best path for sending data packets

4 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Functions of a Router  Basic functions of a router:  Forwarding packets  Sharing routing information  Packet filtering  Network address translation (NAT)  Encrypting or decrypting packets in the case of virtual private networks (VPNs)  Overall, a router:  Is the backbone of a network and performs significant network functions  Has the additional responsibility of protocol interpretation

5 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Functions of a Router (continued)  A router in the OSI model  Operates at the network layer of the OSI model  Relays packets among multiple interconnected networks  Forwards the packets to the next router on the path until the destination is reached  Generally sends the packets through that particular route once the best route is identified  Router architecture  Memory  Hardware  IOS

6 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Functions of a Router (continued) Figure 4-1 Routers operate in the physical, data link, and network layers of the OSI model.

7 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Functions of a Router (continued)  The routing table and its components  Routing table  Database that stores the most efficient routes to particular network destinations  Components of a routing table  Address prefix specifying the address of the final destination of the packet  Interface on which the packets corresponding to the address prefix are transmitted  Next hop address specifying the address of the router to which a packet must be delivered en route to its final destination

8 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Functions of a Router (continued)  Components of a routing table (continued)  Preference value for choosing between several routes with similar prefixes  Route duration  Specification showing whether the route is advertised in a routing advertisement  Specification on how the route is aged  Route type  Routing Information Protocol (RIP)  Protocol used to manage router information within a self-contained network

9 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Router Vulnerabilities  Common router vulnerabilities are likely avenues for attack:  HTTP authentication vulnerability  NTP vulnerability  SNMP parsing vulnerability

10 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Router Attacks  Intruder that takes control of a router can perform many different attacks on a network  Can gain knowledge of all possible vulnerabilities in a network once the router has been accessed  Attacker who has gained access to a router can interrupt communication, disable the router, stop communication between compromised networks, as well as observe and record logs on both incoming and outgoing traffic  By compromising a router, attackers can avoid firewalls and intrusion detection systems (IDS), and can transmit any kind of traffic to a chosen network

11 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Types of Router Attacks  Denial-Of-Service (DoS) attacks  Render a router unusable for network traffic by overloading the router’s resources so that no one can access it  Goals: destruction, resource utilization, and bandwidth consumption  Packet-mistreating attacks  Compromised router mishandles or mistreats packets, resulting in congestion  Mistreated packet could invoke the following problems: denial of service, congestion, and lowering of connection throughput

12 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Types of Router Attacks (continued)  Routing table poisoning  One of the most prominent types of attacks  When an attacker maliciously alters, or poisons, a routing table, the routing-data update packets are also maliciously modified  Misconfigured packets produce false entries in the routing table, such as a false destination address  Hit-and-run attacks  Occur when an attacker injects a small number of bad packets into the router to exploit the network  Similar to a test attack: attacker gains knowledge of whether the network is online and functioning

13 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Types of Router Attacks (continued)  Persistent attacks  Attacker continuously injects bad packets into the router and exploits the vulnerabilities that are revealed during the course of the injection process  Can cause significant damage because the router can get flooded with packets and cease functioning due to the constant injection of packets  Comparatively easy to detect

14 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Router Forensics Versus Traditional Forensics  Router forensics does not differ much from traditional forensics  Except in some particular steps taken during investigations  During router investigations, the system needs to be online, whereas in traditional forensic investigations, the system needs to be powered off  System must be online so the forensic investigator can have exact knowledge of what type of traffic flows through the router

15 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigating Router Attacks  Guidelines:  Start with a security policy and develop a plan that includes collecting and defining data  Create a reconnaissance methodology that provides information about the target  Perform an analysis check to identify incidents and review default passwords and default information  Develop an attack strategy for analyzing commands to access the network, ACLs, firewalls, and protocols  Be careful while accessing the router  Intrusion analysis is vital to identifying the attacker and preventing the success of future attacks

16 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps  Seize the router and maintain the chain of custody  Investigator should seize the router so that nobody can change its configuration  Chain of custody  Record of seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence  Perform incident response and session recording  Router should not be rebooted unless absolutely necessary  Record all information and evidence acquired  No modifications should be made to the information and evidence acquired

17 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued) Figure 4-2 Chain of custody forms document the evidence- gathering phase of an investigation.

18 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued)  Incidents that should be handled in specific ways:  Direct-compromise incidents  Routing table manipulation  Theft of information  Denial of service  Access the router (guidelines)  Router must be accessed through the console  Record the entire console session  Record the actual time and the router time  Only show commands should be executed  Volatile information must be given priority

19 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued) Figure 4-3 Every step an investigator takes must be recorded.

20 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued)  Gather volatile evidence  Volatile evidence: evidence that can easily be lost during the course of a normal investigation  Items considered volatile evidence: Current Configuration, Access list, Time, and Log files  Methods to collect volatile evidence:  Direct access – carried out using show commands  Indirect access – carried out only if the attacker has changed the passwords by port-scanning every router IP

21 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued)  Identify the router configuration  Establish a connection to the router to retrieve the RAM and NVRAM  Use the encrypted protocol secure shell to remotely access the router if a direct connection is not possible  Log entire session with HyperTerminal  Capture and save the volatile and nonvolatile router configurations for documentation purposes  Examine and analyze  Once the volatile evidence has been secured and the configuration has been obtained, the investigator can begin to analyze the retrieved information

22 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued)  Router components that should be examined and analyzed:  Router configuration  Routing table  Access control list  Router logs: provide information about the router’s activities  Types of router logs:  Syslog log, log buffer, console lop, terminal log, SNMP log, and ACL violation log

23 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued) Figure 4-4 Router log files can tell an investigator where a connection originated.

24 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued) Figure 4-5 The ping command can be used to find a host name.

25 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued)  NETGEAR router logs  Can be used for monitoring network activities for specific types of attacks and reporting those attacks to a security monitoring program  Can be used to perform the following tasks:  Alert when someone on a LAN has tried to access a blocked WAN address  Alert when someone on the Internet has tried to access a blocked address in a LAN  Identify port scans, attacks, and administrative logins  Collect statistics on outgoing traffic  Assess whether keyword-blocking rules are excluding an undesired IP address

26 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued) Figure 4-6 NETGEAR router logs allow the user to apply various firewall rules.

27 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued) Figure 4-7 Entries indicating suspicious data being dropped are a possible indication of an attack.

28 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued)  Real-time forensics  Investigator should use the router to monitor the network, after removing or collecting the data from the compromised router  AAA logging gathers the following information:  Login time  Logout time  HTTP accesses  Privilege level changes  Commands executed

29 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Investigation Steps (continued)  Generate a report (steps)  Note the name of the investigator  List the router evidence  Document the evidence and other supporting items  Provide a list of tools used for the investigation  List the devices and setup used in the examination  Give a brief description of the examination steps  Provide the following details about the findings:  Information about the files  Internet-related evidence  Data and image analysis  Provide conclusions for the investigation

30 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Router Audit Tool (RAT) Figure 4-8 The RAT tool checks devices against settings in a benchmark.

31 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Link Logger Figure 4-9 Link Logger allows users to see and analyze firewall traffic.

32 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Sawmill Table 4-1 Sawmill stores these nonnumerical fields in its Linksys router database

33 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Summary  A router is a computer networking device that forwards data packets across networks  A router decides the most effective path for a packet to reach its final destination  A routing table is a database that stores the most efficient routes to particular network destinations  The types of router attacks are denial-of-service attacks, packet-mistreating attacks, routing table poisoning, hit-and-run attacks, and persistent attacks

34 Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited Summary (continued)  RIP sends routing update messages when the network topology changes  A router log shows whether anyone has been trying to get into a network  Investigators must be careful while accessing a router

Download ppt "Forensics Book 4: Investigating Network Intrusions and Cybercrime Chapter 4: Router Forensics."

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 4: Routing Concepts Routing Protocols.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 4: Routing Concepts Routing Protocols.
 WAN uses Serial ports  Ethernet Ports:  Straight through  Cross over.

 WAN uses Serial ports  Ethernet Ports:  Straight through  Cross over.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.

CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.
1 Semester 2 Module 4 Learning about Other Devices Yuda college of business James Chen

1 Semester 2 Module 4 Learning about Other Devices Yuda college of business James Chen
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Troubleshooting the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Troubleshooting the Network Connecting Networks.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Internetworking.

William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Internetworking.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
CCNA Guide to Cisco Networking Fundamentals Fourth Edition

CCNA Guide to Cisco Networking Fundamentals Fourth Edition
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
Connecting LANs, Backbone Networks, and Virtual LANs

Connecting LANs, Backbone Networks, and Virtual LANs

Similar presentations

Ads by Google