1. Digital Forensics Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Network and Application Forensics
September 28, 2011

2. Network Forensics Network Forensics Network Attacks Security Measures
Network Forensics and Tools
Types of Networks
Other info
Summary/Conclusion and Links
Special presentation of network forensic
sics/network_primer.pdf

3. Network Attacks
Denial of service Denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program.
These may be performed at the network layer by sending carefully crafted and malicious datagrams that cause network connections to fail.
They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning.
Preventing suspicious network traffic from reaching hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack.
It is useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.

4. Network Attacks
Spoofing This type of attack causes a host or application to mimic the actions of another.
Typically the attacker pretends to be an innocent host by following IP addresses in network packets.
For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers.
To protect against this type of attack, verify the authenticity of datagrams and commands.
Prevent datagram routing with invalid source addresses. Introduce unpredictablility into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.

5. Network Attacks Eavesdropping This is the simplest type of attack.
A host is configured to "listen" to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections.
Broadcast networks like Ethernet are especially vulnerable to this type of attack.
To protect against this type of threat, avoid use of broadcast network technologies and enforce the use of data encryption.
IP firewalling is very useful in preventing or reducing unauthorized access, network layer denial of service, and IP spoofing attacks.
It not very useful in avoiding exploitation of weaknesses in network services or programs and eavesdropping.

6. Securing a Network
Need measures to secure a network and prevent breaches
Apply patches; User a layered network defense strategy
NSA (National Security Agency) ahs developed DiD Defense in Depth) and has three models of protection
People, Technology, Operations
People: Employees are trained well
Technology: Strong network architecture and testing tools
Operations: applying security patches, anti-virus software, etc.

7. Network Security Mechanisms
Network security starts from authenticating any user, most likely a username and a password.
Once authenticated, a stateful firewall enforces access policies such as what services are allowed to be accessed by the network users
Though effective to prevent unauthorized access, this component fails to check potentially harmful contents such as computer worms being transmitted over the network.
An intrusion prevention system (IPS) helps detect and prevent such malware. IPS also monitors for suspicious network traffic for contents, volume and anomalies to protect the network from attacks such as denial of service.
Communication between two hosts using the network could be encrypted to maintain privacy.
Individual events occurring on the network could be tracked for audit purposes and for a later high level analysis.

8. Network Security Mechanisms
Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early- warning tools.
Techniques used by the attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques.
Such analysis could be used to further tighten security of the actual network being protected by the honeypot
Some tools: Firewall, Antivirus software and Internet Security Software. For authentication, use strong passwords and change it on a bi-weekly/monthly basis. When using a wireless connection, use a robust password. Network analyzer to monitor and analyze the network.

9. Network Forensics What is Network Forensics?
gci859579,00.html
Network Forensics Analysis
Relationship to Honeynets/Honeypots
Policies for Networks Forensics
Example Prototype System
Some Popular Networks Forensics Analysis Tools (NFAT)

10. What is Network Forensics
Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity.
Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
A network forensics appliance is a device that automates this process.
Wireless forensics is the process of capturing information that moves over a wireless network and trying to make sense of it in some kind of forensics capacity.

11. What is Network Forensics?
Network forensics systems can be one of two kinds:
"Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.
"Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

12. What is Network Forensics
Network Forensics is the process of collecting and analyzing raw network data and then tracking network traffic to determine how an attack took place
When intruders break into a network they leave a trail. Need to spot variations in network traffic; detect anomalies
Network forensics can usually help to determine whether network has been attacked or there is a user error
Examiners must establish standards procedures to carry out forensics

13. Network Analysis
Find analysis techniques developed for one type of network and apply it to another type of network
Types of networks
Computer and Communication Networks
Telecommunication Network
Transportation networks
Highways, Railroad, Air Traffic
Human networks
Terror networks, Relationship networks

14. Network Forensics Analysis Tools (NFAT): Relationships between IDS, Firewalls and NFAT
IDS attempts to detect activity that violates an organization’s security policy by implementing a set of rules describing preconfigures patterns of interest
Firewall allows or disallows traffic to or from specific networks, machine addresses and port numbers
NFAT synergizes with IDSs and Firewalls.
Preserves long term record of network traffic
Allows quick analysis of trouble spots identified by IDSs and Firewalls
NFATs must do the following:
Capture network traffic
Analyze network traffic according to user needs
Allow system users discover useful and interesting things about the analyzed traffic

15. NFAT Tasks Traffic Capture What is the policy?
What is the traffic of interest?
Intermal/Externasl?
Collect packets: tcpdump
Traffic Analysis
Sessionizing captured traffic (organize)
Protocol Parsing and analysis
Check for strings, use expert systems for analysis
Interacting with NFAT
Appropriate user interfaces, reports, examine large quantities of information and make it manageable

16. Network Forensics: NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows.
NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.
The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network.
The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).

17. Honeynets/Honeypots
Network Forensics and honeynet systems have the same features of collecting information about computer misuses
Honeynet system can lure attackers and gain information about new types of intrusions
Network forensics systems analyze and reconstruct he attack behaviors
These two systems integrated together build a active self learning and response system to profile the intrusion behavior features and investigate the original source of the attack.

18. Honeynet project
Honeynet project was established to make information about network attacks and solutions widely available
Objectives: Awareness, information, tools
Attacks: distributed Denial of Service, Zero day attacks
Honeypot is a computer set up to lure attackers
Honeywalls are computers set up to monitor what is happening to the honeypots in the network

19. Policies: Computer Attack Taxonomy
Probing
Attackers reconnaissance
Attackers create a profile of an organization's structure, network capabilities and content, security posture
Attacker finds the targets and devices plans to circumvent the security mechanism
Penetration
Exploit System Configuration errors and vulnerabilities
Install Trojans, record passwords, delete files, etc.
Cover tracks
Configure event logging to a previous state
Clear event logs and hide files

20. Policies to enhance forensics
Retaining information
Planning the response
Training
Accelerating the investigation
Preventing anonymous activities
Protect the evidence

21. Example Prototype System: Iowa State University
Network Forensics Analysis mechanisms should meet the following:
Short response times; User friendly interfaces
Questions addresses
How likely is a specific host relevant to the attack? What is the role the host played in the attack? How strong are two hosts connected to the attack?
Features of the prototype
Preprocessing mechanism to reduce redundancy in intrusion alerts
Graph model for presenting and interacting with th3 evidence
Hierarchical reasoning framework for automated inference of attack group identification

22. Example Prototype System: Modules
Evidence collection module
Evidence preprocessing module
Attack knowledge base
Assets knowledge base
Evidence graph generation module
Attack reasoning module
Analyst interface module
Reference
wang.pdf?key1= &key2= &coll=GUIDE&dl= GUIDE&CFID= &CFTOKEN=
hs.pdf

23. Network Tools
Network Forensics tools help in the monitoring of the network
Example: the records that Ps tools generate can prove that an employee ran a program without permission
Can also monitor machines/processes that may be harmful
Problem is the attacker can get administrator rights and start using the tools
Chapter 11 discusses tools for Windows and Linux

24. Some Popular Tools Raytheon’s SilentRunner
Gives administrators help as they attempt to protect their company’s assets
Collector, Analyzer and Visualize Modules
Sandstorm Enterprise’s NetIntercept
Hardware appliance focused on capturing network traffic
Niksun’s NetDetector
Its an appliance like NetIntercept
Has an alerting mechanism
Integrates with Cicso IDS for a complete forensic analysis

25. Network Forensics: Open Source Tools
Wireshark
Kismet
Snort
OSSEC
NetworkMiner is an open source Network Forensics Tool available at SourceForge.
Xplico is an Internet/IP Traffic Decoder (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6

26. Network Forensics: Commercial Tools
Deep Analysis Tools (data mining based tools)
E-Detective
ManTech International Corporation
Network Instruments
NIKSUN's NetDetector
PacketMotion
Sandstorm's NetIntercept
Mera Systems NetBeholder
InfoWatch Traffic Monitor

27. Network Forensics: Commercial Tools
Flow-Based Systems
Arbor Networks
GraniteEdge Networks
Lancope
Mazu Networks
Hybrid Systems
These systems combine flow analysis, deep analysis, and security event monitoring and reporting.
Q1 Labs

28. Performing Live Acquisitions
Insert bootable forensics CD in the suspect system
Keep a log of all the actions
Send collected information to a network drive
Copy the physical memory
Determine if root kit is present; access system’s firmware, - -
Get forensics hash value of all files

29. Performing Live Acquisitions: Windows
Setup NetCat listener to send the forensics data
Load Helix CD in the CD-ROM drive
Click appropriate buttons – System Information; Glad arrow etc
Click Acquire Live Image if Widows System
Connect to NetCat listener to send the collected data (e.g., enter IP address of NetCat listener)
Click Incidence Response Tools
Click on appropriate tools to collect data

30. Standard procedures
Standard installation image, hash schemes (e.g., MD5, SHA-1)
Fix vulnerabilities if intrusion is detected
Retrieve volatile data (RAM, processes)
Acquire compromised drive and make forensics image of it
Compare forensics image and standard image and determine if anything has changed

31. Network Logs Network logs record traffic in and out of network
Network servers, routers, firewalls record activities and events that move through them
One ways is to run Tcpdump
When viewing network log, port information can give clues about suspicious activity
Use network analysis tool

32. Packet Sniffers Devices or software to monitor (sniff) traffic
TCP/IP sniffers operate at the Packet level; in OSI operates at the Layer 2 or 3 level (e.g. Data link or Network layers)
Some sniffers perform packet captures, some perform analysis and some perform both
Tools exist for examining (i) packets with certain flags set (ii) headers (iii) IRC chats

33. Summary
Network Forensics is the process of collecting and analyzing raw network data and then tracking network traffic to determine how an attack took place
Layered defense strategies to the network architecture
Live acquisitions are needed to retrieve volatile items
Standard procedure are needed to establish how to proceed after a network attack occurs
By monitoring network traffic can establish normal operations; then determine if there is an anomaly
Network tools used to monitor networks; but intruders can get admin rights to attack from the inside
Tools are available for monitoring network traffic for both Windows and Linux systems
Honeynet project enables people to learn latest intrusion techniques

34. Links http://dfrws.org/
ieee.pdf
work_primer.pdf
ren.pdf?key1= &key2= &coll=GUIDE&dl=GUIDE&C FID= &CFTOKEN=

35. Application Forensics
Forensics
UTD work on worm detection - revisited
Mobile System Forensics
Note: Other Application/systems related forensics
Database forensics, Network forensics (already discussed)
Military Forensics Overview
Optional paper to read:

36. Email Forensics Email Investigations Client/Server roles
crimes and violations
servers
forensics tools

37. Email Investigations Types of email investigations
s have worms and viruses – suspicious s
Checking s in a crime – homicide
Types of suspicious s
Phishing s i- they are in HTML format and redirect to suspicious web sites
Nigerian scam
Spoofing s

38. Client/Server Roles Client-Server architecture
servers runs the server programs – example Microsoft Exchange Server
runs the client program – example Outlook
Identitication/authntictaion is used for client to access the server
Intranet/Internet servers
Intranet – local environment
Internet – public: example: yahoo, hotmail etc.

39. Email Crimes and Violations
Goal is to determine who is behind the crime such as who sent the
Steps to forensics
Examine message
Copy message – also forward
View and examine header: tools available for outlook and other clients
Examine additional files such as address books
Trace the message using various Internet tools
Examine network logs (netflow analysis)
Note: UTD Netflow tools SCRUB are in SourceForge

40. Servers
Need to work with the network administrator on how to retrieve messages from the server
Understand how the server records and handles the messages
How are the logs created and stored
How are deleted messages handled by the server? Are copies of the messages still kept?
Chapter 12 discussed servers by UNIX, Microsoft, Novell

41. Forensics Tools
Several tools for Outlook Express, Eudora Exchange, Lotus notes
Tools for log analysis, recovering deleted s,
Examples:
AccessData FTK
FINAL
EDBXtract
MailRecovery

42. Worm Detection: Introduction
What are worms?
Self-replicating program; Exploits software vulnerability on a victim; Remotely infects other victims
Evil worms
Severe effect; Code Red epidemic cost $2.6 Billion
Goals of worm detection
Real-time detection
Issues
Substantial Volume of Identical Traffic, Random Probing
Methods for worm detection
Count number of sources/destinations; Count number of failed connection attempts
Worm Types
worms, Instant Messaging worms, Internet worms, IRC worms, File- sharing Networks worms
Automatic signature generation possible
EarlyBird System (S. Singh -UCSD); Autograph (H. Ah-Kim - CMU)

43. Email Worm Detection using Data Mining
Task:
given some training instances of both “normal” and “viral” s,
induce a hypothesis to detect “viral” s.
We used:
Naïve Bayes
SVM
Outgoing s
The Model
Test data
Feature extraction
Classifier
Machine Learning
Training data
Clean or Infected ?

44. Assumptions Features are based on outgoing emails.
Different users have different “normal” behaviour.
Analysis should be per-user basis.
Two groups of features
Per (#of attachments, HTML in body, text/binary attachments)
Per window (mean words in body, variable words in subject)
Total of 24 features identified
Goal: Identify “normal” and “viral” s based on these features

45. Feature sets Per email features Binary valued Features
Presence of HTML; script tags/attributes; embedded images; hyperlinks;
Presence of binary, text attachments; MIME types of file attachments
Continuous-valued Features
Number of attachments; Number of words/characters in the subject and body
Per window features
Number of s sent; Number of unique recipients; Number of unique sender addresses; Average number of words/characters per subject, body; average word length:; Variance in number of words/characters per subject, body; Variance in word length
Ratio of s with attachments

46. Data Mining Approach Classifier Clean/ Infected Test instance
SVM
infected?
Naïve Bayes
Test instance
Clean?
Clean

47. Data set Collected from UC Berkeley.
Contains instances for both normal and viral s.
Six worm types:
bagle.f, bubbleboy, mydoom.m,
mydoom.u, netsky.d, sobig.f
Originally Six sets of data:
training instances: normal (400) + five worms (5x200)
testing instances: normal (1200) + the sixth worm (200)
Problem: Not balanced, no cross validation reported
Solution: re-arrange the data and apply cross-validation

48. Our Implementation and Analysis
Naïve Bayes: Assume “Normal” distribution of numeric and real data; smoothing applied
SVM: with the parameter settings: one-class SVM with the radial basis function using “gamma” = and “nu” = 0.1.
Analysis
NB alone performs better than other techniques
SVM alone also performs better if parameters are set correctly
mydoom.m and VBS.Bubbleboy data set are not sufficient (very low detection accuracy in all classifiers)
The feature-based approach seems to be useful only when we have
identified the relevant features
gathered enough training data
Implement classifiers with best parameter settings

49. Mobile Device/System Forensics
Mobile device forensics overview
Acquisition procedures
Summary

50. Mobile Device Forensics Overview
What is stored in cell phones
Incoming/outgoing/missed calls
Text messages
Short messages
Instant messaging logs
Web pages
Pictures
Calendars
Address books
Music files
Voice records

51. Mobile Phones Multiple generations
Analog, Digital personal communications, Third generations (increased bandwidth and other features)
Digital networks
CDMA, GSM, TDMA, - - -
Proprietary OSs
SIM Cards (Subscriber Identity Module)
Identifies the subscriber to the network
Stores personal information, addresses books, etc.
PDAs (Personal digital assistant)
Combines mobile phone and laptop technologies

52. Acquisition procedures
Mobile devices have volatile memory, so need to retrieve RAM before losing power
Isolate device from incoming signals
Store the device in a special bag
Need to carry out forensics in a special lab (e.g., SAIAL)
Examine the following
Internal memory, SIM card, other external memory cards, System server, also may need information from service provider to determine location of the person who made the call

53. Mobile Forensics Tools
Reads SIM Card files
Analyze file content (text messages etc.)
Recovers deleted messages
Manages PIN codes
Generates reports
Archives files with MD5, SHA-1 hash values
Exports data to files
Supports international character sets

54. Information Warfare Information Warfare
Defensive Strategies for Government and Industry
Military Tactics
Terrorism and Information Warfare
Tactics of Private Corporations
Future IW strategies
Surveillance Tools
The Victims of Information Warfare
Military Forensics
Relevant Papers

55. What is Information Warfare?
Information warfare is the use and management of information in pursuit of a competitive advantage over an opponent. Information warfare may involve collection of tactical information, assurance that one's own information is valid, spreading of propaganda or disinformation to demoralize the enemy and the public, undermining the quality of opposing force information and denial of information collection opportunities to opposing forces.

56. Defensive Strategies for Government and Industry
Are US and Foreign governments prepared for Information Warfare
According to John Vacca, US will be most affected with 60% of the world’s computing power
Stealing sensitive information as well as critical, information to cripple an economy (e.g., financial information)
What have industry groups done
IT-SAC: Information Technology Information Sharing and Analysis
Will strategic diplomacy help with Information Warfare?
Educating the end user is critical according to John Vacca

57. Defensive Strategies for Government and Industry
What are International organizations?
Think Tanks and Research agencies
Book cites several countries from Belarus to Taiwan engaged in Economic Espionage and Information Warfare
Risk-based analysis
Military alliances
Coalition forces – US, UK, Canada, Australia have regular meetings on Information Warfare
Legal implications
Strong parallels between National Security and Cyber Security

58. Military Tactics Supporting Technologies
Agents, XML, Human Computer Interaction
Military tactics
Planning, Security, Intelligence
Tools
Offensive Ruinous IW tools
Launching massive distributed denial of service attacks
Offensive Containment IW tools
Operations security, Military deception, Psychological operations, Electronic warfare (use electromagnetic energy), Targeting: Disable enemy's C2 (c0mmand and control) system and capability

59. Military Tactics Tools (continued) Defensive Preventive IW Tools
Monitor networks
Defensive Ruinous IW tools
Information operations
Defensive Responsive Containment IW tools
Handle hacking, viruses.
Other aspects
Dealing with sustained terrorist IW tactics, Dealing with random terrorist IW tactics

60. Terrorism and Information Warfare
Terrorists are using the web to carry out terrorism activities
What are the profiles of terrorists? Are they computer literate?
Hacker controlled tanks, planes and warships
Is there a Cyber underground network?
What are their tools?
Information weapons, HERF gun (high power radio energy at an electronic target), Electromagnetic pulse. Electric power disruptive technologies
Why are they hard to track down?
Need super forensics tools

61. Tactics of Private Corporations
Defensive tactics
Open course intelligence, Gather business intelligence
Offensive tactics
Packet sniffing, Trojan horse etc.
Prevention tactics
Security techniques such as encryption
Survival tactics
Forensics tools

62. Future IW Tactics Electromagnetic bomb
Technology, targeting and delivery
Improved conventional method
Virus, worms, trap doors, Trojan horse
Global positioning systems
Nanotechnology developments
Nano bombs

63. Surveillance Tools Data emanating from sensors:
Video data, surveillance data
Data has to be analyzed
Monitoring suspicious events
Data mining
Determining events/activities that are abnormal
Biometrics technologies
Privacy is a concern

64. Victims of Information Warfare
Loss of money and funds
Loss of shelter, food and water
Spread of disease
Identity theft
Privacy violations
Death and destruction
Note: Computers can be hacked to loose money and identity; computers can be used to commit a crime resulting in death and destruction

65. Military Forensics CFX-2000: Computer Forencis Experiment 2000
Information Directorate (AFRL) partnership with NIJ/NLECTC
Hypothesis: possible to determine the motives, intent, targets, sophistication, identity and location of cyber terrorists by deploying an integrated forensics analysis framework
Tools included commercial products and research prototypes
appb.pdf

66. Digital Forensics Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Appendix
Social Network Analysis and Forensics
October 8, 2010