Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.

Published byJasmin Anthony Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion."— Presentation transcript:

1 Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion

2 OSI Layers Taken from Forouzan: TCP/IP Protocol Suite

3 Source to Destination Delivery Taken from Forouzan: TCP/IP Protocol Suite

4 Physical Addresses A node with physical address 10 sends a frame to a node with physical address 87. The two nodes are connected by a link. At the data link level this frame contains physical (link) addresses in the header. These are the only addresses needed. The rest of the header contains other information needed at this level. The trailer usually contains bits needed for error detection. Taken from Forouzan: TCP/IP Protocol Suite

5 Physical Addresses Also called mac addresses... Most local area networks use a 48-bit (6 bytes) physical address written as 12 hexadecimal digits, with every byte separated by a colon as shown below: 7B : 05 : 4C : A9 : 62 : 83

6 IP Addresses As the message moves through the Internet, notice how the IP addresses stay the same, but the physical addresses change. Why are physical addresses not sufficient? Taken from Forouzan: TCP/IP Protocol Suite

7 IP Addresses Also called network address, logical address An Internet address (network address, logical address) is 32 bits in length, normally written as four decimal numbers, with each number representing 1 byte. The numbers are separated by a dot, thus the notation is often called dotted decimal notation. 179. 84. 31. 8

8 Port Addresses A port address uniquely identifies a network application such as http, email, ftp, etc. and is a 16-bit decimal number such as 176. Taken from Forouzan: TCP/IP Protocol Suite

9 Collecting Network-Based Evidence  Types of NBE Full content data  Every packet is captured  Excellent for analysis, but requires much work Session data  Summaries of data transfer, including time and duration of transfer, and parties involved Alert data  Responding to occurrence of a keyword (shipment) Statistical data  Examining which services or protocols are being used more and for longer periods of time

10 Evidence Collection  NBE collected: Before a compromise: proactive network security monitoring (NSM) During a compromise: reactive NSM

11 Standard Intrusion Attack  Intrusion Phases 1.Reconnaissance: intruder (1 st IP address) checks connectivity and vulnerabilities of Web server (victim) 2.Exploitation: launch attack from 2 nd IP address against Web server 3.Reinforcement: store tools at 3 rd IP address, connect to Web server (backdoor) 4.Consolidation: intruder communicates with backdoor using 4 th IP address 5.Pillage: sensitive information is stolen, or base built for further attacks Taken from Jones, et al Real Digital Forensics

12 Attack Phases IP Address 5? IP Address 4 IP Address 3 IP Address 2 IP Address 1 Victim Phase 1: Reconnaissance Phase 5: Pillage Phase 4: Consolidation Phase 3: Reinforcement Phase 2: Exploitation

13 Gaining access to network traffic  Hubs A hub forwards a packet to all ports other than the one that received it, thus, all traffic passing by can be seen and collected  Taps Test Access Ports are placed between a firewall and router or between switches; cost is ~ 4 or 5 times that of hubs  Inline device – homemade tap; computer that supports bridging  Switched Port Analyzer (SPAN port) – copy to a mirror port on the switch

14 Tools  Full Content: Tcpdump, Ethereal, Flowgrep, hexdump  Session: Argus can also run in live mode, Tcptrace  Alert: Snort, Bro  Statistical: Tcpdstat, Tcpstat

15 Windows Intrusion  Situation BankTwo collected network-based evidence while troubleshooting a network problem. The bank did not have a full suite of security monitoring tools, but it was collecting full content data to learn about the network’s performance. Tcpdump was running on a Linux monitoring platform sitting on a hub with visibility to the victim system 103.98.91.41.

16 Using Tcpdump The command used: tcpdump –n –i eth0 –s 1515 –w capture_file.lpc -n disables translation of IP addresses to host names and port numbers to service names -i eth0 specifies running against the promiscuous interface (receives all packets on the network segment) -w capture_file.lps writes the output to a file on the monitoring station’s hard drive

17 Statistical Data using Tcpdstat The command: tcpdstat s2a.lpc > s2a.tcpdstat.txt Generates: number of packets, average rate, # of source and destination pairs and protocols used DumpFile: s2a.lpc FileSize: 8.21MB Id: 200309231852 StartTime: Tue Apr 08 12:03:29 2009 EndTime: Tue Apr 08 12:03:29 2009 TotalTime: # of packets: 26084 (7.81MB) AvgRate: 1.10Mbps stddev:0.56M ### IP address information ### # of IPv4 addresses: 4 File size Rate

18 Statistical Data using Tcpdstat ### Protocol Breakdown ### protocolpacketsbytesbytes/pkt ----------------------------------- [0]total26084 (100%)8187014 (100%)313.87 [1]ip26084 (100%)8187014 (100%)313.87 [2]tcp26077 (99.97%)8186206 (99.9%)313.92 [3] http(s)11344 (43.49%)6914617 (84.46%)609.54 [3]http(c)11491 (44.05%)1076775 (13.15%) 93.71 [3]squid 4 (0.02%) 240 (0.00%) 60.00 [3]smtp 3 (0.01%) 180 (0.00%) 60.00 [3]ftp 2 (0.01%) 120 (0.00%) 60.00 [3]telnet 2 (0.01%) 120 (0.00%) 60.09... [3]other 3213 (12.32%) 193074 (2.36%) 60.00 [3]udp 4 (0.02%) 618 (0.01%) 154.50... Notice web servers sending 43.49% of packets, web clients sending 44.05%, and “other” sending 12.32%.

19 Alert data using Snort [**] [1:1668:5] WEB-CGI /cgi/bin/ access [**] [Classification: Web Application Attack] [Priority:1] 04/08-12:03:29 322441 95.16.3.79:51767 -> 103.98.91.41:80 TCP TTL:63 TOS:0x0 ID:13538 IpLen:20 DgmLen:181 DF ***AP*** Seq: 0xA50D689C Ack: 0x1EDB04F1 Win: 0x8218 TcpLen:32 TCP Options (3) => NOP NOP TS: 1462497415 0 [**] [1:1201:6] ATTACK RESPONSES 403 FORBIDDEN [**] [Classification: Attempted Information Leak] [Priority:2] 04/08-12:03:29 421027 103.98.91.41:80 -> 95.16.3.79:51773 -> 103.98.91.41:80 TCP TTL:128 TOS:0x0 ID:516 IpLen:20 DgmLen:386 DF ***AP*** Seq: 0x1EDFB033 Ack: 0x7E945F39 Win: 0x43EF TcpLen:32 TCP Options (3) => NOP NOP TS: 120360 1462497415 Source IP @ is 95.16.3.79 and destination is 103.98.91.41 – the victim Web server. This looks like pre-attack reconnaissance against the Web server.

20 Session data using Argus Transform the data into session data: argus –d -r s2a.lpc –w s2a.argus// -d run in background // -r read from filename //-w write Argus results to file Next, run Argus’ ra client to view it in text-based form: ra –a –c –n –r s2a.argus | grep –v drops > s2a.argus.all.txt // -a give summary statistics // -c count bytes in packets // grep –v remove status rpt DateTimeProtoSourceIP.PortDestIP.Port SrcPktsDstPkts SrcBytes DestBytes Session Close 08 Apr 09 12:03:29tcp95.16.3.23.1044 ->103.98.91.41.80 67 906 4909EST 08 Apr 09 12:04:41tcp95.16.3.70.53236 ->103.98.91.41.80 66 545 3791FIN...scanning for web vulnerabilities

21 Session data using Argus...later DateTimeProtoSourceIP.PortDestIP.Port SrcPktsDstPkts SrcBytes DestBytes Session Close 08 Apr 09 12:04:41tcp95.16.3.23.47990 ->103.98.91.41.1359 11 54 54RST 08 Apr 09 12:04:41tcp95.16.3.70.47990 ->103.98.91.41.305 11 54 54RST 08 Apr 09 12:04:41tcp95.16.3.23.47990 ->103.98.91.41.698 11 54 54RST 08 Apr 09 12:04:41tcp95.16.3.70.47990 ->103.98.91.41.155 11 54 54RST... Notice that only the port number differs in each transmission. This pattern indicates port scanning, searching for open ports. If one is found open, the sender could try to make a connection...

Download ppt "Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion."

Similar presentations

F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE)
F4-analyzing Network-based evidence for a windows intrusion Dr. John P. Abraham Professor UTPA.

F4-analyzing Network-based evidence for a windows intrusion Dr. John P. Abraham Professor UTPA.
Chapter 2 Network Models.

Chapter 2 Network Models.
Chapter 2 Network Models.

Chapter 2 Network Models.
The OSI Model and the TCP/IP Protocol Suite

The OSI Model and the TCP/IP Protocol Suite
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 2 The OSI Model and the TCP/IP.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 2 The OSI Model and the TCP/IP.
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
Introduction To Networking

Introduction To Networking
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems

Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
Lecturer: Tamanna Haque Nipa

Lecturer: Tamanna Haque Nipa
The OSI Model and the TCP/IP Protocol Suite

The OSI Model and the TCP/IP Protocol Suite
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Computer Communication and Networks Muhammad Waseem Iqbal Lecture # 07.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Computer Communication and Networks Muhammad Waseem Iqbal Lecture # 07.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 12 Transmission Control Protocol (TCP) Basics.

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 12 Transmission Control Protocol (TCP) Basics.
Module 1: Reviewing the Suite of TCP/IP Protocols.

Module 1: Reviewing the Suite of TCP/IP Protocols.
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
Forensic and Investigative Accounting

Forensic and Investigative Accounting
COEN 252 Computer Forensics

COEN 252 Computer Forensics
 TCP/IP is the communication protocol for the Internet  TCP/IP defines how electronic devices should be connected to the Internet, and how data should.

 TCP/IP is the communication protocol for the Internet  TCP/IP defines how electronic devices should be connected to the Internet, and how data should.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Chapter 2 The OSI Model and TCP/IP Protocol Suite.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Chapter 2 The OSI Model and TCP/IP Protocol Suite.
Chapter 9.

Chapter 9.

Similar presentations

Ads by Google