Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensics Book 4: Investigating Network Intrusions and Cybercrime

Published byRosalind Ramsey Modified over 8 years ago

Similar presentations

Presentation on theme: "Forensics Book 4: Investigating Network Intrusions and Cybercrime"— Presentation transcript:

1 Forensics Book 4: Investigating Network Intrusions and Cybercrime
Chapter 2: Investigating Network Traffic

2 Objectives Understand network protocols
Understand the physical and data link layers of the OSI model Understand the network and transport layers of the OSI model Describe types of network attacks Understand the reasons for investigating network traffic

3 Objectives (continued)
Perform evidence gathering via sniffing Describe the tools used in investigating network traffic Document the evidence gathered on a network Reconstruct evidence for an investigation

4 Case Example Jessica, a university student, was known to be an introvert among her peers She used to live with her father One day, Jessica left a note for her father mentioning that she was going to meet her old school friend and would be back by the end of the week Two weeks later, Jessica’s dead body was found near a dumping ground near her university campus Jessica’s system logs showed that Jessica frequented Web sites related to bondage and sex Further investigations revealed her address

5 Case Example (continued)
The investigators traced the service provider of the unknown person The trace revealed that the address belonged to a man named Nichol The investigators analyzed Nichol’s computer after the state judiciary granted them permission to do so They found pornography and materials related to bondage and murder on Nichol’s computer Nichol was questioned and after long hours of investigation, he broke down and admitted to the crime

6 Network Addressing Schemes
Two methods of network addressing: LAN addressing Internetwork addressing

7 LAN Addressing Local area network (LAN)
Set of host machines in a relatively contiguous area, allowing for high data transfer rates among hosts on the same IP network Each node in the LAN has a unique MAC (media access control) address assigned to the NIC MAC address Unique 48-bit serial number assigned to each NIC, providing a physical address to the host machine Network interface card (NIC) Piece of hardware used to provide an interface between a host machine and a computer network

8 LAN Addressing (continued)
Types of MAC addresses: Static Configurable Dynamic Packets are either addressed to one node or, in the case of broadcasting, to all the nodes in the LAN Broadcasting is often used to discover the services or devices on the network

9 Internetwork Addressing
Used in a network where a number of LANs or other networks are connected with the help of routers Each network in this Internetwork has a unique network ID or network address known as the host address or node ID Routers use these addresses when data packets are transmitted from a source to its target Internetwork address is a combination of both a network address and host address

10 OSI Reference Model OSI model consists of seven layers
Each layer contains a set of similar functions and provides services to the layer above it The OSI reference model is based on the following principles: Every layer has a fully defined function The boundaries of the layers have been designed to reduce the flow of information in the interface When an additional level of abstraction is required, then a layer is created Each layer contains the functions of the international standardized protocol

11 OSI Reference Model (continued)
Figure 2-1 The OSI protocol stack consists of seven layers.

12 Overview of Network Protocols
In the seven layers of the OSI model, protocols exist in only six layers The physical layer contains no network protocols

13 Data Link Layer Main protocols include: Point-to-Point Protocol (PPP)
Serial Line Internet Protocol (SLIP) Address Resolution Protocol (ARP)

14 Network Layer Main protocols include:
RARP (Reverse Address Resolution Protocol) ICMP (Internet Control Message Protocol) IGMP (Internet Group Management Protocol) IP (Internet Protocol)

15 Transport Layer Main protocols include: UDP (User Datagram Protocol)
TCP (Transmission Control Protocol)

16 Session Layer, Presentation Layer, and Application Layer
Main protocols include: HTTP (Hypertext Transfer Protocol) SMTP (Simple Mail Transfer Protocol) NNTP (Network News Transfer Protocol) Telnet FTP (File Transfer Protocol) SNMP (Simple Network Management Protocol) TFTP (Trivial File Transfer Protocol)

17 Session Layer, Presentation Layer, and Application Layer (continued)
Figure 2-2 Different protocols are used in different layers in the TCP/IP model.

18 Overview of Physical and Data Link Layers of the OSI Model
Physical layer Transmits raw bits over a communication channel Design must ensure that when one side sends a 1 bit, the other side should receive that bit as a 1 bit Deals with the mechanical, electrical, and procedural interfaces, and the physical transmission medium, which are all below the physical layer Data link layer Breaks the raw transmission bits into data frames Sequentially broadcasts the frames Creates and recognizes frame boundaries

19 Overview of Network and Transport Layers of the OSI Model
Network layer Takes care of the delivery of data packets from the source to the destination Provides the logical address of the sender and receiver in the header of the data packet Checks the integrity of the transferred data Transport layer Takes care of the entire message that is transferred from the source to the destination Takes care of error correction and flow control of the message

20 Types of Network Attacks
Main categories of attacks launched against networks: IP spoofing Router attacks Eavesdropping Denial of service Man-in-the-middle attack Sniffing Data modification

21 Why Investigate Network Traffic?
Reasons investigators analyze network traffic include: Locate suspicious network traffic Know which network is generating the troublesome traffic and where the traffic is being transmitted to or received from Identify network problems

22 Evidence Gathering at the Physical Layer
Computer connected to a LAN has two addresses: MAC address IP address Two basic types of Ethernet environments: Shared Ethernet Switched Ethernet

23 Shared Ethernet Every machine receives packets that are meant for one machine Sniffer ignores this rule and accepts all frames by putting the NIC into promiscuous mode Promiscuous mode Mode of a network interface card in which the card passes all network traffic it receives to the host computer, rather than only the traffic specifically addressed to it Passive sniffing is possible in a shared Ethernet environment, but it is difficult to detect

24 Switched Ethernet Hosts are connected to a switch
Switch does not broadcast to all computers but sends the packets to the appropriate destination only Sniffing by putting the NIC into promiscuous mode does not work in this type of environment SPAN (Switched Port Analyzer) port Port that is configured to receive all the packets sent by any source port Special switches are available that can be configured to allow sniffing at the switch that can even capture local traffic

25 DNS Poisoning Techniques
DNS (Domain Name Service) Service that translates domain names into IP addresses DNS poisoning Process in which an attacker provides fake data to a DNS server for the purpose of misdirecting users Types of DNS poisoning: Intranet DNS spoofing (local network) Internet DNS spoofing (remote network) Proxy server DNS poisoning DNS cache poisoning

26 Intranet DNS Spoofing (Local Network)
Figure 2-3 An attacker must be connected to the LAN to perform intranet DNS spoofing.

27 Internet DNS Spoofing (Remote Network)
Figure 2-4 An attacker uses a Trojan to perform Internet DNS spoofing.

28 Proxy Server DNS Poisoning
Figure 2-5 An attacker uses a Trojan to change the proxy server settings on a machine during a proxy server DNS poisoning attack.

29 DNS Cache Poisoning Attacker exploits a flaw in the DNS server software that can make it accept incorrect information If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source Server will end up caching the incorrect entries locally and serve them to users that make the same request

30 Evidence Gathering from ARP Table
Figure 2-6 The arp -a command displays the ARP table in Windows.

31 Evidence Gathering at the Data Link Layer: DHCP Database
DHCP database provides a means of determining the MAC address associated with the computer in custody Database helps DHCP conclude the MAC address in case DHCP is unable to maintain a permanent log of requests DHCP server maintains a list of recent queries along with the MAC address and IP address Database can be queried by giving the time duration during which the given IP address accessed the server

32 Gathering Evidence from an IDS
Administrator can configure an intrusion detection system (IDS) to capture network traffic when an alert is generated This data is not a sufficient source of evidence because there is no way to perform integrity checks on the log files Preserving digital evidence is difficult Investigators can record examination results from networking through a serial cable and software Such as the Windows HyperTerminal program or a script on UNIX

33 Tool: Tcpdump Powerful tool that extracts network packets and performs statistical analysis on those dumps Operates by putting the network card into promiscuous mode Tcpdump report consists of the following: Captured packet count Received packet count Count of packets dropped by kernel Supported by various platforms

34 Tool: Tcpdump (continued)
Figure 2-7 Tcpdump shows information about all the packets that come through the network interface.

35 Tool: WinDump Port of Tcpdump for the Windows platform
WinDump is fully compatible with Tcpdump Can be used to watch and diagnose network traffic according to various complex rules WinDump is simple to use and works at the command-line level

36 Tool: WinDump (continued)
Figure 2-8 WinDump displays more verbose information when the user specifies the -vv option.

37 Tool: NetIntercept Network analysis tool
Captures LAN traffic using a standard Ethernet interface card placed in promiscuous mode and a modified UNIX kernel Performs stream reconstruction on demand

38 Tool: NetIntercept (continued)
Figure 2-9 NetIntercept captures traffic continuously.

39 Tool: NetIntercept (continued)
Figure 2-10 A user can look at the contents of a connection once it has been identified.

40 Tool: Wireshark Formerly known as Ethereal
GUI-based network protocol analyzer Lets the user interactively browse packet data from a live network or from a previously saved capture file Wireshark’s native capture file format is the libpcap format Also the format used by Tcpdump and various other tools

41 Tool: Wireshark (continued)
Figure 2-11 Wireshark can show information about all captured packets.

42 Tool: CommView Figure 2-12 CommView shows detailed information about every captured packet.

43 Tool: SoftPerfect Network Protocol Analyzer
Figure 2-13 SoftPerfect Network Protocol Analyzer displays information about all packets captured from the network.

44 Tool: HTTP Sniffer Figure 2-15 HTTP Sniffer displays information about captured HTTP packets.

45 Tool: EtherDetect Packet Sniffer
Figure 2-16 EtherDetect Packet Sniffer provides syntax highlighting for application data, including HTTP data, as shown here.

46 Tool: OmniPeek Figure 2-17 OmniPeek provides different views of captured packets.

47 Tool: OmniPeek (continued)
Figure 2-18 OmniPeek provides users with visuals concerning network traffic.

48 Tool: Iris Network Traffic Analyzer
Figure 2-19 Iris Network Traffic Analyzer allows a user to view details about captured packets.

49 Tool: SmartSniff Figure 2-20 SmartSniff shows ASCII views of network conversations for textbased protocols.

50 Tool: NetSetMan Figure 2-21 NetSetMan allows a user to switch between sets of network settings.

51 Tool: Distinct Network Monitor
Figure 2-22 Distinct Network Monitor displays live network traffic statistics.

52 Tool: MaaTec Network Analyzer
Figure 2-23 MaaTec Network Analyzer can color-code data based on different criteria.

53 Tool: ntop Figure 2-24 ntop displays network statistics on a Web page.

54 Tool: EtherApe Figure 2-25 EtherApe creates a graphical display of network traffic.

55 Tool: Colasoft Capsa Network Analyzer
Figure 2-26 Colasoft Capsa Network Analyzer provides statistics about network traffic.

56 Tool: Colasoft EtherLook
Figure 2-27 Colasoft EtherLook displays all the data received by every host in a LAN.

57 Tool: AnalogX PacketMon
Figure 2-28 AnalogX PacketMon can show detailed information about packets.

58 Tool: BillSniff Figure 2-29 BillSniff allows a user to view hexadecimal and ASCII versions of packets.

59 Tool: IE HTTP Analyzer Figure 2-30 IE HTTP Analyzer displays its information in a separate frame within Internet Explorer.

60 Tool: EtherScan Analyzer
Network traffic and protocol analyzer Captures and analyzes packets sent over a local network Decodes the major protocols and is capable of reconstructing TCP/IP sessions

61 Tool: Sniphere Figure 2-31 Sniphere can filter traffic based on several criteria.

62 Tool: IP Sniffer Figure 2-32 IP Sniffer provides graphical statistics about network traffic.

63 Tool: Atelier Web Ports Traffic Analyzer
Figure 2-33 Atelier Web Ports Traffic Analyzer shows hexadecimal and ASCII versions of the content of packets.

64 Tool: IPgrab IPgrab Packet sniffer for UNIX hosts
Provides a verbose mode that displays a great amount of information about packets Also provides a minimal mode in which all information about all parts of a packet is displayed in a single line of text

65 Tool: Nagios Figure 2-35 Nagios can display details about the current network status.

66 Tool: Give Me Too Figure 2-36 Using Give Me Too, users can open files that have been transferred over the network.

67 Tool: Sniff-O-Matic Figure 2-37 Sniff-O-Matic shows the entire contents of each packet.

68 Tool: EtherSnoop Figure 2-38 EtherSnoop allows users to choose which packets to see in a more detailed view.

69 Tool: GPRS Network Sniffer: Nokia LIG
Figure 2-39 The LIC, LIB, and LIE all work together in the Nokia LIG.

70 Tool: Siemens Monitoring Center
Designed for law enforcement and government security agencies Permits integration within all telecommunications networks that use any type of modern standardized equipment compatible with an ETSI recommendation With the help of the Siemens Intelligence Platform Analysts may find meaning among large reams of irrelevant data Intelligence Platform Means to organize disparate pieces of information for the law enforcement and security agencies so decision makers can act upon the information

71 Tool: NetWitness Figure 2-40 NetWitness allows users to view files captured from other machines on the network.

72 Tool: NetResident Figure 2-41 Users can view reconstructed Web pages using NetResident.

73 Tool: InfiniStream Figure 2-42 InfiniStream captures packets from the network.

74 Tool: InfiniStream (continued)
Figure 2-43 InfiniStream shows various types of charts describing statistics about network traffic.

75 Tool: eTrust Network Forensics
Some of the features of eTrust Network Forensics: Network traffic recording and visualization Real-time network data capture Advanced visualization Pattern and content analysis Communications catalog On-demand incident playback Advanced security investigation

76 Tool: ProDiscover Investigator
Figure 2-45 ProDiscover Investigator inspects disk contents around the network for illegal content.

77 Tool: P2 Enterprise Shuttle
Enterprise investigation tool that views, acquires, and searches client data wherever it resides in an enterprise Checks the main communication pass-through for the system as well as the routers and firewalls Acts as the central repository for all forensic images collected and is integrated with MySQL

78 Tool: Show Traffic Figure 2-46 Show Traffic shows a continuous display of network traffic.

79 Tool: Network Probe Figure 2-47 Network Probe provides a graphical summary of network traffic.

80 Tool: Snort Intrusion Detection System
Software-based, real-time network intrusion detection system Snort features include: Detects threats based on pattern matching Uses syslog, SMB messages, or a file to alert an administrator Develops new rules quickly once the pattern (attack signature) is known for a vulnerability Records packets from the offending IP address in a hierarchical directory structure Records the presence of traffic that should not be found on the network

81 Snort Rules There are a number of rules that Snort allows a user to write Each Snort rules must describe the following: Any violation of the security policy of the company that might be a threat to the security of the company’s network and other valuable information All the well-known and common attempts to exploit the vulnerabilities in the company’s network The conditions in which a user thinks that the identity of a network packet is not authentic

82 Tool: Network Probe Figure 2-48 Snort is a powerful IDS that allows users to write new rules.

83 Tool: IDS Policy Manager
Figure 2-49 IDS Policy Manager allows users to manage multiple Snort policies.

84 Documenting the Evidence Gathered on a Network
Documenting the evidence gathered on a network is easy if the network logs are small, as a printout can be taken and tested Documenting digital evidence on a network becomes more complex when the evidence is gathered from systems that are in remote locations Because of the unavailability of date and time stamps of the related files For documentation and integrity of the document, it is advisable to follow a standard methodology

85 Evidence Reconstruction for Investigation
Gathering evidence on a network is cumbersome for the following reasons: Evidence is not static and not concentrated at a single point on the network The variety of hardware and software found on the network makes the evidence-gathering process more difficult Three fundamentals of reconstruction for investigating a crime: Temporal analysis Relational analysis Functional analysis

86 Summary There are two types of network addressing schemes: LAN addressing and Internetwork addressing Sniffing tools are software or hardware that can intercept and log traffic passing over a digital network or part of a network The ARP table of a router comes in handy for investigating network attacks, as the table contains IP addresses associated with the respective MAC addresses

87 Summary (continued) The DHCP server maintains a list of recent queries, along with the MAC address and IP address An administrator can configure an IDS to capture network traffic when an alert is generated

Download ppt "Forensics Book 4: Investigating Network Intrusions and Cybercrime"

Similar presentations

Introduction to TCP/IP

Introduction to TCP/IP
Chapter 2 Network Models.

Chapter 2 Network Models.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Communicating over the Network Network Fundamentals – Chapter 2.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Communicating over the Network Network Fundamentals – Chapter 2.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
Introduction To Networking

Introduction To Networking
1 Version 3.0 Module 9 TCP/IP Protocol and IP Addressing.

1 Version 3.0 Module 9 TCP/IP Protocol and IP Addressing.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.
Chapter Overview TCP/IP Protocols IP Addressing.

Chapter Overview TCP/IP Protocols IP Addressing.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
Protocols and the TCP/IP Suite Chapter 4. Multilayer communication. A series of layers, each built upon the one below it. The purpose of each layer is.

Protocols and the TCP/IP Suite Chapter 4. Multilayer communication. A series of layers, each built upon the one below it. The purpose of each layer is.
CLIENT A client is an application or system that accesses a service made available by a server. applicationserver.

CLIENT A client is an application or system that accesses a service made available by a server. applicationserver.
Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.

Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.
Data Communications and Networks

Data Communications and Networks
Protocol Headers Pre DA SA 0800h … version H L 6 TCP Header Data FCS

Protocol Headers Pre DA SA 0800h … version H L 6 TCP Header Data FCS
Forensic and Investigative Accounting

Forensic and Investigative Accounting
Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice HallChapter Five 1 Business Data Communications Chapter Five Network, Transport,

Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice HallChapter Five 1 Business Data Communications Chapter Five Network, Transport,
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
COEN 252 Computer Forensics

COEN 252 Computer Forensics

Similar presentations

Ads by Google