Network Forensic.pdf
Document Details
Uploaded by IngenuousIntegral
University of Mumbai
Tags
Full Transcript
NETWORK FORENSICS Introduction to Network Forensics and Tracking Network Traffic Network Forensics: The process of collecting and analyzing raw network data to systematically track network traffic and determine how an attack or event occurred on a network....
NETWORK FORENSICS Introduction to Network Forensics and Tracking Network Traffic Network Forensics: The process of collecting and analyzing raw network data to systematically track network traffic and determine how an attack or event occurred on a network. Importance: With the increasing frequency of network attacks, network forensics is crucial for identifying whether attacks are intentional or unintentional and for understanding the methods used by attackers. Types of Network Attacks Unintentional Attacks: Often occur due to lack of knowledge and do not involve malicious intent. DoS Attacks: Denial of Service attacks overload network resources, making the network unavailable to genuine users without gaining access to any computer on the network. ○ Characteristics: DoS attackers should not be referred to as intruders since no direct intrusion happens. Not all intruders are attackers, but those who gain access and then destroy information or plant viruses can be called both intruders and attackers. Tracking Network Traffic Intrusion Traces: Intruders leave traces when they attack a network. Detecting these traces involves identifying variations in network traffic. Normal Traffic Patterns: Understanding typical network patterns (e.g., peak internet usage hours) helps in identifying unusual activities. ○ Example: Peak hours in a city might be between 6 a.m. and 6 p.m. Any suspicious activity at night would prompt an investigation by the network administrator. Standard Procedures in Network Forensics Response to Attacks: Network administrators aim to find compromised machines, take them offline, and restore them quickly to reduce downtime. Importance of Procedures: Following standard procedures ensures all compromised systems are tracked and attack methods are identified to prevent future incidents. Compromised System Handling: Thorough investigation and adherence to procedures help in understanding the full scope of an attack and securing the network. Securing a Network Network Forensics Role: Used to identify security breaches due to attacks, viruses, and other incidents. Hardening: Involves tasks like applying the latest patches and using a layered network defense strategy to protect valuable data. ○ Defense in Depth (DiD): Developed by the National Security Agency (NSA), this strategy includes three modes of protection: People, Technology, and Operations. Defense in Depth (DiD) Strategy 1. People: ○ Qualified Personnel: Hiring well-qualified individuals and treating them well to prevent revenge motives. ○ Training: Adequate training in security procedures and policies. ○ Security Measures: Includes physical and personnel security measures. 2. Technology: ○ Network Architecture: Selecting strong network architecture. ○ Tools: Using tools like firewalls and Intrusion Detection Systems (IDSs). ○ Penetration Testing and Risk Assessment: Regular testing and assessment to enhance network security. ○ Investigation Tools: Tools that allow for quick and thorough examination during a security breach. 3. Operations: ○ Daily Activities: Updating antivirus software, security patches, and operating systems. ○ Evaluation and Monitoring: Regular evaluation and monitoring methods. ○ Disaster Recovery Plans: Having plans in place for disaster recovery. Reviewing Network Logs Network Logs: Records of incoming and outgoing traffic on a network, created by servers, firewalls, routers, and other devices. Purpose: They track activities and events, helping to monitor network health, identify issues, and investigate security incidents. Tools for Reviewing Network Logs Tcpdump: A common program used to capture and analyze network traffic. It generates extensive records that detail network activities. Example of Tcpdump Output Format: The log entries typically include the date, time, protocol, interface, packet size, and source/destination addresses. TCP log from 2010-12-16:15:06:33 to 2010-12-16:15:06:34 Wed Dec 15 15:06:33 2010; TCP; eth0; 1296 bytes; from 204.146.114.10:1916 to 156.26.62.201:126 Wed Dec 15 15:06:33 2010; TCP; eth0; 625 bytes; from 192.168.114.30:289 to 188.226.173.122:13 Wed Dec 15 15:06:33 2010; TCP; eth0; 2401 bytes; from 192.168.5.41:529 to 188.226.173.122:31 Wed Dec 15 15:06:33 2010; TCP; eth0; 1296 bytes; from 206.199.79.28:1280 to 10.253.170.210:168; first packet END ○ Header: The first line shows the log's timeframe. ○ Entries: Subsequent lines follow the format time; protocol; interface; size; source and destination addresses. Analyzing the Logs Understanding Entries: For example, the second line shows: ○ Date and Time: December 15, 2010, at 15:06:33 ○ Protocol: TCP ○ Interface: Ethernet 0 (eth0) ○ Size: 1296 bytes ○ Source: IP address 204.146.114.10 with port 1916 ○ Destination: IP address 156.26.62.201 with port 126 Key Points for Investigation Port Information: Ports above 1024 can be suspicious and warrant further investigation. Check port assignments on the Internet Assigned Numbers Authority (IANA) website. Frequent IP Addresses: Repeated occurrences of specific IP addresses can indicate potential issues or malicious activity. Using Ethereal for Further Analysis Top Websites: Ethereal (now known as Wireshark) can generate a list of the top 10 websites visited by users, showing bytes transferred and IP addresses. Top Internal Users: It can also list the top 10 internal users by tracking IP addresses and the amount of data they transfer. Patterns in Network Logs Behavioral Patterns: Logs can reveal patterns like an employee frequently accessing certain sites during work hours, potentially indicating misuse of company resources. Investigating Suspicious Activity: If suspicious behavior is detected, investigate while preserving evidence. Findings might reveal broader issues affecting other companies. Handling Findings Confidentiality: Do not reveal findings about other companies without their consent. Contacting Companies: Notify affected companies to collaborate on tracking down intruders. Reporting to Authorities: Consider reporting significant incidents to federal authorities for further action. Network Forensic Tools Windows Operating System Network Tools Sysinternals Suite: A collection of free tools for examining Windows products, created by Mark Russinovich and Bryce Cogswell, now owned by Microsoft. These tools help in monitoring network traffic and managing devices and processes. Here are some of the key tools: ○ RegMon: Displays all registry data in real-time. ○ Process Explorer: Shows files, registry keys, and DLLs loaded at a specific time. ○ Handle: Shows open files and the processes using them. ○ Filemon: Shows file system activity. ○ PsExec: Runs processes remotely. ○ PsGetSid: Displays the security identifier (SID) of a computer or user. ○ PsKill: Kills processes by name or process ID. ○ PsList: Lists detailed information about processes. ○ PsLoggedOn: Displays who is logged on locally. ○ PsPasswd: Allows you to change account passwords. ○ PsService: Enables you to view and control services. ○ PsShutdown: Shuts down and optionally restarts a computer. ○ PsSuspend: Allows you to suspend processes. UNIX/Linux Operating System Network Tools Knoppix Security Tools Distribution: A bootable Linux CD designed for computer and network forensics, created by Klaus Knopper. It offers a variety of tools for authentication, firewalls, password management, wireless tools, encryption, intrusion detection systems (IDS), honeynets, forensics, packet sniffers, vulnerability assessment, and more. Here are some important tools: ○ dcfldd: A U.S. Department of Defense computer forensics lab version of the dd command. ○ memfetch: Forces a memory dump. ○ photorec: Retrieves files from a digital camera. ○ snort: A popular IDS that captures and analyzes packets in real-time. ○ oinkmaster: Manages snort rules, specifying regular traffic and alarms. ○ john: The latest version of John the Ripper, a password cracker. ○ chntpw: Resets passwords on a Windows computer, including the administrator password. ○ tcpdump and ethereal (Wireshark): Packet sniffers for capturing and analyzing network traffic. Packet Sniffers Packet Sniffers: Devices or software used to monitor network traffic. They can enhance security and track network bottlenecks but can also be used maliciously to capture sensitive information. ○ Functionality: Examine packets on TCP/IP networks, working at Layer 2 or Layer 3 of the OSI model. ○ Common Tools: Tcpdump, Tethereal, and SNORT can capture packets, including those with specific flags like SYN for detecting SYN flood attacks. Example Packet Sniffer Tools Topslice: Extracts information from large Libpcap files based on a specified timeframe and can combine files. Tcpreplay: Replays network traffic recorded in Libpcap format to test network devices. Ngrep: Examines email headers or IRC logs, collects, and hashes data for verification. Ethereal (Wireshark): A graphical tool for viewing network traffic and rebuilding sessions. Netdude: A GUI tool for inspecting and analyzing large Tcpdump files. Argus: A session data probe, collector, and analysis tool. Examining the Honeynet Project Honeynet Project: Aims to thwart internet and network attackers by creating awareness, providing information, and offering tools and methods. It involves worldwide participation. ○ Steps: Awareness: Informing people and organizations about existing threats. Information: Providing details on how to protect against threats and understanding attacker tactics. Research: Offering tools and methods for individuals to conduct their own research. Threats Addressed: ○ Distributed Denial-of-Service (DDoS) Attacks: Involving hundreds or thousands of "zombie" machines. ○ Zero-Day Attacks: Exploiting network and OS vulnerabilities before patches are available. Honeypots and Honeywalls: ○ Honeypot: A decoy computer set up to lure attackers, containing no valuable information. ○ Honeywall: Monitors honeypots and records attacker activities. ○ Process: Deploying a honeypot, taking it offline if compromised, comparing pre- and post-attack images to analyze the attack methods and changes made. Performing Live Acquisitions Live acquisitions are crucial for capturing volatile data when dealing with active network attacks or unauthorized access by employees. These acquisitions are performed while the system is still running because certain evidence, such as running processes and data in RAM, can be lost if the system is shut down or restarted. Here is a simplified breakdown of the process: 1. Prepare Forensic Tools: ○ Create or download a bootable forensic CD. ○ Test the CD on a non-suspect drive. ○ If the suspect system is on the network, ensure you have the appropriate forensic tools on your computer. ○ Insert the bootable forensic CD into the suspect system if necessary. 2. Log Actions: ○ Keep a detailed log of all actions taken during the live acquisition process. ○ Document the reasons for each action. 3. Set Up Data Storage: ○ Use a network drive to store gathered data if available. ○ If a network drive is not available, use a USB thumb drive. ○ Note the use of the USB drive in your log. 4. Copy Physical Memory (RAM): ○ Capture the entire contents of RAM. 5. Investigate Specific Issues: ○ Depending on the incident, decide whether to: Shut down the system for a static acquisition later. Use tools like RootKit Revealer to check for rootkits. Access firmware to check for changes. 6. Validate Data Integrity: ○ Ensure you obtain a forensically sound digital hash value of all recovered files to confirm they haven't been altered. Performing a Live Acquisition in Windows Various tools can capture RAM during a live acquisition in Windows. Here are some of the tools: Win32dd: A command-line tool for performing memory dumps on Windows. Back Track 3: Combines tools from the White Hat Hackers CD and The Auditor CD, popular among penetration testers. Mantech Memory DD: Acquires up to 4 GB of RAM in standard DD format. Winen.exe from Guidance Software: A standalone RAM acquisition tool. Command-Line vs. GUI Tools: Command-Line Tools: Offer more control and are generally preferred for live acquisitions. GUI Tools: Require more system resources and can sometimes give false readings, especially on Windows OSs. Live acquisitions are essential for preserving volatile data during an ongoing network attack or suspected unauthorized access. Following a systematic procedure and using reliable tools ensures that the captured data remains forensically sound. Order of Volatility (OOV) The Order of Volatility (OOV) refers to the lifespan of data on a system, which is critical for investigators to understand when collecting evidence during a network forensics investigation. Data varies in how long it remains accessible and useful: 1. Registers, Cache: Lasts only for milliseconds. 2. Routing Table, ARP Cache, Process Table, Kernel Statistics: Short-lived and volatile. 3. Memory (RAM): Volatile, lost when the system is powered off. 4. Established Network Connections: Lasts until the connection is terminated. 5. Running Processes: Exists until the process is terminated or the system is shut down. 6. Temporary File Systems: Can be deleted or overwritten quickly. 7. Media in Use: Disk: Persistent until manually deleted or overwritten. 8. Remote Logging and Monitoring Data: Exists on other systems, potentially longer-lived. 9. Backup Media: Tapes, Disks Not in Use: Very persistent, often stored for long periods. 10. Archival Media: Long-term storage, such as tapes or disks. 11. WORM: CD-ROMs, DVDs: Very long-term, write-once-read-many storage. After digital evidence is gathered, physical evidence such as configuration, network topology, paper documents, fingerprints, and DNA can be collected. Standard Procedures for Network Forensics Network forensics involves a systematic approach to ensure accurate and reliable evidence collection. The standard procedure includes the following steps: 1. Standard Installation Image: ○ Use a standard installation image for all systems on the network. ○ This image includes all standard applications and OS files. ○ Maintain MD5 and SHA-1 hash values for all applications and OS files to ensure integrity. 2. Fix Vulnerabilities: ○ If an intrusion incident occurs, ensure the vulnerability is patched to prevent further attacks. 3. Live Acquisition: ○ Recover all volatile data, such as RAM and running processes, before the system is turned off. 4. Forensic Imaging: ○ Create a forensic image of the compromised drive to preserve the state of the data at the time of the incident. 5. File Comparison: ○ Compare the files on the forensic image with the original installation image. ○ Use hash values to verify the integrity of common files (e.g., Win.exe, standard DLLs) and detect any alterations. By following these standard procedures, investigators can systematically collect and analyze evidence, ensuring the reliability and integrity of their findings.