Forensics Book 4: Investigating Network Intrusions and Cybercrime

Chapter 2: Investigating Network Traffic

Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited

Objectives

Understand network protocols
Understand the physical and data link layers of the OSI model
Understand the network and transport layers of the OSI model
Describe types of network attacks
Understand the reasons for investigating network traffic

Objectives (continued)

Perform evidence gathering via sniffing
Describe the tools used in investigating network traffic
Document the evidence gathered on a network
Reconstruct evidence for an investigation

Case Example

Jessica, a university student, was known to be an introvert among her peers
She used to live with her father
One day, Jessica left a note for her father mentioning that she was going to meet her old school friend and would be back by the end of the week
Two weeks later, Jessica’s dead body was found at a dumping ground near her university campus
Jessica’s system logs showed that she frequented Web sites related to bondage and sex
Further investigations revealed her e-mail address

Case Example (continued)

The investigators traced the e-mail service provider of the unknown person
The trace revealed that the e-mail address belonged to a man named Nichol
The investigators analyzed Nichol’s computer after the state judiciary granted them permission to do so
They found pornography and materials related to bondage and murder on Nichol’s computer
Nichol was questioned and, after long hours of investigation, he broke down and admitted to the crime

Network Addressing Schemes

Two methods of network addressing:
  LAN addressing
  Internetwork addressing

LAN Addressing

Local area network (LAN)
  Set of host machines in a relatively contiguous area, allowing for high data transfer rates among hosts on the same IP network
Each node in the LAN has a unique MAC (media access control) address assigned to the NIC
MAC address
  Unique 48-bit serial number assigned to each NIC, providing a physical address to the host machine
Network interface card (NIC)
  Piece of hardware used to provide an interface between a host machine and a computer network

LAN Addressing (continued)

Types of MAC addresses:
  Static
  Configurable
  Dynamic
Packets are either addressed to one node or, in the case of broadcasting, to all the nodes in the LAN
Broadcasting is often used to discover the services or devices on the network

Internetwork Addressing

Used in a network where a number of LANs or other networks are connected with the help of routers
Each network in this internetwork has a unique network ID (network address), and each host on it has a unique host address (node ID)
Routers use these addresses when data packets are transmitted from a source to its target
An internetwork address is a combination of both a network address and a host address

OSI Reference Model

The OSI model consists of seven layers
Each layer contains a set of similar functions and provides services to the layer above it
The OSI reference model is based on the following principles:
  Every layer has a fully defined function
  The boundaries of the layers have been designed to reduce the flow of information across the interfaces
  When an additional level of abstraction is required, a new layer is created
  The function of each layer is chosen with an eye toward defining internationally standardized protocols

OSI Reference Model (continued)

Figure 2-1 The OSI protocol stack consists of seven layers.


Overview of Network Protocols

In the seven layers of the OSI model, protocols exist in only six layers
The physical layer contains no network protocols

Data Link Layer

Main protocols include:
  Point-to-Point Protocol (PPP)
  Serial Line Internet Protocol (SLIP)
  Address Resolution Protocol (ARP)

Network Layer

Main protocols include:
  RARP (Reverse Address Resolution Protocol)
  ICMP (Internet Control Message Protocol)
  IGMP (Internet Group Management Protocol)
  IP (Internet Protocol)

Transport Layer

Main protocols include:
  UDP (User Datagram Protocol)
  TCP (Transmission Control Protocol)

Session Layer, Presentation Layer, and Application Layer

Main protocols include:
  HTTP (Hypertext Transfer Protocol)
  SMTP (Simple Mail Transfer Protocol)
  NNTP (Network News Transfer Protocol)
  Telnet
  FTP (File Transfer Protocol)
  SNMP (Simple Network Management Protocol)
  TFTP (Trivial File Transfer Protocol)

Session Layer, Presentation Layer, and Application Layer (continued)

Figure 2-2 Different protocols are used in different layers in the TCP/IP model.


Overview of Physical and Data Link Layers of the OSI Model

Physical layer
  Transmits raw bits over a communication channel
  Design must ensure that when one side sends a 1 bit, the other side receives that bit as a 1 bit
  Deals with the mechanical, electrical, and procedural interfaces, and the physical transmission medium, which are all below the physical layer
Data link layer
  Breaks the raw transmission bits into data frames
  Sequentially broadcasts the frames
  Creates and recognizes frame boundaries

Overview of Network and Transport Layers of the OSI Model

Network layer
  Takes care of the delivery of data packets from the source to the destination
  Provides the logical addresses of the sender and receiver in the header of the data packet
  Checks the integrity of the transferred data
Transport layer
  Takes care of the entire message that is transferred from the source to the destination
  Takes care of error correction and flow control of the message

Types of Network Attacks

Main categories of attacks launched against networks:
  IP spoofing
  Router attacks
  Eavesdropping
  Denial of service
  Man-in-the-middle attack
  Sniffing
  Data modification

Why Investigate Network Traffic?

Reasons investigators analyze network traffic include:
  Locate suspicious network traffic
  Know which network is generating the troublesome traffic and where the traffic is being transmitted to or received from
  Identify network problems

Evidence Gathering at the Physical Layer

A computer connected to a LAN has two addresses:
  MAC address
  IP address
Two basic types of Ethernet environments:
  Shared Ethernet
  Switched Ethernet

Shared Ethernet

Every machine receives packets that are meant for one machine
A sniffer ignores this rule and accepts all frames by putting the NIC into promiscuous mode
Promiscuous mode
  Mode of a network interface card in which the card passes all network traffic it receives to the host computer, rather than only the traffic specifically addressed to it
Passive sniffing is possible in a shared Ethernet environment, and it is difficult to detect

Switched Ethernet

Hosts are connected to a switch
The switch does not broadcast to all computers but sends the packets to the appropriate destination only
Sniffing by putting the NIC into promiscuous mode does not work in this type of environment
SPAN (Switched Port Analyzer) port
  Port that is configured to receive all the packets sent by any source port
Special switches are available that can be configured to allow sniffing at the switch, capturing even local traffic

DNS Poisoning Techniques

DNS (Domain Name Service)
  Service that translates domain names into IP addresses
DNS poisoning
  Process in which an attacker provides fake data to a DNS server for the purpose of misdirecting users
Types of DNS poisoning:
  Intranet DNS spoofing (local network)
  Internet DNS spoofing (remote network)
  Proxy server DNS poisoning
  DNS cache poisoning

Intranet DNS Spoofing (Local Network)

Figure 2-3 An attacker must be connected to the LAN to perform intranet DNS spoofing.


Internet DNS Spoofing (Remote Network)

Figure 2-4 An attacker uses a Trojan to perform Internet DNS spoofing.


Proxy Server DNS Poisoning

Figure 2-5 An attacker uses a Trojan to change the proxy server settings on a machine during a proxy server DNS poisoning attack.


DNS Cache Poisoning

The attacker exploits a flaw in the DNS server software that can make it accept incorrect information
If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, the server will end up caching the incorrect entries locally and serving them to users that make the same request
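The response validation the slide describes, as an added Python example that is not part of the book: a caching resolver keeps a record of each query it sent and caches a reply only if the source address, transaction ID, QR flag and question section all match that record. The DNS wire layout is standard; the query, the server address 192.0.2.53 and the mismatched reply are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    """What the resolver remembers about a query it sent and has not yet answered."""
    txid: int
    qname: str
    qtype: int
    qclass: int
    server: tuple  # (ip, port) the query was sent to


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode uncompressed labels starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels).lower(), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_response(txid, qname, qtype, qclass, rdata):
    """Construct a minimal one-answer response (used here only to make test input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, qclass, 300, len(rdata)) + rdata
    return header + question + answer


def validate_response(pending, data, source):
    """Return the reasons to reject a response; an empty list means it may be cached."""
    reasons = []
    if source != pending.server:
        reasons.append("source address/port differs from the server queried")
    if len(data) < 12:
        return reasons + ["truncated header"]
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != pending.txid:
        reasons.append("transaction ID mismatch")
    if not flags & 0x8000:
        reasons.append("QR bit clear: this is a query, not a response")
    if qdcount != 1:
        reasons.append("unexpected question count")
    else:
        try:
            qname, off = decode_name(data, 12)
            qtype, qclass = struct.unpack("!HH", data[off:off + 4])
            if (qname, qtype, qclass) != (pending.qname.lower(), pending.qtype, pending.qclass):
                reasons.append("question section does not match the outstanding query")
        except (ValueError, IndexError, struct.error):
            reasons.append("malformed question section")
    return reasons


# Constructed scenario: the resolver asked 192.0.2.53 for the A record of www.example.com.
PENDING = PendingQuery(0x1A2B, "www.example.com", 1, 1, ("192.0.2.53", 53))


def demo():
    """Validate a genuine reply and one with the wrong ID arriving from the wrong host."""
    genuine = build_response(0x1A2B, "www.example.com", 1, 1, bytes([192, 0, 2, 10]))
    forged = build_response(0x1A2C, "www.example.com", 1, 1, bytes([198, 51, 100, 7]))
    return (validate_response(PENDING, genuine, ("192.0.2.53", 53)),
            validate_response(PENDING, forged, ("198.51.100.7", 53)))
```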

Evidence Gathering from ARP Table

Figure 2-6 The arp -a command displays the ARP table in Windows.


Evidence Gathering at the Data Link Layer: DHCP Database

The DHCP database provides a means of determining the MAC address associated with the computer in custody
The database helps determine the MAC address in case the DHCP server does not maintain a permanent log of requests
The DHCP server maintains a list of recent queries along with the MAC address and IP address
The database can be queried by giving the time duration during which the given IP address accessed the server
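The lease query the slide describes, as an added Python example that is not from the book: given a list of DHCP leases, find which MAC address held an IP address at a given instant or during a given window, and notice when no lease covers the time in question. The lease records and their comma-separated layout are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime


# Constructed lease records: start,end,ip,mac (layout assumed for this example).
LEASE_LOG = """\
2009-03-02 08:15:00,2009-03-02 12:15:00,10.0.5.23,00-1a-2b-3c-4d-5e
2009-03-02 12:30:00,2009-03-02 16:30:00,10.0.5.23,00-aa-bb-cc-dd-ee
2009-03-02 09:00:00,2009-03-02 13:00:00,10.0.5.24,00-1a-2b-3c-4d-5e
"""

FMT = "%Y-%m-%d %H:%M:%S"


def ts(text):
    """Parse a timestamp in the log's format."""
    return datetime.strptime(text, FMT)


def parse_leases(text):
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, ip, mac = (field.strip() for field in line.split(","))
        leases.append(Lease(ip, mac.lower(), ts(start), ts(end)))
    return leases


def macs_for_ip_at(leases, ip, when):
    """MACs that held `ip` at instant `when`; a lease covers [start, end)."""
    return sorted({l.mac for l in leases if l.ip == ip and l.start <= when < l.end})


def leases_for_ip_between(leases, ip, t0, t1):
    """Leases of `ip` overlapping the window [t0, t1]: the time-duration query on the slide."""
    return [l for l in leases if l.ip == ip and l.start <= t1 and l.end >= t0]


def addresses_held_by(leases, mac):
    """Every IP a given MAC held, with lease start, to follow one machine across leases."""
    return sorted((l.start, l.ip) for l in leases if l.mac == mac.lower())
```

An empty result from macs_for_ip_at means no lease covers that instant, which is itself a finding to record rather than a reason to assume the nearest lease.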

Gathering Evidence from an IDS

An administrator can configure an intrusion detection system (IDS) to capture network traffic when an alert is generated
This data is not a sufficient source of evidence because there is no way to perform integrity checks on the log files
Preserving digital evidence is difficult
Investigators can record examination results from the network through a serial cable and software such as the Windows HyperTerminal program or a script on UNIX

Tool: Tcpdump

Powerful tool that extracts network packets and performs statistical analysis on those dumps
Operates by putting the network card into promiscuous mode
A Tcpdump report consists of the following:
  Captured packet count
  Received packet count
  Count of packets dropped by the kernel
Supported by various platforms

Tool: Tcpdump (continued)

Figure 2-7 Tcpdump shows information about all the packets that come through the network interface.


Tool: WinDump

Port of Tcpdump for the Windows platform
WinDump is fully compatible with Tcpdump
Can be used to watch and diagnose network traffic according to various complex rules
WinDump is simple to use and works at the command-line level

Tool: WinDump (continued)

Figure 2-8 WinDump displays more verbose information when the user specifies the -vv option.


Tool: NetIntercept

Network analysis tool
Captures LAN traffic using a standard Ethernet interface card placed in promiscuous mode and a modified UNIX kernel
Performs stream reconstruction on demand

Tool: NetIntercept (continued)

Figure 2-9 NetIntercept captures traffic continuously.


Tool: NetIntercept (continued)

Figure 2-10 A user can look at the contents of a connection once it has been identified.


Tool: Wireshark

Formerly known as Ethereal
GUI-based network protocol analyzer
Lets the user interactively browse packet data from a live network or from a previously saved capture file
Wireshark’s native capture file format is the libpcap format
  Also the format used by Tcpdump and various other tools
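An added Python example, not from the book, Tcpdump or Wireshark, that reads the libpcap file format mentioned above and produces the captured packet count the Tcpdump slide lists, along with how many records were cut short by the capture's snapshot length. The capture is built in memory by build_pcap; the 24-byte global header and 16-byte record header are the standard libpcap layout.

```python
import struct
from dataclasses import dataclass

MAGIC_USEC = 0xA1B2C3D4   # timestamps in microseconds
MAGIC_NSEC = 0xA1B23C4D   # timestamps in nanoseconds


@dataclass
class PcapSummary:
    link_type: int
    snaplen: int
    packets: int
    truncated: int       # records where incl_len < orig_len (cut by the snapshot length)
    bytes_on_wire: int


def build_pcap(packets, snaplen=65535, link_type=1):
    """Construct a little-endian libpcap file from (ts_sec, ts_usec, frame) tuples."""
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, link_type)
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return out


def read_pcap(data):
    """Parse a libpcap file; return (PcapSummary, [(ts_sec, ts_frac, frame), ...])."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    if struct.unpack("<I", data[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic number)")
    _, _, _, _, _, snaplen, link_type = struct.unpack(endian + "IHHiIII", data[:24])
    offset, records, truncated, wire = 24, [], 0, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("incomplete record header at offset %d" % offset)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or offset + incl_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % (offset - 16))
        records.append((ts_sec, ts_frac, data[offset:offset + incl_len]))
        offset += incl_len
        truncated += incl_len < orig_len
        wire += orig_len
    return PcapSummary(link_type, snaplen, len(records), truncated, wire), records


def is_well_formed(data):
    """True if every record in the file can be walked to the end without running short."""
    try:
        read_pcap(data)
        return True
    except ValueError:
        return False


# Constructed capture: two Ethernet frames, the second longer than the 64-byte snaplen.
SAMPLE = build_pcap([(1236000000, 0, b"\x00" * 60), (1236000001, 500, b"\xff" * 100)], snaplen=64)
```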

Tool: Wireshark (continued)

Figure 2-11 Wireshark can show information about all captured packets.


Tool: CommView

Figure 2-12 CommView shows detailed information about every captured packet.


Tool: SoftPerfect Network Protocol Analyzer

Figure 2-13 SoftPerfect Network Protocol Analyzer displays information about all packets captured from the network.


Tool: HTTP Sniffer

Figure 2-15 HTTP Sniffer displays information about captured HTTP packets.


Tool: EtherDetect Packet Sniffer

Figure 2-16 EtherDetect Packet Sniffer provides syntax highlighting for application data, including HTTP data, as shown here.


Tool: OmniPeek

Figure 2-17 OmniPeek provides different views of captured packets.


Tool: OmniPeek (continued)

Figure 2-18 OmniPeek provides users with visuals concerning network traffic.


Tool: Iris Network Traffic Analyzer

Figure 2-19 Iris Network Traffic Analyzer allows a user to view details about captured packets.


Tool: SmartSniff

Figure 2-20 SmartSniff shows ASCII views of network conversations for text-based protocols.


Tool: NetSetMan

Figure 2-21 NetSetMan allows a user to switch between sets of network settings.


Tool: Distinct Network Monitor

Figure 2-22 Distinct Network Monitor displays live network traffic statistics.


Tool: MaaTec Network Analyzer

Figure 2-23 MaaTec Network Analyzer can color-code data based on different criteria.


Tool: ntop

Figure 2-24 ntop displays network statistics on a Web page.


Tool: EtherApe

Figure 2-25 EtherApe creates a graphical display of network traffic.


Tool: Colasoft Capsa Network Analyzer

Figure 2-26 Colasoft Capsa Network Analyzer provides statistics about network traffic.


Tool: Colasoft EtherLook

Figure 2-27 Colasoft EtherLook displays all the data received by every host in a LAN.


Tool: AnalogX PacketMon

Figure 2-28 AnalogX PacketMon can show detailed information about packets.


Tool: BillSniff

Figure 2-29 BillSniff allows a user to view hexadecimal and ASCII versions of packets.


Tool: IE HTTP Analyzer

Figure 2-30 IE HTTP Analyzer displays its information in a separate frame within Internet Explorer.


Tool: EtherScan Analyzer

Network traffic and protocol analyzer
Captures and analyzes packets sent over a local network
Decodes the major protocols and is capable of reconstructing TCP/IP sessions

Tool: Sniphere

Figure 2-31 Sniphere can filter traffic based on several criteria.


Tool: IP Sniffer

Figure 2-32 IP Sniffer provides graphical statistics about network traffic.


Tool: Atelier Web Ports Traffic Analyzer

Figure 2-33 Atelier Web Ports Traffic Analyzer shows hexadecimal and ASCII versions of the content of packets.


Tool: IPgrab

Packet sniffer for UNIX hosts
Provides a verbose mode that displays a great amount of information about packets
Also provides a minimal mode in which all information about all parts of a packet is displayed in a single line of text

Tool: Nagios

Figure 2-35 Nagios can display details about the current network status.


Tool: Give Me Too

Figure 2-36 Using Give Me Too, users can open files that have been transferred over the network.


Tool: Sniff-O-Matic

Figure 2-37 Sniff-O-Matic shows the entire contents of each packet.


Tool: EtherSnoop

Figure 2-38 EtherSnoop allows users to choose which packets to see in a more detailed view.


Tool: GPRS Network Sniffer: Nokia LIG

Figure 2-39 The LIC, LIB, and LIE all work together in the Nokia LIG.


Tool: Siemens Monitoring Center

Designed for law enforcement and government security agencies
Permits integration within all telecommunications networks that use any type of modern standardized equipment compatible with an ETSI recommendation
With the help of the Siemens Intelligence Platform, analysts may find meaning among large reams of irrelevant data
Intelligence Platform
  Means to organize disparate pieces of information for law enforcement and security agencies so decision makers can act upon the information

Tool: NetWitness

Figure 2-40 NetWitness allows users to view files captured from other machines on the network.


Tool: NetResident

Figure 2-41 Users can view reconstructed Web pages using NetResident.


Tool: InfiniStream

Figure 2-42 InfiniStream captures packets from the network.


Tool: InfiniStream (continued)

Figure 2-43 InfiniStream shows various types of charts describing statistics about network traffic.


Tool: eTrust Network Forensics

Some of the features of eTrust Network Forensics:
  Network traffic recording and visualization
  Real-time network data capture
  Advanced visualization
  Pattern and content analysis
  Communications catalog
  On-demand incident playback
  Advanced security investigation

Tool: ProDiscover Investigator

Figure 2-45 ProDiscover Investigator inspects disk contents around the network for illegal content.


Tool: P2 Enterprise Shuttle

Enterprise investigation tool that views, acquires, and searches client data wherever it resides in an enterprise

Checks the main communication pass-through for the system as well as the routers and firewalls

Acts as the central repository for all forensic images collected and is integrated with MySQL


Tool: Show Traffic

Figure 2-46 Show Traffic shows a continuous display of network traffic.


Tool: Network Probe

Figure 2-47 Network Probe provides a graphical summary of network traffic.


Tool: Snort Intrusion Detection System

Software-based, real-time network intrusion detection system
Snort features include:
  Detects threats based on pattern matching
  Uses syslog, SMB messages, or a file to alert an administrator
  Allows new rules to be developed quickly once the pattern (attack signature) for a vulnerability is known
  Records packets from the offending IP address in a hierarchical directory structure
  Records the presence of traffic that should not be found on the network

Snort Rules

There are a number of rules that Snort allows a user to write
Snort rules must describe the following:
  Any violation of the company’s security policy that might be a threat to the security of the company’s network and other valuable information
  All the well-known and common attempts to exploit the vulnerabilities in the company’s network
  The conditions under which a user thinks that the identity of a network packet is not authentic

Tool: Snort Intrusion Detection System (continued)

Figure 2-48 Snort is a powerful IDS that allows users to write new rules.


Tool: IDS Policy Manager

Figure 2-49 IDS Policy Manager allows users to manage multiple Snort policies.


Documenting the Evidence Gathered on a Network

Documenting the evidence gathered on a network is easy if the network logs are small, as a printout can be taken and tested
Documenting digital evidence on a network becomes more complex when the evidence is gathered from systems that are in remote locations, because of the unavailability of date and time stamps of the related files
For documentation and integrity of the document, it is advisable to follow a standard methodology

Evidence Reconstruction for Investigation

Gathering evidence on a network is cumbersome for the following reasons:
  Evidence is not static and not concentrated at a single point on the network
  The variety of hardware and software found on the network makes the evidence-gathering process more difficult
Three fundamentals of reconstruction for investigating a crime:
  Temporal analysis
  Relational analysis
  Functional analysis

Summary

There are two types of network addressing schemes: LAN addressing and Internetwork addressing

Sniffing tools are software or hardware that can intercept and log traffic passing over a digital network or part of a network

The ARP table of a router comes in handy for investigating network attacks, as the table contains IP addresses associated with the respective MAC addresses


Summary (continued)

The DHCP server maintains a list of recent queries, along with the MAC address and IP address

An administrator can configure an IDS to capture network traffic when an alert is generated