Upload
rosalind-ramsey
View
220
Download
1
Tags:
Embed Size (px)
Citation preview
Forensics Book 4: Investigating Network Intrusions and Cybercrime
Chapter 2: Investigating Network Traffic
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Objectives
Understand network protocols Understand the physical and data link layers
of the OSI model Understand the network and transport layers
of the OSI model Describe types of network attacks Understand the reasons for investigating
network traffic
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Objectives (continued)
Perform evidence gathering via sniffing Describe the tools used in investigating
network traffic Document the evidence gathered on a
network Reconstruct evidence for an investigation
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Case Example
Jessica, a university student, was known to be an introvert among her peers She used to live with her father
One day, Jessica left a note for her father mentioning that she was going to meet her old school friend and would be back by the end of the week Two weeks later, Jessica’s dead body was found
near a dumping ground near her university campus Jessica’s system logs showed that Jessica
frequented Web sites related to bondage and sex Further investigations revealed her e-mail address
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Case Example (continued)
The investigators traced the e-mail service provider of the unknown person The trace revealed that the e-mail address
belonged to a man named Nichol The investigators analyzed Nichol’s computer
after the state judiciary granted them permission to do so They found pornography and materials related
to bondage and murder on Nichol’s computer Nichol was questioned and after long hours
of investigation, he broke down and admitted to the crime
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Network Addressing Schemes
Two methods of network addressing: LAN addressing Internetwork addressing
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
LAN Addressing
Local area network (LAN) Set of host machines in a relatively contiguous
area, allowing for high data transfer rates among hosts on the same IP network
Each node in the LAN has a unique MAC (media access control) address assigned to the NIC
MAC address Unique 48-bit serial number assigned to each
NIC, providing a physical address to the host machine
Network interface card (NIC) Piece of hardware used to provide an interface
between a host machine and a computer network
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
LAN Addressing (continued)
Types of MAC addresses: Static Configurable Dynamic
Packets are either addressed to one node or, in the case of broadcasting, to all the nodes in the LAN
Broadcasting is often used to discover the services or devices on the network
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Internetwork Addressing
Used in a network where a number of LANs or other networks are connected with the help of routers Each network in this Internetwork has a
unique network ID or network address known as the host address or node ID
Routers use these addresses when data packets are transmitted from a source to its target
Internetwork address is a combination of both a network address and host address
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
OSI Reference Model
OSI model consists of seven layers Each layer contains a set of similar functions
and provides services to the layer above it The OSI reference model is based on the
following principles: Every layer has a fully defined function The boundaries of the layers have been designed
to reduce the flow of information in the interface When an additional level of abstraction is
required, then a layer is created Each layer contains the functions of the
international standardized protocol
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
OSI Reference Model (continued)
Figure 2-1 The OSI protocol stack consists of seven layers.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Overview of Network Protocols
In the seven layers of the OSI model, protocols exist in only six layers The physical layer contains no network
protocols
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Data Link Layer
Main protocols include: Point-to-Point Protocol (PPP) Serial Line Internet Protocol (SLIP) Address Resolution Protocol (ARP)
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Network Layer
Main protocols include: RARP (Reverse Address Resolution Protocol) ICMP (Internet Control Message Protocol) IGMP (Internet Group Management Protocol) IP (Internet Protocol)
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Transport Layer
Main protocols include: UDP (User Datagram Protocol) TCP (Transmission Control Protocol)
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Session Layer, Presentation Layer, and Application Layer Main protocols include:
HTTP (Hypertext Transfer Protocol) SMTP (Simple Mail Transfer Protocol) NNTP (Network News Transfer Protocol) Telnet FTP (File Transfer Protocol) SNMP (Simple Network Management
Protocol) TFTP (Trivial File Transfer Protocol)
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Session Layer, Presentation Layer, and Application Layer (continued)
Figure 2-2 Different protocols are used in different layers in the TCP/IP model.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Overview of Physical and Data Link Layers of the OSI Model Physical layer
Transmits raw bits over a communication channel Design must ensure that when one side sends a 1
bit, the other side should receive that bit as a 1 bit Deals with the mechanical, electrical, and
procedural interfaces, and the physical transmission medium, which are all below the physical layer
Data link layer Breaks the raw transmission bits into data frames Sequentially broadcasts the frames Creates and recognizes frame boundaries
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Overview of Network and Transport Layers of the OSI Model Network layer
Takes care of the delivery of data packets from the source to the destination
Provides the logical address of the sender and receiver in the header of the data packet
Checks the integrity of the transferred data Transport layer
Takes care of the entire message that is transferred from the source to the destination
Takes care of error correction and flow control of the message
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Types of Network Attacks
Main categories of attacks launched against networks: IP spoofing Router attacks Eavesdropping Denial of service Man-in-the-middle attack Sniffing Data modification
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Why Investigate Network Traffic?
Reasons investigators analyze network traffic include: Locate suspicious network traffic Know which network is generating the
troublesome traffic and where the traffic is being transmitted to or received from
Identify network problems
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Evidence Gathering at the Physical Layer Computer connected to a LAN has two
addresses: MAC address IP address
Two basic types of Ethernet environments: Shared Ethernet Switched Ethernet
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Shared Ethernet
Every machine receives packets that are meant for one machine
Sniffer ignores this rule and accepts all frames by putting the NIC into promiscuous mode
Promiscuous mode Mode of a network interface card in which the
card passes all network traffic it receives to the host computer, rather than only the traffic specifically addressed to it
Passive sniffing is possible in a shared Ethernet environment, but it is difficult to detect
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Switched Ethernet
Hosts are connected to a switch Switch does not broadcast to all computers
but sends the packets to the appropriate destination only Sniffing by putting the NIC into promiscuous
mode does not work in this type of environment SPAN (Switched Port Analyzer) port
Port that is configured to receive all the packets sent by any source port
Special switches are available that can be configured to allow sniffing at the switch that can even capture local traffic
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
DNS Poisoning Techniques
DNS (Domain Name Service) Service that translates domain names into IP
addresses DNS poisoning
Process in which an attacker provides fake data to a DNS server for the purpose of misdirecting users
Types of DNS poisoning: Intranet DNS spoofing (local network) Internet DNS spoofing (remote network) Proxy server DNS poisoning DNS cache poisoning
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Intranet DNS Spoofing (Local Network)
Figure 2-3 An attacker must be connected to the LAN to perform intranet DNS spoofing.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Internet DNS Spoofing (Remote Network)
Figure 2-4 An attacker uses a Trojan to perform Internet DNS spoofing.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Proxy Server DNS Poisoning
Figure 2-5 An attacker uses a Trojan to change the proxy server settings on a machine during a proxy server DNS poisoning attack.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
DNS Cache Poisoning
Attacker exploits a flaw in the DNS server software that can make it accept incorrect information
If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source Server will end up caching the incorrect
entries locally and serve them to users that make the same request
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Evidence Gathering from ARP Table
Figure 2-6 The arp -a command displays the ARP table in Windows.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Evidence Gathering at the Data Link Layer: DHCP Database DHCP database provides a means of
determining the MAC address associated with the computer in custody Database helps DHCP conclude the MAC
address in case DHCP is unable to maintain a permanent log of requests
DHCP server maintains a list of recent queries along with the MAC address and IP address Database can be queried by giving the time
duration during which the given IP address accessed the server
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Gathering Evidence from an IDS
Administrator can configure an intrusion detection system (IDS) to capture network traffic when an alert is generated This data is not a sufficient source of evidence
because there is no way to perform integrity checks on the log files
Preserving digital evidence is difficult Investigators can record examination results
from networking through a serial cable and software Such as the Windows HyperTerminal program
or a script on UNIX
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Tcpdump
Powerful tool that extracts network packets and performs statistical analysis on those dumps Operates by putting the network card into
promiscuous mode Tcpdump report consists of the following:
Captured packet count Received packet count Count of packets dropped by kernel
Supported by various platforms
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Tcpdump (continued)
Figure 2-7 Tcpdump shows information about all the packets that come through the network interface.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: WinDump
Port of Tcpdump for the Windows platform WinDump is fully compatible with Tcpdump
Can be used to watch and diagnose network traffic according to various complex rules
WinDump is simple to use and works at the command-line level
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: WinDump (continued)
Figure 2-8 WinDump displays more verbose information when the user specifies the -vv option.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: NetIntercept
Network analysis tool Captures LAN traffic using a standard
Ethernet interface card placed in promiscuous mode and a modified UNIX kernel
Performs stream reconstruction on demand
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: NetIntercept (continued)
Figure 2-9 NetIntercept captures traffic continuously.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: NetIntercept (continued)
Figure 2-10 A user can look at the contents of a connection once it has been identified.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Wireshark
Formerly known as Ethereal GUI-based network protocol analyzer Lets the user interactively browse packet
data from a live network or from a previously saved capture file
Wireshark’s native capture file format is the libpcap format Also the format used by Tcpdump and various
other tools
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Wireshark (continued)
Figure 2-11 Wireshark can show information about all captured packets.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: CommView
Figure 2-12 CommView shows detailed information about every captured packet.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: SoftPerfect Network Protocol Analyzer
Figure 2-13 SoftPerfect Network Protocol Analyzer displays information about all packets captured from the network.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: HTTP Sniffer
Figure 2-15 HTTP Sniffer displays information about captured HTTP packets.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: EtherDetect Packet Sniffer
Figure 2-16 EtherDetect Packet Sniffer provides syntax highlighting for application data, including HTTP data, as shown here.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: OmniPeek
Figure 2-17 OmniPeek provides different views of captured packets.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: OmniPeek (continued)
Figure 2-18 OmniPeek provides users with visuals concerning network traffic.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Iris Network Traffic Analyzer
Figure 2-19 Iris Network Traffic Analyzer allows a user to view details about captured packets.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: SmartSniff
Figure 2-20 SmartSniff shows ASCII views of network conversations for textbased protocols.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: NetSetMan
Figure 2-21 NetSetMan allows a user to switch between sets of network settings.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Distinct Network Monitor
Figure 2-22 Distinct Network Monitor displays live network traffic statistics.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: MaaTec Network Analyzer
Figure 2-23 MaaTec Network Analyzer can color-code data based on different criteria.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: ntop
Figure 2-24 ntop displays network statistics on a Web page.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: EtherApe
Figure 2-25 EtherApe creates a graphical display of network traffic.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Colasoft Capsa Network Analyzer
Figure 2-26 Colasoft Capsa Network Analyzer provides statistics about network traffic.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Colasoft EtherLook
Figure 2-27 Colasoft EtherLook displays all the data received by every host in a LAN.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: AnalogX PacketMon
Figure 2-28 AnalogX PacketMon can show detailed information about packets.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: BillSniff
Figure 2-29 BillSniff allows a user to view hexadecimal and ASCII versions of packets.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: IE HTTP Analyzer
Figure 2-30 IE HTTP Analyzer displays its information in a separate frame within Internet Explorer.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: EtherScan Analyzer
EtherScan Analyzer Network traffic and protocol analyzer Captures and analyzes packets sent over a
local network Decodes the major protocols and is capable of
reconstructing TCP/IP sessions
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Sniphere
Figure 2-31 Sniphere can filter traffic based on several criteria.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: IP Sniffer
Figure 2-32 IP Sniffer provides graphical statistics about network traffic.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Atelier Web Ports Traffic Analyzer
Figure 2-33 Atelier Web Ports Traffic Analyzer shows hexadecimal and ASCII versions of the content of packets.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: IPgrab
IPgrab Packet sniffer for UNIX hosts Provides a verbose mode that displays a great
amount of information about packets Also provides a minimal mode in which all
information about all parts of a packet is displayed in a single line of text
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Nagios
Figure 2-35 Nagios can display details about the current network status.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Give Me Too
Figure 2-36 Using Give Me Too, users can open files that have been transferred over the network.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Sniff-O-Matic
Figure 2-37 Sniff-O-Matic shows the entire contents of each packet.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: EtherSnoop
Figure 2-38 EtherSnoop allows users to choose which packets to see in a more detailed view.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: GPRS Network Sniffer: Nokia LIG
Figure 2-39 The LIC, LIB, and LIE all work together in the Nokia LIG.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Siemens Monitoring Center
Designed for law enforcement and government security agencies Permits integration within all telecommunications
networks that use any type of modern standardized equipment compatible with an ETSI recommendation
With the help of the Siemens Intelligence Platform Analysts may find meaning among large reams of
irrelevant data Intelligence Platform
Means to organize disparate pieces of information for the law enforcement and security agencies so decision makers can act upon the information
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: NetWitness
Figure 2-40 NetWitness allows users to view files captured from other machines on the network.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: NetResident
Figure 2-41 Users can view reconstructed Web pages using NetResident.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: InfiniStream
Figure 2-42 InfiniStream captures packets from the network.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: InfiniStream (continued)
Figure 2-43 InfiniStream shows various types of charts describing statistics about network traffic.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: eTrust Network Forensics
Some of the features of eTrust Network Forensics: Network traffic recording and visualization Real-time network data capture Advanced visualization Pattern and content analysis Communications catalog On-demand incident playback Advanced security investigation
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: ProDiscover Investigator
Figure 2-45 ProDiscover Investigator inspects disk contents around the network for illegal content.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: P2 Enterprise Shuttle
Enterprise investigation tool that views, acquires, and searches client data wherever it resides in an enterprise
Checks the main communication pass-through for the system as well as the routers and firewalls
Acts as the central repository for all forensic images collected and is integrated with MySQL
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Show Traffic
Figure 2-46 Show Traffic shows a continuous display of network traffic.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Network Probe
Figure 2-47 Network Probe provides a graphical summary of network traffic.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Snort Intrusion Detection System Software-based, real-time network intrusion
detection system Snort features include:
Detects threats based on pattern matching Uses syslog, SMB messages, or a file to alert
an administrator Develops new rules quickly once the pattern
(attack signature) is known for a vulnerability Records packets from the offending IP address
in a hierarchical directory structure Records the presence of traffic that should not
be found on the network
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Snort Rules
There are a number of rules that Snort allows a user to write
Each Snort rules must describe the following: Any violation of the security policy of the
company that might be a threat to the security of the company’s network and other valuable information
All the well-known and common attempts to exploit the vulnerabilities in the company’s network
The conditions in which a user thinks that the identity of a network packet is not authentic
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: Network Probe
Figure 2-48 Snort is a powerful IDS that allows users to write new rules.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Tool: IDS Policy Manager
Figure 2-49 IDS Policy Manager allows users to manage multiple Snort policies.
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Documenting the Evidence Gathered on a Network Documenting the evidence gathered on a
network is easy if the network logs are small, as a printout can be taken and tested
Documenting digital evidence on a network becomes more complex when the evidence is gathered from systems that are in remote locations Because of the unavailability of date and time
stamps of the related files For documentation and integrity of the
document, it is advisable to follow a standard methodology
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Evidence Reconstruction for Investigation Gathering evidence on a network is
cumbersome for the following reasons: Evidence is not static and not concentrated at
a single point on the network The variety of hardware and software found on
the network makes the evidence-gathering process more difficult
Three fundamentals of reconstruction for investigating a crime: Temporal analysis Relational analysis Functional analysis
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Summary
There are two types of network addressing schemes: LAN addressing and Internetwork addressing
Sniffing tools are software or hardware that can intercept and log traffic passing over a digital network or part of a network
The ARP table of a router comes in handy for investigating network attacks, as the table contains IP addresses associated with the respective MAC addresses