Discussion Points:
1. Frame of Reference
2. Functionality of the Field
3. Details per 4 Categories
4. News (for your own reference)
5. Attacker Techniques
Network Forensics
Digital Forensics branches:
- Database Forensics
- Mobile Device Forensics
- Computer Forensics
- Audio & Video Forensics
- Network Forensics: Ethernet, TCP/IP, Internet, Wireless Forensics
Network forensics is a branch of digital forensics; it covers monitoring and analyzing
computer network traffic so that investigators can gather information, compile evidence,
and/or detect intrusions.
Digital Forensics
Investigation stages: 1) acquisition/imaging of exhibits (through a write-blocking device, so the original is never altered),
2) examination and analysis (a systematic search of the acquired image for evidence; the NIST process model lists
examination as its own stage between acquisition and analysis), and
3) reporting (documented findings and conclusions)
Timeline of the field:
- 1970s: rise of personal computer use
- 1978: Florida Computer Crimes Act
- 1980s/90s: evolving need for the field; multiple instances of fraud and abuse legislation; the "sysadmin" era; MD5 and SHA-1 hashing for evidence integrity (both have since been shown collision-prone, so SHA-256 is the practical choice today)
- 2000+: evolving as a field with policies
Network forensics is unique because its evidence is volatile and rarely logged. It is a reactive field of work with two general uses:
1) Security: monitoring for intrusions; network evidence may be the only evidence left if a drive was wiped clean.
2) Law enforcement: reassembling transferred files, finding and searching for keywords, parsing messages, and examining packet filters, firewalls, and existing systems.

Data Collection Methods
"Catch-it-as-you-can": all packets are captured (large storage needed); analysis is done later, in batch mode, usually at the packet level.
"Stop, look and listen": each packet is analyzed in memory as it arrives (a faster processor is needed to keep up with incoming traffic) and only certain packets are stored; real-time filtering, usually at the packet level.
Ethernet: methods are achieved by eavesdropping on the bit stream at the Ethernet (data-link) layer.
• Uses monitoring tools or sniffers such as Wireshark (formerly Ethereal)
• Captured frames are then interpreted against the relevant protocol, such as the Address Resolution Protocol (ARP)
• Capture is done on a Network Interface Card (NIC) in promiscuous mode; it sees every frame on the segment, but encryption keeps the payload content away from the sniffer
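The two collection methods above, and the Ethernet/ARP decoding this section describes, as one added example (not code from the slides or their sources): a minimal pcap reader with Ethernet, ARP and IPv4 decoding, run once in "catch-it-as-you-can" mode (store everything, then check the ARP replies in batch) and once in "stop, look and listen" mode (decode in memory, keep only what a filter selects). The capture, MAC addresses and IP addresses are constructed; the batch check flags an IP address that two different MACs claim in ARP replies, which is what ARP spoofing looks like on the wire.

```python
"""Added example (not from the slides): a tiny pcap/Ethernet/ARP/IPv4 decoder
used two ways, as a "catch-it-as-you-can" batch analysis and as a
"stop, look and listen" real-time filter. The capture below is constructed."""
import struct
from collections import defaultdict

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(b):
    return ".".join(str(x) for x in b)


# --- builders for the constructed capture --------------------------------
def eth_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    # hw type 1 (Ethernet), proto 0x0800, hlen 6, plen 4, opcode 2 (reply)
    head = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return head + sender_mac + sender_ip + target_mac + target_ip


def ipv4_packet(src_ip, dst_ip, proto=6):
    # minimal 20-byte header, no options or payload; checksum left at 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src_ip, dst_ip)


def pcap_bytes(frames):
    # little-endian pcap global header, link type 1 = Ethernet
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


# --- decoder --------------------------------------------------------------
def read_pcap(data):
    """Yield (timestamp, frame) records from a little-endian pcap byte string."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap handled in this example")
    off = 24
    while off + 16 <= len(data):
        ts, _us, caplen, _origlen = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + caplen]
        off += caplen


def decode(frame):
    """Ethernet header plus the ARP / IPv4 fields an investigator looks at first."""
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    rec = {"src_mac": mac(src), "dst_mac": mac(dst), "ethertype": etype}
    body = frame[14:]
    if etype == ETH_ARP and len(body) >= 28:
        rec.update(proto="ARP", op=struct.unpack("!H", body[6:8])[0],
                   sender_mac=mac(body[8:14]), sender_ip=ip(body[14:18]))
    elif etype == ETH_IPV4 and len(body) >= 20:
        rec.update(proto="IPv4", src_ip=ip(body[12:16]), dst_ip=ip(body[16:20]),
                   ip_proto=body[9])
    return rec


def catch_it_as_you_can(data):
    """Batch mode: keep every packet, then analyse. Here the analysis flags an IP
    address claimed by more than one MAC in ARP replies (ARP spoofing)."""
    packets = [decode(f) for _, f in read_pcap(data)]  # whole capture retained
    claims = defaultdict(set)
    for p in packets:
        if p.get("proto") == "ARP" and p["op"] == 2:
            claims[p["sender_ip"]].add(p["sender_mac"])
    conflicts = {addr: sorted(macs) for addr, macs in claims.items() if len(macs) > 1}
    return len(packets), conflicts


def stop_look_listen(data, keep):
    """Real-time mode: decode each frame in memory and retain only those the
    filter selects; everything else is dropped on the spot."""
    kept = []
    for _, f in read_pcap(data):
        rec = decode(f)
        if keep(rec):
            kept.append(rec)
    return kept


# --- constructed capture: gateway 10.0.0.1, victim 10.0.0.2, attacker poisons the victim's ARP cache
GW_MAC, VICTIM_MAC, ATTACKER_MAC = (bytes.fromhex(h) for h in ("0a0000000001", "0a0000000002", "0a0000000099"))
GW_IP, VICTIM_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])

SAMPLE_PCAP = pcap_bytes([
    eth_frame(VICTIM_MAC, GW_MAC, ETH_ARP, arp_reply(GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP)),
    eth_frame(VICTIM_MAC, GW_MAC, ETH_IPV4, ipv4_packet(GW_IP, VICTIM_IP)),
    eth_frame(VICTIM_MAC, ATTACKER_MAC, ETH_ARP, arp_reply(ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP)),
    eth_frame(GW_MAC, VICTIM_MAC, ETH_IPV4, ipv4_packet(VICTIM_IP, GW_IP)),
])

if __name__ == "__main__":
    print(catch_it_as_you_can(SAMPLE_PCAP))
    print(stop_look_listen(SAMPLE_PCAP, lambda r: r.get("proto") == "ARP"))
```

The trade-off the slides describe shows up directly: catch_it_as_you_can() holds the whole list of packets before it can say anything, while stop_look_listen() never holds more than one decoded frame plus whatever the filter kept, at the cost of having to decode at line rate. A real capture from Wireshark or tcpdump will contain the big-endian or pcapng variants this reader deliberately rejects.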
TCP/IP: methods are achieved by investigating router information (at the network layer).
• Each router keeps routing tables to pass packets along
• These are some of the best information sources for tracking data
• Follow the malicious packets back through the routers (reverse the route) to identify the source
• The network layer also provides authentication log evidence
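Reversing the route through routing tables, as an added example (not from the slides or their sources). The topology, router names and prefixes are constructed: forward_trace() does the longest-prefix lookups a packet would get on its way to a destination, and reverse_trace() starts from the router that logged the malicious packet and steps back to whichever neighbour must have forwarded it, checking at each hop that the neighbour really does route the destination through the current router (if it does not, routing is asymmetric and that neighbour's own logs are the next stop).

```python
"""Added example (not from the slides): routing tables as a tracking source.
forward_trace() follows next hops to a destination; reverse_trace() walks back
from the router that saw a malicious packet toward its claimed source.
Router names, prefixes and tables are constructed for illustration."""
import ipaddress

# Constructed tables: prefix -> next-hop router; None means directly connected.
# "internet" is the upstream provider, outside our visibility.
ROUTERS = {
    "edge":     {"0.0.0.0/0": "internet", "10.0.0.0/8": "core"},
    "core":     {"10.1.0.0/16": "branch-a", "10.2.0.0/16": "branch-b", "0.0.0.0/0": "edge"},
    "branch-a": {"10.1.0.0/16": None, "0.0.0.0/0": "core"},
    "branch-b": {"10.2.0.0/16": None, "0.0.0.0/0": "core"},
}


def lookup(router, addr):
    """Longest-prefix match, as the router itself does for every packet.
    Returns (network, next_hop) or None when there is no route."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, nh in ROUTERS[router].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forward_trace(start, dst, limit=16):
    """Routers a packet for dst traverses from `start`, until it is delivered
    locally (next hop None) or leaves the tables we hold."""
    path, cur = [start], start
    for _ in range(limit):
        match = lookup(cur, dst)
        if match is None:
            path.append("<no route>")
            break
        nh = match[1]
        if nh is None:
            break
        path.append(nh)
        if nh not in ROUTERS:
            break
        cur = nh
    return path


def reverse_trace(victim_router, src_ip, dst_ip, limit=16):
    """From the router that logged the packet, step to the router it must have come
    from, checking at each hop that that router really forwards dst_ip through us
    (otherwise routing is asymmetric and its own logs must be consulted).
    Returns (path, reason). The result is only the *claimed* origin: a spoofed
    source address leads to the upstream edge, not to the real injection point."""
    path, cur = [victim_router], victim_router
    for _ in range(limit):
        match = lookup(cur, src_ip)
        if match is None:
            return path, "no route toward claimed source"
        net, prev = match
        if prev is None:
            return path, f"claimed source {src_ip} is directly connected to {cur} ({net})"
        if prev not in ROUTERS:
            return path + [prev], f"claimed source lies beyond {cur}; ask the upstream"
        back = lookup(prev, dst_ip)
        if back is None or back[1] != cur:
            return path, f"{prev} would not forward {dst_ip} via {cur}: asymmetric route"
        path.append(prev)
        cur = prev
    return path, "hop limit reached"


if __name__ == "__main__":
    print(forward_trace("branch-a", "10.2.0.9"))
    print(reverse_trace("branch-b", "10.1.5.5", "10.2.0.9"))      # internal source
    print(reverse_trace("branch-b", "198.51.100.7", "10.2.0.9"))  # external or spoofed source
```

The second reverse_trace() call shows the limit of the method: a packet with a spoofed external source address traces cleanly to the edge router and out to the upstream, which tells you nothing about the host that actually injected it. The interface a packet arrived on (from router logs, NetFlow or a capture at that hop) is the evidence that cannot be forged by the sender; the tables only tell you where it should have come from.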
Internet: methods are achieved by identifying and examining server logs.
• Covers web browsing, email, chat, and other types of traffic and communication
• Server logs collect information about each request
• Email accounts carry useful information, except that email headers can be faked
• User account information can be associated with a particular user
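The "headers can be faked" caveat, as an added example (not from the slides or their sources): the only Received: lines in a message that can be trusted are the ones added by servers you operate, because each line is written by the host named after "by" and anything below the last such line was supplied by the sender. The message, hostnames, addresses and the OUR_SERVERS set are constructed; the bottom two Received: lines are forged to make the mail look like it came through an internal relay.

```python
"""Added example (not from the slides): find the last hop of an email's
Received: chain that one of *our* servers wrote, and treat everything below it
as unverified. The message, hostnames and addresses are constructed."""
import re
from email.parser import HeaderParser

# Mail servers we operate; only Received: lines they added are trustworthy (assumption).
OUR_SERVERS = {"mx1.example.org", "mail.example.org"}

RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message: the bottom two Received: lines were typed by the sender so
# the mail appears to originate from an internal relay at corp.example.net.
RAW_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx1.example.org; Mon, 3 Jan 2011 10:00:03 +0000
Received: from smtp.freemail.test (unknown [203.0.113.45]) by mail.example.org; Mon, 3 Jan 2011 10:00:01 +0000
Received: from relay.corp.example.net (relay.corp.example.net [198.51.100.2]) by smtp.freemail.test; Mon, 3 Jan 2011 09:59:00 +0000
Received: from ceo-laptop (ceo-laptop.corp.example.net [198.51.100.77]) by relay.corp.example.net; Mon, 3 Jan 2011 09:58:00 +0000
From: "CEO" <ceo@corp.example.net>
To: finance@example.org
Subject: urgent wire transfer

"""


def parse_received(value):
    """Pull HELO name, connecting IP and receiving host out of one Received: line."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    helo, comment, by = m.group(1), m.group(2) or "", m.group(3).rstrip(";")
    ipm = IP_RE.search(comment)
    return {"helo": helo, "ip": ipm.group(1) if ipm else None, "by": by}


def trace_origin(raw, our_servers=OUR_SERVERS):
    """Walk Received: lines newest-first. Each line was written by its `by` host,
    so stop trusting at the first line not written by one of our own servers.
    The `from` of the last trusted line is the host that really handed us the mail."""
    msg = HeaderParser().parsestr(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    trusted = []
    for hop in hops:
        if hop["by"] not in our_servers:
            break
        trusted.append(hop)
    origin = trusted[-1] if trusted else None
    return {
        "from_header": msg["From"],
        "entry_host": origin["helo"] if origin else None,
        "entry_ip": origin["ip"] if origin else None,
        "trusted_hops": len(trusted),
        "unverified_hops": len(hops) - len(trusted),
        "unverified_claims": [h["helo"] for h in hops[len(trusted):]],
    }


if __name__ == "__main__":
    print(trace_origin(RAW_MESSAGE))
```

The From: header says corp.example.net, and so do the two forged Received: lines, but the last line one of our own servers wrote records a connection from 203.0.113.45 (smtp.freemail.test); that address is the one to correlate with the mail server's own logs. The HELO name on that line is still whatever the connecting host chose to announce; only the bracketed IP was observed by our server.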
Wireless Forensics: methods are achieved by collecting and analyzing wireless traffic.
• A sub-discipline of the field
• Aims to obtain what is considered "valid digital evidence"
• This can be ordinary data OR voice communications via VoIP
• Analysis is similar to wired network situations, with different security issues
• Security compromises involving transmitted credit card numbers, personal accounts, proprietary information, passwords, and other valuable data are almost non-stop.
• One example involving Facebook (2011): previously only the login was sent over HTTPS, so the rest of the session (including the session cookie) could be sniffed on any free WiFi in a public place; Facebook then offered HTTPS for all communication with its servers.
Criminal Techniques:
• Encryption
• Hiding data within code
• Hiding with steganography
• Hiding with embedding
• Hiding with obscurity
• Hiding with no (or misleading) names on files
• Converting text to image types
• Compression
• Changing the behavior of system commands
• Changing the behavior of operating systems
• Hiding data via other means…
Steganography
[Figure: an encryption key and the original data produce the encrypted message; cover image + hidden image = stego image; right: the extracted image]
LSB extraction as shown in the figure: 1) remove all but the two least significant bits of each color component, 2) apply a subsequent normalization.
Embedding (with multiple images), quoted from source 7:
Using y = 2x + 2: "Here, if the value of x = 1 then y will be 4, indicating that the first byte of secret data will be stored in the first byte place of the second pixel, i.e. the 8-bit Red position. Similarly, x = 2 will give y = 6, so the second secret byte of data will be stored in the last byte of the second pixel (i.e. the 8-bit Blue position) and so on. Hence, by a suitable choice of a and b all bytes of the secret data can be mapped entirely into the container image."[1]
Compression
Two types of compression for hiding files:
1) Lossless compression: hiding files where the original information must remain intact and can be reconstructed exactly (GIF and BMP).
2) Lossy compression: hiding files where the integrity of the original image is not maintained (JPEGs; a very good compression rate that saves more space, but the low-order bit changes that carry an LSB payload do not survive re-encoding).
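The steganography and compression slides above, as one added example (not code from the slides or from source 7): LSB embedding and extraction on a raw RGB byte buffer, the two-LSB "extraction view" with normalization from the figure, the y = a·x + b byte mapping quoted from source 7, and a lossless versus lossy round trip to show which one the hidden payload survives. The cover pixels and payload are constructed; zlib stands in for a lossless image codec and a re-quantisation step stands in for a lossy one.

```python
"""Added example (not from the slides): LSB steganography on a raw RGB byte
buffer, the 2-LSB extraction view from the slide, the y = a*x + b byte mapping
quoted from source 7, and the effect of lossless vs lossy compression on the
hidden payload. The cover pixels and payload are constructed."""
import zlib

# Constructed 8x8 RGB cover (192 bytes = 192 LSB slots, 22 payload bytes after the 2-byte length)
COVER = bytes((i * 7) % 256 for i in range(8 * 8 * 3))
PAYLOAD = b"meet at 9"


def embed_lsb(cover, payload):
    """Write a 16-bit length prefix and the payload, MSB first, into the LSB of successive bytes."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit   # each component changes by at most 1
    return bytes(out)


def extract_lsb(stego):
    """Read the length prefix, then that many bytes, from the LSBs; a damaged
    stego image simply yields garbage or nothing."""
    bits = [b & 1 for b in stego]

    def byte_at(i):
        return sum(bit << (7 - k) for k, bit in enumerate(bits[8 * i:8 * i + 8]))

    length = min((byte_at(0) << 8) | byte_at(1), len(bits) // 8 - 2)
    return bytes(byte_at(2 + i) for i in range(max(length, 0)))


def lsb_plane_view(stego, nbits=2):
    """The slide's extraction: keep only the nbits least significant bits of every
    colour component and normalise them to 0..255 so the hidden pattern is visible."""
    mask = (1 << nbits) - 1
    return bytes((b & mask) * 255 // mask for b in stego)


def embed_linear(container, secret, a=2, b=2):
    """Source 7's mapping: the x-th secret byte (1-based) overwrites container byte
    y = a*x + b (1-based). With a=2, b=2 the first secret byte lands in byte 4,
    i.e. the red component of the second pixel, the second in byte 6 (its blue)."""
    out = bytearray(container)
    for x, s in enumerate(secret, start=1):
        out[a * x + b - 1] = s
    return bytes(out)


def extract_linear(stego, n, a=2, b=2):
    return bytes(stego[a * x + b - 1] for x in range(1, n + 1))


def lossless_roundtrip(img):
    """PNG/GIF-style: compress and decompress, bit-exact, so the LSBs survive."""
    return zlib.decompress(zlib.compress(img))


def lossy_roundtrip(img, step=8):
    """Stand-in for a lossy codec: re-quantise each component to a coarser step,
    as JPEG's quantisation does. The low-order bits, and the payload in them, are gone."""
    return bytes(min(255, (b + step // 2) // step * step) for b in img)


if __name__ == "__main__":
    stego = embed_lsb(COVER, PAYLOAD)
    print(extract_lsb(stego))
    print(extract_lsb(lossless_roundtrip(stego)))
    print(extract_lsb(lossy_roundtrip(stego)))
```

Two things worth noticing: the LSB variant changes each component by at most 1, which is why the stego image looks identical and why the normalised two-bit plane (values 0, 85, 170, 255) is the view an examiner uses to spot it; and the whole-byte mapping from source 7 hides more per pixel but replaces entire colour values, so it is far more visible and just as fragile under lossy re-encoding.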
Sources Consulted and Referenced:
1. http://www.e-evidence.info/thiefs_page.html
2. http://www.netresec.com/?page=Blog&month=2011-01&post=Facebook-SSL-and-Network-Forensics
3. http://en.wikipedia.org/wiki/Network_forensics
4. Image citation: http://e-fense.com/index.php
5. https://www.blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_network_forensics.html
6. http://www.garykessler.net/library/fsc_stego.html
7. [1] http://paper.ijcsns.org/07_book/200801/20080132.pdf
8. http://courses.ece.ubc.ca/592/PDFfiles/Data_Compression.pdf
9. http://ansoncse.hubpages.com/hub/Effective-Secret-Hiding-Steganography
Questions?