4. Network Forensics ?
• What we have seen is DEAD analysis
• Network evidence is highly volatile.
• Needs real time analysis of network traffic.
Network Forensics 4
5. Network Forensics
• Network forensics is the capture, recording, and
analysis of network events in order to discover the
source of security attacks or other problem incidents.
• The ultimate goal is to provide sufficient evidence to
allow the criminal to be successfully prosecuted.
• Network forensics can reveal evidence that is crucial to
building a case.
• Forensics for computer networks is extremely difficult
and depends completely on the quality of information
you maintain.
6. Why network-based evidence?
– Host-centric forensics is an established discipline,
but many investigators ignore or do not
understand network traffic
– Network-based evidence can be found
everywhere
– Network-based evidence can be easy to collect --
without anyone's notice
9. Network Forensics Model
• Proactive Forensics: Capture, Preserve, Research, Extract, Solve
• Detect: Identify
• Reactive Forensics: Data Aggregation, Data Validation, Data Analysis,
Data Confirmation
10. Network Elements
MX
PC
Proxy
Laptop
Relay
Web Server
Web Server
Mail Server
DB Server
Firewall
IDS / IPS
Switch
Router
Wifi Router
Access Point
11. Network Forensics
• Systematic Capture and Analysis of network
events and traffic in order to trace and prove
a network incident.
– Online Capture and Analysis
– Offline Analysis
12. Online Analysis of Network Traffic
Network-based evidence complements host-based
evidence.
Network traffic can be used to show a timed sequence of user’s
network activities.
Suspicious network activities can be monitored real-time.
13. Online Analysis of Network Traffic
• Network traffic also enables an investigator to extract
information that is difficult to obtain from host-based
evidence, such as
– IP addresses and other identity information a user uses
– Passwords
• Specialized knowledge and tools are required to process
network traffic as a source of evidence.
• In general, there is only one chance to capture real-time
network data from a network.
14. Online Monitoring
• If you need to have online analysis of network you need
to capture packets.
• Network Traffic Analysis requires online capturing
and analysis of packets in real time.
• Used in Stateful Analysis
– IPS
– IDS
– Firewall
16. TAPS
Test Access Ports
Devices specially built for accessing traffic between
network devices
Usually pre-installed at important traffic points
Physical devices are able to capture traffic at the
physical layer
18. Inline device
Similar to a tap, but implemented using a computer having
at least two bridged NICs
The two devices being monitored are connected to these
two NICs
Traffic through the bridged NICs is available to the
computer or another device connected to an extra NIC
Inline devices are also used to enforce access control.
19. Hub
The simplest and cheapest way to gain access to
network traffic
A hub forwards frames to all ports.
A monitoring station, connected to one of the ports,
sees all traffic passing through the hub.
20. SPAN Port - Switched Port Analyzer
(Port Mirroring)
Provided on good switches
A switch can be configured to copy one or more switch
ports to a dedicated port.
A capture device connected to the SPAN port sees traffic
flowing through specified switch ports.
A SPAN port only copies valid network packets.
Error packets may be ignored and not copied.
21. Collecting Network Traffic as Evidence
• Position the sensor properly
• Consider perimeter monitoring
scenario at right
– Perimeter is easiest place to
monitor
– However, sensor as shown
may not be able to see all the
traffic an analyst needs to
understand the scope of an
intrusion
• Alternative deployments shown
on following slides
22. Collecting Network Traffic as Evidence
• At left we monitor perimeter (via tap) and DMZ (via switch SPAN)
• At right we add a filtering bridge/sensor to watch and/or
control a high value target
23. Collecting Network Traffic as Evidence
• Don't forget to accommodate address translation issues
• Here we add a second interface behind the gateway
26. Collecting Network Traffic as Evidence
• Consider using Network Security Monitoring principles to guide your data
collection strategies
– Alert data (Snort, other IDSs)
• Traditional IDS alerts or judgments (“RPC call!”)
• Context-sensitive, either by signature or anomaly
– Full content data (Tcpdump)
• All packet details, including application layer
• Expensive to save, but always most granular analysis
– Session data (Argus, SANCP, NetFlow)
• Summaries of conversations between systems
• Content-neutral, compact; encryption no problem
– Statistical data (Capinfos, Tcpdstat)
• Descriptive, high-level view of aggregated events
• Sguil (www.sguil.net) is an interface to much of this in a single open
source suite
27. Protecting and Preserving Network-Based Evidence
• Hash traces after collection and store hashes elsewhere
• Understand forms of evidence
• Copy evidence to read-only media when possible
• Create derivative evidence
• Follow chains of evidence
28. Protecting and Preserving Network-Based Evidence
• Understand forms of evidence
• Best evidence should, to the extent practically possible, never be analyzed
directly.
– Rather, investigators should make working copies of the best
evidence, and analyze those duplications.
– Network traffic saved on a sensor is the best evidence available.
– Copies of that traffic transferred to a central location become working
copies.
29. Protecting and Preserving Network-Based Evidence
Create derivative evidence
1. Ensure you have a hash of the original file stored in a safe
location.
2. After verifying the hashes match, use the desired Packet
Analysis to extract packets of interest to a new file and
directory.
3. Hash the resulting file
4. Make multiple copies of the new local evidence file, and
analyze them at will.
5. Document these steps on both platforms.
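The five steps above as a runnable Python workflow (an added example, not a tool from these slides): it verifies the stored SHA-256 of the original capture, copies only the packets of interest into a new pcap, hashes that file and appends a custody record. The minimal pcap reader/writer, the constructed three-packet capture and the "source IP" selection filter are assumptions made for the demonstration.

```python
import hashlib
import json
import os
import struct
import tempfile
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101  # DLT_RAW: each record starts directly with the IPv4 header


def sha256_file(path):
    """Steps 1 and 3: hash a file in chunks so large captures do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def read_pcap(path):
    """Return (global header bytes, [(record header bytes, packet bytes), ...])."""
    with open(path, "rb") as f:
        ghdr = f.read(24)
        if struct.unpack("<I", ghdr[:4])[0] != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap file")
        records = []
        while True:
            rhdr = f.read(16)
            if len(rhdr) < 16:
                break
            incl_len = struct.unpack("<IIII", rhdr)[2]
            records.append((rhdr, f.read(incl_len)))
    return ghdr, records


def ipv4_src(pkt):
    return ".".join(str(b) for b in pkt[12:16])  # source address sits at offset 12


def create_derivative(original, derived, src_ip, expected_sha256, log_path):
    """Steps 1-5 of the slide: verify stored hash, extract, hash the result, log it."""
    verified = sha256_file(original)
    if verified != expected_sha256:
        raise RuntimeError("original evidence hash mismatch: stop and document")
    ghdr, records = read_pcap(original)
    kept = [(r, p) for r, p in records if ipv4_src(p) == src_ip]
    with open(derived, "wb") as out:  # step 2: packets of interest in a new file
        out.write(ghdr)
        for rhdr, pkt in kept:
            out.write(rhdr + pkt)
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "original": original, "original_sha256": verified,
        "filter": "ipv4.src == " + src_ip, "packets_extracted": len(kept),
        "derived": derived, "derived_sha256": sha256_file(derived),
    }
    with open(log_path, "a") as log:  # step 5: append-only record of what was done
        log.write(json.dumps(entry) + "\n")
    return entry


def ipv4_packet(src, dst, payload=b"x"):
    """Constructed IPv4 packet for the sample capture (checksum left zero)."""
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                       17, 0, addr(src), addr(dst)) + payload


def write_sample_pcap(path):
    """Constructed three-packet capture standing in for traffic saved on a sensor."""
    pkts = [ipv4_packet("10.0.0.5", "10.0.0.1"), ipv4_packet("10.0.0.9", "10.0.0.1"),
            ipv4_packet("10.0.0.5", "10.0.0.2", b"hello")]
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
        for i, p in enumerate(pkts):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p)


def demo():
    """Run the workflow on the constructed capture; returns the custody log entry."""
    d = tempfile.mkdtemp()
    orig = os.path.join(d, "sensor.pcap")
    write_sample_pcap(orig)
    stored_hash = sha256_file(orig)  # step 1: the hash kept in a safe location
    return create_derivative(orig, os.path.join(d, "suspect.pcap"), "10.0.0.5",
                             stored_hash, os.path.join(d, "custody.log"))
```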
30. Analyzing Network-Based Evidence
• Validate results with more than one system
• Beware of malicious traffic
• Document not just what you find, but how you found it
• Follow a methodology
31. Trends
• Significant increase in network-based DoS attacks
over the last year
– Attackers’ growing accessibility to networks
– Growing number of organizations connected to
networks
• Vulnerability
– Most networks have not implemented spoof
prevention filters
– Very little protection currently implemented against
attacks
32. Goals of Attacks
• Prevent another user from using network
connection
– “Smurf” attacks, “pepsi” (UDP floods), ping floods
• Disable a host or service
– “Land”, “Teardrop”, “Bonk”, “Boink”, SYN
flooding, “Ping of death”
• Traffic monitoring
– Sniffing
33. “Smurfing”
• Very dangerous attack
– Network-based, fills access pipes
– Uses ICMP echo/reply packets with broadcast networks to multiply
traffic
– Requires the ability to send spoofed packets
• Abuses “bounce-sites” to attack victims
– Traffic multiplied by a factor of 50 to 200
– Low-bandwidth source can kill high-bandwidth connections
• Similar to ping flooding, UDP flooding but more
dangerous due to traffic multiplication
34. “Smurfing” (cont’d)
• The perpetrator sends an ICMP echo request, with the spoofed source
address of the victim, across the Internet to the IP broadcast address of
a bounce network
• Every host on that network answers with an ICMP echo reply, and all of
those replies go to the victim
35. “Smurfing” trend
• Smurf attacks are still “in style” for attackers
• Significant advances made in reducing the
effects
– Education campaigns through the use of white
paper and other education by NOCs has reduced
the average “smurf” attack from 80 Mbits/sec to 5
Mbits/sec
• Most attacks can still inundate a T1 link
36. “Teardrop”, “Bonk”, “Boink”, “Ping of
Death”
• Goal is to severely impair or disable a host or
its IP stack
• Use packet fragmentation and reassembly
vulnerabilities
• Require that a host IP stack be able to receive
a packet from an attacker
37. SYN flooding
• Goal is to deny access to a TCP service running
on a host
• Creates a number of half-open TCP
connections which fill up a host’s listen queue;
host stops accepting connections
• Requires the TCP service be open to
connections from the victim
38. Sniffing
• Goal is generally to obtain information
– Account usernames, passwords
– Source code, business critical information
• Usually a program placing an Ethernet adapter
into promiscuous mode and saving
information for retrieval later
• The host running the sniffer program is
compromised using host attack methods.
40. Packet Switched Networks
• Each message is divided into small data blocks called
packets
• Packets are stored, and forwarded by intermediate
nodes
• Packets from different nodes, and process get
intermixed in the network
• Packets may follow different routes
• Shortest path to the destination
43. Benefits
• No user can monopolise the link for a long time
• Network traffic load balancing
• Doesn’t waste resources of network
• No congestion at connection setup time
44. Drawbacks
• Packets may arrive out of order. Message needs to be
reassembled at receiving end.
• May cause delay in real-time applications (audio/video)
• Service is not guaranteed
45. Packet
[Figure: Packet = Header + Data]
– A packet is a formatted block of data carried by a computer
network
– Internet, LAN use packet technology to transfer data
– Key components are header and data
46. Data
• Information to be conveyed between sender and the
receiver
• It can be text or binary
– Images, documents, web page, email …
• It may be small enough to store in a single packet or else
it has to be split and stored in multiple packets
47. Header
• Meta information added to the data
• With the help of the header, data reaches the destination
correctly
• Header contains Address, Length, Type, Error
detection code, Packet order, Status flag …
48. Why header is needed?
• To ensure delivery to the right receiver
• To ensure correctness and order of data
• Proper routing of packets
49. Packetisation
[Figure: the sender process (e.g. Internet Explorer) hands a message to its
TCP/IP protocol stack, which splits it into packets (H1 + “Mes”, H2 + “sage”)
and sends them through the network interface card over the communication
link; the receiver’s NIC and TCP/IP protocol stack reassemble the packets into
the message for the receiving process (e.g. a web server).]
50. Protocol Suite
• Collection of protocols to deliver data
• Eg. TCP/IP, Xerox XNS, DECnet, AppleTalk
Layer correspondence as drawn on the slide:
TCP/IP        ISO/OSI        Xerox XNS
              (above)        Level 4+
Application   Application
              Presentation   Level 3
              Session
Transport     Transport      Level 2
Internet      Network        Level 1
              Data Link
Link          Physical       Level 0
51. TCP/IP Layers - Link Layer
• Main responsibility is to move the packet between hosts
through the physical medium
• The network interface card and its device driver do this
• Adds the link layer specific address and other details to the
packet
• Has a mechanism to resolve the physical address from the logical
address, in broadcast networks
• Characteristics of the communication signal are handled here
52. TCP/IP Layers - Network Layer
• Main responsibility is to move the packet between networks
to reach the final destination (Routing)
• This is an unreliable protocol; higher layers have to add reliability
• Handles fragmentation and reassembly of packets, when passed
through different networks.
• Facility for error handling and diagnosis – special protocols for
conveying the intermediate node status and errors that occurred
53. TCP/IP Layers - Transport Layer
• End to end message transfer facility or process to process
communication
• Has facilities for flow control and error control
• This layer can add reliability to the data transferred
• Splits the large data into small chunks for the network layer
• This layer associates the packet with a particular application
through ports
• Port - A port is a logical address; it has nothing to do with the
physical ports present on a computer.
54. TCP/IP Layers - Application Layer
• Handles the details of particular application, eg. Email, web
• Adds meta information to the actual data to send (or Formats
the data)
• This formatted message is encapsulated in transport layer
protocol
• The respective applications can interpret this message
• The message may be plain text or binary and can be encrypted
or compressed
55. TCP/IP stack with sample protocols
• Application: HTTP, SMTP, POP3, FTP, Telnet, DNS
• Transport: TCP, UDP
• Internet: IP, ICMP
• Link: Ethernet, FDDI, SLIP, PPP, ARP, RARP
56. The way a packet is formed (Encapsulation)
• Application layer: HTTP message
• Transport layer: TCP header + HTTP message
• Network layer: IP header + TCP segment
• Link layer: Ethernet header + IP packet
66. Filtering
• Filtering based on
– MAC
– IP
– Date, Time
– Pattern
• Combinations of the above
– Packets between a particular date and time
– Packets from a particular IP
• Complex filter expressions
67. Statistics
• Based on
– Bandwidth utilization
– IP
– Date and time
– Protocol based (Email, FTP, HTTP… )
• Eg. Top mail sender
68. Statistics based analysis
[Figure: bar chart “Mail traffic of individuals on different days” (Mails per
node 1.1.1.1 to 1.1.1.4, dates 1/1 to 4/1) and line chart “Data traffic to
different servers” (MBytes/sec per 1.1.1.x server over time 0 to 21).]
69. Session reconstruction
[Figure: Packet 1, P2, P3 … Pn are reassembled into File 1, F2 … Fm]
• TCP session reconstruction
– Images, emails and other files
• UDP stream reconstruction
– Streamed video, audio, VoIP and other types of
communications
72. Legal Issues
• You may not be able to use hacker techniques
against them
• Laws for gathering evidence are confusing
• Logs may or may not be admissible
• Perpetrator may or may not be prosecutable
• It is important to know about:
– Local laws on computer-related crimes
– Legal processes and how to build a criminal case
75. Online Monitoring
• If you need to have online analysis of network
you need to capture packets.
• Network Traffic Analysis requires online
capturing and analysis of packets in real time.
• Used in Stateful Analysis
• IPS
• IDS
• Firewall
77. Protecting and Preserving Network-
Based Evidence
• Hash traces after collection and store hashes elsewhere
• Copy evidence to read-only media when possible
• Create derivative evidence
• Follow chains of evidence
• Understand forms of evidence
• Best evidence should, to the extent practically possible, never be
analyzed directly.
– Rather, investigators should make working copies of the best
evidence, and analyze those duplications.
– Network traffic saved on a sensor is the best evidence available.
– Copies of that traffic transferred to a central location become
working copies.
82. Live Analysis
• Allows for collection of data from volatile locations
such as RAM and cache.
• Often will provide extremely useful data.
• Requires installation of software to capture data,
possibly erasing critical data and spoiling the
“preservation” of the system.
83. Live Forensics - Goals
• Gathers data from running
systems
• Diagnosing your system
without killing it first.
• Snapshot of the state of the
computer: who is doing what?
what’s happening now?
86. Gathering Data
(listed from more volatile to less volatile)
• Volatile data
– registers, cache contents
– memory contents
– network connections
– running processes
• Non-volatile data
– content of filesystems and drives
– content of removable media
88. Typical Scenario
• “Dead” forensics information incomplete
– discovered to be incomplete
– predicted to be incomplete
• Non-local attacker or local user using network in
inappropriate fashion
• Generally, another event triggers network
investigation
• Company documents apparently stolen
• Denial of service attack
• Suspected unauthorized use of file sharing
software
• “Cyberstalking” or threatening email
89. Information Available
• Summary information (router flow logs)
– Routers generally provide this information
– Includes basic connection information
• source and destination IP address and ports
• connection duration
• number of packets sent
– No content! Can only surmise what was sent
– Can establish that connections between machines were
established
– Can corroborate data from log files (e.g., ssh’ing from one
machine to another to another within a network)
– Unusual ports (rootkits? botnet?)
– Unusual activity (spam generator?)
90. Information Available (2)
• Complete information (packet dumps)
– from programs like Ethereal/Wireshark, snort, tcpdump
– on an active net, can generate a LOT of data
– can provide filter options so programs only capture certain
traffic (by IP, port, protocol)
– includes full content—can reconstruct what happened
(maybe)
– reconstruct sessions
– reconstruct transmitted files
– retrieve typed passwords
– identify which resources are involved in attack
– BUT no easy way to decrypt encrypted traffic
91. Information Available (3)
• Port scans (nmap, etc.)
– Identifies machines on your network
• Often can identify operating system, printer type, etc.,
without needing account on the machine
• “OS fingerprinting”
– Identifies ports open on those machines
• Backdoors, unauthorized servers, …
– Identifies suspicious situation (infected machine,
rogue computer, etc.)
– nmap: lots of options
92. Analysis
• Does not exist in a vacuum
• Link information in analysis to network and host log
files
– who was on the network
– who was at the keyboard
– what files are on the disk and where
• Look up the other sites (who are they, where are
they, what’s the connection)
• Otherwise, network traces can be overwhelming
• Potentially huge amounts of data
• Limited automation!
93. Normal ICMP Traffic (tcpdump)
• Pings
IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6400
IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6400
IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6656
IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6656
IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6912
IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6912
IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 7168
IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 7168
• Host unreachable
xyz.com > boudin.cs.uno.edu: icmp: host blarg.xyz.com unreachable
• Port unreachable
xyz.com > boudin.cs.uno.edu: icmp: blarg.xyz.com port 7777 unreachable
94. HTTP Connections
• 3-way TCP handshake as laptop begins HTTP communication
with a google.com server
IP tasso.1433 > qb-in-f104.google.com.80: S 3064253594:3064253594(0) win 16384 <mss 1460,nop,nop,sackOK>
IP qb-in-f104.google.com.80 > tasso.1433: S 2967044073:2967044073(0) ack 3064253595 win 8190 <mss 1460>
IP tasso.1433 > qb-in-f104.google.com.80: . ack 1 win 17520
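Following the handshake state shown above also gives a way to spot the half-open connections that a SYN flood (slide 37) leaves in a listen queue. The parser for classic tcpdump TCP lines below is an added example, not from the slides; the burst.example and web.example lines are constructed.

```python
import re
from collections import Counter

# classic tcpdump TCP line: "IP host.port > host.port: FLAGS rest"
TCP_RE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) (.*)$")


def parse_tcp(line):
    """Return (src, sport, dst, dport, flags, has_ack), or None for non-TCP lines."""
    m = TCP_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, flags, rest = m.groups()
    has_ack = " ack " in " %s " % rest  # an 'ack N' field follows the sequence numbers
    return src, int(sport), dst, int(dport), flags, has_ack


def handshake_states(lines):
    """Follow each client-side 4-tuple through SYN, SYN-ACK and the final ACK."""
    states = {}
    for line in lines:
        parsed = parse_tcp(line)
        if not parsed:
            continue
        src, sport, dst, dport, flags, has_ack = parsed
        if "S" in flags and not has_ack:            # client SYN
            states[(src, sport, dst, dport)] = "SYN_SENT"
        elif "S" in flags:                          # server SYN-ACK
            key = (dst, dport, src, sport)
            if states.get(key) == "SYN_SENT":
                states[key] = "SYN_RECEIVED"        # half-open entry in the listen queue
        elif has_ack:                               # client ACK completes the handshake
            key = (src, sport, dst, dport)
            if states.get(key) == "SYN_RECEIVED":
                states[key] = "ESTABLISHED"
    return states


def half_open_per_listener(states):
    """Count handshakes that never completed, per (server, port)."""
    counts = Counter()
    for (_client, _cport, server, sport), state in states.items():
        if state != "ESTABLISHED":
            counts[(server, sport)] += 1
    return counts


def flag_syn_flood(lines, threshold):
    """Listeners with at least `threshold` half-open connections in the trace."""
    counts = half_open_per_listener(handshake_states(lines))
    return {k: n for k, n in counts.items() if n >= threshold}


SAMPLE = [  # the handshake from the slide, then a constructed burst that never completes
    "IP tasso.1433 > qb-in-f104.google.com.80: S 3064253594:3064253594(0) win 16384 <mss 1460,nop,nop,sackOK>",
    "IP qb-in-f104.google.com.80 > tasso.1433: S 2967044073:2967044073(0) ack 3064253595 win 8190 <mss 1460>",
    "IP tasso.1433 > qb-in-f104.google.com.80: . ack 1 win 17520",
]
for p in range(40001, 40005):  # four SYNs answered by SYN-ACKs, final ACK never sent
    SAMPLE.append("IP burst.example.%d > web.example.80: S %d:%d(0) win 512" % (p, p, p))
    SAMPLE.append("IP web.example.80 > burst.example.%d: S 7:7(0) ack %d win 8190" % (p, p + 1))
```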
95. Fragmentation Visualization
• Fragmentation can be seen by tcpdump
whatever.com > me.com: icmp: echo request (frag 5000:1400@0+)
whatever.com > me.com: (frag 5000:1000@1400)
• In “frag 5000:1400@0+”, 5000 is the IP ID, 1400 the fragment size,
0 the offset, and “+” the more-fragments flag
• Note that the 2nd fragment isn’t identifiable as an ICMP
echo request…
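A checker for tcpdump’s frag ID:size@offset[+] notation, written as an added example rather than taken from the slides: it groups fragments per datagram and flags the reassembly anomalies the “Teardrop”/“Ping of Death” slide describes (overlapping offsets, a total beyond 65535 bytes, fragments that never arrived). The host-b.example lines are constructed.

```python
import re
from collections import defaultdict

# tcpdump prints an IP fragment as "(frag ID:size@offset[+])"; "+" is the more-fragments flag
FRAG_RE = re.compile(r"^(\S+) > (\S+):.*\(frag (\d+):(\d+)@(\d+)(\+?)\)")
MAX_DATAGRAM = 65535  # largest value the 16-bit IPv4 total length field can carry


def parse_frag(line):
    """Return the fragment fields of one tcpdump line, or None if it is not a fragment."""
    m = FRAG_RE.match(line)
    if not m:
        return None
    src, dst, frag_id, size, offset, more = m.groups()
    return {"src": src, "dst": dst, "id": int(frag_id), "size": int(size),
            "offset": int(offset), "more": more == "+"}


def check_fragments(lines):
    """Group fragments by (src, dst, IP ID) and report what reassembly would see."""
    groups = defaultdict(list)
    for line in lines:
        frag = parse_frag(line)
        if frag:
            groups[(frag["src"], frag["dst"], frag["id"])].append(frag)
    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        issues, end = [], 0  # end = first byte not yet covered by a fragment
        for f in frags:
            if f["offset"] > end:
                issues.append("gap@%d" % end)              # bytes never seen
            elif f["offset"] < end:
                issues.append("overlap@%d" % f["offset"])  # Teardrop/Bonk family
            if f["offset"] + f["size"] > MAX_DATAGRAM:
                issues.append("oversized")                 # Ping of Death family
            end = max(end, f["offset"] + f["size"])
        if frags[-1]["more"]:
            issues.append("incomplete")  # the final fragment (MF clear) never arrived
        report[key] = {"fragments": len(frags), "total": end, "issues": issues}
    return report


SAMPLE = [  # the two lines from the slide plus constructed host-b.example fragments
    "whatever.com > me.com: icmp: echo request (frag 5000:1400@0+)",
    "whatever.com > me.com: (frag 5000:1000@1400)",
    "host-b.example > me.com: (frag 7000:36@0+)",
    "host-b.example > me.com: (frag 7000:36@24)",      # overlaps bytes 24-35
    "host-b.example > me.com: icmp: echo request (frag 9000:1480@0+)",
    "host-b.example > me.com: (frag 9000:1480@64800)",  # ends past 65535
    "host-b.example > me.com: icmp: echo reply",         # not a fragment, ignored
]
```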
96. nmap 137.30.120.*
Starting Nmap 4.11 ( http://www.insecure.org/nmap )
at 2006-10-24 19:32
Interesting ports on 137.30.120.1:
Not shown: 1679 closed ports
PORT STATE SERVICE
23/tcp open telnet
MAC Address: 00:0D:ED:41:A8:40 (Cisco Systems)
All 1680 scanned ports on 137.30.120.3 are closed
MAC Address: 00:0F:8F:34:7E:C2 (Cisco Systems)
All 1680 scanned ports on 137.30.120.4 are closed
MAC Address: 00:13:C3:13:B4:41 (Cisco Systems)
All 1680 scanned ports on 137.30.120.5 are closed
MAC Address: 00:0F:90:84:13:41 (Cisco Systems)
…
…
97. nmap 137.30.120.*
Interesting ports on mailsvcs.cs.uno.edu (137.30.120.32):
Not shown: 1644 closed ports
PORT STATE SERVICE
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
37/tcp open time
79/tcp open finger
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
512/tcp open exec
…
…
104. Wireshark: HTTP Session
Save the session, then trim away the
HTTP headers to retrieve the image
Use: e.g., WinHex
105. HTTP (An application layer protocol)
Request from client
Response from server
HTML web page
106. Prevention Techniques
• How to prevent your network from being the source of the
attack:
– Apply filters to each customer network
• Allow only those packets with source addresses within the customer’s
assigned netblocks to enter your network
– Apply filters to your upstreams
• Allow only those packets with source addresses within your netblocks to
exit your network, to protect others
• Deny those packets with source addresses within your netblocks from
coming into your network, to protect your network
• This removes the possibility of your network being used as an
attack source for many attacks which rely on anonymity
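The three source-address filters above expressed as a policy check over constructed packets (an added example, not from the slides). OUR_NETBLOCKS and the customer assignments are assumed documentation ranges, and the packet list is constructed.

```python
import ipaddress
from collections import Counter

OUR_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed: our own allocation
CUSTOMER_NETBLOCKS = {                                   # assumed customer assignments
    "cust-a": [ipaddress.ip_network("203.0.113.0/26")],
    "cust-b": [ipaddress.ip_network("203.0.113.64/26")],
}


def _in(ip, blocks):
    return any(ip in block for block in blocks)


def decide(edge, src, customer=None):
    """Return ("permit"|"deny", reason) for a packet with source `src` seen at `edge`.

    edge is one of:
      "customer-in":  entering from a customer port (needs `customer`)
      "upstream-out": leaving toward the upstream
      "upstream-in":  arriving from the upstream
    """
    ip = ipaddress.ip_address(src)
    if edge == "customer-in":      # slide rule 1
        if _in(ip, CUSTOMER_NETBLOCKS[customer]):
            return "permit", "source inside %s's assigned netblocks" % customer
        return "deny", "source outside %s's assigned netblocks" % customer
    if edge == "upstream-out":     # slide rule 2, protects others
        if _in(ip, OUR_NETBLOCKS):
            return "permit", "source inside our netblocks"
        return "deny", "source not ours; would make us an anonymous attack source"
    if edge == "upstream-in":      # slide rule 3, protects our network
        if _in(ip, OUR_NETBLOCKS):
            return "deny", "external packet claims one of our addresses"
        return "permit", "external source"
    raise ValueError("unknown edge " + edge)


SAMPLE = [  # constructed packets: (edge, source address, customer or None)
    ("customer-in", "203.0.113.10", "cust-a"),
    ("customer-in", "203.0.113.70", "cust-a"),   # cust-b address on cust-a's port
    ("customer-in", "198.51.100.9", "cust-b"),   # address from outside our allocation
    ("upstream-out", "203.0.113.200", None),
    ("upstream-out", "192.0.2.33", None),
    ("upstream-in", "192.0.2.33", None),
    ("upstream-in", "203.0.113.5", None),         # our own address arriving from outside
]


def tally(packets=SAMPLE):
    """Count permit/deny verdicts per edge; returns {(edge, verdict): count}."""
    counts = Counter()
    for edge, src, customer in packets:
        verdict, _reason = decide(edge, src, customer)
        counts[(edge, verdict)] += 1
    return dict(counts)
```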
107. Prevention Techniques
• How to prevent being a “bounce site” in a “Smurf” attack:
– Turn off directed broadcasts to networks:
• Cisco: Interface command “no ip directed-broadcast”
• Proteon: IP protocol configuration “disable directed-broadcast”
• Bay Networks: Set a false static ARP address for bcast address
– Use access control lists (if necessary) to prevent ICMP echo requests
from entering your network
– Encourage vendors to turn off replies for ICMP echos to broadcast
addresses
• Host Requirements RFC-1122 Section 3.2.2.6 states “An ICMP Echo Request
destined to an IP broadcast or IP multicast address MAY be silently discarded.”
• Patches are available for free UNIX-ish operating systems.
108. Conclusion: Network Analysis
• Potentially a source of valuable evidence beyond
that available from “dead” analysis
• By the time an incident occurs, may have lost the
chance to capture much of the interesting traffic
• Challenging: huge volumes of data
• Again, only one part of a complete investigative
strategy
• This introduction didn’t include stepping stone
analysis, many other factors (limited time)
111. NeSA Architecture
Components shown in the architecture diagram:
• Packet Capture: writes a pcap format dump
• Packet Filter: driven by filter rules
• Packet Classifier: groups the packets at load time
• Protocol Dissectors and Packet Analyser: packet hex view, packet tree
view, hex dump view
• Packet Rebuild: driven by rebuild rules; rebuilt sessions go to the
Session Parser
• Session Parser (HTTP, SMTP, POP3 and FTP): driven by parse rules
• Views of extracted content: picture view, file view, mail view
• Also shown: Crypto, Media Player
112. Packet Capture
• Uses pcap library
• Captures packet in promiscuous mode
• Similar capture features as of Wireshark
• Stores the captured packets to the user
specified dump file
• Capture filter can be supplied
– e.g. Capture only tcp traffic
113. Packet Filter
• Based on the filter rule supplied, filters
packets as well as the TCP sessions.
• Packet filter language is same as that of pcap
• TCP session filter language is custom written
– Filtering based on date/time
– Protocol based filter
– MAC, IP and Port based filtering
– Complex combinations of the above
114. Protocol Dissector
• Shows each field of a packet in great detail
• Dissects very common protocols like IP,
TCP,UDP, ARP …
• Useful to get a very detailed view of each
packet
• Helpful in detecting malformed packets
115. Packet Classifier
• At load time itself, classifies the packets to
different groups in order to improve the
performance of later analysis process
• TCP session filter (Rebuild filter) chooses only
from this classified group of packets, thus it has
to process only a very small portion of the entire
dump file
116. Packet Analyser
• Has a packet filtering scheme
• Packets can be exported
• Has an easily extendible packet (protocol)
dissector
• Shows the dissected packets in a hex view as
well as in a tree control, as in Wireshark
117. Packet Rebuild
• Rebuilds the TCP session
• Shows the rebuilt session in a hex view with
data direction indication
• To identify different types of session,
colouring schemes can be given
• Rebuilt sessions are passed to the session
parser
118. Session Parser
• Parses the rebuilt session and tries to extract the
available files in it.
• Presently parses HTTP, SMTP, POP3 and FTP.
• The above are the most common application layer
protocols
• More parsers can be added
• Parses MIME and extracts files from it
• Shows the extracted files in a thumbnail view, file view
and mail view.
• These files can be exported
119. Distinctive Features of NeSA
• NeSA is data centric as well as packet centric,
whereas most other tools are packet centric. This
makes NeSA a distinct product
– Session parser
– Session filter
– Session views
120. NeSA (Network Session Analyser)
• A solution developed by CDAC for offline packet
analysis
• Features
– TCP session reconstruction and file recovery
– Packet filter
– Powerful session filter
– Regular expression based search
– File export, especially mail export
– Packet dissect view
121. NeSA Architecture
(Architecture diagram repeated from slide 111.)
122. Future plan –Moving to online
• Real-time packet analysis
• Decryption support
• Support for more protocols
123. Catching Packets
• Enable promiscuous mode of the Ethernet card from which packets
have to be caught
• Otherwise the OS will see only the packets which are destined to
that system
• Packet capture tools:
– tcpdump
– wireshark
• Sample tcpdump command:
– tcpdump -s0 -i eth0 -w file/to/store.dump
– The -s0 option tells tcpdump to capture full-length packets
– The -i eth0 option instructs it to capture from the interface eth0
– The -w option indicates the file in which the captured packets are to be stored
124. Catching packets in an Enterprise
[Figure: enterprise network with a gateway, switches and hosts N1 to N6;
three capture positions are annotated:]
• At the gateway: only packets passing through the gateway, no local
traffic like “between N1 and N2”
• On the link between N5/N6 and the gateway: only traffic between N5, N6
and the gateway, no other traffic like “between N1 and N2”
• On N4’s switch port: only traffic of N4
• Place the capture system accordingly
129. Issues and Challenges
• Processing the large data
• Lack of forensics tools
• Lack of proven methods
• Varied attacks
• Encrypted data
• Partial data
• Spoofed packets
• Unknown protocols