Digital Forensics Lecture 7. Network Analysis

Transcription

1 Digital Forensics Lecture 7 Network Analysis

2 This Week s Presentations Johnathan Ammons: Web Analysis Kelcey Tietjen: Wireless Network Traffic David Burton: Collection and Analysis of Network Traffic David Burton: Network Devices: Routers, Switches, (EC)

3 Week after Next Presentations Maggie Castillo: Cell Phones Jim Curry: PDAs Ryan Ware: Investigation of Non-traditional Equipment: Autos, Washers, Nicholas Gallegos: MP3 Players Barry Gavrich: Flash Media (EC) Ron Prine: Digital Cameras Next Week: Midterm Exam

4 Lecture Overview Legal/Policy Preparation Collection Analysis Findings/ Evidence Reporting/ Action Investigative Goals Investigation Centric Analysis Data Centric Analysis General Tools and Methods

5 Module 1 First Steps

6 Goals Collect evidence Identify: Scope of activity Other parties involved Support or refute allegation Timeline Ensure compliance

7 Types of Network-Based Evidence Full content data Every bit, every sound, lots of disk space Session data Addresses, phone numbers, trap&trace Alert data Triggered, keywords, addresses, services, event Statistical data Whole picture, causal, patterns

8 Characteristics of Network Data Ephemeral Many locations Computer systems Network components Can be large in size Might be encrypted Could be fragmented

9 Tying it Together Role is a key factor in all decisions Goals determine Type of collection Type of collection determines Tools

10 Module 2 Setup

11 Consider a network diagram to show Route diversity Switched networks Convergence Wireless (hidden node problem) Difficulties resulting from this Incomplete observation Difficulty in collecting on a network that s not well prepped Well trained investigators Large data

12 System Tools Used for after-incident collection Volatile data on running system Placed prior to need How do you trust the data collected?

13 Network Tools Part of infrastructure Routers, switches, hubs, access points Packet capture, SNMP, other Additional taps Workstations, sniffers Packet capture, IDS s, other

14 Module 3 Investigation Centric Analysis

15 Roles User Owner of personal system Corporation or organization Company Service Provider Local investigators Federal investigators International investigators

16 Role-Based Motivation Private owner Maintain system security (i.e., Title 18) Corporation Maintain system security, ensure operational continuity Investigate system misuse Identify and manage compromise Various investigative authorities Investigate computer-related criminal activity Fraud, theft, damage, use of IT in other crimes, etc. Investigate other criminal activity Murder, kidnap, fraud, etc. Counter-terrorism

17 Approach Identify communicating parties Geo-locate the source/destination Help provide individual attribution Determine intent/nature of suspected communications Capture and provide evidence of crime Identify social networks Others?

18 Processes Store and post-analyze vs. real time analysis Implement a corporate framework Court order to wire tap Others?

19 Analysis Techniques Log analysis Network device Computer network logs Statistics Protocol Conversations Time of day Flow size Number of connections Signatures Well known crime

20 Module 4 Data Centric Analysis

21 Tools for Collection Packet capture and interpretation ethereal tcpdump windump Limitations For example, stream reassembly Statistical tools

22 Tools for Analysis tcptrace identify sessions snort event scanner tcpflow reassembling sessions ethereal jack of all trades

23 Network Equipment Routers Switches SNMP enabled devices Firewalls DHCP servers IDS sensors Proxy servers

24 Routers/Switches Caches (Live analysis) ARP Route tables Logs Previously setup for capture

25 Network Computer Information Similar to network device commands From computer point-of-view Corresponding connections to network devices

26 Module 5 Future Needs

27 Gaps What are the features that each role would enjoy having? Home user Parent Corporate IT investigator Criminal investigator Counter terrorism authority

28 More Gaps What are the difficult problems? E.g., observation, interpretation, large data analysis, etc.

29 More Gaps Balancing privacy with security Data collection on switched or multi-path networks Volume of data to be collected Analysis techniques

30 Questions? After all, you are an investigator