Network Forensics
Section II. Basic Forensic Techniques and Tools
CSF: Forensics Cyber-Security, MSIDC, Spring 2017
Nuno Santos
Summary
- Network addresses
- Network infrastructure
Recall from last class
- Ultimately, in a forensic examination, we're investigating the actions of a person
- Almost every event or action on a system is the result of a user either doing something (or not doing something)
- Many events change the state of the operating system (OS)
- OS forensics helps understand how system changes correlate to events resulting from the actions of somebody in the real world
[Figure: 1) action -> 2) OS state change -> 3) OS forensics]
Analyzing evidence from computer networks
- Traffic analysis techniques
- Involves knowing:
  - Where to look for data
  - How to retrieve it
  - How to analyze it
Let's start with a practical example
- Consider we access a website from our browser
  [Figure: browser connected to a website across the Internet]
- Can we analyze the communication going on?
Yes: using a packet analysis tool
1. Launch Wireshark
2. Access the URL: http://www.publico.pt
3. Save the collected network trace to a local file, e.g. trace.pcapng
How to interpret a network trace?
- A network trace is a linearized bit-copy of collected data exchanged over the network
  [Figure: computer network -> network trace file (010101101011110000)]
- Need to understand some basic networking concepts
Key elements in communication: an analogy
[Figure: Sender -> "Hello Bob!" -> Receiver; labelled elements: Address (sender), Message, Address (receiver), Common language, Communication channel]
Send a web page request
[Figure: Sender (IP address) -> packets carrying "HTTP GET index.htm" -> Internet (network infrastructure) -> Receiver (IP address); protocols: HTTP, TCP/IP]
Receive the web page index.htm
[Figure: Receiver (IP address) -> packets carrying index.htm -> Internet (network infrastructure) -> Sender (IP address); protocols: HTTP, TCP/IP]
Key concepts to interpret a network trace
- Addresses
- Networking infrastructure
- Packets
- Protocols
Addresses and networking infrastructure
IP addresses
- Two computers connected to the Internet can only communicate if each of them has an IP address
[Figure: 146.193.41.201 <-> Internet <-> 195.23.42.21]
Determining IP address
- Determining local IP address (ifconfig tool)
- Determining IP address of remote service based on DNS name (nslookup tool)
  [Figure: www.publico.pt -> nslookup -> IP address]
Connected across multiple networks
- Computers are not wired directly but linked through interconnected networks (IP = Internet Protocol)
[Figure: 146.193.41.201 - Network 1 - switch - Network 2 - router - Network 3 - 195.23.42.21]
Can we determine the path between endpoints?
- Yes! Use the tool: traceroute
IP addresses have a structure
- IP address comprises: network number & host number
- Found abundantly in digital evidence
  - E.g., in network traces, logs, configuration files, etc.
CSF - Nuno Santos
Public IP addresses assigned geographically
- Internet Assigned Numbers Authority (IANA)
  - IP addresses distributed hierarchically: IANA at the top
- Regional Internet Registries (RIRs)
  - Manage blocks of addresses assigned by IANA
- Internet Service Providers (ISPs)
  - Get blocks of addresses from RIRs
  - Assign addresses to other ISPs and end users
Private IP addresses
- Private IP addresses can't be routed through the Internet
- Example: mail header
A few issues about IP addresses
- Dynamic addresses: IP assignment is transient
- NATs: one IP hides multiple devices
Within a network, computers use MAC addresses
- Media Access Control address (MAC address)
  - Unique identifier assigned to network interfaces for communications at the data link layer of a network segment
  - Used as network addresses for Ethernet and WiFi
- Can be used to track traffic source within a network
  - Packets sent to the Internet do not contain MAC addresses
- Can be used to classify the type of machine
  - Due to its internal structure
  - http://www.macvendorlookup.com/
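A small added helper, not from the slides, that applies the last few slides (address structure, private addresses in mail headers, MAC addresses) to text pulled from evidence: it extracts IPv4 addresses, labels RFC 1918 private addresses that cannot have been Internet hops, splits an address into network number and host number for a given prefix length, and pulls the OUI out of a MAC for a vendor lookup. The mail-header and ARP-style lines in SAMPLE_EVIDENCE are constructed sample input.

```python
import ipaddress
import re

# Constructed sample evidence (not from the slides): two mail "Received:" headers and
# one ARP-table style line pairing a MAC address with a local IP address.
SAMPLE_EVIDENCE = """\
Received: from pc-lab.local (192.168.1.37) by mail.example.org (195.23.42.21)
Received: from mail.example.org (195.23.42.21) by mx.example.net (146.193.41.201)
00:1a:2b:3c:4d:5e  10.0.0.12
"""
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

# RFC 1918 blocks: not routed on the public Internet, so in a mail header such an
# address identifies an internal hop, never an Internet-reachable sender.
PRIVATE_BLOCKS = [ipaddress.IPv4Network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def extract_ipv4(text):
    """All syntactically valid IPv4 addresses in text, first-seen order, no duplicates."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            addr = str(ipaddress.IPv4Address(candidate))  # rejects e.g. 999.1.1.1
        except ipaddress.AddressValueError:
            continue
        if addr not in found:
            found.append(addr)
    return found

def classify_ipv4(addr):
    """'loopback', 'private' (RFC 1918) or 'public' for a dotted-quad string."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback:
        return "loopback"
    return "private" if any(ip in block for block in PRIVATE_BLOCKS) else "public"

def split_network_host(addr, prefix_len):
    """Network number and host number of addr for a prefix length such as 24."""
    net = ipaddress.IPv4Network(f"{addr}/{prefix_len}", strict=False)
    return str(net.network_address), int(ipaddress.IPv4Address(addr)) - int(net.network_address)

def mac_oui(mac):
    """First three octets (the OUI) of a MAC, normalised to 'AA:BB:CC' for a vendor lookup."""
    return ":".join(p.upper() for p in re.split(r"[:-]", mac)[:3])

def report(text):
    """Classify every IP in the evidence and extract the OUI of every MAC."""
    return {"ips": {a: classify_ipv4(a) for a in extract_ipv4(text)},
            "ouis": {m: mac_oui(m) for m in MAC_RE.findall(text)}}
```

Running report(SAMPLE_EVIDENCE) flags 192.168.1.37 and 10.0.0.12 as internal hops and leaves 195.23.42.21 and 146.193.41.201 as the only addresses worth a registry (RIR/ISP) lookup.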
Coming back to our network trace
Conclusions
- Network forensics cares about tracking the exchange of messages in a networked system
- There are four key concepts we need to understand: addresses, network infrastructure, packets, and protocols
- IP addresses convey important information about the topology of the network and the path of messages
References
- Primary bibliography
  - [Casey11], Chapter 21, 23.2.2
Next class
- Network Forensics II