Networks and the Internet: A Primer for Prosecutors and Investigators


Computer Crime & Intellectual Property Section
Networks and the Internet: A Primer for Prosecutors and Investigators
Al Rees, Trial Attorney
Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice

Getting There
- From networks to the Internet
- Locating a place on the Internet
- Applications that let people use the Internet
Nassau Electronic Evidence Workshop, September 2009

to Get the Evidence
- What evidence does Internet use create?
- Where is this evidence located?
- How do we gather this evidence?

Getting There
- From networks to the Internet
- Locating a place on the Internet
- Applications that let people use the Internet

What is a network?

What is an inter-network?
[Diagram labels: Router, Node]

What Is the Internet?
[Diagram label: Network]

A Decentralized Network
- No center
- No one is in charge
- No one knows exactly where all the components are located

How do Internet hosts exchange data?
[Diagram labels: WEB PAGE, MOVIE, E-MAIL MESSAGE, VOICE, SOFTWARE, DATA PACKETS]

Exchanging Data
- Information to be sent to another Internet host is divided into small DATA PACKETS
- The data packets are sent over the network to the receiving host
- The receiving host assembles the data packets into the complete communication

Exchanging Data

Internet Protocol (IP) Packets
- SOURCE ADDRESS: 172.31.208.99
- DESTINATION ADDRESS: 213.160.116.205
- DATA BEING SENT: 0111001010101011 1011011000100101 0100...

Getting There
- From networks to the Internet
- Locating a place on the Internet
- Applications that let people use the Internet

IP Addresses
213.160.116.205

Assigning IP Addresses
- Public / Private
- Dynamic / Static
- Blocks of IP addresses registered to Internet service providers (ISP)

Assigning IP Addresses
[Diagram labels: Computer, Modem, Internet Service Provider, INTERNET, 149.101.1.120]
- 149.101.1.120 assigned to Harry at 2:30 PM

ISP Login Records
- The ISP-equivalent of telephone company records
- Records each time a user logs in (or tries and fails)
- Logs show
  - Start time
  - Session duration
  - Account identifier
  - Assigned IP address

The Traceback
- We know the IP address used by the suspect
- How do we find out who this person is?
[Diagram label: 149.101.1.120 ??]

Step 1: What ISP has that address?
- Use the IP whois service to find out what ISP owned that IP address.
[Diagram label: 149.101.1.120]

Step 2: What user had that address at that time?
- Subpoena the ISP to find out who had that address
- Specify at least the address and the time and date with time zone.
[Diagram label: Subpoena]
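Added example, not part of the original slides: a Python sketch of the Step 2 lookup against ISP login records, showing why the request must state the time zone. The record layout, the accounts other than the slides' Harry, the dates and the UTC offsets are constructed for illustration; 149.101.1.120 is the slides' example address.

```python
from datetime import datetime, timedelta, timezone

# Constructed ISP login records using the fields from the "ISP Login Records"
# slide (start time, session duration, account identifier, assigned IP).
# Assumption: this ISP logs start times in UTC. All values are made up.
LOGIN_RECORDS = [
    {"account": "harry", "ip": "149.101.1.120",
     "start": "2009-09-14T18:30:00+00:00", "minutes": 90},
    {"account": "sally", "ip": "149.101.1.120",
     "start": "2009-09-14T20:15:00+00:00", "minutes": 45},
    {"account": "george", "ip": "149.101.1.121",
     "start": "2009-09-14T18:00:00+00:00", "minutes": 240},
]


def to_utc(local_time, utc_offset_hours):
    """Convert an observed wall-clock time plus its UTC offset to UTC."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    naive = datetime.strptime(local_time, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def accounts_holding(ip, when_utc, records=LOGIN_RECORDS):
    """Accounts whose session on `ip` covers the instant `when_utc`."""
    hits = []
    for rec in records:
        start = datetime.fromisoformat(rec["start"])
        end = start + timedelta(minutes=rec["minutes"])
        if rec["ip"] == ip and start <= when_utc < end:
            hits.append(rec["account"])
    return hits


def who_had(ip, local_time, utc_offset_hours):
    """Answer Step 2 for one address and one observed local time."""
    return accounts_holding(ip, to_utc(local_time, utc_offset_hours))


if __name__ == "__main__":
    seen = "2009-09-14 14:30:00"  # 2:30 PM on the victim server's clock
    print(who_had("149.101.1.120", seen, -4))  # correct offset (UTC-4)
    print(who_had("149.101.1.120", seen, -6))  # wrong offset: other account
    print(who_had("149.101.1.120", seen, 0))   # offset omitted, read as UTC
```

With the correct offset the lookup returns harry; reading the same clock time with an offset that is two hours off returns sally, a different subscriber on the same dynamic address.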

Another Location Method: Prospective Evidence Gathering
- We know that our suspect was at a site and believe he'll return
- A pen/trap device installed at the site's server provides the suspect's IP address when he returns
[Diagram labels: Pen/Trap Order, INTERNET]

A Twist: The NAT
- Several computers share one IP address
- Outside world sees the same address regardless of which computer communicates
[Diagram labels: 10.232.33.8, 10.232.33.9, 10.232.33.10, NAT, 149.101.1.120, INTERNET]

Another Twist: The Proxy
- Laundering communications through someone else's IP address
- Outside world sees only the proxy's IP address
[Diagram label: PROXY]

Infamous Proxies
- America Online's proxy cache
- Proxy caches used by private companies
- Bots
- Anonymizers

Domain Names
- How humans handle IP addresses
- Every domain name has whois information
  - Owner, physical address, contact information
  - Almost always wrong if the domain name is registered by a criminal
- Assume nothing about geography
- thecommonwealth.org = 213.160.116.205

Domain Name Queries
- Who is thecommonwealth.org?
- 213.160.116.205
[Diagram labels: ISP, DOMAIN NAME SYSTEM]

Getting There
- From networks to the Internet
- Locating a place on the Internet
- Applications that let people use the Internet

How People Use the Internet
[Diagram labels: WEB PAGE, MOVIE, E-MAIL MESSAGE, VOICE, SOFTWARE, DATA PACKETS, APPLICATIONS]

Internet Use Applications
- E-mail
- Web browser
- Peer-to-peer (P2P)
- Instant messaging (IM)
- Internet relay chat (IRC)
- File transfer protocol (FTP)


E-Mail Basics
- E-mail travels from sender to recipient's host, where it resides on a MAIL SERVER until the recipient retrieves it
[Diagram labels: SENDER'S ISP, INTERNET, RECIPIENT'S ISP]

Evidence of Past Activity: Content
- Copies of a previously sent e-mail message may be stored on the
  - sender's system
  - recipient's mail server (even after addressee has read it)
  - recipient's own machine
[Diagram labels: SENDER'S ISP, INTERNET, RECIPIENT'S ISP]

Evidence of Past Activity: Traffic Data
- A record of the e-mail transmission (date, time, source, destination) usually resides in the MAIL LOGS of the
  - sender's system
  - recipient's mail server
[Diagram labels: SENDER'S ISP, INTERNET, RECIPIENT'S ISP]

Prospective Evidence: Content
- Interception, wiretap
- Creates a cloned account
[Diagram labels: SUBJECT'S COMPUTER, SUBJECT'S ISP, INTERNET, LAW ENFORCEMENT COMPUTER, Wiretap Order]

Prospective Evidence: Traffic Data
- Install a pen/trap at user's ISP to find out the e-mail addresses the user corresponds with
[Diagram labels: SUBJECT'S COMPUTER, SUBJECT'S ISP, INTERNET, LAW ENFORCEMENT, Pen/Trap Order]

Internet Use Applications
- E-mail
- Web browser
- Peer-to-peer (P2P)
- Instant messaging (IM)
- Internet relay chat (IRC)
- File transfer protocol (FTP)

What is a web site?
- Three components
  - Domain name (or other address)
  - A web hosting server
  - Files sitting on the web hosting server
[Example shown: eac.int]

A Twist: Virtual Hosting
- One server hosts hundreds of web sites
- All web sites share a single IP address
- Think carefully before you seize or search an entire server

Web Addresses
- Uniform Resource Locators (URL)
  - http://www.thecommonwealth.org/internal/163207/151537/148540/podcast/
  - http://www.eac.int/index.php/secretariat.html
[Labels on each URL: Computer, File]

Browsing the Web: Client-Server Interaction
- User types a URL or clicks on link
- User's computer looks up IP address
[Diagram labels: www.eac.int, 41.220.130.18, DOMAIN NAME SYSTEM, USER, ISP, INTERNET]

Browsing the Web: Client-Server Interaction
- User's CLIENT PROGRAM sends a request to the WEB SERVER at the specified IP address
- The web server transmits a copy of the requested document (the web page) to the user's computer
[Diagram labels: 41.220.130.18, USER, ISP, INTERNET, WEB SERVER]

Browsing the Web: Client-Server Interaction
- The client program displays the transmitted document on the user's screen

Evidence of Web Query: On User's Computer
- Cache directory
  - Copies of recently viewed web pages
- History file
  - List of recently visited pages
[Diagram labels: USER, ISP, INTERNET, WEB SERVER]

Evidence of Web Query: On Web Server
- Detailed logs of each request for any page
  - Date, time
  - Number of bytes
  - IP address of the system that requested the data
[Diagram labels: USER, ISP, INTERNET, WEB SERVER]

Example Web Server Log

    10.143.28.198 - - [11/Feb/2007:22:45:17-0500] "GET /tank.htm HTTP/1.1" 401 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
    10.143.28.198 - visitor [11/Feb/2007:22:45:23-0500] "GET /images/lolita.png" 200 3788 "http://www.eruditorium.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
    10.143.28.198 - visitor [11/Feb/2007:22:46:11-0500] "POST /dynamic/ HTTP/1.1" 200 413 "http://www.eruditorium.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
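Added example, not part of the original slides: a Python sketch that reads web server log lines of the kind shown above and produces, per source address, the UTC time window to put in a traceback request, flagging private addresses (such as the 10.x addresses on the NAT slide) that IP whois cannot attribute to an ISP. The sample lines, request paths and user-agent string are constructed; the code assumes Apache "combined" format with a space before the UTC offset and numeric client addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample lines in Apache "combined" format (not from a real server).
SAMPLE_LOG = '''\
149.101.1.120 - - [11/Feb/2007:22:45:17 -0500] "GET /index.htm HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"
149.101.1.120 - visitor [11/Feb/2007:22:46:11 -0500] "POST /dynamic/ HTTP/1.1" 200 413 "-" "ExampleBrowser/1.0"
10.232.33.9 - - [11/Feb/2007:23:01:02 -0500] "GET /index.htm HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"
this line is damaged and will not parse
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %z keeps the server's UTC offset, so the instant is unambiguous.
    local = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["utc"] = local.astimezone(timezone.utc)
    return rec

def traceback_items(log_text):
    """Per source address: UTC window, request count, private-address flag."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[rec["ip"]].append(rec["utc"])
    return {
        ip: {
            "first_utc": min(times).isoformat(),
            "last_utc": max(times).isoformat(),
            "requests": len(times),
            # Private (RFC 1918) sources sit behind a NAT or internal proxy.
            "private": ip_address(ip).is_private,
        }
        for ip, times in seen.items()
    }

if __name__ == "__main__":
    print(traceback_items(SAMPLE_LOG))
```

A source flagged as private has to be resolved from the logs of the NAT or proxy in front of the server, not from the ISP.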

See a theme?
- To do anything on the Internet, a computer communicates with another computer using an IP address
- Hopefully, that other computer will log what the suspect has done
- With that in mind

Other Internet Use Applications
- Peer-to-peer (P2P)
- Instant messaging (IM)
- Internet relay chat (IRC)
- File transfer protocol (FTP)

In Closing
- The Internet is a packet-switched network
- Systems keep many records about their interactions with the rest of the network
- Those records often help us locate and identify criminal actors, or at least to bolster the other evidence against them

Al Rees, Trial Attorney
albert.rees@usdoj.gov
(202) 514-1026