Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition Chapter 2 Investigating Network Traffic
Objectives After completing this chapter, you should be able to: Understand network protocols Understand the physical and data link layers of the OSI model Understand the network and transport layers of the OSI model Describe types of network attacks Understand the reasons for investigating network traffic 2
Objectives After completing this chapter, you should be able to (cont d): Perform evidence gathering via sniffing Describe the tools used in investigating network traffic Document the evidence gathered on a network Reconstruct evidence for an investigation 3
Introduction to Investigating Network This chapter: Traffic Begins by explaining some basic networking concepts Discusses ways that an intruder can attack a network Covers how an investigator can gather evidence from different parts of the network and what tools an investigator can use to gather evidence 4
Network Addressing Scheme Two methods of network addressing: LAN addressing Internetwork addressing 5
LAN Addressing Local area network (LAN) Set of hosts in a relatively contiguous area, allowing for data transfer among hosts on the same network Each node in the LAN has a unique MAC (media access control) address assigned to the NIC MAC address: a unique 48-bit serial number assigned to each NIC, providing a physical address to the host machine Network interface card (NIC) Piece of hardware used to provide an interface between a host machine and a computer network 6
LAN Addressing Types of MAC addresses: Static Configurable Dynamic Packets are either addressed to one node or, in the case of broadcasting, to all the nodes in the LAN Broadcasting is often used to discover the services or devices on the network 7
Internetwork Addressing Used in a network where a number of LANs or other networks are connected with the help of routers Each network in this Internetwork has a unique network ID or network address known as the host address or node ID Routers use these addresses when data packets are transmitted from a source to its target Internetwork address is a combination of both a network address and host address 8
OSI Reference Model OSI model consists of seven layers The OSI reference model is based on the following principles: Every layer has a fully defined function The boundaries of the layers have been designed to reduce the flow of information in the interface When an additional level of abstraction is required, then a layer is created Each layer contains the functions of the international standardized protocol 9
OSI Reference Model Figure 2-1 The OSI protocol stack consists of seven layers 10
Overview of Network Protocols In the seven layers of the OSI model, protocols exist in only six layers The physical layer contains no network protocols 11
Data Link Layer Main protocols include: Point-to-Point Protocol (PPP) Serial Line Internet Protocol (SLIP) Address Resolution Protocol (ARP) 12
Network Layer Main protocols include: RARP (Reverse Address Resolution Protocol) ICMP (Internet Control Message Protocol) IGMP (Internet Group Management Protocol) IP (Internet Protocol) 13
Transport Layer Main protocols include: UDP (User Datagram Protocol) TCP (Transmission Control Protocol) 14
Session Layer, Presentation Layer, and Application Layer Main protocols include: HTTP (Hypertext Transfer Protocol) SMTP (Simple Mail Transfer Protocol) NNTP (Network News Transfer Protocol) Telnet FTP (File Transfer Protocol) SNMP (Simple Network Management Protocol) TFTP (Trivial File Transfer Protocol) 15
Session Layer, Presentation Layer, and Application Layer Figure 2-2 Different protocols are used in different layers in the TCP/IP model 16
Overview of Physical and Data Link Physical layer Layers of the OSI Model Transmits raw bits over a communication channel Design must ensure that when one side sends a 1 bit, the other side should receive that bit as a 1 bit Deals with the mechanical, electrical, and procedural interfaces, and the physical transmission medium Data link layer Breaks the raw transmission bits into data frames Sequentially broadcasts the frames Creates and recognizes frame boundaries 17
Overview of Network and Transport Network layer Layers of the OSI Model Takes care of the delivery of data packets from the source to the destination Provides the logical address of the sender and receiver in the header of the data packet Checks the integrity of the transferred data Transport layer Takes care of the entire message that is transferred from the source to the destination Takes care of error correction and flow control of the message 18
Types of Network Attacks Main categories of attacks launched against networks: IP spoofing Router attacks Eavesdropping Denial of service Man-in-the-middle attack Sniffing Data modification 19
Why Investigate Network Traffic? Reasons investigators analyze network traffic include: Locate suspicious network traffic Know which network is generating the troublesome traffic and where the traffic is being transmitted to or received from Identify network problems 20
Evidence Gathering at the Physical Layer A computer connected to a LAN has two addresses: MAC address IP address Two basic types of Ethernet environments: Shared Ethernet Switched Ethernet 21
Shared Ethernet Every machine receives packets that are meant for one machine Sniffer ignores this rule and accepts all frames by putting the NIC into promiscuous mode Promiscuous mode Mode of a network interface card in which the card passes all network traffic it receives to the host computer, rather than only the traffic specifically addressed to it Passive sniffing is possible in a shared Ethernet environment, but it is difficult to detect 22
Switched Ethernet Hosts are connected to a switch Switch does not broadcast to all computers Sends the packets to the appropriate destination Sniffing by putting the NIC into promiscuous mode does not work in this type of environment SPAN (Switched Port Analyzer) port Port that is configured to receive all the packets sent by any source port Special switches are available that can be configured to allow sniffing at the switch that can even capture local traffic 23
DNS Poisoning Techniques DNS (Domain Name Service) Service that translates domain names into IP addresses DNS poisoning Process in which an attacker provides fake data to a DNS server for the purpose of misdirecting users Types of DNS poisoning: Intranet DNS spoofing (local network) Internet DNS spoofing (remote network) Proxy server DNS poisoning DNS cache poisoning 24
Intranet DNS Spoofing (Local Network) Figure 2-3 An attacker must be connected to the LAN to perform intranet DNS spoofing 25
Internet DNS Spoofing (Remote Network) Figure 2-4 An attacker uses a Trojan to perform Internet DNS spoofing 26
Proxy Server DNS Poisoning Figure 2-5 An attacker uses a Trojan to change the proxy server settings on a machine during a proxy server DNS poisoning attack 27
DNS Cache Poisoning Attacker exploits a flaw in the DNS server software that can make it accept incorrect information If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source Server will end up caching the incorrect entries locally and serve them to users that make the same request 28
Evidence Gathering from ARP Table Figure 2-6 The arp -a command displays the ARP table in Windows 29
Evidence Gathering at the Data Link Layer: DHCP Database DHCP database provides a means of determining the MAC address associated with the computer in custody Database helps DHCP conclude the MAC address in case DHCP is unable to maintain a permanent log of requests DHCP server maintains a list of recent queries along with the MAC address and IP address Database can be queried by giving the time duration during which the given IP address accessed the server 30
Gathering Evidence from an IDS Administrator can configure an intrusion detection system (IDS) to capture network traffic when an alert is generated This data is not a sufficient source of evidence because there is no way to perform integrity checks on the log files Preserving digital evidence is difficult Investigators can record examination results from networking through a serial cable and software Such as the Windows HyperTerminal program or a script on UNIX 31
Tool: Tcpdump Powerful tool that extracts network packets and performs statistical analysis on those dumps Operates by putting the network card into promiscuous mode Tcpdump report consists of the following: Captured packet count Received packet count Count of packets dropped by kernel Supported by various platforms 32
Tool: WinDump Port of Tcpdump for the Windows platform WinDump is fully compatible with Tcpdump Can be used to watch and diagnose network traffic according to various complex rules WinDump is simple to use and works at the command-line level With the command: windump n S vv The n option tells WinDump to display IP addresses instead of computer names 33
Tool: Wireshark Formerly known as Ethereal GUI-based network protocol analyzer Lets the user interactively browse packet data from a live network or from a previously saved capture file Wireshark s native capture file format is the libpcap format Also the format used by Tcpdump and various other tools 34
Tool: Wireshark Figure 2-7 Wireshark can show information about all captured packets 35
Tool: CommView A network monitor and analysis tool Provides a complete picture of the traffic flowing through a PC or LAN segment Captures every packet on the wire and displays information and vital statistics about the captured packets Users can examine, save, filter, import, and export captured packets Includes an add-on called the Remote Agent Allows users to capture network traffic on any computer where Remote Agent is running 36
Tool: HTTP Sniffer An HTTP packet sniffer, protocol analyzer, and file reassembly tool for Windows Captures IP packets containing HTTP messages Rebuilds the HTTP sessions and reassembles files sent through HTTP Features: Powerful HTTP file rebuilder Multiple file-type support Powerful packet-capturing filter Customized logging 37
Tool: EtherDetect Packet Sniffer A connection-oriented packet sniffer and network protocol analyzer A user can: Capture full packets Organize packets by TCP connections or UDP threads Passively monitor the network View packets in hex format 38
Tool: OmniPeek A network analysis tool used to quickly analyze and troubleshoot network problems at the enterprise level Some features include the ability to: Analyze traffic from any local network segment Drill down to see which network nodes are communicating, which protocols are being transmitted, and which traffic characteristics are affecting network performance Change filters on the fly View packet-stream-based analytics 39
Tool: OmniPeek Figure 2-8 OmniPeek provides different views of captured packets 40
Tool: Iris Network Traffic Analyzer Provides network traffic analysis and reporting functionality Captures network traffic and can automatically reassemble it to its native format Investigator can configure it to capture only specific data through any combination of packet filters 41
Tool: SmartSniff Provides ability to view captured TCP/IP packets as sequences of conversations between clients and servers Some features include: Color coding of local and remote traffic Exporting to HTML and other formats A basic, but very small and standalone, protocol analyzer 42
Tool: NetSetMan A network settings manager that allows a user to easily switch between six different network settings profiles that include the following: IP address Subnet mask Default gateway Preferred and alternate DNS servers Computer name Workgroup DNS domain and more 43
Tool: Distinct Network Monitor Displays live network traffic statistics Includes a scheduler that allows an administrator to run a scheduled collection of network traffic statistics or packet captures Some features include: A drill-down capability showing all the local hardware addresses that have generated the packets Reporting feature allows a user to create statistics reports in HTML and CSV formats Can discover which ports on a system are open 44
Tools More tools include: EtherApe Colasoft Capsa Network Analyzer AnalogX PacketMon IE HTTP Analyzer EtherScan Analyzer Sniphere AWRC Pro (Atelier Web Remote Commander Pro) IPgrab GPRS Network Sniffer 45
Tools More tools include (cont d): Siemens Monitoring Center RSA NetWitness NetResident InfinitiStream etrust Network Forensics Paraben P2C4 46
Tool: Snort Intrusion Detection System Snort features include: Detects threats based on pattern matching Uses syslog, SMB messages, or a file to alert an administrator Develops new rules quickly once the pattern (attack signature) is known for a vulnerability Records packets from the offending IP address in a hierarchical directory structure Records the presence of traffic that should not be found on the network 47
Snort Rules There are a number of rules that Snort allows a user to write Each Snort rules must describe the following: Any violation of the security policy of the company that might be a threat to the security of the company s network and other valuable information All the well-known and common attempts to exploit the vulnerabilities in the company s network The conditions in which a user thinks that the identity of a network packet is not authentic 48
Snort Rules Figure 2-10 Snort is a powerful IDS that allows users to write new rules 49
Tool: IDS Policy Manager Manages Snort IDS sensors in a distributed environment Features include: Ability to update rules via the Web Can manage multiple sensors with multiple policy files Can upload policy files via SFTP and FTP Supports external rule set for BleedingSnort and Snort Community rules Can learn details about a signature 50
Documenting the Evidence Gathered on a Network Documenting the evidence gathered on a network is easy if the network logs are small, as a printout can be taken and tested Documenting digital evidence on a network becomes more complex when the evidence is gathered from systems that are in remote locations Because of the unavailability of date and time stamps of the related files For documentation and integrity of the document, it is advisable to follow a standard methodology 51
Evidence Reconstruction for Investigation Gathering evidence on a network is cumbersome for the following reasons: Evidence is not static and not concentrated at a single point on the network Variety of the evidence-gathering process more difficult hardware and software found on the network makes 52
Evidence Reconstruction for Investigation Three fundamentals of reconstruction for investigating a crime: Temporal analysis Relational analysis Functional analysis 53
Summary There are two types of network addressing schemes: LAN addressing and Internetwork addressing Sniffing tools are software or hardware that can intercept and log traffic passing over a digital network or part of a network The ARP table of a router comes in handy for investigating network attacks, as the table contains IP addresses associated with the respective MAC addresses 54
Summary The DHCP server maintains a list of recent queries, along with the MAC address and IP address An administrator can configure an IDS to capture network traffic when an alert is generated 55