Digital Forensics Lecture 7 Network Analysis
This Week's Presentations
- Johnathan Ammons: Web Analysis
- Kelcey Tietjen: Wireless Network Traffic
- David Burton: Collection and Analysis of Network Traffic
- David Burton: Network Devices: Routers, Switches, (EC)
Week after Next: Presentations
- Maggie Castillo: Cell Phones
- Jim Curry: PDAs
- Ryan Ware: Investigation of Non-traditional Equipment: Autos, Washers, ...
- Nicholas Gallegos: MP3 Players
- Barry Gavrich: Flash Media (EC)
- Ron Prine: Digital Cameras
Next Week: Midterm Exam
Lecture Overview
- The investigation process: Legal/Policy, Preparation, Collection, Analysis, Findings/Evidence, Reporting/Action
- Investigative Goals
- Investigation Centric Analysis
- Data Centric Analysis
- General Tools and Methods
Module 1: First Steps
Goals
- Collect evidence
- Identify:
  - Scope of activity
  - Other parties involved
- Support or refute the allegation
- Establish a timeline
- Ensure compliance
Types of Network-Based Evidence
- Full content data: every bit on the wire (in the telephone analogy, every sound of the call); needs lots of disk space
- Session data: only the addresses, the analogue of the phone numbers from a pen register / trap and trace
- Alert data: produced only when something triggers on a keyword, address, service or event
- Statistical data: the whole picture; causal relationships and patterns
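The four types are not independent sources: session, alert and statistical data can all be derived from a full-content capture, and the distinction is what you keep. The following is an added example (not from the lecture) that derives each type from a constructed list of packet records; the addresses, payloads and keyword list are illustrative, and a real tool would read the packets from a capture file instead.

```python
"""Deriving session, alert and statistical data from full-content packets.

Added example, not from the lecture slides.  The packet list is constructed
for illustration (the addresses and payloads are not real traffic); a real
tool would read packets from a capture file instead.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # capture timestamp, seconds
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    length: int        # bytes on the wire
    payload: bytes = b""


@dataclass
class Session:
    key: tuple         # (proto, (ip, port), (ip, port)) with endpoints sorted
    first_ts: float
    last_ts: float
    packets: int = 0
    byte_count: int = 0


# Constructed sample capture: a DNS lookup, one HTTP conversation and the
# start of an SSH connection.
SAMPLE_PACKETS = [
    Packet(1000.0, "10.0.0.5", "10.0.0.53", "udp", 51000, 53, 70, b"\x12\x34\x01\x00"),
    Packet(1000.1, "10.0.0.53", "10.0.0.5", "udp", 53, 51000, 120, b"\x12\x34\x81\x80"),
    Packet(1001.0, "10.0.0.5", "93.184.216.34", "tcp", 40000, 80, 74),
    Packet(1001.2, "93.184.216.34", "10.0.0.5", "tcp", 80, 40000, 74),
    Packet(1001.3, "10.0.0.5", "93.184.216.34", "tcp", 40000, 80, 300, b"GET / HTTP/1.1\r\n"),
    Packet(1001.5, "93.184.216.34", "10.0.0.5", "tcp", 80, 40000, 1500, b"HTTP/1.1 200 OK\r\n"),
    Packet(1030.0, "10.0.0.7", "10.0.0.20", "tcp", 50000, 22, 74),
    Packet(1030.1, "10.0.0.20", "10.0.0.7", "tcp", 22, 50000, 74),
]


def session_key(p):
    """Bidirectional key: both directions of a conversation map to one session."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, lo, hi)


def build_sessions(packets):
    """Session data: who talked to whom, when and how much; payload is dropped."""
    sessions = {}
    for p in sorted(packets, key=lambda x: x.ts):
        k = session_key(p)
        s = sessions.get(k)
        if s is None:
            s = sessions[k] = Session(k, p.ts, p.ts)
        s.last_ts = p.ts
        s.packets += 1
        s.byte_count += p.length
    return sessions


def alert_data(packets, keywords=(b"GET /", b"/etc/passwd")):
    """Alert data: only the packets whose payload triggered a keyword match."""
    hits = []
    for p in packets:
        for kw in keywords:
            if kw in p.payload:
                hits.append((p.ts, p.src, p.dst, kw.decode()))
    return hits


def statistics(packets, sessions):
    """Statistical data: service mix and bytes sent per host."""
    by_service = defaultdict(int)
    for s in sessions.values():
        proto, lo, hi = s.key
        by_service[(proto, min(lo[1], hi[1]))] += 1   # lower port taken as the service port
    bytes_by_src = defaultdict(int)
    for p in packets:
        bytes_by_src[p.src] += p.length
    return {"sessions_by_service": dict(by_service), "bytes_by_src": dict(bytes_by_src)}


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_PACKETS)
    for s in sessions.values():
        print(s.key, s.packets, "pkts", s.byte_count, "bytes",
              f"{s.last_ts - s.first_ts:.1f}s")
    print(alert_data(SAMPLE_PACKETS))
    print(statistics(SAMPLE_PACKETS, sessions))
```

Note what each reduction throws away: the session table cannot tell you what was requested, and the alert list cannot tell you what happened between alerts, which is why the collection decision (what to keep) has to be made from the investigative goal rather than from disk space alone.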
Characteristics of Network Data
- Ephemeral
- Found in many locations: computer systems, network components
- Can be large in size
- Might be encrypted
- Could be fragmented
Tying it Together
- Role is a key factor in all decisions
- Goals determine the type of collection
- The type of collection determines the tools
Module 2: Setup
Consider a network diagram to show:
- Route diversity
- Switched networks
- Convergence
- Wireless (the hidden node problem)
Difficulties resulting from this:
- Incomplete observation
- Difficulty collecting on a network that's not well prepared
- Need for well-trained investigators
- Large volumes of data
System Tools
- Used for after-incident collection
- Volatile data on a running system
- Placed prior to need
- How do you trust the data collected?
Network Tools
- Part of the infrastructure: routers, switches, hubs, access points (packet capture, SNMP, other)
- Additional taps: workstations, sniffers (packet capture, IDSs, other)
Module 3: Investigation Centric Analysis
Roles
- User: owner of a personal system
- Corporation or organization: company, service provider
- Local investigators
- Federal investigators
- International investigators
Role-Based Motivation
- Private owner: maintain system security (see Title 18, U.S.C.)
- Corporation: maintain system security and ensure operational continuity; investigate system misuse; identify and manage compromise
- Various investigative authorities: investigate computer-related criminal activity (fraud, theft, damage, use of IT in other crimes, etc.); investigate other criminal activity (murder, kidnapping, fraud, etc.); counter-terrorism
Approach
- Identify communicating parties
- Geo-locate the source/destination
- Help provide individual attribution
- Determine the intent/nature of suspected communications
- Capture and provide evidence of crime
- Identify social networks
- Others?
Processes
- Store and post-analyze vs. real-time analysis
- Implement a corporate framework
- Court order to wiretap
- Others?
Analysis Techniques
- Log analysis: network device logs, computer network logs
- Statistics: protocol, conversations, time of day, flow size, number of connections
- Signatures: well-known crime patterns
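The statistical and signature techniques above are mechanical once you have session records. The following is an added example (not from the lecture) that runs each of them over a constructed flow log: protocol mix, conversations ranked by bytes, time-of-day distribution, flow-size outliers, connection counts per source, and two simple signature rules (a fan-out from one source to many hosts on one port, and a single very large transfer). The CSV layout, the addresses and the thresholds are assumptions made for the sample, not a standard format.

```python
"""Statistical and signature analysis over session (flow) records.

Added example, not from the lecture slides.  The flow log below is
constructed in a simple CSV form (start time as UTC epoch seconds, source,
destination, protocol, destination port, bytes).  The field layout and the
two signature thresholds are illustrative assumptions, not a standard.
"""
import csv
import statistics as stats
from collections import Counter, defaultdict
from datetime import datetime, timezone
from io import StringIO

FLOW_LOG = """\
ts,src,dst,proto,dport,bytes
1700000000,10.0.0.5,93.184.216.34,tcp,443,5200
1700000060,10.0.0.5,93.184.216.34,tcp,443,4100
1700000120,10.0.0.9,10.0.0.20,tcp,22,900
1700010800,10.0.0.9,10.0.0.21,tcp,22,900
1700010801,10.0.0.9,10.0.0.22,tcp,22,60
1700010802,10.0.0.9,10.0.0.23,tcp,22,60
1700010803,10.0.0.9,10.0.0.24,tcp,22,60
1700010804,10.0.0.9,10.0.0.25,tcp,22,60
1700020000,10.0.0.5,10.0.0.53,udp,53,140
1700020000,10.0.0.5,198.51.100.7,tcp,21,18500000
"""


def parse_flows(text):
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({"ts": int(r["ts"]), "src": r["src"], "dst": r["dst"],
                     "proto": r["proto"], "dport": int(r["dport"]),
                     "bytes": int(r["bytes"])})
    return rows


def protocol_mix(flows):
    """Flows per (protocol, destination port)."""
    return Counter((f["proto"], f["dport"]) for f in flows)


def conversations(flows):
    """Bytes per (src, dst) pair, heaviest first."""
    total = defaultdict(int)
    for f in flows:
        total[(f["src"], f["dst"])] += f["bytes"]
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)


def time_of_day(flows):
    """Flows per UTC hour; a shift away from the usual hours is itself a lead."""
    return Counter(datetime.fromtimestamp(f["ts"], tz=timezone.utc).hour for f in flows)


def flow_size_outliers(flows, factor=100):
    """Flows far larger than the median flow (bulk-transfer candidates)."""
    median = stats.median(f["bytes"] for f in flows)
    return [f for f in flows if f["bytes"] > factor * median]


def connections_per_source(flows):
    """(flow count, distinct destinations) per source address."""
    count = Counter(f["src"] for f in flows)
    dsts = defaultdict(set)
    for f in flows:
        dsts[f["src"]].add(f["dst"])
    return {src: (count[src], len(dsts[src])) for src in count}


def signatures(flows, fanout=5, big=10_000_000):
    """Two signature-style rules (thresholds are assumptions): one source
    reaching many hosts on the same port, and a very large single flow."""
    hits = []
    per_port = defaultdict(set)
    for f in flows:
        per_port[(f["src"], f["proto"], f["dport"])].add(f["dst"])
    for (src, proto, dport), dsts in per_port.items():
        if len(dsts) >= fanout:
            hits.append(("fanout", src, f"{len(dsts)} hosts on {proto}/{dport}"))
    for f in flows:
        if f["bytes"] >= big:
            hits.append(("large-transfer", f["src"],
                         f"{f['bytes']} bytes to {f['dst']}:{f['dport']}"))
    return hits


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print(protocol_mix(flows))
    print(conversations(flows)[:3])
    print(sorted(time_of_day(flows).items()))
    print(flow_size_outliers(flows))
    print(connections_per_source(flows))
    print(signatures(flows))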
Module 4: Data Centric Analysis
Tools for Collection
- Packet capture and interpretation: ethereal (now Wireshark), tcpdump, windump
- Limitations, for example stream reassembly
- Statistical tools
Tools for Analysis
- tcptrace: identify sessions
- snort: event scanner
- tcpflow: reassembling sessions
- ethereal: jack of all trades
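Stream reassembly is listed as a limitation of packet capture and as the job of tcpflow because a request that spans several segments is not readable from any single packet, and segments arrive out of order, get retransmitted, and can overlap. The following is an added example (not from the lecture and not tcpflow's code) that reassembles one direction of a TCP conversation from constructed (sequence number, payload) pairs taken in capture order. It handles sequence-number wrap, reports gaps, and exposes the overlap question explicitly: when a retransmitted segment carries different bytes, which copy the monitored host actually processed depends on that host's TCP stack, and a reassembler that silently picks one policy can show the analyst a request the server never saw.

```python
"""TCP stream reassembly from captured segments.

Added example, not from the lecture slides and not tcpflow's code.  It
reassembles one direction of a TCP conversation from (sequence number,
payload) pairs taken in capture order; the segments below are constructed.
"""
ISN = 0xFFFFFFF0  # initial sequence number chosen close to 2^32 so the stream wraps

# Constructed capture of one HTTP request, split across three segments that
# arrive out of order, plus a retransmission of bytes 4..15 carrying
# different content (an overlap).  Sequence numbers are absolute.
SEGMENTS = [
    (10,      b"Host: example.test\r\n\r\n"),   # offset 26 (seq wrapped past 2^32)
    (ISN,     b"GET /index.html "),             # offset 0
    (ISN + 4, b"/admin.html "),                 # offset 4, overlaps the segment above
    (0,       b"HTTP/1.1\r\n"),                 # offset 16
]


def reassemble(isn, segments, policy="first"):
    """Return (stream, gaps).  Bytes never seen are zero-filled and reported
    in gaps as (start, end) offsets.  policy selects which copy wins when
    segments overlap: "first" keeps the first captured byte, "last" the last.
    Real TCP stacks differ on this, so an analyst must know which the
    monitored host applies."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    data = {}
    for seq, payload in segments:
        off = (seq - isn) & 0xFFFFFFFF          # relative offset, correct across wrap
        for i, b in enumerate(payload):
            pos = off + i
            if policy == "first" and pos in data:
                continue
            data[pos] = b
    end = max(data) + 1 if data else 0
    stream, gaps, pos = bytearray(), [], 0
    while pos < end:
        if pos in data:
            stream.append(data[pos])
            pos += 1
        else:
            start = pos
            while pos < end and pos not in data:
                pos += 1
            gaps.append((start, pos))
            stream.extend(b"\x00" * (pos - start))
    return bytes(stream), gaps


def request_line(stream):
    """First line of the reassembled stream: not readable from any single packet."""
    return stream.split(b"\r\n", 1)[0].decode("ascii", "replace")


if __name__ == "__main__":
    for policy in ("first", "last"):
        stream, gaps = reassemble(ISN, SEGMENTS, policy)
        print(policy, "->", request_line(stream), gaps)
    # Drop the segment at sequence 0 to show how a lost packet is reported.
    stream, gaps = reassemble(ISN, [s for s in SEGMENTS if s[0] != 0])
    print("lost segment ->", stream[:16], gaps)
```

The byte-per-dictionary-entry store is deliberately simple so the overlap policy is obvious; a production reassembler keeps interval lists instead, but must answer the same question.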
Network Equipment
- Routers
- Switches
- SNMP-enabled devices
- Firewalls
- DHCP servers
- IDS sensors
- Proxy servers
Routers/Switches
- Caches (live analysis): ARP, route tables
- Logs
- Previously set up for capture
Network Computer Information
- Similar to the network device commands, from the computer's point of view
- Corresponding connections to network devices
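The computer-side view (its connection table and neighbour cache) and the device-side view (the switch's MAC address table) only become useful together: the host tells you which peer addresses it was talking to, the ARP cache tells you which MAC answered for each on-subnet peer, and the switch table tells you which physical port that MAC was learned on. The following is an added example (not from the lecture) that joins these three constructed inputs; the first two imitate `ss -tn` and `ip neigh` output, the switch table stands in for a `show mac address-table` listing, and the subnet and gateway are assumptions for the sample. Off-subnet peers resolve to the gateway's port, and a peer with no resolved ARP entry is reported as unresolved rather than guessed.

```python
"""Correlating a host's connection table with its neighbour (ARP) cache and a
switch MAC address table to locate each peer physically.

Added example, not from the lecture slides.  All three inputs are
constructed: the first two imitate 'ss -tn' and 'ip neigh' output; the
switch table stands in for a 'show mac address-table' listing.  The subnet
and gateway are assumptions made for the sample.
"""
import ipaddress
import re

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.0.0.5:22         10.0.0.20:51234
ESTAB  0      0      10.0.0.5:44310      93.184.216.34:443
ESTAB  0      0      10.0.0.5:22         10.0.0.77:60002
"""

IP_NEIGH_OUTPUT = """\
10.0.0.20 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.1 dev eth0 lladdr 00:aa:bb:cc:dd:01 REACHABLE
10.0.0.77 dev eth0  FAILED
"""

# MAC -> switch port, as read from the access switch (constructed).
SWITCH_MAC_TABLE = {"00:11:22:33:44:55": "Gi1/0/7", "00:aa:bb:cc:dd:01": "Gi1/0/48"}
LOCAL_SUBNET = ipaddress.ip_network("10.0.0.0/24")   # assumption for the sample
GATEWAY = "10.0.0.1"                                  # assumption for the sample


def parse_ss(text):
    """Peer (ip, port) for every connection line of 'ss -tn' style output."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        ip, port = fields[4].rsplit(":", 1)
        peers.append((ip, int(port)))
    return peers


NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+)")


def parse_neigh(text):
    """ip -> mac for resolved entries; FAILED/INCOMPLETE lines carry no lladdr."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def locate_peers(ss_text, neigh_text, switch_table,
                 subnet=LOCAL_SUBNET, gateway=GATEWAY):
    """For each peer: whether it is on the local segment, which MAC answers
    for it, and which switch port that MAC was learned on."""
    neigh = parse_neigh(neigh_text)
    result = {}
    for ip, _port in parse_ss(ss_text):
        if ipaddress.ip_address(ip) in subnet:
            via, mac = "direct", neigh.get(ip)        # None: unresolved, needs a capture
        else:
            via, mac = "gateway", neigh.get(gateway)  # off-net peers sit behind the gateway
        result[ip] = {"via": via, "mac": mac, "port": switch_table.get(mac)}
    return result


if __name__ == "__main__":
    for ip, info in locate_peers(SS_OUTPUT, IP_NEIGH_OUTPUT, SWITCH_MAC_TABLE).items():
        print(f"{ip:16} via {info['via']:8} mac {info['mac']} port {info['port']}")
```

The unresolved case (10.0.0.77 in the sample) is the one to chase: the host has an established connection but no usable ARP entry for the peer, so the MAC has to come from the switch table or a capture on the segment rather than from the host.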
Module 5: Future Needs
Gaps
- What are the features that each role would enjoy having?
  - Home user
  - Parent
  - Corporate IT investigator
  - Criminal investigator
  - Counter-terrorism authority
More Gaps
- What are the difficult problems? E.g., observation, interpretation, large-data analysis, etc.
More Gaps
- Balancing privacy with security
- Data collection on switched or multi-path networks
- Volume of data to be collected
- Analysis techniques
Questions? After all, you are an investigator