Case study ann
This presentation is the property of its rightful owner.
Sponsored Links
1 / 27

Case study : Ann PowerPoint PPT Presentation


  • 142 Views
  • Uploaded on
  • Presentation posted in: General

Case study : Ann. Section 3.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE. Scenario: Ann’s Bad AIM.

Download Presentation

Case study : Ann

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Case study ann

Case study : Ann

Section 3.1

Network Forensics

TRACKING HACKERS THROUGH CYBERSPACE


Scenario ann s bad aim

Scenario: Ann’s Bad AIM

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

http://forensicscontest.com/2009/09/25/puzzle-1-anns-bad-aim


Mission

Mission

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

1. What is the name of Ann’s IM buddy?2. What was the first comment in the captured IM conversation?3. What is the name of the file Ann transferred?4. What is the magic number of the file you want to extract (first four bytes)?5. What was the MD5sum of the file?6. What is the secret recipe?


What protocol is being used

What protocol is being used?

  • Remember that the count byte offset is 0.

  • Look for bits that are commonly associated with a protocol.

    • Example: 0x0045 -> beginning of an IPv4 packet

  • Tcpdump from Ann’s Bad AIM packet capture


Wireshark tcp

Wireshark - TCP

  • IP protocol details displayed within Wireshark. Notice that the IP packet contains information about the encapsulated protocol (in this case, 0x06, or TCP). Pg 85


Tcp udp port numbers

TCp / udp port numbers

  • http://www.iana.org/assignments/port-numbers

  • /etc/services

    • Example chunk of file:


Udp port association

UDP port association

  • “UDP Protocol Details displayed within Wireshark. Notice that Wiresharkautomatically associates the UDP port, 123, with its IANA-assigned default service, NTP.” Pg 86


Wireshark is not always correct

Wireshark is not always correct

  • “TCP packet details displayed within Wireshark. Notice that Wireshark automatically associates TCP port 443 with its IANA-assigned default service, HTTPS. However, this interpretation is INCORRECT (as evidenced by the fact that the packet contents are not encrypted, and no protocol details are displayed under the heading “Secure Socket Layer”).” Pg. 87


Find out about the mystery ip

Find out about the mystery ip

  • A simple whois lookup can provide a lot of information. Below is only a snippet of the data provided about IP address 64.12.24.50


Make a reasonable hypothesis

Make a reasonable hypothesis

  • Facts:

    • AOL provides services including: HTTP and instant messaging

    • Packet 112 source is port 5190, which Wireshark associates with AOL

    • Packet begins with 0x4F465432, or “OFT2” in ASCII which matches OSCAR protocol


Oscar protocol

OSCAR Protocol

  • Byte 6 and 7 indicate type

    • 0x0101 of packet 112 specifies the “Prompt” value

      • Sender is ready to transmit file


Protocol decoding

Protocol decoding

  • Message becomes clear when the protocol is decoded


Exporting fields

Exporting fields

  • Easy to do in Wireshark – File > “Export Selected Packet Bytes”

    • Saves contents of selected fields for further study

  • Tshark will print out any or all fields defined within the protocol

    • Examples of command line instructions

      • $ tshark -r evidence.pcap -X lua_script:oft -tsk.lua -R "oft" -n -R frame.

        number ==112 -V

      • $ tshark -r evidence01.pcap -X lua_script:oft -tsk.lua -R "oft" -n -R frame.

        number ==112 -T pdml


Packet analysis

Packet analysis

  • Dirty word search using ngrep


Parsing protocol fields

Parsing Protocol fields

  • Use tshark to extract all of the AIM message data from the package capture


Packet filtering

Packet filtering

  • Filtering with BPF

  • Resulting file


Find the file transfer

Find the file transfer

  • Use Wireshark display filters to search for channel 2 ICBM packet sent to AOL server


Flow analysis

Flow analysis

  • List conversations

  • List TCP flow


Export tcp flow

Export TCP flow

  • Once you have identified the flow most likely to contain the file, export it using a BPF filter

  • Tcpflow will automatically extract flows, also using BPF filter

  • Notice that tcpflow extracted two half-duplex flows


Export tcp flow continued

Export tcp flow continued

  • Manually export using Wireshark

    • Warning! Does not scale well, not good for large projects!

    • Select Frame #109 > Right click > click on “Follow TCP Stream”

    • Save in raw format


File and data carving

File and data carving

  • Open full duplex saved dump file in hex editor

    • First 4 bytes are “OFT2”

    • Bytes 6-7 (Type) are 0x0101

    • Bytes 28 – 31 (Total Size) are 0x00002EE8

      • 12,008 bytes

    • File name begins at Byte 192 0xc0

      • Padded with null to 64 bytes

    • Byte 256 new header

      • 0x0202 = acknowledge


File and data carving continued

File and data carving continued

  • Look for magic number for beginning of .docx file

    • 0x504B or PK in ASCII

    • Byte 512 (0x200)

    • To find the end of the file add the file size to the starting byte

      • 0x0200 + 0x2EE8 = 0x30E8

      • Byte 0x30E8 shows Type 0x0204 = done

      • Size of transfer Byte 0x3108 = 0x2EE8 which is a match to the file size


File and data carving continued again

File and data carving continued again

  • Use Bless cut tool to carve out the file

    • Select extra data at the end of the file and click cut

    • Select extra data at the beginning of the file and click cut

    • Save file as “recipe.docx”

  • Get cryptographic hashes of file

  • Double check file size

  • Verify the file type


Carved file

Carved file

  • Open a copy of the file to verify the contents


Extract file automatically

Extract file automatically

  • Use tcpextract

    • Uses 0x504B0304 by default to mark the beginning of a file

  • Try saving the first instance “00000023.zip” as “recipe-tcpxtract.docx” and open a copy in document editor

    • Do not forget to take the cryptographic hashes


Networkminer

networkMiner

  • All of the work is done for us in NetworkMiner


Case study ann

Disclaimer: All information and data pulled directly from this book.

Pages 88 - 134

Works Cited

Davidoff, S., & Ham, J. (2012). Network Forensics Tracking Hackers Through Cyberspace. Boston: Prentice Hall.


  • Login