
Network Forensics: When conventional forensic analysis is not enough



Presentation Transcript


  1. Network Forensics: When conventional forensic analysis is not enough Manuel Humberto Santander Peláez GIAC GCFA Gold, GNET Silver, GCIA Gold

  2. Network Security Perimeter • Firewalls • NIDS/NIPS • VPN Concentrator • NAC (Switches) • Antivirus • Antispyware • Content Filtering

  3. Network Security Perimeter VPN Concentrator Firewall Switch (NAC) NIDS Security Event Correlator

  4. Network Forensics • Capture, recording and analysis of network events • Needed to discover the source and type of network attacks • Large volume of logs and traffic to handle • Network security perimeter devices give a lot of useful information

  5. Network Forensics • Network traffic gives evidence of attacks such as: • Exploit attempts • Virus breach attempts • MITM • Valuable when it can be correlated with computer breaches • Can supply the missing information on a computer attack (the “missing puzzle piece”)

  6. Billing Information Change using a network attack • Colombia Utility Company is the biggest utility company in Colombia • Massive change of the billing amount on 10000 installations, about 40% less on each invoice • Once an invoice is delivered, it cannot be changed (Law 142 of 1994, Colombian Congress) • Where was the breach? How can it be prevented?

  7. Billing Information Change using a network attack • Billing is a daily batch process • 98% of the invoices were altered • Billing calculations are done by stored procedures in the database • The first evidence gathered was a report of users executing the offending transactions on the application (August 25, 2007)

  8. Billing Information Change using a network attack

  9. Billing Information Change using a network attack The same result was obtained on every computer analyzed from the obtained table

  10. Billing Information Change using a network attack • IDS alerts showed the MAC address of the main router changing in ARP several times; no firewall or NAC alert • Found 4970 alerts for August 25, 2007 • Investigation showed a local desktop machine claimed to be the router for the whole network segment • All billing department staff in that segment logged on to the application
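The detection described on slide 10 (an IDS noticing that the router's IP is suddenly answered by a different MAC, with thousands of alerts in a day) can be reproduced with an arpwatch-style check over raw frames. The following is an added example, not code from the presentation or its author: it builds a few Ethernet/ARP frames itself (the gateway IP, both MAC addresses and the host addresses are constructed values), parses them without any third-party library, and reports every change of the MAC claimed for a watched IP, plus a count of which MAC did the claiming.

```python
import struct
from collections import Counter

# Constructed sample values (not from the case): the gateway IP, the MAC it
# legitimately answers with, and a second MAC that starts claiming the gateway IP.
GATEWAY_IP = "192.168.1.1"
LEGIT_MAC = "00:11:22:33:44:55"
ROGUE_MAC = "de:ad:be:ef:00:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet II + ARP frame (op 1 = request, 2 = reply)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sha": fmt_mac(frame[22:28]), "spa": fmt_ip(frame[28:32]),
        "tha": fmt_mac(frame[32:38]), "tpa": fmt_ip(frame[38:42]),
    }


def detect_arp_changes(frames, watched_ips):
    """arpwatch-style check: every ARP packet (request or reply) asserts
    'sender IP is at sender MAC'. Remember the first MAC seen for each watched
    IP and raise an alert on every change, including the flip back."""
    known = {}
    alerts = []
    for idx, frame in enumerate(frames):
        pkt = parse_arp(frame)
        if pkt is None or pkt["spa"] not in watched_ips:
            continue
        ip, mac = pkt["spa"], pkt["sha"]
        if ip not in known:
            known[ip] = mac
        elif known[ip] != mac:
            alerts.append({"frame": idx, "ip": ip, "old_mac": known[ip],
                           "new_mac": mac, "op": pkt["op"]})
            known[ip] = mac  # follow the change so a flip back is alerted too
    return alerts


def claimants(alerts):
    """Count how often each MAC took over a watched IP in the alert list."""
    return Counter(a["new_mac"] for a in alerts)


# Constructed capture: a normal gateway reply, an unrelated host, the poisoning
# frames (a reply and a gratuitous request both carry the claim), the real
# gateway reasserting itself, the rogue host poisoning again, and non-ARP noise.
SAMPLE_FRAMES = [
    build_arp(2, LEGIT_MAC, GATEWAY_IP, "00:aa:bb:cc:dd:01", "192.168.1.10"),
    build_arp(2, "00:aa:bb:cc:dd:01", "192.168.1.10", LEGIT_MAC, GATEWAY_IP),
    build_arp(2, ROGUE_MAC, GATEWAY_IP, "00:aa:bb:cc:dd:01", "192.168.1.10"),
    build_arp(1, ROGUE_MAC, GATEWAY_IP, BROADCAST, "192.168.1.11"),
    build_arp(2, LEGIT_MAC, GATEWAY_IP, "00:aa:bb:cc:dd:01", "192.168.1.10"),
    build_arp(2, ROGUE_MAC, GATEWAY_IP, "00:aa:bb:cc:dd:01", "192.168.1.10"),
    b"\x00" * 60,
]

if __name__ == "__main__":
    found = detect_arp_changes(SAMPLE_FRAMES, {GATEWAY_IP})
    for a in found:
        print(a)
    print(claimants(found))
```

Only the sender fields are trusted as the claim, because that is what a receiving host writes into its ARP cache; the target fields and the Ethernet destination are ignored on purpose. Fed real frames from a pcap, the same function would turn a day's worth of poisoning into a list of (old MAC, new MAC) transitions whose dominant new MAC identifies the rogue desktop.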

  11. Billing Information Change using a network attack

  12. Billing Information Change using a network attack The Oexplore access time matches the first access to the database. Passwords were found cracked with Cain.
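The correlation step on slide 12 (a file access time on the suspect desktop lining up with the first database access, and captured passwords replayed from that desktop) is what turns the ARP alerts into a case. The block below is an added example, not the presenter's own tooling: it merges IDS ARP alerts, database login records and a host artifact into one timeline, then flags database sessions opened from the poisoned segment during the poisoning window, accounts that logged in from more than one client address in that window (credentials captured and replayed), and host artifacts whose timestamp sits within a tolerance of a database login from the same host. All event values, IP addresses and account names are constructed, and the artifact is labelled "Oexplore access" only because that is the name the slide uses.

```python
from datetime import datetime, timedelta

# Constructed sample events (illustrative values, not the evidence from the case).
ARP_ALERTS = [  # (time, IP of the host claiming the router's MAC)
    (datetime(2007, 8, 25, 8, 2), "10.0.5.23"),
    (datetime(2007, 8, 25, 8, 4), "10.0.5.23"),
    (datetime(2007, 8, 25, 11, 30), "10.0.5.23"),
]
DB_SESSIONS = [  # (login time, client IP, database user)
    (datetime(2007, 8, 25, 7, 50), "10.0.5.40", "bill_ana"),    # before poisoning
    (datetime(2007, 8, 25, 8, 10), "10.0.5.41", "bill_carl"),   # victim, during poisoning
    (datetime(2007, 8, 25, 9, 15), "10.0.5.23", "bill_carl"),   # same account from the rogue host
    (datetime(2007, 8, 25, 10, 5), "10.0.7.12", "finance1"),    # other segment
]
HOST_ARTIFACTS = [  # (file access time, host IP, description) from the disk image
    (datetime(2007, 8, 25, 9, 14), "10.0.5.23", "Oexplore access"),
]


def poisoning_window(arp_alerts, slack=timedelta(minutes=5)):
    """First to last ARP alert, padded so a session opened just after the last
    observed poisoning frame (cache entries outlive the frame) is still inside."""
    times = [t for t, _ in arp_alerts]
    return min(times), max(times) + slack


def sessions_during_poisoning(db_sessions, window, segment_prefix):
    """Database logins from the poisoned segment while the rogue host was the router."""
    start, end = window
    return [s for s in db_sessions
            if start <= s[0] <= end and s[1].startswith(segment_prefix)]


def credential_reuse(db_sessions, window):
    """Accounts seen from more than one client IP inside the window: a password
    sniffed on the wire and replayed from another machine looks exactly like this."""
    start, end = window
    by_user = {}
    for t, ip, user in db_sessions:
        if start <= t <= end:
            by_user.setdefault(user, set()).add(ip)
    return {u: ips for u, ips in by_user.items() if len(ips) > 1}


def matching_host_artifacts(host_artifacts, db_sessions, tolerance=timedelta(minutes=2)):
    """Pair host file-access times with database logins from the same host
    that fall within the tolerance, as on slide 12."""
    matches = []
    for ht, hip, desc in host_artifacts:
        for st, sip, user in db_sessions:
            if sip == hip and abs(st - ht) <= tolerance:
                matches.append((desc, hip, user, st))
    return matches


def build_timeline(arp_alerts, db_sessions, host_artifacts):
    """Single chronological view of the three evidence sources."""
    events = [(t, "IDS", f"{ip} claims router MAC") for t, ip in arp_alerts]
    events += [(t, "DB", f"{user} login from {ip}") for t, ip, user in db_sessions]
    events += [(t, "HOST", f"{desc} on {ip}") for t, ip, desc in host_artifacts]
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    window = poisoning_window(ARP_ALERTS)
    for event in build_timeline(ARP_ALERTS, DB_SESSIONS, HOST_ARTIFACTS):
        print(event[0].strftime("%H:%M"), event[1], event[2])
    print("sessions during poisoning:", sessions_during_poisoning(DB_SESSIONS, window, "10.0.5."))
    print("credential reuse:", credential_reuse(DB_SESSIONS, window))
    print("host/db matches:", matching_host_artifacts(HOST_ARTIFACTS, DB_SESSIONS))
```

Clock skew between the IDS sensor, the database server and the imaged desktop is the usual reason such a correlation fails; the tolerance and slack parameters exist so the analyst can widen them to the measured skew rather than to an arbitrary guess.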

  13. Billing Information Change using a network attack

  14. Billing Information Change using a network attack

  15. Lessons Learned • Network forensics completes computer forensic evidence when the evidence found inside computers doesn’t give enough clues. • Network forensics evidence must be correlated with the evidence found on computers to be valuable. • Security perimeter devices give valuable information if well configured.
