
Digital Forensics

Digital Forensics. Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #17 Network Forensics October 19, 2008. Outline. Plans for October 21 Network Forensics Network Attacks Security Measures Network Forensics and Tools Types of Networks Other info


Presentation Transcript


  1. Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #17 Network Forensics October 19, 2008

  2. Outline • Plans for October 21 • Network Forensics • Network Attacks • Security Measures • Network Forensics and Tools • Types of Networks • Other info • Summary/Conclusion and Links • Special presentation of network forensic • http://www.infragard.net/library/congress_05/computer_forensics/network_primer.pdf • Appendix: Social network Forensics • Readings for October 26 and 28

  3. Meeting on October 21st • Tour of North Texas FBI Lab at 2pm • 301 N. Market Street, Suite 500 (5th floor), Dallas, Texas. www.ntrcfl.org • Michael S. Morris • Lab Director • NTRCFL • (972) 559-5800

  4. Network Attacks • Denial of service Denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program. • These may be performed at the network layer by sending carefully crafted and malicious datagrams that cause network connections to fail. • They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning. • Preventing suspicious network traffic from reaching hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack. • It is useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.

  5. Network Attacks • Spoofing This type of attack causes a host or application to mimic the actions of another. • Typically the attacker pretends to be an innocent host by following IP addresses in network packets. • For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers. • To protect against this type of attack, verify the authenticity of datagrams and commands. • Prevent datagram routing with invalid source addresses. Introduce unpredictability into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.

  6. Network Attacks • Eavesdropping This is the simplest type of attack. • A host is configured to "listen" to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections. • Broadcast networks like Ethernet are especially vulnerable to this type of attack. • To protect against this type of threat, avoid use of broadcast network technologies and enforce the use of data encryption. • IP firewalling is very useful in preventing or reducing unauthorized access, network layer denial of service, and IP spoofing attacks. • It is not very useful in avoiding exploitation of weaknesses in network services or programs and eavesdropping.

  7. Securing a Network • Need measures to secure a network and prevent breaches • Apply patches; Use a layered network defense strategy • NSA (National Security Agency) has developed DiD (Defense in Depth) and has three models of protection • People, Technology, Operations • People: Employees are trained well • Technology: Strong network architecture and testing tools • Operations: applying security patches, anti-virus software, etc.

  8. Network Security Mechanisms • Network security starts from authenticating any user, most likely a username and a password. • Once authenticated, a stateful firewall enforces access policies such as what services are allowed to be accessed by the network users • Though effective to prevent unauthorized access, this component fails to check potentially harmful contents such as computer worms being transmitted over the network. • An intrusion prevention system (IPS) helps detect and prevent such malware. IPS also monitors for suspicious network traffic for contents, volume and anomalies to protect the network from attacks such as denial of service. • Communication between two hosts using the network could be encrypted to maintain privacy. • Individual events occurring on the network could be tracked for audit purposes and for a later high level analysis.

  9. Network Security Mechanisms • Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools. • Techniques used by the attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. • Such analysis could be used to further tighten security of the actual network being protected by the honeypot • Some tools: Firewall, Antivirus software and Internet Security Software. For authentication, use strong passwords and change them on a bi-weekly/monthly basis. When using a wireless connection, use a robust password. Network analyzer to monitor and analyze the network.

  10. Network Forensics • What is Network Forensics? • http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html • Network Forensics Analysis • Relationship to Honeynets/Honeypots • Policies for Network Forensics • Example Prototype System • Some Popular Network Forensics Analysis Tools (NFAT)

  11. What is Network Forensics • Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. • Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. • A network forensics appliance is a device that automates this process. • Wireless forensics is the process of capturing information that moves over a wireless network and trying to make sense of it in some kind of forensics capacity.

  12. What is Network Forensics? • Network forensics systems can be one of two kinds: • "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system. • "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

  13. What is Network Forensics • Network Forensics is the process of collecting and analyzing raw network data and then tracking network traffic to determine how an attack took place • When intruders break into a network they leave a trail. Need to spot variations in network traffic; detect anomalies • Network forensics can usually help to determine whether a network has been attacked or there is a user error • Examiners must establish standard procedures to carry out forensics

  14. Network Analysis • Find analysis techniques developed for one type of network and apply them to another type of network • Types of networks • Computer and Communication Networks • Telecommunication Network • Transportation networks • Highways, Railroad, Air Traffic • Human networks • Terror networks, Relationship networks

  15. Network Forensics Analysis Tools (NFAT): Relationships between IDS, Firewalls and NFAT • IDS attempts to detect activity that violates an organization’s security policy by implementing a set of rules describing preconfigured patterns of interest • Firewall allows or disallows traffic to or from specific networks, machine addresses and port numbers • NFAT synergizes with IDSs and Firewalls. • Preserves long term record of network traffic • Allows quick analysis of trouble spots identified by IDSs and Firewalls • NFATs must do the following: • Capture network traffic • Analyze network traffic according to user needs • Allow system users to discover useful and interesting things about the analyzed traffic

  16. NFAT Tasks • Traffic Capture • What is the policy? • What is the traffic of interest? • Internal/External? • Collect packets: tcpdump • Traffic Analysis • Sessionizing captured traffic (organize) • Protocol Parsing and analysis • Check for strings, use expert systems for analysis • Interacting with NFAT • Appropriate user interfaces, reports, examine large quantities of information and make it manageable
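
The "sessionizing" step above, and the "stop, look and listen" idea from slide 12 of keeping only selected information per packet, shown as an added example that is not part of the original lecture. It assumes a classic libpcap file (the format tcpdump writes) with untagged Ethernet and IPv4; the sample capture is constructed inline.

```python
import struct
from ipaddress import IPv4Address

FLAG_NAMES = ((0x02, "SYN"), (0x01, "FIN"), (0x04, "RST"))

def read_pcap(data):
    """Yield (timestamp, frame) from a classic libpcap capture held in memory."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl:
            break  # file cut off mid-record: stop rather than parse garbage
        off += 16 + incl
        yield ts, frame

def parse_tcp(frame):
    """Return (src, dst, flags, payload_len) for an untagged IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload_len = max(0, total_len - ihl - (tcp[12] >> 4) * 4)
    src = (str(IPv4Address(frame[26:30])), sport)
    dst = (str(IPv4Address(frame[30:34])), dport)
    return src, dst, tcp[13], payload_len

def sessionize(pcap_bytes):
    """Group TCP packets into bidirectional sessions; keep metadata, not payloads."""
    sessions = {}
    for ts, frame in read_pcap(pcap_bytes):
        seg = parse_tcp(frame)
        if seg is None:
            continue
        src, dst, flags, plen = seg
        key = tuple(sorted((src, dst)))  # same key for both directions
        s = sessions.setdefault(key, {  # first sender seen is taken as initiator
            "initiator": src, "responder": dst, "first": ts, "last": ts,
            "packets": 0, "bytes_out": 0, "bytes_in": 0, "flags": set()})
        s["last"] = ts
        s["packets"] += 1
        s["bytes_out" if src == s["initiator"] else "bytes_in"] += plen
        s["flags"].update(name for bit, name in FLAG_NAMES if flags & bit)
    return list(sessions.values())

def _frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed test frame: zeroed MACs and checksums, no TCP options."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_pcap():
    """Constructed capture: one HTTP exchange and one refused SSH connection."""
    c, s, other = "10.0.0.5", "192.0.2.10", "10.0.0.7"
    frames = [(100, _frame(c, s, 40000, 80, 0x02)), (100, _frame(s, c, 80, 40000, 0x12)),
              (101, _frame(c, s, 40000, 80, 0x10)),
              (101, _frame(c, s, 40000, 80, 0x18, b"GET / HTTP/1.1\r\n\r\n")),
              (102, _frame(s, c, 80, 40000, 0x18, b"HTTP/1.1 200 OK\r\n\r\nhello")),
              (103, _frame(c, s, 40000, 80, 0x11)),
              (104, _frame(other, s, 51000, 22, 0x02)), (104, _frame(s, other, 22, 51000, 0x14))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in frames:
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out
```

Calling `sessionize(sample_pcap())` returns one record per conversation; a session whose flags are only SYN and RST, with zero payload bytes, is the refused connection.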

  17. Network Forensics: NetworkMiner • NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. • NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. • The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. • The main view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).

  18. Honeynets/Honeypots • Network Forensics and honeynet systems have the same features of collecting information about computer misuses • Honeynet system can lure attackers and gain information about new types of intrusions • Network forensics systems analyze and reconstruct the attack behaviors • These two systems integrated together build an active self learning and response system to profile the intrusion behavior features and investigate the original source of the attack.

  19. Honeynet project • Honeynet project was established to make information about network attacks and solutions widely available • Objectives: Awareness, information, tools • Attacks: distributed Denial of Service, Zero day attacks • Honeypot is a computer set up to lure attackers • Honeywalls are computers set up to monitor what is happening to the honeypots in the network

  20. Policies: Computer Attack Taxonomy • Probing • Attacker reconnaissance • Attackers create a profile of an organization's structure, network capabilities and content, security posture • Attacker finds the targets and devises plans to circumvent the security mechanism • Penetration • Exploit System Configuration errors and vulnerabilities • Install Trojans, record passwords, delete files, etc. • Cover tracks • Configure event logging to a previous state • Clear event logs and hide files

  21. Policies to enhance forensics • Retaining information • Planning the response • Training • Accelerating the investigation • Preventing anonymous activities • Protect the evidence

  22. Example Prototype System: Iowa State University • Network Forensics Analysis mechanisms should meet the following: • Short response times; User friendly interfaces • Questions addressed • How likely is a specific host relevant to the attack? What is the role the host played in the attack? How strong are two hosts connected to the attack? • Features of the prototype • Preprocessing mechanism to reduce redundancy in intrusion alerts • Graph model for presenting and interacting with the evidence • Hierarchical reasoning framework for automated inference of attack group identification

  23. Example Prototype System: Modules • Evidence collection module • Evidence preprocessing module • Attack knowledge base • Assets knowledge base • Evidence graph generation module • Attack reasoning module • Analyst interface module • Reference • http://delivery.acm.org/10.1145/1420000/1410238/a4-wang.pdf?key1=1410238&key2=9838895521&coll=GUIDE&dl=GUIDE&CFID=57276464&CFTOKEN=77054716 • https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf

  24. Network Tools • Network Forensics tools help in the monitoring of the network • Example: the records that PsTools generate can prove that an employee ran a program without permission • Can also monitor machines/processes that may be harmful • Problem is the attacker can get administrator rights and start using the tools • Chapter 11 discusses tools for Windows and Linux

  25. Some Popular Tools • Raytheon’s SilentRunner • Gives administrators help as they attempt to protect their company’s assets • Collector, Analyzer and Visualizer Modules • Sandstorm Enterprise’s NetIntercept • Hardware appliance focused on capturing network traffic • Niksun’s NetDetector • It's an appliance like NetIntercept • Has an alerting mechanism • Integrates with Cisco IDS for a complete forensic analysis

  26. Network Forensics: Open Source Tools • Open source tools • Wireshark • Kismet • Snort • OSSEC • NetworkMiner is an open source Network Forensics Tool available at SourceForge. • Xplico is an Internet/IP Traffic Decoder (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6

  27. Network Forensics: Commercial Tools • Deep Analysis Tools (data mining based tools) • E-Detective • ManTech International Corporation • Network Instruments • NIKSUN's NetDetector • PacketMotion • Sandstorm's NetIntercept • Mera Systems NetBeholder • InfoWatch Traffic Monitor

  28. Network Forensics: Commercial Tools • Flow-Based Systems • Arbor Networks • GraniteEdge Networks • Lancope http://www.lancope.com/ • Mazu Networks http://www.mazunetworks.com/ • Hybrid Systems • These systems combine flow analysis, deep analysis, and security event monitoring and reporting. • Q1 Labs http://www.q1labs.com/

  29. Performing Live Acquisitions • Insert bootable forensics CD in the suspect system • Keep a log of all the actions • Send collected information to a network drive • Copy the physical memory • Determine if root kit is present; access system’s firmware, - - • Get forensics hash value of all files

  30. Performing Live Acquisitions: Windows • Set up NetCat listener to send the forensics data • Load Helix CD in the CD-ROM drive • Click appropriate buttons – System Information; Glad arrow etc • Click Acquire Live Image if Windows System • Connect to NetCat listener to send the collected data (e.g., enter IP address of NetCat listener) • Click Incident Response Tools • Click on appropriate tools to collect data

  31. Standard procedures • Standard installation image, hash schemes (e.g., MD5, SHA-1) • Fix vulnerabilities if intrusion is detected • Retrieve volatile data (RAM, processes) • Acquire compromised drive and make forensics image of it • Compare forensics image and standard image and determine if anything has changed
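
One way to carry out the last step above, comparing the acquired image against the standard installation image by file hash, as an added example that is not part of the original lecture. It assumes both images are mounted read-only as directory trees; the two small trees in `demo()` are constructed stand-ins, and SHA-256 is used as the default because practical collisions are known for MD5 and SHA-1 (pass `algo="md5"` or `algo="sha1"` to match an existing manifest).

```python
import hashlib
import os
import tempfile

def hash_manifest(root, algo="sha256"):
    """Map each regular file under root (relative path) to its hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # never follow links out of the mounted image
            digest = hashlib.new(algo)
            with open(full, "rb") as fh:
                # read in 1 MiB chunks so large files do not exhaust memory
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest

def compare_manifests(standard, acquired):
    """Report files added to, removed from, or changed relative to the standard image."""
    common = standard.keys() & acquired.keys()
    return {
        "added": sorted(acquired.keys() - standard.keys()),
        "removed": sorted(standard.keys() - acquired.keys()),
        "modified": sorted(p for p in common if standard[p] != acquired[p]),
    }

def _populate(root, files):
    """Write the constructed sample files under root."""
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

def demo():
    """Constructed stand-ins for a mounted standard image and an acquired image."""
    standard = {"bin/login": b"login v1",
                "etc/hosts": b"127.0.0.1 localhost\n",
                "etc/motd": b"welcome\n"}
    acquired = {"bin/login": b"login v1, altered after install",
                "etc/hosts": b"127.0.0.1 localhost\n",
                "tmp/.cache": b"file not present in the standard image"}
    with tempfile.TemporaryDirectory() as tmp:
        std_root = os.path.join(tmp, "standard")
        acq_root = os.path.join(tmp, "acquired")
        _populate(std_root, standard)
        _populate(acq_root, acquired)
        return compare_manifests(hash_manifest(std_root), hash_manifest(acq_root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```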

  32. Network Logs • Network logs record traffic in and out of network • Network servers, routers, firewalls record activities and events that move through them • One way is to run Tcpdump • When viewing network log, port information can give clues about suspicious activity • Use network analysis tool

  33. Packet Sniffers • Devices or software to monitor (sniff) traffic • TCP/IP sniffers operate at the packet level; in OSI terms they operate at Layer 2 or 3 (e.g., Data Link or Network layers) • Some sniffers perform packet captures, some perform analysis and some perform both • Tools exist for examining (i) packets with certain flags set (ii) email headers (iii) IRC chats

  34. Summary • Network Forensics is the process of collecting and analyzing raw network data and then tracking network traffic to determine how an attack took place • Layered defense strategies to the network architecture • Live acquisitions are needed to retrieve volatile items • Standard procedures are needed to establish how to proceed after a network attack occurs • By monitoring network traffic, one can establish normal operations and then determine if there is an anomaly • Network tools used to monitor networks; but intruders can get admin rights to attack from the inside • Tools are available for monitoring network traffic for both Windows and Linux systems • Honeynet project enables people to learn latest intrusion techniques

  35. Summary • Network forensics is essentially about monitoring network traffic and determining if there is an attack and if so, determine the nature of the attack • Key tasks include traffic capture, analysis and visualization • Many tools are now available • Works together with IDSs, Firewalls and Honeynets • Expert systems solutions show promise

  36. Links • https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf • http://www.cs.fsu.edu/~yasinsac/Papers/MY01.pdf • http://www.sandstorm.net/support/netintercept/downloads/ni-ieee.pdf • http://www.giac.org/certified_professionals/practicals/gsec/2478.php • http://www.infragard.net/library/congress_05/computer_forensics/network_primer.pdf • http://dfrws.org/2003/presentations/Brief-Casey.pdf • http://delivery.acm.org/10.1145/1070000/1066749/p302-ren.pdf?key1=1066749&key2=0512850911&coll=GUIDE&dl=GUIDE&CFID=36223233&CFTOKEN=49225512 • http://dfrws.org/

  37. Reference Books for Digital Forensics • Bruce Middleton, Cyber Crime Investigator's Field Guide, Boca Raton, Florida: Auerbach Publications, 2001, ISBN 0-8493-1192-6. • Brian Carrier, File System Forensic Analysis, Addison-Wesley, 2005, ISBN 0-321-26817-2. • Chris Prosise and Kevin Mandia, Incident Response: Investigating Computer Crime, Berkeley, California: Osborne/McGraw-Hill, 2001, ISBN 0-07-213182-9. • Warren Kruse and Jay Heiser, Computer Forensics: Incident Response Essentials, Addison-Wesley, 2002, ISBN 0-201-70719-5. • Edward Amoroso, Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response, Intrusion.Net Books, 1999, ISBN 0-9666700-7-8.

  38. Special Presentation • Network Forensics Primer • http://www.infragard.net/library/congress_05/computer_forensics/network_primer.pdf

  39. Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Appendix Social Network Analysis and Forensics October 19, 2009

  40. Social Network Analysis of 9/11 Terrorists (www.orgnet.com) Early in 2000, the CIA was informed of two terrorist suspects linked to al-Qaeda. Nawaf Alhazmi and Khalid Almihdhar were photographed attending a meeting of known terrorists in Malaysia. After the meeting they returned to Los Angeles, where they had already set up residence in late 1999.

  41. Social Network Analysis of 9/11 Terrorists • What do you do with these suspects? Arrest or deport them immediately? No, we need to use them to discover more of the al-Qaeda network. • Once suspects have been discovered, we can use their daily activities to uncloak their network. Just like they used our technology against us, we can use their planning process against them. Watch them, and listen to their conversations to see... • who they call / email • who visits with them locally and in other cities • where their money comes from • The structure of their extended network begins to emerge as data is discovered via surveillance.

  42. Social Network Analysis of 9/11 Terrorists A suspect being monitored may have many contacts -- both accidental and intentional. We must always be wary of 'guilt by association'. Accidental contacts, like the mail delivery person, the grocery store clerk, and neighbor may not be viewed with investigative interest. Intentional contacts are like the late afternoon visitor, whose car license plate is traced back to a rental company at the airport, where we discover he arrived from Toronto (got to notify the Canadians) and his name matches a cell phone number (with a Buffalo, NY area code) that our suspect calls regularly. This intentional contact is added to our map and we start tracking his interactions -- where do they lead? As data comes in, a picture of the terrorist organization slowly comes into focus. How do investigators know whether they are on to something big? Often they don't. Yet in this case there was another strong clue that Alhazmi and Almihdhar were up to no good -- the attack on the USS Cole in October of 2000. One of the chief suspects in the Cole bombing [Khallad] was also present [along with Alhazmi and Almihdhar] at the terrorist meeting in Malaysia in January 2000. Once we have their direct links, the next step is to find their indirect ties -- the 'connections of their connections'. Discovering the nodes and links within two steps of the suspects usually starts to reveal much about their network. Key individuals in the local network begin to stand out. In viewing the network map in Figure 2, most of us will focus on Mohammed Atta because we now know his history. The investigator uncloaking this network would not be aware of Atta's eventual importance. At this point he is just another node to be investigated.

  43. Figure 2 shows the two suspects and Social Network Analysis of 9/11 Terrorists

  44. Social Network Analysis of 9/11 Terrorists

  45. Social Network Analysis of 9/11 Terrorists • We now have enough data for two key conclusions: • All 19 hijackers were within 2 steps of the two original suspects uncovered in 2000! • Social network metrics reveal Mohammed Atta emerging as the local leader • With hindsight, we have now mapped enough of the 9-11 conspiracy to stop it. Again, the investigators are never sure they have uncovered enough information while they are in the process of uncloaking the covert organization. They also have to contend with superfluous data. This data was gathered after the event, so the investigators knew exactly what to look for. Before an event it is not so easy. • As the network structure emerges, a key dynamic that needs to be closely monitored is the activity within the network. Network activity spikes when a planned event approaches. Is there an increase of flow across known links? Are new links rapidly emerging between known nodes? Are money flows suddenly going in the opposite direction? When activity reaches a certain pattern and threshold, it is time to stop monitoring the network, and time to start removing nodes. • The author argues that this bottom-up approach of uncloaking a network is more effective than a top down search for the terrorist needle in the public haystack -- and it is less invasive of the general population, resulting in far fewer "false positives".

  46. Social Network Analysis of Steroid Usage in Baseball (www.orgnet.com) When the Mitchell Report on steroid use in Major League Baseball [MLB], was published, people were surprised at who and how many players were mentioned. The diagram below shows a human network created from data found in the Mitchell Report. Baseball players are shown as green nodes. Those who were found to be providers of steroids and other illegal performance enhancing substances appear as red nodes. The links reveal the flow of chemicals -- from provider to player.

  47. Applying to Network Forensics • Start with infected machines • Then follow the chain to other machines • Visualization techniques for the network of affected machines • Iowa State University Prototype is an example
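
The "start with infected machines, then follow the chain" step above, applied to connection records, as an added example that is not part of the original lecture or the Iowa State prototype. It goes beyond the slide in two labelled assumptions: a connection only counts if it happened after the sender itself became suspect, and chains are cut at `max_hops` (2 by default, echoing the "within 2 steps" observation in the appendix). The flow records are constructed.

```python
def trace_spread(seeds, flows, max_hops=2):
    """
    seeds: {host: time at which it is known to be infected}
    flows: iterable of (timestamp, src, dst, dst_port) connection records
    Returns {host: {"hops", "since", "via"}} for every host reachable from a
    seed through connections that each occur after the sender became suspect.
    "since" and "via" describe the earliest contact; "hops" is the fewest hops
    seen so far. Records with equal timestamps are processed in sort order.
    """
    reached = {h: {"hops": 0, "since": t, "via": None} for h, t in seeds.items()}
    for ts, src, dst, dport in sorted(flows):
        origin = reached.get(src)
        if origin is None or ts < origin["since"]:
            continue  # sender was not suspect when this connection was made
        if origin["hops"] >= max_hops:
            continue  # chain already at the hop limit
        hops = origin["hops"] + 1
        known = reached.get(dst)
        if known is None:
            reached[dst] = {"hops": hops, "since": ts, "via": (src, dport)}
        elif hops < known["hops"]:
            known["hops"] = hops  # a shorter chain appeared later
    return reached

# Constructed flow records: (timestamp, source, destination, destination port)
SAMPLE_FLOWS = [
    (95, "10.0.0.5", "10.0.0.20", 80),    # before the seed was infected: ignored
    (105, "10.0.0.6", "10.0.0.30", 445),  # 10.0.0.6 not yet contacted: ignored
    (110, "10.0.0.5", "10.0.0.6", 445),   # hop 1
    (120, "10.0.0.6", "10.0.0.7", 445),   # hop 2
    (130, "10.0.0.7", "10.0.0.8", 445),   # would be hop 3: not followed
    (140, "10.0.0.5", "10.0.0.7", 3389),  # 10.0.0.7 is now 1 hop from the seed
    (150, "10.0.0.7", "10.0.0.9", 445),   # so this connection is hop 2
]

def sample_trace():
    """Run the trace on the constructed records with one seed host."""
    return trace_spread({"10.0.0.5": 100}, SAMPLE_FLOWS)

if __name__ == "__main__":
    for host, info in sorted(sample_trace().items(), key=lambda kv: kv[1]["since"]):
        print(host, info)
```

The hosts returned are the ones to acquire and examine next; the `via` field gives the connection that first linked each one to the chain.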

  48. Readings for October 26 and October 28 • FORZA – Digital forensics investigation framework that incorporate legal issues • http://dfrws.org/2006/proceedings/4-Ieong.pdf • A cyber forensics ontology: Creating a new approach to studying cyber forensics • http://dfrws.org/2006/proceedings/5-Brinson.pdf • Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem • http://dfrws.org/2006/proceedings/6-Harris.pdf
