COEN 252 Computer Forensics

Challenges of Network Forensics

Challenges of Network Forensics

Evidence in a network is dispersed. The scope of the investigation is fluid. There is no isolated crime scene.
It is hard to collect all evidence. It is equally hard to destroy all evidence.

Challenges of Network Forensics: Preparation and Authorization

System administrators routinely gather network data. But usually, more data is needed.
Basic problem: where to find all the relevant data.

Challenges of Network Forensics: Preparation and Authorization

Step 1: Investigation of the network. Determine the location of servers, … Determine their type. Plan for the processing of the data.
Often, evidence needs to be gathered simultaneously at various sites. This should not disrupt operations. Network scanning is aggressive and can lead to an automatic response.

Challenges of Network Forensics: Preparation and Authorization

Step 2: Seek authorization. Depends on: situation, country, type of data, who is collecting the data.
Sometimes, law enforcement needs to demonstrate that they exhausted all other means.
A warrant for all sites involved is advisable.

Challenges of Network Forensics: Preparation and Authorization

Using passwords obtained during investigation usually requires additional authorization.

The FBI successfully prosecuted two Russian computer intruders, Aleksey Ivanov and Gorshkov, for breaking into e-commerce sites. The FBI lured the two with a fictitious job interview, then captured the passwords typed on the interview systems. The FBI used these passwords to gain access to their computers at home, which yielded a wealth of evidence of the men’s computer hacking and fraud.

Challenges of Network Forensics: Preparation and Authorization

Russia’s counterintelligence service filed criminal charges against an FBI agent because the agent illegally seized evidence against them by downloading data from their computers in Chelyabinsk, Russia.

But U.S. District Judge John C. Coughenour of Seattle ruled that Gorshkov and Ivanov gave up any expectation of privacy by using computers in what they believed were the offices of a public company.

Challenges of Network Forensics: Preparation and Authorization

“When (the) defendant sat down at the networked computer … he knew that the systems administrator could and likely would monitor his activities,” Coughenour wrote. “Indeed, the undercover agents told (Gorshkov) that they wanted to watch in order to see what he was capable of doing.” He also found that the Fourth Amendment did not apply to the computers, “because they are the property of a non-resident and located outside the United States,” or to the data — at least until it was transmitted to the United States.

Challenges of Network Forensics: Preparation and Authorization

The judge noted that investigators obtained a search warrant before viewing the vast store of data — nearly 250 gigabytes, according to court records. He rejected the argument that the warrant should have been obtained before the data was downloaded, noting that “the agents had good reason to fear that if they did not copy the data, (the) defendant’s co-conspirators would destroy the evidence or make it unavailable.”

Finally, Coughenour rejected defense arguments that the FBI’s actions “were unreasonable and illegal because they failed to comply with Russian law,” saying that Russian law does not apply to the agents’ actions.

Challenges of Network Forensics: Preparation and Authorization

Warrants can be too broad: evidence collected under such a warrant might not be admissible.
Warrants can be too specific: they do not allow investigators to find all the relevant data.

Challenges of Network Forensics: Preparation and Authorization

Warrants requesting email are harder to obtain. Rather ask for records associated with the subscriber account: screen name, phone number, address, credit card numbers, connection records (including IP addresses, logon dates, phone numbers), …

Some services (e.g. eBay) can provide such records to law enforcement because their user agreement allows for that.

Challenges of Network Forensics: Preparation and Authorization

Investigators need not be present when data at an internet provider is collected.

In October of 2000, police officers in Minnesota began investigating Dale Robert Bach for potential child pornography crimes. As part of the investigation, an officer obtained a search warrant to be served upon Yahoo, an internet service provider (ISP) in California. Minnesota requires that an officer be present at the service of a search warrant. Rather than adhering to the requirements of Minnesota law, the officer investigating Mr. Bach served the search warrant on Yahoo by fax. Upon receiving the fax, Yahoo employees retrieved all data from Mr. Bach's account, including deleted email messages. Yahoo then mailed the disk to Minnesota, where the data became evidence in Bach's federal criminal prosecution.

Challenges of Network Forensics: Preparation and Authorization

At trial, Bach moved to have the evidence suppressed, citing violations of both the Minnesota statute and a federal statute. The district court held that the evidence should be suppressed, as the search was illegal under both federal and state law. The government appealed to the circuit court.

On October 10, 2002, the Eighth Circuit held oral arguments in United States v. Bach, the first Circuit case examining how the Fourth Amendment protects stored e-mail and other files held by Internet Service Providers (ISPs). The district court had suppressed the evidence, stating that the law enforcement practice of faxing search warrants for the contents of e-mails to ISPs violated the Constitution because the Fourth Amendment required the government to be physically present to execute the warrant. At oral argument, the government's attorney urged the court to resolve the question on narrow reasonableness grounds, without addressing the broader issue of whether an Internet user has an expectation of privacy in remotely stored files held by an ISP.

Challenges of Network Forensics: Preparation and Authorization

The Eighth Circuit ruled that service of a warrant on an ISP by fax complies with the "reasonableness" requirements of the Fourth Amendment. The court resolved the case on the narrow ground that the government's actions were "reasonable," without deciding the broader issue of whether an Internet user has a Fourth Amendment expectation of privacy in their e-mail. In January 2003, the Circuit judges narrowly rejected the defendant's petition for reconsideration, voting 5 to 4 against the motion.

Challenges of Network Forensics: Identification

Locate the systems that contain the most useful evidence.
Seek end-points and intermediate systems (switches, routers, proxies).
Look for log files that give an overview of system activities.
Look for supporting systems such as authentication servers and caller-id systems.

Challenges of Network Forensics: Identification

Example: Investigator examines a compromised machine and determines the source and method of attack.
Investigator locates other systems that are compromised and observes traffic on the compromised systems.
This determines the source of the attack.

Challenges of Network Forensics: Identification

Example: Investigator contacts the ISP to preserve related evidence. The intruder has stolen a dial-up account. But the ISP has Automatic Number Identification. This gives the phone number used to dial into the ISP modems.

Challenges of Network Forensics: Identification

Example: The phone number leads to the intruder’s home. A search warrant is obtained and the intruder is caught red-handed.

Challenges of Network Forensics: Identification

Much network evidence is time-critical. Logs are expunged. Caches in highly active devices such as routers are volatile.
This creates a need for instant analysis. Gathering evidence is usually the higher priority. The plan becomes important.

Challenges of Network Forensics: Identification

Mistakes because of haste are common. A subpoena to AOL for 3:13 pm instead of 3:13 am resulted in the wrong subscriber information for an IP address.
Mistakes in the IP address also lead to wrong subscriber information.
Intruders try to mislead investigators by hiding their tracks.
Corroborating evidence is essential.

Challenges of Network Forensics: Identification

Given the haste, the difficulties, and the wide variety of evidence, we need a methodical approach.
Digital Evidence Map: lays out the evidentiary resources of a network.

Challenges of Network Forensics: Identification

Digital Evidence Map (diagram): UNIX server, Kerberos server, firewalls (firewall logs), intrusion detection system (IDS logs and evidence processing), routers (router logs), dial-up rotaries.

Challenges of Network Forensics: Documentation, Collection, Preservation

A byte-for-byte copy of network computers is often impossible: systems cannot be shut down; there is too much data to collect; authority to access data is limited; physical access is impossible; evidence is likely altered before physical access is gained.

Challenges of Network Forensics: Documentation, Collection, Preservation

Real-time evidence gathering from resources like HyperTerminal or script, IRC chat sessions.
The equivalent of video-taping the session might be required.
Monitoring of network traffic: Intrusion Detection Systems (IDS) do not log everything.

Challenges of Network Forensics: Documentation, Collection, Preservation

Real-time gathering: preserving evidence and establishing a chain of custody is a challenge.
Example: Log files can be preserved with a time and date stamp, documentation of file location and metadata, copied to disk, MD5ed, printed out, …

Challenges of Network Forensics: Documentation, Collection, Preservation

Case Example: In a homicide case, investigators collected all the log entries of network activity of the victim, but not the entire file. It was later determined that the offender might have logged in at the same time in order to chat and to arrange a meeting an hour later. By the time this was realized, the tapes with the log file had already been reused and all other log entries were lost. It was now impossible to determine who else was logged on at the same time as the victim.

Challenges of Network Forensics: Documentation, Collection, Preservation

Maintain a detailed record of the entire collection process to authenticate the evidence at a later time.

Challenges of Network Forensics: Documentation, Collection, Preservation

Case Example: An intruder was caught breaking into a computer system on an organization’s network via the internet. Before disconnecting the system from the network, investigators gathered evidence that showed clearly that a crime was being committed. To achieve the equivalent of a videotape of the crime, they used a sniffer to monitor network traffic. They logged onto the compromised system using a client that kept a log of the session, then gathered evidence of the intruder’s presence on the system and the programs the intruder was running. They found other compromised systems and connected to them through a backdoor created by the intruder. Because there was a risk that the intruder might destroy evidence, they collected evidence remotely. Recall that they used a program that monitored their keystrokes and thus documented the investigation.

Challenges of Network Forensics: Documentation, Collection, Preservation

Standard Procedure: follow a standard operating procedure to reduce mistakes and increase consistency.
Retain a log of all activities during the collection process (including screen shots).
Document from which server the data actually comes.
Calculate MD5 values of evidence prior to transferring it.
Possibly digitally sign and encrypt the data.
Possibly use write-once media to collect evidence.
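The standard procedure above, worked through as an added example (not code from the lecture): a small Python collection record that documents the source server and collector, hashes the file before transfer (MD5 as on the slide, plus SHA-256), writes a manifest, and re-verifies the hashes afterwards so that any alteration in transit is caught. Host names, paths and the sample log line are constructed placeholders.

```python
"""Chain-of-custody record for a collected log file: document its source, hash it
before transfer (MD5 as in the deck, plus SHA-256), and re-verify it afterwards."""
import hashlib, json, os, socket, tempfile
from datetime import datetime, timezone

# Constructed sample log content; host and collector names below are placeholders.
SAMPLE_LOG = b"Mar 14 03:13:02 srv1 sshd[412]: Accepted password for alice from 198.51.100.7\n"

def file_digests(path, chunk=1 << 16):
    """Compute MD5 and SHA-256 of a file in one streaming pass (works for large captures)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def record_evidence(path, source_host, collector, note=""):
    """One manifest entry: where the data came from, who took it, when, and its hashes."""
    st = os.stat(path)
    return {
        "file": os.path.basename(path),
        "source_host": source_host,          # the server the data actually comes from
        "collector": collector,
        "collection_host": socket.gethostname(),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "note": note,
        **file_digests(path),
    }

def verify_evidence(path, entry):
    """Recompute hashes at the destination; any change since collection returns False."""
    return os.path.exists(path) and file_digests(path) == {"md5": entry["md5"], "sha256": entry["sha256"]}

def run_demo():
    """Collect a constructed log, write the manifest, verify, then show a tamper being caught."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "srv1-auth.log")
        with open(log, "wb") as f:
            f.write(SAMPLE_LOG)
        entry = record_evidence(log, "srv1.example.test", "investigator-1", "auth log, pre-transfer")
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump([entry], f, indent=2)       # the record that authenticates the evidence later
        intact = verify_evidence(log, entry)
        with open(log, "ab") as f:                # simulate alteration after collection
            f.write(b"Mar 14 03:14:00 srv1 sshd[413]: session closed\n")
        return intact, verify_evidence(log, entry)
```

In practice the manifest would itself be signed and kept on write-once media, as the slide suggests.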

Challenges of Network Forensics: Filtering

Forensic analysis of a network incident typically involves too much data.
Some collected data is privileged or confidential, for example if all traffic through a router is collected during an incident.

Challenges of Network Forensics: Filtering

Filter before collecting data? Can lose evidence.
Better to filter after the data is collected.

Challenges of Network Forensics: Filtering

Filtering for log files: usually part of the command interface.
Ntlast extracts from the NT Event log.
Collect the log from a Cisco router in a file, then use a filtering tool.
Sniffers (commercial, non-commercial) have filters. Capture all, then filter the results.

Challenges of Network Forensics: Filtering

Emails: filter for portions of headers; filter for IP addresses.

Challenges of Network Forensics: Evidence Recovery

Sometimes, we can recover deleted log files, or at least portions of them.

Challenges of Network Forensics: Reconstruction of the Event

Investigative Reconstruction: systematic process of piecing together evidence and information gathered during an investigation to gain a better understanding of what transpired.
Use physical imprints to infer offense-related behavior.

Challenges of Network Forensics: Reconstruction of the Event

Some intruders use toolkits, which are left behind after an intrusion. Individualization of the toolkit allows conclusions about the intruder.
Absence of a toolkit might indicate: successful removal of the toolkit; an intruder skilful enough not to need a toolkit; perhaps the intruder had legitimate access; …

Challenges of Network Forensics: Reconstruction of the Event

Investigative reconstruction:
Develops leads.
Locates additional evidence.
Develops an understanding of case facts and their relations.
Locates concealed evidence.
Develops suspects with motive, means, opportunity.
Establishes evidence for insider knowledge.
Prioritizes investigations.
Anticipates intruder actions.
Links related crimes with the same behavioral imprint.
Gives insight into offender fantasy, motives, intents, state of mind.
Guides suspect interviews.
Presents the case in court.

Challenges of Network Forensics: Reconstruction of the Event

Evidence used to reconstruct a crime is Relational.
Example: Intruder obtained unauthorized access to a computer behind a firewall and then broke into the accounting system. The intruder needed to know a password. That fact can be used to locate potential sources of evidence: router error logs, intrusion detection logs, …
Example: Cyberstalking. How did the offender obtain information about the victim?

Challenges of Network Forensics: Reconstruction of the Event

Evidence used to reconstruct a crime is Functional.
What conditions were necessary for certain aspects of the incident to be possible?
E.g.: The defense attorney questions how you know that the suspect could create his floppy with his computer.

Evidence used to reconstruct a crime is Temporal: it creates a chronological list of events, a timeline.
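The "capture all, then filter" advice from the Filtering slides and the timeline from this slide, as an added example that is not from the lecture: log lines from two sources with different timestamp conventions are normalized to UTC, merged into one timeline, and only then filtered by IP address or time window. The router and IDS lines are constructed, the router is assumed to log local time at UTC-8 with no year in the timestamp, and the year 2004 is an assumed value the collector would have recorded.

```python
"""Added example: merge router and IDS log lines into one UTC timeline, then filter.
Sample lines are constructed for illustration, not taken from any real capture."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data. The router logs local time (assumed UTC-8, no year);
# the IDS logs UTC. Normalizing both before filtering is what prevents the
# 3:13 pm vs 3:13 am kind of error from the Identification slides.
ROUTER_TZ = timezone(timedelta(hours=-8))
YEAR = 2004  # router lines carry no year; the collector must record it
ROUTER_LOG = """\
Mar 14 03:13:02: list 101 denied tcp 198.51.100.7(4455) -> 10.0.0.5(22), 1 packet
Mar 14 15:13:02: list 101 permitted tcp 203.0.113.9(5120) -> 10.0.0.5(80), 3 packets
"""
IDS_LOG = """\
2004-03-14T11:13:40Z alert ssh-brute src=198.51.100.7 dst=10.0.0.5
2004-03-14T23:14:01Z alert webshell src=203.0.113.9 dst=10.0.0.5
"""
ROUTER_RE = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d): (.*?) ([\d.]+)\(\d+\) -> ([\d.]+)\(\d+\)")
IDS_RE = re.compile(r"^(\S+) (.*?) src=(\S+) dst=(\S+)")

def parse_router(line):
    """Router line -> event dict with the timestamp converted from local time to UTC."""
    m = ROUTER_RE.match(line)
    local = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=ROUTER_TZ)
    return {"ts": local.astimezone(timezone.utc), "src": m.group(3), "dst": m.group(4),
            "source": "router", "msg": m.group(2)}

def parse_ids(line):
    """IDS line -> event dict; the timestamp is already UTC."""
    m = IDS_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m.group(3), "dst": m.group(4), "source": "ids", "msg": m.group(2)}

def build_timeline(router_log=ROUTER_LOG, ids_log=IDS_LOG):
    """Everything is kept; the merged list is ordered by normalized UTC time."""
    events = [parse_router(l) for l in router_log.splitlines() if l.strip()]
    events += [parse_ids(l) for l in ids_log.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])

def filter_events(events, ip=None, start=None, end=None):
    """Filter the collected timeline by address and/or half-open UTC window [start, end)."""
    out = []
    for e in events:
        if ip and ip not in (e["src"], e["dst"]):
            continue
        if (start and e["ts"] < start) or (end and e["ts"] >= end):
            continue
        out.append(e)
    return out
```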

Challenges of Network Forensics: Reconstruction of the Event

Examples of relational evidence:
Which computer generates most of the network traffic during an incident?
Intruders might communicate in real time via IRC while breaking into computers around the world.