Guide to Computer Forensics and Investigations, Second Edition

Chapter 12: Network Forensics

Guide to Computer Forensics and Investigations, 2e 2

Objectives

• Understand Internet fundamentals

• Understand network basics

• Acquire data on a Linux computer

Objectives (continued)

• Understand network forensics

• Understand the use of network tools

• Understand the goals of the Honeynet Project

Understanding Internet Fundamentals

• Internet = Collection of networks

• Internet protocols for message exchange
  – E-mail

• Internet Service Provider (ISP)
  – Internet entry point
  – Username and password

• Common software
  – Web browsers and e-mail clients

Internet Protocols

• Standards and rules for how hosts exchange data

• Every host on the Internet must follow the same protocols

• TCP/IP is the default Internet protocol suite
  – TCP: connection-oriented
  – UDP: connectionless

• Addressing (IPv4)
  – 32 bits long, divided into four groups of 8 bits (octets)
  – Binary representation

Internet Protocols (continued)

• Addressing (continued)
  – Dotted quad notation (205.55.29.170)
  – Several classes (A, B, C, D, and E), determined by the leading bits of the first octet

• Domain Name System (DNS)
  – Translates host names to IP addresses and vice versa
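As an added example (not part of the textbook slides), the shell function below breaks a dotted quad into its four 8-bit groups, prints the binary form and the 32-bit value the address encodes, and derives the classful range from the first octet. The function names and the "invalid" marker are this example's own choices, and malformed input (non-digits, empty groups, wrong group count, an octet above 255) is rejected rather than silently mis-parsed.

```sh
#!/bin/sh
# Added example, not from the textbook: decompose an IPv4 dotted quad into
# its four octets, the binary form, the 32-bit integer it encodes, and the
# classful range (A-E) taken from the first octet. Names are illustrative.

octet_to_bin() {
  # Print the 8-bit binary string for an integer 0-255
  n=$1; bits=""
  for b in 128 64 32 16 8 4 2 1; do
    bits="${bits}$(( (n / b) % 2 ))"
  done
  printf '%s\n' "$bits"
}

ip_info() {
  # Usage: ip_info 205.55.29.170
  # Prints "<binary> <uint32> class <A-E>", or "invalid" for malformed input
  ip=$1
  case "$ip" in
    ''|*[!0-9.]*|*..*|.*|*.) printf 'invalid\n'; return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || { printf 'invalid\n'; return 1; }
  value=0; bin=""
  for o in "$@"; do
    [ "$o" -le 255 ] || { printf 'invalid\n'; return 1; }
    value=$(( value * 256 + o ))            # shift left 8 bits, add the octet
    bin="${bin}${bin:+.}$(octet_to_bin "$o")"
  done
  # Classful ranges follow the leading bits of the first octet:
  # 0xxx = A, 10xx = B, 110x = C, 1110 = D (multicast), 1111 = E (reserved)
  if   [ "$1" -lt 128 ]; then class=A
  elif [ "$1" -lt 192 ]; then class=B
  elif [ "$1" -lt 224 ]; then class=C
  elif [ "$1" -lt 240 ]; then class=D
  else                        class=E
  fi
  printf '%s %s class %s\n' "$bin" "$value" "$class"
}

ip_info 205.55.29.170   # the slide's example address: class C
```

The 32-bit value is what a packet actually carries; the dotted quad is only a human-readable rendering of the same four octets, which is why a log that shows the decimal form (3442941354) and one that shows 205.55.29.170 refer to the same host.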

Understanding Network Basics

• Hardening networks
  – Applying the latest patches
  – Layered network defense strategies (defense in depth)

• Protocols
  – TCP/IP
  – IPX/SPX (legacy Novell NetWare)

• Network Address Translation (NAT)
  – Rewrites private internal IP addresses to a public address, so one external address can hide many internal hosts
  – For forensics, the NAT device's logs are needed to map an external address and port back to the internal host

Understanding Network Basics (continued)

• DHCP
  – Dynamically assigns IP addresses to hosts
  – Lease logs are what tie an address to a particular host at a particular time

• Attacks
  – Internal
  – External
  – In the early and mid-1990s, roughly 70% internal and 30% external

Acquiring Data on Linux Computers

• dd command
  – Disk-to-disk copy
  – Disk-to-image file
  – Block-to-block copy
  – Block-to-file copy
  – Works below the file system, so it images Ext2fs, Ext3fs, NTFS, FAT, HFS, and HPFS volumes alike

• gzip command to compress image files

Acquiring Data on Linux Computers (continued)

• Linux boot disks
  – Knoppix
  – MandrakeMove
  – Fedora Rescue
  – Gentoo Live
  – F.I.R.E.
  – Penguin Sleuth Kit
  – Tom's Root Boot Kit

Acquiring Data on Linux Computers (continued)

• Steps for using dd
  – Boot the PC into Linux from a forensic boot disk, so the suspect drive is not mounted or written to
  – Create disk mounting points
  – Mount all disks needed (the evidence drive read-only, if it is mounted at all)
  – Create the copies

• For multiple volumes (segmented images)
  – Determine the number of bytes per volume
  – Calculate the number of segments you need to create (total bytes divided by bytes per volume, rounded up)

Acquiring Data on Linux Computers (continued)

• Linux dd script file parameters
  – Input source (if=)
  – Output destination (of=)
  – Block size (bs=)
  – Number of blocks to save (count=)

• Hash check the original media before and after imaging
  – Linux md5sum command
  – Linux sha1sum command

Acquiring Data on Linux Computers (continued)

• Image creation script example:

• Image restore script example:
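The textbook's creation and restore scripts survive only as slide images, so here is an added shell example (not the textbook's script) that walks the procedure from the preceding slides end to end: hash the source, image it with dd into fixed-size segments, restore from the segments, and hash again. A constructed 100 KiB random file stands in for the evidence device; the scratch directory and the 32 KiB segment size are this example's own choices.

```sh
#!/bin/sh
# Added example, not the textbook's script: dd acquisition of a constructed
# sample "device", split into fixed-size segments for multi-volume storage,
# hashed with md5sum and sha1sum before and after, then restored and checked.
# WORK (scratch directory) and SEG_BYTES are this example's own choices.

WORK="${TMPDIR:-/tmp}/dd_demo.$$"
SEG_BYTES=32768   # assumed bytes per volume (32 KiB) for the demo

make_sample_source() {
  # Constructed evidence: 100 KiB of random bytes stands in for /dev/sdX
  mkdir -p "$WORK"
  dd if=/dev/urandom of="$WORK/source.bin" bs=1024 count=100 2>/dev/null
  printf '%s\n' "$WORK/source.bin"
}

hash_media() {
  # Print "md5 sha1" of $1; run it on the original before and after imaging
  printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha1sum "$1" | cut -d' ' -f1)"
}

acquire_image() {
  # $1 = input source (if=), $2 = output prefix (of=), $3 = bytes per volume
  # Segments needed = ceiling(total bytes / bytes per volume)
  src=$1; out=$2; seg=$3
  size=$(wc -c < "$src")
  nseg=$(( (size + seg - 1) / seg ))
  i=0
  while [ "$i" -lt "$nseg" ]; do
    # bs=seg skip=i count=1 copies exactly the i-th segment of seg bytes.
    # On a real disk add conv=noerror,sync so a bad sector does not abort.
    dd if="$src" of="$out.$(printf '%03d' "$i")" bs="$seg" skip="$i" count=1 2>/dev/null
    i=$((i + 1))
  done
  printf '%s\n' "$nseg"
}

restore_image() {
  # $1 = image prefix, $2 = restore target; segments are concatenated in order
  cat "$1".??? > "$2"
}

run_acquisition_demo() {
  # Prints "OK <segments>" when source, image, and restore all hash alike
  src=$(make_sample_source)
  before=$(hash_media "$src")
  nseg=$(acquire_image "$src" "$WORK/image.dd" "$SEG_BYTES")
  restore_image "$WORK/image.dd" "$WORK/restored.bin"
  after=$(hash_media "$WORK/restored.bin")
  again=$(hash_media "$src")      # the original must be unchanged by imaging
  rm -rf "$WORK"
  if [ "$before" = "$after" ] && [ "$before" = "$again" ]; then
    printf 'OK %s\n' "$nseg"
  else
    printf 'MISMATCH\n'
  fi
}

run_acquisition_demo   # prints "OK 4" for the 100 KiB sample
```

For the 100 KiB sample, 102400 divided by 32768 rounds up to 4 segments, the last of which holds only the 4096 remaining bytes. To compress a finished segment as the slide suggests, run gzip on it (for example gzip -c image.dd.000 > image.dd.000.gz) and record the hashes of the uncompressed segments, since those are what you compare against the original media.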

Understanding Network Forensics

• Systematic tracking of incoming and outgoing traffic
  – You need to know what normal traffic looks like before you can recognize abnormal traffic

• Intruders leave traces behind
  – Experienced intruders are harder to trace

• Determine the cause of the abnormal traffic
  – Internal bug
  – Attackers

Approach to Network Forensics

• Long, tedious process

• Standard procedure
  – Use a standard installation image for machines on the network
  – After an attack, close the way in that the attacker used
  – Acquire all compromised drives
  – Make a bit-stream image of the drives
  – Compare the images against the original standard images
  – Optionally, store the images on a server

Approach to Network Forensics (continued)

• Computer forensics
  – Work from the image to find what has changed

• Network forensics
  – Restore the drives to understand how the attack unfolded

• Work on an isolated system
  – Prevents malware from affecting other systems

Network Logs

• Record incoming and outgoing traffic
  – Network servers
  – Routers
  – Firewalls

• tcpdump tool for examining network traffic
  – Top-10 lists (busiest hosts, most-used ports)
  – Look for patterns in the traffic

• Attacks might involve other companies' systems
  – Distributed Denial of Service (DDoS)
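An added example (not from the textbook) of the tcpdump-based analysis the slide describes: a top-10 list of source hosts and a "one host probing many destination ports" pattern check, both computed over tcpdump's plain text output with awk. The capture lines are constructed for this example, and the five-port threshold is an assumed value, not a textbook figure.

```sh
#!/bin/sh
# Added example, not from the textbook: summarize tcpdump text output into a
# top-10 list of source hosts and flag the "many distinct ports from one
# host" pattern. The capture lines are constructed; SCAN_PORTS is assumed.

SCAN_PORTS=5   # assumed: one host probing >= 5 distinct ports is suspicious

# Constructed sample in tcpdump's default "-n" text format (not real traffic)
SAMPLE_CAPTURE='12:00:01.000001 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.0.5.51235 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP 10.0.0.5.51236 > 192.168.1.10.23: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 10.0.0.5.51237 > 192.168.1.10.25: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 10.0.0.5.51238 > 192.168.1.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 10.0.0.7.40000 > 192.168.1.10.80: Flags [P.], seq 1:100, ack 1, win 502, length 99
12:00:02.000002 IP 192.168.1.10.80 > 10.0.0.7.40000: Flags [.], ack 100, win 502, length 0
12:00:03.000001 IP 10.0.0.9.40001 > 192.168.1.10.80: Flags [P.], seq 1:50, ack 1, win 502, length 49
12:00:03.000002 IP 192.168.1.10.80 > 10.0.0.9.40001: Flags [.], ack 50, win 502, length 0'

top_sources() {
  # stdin: tcpdump lines; stdout: "count host", busiest first, at most 10.
  # Field 3 is "host.port"; the trailing ".port" is stripped to get the host.
  awk '$2 == "IP" { s = $3; sub(/\.[0-9]+$/, "", s); n[s]++ }
       END { for (h in n) print n[h], h }' |
    sort -k1,1nr -k2,2 | head -n 10
}

scan_suspects() {
  # stdin: tcpdump lines; stdout: "host distinct_ports" for every source host
  # that touched at least $1 distinct destination ports (a scan-like pattern)
  awk -v limit="$1" '
    $2 == "IP" {
      s = $3; sub(/\.[0-9]+$/, "", s)                 # source host
      p = $5; sub(/:$/, "", p); sub(/.*\./, "", p)    # destination port
      if (!((s, p) in seen)) { seen[s, p] = 1; ports[s]++ }
    }
    END { for (h in ports) if (ports[h] >= limit) print h, ports[h] }' |
    sort
}

busiest_source() {
  printf '%s\n' "$SAMPLE_CAPTURE" | top_sources | head -n 1
}

sample_scan_suspects() {
  printf '%s\n' "$SAMPLE_CAPTURE" | scan_suspects "$SCAN_PORTS"
}

busiest_source          # 5 10.0.0.5
sample_scan_suspects    # 10.0.0.5 5
```

Against a real capture, replace the sample with tcpdump -n -r capture.pcap (or a saved text log) piped into the two functions. The top-10 list shows what is normal for the segment; the port-count pattern is one of the abnormal shapes the slide refers to, and the threshold should be tuned to the baseline you observed first.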

Using Network Tools

• PsTools suite and related Sysinternals utilities
  – RegMon shows Registry activity in real time
  – Process Explorer shows what is loaded
  – Handle shows open files and the processes using them
  – PsExec runs processes remotely
  – PsGetSid displays the SID of a computer or user
  – PsKill kills a process by name or ID

Using Network Tools (continued)

• PsTools suite (continued)
  – PsList lists details about a process
  – PsLoggedOn shows who's logged on locally and via resource sharing
  – PsPasswd changes account passwords
  – PsService controls and views services
  – PsShutdown shuts down and restarts PCs
  – PsSuspend suspends processes

UNIX/Linux Tools

• Knoppix-STD tools
  – dcfldd, an enhanced dd from the U.S. DoD Computer Forensics Lab that hashes as it copies
  – memfetch forces a memory dump of a running process
  – PhotoRec recovers files from digital camera media and other storage
  – Snort intrusion detection system
  – Oinkmaster helps manage your Snort rules
  – John the Ripper password cracker
  – chntpw resets passwords on a Windows PC

UNIX/Linux Tools (continued)

• Knoppix-STD tools (continued)
  – tcpdump is a packet sniffer
  – Ethereal (since renamed Wireshark) is another packet sniffer

• Packet sniffer
  – Device or software that monitors network traffic
  – Most work at layer 2 or 3 of the OSI model

UNIX/Linux Tools (continued)

• The Auditor
  – Based on Knoppix
  – Contains more than 300 tools
    • 20 for scanning
    • 10 for network scanning
    • Brute-force attack
    • Bluetooth and wireless
    • Autopsy and Sleuth Kit
    • Word lists with more than 64 million entries

Network Sniffers

• Operate at layer 2 or 3 of the OSI model

• Most tools read and write the PCAP (libpcap) capture format, so a capture from one can be analyzed with another

• Tools:
  – tcpdump
  – Tethereal
  – Snort
  – Tcpslice
  – Tcpreplay

Network Sniffers (continued)

• Tools (continued):
  – Tcpdstat
  – Ngrep
  – Etherape
  – Netdude
  – Argus
  – Ethereal
  – The Auditor

The Honeynet Project

• Attempt to thwart Internet and network attackers by studying their tools, tactics, and motives
  – Provides information about attack methods

• Honeypots
  – Normal-looking computer that lures attackers to it

• Honeywalls
  – Gateway that monitors and limits outbound connections from the honeypot, so a compromised honeypot cannot be used to attack others
  – Uses snort_inline, an inline intrusion prevention system

The Honeynet Project (continued)

• The legality of honeypots has been questioned
  – Data gathered from them is generally not used as evidence in court
  – It can be used to learn about attacks

• Scan of the Month
  – Monthly challenge contest
  – Good as a learning experience

Summary

• Network forensics tracks down internal and external network intrusions

• Most networks today use TCP/IP

• Networks must be hardened by using good architecture

• Each NOS has its own way of handling security, and you must become familiar with how yours operates

Summary (continued)

• Tools such as PsTools, Knoppix-STD, and others can be used to monitor what’s happening on your network

• The Honeynet Project is designed to help people learn the latest intrusion techniques that hackers are using