  1. Network Forensics Primer
     Richard Bejtlich, [email_address]
     Look sharp, troops. It's time to learn network forensics.
  2. Overview
     - Introduction
     - What is Network Forensics?
     - Collecting Network Traffic as Evidence
     - Protecting and Preserving Network-Based Evidence
     - Analyzing Network-Based Evidence
     - Presenting and Defending Conclusions
     - Conclusion
  3. Overview
     - Introduction
       - Speaker biography
       - Purpose of course
       - Why network forensics
       - Course outline
     What better way to relate to a law enforcement audience than to turn to the finest crime fighter of the 80s -- TJ Hooker?
  4. Introduction
     - Bejtlich ("bate-lik") biography
       - TaoSecurity LLC (05-present)
         - ManTech (04-05)
         - Foundstone (02-04)
         - Ball Aerospace (01-02)
         - Captain at US Air Force CERT (98-01)
         - Lt at Air Intelligence Agency (96-98)
       - Author
         - Tao of Network Security Monitoring: Beyond Intrusion Detection (solo, Addison-Wesley, Jul 04)
         - Extrusion Detection: Security Monitoring for Internal Intrusions (solo, Addison-Wesley, Dec 05 - Jan 06)
         - Real Digital Forensics (co-author, Addison-Wesley, Sep 05)
         - Contributed to Incident Response, 2nd Ed and Hacking Exposed, 4th Ed
  5. Introduction
     - Purpose of course
       - Introduce ways to collect, protect, analyze, and present network-based evidence
       - Host-based forensics is not addressed
         - For more coverage of host-based forensics, I recommend Incident Response, 2nd Ed by Mandia, Prosise, and Pepe
       - Share experiences conducting real network forensics
       - Encourage attendees to plan to perform network forensics prior to an incident, not during an incident
       - This course is an introduction to material I present for an entire day elsewhere
         - Network Security Operations (
         - Network Forensics at USENIX LISA (
         - Items in blue are not expanded upon in this hour-long talk
  6. Introduction
     - Why network-based evidence?
       - Host-centric forensics is an established discipline, but many investigators ignore or do not understand network traffic
       - Network-based evidence can be found everywhere
       - Network-based evidence can be easy to collect -- without anyone's notice
     - Network forensics should always be performed!
     I'm sold. Let's talk network forensics! Rookies...
  7. Introduction
     [Diagram: The Security Process -- Plan, Protect, Detect, Respond -- with the labels Defensible Network Architecture, Network Security Monitoring, Pervasive Network Awareness, Network Incident Response, Network Forensics, Traffic Threat Assessment, and Preparation for Incident Response]
  8. Overview
     - What is Network Forensics?
       - Definitions
       - Evidence guidelines
       - Daubert
       - Kumho
     To Serve and to Protect Packets. You can't carry enough weaponry when performing network forensics. Phasers on stun.
  9. What is Network Forensics?
     - The "network" in "network forensics" != "computer"
       - Network here means "relating to packets" or "network traffic"
     - Definition of forensics (
       - Relating to, used in, or appropriate for courts of law or for public discussion or argumentation.
       - Of, relating to, or used in debate or argument; rhetorical.
       - Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law: a forensic laboratory.
     - Many claim to perform network forensics, but most of these practitioners are probably just capturing packets
       - These guidelines will elevate your game to forensic levels
     - Forensics helps with "patch and proceed" or "pursue and prosecute"
  10. What is Network Forensics?
     - Evidence guidelines: three broad sources
       - Federal Rules of Evidence
       - Daubert v. Merrell Dow Pharmaceuticals, Inc., 113 S. Ct. 2786 (1993)
       - Kumho Tire Company, Ltd v. Patrick Carmichael, 119 S. Ct. 1167 (March 23, 1999)
     Good grief Spock, what happened to your ears? Let it go, Bill.
  11. What is Network Forensics?
     - Daubert criteria
       - "[W]hether it [a scientific theory or technique] can be (and has been) tested"
       - "[W]hether the theory or technique has been subjected to peer review and publication"
       - "[C]onsider the known or potential rate of error... and the existence and maintenance of standards controlling the technique's operation"
       - "The technique is 'generally accepted' as reliable in the relevant scientific community"
     - The better your network forensic methodology meets these criteria, the more success you will have in the board room or court room
  12. What is Network Forensics?
     - Kumho findings
       - Required the Court "to decide how Daubert applies to the testimony of engineers and other experts who are not scientists."
       - "Daubert's general holding -- setting forth the trial judge's general 'gatekeeping' obligation -- applies not only to testimony based on 'scientific' knowledge, but also to testimony based on 'technical' and 'other specialized' knowledge."
       - "[A] trial court may consider one or more of the more specific factors that Daubert mentioned when doing so will help determine that testimony's reliability."
       - Introduced a level of "flexibility" and discretion into the process of accepting expert witness testimony.
       - "Daubert's list of specific factors neither necessarily nor exclusively applies to all experts or in every case. Rather, the law grants a district court the same broad latitude when it decides how to determine reliability as it enjoys in respect to its ultimate reliability determination."
  13. Collecting Network Traffic as Evidence
     - Secure the sensor
     - Limit access to the sensor
     - Position the sensor properly
     - Verify the sensor collects traffic as expected
     - Determine sensor failure modes
     - Recognize and compensate for collection weaknesses
     - Use trusted tools and techniques
     - Document and automate the collection process
     Nice bandana and "workout gloves", Adrian.
  14. Collecting Network Traffic as Evidence
     - Position the sensor properly
     - Consider the perimeter monitoring scenario at right
       - The perimeter is the easiest place to monitor
       - However, the sensor as shown may not be able to see all the traffic an analyst needs to understand the scope of an intrusion
     - Alternative deployments are shown on the following slides
  15. Collecting Network Traffic as Evidence
     - At left we monitor the perimeter (via tap) and the DMZ (via switch SPAN)
     - At right we add a filtering bridge/sensor to watch and/or control a high-value target
  16. Collecting Network Traffic as Evidence
     - Don't forget to accommodate address translation issues
     - Here we add a second interface behind the gateway
  17. Collecting Network Traffic as Evidence
     - This network shows a variety of instrumentation options
  18. Collecting Network Traffic as Evidence
     - My preferred platform for serious monitoring at a reasonable cost is configured as follows
       - Appliance: Dell PowerEdge 750 1U rackmount server
       - 512 MB RAM
       - Intel PIV 2.8 GHz CPU
       - 2 x 250 GB SATA drives in RAID 0 configuration
       - Dual onboard NICs plus extra dual NICs
       - Approximately $2,000 without discounts
       - OS: FreeBSD 5.4 RELEASE (sample dmesg output at
       - Network access: Net Optics tap (
  19. Collecting Network Traffic as Evidence
     - Consider using Network Security Monitoring principles to guide your data collection strategies
       - Alert data (Snort, other IDSs)
         - Traditional IDS alerts or judgments ("RPC call!")
         - Context-sensitive, either by signature or anomaly
       - Full content data (Tcpdump)
         - All packet details, including application layer
         - Expensive to save, but always the most granular analysis
       - Session data (Argus, SANCP, NetFlow)
         - Summaries of conversations between systems
         - Content-neutral, compact; encryption is no problem
       - Statistical data (Capinfos, Tcpdstat)
         - Descriptive, high-level view of aggregated events
     - Sguil ( is an interface to much of this in a single open source suite
  20. Collecting Network Traffic as Evidence
     - Collect network traffic using NSM principles
  21. Collecting Network Traffic as Evidence
     - Verify the sensor collects traffic as expected
  22. Protecting and Preserving Network-Based Evidence
     - Hash traces after collection and store hashes elsewhere
     - Understand forms of evidence
     - Copy evidence to read-only media when possible
     - Create derivative evidence
     - Follow chains of evidence
     Beam me up, Scotty. Bill's lost it.
  23. Protecting and Preserving Network-Based Evidence
     - Understand forms of evidence
     - Best evidence: the original form of network-based evidence available to the investigator
       - If the NBE is given to the investigator as an attachment in an email, that email and its attachment are the investigator's best evidence.
       - It is much preferred from a forensic standpoint to obtain the original file containing traffic as it was written to a hard drive.
     - Best evidence should, to the extent practically possible, never be analyzed directly.
       - Rather, investigators should make working copies of the best evidence, and analyze those duplicates.
       - Network traffic saved on a sensor is the best evidence available.
       - Copies of that traffic transferred to a central location become working copies.
  24. Protecting and Preserving Network-Based Evidence
     - Create derivative evidence
       - Ensure you have a SHA256 hash of the original file stored in a safe location.
       - After verifying the hashes match, use the desired Tcpdump filter to extract packets of interest to a new file and directory.
         elise@bourque$ tcpdump -n -r  -w /home/analyst/  port 80
         reading from file , link-type EN10MB (Ethernet)
       - Hash the resulting file locally and remotely.
       - Copy the remote file to the local workstation.
       - Make multiple copies of the new local evidence file, and analyze them at will.
       - Document these steps on both platforms.
  25. Analyzing Network-Based Evidence
     - Validate results with more than one system
     - Beware of malicious traffic
     - Document not just what you find, but how you found it
     - Follow a methodology
     You know the ladies used to call me "Jim Kirk." You wouldn't happen to be a green alien...?
  26. Analyzing Network-Based Evidence
     - Validate results with more than one system
       - Use different tools. Example: Tcpdump, Snort, Ethereal
       - Use different operating systems. Example: Unix (BSD, Linux, Solaris), Windows
       - Use different architectures. Example: x86, SPARC
       - Use different libraries. Example: Libpcap, Data Link Provider Interface (DLPI on Solaris,
     I'm quite an expert with the police baton, aka the "tonfa" to you martial arts types.
  27. Analyzing Network-Based Evidence
     - Follow a methodology
       - Make a new directory on the analysis platform to contain data provided by the client or collected by yourself.
       - Copy the evidence provided by the client into the analysis directory.
       - Change the permissions of the copy to ensure the analyst user cannot accidentally modify the file.
       - Hash the file and copy the hash elsewhere.
       - Use the Capinfos program packaged with Ethereal to gain initial statistics on the capture file.
       - Run Dave Dittrich's Tcpdstat to obtain basic statistics on the trace.
       - Extract sessions from the trace using Argus.
       - Gain some high-level idea of the contents of the Argus file with Racount.
  28. Analyzing Network-Based Evidence
     - Follow a methodology (continued)
       - Use the Rahosts program to create an ordered list of all of the IP addresses seen in the Argus data.
       - (optional) Confirm the number of Argus records.
       - (optional) Enumerate source IP, destination IP, destination port combinations.
       - Perform traffic threat assessment.
       - (optional) Process the trace with Snort to find obviously malicious events, or build custom signatures.
     When hitting suspects, it's important to keep your eyes closed! Tonfa-chop!
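     As an added example (not from the slides, and not the author's or any listed tool's code), the derivative-evidence steps of slide 24 and the hash-and-extract part of the slide 27-28 methodology in Python: refuse to work from an original whose stored SHA-256 does not match, write the "port 80" subset to a new file, hash the result and append a custody log line recording filter, inputs, outputs and hashes. The pcap reader, the three sample frames, the addresses and the file paths are constructed for the example; tcpdump's -w output is the same pcap format, so the verification and logging apply unchanged to real traces.

```python
import hashlib, os, struct, tempfile
from datetime import datetime, timezone
def sha256_file(path):
    """SHA-256 of a file, read in chunks; this digest is what gets stored off the sensor."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()
def ipv4_frame(src, dst, proto, sport, dport):
    """Constructed sample frame: Ethernet + 20-byte IPv4 + L4 ports only, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\0" * 4
def write_pcap(path, frames):  # little-endian pcap: magic a1b2c3d4, Ethernet link type 1
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", 1_000_000 + i, 0, len(fr), len(fr)) + fr)
def records(path):
    """Yield (raw pcap record, sport, dport) per packet; ports are None unless IPv4 TCP/UDP."""
    with open(path, "rb") as f:
        magic, *_, link = struct.unpack("<IHHiIII", f.read(24))
        if magic != 0xA1B2C3D4 or link != 1:
            raise ValueError("expected little-endian Ethernet pcap")
        while len(hdr := f.read(16)) == 16:
            data = f.read(struct.unpack("<IIII", hdr)[2])
            sport = dport = None
            if len(data) >= 34 and data[12:14] == b"\x08\x00" and data[23] in (6, 17):
                off = 14 + (data[14] & 0x0F) * 4  # skip Ethernet + IPv4 header (IHL)
                if len(data) >= off + 4:
                    sport, dport = struct.unpack("!HH", data[off:off + 4])
            yield hdr + data, sport, dport

def derive(original, expected_sha256, out_path, port, log_path):
    """Refuse an unverified original; extract packets matching 'port N'; log both hashes."""
    actual = sha256_file(original)
    if actual != expected_sha256:
        raise RuntimeError(f"hash mismatch for {original}: got {actual}")
    with open(original, "rb") as src, open(out_path, "wb") as out:
        out.write(src.read(24))  # derivative keeps the original's global header
        kept = [rec for rec, s, d in records(original) if port in (s, d)]
        out.writelines(kept)
    out_sha = sha256_file(out_path)
    with open(log_path, "a") as log:  # custody record: when, which filter, input/output hashes
        log.write(f"{datetime.now(timezone.utc).isoformat()} filter='port {port}' in={original} "
                  f"sha256={actual} out={out_path} sha256={out_sha} packets={len(kept)}\n")
    return len(kept), out_sha
def sample_run():  # constructed three-packet trace (two HTTP, one DNS) pushed through the workflow
    orig = os.path.join(tempfile.mkdtemp(), "capture.pcap")
    write_pcap(orig, [ipv4_frame("10.0.0.5", "192.0.2.10", 6, 40001, 80),   # HTTP request
                      ipv4_frame("192.0.2.10", "10.0.0.5", 6, 80, 40001),   # HTTP reply
                      ipv4_frame("10.0.0.5", "192.0.2.53", 17, 40002, 53)])  # DNS, not port 80
    kept, out_sha = derive(orig, sha256_file(orig), orig + ".port80", 80, orig + ".log")
    out_ports = [(s, d) for _, s, d in records(orig + ".port80")]
    return {"orig": orig, "kept": kept, "out_sha256": out_sha, "out_ports": out_ports}
```

The log line is the "document these steps" item of slide 24 in machine-checkable form; keep it, and the hashes it records, somewhere the analyst workstation cannot silently alter.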
  29. Presenting and Defending Conclusions
     - Forget the OSI model
     - Obtain relevant certifications
     - Consider how you would attack the evidence
     Up front, Officer Locklear. We'll take cover behind that mane of yours.
  30. Presenting and Defending Conclusions
     - Forget the OSI model
  31. Presenting and Defending Conclusions
     - Forget the OSI model
       - TCP/IP is like the postal service. It gets messages across the globe or country.
       - TCP packets are like messages sent via certified mail.
       - UDP packets are like normal, best-effort mail delivery. Nothing is guaranteed, but drops are not that common.
       - An IP address is like the street address on an envelope.
       - A hostname is like a well-known name for a specific location. If an IP address is like 1600 Pennsylvania Avenue, Washington DC, a hostname is like "The White House."
       - A TCP or UDP port is like the name of a person. Multiple people can reside at any address. Names help sort out the recipient of the letter.
  32. Presenting and Defending Conclusions
     - Obtain relevant certifications
       - Certified Information Systems Security Professional: CISSP is the must-have certification for security professionals; while its technical merits are lacking, I find its Code of Ethics valuable.
       - Certified Information Forensics Investigator: CIFI is a vendor-neutral forensics certification sponsored by the International Information Systems Forensics Association; it will help demonstrate your knowledge of core forensic investigation principles.
       - Cisco Certified Network Associate: CCNA is Cisco's entry-level networking certification; it shows a basic level of comprehension of networking and device configuration.
  33. Conclusion
     - This presentation introduced key points on network forensics
     - For more information, attend my next day-long class and/or read my books
     - Contact me at
     Never shoot from the gut when doing network forensics. Warp speed, Mr. Sulu!
  34. References
     - Tools
       - Snort:
       - Tcpdump:
       - Ethereal, Tethereal, Capinfos:
       - Argus:
       - SANCP:
       - Tcpdstat:
       - NetFlow format:
     - Certifications
       - CISSP:
       - CISSP code of ethics:
       - CIFI:
       - CCNA: