Network Forensics

Published in: Education
  1. Network Forensics
  2. Cyber Threat Evolution (timeline figure, 1977 to 2009-10; the labels shown are: virus, malicious code (Melissa), worm / trojan (I LOVE YOU), breaking web sites, DoS / DDoS, identity theft (phishing), data theft, botnet, organised crime, targeted attacks, advanced data theft)
  3. Global Attack Trend (figure; source: Websense)
  4. Network Forensics?
     • What we have seen so far is "dead" analysis.
     • Network evidence is highly volatile.
     • It needs real-time analysis of network traffic.
  5. Network Forensics
     • Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
     • The ultimate goal is to provide sufficient evidence to allow the criminal to be successfully prosecuted.
     • Network forensics can reveal evidence that is crucial to building a case.
     • Forensics for computer networks is extremely difficult and depends completely on the quality of the information you maintain.
  6. Why network-based evidence?
     • Host-centric forensics is an established discipline, but many investigators ignore or do not understand network traffic.
     • Network-based evidence can be found everywhere.
     • Network-based evidence can be easy to collect, without anyone's notice.
  7. Vulnerability (figure: Applications, Operating System, Network)
  8. Vulnerability Exploitation Trends (figure; source: Symantec)
  9. Network Forensics Model (figure with three phases, Proactive Forensics, Detect and Reactive Forensics; the steps shown are Capture, Preserve, Data Aggregation, Data Validation, Extract, Data Analysis, Data Confirmation and Identify, Research, Solve)
  10. Network Elements (figure: MX, PC, proxy, laptop, relay, web server, mail server, DB server, firewall, IDS / IPS, switch, router, Wi-Fi router, access point)
  11. Network Forensics
     • Systematic capture and analysis of network events and traffic in order to trace and prove a network incident.
       – Online capture and analysis
       – Offline analysis
  12. Online Analysis of Network Traffic
     • Network-based evidence complements host-based evidence.
     • Network traffic can be used to show a timed sequence of a user's network activities.
     • Suspicious network activities can be monitored in real time.
  13. Online Analysis of Network Traffic
     • Network traffic also enables an investigator to extract information that is difficult to obtain from host-based evidence, such as IP addresses, other identity information a user presents, and passwords.
     • Specialized knowledge and tools are required to process network traffic as a source of evidence.
     • In general, there is only one chance to capture real-time network data from a network.
  14. Online Monitoring
     • If you need online analysis of a network, you need to capture packets.
     • Network traffic analysis requires online capturing and analysis of packets in real time.
     • Used in: stateful analysis, IPS, IDS, firewall.
  15. Capturing Network Traffic
     • Flow analysis
     • Capturing network traffic using: TAPs, inline devices, hubs, SPAN ports
  16. TAPs (Test Access Ports)
     • Devices specially built for accessing traffic between network devices.
     • Usually pre-installed at important traffic points.
     • Physical devices that are able to capture traffic at the physical layer.
  17. TAPs (figure)
  18. Inline device
     • Similar to a TAP, but implemented using a computer with at least two bridged NICs.
     • The two devices being monitored are connected to these two NICs.
     • Traffic through the bridged NICs is available to the computer, or to another device connected to an extra NIC.
     • Inline devices are also used to enforce access control.
  19. Hub
     • The simplest and cheapest way to gain access to network traffic.
     • A hub forwards frames to all ports.
     • A monitoring station connected to one of the ports sees all traffic passing through the hub.
  20. SPAN Port - Switched Port Analyzer (Port Mirroring)
     • Provided on good switches.
     • A switch can be configured to copy one or more switch ports to a dedicated port.
     • A capture device connected to the SPAN port sees traffic flowing through the specified switch ports.
     • A SPAN port only copies valid network packets; error packets may be ignored and not copied. It can also drop packets when the mirrored traffic exceeds the capacity of the SPAN port, so verify the capture against the expected volume.
  21. Collecting Network Traffic as Evidence
     • Position the sensor properly.
     • Consider the perimeter monitoring scenario (figure at right):
       – The perimeter is the easiest place to monitor.
       – However, the sensor as shown may not be able to see all the traffic an analyst needs to understand the scope of an intrusion.
     • Alternative deployments are shown on the following slides.
  22. Collecting Network Traffic as Evidence
     • At left we monitor the perimeter (via TAP) and the DMZ (via switch SPAN).
     • At right we add a filtering bridge/sensor to watch and/or control a high-value target.
  23. Collecting Network Traffic as Evidence
     • Don't forget to accommodate address translation issues.
     • Here we add a second interface behind the gateway.
  24. Collecting Network Traffic as Evidence
     • This network shows a variety of instrumentation options.
  25. Collecting Network Traffic as Evidence
     • Verify the sensor collects traffic as expected.
  26. Collecting Network Traffic as Evidence
     • Consider using Network Security Monitoring principles to guide your data collection strategies:
       – Alert data (Snort, other IDSs)
         • Traditional IDS alerts or judgments ("RPC call!")
         • Context-sensitive, either by signature or anomaly
       – Full content data (Tcpdump)
         • All packet details, including the application layer
         • Expensive to save, but always the most granular analysis
       – Session data (Argus, SANCP, NetFlow)
         • Summaries of conversations between systems
         • Content-neutral, compact; encryption is no problem
       – Statistical data (Capinfos, Tcpdstat)
         • Descriptive, high-level view of aggregated events
     • Sguil (www.sguil.net) is an interface to much of this in a single open source suite.
  27. Protecting and Preserving Network-Based Evidence
     • Hash traces after collection and store the hashes elsewhere
     • Understand the forms of evidence
     • Copy evidence to read-only media when possible
     • Create derivative evidence
     • Follow chains of evidence
  28. Protecting and Preserving Network-Based Evidence
     • Understand the forms of evidence
     • Best evidence should, to the extent practically possible, never be analyzed directly.
       – Rather, investigators should make working copies of the best evidence and analyze those duplicates.
       – Network traffic saved on a sensor is the best evidence available.
       – Copies of that traffic transferred to a central location become working copies.
  29. Protecting and Preserving Network-Based Evidence
     • Create derivative evidence:
       1. Ensure you have a hash of the original file stored in a safe location.
       2. After verifying that the hashes match, use the desired packet analysis tool to extract the packets of interest to a new file and directory.
       3. Hash the resulting file.
       4. Make multiple copies of the new local evidence file, and analyze them at will.
       5. Document these steps on both platforms.
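The five steps above carried out end to end, as an added example that is not part of the original deck: the stored hash of the original capture is checked before anything is touched, the packets of interest are written to a new pcap, the derivative is hashed, and a custody record of the whole operation is returned. Only the Python standard library is used (a minimal pcap reader/writer is included), the capture is constructed in memory, and the hosts, addresses and filter are made-up sample data.

```python
"""Derivative evidence from a packet capture, following the five steps above:
verify the stored hash of the original, extract the packets of interest into a
new pcap, hash the derivative, and record what was done. Standard library only.
The capture used here is constructed in memory; addresses are sample data."""
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic, microsecond timestamps
ETH_IPV4 = 0x0800         # EtherType for IPv4


def build_frame(src, dst, proto=1, payload=b"\x00" * 8):
    """Constructed sample: a minimal Ethernet/IPv4 frame (zero MACs, no checksum)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload


def write_pcap(records):
    """Serialise (timestamp, frame) pairs as a little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) for every record in a pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">"
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield sec + usec / 1_000_000, data[pos:pos + incl_len]
        pos += incl_len


def ipv4_addrs(frame):
    """(src, dst) of an Ethernet/IPv4 frame, or None if it is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    return (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])))


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def derive_evidence(original, stored_hash, host):
    """Steps 1-5: refuse to work on an original whose hash no longer matches the
    stored value, extract every packet to or from `host`, hash the result, and
    return (derivative_pcap, custody_record)."""
    actual = sha256(original)
    if actual != stored_hash:                                     # steps 1-2
        raise ValueError("original hash mismatch: %s != %s" % (actual, stored_hash))
    selected = []
    for ts, frame in read_pcap(original):                          # step 2
        addrs = ipv4_addrs(frame)
        if addrs and host in addrs:
            selected.append((ts, frame))
    derivative = write_pcap(selected)
    record = {                                                     # steps 3-5
        "original_sha256": actual,
        "filter": "host " + host,
        "packets_in": sum(1 for _ in read_pcap(original)),
        "packets_out": len(selected),
        "derivative_sha256": sha256(derivative),
    }
    return derivative, record


# Constructed sample capture: two hosts talking to 192.0.2.10.
SAMPLE_PCAP = write_pcap([
    (1.0, build_frame("10.0.0.5", "192.0.2.10")),
    (1.5, build_frame("10.0.0.7", "192.0.2.10")),
    (2.0, build_frame("192.0.2.10", "10.0.0.5")),
])
# In practice this value is computed at collection time and kept off the sensor.
SAMPLE_STORED_HASH = sha256(SAMPLE_PCAP)

if __name__ == "__main__":
    pcap, rec = derive_evidence(SAMPLE_PCAP, SAMPLE_STORED_HASH, "10.0.0.5")
    for key, value in rec.items():
        print("%-18s %s" % (key, value))
```

The hash check is deliberately the first thing the function does: if the original on disk no longer matches the hash stored elsewhere, no derivative is produced at all, because anything extracted from it would inherit the doubt.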
  30. Analyzing Network-Based Evidence
     • Validate results with more than one system.
     • Beware of malicious traffic.
     • Document not just what you find, but how you found it.
     • Follow a methodology.
  31. Trends
     • Significant increase in network-based DoS attacks over the last year
       – Attackers' growing accessibility to networks
       – Growing number of organizations connected to networks
     • Vulnerability
       – Most networks have not implemented spoof prevention filters
       – Very little protection currently implemented against attacks
  32. Goals of Attacks
     • Prevent another user from using a network connection
       – "Smurf" attacks, "pepsi" (UDP floods), ping floods
     • Disable a host or service
       – "Land", "Teardrop", "Bonk", "Boink", SYN flooding, "Ping of death"
     • Traffic monitoring
       – Sniffing
  33. "Smurfing"
     • Very dangerous attack
       – Network-based, fills access pipes
       – Uses ICMP echo/reply packets with broadcast networks to multiply traffic
       – Requires the ability to send spoofed packets
     • Abuses "bounce sites" to attack victims
       – Traffic multiplied by a factor of 50 to 200
       – A low-bandwidth source can kill high-bandwidth connections
     • Similar to ping flooding and UDP flooding, but more dangerous due to traffic multiplication
  34. "Smurfing" (cont'd) (figure: the perpetrator sends ICMP echo requests with the spoofed source address of the victim to an IP broadcast address; every host on that network sends its ICMP echo reply across the Internet to the victim)
  35. "Smurfing" trend
     • Smurf attacks are still "in style" for attackers.
     • Significant advances have been made in reducing the effects:
       – Education campaigns through white papers and other education by NOCs have reduced the average "smurf" attack from 80 Mbit/s to 5 Mbit/s.
     • Most attacks can still inundate a T1 link.
  36. "Teardrop", "Bonk", "Boink", "Ping of Death"
     • Goal is to severely impair or disable a host or its IP stack.
     • Use packet fragmentation and reassembly vulnerabilities (overlapping or oversized fragments that the reassembly code mishandles).
     • Require only that the host's IP stack be able to receive a packet from the attacker.
  37. SYN flooding
     • Goal is to deny access to a TCP service running on a host.
     • Creates a number of half-open TCP connections that fill up the host's listen queue; the host stops accepting new connections.
     • Requires only that the TCP service accept connections from the attacker (whose source addresses are typically spoofed, so the handshake is never completed).
  38. Sniffing
     • Goal is generally to obtain information
       – Account usernames, passwords
       – Source code, business-critical information
     • Usually a program placing an Ethernet adapter into promiscuous mode and saving information for later retrieval
     • The host running the sniffer program has usually been compromised first, using host attack methods.
  39. Network Packet Analysis
  40. Packet Switched Networks
     • Each message is divided into small data blocks called packets.
     • Packets are stored and forwarded by intermediate nodes.
     • Packets from different nodes and processes get intermixed in the network.
     • Packets may follow different routes.
     • Each packet is routed along the shortest available path to the destination.
  41. Packet Route (figure: sender process, routers, receiver process)
  42. Packet Route (figure, continued)
  43. Benefits
     • No user can monopolise the link for a long time.
     • Network traffic load balancing.
     • Doesn't waste network resources.
     • No congestion at connection setup time.
  44. Drawbacks
     • Packets may arrive out of order; the message needs to be reassembled at the receiving end.
     • May cause delay in real-time applications (audio/video).
     • Service is not guaranteed.
  45. Packet (figure: Packet = Header | Data)
     – A formatted block of data carried by a computer network
     – The Internet and LANs use packet technology to transfer data
     – Key components are the header and the data
  46. Data
     • Information to be conveyed between the sender and the receiver
     • It can be text or binary: images, documents, web pages, email ...
     • It may be small enough to fit in a single packet; otherwise it has to be split across multiple packets
  47. Header
     • Meta-information added to the data
     • With the help of the header, data reaches the destination correctly
     • The header contains address, length, type, error detection code, packet order, status flags ...
  48. Why is a header needed?
     • To ensure delivery to the right receiver
     • To ensure correctness and order of data
     • Proper routing of packets
  49. Packetisation (figure: a sender process, e.g. Internet Explorer, hands a message to the TCP/IP protocol stack, which splits it into packets, each with its own header (H1 + message part 1, H2 + message part 2), and passes them to the NIC; they cross the communication link, and the receiver's NIC and TCP/IP stack reassemble the message for the receiver process, e.g. a web server)
  50. Protocol Suite
     • Collection of protocols to deliver data
     • E.g. TCP/IP, Xerox XNS, DECnet, AppleTalk

       Xerox XNS   TCP/IP        ISO/OSI
       Level 4+    Application   Application, Presentation, Session
       Level 3     Transport     Transport
       Level 2     Internet      Network
       Level 1     Link          Data Link
       Level 0     Link          Physical
  51. TCP/IP Layers - Link Layer
     • Main responsibility is to move the packet between hosts across the physical medium.
     • The network interface card and its device driver do this.
     • Adds the link-layer address and other details to the packet.
     • Has a mechanism to resolve the physical address from the logical address in broadcast networks (ARP).
     • Characteristics of the communication signal are handled here.
  52. TCP/IP Layers - Network Layer
     • Main responsibility is to move the packet between networks and reach the final destination (routing).
     • This is an unreliable protocol; higher layers have to add reliability.
     • Handles fragmentation and reassembly of packets when they pass through different networks.
     • Facility for error handling and diagnosis: special protocols (ICMP) convey intermediate node status and the errors that occurred.
  53. TCP/IP Layers - Transport Layer
     • End-to-end message transfer facility, or process-to-process communication.
     • Has facilities for flow control and error control.
     • This layer can add reliability to the data transferred.
     • Splits large data into small chunks for the network layer.
     • This layer associates the packet with a particular application through ports.
     • A port is a logical address; it has nothing to do with the physical ports present on a computer.
  54. TCP/IP Layers - Application Layer
     • Handles the details of a particular application, e.g. email, web.
     • Adds meta-information to the actual data to send (i.e. formats the data).
     • This formatted message is encapsulated in a transport-layer protocol.
     • The respective applications can interpret this message.
     • The message may be plain text or binary, and can be encrypted or compressed.
  55. TCP/IP stack with sample protocols
       Application   HTTP, SMTP, POP3, FTP, Telnet, DNS
       Transport     TCP, UDP
       Internet      IP, ICMP
       Link          Ethernet, FDDI, SLIP, PPP, ARP, RARP
  56. The way a packet is formed (Encapsulation) (figure: the HTTP message (application layer) is wrapped in a TCP segment (transport layer), then an IP packet (network layer), then an Ethernet frame (link layer))
  57. Packet Analysis
  58. Uses of Packet Analysis
     • Forensics analysis
     • Troubleshooting and debugging
     • Collect sensitive information
     • Misuse detection
     • Gather network statistics
  59. Forensics analysis
     • To collect evidence
     • To track the source of an attack
     • To learn the attacker's behaviour
  60. Troubleshooting and debugging
     • Debugging network applications
     • Troubleshooting network problems
  61. Collect sensitive information
     • Passwords
     • Emails
     • Other confidential data
  62. Misuse detection
     • Company policy violation
       – Accessing restricted sites
       – Bandwidth misuse
     • Email spoofing
     • IP spoofing
     • ARP spoofing
  63. Gather network statistics
     • To collect bandwidth utilization information
     • To find misbehaving nodes in the network
  64. Packet Analysis Methods
     • Manual inspection
     • Filtering
     • Statistics
     • Session reconstruction
  65. Manual Inspection
     • Text search
     • Binary pattern search
     • Packet inspection
     • Protocol verification
  66. Filtering
     • Filtering based on: MAC, IP, date/time, pattern
     • Combinations of the above
       – Packets between a particular date and time
       – Packets from a particular IP
     • Complex filter expressions
  67. Statistics
     • Based on: bandwidth utilization, IP, date and time, protocol (email, FTP, HTTP ...)
     • E.g. top mail sender
  68. Statistics-based analysis (figure: two charts, "Mail traffic of individuals on different days" (mails per node 1.1.1.1 to 1.1.1.4 by date) and "Data traffic to different servers" (MBytes/sec over time for nodes 1.1.1.x))
  69. Session reconstruction (figure: packets P1, P2, P3 ... Pn are reassembled into files F1, F2 ... Fm)
     • TCP session reconstruction: images, emails and other files
     • UDP stream reconstruction: streamed video, audio, VoIP and other types of communications
  70. Network Forensics
  71. Computer Forensics vs Network Forensics (figure)
  72. Legal Issues
     • You may not be able to use hacker techniques against them.
     • Laws for gathering evidence are confusing.
     • Logs may or may not be admissible.
     • The perpetrator may or may not be prosecutable.
     • It is important to know about:
       – Local laws on computer-related crimes
       – Legal processes and how to build a criminal case
  73. Network Traffic
  74. Online Analysis of Network Traffic
  75. Online Monitoring
     • If you need online analysis of a network, you need to capture packets.
     • Network traffic analysis requires online capturing and analysis of packets in real time.
     • Used in: stateful analysis, IPS, IDS, firewall.
  76. Collecting Network Traffic as Evidence
  77. Protecting and Preserving Network-Based Evidence
     • Hash traces after collection and store the hashes elsewhere
     • Copy evidence to read-only media when possible
     • Create derivative evidence
     • Follow chains of evidence
     • Understand the forms of evidence
     • Best evidence should, to the extent practically possible, never be analyzed directly.
       – Rather, investigators should make working copies of the best evidence and analyze those duplicates.
       – Network traffic saved on a sensor is the best evidence available.
       – Copies of that traffic transferred to a central location become working copies.
  78. Protecting and Preserving Network-Based Evidence
  79. Network Forensics Procedure
  80. Network Forensics Procedure (continued)
  81. Analyzing Network-Based Evidence
  82. Live Analysis
     • Allows for collection of data from volatile locations such as RAM and cache.
     • Often provides extremely useful data.
     • Requires installation of software to capture data, possibly erasing critical data and spoiling the "preservation" of the system.
  83. Live Forensics - Goals
     • Gathers data from running systems
     • Diagnosing your system without killing it first
     • Snapshot of the state of the computer (figure text: "Who is doing what?", "What's happening now?")
  84. Live Forensics (figure)
  85. Live / Volatile Data (figure)
  86. Gathering Data (ordered from more volatile to less volatile)
     • Volatile data
       – registers, cache contents
       – memory contents
       – network connections
       – running processes
     • Non-volatile data
       – content of filesystems and drives
       – content of removable media
  87. Presentation and Preservation
  88. Typical Scenario
     • "Dead" forensics information is incomplete
       – discovered to be incomplete
       – predicted to be incomplete
     • Non-local attacker, or local user using the network in an inappropriate fashion
     • Generally, another event triggers the network investigation:
       – Company documents apparently stolen
       – Denial of service attack
       – Suspected unauthorized use of file-sharing software
       – "Cyberstalking" or threatening email
  89. Information Available
     • Summary information (router flow logs)
       – Routers generally provide this information
       – Includes basic connection information
         • source and destination IP address and ports
         • connection duration
         • number of packets sent
       – No content! Can only surmise what was sent
       – Can establish that connections between machines were made
       – Can corroborate data from log files (e.g., ssh'ing from one machine to another to another within a network)
       – Unusual ports (rootkits? botnet?)
       – Unusual activity (spam generator?)
  90. Information Available (2)
     • Complete information (packet dumps)
       – from programs like Ethereal/Wireshark, snort, tcpdump
       – on an active net, can generate a LOT of data
       – can provide filter options so programs only capture certain traffic (by IP, port, protocol)
       – includes full content: can reconstruct what happened (maybe)
         • reconstruct sessions
         • reconstruct transmitted files
         • retrieve typed passwords
         • identify which resources are involved in an attack
       – BUT no easy way to decrypt encrypted traffic
  91. Information Available (3)
     • Port scans (nmap, etc.)
       – Identifies machines on your network
         • Often can identify operating system, printer type, etc., without needing an account on the machine ("OS fingerprinting")
       – Identifies ports open on those machines
         • Backdoors, unauthorized servers, ...
       – Identifies suspicious situations (infected machine, rogue computer, etc.)
       – nmap: lots of options
  92. Analysis
     • Does not exist in a vacuum
     • Link information in the analysis to network and host log files
       – who was on the network
       – who was at the keyboard
       – what files are on the disk and where
     • Look up the other sites (who are they, where are they, what's the connection)
     • Otherwise, network traces can be overwhelming
       – Potentially huge amounts of data
       – Limited automation!
  93. Normal ICMP Traffic (tcpdump)
     • Pings
       IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6400
       IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6400
       IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6656
       IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6656
       IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6912
       IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6912
       IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 7168
       IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 7168
     • Host unreachable
       xyz.com > boudin.cs.uno.edu: icmp: host blarg.xyz.com unreachable
     • Port unreachable
       xyz.com > boudin.cs.uno.edu: icmp: blarg.xyz.com port 7777 unreachable
  94. HTTP Connections
     • 3-way TCP handshake as the laptop begins HTTP communication with a google.com server
       IP tasso.1433 > qb-in-f104.google.com.80: S 3064253594:3064253594(0) win 16384 <mss 1460,nop,nop,sackOK>
       IP qb-in-f104.google.com.80 > tasso.1433: S 2967044073:2967044073(0) ack 3064253595 win 8190 <mss 1460>
       IP tasso.1433 > qb-in-f104.google.com.80: . ack 1 win 17520
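As an added example (not from the deck), the handshake lines above can be fed to a small state tracker that follows each connection through SYN_SENT, SYN_RECEIVED and ESTABLISHED; run over a trace, it turns the SYN flooding condition of slide 37 (half-open connections piling up against one listener) into a count per service. The parser targets the old-style tcpdump TCP line format shown on this slide; the google.com lines are the slide's own, the remaining sample lines, hostnames and the threshold are constructed for the example.

```python
"""Half-open TCP connection tracking over tcpdump text lines in the format shown
on this slide, used to spot the SYN flood condition of slide 37 (many
SYN_RECEIVED entries against one service that never reach ESTABLISHED).
Sample lines are constructed; the google.com lines are the slide's own."""
import re
from collections import defaultdict

# "IP src.port > dst.port: FLAGS ...", optionally followed by "ack N" (old tcpdump style)
TCP_LINE = re.compile(
    r"^IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$")


def parse_tcp_line(line):
    """Return a dict of endpoints, flags and whether an ACK is present, or None."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ack"] = re.search(r"\back\b", fields["rest"]) is not None
    return fields


def track_handshakes(lines):
    """Map (client, cport, server, sport) -> SYN_SENT / SYN_RECEIVED / ESTABLISHED."""
    conns = {}
    for line in lines:
        p = parse_tcp_line(line)
        if p is None:
            continue
        if "S" in p["flags"] and not p["ack"]:            # client SYN
            conns[(p["src"], p["sport"], p["dst"], p["dport"])] = "SYN_SENT"
        elif "S" in p["flags"] and p["ack"]:              # server SYN/ACK: a listen-queue slot is now held
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if conns.get(key) == "SYN_SENT":
                conns[key] = "SYN_RECEIVED"
        elif p["ack"] and "R" not in p["flags"]:          # client's final ACK completes the handshake
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if conns.get(key) == "SYN_RECEIVED":
                conns[key] = "ESTABLISHED"
    return conns


def half_open_by_service(conns):
    """Count SYN_RECEIVED entries per (server, port): the pressure on its listen queue."""
    counts = defaultdict(int)
    for (_client, _cport, server, sport), state in conns.items():
        if state == "SYN_RECEIVED":
            counts[(server, sport)] += 1
    return dict(counts)


def syn_flood_suspects(conns, threshold=5):
    """Services with at least `threshold` half-open connections in the trace."""
    return [svc for svc, n in half_open_by_service(conns).items() if n >= threshold]


# Constructed sample: the slide's legitimate handshake, then six SYNs from
# different (spoofed) sources that are answered but never acknowledged.
SAMPLE_LINES = [
    "IP tasso.1433 > qb-in-f104.google.com.80: S 3064253594:3064253594(0) win 16384 <mss 1460,nop,nop,sackOK>",
    "IP qb-in-f104.google.com.80 > tasso.1433: S 2967044073:2967044073(0) ack 3064253595 win 8190 <mss 1460>",
    "IP tasso.1433 > qb-in-f104.google.com.80: . ack 1 win 17520",
]
for i in range(1, 7):
    SAMPLE_LINES.append("IP 198.51.100.%d.4000%d > www.example.com.80: S %d:%d(0) win 512"
                        % (i, i, 1000 * i, 1000 * i))
    SAMPLE_LINES.append("IP www.example.com.80 > 198.51.100.%d.4000%d: S %d:%d(0) ack %d win 8190"
                        % (i, i, 5000 * i, 5000 * i, 1000 * i + 1))

if __name__ == "__main__":
    state = track_handshakes(SAMPLE_LINES)
    print(half_open_by_service(state), syn_flood_suspects(state))
```

Ports are kept as strings because they come straight out of the text; a real trace would also need a time window, since half-open entries in a long capture eventually time out on the host.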
  95. Fragmentation Visualization
     • Fragmentation can be seen with tcpdump:
       whatever.com > me.com: icmp: echo request (frag 5000:1400@0+)
       whatever.com > me.com: (frag 5000:1000@1400)
     • The frag notation reads ID:size@offset; the trailing "+" is the more-fragments flag.
     • Note that the 2nd fragment isn't identifiable as an ICMP echo request, because only the first fragment carries the ICMP header.
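Added example, not part of the original deck: a parser for the frag notation above, plus the check a forensic analyst would run on a fragmented trace to find the reassembly problems that slide 36 ("Teardrop", "Bonk", "Boink", "Ping of Death") refers to, namely fragments that overlap bytes already received and fragment sets that never complete. The two whatever.com lines are the slide's own; the other sample lines, hostnames and IP IDs are constructed.

```python
"""Parse tcpdump's "(frag ID:size@offset+)" notation and check each datagram's
fragment set for the reassembly problems slide 36 refers to: overlapping
fragments and incomplete sets. The first two lines are the slide's own; the
others are constructed to show the two failure cases."""
import re
from collections import defaultdict

FRAG = re.compile(r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<offset>\d+)(?P<more>\+?)\)")


def parse_fragment(line):
    """Return {id, size, offset, more} for a tcpdump line, or None if not a fragment."""
    m = FRAG.search(line)
    if not m:
        return None
    return {"id": int(m["id"]), "size": int(m["size"]),
            "offset": int(m["offset"]), "more": m["more"] == "+"}


def analyse_fragments(lines):
    """Per IP ID: fragment count, reassembled size, and whether the set
    overlaps (a fragment starts inside bytes already covered) or is incomplete
    (a gap, or the last fragment still has the more-fragments flag set)."""
    groups = defaultdict(list)
    for line in lines:
        frag = parse_fragment(line)
        if frag:
            groups[frag["id"]].append(frag)
    report = {}
    for ident, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        covered = 0            # bytes contiguously covered from offset 0
        overlap = gap = False
        for f in frags:
            if f["offset"] < covered:
                overlap = True
            elif f["offset"] > covered:
                gap = True
            covered = max(covered, f["offset"] + f["size"])
        report[ident] = {
            "fragments": len(frags),
            "total": covered,
            "overlap": overlap,
            "complete": not gap and not frags[-1]["more"],
        }
    return report


SAMPLE_LINES = [
    # slide's own example: a 2400-byte echo request split in two
    "whatever.com > me.com: icmp: echo request (frag 5000:1400@0+)",
    "whatever.com > me.com: (frag 5000:1000@1400)",
    # constructed: second fragment starts inside the first (teardrop-style overlap)
    "attacker.example > me.com: udp (frag 242:36@0+)",
    "attacker.example > me.com: (frag 242:24@24)",
    # constructed: first fragment only, the rest never arrives
    "slow.example > me.com: icmp: echo request (frag 7:1480@0+)",
    # constructed: not a fragment at all, must be ignored
    "slow.example > me.com: icmp: echo reply seq 1",
]

if __name__ == "__main__":
    for ident, info in analyse_fragments(SAMPLE_LINES).items():
        print(ident, info)
```

An overlap is not always malicious (retransmitted fragments can overlap legitimately), so treat the flag as a reason to look at the datagram, not as a verdict.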
  96. nmap 137.30.120.*
       Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-10-24 19:32
       Interesting ports on 137.30.120.1:
       Not shown: 1679 closed ports
       PORT   STATE SERVICE
       23/tcp open  telnet
       MAC Address: 00:0D:ED:41:A8:40 (Cisco Systems)
       All 1680 scanned ports on 137.30.120.3 are closed
       MAC Address: 00:0F:8F:34:7E:C2 (Cisco Systems)
       All 1680 scanned ports on 137.30.120.4 are closed
       MAC Address: 00:13:C3:13:B4:41 (Cisco Systems)
       All 1680 scanned ports on 137.30.120.5 are closed
       MAC Address: 00:0F:90:84:13:41 (Cisco Systems)
       ......
  97. nmap 137.30.120.*
       Interesting ports on mailsvcs.cs.uno.edu (137.30.120.32):
       Not shown: 1644 closed ports
       PORT    STATE SERVICE
       7/tcp   open  echo
       9/tcp   open  discard
       13/tcp  open  daytime
       19/tcp  open  chargen
       21/tcp  open  ftp
       22/tcp  open  ssh
       23/tcp  open  telnet
       25/tcp  open  smtp
       37/tcp  open  time
       79/tcp  open  finger
       80/tcp  open  http
       110/tcp open  pop3
       111/tcp open  rpcbind
       143/tcp open  imap
       443/tcp open  https
       512/tcp open  exec
       ......
  98. Wireshark (aka Ethereal) (screenshot: packet listing; detailed packet data at various protocol levels; raw data)
  99. Wireshark: Following a TCP Stream (screenshot)
  100. Wireshark: FTP Control Stream (screenshot)
  101. Wireshark: FTP Data Stream (screenshot)
  102. Wireshark: FTP Data Stream (screenshot)
  103. Wireshark: Extracted FTP Data Stream (screenshot)
  104. Wireshark: HTTP Session (screenshot) - save the stream, then trim away the HTTP headers to retrieve the image (use e.g. WinHex)
  105. HTTP (an application layer protocol) (figure: request from client, response from server carrying the HTML web page)
  106. Prevention Techniques
     • How to prevent your network from being the source of an attack:
       – Apply filters to each customer network
         • Allow only those packets with source addresses within the customer's assigned netblocks to enter your network
       – Apply filters to your upstreams
         • Allow only those packets with source addresses within your netblocks to exit your network, to protect others
         • Deny those packets with source addresses within your netblocks from coming into your network, to protect your network
     • This removes the possibility of your network being used as an attack source for the many attacks that rely on anonymity (spoofed source addresses).
  107. Prevention Techniques
     • How to prevent being a "bounce site" in a "Smurf" attack:
       – Turn off directed broadcasts to networks:
         • Cisco: interface command "no ip directed-broadcast"
         • Proteon: IP protocol configuration "disable directed-broadcast"
         • Bay Networks: set a false static ARP address for the broadcast address
       – Use access control lists (if necessary) to prevent ICMP echo requests from entering your network
       – Encourage vendors to turn off replies to ICMP echo requests sent to broadcast addresses
         • Host Requirements RFC 1122, section 3.2.2.6, states: "An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded."
         • Patches are available for free UNIX-like operating systems.
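The filtering rules of the two Prevention Techniques slides above (customer-facing source filter, egress and ingress anti-spoofing filters at the upstream, and no forwarding to directed broadcast addresses) written out as one policy function, as an added example that is not from the deck and not any vendor's configuration syntax. The provider and customer netblocks, the interface names and the sample packets are all assumed for the example; the addresses come from the documentation prefixes.

```python
"""Source-address (anti-spoofing) filters and the directed-broadcast rule from
the two Prevention Techniques slides, as a policy function you can run against
sample packets. Netblocks and interface names are assumed for the example."""
from ipaddress import ip_address, ip_network

# Assumed provider layout (documentation prefixes): our own block plus two customers.
OUR_NETBLOCKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
CUSTOMER_NETBLOCKS = {
    "cust-a": [ip_network("198.51.100.0/25")],
    "cust-b": [ip_network("198.51.100.128/25")],
}
ALL_NETBLOCKS = OUR_NETBLOCKS + [n for nets in CUSTOMER_NETBLOCKS.values() for n in nets]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(interface, src, dst):
    """Return ("allow", "") or ("drop", reason) for a packet seen on `interface`.
    Interfaces: a customer name (packet entering from that customer),
    "upstream-out" (leaving toward the upstream), "upstream-in" (arriving from it)."""
    s, d = ip_address(src), ip_address(dst)
    if interface in CUSTOMER_NETBLOCKS:
        # customer-facing filter: only the customer's assigned addresses may enter
        if not in_any(s, CUSTOMER_NETBLOCKS[interface]):
            return ("drop", "source %s is outside %s's assigned netblocks" % (src, interface))
    elif interface == "upstream-out":
        # egress filter: protect others from packets spoofing foreign sources
        if not in_any(s, OUR_NETBLOCKS):
            return ("drop", "egress spoof: source %s is not one of our netblocks" % src)
    elif interface == "upstream-in":
        # ingress filter: protect ourselves from packets claiming to be us
        if in_any(s, OUR_NETBLOCKS):
            return ("drop", "ingress spoof: source %s claims one of our netblocks" % src)
    else:
        raise ValueError("unknown interface %r" % interface)
    # "no ip directed-broadcast": never forward to the broadcast address of our subnets
    if any(d == net.broadcast_address for net in ALL_NETBLOCKS):
        return ("drop", "directed broadcast to %s (smurf bounce)" % dst)
    return ("allow", "")


# Constructed sample traffic: (interface, src, dst)
SAMPLE_PACKETS = [
    ("cust-a", "198.51.100.7", "203.0.113.9"),       # legitimate customer traffic
    ("cust-a", "10.9.9.9", "203.0.113.9"),           # customer spoofing a foreign source
    ("upstream-out", "203.0.113.5", "192.0.2.1"),    # our own address leaving: fine
    ("upstream-out", "192.0.2.200", "192.0.2.1"),    # spoofed source leaving: blocked
    ("upstream-in", "203.0.113.77", "203.0.113.9"),  # outside claims to be us: blocked
    ("upstream-in", "192.0.2.1", "198.51.100.127"),  # smurf bounce attempt at cust-a's broadcast
    ("upstream-in", "192.0.2.1", "203.0.113.9"),     # ordinary inbound traffic
]


def apply_filters(packets=SAMPLE_PACKETS):
    """Verdict ("allow"/"drop") for each sample packet, in order."""
    return [filter_packet(*pkt)[0] for pkt in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", filter_packet(*pkt))
```

The customer netblocks are subnets of the provider's own, so the same address set drives both the customer filter and the upstream filters; the function raises on an unknown interface rather than defaulting to "allow", which is the safer failure mode for a filter.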
  108. Conclusion: Network Analysis
     • Potentially a source of valuable evidence beyond that available from "dead" analysis
     • By the time an incident occurs, you may have lost the chance to capture much of the interesting traffic
     • Challenging: huge volumes of data
     • Again, only one part of a complete investigative strategy
     • This introduction didn't include stepping-stone analysis and many other factors (limited time)
  109. Thank You
  110. NeSA - Network Session Analyser
  111. NeSA Architecture (figure: Packet Capture writes a pcap-format dump; the Packet Filter (filter rules) and Packet Classifier select packets; the Packet Analyser uses protocol dissectors and shows a hex view and a tree view; Packet Rebuild (rebuild rules) reconstructs sessions; the Session Parser (parse rules; HTTP, SMTP, POP3 and FTP) feeds the hex dump view, picture view, file view, mail view and media player; a crypto component is also shown)
  112. Packet Capture
     • Uses the pcap library
     • Captures packets in promiscuous mode
     • Similar capture features to Wireshark
     • Stores the captured packets to the user-specified dump file
     • A capture filter can be supplied, e.g. capture only TCP traffic
  113. Packet Filter
     • Based on the supplied filter rule, filters packets as well as TCP sessions.
     • The packet filter language is the same as that of pcap (BPF).
     • The TCP session filter language is custom written:
       – Filtering based on date/time
       – Protocol-based filter
       – MAC, IP and port based filtering
       – Complex combinations of the above
  114. Protocol Dissector
     • Shows each field of the packet in detail
     • Dissects very common protocols like IP, TCP, UDP, ARP ...
     • Useful to get a very detailed view of each packet
     • Helpful in detecting malformed packets
  115. Packet Classifier
     • At load time, classifies the packets into different groups in order to improve the performance of the later analysis process
     • The TCP session filter (rebuild filter) chooses only from this classified group of packets, so it has to process only a very small portion of the entire dump file
  116. Packet Analyser
     • Has a packet filtering scheme
     • Packets can be exported
     • Has an easily extensible packet (protocol) dissector
     • Shows the dissected packets in a hex view as well as in a tree control, as in Wireshark
  117. Packet Rebuild
     • Rebuilds the TCP session
     • Shows the rebuilt session in a hex view with data direction indication
     • Colouring schemes can be given to identify different types of session
     • Rebuilt sessions are passed to the session parser
  118. Session Parser
     • Parses the rebuilt session and tries to extract the files available in it
     • Presently parses HTTP, SMTP, POP3 and FTP, the most common application-layer protocols
     • More parsers can be added
     • Parses MIME and extracts files from it
     • Shows the extracted files in a thumbnail view, file view and mail view
     • These files can be exported
  119. Distinctive Features of NeSA
     • NeSA is data-centric as well as packet-centric, whereas most other tools are packet-centric; this makes NeSA a distinct product:
       – Session parser
       – Session filter
       – Session views
  120. NeSA (Network Session Analyser)
     • A solution developed by CDAC for offline packet analysis
     • Features
       – TCP session reconstruction and file recovery
       – Packet filter
       – Powerful session filter
       – Regular expression based search
       – File export, especially mail export
       – Packet dissect view
  121. NeSA Architecture (figure; same diagram as slide 111)
  122. Future plan - Moving to online
     • Real-time packet analysis
     • Decryption support
     • Support for more protocols
  123. Catching Packets
     • Enable promiscuous mode on the Ethernet card from which packets are to be captured.
     • Otherwise the OS will see only the packets destined for that system (plus broadcast and multicast).
     • Packet capture tools: tcpdump, wireshark
     • Sample tcpdump command:
       tcpdump -s0 -i eth0 -w file/to/store.dump
       – -s0 tells it to capture full-length packets (no snaplen truncation)
       – -i eth0 instructs it to capture from the interface eth0
       – -w indicates the file in which the captured packets are to be stored
  124. Catching packets in an Enterprise (figure: a gateway with a tree of switches below it and hosts N1 ... N6)
     • A capture system at the gateway sees only packets passing through the gateway, not local traffic such as "between N1 and N2".
     • A capture system on a switch sees only the traffic between that switch's hosts (N5, N6) and the gateway, not other traffic like "between N1 and N2".
     • A capture system on a single host's port sees only the traffic of that host (N4).
     • Place the capture system accordingly.
  129. Issues and Challenges
     • Processing the large volume of data
     • Lack of forensics tools
     • Lack of proven methods
     • Varied attacks
     • Encrypted data
     • Partial data
     • Spoofed packets
     • Unknown protocols
  130. Thank you
  131. Appendix A - ICMP Message Types
       Type   Name                              Type    Name
       0      Echo Reply                        17      Address Mask Request
       1      Unassigned                        18      Address Mask Reply
       2      Unassigned                        19      Reserved (for Security)
       3      Destination Unreachable           20-29   Reserved (for Robustness Experiment)
       4      Source Quench                     30      Traceroute
       5      Redirect                          31      Datagram Conversion Error
       6      Alternate Host Address            32      Mobile Host Redirect
       7      Unassigned                        33      IPv6 Where-Are-You
       8      Echo                              34      IPv6 I-Am-Here
       9      Router Advertisement              35      Mobile Registration Request
       10     Router Solicitation               36      Mobile Registration Reply
       11     Time Exceeded                     37      Domain Name Request
       12     Parameter Problem                 38      Domain Name Reply
       13     Timestamp                         39      SKIP
       14     Timestamp Reply                   40      Photuris
       15     Information Request               41-255  Reserved
       16     Information Reply
