Network Forensics
  1. FIST Conference, Madrid, January 2008. Sponsored by: Network Forensics and Lessons Learnt from the July 07 London Attacks. Geoff Harris, Alderbridge Consulting Ltd, 0044 1423 321900
  2. About the Author: background in Military Communications Design; CEO of Alderbridge Consulting, formed 1997; ISSA-UK President; UK Government CLAS Consultant; CISSP, ITPC, BSc, DipEE, C.Eng
  5. Early Firewall Adoption
  6. DMZs & De-Perimeterisation
  7. An early Intrusion Prevention System – Is IDS dead?
  8. Forensics – fingerprints & DNA: Edward Henry, appointed as Assistant Commissioner of Police at New Scotland Yard, began to introduce his fingerprint system. The first British court conviction by fingerprints was in 1902.
  9. 11 March 2004 – Madrid Train Bombings: 10 explosions on 4 commuter trains (cercanías), killing 191 people and wounding 1,755
  10. 7 July 2005 – London: 3 tube explosions and 1 bus explosion; the entire London Underground system was shut down
  11. Post 7 July 2005 – London Investigations: on 12 July 2005 police identified three suspects from CCTV footage, a missing persons report and documents found in the debris at each bomb site. Luton railway station is closed as police investigate a car parked there and believed to be associated with the suspects caught on CCTV cameras.
  12. The Dummy Run: "Police trawl through 80,000 CCTV tapes". "Ten weeks after the attacks, CCTV footage was released of three of the bombers setting out on a 'practice run'. Mohammad Sidique Khan, Germaine Lindsay and Shehzad Tanweer - but not Hasib Hussain - met at Luton station at around 0810 BST on June 28."
  13. The Dummy Run: "Video cameras showed them buying tickets before they boarded a train to Kings Cross, where they arrived at 0855 and made their way to the Underground network. Police said they were seen at Baker Street at midday before they returned to Kings Cross at 1250, arriving back in Luton 50 minutes later."
  14. Detecting The IT Network Attack
     • Firewall logs
     • System logs
     • IDS – Host IDS & Network IDS
     • Correlation of events – SEM tools
     • Management overhead – MSS
  15. Hiding In The Noise
     • The slow scan
     • Random ports – random port hopping
     • Trojan/covert channels over well-used ports
     • The outgoing IRC, http, https threat
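Slides 14 and 15 name the log sources worth correlating and the evasion tricks (the slow scan, random port hopping) that get lost in them. The following is an added example, not code from the presentation: a small correlation pass over constructed firewall deny lines that flags a source probing many distinct ports over hours rather than seconds. The log format, field names and thresholds are assumptions made for the example.

```python
# Added example (not from the slides): correlate firewall DENY events per source
# over a long window to surface a "slow scan" hiding in the noise of normal traffic.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines; the syslog-like layout is assumed.
SAMPLE_LOG = """\
2008-01-15T08:00:05 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2008-01-15T08:00:06 fw1 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=80
2008-01-15T09:12:41 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=445
2008-01-15T10:30:02 fw1 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443
2008-01-15T11:47:19 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2008-01-15T13:05:55 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=1433
2008-01-15T14:22:08 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=8080
2008-01-15T14:22:09 fw1 DENY src=198.51.100.4 dst=192.0.2.10 dport=8443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield (timestamp, action, src, dport) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["action"], m["src"], int(m["dport"]))

def find_slow_scans(text, min_ports=4, min_span_hours=1.0):
    """Return {src: (distinct_ports, span_hours)} for sources whose DENY events touch
    at least min_ports distinct ports spread over at least min_span_hours.
    A burst of denies inside a few seconds trips any IDS threshold; the long span
    is what singles out the deliberately slow probe across random ports."""
    denies = defaultdict(list)
    for ts, action, src, dport in parse_log(text):
        if action == "DENY":
            denies[src].append((ts, dport))
    hits = {}
    for src, events in denies.items():
        ports = {p for _, p in events}
        span = (max(t for t, _ in events) - min(t for t, _ in events)).total_seconds() / 3600
        if len(ports) >= min_ports and span >= min_span_hours:
            hits[src] = (len(ports), round(span, 2))
    return hits

if __name__ == "__main__":
    for src, (n, h) in find_slow_scans(SAMPLE_LOG).items():
        print(f"possible slow scan from {src}: {n} ports over {h} h")
```

Raising min_ports or lowering min_span_hours trades false positives against missed probes; in practice the window would be days, not hours, and the per-source state kept in a SEM rather than in memory.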
  16. “Network CCTV” as a Forensic Tool: commonly used existing sniffing products are Microsoft Net Mon, NAI Sniffer and Ethereal. Problem – the ability to capture the moment of attack at the right time and understand what led up to the attack
  17. “Network CCTV” as a Forensic Tool: for the IDS & Network CCTV, NIKSUN NetDetector; other products such as NetIntercept
  18. “Network CCTV” as a Forensic Tool: network diagram of sites at Manchester, Leeds and London HQ linked over the Internet/WAN, with Web Server, Mail Server and VPN Gateway, a stealth monitoring LAN, a Central Security Server, a Security LAN, Trusted LANs (UNCLASSIFIED and RESTRICTED) with their servers, a Network IDS Sensor and a proposed Network Recorder
  19. Hiding In The Noise
  20. Network Packet Decode
  21. Summary
     • CCTV in UK has been highly successful
     • Social issues – invasion of privacy
     • “Network CCTV” is very powerful as a forensic tool
     • Employee and citizen rights here too
     • Threat to corporate and government networks due to terrorism and espionage continues to grow
  22. Creative Commons Attribution-ShareAlike 2.0. You are free: to copy, distribute, display, and perform this work; to make commercial use of this work. Under the following conditions: Attribution. You must give the original author credit. Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a copy of this license, visit or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
  23. With the sponsorship of: Geoff Harris, Alderbridge Consulting Ltd, 0044 1423 321900