Network Forensics
Transcript

  • 1. FIST Conference, Madrid, January 2008. Network Forensics and Lessons Learnt from the July 07 London Attacks. Geoff Harris, Alderbridge Consulting Ltd, geoff.harris@alderbridge.com, www.alderbridge.com, 0044 1423 321900
  • 2. About the Author
    - Background in military communications design
    - CEO, Alderbridge Consulting (formed 1997)
    - ISSA-UK President
    - UK Government CLAS Consultant
    - CISSP, ITPC, BSc, DipEE, C.Eng
  • 5. Early Firewall Adoption
  • 6. DMZs & De-Perimeterisation
  • 7. An early Intrusion Prevention System – Is IDS dead?
  • 8. Forensics – fingerprints & DNA. Edward Henry was appointed Assistant Commissioner of Police at New Scotland Yard and began to introduce his fingerprint system. The first British court conviction by fingerprints was in 1902.
  • 9. 11 March 2004 – Madrid Train Bombings. 10 explosions on 4 commuter trains (cercanías), killing 191 people and wounding 1,755.
  • 10. 7 July 2005 – London. 3 tube explosions and 1 bus explosion; the entire London Underground system was shut down.
  • 11. Post 7 July 2005 – London Investigations. 12 July 2005: three suspects identified from CCTV footage, a missing persons report and documents found in the debris at each bomb site. Luton railway station is closed as police investigate a car parked there and believed to be associated with the suspects caught on CCTV cameras.
  • 12. The Dummy Run. "Police trawl through 80,000 CCTV tapes." "Ten weeks after the attacks, CCTV footage was released of three of the bombers setting out on a 'practice run'. Mohammad Sidique Khan, Germaine Lindsay and Shehzad Tanweer – but not Hasib Hussain – met at Luton station at around 0810 BST on June 28."
  • 13. The Dummy Run. "Video cameras showed them buying tickets before they boarded a train to Kings Cross, where they arrived at 0855 and made their way to the Underground network. Police said they were seen at Baker Street at midday before they returned to Kings Cross at 1250, arriving back in Luton 50 minutes later."
  • 14. Detecting The IT Network Attack
    - Firewall logs
    - System logs
    - IDS – host IDS & network IDS
    - Correlation of events – SEM (security event management) tools
    - Management overhead – MSS (managed security services)
  • 15. Hiding In The Noise
    - The slow scan
    - Random ports – random port hopping
    - Trojan/covert channels over well-used ports
    - The outbound threat over IRC, HTTP and HTTPS (ports the firewall must allow out)
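Slides 14 and 15 say that a slow scan and outbound IRC hide from per-event rules and only show up when events are correlated over time. The following is an added example, not code from the presentation or from any SEM product: it parses a constructed, vendor-neutral firewall log, runs a naive per-minute rate rule beside a long-window correlation over distinct targets per source, and flags internal hosts allowed out to IRC ports. The log format, the 10.0.0.0/8 internal range and every address in the sample are assumptions made for the example.

```python
"""Long-window correlation of firewall deny events.

Added example. Log line format is constructed, not any vendor's:
<ISO timestamp> <firewall> <DENY|ALLOW> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>DENY|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
IRC_PORTS = {6667, 6697}                         # plain and TLS IRC

# Constructed sample: 203.0.113.7 probes one port roughly every 40 minutes
# (slow scan); 198.51.100.200 hits six ports in three seconds (classic scan);
# 10.0.5.40 is allowed out to an IRC server; the rest is background noise.
SAMPLE_LOG = """\
2008-01-15T00:00:05 fw1 ALLOW TCP 10.0.5.21:51022 -> 198.51.100.9:80
2008-01-15T00:02:17 fw1 DENY TCP 203.0.113.7:40001 -> 10.0.0.10:21
2008-01-15T00:41:09 fw1 DENY TCP 203.0.113.7:40002 -> 10.0.0.10:22
2008-01-15T01:20:44 fw1 DENY TCP 203.0.113.7:40003 -> 10.0.0.10:23
2008-01-15T01:58:31 fw1 ALLOW TCP 10.0.5.40:52100 -> 198.51.100.77:6667
2008-01-15T02:03:11 fw1 DENY TCP 203.0.113.7:40004 -> 10.0.0.10:25
2008-01-15T02:45:50 fw1 DENY TCP 203.0.113.7:40005 -> 10.0.0.10:80
2008-01-15T03:30:02 fw1 DENY TCP 203.0.113.7:40006 -> 10.0.0.10:110
2008-01-15T04:12:19 fw1 DENY TCP 203.0.113.7:40007 -> 10.0.0.10:143
2008-01-15T04:55:40 fw1 DENY TCP 203.0.113.7:40008 -> 10.0.0.10:443
2008-01-15T05:40:27 fw1 DENY TCP 203.0.113.7:40009 -> 10.0.0.10:445
2008-01-15T06:22:03 fw1 DENY TCP 203.0.113.7:40010 -> 10.0.0.10:3389
2008-01-15T06:30:00 fw1 DENY TCP 198.51.100.200:33001 -> 10.0.0.10:22
2008-01-15T06:30:01 fw1 DENY TCP 198.51.100.200:33002 -> 10.0.0.10:23
2008-01-15T06:30:01 fw1 DENY TCP 198.51.100.200:33003 -> 10.0.0.10:25
2008-01-15T06:30:02 fw1 DENY TCP 198.51.100.200:33004 -> 10.0.0.10:80
2008-01-15T06:30:02 fw1 DENY TCP 198.51.100.200:33005 -> 10.0.0.10:443
2008-01-15T06:30:03 fw1 DENY TCP 198.51.100.200:33006 -> 10.0.0.10:8080
2008-01-15T07:10:33 fw1 DENY TCP 192.0.2.55:1234 -> 10.0.0.10:22
"""


def parse_log(text):
    """Parse log lines into dicts; unknown formats are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def peak_per_minute(times):
    """Largest number of events falling inside any 60-second sliding window."""
    times = sorted(times)
    peak = j = 0
    for i, t in enumerate(times):
        while t - times[j] > timedelta(seconds=60):
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def rate_alerts(events, per_minute=5):
    """Naive IDS rule: a source firing >= per_minute denies within one minute."""
    denies = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denies[e["src"]].append(e["ts"])
    return {src for src, ts in denies.items() if peak_per_minute(ts) >= per_minute}


def slow_scan_alerts(events, window=timedelta(hours=24), min_targets=8):
    """Correlation rule: many distinct (dst, port) pairs per source over a long window,
    regardless of how slowly they arrive. Reports the peak rate to show why the
    per-minute rule missed it."""
    denies = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denies[e["src"]].append(e)
    found = {}
    for src, evs in denies.items():
        targets = {(e["dst"], e["dport"]) for e in evs}
        times = [e["ts"] for e in evs]
        if len(targets) >= min_targets and max(times) - min(times) <= window:
            found[src] = {"targets": len(targets), "peak_per_min": peak_per_minute(times)}
    return found


def outbound_irc_alerts(events):
    """Internal hosts ALLOWED out to an IRC port: a candidate bot control channel."""
    return {
        (e["src"], e["dst"], e["dport"])
        for e in events
        if e["action"] == "ALLOW"
        and ipaddress.ip_address(e["src"]) in INTERNAL
        and e["dport"] in IRC_PORTS
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rate rule fires on:", rate_alerts(evs))
    print("long-window correlation fires on:", slow_scan_alerts(evs))
    print("outbound IRC:", outbound_irc_alerts(evs))
```

On the sample, the rate rule sees only the three-second scanner; the slow scanner (ten ports over six hours, never more than one event per minute) appears only in the long-window correlation. Running both rules, and keeping enough log history to cover the window, is the point of the SEM layer on slide 14.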
  • 16. "Network CCTV" as a Forensic Tool. Commonly used existing sniffing products: Microsoft Net Mon, NAI Sniffer, Ethereal. Problem: the ability to capture the moment of attack at the right time and understand what led up to the attack.
  • 17. "Network CCTV" as a Forensic Tool. For the IDS & Network CCTV: NIKSUN NetDetector. Other products such as NetIntercept.
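Slides 16 and 17 contrast an on-demand sniffer, which has to be running at the moment of attack, with a network recorder that captures continuously so the lead-up can be replayed later. The following is an added example, not code from the presentation or from NetDetector or NetIntercept: a minimal ring-buffer recorder that writes standard libpcap files (readable by Ethereal/Wireshark or tcpdump), rotates them by time, deletes the oldest beyond a retention limit, and then extracts the packets from the minutes before an alert, reporting when the lookback reaches past what the ring still holds. The `ring-<epoch>.pcap` naming, the packet bytes and the timestamps are constructed for the example.

```python
"""Ring-buffer packet recorder writing libpcap files. Added example."""
import struct
import tempfile
from pathlib import Path

PCAP_MAGIC = 0xA1B2C3D4                 # microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, zone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def _file_start(path):
    """Epoch second encoded in a ring file name: ring-<epoch>.pcap (assumed layout)."""
    return int(path.stem.split("-")[1])


class RingRecorder:
    """Writes packets to pcap files, starting a new file every `rotate_seconds`
    and deleting the oldest once more than `max_files` exist."""

    def __init__(self, directory, max_files=4, rotate_seconds=60, snaplen=65535):
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.max_files, self.rotate_seconds, self.snaplen = max_files, rotate_seconds, snaplen
        self.fh = None
        self.file_start = None

    def _open(self, ts):
        self.close()
        path = self.dir / f"ring-{int(ts):010d}.pcap"
        self.fh = path.open("wb")
        self.fh.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, self.snaplen, LINKTYPE_ETHERNET))
        self.file_start = ts
        # Retention: the newest file is already on disk, so drop everything older than max_files.
        files = sorted(self.dir.glob("ring-*.pcap"), key=_file_start)
        for old in files[:-self.max_files]:
            old.unlink()

    def write(self, ts, pkt):
        if self.fh is None or ts - self.file_start >= self.rotate_seconds:
            self._open(ts)
        data = pkt[:self.snaplen]
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        self.fh.write(PKT_HDR.pack(sec, usec, len(data), len(pkt)))
        self.fh.write(data)

    def close(self):
        if self.fh:
            self.fh.close()
            self.fh = None


def read_pcap(path):
    """Yield (timestamp, bytes) from a little-endian pcap file."""
    with open(path, "rb") as fh:
        magic = GLOBAL_HDR.unpack(fh.read(GLOBAL_HDR.size))[0]
        if magic != PCAP_MAGIC:
            raise ValueError(f"{path}: not a little-endian pcap")
        while True:
            ph = fh.read(PKT_HDR.size)
            if len(ph) < PKT_HDR.size:
                return
            sec, usec, incl, _orig = PKT_HDR.unpack(ph)
            yield sec + usec / 1_000_000, fh.read(incl)


def packets_between(directory, start, end):
    """Return (packets in [start, end], gap). gap is True when the ring no longer
    holds data back to `start`: retention was too short for this lookback."""
    files = sorted(Path(directory).glob("ring-*.pcap"), key=_file_start)
    if not files:
        return [], True
    gap = _file_start(files[0]) > start
    hits = []
    for path in files:
        if _file_start(path) > end:
            break
        hits.extend((ts, pkt) for ts, pkt in read_pcap(path) if start <= ts <= end)
    return hits, gap


def demo(directory=None):
    """Record six minutes of constructed frames (one per 10 s) into one-minute
    files keeping four, then look back 2 and 5 minutes from an alert at t+350 s."""
    directory = directory or tempfile.mkdtemp()
    rec = RingRecorder(directory, max_files=4, rotate_seconds=60)
    base = 1_200_000_000
    for i in range(36):
        rec.write(base + i * 10, b"\x00" * 14 + f"pkt{i:02d}".encode())  # placeholder frame
    rec.close()
    alert = base + 350
    short = packets_between(directory, alert - 120, alert)
    long_ = packets_between(directory, alert - 300, alert)
    return {
        "files": sorted(p.name for p in Path(directory).glob("ring-*.pcap")),
        "two_minute_lookback": (len(short[0]), short[1]),
        "five_minute_lookback": (len(long_[0]), long_[1]),
    }


if __name__ == "__main__":
    print(demo())
```

The two-minute lookback is served entirely from the ring; the five-minute lookback returns what survives but flags a gap, because the two oldest files were already overwritten. Sizing `max_files` against link rate so that the gap never reaches back to the earliest event an IDS alert could refer to is the design question the slide raises as "capturing the moment of attack at the right time".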
  • 18. "Network CCTV" as a Forensic Tool. Diagram: three sites (Manchester, Leeds, London HQ) linked over the Internet/WAN; at HQ a Web Server, Mail Server and VPN Gateway; a Stealth Monitoring LAN with a Central Security Server; a Security LAN and Trusted LANs at UNCLASSIFIED and RESTRICTED levels; a Network IDS Sensor; and a Proposed Network Recorder.
  • 19. Hiding In The Noise (screenshot)
  • 20. Network Packet Decode (screenshot)
  • 21. Summary
    - CCTV in the UK has been highly successful
    - Social issues – invasion of privacy
    - "Network CCTV" is very powerful as a forensic tool
    - Employee and citizen rights apply here too
    - The threat to corporate and government networks from terrorism and espionage continues to grow
  • 22. Creative Commons Attribution-ShareAlike 2.0. You are free: to copy, distribute, display, and perform this work; to make commercial use of this work. Under the following conditions: Attribution – you must give the original author credit. Share Alike – if you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
  • 23. www.fistconference.org