The document discusses challenges in network forensics and describes a scenario where the chief forensic investigator Judy at NAI calls a meeting with her team to discuss analyzing network logs to investigate unusual login attempts from the CFO's account while he was on vacation, highlighting that network logs are an important source of forensic evidence but networks present complexities for investigators due to multiple devices, external networks, and log files from various sources.
What are two items to consider when creating a malware analysis.docx

1. What are two items to consider when creating a malware analysis environment? Could malware detect and react differently if a potential malware analysis tool/environment is detected? Give two possible examples.

UMUC (2013). Network Forensics. Cybercrime Investigation and Digital Forensics. Retrieved from http://tychousa5.umuc.edu/CSEC650/1202/csec650_07/assets/csec650_07.pdf

2. Give an example of an incident where it was discovered that a RAT was found in a corporate network. Identify one method a forensic investigator may use to identify a potential RAT program.

UMUC (2013). Network Forensics. Cybercrime Investigation and Digital Forensics. Retrieved from http://tychousa5.umuc.edu/CSEC650/1202/csec650_07/assets/csec650_07.pdf
Paper Rubric
Used to grade papers in the course.

Levels of Achievement (criteria and explanation)

Thesis/Introduction (10 points): The assignment has a clear thesis which addresses all parts of the topic.
Analysis (30 points): Development of each of the introduction's thesis points; focused treatment of the essay question. Analysis is detailed, understandable and accurate.
Evidence (30 points): Citation of specific historical events/developments to support analysis. Reference to footnoted and/or cited sources.
Grammar/Organization (20 points): Proper paragraph organization for the essay with correct style usage.
Conclusion (10 points): Short summation of paper.
Contents

What is Network Forensics?
Why We Need Network Forensics
Topic 4: Challenges in Network Forensics
  The Complexities of Network Forensics
  The Key to Network Forensic Investigations
  Case Study: Birth of the Earth
Topic 5: Botnets
  Botnets as a Network Forensic Antagonist
  Types of Botnets
  Challenges and Protection
  Activity: Annihilating the Internet
Topic 6: Performing Live Acquisitions
  Performing Live Acquisitions of Data
Steve Freeman, a senior network engineer at National Aerospace Industries (NAI), notices some unusual activity on the company's Wide Area Network (WAN). Steve knows that network forensics can help solve cases of data leakage and network intrusions by performing an in-depth and accurate analysis of the network. He asks a network forensic investigator to conduct a forensic investigation on the company's network. Steve is hoping that the network forensic investigator can help determine the cause of the unusual activity.

Scenario

Scene 1
Steve Freeman is the senior network engineer at NAI. He notices unusual activity on NAI's WAN, which serves about 1,200 users.

Scene 2
Steve: Our company's network-management system has set off an alarm. There have been repeated unsuccessful log-ins, and they're all from Chief Financial Officer David Thompson's account.
Steve: I wonder if the simultaneous occurrence of the unusual activity on the WAN and this alarm is a coincidence. I'd better review the alarm.

Scene 3
Steve: There have been 24 attempted log-ins within a five-hour period, from 1 a.m. to 6
Scene 5
Judy contacts Mr. Thompson's secretary, who tells her that Mr. Thompson is in Florida on a family vacation. Given the potentially serious nature of this situation, Judy contacts him on his cell phone.

Scene 6
A transcript of the conversation between Judy and Mr. Thompson is reproduced below.
Judy: Hello, Mr. Thompson. I'm sorry to call while you're on vacation. There were several unsuccessful log-in attempts from your account. Have you had any log-in issues?
Mr. Thompson: No, I haven't logged in to my account for a week. What do you plan to do now?
Judy: We're looking into it. I'll let you know what we find.

Scene 7
Judy: I'm really concerned now. Is a hacker trying to get into the network? Could the hacker already be inside, or is this just a glitch?

Scene 8
Judy: I'm going to conduct a rigorous network forensic review. I'd also better get our incident response team involved.
The Need for Network Forensics
An important question to ask about network forensics concerns its value to an organization. Network forensics is useful in capturing an attack fingerprint and performing post-attack analysis for security exploits. Using network forensics, a forensic examiner can analyze historical network traffic. Such analyses help examiners investigate security attacks. Network forensics helps to reconstruct the sequence of events that occurred during the breach to get the complete picture.

Cybersecurity attacks have become common these days. A Distributed Denial of Service (DDoS) attack on Bitbucket.org—a Web-based code-hosting service that relies on Amazon's Elastic Compute Cloud (EC2)—and a DDoS attack on Facebook and Twitter in August 2011 are headline examples (WildPackets, n.d., p. 3).

In addition, IT professionals commonly use network forensics to do these things (WildPackets, p. 3):
- Enhance network performance.
- Improve the organization's intrusion-detection technologies.
- Identify any rogue devices that reside on the network.
- Prevent computer malware and network hacks.

Reference: WildPackets. Network Forensics 101: Finding the Needle in the Haystack. Retrieved from https://mypeek.wildpackets.com/elements/whitepapers/Network_forensics101.pdf
The Benefits of Network Forensics

Monitoring User Activity
Monitoring user activity is an important aspect of workplace productivity as well as cybersecurity. For instance, social networking sites are known to create a significant decrease in worker productivity. As a result, many organizations have implemented policies that prohibit or minimize such activities (WildPackets, p. 3).

In addition, organizations have policies prohibiting non-work-related activities—such as online gaming and movie watching—that use network resources. Finally, rogue network forensics can monitor these types of activities and provide management with the evidence required to take disciplinary action against employees who violate an organization's policies (WildPackets, p. 4).

Reference: WildPackets. Network Forensics 101: Finding the Needle in the Haystack. Retrieved from https://mypeek.wildpackets.com/elements/whitepapers/Network_forensics101.pdf
Identifying the Source of Data Leaks
Network monitoring helps to supervise the flow of data and to

protocols that transmit data in plain text, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet, and Structured Query Language (SQL) (WildPackets, p. 4).

Network administrators are the owners of audit logs, so they bear accountability for maintaining and archiving these logs, some of which may be initiated by the organization's customers. If there are problems with certain business transactions, network forensic techniques often can be used to resolve them.

Reference: WildPackets. Network Forensics 101: Finding the Needle in the Haystack. Retrieved from https://mypeek.wildpackets.com/elements/whitepapers/Network_forensics101.pdf

Identifying the Source of Intermittent Network Performance Issues
A practical application of network forensics is the identification of network performance issues in an organization's LAN or WAN through retrospective analysis. Network forensic tools are more scientific and reliable than traditional troubleshooting tools, and a timeline analysis can provide the information required to plot and analyze all detailed and significant network events (WildPackets, p. 4).
Jean. In this meeting, Judy hopes to discuss the merits of analyzing network logs because she intends to conduct a log review of NAI's network to trace the cause of the alarm.

A transcript of the discussion among Judy and her team is reproduced here.
Judy: Thank you all for taking the time to attend this discussion.
Judy: I'm hoping we can conduct a log review of NAI's network, and I'd like to hear your thoughts about the merits of conducting such a review.
Calpurnia: I think it's a good idea. At the very least, the network logs can provide information about the evidence trail of network events.
Jean: I agree. The ability to analyze network logs is a big advantage for us.
Steve: It'll be a big help if we can verify the entry points, personnel involved, and systems used to access the network.
Judy: Yes, our organization had the foresight to make decisions about how the information is logged and retained.
Jean: Judy, network log files can be extremely large. I suggest we establish accurate network log analysis processes, data-retention policies, and toolkits to analyze this information.
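The log review Jean proposes, applied to the alarm from Scene 3, reduces to a small repeatable check. The following is an added example and not code from the course module: it parses constructed authentication log lines, finds accounts whose failed log-ins cluster inside a five-hour window, summarizes the evidence trail (time span, entry points, services) and cross-checks the account against a constructed out-of-office list, as with the CFO on vacation. The log format, user names, addresses, threshold and out-of-office list are all assumptions.

```python
"""Added example (not the course module's code): review of authentication log
lines for clustered failed log-ins, as in the NAI scenario. Log format, user
names, addresses, threshold and out-of-office list are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-like line: "<ts> <host> auth: result=OK|FAIL user=.. src=.. svc=.."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>OK|FAIL) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$")

def parse_auth_log(text):
    """Parse matching lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append(ev)
    return events

def failed_login_bursts(events, threshold=10, window=timedelta(hours=5)):
    """Per account, find the densest run of FAIL events inside a sliding window and
    report accounts reaching `threshold` with the evidence trail the meeting asks
    for: count, time span, entry points (source addresses) and services used."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["user"]].append(ev)
    findings = {}
    for user, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = (0, 0, 0), 0          # (count, first index, last index)
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, i, j = best
        if count >= threshold:
            burst = evs[i:j + 1]
            findings[user] = {"failures": count,
                              "first": burst[0]["ts"], "last": burst[-1]["ts"],
                              "entry_points": sorted({e["src"] for e in burst}),
                              "services": sorted({e["svc"] for e in burst})}
    return findings

def cross_check_absence(findings, out_of_office):
    """Keep findings for accounts whose owner is recorded as away (the CFO on
    vacation): those attempts cannot be the user's own."""
    return {u: f for u, f in findings.items() if u in out_of_office}

def constructed_log():
    """Constructed sample: 24 FAILs for the CFO's account between 1 a.m. and 6 a.m.
    (Scene 3), ordinary activity from another user, and one malformed line."""
    lines = ["2013-03-20T00:58:02 fw01 auth: result=OK user=jsmith src=10.20.4.17 svc=vpn"]
    t = datetime(2013, 3, 20, 1, 5, 0)
    srcs = ["203.0.113.45", "198.51.100.7"]        # documentation-range addresses
    for n in range(24):
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} fw01 auth: result=FAIL user=dthompson "
                     f"src={srcs[n % 2]} svc={'owa' if n % 3 == 0 else 'vpn'}")
        t += timedelta(minutes=12)
    lines.append("2013-03-20T08:12:00 fw01 auth: result=FAIL user=jsmith src=10.20.4.17 svc=vpn")
    lines.append("2013-03-20T08:12:20 fw01 auth: result=OK user=jsmith src=10.20.4.17 svc=vpn")
    lines.append("truncated line that the parser must skip")
    return "\n".join(lines)

OUT_OF_OFFICE = {"dthompson"}       # constructed: the CFO is on vacation

def review(text):
    """Whole review: (all findings, findings for accounts recorded as away)."""
    findings = failed_login_bursts(parse_auth_log(text))
    return findings, cross_check_absence(findings, OUT_OF_OFFICE)

if __name__ == "__main__":
    for user, f in review(constructed_log())[1].items():
        print(f"{user}: {f['failures']} failed log-ins {f['first']:%H:%M}-{f['last']:%H:%M}, "
              f"from {', '.join(f['entry_points'])} via {', '.join(f['services'])}")
```

On a real log the same functions run unchanged; only LINE_RE and the out-of-office source need to match the environment's format and HR records.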
response, and investigations.

Reference: Caballero, A., & Fidge, S. Network Forensics: SIEM, the Investigations Triad, and SANS Top-20 Vulnerabilities. Retrieved from http://megabyteconcepts.com/Documents/ASC_Network_Forensics.pdf

Vulnerabilities
Vulnerabilities in IT systems are frequently unknown or are not immediately detected. Network forensic tools can help identify vulnerabilities and provide detailed information to the appropriate administrator, whose responsibility it is to fix vulnerabilities.

Intrusion Response
Intrusion response can create a particularly challenging situation for digital forensic investigators. One of the fundamental questions debated in such investigations is whether to shut the network down immediately or observe the intruder's behavior to gather more evidence. The obvious risk of having the intruder on the network for an extended period is that he or she can further damage the network. Conversely, tracking the intruder's actions can help acquire sufficient evidence to pursue a strong legal case.

Investigations
Question 2: Select the network(s) that network forensic tools and investigative techniques can be useful with.
a. Local Area Network (LAN)
b. Personal Area Network (PAN)
c. Wireless network
d. Wide Area Network (WAN)
Correct Answers: Options a, b, c, and d
Feedback: Network forensic tools are useful with all types of computer networks.

Question 3: Which term refers to a type of record that should be kept for all business transactions and is often useful to digital forensic investigators?
a. General journal
b. Audit trail
c. Purchase requisition
d. Inventory listing
Correct Answer: Option b
Feedback: Audit trails document the flow of business transactions on a step-by-step basis.

Question 4: What type of process is a network forensic investigation?
a. Proactive
b. Experimental
c. Reactive
d. Educational
Botnet
A botnet is a collection of computers infected by bots. A botnet is formed by running software, which is usually installed via drive-by downloads that exploit Web browser vulnerabilities, ActiveX controls, plug-ins, or any other applications that a computer requires to browse the Internet. Bots can control viruses, worms, Trojan horses, or backdoors under a common command-and-control infrastructure.

Botnet Attacks
Botnet attacks can have serious consequences, such as financial loss, including regulatory noncompliance fines and litigation fees associated with the theft of sensitive second- and third-party data or intellectual property leakage; damage to reputation; and the time and costs associated with preventing, detecting, and resolving attacks of fraud, DDoS, and spam (EdgeWave, 2011).

Reference: EdgeWave (n.d.). iPrism Technology. ThreatDefender.com. Retrieved from http://www.threatdefender.com/Web-Filter-Technology.asp

How Botnets Work
A bot herder or botmaster controls botnets remotely, usually through an Internet Relay Chat (IRC), which is a form of real-time communication over the Internet, or peer-to-peer (P2P) networking communications. Often the command-and-control takes place via a
Attackers have different motives for using botnets. The most common incentives, however, are financial gain and destruction.

Fraud
Fraud can take many forms and can be committed through many media, including "snail mail," wire, and telephone. Fraud is also committed over the Internet in various forms. For example, identity theft is one of the fastest-growing crimes on the Internet, and it is commonly initiated by bogus e-mail messages generated and sent by bots via spam. Bots can also harvest personal information through multiple fake Web sites by masquerading as popular auction Web sites, online money-transfer sites, or banks.

Spamming
Bots can spam a compromised computer via a generic proxy protocol for TCP/IP-based networking applications. Some bots can also implement a special function to harvest e-mail addresses and other personal information.

Distributed Denial of Service Attacks
Botnets are often used to carry out Distributed Denial of Service (DDoS) attacks on computer systems or networks. A DDoS attack causes a loss of service to users, including the loss of network connectivity and services, by consuming the bandwidth of the victim network or by overloading the computational resources of the victim system.

Sniffing Traffic
Bots can use packet sniffers to watch for and retrieve sensitive clear-text data, such as usernames and passwords, passing by a compromised computer.

Keylogging
Attackers use keylogging to retrieve encrypted sensitive data that sniffers cannot decrypt. By monitoring each keystroke a user types on his or her keyboard, an attacker can obtain a variety of user-specific information.

Spreading New Malicious Code
Because all bots implement mechanisms to download and execute a file via HTTP or FTP, botnets usually spread new bots. They can also spread e-mail viruses, Trojans, worms, and other malicious code.
UMUC Cybercrime Investigation and Digital Forensics, CSEC650
supplement any subsequent network-level investigation (Law, Chow, Lai, & Tse, 2009, p. 162).

Reference: Law, F. Y. W., Chow, K. P., Lai, P. K. Y., & Tse, H. K. S. (2009). A Host-Based Approach to BotNet Investigation? Center for Information Security & Cryptography. Retrieved from http://www.cs.hku.hk/cisc/forensics/papers/09_05.pdf

Polymorphism
Polymorphism is a condition in which bots change with every instantiation so that they always appear to be new.

Rootkitting
Rootkitting is the stealthy installation of software called a rootkit, which is activated each time a user boots up the system. Rootkits are difficult to detect because they are activated before the system's operating system has completely booted.

Periodic Communications
A botnet communicates with its controller only periodically. Therefore, the low volume of communication makes it more difficult to analyze.
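The periodic, low-volume check-in described above is also what a defender can look for in flow records, because evenly spaced contacts stand out even when each one carries very little data. The following is an added example and not code from the course module: it groups constructed flow records by host pair and flags pairs whose inter-arrival gaps are nearly constant and whose transfers are small. The addresses, intervals and thresholds are assumptions for illustration.

```python
"""Added example (not the course module's code): flag low-volume, evenly
spaced contacts between a host pair in constructed flow records. Addresses,
intervals and thresholds are assumptions for illustration."""
import random
from collections import defaultdict
from statistics import median


def inter_arrival_intervals(times):
    """Gaps between consecutive contact times, in seconds."""
    times = sorted(times)
    return [b - a for a, b in zip(times, times[1:])]


def periodicity_score(intervals):
    """Median absolute deviation of the gaps divided by their median.
    Close to 0 means the contacts are evenly spaced; None if undefined."""
    if not intervals:
        return None
    med = median(intervals)
    if med == 0:
        return None
    return median(abs(i - med) for i in intervals) / med


def find_beacons(flows, min_contacts=8, max_score=0.15, max_avg_bytes=2000):
    """flows: iterable of (epoch_seconds, src, dst, bytes). Returns
    {(src, dst): summary} for pairs that talk regularly and move little data,
    the 'periodic, low-volume' pattern that makes controller traffic easy to miss."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    results = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_contacts:
            continue
        intervals = inter_arrival_intervals([t for t, _ in recs])
        score = periodicity_score(intervals)
        avg_bytes = sum(b for _, b in recs) / len(recs)
        if score is not None and score <= max_score and avg_bytes <= max_avg_bytes:
            results[pair] = {"contacts": len(recs),
                             "median_interval_s": median(intervals),
                             "score": round(score, 3),
                             "avg_bytes": round(avg_bytes)}
    return results


def constructed_flows(seed=7):
    """Constructed sample: one internal host contacts an external address every
    ~600 s (up to 30 s jitter) with small payloads; another browses in irregular
    bursts with large transfers. Addresses come from documentation ranges."""
    rng = random.Random(seed)
    flows, t = [], 0
    for _ in range(30):
        t += 600 + rng.randint(-30, 30)
        flows.append((t, "10.20.4.88", "203.0.113.9", rng.randint(200, 600)))
    t = 0
    for _ in range(30):
        t += rng.choice([3, 8, 15, 900, 2400])
        flows.append((t, "10.20.4.17", "198.51.100.20", rng.randint(5000, 80000)))
    return sorted(flows)


if __name__ == "__main__":
    for pair, s in find_beacons(constructed_flows()).items():
        print(f"{pair[0]} -> {pair[1]}: {s['contacts']} contacts, median gap "
              f"{s['median_interval_s']} s, score {s['score']}, avg {s['avg_bytes']} B")
```

The score is only a triage signal: legitimate software updaters and monitoring agents also check in on a schedule, so a flagged pair is a starting point for the log review, not a verdict.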
Retaliatory Denial of Service
Live investigations involving retaliatory DoS attacks can cause botmasters to expand their attack and cause even more damage. Retaliatory DoS
Topic 5: Botnets
Activity: Annihilating the Internet

It's time to end the electronic age and save the world from its wired and impersonal existence. Let's cut some wires, spread infection, and herald destruction—but in good faith. You are the chosen one! You are hereby crowned Botmaster.

Phase I: Organizing Your Botnet Technology
You are now Botmaster, and it is your responsibility to begin annihilating the Internet! You have a budget of $1,500 to fund your dastardly deeds. Your first step will be to establish a command-and-control structure, which will allow you to gain the largest amount of information possible. As everyone knows, information is money!

Get started!
Welcome to the malware factory!
Carry out all necessary steps to acquire the tools you will need in your toolbox.

Step 1: Select the malware you want to create for annihilation. Keep in mind your budget and your goal of producing an appropriate impact!
a. Virus: $100, Low Impact
b. Worm: $250, Low Impact
c. Trojan Horse: $400, Low Impact
d. Rootkit: $750, High Impact

Step 2: Select the distribution mechanism for your malware.
a. Through a rogue distribution of a popular software program: $200
b. Via a downloadable game: $250
c. Through a Web browser: $175
d. As an e-mail attachment: $125

Step 3: How about customizing your malware to make it unique? Select a tool from the options below.
a. Code Monster: $200
The Code Monster will allow you to develop and customize your malware code. You can choose to combine your malware with existing programs to develop superlatively malicious software.
b. Web Map: $250
Use the Web Map to keep track of your work. You can configure the Web Map to notify you when your malware infects new computers, to track the activities of other hackers, and to identify new targets to attack. Your targets can include private- and public-sector computers and Web sites. The Web Map comes equipped with various resources, such as the results of passive scans of networks.
c. Malware-Gro Toolkit: $275
Use the Malware-Gro Toolkit to determine the size of your botnet. You can even begin small and then grow, depending on your interest and the amount of damage
developments.

Zombie 4: Michael Thomas
Michael is a college student. He uses the Internet to stay connected with his friends and to learn about new technology. An avid blogger, he usually blogs about music, travel, and changing technological trends.

A transcript of the chat between the Botmaster and Martha/Gareth is below.
Botmaster: Hello! I am Botham. I work as a travel agent. Are you interested in traveling to exotic destinations?
Martha/Gareth: I do not talk to strangers, Botham. I hope you don't mind.

A transcript of the chat between the Botmaster and Rob/Michael is below.
Botmaster: Hello! I am Botham. I work for a travel agent. Are you interested in traveling to exotic locations?
Rob/Michael: Yes, I am.
Botmaster: Great! I love traveling too, and was hoping to meet people on the Internet who share my interests.
Rob/Michael: Hmm.
Botmaster: So…do you travel budget or luxury?
victim.

Phase III: Retaliation by the Infected Zombie
You will now step into the shoes of the victim. Look at the incident from the victim's perspective.

The victim's train of thought is reproduced below.
Victim: I cannot believe it. I have all kinds of unauthorized charges on my credit cards, and someone has dipped into my checking account, too.
Victim: Could I have been the victim of a botnet attack? I remember reading about how victims of botnet attacks lose their personal identity and financial security.
Victim: I'm sure I didn't share my bank or credit card details with anyone.
Victim: Hmm … the withdrawals from my account began a couple of days after I visited that travel Website.
Victim: The site was really useful, and I booked my next vacation almost for free. However, they say there's no such thing as a free lunch. Is it possible my computer is infected with some type of malware?
Victim: I'm angry at myself for not being more careful. I never thought I was a gullible person, but I'm going to have to be more careful.
Victim: I would love to track that person down while I try to
c. Spread, infect, command and control, and attack
d. Infect, command and control, spread, and attack
Correct Answer: Option c
Feedback: The proper sequence of steps in the botnet life cycle is: spread, infect, command and control, and attack.

Question 3: Which of the following malicious goals can botnets accomplish?
a. Spamming
b. Fraud
c. Antivirus protection
d. DDoS attacks
Correct Answers: Options a, b, and d
Feedback: Spamming, fraud, and DDoS attacks are common malicious goals of botnets.

Question 4: What challenges do digital forensic investigators face in detecting botnets?
a. Polymorphism
b. Fast flux
c. Covert channel communications
d. Rootkitting
Correct Answers: Options a, b, c, and d
Feedback: Polymorphism, fast flux, covert channel communication, and rootkitting are all challenges for digital forensic investigators in detecting botnets.
Digital forensic researchers have identified several methods to improve the live acquisition of network data. Judy conducts a presentation to teach her team members techniques for improving the live acquisition of data.

Recommendation 1: Position the collector as close as possible to the source of information.
The physical and the logical distance of the source of information must be considered. The collector should be as close as possible to the evidence source, both physically and logically. Proximity helps minimize latency and the potential loss of evidence, and it supports the authenticity of the evidence.

Recommendation 2: Perform write blocking of the evidence.
Perform write blocking of data to maintain the integrity of the evidence. Write blocking can be done with one-way Ethernet cables or by using a read-only FTP client device. In addition, write blocking should be performed in front of a witness, and both the procedures and the results should be documented. The documented data will serve as verification of the data's integrity.

Recommendation 3: Define workable boundaries to collect relevant data.
Define workable boundaries so that the investigator collects relevant data. Due to the nature of high-speed networks, data travels faster than it can be fully captured in a live environment. Coordinating with an organization's IT staff to develop some filters and other technical controls is helpful.

Recommendation 4: Ensure that documentation requirements are met.
Nickell (2006) makes seven specific recommendations for documentation:
1. Diligence on the forensic investigator's part
2. Adherence to accepted methods and procedures
3. Precise data showing what was collected or, in some cases, not collected
4. Start and end timestamps
5. Additional technical information, such as lower-level protocol information or headers
6. Notation of any errors or lost or corrupted data
7. Other meta information, such as the investigator's name, case ID, and case/evidence descriptions

Reference: Nickell, B. (2006). "Improving Evidence Acquisition from Network Sources," Digital Investigation: The International Journal of Digital Forensics and Incident Response, Vol. 3, No. 2.
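One way to act on Recommendations 2 through 4 together is a record that lists each documentation item beside a hash of the preserved capture, so a reviewer can check both that nothing is missing and that the bytes have not changed since they were documented. The following is an added example, not code from the course module or from Nickell; the case ID, names, capture filter, timestamps and capture bytes are constructed.

```python
"""Added example (not the course module's code): an acquisition record that
covers the documentation items listed above and lets a reviewer confirm the
preserved capture has not changed. Case ID, names, filter and capture bytes
are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a preserved capture file (not a real pcap).
CAPTURE = b"\xd4\xc3\xb2\xa1" + b"constructed capture bytes " * 8

REQUIRED_FIELDS = (
    "case_id", "investigator", "evidence_description",  # 7. meta information
    "method",                                           # 2. accepted methods and procedures
    "collected", "not_collected",                       # 3. what was and was not collected
    "started_utc", "ended_utc",                         # 4. start and end timestamps
    "protocol_notes",                                   # 5. lower-level protocol information
    "errors",                                           # 6. errors, lost or corrupted data
    "write_block_witness", "sha256",                    # Recommendation 2: witnessed, verifiable
)


def sha256_hex(data):
    """Digest recorded at acquisition time and recomputed at every later check."""
    return hashlib.sha256(data).hexdigest()


def make_acquisition_record(capture, **fields):
    """Build the record for one live acquisition. Item 1 (diligence) is what
    the record as a whole demonstrates; the hash ties it to the bytes."""
    if fields["ended_utc"] < fields["started_utc"]:
        raise ValueError("end timestamp precedes start timestamp")
    record = dict(fields)
    record["started_utc"] = fields["started_utc"].isoformat()
    record["ended_utc"] = fields["ended_utc"].isoformat()
    record["bytes_collected"] = len(capture)
    record["sha256"] = sha256_hex(capture)
    return record


def missing_documentation(record):
    """Required items absent or blank. An empty 'errors' list is accepted:
    noting that no errors occurred is itself a notation."""
    return [f for f in REQUIRED_FIELDS
            if f not in record or (f != "errors" and record[f] in ("", None, []))]


def verify_capture(record, capture):
    """Re-hash the preserved capture; False means it differs from what was documented."""
    return record["sha256"] == sha256_hex(capture)


def example_record():
    """Constructed record in the NAI scenario's setting (all values are made up)."""
    return make_acquisition_record(
        CAPTURE,
        case_id="NAI-2013-0001",
        investigator="Judy, NAI chief forensic investigator",
        evidence_description="SPAN-port capture at the WAN edge, failed log-in review",
        method="Passive SPAN-port capture over a one-way Ethernet cable",
        collected="tcp port 22 or tcp port 443 or udp port 514",   # Recommendation 3 filter
        not_collected="All other traffic; link rate exceeded what could be fully captured",
        started_utc=datetime(2013, 3, 20, 6, 0, tzinfo=timezone.utc),
        ended_utc=datetime(2013, 3, 20, 7, 30, tzinfo=timezone.utc),
        protocol_notes="Ethernet II / IPv4; VLAN tags stripped by the SPAN session",
        errors=["capture driver reported 37 dropped packets at 06:42Z"],
        write_block_witness="Steve Freeman, senior network engineer",
    )


if __name__ == "__main__":
    rec = example_record()
    print(json.dumps(rec, indent=2))
    print("missing items:", missing_documentation(rec))
    print("capture intact:", verify_capture(rec, CAPTURE))
    print("after alteration:", verify_capture(rec, CAPTURE + b"\x00"))
```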
Log files are an important source of network data because they contain information about devices, Internet activities, services, and the active state of network data that can be valuable network forensic information.

The Investigations Triad methodology is an investigative technique that involves connecting the three main challenges in network forensics: vulnerabilities, intrusion response, and investigations.

A bot is an autonomous application that is often malicious. A computer attacked by a bot is known as a robot or a zombie. A collection of computers infected by bots is known as a botnet.

The life cycle of a botnet typically includes four phases: spread, infection, command and control (C&C), and attack.

Some challenges encountered while dealing with botnets include polymorphism, rootkitting, periodic communications, retaliation, denial of service, distributed denial of service, fast flux, and encrypted channels and code.

The most common methods of protecting networks against botnets are using several firewalls and a layered security approach, installing
connectivity. Though originally intended for debugging purposes, backdoors are currently used for remote command-and-control actions.

Bot: A bot is a computer program that is used to rapidly carry out a large number of automated and repetitive tasks on the Internet, usually in a cybersecurity attack.

Bot herder: A bot herder, also known as a botmaster, controls botnets remotely and tricks a victim into installing malicious code on a computer.

Botnets: A botnet is a group of robots, or compromised computers, running automatically. Often, the victims whose computers are part of the botnet are unaware of the invasion.

Command-and-Control: A command-and-control system provides for command and control of system components, such as other computers.

Deadbox Forensics: Deadbox forensics is an expression that refers to forensic analysis of laptops and PCs that are not actively connected to a live network.

Denial of Service: Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks use "zombie" servers to flood a target site with large volumes of traffic. This flood of traffic consumes all of the target site's network or system resources and denies access to legitimate users.

Distributed Denial of Service: In a distributed denial of service attack (DDoS attack), a computer's resources are made unavailable to its user when several compromised systems flood it with useless data.

Fast Flux: Fast flux is a Domain Name Server (DNS) technique used to hide phishing and malicious code delivery sites behind compromised hosts that act as proxies.

File System Forensics: File system forensics is the forensic analysis of an individual computer's file system and operating system components.

FTP: File Transfer Protocol (FTP) is an application protocol that uses the TCP/IP protocol (or the Internet) to transfer files between computers.

HTTP: Hypertext Transfer Protocol (HTTP) transmits Web pages to clients.

Internet Relay Chat: Internet Relay Chat (IRC) is a form of communicating over the Internet using private messages, chats, or group discussions.
instantiation, so they always appear to be new.

Rogue Network Forensics: Rogue network forensics is used to describe the practice of using network forensic techniques to perform malicious activities.

Rootkitting: Rootkitting is the stealthy installation of software called a rootkit, which is activated each time a user boots up a system.

Small-Scale Digital Devices: Small-scale digital devices are devices that are analogous to embedded systems.

Structured Query Language: Structured Query Language (SQL) is a data-manipulation language that is the de facto standard used to manage actual data in relational database management systems.

Telnet: Telnet enables remote use and supervision of systems. Network administrators monitor and control systems remotely using Telnet.

Traceroute: Traceroute traces the path of packets across an IP network. An intruder uses traceroute to map routers for known destinations around the targeted system.

Whatsup: Whatsup is network-monitoring software.

Wireshark: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Write Blocking: Write blocking is a forensic technique used to avoid altering the state of the source computer, in order to create a forensically sound image of that computer.

Zombie: A zombie is a computer that is remotely controlled by a bot herder or botmaster in a botnet.