File000139

Module XXVI – Network Forensics and
Investigating Logs

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Accused SF Network
Hacker Facing Felony Charges
Source: http://www.foxreno.com/

EC-Council
Module Objective
• Network Forensics
• Network Attacks
• Where to Look for Evidence
• Investigating Logs
• Handling Logs as Evidence
• Log Injection Attacks
This module will familiarize you with:

EC-Council
Module Flow
Network Forensics
Investigating Logs Where to Look for Evidence
Handling Logs as Evidence
Network Attacks
Log Injection Attacks

EC-Council
Network Forensics
• Source of security incidents and network attacks
• Path of the attack
• Intrusion techniques used by attackers
Network forensics can reveal:
Network forensics can be defined as sniffing, recording, acquisition
and analysis of the network traffic, and event logs in order to
investigate a network security incident

EC-Council
The Intrusion Process
Internet
Laptop
CORPORATE NETWORK
Mainframe
Server
Computer
Laptop
Printer
Server
Server
Firewall
Router
Firewall
Server
Hub
Hub Router
Intermediate
"Owned"
Computer
Intermediate
"Owned"
Computer
Intermediate
"Owned"
Computer
Intermediate
"Owned"
Computer
ISP Router
ISP Router
ISP Router
ISP Router
ISP Router

EC-Council
Network Vulnerabilities
• These vulnerabilities occur due to the
overextension of bandwidth and bottlenecks
Internal network vulnerabilities:
• These vulnerabilities occur due to the threats such
as DoS/DDoS attacks and network data
interception
External network vulnerabilities:

EC-Council
Network Attacks
IP Spoofing
Router attacks
Eavesdropping
Denial-of-Service
Man-in-the-Middle Attack
Sniffer Attack
Data Modification Attacks
Enumeration
Virus
Trojan
E-mail Infection
Password Cracking
Malware attacks

EC-Council
Where to Look for Evidence
Log files from following devices and applications can be used as
evidence for network security incidents:
• Firewalls
• Routers and switches
• Intrusion Detection Systems
• Intrusion Prevention Systems
• Servers, desktops, and mainframes
• Business applications
• Databases
• Anti-virus
• VPNs

EC-Council
Investigating Logs

EC-Council
Postmortem and Real-Time
Analysis
Forensic examination of logs are divided into two categories :
• Postmortem of logs are done for the investigation of something
that has already happened
Postmortem
• Real-Time analysis are done for the ongoing process
Real-Time Analysis
Practically, IDS is the real-time analysis where as the forensic
examination is postmortem

EC-Council
Handling Logs as Evidence
• It is hard to refute one log entry if two separate devices record
the same information
• Firewall logs, IDS logs, and TCPDump can help to prove that
an IP address hits a specific server at a specific time
Use Multiple Logs as Evidence
• When no log files exist, there is no way of knowing if the
server got no hits (say it was offline for a day) or if the log file
was actually deleted
Avoid Missing Logs

EC-Council
Log File Authenticity
Log files can be said to be authentic if it can be proven that they have not been modified
since they were originally recorded
Move the Logs - If a server has been compromised, you must consider that the log files also
could have been compromised
Move the logs to a master server and then move them offline to a tape, CD

EC-Council
Use Signatures, Encryption, and
Checksums
To ensure that the log file is not modified, encrypt the log by using some public-
key encryption scheme
File signature makes the log file more secure
Use Fsum tool, MD5 to generate the hash code
Store the signature and hashes with the log
Store secure copy in a separate location

EC-Council
Work with Copies
Do not use original log files for analysis; always work on copies
Ensure that the original logs are never touched to maintain the authenticity of
the original log files
If you use log files as court evidence, you must present original files in their
original form

EC-Council
Ensure System’s Integrity
Always maintain up-to-date on service packs and hotfixes that assures that the
system’s file is valid
Audit all changes to binary files in WINNT directory
If an intruder modifies the system files that record log files then the usability of
the log files as evidence is not valid

EC-Council
Access Control
Once a log file is created, it is important to prevent the file from being accessed
and audit any authorized and unauthorized access
If you properly secure and audit a log file using NTFS permissions, you will have
documented evidence to establish its credibility

EC-Council
Chain of Custody
As you move log files from the server and later to an offline device, you should
keep track of where the file goes
This can be done either through technical or non-technical methods such as
MD5 authentication

EC-Council
Condensing Log File
Log files can be sorted by using a syslog but the output of the syslog contains
large log file
It is difficult for the forensic team to look for the important log entry
Log entries need to be filtered as per the requirement
Tools that can be used:
• Swatch
• Logcheck

EC-Council
Log Injection Attacks

EC-Council
New Line Injection Attack
In this attack, the attacker injects plaintext into the log files
The attacker tries to divert the attention of the investigator towards other
person
The log files application relates the user to the action performed
The log file before attack:

EC-Council
(cont’d)
The attacker changes the log file source code by inserting
[LINEBREAK] and changing the user name “Tester01” to say
“Manager01”
The log file after attack:
Figure: New lines inserted by attackers

EC-Council
Countermeasure
Remove all the new line characters such as carriage return (0x0D) and
line feed (0x0A) characters
The resulting log file would be as shown below:
Figure: Removing new lines

EC-Council
Separator Injection Attack
In this attack, the attacker injects a single pipe character or multiple pipe characters into
the log files
Some systems contain log files which has several data columns; these log files contain
single line of text file and data field separated by a pipe character
The sample log file is as shown:

EC-Council
(cont’d)
When the attacker injects single or multiple pipe characters the previous values
are replaced and shifted from one column to the next
Consider the example and if the value in the value field is replaced as “9.99 |
WRITE”
The values are shifted from one column to the next as shown:
Figure: Replaced value field

EC-Council
(cont’d)
Shifting log columns causes inconsistency in a log
file
The attack damages the log file integrity
It shows that the attack is performed on a pipe
character
Though the shifting of values is uncovered, it is
difficult to find the defender

EC-Council
Defending Separator Injection
Attack
Sanitize the inputs by morphing incoming data to a different representation
URL encoding and slash (“”) encoding techniques can be used to sanitize the inputs
In URL encoding technique the pipe character is encoded to a percentage sign followed by
the hexadecimal representation of its ASCII value
The log file after implementing URL encoding is as shown:
Figure: URL encoding

EC-Council
Timestamp Injection Attack
This attack uses combination of the New Lines and Separator injection
The log maintains the action that was taken, by whom it was initiated,
and when it occurred
Consider a stock trading system that stores all trade information in a
log file as shown:
Figure: Log of all trade information

EC-Council
(cont’d)
The new line input injection may look like:
• “AccountY[LINEBREAK] 21-05-2010 : 1002 : Trader1 has
retracted sell order”
The log output is as follows:
Figure: New line input injection

EC-Council
(cont’d)
The attacker must know the date and time of the logging component
The entries cannot be injected in a chronological order
The time stamp should lie between the surrounding time stamps
It is easy to find out region of uncertainty if limited number of lines are
injected
These scenarios create doubts in the legal case

EC-Council
Defending Timestamp Injection
Attack
Use sequence numbering, it is similar to time stamping and helps in overcoming the
predictable entry creation problems
The following figure illustrates that line 3 is out of sequence
Figure: Example with sequence numbering

EC-Council
Word Wrap Abuse Attack
In word wrap abuse attack, unusual log entries are created by using
white space padding
The line may wrap and cause an attack similar to new line injection
attack

EC-Council
Word Wrap Abuse Attack
(cont’d)
Instead of new line removal technique, the attacker may use the
following input:
• “Tester01. __________________Failed to delete all files
for Manager01.________Failed to move all files for
Manager01.__________Failed to remove user Manager01 for
Manager01.___Failed to logon for Tester01”
The log file looks like:
Figure: Word wrap abuse attack

EC-Council
Defending Word Wrap Abuse
Attack
The solution for this type of attack is entry splitting
Log is split into multiple lines after a specific length
Insert a marker to indicate that splitting has occurred
This technique provides generalized protection forms of
injection as they depend on long inputs being
undetectable

EC-Council
Defending Word Wrap Abuse
Attack (cont’d)
The log file entry after splitting looks like:
Here [CR] indicates that login software has inserted a carriage return
The disadvantage of this method is integrity of entries may be compromised

EC-Council
HTML Injection Attack
In this attack, the attacker injects HTML tags into a log
This will control the display of the subsequent entries
Consider a HTML log file which is potentially not secure
The browser under normal condition displays a list of all the
invalid session identifiers along with a timestamp

EC-Council
HTML Injection Attack (cont’d)
The HTML log file looks like:
Figure: HTML injection attack

EC-Council
Line7 in the example shows the potentially malicious Session ID which is under
the attacker’s control
The attacker can disable logging to perform other attacks changing the Session
ID to:
• “A345EFF345987435</tr></td>
• </table><font color=white>”
A new table will start closing the current row of the table with background color
as font color
Due to this, the session IDs will be logged in white font color which makes it
difficult to identify them against the background color

EC-Council
The log file is changed to:
Figure: Changed log file

EC-Council
Defending HTML Injection
Attack
Token removal is the solution for this kind of attack
Identify the inputs given by the attacker and remove the tokens so that they are not
interpreted upon display
Remove ‘<’ and ‘>’ characters wherever you find that a malicious input is given
The secured log file is written as:
Figure: Token removal

EC-Council
Terminal Injection Attack
It is an attack on log viewing interface
In this attack, terminal emulation is used to interpret
character sequence as the special action directives to the
terminal
Terminal injection can be used on a FTP client log file on a
Linux system
As an example, a bash shell command is used as a
backdoor by an attacker to display all the users’ passwords

EC-Council
Terminal Injection Attack
(cont’d)
Finally, FTP client leaves the log file with passwords
If attacker knows that the administrator of the system inspects the log file via a cat
command that displays its output in a terminal window, he can abuse its use of ANSI
terminal sequences to clear the screen and make the log file appear empty
The log file viewed by the attacker is:

EC-Council
Defending Terminal Injection
Attack
These attacks can be defended using a raw viewer such as hex editor
Using hex editor, the file contents can be viewed without any interpretation
It provides an hexadecimal output which is difficult to identify as shown:
Figure: Hex output of a terminal injection attack

EC-Council
Other Kinds of Log File Attacks
The other forms of attacks that to be known before developing a logging system
are:
• Buffer overflows in log files may corrupt the records and damage
the log file integrity
Buffer Overflows:
• These are mostly popular in Unix based logging systems and
dangerous in unproven components
Format Strings:
• This is the threat caused to the user data stored in relational
database
SQL Injection:

EC-Council
Other Kinds of Log File Attacks
(Cont’d)
• Attackers may use special characters to navigate unauthorized directories or
drives to overwrite important files
Directory Traversal:
• XML stores the different types of information including log data; external
and internal entity references and excessive recursion in XML may change
the functionality of log writing and reading
XML Attacks:
• This attack causes overflow of entries, individual logs and storage can be
filled to capacity, and log file infrastructure is appended with a ‘noise’ which
makes it difficult to identify real entries
Denial of Services:

EC-Council
Summary
Log files can be sorted by using a syslog but the output of the syslog contains a large log
file
Log entries need to be filtered
Postmortem of logs are done for the investigation of something which has already
happened
By combining logs from several devices, you strengthen the value of each
Investigate the logs for different log injection attacks

EC-Council

File000139

More Related Content

What's hot

Similar to File000139

More from Desmond Devendran

Recently uploaded

File000139