SlideShare a Scribd company logo
Network Forensics




Network Forensics                       1
Cyber Threat Evolution


                     Malicious
                                                   Identity Theft                  Data Theft
 Virus                 Code                                                          Botnet
                                                     (Phishing)
                     (Melissa)                                                  Targeted Attacks




         Breaking                 Advanced Worm /                   Organised Crime
         Web Sites               Trojan (I LOVE YOU)                Data Theft, DoS /
                                                                          DDoS




1977     1995         2000         2003-04             2005-06      2007-08
                                                                                  2009-10
Global Attack Trend




                      Source: Websense
Network Forensics ?
• What we have seen is DEAD analysis
• Network evidences are highly volatile.
• Needs real time analysis of network traffic.




Network Forensics                                4
Network Forensics
• Network forensics is the capture, recording, and
  analysis of network events in order to discover the
  source of security attacks or other problem incidents.
• The ultimate goal is to provide sufficient evidence to
  allow the criminal to be successfully prosecuted.
• Network forensics can reveal evidence that is crucial to
  building a case.
• Forensics for computer networks is extremely difficult
  and depends completely on the quality of information
  you maintain.


Network Forensics                                        5
Why network-based evidence?
– Host-centric forensics is an established discipline,
  but many investigators ignore or do not
  understand network traffic
– Network-based evidence can be found
  everywhere
– Network-based evidence can be easy to collect --
  without anyone's notice
Vulnerability

  Applications


Operating System


    Network
Vulnerability Exploitation Trends




                          *Symantec
Network Forensics Model
Proactive   Detect     Reactive
Forensics              Forensics


  Capture              Identify


            Preserve        Data Aggregation


                            Data Validation
            Research


            Extract         Data Analysis



             Solve          Data Confirmation
Network Elements
                           MX
            PC
                           Proxy
            Laptop
                           Relay
            Web Server
            Web Server
            Mail Server
            DB Server
            Firewall
            IDS / IPS
            Switch
            Router
            Wifi Router
            Access Point
Network Forensics
• Systematic Capture and Analysis of network
  events and traffic in order to trace and prove
  a network incident.

  – Online Capture and Analysis
  – Offline Analysis
Online Analysis of Network Traffic

Network-based evidence complements host-based
evidence.

Network traffic can be used to show a timed sequence of user’s
network activities.

Suspicious network activities can be monitored real-time.
Online Analysis of Network Traffic
Network traffic also enables an investigator to extract
information that is difficult to obtain from host-based
evidence, such as
       IP addresses and other identity information a user uses
       Passwords

•Specialized knowledge and tools are required to process
network traffic as a source of evidence.

In general, there is only one chance to capture real-time
network data from a network.
Online Monitoring

If you need to have online analysis of network you need
to capture packets.

Network Traffic Analysis requires online capturing
and analysis of packets in real time.

Used in Stateful Analysis

      IPS
      IDS
      Firewall
Capturing
Network Traffic Flow Analysis

   Capturing Network Traffic using

          TAPS
          InLine Devices
          Hubs
          SPAN Ports
TAPS
Test Access Ports

Devices specially built for accessing traffic between
network devices

Usually pre-installed at important traffic points


Physical devices are able to capture traffic at the
physical layer
TAPS
Inline device

Similar to a tap, but implemented using a computer having
at least two bridged NICs

The two devices being monitored are connected to these
two NICs

Traffic through the bridged NICs is available to the
computer or another device connected to an extra NIC

Inline devices are also used to enforce access control.
Hub

The simplest and cheapest way to gain access to
network traffic

A hub forwards frames to all ports.

A monitoring station, connected to one of the ports,
sees all traffic passing through the hub.
SPAN Port - Switched Port Analyzer
             (Port Mirroring)
  Provided on good switches

  A switch can be configured to copy one or more switch
  ports to a dedicated port.

  A capture device connected to the SPAN port sees traffic
  flowing through specified switch ports.

   A SPAN port only copies valid network packets.
          Error packets may be ignored and not copied.
Collecting Network Traffic as Evidence

• Position the sensor properly
• Consider perimeter monitoring
  scenario at right
   – Perimeter is easiest place to
      monitor
   – However, sensor as shown
      may not be able to see all the
      traffic an analyst needs to
      understand the scope of an
      intrusion
• Alternative deployments shown
  on following slides
Collecting Network Traffic as Evidence
• At left we monitor perimeter (via tap) and DMZ (via switch SPAN)




• At right we add a filtering bridge/sensor to watch and/or
  control a high value target
Collecting Network Traffic as Evidence

• Don't forget to accommodate address translation issues
• Here we add a second interface behind the gateway
Collecting Network Traffic as Evidence

• This network shows a variety of instrumentation options
Collecting Network Traffic as Evidence

• Verify the sensor collects traffic as expected
Collecting Network Traffic as Evidence

• Consider using Network Security Monitoring principles to guide your data
  collection strategies
   – Alert data (Snort, other IDSs)
        • Traditional IDS alerts or judgments (“RPC call!”)
        • Context-sensitive, either by signature or anomaly
   – Full content data (Tcpdump)
        • All packet details, including application layer
        • Expensive to save, but always most granular analysis
   – Session data (Argus, SANCP, NetFlow)
        • Summaries of conversations between systems
        • Content-neutral, compact; encryption no problem
   – Statistical data (Capinfos, Tcpdstat)
        • Descriptive, high-level view of aggregated events
• Sguil (www.sguil.net) is an interface to much of this in a single open
  source suite
Protecting and Preserving Network-Based Evidence

•   Hash traces after collection and store hashes elsewhere
•   Understand forms of evidence
•   Copy evidence to read-only media when possible
•   Create derivative evidence
•   Follow chains of evidence
Protecting and Preserving Network-Based Evidence

• Understand forms of evidence
• Best evidence should, to the extent practically possible, never be analyzed
  directly.
   – Rather, investigators should make working copies of the best
      evidence, and analyze those duplications.
   – Network traffic saved on a sensor is the best evidence available.
   – Copies of that traffic transferred to a central location become working
      copies.
Protecting and Preserving Network-Based Evidence

Create derivative evidence
   1. Ensure you have a hash of the original file stored in a safe
      location.
   2. After verifying the hashes match, use the desired Packet
      Analysis to extract packets of interest to a new file and
      directory.
   3. Hash the resulting file
   4. Make multiple copies of the new local evidence file, and
      analyze them at will.
   5. Document these steps on both platforms.
Analyzing Network-Based Evidence

•   Validate results with more than one system
•   Beware of malicious traffic
•   Document not just what you find, but how you found it
•   Follow a methodology
Trends

• Significant increase in network-based DoS attacks
  over the last year
  – Attackers’ growing accessibility to networks
  – Growing number of organizations connected to
    networks
• Vulnerability
  – Most networks have not implemented spoof
    prevention filters
  – Very little protection currently implemented against
    attacks
Goals of Attacks

• Prevent another user from using network
  connection
  – “Smurf” attacks, “pepsi” (UDP floods), ping floods
• Disable a host or service
  – “Land”, “Teardrop”, “Bonk”, “Boink”, SYN
    flooding, “Ping of death”
• Traffic monitoring
  – Sniffing
“Smurfing”
• Very dangerous attack
   – Network-based, fills access pipes
   – Uses ICMP echo/reply packets with broadcast networks to multiply
     traffic
   – Requires the ability to send spoofed packets
• Abuses “bounce-sites” to attack victims
   – Traffic multiplied by a factor of 50 to 200
   – Low-bandwidth source can kill high-bandwidth connections
• Similar to ping flooding, UDP flooding but more
  dangerous due to traffic multiplication
“Smurfing” (cont’d)
     ICMP echo (spoofed source address of victim)
                      Sent to IP broadcast address
       ICMP echo reply




                                                     Internet


Perpetrator
                                                                Victim
“Smurfing” trend
• Smurf attacks are still “in style” for attackers
• Significant advances made in reducing the
  effects
  – Education campaigns through the use of white
    paper and other education by NOCs has reduced
    the average “smurf” attack from 80 Mbits/sec to 5
    Mbits/sec
• Most attacks can still inundate a T1 link
“Teardrop”, “Bonk”, “Boink”, “Ping of
               Death”
• Goal is to severely impair or disable a host or
  its IP stack
• Use packet fragmentation and reassembly
  vulnerabilities
• Require that a host IP stack be able to receive
  a packet from an attacker
SYN flooding
• Goal is to deny access to a TCP service running
  on a host
• Creates a number of half-open TCP
  connections which fill up a host’s listen queue;
  host stops accepting connections
• Requires the TCP service be open to
  connections from the victim
Sniffing
• Goal is generally to obtain information
  – Account usernames, passwords
  – Source code, business critical information
• Usually a program placing an Ethernet adapter
  into promiscuous mode and saving
  information for retrieval later
• Hosts running the sniffer program is
  compromised using host attack methods.
Network Packet Analysis




                          39
Packet Switched Networks
• Each message is divided into small data blocks called
  packets
• Packets are stored, and forwarded by intermediate
  nodes
• Packets from different nodes, and process get
  intermixed in the network
• Packets may follow different routes

• Shortest path to the destination
                                                          40
Packet Route
Sender                                 Receiver
         Process

                   Router




                                           ……
 …




                                                  41
Packet Route
Sender                                 Receiver
         Process

                   Router




                                           ……
 …




                                                  42
Benefits

• No user can monopolise the link for long time

• Network traffic load balancing

• Doesn’t waste resources of network

• No congestion at connection setup time


                                                  43
Drawbacks

• Packets may arrive out of order. Message needs to be re-
  assembled at receiving end.

• May cause delay in real-time applications (audio/video)

• Service is not guaranteed



                                                        44
Packet
                          Packet

                     Header        Data


– Is a formatted block of data carried by a computer
   network
– Internet, LAN uses packet technology to transfer data
– Key components are header and data



                                                          45
Data

• Information to be conveyed between sender and the
  receiver

• It can be text or binary
   – Images, documents, web page, email …

• It may be small enough to store in a single packet or else
  it has to be split and stored in multiple packets



                                                           46
Header

• Meta information added to the data

• With the help of header data reach the destination
  correctly

• Header contains Address, Length, Type, Error
  detection code, Packet order, Status flag …



                                                       47
Why header is needed?

• To ensure delivery to the right receiver
• To ensure correctness and order of data
• Proper routing of packets




                                             48
Packetisation
     Sender                                                Receiver

                       Eg. Internet             Eg. Web
     Process                                     server
                                                               Process
                        Explorer


     Message                                                   Message



      TCP/IP              Network                               TCP/IP
     Protocol          Interface Card                          Protocol
       Stack                                                     Stack

                               Communication Link
 1    Packets     2                                        1    Packets    2

H1   Mes   H2   sage    NIC                         NIC   H1   Mes   H2   sage

                                                                                 49
Protocol Suite
• Collection of protocols to deliver data
• Eg. TCP/IP, Xerox XNS, DECnet, AppleTalk
                                             Xerox XNS
    TCP/IP               ISO/OSI
                                              Level 4+
   Application          Application
                       Presentation           Level 3

                          Session
    Transport            Transport            Level 2
    Internet             Network              Level 1
                         Data Link
      Link                                    Level 0
                          Physical

                                                         50
TCP/IP Layers - Link Layer

• Main responsibility is to move the packet between hosts
  through physical medium
• Network interface card and its device driver does this
• Adds the link layer specific address and other details to the
  packet
• Has mechanism to resolve the physical address from logical
  address, in broadcast networks
• Characteristics of the communication signal is handled here


                                                                  51
TCP/IP Layers - Network Layer
• Main responsibility is to move the packet between network and
  to reach the final destination (Routing)

• This is an unreliable protocol, higher layers has to add reliability

• Handles fragmentation and reassembly of packets, when passed
  through different networks.

• Facility for error handling and diagnosis – special protocols for
  conveying the intermediate node status and errors occurred

                                                                   52
TCP/IP Layers - Transport Layer
• End to end message transfer facility or process to process
  communication
• Have facility for flow control and error control
• This layer can add reliability to the data transferred
• Splits the large data in to small chunks for the network layer
• This layer associates the packet with a particular application
  through ports
• Port - Port is a logical address, it has nothing to do with the
  physical ports present on a computer.

                                                                    53
TCP/IP Layers - Application Layer

• Handles the details of particular application, eg. Email, web
• Adds meta information to the actual data to send (or Formats
  the data)
• This formatted message is encapsulated in transport layer
  protocol
• The respective applications can interpret this message
• The message may be plain text or binary and can be encrypted
  or compressed


                                                              54
TCP/IP stack with sample protocols
Application
           HTTP       SMTP     POP3     FTP     Telnet         DNS


Transport
                       TCP     UDP


Internet
                       IP      ICMP


Link
           Ethernet     FDDI     SLIP     PPP            ARP         RARP



                                                                            55
The way a packet is formed (Encapsulation)

                 App     HTTP
                layer



                         TCP
                 Trans
                 Layer




                         IP
               Network
                Layer




                         Ethernet
                Link
               Layer
                                             56
Packet Analysis




                  57
Uses of Packet Analysis
•   Forensics analysis
•   Trouble shooting and debugging
•   Collect sensitive information
•   Misuse detection
•   Gather Network Statistics




                                     58
Forensics analysis

• To collect evidence
• To track the source of attack
• To learn the attacker behavior




                                   59
Trouble shooting and debugging

• Debugging network applications
• Trouble shooting network problems




                                      60
Collect sensitive information

• Passwords
• Emails
• Other confidential data




                                    61
Misuse detection
• Company policy violation
  – Accessing restricted sites
  – Bandwidth misuse
• Email spoofing
• IP spoofing
• ARP spoofing



                                 62
Gather network statistics

• To collect bandwidth utilization information
• To find misbehaving nodes in the network




                                                 63
Packet Analysis Methods

•   Manual inspection
•   Filtering
•   Statistics
•   Session reconstruction




                                     64
Manual Inspection

•   Text search
•   Binary pattern search
•   Packet inspection
•   Protocol verification




                                 65
Filtering
• Filtering based on
  – MAC
  – IP
  – Date, Time
  – Pattern
• Combinations of the above
  – Packets between a particular date and time
  – Packets from a particular IP
• Complex filter expressions
                                                 66
Statistics
• Based on
  – Bandwidth utilization
  – IP
  – Date and time
  – Protocol based (Email, FTP, HTTP… )


• Eg. Top mail sender


                                          67
Statistics based analysis
Mails




        50
        40
        30




                                                                   Da 1
                                                                        4/
        20




                                                                     te
                                                                  1
                                                              3/
        10                                                                               Data traffic to different servers
                                                              1
                                                          2/
                                                         1
                                                         1/

         1.1.1.1   1.1.1.2   1.1.1.3   1.1.1.4


                                                                      M Bytes/Sec
                                                                                                                                         1.1.1.
                                                 Nodes                              7                                                    3
                                                                                    6
             Mail traffic of individuals on
                                                                                    5
                    different days                                                  4                                                     1.1.1.
                                                                                    3                                                     2
                                                                                                                                          1.1.1.
                                                                                    2
                                                                                                                                          1
                                                                                    1
                                                                                        0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 Time


                                                                                                                                                   68
Session reconstruction

Packet 1   P2   P3   …   Pn            File 1   F2
                                                     …   Fm



• TCP session reconstruction
    – Images, emails and other files
• UDP stream reconstruction
    – Streamed video, audio, VoIP and other types of
      communications

                                                              69
Network Forensics




Network Forensics                       70
Computer Forensics VS Network Forensics




Network Forensics                      71
Legal Issues
• You may not be able to use hacker techniques
  against them
• Laws for gathering evidence are confusing
• Logs may or may not be admissible
• Perpetrator may or may not be prosecutable
• It is important to know about:
      – Local laws on computer-related crimes
      – Legal processes and how to build a criminal case
Network Forensics                                          72
Network Traffic




Network Forensics                     73
Online Analysis of Network Traffic




Network Forensics                      74
Online Monitoring
• If you need to have online analysis of network
  you need to capture packets.
• Network Traffic Analysis requires online
  capturing and analysis of packets in real time.
• Used in Stateful Analysis
• IPS
• IDS
• Firewall
Network Forensics                               75
Collecting Network Traffic as Evidence




Network Forensics                     76
Protecting and Preserving Network-
                  Based Evidence
•    Hash traces after collection and store hashes elsewhere
•    Copy evidence to read-only media when possible
•    Create derivative evidence
•    Follow chains of evidence
•    Understand forms of evidence
•    Best evidence should, to the extent practically possible, never be
     analyzed directly.
      – Rather, investigators should make working copies of the best
         evidence, and analyze those duplications.
      – Network traffic saved on a sensor is the best evidence available.
      – Copies of that traffic transferred to a central location become
         working copies.


    Network Forensics                                                       77
Protecting and Preserving Network-
              Based Evidence




Network Forensics                        78
Network Forensics Procedure




Network Forensics                     79
Network Forensics Procedure




Network Forensics                     80
Analyzing Network-Based Evidence




Network Forensics              81
Live Analysis

• Allows for collection of data from volatile locations
  such as RAM and cache.
• Often will provide extremely useful data.
• Requires installation of software to capture data,
  possibly erasing critical data and spoiling the
  “preservation” of the system.




Network Forensics                                         82
Live Forensics - Goals

                        •   Gathers data from running
                            systems
                        •   Diagnosing your system
                            without killing it first.
                                                             ng
                        •   Snapshot of the state of the eni
      Wh
        o is                computer                  app
     wh
       at? doin                               t’ sh
               g                           ha ?
                                          W w
                                           no
Network Forensics                                             83
Live Forensics




Network Forensics                    84
Live / Volatile Data




Network Forensics                          85
Gathering Data
                                            more volatile
•     Volatile data
      –    registers, cache contents
      –    memory contents
      –    network connections
      –    running processes
•     Non-volatile data
      – content of filesystems and drives
      – content of removable media
                                            less volatile



Network Forensics                                           86
Presentation And Preservation




Network Forensics                      87
Typical Scenario
• “Dead” forensics information incomplete
   – discovered to be incomplete
   – predicted to be incomplete
• Non-local attacker or local user using network in
  inappropriate fashion
• Generally, another event triggers network
  investigation
• Company documents apparently stolen
• Denial of service attack
• Suspected use of unauthorized use of file sharing
  software
• “Cyberstalking” or threatening email
Information Available
• Summary information (router flow logs)
   – Routers generally provide this information
   – Includes basic connection information
      • source and destination IP address and ports
      • connection duration
      • number of packets sent
   – No content! Can only surmise what was sent
   – Can establish that connections between machines were
     established
   – Can corroborate data from log files (e.g., ssh’ing from one
     machine to another to another within a network)
   – Unusual ports (rootkits? botnet?)
   – Unusual activity (spam generator?)
Information Available (2)
• Complete information (packet dumps)
  – from programs like Ethereal/Wireshark, snort, tcpdump
  – on an active net, can generate a LOT of data
  – can provide filter options so programs only capture certain
    traffic (by IP, port, protocol)
  – includes full content—can reconstruct what happened
    (maybe)
  – reconstruct sessions
  – reconstruct transmitted files
  – retrieve typed passwords
  – identify which resources are involved in attack
  – BUT no easy way to decrypt encrypted traffic
Information Available (3)
• Port scans (nmap, etc.)
  – Identifies machines on your network
     • Often can identify operating system, printer type, etc.,
       without needing account on the machine
     • “OS fingerprinting”
  – Identifies ports open on those machines
     • Backdoors, unauthorized servers, …
  – Identifies suspicious situation (infected machine,
    rogue computer, etc.)
  – nmap: lots of options
Analysis
• Does not exist in a vacuum
• Link information in analysis to network and host log
  files
   – who was on the network
   – who was at the keyboard
   – what files are on the disk and where
• Look up the other sites (who are they, where are
  they, what’s the connection)
• Otherwise, network traces can be overwhelming
• Potentially huge amounts of data
• Limited automation!
Normal ICMP Traffic (tcpdump)
• Pings

IP   BOUDIN.mshome.net > www.google.com:   icmp   40:   echo   request seq 6400
IP   www.google.com > BOUDIN.mshome.net:   icmp   40:   echo   reply seq 6400
IP   BOUDIN.mshome.net > www.google.com:   icmp   40:   echo   request seq 6656
IP   www.google.com > BOUDIN.mshome.net:   icmp   40:   echo   reply seq 6656
IP   BOUDIN.mshome.net > www.google.com:   icmp   40:   echo   request seq 6912
IP   www.google.com > BOUDIN.mshome.net:   icmp   40:   echo   reply seq 6912
IP   BOUDIN.mshome.net > www.google.com:   icmp   40:   echo   request seq 7168
IP   www.google.com > BOUDIN.mshome.net:   icmp   40:   echo   reply seq 7168

• Host unreachable

xyz.com > boudin.cs.uno.edu: icmp: host blarg.xyz.com unreachable

• Port unreachable

xyz.com > boudin.cs.uno.edu: icmp: blarg.xyz.com port 7777 unreachable
HTTP Connections
• 3-way TCP handshake as laptop begins HTTP communication
  with a google.com server

IP tasso.1433 > qb-in-f104.google.com.80: S
  3064253594:306425359 4(0) win 16384 <mss
  1460,nop,nop,sackOK>
IP qb-in-f104.google.com.80 > tasso.1433: S
  2967044073:296704407 3(0) ack 3064253595
  win 8190 <mss 1460>
IP tasso.1433 > qb-in-f104.google.com.80: .
  ack 1 win 17520
Fragmentation Visualization
• Fragmentation can be seen by tcpdump
whatever.com > me.com: icmp: echo request (frag 5000:1400@0+)
whatever.com > me.com: (frag 5000:1000@1400)




                         ID                    offset


                                        size
       Note that 2nd frag                               more frags flag
       isn’t identifiable as ICMP
       echo request…
nmap 137.30.120.*
Starting Nmap 4.11 ( http://www.insecure.org/nmap )
  at 2006-10-24 19:32
Interesting ports on 137.30.120.1:
Not shown: 1679 closed ports
PORT   STATE SERVICE
23/tcp open telnet
MAC Address: 00:0D:ED:41:A8:40 (Cisco Systems)
All 1680 scanned ports on 137.30.120.3 are closed
MAC Address: 00:0F:8F:34:7E:C2 (Cisco Systems)
All 1680 scanned ports on 137.30.120.4 are closed
MAC Address: 00:13:C3:13:B4:41 (Cisco Systems)
All 1680 scanned ports on 137.30.120.5 are closed
MAC Address: 00:0F:90:84:13:41 (Cisco Systems)
…
…
nmap 137.30.120.*
Interesting ports on mailsvcs.cs.uno.edu (137.30.120.32):
Not shown: 1644 closed ports
PORT      STATE SERVICE
7/tcp     open echo
9/tcp     open discard
13/tcp    open daytime
19/tcp    open chargen
21/tcp    open ftp
22/tcp    open ssh
23/tcp    open telnet
25/tcp    open smtp
37/tcp    open time
79/tcp    open finger
80/tcp    open http
110/tcp   open pop3
111/tcp   open rpcbind
143/tcp   open imap
443/tcp   open https
512/tcp   open exec
…
…
Wireshark (aka Ethereal)

Packet
listing




Detailed
packet
data at
various
protocol
levels




Raw data
Wireshark: Following a TCP Stream
Wireshark: FTP Control Stream
Wireshark: FTP Data Stream
Wireshark: FTP Data Stream
Wireshark: Extracted FTP Data Stream
Wireshark: HTTP Session



                  save, then trim away
                  HTTP headers to
                  retrieve image

                  Use: e.g., WinHex
HTTP (An application layer protocol)
                    Request from client




                           Response from server


                           HTML web page




                                                  105
Prevention Techniques
• How to prevent your network from being the source of the
  attack:
   – Apply filters to each customer network
       • Allow only those packets with source addresses within the customer’s
         assigned netblocks to enter your network
   – Apply filters to your upstreams
       • Allow only those packets with source addresses within your netblocks to
         exit your network, to protect others
       • Deny those packets with source addresses within your netblocks from
         coming into your network, to protect your network
• This removes the possibility of your network being used as an
  attack source for many attacks which rely on anonymity
Prevention Techniques

• How to prevent being a “bounce site” in a “Smurf” attack:
   – Turn off directed broadcasts to networks:
       • Cisco: Interface command “no ip directed-broadcast”
       • Proteon: IP protocol configuration “disable directed-broadcast”
       • Bay Networks: Set a false static ARP address for bcast address
   – Use access control lists (if necessary) to prevent ICMP echo requests
     from entering your network
   – Encourage vendors to turn off replies for ICMP echos to broadcast
     addresses
       • Host Requirements RFC-1122 Section 3.2.2.6 states “An ICMP Echo Request
         destined to an IP broadcast or IP multicast address MAY be silently discarded.”
       • Patches are available for free UNIX-ish operating systems.
Conclusion: Network Analysis
• Potentially a source of valuable evidence beyond
  that available from “dead” analysis
• By the time an incident occurs, may have lost the
  change to capture much of the interesting traffic
• Challenging: huge volumes of data
• Again, only one part of a complete investigative
  strategy
• This introduction didn’t include stepping stone
  analysis, many other factors (limited time)
THANK YOU

Network Forensics               109
NeSA – Network Session Analyser
NeSA Architecture
                                                           Packet
                                                          Hex View
 Packet             Protocol               Packet
Capture            Dissectors             Analyser          Packet
                                                             Tree
                                                             View

                     Packet      Filter
                                                                                       Hex
 Dump
                      Filter     Rules                                                 View
Pcap Format dump                                                                      Picture
                                                         (HTTP, SMTP, POP3 and FTP)
                                                                                       View
                     Packet               Packet                 Session                File
                    Classifier            Rebuild                Parser                View
                                                                                       Mail
                                              Rebuild   Crypto
                                                                        Parse
                                                                        Rules
                                                                                       View
                                               Rules
                                                                                      Media
                                                                                      Player
Packet Capture
• Uses pcap library
• Captures packet in promiscuous mode
• Similar capture features as of Wireshark
• Stores the captured packets to the user
  specified dump file
• Capture filter can be supplied
    – e.g. Capture only tcp traffic
Packet Filter
• Based on the filter rule supplied, filters
  packets as well as the TCP sessions.
• Packet filter language is same as that of pcap
• TCP session filter language is custom written
  – Filtering based on date/time
  – Protcol based filter
  – MAC, IP and Port based filtering
  – Complex combinations of the above
Protocol Dissector
• Shows each field of packet in very detail
• Dissects very common protocols like IP,
  TCP,UDP, ARP …
• Useful to get a very detailed view of each
  packet
• Helpful in detecting malformed packets
Packet Classifier
• At load time itself, classifies the packets to
  different groups in order to improve the
  performance of later analysis process
• TCP session filter (Rebuild filter) chooses only
  from this classified group of packets, thus it has
  to process only a very small portion of the entire
  dump file
Packet Analyser

• Has a packet filtering scheme
• Packets can be exported
• Has an easily extendible packet (protocol)
  dissector
• Shows the dissected packets in a hex view as
  well as in a tree control as that of in Wireshark
Packet Rebuild

• Rebuilds the TCP session
• Shows the rebuilt session in a hex view with
  data direction indication
• To identify different types of session,
  colouring schemes can be given
• Rebuilt session are passed to the session
  parser
Session Parser
• Parses the rebuilt session and tries to extract the
  available files in it.
• Presently parses HTTP, SMTP, POP3 and FTP.
• The above are the most common application layer
  protocols
• More parsers can be added
• Parses MIME and extracts files from it
• Shows the extracted files in a thumbnail view, file view
  and mail view.
• These files can be exported
Distinctive Features of NeSA

• NeSA is data centric as well as packet centric,
  but most other tools are packet centric, This
  makes NeSA a distinct product
  – Session parser
  – Session filter
  – Session views
NeSA (Network Session Analyser)
• A solution developed by CDAC for offline packet
  analysis
• Features
  – TCP session reconstruction and file recovery
  – Packet filter
  – Powerful session filter
  – Regular expression based search
  – File export, especially mail export
  – Packet dissect view

                                                   120
NeSA Architecture
                                                           Packet
                                                          Hex View
 Packet             Protocol               Packet
Capture            Dissectors             Analyser          Packet
                                                             Tree
                                                             View

                    Packet       Filter
                                                                                       Hex
 Dump
                     Filter      Rules                                                 View
Pcap Format dump                                                                      Picture
                                                         (HTTP, SMTP, POP3 and FTP)
                                                                                       View
                     Packet               Packet                 Session                File
                    Classifier            Rebuild                Parser                View
                                                                                       Mail
                                              Rebuild   Crypto
                                                                        Parse
                                                                        Rules
                                                                                       View
                                               Rules
                                                                                      Media
                                                                                      Player
                                                                                                121
Future plan –Moving to online
• Real-time packet analysis
• Decryption support
• Support for more protocols




                                  122
Catching Packets
• Enable promiscuous mode of Ethernet card, from which packets
  has to be caught
• Otherwise OS will see only the packets which are destined to
  that system only
• Packet capture tools:
   – tcpdump
   – wireshark
• Sample tcpdump comand:
   –   tcpdump –s0 –ieth0 –wfile/to/store.dump
   –   -s0 options tells to capture full length packet
   –   -ieth0 options instructs to capture from the interface eth0
   –   -w option indicates to which file the captured packets has to be stored

                                                                            123
Catching packets in an Enterprise
     Only packets passing
     through gateway, no local               Gateway
     traffic like “between N1 and
     N2”
                                                            Only traffic between N5,N6
                                                            and Gateway, no other
                                                            traffic like “between N1 and
                 Switch                              Switch N2”



                                                N5           N6
      Switch                   Switch

                                             Only traffic of N4


N1          N2            N3            N4

                                                  Place capture system
                                                  accordingly                       124
125
126
127
128
Issues and Challenges
•   Processing the large data
•   Lack of forensics tools
•   Lack of proven methods
•   Varied attacks
•   Encrypted data
•   Partial data
•   Spoofed packets
•   Unknown protocols
                                 129
Thank you




            130
Appendix A – ICMP Message types
Type   Name                       Type     Name
----   ------------------------   ----     -------------------------
  0    Echo Reply                  17      Address Mask Request
  1    Unassigned                  18      Address Mask Reply
  2    Unassigned                  19      Reserved (for Security)
  3    Destination Unreachable     20-29   Reserved (for Robustness
  4    Source Quench                  Experiment)
  5    Redirect                    30      Traceroute
  6    Alternate Host Address      31      Datagram Conversion Error
  7    Unassigned                  32      Mobile Host Redirect
  8    Echo                        33      IPv6 Where-Are-You
  9    Router Advertisement        34      IPv6 I-Am-Here
 10    Router Solicitation         35      Mobile Registration Request
                                   36      Mobile Registration Reply
 11    Time Exceeded               37      Domain Name Request
 12    Parameter Problem           38      Domain Name Reply
 13    Timestamp                   39      SKIP
                                   40      Photuris
 14    Timestamp Reply             41-255 Reserved
 15    Information Request

 16    Information Reply
                                                                         131

More Related Content

What's hot

Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
Papun Papun
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
Online
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
deaneal
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
Aj Maurya
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes
Kranthi
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensics
Rahul Baghla
 
Wired and Wireless Network Forensics
Wired and Wireless Network ForensicsWired and Wireless Network Forensics
Wired and Wireless Network Forensics
Savvius, Inc
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
vishnuv43
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
Sameera Amjad
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
anilinvns
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysis
Bikrant Gautam
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
ParminderKaurBScHons
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Mithileysh Sathiyanarayanan
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
Conferencias FIST
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
Megha Sahu
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
primeteacher32
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
Kranthi
 

What's hot (20)

Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensics
 
Wired and Wireless Network Forensics
Wired and Wireless Network ForensicsWired and Wireless Network Forensics
Wired and Wireless Network Forensics
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysis
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Computer Forensics ppt
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
 

Viewers also liked

Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
Andrea Lazzarotto
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
Conferencias FIST
 
Network Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using WiresharkNetwork Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using Wireshark
n|u - The Open Security Community
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
GTKlondike
 
Wireshark
WiresharkWireshark
Wireshark
ashiesh0007
 
Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013
Islam Azeddine Mennouchi
 
Computer And Network Forensics
Computer And Network ForensicsComputer And Network Forensics
Computer And Network Forensics
Pituphong Yavirach
 
Anatomy of File Analysis and Decomposition Engine
Anatomy of File Analysis and Decomposition EngineAnatomy of File Analysis and Decomposition Engine
Anatomy of File Analysis and Decomposition Engine
Mario Suvajac
 
Analysis of (unknown) file formats
Analysis of (unknown) file formatsAnalysis of (unknown) file formats
Analysis of (unknown) file formats
Mario Suvajac
 
Network Forensics - Your Only Choice at 10G
Network Forensics - Your Only Choice at 10GNetwork Forensics - Your Only Choice at 10G
Network Forensics - Your Only Choice at 10G
Savvius, Inc
 
Digital detective game
Digital detective gameDigital detective game
Digital detective game
Bill Carver
 
Digital forensics ahmed emam
Digital forensics   ahmed emamDigital forensics   ahmed emam
Digital forensics ahmed emam
ahmad abdelhafeez
 
Activity 6 home project - ppt presentation sample
Activity 6   home project - ppt presentation sampleActivity 6   home project - ppt presentation sample
Activity 6 home project - ppt presentation sample
Guilherme Pedro da Silva
 
DETECTIVE ELEMENTS
DETECTIVE ELEMENTSDETECTIVE ELEMENTS
DETECTIVE ELEMENTS
diana.koscik
 
Elements of the Detective Story
Elements of the Detective StoryElements of the Detective Story
Elements of the Detective Story
cristinarrama
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
Valdez Ladd MBA, CISSP, CISA,
 
Cloud Computing : Security and Forensics
Cloud Computing : Security and ForensicsCloud Computing : Security and Forensics
Cloud Computing : Security and Forensics
Govind Maheswaran
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensics
anupriti
 
Data Hiding Techniques
Data Hiding TechniquesData Hiding Techniques
Data Hiding Techniques
prashant3535
 
Wireshark
WiresharkWireshark
Wireshark
btohara
 

Viewers also liked (20)

Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Network Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using WiresharkNetwork Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using Wireshark
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Wireshark
WiresharkWireshark
Wireshark
 
Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013
 
Computer And Network Forensics
Computer And Network ForensicsComputer And Network Forensics
Computer And Network Forensics
 
Anatomy of File Analysis and Decomposition Engine
Anatomy of File Analysis and Decomposition EngineAnatomy of File Analysis and Decomposition Engine
Anatomy of File Analysis and Decomposition Engine
 
Analysis of (unknown) file formats
Analysis of (unknown) file formatsAnalysis of (unknown) file formats
Analysis of (unknown) file formats
 
Network Forensics - Your Only Choice at 10G
Network Forensics - Your Only Choice at 10GNetwork Forensics - Your Only Choice at 10G
Network Forensics - Your Only Choice at 10G
 
Digital detective game
Digital detective gameDigital detective game
Digital detective game
 
Digital forensics ahmed emam
Digital forensics   ahmed emamDigital forensics   ahmed emam
Digital forensics ahmed emam
 
Activity 6 home project - ppt presentation sample
Activity 6   home project - ppt presentation sampleActivity 6   home project - ppt presentation sample
Activity 6 home project - ppt presentation sample
 
DETECTIVE ELEMENTS
DETECTIVE ELEMENTSDETECTIVE ELEMENTS
DETECTIVE ELEMENTS
 
Elements of the Detective Story
Elements of the Detective StoryElements of the Detective Story
Elements of the Detective Story
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
 
Cloud Computing : Security and Forensics
Cloud Computing : Security and ForensicsCloud Computing : Security and Forensics
Cloud Computing : Security and Forensics
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensics
 
Data Hiding Techniques
Data Hiding TechniquesData Hiding Techniques
Data Hiding Techniques
 
Wireshark
WiresharkWireshark
Wireshark
 

Similar to Network forensics1

Isys20261 lecture 06
Isys20261 lecture 06Isys20261 lecture 06
Isys20261 lecture 06
Wiliam Ferraciolli
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
KAMALI PRIYA P
 
Network Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptxNetwork Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptx
talkaton
 
Network Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdfNetwork Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdf
talkaton
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.ppt
DetSersi
 
Network sec 1
Network sec 1Network sec 1
Network sec 1
Jasleen Kaur
 
Network sniffers & injection tools
Network sniffers  & injection toolsNetwork sniffers  & injection tools
Network sniffers & injection tools
vishalgohel12195
 
HSB15 - Pavel Minarik - INVEATECH
HSB15 - Pavel Minarik - INVEATECHHSB15 - Pavel Minarik - INVEATECH
HSB15 - Pavel Minarik - INVEATECH
Splend
 
Network forensics
Network forensicsNetwork forensics
Network forensics
ArthyR3
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Jason Trost
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
Shaurya Gogia
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
Loay Elbasyouni
 
Phases of penetration testing
Phases of penetration testingPhases of penetration testing
Phases of penetration testing
Abdul Rahman
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
cemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
tehkotak4
 
Cyber_Threat_Intelligent_Cyber_Operation_Contest
Cyber_Threat_Intelligent_Cyber_Operation_ContestCyber_Threat_Intelligent_Cyber_Operation_Contest
Cyber_Threat_Intelligent_Cyber_Operation_Contest
nkrafacyberclub
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
shahhardik27
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
shahhardik27
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practices
Mihajlo Prerad
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Sam Bowne
 

Similar to Network forensics1 (20)

Isys20261 lecture 06
Isys20261 lecture 06Isys20261 lecture 06
Isys20261 lecture 06
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
 
Network Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptxNetwork Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptx
 
Network Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdfNetwork Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdf
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.ppt
 
Network sec 1
Network sec 1Network sec 1
Network sec 1
 
Network sniffers & injection tools
Network sniffers  & injection toolsNetwork sniffers  & injection tools
Network sniffers & injection tools
 
HSB15 - Pavel Minarik - INVEATECH
HSB15 - Pavel Minarik - INVEATECHHSB15 - Pavel Minarik - INVEATECH
HSB15 - Pavel Minarik - INVEATECH
 
Network forensics
Network forensicsNetwork forensics
Network forensics
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
 
Phases of penetration testing
Phases of penetration testingPhases of penetration testing
Phases of penetration testing
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
Cyber_Threat_Intelligent_Cyber_Operation_Contest
Cyber_Threat_Intelligent_Cyber_Operation_ContestCyber_Threat_Intelligent_Cyber_Operation_Contest
Cyber_Threat_Intelligent_Cyber_Operation_Contest
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practices
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
 

More from Santosh Khadsare

Cyber fraud (netflix)
Cyber fraud (netflix)Cyber fraud (netflix)
Cyber fraud (netflix)
Santosh Khadsare
 
INTERNET SECUIRTY TIPS
INTERNET SECUIRTY TIPSINTERNET SECUIRTY TIPS
INTERNET SECUIRTY TIPS
Santosh Khadsare
 
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
Santosh Khadsare
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
Santosh Khadsare
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
Santosh Khadsare
 
Lec 1 apln security(4pd)
Lec  1 apln security(4pd)Lec  1 apln security(4pd)
Lec 1 apln security(4pd)
Santosh Khadsare
 
Smart card
Smart cardSmart card
Smart card
Santosh Khadsare
 
Guassvirus
GuassvirusGuassvirus
Guassvirus
Santosh Khadsare
 
Webmail
WebmailWebmail
Linux Forensics
Linux ForensicsLinux Forensics
Linux Forensics
Santosh Khadsare
 
Web server
Web serverWeb server
Web server
Santosh Khadsare
 
Samba server
Samba serverSamba server
Samba server
Santosh Khadsare
 
Firewall(linux)
Firewall(linux)Firewall(linux)
Firewall(linux)
Santosh Khadsare
 
Securitytips
SecuritytipsSecuritytips
Securitytips
Santosh Khadsare
 
Linux basics
Linux basicsLinux basics
Linux basics
Santosh Khadsare
 
Linuxfilesys
LinuxfilesysLinuxfilesys
Linuxfilesys
Santosh Khadsare
 
Linuxconcepts
LinuxconceptsLinuxconcepts
Linuxconcepts
Santosh Khadsare
 
Introtolinux
IntrotolinuxIntrotolinux
Introtolinux
Santosh Khadsare
 
New internet
New internetNew internet
New internet
Santosh Khadsare
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
Santosh Khadsare
 

More from Santosh Khadsare (20)

Cyber fraud (netflix)
Cyber fraud (netflix)Cyber fraud (netflix)
Cyber fraud (netflix)
 
INTERNET SECUIRTY TIPS
INTERNET SECUIRTY TIPSINTERNET SECUIRTY TIPS
INTERNET SECUIRTY TIPS
 
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Lec 1 apln security(4pd)
Lec  1 apln security(4pd)Lec  1 apln security(4pd)
Lec 1 apln security(4pd)
 
Smart card
Smart cardSmart card
Smart card
 
Guassvirus
GuassvirusGuassvirus
Guassvirus
 
Webmail
WebmailWebmail
Webmail
 
Linux Forensics
Linux ForensicsLinux Forensics
Linux Forensics
 
Web server
Web serverWeb server
Web server
 
Samba server
Samba serverSamba server
Samba server
 
Firewall(linux)
Firewall(linux)Firewall(linux)
Firewall(linux)
 
Securitytips
SecuritytipsSecuritytips
Securitytips
 
Linux basics
Linux basicsLinux basics
Linux basics
 
Linuxfilesys
LinuxfilesysLinuxfilesys
Linuxfilesys
 
Linuxconcepts
LinuxconceptsLinuxconcepts
Linuxconcepts
 
Introtolinux
IntrotolinuxIntrotolinux
Introtolinux
 
New internet
New internetNew internet
New internet
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
 

Recently uploaded

5. Postharvest deterioration of fruits and vegetables.pptx
5. Postharvest deterioration of fruits and vegetables.pptx5. Postharvest deterioration of fruits and vegetables.pptx
5. Postharvest deterioration of fruits and vegetables.pptx
UmeshTimilsina1
 
BỘ ĐỀ THI HỌC SINH GIỎI CÁC TỈNH MÔN TIẾNG ANH LỚP 9 NĂM HỌC 2023-2024 (CÓ FI...
BỘ ĐỀ THI HỌC SINH GIỎI CÁC TỈNH MÔN TIẾNG ANH LỚP 9 NĂM HỌC 2023-2024 (CÓ FI...BỘ ĐỀ THI HỌC SINH GIỎI CÁC TỈNH MÔN TIẾNG ANH LỚP 9 NĂM HỌC 2023-2024 (CÓ FI...
BỘ ĐỀ THI HỌC SINH GIỎI CÁC TỈNH MÔN TIẾNG ANH LỚP 9 NĂM HỌC 2023-2024 (CÓ FI...
Nguyen Thanh Tu Collection
 
SD_Integrating 21st Century Skills in Classroom-based Assessment.pptx
SD_Integrating 21st Century Skills in Classroom-based Assessment.pptxSD_Integrating 21st Century Skills in Classroom-based Assessment.pptx
SD_Integrating 21st Century Skills in Classroom-based Assessment.pptx
elwoodprias1
 
Lecture Notes Unit4 Chapter13 users , roles and privileges
Lecture Notes Unit4 Chapter13 users , roles and privilegesLecture Notes Unit4 Chapter13 users , roles and privileges
Lecture Notes Unit4 Chapter13 users , roles and privileges
Murugan146644
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...
Nguyen Thanh Tu Collection
 
RDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEWRDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEW
Murugan Solaiyappan
 
3. Maturity_indices_of_fruits_and_vegetable.pptx
3. Maturity_indices_of_fruits_and_vegetable.pptx3. Maturity_indices_of_fruits_and_vegetable.pptx
3. Maturity_indices_of_fruits_and_vegetable.pptx
UmeshTimilsina1
 
E-learning Odoo 17 New features - Odoo 17 Slides
E-learning Odoo 17  New features - Odoo 17 SlidesE-learning Odoo 17  New features - Odoo 17 Slides
E-learning Odoo 17 New features - Odoo 17 Slides
Celine George
 
Parkinson Disease & Anti-Parkinsonian Drugs.pptx
Parkinson Disease & Anti-Parkinsonian Drugs.pptxParkinson Disease & Anti-Parkinsonian Drugs.pptx
Parkinson Disease & Anti-Parkinsonian Drugs.pptx
AnujVishwakarma34
 
11. Post harvest quality, Quality criteria and Judgement.pptx
11. Post harvest quality, Quality criteria and Judgement.pptx11. Post harvest quality, Quality criteria and Judgement.pptx
11. Post harvest quality, Quality criteria and Judgement.pptx
UmeshTimilsina1
 
Brigada Eskwela 2024 PowerPoint Update for SY 2024-2025
Brigada Eskwela 2024 PowerPoint Update for SY 2024-2025Brigada Eskwela 2024 PowerPoint Update for SY 2024-2025
Brigada Eskwela 2024 PowerPoint Update for SY 2024-2025
ALBERTHISOLER1
 
SQL Server Interview Questions PDF By ScholarHat
SQL Server Interview Questions PDF By ScholarHatSQL Server Interview Questions PDF By ScholarHat
SQL Server Interview Questions PDF By ScholarHat
Scholarhat
 
Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...
Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...
Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...
Alvaro Barbosa
 
Introduction to Banking System in India.ppt
Introduction to Banking System in India.pptIntroduction to Banking System in India.ppt
Introduction to Banking System in India.ppt
Dr. S. Bulomine Regi
 
Odoo 17 Events - Attendees List Scanning
Odoo 17 Events - Attendees List ScanningOdoo 17 Events - Attendees List Scanning
Odoo 17 Events - Attendees List Scanning
Celine George
 
Open Source and AI - ByWater Closing Keynote Presentation.pdf
Open Source and AI - ByWater Closing Keynote Presentation.pdfOpen Source and AI - ByWater Closing Keynote Presentation.pdf
Open Source and AI - ByWater Closing Keynote Presentation.pdf
Jessica Zairo
 
How To Sell Hamster Kombat Coin In Pre-market
How To Sell Hamster Kombat Coin In Pre-marketHow To Sell Hamster Kombat Coin In Pre-market
How To Sell Hamster Kombat Coin In Pre-market
Sikandar Ali
 
INSIDE OUT - PowerPoint Presentation.pptx
INSIDE OUT - PowerPoint Presentation.pptxINSIDE OUT - PowerPoint Presentation.pptx
INSIDE OUT - PowerPoint Presentation.pptx
RODELAZARES3
 
2 Post harvest Physiology of Horticulture produce.pptx
2 Post harvest Physiology of Horticulture  produce.pptx2 Post harvest Physiology of Horticulture  produce.pptx
2 Post harvest Physiology of Horticulture produce.pptx
UmeshTimilsina1
 
Java MCQ Questions and Answers PDF By ScholarHat
Java MCQ Questions and Answers PDF By ScholarHatJava MCQ Questions and Answers PDF By ScholarHat
Java MCQ Questions and Answers PDF By ScholarHat
Scholarhat
 

Recently uploaded (20)

5. Postharvest deterioration of fruits and vegetables.pptx
5. Postharvest deterioration of fruits and vegetables.pptx5. Postharvest deterioration of fruits and vegetables.pptx
5. Postharvest deterioration of fruits and vegetables.pptx
 
BỘ ĐỀ THI HỌC SINH GIỎI CÁC TỈNH MÔN TIẾNG ANH LỚP 9 NĂM HỌC 2023-2024 (CÓ FI...
BỘ ĐỀ THI HỌC SINH GIỎI CÁC TỈNH MÔN TIẾNG ANH LỚP 9 NĂM HỌC 2023-2024 (CÓ FI...BỘ ĐỀ THI HỌC SINH GIỎI CÁC TỈNH MÔN TIẾNG ANH LỚP 9 NĂM HỌC 2023-2024 (CÓ FI...
BỘ ĐỀ THI HỌC SINH GIỎI CÁC TỈNH MÔN TIẾNG ANH LỚP 9 NĂM HỌC 2023-2024 (CÓ FI...
 
SD_Integrating 21st Century Skills in Classroom-based Assessment.pptx
SD_Integrating 21st Century Skills in Classroom-based Assessment.pptxSD_Integrating 21st Century Skills in Classroom-based Assessment.pptx
SD_Integrating 21st Century Skills in Classroom-based Assessment.pptx
 
Lecture Notes Unit4 Chapter13 users , roles and privileges
Lecture Notes Unit4 Chapter13 users , roles and privilegesLecture Notes Unit4 Chapter13 users , roles and privileges
Lecture Notes Unit4 Chapter13 users , roles and privileges
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...
 
RDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEWRDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEW
 
3. Maturity_indices_of_fruits_and_vegetable.pptx
3. Maturity_indices_of_fruits_and_vegetable.pptx3. Maturity_indices_of_fruits_and_vegetable.pptx
3. Maturity_indices_of_fruits_and_vegetable.pptx
 
E-learning Odoo 17 New features - Odoo 17 Slides
E-learning Odoo 17  New features - Odoo 17 SlidesE-learning Odoo 17  New features - Odoo 17 Slides
E-learning Odoo 17 New features - Odoo 17 Slides
 
Parkinson Disease & Anti-Parkinsonian Drugs.pptx
Parkinson Disease & Anti-Parkinsonian Drugs.pptxParkinson Disease & Anti-Parkinsonian Drugs.pptx
Parkinson Disease & Anti-Parkinsonian Drugs.pptx
 
11. Post harvest quality, Quality criteria and Judgement.pptx
11. Post harvest quality, Quality criteria and Judgement.pptx11. Post harvest quality, Quality criteria and Judgement.pptx
11. Post harvest quality, Quality criteria and Judgement.pptx
 
Brigada Eskwela 2024 PowerPoint Update for SY 2024-2025
Brigada Eskwela 2024 PowerPoint Update for SY 2024-2025Brigada Eskwela 2024 PowerPoint Update for SY 2024-2025
Brigada Eskwela 2024 PowerPoint Update for SY 2024-2025
 
SQL Server Interview Questions PDF By ScholarHat
SQL Server Interview Questions PDF By ScholarHatSQL Server Interview Questions PDF By ScholarHat
SQL Server Interview Questions PDF By ScholarHat
 
Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...
Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...
Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...
 
Introduction to Banking System in India.ppt
Introduction to Banking System in India.pptIntroduction to Banking System in India.ppt
Introduction to Banking System in India.ppt
 
Odoo 17 Events - Attendees List Scanning
Odoo 17 Events - Attendees List ScanningOdoo 17 Events - Attendees List Scanning
Odoo 17 Events - Attendees List Scanning
 
Open Source and AI - ByWater Closing Keynote Presentation.pdf
Open Source and AI - ByWater Closing Keynote Presentation.pdfOpen Source and AI - ByWater Closing Keynote Presentation.pdf
Open Source and AI - ByWater Closing Keynote Presentation.pdf
 
How To Sell Hamster Kombat Coin In Pre-market
How To Sell Hamster Kombat Coin In Pre-marketHow To Sell Hamster Kombat Coin In Pre-market
How To Sell Hamster Kombat Coin In Pre-market
 
INSIDE OUT - PowerPoint Presentation.pptx
INSIDE OUT - PowerPoint Presentation.pptxINSIDE OUT - PowerPoint Presentation.pptx
INSIDE OUT - PowerPoint Presentation.pptx
 
2 Post harvest Physiology of Horticulture produce.pptx
2 Post harvest Physiology of Horticulture  produce.pptx2 Post harvest Physiology of Horticulture  produce.pptx
2 Post harvest Physiology of Horticulture produce.pptx
 
Java MCQ Questions and Answers PDF By ScholarHat
Java MCQ Questions and Answers PDF By ScholarHatJava MCQ Questions and Answers PDF By ScholarHat
Java MCQ Questions and Answers PDF By ScholarHat
 

Network forensics1

  • 2. Cyber Threat Evolution Malicious Identity Theft Data Theft Virus Code Botnet (Phishing) (Melissa) Targeted Attacks Breaking Advanced Worm / Organised Crime Web Sites Trojan (I LOVE YOU) Data Theft, DoS / DDoS 1977 1995 2000 2003-04 2005-06 2007-08 2009-10
  • 3. Global Attack Trend Source: Websense
  • 4. Network Forensics ? • What we have seen is DEAD analysis • Network evidences are highly volatile. • Needs real time analysis of network traffic. Network Forensics 4
  • 5. Network Forensics • Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. • The ultimate goal is to provide sufficient evidence to allow the criminal to be successfully prosecuted. • Network forensics can reveal evidence that is crucial to building a case. • Forensics for computer networks is extremely difficult and depends completely on the quality of information you maintain. Network Forensics 5
  • 6. Why network-based evidence? – Host-centric forensics is an established discipline, but many investigators ignore or do not understand network traffic – Network-based evidence can be found everywhere – Network-based evidence can be easy to collect -- without anyone's notice
  • 9. Network Forensics Model Proactive Detect Reactive Forensics Forensics Capture Identify Preserve Data Aggregation Data Validation Research Extract Data Analysis Solve Data Confirmation
  • 10. Network Elements MX PC Proxy Laptop Relay Web Server Web Server Mail Server DB Server Firewall IDS / IPS Switch Router Wifi Router Access Point
  • 11. Network Forensics • Systematic Capture and Analysis of network events and traffic in order to trace and prove a network incident. – Online Capture and Analysis – Offline Analysis
  • 12. Online Analysis of Network Traffic Network-based evidence complements host-based evidence. Network traffic can be used to show a timed sequence of user’s network activities. Suspicious network activities can be monitored real-time.
  • 13. Online Analysis of Network Traffic Network traffic also enables an investigator to extract information that is difficult to obtain from host-based evidence, such as IP addresses and other identity information a user uses Passwords •Specialized knowledge and tools are required to process network traffic as a source of evidence. In general, there is only one chance to capture real-time network data from a network.
  • 14. Online Monitoring If you need to have online analysis of network you need to capture packets. Network Traffic Analysis requires online capturing and analysis of packets in real time. Used in Stateful Analysis IPS IDS Firewall
  • 15. Capturing Network Traffic Flow Analysis Capturing Network Traffic using TAPS InLine Devices Hubs SPAN Ports
  • 16. TAPS Test Access Ports Devices specially built for accessing traffic between network devices Usually pre-installed at important traffic points Physical devices are able to capture traffic at the physical layer
  • 17. TAPS
  • 18. Inline device Similar to a tap, but implemented using a computer having at least two bridged NICs The two devices being monitored are connected to these two NICs Traffic through the bridged NICs is available to the computer or another device connected to an extra NIC Inline devices are also used to enforce access control.
  • 19. Hub The simplest and cheapest way to gain access to network traffic A hub forwards frames to all ports. A monitoring station, connected to one of the ports, sees all traffic passing through the hub.
  • 20. SPAN Port - Switched Port Analyzer (Port Mirroring) Provided on good switches A switch can be configured to copy one or more switch ports to a dedicated port. A capture device connected to the SPAN port sees traffic flowing through specified switch ports. A SPAN port only copies valid network packets. Error packets may be ignored and not copied.
  • 21. Collecting Network Traffic as Evidence • Position the sensor properly • Consider perimeter monitoring scenario at right – Perimeter is easiest place to monitor – However, sensor as shown may not be able to see all the traffic an analyst needs to understand the scope of an intrusion • Alternative deployments shown on following slides
  • 22. Collecting Network Traffic as Evidence • At left we monitor perimeter (via tap) and DMZ (via switch SPAN) • At right we add a filtering bridge/sensor to watch and/or control a high value target
  • 23. Collecting Network Traffic as Evidence • Don't forget to accommodate address translation issues • Here we add a second interface behind the gateway
  • 24. Collecting Network Traffic as Evidence • This network shows a variety of instrumentation options
  • 25. Collecting Network Traffic as Evidence • Verify the sensor collects traffic as expected
  • 26. Collecting Network Traffic as Evidence • Consider using Network Security Monitoring principles to guide your data collection strategies – Alert data (Snort, other IDSs) • Traditional IDS alerts or judgments (“RPC call!”) • Context-sensitive, either by signature or anomaly – Full content data (Tcpdump) • All packet details, including application layer • Expensive to save, but always most granular analysis – Session data (Argus, SANCP, NetFlow) • Summaries of conversations between systems • Content-neutral, compact; encryption no problem – Statistical data (Capinfos, Tcpdstat) • Descriptive, high-level view of aggregated events • Sguil (www.sguil.net) is an interface to much of this in a single open source suite
  • 27. Protecting and Preserving Network-Based Evidence • Hash traces after collection and store hashes elsewhere • Understand forms of evidence • Copy evidence to read-only media when possible • Create derivative evidence • Follow chains of evidence
  • 28. Protecting and Preserving Network-Based Evidence • Understand forms of evidence • Best evidence should, to the extent practically possible, never be analyzed directly. – Rather, investigators should make working copies of the best evidence, and analyze those duplications. – Network traffic saved on a sensor is the best evidence available. – Copies of that traffic transferred to a central location become working copies.
  • 29. Protecting and Preserving Network-Based Evidence Create derivative evidence 1. Ensure you have a hash of the original file stored in a safe location. 2. After verifying the hashes match, use the desired Packet Analysis to extract packets of interest to a new file and directory. 3. Hash the resulting file 4. Make multiple copies of the new local evidence file, and analyze them at will. 5. Document these steps on both platforms.
  • 30. Analyzing Network-Based Evidence • Validate results with more than one system • Beware of malicious traffic • Document not just what you find, but how you found it • Follow a methodology
  • 31. Trends • Significant increase in network-based DoS attacks over the last year – Attackers’ growing accessibility to networks – Growing number of organizations connected to networks • Vulnerability – Most networks have not implemented spoof prevention filters – Very little protection currently implemented against attacks
  • 32. Goals of Attacks • Prevent another user from using network connection – “Smurf” attacks, “pepsi” (UDP floods), ping floods • Disable a host or service – “Land”, “Teardrop”, “Bonk”, “Boink”, SYN flooding, “Ping of death” • Traffic monitoring – Sniffing
  • 33. “Smurfing” • Very dangerous attack – Network-based, fills access pipes – Uses ICMP echo/reply packets with broadcast networks to multiply traffic – Requires the ability to send spoofed packets • Abuses “bounce-sites” to attack victims – Traffic multiplied by a factor of 50 to 200 – Low-bandwidth source can kill high-bandwidth connections • Similar to ping flooding, UDP flooding but more dangerous due to traffic multiplication
  • 34. “Smurfing” (cont’d) ICMP echo (spoofed source address of victim) Sent to IP broadcast address ICMP echo reply Internet Perpetrator Victim
  • 35. “Smurfing” trend • Smurf attacks are still “in style” for attackers • Significant advances made in reducing the effects – Education campaigns through the use of white paper and other education by NOCs has reduced the average “smurf” attack from 80 Mbits/sec to 5 Mbits/sec • Most attacks can still inundate a T1 link
  • 36. “Teardrop”, “Bonk”, “Boink”, “Ping of Death” • Goal is to severely impair or disable a host or its IP stack • Use packet fragmentation and reassembly vulnerabilities • Require that a host IP stack be able to receive a packet from an attacker
  • 37. SYN flooding • Goal is to deny access to a TCP service running on a host • Creates a number of half-open TCP connections which fill up a host’s listen queue; host stops accepting connections • Requires the TCP service be open to connections from the victim
  • 38. Sniffing • Goal is generally to obtain information – Account usernames, passwords – Source code, business critical information • Usually a program placing an Ethernet adapter into promiscuous mode and saving information for retrieval later • Hosts running the sniffer program is compromised using host attack methods.
  • 40. Packet Switched Networks • Each message is divided into small data blocks called packets • Packets are stored, and forwarded by intermediate nodes • Packets from different nodes, and process get intermixed in the network • Packets may follow different routes • Shortest path to the destination 40
  • 41. Packet Route Sender Receiver Process Router …… … 41
  • 42. Packet Route Sender Receiver Process Router …… … 42
  • 43. Benefits • No user can monopolise the link for long time • Network traffic load balancing • Doesn’t waste resources of network • No congestion at connection setup time 43
  • 44. Drawbacks • Packets may arrive out of order. Message needs to be re- assembled at receiving end. • May cause delay in real-time applications (audio/video) • Service is not guaranteed 44
  • 45. Packet Packet Header Data – Is a formatted block of data carried by a computer network – Internet, LAN uses packet technology to transfer data – Key components are header and data 45
  • 46. Data • Information to be conveyed between sender and the receiver • It can be text or binary – Images, documents, web page, email … • It may be small enough to store in a single packet or else it has to be split and stored in multiple packets 46
  • 47. Header • Meta information added to the data • With the help of header data reach the destination correctly • Header contains Address, Length, Type, Error detection code, Packet order, Status flag … 47
  • 48. Why header is needed? • To ensure delivery to the right receiver • To ensure correctness and order of data • Proper routing of packets 48
  • 49. Packetisation Sender Receiver Eg. Internet Eg. Web Process server Process Explorer Message Message TCP/IP Network TCP/IP Protocol Interface Card Protocol Stack Stack Communication Link 1 Packets 2 1 Packets 2 H1 Mes H2 sage NIC NIC H1 Mes H2 sage 49
  • 50. Protocol Suite • Collection of protocols to deliver data • Eg. TCP/IP, Xerox XNS, DECnet, AppleTalk Xerox XNS TCP/IP ISO/OSI Level 4+ Application Application Presentation Level 3 Session Transport Transport Level 2 Internet Network Level 1 Data Link Link Level 0 Physical 50
  • 51. TCP/IP Layers - Link Layer • Main responsibility is to move the packet between hosts through physical medium • Network interface card and its device driver does this • Adds the link layer specific address and other details to the packet • Has mechanism to resolve the physical address from logical address, in broadcast networks • Characteristics of the communication signal is handled here 51
  • 52. TCP/IP Layers - Network Layer • Main responsibility is to move the packet between network and to reach the final destination (Routing) • This is an unreliable protocol, higher layers has to add reliability • Handles fragmentation and reassembly of packets, when passed through different networks. • Facility for error handling and diagnosis – special protocols for conveying the intermediate node status and errors occurred 52
  • 53. TCP/IP Layers - Transport Layer • End to end message transfer facility or process to process communication • Have facility for flow control and error control • This layer can add reliability to the data transferred • Splits the large data in to small chunks for the network layer • This layer associates the packet with a particular application through ports • Port - Port is a logical address, it has nothing to do with the physical ports present on a computer. 53
  • 54. TCP/IP Layers - Application Layer • Handles the details of particular application, eg. Email, web • Adds meta information to the actual data to send (or Formats the data) • This formatted message is encapsulated in transport layer protocol • The respective applications can interpret this message • The message may be plain text or binary and can be encrypted or compressed 54
  • 55. TCP/IP stack with sample protocols Application HTTP SMTP POP3 FTP Telnet DNS Transport TCP UDP Internet IP ICMP Link Ethernet FDDI SLIP PPP ARP RARP 55
  • 56. The way a packet is formed (Encapsulation) App HTTP layer TCP Trans Layer IP Network Layer Ethernet Link Layer 56
  • 58. Uses of Packet Analysis • Forensics analysis • Trouble shooting and debugging • Collect sensitive information • Misuse detection • Gather Network Statistics 58
  • 59. Forensics analysis • To collect evidence • To track the source of attack • To learn the attacker behavior 59
  • 60. Trouble shooting and debugging • Debugging network applications • Trouble shooting network problems 60
  • 61. Collect sensitive information • Passwords • Emails • Other confidential data 61
  • 62. Misuse detection • Company policy violation – Accessing restricted sites – Bandwidth misuse • Email spoofing • IP spoofing • ARP spoofing 62
  • 63. Gather network statistics • To collect bandwidth utilization information • To find misbehaving nodes in the network 63
  • 64. Packet Analysis Methods • Manual inspection • Filtering • Statistics • Session reconstruction 64
  • 65. Manual Inspection • Text search • Binary pattern search • Packet inspection • Protocol verification 65
  • 66. Filtering • Filtering based on – MAC – IP – Date, Time – Pattern • Combinations of the above – Packets between a particular date and time – Packets from a particular IP • Complex filter expressions 66
  • 67. Statistics • Based on – Bandwidth utilization – IP – Date and time – Protocol based (Email, FTP, HTTP… ) • Eg. Top mail sender 67
  • 68. Statistics based analysis Mails 50 40 30 Da 1 4/ 20 te 1 3/ 10 Data traffic to different servers 1 2/ 1 1/ 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 M Bytes/Sec 1.1.1. Nodes 7 3 6 Mail traffic of individuals on 5 different days 4 1.1.1. 3 2 1.1.1. 2 1 1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 Time 68
  • 69. Session reconstruction Packet 1 P2 P3 … Pn File 1 F2 … Fm • TCP session reconstruction – Images, emails and other files • UDP stream reconstruction – Streamed video, audio, VoIP and other types of communications 69
  • 71. Computer Forensics VS Network Forensics Network Forensics 71
  • 72. Legal Issues • You may not be able to use hacker techniques against them • Laws for gathering evidence are confusing • Logs may or may not be admissible • Perpetrator may or may not be prosecutable • It is important to know about: – Local laws on computer-related crimes – Legal processes and how to build a criminal case Network Forensics 72
  • 74. Online Analysis of Network Traffic Network Forensics 74
  • 75. Online Monitoring • If you need to have online analysis of network you need to capture packets. • Network Traffic Analysis requires online capturing and analysis of packets in real time. • Used in Stateful Analysis • IPS • IDS • Firewall Network Forensics 75
  • 76. Collecting Network Traffic as Evidence Network Forensics 76
  • 77. Protecting and Preserving Network- Based Evidence • Hash traces after collection and store hashes elsewhere • Copy evidence to read-only media when possible • Create derivative evidence • Follow chains of evidence • Understand forms of evidence • Best evidence should, to the extent practically possible, never be analyzed directly. – Rather, investigators should make working copies of the best evidence, and analyze those duplications. – Network traffic saved on a sensor is the best evidence available. – Copies of that traffic transferred to a central location become working copies. Network Forensics 77
  • 78. Protecting and Preserving Network- Based Evidence Network Forensics 78
  • 82. Live Analysis • Allows for collection of data from volatile locations such as RAM and cache. • Often will provide extremely useful data. • Requires installation of software to capture data, possibly erasing critical data and spoiling the “preservation” of the system. Network Forensics 82
  • 83. Live Forensics - Goals • Gathers data from running systems • Diagnosing your system without killing it first. ng • Snapshot of the state of the eni Wh o is computer app wh at? doin t’ sh g ha ? W w no Network Forensics 83
  • 85. Live / Volatile Data Network Forensics 85
  • 86. Gathering Data more volatile • Volatile data – registers, cache contents – memory contents – network connections – running processes • Non-volatile data – content of filesystems and drives – content of removable media less volatile Network Forensics 86
  • 88. Typical Scenario • “Dead” forensics information incomplete – discovered to be incomplete – predicted to be incomplete • Non-local attacker or local user using network in inappropriate fashion • Generally, another event triggers network investigation • Company documents apparently stolen • Denial of service attack • Suspected use of unauthorized use of file sharing software • “Cyberstalking” or threatening email
  • 89. Information Available • Summary information (router flow logs) – Routers generally provide this information – Includes basic connection information • source and destination IP address and ports • connection duration • number of packets sent – No content! Can only surmise what was sent – Can establish that connections between machines were established – Can corroborate data from log files (e.g., ssh’ing from one machine to another to another within a network) – Unusual ports (rootkits? botnet?) – Unusual activity (spam generator?)
  • 90. Information Available (2) • Complete information (packet dumps) – from programs like Ethereal/Wireshark, snort, tcpdump – on an active net, can generate a LOT of data – can provide filter options so programs only capture certain traffic (by IP, port, protocol) – includes full content—can reconstruct what happened (maybe) – reconstruct sessions – reconstruct transmitted files – retrieve typed passwords – identify which resources are involved in attack – BUT no easy way to decrypt encrypted traffic
  • 91. Information Available (3) • Port scans (nmap, etc.) – Identifies machines on your network • Often can identify operating system, printer type, etc., without needing account on the machine • “OS fingerprinting” – Identifies ports open on those machines • Backdoors, unauthorized servers, … – Identifies suspicious situation (infected machine, rogue computer, etc.) – nmap: lots of options
  • 92. Analysis • Does not exist in a vacuum • Link information in analysis to network and host log files – who was on the network – who was at the keyboard – what files are on the disk and where • Look up the other sites (who are they, where are they, what’s the connection) • Otherwise, network traces can be overwhelming • Potentially huge amounts of data • Limited automation!
  • 93. Normal ICMP Traffic (tcpdump) • Pings IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6400 IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6400 IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6656 IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6656 IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 6912 IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 6912 IP BOUDIN.mshome.net > www.google.com: icmp 40: echo request seq 7168 IP www.google.com > BOUDIN.mshome.net: icmp 40: echo reply seq 7168 • Host unreachable xyz.com > boudin.cs.uno.edu: icmp: host blarg.xyz.com unreachable • Port unreachable xyz.com > boudin.cs.uno.edu: icmp: blarg.xyz.com port 7777 unreachable
  • 94. HTTP Connections • 3-way TCP handshake as laptop begins HTTP communication with a google.com server IP tasso.1433 > qb-in-f104.google.com.80: S 3064253594:306425359 4(0) win 16384 <mss 1460,nop,nop,sackOK> IP qb-in-f104.google.com.80 > tasso.1433: S 2967044073:296704407 3(0) ack 3064253595 win 8190 <mss 1460> IP tasso.1433 > qb-in-f104.google.com.80: . ack 1 win 17520
  • 95. Fragmentation Visualization • Fragmentation can be seen by tcpdump whatever.com > me.com: icmp: echo request (frag 5000:1400@0+) whatever.com > me.com: (frag 5000:1000@1400) ID offset size Note that 2nd frag more frags flag isn’t identifiable as ICMP echo request…
  • 96. nmap 137.30.120.* Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-10-24 19:32 Interesting ports on 137.30.120.1: Not shown: 1679 closed ports PORT STATE SERVICE 23/tcp open telnet MAC Address: 00:0D:ED:41:A8:40 (Cisco Systems) All 1680 scanned ports on 137.30.120.3 are closed MAC Address: 00:0F:8F:34:7E:C2 (Cisco Systems) All 1680 scanned ports on 137.30.120.4 are closed MAC Address: 00:13:C3:13:B4:41 (Cisco Systems) All 1680 scanned ports on 137.30.120.5 are closed MAC Address: 00:0F:90:84:13:41 (Cisco Systems) … …
  • 97. nmap 137.30.120.* Interesting ports on mailsvcs.cs.uno.edu (137.30.120.32): Not shown: 1644 closed ports PORT STATE SERVICE 7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 25/tcp open smtp 37/tcp open time 79/tcp open finger 80/tcp open http 110/tcp open pop3 111/tcp open rpcbind 143/tcp open imap 443/tcp open https 512/tcp open exec … …
  • 103. Wireshark: Extracted FTP Data Stream
  • 104. Wireshark: HTTP Session save, then trim away HTTP headers to retrieve image Use: e.g., WinHex
  • 105. HTTP (An application layer protocol) Request from client Response from server HTML web page 105
  • 106. Prevention Techniques • How to prevent your network from being the source of the attack: – Apply filters to each customer network • Allow only those packets with source addresses within the customer’s assigned netblocks to enter your network – Apply filters to your upstreams • Allow only those packets with source addresses within your netblocks to exit your network, to protect others • Deny those packets with source addresses within your netblocks from coming into your network, to protect your network • This removes the possibility of your network being used as an attack source for many attacks which rely on anonymity
  • 107. Prevention Techniques • How to prevent being a “bounce site” in a “Smurf” attack: – Turn off directed broadcasts to networks: • Cisco: Interface command “no ip directed-broadcast” • Proteon: IP protocol configuration “disable directed-broadcast” • Bay Networks: Set a false static ARP address for bcast address – Use access control lists (if necessary) to prevent ICMP echo requests from entering your network – Encourage vendors to turn off replies for ICMP echos to broadcast addresses • Host Requirements RFC-1122 Section 3.2.2.6 states “An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.” • Patches are available for free UNIX-ish operating systems.
  • 108. Conclusion: Network Analysis • Potentially a source of valuable evidence beyond that available from “dead” analysis • By the time an incident occurs, may have lost the change to capture much of the interesting traffic • Challenging: huge volumes of data • Again, only one part of a complete investigative strategy • This introduction didn’t include stepping stone analysis, many other factors (limited time)
  • 110. NeSA – Network Session Analyser
  • 111. NeSA Architecture Packet Hex View Packet Protocol Packet Capture Dissectors Analyser Packet Tree View Packet Filter Hex Dump Filter Rules View Pcap Format dump Picture (HTTP, SMTP, POP3 and FTP) View Packet Packet Session File Classifier Rebuild Parser View Mail Rebuild Crypto Parse Rules View Rules Media Player
  • 112. Packet Capture • Uses pcap library • Captures packet in promiscuous mode • Similar capture features as of Wireshark • Stores the captured packets to the user specified dump file • Capture filter can be supplied – e.g. Capture only tcp traffic
  • 113. Packet Filter • Based on the filter rule supplied, filters packets as well as the TCP sessions. • Packet filter language is same as that of pcap • TCP session filter language is custom written – Filtering based on date/time – Protcol based filter – MAC, IP and Port based filtering – Complex combinations of the above
  • 114. Protocol Dissector • Shows each field of packet in very detail • Dissects very common protocols like IP, TCP,UDP, ARP … • Useful to get a very detailed view of each packet • Helpful in detecting malformed packets
  • 115. Packet Classifier • At load time itself, classifies the packets to different groups in order to improve the performance of later analysis process • TCP session filter (Rebuild filter) chooses only from this classified group of packets, thus it has to process only a very small portion of the entire dump file
  • 116. Packet Analyser • Has a packet filtering scheme • Packets can be exported • Has an easily extendible packet (protocol) dissector • Shows the dissected packets in a hex view as well as in a tree control as that of in Wireshark
  • 117. Packet Rebuild • Rebuilds the TCP session • Shows the rebuilt session in a hex view with data direction indication • To identify different types of session, colouring schemes can be given • Rebuilt session are passed to the session parser
  • 118. Session Parser • Parses the rebuilt session and tries to extract the available files in it. • Presently parses HTTP, SMTP, POP3 and FTP. • The above are the most common application layer protocols • More parsers can be added • Parses MIME and extracts files from it • Shows the extracted files in a thumbnail view, file view and mail view. • These files can be exported
  • 119. Distinctive Features of NeSA • NeSA is data centric as well as packet centric, but most other tools are packet centric, This makes NeSA a distinct product – Session parser – Session filter – Session views
  • 120. NeSA (Network Session Analyser) • A solution developed by CDAC for offline packet analysis • Features – TCP session reconstruction and file recovery – Packet filter – Powerful session filter – Regular expression based search – File export, especially mail export – Packet dissect view 120
  • 121. NeSA Architecture Packet Hex View Packet Protocol Packet Capture Dissectors Analyser Packet Tree View Packet Filter Hex Dump Filter Rules View Pcap Format dump Picture (HTTP, SMTP, POP3 and FTP) View Packet Packet Session File Classifier Rebuild Parser View Mail Rebuild Crypto Parse Rules View Rules Media Player 121
  • 122. Future plan –Moving to online • Real-time packet analysis • Decryption support • Support for more protocols 122
  • 123. Catching Packets • Enable promiscuous mode of Ethernet card, from which packets has to be caught • Otherwise OS will see only the packets which are destined to that system only • Packet capture tools: – tcpdump – wireshark • Sample tcpdump comand: – tcpdump –s0 –ieth0 –wfile/to/store.dump – -s0 options tells to capture full length packet – -ieth0 options instructs to capture from the interface eth0 – -w option indicates to which file the captured packets has to be stored 123
  • 124. Catching packets in an Enterprise Only packets passing through gateway, no local Gateway traffic like “between N1 and N2” Only traffic between N5,N6 and Gateway, no other traffic like “between N1 and Switch Switch N2” N5 N6 Switch Switch Only traffic of N4 N1 N2 N3 N4 Place capture system accordingly 124
  • 125. 125
  • 126. 126
  • 127. 127
  • 128. 128
  • 129. Issues and Challenges • Processing the large data • Lack of forensics tools • Lack of proven methods • Varied attacks • Encrypted data • Partial data • Spoofed packets • Unknown protocols 129
  • 130. Thank you 130
  • 131. Appendix A – ICMP Message types Type Name Type Name ---- ------------------------ ---- ------------------------- 0 Echo Reply 17 Address Mask Request 1 Unassigned 18 Address Mask Reply 2 Unassigned 19 Reserved (for Security) 3 Destination Unreachable 20-29 Reserved (for Robustness 4 Source Quench Experiment) 5 Redirect 30 Traceroute 6 Alternate Host Address 31 Datagram Conversion Error 7 Unassigned 32 Mobile Host Redirect 8 Echo 33 IPv6 Where-Are-You 9 Router Advertisement 34 IPv6 I-Am-Here 10 Router Solicitation 35 Mobile Registration Request 36 Mobile Registration Reply 11 Time Exceeded 37 Domain Name Request 12 Parameter Problem 38 Domain Name Reply 13 Timestamp 39 SKIP 40 Photuris 14 Timestamp Reply 41-255 Reserved 15 Information Request 16 Information Reply 131