A 1-day short course developed for visiting guests from Tecsup on network forensics, prepared in a day : ]
The requirements/constraints were 5-7 hours of content and that the target audience had very little forensic or networking knowledge. [For that reason, flow analysis was not included as an exercise, discussion of network monitoring solutions was limited, and the focus was on end-node forensics, not networking devices/appliances themselves]
4. OVERVIEW
PURPOSE
Today’s lessons are intended to give you an introduction to elementary and intermediate
techniques in network forensics.
We are only scratching the surface, but it should be rewarding.
Please stop me at anytime to ask questions, or ask me to slow down!
5. OVERVIEW (CONT’D)
TOPICS
What is DFIR?
What is Network Forensics?
Digital Forensics vs. Incident Response
The Forensic Process (Abridged)
Quick Review: General Forensics
Quick Review: Fundamental Computing
Quick Review: Networking
Where does potential evidence exist?
What evidence are we looking for?
Environment Factors
Anti-Network Forensics
Acquisition
Wireshark Basics
Analysis
Exercise 1: Capturing browser traffic
Exercise 2: Ann and the Apple TV
Exercise 3: 10 Minutes of Internet
Exercise 4: Bad Actors and Bad Habits
6. WHAT IS DFIR?
Digital Forensics – More accurately Forensic Cybernetics
Forensic – "pertaining to or suitable for courts of law”
Cybernetics – “The field of study concerned with communication and control systems
in living organisms and machines.”
Cyber Forensics is then the investigation of the man-machine interface to a degree of
integrity and certainty that is suitable for a court of law.
Incident Response – the preparation and response to an emergency / emergent threat
7. DIGITAL FORENSICS VS. INCIDENT RESPONSE
Cyber Forensics | Incident Response
Sub-discipline of law | Sub-discipline of disaster recovery
“Post-mortem” | Post or concurrent to incident
Typically independent analysis | Working closely with IT to control situation
Must adhere to rules of evidence [federal, Daubert, etc.] | Must only be as reliable as necessary to determine a course of action
End Goal: determine sequence of events, attest. | End Goal: determine threat extent, mitigate threat
8. DF V. IR (CONT’D)
WHY HIGHLIGHT THESE DISTINCTIONS?
We are going to speak today about techniques from the
perspective of a Forensic Investigator.
However, the transient nature of network forensics means
that, many times, it is not possible to perform an acquisition
of evidence that adheres to current standards of evidence.
In this capacity, we will also look at things relevant to IR.
9. THE FORENSIC PROCESS (ABRIDGED)
THE QUICK AND DIRTY RUNDOWN
Remember the 3 A’s: Acquire, Analyze, Attest
Today we will be discussing acquisition and analysis techniques for network forensics.
Acquire:
• Document All Steps
• Establish Chain of Custody
• Authenticate Acquisition
Analyze:
• Document All Steps
• Follow a repeatable, explainable process
• Seek independence/exculpatory evidence
Attest:
• Report Documented Findings
• Back Assertions with Evidence
• Inter-subjective conclusions
10. QUICK REVIEW: GENERAL FORENSICS
LIGHTNING TALKS
Locard’s Principle of Exchange – “the perpetrator of a crime will bring
something into the crime scene and leave with something from it.”
This holds true in cyber forensics as well.
The change, or what is left behind, may be at a lower level than we typically look
(the disturbing of electrons) and may be temporal, but in the majority of
incidents, if you have been called in as an investigator, there is
already suspicion of malign activity that careful yet rapid acquisition will
reveal.
11. QUICK REVIEW: GENERAL FORENSICS (CONT’D)
LIGHTNING TALKS
Rules of Evidence – standards (such as the Daubert criteria) set
guidelines for admissibility. These “standards” vary across all levels of
government, and many disparate standards exist. Situational awareness
of this is paramount.
Importantly, these standards typically dictate a scientific, repeatable,
method of acquisition against the same data set. In the case of
networking, volatile memory, and certain flash storage, this can be
practically impossible.
12. QUICK REVIEW: GENERAL FORENSICS (CONT’D)
LIGHTNING TALKS
Our Mission as a forensic investigator – To understand and describe
an event, collection of events, or system in the most accurate and
detailed manner possible given all of the available information.
To maintain the integrity of the evidence and scene to ensure that
accuracy.
Sometimes, we must admit that there isn’t a conclusion that can be
accurately drawn based on the evidence.
Our mission is not to convict someone, nor to inject/assert conjecture as
fact.
13. QUICK REVIEW: FUNDAMENTAL COMPUTING
LIGHTNING TALKS
Computing
Processing, Storage, and Transmission [I/O]
Systems of Systems
Information
Has both Content and Context that we are interested in
Content – things the user/entity/protocol directly creates, accesses, or
modifies
Context – metadata that frames the content, providing a point of
reference & relativity
Cyber
The man-machine interface – adding people to the mix
14. QUICK REVIEW: NETWORKING
Networking – “To link together to allow the sharing of data, interactive operation, and efficient utilization of resources”
EXAMPLES OF NETWORK ARCHITECTURES (organized by protocol/suite)
TCP/IP
Control System: SCADA/ICS (ModBus, DNP3)
CAN: CanBus, MilCAN
USB/Firewire protocols
Bluetooth
PCI/PCIe Bus
Many more, including technologies like Ethernet and the 802.11 suite
IMPORTANT TAKE-AWAYS
Systems must use transmission to acquire/share information.
If it is in the browser, it came over the network, and can be reconstructed*
All malware that was not built into a system or physically added via hardware alteration must have traversed a network to infect that system.
15. QUICK REVIEW: NETWORKING (CONT’D)
TCP/IP NETWORKING AND THE OSI MODEL
For today’s exercises, we are only looking at Ethernet/TCP/IP
Several different models exist for defining these networking layers logically – we are going to focus on the Open Systems Interconnection (OSI) model (slightly modified)
Why does this matter?
[Logically grasping a unified model of internetworking fundamentally shapes your process for searching, identifying, acquiring, and understanding evidence, and your interactions with the tools used to acquire and analyze that evidence.]
16. QUICK REVIEW: NETWORKING (CONT’D)
The OSI Model of networking for the Internet (each layer is encapsulated by the layer below it):
[Layer 8] – Human
Layer 7 – Application
Layer 6 – Presentation
Layer 5 – Session
Layer 4 – Transportation
Layer 3 – Network
Layer 2 – Data-link
Layer 1 – Physical
[Layer 0] – Media
The OSI Model is typically composed of 7 layers, with each upper layer being encapsulated in the subsequent layer below it (or the next lowest layer to it).
We’ve modified the OSI model to meet our needs by adding 2 layers. “Layer 8” is a concept out of Social Engineering, but also applies to Forensic investigations. “Layer 0” is the physical media and can hold traditional forensic evidence like latent fingerprints, but can also tell us about unique constraints.
17. QUICK REVIEW: NETWORKING (CONT’D)
The OSI Model of networking for the Internet and common protocols at each level (encapsulation runs downward from Layer 7 to Layer 1):
[Layer 8] – Human
Layer 7 – Application: HTTP, DHCP, DNS, SMB, OSPF…lots more
Layer 6 – Presentation: MIME
Layer 5 – Session: SSL/TLS, NetBIOS, SAP, PPTP, RTP
Layer 4 – Transportation: TCP, UDP
Layer 3 – Network: IP, ICMP, IPSec, IGMP, IPX
Layer 2 – Data-link: ARP, PPP, L2TP, Frame Relay
Layer 1 – Physical: Ethernet, USB, FireWire, RS-232, 802.11
[Layer 0] – Media: RJ45 ethernet cables, 2.4-5 GHz spectrum
18. QUICK REVIEW: NETWORKING (CONT’D)
The OSI Model of networking for the Internet [same layer stack as the previous slides; encapsulation runs downward from Layer 7 to Layer 1]
Content can be found mainly at the application and transport layers, although technically it could exist anywhere via obscure/custom protocols (such as the use of covert channels).
19. QUICK REVIEW: NETWORKING (CONT’D)
The OSI Model of networking for the Internet [same layer stack as the previous slides]
Context can be found at every level of the OSI model; however, the most useful context is typically:
Layer 2 – MAC addresses to ID devices
Layer 3 – IP addresses, ICMP response flags (OS fingerprinting)
Layer 4 – Timing/sizing information (OS fingerprinting)
Layer 7 – Metadata provided by HTTP, NBNS, and routing protocols
Layer 8 – Naming conventions and other indicative habits/patterns
21. WHERE DOES POTENTIAL EVIDENCE EXIST?
What sources are we trying to acquire?
[It is paramount to understand that this is not a discrete question – these are SYSTEMS of systems that are interdependent. A pcap alone is not the extent of network forensics.]
22. WHERE DOES POTENTIAL EVIDENCE EXIST?
EVIDENCE PROVIDERS FOR A SINGLE SYSTEM OF A SERVER/CLIENT DEVICE
Network Transmissions
Volatile [Main] Memory
Persistent [Secondary] Memory
23. WHERE DOES POTENTIAL EVIDENCE EXIST?
For Your Situational Awareness:
Be aware that modern malware can do interesting things like network
through high-frequency sounds and hide in firmware/BIOS
Understand that your investigation is limited by what evidence providers
you collect from, and document such limitations in your analysis
24. WHAT POTENTIAL EVIDENCE EXISTS?
EXAMPLE NETWORK ARTIFACTS IN STORAGE MEDIA [NON-EXHAUSTIVE]
Volatile (Primary/Main) Memory
(this includes buffers on NICs)
open/prior connections, paired with processes that initiated them
recently used/downloaded programs and temporary files
recently run command output (ping/tracert/etc)
DNS cache
routing/arp table information
packets (buffered in memory)
Persistent (Secondary) Memory
recently run network programs (prefetch on Windows >= XP for instance)
logs/event records
recently visited URLs
IP addresses in email headers, configuration files, etc
Network captures (did the person have packet captures on their machine?)
25. WHAT POTENTIAL EVIDENCE EXISTS?
EVIDENCE PROVIDERS FOR ENTERPRISE SYSTEM NETWORK FORENSICS
There is overlap between these mediums. This is good:
Convergent sources of evidence means more support for that evidence,
which can be critical in court.
The more ways to verify an event, the better.
Remember: Network communications are a conversation. Evidence on one side
of this conversation means evidence may exist on the other side as well.
(and anywhere in between too)
26. WHAT ARE WE INTERESTED IN?
“IT DEPENDS”
What Evidence are we looking for?
It depends on:
Scope
Threat source (human intelligence vs. malware)
A multitude of other factors
Content:
Exists largely at the Application/Transportation Layer
Could be executables, documents, conversations, media (images/video/audio)
proof of transactions (CCNs, web URLs, etc.)
Context:
Timeline & Statistics (Sessions/Hosts/Ports/Protocols/Sizes)
Network Topology/Connected Devices
Historical Data (baselines/anomalies, previously connected to networks/keys,
etc.)
27. THE ENVIRONMENT
“NO REALLY, IT DEPENDS”
Whether doing Cyber Forensics or Incident Response, network transmissions are
temporal.
It may not be possible to personally collect the data that will be analyzed in a timely, cost
effective manner. This may necessitate instructing others in this process. You can only
hope that there is an IDS/NSM solution.
It’s difficult to be long range tech support and guarantee a forensically sound collection
process, or that the desired evidence is even collected (chain of custody can also be an
issue).
Be cognizant of this possibility and be able to define and explain your steps to others.
28. ANTI-NETWORK FORENSICS
THE 60,000 FT. VIEW
Largely these can be grouped into active/passive or exploitation vs. obfuscation
Obfuscation:
Spoofing (IP/MAC or IP Stack/User Agent strings to hide OS/Browser type)
Encryption (including TLS, Tor, custom)
Packing/compression of executables/files (Metasploit Stage 2 encoding)
Steganography : (
Covert channels (IP in DNS is a popular derivative, also Telex project)
Fragmentation/Order fuzzing (tools like SniffJoke)
Exploitation
Attacks against investigator/IDS tools (a la CVE-2011-1591)
Active detection of network monitoring (e.g. detecting promiscuous mode by
setting the MAC to illegal value and sending TCP SYN packet)
30. ACQUISITION
THE RIGHT TOOL FOR THE JOB
For our lab purposes we will be looking at relatively small data sets.
Enterprise networks have voluminous throughput -- possibly terabytes/petabytes a day at
multiple gigabits per second depending on the size of the organization.
The tools we use today, such as Wireshark, are often not capable of capturing this amount
of data without dropping packets/other degradation. Even command line tools like tshark
may have issues (they are also hardware/topology constrained).
There are open-source tools such as argus and ntop which can capture this kind of data,
but these are outside the scope of this lecture.
We will be manually analyzing packet data, but an automated solution may be required in
order to be successful and efficient within the time and resource constraints that are
present in “big data” situations.
31. ACQUISITION (CONT’D)
THE RIGHT TOOL FOR THE JOB
Today we will use and discuss:
Wireshark/tshark for network acquisition
(argus/nfcapd will be discussed for flow acquisition)
foremost (compiled for Windows) for carving data out of TCP streams in the pcap
(winpmem/LiME will be discussed for volatile memory acquisition)
(dd will be discussed for persistent memory acquisition)
and for analysis we will be using:
Wireshark (network capture analysis)
(chaosreader/SiLK will be discussed for automated packet capture extraction/analysis)
Volatility/NAFT (volatile memory analysis)
(Bulk Extractor will be discussed for persistent memory analysis)
32. WIRESHARK BASICS
FRAMES, STREAMS, AND FILTERS OH MY!
Open Wireshark, and follow along with me
Notice OSI structure for packet dissectors
Color represents level of OSI model/unique protocols
Display filters (including auto-generation of filter)
Following TCP streams (okay, so it’s still a display filter)
Resource for Display filters: http://www.firstdigest.com/2009/05/wiresharks-most-usefuldisplay-filters/
33. EXERCISE 1
CAPTURING BROWSER TRAFFIC
JOINT ACTIVITY:10 MINUTES
Summary: Start a network capture with Wireshark, note the initial traffic, open a web
browser, note the traffic generated by this action, browse to a webpage, stop the
capture, and use Wireshark to extract file artifacts from the HTTP/TCP streams.
34. CASE STUDY: ANN AND THE APPLE TV
This is a challenge provided by the network forensic puzzle contest. The pcap and
questions can be downloaded from
http://forensicscontest.com/2009/12/28/anns-appletv
It’s included to highlight the fact that over the past decade, unique sources of evidence in
the form of embedded devices and appliances have crept into the consumer world,
offering additional, potentially useful, information about a suspect’s habits, anomalous
activities, and whereabouts.
35. EXERCISE 2
ANN AND THE APPLE TV
JOINT ACTIVITY: 20 MINUTES
Summary: Given a pcap of an individual’s interactions with an AppleTV, answer the
associated questions.
Questions:
1. What is the MAC address of Ann’s AppleTV?
2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
4. What was the title of the first movie Ann clicked on?
5. What was the full URL to the movie trailer (defined by “preview-url”)?
6. What was the title of the second movie Ann clicked on?
7. What was the price to buy it (defined by “price-display”)?
8. What was the last full term Ann searched for?
36. SOLUTIONS: ANN AND THE APPLE TV
WIRESHARK FILTERS TO FIND SOLUTIONS
1) What is the MAC address of Ann’s AppleTV?
   Filter: eth.addr == 00:25:00:fe:07:c4
2) What User-Agent string did Ann’s AppleTV use in HTTP requests?
   Filter: http.user_agent == "AppleTV/2.4"
3) What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
   Filter: http.request.uri contains "/MZSearch.woa/wa/incrementalSearch"
4) What was the title of the first movie Ann clicked on?
   Filter: http.request.uri contains "viewMovie?"
5) What was the full URL to the movie trailer (defined by “preview-url”)?
   Filter: http.request.uri contains "viewMovie?"
6) What was the title of the second movie Ann clicked on?
   Filter: http.request.uri contains "viewMovie?"
7) What was the price to buy it (defined by “price-display”)?
   Filter: http.request.uri contains "viewMovie?"
8) What was the last full term Ann searched for?
   Filter: http.request.uri contains "/MZSearch.woa/wa/incrementalSearch"
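As an added example (not part of the course materials or the contest), the following Python script ties the OSI encapsulation slides to the display filters above: it builds a constructed pcap containing HTTP requests of the kind seen in the Ann challenge, de-encapsulates each frame layer by layer (Ethernet, IPv4, TCP, HTTP) naming fields the way Wireshark does, and then applies the same three filter forms used on this slide (eth.addr ==, http.user_agent ==, http.request.uri contains). The MAC address and User-Agent are the values given above; the IPs, ports, peer MAC and query strings are invented.

```python
import socket
import struct

# Constructed sample (not the contest pcap): the MAC and User-Agent are the values the
# slides give; IPs, ports, the peer MAC and the query strings are made up for illustration.
ANN_MAC = "00:25:00:fe:07:c4"
SAMPLE = [  # (source MAC, source IP, request URI, User-Agent)
    (ANN_MAC, "192.168.1.20", "/MZSearch.woa/wa/incrementalSearch?q=ha", "AppleTV/2.4"),
    (ANN_MAC, "192.168.1.20", "/WebObjects/MZStore.woa/wa/viewMovie?id=1", "AppleTV/2.4"),
    ("aa:bb:cc:dd:ee:ff", "192.168.1.21", "/index.html", "Mozilla/5.0"),
]

def build_frame(src_mac, src_ip, uri, agent):
    """Encapsulate top-down: HTTP (L7) inside TCP (L4) inside IPv4 (L3) inside Ethernet (L2)."""
    http = f"GET {uri} HTTP/1.1\r\nUser-Agent: {agent}\r\n\r\n".encode()
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("10.0.0.1"))
    return bytes.fromhex("001122334455" + src_mac.replace(":", "")) + b"\x08\x00" + ip + tcp

def build_pcap(frames):  # minimal libpcap file: 24-byte global header, 16-byte header per record
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return out + b"".join(struct.pack("<IIII", 1262000000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

def read_pcap(data):  # yield raw frames; Wireshark's "Frame" layer comes from this record header
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def dissect(frame):
    """De-encapsulate bottom-up, naming fields the way Wireshark's dissectors do."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    rec = {"eth.dst": mac(frame[0:6]), "eth.src": mac(frame[6:12])}
    if frame[12:14] != b"\x08\x00":                       # not IPv4: nothing above layer 2
        return rec
    ihl = (frame[14] & 0x0F) * 4
    rec["ip.src"], rec["ip.dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if frame[23] != 6:                                    # not TCP: nothing above layer 3
        return rec
    tcp = frame[14 + ihl:]
    rec["tcp.srcport"], rec["tcp.dstport"] = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    if payload[:4] in (b"GET ", b"POST"):                  # layer 7: parse the request head only
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        hdrs = {k.lower(): v for k, v in (h.split(": ", 1) for h in head[1:] if ": " in h)}
        rec["http.request.uri"], rec["http.user_agent"] = head[0].split(" ")[1], hdrs.get("user-agent", "")
    return rec

def apply_filter(records, field, op, value):
    """Emulate the display-filter forms on the solutions slide: '==' and 'contains'."""
    def hit(r):  # eth.addr matches either endpoint; other fields compare as strings
        got = [r["eth.src"], r["eth.dst"]] if field == "eth.addr" else [str(r.get(field, ""))]
        return any(g == value if op == "==" else value in g for g in got)
    return [r for r in records if hit(r)]

PCAP = build_pcap([build_frame(*row) for row in SAMPLE])
RECORDS = [dissect(f) for f in read_pcap(PCAP)]
```

Writing PCAP to a file and opening it in Wireshark lets you confirm that the same filter strings select the same frames.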
38. PRACTICE MAKES NEAR-PERFECT
MOOOOOOOOOAR WIRESHARK
Now that you’ve been exposed to display filters, content extractors, and
the dissectors within Wireshark, we are going to take a deeper dive.
The next exercise will familiarize you with some of Wireshark’s other
features
39. EXERCISE 3
10 MINUTES OF INTERNET
INDIVIDUAL ACTIVITY: 30 MINUTES
Summary: You’ve been provided with a slice of an enterprise network capture. You are
charged with identifying different network segments, and extracting data from different
protocols within the capture using Wireshark. There is not a right/wrong answer: this is
exploratory.
Hint: Follow the TCP streams, and remember that not everything worth extracting is a file.
40. VOLATILE MEMORY ANALYSIS
FOR NETWORK ARTIFACTS
We are going to use Volatility, an open source volatile memory analysis tool originally
developed here at Purdue by Aaron Walters. A special thanks to Aaron and his team!
Specifically, we are going to walk through the following network forensic steps on volatile
memory:
identifying network connections that were active at the time of the memory capture
scanning processes which have had active connections for evidence of malware
extracting a malicious DLL that was injected over the network, and comparing it to one
carved from a packet capture that triggered on the same attack
extracting packets from volatile memory and analyzing them for further evidence
42. EXERCISE 4
BAD ACTORS AND BAD HABITS
INDIVIDUAL/JOINT ACTIVITY
Summary: You’ve been provided with a pcap and a volatile memory capture that
contain evidence of a network exploitation. Determine where the exploit occurred in the
pcap, and extract the malicious executable. Then find network artifacts in the memory
capture which correlate to the pcap and compare.
Hint: https://code.google.com/p/volatility/wiki/CommandReference23#Networking
Bonus Hint: The executable is also in memory :D do they match?
43. SUMMARY
Network forensics can present problems with repeatability and rules of evidence when
it comes to acquisition of the evidence because it is transient.
The network forensic process is largely the same as that of a traditional digital forensic
investigation.
Network forensics is more than just packets on the wire.
Network forensics spans transmission, volatile memory, and persistent memory.
Use the right tools for the job – small packet captures can successfully be analyzed
with Wireshark, large scale captures may need to be automatically parsed before
narrowing down sections which can be further analyzed.
Hopefully, you walk away with a little more hands-on experience.
44. PARTING THOUGHTS
You still have a lot to learn ( I still have a lot to learn )
Technology is constantly evolving, you need to stay current
As they say, practice makes perfect (well….nobody’s perfect :D)
If this topic interests you, speak to me later or research:
Structured Traffic Analysis
Network Security Monitoring (Richard Bejtlich just released a new book)
Intrusion Detection Systems
https://tools.netsa.cert.org
https://www.enisa.europa.eu/activities/cert/support/exercise