This document discusses tools and techniques for network forensics. It describes email forensics tools like eMailTrackerPro and SmartWhoIs that can identify the physical location of an email sender. It also discusses web forensics tools like Web Historian and Index.dat Analyzer that reveal browsing history and files uploaded/downloaded. Packet sniffers like Ethereal are also covered, which capture and analyze network data. The document then surveys IP traceback techniques for identifying the source of attacking packets, and the use of honeypots and honeynets for gathering intelligence on network intruders.
The document discusses information technology law (also called cyber law) and cyber forensics. It explains that cyber law concerns the legal aspects of computing and the internet, including intellectual property, contracts, privacy, and jurisdiction. Cyber forensics involves examining digital evidence from computers and storage devices in a forensically sound manner to identify, preserve, recover, analyze and present digital information in a legal context.
Identifying Malicious Data in Social MediaIRJET Journal
This document discusses two approaches for identifying malicious data in social media: Shannon entropy and power law distribution. The Shannon entropy approach calculates the entropy of features like source/destination IP addresses and port numbers to detect anomalous network traffic patterns. The power law distribution approach models malware propagation across networks and finds that malware distribution transitions from exponential to power law over time. Experimental results on social media datasets found the Shannon entropy approach could detect malware based on the number of applications installed, while power law distribution identified good and malicious files shared between users. Both techniques aim to improve detection of malicious content shared over social networks.
Digital forensics involves the scientific analysis of digital evidence extracted from devices such as computers, laptops, mobiles, and storage devices. It aims to properly extract, analyze and document digital evidence for use in court. There are different stages including identifying purpose and resources, analyzing data using tools, interpreting results, documenting conclusions, and securing data for future use as evidence. Various branches of digital forensics examine different sources of digital evidence, such as network traffic and logs, firewall logs, databases, mobile devices, and email servers and accounts. Specialized tools are used to extract valuable information from these sources and assist with investigations.
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
Digital Forensics is a technique used to search for evidence of events that have occurred. This quest aims to reveal the hidden truth. The existence of digital forensic activities due to the occurrence of crimes both in the field of computers or other. Legal treatment in digital forensic field makes this area of science a compulsory device to dismantle crimes involving the computer world. In general, the cyber crime leaves a digital footprint, so it is necessary for a computer forensics expert to secure digital evidence. Computer forensics necessarily requires a standard operational procedure in taking digital evidence so as not to be contaminated or modified when the data is analyzed. The application of digital forensic is beneficial to the legal process going well and correctly.
This document discusses various topics related to cybercrime and computer security. It begins by defining cybercrime and computer crime, listing examples such as phishing, credit card fraud, and child pornography. It then discusses different types of security threats and computer threats, including accidental damages from environmental hazards or errors, and malicious damages intended to harm systems. The document also covers topics such as spam, computer fraud, data encryption, and the legal framework for electronic transactions. Overall, the document provides a broad overview of cybercrime and the various threats to computer and network security.
This document defines and discusses cyber crimes. It begins by defining cyber crimes as illegal activities involving computers and the internet, where computers can be the target, tool, or incidental to the crime. It then discusses the causes of cyber crimes, types of cyber crimes including hacking and phishing, who commits cyber crimes such as hackers and terrorists, and challenges and ways to prevent cyber crimes.
A hard bounce occurs when an email is sent to a recipient whose address cannot be found, while a soft bounce happens when an inbox is full. Computer spam involves sending emails with bad intentions like credit card scams or identity theft. Encryption uses an algorithm to transform readable information into an unreadable format, while decryption reverses this process. Netiquette refers to etiquette guidelines for safe and polite internet use.
The document discusses information technology law (also called cyber law) and cyber forensics. It explains that cyber law concerns the legal aspects of computing and the internet, including intellectual property, contracts, privacy, and jurisdiction. Cyber forensics involves examining digital evidence from computers and storage devices in a forensically sound manner to identify, preserve, recover, analyze and present digital information in a legal context.
Identifying Malicious Data in Social MediaIRJET Journal
This document discusses two approaches for identifying malicious data in social media: Shannon entropy and power law distribution. The Shannon entropy approach calculates the entropy of features like source/destination IP addresses and port numbers to detect anomalous network traffic patterns. The power law distribution approach models malware propagation across networks and finds that malware distribution transitions from exponential to power law over time. Experimental results on social media datasets found the Shannon entropy approach could detect malware based on the number of applications installed, while power law distribution identified good and malicious files shared between users. Both techniques aim to improve detection of malicious content shared over social networks.
Digital forensics involves the scientific analysis of digital evidence extracted from devices such as computers, laptops, mobiles, and storage devices. It aims to properly extract, analyze and document digital evidence for use in court. There are different stages including identifying purpose and resources, analyzing data using tools, interpreting results, documenting conclusions, and securing data for future use as evidence. Various branches of digital forensics examine different sources of digital evidence, such as network traffic and logs, firewall logs, databases, mobile devices, and email servers and accounts. Specialized tools are used to extract valuable information from these sources and assist with investigations.
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
Digital Forensics is a technique used to search for evidence of events that have occurred. This quest aims to reveal the hidden truth. The existence of digital forensic activities due to the occurrence of crimes both in the field of computers or other. Legal treatment in digital forensic field makes this area of science a compulsory device to dismantle crimes involving the computer world. In general, the cyber crime leaves a digital footprint, so it is necessary for a computer forensics expert to secure digital evidence. Computer forensics necessarily requires a standard operational procedure in taking digital evidence so as not to be contaminated or modified when the data is analyzed. The application of digital forensic is beneficial to the legal process going well and correctly.
This document discusses various topics related to cybercrime and computer security. It begins by defining cybercrime and computer crime, listing examples such as phishing, credit card fraud, and child pornography. It then discusses different types of security threats and computer threats, including accidental damages from environmental hazards or errors, and malicious damages intended to harm systems. The document also covers topics such as spam, computer fraud, data encryption, and the legal framework for electronic transactions. Overall, the document provides a broad overview of cybercrime and the various threats to computer and network security.
This document defines and discusses cyber crimes. It begins by defining cyber crimes as illegal activities involving computers and the internet, where computers can be the target, tool, or incidental to the crime. It then discusses the causes of cyber crimes, types of cyber crimes including hacking and phishing, who commits cyber crimes such as hackers and terrorists, and challenges and ways to prevent cyber crimes.
A hard bounce occurs when an email is sent to a recipient whose address cannot be found, while a soft bounce happens when an inbox is full. Computer spam involves sending emails with bad intentions like credit card scams or identity theft. Encryption uses an algorithm to transform readable information into an unreadable format, while decryption reverses this process. Netiquette refers to etiquette guidelines for safe and polite internet use.
1 ijaems sept-2015-3-different attacks in the network a reviewINFOGAIN PUBLICATION
This document discusses various types of network attacks. It categorizes attacks as either active or passive. Active attacks try to bypass security and modify information, and include denial of service attacks, IP spoofing, man-in-the-middle attacks, and masquerading. Passive attacks monitor unencrypted traffic to obtain sensitive information without detection, through eavesdropping, traffic analysis, or network analysis. Other attack types discussed are viruses, phishing, sniffing passwords. The document provides details on these different network attacks.
Now a day’s risk of becoming a victim of spam and phishing attacks increases while accessing Internet. Many Web
sites exhibit violent and illegal content. Most of users are now unable to protect their networks and themselves also. However,
some countries have deployed systems for filtering the Web content. Since, the existing systems show high latency and overblocking.
Thus, an efficient method for Web filtering concept to protect users at the Internet service provider level is
presented. The proposed solution can detect and block illegal and threatening Web sites. The suggested scalable softwarebased
approach can examine Internet domains in wire speed without over-blocking. The Web filter serves as security measure
for all connected users, especially for users with limited IT expert knowledge. This solution is totally transparent to all
Network devices in the network. Setup, installation and maintenance can be created only by the Internet Service provider
administrator. So, the suggested security system is safe from attacks from users and from the network side.
A denial-of-service (DoS) attack overwhelms a system's resources to prevent it from responding to requests, while a distributed denial-of-service (DDoS) attack uses multiple compromised systems. Common DoS/DDoS attacks include TCP SYN floods, teardrops, smurfing, and ping of death. In 2018, GitHub experienced a record 1.35 terabit DDoS attack. SQL injection occurs when malicious SQL queries are passed through user inputs to access databases. Man-in-the-middle attacks involve an attacker intercepting communications between two parties. Phishing scams use fraudulent emails to steal user information. Password attacks aim to obtain passwords through brute force guessing or
This document discusses why information security is needed for organizations. It provides four key functions of information security: 1) protecting the organization's ability to function, 2) enabling safe application operation, 3) protecting data, and 4) safeguarding technology assets. It then discusses various threats to information security, including intellectual property breaches, software attacks like viruses and worms, service disruptions, unauthorized access, natural disasters, human error, extortion, sabotage, theft, and technical failures. It concludes with discussing secure software development and common security problems.
The Proposed Development of Prototype with Secret Messages Model in Whatsapp ...IJECEIAES
Development of prototype at data security through secret messages is needed for disguising the messages sent in smartphone chatting application, WhatsApp (WA) Chat. We propose a model to disguise a plaintext message which is first encrypted by cryptosystem to change the plaintext message to ciphertext. Plaintext or plainimage entering the smartphone system is changed into encrypted text; receiver then can read the message by using similar key with the sender. The weakness of this proposal is the message random system is not planted directly in the chatting application; therefore message removing process from cryptosystem to WA application is still needed. The strength of using this model is the messages sent will not be easily re-encrypted by hacker and can be used at client computing section.
Detecting Spambot as an Antispam Technique for Web Internet BBSijsrd.com
Spam which is one of the most popular and also the most relevant topic that needs to be understood in the current scenario. Everyone whether it may be a small child or an old person are using emails everyday all around the world. The scenario which we are seeing is that almost no one is aware or in simple sentence they do not know what actually the spam is and what they will do in their systems. Spam in general means unsolicited or unwanted mails. Botnets are considered one of the main source of the spam. Botnet means the group of software's called bots and the function of these bots is to run on several compromised computers autonomously and automatically. The main objective of this paper is to detect such a bot or spambots for the Bulletin Board System (BBS). BBS is a computer that is running software that allows users to leave a message and access information of general interest. Originally BBSes were accessed only over a phone line using a modem, but nowadays some BBSes allowed access via a Telnet, packet switched network, or packet radio connection. The main methodology that we are going to focus is on Behavioural-based Spam Detection (BSD) method. Behavioral-based Spam Detector (BSD) combines several behaviours of the spam bots at different stages including the behaviour of spam preparation before the spam session when the spammers search for an open relay SMTP service to send e-mails through, and the behaviour of spammers while connecting to the mail server. Detecting the abnormal behaviour produced by the spam activities gives a high rate of suspicion on the existence of bots.
Digital forensics involves recovering and investigating material from digital devices, often related to computer crimes. The process includes seizing devices, imaging their contents, analyzing the data, and producing a report of evidence. Digital forensics has evolved over 30 years to address evolving crimes and now analyzes data from computers, networks, and mobile devices using specialized tools and methodologies. Skills required for digital forensics experts include technical, analytical, and legal expertise.
The document summarizes a technical analysis conducted by the FBI's Intelligence Safeguarding Branch to evaluate how well confidential information is protected. Simulations were run considering three locations - Washington D.C., Nebraska, and New Mexico - and using different information storage and sharing methods. The results showed the 2014 Washington D.C. methods had minimal leaks, Nebraska had no outside leaks but missing files, and New Mexico had some leaks but the highest was emails. Overall, the analysis found paper files with high tech security is currently best until new technology advances, and recommended new guidelines around sharing documents and using secured locations and communications.
SQL Vulnerability Prevention in Cybercrime using Dynamic Evaluation of Shell and Remote File Injection Attacks R. Ravi,
Department of Computer Science & Engineering,
Francis Xavier Engineering College, Tamil Nadu, India
Dr. Beulah Shekhar,
Department of Criminology,
Manonmanium Sundaranar University, Tamil Nadu, India
Network forensics is the capture, recording, and analysis of network events and traffic in order to discover the source of security attacks or other problem incidents. It involves systematically capturing and analyzing network traffic and events to trace and prove a network security incident. Network forensics provides crucial network-based evidence that can be used to successfully prosecute criminals. It is a difficult process that depends on maintaining high-quality network information.
A survey on Stack Path Identification and Encryption Adopted as Spoofing Defe...IOSR Journals
Abstract: Spoofing attacks are a constant nag in the information world, so many methodologies have been
invented to reduce on its effects but still there is a lot left to be desired. The kind of impact that this attacks have
on Electronic Payment Systems is so detrimental to the economic world given that this systems are viewed as
performance enhancers on payments. This study elaborates two methodologies a combination of StackPi and
Encryption as spoofing defense methodologies. Billions of shillings are lost in this rollercoaster thus giving rise
to a situation that deserves undivided attention and should be researched on. A profound argument on the
methodologies that have been used in this mission to eradicate spoofing attacks, the limitations that they posses
and other methodologies that have been brought in play to succeed them elicits an interesting he strategy of
integrating or combining methodologies and the benefits that this strategy contributes to curbing spoofing
attacks. With that knowledge underhand, it can be justified why the combination of Stack Pi and Encryption is a
recommended solution against spoofing attacks.
Keywords: Electronic Payment Systems, Encryption, Security, Spoofing attacks, Stack Pi
This document provides an overview of forensics and the history of the internet. It discusses early pioneers like Vannevar Bush and their ideas. It then summarizes the creation of ARPANET and how it led to the development of the internet. Key topics like domains, search engines, email, and hacking are defined. Examples of court cases involving digital forensics are also summarized. The document concludes by describing some cybersecurity products and services offered by Forensics Nation.
This document provides an overview of forensics and the history of the internet. It discusses early pioneers like Vannevar Bush and their ideas. It then outlines the creation of ARPANET and how it evolved into the modern internet, covering protocols, domains, search engines, and other key concepts. Examples are also given of criminal cases where digital forensics helped solve crimes involving hacking, child exploitation, and other internet-related offenses. Finally, various cybersecurity products from the company FNC are described.
Pattern Analysis and Signature Extraction for Intrusion Attacks on Web ServicesIJNSA Journal
The increasing popularity of web service technology is attracting hackers and attackers to hack the web services and the servers on which they run. Organizations are therefore facing the challenge of implementing adequate security for Web Services. A major threat is that of intruders which may maliciously try to access the data or services. The automated methods of signature extraction extract the binary pattern blindly resulting in more false positives. In this paper a semi automated approach is proposed to analyze the attacks and generate signatures for web services. For data collection, apart from the conventional SOAP data loggers, honeypots are also used that collect small data which is of high value. To filter out the most suspicious part of the data, SVM based classifier is employed to aid the system administrator. By applying an attack signature algorithm on the filtered data, a more balanced attack signature is extracted that results in fewer false positives and negatives. It helps the Security Administrator to identify the web services that are vulnerable or are attacked more frequently.
Experimental Analysis of Web Browser Sessions Using Live Forensics Method IJECEIAES
In today's digital era almost every aspect of life requires the internet, one way to access the internet is through a web browser. For security reasons, one developed is private mode. Unfortunately, some users using this feature do it for cybercrime. The use of this feature is to minimize the discovery of digital evidence. The standard investigative techniques of NIST need to be developed to uncover an ever-varied cybercrime. Live Forensics is an investigative development model for obtaining evidence of computer usage. This research provides a solution in forensic investigation effectively and efficiently by using live forensics. This paper proposes a framework for web browser analysis. Live Forensics allows investigators to obtain data from RAM that contains computer usage sessions.
Network Forensic Investigation of HTTPS ProtocolIJMER
International Journal of Modern Engineering Research (IJMER) is Peer reviewed, online Journal. It serves as an international archival forum of scholarly research related to engineering and science education.
The document discusses botnet detection using SSL encryption. It begins with an abstract discussing how botnets spread through distributed denial of service attacks and control large numbers of computers. The authors propose checking SSL traffic and features to detect malicious connections. It then discusses how botnets use peer-to-peer networks and protocols like HTTP and IRC, making detection challenging. The document outlines a framework for detecting P2P botnets using host-based and network-based methods. It describes applying the Apriori algorithm to find frequent itemsets in network data to identify systems likely to be infected. In conclusion, the authors present a detection system that can identify malicious connections over SSL and propose a graphical tool to detect future infected systems through data mining.
Optimised malware detection in digital forensicsIJNSA Journal
On the Internet, malware is one of the most serious threats to system security. Most complex issues and
problems on any systems are caused by malware and spam. Networks and systems can be accessed and
compromised by malware known as botnets, which compromise other systems through a coordinated
attack. Such malware uses anti-forensic techniques to avoid detection and investigation. To prevent systems
from the malicious activity of this malware, a new framework is required that aims to develop an optimised
technique for malware detection. Hence, this paper demonstrates new approaches to perform malware
analysis in forensic investigations and discusses how such a framework may be developed.
Lessons v on fraud awareness (digital forensics) [autosaved]Kolluru N Rao
Digital forensics is the scientific process of analyzing digital evidence from computers, mobile devices, and other electronic storage mediums. It involves securely acquiring and preserving digital evidence, extracting and analyzing relevant information, and documenting the process to present findings in a court of law. The key stages of digital forensics are identification, collection, analysis, interpretation, documentation and presentation of digital evidence. There are several branches of digital forensics including network forensics, firewall forensics, database forensics, mobile device forensics, and email forensics. Maintaining a proper chain of custody is also important to ensure digital evidence remains untampered and admissible in court.
This document provides an overview of how the internet can be used for forensic investigations. It discusses how the internet is a network of networks that connects computers globally. It describes how the world wide web, email, internet cookies, browsing history and bookmarks can be analyzed forensically to find evidence of a user's online activity. It also discusses how IP addresses, internet logs, volatile memory and network traffic can be investigated to identify hackers or in intrusion cases.
1 ijaems sept-2015-3-different attacks in the network a reviewINFOGAIN PUBLICATION
This document discusses various types of network attacks. It categorizes attacks as either active or passive. Active attacks try to bypass security and modify information, and include denial of service attacks, IP spoofing, man-in-the-middle attacks, and masquerading. Passive attacks monitor unencrypted traffic to obtain sensitive information without detection, through eavesdropping, traffic analysis, or network analysis. Other attack types discussed are viruses, phishing, sniffing passwords. The document provides details on these different network attacks.
Now a day’s risk of becoming a victim of spam and phishing attacks increases while accessing Internet. Many Web
sites exhibit violent and illegal content. Most of users are now unable to protect their networks and themselves also. However,
some countries have deployed systems for filtering the Web content. Since, the existing systems show high latency and overblocking.
Thus, an efficient method for Web filtering concept to protect users at the Internet service provider level is
presented. The proposed solution can detect and block illegal and threatening Web sites. The suggested scalable softwarebased
approach can examine Internet domains in wire speed without over-blocking. The Web filter serves as security measure
for all connected users, especially for users with limited IT expert knowledge. This solution is totally transparent to all
Network devices in the network. Setup, installation and maintenance can be created only by the Internet Service provider
administrator. So, the suggested security system is safe from attacks from users and from the network side.
A denial-of-service (DoS) attack overwhelms a system's resources to prevent it from responding to requests, while a distributed denial-of-service (DDoS) attack uses multiple compromised systems. Common DoS/DDoS attacks include TCP SYN floods, teardrops, smurfing, and ping of death. In 2018, GitHub experienced a record 1.35 terabit DDoS attack. SQL injection occurs when malicious SQL queries are passed through user inputs to access databases. Man-in-the-middle attacks involve an attacker intercepting communications between two parties. Phishing scams use fraudulent emails to steal user information. Password attacks aim to obtain passwords through brute force guessing or
This document discusses why information security is needed for organizations. It provides four key functions of information security: 1) protecting the organization's ability to function, 2) enabling safe application operation, 3) protecting data, and 4) safeguarding technology assets. It then discusses various threats to information security, including intellectual property breaches, software attacks like viruses and worms, service disruptions, unauthorized access, natural disasters, human error, extortion, sabotage, theft, and technical failures. It concludes with discussing secure software development and common security problems.
The Proposed Development of Prototype with Secret Messages Model in Whatsapp ...IJECEIAES
Development of prototype at data security through secret messages is needed for disguising the messages sent in smartphone chatting application, WhatsApp (WA) Chat. We propose a model to disguise a plaintext message which is first encrypted by cryptosystem to change the plaintext message to ciphertext. Plaintext or plainimage entering the smartphone system is changed into encrypted text; receiver then can read the message by using similar key with the sender. The weakness of this proposal is the message random system is not planted directly in the chatting application; therefore message removing process from cryptosystem to WA application is still needed. The strength of using this model is the messages sent will not be easily re-encrypted by hacker and can be used at client computing section.
Detecting Spambot as an Antispam Technique for Web Internet BBSijsrd.com
Spam which is one of the most popular and also the most relevant topic that needs to be understood in the current scenario. Everyone whether it may be a small child or an old person are using emails everyday all around the world. The scenario which we are seeing is that almost no one is aware or in simple sentence they do not know what actually the spam is and what they will do in their systems. Spam in general means unsolicited or unwanted mails. Botnets are considered one of the main source of the spam. Botnet means the group of software's called bots and the function of these bots is to run on several compromised computers autonomously and automatically. The main objective of this paper is to detect such a bot or spambots for the Bulletin Board System (BBS). BBS is a computer that is running software that allows users to leave a message and access information of general interest. Originally BBSes were accessed only over a phone line using a modem, but nowadays some BBSes allowed access via a Telnet, packet switched network, or packet radio connection. The main methodology that we are going to focus is on Behavioural-based Spam Detection (BSD) method. Behavioral-based Spam Detector (BSD) combines several behaviours of the spam bots at different stages including the behaviour of spam preparation before the spam session when the spammers search for an open relay SMTP service to send e-mails through, and the behaviour of spammers while connecting to the mail server. Detecting the abnormal behaviour produced by the spam activities gives a high rate of suspicion on the existence of bots.
Digital forensics involves recovering and investigating material from digital devices, often related to computer crimes. The process includes seizing devices, imaging their contents, analyzing the data, and producing a report of evidence. Digital forensics has evolved over 30 years to address evolving crimes and now analyzes data from computers, networks, and mobile devices using specialized tools and methodologies. Skills required for digital forensics experts include technical, analytical, and legal expertise.
The document summarizes a technical analysis conducted by the FBI's Intelligence Safeguarding Branch to evaluate how well confidential information is protected. Simulations were run considering three locations - Washington D.C., Nebraska, and New Mexico - and using different information storage and sharing methods. The results showed the 2014 Washington D.C. methods had minimal leaks, Nebraska had no outside leaks but missing files, and New Mexico had some leaks but the highest was emails. Overall, the analysis found paper files with high tech security is currently best until new technology advances, and recommended new guidelines around sharing documents and using secured locations and communications.
SQL Vulnerability Prevention in Cybercrime using Dynamic Evaluation of Shell and Remote File Injection Attacks R. Ravi,
Department of Computer Science & Engineering,
Francis Xavier Engineering College, Tamil Nadu, India
Dr. Beulah Shekhar,
Department of Criminology,
Manonmanium Sundaranar University, Tamil Nadu, India
Network forensics is the capture, recording, and analysis of network events and traffic in order to discover the source of security attacks or other problem incidents. It involves systematically capturing and analyzing network traffic and events to trace and prove a network security incident. Network forensics provides crucial network-based evidence that can be used to successfully prosecute criminals. It is a difficult process that depends on maintaining high-quality network information.
A survey on Stack Path Identification and Encryption Adopted as Spoofing Defe...IOSR Journals
Abstract: Spoofing attacks are a constant nag in the information world, so many methodologies have been
invented to reduce on its effects but still there is a lot left to be desired. The kind of impact that this attacks have
on Electronic Payment Systems is so detrimental to the economic world given that this systems are viewed as
performance enhancers on payments. This study elaborates two methodologies a combination of StackPi and
Encryption as spoofing defense methodologies. Billions of shillings are lost in this rollercoaster thus giving rise
to a situation that deserves undivided attention and should be researched on. A profound argument on the
methodologies that have been used in this mission to eradicate spoofing attacks, the limitations that they posses
and other methodologies that have been brought in play to succeed them elicits an interesting he strategy of
integrating or combining methodologies and the benefits that this strategy contributes to curbing spoofing
attacks. With that knowledge underhand, it can be justified why the combination of Stack Pi and Encryption is a
recommended solution against spoofing attacks.
Keywords: Electronic Payment Systems, Encryption, Security, Spoofing attacks, Stack Pi
This document provides an overview of forensics and the history of the internet. It discusses early pioneers like Vannevar Bush and their ideas. It then summarizes the creation of ARPANET and how it led to the development of the internet. Key topics like domains, search engines, email, and hacking are defined. Examples of court cases involving digital forensics are also summarized. The document concludes by describing some cybersecurity products and services offered by Forensics Nation.
This document provides an overview of forensics and the history of the internet. It discusses early pioneers like Vannevar Bush and their ideas. It then outlines the creation of ARPANET and how it evolved into the modern internet, covering protocols, domains, search engines, and other key concepts. Examples are also given of criminal cases where digital forensics helped solve crimes involving hacking, child exploitation, and other internet-related offenses. Finally, various cybersecurity products from the company FNC are described.
Pattern Analysis and Signature Extraction for Intrusion Attacks on Web ServicesIJNSA Journal
The increasing popularity of web service technology is attracting hackers and attackers to hack the web services and the servers on which they run. Organizations are therefore facing the challenge of implementing adequate security for Web Services. A major threat is that of intruders which may maliciously try to access the data or services. The automated methods of signature extraction extract the binary pattern blindly resulting in more false positives. In this paper a semi automated approach is proposed to analyze the attacks and generate signatures for web services. For data collection, apart from the conventional SOAP data loggers, honeypots are also used that collect small data which is of high value. To filter out the most suspicious part of the data, SVM based classifier is employed to aid the system administrator. By applying an attack signature algorithm on the filtered data, a more balanced attack signature is extracted that results in fewer false positives and negatives. It helps the Security Administrator to identify the web services that are vulnerable or are attacked more frequently.
Experimental Analysis of Web Browser Sessions Using Live Forensics Method IJECEIAES
In today's digital era almost every aspect of life requires the internet, one way to access the internet is through a web browser. For security reasons, one developed is private mode. Unfortunately, some users using this feature do it for cybercrime. The use of this feature is to minimize the discovery of digital evidence. The standard investigative techniques of NIST need to be developed to uncover an ever-varied cybercrime. Live Forensics is an investigative development model for obtaining evidence of computer usage. This research provides a solution in forensic investigation effectively and efficiently by using live forensics. This paper proposes a framework for web browser analysis. Live Forensics allows investigators to obtain data from RAM that contains computer usage sessions.
Network Forensic Investigation of HTTPS ProtocolIJMER
International Journal of Modern Engineering Research (IJMER) is Peer reviewed, online Journal. It serves as an international archival forum of scholarly research related to engineering and science education.
The document discusses botnet detection using SSL encryption. It begins with an abstract discussing how botnets spread through distributed denial of service attacks and control large numbers of computers. The authors propose checking SSL traffic and features to detect malicious connections. It then discusses how botnets use peer-to-peer networks and protocols like HTTP and IRC, making detection challenging. The document outlines a framework for detecting P2P botnets using host-based and network-based methods. It describes applying the Apriori algorithm to find frequent itemsets in network data to identify systems likely to be infected. In conclusion, the authors present a detection system that can identify malicious connections over SSL and propose a graphical tool to detect future infected systems through data mining.
Optimised malware detection in digital forensicsIJNSA Journal
On the Internet, malware is one of the most serious threats to system security. Most complex issues and
problems on any systems are caused by malware and spam. Networks and systems can be accessed and
compromised by malware known as botnets, which compromise other systems through a coordinated
attack. Such malware uses anti-forensic techniques to avoid detection and investigation. To prevent systems
from the malicious activity of this malware, a new framework is required that aims to develop an optimised
technique for malware detection. Hence, this paper demonstrates new approaches to perform malware
analysis in forensic investigations and discusses how such a framework may be developed.
Lessons v on fraud awareness (digital forensics) [autosaved]Kolluru N Rao
Digital forensics is the scientific process of analyzing digital evidence from computers, mobile devices, and other electronic storage mediums. It involves securely acquiring and preserving digital evidence, extracting and analyzing relevant information, and documenting the process to present findings in a court of law. The key stages of digital forensics are identification, collection, analysis, interpretation, documentation and presentation of digital evidence. There are several branches of digital forensics including network forensics, firewall forensics, database forensics, mobile device forensics, and email forensics. Maintaining a proper chain of custody is also important to ensure digital evidence remains untampered and admissible in court.
This document provides an overview of how the internet can be used for forensic investigations. It discusses how the internet is a network of networks that connects computers globally. It describes how the world wide web, email, internet cookies, browsing history and bookmarks can be analyzed forensically to find evidence of a user's online activity. It also discusses how IP addresses, internet logs, volatile memory and network traffic can be investigated to identify hackers or in intrusion cases.
Internet Relay Chat, or IRC, is a protocol that allows users that connect to Internet Relay Chat Servers to have conversation with others in real time. Users connect to IRC Servers using an IRC Client. Commercial chat client’s like yahoo! and google chat are quite popular in wide use. To other chat clients were worth exploring. These tools are arguably better suited for criminal activity. IRC is one such tool. There are basically two options available to investigators involved in an IRC occurrence. They can look at log files on servers or clients or they can monitor transmission directly. In this paper we have been using X Chat application for the IRC Forensic Investigation. We capture the IRC Client’s packets and analyze that packets.
AN EMPIRICAL ANALYSIS OF EMAIL FORENSICS TOOLSIJNSA Journal
Emails are the most common service on the Internet for communication and sending documents. Email is used not only from computers but also from many other electronic devices such as tablets; smartphones, etc. Emails can also be used for criminal activities. Email forensic refers to the study of email detail and content as evidence to identify the actual sender and recipient of a message, date/time of transmission, detailed record of email transaction, intent of the sender, etc. Email forensics involves investigation of metadata, keyword, searching, port scanning and generating report based on investigators need. Many tools are available for any investigation that involves email forensics. Investigators should be very careful of not violating user’s privacy. To this end, investigators should run keyword searches to reveal only the relevant emails. Therefore, knowledge of the features of the tool and the search features is necessary for the tool selection. In this research, we experimentally compare the performance of several email forensics tools. Our aim is to help the investigators with the tool selection task. We evaluate the tools in terms of their keyword search, report generation, and other features such as, email format, size of the file accepted, whether they work online or offline, format of the reports, etc. We use Enron email dataset for our experiment.
A Review on Recovering and Examining Computer Forensic EvidencesBRNSSPublicationHubI
This document discusses computer forensics and the process of recovering and examining digital evidence. It begins by defining computer forensics as the process of preserving, identifying, extracting, and documenting electronic evidence in a way that is admissible in a court of law. The goals of computer forensics are to identify intruders, prosecute criminals, and present digital evidence in court. Key methodologies used in computer forensics examinations include making bit-for-bit copies of storage devices, using forensic tools to recover deleted files and data, and examining log files and metadata.
Topic Since information extracted from router or switch interfaces.docxjuliennehar
Topic Since information extracted from router or switch interfaces to not provide specific evidence of a particular crime in most cases, what use is the information collected from these devices.
Read and respond to atleast two other students Discussions. (5-6 lines would be more sufficient)
#1.Posted by Srikanth
Routers and switches give the availability, both inside the demilitarized Zone (DMZ) environment and to different tareas of the system to which the DMZ is connected. This makes Routers and switches prime targets for hackers to exploit and gather data about the system or just use as springboards on other devices. This section presents data on the best way to information and arrange some significant router and switch security includes that enable run safely and ensure the devices that they associate. Routers direct traffic all through the undertaking system and are normally the first line of barrier when the system is associating with the Internet. Hackers try to infiltrate routers to gather data or use them as launching pads for further attacks. This is the reason it is critical to secure switches' management interfaces and services to make them trouble for an interloper to hack. Similarly as with routers, switches have an expanding job in system security. The switch gives numerous highlights, including port security. VLANs and PVLANs give the tools to keep the devices on the DMZ secure. It is additionally imperative to secure the switch's management interfaces and services with the goal that hackers can't break into the switch to change VLAN designs, change port settings, or utilize the switch to connect with different parts of the network.
Network forensics is capture, recording and analysis of network packets in order to determine the source of network security attacks. The major goal of network forensics is to collect evidence. It tries to analyze network traffic data, which is collected from different sites and different network equipment, such as firewalls and IDS. In addition, it monitors on the network to detect attacks and analyze the nature of attackers. Network forensics is also the process of detecting intrusion patterns, focusing on attacker activity.
Computer documents, emails, text and instant messages, transactions, images and Internet histories are examples of information that can be gathered from electronic devices and used very effectively as evidence. For example, mobile devices use online-based based backup systems, also known as the “cloud”, that provide forensic investigators with access to text messages and pictures taken from a particular phone. These systems keep an average of 1,000–1,500 or more of the last text messages sent to and received from that phone.In addition, many mobile devices store information about the locations where the device traveled and when it was there. To gain this knowledge, investigators can access an average of the last 200 cell locations accessed by a mobile device. Satellite navig ...
Live forensics of tools on android devices for email forensicsTELKOMNIKA JOURNAL
Email is one communication technology that can be used to exchange information, data, and etc. The development of email technology not only can be opened using a computer but can be opened using an smartphone. The most widely used smartphone in Indonesian society is Android. Within a row, the development technology of higher cybercrime such as email fraud catching cybercrime offenders need evidence to be submitted to a court, for obtain evidence can use tools like Wireshark and Networkminer to analyzing network traffic on live networks. Opportunity, we will do a comparison of the forensic tools it to acquire digital evidence. The subject of this research focused on Android-based email service to get as much digital evidence as possible on both tools. This process uses National Institute of Standards and Technology method. The results of this research that networkminer managed to get the receiving port, while in Wireshark not found.
A Literature Review On Cyber Forensic And Its Analysis ToolsSamantha Vargas
This document discusses cyber forensics and analysis tools. It begins with an abstract that outlines how digital forensics is used to investigate cyber attacks and acquire electronic evidence in a way that is admissible in court. It then provides details on common digital forensics procedures like isolating devices, making copies of storage media, and using recovery software to examine copies searching for deleted, encrypted, or damaged files. The document also summarizes several research papers on topics like recovering encryption keys from memory dumps, decrypting encrypted drives, analyzing computer usage policies and violations, collecting evidence from attacker and victim machines, using clustering algorithms to analyze unstructured text in investigations, and analyzing encrypted volumes and memory to obtain digital evidence.
The presentation provides an overview of digital/computer forensics. It defines key concepts like digital evidence and the forensic process. The objectives are to introduce forensic concepts, understand investigation goals and tools, and how forensics is used for cybercrime. The presentation outlines include topics like rationale for forensics, the investigator's role, comparing cybercrime and evidence, challenges, and open-source tools available in Kali Linux.
Forensic the word which indicate the detective work, which searches for and attempting to discover information. Mainly search is carried out for collecting evidence for investigation which is useful in criminal, civil or corporate investigations. Investigation is applicable in presence of some legal rules.
As criminals are getting smarter to perform crime that is, using data hiding techniques such as encryption and steganography, so forensic department has become alert has introduced a new concept called as Digital Forensic, which handles sensitive data which is responsible and confidential.
Network security involves protecting networks from unauthorized access and risks. It is important for network administrators to take preventive measures to secure networks used by individuals, businesses, and governments. There are various types of network security devices that fulfill different functions like blocking surplus traffic (active devices), identifying unwanted traffic (passive devices), and scanning for potential problems (preventative devices). Firewalls are a key example of an active device that establishes a barrier between internal and external networks and regulates incoming and outgoing traffic.
This document discusses the network analysis tools Network Miner and Wireshark. Network Miner is described as a powerful tool that allows users to parse libcap files, do live packet captures, and reconstruct FTP, SMB, HTTP and TFTP data streams. It can capture data from multiple network interfaces, view credential data, use DNS information, search for keywords, view clear text, and reconstruct files transferred. Wireshark is an open source network protocol analyzer that allows users to interactively browse network data traffic. It supports live data reading, display filters to organize data, and new protocol analysis through plugins. The document concludes by stating it will look at using Network Miner and Wireshark in practice.
Team research paper and project on network vulnerabilities with multiple attacks and defesnses:
Cybersecurity
-For this project, our class was paired with teams to attempt to find vulnerabilities in other teams networks and to successfully beach their network.
-My role in this group was to help breach other team vulnerabilities through different attacks like responder attacks, honeypots, etc.
-The main challenges of this project were trying to find the vulnerabilities successfully, as the whole team had troubles with each of our different attacks and defenses.
-We learned how to use cybersecurity tools to help find vulnerabilities in networks and how to protect against them better. For example, in the honeypot we used we deployed it to port 80, when the attacker tried to access our fake server we were notified. We also deployed palto alto firewall to create our private and secure network. For an attack, we also used password crackers like john the ripper. This project taught us how to breach networks as a team.
IRJET- Security from Threats of Computer SystemIRJET Journal
Governments are finding cyber security to be a major challenge as they store far more data than the private sector, often in older and more vulnerable systems, and are regularly targeted by hackers and sophisticated malware. The document discusses various threats to computer systems like malware, viruses, phishing, and zero-day attacks. It proposes solutions like usernames and passwords, firewalls, email encryption, updated anti-virus software, and regular backups to provide security from these threats. Analysis of existing security solutions can help determine weaknesses in data security.
Applicability of Network Logs for Securing Computer SystemsIDES Editor
Logging the events occurring on the network has
become very essential and thus playing a major role in
monitoring the events in order to keep check over them so
that they doesn’t harm any resources of the system or the
system itself. The analysis of network logs are becoming the
beneficial security research oriented field which will be desired
in the computer era. Organizations are reluctant to expose
their logs due to risk of attackers stealing the sensitive
information from their respective logs. In this paper we are
defining architecture and the security measures that can be
applied for a particular network log.
Guarding Against Large-Scale Scrabble In Social NetworkEditor IJCATR
Generally, the botnet is one of the most dangerous threats in the network. It has number attackers in the network. The
attacker consists of DDOS attack, remote attack, etc., Bots perform perform repetitive tasks automatically or on a schedule over the
internet, tasks that would be too mundane or time-consuming for an actual person. But the botnets have stealthy behavior as they are
very difficult to identify. These botnets have to be identified and the internet have to be protected. Also the the activity of botnets must
be prevented to provide the users, a reliable service. The past of botnet detection has a transaction process which is not secure. A
efficient stastical data classifier is required to train the botent preventions system. To provide the above features clustering based
analysis is done. our approach can detect and profile various P2P applications rather than identifying a specific P2P application.
Anomaly based detection technique is used to obtain this goal.
A CASE STUDY ON VARIOUS NETWORK SECURITY TOOLSKatie Robinson
Network security tools play an important role in cybersecurity. The document discusses various network security tools including vulnerability scanners like Nessus, packet sniffers like Wireshark, password crackers like John the Ripper, honeypots, and wireless security tools like NetStumbler. It provides an overview of the most popular tools, how they work, and what features they provide to enhance network security through activities like vulnerability detection, packet analysis, password cracking, and monitoring of network traffic. The top five tools discussed are Wireshark, Nessus, Snort, John the Ripper, and NetStumbler.
Deep Learning based Threat / Intrusion detection systemAffine Analytics
The document describes a proposed intrusion/threat detection system with the following key components:
1. A feature engineering module to extract relevant features from organizational data like employee information and online activities.
2. A text processing and topic modeling module to analyze communications data and identify confidential information.
3. An internal threat detection system using deep learning to detect threats in real-time with a risk score and predefined response policies.
4. An external threat detection system using signatures and anomaly detection to enforce actions against external threats.
Cybercrime is increasing at a faster pace and sometimes causes billions of dollars of business- losses so
investigating attackers after commitment is of utmost importance and become one of the main concerns of
network managers. Network forensics as the process of Collecting, identifying, extracting and analyzing
data and systematically monitoring traffic of network is one of the main requirements in detection and
tracking of criminals. In this paper, we propose an architecture for network forensic system. Our proposed
architecture consists of five main components: collection and indexing, database management, analysis
component, SOC communication component and the database.
The main difference between our proposed architecture and other systems is in analysis component. This
component is composed of four parts: Analysis and investigation subsystem, Reporting subsystem, Alert
and visualization subsystem and the malware analysis subsystem. The most important differentiating
factors of the proposed system with existing systems are: clustering and ranking of malware, dynamic
analysis of malware, collecting and analysis of network flows and anomalous behavior analysis.
Optimised Malware Detection in Digital Forensics IJNSA Journal
This summarizes a research paper that proposes developing a new framework to optimize malware detection in digital forensics investigations. The paper discusses challenges with existing detection methods, such as signature-based approaches requiring extensive manual analysis. Through a market research survey of forensics professionals, the paper finds weaknesses in current skills, tools, and accuracy rates. Most respondents agreed a new customized detection tool is needed that employs both dynamic and static analysis methods. The proposed framework aims to address these issues to more effectively detect and analyze malware.
Similar to TOOLS AND TECHNIQUES FOR NETWORK FORENSICS (20)
Comparative analysis between traditional aquaponics and reconstructed aquapon...bijceesjournal
The aquaponic system of planting is a method that does not require soil usage. It is a method that only needs water, fish, lava rocks (a substitute for soil), and plants. Aquaponic systems are sustainable and environmentally friendly. Its use not only helps to plant in small spaces but also helps reduce artificial chemical use and minimizes excess water use, as aquaponics consumes 90% less water than soil-based gardening. The study applied a descriptive and experimental design to assess and compare conventional and reconstructed aquaponic methods for reproducing tomatoes. The researchers created an observation checklist to determine the significant factors of the study. The study aims to determine the significant difference between traditional aquaponics and reconstructed aquaponics systems propagating tomatoes in terms of height, weight, girth, and number of fruits. The reconstructed aquaponics system’s higher growth yield results in a much more nourished crop than the traditional aquaponics system. It is superior in its number of fruits, height, weight, and girth measurement. Moreover, the reconstructed aquaponics system is proven to eliminate all the hindrances present in the traditional aquaponics system, which are overcrowding of fish, algae growth, pest problems, contaminated water, and dead fish.
Batteries -Introduction – Types of Batteries – discharging and charging of battery - characteristics of battery –battery rating- various tests on battery- – Primary battery: silver button cell- Secondary battery :Ni-Cd battery-modern battery: lithium ion battery-maintenance of batteries-choices of batteries for electric vehicle applications.
Fuel Cells: Introduction- importance and classification of fuel cells - description, principle, components, applications of fuel cells: H2-O2 fuel cell, alkaline fuel cell, molten carbonate fuel cell and direct methanol fuel cells.
ACEP Magazine edition 4th launched on 05.06.2024Rahul
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
A review on techniques and modelling methodologies used for checking electrom...nooriasukmaningtyas
The proper function of the integrated circuit (IC) in an inhibiting electromagnetic environment has always been a serious concern throughout the decades of revolution in the world of electronics, from disjunct devices to today’s integrated circuit technology, where billions of transistors are combined on a single chip. The automotive industry and smart vehicles in particular, are confronting design issues such as being prone to electromagnetic interference (EMI). Electronic control devices calculate incorrect outputs because of EMI and sensors give misleading values which can prove fatal in case of automotives. In this paper, the authors have non exhaustively tried to review research work concerned with the investigation of EMI in ICs and prediction of this EMI using various modelling methodologies and measurement setups.
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEMHODECEDSIET
Time Division Multiplexing (TDM) is a method of transmitting multiple signals over a single communication channel by dividing the signal into many segments, each having a very short duration of time. These time slots are then allocated to different data streams, allowing multiple signals to share the same transmission medium efficiently. TDM is widely used in telecommunications and data communication systems.
### How TDM Works
1. **Time Slots Allocation**: The core principle of TDM is to assign distinct time slots to each signal. During each time slot, the respective signal is transmitted, and then the process repeats cyclically. For example, if there are four signals to be transmitted, the TDM cycle will divide time into four slots, each assigned to one signal.
2. **Synchronization**: Synchronization is crucial in TDM systems to ensure that the signals are correctly aligned with their respective time slots. Both the transmitter and receiver must be synchronized to avoid any overlap or loss of data. This synchronization is typically maintained by a clock signal that ensures time slots are accurately aligned.
3. **Frame Structure**: TDM data is organized into frames, where each frame consists of a set of time slots. Each frame is repeated at regular intervals, ensuring continuous transmission of data streams. The frame structure helps in managing the data streams and maintaining the synchronization between the transmitter and receiver.
4. **Multiplexer and Demultiplexer**: At the transmitting end, a multiplexer combines multiple input signals into a single composite signal by assigning each signal to a specific time slot. At the receiving end, a demultiplexer separates the composite signal back into individual signals based on their respective time slots.
### Types of TDM
1. **Synchronous TDM**: In synchronous TDM, time slots are pre-assigned to each signal, regardless of whether the signal has data to transmit or not. This can lead to inefficiencies if some time slots remain empty due to the absence of data.
2. **Asynchronous TDM (or Statistical TDM)**: Asynchronous TDM addresses the inefficiencies of synchronous TDM by allocating time slots dynamically based on the presence of data. Time slots are assigned only when there is data to transmit, which optimizes the use of the communication channel.
### Applications of TDM
- **Telecommunications**: TDM is extensively used in telecommunication systems, such as in T1 and E1 lines, where multiple telephone calls are transmitted over a single line by assigning each call to a specific time slot.
- **Digital Audio and Video Broadcasting**: TDM is used in broadcasting systems to transmit multiple audio or video streams over a single channel, ensuring efficient use of bandwidth.
- **Computer Networks**: TDM is used in network protocols and systems to manage the transmission of data from multiple sources over a single network medium.
### Advantages of TDM
- **Efficient Use of Bandwidth**: TDM all
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsVictor Morales
K8sGPT is a tool that analyzes and diagnoses Kubernetes clusters. This presentation was used to share the requirements and dependencies to deploy K8sGPT in a local environment.
Embedded machine learning-based road conditions and driving behavior monitoringIJECEIAES
Car accident rates have increased in recent years, resulting in losses in human lives, properties, and other financial costs. An embedded machine learning-based system is developed to address this critical issue. The system can monitor road conditions, detect driving patterns, and identify aggressive driving behaviors. The system is based on neural networks trained on a comprehensive dataset of driving events, driving styles, and road conditions. The system effectively detects potential risks and helps mitigate the frequency and impact of accidents. The primary goal is to ensure the safety of drivers and vehicles. Collecting data involved gathering information on three key road events: normal street and normal drive, speed bumps, circular yellow speed bumps, and three aggressive driving actions: sudden start, sudden stop, and sudden entry. The gathered data is processed and analyzed using a machine learning system designed for limited power and memory devices. The developed system resulted in 91.9% accuracy, 93.6% precision, and 92% recall. The achieved inference time on an Arduino Nano 33 BLE Sense with a 32-bit CPU running at 64 MHz is 34 ms and requires 2.6 kB peak RAM and 139.9 kB program flash memory, making it suitable for resource-constrained embedded systems.
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...University of Maribor
Slides from talk presenting:
Aleš Zamuda: Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapter and Networking.
Presentation at IcETRAN 2024 session:
"Inter-Society Networking Panel GRSS/MTT-S/CIS
Panel Session: Promoting Connection and Cooperation"
IEEE Slovenia GRSS
IEEE Serbia and Montenegro MTT-S
IEEE Slovenia CIS
11TH INTERNATIONAL CONFERENCE ON ELECTRICAL, ELECTRONIC AND COMPUTING ENGINEERING
3-6 June 2024, Niš, Serbia
Introduction- e - waste – definition - sources of e-waste– hazardous substances in e-waste - effects of e-waste on environment and human health- need for e-waste management– e-waste handling rules - waste minimization techniques for managing e-waste – recycling of e-waste - disposal treatment methods of e- waste – mechanism of extraction of precious metal from leaching solution-global Scenario of E-waste – E-waste in India- case studies.
1. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
14
TOOLS AND TECHNIQUES FOR NETWORK
FORENSICS
Natarajan Meghanathan, Sumanth Reddy Allam and Loretta A. Moore
Department of Computer Science, Jackson State University, Jackson, MS 39217, USA
1
nmeghanathan@jsums.edu,
2
sumanth.project@gmail.com,
3
loretta.a.moore@jsums.edu
ABSTRACT
Network forensics deals with the capture, recording and analysis of network events in order to discover
evidential information about the source of security attacks in a court of law. This paper discusses the
different tools and techniques available to conduct network forensics. Some of the tools discussed
include: eMailTrackerPro – to identify the physical location of an email sender; Web Historian – to find
the duration of each visit and the files uploaded and downloaded from the visited website; packet sniffers
like Ethereal – to capture and analyze the data exchanged among the different computers in the network.
The second half of the paper presents a survey of different IP traceback techniques like packet marking
that help a forensic investigator to identify the true sources of the attacking IP packets. We also discuss
the use of Honeypots and Honeynets that gather intelligence about the enemy and the tools and tactics of
network intruders.
KEYWORDS
Network Forensics, IP Traceback, Honeypots, Packet Sniffers, Legal Aspects
1. INTRODUCTION
Internet usage has increased drastically in the past ten years. Recent studies reveal that today in
the United States for every three people, one would be using the Internet for their personal
activity, or for their business needs [1]. As the number of people using the Internet increases,
the number of illegal activities such as data theft, identity theft, etc also increases exponentially.
Computer Forensics deals with the collection and analysis of data from computer systems,
networks, communication streams (wired and wireless) and storage media in a manner
admissible in a court of law [2]. Network forensics deals with the capture, recording or analysis
of network events in order to discover evidential information about the source of security
attacks in a court of law [3]. With the rapid growth and use of Internet, network forensics has
become an integral part of computer forensics. This paper surveys the tools and techniques
(efficient, easy to use and cost effective) available to conduct network forensics.
Section 2 explains how to conduct “Email Forensics” using certain freely available tools such as
EmailTrackerPro [4] and SmartWhoIs [5]. Spam emails are a major source of concern within
the Internet community. The tools described in this Section could be used to trace the sender of
an email. Section 3 describes how to conduct “Web Forensics” using freely available tools like
Web Historian [6] and Index.dat analyzer [7]. These tools help to reveal the browsing history of
a person including the number of times a website has been visited in the past and the duration of
each visit, the files that have been uploaded and downloaded from the visited website, the
cookies setup as part of the visits and other critical information. Section 4 describes the use of
packet sniffers like Ethereal [8] to explore the hidden information in the different headers of the
TCP/IP protocol stack. These sniffers capture the packets exchanged in the Ethernet and allow
the investigator to collect critical information from the packets.
2. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
15
The second half of the paper presents a survey on the different techniques proposed for network
forensics in research articles. Section 5 describes the use of IP traceback techniques to reliably
determine the origin of a packet in the Internet, i.e., to help the forensic investigator to identify
the true sources of the attacking IP packets [9]. The IP traceback techniques allow a victim to
identify the network paths traversed by the attack traffic without requiring interactive
operational support from Internet Service Providers (ISPs). Section 6 describes the use of
Honeypots and Honeynets in intrusion detection systems [10, 11]. A Honeypot is a computer in
a network to which no traffic should come from outside. A network of Honeypots across the
Internet is called a Honeynet. As no traffic from outside should arrive to a Honeypot, if one
notices packets arriving to a Honeypot, it is an indication of an attack being launched on the
network in which the Honeypot is located. This information could be used to counter threats or
an imminent attack. Section 7 presents the conclusions.
2. EMAIL FORENSICS
Email is one of the most common ways people communicate, ranging from internal meeting
requests, to distribution of documents and general conversation. Emails are now being used for
all sorts of communication including providing confidentiality, authentication, non-repudiation
and data integrity. As email usage increases, attackers and hackers began to use emails for
malicious activities. Spam emails are a major source of concern within the Internet community.
Emails are more vulnerable to be intercepted and might be used by hackers to learn of secret
communication. Email forensics refers to studying the source and content of electronic mail as
evidence, identifying the actual sender and recipient of a message, date/time it was sent and etc.
Emails frequently contain malicious viruses, threats and scams that can result in the loss of data,
confidential information and even identity theft. The tools described in this section provide an
easy-to-use browser format, automated reporting and easy tool bar access features. The tools
help to identify the point of origin of the message, trace the path traversed by the message (used
to identify the spammers) and also to identify the phishing emails that try to obtain confidential
information from the receiver.
eMailTrackerPro [4] analyzes the header of an email to detect the IP address of the machine
that sent the message so that the sender can be tracked down. All email messages contain a
header, located at the top of the email. The header contains the source of an email in the “From”
line, while in the “Received” lines, the header lists every point the email passed through on its
journey, along with the date and time. The message header provides an audit trail of every
machine the email has passed through. The built-in location database in eMailTrackerPro helps
to track emails to a country or region of the world, showing information on a global map. To
trace an email message, one has to just copy and paste the header of the email in
eMailTrackerPro and start the tool. A basic trace will be shown on the main Graphical User
Interface and a summary report can be obtained. The summary report provides an option to
report the abuse of the particular email address to the administrators of the sender and/or victim
networks and also contains some critical information that can be useful for forensic analysis and
investigation. The report includes the geographic location of the IP address from which the
email was sent, and if this cannot be found, the report at least includes the location of the
target’s ISP. The report also includes the domain contact information of the network owner or
the ISP, depending on the sender email address. The domain registration details provide
information such as who has registered the website address, from what time and how many
emails have been sent from that address, and etc.
SmartWhoIs [5] is a freeware network utility to look up all the available information about an IP
address, hostname or domain, including country, state or province, city, name of the network
provider, administrator and technical support contact information. Sometimes, one has to use
SmartWhoIs along with eMailTrackerPro if the information provided by the latter is not
3. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
16
complete. Once installed on a machine, a SmartWhoIs button will be added to the Internet
Explorer (IE) toolbar. Using this handy button, one can invoke SmartWhoIs anytime one wants
to get more information about the website currently being visited. Using SmartWhoIs, one can
also query about multiple IP addresses, hostnames or domains at a time.
3. WEB FORENSICS
The predominant web browsers in use today are Microsoft’s Internet Explorer (IE) and the
Firefox/ Mozilla/ Netscape family. Each of these browsers saves, in their own unique formats,
the web browsing activity (also known as web browsing history) of the different users who have
accounts on a machine. IE stores the browsing history of a user in the index.dat file and the
Firefox/ Mozilla/ Netscape family browsers save the web activity in a file named history.dat.
These two files are hidden files. So, in order to view them, the browser should be setup to show
both hidden files and system files. One cannot easily delete these two files in any regular way.
There is also no proof that deleting these files has sped up the browsing experience of the users.
Web forensics deals with gathering critical information related to a crime by exploring the
browsing history of a person, the number of times a website has been visited, the duration of
each visit, the files that have been uploaded and downloaded from the visited website, the
cookies setup as part of the visit and other critical information.
Mandiant Web Historian [6] assists users in reviewing web site URLs that are stored in the
history files of the most commonly used web browsers. The tool allows the forensic examiner to
determine what, when, where, and how the intruders looked into the different sites. Web
Historian can be used to parse a specific history file or recursively search through a given folder
or drive and find all the browser history files that the tool knows how to parse. Web Historian
generates a single report (that can be saved in different file formats) containing the Internet
activity from all of the browser history files it is able to locate.
The Index.dat analyzer [7] is a forensic tool to view, examine and delete the contents of
index.dat files. The tool can be used to simultaneously or individually view the browsing
history, the cookies and the cache. The tool provides support to directly visit the website listed
in the output of the analyzer and also to open the file uploaded to or downloaded from the
website. The tool also provides critical information about a cookie like its key-value pair, the
website address associated with the cookie, the date/time the cookie was first created and last
accessed and etc. In addition to these two tools, there exist tools like Total Recall [12], which
can be used to extract the list of favourite websites stored in the browser history.
4. PACKET SNIFFERS
A sniffer is software that collects traffic flowing into and out of a computer attached to a
network [13]. Network engineers, system administrators and security professionals use sniffers
to monitor and collect information about different communications occurring over a network.
Sniffers are used as the main source for data collection in Intrusion Detection Systems (IDS) to
match packets against a rule-set designed to notify anything malicious or strange. Law
enforcement agencies use sniffers to gather specific traffic in a network and use the data for
investigative analysis.
4.1 Ethereal
Ethereal is an open source software and widely used as a network packet analyzer. It captures
packets live from the network. It displays the information in the headers of all the protocols
used in the transmission of the packets captured. It filters the packets depending on user needs.
Ethereal allows search for packets with some specifications. It gives better representation to
understand the results easily by using a colorized display of packets belonging to different
4. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
17
protocols. The platforms supported by Ethereal include Microsoft Windows, UNIX and Linux.
Ethereal provides an option to select the interface across which one wants to capture the
packets. Ethereal can also be run in promiscuous mode to capture packets that are not addressed
to the machine running Ethereal. While packet capture is under progress, Ethereal shows the
kind of packets captured along with their protocols like Transport Control Protocol (TCP), User
Datagram Protocol (UDP), Address Resolution Protocol (ARP) and etc. When the capturing
process is done, it displays the packet list with all the detailed information (refer Figure 1).
Figure 1. Screenshot of Packet List Displayed by Ethereal
The output obtained from Ethereal is organized in three panes: Packet List pane, Packet Details
pane and Packet Bytes pane. The Packet List pane displays all the packets in the current capture
file. Each line in this list corresponds to a packet in the capture file. When one selects a
particular line in this list, more details will be listed in the “Packet Details” and “Packet Bytes”
panes. The Packet List pane displays high-level details of the packets in several columns.
Though, there are a lot of different columns available, the default columns are as follows: (i)
No: The number of the packet in the capture file; (ii) Time: The timestamp of the packet; (iii)
Source: The IP address of the sender of the packet; (iv) Destination: The IP address of the
system to which the packet is destined to go and (v) Protocol: The high-level protocol name in a
short abbreviated form.
The Packet Details pane shows the structure of the different headers (starting from the frame-
level) of the packet selected in the Packet List pane. Each header can be expanded and
collapsed. When one selects a particular header in the Packet Details pane, the byte-level
content of the header is displayed in the Packet Bytes pane in a Hexdump style. Generally in
Hexdump, the left side shows the offset in the packet data, in the middle the packet data is
shown and on the right side, the corresponding ASCII characters are displayed.
Ethereal provides options to save the capture file, export the results and also to search for
packets based on a specific field or value in the current capture file or a saved capture file.
Another useful option provided by Ethereal is packet colorization. One can setup the packet
colors according to a filter. This helps to easily identify and explore the packets one is usually
interested in.
4.2 WinPcap and AirPcap
WinPcap [14] is the packet capture tool used to capture the packets intercepted at the network
interface of a system running the Windows Operating System. WinPcap is the tool used for
link-layer network access in Windows. WinPcap includes a network statistics engine and
provides support for kernel-level packet filtering and remote packet capture.
AirPcap [15] is the packet capture tool for the IEEE 802.11b/g Wireless LAN interfaces. This
tool is currently available only for Windows systems. AirPcap can be used to capture the
5. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
18
control frames (ACK, RTS, CTS), management frames (Beacon, Probe Requests and
Responses, Authentication) and data frames of the 802.11 traffic. The AirPcap adapter captures
the per-packet power information, which can be used to detect weak signal areas and measure
the transmission efficiency of the wireless devices.
5. IP TRACEBACK TECHNIQUES
Masquerade attacks [9] can be produced by spoofing at the link-layer (e.g., using a different
MAC address than the original), at the Internet layer (e.g., using a different source IP address
than the original), at the transport layer (e.g., using a different TCP/IP port than the original
one), at the application layer (e.g., using a different email address than the original). Let C = h1
h2 … hi hi+1 … hn be the connection path between hosts h1 to hn. Then, the IP
traceback problem is defined as: Given the IP address hn, identify the actual IP addresses of
hosts h n-1, …, h1. If h1 is the source and hn is the victim machine of a security attack, then C is
called the attack path [9].
Reconstruction of the attack path back to the originating attacker h1 may not be a
straightforward process because of possible spoofing at different layers of the TCP/IP protocol
stack and also the intermediate hosts becoming compromised hosts, called stepping-stone, and
acting as a conduit for the attacker’s communication. The security functions practiced in
existing networks may also preclude the capability to follow the reverse path. For example, if
the attacker lies behind a firewall, then most of the traceback packets are filtered at the firewall
and one may not be able to exactly reach the attacker. The link testing techniques start the
traceback from the router closest to the victim and interactively determine the upstream link that
was used to carry the attack traffic. The technique is then recursively applied on the upstream
routers until the source is reached. Link testing assumes the attack is in progress and cannot be
used “post-mortem”. There are two varieties of link testing techniques: input debugging and
controlled flooding.
5.1 Input Debugging
After recognizing that it is being attacked, the victim develops an attack signature that describes
a common feature contained in all the attack packets. The victim communicates this attack
signature to the upstream router that sends it the attack packets. Based on this signature, the
upstream router employs filters that prevent the attack packets from being forwarded through an
egress port and determines which ingress port they arrived on. The process is then repeated
recursively on the upstream routers, until the originating site is reached or the trace leaves the
boundary of the network provider or the Internet Service Provider (ISP). From now on, the
upstream ISP has to be contacted to repeat the procedure. The most obvious problem with the
input debugging approach, even with the automated tools, is the considerable management
overhead at the ISP level to communicate and coordinate the traceback across domains.
5.2 Controlled Flooding
The victim uses a pre-generated map of the Internet topology to iteratively select hosts that
could be coerced to flood each of the incoming links of the upstream router. Since the router
buffer is shared by packets coming across all incoming links, it is possible that the attack
packets have a higher probability of being dropped due to this flooding. By observing changes
in the rate of packets received from the attacker, the victim infers the link through which the
attack packet would have come to the upstream router. This basic testing procedure is then
recursively applied on all the upstream routers until the source is reached. Though this method
is both ingenious and pragmatic, using unsuspecting hosts to flood is itself a denial-of-service
attack. It would be a tremendous overhead to use flooding to detect distributed denial-of-service
6. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
19
attacks when multiple upstream links may be contributing to the attack. The victim also needs to
possess an accurate topology map to select the hosts that would flood the upstream routers.
5.3 ICMP Traceback
In [16], Bellovin proposed the iTrace scheme, which is currently one of the IETF standards.
According to iTrace, every router will sample, with a low probability (like 0.00005), one of the
packets it is forwarding and copy the contents into an ICMP traceback message, which will
have information about adjacent routers and the message will be sent to the destination. This
technique is more likely to be applicable for attacks that originate from a few sources and are of
flooding-style attacks so that the receiver gets enough packets to reconstruct the attack path. To
handle the situation of attackers sending their own ICMP traceback messages to mislead the
destination, the iTrace scheme uses HMAC [17] and supports the use of X.509 Digital
Certificates [18] for authenticating and evaluating ICMP traceback messages. A couple of
potential drawbacks for this scheme are that: (1) ICMP traffic is increasingly getting filtered
compared to normal traffic and (2) If certain routers in the attack path are not enabled with
iTrace, the destination would have to reconstruct several possible attack paths that have a
sequence of participating routers, followed by one or more non-participating routers and
followed by a sequence of participating routers and so on.
5.4 Packet Marking Techniques
The idea behind the packet marking techniques is to sample the path one node at a time rather
than recording the entire path. A “node” field, large enough to hold a single router address, in
the packet header is reserved. For IPv4, this would be a 32-bit field in the Options portion of the
IP header. Upon receiving a packet, a router chooses to write its own address in the node field
with a probability p. Given that enough packets could be sent and the route remains stable, the
victim would receive at least one sample for every router in the attack path.
Since the routers are ordered serially, the probability that a packet will be marked by a router
and not marked by the downstream routers is a strictly decreasing function of the distance to the
victim. Assuming the probability of marking p is the same for every router, the probability of
receiving a packet marked from a router d hops away and not marked by any other router since
then is p(1-p)d-1
. Figure 2 illustrates the probability of receiving a packet marked from a router
1, 2, 3, 4, 5 and 6 hops away and not marked by any other router on a 6-hop path for different
values of the individual probability of marking p.
Figure 2. Probability of Marking by a Router Figure 3. Threshold Probability of Marking
Vs Hop Count of Attack Path Vs Hop Count of Attack Path
The threshold probability of marking is defined as the minimum probability value to be
assigned to every router on a path in order to guarantee with 99% probability that at least one
router on the path will mark a packet. The threshold probability of marking decreases with the
increase in the number of hops. The larger the number of intermediate routers, the greater is the
7. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
20
chance of at least one router in the path deciding to mark the packet. Figure 3 shows the
threshold probability of marking as the number of hops is varied from 1 to 25.
The convergence time is defined as the minimum threshold number of packets required to
determine the sequence of routers that form the attack path. To determine the order of the
routers in the attack path, each router on the path should have marked different number of times
on the packets. The router that is closest to the victim will have the highest number of marks
and the router that is closest to the attacker will have the minimum number of marks. In general,
to determine an n-hop attack path Attacker Rn Rn-1 … Ri Ri-1 … R2 R1
Victim, the following two conditions should be satisfied: (i) the victim should receive packets
such that every router in the attack path should have marked at least one packet and (ii) the
number of packets marked by Router Ri should be strictly greater than Ri-1, for any 2 ≤ i ≤ n. The
convergence time is basically the minimum number of packets the victim needs to receive such
that the above two conditions are satisfied.
Figure 4. Convergence Time Figure 5. Convergence Time
for a 3-hop Attack Path for a 6-hop Attack Path
Figure 6. Convergence Time Figure 7. Convergence Time
for a 9-hop Attack Path for a 12-hop Attack Path
Figure 8. Convergence Time Figure 9. Convergence Time
for a 15-hop Attack Path for a 18-hop Attack Path
The value of the convergence time depends on the probability of marking by a router and the
hop count of the attack path. Figures 4 through 9 show the convergence time measured for
8. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
21
different probability of marking values on attacks paths with different hop counts, measured
with 95% to 97% confidence intervals. For a given hop count of the attack path, the
convergence time is minimum for a certain range of values for the probability of marking. The
value of the threshold marking probability decreases as the hop count of the attack path is
increased because the probability of any router on the attack path marking the packet increases
as the hop count increases. Thus, it is possible to reduce the threshold probability of marking a
packet as the hop count increases. The minimum convergence time also increases as the hop
count of the attack path increases. This is because as the hop count increases, it takes more time
for a router closer to the attacker to have a packet marked such that the packet is not marked by
any downstream router on the attack path. In order to lower the convergence time in larger hop
count attack paths, it is essential to assign a lower probability of marking for the routers.
5.5 Source Path Isolation Engine (SPIE) Architecture
The Source Path Isolation Engine (SPIE) architecture [19] implements the log-based IP
traceback technique to trace the path for a single packet across autonomous systems. In SPIE,
routers compute a 32-bit digest of the packets based on the 20 byte IP header and the first 8
bytes of the payload. The routers store these 32-bit packet digests, instead of the packets
themselves, in a space-efficient data structure called Bloom filter [20].
Within each autonomous system (AS), SPIE consists of three major architectural components:
Data Generation Agent (DGA), SPIE collection and reduction agent (SCAR) and SPIE
Traceback Manager (STM). The DGA is in charge of computing the 32-bit digests and storing
them in the Bloom filter. The SCAR is responsible for generating the attack path within a region
of the AS. When requested for an attack path, the SCAR queries the DGAs in the region and
compiles the attack path based on the replies from the DGAs. The STM controls the whole SPIE
system in the AS. When the STM receives a request to trace an IP packet, it generates requests
to the SCARs and then grafts the attack paths returned by the SCARs to form a complete attack
path through the AS. As illustrated in Figure 10 and explained below, it is possible to trace an
attack path for a single packet that traversed through a mix of SPIE-deployed and non SPIE-
deployed ASes.
Figure 10. Traceback across Autonomous Systems using SPIE (adapted from [19])
It is assumed that all SPIE-deployed ASes exchange the SPIE deployment information as an
attribute in the network route advertisement messages of the Border Gateway Protocol [21]. As
a result, each SPIE-deployed AS knows about the other SPIE-deployed ASes, the number of
hops (AS levels) and their respective STMs. In Figure 10, an attack packet is sent from an
attacker in AS10 to a victim in AS1. When the victim reports about the attack packet to the
STM in AS1, the STM queries its one-hop STMs in other ASes about the attack path. Note that
AS1 cannot directly contact AS2 as the latter is not SPIE-deployed. So, the STM in AS1 will
first query the STM in AS7. Since the attack packet did not traverse through this AS, the STM
9. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
22
in AS7, after an internal traceback, sends a negative reply message to the STM in AS1. The
STM in AS1 then queries the two-hop STMs in AS3 and AS4. After an internal traceback, these
two STMs send back positive reply messages that contain the attack path within their AS. The
two ASes will also let AS1 know who are their one-hop and two-hop SPIE-deployed ASes so
that AS1 can query the STMs of those ASes. AS3 will let AS1 know that AS10 and AS4 are its
one-hop SPIE-deployed ASes and that AS5 and AS7 are two-hop SPIE-deployed ASes. The
STM of AS1 contacts its counterpart in AS10. The STM in AS10 will then conduct an internal
trace and report back to the STM in AS1 about the attack path that includes the attacker in its
AS. The STM of AS1 grafts the attack path in AS1 and the attack paths returned from AS3 and
AS10 to get the entire attack path.
The SPIE approach is scalable in the Internet because of the following two reasons: (i) Each
STM could be configured with the furthest level of SPIE deployment information to maintain.
Generally, STMs need to maintain SPIE deployment information only about nearby ASes (like
one-hop, two-hop ASes). A remote STM will notify the victim STM about the nearby STMs to
the remote AS and the victim STM can continue querying those STMs as explained before. (ii)
An STM need not keep track of the status of ongoing traceback processes.
6. HONEYPOTS AND HONEYNETS
A Honeynet is a network specifically designed for the purpose of being compromised [11]. A
compromised Honeynet can be used to observe the activities and behaviour of the intruder. A
Honeynet allows to conduct a detailed analysis of the tools used by the intruders and to identify
the vulnerabilities exploited by the intruders to compromise the Honeypots. In general, a
Honeypot could range from a simple port-listening socket program to a full production system
that can be emulated under various operating systems. Sometimes, a Honeypot would attract
traffic by acting as a decoy system, posing itself to the Internet as a legitimate system offering
services. The essential idea is that any traffic directed to the Honeypot is considered an attack or
intrusion. Any connection initiated inbound to Honeypot is likely to be a probe, scan or attack.
Any outbound connection from a Honeypot implies someone has compromised the Honeypot
and has initiated outbound activity. Hence, forensic analysis of the activities of a Honeypot is
less likely to lead to false negatives and false positives when compared to the more evasive and
signature-dependent network intrusion detection systems [22]. Honeypots can help us to detect
vulnerabilities that are not yet understood or not yet seen before.
Honeypots can be classified to two types [23] depending on the configured services available
for an adversary to compromise or probe the system: low-interaction and high-interaction
Honeypots. A high-interaction Honeypot can be compromised completely, thus allowing an
adversary to gain access to all aspects of the operating system and launch further network
attacks. The larger the number of Honeypots deployed, the more likely that one can effectively
gather information about network attacks or probes. For example, most of the TCP connection
requests are generated and sent to randomly selected IP addresses. One can identify that the
connection request is for malicious traffic only after a TCP handshake is over and payload
containing malicious contents is received. The probability of this happening will be more as the
number of Honeypots increases.
A Honeynet normally employs a Honeywall [11], which acts as a firewall to protect the outside
world from attacks emanating from within the Honeynet. In order to protect non-Honeypot
systems with attacks originating from a compromised Honeypot, a Honeywall could be setup
with several data control and data capture features. A Honeywall could limit the number of
outbound connections allowed per hour. It could limit the bandwidth available to the attacker’s
traffic. A Honeywall can also on-the-fly modify malicious data packets that specifically target
vulnerabilities on other systems and make them benign.
10. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
23
A Honeywall can capture and monitor all data traffic entering, leaving, or inside the Honeynet.
The captured data can be used to analyze the steps an attacker took to compromise a Honeypot
and how a compromised Honeypot is being used further. In order to prevent a Honeywall from
intercepting the communications, an attacker may sometimes install encryption software to
encrypt all communications between the attacker’s machine and the Honeypot. In such
situations, a Honeywall may not be capable of decrypting the communications. To address this
problem, a logging software called Sebek [10] has been recently developed. Sebek is a software
tool running on each Honeypot and is part of the machine’s operating system. Sebek merely
intercepts the data after the attacker’s encryption software decrypts it. The decrypted
information is sent to a remote server for further analysis.
6.1 Serial Vs Parallel Architecture
A Honeynet could be setup based on either a serial architecture (refer Figure 11) or a parallel
architecture (refer Figure 12) [24]. With a serial architecture, the Honeywall filters all traffic
forwarded to the firewall of the production system (the network of machines that provide useful
services) and all traffic in and out of the production system goes through the Honeynet. If a
Honeynet is compromised, the firewall of the production system is alerted. Even if the attack is
in progress in the Honeynet, the firewall will make sure the attack does not expand into the
production system. When sufficient evidence is collected in the Honeynet, one can stop running
the Honeynet and start analyzing the malicious traffic directed towards it. The advantage of a
Honeynet with a serial architecture is that it protects the production system from direct
malicious attacks. The disadvantage would be the delay suffered for every incoming and
outgoing packet, including the genuine benign ones, at the Honeynet/ firewall.
Figure 11. Serial Architecture Figure 12. Parallel Architecture
With a parallel architecture, both the Honeynet and the production system are exposed directly
to the Internet so that the delay incurred for every packet at the Honeynet/ firewall could be
avoided. On the other hand, a blackhat could directly attack the production system and hence
the firewall at the production system should be configured with stringent packet filtering
policies to reduce the chances of untoward attacks. If the Honeynet gets some traffic, it analyzes
that traffic and updates the firewall depending on the nature of the traffic received. The firewall
will then become more stringent in protecting the production system.
6.2 Virtual Honeypots
A physical Honeypot is a real machine with its own IP address. A virtual Honeypot [25] is a
simulated machine that can be modelled to behave as required. Multiple virtual Honeypots, each
running the same or different operating systems, can be simulated on a single system. Each of
these virtual Honeypots can be configured with specific services that will be exploited by the
attackers to gain access to a Honeypot. As attackers attempt to contact machines with randomly
11. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
24
chosen IP addresses, the more the number of virtual Honeypots deployed with the same kind of
services, the more it helps to capture the connection requests and payload traffic generated by
the attackers.
Honeyd [25] is a framework for virtual Honeypots to simulate computer systems at the network
level. It creates virtual networks consisting of arbitrary routing topologies with configurable link
characteristics like delay, bandwidth, packet loss and etc. To deceive TCP/IP stack
fingerprinting tools like Xprobe [26] or Nmap [27] and to convince the adversaries that a virtual
Honeypot is running a given operating system, Honeyd simulates the TCP/IP stack of the target
operating system. A virtual Honeypot responds to network requests according to the services
that are configured in it.
7. CONCLUSIONS AND FUTURE WORK
The overall contribution of this paper is an exhaustive survey of the several tools and techniques
available to conduct network forensics. All the tools surveyed in this paper are free to use, at
least available for trials. The paper explored in detail the different IP traceback mechanisms.
Simulations were run to find out the convergence time for attack paths with different lengths
and attack routers with different probabilities of marking. Finally, the paper described the
Honeynet Architecture and the use of Honeypots, both and physical and virtual, in detecting
malicious attack traffic and protecting the production systems.
In general, the security and forensic personnel need to keep up pace with the latest attack tools
and techniques adopted by the attackers. With freely available tools, one can enforce the
security mechanisms and analyze attack traffic only to a certain extent. To detect all kinds of
attacks and conduct a comprehensive forensic analysis, one would have to deploy and analyze
the effectiveness of commercial tools. This is the plan for future research. Future work would
also involve exploring the tools and techniques available for wireless network forensics.
REFERENCES
[1] http://www.time.com
[2] G. Kessler, “Online Education in Computer and Digital Forensics,” Proceedings of the 40th
Hawaii
International Conference on System Sciences, 2007.
[3] K. Sisaat and D. Miyamoto, “Source Address Validation Support for Network Forensics,”
Proceedings of the 1st
Joint Workshop on Information Security, Sep 2006.
[4] http://www.emailtrackerpro.com
[5] http://www.tamos.com
[6] http://www.mandian.com
[7] http://www.majorgeeks.com/index.dat_analyzer_d5259.html, last accessed: 04/03/2009
[8] http://www.ethereal.com
[9] S. Mitropoulos, D. Pastos and C. Douligers, “Network Forensics: Towards a Classification of
Traceback Mechanisms,” Proceedings of the Workshop on Security and Privacy for Emerging Areas
in Communication Networks, pp. 9 – 16, Sep 2005.
[10] Honeynet Project, http://www.honeynets.org
[11] V. Maheswari and P. Sankaranarayan, “Honeypots: Deployment and Data Forensic Analysis,”
International Conference on Computational Intelligence and Multi-media Applications, May 2007.
[12] http://www.janusware.com
12. InternationalJournalofNetworkSecurity&ItsApplications(IJNSA),Vol.1,No.1,April2009
25
[13] S. Ansari, S. Rajeev and H. Chandrasekhar, “Packet Sniffing: A Brief Introduction,” IEEE
Potentials, Vol. 21, No. 5, pp. 17 – 19, Dec 2002/Jan 2003.
[14] http://www.winpcap.org
[15] http://www.airpcap.co.uk/
[16] S. Bellovin, M. Leech and T. Taylor, ICMP Traceback Messages, Internet Draft, February 2003.
[17] US Department of Commerce, Federal Information Processing Standards, Publication 198, The
Keyed-Hash Message Authentication Code (HMAC), March 6 2002.
[18] C. Adams, Internet X. 509 Public Key Infrastructure Certificate Management Protocols, RFC 2510,
Available at http://www.ietf.org/
[19] T. Korkmaz, C. Gong, K. Sarac and S. Dykes, “Single Packet IP Traceback in AS-level Partial
Deployment Scenario,” International Journal of Security and Networks, Vol. 2, No. 1/2, pp. 95 –
108, 2007.
[20] B. Bloom, “Space/time Trade-offs in Hash Coding with Allowable Errors,” Communications of
ACM, Vol. 13, No. 7, pp. 422 – 426, July 1970.
[21] L. L. Peterson and B. Davie, “Computer Networks: A Systems Approach,” 4th
Edition, Morgan
Kaufmann Series in Networking, March 2007.
[22] V. Paxson, “Bro: A System for Detecting Network Intruders in Real-Time,” Proceedings of the 7th
USENIX Security Symposium, January 1998.
[23] R. Stone, “CenterTrack: An IP Overlay Network for Tracking DoS Floods,” Proceedings of the
USENIX Security Symposium, July 2000.
[24] Y. Manzano and A. Yasinsac, “Honeytraps, a Valuable Tool to Provide Effective Countermeasures
for Crime against Computer and Network Systems,” Proceedings of the 7th
World Multi-conference
on Systemics, Cybernetics and Informatics, July 2003.
[25] N. Provos, “A Virtual Honeypot Framework,” Proceedings of the 13th
USENIX Security Symposium,
August 2004.
[26] http://www.xprobe2.org
[27] http://www.nmap.org
Authors
Dr. Natarajan Meghanathan is an Assistant
Professor of Computer
Science at Jackson State
University. He graduated with
MS and PhD degrees in
Computer Science from
Auburn University and The
University of Texas at Dallas
in August 2002 and May 2005
respectively. His research interests are: Ad hoc
Networks, Network Security and Graph Theory.
He has received grants from NSF and ARL.
Mr. Sumanth Reddy Allam
was a graduate student in
Computer Science at Jackson
State University. He
graduated with MS degree in
May 2008.
Dr. Loretta A. Moore is the Professor and Chair
of the Department of
Computer Science at
Jackson State University,
Jackson, MS. She
graduated with MS and
PhD Degrees in
Computer Science from
the Illinois Institute of
Technology in 1986 and
1991 respectively. Her research interests are:
Intelligent Systems, Software Systems Design,
Data and Information Management, Computer
Security and Forensics. She has received grants
from NSF, ARL and several other federal/state
agencies.