guide to computer forensics and investigations, second edition chapter 12 network forensics
TRANSCRIPT
Guide to Computer Guide to Computer Forensics and Forensics and Investigations, Investigations, Second EditionSecond Edition
Chapter 12Network Forensics
Guide to Computer Forensics and Investigations, 2e 2
ObjectivesObjectives
• Understand Internet fundamentals
• Understand network basics
• Acquire data on a Linux computer
Guide to Computer Forensics and Investigations, 2e 3
Objectives (continued)Objectives (continued)
• Understand network forensics
• Understand the use of network tools
• Understand the goals of the Honeynet Project
Guide to Computer Forensics and Investigations, 2e 4
Understanding Internet FundamentalsUnderstanding Internet Fundamentals
• Internet = Collection of networks
• Internet protocols for message exchange– E-mail
• Internet Service Provider (ISP)– Internet entry point– Username and password
• Common software– Web browsers and e-mail clients
Guide to Computer Forensics and Investigations, 2e 5
Internet ProtocolsInternet Protocols
• Standards and rules
• Every computer must observe a protocol
• TCP/IP default Internet protocol– TCP connection-oriented– UDP connectionless
• Addressing (IPv4)– 32-bit long divided into four groups of 8 bits– Binary representation
Guide to Computer Forensics and Investigations, 2e 6
Internet Protocols (continued)Internet Protocols (continued)
• Addressing (continued)– Dotted quad (205.55.29.170)– Several classes (A, B, C, D and E)
• Domain Name Service– Translate IP addresses to named addresses or vice
versa
Guide to Computer Forensics and Investigations, 2e 7
Understanding Network BasicsUnderstanding Network Basics
• Hardening networks– Applying latest patches– Layered network defense strategies
• Protocols– TCP/IP– IPX/SPX
• Network Address Translation– Translates IP addresses
Guide to Computer Forensics and Investigations, 2e 8
Understanding Network Basics Understanding Network Basics (continued)(continued)
• DHCP– Dynamically assigns IP addresses to hosts
• Attacks– Internal– External– Early and mid-1990s
• 70% internal/30% external
Guide to Computer Forensics and Investigations, 2e 9
Acquiring Data on Linux ComputersAcquiring Data on Linux Computers
• dd command– Disk-to-disk file– Disk-to-image file– Block-to-block copy– Block-to-file copy– Ext2fs, Ext3fs, NTFS, FAT, NTFS, HFS, HPFS
• Gzip command to compress image files
Guide to Computer Forensics and Investigations, 2e 10
Acquiring Data on Linux Computers Acquiring Data on Linux Computers (continued)(continued)
• Linux boot disks– Knoppix– MandrakeMove– Fedora Rescue– Gentoo Live– F.I.R.E.– Penguin Sleuth Kit– Tom’s Root Boot Kit
Guide to Computer Forensics and Investigations, 2e 11
Acquiring Data on Linux Computers Acquiring Data on Linux Computers (continued)(continued)
Guide to Computer Forensics and Investigations, 2e 12
Acquiring Data on Linux Computers Acquiring Data on Linux Computers (continued)(continued)
Guide to Computer Forensics and Investigations, 2e 13
Acquiring Data on Linux Computers Acquiring Data on Linux Computers (continued)(continued)
• Steps for using dd– Boot PC in Linux– Create disk mounting points– Mount all disks needed– Create copies
• For multiple volumes– Determine number of bytes per volume– Calculate number of segments you need to create
Guide to Computer Forensics and Investigations, 2e 14
Acquiring Data on Linux Computers Acquiring Data on Linux Computers (continued)(continued)
Guide to Computer Forensics and Investigations, 2e 15
Acquiring Data on Linux Computers Acquiring Data on Linux Computers (continued)(continued)
• Linux dd script file– Input source– Output source– Block size– Number of blocks to save
• Hash check original media– Linux md5sum command– Linux sha1sum command
Guide to Computer Forensics and Investigations, 2e 16
Acquiring Data on Linux Computers Acquiring Data on Linux Computers (continued)(continued)
• Image creation script example:
• Image restore script example:
Guide to Computer Forensics and Investigations, 2e 17
Understanding Network ForensicsUnderstanding Network Forensics
• Systematic tracking of incoming and outgoing traffic– Need to know normal traffic behavior
• Intruders leave trace behind– Experimented intruders are harder to trace
• Determine the cause of the abnormal traffic– Internal bug– Attackers
Guide to Computer Forensics and Investigations, 2e 18
Approach to Network ForensicsApproach to Network Forensics
• Long, tedious process
• Standard procedure– Use image for machines on network– Close any way in after an attack– Acquire all compromised drives– Make a bit-stream image of the drives– Compare images to original images– Optionally, store images on a server
Guide to Computer Forensics and Investigations, 2e 19
Approach to Network Forensics Approach to Network Forensics (continued)(continued)
• Computer forensics– Work from the image to find what has changed
• Network forensics– Restore drives to understand attack
• Work on an isolated system– Prevents malware from affecting other systems
Guide to Computer Forensics and Investigations, 2e 20
Network LogsNetwork Logs
• Record ingoing and outgoing traffic– Network servers– Routers– Firewalls
• Tcpdump tool for examining network traffic– Top 10 lists– Pattern
• Attacks might include other companies– Distributed Denial of Service (DDoS)
Guide to Computer Forensics and Investigations, 2e 21
Using Network ToolsUsing Network Tools
• PsTools suite– RegMon shows Registry data in real time– Process Explorer shows what is loaded– Handle shows open files and processes using them– PsExec runs processes remotely– PsGetSid display SID– PsKill kills process by name or ID
Guide to Computer Forensics and Investigations, 2e 22
Using Network Tools (continued)Using Network Tools (continued)
• PsTools suite (continued)– PsList lists details about a process– PsLoggedOn shows who’s logged locally– PsPasswd changes account passwords– PsService controls and views services– PsShutdown shuts down and restarts PCs– PsSuspend suspends processes
Guide to Computer Forensics and Investigations, 2e 23
Using Network Tools (continued)Using Network Tools (continued)
Guide to Computer Forensics and Investigations, 2e 24
UNIX/Linux ToolsUNIX/Linux Tools
• Knoppix-STD tools– Dcfldd the U.S. DoD dd version– Memfetch forces a memory dump– Photorec grabs files from a digital camera– Snort intrusion detection system– Oinkmaster helps manage your snort rules– John the Ripper– Chntpw resets passwords on a Windows PC
Guide to Computer Forensics and Investigations, 2e 25
UNIX/Linux Tools (continued)UNIX/Linux Tools (continued)
• Knoppix-STD tools (continued)– Tcpdum is a packet sniffer– Ethereal another packet sniffer
• Packet sniffer– Devices or software that monitors network traffic– Most Work at layer 2 or 3 of the OSI model
Guide to Computer Forensics and Investigations, 2e 26
UNIX/Linux Tools (continued)UNIX/Linux Tools (continued)
Guide to Computer Forensics and Investigations, 2e 27
UNIX/Linux Tools (continued)UNIX/Linux Tools (continued)
• The Auditor– Based on Knoppix– Contains more than 300 tools
• 20 for scanning
• 10 for network scanning
• Brute-force attack
• Bluetooh and wireless
• Autopsy and Sleuth Kit
• Word lists with more than 64 million entries
Guide to Computer Forensics and Investigations, 2e 28
Network SniffersNetwork Sniffers
• Operate at layers 2 or 3 of the OSI model
• Most tools follow the PCAP format
• Tools:– Tcpdump– Tethereal– Snort– Tcpslice– Tcpreplay
Guide to Computer Forensics and Investigations, 2e 29
Network Sniffers (continued)Network Sniffers (continued)
• Tools (continued):– Tcpdstat– Ngrep– Etherape– Netdude– Argus– Ethereal– The Auditor
Guide to Computer Forensics and Investigations, 2e 30
Network Sniffers (continued)Network Sniffers (continued)
Guide to Computer Forensics and Investigations, 2e 31
The Honeynet ProjectThe Honeynet Project
• Attempt to thwart Internet and network hackers– Provides information about attack methods
• Honeypots– Normal looking computer that lures attackers to it
• Honeywalls– Monitor outbound connections– Snort-inline intrusion prevention systems
Guide to Computer Forensics and Investigations, 2e 32
The Honeynet Project (continued)The Honeynet Project (continued)
Guide to Computer Forensics and Investigations, 2e 33
The Honeynet Project (continued)The Honeynet Project (continued)
• Its legality has been questioned– Cannot be used in court– Can be used to learn about attacks
• Scan of the month– Monthly challenge contest– Good as a learning experience
Guide to Computer Forensics and Investigations, 2e 34
The Honeynet Project (continued)The Honeynet Project (continued)
Guide to Computer Forensics and Investigations, 2e 35
SummarySummary
• Network forensics tracks down internal and external network intrusions
• Most networks today use TCP/IP
• Networks must be hardened by using good architecture
• Each NOS has its own way of handling security, and you must become familiar with how yours operates
Guide to Computer Forensics and Investigations, 2e 36
Summary (continued)Summary (continued)
• Tools such as PsTools, Knoppix-STD, and others can be used to monitor what’s happening on your network
• The Honeynet Project is designed to help people learn the latest intrusion techniques that hackers are using