Computer Forensics PowerPoint Presentation
Presentation Transcript

  1. Computer Forensics: Network Protocols, an Overview for Network Forensics

  2. Focus of this presentation: protocols, with a few anecdotes, how-tos and previews thrown in.

  3. Network Protocols: Layering • The complexity of networking leads to layered architectures. • The TCP/IP stack has four layers. • The OSI model has seven.

  4. Network Protocols: Layering

  5. Network Protocols: Layering • Each layer adds a header. • Application • TCP • IP • Link

  6. Repetition: Capturing Data on a Network • Develop a threat model before deploying Network Security Monitoring • Internal / external attacker • Wireless / wired / … • Define monitoring zones • Demilitarized zone • Wireless zone • Intranet zones

  7. Repetition: Capturing Data on a Network • Wired monitoring • Hubs • SPAN ports • Taps • Inline devices

  8. Repetition: Capturing Data on a Network • Hubs • Broadcast incoming data on all interfaces. • Be careful about NIC capacity (10/100/1000 Mbit/s). • Be careful about hub quality. • Are inexpensive, but can introduce collisions on the links where the hub sits.

  9. Repetition: Capturing Data on a Network • Switched Port Analyzer (SPAN) • A.k.a. port mirroring, port monitoring. • SPAN ports are found on enterprise-class switches. • Copies traffic between certain ports to the SPAN port. • Configurable. • Easy access to traffic. • Configuration mistakes are easy to make. • Under heavy load, the SPAN port might not get all traffic. • SPAN only allows monitoring of a single switch.

  10. Repetition: Capturing Data on a Network • Test Access Port (TAP) • Networking device specifically designed for monitoring applications. • Typically four ports: two carry the monitored link (e.g. router and firewall), the remaining two deliver copied traffic to the monitor. • One monitor port sees incoming, the other outgoing traffic. • Moderately high costs.

  11. Repetition: Capturing Data on a Network • Specialized inline devices: • Server or hardware device. • Filtering bridges. • E.g. a server with OpenBSD and two NICs.

  12. Link Layer • Network Interface Cards (NIC) • Unique Medium Access Control (MAC) address • Format: 48 bits written as twelve hex digits (six bytes). • The first six digits identify the vendor. • The last six are the vendor-assigned serial number. • NICs either select frames based on MAC address or are in promiscuous mode (capture every frame).

  13. Link Layer • Address Resolution Protocol (ARP) • Resolves IP addresses to MAC addresses • RFC 826

  14. Link Layer: ARP Resolution Protocol • Assume node A with IP address and MAC 00:01:02:03:04:05 wants to talk to IP address • A sends out a broadcast who-has request: 00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has • All devices on the link capture the frame and pass it up the stack. • The target node is the only one to answer: a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply is-at a0:a0:a0:a0:a0:a0 • A caches the answer in its ARP cache.

  15. Link Layer: ARP Resolution Protocol ARP requests:

  16. Link Layer: ARP Resolution Protocol

  17. Link Layer Forensics Network monitoring tools such as Argus or Ethereal / Wireshark log MAC addresses.

  18. Link Layer Forensics Example: A spike in network traffic appears to come from a computer with a certain IP address. However, Argus logs reveal that the traffic comes from a computer with a different MAC than the computer assigned that IP (spoofing). Finally, intrusion response finds the computer with that MAC: a Linux laptop that has been compromised and is being used for a Denial of Service attack.

  19. Link Layer Forensics • The ARP cache can be viewed on Windows NT/2000/XP with the arp -a command.

  20. ATM • ATM • uses fiber optic cables and ATM switches. • encapsulates data into ATM cells. • A circuit number identifies the circuit that ATM has established between two computers. • ATMARP allows machines to discover MAC addresses. • ATMARP has a central server that responds to ARP requests. • ATM forensics is similar.

  21. Link Layer Evidence • Sniffers in promiscuous mode. • Intruders also use sniffers. • They typically monitor traffic to / from the compromised system. • Sometimes they monitor themselves coming back to look at the sniffer logs. • Intruders sometimes encrypt their traffic. • But the sniffers still see the packets, they just cannot read them. • Installing sniffers can violate wire-tapping and other laws and is resource-intensive. • FreeBSD / OpenBSD seem to be the best platforms.

  22. Link Layer Evidence • Sniffer location: • On the compromised machine. • Evidence not trustworthy. • On a nearby host. • Via a Switched Port Analyzer (SPAN) • Copies network traffic from one switch port to another. • Only copies valid Ethernet frames. • Does not duplicate all error information. • The copying process has lower priority and some packets might not be mirrored. • Misses out on traffic on the local link.

  23. Link Layer Evidence • Sniffer configuration • Can capture entire frames. • Or only the first part of each frame (tcpdump's default setting).

  24. Link Layer Evidence • Some organizations log ARP information. • Routers keep ARP tables. • show ip arp • All hosts keep ARP tables. • DHCP often assigns addresses only to computers with known MAC.

  25. Link Layer Evidence An employee received harassing e-mail from a host on the employer's network with IP address The DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c. This MAC belonged to a network printer. The router's ARP table showed that the IP address was used by a computer with MAC 00:30:65:4b:2a:5c (IP spoofing). Although this MAC was not on the organization's list, there were only a few Apple computers on the network and the culprit was soon found.

  26. Link Layer Evidence • Analyze and filter log files: • Keyword searches • E.g. for USER, PASS, login • Nicknames, channel names • Filters • Reconstruction • E.g. contents of web-mail inbox.

  27. Link Layer Evidence NetIntercept Screenshot An example for a Network Forensics / Network Intrusion Detection commercial tool that reveals link layer evidence

  28. ARP Packet • RFC 826 • ARP packet layout (byte offsets): • 0-1: Hardware type (0x0001 – Ethernet) • 2-3: Protocol type (0x0800 – IP) • 4: Number of bytes in hardware address (6 for MAC) • 5: Number of bytes in protocol address (4 for IP) • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply • 8-13: Source MAC • 14-17: Source IP • 18-23: Target MAC • 24-27: Target IP

  29. ARP Packet Source:

  30. ARP Packet Ethereal dissection of an ARP packet

  31. Monitoring Tools • Arpwatch • monitors Ethernet activity and keeps a database of Ethernet/IP address pairings.

  32. Attacks on ARP • Packet generators exist for various operating systems. • They allow an attacker to subvert a chosen protocol. • hping2 for Windows. • *NIX, X Windows: • packit • IP Sorcery • and many, many more. • Used to create arbitrary packets.

  33. Attacks on ARP • Switch flooding • Switches contain a switch address table. • The switch address table associates ports with MAC addresses. • Switch flooding creates many false entries. • Switches fail in two different modes: • Fail open: • The switch behaves like a hub. • This allows traffic through the switch to be monitored from any port. • Fail closed: • The switch stops functioning. • Denial of Service (DoS) attack.

  34. Attacks on ARP • ARP Poisoning: [Figure: attacker, switch, victim, router, outside world]

  35. Attacks on ARP • ARP Poisoning: The attacker configures IP forwarding to send packets on to the default router for the LAN. [Figure: attacker, switch, victim, router, outside world]

  36. Attacks on ARP • ARP Poisoning: The attacker sends a fake ARP message to remap the default router's IP address to the attacker's MAC address. [Figure: attacker, switch, victim, router, outside world]

  37. Attacks on ARP • ARP Poisoning: The switch now takes packets from the victim and forwards them to the attacker. [Figure: attacker, switch, victim, router, outside world]

  38. Attacks on ARP • ARP Poisoning: The attacker's machine intercepts the message for sniffing and sends it back to the switch addressed to the MAC address of the router. [Figure: attacker, switch, victim, router, outside world]

  39. Attacks on ARP
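Added example (not from the slides or from the arpwatch project): a decoder for the 28-byte ARP layout of slide 28, and an arpwatch-style pairing table (slide 31) that reports the symptom a defender sees when the poisoning sequence of slides 34-38 runs, namely the router's IP address suddenly "is-at" a different MAC. The addresses and packets are constructed in build_arp for offline use.

```python
import struct
from typing import Dict, Optional

# Byte layout from the ARP slide (RFC 826, Ethernet/IPv4): the 28 bytes after the Ethernet header.
ARP = struct.Struct("!HHBBH6s4s6s4s")
# ARP uses opcodes 1/2; RARP (RFC 903) reuses the same field with 3/4.
OPCODES = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply"}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_arp(payload: bytes) -> dict:
    """Decode one ARP/RARP body; anything but Ethernet/IPv4 is rejected."""
    if len(payload) < ARP.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = ARP.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": OPCODES.get(op, f"unknown({op})"), "smac": mac_str(smac),
            "sip": ip_str(sip), "tmac": mac_str(tmac), "tip": ip_str(tip)}

def build_arp(op: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Constructed sample packets for offline use (not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return ARP.pack(1, 0x0800, 6, 4, op, mac(smac), ip(sip), mac(tmac), ip(tip))

class ArpWatch:
    """arpwatch-style IP -> MAC table fed by the sender fields of every ARP seen.
    A pairing that changes, above all for the default router, is what the
    poisoning sequence on the slides looks like on the wire."""
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, pkt: dict) -> Optional[str]:
        ip, mac = pkt["sip"], pkt["smac"]
        if ip == "0.0.0.0":          # ARP probe: the sender claims no address yet
            return None
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is None:
            return f"new station {ip} is-at {mac}"
        if old != mac:
            return f"changed ethernet address {ip}: {old} -> {mac}"
        return None
```

Feed observe() with every ARP seen on a SPAN port or TAP; a "changed ethernet address" line for the router, especially one that flips back when the attacker stops, is the record to correlate with DHCP leases and the router's ARP table as in slide 25.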

  40. RARP • RARP (Reverse Address Resolution Protocol) • Used to allow diskless systems to obtain a static IP address. • The system requests an IP address from another machine, supplying its own MAC address. • The responder either uses DNS with name-to-Ethernet address records or looks up a MAC-to-IP table. • The administrator needs to place the table on a gateway. • A RARP daemon (rarpd) responds to RARP requests.

  41. RARP • RARP vulnerability • RARP can be used together with ARP spoofing to request an IP address and take part in communications over the network.

  42. RARP Packet • Packet format as in ARP: • 0-1: Hardware type (0x0001 – Ethernet) • 2-3: Protocol type (0x0800 – IP) • 4: Number of bytes in hardware address (6 for MAC) • 5: Number of bytes in protocol address (4 for IP) • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply • 8-13: Source MAC • 14-17: Source IP • 18-23: Target MAC • 24-27: Target IP

  43. IP • Uses IP addresses of source and destination. • IP datagrams are moved from hop to hop. • “Best Effort” service. • Corrupted datagrams are detected and dropped.

  44. IP • Transport addresses combine an IP address and a port number. • IPv4 addresses are 32 bits long. • IPv6 addresses are 8*16 = 128 bits long. • Eight groups of four hexadecimal digits, each group separated by a colon (:). • 2001:0db8:85a3:0000:0000:8a2e:0370:7334 • The protocol defines a shortened notation (leading zeros dropped, one run of zero groups written as ::). • Notation also valid: 2001:db8:85a3::8a2e:370:7334

  45. IP Source:

  46. IP: ICMP • Internet Control Message Protocol • Created to deal with non-transient problems, for example: • Fragmentation is necessary, but the Don't Fragment flag is set. • A UDP datagram is sent to a non-listening port. • Ping. • Used to detect network connectivity before it became too useful for attack reconnaissance. • Does not use ports. • Allows broadcasting. • More on ICMP later.

  47. IP: ICMP • ICMP error messages should not be sent: • For any but the first fragment. • For a packet whose source address is a broadcast or loopback address. • Such packets are probably malicious, anyway. • Otherwise ICMP messages could proliferate and throttle a network.

  48. IP: ICMP • ICMP errors are not sent: • In response to an ICMP error message. • Otherwise, craft a message with invalid UDP source and destination ports, then watch the ICMP ping-pong. • For a destination broadcast address. • Don't answer with destination unreachable for a broadcast. Otherwise, this makes it trivial to scan a network.
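Added example (not from the slides): the ICMP error suppression rules of slides 47 and 48 as a policy function, plus a toy two-host model that shows why the error-on-error rule exists, counting how many ICMP errors a single crafted UDP datagram produces with and without the rules. Packet is a simplified constructed descriptor and the broadcast addresses are assumed for a 10.0.0.0/24 network.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "udp", "icmp-echo" or "icmp-error"
    frag_offset: int = 0  # non-zero: not the first fragment of a datagram

# Constructed addresses: limited broadcast and the directed broadcast of 10.0.0.0/24.
BROADCAST = {"255.255.255.255", "10.0.0.255"}

def may_send_icmp_error(pkt: Packet) -> bool:
    """Slides 47/48: suppress ICMP errors that would loop, amplify, or answer a bogus source."""
    if pkt.frag_offset != 0:                                # only for the first fragment
        return False
    if pkt.src in BROADCAST or pkt.src.startswith("127."):  # broadcast or loopback source
        return False
    if pkt.proto == "icmp-error":                           # never error-on-error
        return False
    if pkt.dst in BROADCAST:                                # no unreachable for broadcasts
        return False
    return True

def count_icmp_errors(first: Packet, guard: bool, limit: int = 50) -> int:
    """Deliver `first` into a toy network where every host answers a packet it cannot
    accept (closed UDP port, unknown ICMP) with an ICMP error back to the source, and that
    error is delivered in turn. Returns how many ICMP errors were emitted before `limit`."""
    queue, sent = deque([first]), 0
    while queue and sent < limit:
        pkt = queue.popleft()
        if pkt.proto == "icmp-echo":        # echo gets an echo reply, never an error
            continue
        if guard and not may_send_icmp_error(pkt):
            continue
        sent += 1
        queue.append(Packet(src=pkt.dst, dst=pkt.src, proto="icmp-error"))
    return sent
```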

  49. Transport Layer: TCP and UDP • Transmission Control Protocol (TCP) • Reliable. • Connection-oriented. • Slow. • User Datagram Protocol (UDP) • Unreliable. • Connectionless. • Fast.

  50. TCP • Only supports unicasting. • Full duplex connection. • Sequence numbers to detect and recover from lost messages.