Computer Forensics

Presentation Transcript

  1. Computer Forensics: Network Protocols. An overview for network forensics.

  2. Focus of this presentation: protocols, with a few anecdotes, how-tos and previews thrown in.

  3. Network Protocols: Layering
     • The complexity of networking leads to layered architectures.
     • The TCP/IP stack has four layers.
     • OSI has seven.

  4. Network Protocols: Layering

  5. Network Protocols: Layering
     • Each layer adds a header:
       • Application
       • TCP
       • IP
       • Link

  6. Repetition: Capturing Data on a Network
     • Develop a threat model before deploying Network Security Monitoring:
       • Internal / external attacker
       • Wireless / wired / …
     • Develop monitoring zoning:
       • Demilitarized zone
       • Wireless zone
       • Intranet zones

  7. Repetition: Capturing Data on a Network
     • Wired monitoring:
       • Hubs
       • SPAN ports
       • Taps
       • Inline devices

  8. Repetition: Capturing Data on a Network
     • Hubs
       • Broadcast incoming data on all interfaces.
       • Be careful about NIC capacity (10/100/1000 Mb/sec).
       • Be careful about hub quality.
       • Are inexpensive, but can introduce collisions on the links where the hub sits.

  9. Repetition: Capturing Data on a Network
     • Switched Port Analyzer (SPAN)
       • A.k.a. port mirroring, port monitoring.
       • SPAN ports are found on enterprise-class switches.
       • Copies traffic between certain ports to the SPAN port.
       • Configurable.
       • Easy access to traffic.
       • Configuration mistakes are possible.
       • Under heavy load, the SPAN port might not get all traffic.
       • SPAN only allows monitoring of a single switch.

  10. Repetition: Capturing Data on a Network
     • Test Access Port (TAP)
       • Networking device specifically designed for monitoring applications.
       • Typically four ports:
         • Router
         • Firewall
         • Monitor traffic on the remaining ports.
       • One monitor port sees incoming, the other outgoing traffic.
       • Moderately high cost.

  11. Repetition: Capturing Data on a Network
     • Specialized inline devices:
       • Server or hardware device
       • Filtering bridges
       • Server with OpenBSD and two NICs

  12. Link Layer
     • Network Interface Cards (NIC)
       • Unique Medium Access Control (MAC) number.
       • Format: 48 bits, written as twelve hex digits.
       • The first six identify the vendor.
       • The last six are the serial number.
       • NICs either select frames based on MAC address or are in promiscuous mode (capture every packet).

  13. Link Layer
     • Address Resolution Protocol (ARP)
       • Resolves IP addresses to MAC addresses.
       • RFC 826

  14. Link Layer: ARP Resolution Protocol
     • Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101.
     • A sends out a broadcast who-has request:
       00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42; who-has 10.10.10.101
     • All devices on the link capture the packet and pass it to the IP layer.
     • 10.10.10.101 is the only one to answer:
       a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0
     • A caches the value in its ARP cache.

  15. Link Layer: ARP Resolution Protocol ARP requests:

  16. Link Layer: ARP Resolution Protocol

  17. Link Layer Forensics Network monitoring tools such as Argus or Ethereal / Wireshark log MAC addresses.

  18. Link Layer Forensics. Example: a spike in network traffic comes from a computer with a certain IP address. However, Argus logs reveal that the traffic comes from a computer with a different MAC than the computer assigned that IP (spoofing). Finally, intrusion response finds the computer with that MAC: a Linux laptop that has been compromised and is being used for a Denial of Service attack.

  19. Link Layer Forensics
     • The ARP cache can be viewed on Windows NT/2000/XP with the arp -a command.

  20. ATM
     • ATM
       • uses fiber optic cables and ATM switches.
       • encapsulates data into ATM cells.
       • a circuit number identifies the circuit that ATM has established between two computers.
       • ATMARP allows machines to discover MAC addresses.
       • ATMARP has a central server that responds to ARP requests.
       • ATM forensics is similar.

  21. Link Layer Evidence
     • Sniffers in promiscuous mode.
     • Intruders also use sniffers.
       • Typically monitor traffic to / from the compromised system.
       • Sometimes they monitor themselves coming back to look at the sniffer logs.
     • Intruders sometimes encrypt their traffic.
       • But the sniffers still see the packets; they just cannot read them.
     • Installing sniffers can violate wire-tapping and other laws and is resource-intensive.
     • FreeBSD / OpenBSD seem to be the best platforms.

  22. Link Layer Evidence
     • Sniffer location:
       • On the compromised machine.
         • Evidence not trustworthy.
       • Nearby host.
       • Switched Port Analyzer (SPAN)
         • Copies network traffic from one switch port to another.
         • Only copies valid Ethernet packets.
         • Does not duplicate all error information.
         • The copying process has lower priority, and some packets might not be mirrored.
         • Misses traffic on the local link.

  23. Link Layer Evidence
     • Sniffer configuration
       • Can capture entire frames.
       • Or only the first part of each frame (the tcpdump default setting).

  24. Link Layer Evidence
     • Some organizations log ARP information.
     • Routers keep ARP tables.
       • show ip arp
     • All hosts keep ARP tables.
     • DHCP often assigns addresses only to computers with known MACs.

  25. Link Layer Evidence. An employee received harassing e-mail from a host on the employer's network with IP address 192.168.1.65. The DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c. This MAC belonged to a network printer. The router's ARP table showed that the IP address 192.168.1.65 was used by a computer with MAC 00:30:65:4b:2a:5c (IP spoofing). Although this MAC was not on the organization's list, there were only a few Apple computers on the network and the culprit was soon found.
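
The cross-check described on slides 24 and 25, worked through as an added example (it is not code from the deck): compare the DHCP lease table with what the router's ARP table actually recorded and report every IP that answered from a MAC other than the leased one. The lease table, the inventory of known MACs and the "show ip arp" text are constructed for the example; the column layout of the router output follows the Cisco IOS style, which is an assumption about the router in use.

```python
import re

# Constructed sample data for this example (not records from the slide deck):
# a DHCP lease table and the text output of a router's "show ip arp" command,
# laid out in the style of Cisco IOS (the exact column layout is an assumption).
DHCP_LEASES = {
    "192.168.1.65": "00:00:48:5c:3a:6c",   # lease belongs to a network printer
    "192.168.1.70": "00:0c:29:11:22:33",
}

SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0000.0c07.ac01  ARPA   Vlan1
Internet  192.168.1.65            3   0030.654b.2a5c  ARPA   Vlan1
Internet  192.168.1.70           12   000c.2911.2233  ARPA   Vlan1
"""

# Inventory of MAC addresses the organisation knows about (constructed).
KNOWN_MACS = {"00:00:48:5c:3a:6c", "00:0c:29:11:22:33", "00:00:0c:07:ac:01"}

_CISCO_MAC = re.compile(r"^([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$")


def normalize_mac(mac):
    """Return a MAC as lower-case colon-separated hex, accepting the
    dotted Cisco form (0030.654b.2a5c) as well as colon or dash forms."""
    mac = mac.strip().lower()
    m = _CISCO_MAC.match(mac)
    hexstr = "".join(m.groups()) if m else mac.replace(":", "").replace("-", "")
    if len(hexstr) != 12 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def parse_show_ip_arp(text):
    """Parse 'show ip arp' output into {ip: mac}; header and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "Internet":
            continue
        table[fields[1]] = normalize_mac(fields[3])
    return table


def find_mismatches(leases, arp_table, known_macs):
    """List every leased IP that the router saw answering from a different MAC.
    'observed_known' tells the responder whether that MAC is in inventory at all."""
    findings = []
    for ip, leased_mac in leases.items():
        seen = arp_table.get(ip)
        if seen is None or seen == normalize_mac(leased_mac):
            continue
        findings.append({
            "ip": ip,
            "leased_mac": normalize_mac(leased_mac),
            "observed_mac": seen,
            "observed_known": seen in known_macs,
        })
    return findings


if __name__ == "__main__":
    arp = parse_show_ip_arp(SHOW_IP_ARP)
    for f in find_mismatches(DHCP_LEASES, arp, KNOWN_MACS):
        print("%s leased to %s but router saw %s (in inventory: %s)"
              % (f["ip"], f["leased_mac"], f["observed_mac"], f["observed_known"]))
```

The MAC normaliser matters more than it looks: routers, DHCP servers and sniffers all write MACs differently, and a comparison that skips this step silently misses the mismatch the slide describes.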

  26. Link Layer Evidence
     • Analyze and filter log files:
       • Keyword searches
         • E.g. for USER, PASS, login
         • Nicknames, channel names
       • Filters
       • Reconstruction
         • E.g. contents of a web-mail inbox.

  27. Link Layer Evidence. NetIntercept screenshot: an example of a commercial Network Forensics / Network Intrusion Detection tool that reveals link layer evidence.

  28. ARP Packet
     • RFC 826
     • ARP packet layout (byte offsets):
       • 0-1: Hardware type (0x0001 = Ethernet)
       • 2-3: Protocol type (0x0800 = IP)
       • 4: Number of bytes in hardware address (6 for MAC)
       • 5: Number of bytes in protocol address (4 for IP)
       • 6-7: Opcode: 1 for ARP request, 2 for ARP reply
       • 8-13: Source MAC
       • 14-17: Source IP
       • 18-23: Target MAC
       • 24-27: Target IP

  29. ARP Packet. Source: http://binarios.com/lnb/tcpip-slides/slide11.html

  30. ARP Packet: Ethereal disassembly of an ARP packet.

  31. Monitoring Tools
     • Arpwatch
       • Monitors Ethernet activity and keeps a database of Ethernet/IP address pairings.

  32. Attacks on ARP
     • Packet generators for various OSs.
       • Allow an attacker to subvert a chosen protocol.
       • hping2 for Windows.
       • *NIX, X Windows:
         • packit
         • http://sourceforge.net/projects/packitgui/
         • IP Sorcery
         • and many, many more.
       • Used to create arbitrary packets.

  33. Attacks on ARP
     • Switch flooding
       • Switches contain a switch address table.
       • The switch address table associates ports with MAC addresses.
       • Switch flooding creates many false entries.
       • Switches fail in two different modes:
         • Fail open:
           • The switch converts into a hub.
           • This allows monitoring of traffic through the switch from any port.
         • Fail closed:
           • The switch stops functioning.
           • Denial of Service (DoS) attack.

  34. Attacks on ARP
     • ARP Poisoning (diagram: attacker, switch, victim, router, outside world)

  35. Attacks on ARP
     • ARP Poisoning: the attacker configures IP forwarding to send packets on to the default router for the LAN. (same diagram)

  36. Attacks on ARP
     • ARP Poisoning: the attacker sends a fake ARP reply to remap the default router's IP address to his MAC address. (same diagram)

  37. Attacks on ARP
     • ARP Poisoning: the switch now takes the packet from the victim and forwards it to the attacker. (same diagram)

  38. Attacks on ARP
     • ARP Poisoning: the attacker's machine intercepts the message for sniffing and sends it back to the switch with the MAC address of the router. (same diagram)

  39. Attacks on ARP http://www.watchguard.com/
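
What the arpwatch database from slide 31 sees while the remapping on slides 34-38 happens, as an added example that is not part of the deck: a monitor keeps the ip -> mac pairings it has observed, raises "changed ethernet address" when a pairing flips, treats a flip of the gateway's pairing as a possible poisoning, and lists every MAC that has claimed more than one IP. The sequence of ARP replies is constructed; the IP and MAC values of the two hosts come from slide 14, while the router's address, the third MAC and the timestamps are made up for the example.

```python
from collections import defaultdict

# Constructed sequence of ARP replies as a monitor on a SPAN port might see them:
# (timestamp, sender IP, sender MAC). Host addresses reuse the deck's slide 14
# values; the router's MAC and the timestamps are invented for this example.
GATEWAY_IP = "10.10.10.1"
ARP_REPLIES = [
    (1000.0, "10.10.10.1",   "00:00:0c:07:ac:01"),  # router announces itself
    (1001.0, "10.10.10.100", "00:01:02:03:04:05"),  # host A
    (1002.0, "10.10.10.101", "a0:a0:a0:a0:a0:a0"),  # host B
    (1200.0, "10.10.10.1",   "00:01:02:03:04:05"),  # gateway IP now claimed by host A's MAC
    (1201.0, "10.10.10.100", "00:01:02:03:04:05"),
    (1202.0, "10.10.10.1",   "00:00:0c:07:ac:01"),  # real router answers again: flip-flop
]

NEW_STATION = "new station"
CHANGED = "changed ethernet address"
GATEWAY_REMAPPED = "gateway remapped (possible ARP poisoning)"


class ArpMonitor:
    """Keeps an ip -> mac database the way arpwatch does and records an alert
    whenever a pairing changes; a change of the gateway's pairing is reported
    under its own label because that is the hallmark of the slide 36 step."""

    def __init__(self, gateway_ip=None):
        self.db = {}                          # ip -> mac currently believed
        self.ips_per_mac = defaultdict(set)   # every ip each mac has ever claimed
        self.gateway_ip = gateway_ip
        self.alerts = []                      # (timestamp, kind, ip, old_mac, new_mac)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        old = self.db.get(ip)
        if old is None:
            self.alerts.append((ts, NEW_STATION, ip, None, mac))
        elif old != mac:
            kind = GATEWAY_REMAPPED if ip == self.gateway_ip else CHANGED
            self.alerts.append((ts, kind, ip, old, mac))
        self.db[ip] = mac
        self.ips_per_mac[mac].add(ip)

    def macs_with_multiple_ips(self):
        """MACs that have claimed more than one IP: a station answering for an
        address that is not its own, whether by misconfiguration or on purpose."""
        return {m: ips for m, ips in self.ips_per_mac.items() if len(ips) > 1}


def run_monitor(replies, gateway_ip):
    """Feed a reply sequence through a fresh monitor and return it for inspection."""
    mon = ArpMonitor(gateway_ip)
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon


if __name__ == "__main__":
    mon = run_monitor(ARP_REPLIES, GATEWAY_IP)
    for ts, kind, ip, old, new in mon.alerts:
        print("%.0f %-45s %-14s %s -> %s" % (ts, kind, ip, old, new))
    print("MACs claiming several IPs:", mon.macs_with_multiple_ips())
```

Note the flip-flop at the end of the sequence: the real router keeps answering, so the gateway pairing changes twice, which is exactly the pattern arpwatch reports as "flip flop" and which distinguishes poisoning from an administrator simply replacing the router.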

  40. RARP
     • RARP (Reverse Address Resolution Protocol)
       • Used to allow diskless systems to obtain a static IP address.
       • The system requests an IP address from another machine (supplying its MAC address).
       • The responder either uses DNS with name-to-Ethernet-address mapping or looks up a MAC-to-IP ARP table.
       • The administrator needs to place the table on a gateway.
       • The RARP daemon (rarpd) responds to RARP requests.

  41. RARP
     • RARP vulnerability
       • Use RARP together with ARP spoofing to request an IP address and take part in communications over the network.

  42. RARP Packet
     • Packet format as in ARP (byte offsets):
       • 0-1: Hardware type (0x0001 = Ethernet)
       • 2-3: Protocol type (0x0800 = IP)
       • 4: Number of bytes in hardware address (6 for MAC)
       • 5: Number of bytes in protocol address (4 for IP)
       • 6-7: Opcode: 1 for ARP request, 2 for ARP reply
       • 8-13: Source MAC
       • 14-17: Source IP
       • 18-23: Target MAC
       • 24-27: Target IP
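
The packet layout of slides 28 and 42 and the who-has / is-at exchange of slide 14, implemented as one added example (not code from the deck): a serialiser and parser for the 28-byte Ethernet/IPv4 ARP packet using the byte offsets above, and a small link model on which node A broadcasts a request, only the node owning 10.10.10.101 answers, and A caches the reply. The opcodes 3 and 4 decoded for RARP are the ones RFC 903 assigns. The node model is deliberately stricter than a typical stack: it caches a reply only for an address it has actually asked for, which is one mitigation for the unsolicited reply used on slide 36. The third host and the unsolicited reply in the usage are constructed.

```python
import struct

# Fixed header values for ARP over Ethernet carrying IPv4 (slide 28).
HW_ETHERNET = 0x0001
PROTO_IPV4 = 0x0800
# Opcodes 1 and 2 are ARP (RFC 826); 3 and 4 are the RARP request and reply
# assigned by RFC 903.
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
# Network byte order: hw type, proto type, hw len, proto len, opcode,
# sender MAC, sender IP, target MAC, target IP = 28 bytes.
ARP = struct.Struct("!HHBBH6s4s6s4s")


def mac_to_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def bytes_to_mac(b): return ":".join("%02x" % x for x in b)
def ip_to_bytes(ip): return bytes(int(o) for o in ip.split("."))
def bytes_to_ip(b): return ".".join(str(x) for x in b)


def build_arp(opcode, src_mac, src_ip, tgt_mac, tgt_ip):
    """Serialise one ARP/RARP packet using the offsets on slides 28 and 42."""
    return ARP.pack(HW_ETHERNET, PROTO_IPV4, 6, 4, opcode,
                    mac_to_bytes(src_mac), ip_to_bytes(src_ip),
                    mac_to_bytes(tgt_mac), ip_to_bytes(tgt_ip))


def parse_arp(pkt):
    """Decode the 28-byte packet; reject anything that is not Ethernet/IPv4 ARP."""
    if len(pkt) < ARP.size:
        raise ValueError("truncated ARP packet (%d bytes)" % len(pkt))
    hw, proto, hlen, plen, op, smac, sip, tmac, tip = ARP.unpack_from(pkt)
    if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"opcode": op, "op_name": OPCODES.get(op, "unknown"),
            "src_mac": bytes_to_mac(smac), "src_ip": bytes_to_ip(sip),
            "tgt_mac": bytes_to_mac(tmac), "tgt_ip": bytes_to_ip(tip)}


class Node:
    """A host on one link. It caches a reply only for an address it has asked
    for, so an unsolicited reply (the remapping on slide 36) is dropped."""

    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.arp_cache = {}
        self.pending = set()

    def who_has(self, target_ip):
        self.pending.add(target_ip)
        # Target MAC is unknown, so that field is zero; the frame itself goes to ff:ff:ff:ff:ff:ff.
        return build_arp(1, self.mac, self.ip, "00:00:00:00:00:00", target_ip)

    def handle(self, pkt):
        """Return a reply if the packet is a request for our address, else None."""
        arp = parse_arp(pkt)
        if arp["opcode"] == 1 and arp["tgt_ip"] == self.ip:
            return build_arp(2, self.mac, self.ip, arp["src_mac"], arp["src_ip"])
        if arp["opcode"] == 2 and arp["tgt_ip"] == self.ip and arp["src_ip"] in self.pending:
            self.arp_cache[arp["src_ip"]] = arp["src_mac"]
            self.pending.discard(arp["src_ip"])
        return None


def resolve(link, requester, target_ip):
    """The slide 14 exchange: broadcast the request to every other node on the
    link, deliver whatever replies come back, return (cached MAC, reply count)."""
    request = requester.who_has(target_ip)
    replies = [r for node in link if node is not requester
               for r in [node.handle(request)] if r is not None]
    for reply in replies:
        requester.handle(reply)
    return requester.arp_cache.get(target_ip), len(replies)


if __name__ == "__main__":
    a = Node("10.10.10.100", "00:01:02:03:04:05")
    b = Node("10.10.10.101", "a0:a0:a0:a0:a0:a0")
    c = Node("10.10.10.102", "11:22:33:44:55:66")   # constructed third host
    print(resolve([a, b, c], a, "10.10.10.101"))    # ('a0:a0:a0:a0:a0:a0', 1)
    print(parse_arp(build_arp(3, a.mac, "0.0.0.0", a.mac, "0.0.0.0"))["op_name"])
```

The 42- and 64-byte lengths on slide 14 are Ethernet frame sizes: 14 bytes of Ethernet header plus this 28-byte payload gives 42, and the reply is padded to the Ethernet minimum, which is why a parser should check for at least 28 bytes rather than exactly 28.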

  43. IP
     • Uses IP addresses of source and destination.
     • IP datagrams are moved from hop to hop.
     • "Best effort" service.
     • Corrupted datagrams are detected and dropped.

  44. IP
     • Addresses contain an IP address and a port number.
     • IPv4 addresses are 32 bits long.
       • 10.20.36.134
     • IPv6 addresses are 8*16 bits long.
       • Eight groups of four hexadecimal digits, each group separated by a colon (:).
       • 2001:0db8:85a3:0000:0000:8a2e:0370:7334
       • The protocol also defines a shortened notation.
       • This notation is also valid: 2001:db8:85a3::8a2e:370:7334

  45. IP Source: http://binarios.com/lnb/tcpip-slides/slide15.html

  46. IP: ICMP
     • Internet Control Message Protocol
     • Created to deal with non-transient problems. For example:
       • Fragmentation is necessary, but the No Frag (Don't Fragment) flag is set.
       • A UDP datagram is sent to a non-listening port.
       • Ping.
     • Used to detect network connectivity before it became too useful for attack reconnaissance.
     • Does not use ports.
     • Allows broadcasting.
     • More on ICMP later.

  47. IP: ICMP
     • ICMP error messages should not be sent:
       • For any but the first fragment.
       • For a source address that is a broadcast or loopback address.
         • Such datagrams are probably malicious, anyway.
     • Otherwise ICMP messages could proliferate and throttle a network.

  48. IP: ICMP
     • ICMP errors are not sent:
       • In response to an ICMP error message.
         • Otherwise one could craft a message with invalid UDP source and destination ports and watch the ICMP ping-pong.
       • To a destination broadcast address.
         • Don't answer with destination unreachable for a broadcast. Otherwise, this makes it trivial to scan a network.
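
The suppression rules of slides 47 and 48 as one decision function, an added example rather than code from the deck: given a minimal view of an incoming datagram, it says whether a host may answer with an ICMP error and why not. The Datagram type, the ICMP error-type set (the error-reporting types of RFC 792) and the sample datagrams are constructed for the example; the local subnet is an assumed parameter so that the directed broadcast address can be recognised. Multicast destinations are refused as well, which is the RFC 1122 extension of the broadcast rule on slide 48.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Datagram:
    """Only the fields the slide 47/48 rules look at (constructed type)."""
    src: str
    dst: str
    protocol: str                 # "udp", "tcp" or "icmp"
    frag_offset: int = 0          # 0 for an unfragmented datagram or the first fragment
    icmp_type: Optional[int] = None


# ICMP types that are themselves error reports (RFC 792): destination
# unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def icmp_error_allowed(dg, local_net="192.168.1.0/24"):
    """Decide whether a host may answer `dg` with an ICMP error.
    Returns (allowed, reason). `local_net` is assumed to be the receiving
    interface's subnet, needed to recognise its directed broadcast address."""
    net = ipaddress.ip_network(local_net)
    src, dst = ipaddress.ip_address(dg.src), ipaddress.ip_address(dg.dst)
    if dg.frag_offset != 0:
        return False, "not the first fragment"
    if src.is_loopback or src in (net.broadcast_address, LIMITED_BROADCAST):
        return False, "source is a loopback or broadcast address"
    if dg.protocol == "icmp" and dg.icmp_type in ICMP_ERROR_TYPES:
        return False, "would answer an ICMP error with another error (ping-pong)"
    if dst in (net.broadcast_address, LIMITED_BROADCAST) or dst.is_multicast:
        # RFC 1122 extends the broadcast rule on slide 48 to multicast destinations.
        return False, "destination is a broadcast or multicast address"
    return True, "ok"


def triage(datagrams, local_net="192.168.1.0/24"):
    """Apply the policy to a batch; return how many errors were suppressed per reason."""
    counts = {}
    for dg in datagrams:
        allowed, reason = icmp_error_allowed(dg, local_net)
        if not allowed:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    samples = [  # constructed datagrams
        Datagram("192.168.1.10", "192.168.1.20", "udp"),                  # closed UDP port: error is fine
        Datagram("192.168.1.10", "192.168.1.20", "udp", frag_offset=185),  # a later fragment
        Datagram("127.0.0.1", "192.168.1.20", "udp"),                     # loopback source
        Datagram("192.168.1.10", "192.168.1.20", "icmp", icmp_type=3),    # an ICMP error itself
        Datagram("192.168.1.10", "192.168.1.255", "udp"),                 # directed broadcast
    ]
    for dg in samples:
        print("%-14s -> %-14s %s" % (dg.src, dg.dst, icmp_error_allowed(dg)))
    print(triage(samples))
```

An echo request (ICMP type 8) is not an error report, so a host may still answer it with an error if, say, the datagram is malformed; only the error-reporting types are silenced, which is the distinction the ping-pong rule depends on.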

  49. Transport Layer: TCP and UDP
     • Transmission Control Protocol (TCP)
       • Reliable
       • Connection-oriented
       • Slow
     • User Datagram Protocol (UDP)
       • Unreliable
       • Connectionless
       • Fast

  50. TCP
     • Only supports unicasting.
     • Full-duplex connection.
     • Sequence numbers detect lost messages so that they can be retransmitted.