Holly Ferguson. Network Forensics

Size: px

Start display at page:

Download "Holly Ferguson. Network Forensics"

Augustus Cameron
7 years ago
Views:

1 Holly Ferguson Network Forensics

2 Discussion Points: 1. Frame of Reference 2. Functionality of the Field 3. Details per 4 Categories 4. News Proceed for own Reference 5. Attacker Techniques

3 Network Forensics Network forensics is categorized as a single branch of digital forensics; it includes the areas of monitoring and analyzing computer network traffic and allows individuals to gather information, compile evidence, and/or detect intrusions. - Computer Forensics - Database Forensics Digital Forensics - Mobile Device Forensics - Network Forensics Ethernet TCP/IP Internet Wireless Forensics - Audio & Video Forensics

4 Investigation Stages: 1) acquisition/imaging of exhibits (write-blocking device), *) --examination (National Instit of Standards and Tech.) 2) analysis (systematic search for differences), and 3) reporting (documented findings and conclusions) Evolving as Field with Policies Digital Forensics 1980/90s 1978 Evolving Need for the Field & Multiple Instances Fraud and Abuse Legislation, sysadmin Florida Computer Crimes Act SHA-1 & MD5 1970s Rise of Personal Use

5 Recall types of Network Forensics Unique because it is volatile Unique because it is rarely logged Reactionary Field of Work, with 2 general uses: 1) Security = Monitoring for intrusions Network evidence may be the only type if a drive was wiped clean 2) Law Enforcement = Reassembling transferred files Finding keywords Searching for keywords Parsing messages Examining packet filters Examining firewalls Examining existing systems

6 Data Collection Methods "Catch-it-as-you-can" All packets are captured Large storage needed Analysis in batch mode packet level For later analysis

7 Data Collection Methods "Catch-it-as-you-can" All packets are captured Large storage needed Analysis in batch mode packet level For later analysis "Stop, look and listen" Requires faster processor for incoming traffic Each analyzed in memory Certain ones are stored packet level Real-time filtering

8 Ethernet TCP/IP Internet Wireless Forensics Methods are achieved with eavesdropping bit streams (on the Ethernet layer). Uses monitoring tools or sniffers Wireshark (a.k.a. Ethereal) Then protocols can be consulted, such as the Address Resolution Protocol (ARP) Network Interface Card (NIC), but can be averted with encryption

9 Ethernet TCP/IP Internet Wireless Forensics Methods are achieved with router information investigations (on the Network layer). Each router includes routing tables to pass along packets These are some of the best information sources for data tracking Follow compromised packets, reverse route, ID the source Network layer also provides authentication log evidence

10 Ethernet TCP/IP Internet Wireless Forensics Methods are achieved by identifying server logs (on the Internet). Includes web-browsing, , chat, and other types of traffic & communication Server logs collect information accounts have useful information except when headers are faked User account information associated with a particular user

11 Ethernet TCP/IP Internet Wireless Forensics Methods are achieved by collecting & analyzing wireless traffic (Wireless Networks). A sub-discipline of the field To get that which is considered valid digital evidence This can be normal data OR voice communications via VoIP Analysis is similar to wired network situations, with different security issues

12 Criminal Techniques: Encryption Hiding Data within Codes Hiding with Steganography Hiding with Embedding Hiding with Obscurity Hiding with Nonames on Files Text to Image Types Compression Changing behavior of System Commands Changing behavior of Operating Systems Hiding Data via other means Almost non-stop security compromises exist involving transmitted credit card numbers, personal accounts, proprietary information, passwords, and other valuable data. One example involving Facebook (2011): Before only the login was encrypted and now wanted to encrypt all communications to servers with HTTPS instead of SSL, else can sniff at any free WiFi at a public place.

13 Criminal Techniques: Encryption Hiding Data within Codes Hiding with Steganography Hiding with Embedding Hiding with Obscurity Hiding with Nonames on Files Text to Image Types Compression Changing behavior of System Commands Changing behavior of Operating Systems Hiding Data via other means Almost non-stop security compromises exist involving transmitted credit card numbers, personal accounts, proprietary information, passwords, and other valuable data. One example involving Facebook (2011): Before only the login was encrypted and now wanted to encrypt all communications to servers with HTTPS instead of SSL, else can sniff at any free WiFi at a public place.

14 Steganography 1) Removing all but the two least significant bits of each color component 2) Apply a subsequent normalization Right: = extracted image Encryption Key + Original Data + Encrypted Message

Embedding (w/ multiple images) Using y = 2x +2: Here, if the value of x=1 then y will be 4, indicating that the first byte of secret data will be stored in the first byte place of second pixel. i.e. ( 8 bit Red position).

15 Embedding (w/ multiple images) Using y = 2x +2: Here, if the value of x=1 then y will be 4, indicating that the first byte of secret data will be stored in the first byte place of second pixel. i.e. ( 8 bit Red position). Similarly, x=2 will give y=6 so the second secret byte data will be stored in last byte of second pixel (i.e. 8-bit Blue position) and so on. Hence, by a suitable choice of a and b all bytes of the secret data can be mapped entirely into the container image. 1

Compression Two Types of Compression for Hiding Files 1) Lossless compression Hiding files where the original information needs to remain intact and can be reconstructed

16 Compression Two Types of Compression for Hiding Files 1) Lossless compression Hiding files where the original information needs to remain intact and can be reconstructed exactly (GIF and BMP). 2) Lossy compression, Hiding files where the integrity of the original image is not maintained. (JPGs, but very good compression rate/saves more space).

17 Sources Consulted and Referenced: Image citation: Questions?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk