Network Forensics: Log Analysis

Transcription

1 Network Forensics: Analysis Richard Baskerville Agenda P Terms & -based Tracing P Application Layer Analysis P Lower Layer Analysis Georgia State University 1 2 Two Important Terms PPromiscuous Mode < An Ethernet Network Interface Card (NIC) in promiscuous mode is a configuration that will pass all traffic received by the card to the operating system, rather than just packets addressed to it. This feature is normally used for packet sniffing. PIPSpoofing < Forging the source address in the header of an IP packet so that it contains a different address, making it appear that the packet was sent by a different machine. Responses to spoofed packets will go to the forged source address. Mainly used for Denial of Service where the attacker does not care about the response, or defeating IP-based authentication. It is sometimes possible for an attacker to recover responses, when the spoofed address is on LAN or WAN controlled by the attacker. Rootkit P Blackhat software that gains control over a computer or network. "Root" refers to the administrative (superuser) computer account. Kit refers to mechanisms that initiate entry into the target computer modify it for later, and more simplified means of access (a backdoor). P Rootkits will usually erase the system event logging capacity in an attempt to hide attack evidence and may disclose sensitive data. A well designed rootkit will replace parts of the operating system with rootkit processes and files, and obscure itself from security scanning. 3 4 Client HTTP Data TCP Data + TL Pr IP Data + TL/IL Pr X.25 ging Tracing Application Layer Transport Layer Internet Layer Network Access Layer HTTP Data TCP Data + TL Pr IP Data + TL/IL Pr X.25 Proxy or Firewall Router Sniffers ging Options PIssues of efficiency in logfile space and processing time PSometimes options, e.g., < Off < Succinct < Verbose Data + TL/IL/NA Pr Forensics Analysis 5 6

2 Web s Application Layer Analysis Example of Application Layer gin P Access File < Access log file contains a log of all the requests. P Proxy Access File < (If directed) a separate log of proxy transactions (otherwise logged to Access ) P CacheAccess < (If directed) a separate log of cache accesses (otherwise logged to Access ) P Error File < of errors 7 8 The Common file Format World Wide Web Consortium (W3C) P Format: remotehost rfc931 authuser [date] "request" status bytes < remotehost Remote hostname (or IP number if DNS hostname is not available, or if DNSLookup is Off. < rfc931 The remote logname of the user. < authuser The username as which the user has authenticated himself. < [date] Date and time of the request. < "request" The request line exactly as it came from the client. < status The HTTP status code returned to the client. < bytes The content-length of the document transferred. Web file Example [03/Jan/2001:15:20: ] "GET /Inauguration.htm HTTP/1.0" " "Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)" 9 10 IIS ging Options Web Access 11 12

3 Web Analysis Tools: Page Delivery Web Analysis Tools: File Delivery Usually Intended for Management Web Analysis Tools: Users Web file Live Example # [27/Mar/2010:22:27: ] "GET /cis8080/readings/sec_you.pdf HTTP/1.0" "-" "eliza-google-crawler (Enterprise; S5- JDM5GCVTD6NJB; [email protected],[email protected])" Unauthorized Access Nothing delivered Subject to Spoofing Simple Who Is Tracing Web file Live Example # infosecstudent [25/Mar/2010:13:34: ] "GET /cis8080/readings/stratisrm_final_typescript.pdf HTTP/1.1" " "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;.NET CLR )" Request fulfilled 60KB delivered 17 18

4 Simple Who is Tracing Help for Tracing Abuse Lower Layer Analysis Transport, Internet, Network Access ging Reconstructing Data Flows Transport Layer Internet Layer TCP Data + TL Pr IP Data + TL/IL Pr Proxy or Firewall Router P s record packet headers, not sessions or flows P s usually ignore packet contents for efficiency P Flow can be logically reconstructed from < IP addresses < Port numbers < Implied Protocols < Sequencing Network Access Layer X.25 Sniffers Reconstructing TCP flows from raw IP network traffic. From E. Casey (2004) Network Traffic as a source of evidence, Digital Investigation 1 (1) TCP Connection Graph Incoming TCP Connection Graph Network Analysis Tools Inbound port 139 connections suggest the firewall and the host are controlled by intruders. Port 139: This is the single most dangerous port on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port. This is the first port hackers want to connect to, and the port that firewalls block. Example from Raynal, et al. (2004) Honeypot Forensics IEEE Security & Privacy Example from Raynal, et al. (2004) Honeypot Forensics IEEE Security & Privacy

5 Outgoing TCP Connection Graph Detecting the Moment of Compromise These outgoing port 139 connections suggest this machine has been compromised by intruders. Port is not listening, attempts to connect are reset (RST). 25 Example from Raynal, et al. (2004) Honeypot Forensics IEEE Security & Privacy Port starts listening, attempts to connect finish (FIN), some software has started monitoring this port at 5:50:37 Example from Raynal, et al. (2004) Honeypot Forensics IEEE Security & Privacy tcpdump Snort Free packet analyzer that allows a computer to intercept and display packets transmitted and received over its attached network. Runs on Unix-like operating systems and there is a port to Windows (WinDump). Uses packet capture engines libpcap (or WinPcap). Tcpdump file format is standard now. Free open source network intrusion prevention and detection system that logs packets and analyzes traffic on IP networks. It performs protocol analysis, content searching/matching, and actively blocks or passively detects many attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts NetDetector Continuous capture and warehousing of network packets and statistics. Alerts on signatures, traffic patterns. and statistical anomalies. Reconstructs web, , instant messaging, FTP, Telnet, etc. NetIntercept Captures and stores LAN traffic in raw dump files using a promiscuous Ethernet card and a modified UNIX kernel. Can write directly to removable media or network transfer to other machines for archiving. Stream reconstruction on demand. assembles user-defined range of packets into network connection data streams. The analysis subsystem is graphical, constructing a tree stored in an SQL database

6 Network Forensics: s Richard Baskerville 31 Georgia State University