Network forensics is a sub branch of digital forensics whose aim is to: capture, record, and analyze network events in order to discover the source of security attacks or other problem incidents or activities of legitimate users 2 IP and MAC addresses passwords files messages: mail, chat, web, who was doing what and when what is hidden behind firewalls what attacks have been or still are going on an organization s communication policies 3 P.Pale: Computer forensics 1
... relating to Network Evidence Acquisition Networks contain so many possible sources of evidence e.g. wireless access points, web proxies, central log servers... sometimes pinpointing the correct location of the evidence is tricky Content Network devices often have very limited storage capacity Storage The data which network devices contain may be so volatile as to not survive a reset of the device Seizure Very disruptive! In some cases, an entire network segment may be brought down indefinitely until equipment is returned and operations restored Admissibility Network forensics is a newer approach to digital investigations There are sometimes conflicting or even nonexisting legal precedents for admission of various types of network based digital evidence 4 Evidence acquisition Protocol analysis Packet analysis Flow analysis Network Logs Network devices Network intrusion detection/prevention systems Common network attacks Web browser forensics 5 Evidence acquisition Protocol analysis Packet analysis Flow analysis Network Logs Network devices Network intrusion detection/prevention systems Common network attacks Web browser forensics 6 P.Pale: Computer forensics 2
Is it possible to obtain network traffic without sending or modifying any data frames on the network? While it is never possible to have absolutely zero impact on the environment, the process of capturing (or sniffing) traffic can often be conducted with very little impact Sniffing can be done in these ways: A Physical interception B Traffic acquisition software C Active acquisition 7 A Passively acquire network traffic by intercepting it as it is transmitted across cables, through the air, (will be discussed in wireless forensics) or through network equipment or through network equipment such as hubs and switches 8 Most common materials for cables are Copper two most widely used types: coaxial and Twisted Pair (TP) Fiber Fiber optic cables consist of thin strands of glass (or sometimes plastic) which are bundled together in order to transmit signals across a distance Each of these can be sniffed, although the equipment and side effects vary depending on the physical media 9 P.Pale: Computer forensics 3
A Layer 1 device is inserted inline between two physically connected network devices The network tap will pass along the packets and also physically replicate copies to a separate port(s) Commonlyhave four ports: two connected inline to facilitate normal traffic, and two sniffing ports, which mirror that traffic (one for each direction) NOTE: causes a brief disruption, while cable being disconnected in order to connect the network tap inline Every additional break in a cable is a potential point of failure! Inline insertion of network taps necessarily increase the risk of network disruption 10 devices that pierce the shielding of copper wires in order to provide access to the signal within Unlike inline network taps, the cable does not need to be disconnected or severed in order for a vampire tap to be installed NOTE: inserting a vampire tap, even if done correctly, can bring down the link on a TP cable since the characteristics of the required balanced communication will be affected negatively 11 Inline network taps work similarly both for fiber optic cables and copper cables To place a network tap inline on a fiber optic cable, network technicians splice the optic cable and connect it to each port of a tap This causes a network disruption NOTE: Inline optical taps may cause noticeable signal degradation! Vampire taps Not as easy as with coper cables because of photon characteristics 12 P.Pale: Computer forensics 4
All wires conducting voltages emit various electromagnetic signals outside of the intended channel Such electromagnetic radiation is more pronounced in unshielded wires, such as UTP, due to the lack of shielding As a consequence, it is theoretically possible to introduce what is called an induction coil alongside such wiring in order to translate the laterally emitted signals into their original digital form Induction coils are devices that essentially transform the magnetism of weak signals to induce a much stronger signal in an external system Such a device could potentially capture the throughput of a cable without being detected by users, administrators, or owners of the wires However such devices are not commercially available in a way that the public can acquire in order to surreptitiously tap Cat5e and Cat6 cables 13 Layer 1 device that physically connects all stations on a local subnet to one circuit Important characteristics relevant to forensics: does not store enough state to track what is connected to it, or how maintains no knowledge of what htdevices are connected tdto what htports received frames are retransmitted on all other ports Thus: traffic on the segment can be seen by everyone else, not just the investigators Confusion Many devices that are currently labeled as hubs by the manufacturer are, in fact, switches 14 Most prevalent Layer 2 device Unlike hubs, switches use software to keep track of which stations are connected to which ports,, in its CAM table. When a switch receives a packet, it forwards it only to the destination station s port Switches operate at Layer 2 (the data link layer), and sometimes Layer 3 CAM table Switches populate the CAM table by listening to arriving traffic When a switch receives a frame from a device, it looks at the source MAC address and remembers the port associated with that MAC address Later, when the switch receives a packet destined for that device, it looks up the MAC address and corresponding port in the CAM table And passes the packet only to that port Switches with sufficient software capabilities can be configured to replicate traffic from one or more ports to some other port for aggregation and analysis Switches have varying port mirroring capabilities, depending on their make and model Port mirroring is inherently limited by the physical capacity of the switch itself 15 P.Pale: Computer forensics 5
B Once physical access to network traffic is gained, one needs software tools to record it The most common software libraries used for recording, parsing, and analyzing captured packet data: libpcap WinPcap Most popular tools: Tcpdump Wireshark 16 Libpcap is a UNIX C library that provides an API for capturing and filtering data link layer frames from arbitrary network interfaces Different UNIX systems have different architectures for processing link layer layer frames Consequently, programmers writing a utility on UNIX to inspect or manipulate link layer frames originally had to write operating system specific routines for accessing them The purpose of libpcap was to provide a layer of abstraction so that programmers could design portable packet capture and analysis tools WinPcap is a library based on libpcap designed for Windows In 1999 by the Computer Networks Group (NetGroup) in the Politecnico di Torino In order to inspect traffic we need a program like WireShark or tcpdump which uses libpcap or winpcap 17 An extremely powerful filtering language included in Libpcap the volume of data that flows across networks has become so huge that it is very important for investigators to be able to filter it during both capture and analysis enables to filter traffic based on value comparisons in fields for Layer 2, 3, and 4 protocols includes built in in references called primitives for many commonly used protocol fields filters can also consist of elaborate conditional chains, nesting logical ANDs and ORs 18 P.Pale: Computer forensics 6
easiest way to construct a BPF filter is to use BPF primitives to refer to specific protocols, protocol elements, or qualities of a packet capture three different kinds of qualifiers Type Dir Proto For example: host 192.168.0.1 and not host 10.1.1.1 and (port 138 or port 139 or port 445) will show us only the traffic in which a computer with the IP address 192.168.0.1 communicates with any other system except 10.1.1.1 over ports 138, 139, or 445 19 A tool for capturing, filtering, and analyzing network traffic was originally designed as a UNIX tool In 1999 it was ported to Windows as WinDump Tcpdump captures traffic bit by bitbit as it traverses any physical media Suitable for conducting link layer traffic capture copper, fiber, or even air Since tcpdump is based on libpcap, it captures at Layer 2 (the data link layer) Fidelity (not dropping packets) One reason that tcpdump is such a powerful tool is that it is capable of capturing traffic with high fidelity, to the degree that the resulting packet capture can constitute evidence admissible in court However, the quality of the packet capture can be impacted by hardware limitations and configuration constraints 20 # tcpdump -nni eth0 'not (tcp and port 80) tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link -type EN10MB (Ethernet), capture size 65535 bytes 12:49:33.631163 IP 10.30.30.20.123 > 10.30.30.255.123: NTPv4, Broadcast,length 48 12:49:38.197072 IP 192.168.30.100.57699 > 192.168.30.30.514: SYSLOG local2.notice, length: 1472 12:49:38.197319 IP 192.168.30.100.57699 > 192.168.30.30.514: SYSLOG local2.notice, length: 1472 12:49:38.197324 IP 192.168.30.100 > 192.168.30.30: udp 12:49:38.197327 IP 192.168.30.100 > 192.168.30.30: udp 12:49:38.197568 IP 192.168.30.100.57699 > 192.168.30.30.514: SYSLOG local2.notice, length: 1472 12:49:38.197819 IP 192.168.30.100.57699 > 192.168.30.30.514: SYSLOG local2.notice, length: 1472 12:49:38.197825 IP 192.168.30.100 > 192.168.30.30: udp 21 P.Pale: Computer forensics 7
Wireshark A libpcap based graphical, open source tool designed for capturing, filtering, and analyzing traffic due to GUI mostly used for manual/human inspection Tshark command line network protocol analysis tool that is part of the Wireshark distribution like Wireshark, it is libpcap based, and can read and save files in the same standard formats as Wireshark mostly used to prepare captured data for automatic processing and analysis can prepare CSV files Dumpcap Part of wireshark Used to capture network packets 22 C Active evidence acquisition network traffic is acquired directly on the target computer for example using tcpdump, wireshark, and is stored in a file which is then: analysed on the target computer or transferred to investigator s computer this process modifies df the environment!!!! Investigators should be highly aware of various ways in which live acquisition modifies the devices and environment under investigation and work to minimize the impact Common Interfaces Console, Secure Shell (SSH), Secure Copy (SCP), SSH File Transfer Protocol (SFTP), Telnet, Simple Network Management Protocol (SNMP), Trivial File Transfer Protocol (TFTP) etc 23 Evidence acquisition Protocol analysis Packet analysis Flow analysis Network Logs Network devices Network intrusion detection/prevention systems Common network attacks Web browser forensics 24 P.Pale: Computer forensics 8
refers to the art and science of understanding how a particular communications protocol works, what is it used for, how to identify it, and how to dissect it. This may not be as straightforward as one might expect In an ideal world, all protocols would be neatly cataloged, publicized, and implemented according to specification in reality, however, none of this is true Many protocols are deliberately kept secret by their inventors, either to protect intellectual property, keep out competition, or for the purposes of security and covert communications Other protocols are simply not documented well enough because no one has taken the time to do so 25 26 IETF Request for Comments (RFC) RFCs have emerged as a way to develop, communicate, and define international standards for internetworking They are developed and distributed by the Internet Engineering Task Force (IETF) which is a loosely self organized group of people who contribute to the engineering and evolution of Internet technologies... the principal body engaged in the development of new Internet standard specifications. https://www.ietf.org/rfc.html Other Standards Bodies IEEE SA Institute of Electrical and Electronics Engineers Standards Association ISO International Organization for Standardization Vendors 27 P.Pale: Computer forensics 9
How do you identify which protocols are in use in a packet capture? Search for common binary/hexadecimal/ascii values that are typically associated with a specific protocol Leverage information in the encapsulating protocol Leverage the TCP/UDP port number many of which are associated with standard default services Analyze the function of the source or destination server specified by IP address or hostname Test for the presence of recognizable protocol structures 28 Example: IPv4 Most protocols contain sequences of bits that are commonly, if not always, present in packets associated with that protocol, in predictable places beginning of an IPv4 is often marked with the hexadecimal sequence 0x4500 Example: 29 Many TCP/UDP ports are associated with usual, default services A simple and common way to identify protocols is by examining the TCP or UDP port number in use 65,535 possible port numbers for each of TCP and UDP IANA publishes a list of known services: http://www.iana.org/assignments/port numbers Identifying protocols by port number is not always reliable servers can easily be configured to use nonstandard ports for specific services Port Service 21 FTP 22 SSH 23 telnet 25 SMTP 53 DNS 80 HTTP 110 POP3 123 NTP 143 IMAP 30 P.Pale: Computer forensics 10
Higher layer protocols Can be extremely useful when analyzing modern applications which rely heavily on them Examples Hypertext Transfer Protocol (HTTP) Simple Mail Transfer Protocol (SMTP) Domain Name System (DNS) Dynamic Host Configuration Protocol (DHCP) Of course, there are many, many others 31 Layer 7 protocol that facilitates automatic configuration of network details assigning an IP address to a MAC address also gateway, DNS servers, etc Forensic value DHCP server logs and packet captures contain: pairs: IP and MAC address which can provide clues to the hardware manufacturer client hostname, routing information etc who used and IP address at specific time 10,12/09/15,00:00:21,Assign,161.53.64.100,Nikola-PC.WIN.LSS.HR, 0013D30C227E 12,12/09/15,00:03:21,Release,161.53.64.100,Nikola-PC.WIN.LSS.HR, 0013D30C227E 25,12/09/15,00:07:00,2 leases expired and 4 leases deleted,,,,,0,6,,, 30,12/09/15,00:09:00,DNS Update Request,161.53.64.178,Anya-PC.WIN.LSS.HR,,,0,6,,, 32 33 P.Pale: Computer forensics 11
Used to access resources on the web Web applications Web APIs (especially interesting for mobile devices) Content (audio/video, images,.) Simple set of request messages GET, POST, HEAD, OPTIONS, DELETE, TRACE Simple set of response messages 1xx Informational Request received, continuing process 2xx Success The action was successfully received, understood and accepted 3xx Redirection Further action must be taken in order to complete the request 4xx Client Error The request contains bad syntax or cannot be fulfilled 5xx Server Error The server failed to fulfill an apparently valid request 34 provides a hierarchical distributed database for resolving the names that people prefer to use with the 32 bit IPv4 numerical addresses or 128 bit for IPv6 example: maja.zesoi.fer.hr > 161.53.64.3 DNS is a query response response protocol Client typically asks a question within a single UDP packet Server responds with a single UDP packet It is possible to route normal DNS traffic over TCP server s response to a query is too large to fit within a single UDP packet DNS zone transfers transfer everything a DNS server knows about a domain a security risk!!! 35 36 P.Pale: Computer forensics 12
Evidence acquisition Protocol analysis Packet analysis Flow analysis Network Logs Network devices Network intrusion detection/prevention systems Common network attacks Web browser forensics 37 The art and science of inspecting the protocols within a set of packets in order to Identify packets of interest and understand their structure and relationship in order to gather evidence and facilitate further analysis To identify packets of interest use filtering techniques to isolate packets based on protocol fields or their contents search for strings or patterns in packet contents to identify targets for further inspection even if the protocol in use is not yet known 38 Wireshark/tshark Include a display filter language allows the end user to isolate packets of interest based on protocol fields example: capture only packets from a specific computer to a specific computer $ tshark -r capturefile.pcap -R "ip.src ==192.168.1.158 && ip.dst ==10.1.1.10" Hex editors 39 P.Pale: Computer forensics 13
Evidence acquisition Protocol analysis Packet analysis Flow analysis Network Logs Network devices Network intrusion detection/prevention systems Common network attacks Web browser forensics 40 practice of examining related groups of packets in order to identify patterns, analyze higher layer protocols, or extract data Flow is defined as: a sequence of packets sent from a particular source to a particular unicast, anycast, or multicast destination that the source desires to label as a flow. A flow could consist of all packets in a specific transport connection or a media stream. However, a flow is not necessarily 1:1 mapped to a transport connection. 41 42 P.Pale: Computer forensics 14
Tshark Can list all conversations and/or flows within a packet capture, or only specific flows based on their characteristics 43 Useful to identify the specific flows of interest so that we can get ready to extract the higher layer protocol data Example: $ pcapcat -r evidence01.pcap [1] TCP 192.168.1.2:54419168 1 2:54419 -> 192.168.1.157:80168 1 157:80 [2] TCP 192.168.1.159:1271 -> 205.188.13.12:443 [3] TCP 192.168.1.159:1272 -> 192.168.1.158:5190 [4] TCP 192.168.1.159:1273 -> 64.236.68.246:80 Enter the index number of the conversation to dump or press enter to quit: 44 Files Can be crucial to any investigation Are often transported over a network Data Such as HTML/JavaScript and other resources on the WWW can be useful Wireshark Has the ability to extract all files and data that were transferred during a capture Network miner Point and click tool for extracting files & data, viewing network packets (similar to Wireshark): http://www.netresec.com/?page=networkminer 45 P.Pale: Computer forensics 15
Evidence acquisition Protocol analysis Packet analysis Flow analysis Network Logs Network devices Network intrusion detection/prevention systems Common network attacks Web browser forensics 46 Why are they important? Event logs are simply selected records that provide information about the state of the system and/or environment at a given time Event logs may include information about system access (such as server logins and logouts), startup and shutdown times, errors and problems, or just routine data such as the data center temperature Where do they come from? Application servers, routers, firewalls, network devices, cameras, HVAC all kinds of other devices generate event logs Different types of devices generate different types of event logs Where are they stored? on the device that generates them on a computer in the network on a (remote?) computer dedicated to collecting logs 47 Sep 20 21:53:09 bigserver postfix/sendmail [10815]: fatal: usage: sendmail [options] Sep 20 22:27:48 bigserver postfix/sendmail [10961]: fatal: Recipient addresses must be specified on the command line or via the t option Sep 20 22:27:48 bigserver postfix/sendmail [10963]: fatal: Recipient addresses must be specified on the command line or via the t option Sep 20 22:28:29 bigserver postfix/sendmail [10979]: fatal: Recipient addresses must be specified on the command line or via the t option Sep 22 13:04:31 bigserver postfix/sendmail [24424]: fatal: usage: sendmail [options] Sep 22 15:32:07 bigserver postfix/postmap [25785]: fatal: open database /etc/postfix/generic.db: Permission denied Sep 22 15:55:40 bigserver postfix/postmap [26209]: fatal: open database /etc/postfix/virtual.db: Permission denied Sep 22 17:01:33 bigserver postfix [27072]: error: to submit mail, use the Postfix sendmail command Sep 22 17:01:33 bigserver postfix [27072]: fatal: the postfix command is reserved for the superuser 48 P.Pale: Computer forensics 16
Evidence acquisition Protocol analysis Packet analysis Flow analysis Network Logs Network devices Network intrusion detection/prevention systems Common network attacks Web browser forensics 49 Hub analogue only electrically restores the signal in order to span longer distances create star topology Switch digital collects whole packet and looks at addresses based on destination address forwards it on just one port there is no need to decide where to forward the packet outgoing port is taken from CAM table puts source address in CAM table all interfaces (ports) are of the same type and protocol typically works on Layer 2 although Layer 3 switches exist, too Router has potentially different interfaces and different protocols has to make the decision where to forward the packet depending on final destination address and properties of paths behind the port speed, error rate, usage, price, can perform network address translation an incoming packet sent to port X can be sent to completely different address internally likewise, outgoing packet will be appearing to com from router s port Y Firewall essentially a router but refuses to forward some packets both in and out depending on packet s source and destination addresses source and destination ports The line between switches, routers, and firewalls has become very blurred It only exists as a theoretical line, which is no longer strictly implemented at all if it ever really was What does that mean for the forensic investigator? The evidence you may expect to find on one device may actually exist on another A device called a switch may actually contain logs that you would expect to find on a firewall 51 P.Pale: Computer forensics 17
Network infrastructure devices contain configurations that reflect the state of the network and activities and the policies of the enterprise that s deployed them descriptive information about the investigated environment and (perhaps) evidence relating to a particular event of interest for example: blocked ports, subnets, port mirroring access lists, NAT, routing tables 52 Dynamic Random Access Memory (DRAM) very volatile and does not retain data (for long) when power is turned off operational data can be found here very difficult to capture Content Addressable Memory(CAM) a special kind of very fast memory used to store information that must be accessed extremely quickly most famously used on switches for storing tables that map MAC addresses to ports Nonvolatile Random Access Memory (NVRAM) retains data when the power is turned off, but can also be easily modified most common type found in network equipment is flash memory it is typically used to store configurations > instructions to device how to work also for logs Hard drive Most switches, routers, and firewalls do not include a hard drive However, general purpose servers can be configured to act as routers or firewalls Read Only Memory (ROM) ROM is a type of random access memory that is designed to permanently store data without modification it is typically used for storing device s programs HIGH Memory volatility LOW 53 Content Addressable Memory (CAM) Table Can be very valuable, since it contains the MAC addresses of the network cards communicating on the local subnet Very volatile and can change quickly, depending on network activity Example: 54 P.Pale: Computer forensics 18
when a computer needs to send an IP packet it has to be encapsulated in Layer 2 packet typically Ethernet (IEEE 802.3) which means MAC address is needed corresponding to IP address thesepairs are stored in ARPtable however, if table does not contain required pair ARP request is sent as a broadcast message on Layer 2 containing the IP address the computer using this IP address will respond thus, its MAC address will be associated with its IP address and remembered in ARP table 55 Routers are typically involved in investigations because: Traffic of interest may traverse the router, resulting in associated flow data and related records A router is one of the most basic logging devices on any network and also one of the most fundamental The network topology is the key to understanding evidence and incidents, and is described at Layer 3 by the aggregate of routing tables NOTE: The router itself may be compromised 56 Types of evidence that can be gathered from routers, categorized by expected volatility Volatile Routing tables, Stored packets before they are forwarded, Packet counts and statistics, ARP table, DHCP lease assignments, Access control lists, I/O memory, Running configuration, Processor memory, Flow data and related statistics Persistent Operating system image, Boot loader, Startup configuration files, Access logs, DHCP logs Off System Routers tend to include very little, if any, writable persistent storage on board Most enterprise class devices can be configured to automatically export data to external systems for storage through syslog, FTP, TFTP, SNMP, and other 57 P.Pale: Computer forensics 19
are essentially routers Capable of inspecting and filtering traffic to a much higher degree then routers Early firewalls were most often built and configured by local system administrators using general operating system tools and commercial or open source firewall software packages However, general purpose hardware introduced significant latency, and as a result inspection capabilities were limited Furthermore, system administrators were not always well versed in operating system hardening procedures 58 Firewall logs tend to include extensive information about connection attempts, whether or not these were successful, and if so, how much data was transferred from source to destination Firewall logs may also include extensive details regarding protocols and applications in use, or even packet contents Firewall configuration can reveal whether hth services or data dt were exposed to the world, or to systems of interest It can also inform an investigator as to the type of evidence that logs may or may not include An investigator may need to modify firewall configuration in order to collect more evidence, or to gain access to systems of interest during the course of an investigation NOTE: The firewall itself may be compromised 59 Packet Filters route packets and can allow or deny traffic based on source and destination addresses (at Layer 3) and Layer 4 protocol header information such as TCP ports and flags Session Layer firewall a device between the source and destination that intercepts connections in order to make stateful decisions whether the firewall will establish or continue a connection on behalf of the endpoints Application firewall take this concept even further by inspecting traffic all the way up to Layer 7 The protocols inspected and reconstructed vary depending on the manufacturer, model, and purpose of the device 60 P.Pale: Computer forensics 20
Evidence acquisition Protocol analysis Packet analysis Flow analysis Network Logs Network devices Network intrusion detection/prevention systems Common network attacks Web browser forensics 61 specialized sniffers with the added capability of evaluating captured traffic to determine whether it is malicious or legitimate After rebranding Most IDS systems have become IPS systems Intrusion Prevention Systems Over the years, IDS/IPS product space has developed two separate niches: NIDS/NIPS monitor network traffic and alert on suspicious network events HIDS/HIPS monitor system events and alert on suspicious system activities 62 Are often a very good starting point in an investigation They detect potentially adverse events via network monitoring Chances are they have logged the incident that is investigated Unfortunately They can t always reconstruct a sequence of events and explain them to us at least not easily Useful because: Logs contain details regarding illicit connections (or even attempts) that are not recorded anywhere else Can be configured to alert and log traffic that firewalls deem perfectly acceptable An investigator could potentially modify a NIDS/NIPS configuration to begin detecting events it wasn t previously configured to record NIDS/NIPS are well positioned as inspection points for network traffic 63 P.Pale: Computer forensics 21
Rules Descriptions of how to compare a packet or stream containing known malicious traffic Alerts Lists of suspicious packets/streams Packet captures Certain NIDS/NIPS can be configured to capture suspicious packets and save them for later analysis not always configured to do this by default Other features: Higher Layer Protocol Awareness for example: Signature Based Analysis explain Behavioral analysis explain 64 Types of Evidence Configuration Alert data Packet header and/or flow record information Packet payloads Activities correlated across multiple sensors NIDS/NIPS are specifically designed to sift through large amounts of network traffic and pick out specific events of interest particularly those that relate to security Useful as a starting point! 65 Commercial Check Point IPS 1 Cisco IPS Corero Network Security Enterasys IPS HPTippingPoint IPS IBM Security NIPS Sourcefire 3D System Open source Snort Bro Network Security Monitor 66 P.Pale: Computer forensics 22