Network Forensics - nd.eduhfergus2/p/networks.pdf · Digital Forensics Investigation Stages: 1)...


Page 1:

Network Forensics

Holly Ferguson

Page 2:

Discussion Points:

1. Frame of Reference

2. Functionality of the Field

3. Details per 4 Categories

4. News – Proceed for own Reference

5. Attacker Techniques

Page 3:

Network Forensics

Digital Forensics

- Database Forensics

- Mobile Device Forensics

- Computer Forensics

- Audio & Video Forensics

- Network Forensics
  - Ethernet
  - TCP/IP
  - Internet
  - Wireless Forensics

Network forensics is categorized as a single branch of digital forensics; it covers monitoring and analyzing computer network traffic, and allows individuals to gather information, compile evidence, and/or detect intrusions.

Page 4:

Digital Forensics

Investigation Stages:

1) acquisition/imaging of exhibits (write-blocking device),

*) examination (National Institute of Standards and Technology),

2) analysis (systematic search for differences), and

3) reporting (documented findings and conclusions)

Timeline:

- 1970s: Rise of Personal Use

- 1978: Florida Computer Crimes Act

- 1980/90s: Evolving Need for the Field & Multiple Instances; Fraud and Abuse Legislation, “sysadmin”; SHA-1 & MD5

- 2000+: Evolving as Field with Policies

Page 5:

Recall types of Network Forensics

Unique because it is volatile; unique because it is rarely logged.

Reactionary Field of Work, with 2 general uses:

1) Security

• Monitoring for intrusions

• Network evidence may be the only type if a drive was wiped clean

2) Law Enforcement

• Reassembling transferred files

• Finding keywords

• Searching for keywords

• Parsing messages

• Examining packet filters

• Examining firewalls

• Examining existing systems

Page 6:

Data Collection Methods

"Catch-it-as-you-can"

• All packets are captured

• Large storage needed

• Analysis in batch mode

• Usually @ packet level

• For later analysis

Page 7:

Data Collection Methods

"Stop, look and listen"

• Requires a faster processor for incoming traffic

• Each packet is analyzed in memory

• Certain ones are stored

• Usually @ packet level

• Real-time filtering


Page 8:

Ethernet | TCP/IP | Internet | Wireless Forensics

Methods are achieved by eavesdropping on bit streams (at the Ethernet layer).

• Uses monitoring tools or sniffers

• Wireshark (formerly known as Ethereal)

• Protocols can then be consulted, such as the Address Resolution Protocol (ARP)

• Capture happens at the Network Interface Card (NIC), but eavesdropping can be averted with encryption

Page 9:

Ethernet | TCP/IP | Internet | Wireless Forensics

Methods are achieved by investigating router information (at the Network layer).

• Each router keeps routing tables used to pass along packets

• These are some of the best information sources for data tracking

• Follow compromised packets, reverse the route, and identify the source

• The Network layer also provides authentication log evidence

Page 10:

Ethernet | TCP/IP | Internet | Wireless Forensics

Methods are achieved by identifying server logs (on the Internet).

• Includes web browsing, email, chat, and other types of traffic & communication

• Server logs collect information

• Email accounts hold useful information, except when email headers are faked

• User account information associated with a particular user

Page 11:

Ethernet | TCP/IP | Internet | Wireless Forensics

Methods are achieved by collecting & analyzing wireless traffic (Wireless Networks).

• A sub-discipline of the field

• Aims to obtain what is considered “valid digital evidence”

• This can be normal data OR voice communications via VoIP

• Analysis is similar to wired network situations, but with different security issues

Page 12:

• Almost non-stop security compromises exist involving transmitted credit card numbers, personal accounts, proprietary information, passwords, and other valuable data.

• One example involving Facebook (2011): previously only the login was encrypted; Facebook then wanted to encrypt all communications to its servers with HTTPS instead of SSL, since otherwise the traffic can be sniffed at any free WiFi hotspot in a public place.

Criminal Techniques:

• Encryption

• Hiding Data within Codes

• Hiding with Steganography

• Hiding with Embedding

• Hiding with Obscurity

• Hiding with No Names on Files

• Text to Image Types

• Compression

• Changing behavior of System Commands

• Changing behavior of Operating Systems

• Hiding Data via other means…


Page 14:

Steganography

[Figure: cover image + hidden image; right = extracted image, obtained by:]

1) Removing all but the two least significant bits of each color component

2) Applying a subsequent normalization

[Figure: Encryption Key + Original Data -> Encrypted Message]

Page 15:

Embedding (w/ multiple images)

Using y = 2x + 2: “Here, if the value of x = 1 then y will be 4, indicating that the first byte of secret data will be stored in the first byte place of the second pixel, i.e. (8-bit Red position). Similarly, x = 2 will give y = 6, so the second secret byte of data will be stored in the last byte of the second pixel (i.e. 8-bit Blue position), and so on. Hence, by a suitable choice of a and b, all bytes of the secret data can be mapped entirely into the container image.” [1]
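An added worked example (not from the slides or the cited paper) that carries the quoted y = ax + b mapping through in Python; it assumes the container is a 24-bit RGB image flattened to a 1-indexed byte stream in R, G, B order, which is what "first byte of the second pixel = Red" implies, and it includes the capacity check an analyst would use to decide whether a given (a, b) can hold a payload at all.

```python
# Added example, not code from the slides or the cited paper.
# Assumption: the container is a 24-bit RGB image flattened to a 1-indexed
# byte stream in R, G, B order, so byte 4 is the Red component of pixel 2.

CHANNELS = ("Red", "Green", "Blue")


def container_position(x, a=2, b=2):
    """Map secret byte number x (1-indexed) to (byte index, pixel, channel)."""
    y = a * x + b                      # byte index into the flattened RGB stream
    pixel = (y - 1) // 3 + 1           # 1-indexed pixel number
    channel = CHANNELS[(y - 1) % 3]    # R, G or B within that pixel
    return y, pixel, channel


def capacity_ok(secret_len, n_pixels, a=2, b=2):
    """Every secret byte must land inside the cover: a*secret_len + b <= 3*n_pixels."""
    return a * secret_len + b <= 3 * n_pixels


def embed(cover, secret, a=2, b=2):
    """Store secret byte x in cover byte y = a*x + b (whole-byte replacement, as quoted)."""
    if not capacity_ok(len(secret), len(cover) // 3, a, b):
        raise ValueError("secret does not fit in the container image")
    out = bytearray(cover)
    for x, s in enumerate(secret, start=1):
        out[a * x + b - 1] = s         # -1 converts the 1-indexed y to a list offset
    return bytes(out)


def extract(stego, length, a=2, b=2):
    """Read the secret back by visiting the same positions in the same order."""
    return bytes(stego[a * x + b - 1] for x in range(1, length + 1))


# Constructed 10-pixel cover (30 bytes); the values themselves are arbitrary.
COVER = bytes(range(30))
```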

Page 16:

Compression

Two Types of Compression for Hiding Files

1) Lossless compression: hiding files where the original information needs to remain intact and can be reconstructed exactly (GIF and BMP).

2) Lossy compression: hiding files where the integrity of the original image is not maintained (JPGs, which have a very good compression rate and save more space).
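An added Python example (not the slides' own material) that implements the two-least-significant-bit hiding and the two reveal steps described on the steganography slide, and then shows why the lossless/lossy distinction above matters for a hidden payload: a lossless round trip keeps it, while a quantising stand-in for lossy compression erases it. Images are constructed inline as lists of (R, G, B) tuples; the quantisation step is an assumption standing in for JPEG-style loss, not a real codec.

```python
# Added example, not from the slides. Images are lists of (R, G, B) tuples.

def hide(cover, secret):
    """Replace the 2 LSBs of every cover component with the 2 MSBs of the secret's."""
    return [tuple((cv & 0xFC) | (sv >> 6) for cv, sv in zip(c, s))
            for c, s in zip(cover, secret)]


def reveal(image):
    """Step 1: keep only the two least significant bits of each colour component.
    Step 2: normalise the 0..3 value back to the 0..255 range (multiply by 85)."""
    return [tuple((v & 0x03) * 85 for v in px) for px in image]


def lossless_roundtrip(image):
    """Lossless formats (GIF, BMP) give back every component unchanged."""
    return list(image)


def lossy_roundtrip(image, step=8):
    """Assumed stand-in for lossy compression: quantise each component to a
    multiple of `step`, which discards exactly the low bits the payload lives in."""
    return [tuple((v // step) * step for v in px) for px in image]


# Constructed 2x2 images: a mid-grey cover and a secret with a bright/dark pattern.
COVER = [(120, 130, 140), (121, 131, 141), (122, 132, 142), (123, 133, 143)]
SECRET = [(255, 0, 0), (0, 255, 0), (0, 0, 255), (255, 255, 255)]


def demo():
    stego = hide(COVER, SECRET)
    # Each component moves by at most 3, so the cover looks untouched to the eye.
    max_delta = max(abs(a - b) for c, s in zip(COVER, stego) for a, b in zip(c, s))
    survives = reveal(lossless_roundtrip(stego))   # identical to SECRET
    destroyed = reveal(lossy_roundtrip(stego))     # all black: payload gone
    return stego, max_delta, survives, destroyed
```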

Page 17:

Sources Consulted and Referenced:

1. http://www.e-evidence.info/thiefs_page.html

2. http://www.netresec.com/?page=Blog&month=2011-01&post=Facebook-SSL-and-Network-Forensics

3. http://en.wikipedia.org/wiki/Network_forensics

4. Image citation: http://e-fense.com/index.php

5. https://www.blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_network_forensics.html

6. http://www.garykessler.net/library/fsc_stego.html

7. [1] http://paper.ijcsns.org/07_book/200801/20080132.pdf

8. http://courses.ece.ubc.ca/592/PDFfiles/Data_Compression.pdf

9. http://ansoncse.hubpages.com/hub/Effective-Secret-Hiding-Steganography

Questions?