ForensicAndNetworks

COEN 252 Computer Forensics
Challenges of Network Forensics

Evidence in a network is dispersed.
- Scope of investigation is fluid.
- No isolated crime scene.
- Hard to collect all evidence.
- Equally hard to destroy all evidence.
Challenges of Network Forensics:
Preparation and Authorization

- System administrators routinely gather network data.
- But usually, more data is needed.
- Basic problem: where to find all the relevant data.
Challenges of Network Forensics:
Preparation and Authorization

Step 1: Investigation of the network.
- Determine the location of servers, …
- Determine their type.
- Plan for the processing of the data.
Often, evidence needs to be gathered simultaneously at various sites.
- This should not disrupt operations.
- Network scanning is aggressive and can lead to automatic response.
Challenges of Network Forensics:
Preparation and Authorization

Step 2: Seek authorization.
- Depends on:
  - Situation
  - Country
  - Type of data
  - Who is collecting data.
- Sometimes, law enforcement needs to demonstrate that they exhausted all other means.
- A warrant for all sites involved is advisable.
Challenges of Network Forensics:
Preparation and Authorization

Using passwords obtained during an investigation usually requires additional authorization.
The FBI successfully prosecuted two Russian computer intruders, Aleksey Ivanov and Gorshkov, for breaking into e-commerce sites. The FBI lured the two with a fictitious job interview, then captured the passwords on their systems. The FBI used these passwords to gain access to their computers at home, which yielded a wealth of evidence on the men’s computer hacking and fraud.
Challenges of Network Forensics:
Preparation and Authorization
Russia’s counterintelligence service filed criminal
charges against an FBI agent because the agent
illegally seized evidence against them by
downloading data from their computers in
Chelyabinsk, Russia.
But U.S. District Judge John C. Coughenour of
Seattle ruled that Gorshkov and Ivanov gave up
any expectation of privacy by using computers in
what they believed were the offices of a public
company.
Challenges of Network Forensics:
Preparation and Authorization
“When (the) defendant sat down at the networked
computer … he knew that the systems administrator
could and likely would monitor his activities,”
Coughenour wrote. “Indeed, the undercover agents told
(Gorshkov) that they wanted to watch in order to see
what he was capable of doing.”
He also found that the Fourth Amendment did not
apply to the computers, “because they are the property
of a non-resident and located outside the United
States,” or to the data — at least until it was
transmitted to the United States.
Challenges of Network Forensics:
Preparation and Authorization
The judge noted that investigators obtained a search warrant before
viewing the vast store of data — nearly 250 gigabytes, according to
court records. He rejected the argument that the warrant should
have been obtained before the data was downloaded, noting that
“the agents had good reason to fear that if they did not copy the
data, (the) defendant’s co-conspirators would destroy the evidence
or make it unavailable.”
Finally, Coughenour rejected defense arguments that the FBI’s
actions “were unreasonable and illegal because they failed to comply
with Russian law,” saying that Russian law does not apply to the
agents’ actions.
Challenges of Network Forensics:
Preparation and Authorization

Warrants can be too broad:
- Evidence collected under such a warrant might be admissible.
Warrants can be too specific:
- Do not allow investigators to find all the relevant data.
Challenges of Network Forensics:
Preparation and Authorization

Warrants requesting email are harder to obtain.
Rather ask for records associated with the subscriber account:
- Screen name
- Phone number
- Address
- Credit card numbers
- Connection records (including IP addresses, logon dates, phone numbers)
- …
Some services (eBay) can provide data to law enforcement because the user agreement allows for that.
Challenges of Network Forensics:
Preparation and Authorization

Investigators need not be present when
data at an internet provider is collected.
In October of 2000, police officers in Minnesota began investigating Dale
Robert Bach for potential child pornography crimes. As part of the
investigation, an officer obtained a search warrant to be served upon Yahoo, an
internet service provider (ISP) in California. Minnesota requires that an officer
be present at the service of a search warrant. Rather than adhering to the
requirements provided by Minnesota law, the officer investigating Mr. Bach
served the search warrant to Yahoo by fax. Upon receiving the fax, Yahoo
employees retrieved all data from Mr. Bach's account, including deleted email
messages. Yahoo then mailed the disk to Minnesota, where the data became
evidence in Bach's federal criminal prosecution.
Challenges of Network Forensics:
Preparation and Authorization
At trial, Bach moved to have the evidence suppressed, citing both violations
of the Minnesota statute, as well as violations of a federal statute. The district
court held that the evidence should be suppressed as the search was illegal
under both federal and state laws. The government appealed to the circuit
court.
On October 10, 2002, the Eighth Circuit held oral arguments in United States v.
Bach, the first Circuit case examining how the Fourth Amendment protects stored
e-mail and other files held by Internet Service Providers (ISPs). The district
court suppressed the evidence, stating that the law enforcement practice of faxing
search warrants for the contents of e-mails to ISPs violated the Constitution
because the Fourth Amendment required the government to be physically present to
execute the warrant. The government appealed to the circuit court. At oral
argument, the government's attorney urged the court to resolve the question on
narrow reasonableness grounds, without addressing the broader issue of whether an
Internet user has an expectation of privacy in remotely stored files held by an ISP.
Challenges of Network Forensics:
Preparation and Authorization
The Eighth Circuit ruled that service of a warrant on an ISP by fax complies
with the "reasonableness" requirements of the Fourth Amendment. The court
resolved the case on the narrow ground that the government's actions were
"reasonable," without deciding the broader issue of whether an Internet user
has a Fourth Amendment expectation of privacy in their e-mail. In January
2003, the Circuit judges narrowly rejected the defendant's petition for
reconsideration, voting 5 to 4 against the motion.
Challenges of Network Forensics:
Identification

Locate the systems that contain the most useful evidence.
- Seek end-points and intermediate systems (switches, routers, proxies).
- Look for log files that give an overview of system activities.
- Look for supporting systems such as authentication servers and caller-ID systems.
Challenges of Network Forensics:
Identification

Example:
- Investigator examines the compromised machine and determines the source and method of attack.
- Investigator locates other systems that are compromised and observes traffic on the compromised systems.
- This determines the source of the attack.
Challenges of Network Forensics:
Identification

Example:
- Investigator contacts the ISP to preserve related evidence.
- Intruder has stolen a dial-up account.
- But the ISP has Automatic Number Identification.
- This gives the phone number used to dial into the ISP modems.
Challenges of Network Forensics:
Identification

Example:
- The phone number leads to the intruder’s home.
- A search warrant is obtained and the intruder is caught red-handed.
Challenges of Network Forensics:
Identification

Much network evidence is time-critical.
- Logs are expunged.
- Caches in highly active devices such as routers are volatile.
- This creates a need for instant analysis.
Gathering evidence is usually the higher priority.
- A plan becomes important.
Challenges of Network Forensics:
Identification

Mistakes because of haste are common.
- A subpoena to AOL for 3:13 pm instead of 3:13 am resulted in the wrong subscriber information for the IP address.
- Mistakes in the IP address also lead to wrong subscriber information.
- Intruders try to mislead investigators by hiding their tracks.
- Corroborating evidence is essential.
Challenges of Network Forensics:
Identification

Given the haste, the difficulties, and the wide variety of evidence, we need a methodical approach.
Digital Evidence Map:
- Lays out the evidentiary resources of a network.
Challenges of Network Forensics:
Identification

Digital Evidence Map
[Figure: network diagram of the evidentiary resources: routers (router logs), firewalls (firewall logs), an Intrusion Detection System (IDS logs and evidence processing), a UNIX server, dial-up rotaries and a Kerberos server.]
Challenges of Network Forensics:
Documentation, Collection, Preservation

A byte-for-byte copy of network computers is often impossible.
- Systems cannot be shut down.
- Too much data to collect.
- Limited authority to access data.
- Impossible to gain physical access.
- Likely that evidence is altered before physical access is gained.
Challenges of Network Forensics:
Documentation, Collection, Preservation

Real-time evidence gathering
- From resources like HyperTerminal or script.
- IRC chat sessions
  - The equivalent of video-taping the session might be required.
- Monitoring of network traffic.
  - Intrusion Detection Systems (IDS) do not log everything.
Challenges of Network Forensics:
Documentation, Collection, Preservation

Real-time gathering
Preserving evidence and establishing a chain of custody is a challenge.
Example: log files can be preserved
- with a time and date stamp,
- with documentation of file location and metadata,
- copied to disk, MD5ed, printed out, …
Challenges of Network Forensics:
Documentation, Collection, Preservation
Case Example:
In a homicide case, investigators collected all the log entries of network
activity of the victim, but not the entire file. It was later determined that the
offender might have logged in at the same time in order to chat and to arrange a
meeting an hour later. By the time this was realized, the tapes with the log file
had already been reused and all other log entries were lost. It was now impossible
to determine who else was logged on at the same time as the victim.
Challenges of Network Forensics:
Documentation, Collection, Preservation

Maintain a detailed record of the entire
collection process to authenticate the
evidence at a later time.
Challenges of Network Forensics:
Documentation, Collection, Preservation
Case Example:
An intruder was caught breaking into a computer system on an
organization’s network via the internet. Before disconnecting the system
from the network, investigators gathered evidence that showed clearly
that a crime was being committed. To achieve the equivalent of a
videotape of the crime, they used a sniffer to monitor network traffic.
They logged onto the compromised system using a client that kept a log
of the session, then gathered evidence of the intruder’s presence on the
system and the programs the intruder was running. They found other
compromised systems and connected to them through a backdoor
created by the intruder. Because there was a risk that the intruder
might destroy evidence, they collected evidence remotely. Recall that
they used a program that monitored their keystrokes and thus
documented the investigation.
Challenges of Network Forensics:
Documentation, Collection, Preservation

Standard Procedure
- Follow a standard operating procedure to reduce mistakes and increase consistency.
- Retain a log of all activities during the collection process (including screenshots).
- Document from which server the data actually comes.
- Calculate MD5 values of evidence prior to transferring it.
- Possibly digitally sign and encrypt the data.
- Possibly use write-once media to collect evidence.
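An added Python example, not from the course, of the custody record the standard procedure above calls for (and the "time and date stamp, location and metadata, MD5" list on the earlier Real Time Gathering slide): it records the source server, path, size and modification time, hashes the file with MD5 as the slides say plus SHA-256, appends the record to an activity log and re-verifies it later. The host name and the sample log content are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path):
    """MD5 (what the slides call for) plus SHA-256, computed in one pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def preserve_log(path, source_host, collector):
    """Build the custody record for one collected file before it is transferred."""
    st = os.stat(path)
    md5, sha = hash_file(path)
    return {
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "source_host": source_host,  # the server the data actually came from
        "path": os.path.abspath(path),
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec="seconds"),
        "md5": md5, "sha256": sha,
    }

def append_record(record, custody_log):
    """Append the record as one JSON line to the running activity log."""
    with open(custody_log, "a", encoding="utf-8") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")

def verify_record(record):
    """Recompute the hashes later and check the file still matches its record."""
    md5, sha = hash_file(record["path"])
    return md5 == record["md5"] and sha == record["sha256"]

def make_sample(content=b"Mar 14 03:13:02 fw deny tcp 203.0.113.7:4421 -> 192.0.2.10:23\n"):
    """Write constructed sample log content to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path

if __name__ == "__main__":
    rec = preserve_log(make_sample(), "fw1.example.net (hypothetical)", "investigator A")
    append_record(rec, rec["path"] + ".custody.jsonl")
    print(json.dumps(rec, indent=2), "verified:", verify_record(rec))
```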
Challenges of Network Forensics:
Filtering

Forensic analysis of a network incident typically involves too much data.
Some collected data is privileged or confidential.
- For example, if all traffic through a router is collected during an incident.
Challenges of Network Forensics:
Filtering

Filter before collecting data?
- Can lose evidence.
- Better to filter after the data is collected.
Challenges of Network Forensics:
Filtering

Filtering for log files:
- Usually part of the command interface.
- Ntlast extracts from the NT Event log.
- Collect the log from a Cisco router in a file, then use a filtering tool.
- Sniffers (commercial, non-commercial) have filters. Capture all, then filter the results.
Challenges of Network Forensics:
Filtering

Emails
- Filter for portions of headers.
- Filter for IP addresses.
Challenges of Network Forensics:
Evidence Recovery

Sometimes, we can recover deleted log files.
- At least portions of them.
Challenges of Network Forensics:
Reconstruction of the Event

Investigative Reconstruction
- Systematic process of piecing together evidence and information gathered during an investigation to gain a better understanding of what transpired.
- Use physical imprints to infer offense-related behavior.
Challenges of Network Forensics:
Reconstruction of the Event

Some intruders use toolkits, which are left behind after an intrusion.
- Individualization of the toolkit allows conclusions about the intruder.
- Absence of a toolkit might indicate:
  - Successful removal of the toolkit.
  - Intruder skilful enough to not need a toolkit.
  - Perhaps the intruder had legitimate access.
  - …
Challenges of Network Forensics:
Reconstruction of the Event

Investigative reconstruction
- Develops leads.
- Locates additional evidence.
- Develops an understanding of case facts and their relations.
- Locates concealed evidence.
- Develops suspects with motive, means, opportunity.
- Establishes evidence for insider knowledge.
- Prioritizes investigations.
- Anticipates intruder actions.
- Links related crimes with the same behavioral impact.
- Gives insight into offender fantasy, motives, intents, state of mind.
- Guides suspect interviews.
- Presents the case in court.
Challenges of Network Forensics:
Reconstruction of the Event

Evidence used to reconstruct a crime is relational.
- Example: Intruder obtained unauthorized access to a computer behind a firewall and then broke into the accounting system.
  - Intruder needed to know a password.
  - That fact can be used to locate potential sources of evidence: router error logs, intrusion detection logs, …
- Example: Cyberstalking.
  - How did the offender obtain information about the victim?
Challenges of Network Forensics:
Reconstruction of the Event

Evidence used to reconstruct a crime is functional.
- What conditions were necessary for certain aspects of the incident to be possible?
- E.g.: Defense attorney questions how you know that the suspect could create his floppy with his computer.
Evidence used to reconstruct a crime is temporal.
- Creates a chronological list of events: a timeline.
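An added Python example, not part of the lecture, for the timeline just described; it also serves the "capture all, then filter" advice on the Filtering slides and the 3:13 am/pm subpoena mistake under Identification. Constructed firewall, IDS and syslog records on three different clocks are normalized to 24-hour UTC, merged into one timeline and filtered after collection; the PST offset for the site's clocks and the year 2003 for the year-less syslog lines are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed offset for the site's clocks on the constructed date (PST, no DST); stated assumption.
PST = timezone(timedelta(hours=-8), "PST")

# Constructed sample records, not from any real case. Each source uses a different clock.
FIREWALL = [  # 12-hour local time as exported from a firewall GUI
    "03/14/2003 03:13:02 AM deny tcp 203.0.113.7:4421 -> 192.0.2.10:23",
    "03/14/2003 03:13:40 PM permit tcp 198.51.100.2:1025 -> 192.0.2.10:80",
]
IDS = ["2003-03-14T11:12:58Z ALERT telnet brute force src=203.0.113.7"]  # ISO-8601, UTC
AUTH = ["Mar 14 03:14:05 gw sshd[212]: Accepted password for admin from 203.0.113.7"]  # syslog

# (source name, records, strptime format, clock the source uses, regex splitting timestamp/message)
SOURCES = [
    ("firewall", FIREWALL, "%m/%d/%Y %I:%M:%S %p", PST, re.compile(r"^(\S+ \S+ [AP]M) (.*)$")),
    ("ids", IDS, "%Y-%m-%dT%H:%M:%SZ", timezone.utc, re.compile(r"^(\S+) (.*)$")),
    ("auth", AUTH, "%b %d %H:%M:%S", PST, re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (.*)$")),
]

def parse_event(source, line, fmt, clock, rx, year=2003):
    """Normalize one record to UTC; syslog has no year, so it is taken from the case."""
    stamp, msg = rx.match(line).groups()
    t = datetime.strptime(stamp, fmt)
    if t.year == 1900:
        t = t.replace(year=year)
    return {"utc": t.replace(tzinfo=clock).astimezone(timezone.utc), "source": source, "msg": msg}

def build_timeline(sources=SOURCES):
    """Merge every source into one chronological list; the raw captures stay untouched."""
    events = [parse_event(n, l, f, c, r) for n, recs, f, c, r in sources for l in recs]
    return sorted(events, key=lambda e: e["utc"])

def filter_events(events, ip=None, start=None, end=None):
    """Filter after collection. The IP match is exact: 203.0.113.7 must not match 203.0.113.70."""
    rx = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") if ip else None
    return [e for e in events
            if (rx is None or rx.search(e["msg"]))
            and (start is None or e["utc"] >= start)
            and (end is None or e["utc"] <= end)]

def fmt(e):
    """24-hour UTC with an explicit zone: no am/pm or time-zone ambiguity in a subpoena."""
    return f"{e['utc']:%Y-%m-%d %H:%M:%S} UTC [{e['source']}] {e['msg']}"

if __name__ == "__main__":
    for e in filter_events(build_timeline(), ip="203.0.113.7"):
        print(fmt(e))
```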
Challenges of Network Forensics:
Reconstruction of the Event

Examples
Relational evidence:
- Which computer generates most of the network traffic during an incident?
- Intruders might communicate in real time via IRC while breaking into computers around the world.