Network Forensics Primer
Look sharp, troops. It's time to learn network forensics.
Richard Bejtlich
[email protected]
www.taosecurity.com / taosecurity.blogspot.com
Copyright 2005 Richard Bejtlich
Overview
• Introduction
• What is Network Forensics?
• Collecting Network Traffic as Evidence
• Protecting and Preserving Network-Based Evidence
• Analyzing Network-Based Evidence
• Presenting and Defending Conclusions
• Conclusion
Overview
• Introduction
  – Speaker biography
  – Purpose of course
  – Why network forensics
  – Course outline
What better way to relate to a law enforcement audience than to turn to the finest crime fighter of the 80s -- TJ Hooker?
Introduction
• Bejtlich ("bate-lik") biography
  – TaoSecurity LLC (05-present)
    • ManTech (04-05)
    • Foundstone (02-04)
    • Ball Aerospace (01-02)
    • Captain at US Air Force CERT (98-01)
    • Lt at Air Intelligence Agency (96-98)
  – Author
    • Tao of Network Security Monitoring: Beyond Intrusion Detection (solo, Addison-Wesley, Jul 04)
    • Extrusion Detection: Security Monitoring for Internal Intrusions (solo, Addison-Wesley, Dec 05 - Jan 06)
    • Real Digital Forensics (co-author, Addison-Wesley, Sep 05)
    • Contributed to Incident Response, 2nd Ed and Hacking Exposed, 4th Ed
Introduction
• Purpose of course
  – Introduce ways to collect, protect, analyze, and present network-based evidence
  – Host-based forensics is not addressed
    • For more coverage of host-based forensics, I recommend Incident Response, 2nd Ed by Mandia, Prosise, and Pepe
  – Share experiences conducting real network forensics
  – Encourage attendees to plan to perform network forensics prior to an incident, not during an incident
  – This course is an introduction to material I present for an entire day elsewhere
    • Network Security Operations (www.taosecurity.com/training.html)
    • Network Forensics at USENIX LISA (www.usenix.org/events/lisa05)
  • Items in blue are not expanded upon in this hour-long talk
Introduction
• Why network-based evidence?
  – Host-centric forensics is an established discipline, but many investigators ignore or do not understand network traffic
  – Network-based evidence can be found everywhere
  – Network-based evidence can be easy to collect -- without anyone's notice
• Network forensics should always be performed!
I'm sold. Let's talk network forensics!
Rookies...
Introduction
[Diagram: The Security Process. Phases: Plan, Protect, Detect, Respond. Labelled elements: Traffic Threat Assessment, Preparation for Incident Response, Defensible Network Architecture, Pervasive Network Awareness, Network Security Monitoring, Network Incident Response, Network Forensics]
Overview
• What is Network Forensics?
  – Definitions
  – Evidence guidelines
  – Daubert
  – Kumho
You can't carry enough weaponry when performing network forensics. Phasers on stun.
To Serve and to Protect Packets
What is Network Forensics?
• The "network" in "network forensics" != "computer"
  – Network here means "relating to packets" or "network traffic"
• Definition of forensics (dictionary.com)
  – Relating to, used in, or appropriate for courts of law or for public discussion or argumentation.
  – Of, relating to, or used in debate or argument; rhetorical.
  – Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law: a forensic laboratory.
• Many claim to perform network forensics, but most of these practitioners are probably just capturing packets
  – These guidelines will elevate your game to forensic levels
• Forensics helps with "patch and proceed" or "pursue and prosecute"
What is Network Forensics?
• Evidence Guidelines: three broad sources
  – Federal Rules of Evidence
  – Daubert v. Merrell Dow Pharmaceuticals, Inc., 113 S. Ct. 2786 (1993)
  – Kumho Tire Company, Ltd v. Patrick Carmichael 119 S.Ct. 1167 (March 23, 1999)
Let it go, Bill.
Good grief Spock, what happened to your ears?
What is Network Forensics?
• Daubert criteria
  – “[W]hether it [a scientific theory or technique] can be (and has been) tested”
  – “[W]hether the theory or technique has been subjected to peer review and publication”
  – “[C]onsider the known or potential rate of error... and the existence and maintenance of standards controlling the technique's operation”
  – “The technique is ‘generally accepted’ as reliable in the relevant scientific community”
• The better your network forensic methodology meets these criteria, the more success you will have in the board room or court room
What is Network Forensics?
• Kumho findings
  – Required the Court “to decide how Daubert applies to the testimony of engineers and other experts who are not scientists.”
  – “Daubert's general holding -- setting forth the trial judge's general ‘gatekeeping’ obligation -- applies not only to testimony based on ‘scientific’ knowledge, but also to testimony based on ‘technical’ and ‘other specialized’ knowledge.”
  – “[A] trial court may consider one or more of the more specific factors that Daubert mentioned when doing so will help determine that testimony's reliability.”
  – Introduced a level of “flexibility” and discretion into the process of accepting expert witness testimony.
  – “Daubert's list of specific factors neither necessarily nor exclusively applies to all experts or in every case. Rather, the law grants a district court the same broad latitude when it decides how to determine reliability as it enjoys in respect to its ultimate reliability determination.”
Collecting Network Traffic as Evidence
• Secure the sensor
• Limit access to the sensor
• Position the sensor properly
• Verify the sensor collects traffic as expected
• Determine sensor failure modes
• Recognize and compensate for collection weaknesses
• Use trusted tools and techniques
• Document and automate the collection process
Nice bandana and "workout gloves", Adrian.
Collecting Network Traffic as Evidence
• Position the sensor properly
• Consider perimeter monitoring scenario at right
  – Perimeter is easiest place to monitor
  – However, sensor as shown may not be able to see all the traffic an analyst needs to understand the scope of an intrusion
• Alternative deployments shown on following slides
Collecting Network Traffic as Evidence
• At left we monitor perimeter (via tap) and DMZ (via switch SPAN)
• At right we add a filtering bridge/sensor to watch and/or control a high value target
Collecting Network Traffic as Evidence
• Don't forget to accommodate address translation issues
• Here we add a second interface behind the gateway
Collecting Network Traffic as Evidence
• This network shows a variety of instrumentation options
Collecting Network Traffic as Evidence
• My preferred platform for serious monitoring at a reasonable cost is configured as follows
  – Appliance: Dell PowerEdge 750 1U rackmount server
  – 512 MB RAM
  – Intel PIV 2.8 GHz CPU
  – 2X250 GB SATA drives in RAID 0 configuration
  – Dual onboard NICs plus extra dual NICs
  – Approximately $2,000 without discounts
  – OS: FreeBSD 5.4 RELEASE (sample dmesg output at http://www.nycbug.org/?NAV=dmesgd&dmesgd_criteria=&dmesgid=647#647)
  – Network access: Net Optics tap (http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=4&Section=products&menuitem=1)
Collecting Network Traffic as Evidence
• Consider using Network Security Monitoring principles to
guide your data collection strategies
– Alert data (Snort, other IDSs)
• Traditional IDS alerts or judgments (“RPC call!”)
• Context-sensitive, either by signature or anomaly
– Full content data (Tcpdump)
• All packet details, including application layer
• Expensive to save, but always most granular analysis
– Session data (Argus, SANCP, NetFlow)
• Summaries of conversations between systems
• Content-neutral, compact; encryption no problem
– Statistical data (Capinfos, Tcpdstat)
• Descriptive, high-level view of aggregated events
• Sguil (www.sguil.net) is an interface to much of this in a single open source suite
Collecting Network Traffic as Evidence
• Collect network traffic using NSM principles
Collecting Network Traffic as Evidence
• Verify the sensor collects traffic as expected
Protecting and Preserving Network-Based Evidence
• Hash traces after collection and store hashes elsewhere
• Understand forms of evidence
• Copy evidence to read-only media when possible
• Create derivative evidence
• Follow chains of evidence
Beam me up, Scotty. Bill's lost it.
Protecting and Preserving Network-Based Evidence
• Understand forms of evidence
• Best evidence: original form of network-based evidence available to the investigator
  – If the NBE is given to the investigator as an attachment in an email, that email and its attachment is the investigator’s best evidence.
  – It is much preferred from a forensic standpoint to obtain the original file containing traffic as it was written to a hard drive.
• Best evidence should, to the extent practically possible, never be analyzed directly.
  – Rather, investigators should make working copies of the best evidence, and analyze those duplications.
  – Network traffic saved on a sensor is the best evidence available.
  – Copies of that traffic transferred to a central location become working copies.
Protecting and Preserving Network-Based Evidence
• Create derivative evidence
  1. Ensure you have a SHA256 hash of the original file stored in a safe location.
  2. After verifying the hashes match, use the desired Tcpdump filter to extract packets of interest to a new file and directory.
     elise@bourque$ tcpdump -n -r 2005-06-01-14\:23\:41.bourque.taosecurity.com.ngeth0.lpc -w /home/analyst/2005-06-01-14\:23\:41.bourque.taosecurity.com.ngeth0.lpc.excerpt port 80
     reading from file 2005-06-01-14:23:41.bourque.taosecurity.com.ngeth0.lpc, link-type EN10MB (Ethernet)
  3. Hash the resulting file locally and remotely.
  4. Copy the remote file to the local workstation.
  5. Make multiple copies of the new local evidence file, and analyze them at will.
  6. Document these steps on both platforms.
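The NSM data types from the collection section (full content, session, statistical) and the derivative-evidence procedure above, as one added example that is not from the slides and not Bejtlich's tooling: a standard-library Python script that reads a classic libpcap file, folds its packets into Argus-style session records, produces capinfos-style totals, and then carries out steps 1 to 3 and 6 of the procedure in code (refuse to work on best evidence whose SHA256 does not match the stored hash, extract port 80 into a new capture, hash the excerpt, and return a custody record). The capture, hosts and timestamps are constructed here and are assumptions; the tcpdump command on the slide is not used.

```python
"""Full-content capture -> session data, statistical data, derivative excerpt.
Added example, standard library only; hosts and traffic are constructed."""
import hashlib
import struct

# ---- constructed sample capture (hypothetical addresses) ----
def _frame(src, dst, sport, dport, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed MACs and checksums (not verified here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _pcap(frames, t0=1117635821):  # t0: epoch for 2005-06-01 14:23:41 UTC (slide file name)
    """Classic little-endian libpcap file, link type 1 (Ethernet), one second per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _frame("192.168.1.10", "10.0.0.5", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
    _frame("10.0.0.5", "192.168.1.10", 80, 40001, b"HTTP/1.0 200 OK\r\n\r\n"),
    _frame("192.168.1.10", "10.0.0.5", 40001, 80),
    _frame("192.168.1.11", "10.0.0.5", 40002, 22, b"SSH-2.0-x\r\n"),
    _frame("192.168.1.12", "10.0.0.9", 53001, 443),
])

# ---- full content: walk the capture record by record ----
def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame); refuses anything but classic little-endian pcap."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec, usec, data[off:off + incl]
        off += incl

def parse_frame(frame):
    """(proto, src, dst, sport, dport) for IPv4 TCP/UDP over Ethernet, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return proto, src, dst, sport, dport

# ---- session data: one record per conversation, both directions folded ----
def session_data(data):
    sessions = {}
    for sec, _usec, frame in read_pcap(data):
        p = parse_frame(frame)
        if p is None:
            continue
        proto, src, dst, sport, dport = p
        key = (proto, src, sport, dst, dport)
        if (proto, dst, dport, src, sport) in sessions:   # reply direction of a known flow
            key = (proto, dst, dport, src, sport)
        rec = sessions.setdefault(key, {"pkts": 0, "bytes": 0, "first": sec, "last": sec})
        rec["pkts"] += 1
        rec["bytes"] += len(frame)
        rec["last"] = sec
    return sessions

# ---- statistical data: capinfos-style totals ----
def statistical_data(data):
    recs = list(read_pcap(data))
    return {"packets": len(recs),
            "bytes": sum(len(f) for _, _, f in recs),
            "duration": (recs[-1][0] - recs[0][0]) if recs else 0}

# ---- derivative evidence: verify, filter, hash, document ----
def sha256(data):
    return hashlib.sha256(data).hexdigest()

def derive_excerpt(original, stored_hash, port):
    """Stop if the best evidence no longer matches its stored hash; otherwise write
    packets to or from `port` into a new capture and return it with a custody record."""
    if sha256(original) != stored_hash:
        raise ValueError("hash of original does not match stored hash; stop and report")
    kept = [(s, u, f) for s, u, f in read_pcap(original)
            if (p := parse_frame(f)) is not None and port in (p[3], p[4])]
    excerpt = original[:24]          # reuse the original's global header
    for s, u, f in kept:
        excerpt += struct.pack("<IIII", s, u, len(f), len(f)) + f
    record = {"filter": f"port {port}", "original_sha256": stored_hash,
              "excerpt_sha256": sha256(excerpt),
              "packets_in": statistical_data(original)["packets"], "packets_out": len(kept)}
    return excerpt, record
```

Call `derive_excerpt(SAMPLE_PCAP, sha256(SAMPLE_PCAP), 80)` to get the excerpt bytes and the record to file with the case notes; `session_data` and `statistical_data` accept the excerpt as well as the original, which is how you confirm the working copy still says what the best evidence says.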
Analyzing Network-Based Evidence
• Validate results with more than one system
• Beware of malicious traffic
• Document not just what you find, but how you found it
• Follow a methodology
You know the ladies used to call me "Jim Kirk." You wouldn't happen to be a green alien...?
Analyzing Network-Based Evidence
• Validate results with more than one system
  – Use different tools. Example: Tcpdump, Snort, Ethereal
  – Use different operating systems. Example: Unix (BSD, Linux, Solaris), Windows
  – Use different architectures. Example: x86, SPARC
  – Use different libraries. Example: Libpcap, Data Link Provider Interface (DLPI on Solaris, http://docs.sun.com/app/docs/doc/8160222/6m6nmlstj?q=dlpi&a=view)
I'm quite an expert with the police baton, aka the "tonfa" to you martial arts types.
Analyzing Network-Based Evidence
• Follow a methodology
  1. Make a new directory on the analysis platform to contain data provided by the client or collected by yourself.
  2. Copy the evidence provided by the client into the analysis directory.
  3. Change the permissions of the copy to ensure the analyst user cannot accidentally modify the file.
  4. Hash the file and copy the hash elsewhere.
  5. Use the Capinfos program packaged with Ethereal to gain initial statistics on the capture file.
  6. Run Dave Dittrich’s Tcpdstat to obtain basic statistics on the trace.
  7. Extract sessions from the trace using Argus.
  8. Gain some high-level idea of the contents of the Argus file with Racount.
Analyzing Network-Based Evidence
• Follow a methodology (continued)
  9. Use the Rahosts program to create an ordered list of all of the IP addresses seen in the Argus data.
  10. (optional) Confirm the number of Argus records.
  11. (optional) Enumerate source IP, dest IP, dest port combos.
  12. Perform traffic threat assessment.
  13. (optional) Process trace with Snort to find obviously malicious events, or build custom signatures.
When hitting suspects, it's important to keep your eyes closed! Tonfa-chop!
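Steps 9 to 12 of the methodology, as an added example rather than anything from the slides or from the Argus suite: a Python script that takes session records of the shape Argus summarizes (constructed here, along with the addresses) and does what the Rahosts, Racount and enumeration steps do, then performs a simple traffic threat assessment by checking every source/destination/port combination against a written expectation of which services each server should offer. The expectation table, the "internal" prefixes and the verdict names are this example's own assumptions; the slides do not define how the assessment is scored.

```python
"""Session records -> ordered host list, record counts, combos, threat assessment.
Added example; the records, policy table and verdict categories are constructed."""
import ipaddress
from collections import Counter

# Constructed session records: (proto, src, sport, dst, dport, pkts, bytes)
RECORDS = [
    ("tcp", "192.168.1.10", 40001, "10.0.0.5", 80, 12, 4210),
    ("tcp", "192.168.1.11", 40002, "10.0.0.5", 80, 9, 3100),
    ("tcp", "192.168.1.10", 40003, "10.0.0.5", 22, 3, 450),
    ("udp", "192.168.1.12", 53001, "10.0.0.2", 53, 2, 180),
    ("tcp", "203.0.113.7", 3344, "10.0.0.5", 3389, 40, 17000),
    ("tcp", "10.0.0.5", 48000, "198.51.100.20", 6667, 200, 91000),
]

def rahosts(records):
    """Every IP seen, ordered numerically (a plain string sort would misplace 10.0.0.5 after 1.x)."""
    hosts = {r[1] for r in records} | {r[3] for r in records}
    return sorted(hosts, key=ipaddress.ip_address)

def racount(records):
    """Record count plus packet and byte totals, the sanity figures to write down first."""
    return {"records": len(records),
            "pkts": sum(r[5] for r in records),
            "bytes": sum(r[6] for r in records)}

def combos(records):
    """Source IP / destination IP / destination port combinations and how often each occurs."""
    return Counter((r[1], r[3], r[4]) for r in records)

# Hypothetical expectation for the monitored segment: server -> services it should offer.
EXPECTED_SERVICES = {"10.0.0.5": {80, 443}, "10.0.0.2": {53}}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def threat_assessment(records, expected=EXPECTED_SERVICES):
    """Classify each combo: 'expected' (server offers that port), 'unexpected service'
    (server reached on a port it should not offer), 'outbound from server' (a server
    initiating a connection to an external host), else 'unclassified'. Non-expected
    combos are listed first so the analyst reads the interesting rows at the top."""
    findings = []
    for (src, dst, dport), n in combos(records).items():
        if dst in expected and dport in expected[dst]:
            verdict = "expected"
        elif dst in expected:
            verdict = "unexpected service"
        elif src in expected and not is_internal(dst):
            verdict = "outbound from server"
        else:
            verdict = "unclassified"
        findings.append({"src": src, "dst": dst, "dport": dport, "count": n, "verdict": verdict})
    return sorted(findings, key=lambda f: f["verdict"] == "expected")

if __name__ == "__main__":
    print(racount(RECORDS), rahosts(RECORDS))
    for f in threat_assessment(RECORDS):
        print(f"{f['verdict']:22} {f['src']:>15} -> {f['dst']}:{f['dport']} x{f['count']}")
```

The point of the expectation table is that the assessment is reproducible: another analyst given the same records and the same table gets the same verdicts, which is what the Daubert discussion earlier asks of a method.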
Presenting and Defending Conclusions
• Forget the OSI model
• Obtain relevant certifications
• Consider how you would attack the evidence
Up front, Officer Locklear. We'll take cover behind that mane of yours.
Presenting and Defending Conclusions
• Forget the OSI Model
Presenting and Defending Conclusions
• Forget the OSI model
  – TCP/IP is like the postal service. It gets messages across the globe or country.
  – TCP packets are like messages sent via certified mail.
  – UDP packets are like normal, best-effort mail delivery. Nothing is guaranteed but drops are not that common.
  – An IP address is like the street address on an envelope.
  – A hostname is like a well-known name for a specific location. If an IP address is like 1600 Pennsylvania Avenue, Washington DC, a hostname is like “The White House.”
  – A TCP or UDP port is like the name of a person. Multiple people can reside at any address. Names help sort out the recipient of the letter.
Presenting and Defending Conclusions
• Obtain relevant certifications
  – Certified Information Systems Security Professional: CISSP is the must-have certification for security professionals; while its technical merits are lacking, I find its Code of Ethics valuable.
  – Certified Information Forensics Investigator: CIFI is a vendor-neutral forensics certification sponsored by the International Information Systems Forensics Association; will help demonstrate your knowledge of core forensic investigation principles.
  – Cisco Certified Network Associate: CCNA is Cisco’s entry-level networking certification; shows a basic level of comprehension of networking and device configuration.
Conclusion
• This presentation introduced key points on network forensics
• For more information, attend my next day-long class and/or read my books
• Contact me at [email protected]
Never shoot from the gut when doing network forensics. Warp speed, Mr. Sulu!
References
• Tools
  – Snort: www.snort.org
  – Tcpdump: www.tcpdump.org
  – Ethereal, Tethereal, Capinfos: www.ethereal.org
  – Argus: www.qosient.com/argus
  – SANCP: www.metre.net/sancp.html
  – Tcpdstat: staff.washington.edu/dittrich/talks/core02/tools/tools.html
  – NetFlow format: www.cisco.com/go/netflow
• Certifications
  – CISSP: www.isc2.org
  – CISSP code of ethics: www.isc2.org/cgi/content.cgi?category=12
  – CIFI: www.iisfa.org
  – CCNA: www.cisco.com/go/ccna