Transcript Document
Network Forensics Tools for Cybercrime Investigation Lead-off Presentation by Glen Myers, IP Fabrics May 12, 2009 Cybercrime Crimes (depending on locality of course) where the network (“Internet”) is the vehicle Targets can be Individuals Enterprises • Companies • Service providers / carriers • Government Network or part thereof Crimes include Illegal access Illegal interception Interference Fraud ID theft Theft of intellectual property Harassment Obscene/offensive content Crimes against children ... IPFabrics Cybercrime Forensics vs Lawful Intercept For lawful intercept, you have a target (e.g., suspect) • Court order to intercept the tel number 1-503-444-2499 • Court order to intercept the signaling information for sip:[email protected] • Court order to intercept the email of [email protected] For cybercrime, that’s the biggest challenge You discover “something’s going on” • You may or may not identify the potential victim(s) • You usually have no idea of the source • If you do eventually discover the source, you may find you have no legal jurisdiction • IPFabrics Email as a Vehicle to date: Jan 29, 2008 8:37 AM subject: Tax Refund - Online Form hide details 8:37 AM (25 minutes ago) Reply http://www.fbi.gov ANTI FRAUD & MONITARY CRIME DIVISION Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more Code: FBI/111 Tel: 1-646-778-3497 Private Email: [email protected] Link omitted ATTENTION: BENEFICIARY After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $375.20. Please submit the tax refund request and allow us 3-9 days in order to process it. We the Federal Bureau Of Investigation (FBI) United States Of America have discovered through our intelligent monitoring network that you have a transaction going on as ... A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. text omitted YOURS FAITHFULLY, To access the form for your tax refund, please click here F.B.I DIRECTOR ROBERT S. MUELLER III. Note: For security reasons, we will record your ip-address, the date and time. Deliberate wrong inputs are criminally pursued and indicated. The United States Department of Justice Order 556-73 establishes rules and regulations for the subject of an FBI Identification Record to obtain a copy of his or her own Record for review. The FBI’s Criminal Justice Information Services (CJIS) Division processes these requests to chek illegal activities in U.S.A. Regards, Internal Revenue Service Copyright 2008, Internal Revenue Service U.S.A. All rights reserved. FOR CORPORATE AFFAIRS FEDERAL BUREAU OF INVESTIGATION (FBI) UNITED STATES OF AMERICA IPFabrics Network Capabilities Needed Great flexibility • • Real-time “onion peeling” capability • • Different pieces of the puzzle may go down different paths Evidentiary capabilities • Need to redirect your device from A to B to C to D to E ... E.g., by discovering some suspect content in an email, we then watch for traffic to a specific email address or IP addresses connecting to a particular URL. Ability to tap concurrently into multiple network segments • May need to look at a lot of things – SMTP email, webmail, web page interactions, P2P traffic, instant messaging, virus signatures, VoIP, chat rooms, file sharing, ... Need to filter out a lot of “noise” (ads, IPTV, YouTube, ...) Assurances on the data that will stand up in court Be completely invisible on the network Operate at network bandwidths Need to go a step beyond DPI ... IPFabrics Basic DPI isn’t Good Enough Typical IP packet traversing a network IP header TCP header Payload Typical DPI view Can’t rely on standard TCP port numbers • Can’t assume a “conversation” uses a fixed set of ports • E.g., the encoding of an email address is very different among Hotmail, Yahoo, Gmail, Mail.com, ... Gotta understand what is clutter and ignore it in order to keep up with line rate • All of the mail webmail services compress, including the addressing info Data is encoded in HTML, Javascript,... in application-specific manner • Risk of missing a signature that spans packets Most interesting data is gzip compressed • E.g., Yahoo Mail cycles through a wide range of client ports during one session TCP payloads often span multiple IP packets • Some apps have none, some can jump if a specific port is blocked, some can also jump to HTTP E.g., in webmail interactions, 90% of the TCP connections and 99% of the packets are clutter What is better is “deep application-protocol inspection” • Knowledge in the device of syntax and semantics for specific applications IPFabrics Example Tools DeepProbe-10 4 10GbE inputs 6 1GbE inputs DeepProbe-1 4 1GbE inputs Provided with software “surveillance modules” for specific applications Reconstructs the desired application information Maps different applications of like form (e.g., webmail, instant messengers) into single canonical form Generally provisioned from elsewhere over a networked API, but also has browser interface (e.g., for unpeeling the onion) IPFabrics Example Filters Give me all the email to/from [email protected] Give me any mail attachments sent by [email protected] Let me know if [email protected] ever sends a message with the URL www.darkmarket.com in it. Get me any IM message from [email protected] containing “how old r u” Get any Yahoo mail containing the phrase “U-238 enrichment” Give me just the to/from info on every yahoo.com email Give me all IM messages from [email protected]. Give me all the email downloaded by POP3 user glen_roberts Give me the to/from info from all calls associated with sip:[email protected] Give me all the presence information reported to Yahoo Messenger user glen_roberts Give me the output stream of chat room Hacker’s Lounge:1 Give me the voice traffic of [email protected] Give me all of the port 80 traffic from this specific cable modem address Watch all SMTP traffic for the appearance of this list of 1623 credit-card numbers and give me any mail that has one IPFabrics