
Network Forensics Tools for Cybercrime Investigation
Lead-off Presentation by Glen Myers, IP Fabrics
May 12, 2009
Cybercrime
Crimes (depending on locality, of course) where the network (the “Internet”) is the vehicle
Targets can be:
• Individuals
• Enterprises
  • Companies
  • Service providers / carriers
  • Government
• Network or part thereof
Crimes include:
• Illegal access
• Illegal interception
• Interference
• Fraud
• ID theft
• Theft of intellectual property
• Harassment
• Obscene/offensive content
• Crimes against children
• ...
IPFabrics
Cybercrime Forensics vs Lawful Intercept
For lawful intercept, you have a target (e.g., a suspect):
• Court order to intercept the tel number 1-503-444-2499
• Court order to intercept the signaling information for sip:[email protected]
• Court order to intercept the email of [email protected]
For cybercrime, that’s the biggest challenge:
• You discover “something’s going on”
• You may or may not identify the potential victim(s)
• You usually have no idea of the source
• If you do eventually discover the source, you may find you have no legal jurisdiction
Email as a Vehicle
Sample phishing email as displayed in webmail (the presenter’s redactions are marked “omitted”):
to:
date: Jan 29, 2008 8:37 AM
subject: Tax Refund - Online Form
[Webmail warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.]
http://www.fbi.gov
ANTI FRAUD & MONITARY CRIME DIVISION
Code: FBI/111
Tel: 1-646-778-3497
Private Email: [email protected]
Link omitted
ATTENTION: BENEFICIARY
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $375.20. Please submit the tax refund request and allow us 3-9 days in order to process it.
We the Federal Bureau Of Investigation (FBI) United States Of America have discovered through our intelligent monitoring network that you have a transaction going on as ...
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.
text omitted
To access the form for your tax refund, please click here
YOURS FAITHFULLY,
F.B.I DIRECTOR ROBERT S. MUELLER III.
Note: For security reasons, we will record your ip-address, the date and time. Deliberate wrong inputs are criminally pursued and indicated.
The United States Department of Justice Order 556-73 establishes rules and regulations for the subject of an FBI Identification Record to obtain a copy of his or her own Record for review. The FBI’s Criminal Justice Information Services (CJIS) Division processes these requests to chek illegal activities in U.S.A.
Regards,
Internal Revenue Service
Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.
FOR CORPORATE AFFAIRS
FEDERAL BUREAU OF INVESTIGATION (FBI)
UNITED STATES OF AMERICA
Network Capabilities Needed
• Great flexibility
  • May need to look at a lot of things – SMTP email, webmail, web page interactions, P2P traffic, instant messaging, virus signatures, VoIP, chat rooms, file sharing, ...
  • Need to filter out a lot of “noise” (ads, IPTV, YouTube, ...)
• Real-time “onion peeling” capability
  • Need to redirect your device from A to B to C to D to E ...
  • E.g., by discovering some suspect content in an email, we then watch for traffic to a specific email address or IP addresses connecting to a particular URL.
• Ability to tap concurrently into multiple network segments
  • Different pieces of the puzzle may go down different paths
• Evidentiary capabilities
  • Assurances on the data that will stand up in court
• Be completely invisible on the network
• Operate at network bandwidths
• Need to go a step beyond DPI ...
Basic DPI isn’t Good Enough
[Diagram: a typical IP packet traversing a network, shown as IP header | TCP header | Payload, beside the typical DPI view of it]
• Can’t rely on standard TCP port numbers
  • Some apps have none, some can jump if a specific port is blocked, some can also jump to HTTP
• Can’t assume a “conversation” uses a fixed set of ports
  • E.g., Yahoo Mail cycles through a wide range of client ports during one session
• Gotta understand what is clutter and ignore it in order to keep up with line rate
  • E.g., in webmail interactions, 90% of the TCP connections and 99% of the packets are clutter
• Data is encoded in HTML, Javascript, ... in an application-specific manner
  • E.g., the encoding of an email address is very different among Hotmail, Yahoo, Gmail, Mail.com, ...
• Most interesting data is gzip compressed
  • All of the webmail services compress, including the addressing info
• TCP payloads often span multiple IP packets
  • Risk of missing a signature that spans packets
What is better is “deep application-protocol inspection”
• Knowledge in the device of syntax and semantics for specific applications
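The two points about signatures that span packets and gzip-compressed webmail bodies, as an added Python example that is not from the presentation or from the IP Fabrics products: a per-segment check misses the phrase “U-238 enrichment” (one of the deck’s later filter examples), while ordering the TCP segments by sequence number, discarding retransmitted bytes and gunzipping the body finds it. The message, sequence numbers and segment split are all constructed here; the reassembler is a minimal one (no sequence-number wraparound, one direction only).

```python
import gzip
import re

# Constructed sample (not a real capture): the body of a webmail HTTP response
# containing a phrase that one of the deck's example filters watches for.
MESSAGE = (
    b"<div class=msg>Subject: re: schedule<br>"
    b"The U-238 enrichment figures are attached.</div>"
)
SIGNATURE = re.compile(rb"U-238 enrichment")
ISN = 1000  # assumed initial TCP sequence number for the constructed segments


def build_segments(compress):
    """Split the body into two TCP segments (seq, payload) delivered out of
    order, with the first one also retransmitted. With compress=True the body
    is gzip-compressed first, as the webmail services on the slide do."""
    body = gzip.compress(MESSAGE) if compress else MESSAGE
    # Plaintext is cut in the middle of the signature so it straddles segments.
    cut = len(body) // 2 if compress else body.find(b"U-238") + 5
    first, second = (ISN, body[:cut]), (ISN + cut, body[cut:])
    return [second, first, first]


def per_packet_match(segments):
    """Basic DPI: inspect each segment payload on its own."""
    return any(SIGNATURE.search(payload) for _, payload in segments)


def reassemble(segments):
    """Order segments by sequence number, drop retransmitted bytes, and fail
    loudly on a gap rather than silently matching across a hole."""
    stream, expected = b"", None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        expected = seq if expected is None else expected
        if seq < expected:                 # overlap from a retransmission
            payload, seq = payload[expected - seq:], expected
        if seq > expected:
            raise ValueError(f"missing segment starting at seq {expected}")
        stream += payload
        expected += len(payload)
    return stream


def stream_match(segments):
    """Deep application-protocol inspection: reassemble, gunzip if the stream
    starts with the gzip magic bytes, then match on the decoded content."""
    stream = reassemble(segments)
    if stream[:2] == b"\x1f\x8b":
        stream = gzip.decompress(stream)
    return SIGNATURE.search(stream) is not None
```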
Example Tools
DeepProbe-10
• 4 10GbE inputs
• 6 1GbE inputs
DeepProbe-1
• 4 1GbE inputs
• Provided with software “surveillance modules” for specific applications
• Reconstructs the desired application information
• Maps different applications of like form (e.g., webmail, instant messengers) into a single canonical form
• Generally provisioned from elsewhere over a networked API, but also has a browser interface (e.g., for unpeeling the onion)
Example Filters
• Give me all the email to/from [email protected]
• Give me any mail attachments sent by [email protected]
• Let me know if [email protected] ever sends a message with the URL www.darkmarket.com in it.
• Get me any IM message from [email protected] containing “how old r u”
• Get any Yahoo mail containing the phrase “U-238 enrichment”
• Give me just the to/from info on every yahoo.com email
• Give me all IM messages from [email protected].
• Give me all the email downloaded by POP3 user glen_roberts
• Give me the to/from info from all calls associated with sip:[email protected]
• Give me all the presence information reported to Yahoo Messenger user glen_roberts
• Give me the output stream of chat room Hacker’s Lounge:1
• Give me the voice traffic of [email protected]
• Give me all of the port 80 traffic from this specific cable modem address
• Watch all SMTP traffic for the appearance of this list of 1623 credit-card numbers and give me any mail that has one