Transcript ch12

Guide to Computer
Forensics and
Investigations,
Second Edition
Chapter 12
Network Forensics
Objectives
• Understand Internet fundamentals
• Understand network basics
• Acquire data on a Linux computer
Guide to Computer Forensics and Investigations, 2e
2
Objectives (continued)
• Understand network forensics
• Understand the use of network tools
• Understand the goals of the Honeynet Project
Understanding Internet Fundamentals
• Internet = Collection of networks
• Internet protocols for message exchange
– E-mail
• Internet Service Provider (ISP)
– Internet entry point
– Username and password
• Common software
– Web browsers and e-mail clients
Internet Protocols
• Standards and rules
• Every computer must observe a protocol
• TCP/IP default Internet protocol
– TCP connection-oriented
– UDP connectionless
• Addressing (IPv4)
– 32-bit long divided into four groups of 8 bits
– Binary representation
Internet Protocols (continued)
• Addressing (continued)
– Dotted quad (205.55.29.170)
– Several classes (A, B, C, D and E)
• Domain Name Service
– Translates IP addresses to named addresses or vice versa
Understanding Network Basics
• Hardening networks
– Applying latest patches
– Layered network defense strategies
• Protocols
– TCP/IP
– IPX/SPX
• Network Address Translation
– Translates IP addresses
Understanding Network Basics (continued)
• DHCP
– Dynamically assigns IP addresses to hosts
• Attacks
– Internal
– External
– Early and mid-1990s
• 70% internal/30% external
Acquiring Data on Linux Computers
• dd command
– Disk-to-disk file
– Disk-to-image file
– Block-to-block copy
– Block-to-file copy
– Ext2fs, Ext3fs, NTFS, FAT, HFS, HPFS
• Gzip command to compress image files
Acquiring Data on Linux Computers (continued)
• Linux boot disks
– Knoppix
– MandrakeMove
– Fedora Rescue
– Gentoo Live
– F.I.R.E.
– Penguin Sleuth Kit
– Tom’s Root Boot Kit
Acquiring Data on Linux Computers (continued)
• Steps for using dd
– Boot PC in Linux
– Create disk mounting points
– Mount all disks needed
– Create copies
• For multiple volumes
– Determine number of bytes per volume
– Calculate number of segments you need to create
Acquiring Data on Linux Computers (continued)
• Linux dd script file
– Input source
– Output source
– Block size
– Number of blocks to save
• Hash check original media
– Linux md5sum command
– Linux sha1sum command
Acquiring Data on Linux Computers (continued)
• Image creation script example:
• Image restore script example:
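The dd steps above (input source, output, block size, block count, segment calculation for multiple volumes, and the md5sum hash check) pulled together as an added shell example; this is not the book's script. It assumes POSIX sh with dd, md5sum, cut, cat and wc, and that the source is a regular file (for a block device, take the size from blockdev --getsize64 instead of wc).

```shell
#!/bin/sh
# Added example, not the book's script: image a source with dd in fixed-size
# segments (the "multiple volumes" case), then hash-check the copy against the
# original with md5sum. Assumes POSIX sh plus dd, md5sum, cut, cat and wc, and
# that SRC is a regular file (for a block device use blockdev --getsize64).

# Segments needed to hold TOTAL bytes in volumes of VOL bytes (ceiling division).
segments_needed() {
    total=$1; vol=$2
    echo $(( (total + vol - 1) / vol ))
}

# Copy SRC into OUTDIR/image.000, image.001, ... of VOL bytes each, using dd with
# block size BS (VOL must be a multiple of BS). Prints the number of segments.
image_segmented() {
    src=$1; outdir=$2; vol=$3; bs=$4
    total=$(wc -c < "$src")
    n=$(segments_needed "$total" "$vol")
    count=$((vol / bs))                     # input blocks per segment
    i=0
    while [ "$i" -lt "$n" ]; do
        seg=$(printf '%s/image.%03d' "$outdir" "$i")
        # skip= is counted in input blocks of size BS, so offset = i * count blocks
        dd if="$src" of="$seg" bs="$bs" count="$count" skip=$((i * count)) 2>/dev/null
        i=$((i + 1))
    done
    echo "$n"
}

# Hash check: md5 of the original versus md5 of the reassembled segments.
# Succeeds (exit 0) only when the two digests match.
verify_image() {
    src=$1; outdir=$2
    orig=$(md5sum < "$src" | cut -d' ' -f1)
    copy=$(cat "$outdir"/image.* | md5sum | cut -d' ' -f1)
    [ "$orig" = "$copy" ]
}
```

Source the file and call image_segmented followed by verify_image; a non-zero exit from verify_image means the segments do not reassemble to the original.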
Understanding Network Forensics
• Systematic tracking of incoming and outgoing traffic
– Need to know normal traffic behavior
• Intruders leave trace behind
– Experienced intruders are harder to trace
• Determine the cause of the abnormal traffic
– Internal bug
– Attackers
Approach to Network Forensics
• Long, tedious process
• Standard procedure
– Use image for machines on network
– Close any way in after an attack
– Acquire all compromised drives
– Make a bit-stream image of the drives
– Compare images to original images
– Optionally, store images on a server
Approach to Network Forensics (continued)
• Computer forensics
– Work from the image to find what has changed
• Network forensics
– Restore drives to understand attack
• Work on an isolated system
– Prevents malware from affecting other systems
Network Logs
• Record incoming and outgoing traffic
– Network servers
– Routers
– Firewalls
• Tcpdump tool for examining network traffic
– Top 10 lists
– Pattern
• Attacks might include other companies
– Distributed Denial of Service (DDoS)
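The "top 10 lists" and pattern spotting that the slide attributes to tcpdump, as an added shell example that is not part of the book: it reduces tcpdump text output to the busiest source addresses and destination ports and flags any source that dominates the capture. The capture lines are constructed for the example, and the script assumes POSIX sh with awk, sort, uniq and head.

```shell
#!/bin/sh
# Added example (not from the book): build "top 10" lists from tcpdump output,
# the first pass an analyst makes when looking for abnormal traffic in network logs.
# Assumes POSIX sh with awk/sort/uniq/head and tcpdump's default text format
# ("HH:MM:SS.usec IP src.port > dst.port: ..."), read from stdin.

# Constructed sample capture (not real traffic). One host, 10.0.0.5, is
# hammering port 22 on 192.168.1.10: the pattern a top-10 list makes visible.
SAMPLE='12:00:01.000001 IP 10.0.0.5.51234 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 10.0.0.5.51235 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000400 IP 10.0.0.5.51236 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000600 IP 10.0.0.5.51237 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP 10.0.0.7.40001 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
12:00:02.000100 IP 10.0.0.7.40002 > 192.168.1.20.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000000 IP 10.0.0.9.40003 > 192.168.1.20.443: Flags [S], seq 1, win 64240, length 0'

# Ten most active source addresses: "count address" per line, busiest first.
# The trailing ".port" is stripped from the src field; IPv6 ("IP6") lines are skipped.
top_sources() {
    awk '$2 == "IP" { src = $3; sub(/\.[0-9]+$/, "", src); print src }' \
        | sort | uniq -c | sort -rn | head -10 | awk '{ print $1, $2 }'
}

# Ten most targeted destination ports: "count port" per line, busiest first.
top_dst_ports() {
    awk '$2 == "IP" { dst = $5; sub(/:$/, "", dst); n = split(dst, a, "."); print a[n] }' \
        | sort | uniq -c | sort -rn | head -10 | awk '{ print $1, $2 }'
}

# Flag any single source responsible for more than PCT percent of all packets;
# prints "address percent" per offender (no output when nothing stands out).
dominant_sources() {
    pct=${1:-50}
    awk -v pct="$pct" '$2 == "IP" { src = $3; sub(/\.[0-9]+$/, "", src); c[src]++; total++ }
        END { for (s in c) if (c[s] * 100 > total * pct) print s, int(c[s] * 100 / total) }'
}
```

Feed a real capture with `tcpdump -n -r capture.pcap | top_sources`; the functions read whatever is on stdin.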
Using Network Tools
• PsTools suite
– RegMon shows Registry data in real time
– Process Explorer shows what is loaded
– Handle shows open files and processes using them
– PsExec runs processes remotely
– PsGetSid displays the SID
– PsKill kills process by name or ID
Using Network Tools (continued)
• PsTools suite (continued)
– PsList lists details about a process
– PsLoggedOn shows who’s logged on locally
– PsPasswd changes account passwords
– PsService controls and views services
– PsShutdown shuts down and restarts PCs
– PsSuspend suspends processes
UNIX/Linux Tools
• Knoppix-STD tools
– Dcfldd, the U.S. DoD dd version
– Memfetch forces a memory dump
– Photorec grabs files from a digital camera
– Snort intrusion detection system
– Oinkmaster helps manage your Snort rules
– John the Ripper
– Chntpw resets passwords on a Windows PC
UNIX/Linux Tools (continued)
• Knoppix-STD tools (continued)
– Tcpdump is a packet sniffer
– Ethereal is another packet sniffer
• Packet sniffer
– Devices or software that monitor network traffic
– Most work at layer 2 or 3 of the OSI model
UNIX/Linux Tools (continued)
• The Auditor
– Based on Knoppix
– Contains more than 300 tools
• 20 for scanning
• 10 for network scanning
• Brute-force attack
• Bluetooth and wireless
• Autopsy and Sleuth Kit
• Word lists with more than 64 million entries
Network Sniffers
• Operate at layers 2 or 3 of the OSI model
• Most tools follow the PCAP format
• Tools:
– Tcpdump
– Tethereal
– Snort
– Tcpslice
– Tcpreplay
Network Sniffers (continued)
• Tools (continued):
– Tcpdstat
– Ngrep
– Etherape
– Netdude
– Argus
– Ethereal
– The Auditor
The Honeynet Project
• Attempt to thwart Internet and network hackers
– Provides information about attack methods
• Honeypots
– Normal-looking computer that lures attackers to it
• Honeywalls
– Monitor outbound connections
– Snort-inline intrusion prevention systems
The Honeynet Project (continued)
• Its legality has been questioned
– Cannot be used in court
– Can be used to learn about attacks
• Scan of the month
– Monthly challenge contest
– Good as a learning experience
Summary
• Network forensics tracks down internal and external network intrusions
• Most networks today use TCP/IP
• Networks must be hardened by using good architecture
• Each NOS has its own way of handling security, and you must become familiar with how yours operates
Summary (continued)
• Tools such as PsTools, Knoppix-STD, and others can be used to monitor what’s happening on your network
• The Honeynet Project is designed to help people learn the latest intrusion techniques that hackers are using