Stage 2 group briefing
Download
Report
Transcript Stage 2 group briefing
FTP Research
Convert investigation of ftp
servers and other file to file
platforms
The Projection
Having had some
time to conduct test’s
and research in this
area. It became clear
that there is three
main segments to the
project.
How ever these
segments also hold
sub-segments
ftp covert
investigation
Detection
Surveillance
Incursion
Detection
Port scanner
Service’s detection
Server profiling
(this is currently one of the main areas of the
research)
Service authentication
The use of the packet headers to detect the true
service type
Surveillance
Traffic monitoring remotely
A type of IDS Signature detection of a remote
source[1]
Pattern detection of previous illicitly
installed FTP servers
Open proxy gateway traffic logs (hosted by
the system)
Proxy gateway
The system uses a set of proxies to
distribute the port scanning
These could be configured to act as
transporting FTP proxy gateways
This would allow passwords and user
names to be gathered along with other
such data like FTP IP address’s and any
other information that the system might
need
Incursion
After the target system has been identified
as a positive the time for incursion into the
server/servers for further evidence
gathering.
This should attempt to leave as little foot
print as possible, in order not to change
anything on the target system.
Incursion Events
Entry
Do this and stay looking like a standard user
Mapping
Fully map the file structure
Evidence gathering
Gather as much information about the content
while still looking like a standard user and not
altering the evidence or influencing it.
Typical system layout
WEB
Target system
Control
system
proxies
1.
2.
3.
4.
The CS (control system) starts the port scan and services detection this is
done via the proxy network
The CS uses the information gathered to profile the system this profile can
be used to select if the target need further investigation
The CS then set up part of the proxy network to monitor traffic if this traffic
is determined as a positive (using the signature matching)
The remaining part of the proxy network would go to work on the intrusion
So where am I
At current I am some where between the first two sections (detection and
surveillance)
I currently have a port scanner that identifies ports and the services running
(need to finish looking at making a profiling plug in )
My Resreach at the moment is looking at remote traffic monitoring on a
different network to the program. I’m looking at few things to help with this
they are IDS and hacking methodologies. I will also be approaching Brian
and graham to see what work they have done in this area. I have been
looking at the work done by others in this area such as : K Thompson, GJ Miller, R Wilder [2]
M Polychronakis, EP Markatos, KG Anagnostakis [3]
B Pande[4]
Looking at proxy gateways as a way to monitor traffic and detect possible
targets for investigation
Looking for an external for my transfer to PHD from MPhil
Writing up my transfer paper
Writing papers
Papers and Posters
Ecce paper
Transferring crime fighting methods to the internet
Static remote server profiling. outline done)
What is wire taping and what is not, when it
comes to internet investigation?
Remote traffic analysis for internet forensics, is it
possible?
Who is learning from who?, what can we learn
from the internet criminal networks such as
hackers and virus programmers.
References
1. JE Dickerson, JA Dickerson - Fuzzy
Information Processing Society, 2000.
NAFIPS. 19th , 2000 - ieeexplore.ieee.org
2. K Thompson, GJ Miller, R Wilder - IEEE
Network Magazine, 1997 netlab.cs.tsinghua.edu.cn
3. M Polychronakis, EP Markatos, KG
Anagnostakis - Network Operations and
Management Symposium, 2004. NOMS 2004,
2004 - ieeexplore.ieee.org
4. B Pande - 2002 - cse.iitk.ac.in