Forensics Assignment 12
System Forensics, Investigation, and Response
Lesson 12
Performing Network Analysis
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Learning Objective
Explain how to perform a network analysis.
Key Concepts
Network packet analysis basics
Traffic analysis
Router forensics
Firewall forensics
Network Packets: Structure
Information that is sent across a network is divided into chunks called packets. Packets exist at Layer 3 of the OSI model and are typically formatted according to the Internet Protocol, though you will come across many other protocols, each with its own format. A packet has two parts:
The header, which contains the addressing information (source and destination) and any special handling instructions
The payload, which contains the content being carried
7/3/2017
Packet Header
• The Ethernet header contains the source and destination MAC addresses.
• The IP header contains the source IP address, the destination IP address, and the protocol number of the protocol carried in the IP packet’s payload (6 for TCP, 17 for UDP). These are critical pieces of information.
• The TCP header contains the source port, destination port, a sequence number, an acknowledgment number, and several other fields. The sequence number is very important to network traffic: it counts the bytes in the stream, so the receiver can put segments back in order and notice when one is missing. The TCP header also has flag bits (SYN, ACK, FIN, RST, and others) that are used to establish and terminate communications between the two communicating parties.
• Certain types of traffic will have a User Datagram Protocol (UDP) header instead of a TCP header. A UDP header still has a source and destination port number and a length, but it has no sequence number and no flag bits, so there is no handshake, no ordering, and no retransmission.
Figure: frame layout. Ethernet header (source MAC, destination MAC), IP header (IP addresses, protocol number), TCP header (ports, sequence number), data.
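As an added example (not part of the original slides), the following Python decodes the three headers just described from a constructed Ethernet frame. The two sample frames, the MAC and IP addresses in them, and the function names are made up for the example; the field offsets are those of Ethernet II, IPv4, TCP and UDP, which is what a packet analyzer walks through for every frame it shows you.

```python
import struct

# Constructed sample frames (not real captures): Ethernet II + IPv4, one carrying
# a TCP SYN to port 80 and one carrying a 4-byte UDP datagram to port 53.
SAMPLE_TCP = bytes.fromhex(
    "00155d010203"      # destination MAC
    "00155d0a0b0c"      # source MAC
    "0800"              # EtherType: IPv4
    "4500002800010000"  # ver/IHL 0x45, TOS 0, total length 40, ID 1, flags/frag 0
    "4006" "0000"       # TTL 64, protocol 6 (TCP), header checksum (left zero here)
    "c0a80164"          # source IP 192.168.1.100
    "c0a80101"          # destination IP 192.168.1.1
    "c3500050"          # TCP source port 50000, destination port 80
    "00000001"          # sequence number 1
    "00000000"          # acknowledgment number 0
    "5002" "2000"       # data offset 5 (20 bytes), flags SYN, window 8192
    "0000" "0000"       # checksum (zero here), urgent pointer
)
SAMPLE_UDP = bytes.fromhex(
    "00155d010203" "00155d0a0b0c" "0800"
    "4500002000020000" "4011" "0000" "c0a80164" "c0a80101"   # total length 32, protocol 17
    "c350" "0035" "000c" "0000"                              # UDP 50000 -> 53, length 12
    "deadbeef"                                               # 4 payload bytes
)

TCP_FLAG_NAMES = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                  ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet, IPv4 and TCP/UDP headers into a dict of named fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
           "ethertype": ethertype}
    if ethertype != 0x0800:            # only IPv4 is decoded in this example
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    out.update({
        "ip_version": ver_ihl >> 4, "ip_header_len": ihl, "ip_total_len": total_len,
        "ttl": ttl, "protocol": proto,
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "more_fragments": bool(flags_frag & 0x2000),
    })
    l4 = ip[ihl:total_len]              # slice to total_len so Ethernet padding is dropped
    if proto == 6 and len(l4) >= 20:    # TCP
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", l4[:16])
        data_off = (off_flags >> 12) * 4
        flags = off_flags & 0x01FF
        out.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                    "window": window,
                    "tcp_flags": [n for n, bit in TCP_FLAG_NAMES if flags & bit],
                    "payload": l4[data_off:]})
    elif proto == 17 and len(l4) >= 8:  # UDP: ports and length only, no seq, no flags
        sport, dport, length, _csum = struct.unpack("!HHHH", l4[:8])
        out.update({"sport": sport, "dport": dport, "payload": l4[8:length]})
    return out
```

The TCP branch slices the payload from the data offset rather than from byte 20, so segments with options (MSS, SACK, timestamps) decode correctly; the UDP branch shows how little there is to work with once the ports are read.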
TCP Header Bits of Interest
URG (1 bit)—Marks the segment as carrying urgent data, located by the urgent pointer field. This bit is rarely used; when priority is needed, the IP precedence/DSCP bits are used instead.
ACK (1 bit)—Indicates that the acknowledgment number field is valid. It is clear only on the very first SYN of a connection and set on every segment after that, including the SYN/ACK.
PSH (1 bit)—Asks the receiver to hand the data to the application immediately instead of buffering it.
RST (1 bit)—Resets (aborts) the connection. It is also the normal answer to a segment sent to a port with no listener.
SYN (1 bit)—Synchronizes sequence numbers; it appears only on the first two packets of a connection.
FIN (1 bit)—Indicates there is no more data from the sender.
TCP Three-Way Handshake
Figure: Host → Server: 1 SYN; Server → Host: 2 SYN/ACK; Host → Server: 3 ACK. (SYN = synchronize, ACK = acknowledge.)
The TCP three-way handshake establishes a session between two systems.
The first system sends a packet with the SYN flag set, carrying its initial sequence number.
The second system responds with a packet that has the SYN and ACK flags set, acknowledging that sequence number and supplying its own.
The first system responds with a packet with the ACK flag set.
The two systems have now established a session. In a capture, a SYN that is never followed by a SYN/ACK is a connection attempt that failed, was refused (RST), or was filtered.
TCP Connection Termination
Figure: Host → Server: 1 ACK/FIN; Server → Host: 2 ACK; Server → Host: 3 ACK/FIN; Host → Server: 4 ACK. (ACK = acknowledge, FIN = finish.)
Because a TCP connection is two-way, it needs to be “torn down” in both directions.
The TCP connection termination process uses four packets (a stack that has nothing more to send often merges steps 2 and 3 into a single FIN/ACK, so you will also see three-packet teardowns).
The first system sends a TCP packet with the ACK and FIN flags set, requesting termination.
The second system sends an ACK response.
The second system then sends a packet with the ACK and FIN flags set.
The first system returns an ACK response.
FIN Scan
Figure: Host → Server: 1 FIN (alone); Server → Host: 2 no response.
A FIN scan sends a segment with only the FIN flag set to a port that has no connection. Under RFC 793 a closed port answers with RST, while an open port silently ignores the segment, so the absence of a reply marks the port as open. Because no SYN is ever sent, a stateless packet filter that only inspects SYN segments may let the probe through. (Windows stacks answer RST in both cases, so the scan is unreliable against them.)
Sometimes a host may need to terminate a connection quickly, due to a port being unreachable or a timeout, for example. It can send a Reset (RST) packet.
An initial SYN packet should never have FIN or RST set alongside it. That combination indicates a crafted packet: a scan or a malicious attempt to get by your firewall.
Christmas Tree Scan
Figure: Host → Server: 1 FIN, URG, PSH; Server → Host: 2 RST. (FIN = finish, URG = urgent, PSH = push, RST = reset.)
The Christmas tree scan “lights up” the FIN, URG and PSH flags together, a combination no real connection produces. The replies are read as for the FIN scan: a closed port answers RST, and an open port on an RFC 793-compliant stack sends nothing.
Null Scan
Figure: Host → Server: 1 no flags set (all zero); Server → Host: 2 RST.
The null scan sends a segment with no flags at all. As with the FIN and Christmas tree scans, RST means the port is closed and silence means it is open or filtered.
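The handshake, the four-step termination, and the FIN, Christmas tree and null probes above all come down to which flag bits are set on a segment. As an added example (not part of the original slides), the following Python labels segments by their flags and replays a constructed sequence through a simplified TCP state machine. The endpoints and segments are made up; the function and label names are the example's own. Flows left after the SYN/ACK with no third-step ACK are counted as half open, which is the condition the SYN flood slide later in this lesson describes.

```python
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> str:
    """Label one TCP segment by its flag combination."""
    if flags == 0:
        return "probe: null scan"
    if flags & SYN and flags & (FIN | RST):
        return "invalid: SYN combined with FIN or RST"
    if flags & FIN and flags & URG and flags & PSH and not flags & (SYN | ACK | RST):
        return "probe: xmas scan"
    if flags == FIN:
        return "probe: fin scan"
    if flags == SYN:
        return "handshake: SYN"
    if flags == SYN | ACK:
        return "handshake: SYN/ACK"
    if flags & RST:
        return "reset"
    if flags & FIN and flags & ACK:
        return "teardown: FIN/ACK"
    if flags & ACK:
        return "established: ACK/PSH" if flags & PSH else "established: ACK"
    return "unusual: 0x%02x" % flags


def track_sessions(segments):
    """Replay (src, dst, flags) tuples through a simplified TCP state machine.

    Returns (state per flow, probe/invalid segments, server address per flow).
    A flow left in 'syn-received' is half open: the server sent SYN/ACK and
    never saw the third-step ACK."""
    state, probes, server_of = {}, [], {}
    for src, dst, flags in segments:
        label = classify_flags(flags)
        if label.startswith(("probe", "invalid")):
            probes.append((src, dst, label))
            continue
        key = tuple(sorted((src, dst)))       # both directions share one flow key
        cur = state.get(key, "closed")
        if flags == SYN:
            state[key] = "syn-sent"
            server_of[key] = dst
        elif flags == SYN | ACK and cur == "syn-sent":
            state[key] = "syn-received"
        elif flags == ACK and cur == "syn-received":
            state[key] = "established"
        elif flags & FIN and cur == "established":
            state[key] = "fin-wait"           # first FIN: one direction closed
        elif flags & FIN and cur == "fin-wait":
            state[key] = "last-ack"           # second FIN: waiting for the final ACK
        elif flags == ACK and cur == "last-ack":
            state[key] = "closed"
        elif flags & RST:
            state[key] = "closed"
    return state, probes, server_of


def half_open_per_server(state, server_of):
    """How many flows per server are stuck after SYN/ACK (the SYN flood signal)."""
    return Counter(server_of[k] for k, s in state.items() if s == "syn-received")


# Constructed segment list (not a capture): one full session, four scan probes
# from a second host, and five SYNs that are never completed.
HOST, SERVER = "10.0.0.5:51000", "10.0.0.1:80"
SAMPLE_SEGMENTS = [
    (HOST, SERVER, SYN), (SERVER, HOST, SYN | ACK), (HOST, SERVER, ACK),  # handshake
    (HOST, SERVER, ACK | PSH), (SERVER, HOST, ACK),                        # data
    (HOST, SERVER, FIN | ACK), (SERVER, HOST, ACK),                        # teardown 1-2
    (SERVER, HOST, FIN | ACK), (HOST, SERVER, ACK),                        # teardown 3-4
    ("203.0.113.9:4444", SERVER, FIN),                                    # FIN scan
    ("203.0.113.9:4444", SERVER, FIN | URG | PSH),                         # Christmas tree scan
    ("203.0.113.9:4444", SERVER, 0),                                      # null scan
    ("203.0.113.9:4444", SERVER, SYN | FIN),                               # never legitimate
] + [(f"198.51.100.{i}:4000", SERVER, SYN) for i in range(1, 6)] \
  + [(SERVER, f"198.51.100.{i}:4000", SYN | ACK) for i in range(1, 6)]
```

Run on a real capture, feed it the flags field from each segment in order; the probe list is what to triage first, and a server whose half-open count keeps climbing is being flooded or is failing to answer clients.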
Network Packet: Payload
The body or information content of a packet
The actual content that the packet is delivering to the destination (part of a file, a DNS query, an HTTP request, and so on)
If a packet or frame must be a fixed or minimum length, the payload may be padded with zeros or a specific pattern to make it the right size (Ethernet pads short frames up to its 64-byte minimum); padding is not data and is ignored by the receiver
Network Packet: Trailer
Contains error-checking data to detect errors that occur during transmission
May be part of the Ethernet or Point-to-Point Protocol (PPP) frame or other Layer 2 protocol
The TCP (OSI model Layer 4) and IP (OSI model Layer 3) portions of a unit of information transfer contain only a header and payload. However, if the Layer 2 portion of a unit of information transfer is analyzed, then in addition to a header and payload, there is also a part at the end called the trailer.
Cyclical Redundancy Check (CRC)
Figure: Ethernet frame layout: preamble, destination address, source address, type, data, CRC. If a CRC error is found, the frame is discarded.
Why is the CRC almost always in a trailer, rather than in a header?
Ethernet uses a 32-bit cyclic redundancy check (CRC). The sender computes the CRC (a polynomial division over the bits of the frame) on the destination address, source address, type/length, payload, and pad, if any. The four-octet (32-bit) result is stored in the trailer by the sender and the frame is transmitted. The receiving device repeats exactly the same calculation and compares the result with the value stored in the trailer.
If the values match, the frame is good and is processed. If they do not match, the receiving device has a decision to make, and that decision is made consistently according to the protocol involved.
In the case of Ethernet, the receiver discards the errored frame and sends no indication whatsoever that the frame has been discarded. The receiver usually does, however, update an internal counter that can be queried to say how many frames were discarded (on switches and host interfaces these appear as CRC or FCS error counters), and a second counter records how many frames arrived and passed the CRC check.
Ethernet leaves recovery to the upper-layer protocol, which may or may not request a retransmission. In the case of Internet Protocol, there is no retransmission of an errored or missing frame, nor is there in UDP. TCP, on the other hand, does recover: because every byte is numbered by the sequence number in the TCP header, a discarded frame leaves a gap, the receiver keeps acknowledging the last byte it received in order, and the sender retransmits when the expected acknowledgment fails to arrive (after a timeout or repeated duplicate ACKs). TCP handles an out-of-sequence segment the same way.
A note for the analyst: a packet capture taken on an ordinary host does not normally include the CRC, because the network card checks and strips it before the frame reaches the operating system, and frames that fail the check never reach the capture at all.
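As an added example (not from the original slides), the following Python performs the sender's and receiver's halves of the check described above. The frame contents and the function names are constructed for the example. It relies on the fact that the Ethernet FCS is the same CRC-32 that zlib computes, appended least significant byte first; the receiver side drops a bad frame silently and only bumps a counter, exactly as the text describes.

```python
import zlib


def ethernet_fcs(body: bytes) -> bytes:
    """CRC-32 over destination MAC through pad, as Ethernet appends it (LSB first)."""
    return zlib.crc32(body).to_bytes(4, "little")


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Sender side: assemble header + payload, pad to the minimum size, append the FCS."""
    body = dst_mac + src_mac + ethertype.to_bytes(2, "big") + payload
    body += b"\x00" * max(0, 60 - len(body))   # 60 bytes + 4-byte FCS = 64-byte minimum
    return body + ethernet_fcs(body)


def receive(frame: bytes, counters: dict):
    """Receiver side: recompute the CRC; on mismatch drop silently and count it."""
    body, trailer = frame[:-4], frame[-4:]
    if ethernet_fcs(body) != trailer:
        counters["crc_errors"] = counters.get("crc_errors", 0) + 1
        return None                          # nothing is sent back to the transmitter
    counters["frames_ok"] = counters.get("frames_ok", 0) + 1
    return body


# Constructed frame, not a capture: two made-up MACs, EtherType IPv4, 20 filler bytes.
FRAME = build_frame(bytes.fromhex("00155d010203"), bytes.fromhex("00155d0a0b0c"),
                    0x0800, b"\x45\x00" + b"\x00" * 18)


def demo() -> dict:
    """Deliver the good frame, then the same frame with one payload bit flipped."""
    counters = {}
    receive(FRAME, counters)
    corrupted = bytearray(FRAME)
    corrupted[20] ^= 0x01                    # single bit error inside the payload
    receive(bytes(corrupted), counters)
    return counters
```

A handy property when you do have captures that include the FCS: running the CRC over the whole frame including its trailer yields the constant 0x2144DF1C for every good frame, so a capture tool can validate frames without parsing them.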
Ports
A number that identifies a channel (an endpoint on a host) in which communication can occur
65,536 possible ports (0 through 65,535), separately for TCP and for UDP
Knowing what port a packet was destined for (or coming from) tells you what protocol is probably in use, because well-known services are registered to fixed ports; this is a convention rather than a guarantee, so confirm it by looking at the payload
Some Important Ports
| Port Number | Protocol that Uses Port |
| 20, 21 | File Transfer Protocol (FTP): 21 for commands, 20 for data |
| 22 | Secure Shell (SSH) |
| 23 | Telnet |
| 25 | Simple Mail Transfer Protocol (SMTP) |
| 53 | Domain Name System (DNS) |
| 80 | Hypertext Transfer Protocol (HTTP) |
| 110 | Post Office Protocol Version 3 (POP3) |
Consider the information you gather from these ports.
Assume you capture traffic going to and from a database server on port 21. This means someone is using FTP to upload or download files with that server. But you query the network administrator and find that FTP is not used on the database server. This is likely a sign of an intruder or, at the very least, of an insider who is not adhering to system policy.
Frequent attempts to connect to a web server on port 23 (Telnet) show someone probing for a Telnet service, and point to a well-known old hacker trick: using a Telnet client to open a raw connection to the server (classically to port 80) and grab the server’s banner. The banner lets the hacker determine the exact operating system and web server software running, unless the system administrator has modified the banner to defeat this trick.
Important Intruder Ports
| Port Number | Utility |
| 407 | Timbuktu |
| 6666 | Beast |
| 23476/23477 | Donald Dick |
| 31337 | Back Orifice |
| 43188 | ReachOut |
| 54320/54321 | BO2K (Back Orifice 2000) |
These are utilities that give an intruder complete access to the target system.
Timbuktu and ReachOut are commercial remote-control products (comparable to pcAnywhere) that allow a user to log on to a remote system and work just as if sitting in front of its desktop. It is possible that technical support personnel are using one of them to make support calls more efficient. But it is also possible that an intruder is logging on and taking over the system.
The other items are backdoor hacker software with no legitimate use. Bear in mind that the port numbers are defaults: an attacker can run a backdoor on any port, and a legitimate service can be moved onto one of these, so treat a port match as a lead to confirm from the payload and from the host itself, not as proof.
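As an added example (not part of the original slides), the following Python applies the two checks just described to a handful of constructed flow summaries: it compares each server's observed destination ports against what the administrator says the server should be serving, flags the backdoor default ports from the table, and counts repeated Telnet attempts. The hosts, flows, the EXPECTED policy and the function names are all made up for the example.

```python
from collections import defaultdict

WELL_KNOWN = {20: "FTP data", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
              53: "DNS", 80: "HTTP", 110: "POP3"}
# Default listening ports of the backdoors in the table above. An attacker can
# change them, so a match is a lead to investigate, not proof on its own.
BACKDOOR_PORTS = {407: "Timbuktu", 6666: "Beast", 23476: "Donald Dick",
                  23477: "Donald Dick", 31337: "Back Orifice", 43188: "ReachOut",
                  54320: "BO2K", 54321: "BO2K"}

# Constructed flow summaries (src, dst, dst_port, packets); not real traffic.
FLOWS = [
    ("10.0.0.15", "10.0.0.20", 21, 412),      # FTP to the database server
    ("10.0.0.15", "10.0.0.20", 22, 80),       # SSH to the database server (approved)
    ("203.0.113.9", "10.0.0.30", 23, 1),      # three Telnet attempts at the web server
    ("203.0.113.9", "10.0.0.30", 23, 1),
    ("203.0.113.9", "10.0.0.30", 23, 1),
    ("203.0.113.9", "10.0.0.30", 80, 35),     # then ordinary web traffic
    ("10.0.0.44", "10.0.0.20", 31337, 9),     # Back Orifice default port
]
# Ports each server is supposed to serve, as confirmed with the administrator (constructed).
EXPECTED = {"10.0.0.20": {22}, "10.0.0.30": {80}}


def review_flows(flows, expected, telnet_threshold=3):
    """Return human-readable findings for flows that contradict policy or look like backdoors."""
    findings, seen = [], set()
    telnet_attempts = defaultdict(int)
    for src, dst, dport, _packets in flows:
        service = WELL_KNOWN.get(dport, "unregistered")
        key = (src, dst, dport)                  # report each src/dst/port triple once
        if dport in BACKDOOR_PORTS and key not in seen:
            findings.append(f"{src} -> {dst}:{dport} uses the default port of "
                            f"{BACKDOOR_PORTS[dport]}")
        elif dst in expected and dport not in expected[dst] and key not in seen:
            findings.append(f"{src} -> {dst}:{dport} ({service}) is not an approved "
                            f"service on {dst}")
        seen.add(key)
        if dport == 23:
            telnet_attempts[(src, dst)] += 1
    for (src, dst), n in telnet_attempts.items():
        if n >= telnet_threshold:
            findings.append(f"{src} made {n} Telnet connection attempts to {dst}")
    return findings
```

The policy table is the part that matters: without the administrator's statement of what each server should be doing, port 21 on the database server is just a number.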
Denial of Service (DoS) Attacks
Can be targeted at a given server; the increased traffic also affects the rest of the target network
The attacker usually floods the network with malicious packets, preventing legitimate network traffic from passing
The attacker uses one of three approaches:
Damages the target machine’s ability to operate (for example, crashes it with a malformed packet)
Overwhelms the target machine with many open or half-open connections at the same time
Consumes the bandwidth to the target machine
Ping of Death Attack
Figure: attacker → server. IP header (20 bytes) + ICMP header (8 bytes) + ICMP data (>65,507 bytes): the reassembled datagram exceeds the 65,535-byte maximum size of an IP packet, which crashed older stacks that did not bounds-check reassembly.
Ping Flood
Figure: the attacker sends a continuous stream of ICMP echo requests at the victim, consuming its bandwidth and processing. When the requests are sent to a broadcast address with a spoofed source, the flood becomes the smurf attack described below.
Teardrop Attack
Attacker sends IP fragments with bad values (overlapping fragment offsets) in them
Causes the target system to crash when it tries to reassemble the fragments, because its reassembly code does not handle the overlap
SYN Flood Attack
Figure: attacker → server: 1 SYN; server → attacker: 2 SYN/ACK; attacker → server: 3 SYN; server → attacker: 4 SYN/ACK; and so on.
The attacker never sends the third-step ACK (and usually spoofs the source addresses), so the server accumulates half-open connections until its connection table is exhausted and legitimate clients can no longer connect.
Land Attack
Attacker sends a forged TCP SYN packet whose source and destination IP addresses and ports are both those of the target computer
The victim computer is tricked into thinking it is sending messages to itself, because the packet coming from outside uses the computer’s own IP address; vulnerable stacks hung or crashed trying to complete the handshake with themselves
Smurf Attack
Figure: attacker → intermediary network → victim, with amplification.
The attacker sends ICMP echo requests to a network’s broadcast address with the victim’s address forged as the source. Every host on that network replies to the victim, so one packet from the attacker becomes many at the victim.
Fraggle Attack
Similar to a smurf attack
Fraggle uses spoofed User Datagram Protocol (UDP) packets (typically to the echo service on port 7 or chargen on port 19) instead of Internet Control Message Protocol (ICMP) echo requests
Can pass a firewall that blocks ICMP but not UDP
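Each of the attacks on the last few slides leaves a recognizable shape in a capture: an oversized reassembled datagram (ping of death), overlapping fragments (teardrop), a SYN from a host to itself (land), and echo or UDP requests aimed at a broadcast address (smurf, fraggle). As an added example (not from the original slides), the following Python checks constructed packet summaries for those shapes. The packet dictionaries, fragment lists, addresses and function names are all made up for the example.

```python
IP_MAX_DATAGRAM = 65535            # largest total length an IPv4 datagram may have


def reassembly_check(fragments):
    """fragments: (offset_in_bytes, length, more_fragments) tuples for one datagram ID.

    Returns 'ping-of-death' when the pieces add up to more than 65,535 bytes,
    'teardrop' when two fragments overlap, None when reassembly looks sane."""
    frags = sorted(fragments)
    if max(off + ln for off, ln, _ in frags) > IP_MAX_DATAGRAM:
        return "ping-of-death"
    for (off1, len1, _), (off2, _, _) in zip(frags, frags[1:]):
        if off2 < off1 + len1:             # next piece starts inside the previous one
            return "teardrop"
    return None


def is_land(pkt) -> bool:
    """Land attack: a SYN whose source and destination address and port are identical."""
    return (pkt["proto"] == "tcp" and "SYN" in pkt["flags"]
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def amplification_check(pkt, broadcast_addrs):
    """Smurf/fraggle: a request aimed at a directed-broadcast address. The source
    address is the victim's (spoofed); every host on the segment will answer it."""
    if pkt["dst"] not in broadcast_addrs:
        return None
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:     # echo request
        return "smurf"
    if pkt["proto"] == "udp" and pkt.get("dport") in (7, 19):   # echo, chargen
        return "fraggle"
    return None


def scan_packets(packets, fragments_by_id, broadcast_addrs):
    """Run all checks; return (label, source or datagram ID) pairs in the order found."""
    findings = []
    for pkt in packets:
        if is_land(pkt):
            findings.append(("land", pkt["src"]))
        label = amplification_check(pkt, broadcast_addrs)
        if label:
            findings.append((label, pkt["src"]))
    for ident, frags in fragments_by_id.items():
        label = reassembly_check(frags)
        if label:
            findings.append((label, ident))
    return findings


# Constructed sample input, not a capture. 10.0.0.30 plays the victim throughout.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.30", "dst": "10.0.0.30", "sport": 80, "dport": 80,
     "flags": ["SYN"]},                                                   # land
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.30", "sport": 51000, "dport": 80,
     "flags": ["SYN"]},                                                   # normal SYN
    {"proto": "icmp", "src": "10.0.0.30", "dst": "192.0.2.255", "icmp_type": 8},   # smurf
    {"proto": "udp", "src": "10.0.0.30", "dst": "192.0.2.255", "sport": 7, "dport": 7},  # fraggle
    {"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.30", "icmp_type": 8},      # normal ping
]
FRAGMENTS = {
    "0x1a2b": [(i * 1480, 1480, True) for i in range(44)] + [(44 * 1480, 1480, False)],
    "0x1a2c": [(0, 104, True), (48, 100, False)],       # second piece overlaps the first
    "0x1a2d": [(0, 1480, True), (1480, 520, False)],    # an ordinary 2,000-byte datagram
}
BROADCASTS = {"192.0.2.255"}
```

The 0x1a2b fragment list is 45 pieces of 1,480 bytes, 66,600 bytes in all, which is the ping-of-death condition; the offsets are kept to multiples of 8 because that is all the IP fragment offset field can express.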
Packet Mistreating
Occurs when a compromised router mishandles packets
Results in congestion in a part of the network
Network Traffic Analysis Overview
Forensic network analysis uses the tools and techniques of the network trade. Network monitoring gives the “big picture” perspective, an insight into how networks and systems behave. Network analysis takes a deeper look at the traces between systems, networks, and intruders.
Also referred to as “network forensic analysis,” it is the analysis of network data to reconstruct network activity over a specific period of time.
It is commonly used to:
Reconstruct the sequence of events that took place during a network-based security incident
Discover the source of security policy violations, vulnerabilities, or information assurance breaches
Investigate individuals suspected of crimes
What Is a Sniffer?
Software or hardware that can intercept and log traffic passing over a digital network
Captures network packets, decodes them, and lets the analyst filter or summarize the dumped information
Commonly applied sniffers include Tcpdump (UNIX platforms) and WinDump (Windows)
Tcpdump and WinDump
Tcpdump
A commonly applied sniffer for various UNIX platforms
WinDump
A version of Tcpdump for Windows
Both programs capture packets to the screen or to a file and decode them; a capture written with -w can be read back later with -r, filtered by host, port, or protocol, or loaded into another tool such as Wireshark for deeper analysis
Wireshark
Network protocol analyzer
Captures Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and other packets
Analyzes real-time and saved data
Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others
Supports IPv4 and IPv6
Allows Voice over IP (VoIP) analysis
Freely available
Wireshark Packet Capture
Courtesy of the Wireshark Foundation
Simply select an interface, or network card, then start the process.
The image shows the addresses the packets are coming from or going to, the protocols, timing, and many other useful pieces of information. At any time, you can stop the packet-capture process and view the individual packets.
Wireshark Packet Details
Courtesy of the Wireshark Foundation
Details of a particular packet.
You can see the source and destination MAC addresses, the protocol, the source and destination IP addresses (where applicable), and much more.
The raw data in the packet is shown at the bottom of the screen. Data isn’t always readable: if the packet carries part of an image file or encrypted traffic, you won’t be able to read much of what is displayed.
HTTPSniffer
Courtesy of EffeTech
Similar to Wireshark.
Captures web (HTTP) traffic.
You can see all the HTTP commands going to the server and the responses from the server.
To interpret the data, you need to understand the basic HTTP commands (methods) as well as the response codes.
The most common HTTP commands are GET, HEAD, PUT, and POST. You might see only those four during most of your analysis of web traffic, with GET and POST by far the most frequent.
HTTP Commands
| HTTP Command | Description |
| GET | Request to read (retrieve) a resource such as a webpage |
| HEAD | Request only the response headers for a resource, without the body |
| PUT | Request to store or replace the resource at the given URL |
| POST | Submit data to a resource (a form, a login, an upload) |
| DELETE | Remove the resource |
| LINK | Connects two existing resources (obsolete, rarely implemented) |
| UNLINK | Breaks an existing connection between two resources (obsolete, rarely implemented) |
HTTP Response Messages
| Message Range | Meaning |
| 100–199 | Informational; the server is giving your browser some information, most of which will never be displayed to the user |
| 200–299 | “OK” messages, meaning that whatever the browser requested, the server successfully processed |
| 300–399 | Redirect messages telling the browser to go to another URL |
| 400–499 | Client errors |
| 500–599 | Server-side errors |
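As an added example (not part of the original slides), the following Python walks a constructed, already reassembled HTTP conversation, pulls out the method and target of each request and the status code of each response, and summarizes them the way the two tables above suggest: methods by count, responses by hundred-class, and every write request (PUT, POST, DELETE) listed for review. The conversation, hosts and function names are made up; the parser honors Content-Length so message bodies are not mistaken for new messages, but it does not handle chunked transfer encoding.

```python
import re
from collections import Counter

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})")
WRITE_METHODS = {"PUT", "POST", "DELETE", "LINK", "UNLINK"}

# Constructed client/server exchange, not a capture. Bodies are sized to their Content-Length.
SAMPLE_STREAM = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n<html></html>"
    "HEAD /admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    "HTTP/1.1 301 Moved Permanently\r\nLocation: /login\r\nContent-Length: 0\r\n\r\n"
    "POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 25\r\n\r\n"
    "user=alice&pass=secret123"
    "HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n"
    "PUT /upload/notes.txt HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\n"
    "hello"
    "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
)


def parse_http_stream(text):
    """Split a reassembled HTTP conversation into request and response records."""
    requests, responses = [], []
    pos = 0
    while True:
        head_end = text.find("\r\n\r\n", pos)      # blank line ends the header block
        if head_end == -1:
            break
        lines = text[pos:head_end].split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_len = int(headers.get("content-length", "0"))
        body = text[head_end + 4:head_end + 4 + body_len]
        pos = head_end + 4 + body_len                # skip the body, whatever it contains
        m = REQUEST_LINE.match(lines[0])
        if m:
            requests.append({"method": m.group(1), "target": m.group(2),
                             "headers": headers, "body": body})
            continue
        m = STATUS_LINE.match(lines[0])
        if m:
            responses.append({"status": int(m.group(1)), "headers": headers, "body": body})
    return requests, responses


def summarize(requests, responses):
    """Method counts, status classes (2xx, 3xx, ...), and the write requests to review."""
    methods = Counter(r["method"] for r in requests)
    classes = Counter(f"{r['status'] // 100}xx" for r in responses)
    writes = [(r["method"], r["target"]) for r in requests if r["method"] in WRITE_METHODS]
    return methods, classes, writes
```

Note what the POST body exposes: over plain HTTP the credentials are readable in the capture, which is both why an analyst can recover them and why an attacker with a sniffer on the path can too.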
Nmap/Zenmap
Courtesy of Nmap.org
Allows the user to map out what ports are open on a target system and what services are running
Is a command-line tool; Zenmap is its graphical front end, available on Windows, Linux, and macOS
Popular with hackers because it can be configured to operate stealthily (the FIN, Christmas tree, and null probes shown earlier are Nmap’s -sF, -sX, and -sN scans) and determine all open ports on an individual machine, or on every machine in an entire range of IP addresses
Popular with administrators because of its ability to discover open ports on the network
Snort
Primarily used as an open source intrusion detection system
Can function as a robust packet sniffer with a lot of configuration options
RSA NetWitness
Threat analysis software/protocol analyzer
Captures raw packets from wired and wireless interfaces
Analyzes real-time data throughout the seven layers
Filters by Media Access Control (MAC) address, Internet Protocol (IP) address, user, and more
A free edition (NetWitness Investigator) has been available for download
Network Traffic Analysis
Can reveal:
Vulnerabilities and probing
Denial of service (DoS) attacks
User-to-root attacks
Remote-to-local attacks
Vulnerabilities: unnecessary services, open ports
Probing: an attacker scans a network to gather information or find known vulnerabilities. May use Nmap, SAINT, or other vulnerability assessment tools.
DoS: Overwhelming a system with requests
User-to-root: attacker uses an ordinary user account to access a system, and then exploits a vulnerability to get root privileges
Remote-to-local: attacker does not have a user account but exploits a vulnerability to gain access
Log Files as Source of Evidence
Log files contain primary records of a person’s activities on a system or network
Log files can often identify:
Source, nature, and time of an attack
Specific user account of events related to illicit activities
Types of Logs
Authentication logs show the accounts related to a particular event and the authenticating user’s IP address. They contain date and time stamps as well as the username and IP address of the requestor.
Application logs record the time, date, and application identifier. When someone uses an application, it may write a log entry (typically to a text file) containing the application identifier, the date and time the user started the application, and how long that person used it.
Operating systems log certain events, such as the use of devices, errors, and reboots. Operating system logs can be analyzed to identify patterns of activity and unusual events.
Network device logs, such as firewall and router logs, provide information about the activities that take place on the network. You can also coordinate and synchronize them with logs provided by other systems to create a more complete picture of an attack; this requires the clocks of the devices to be synchronized, or their offsets to be known, otherwise events from different sources cannot be placed in order. For example, a firewall log may show access attempts that the firewall blocked. These attempts may indicate an attack. Log files can show how an attacker entered a network. They can also help find the source of illicit activities.
Log files from servers and Windows security event logs on domain controllers, for instance, can attribute activities to a specific user account. This may lead you to the person responsible.
Intrusion detection systems (IDSs) record events that match known attack signatures, such as buffer overflows or malicious code execution. Configure an IDS to capture all the network traffic associated with a specific event. In this way, you can discover what commands an attacker ran and what files he or she accessed. You can also determine what files the criminal downloaded, such as malicious code, or uploaded, such as files copied from the system.
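As an added example (not part of the original slides), the following Python correlates two of the log types just described: a firewall log of blocked and allowed connections and an SSH authentication log from a server. It parses both into timestamped events, applies a known clock offset to the server's entries so they sit on the firewall's timeline, and reports any source that the firewall denied and that later logged in successfully. The log lines, hosts, addresses and the 2017 year (syslog lines carry none) are constructed for the example, as are the function names.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style lines, not from a real system.
FIREWALL_LOG = """\
Jul  3 10:01:02 fw1 kernel: DENY TCP 203.0.113.9:51234 -> 10.0.0.20:22
Jul  3 10:01:05 fw1 kernel: DENY TCP 203.0.113.9:51235 -> 10.0.0.20:23
Jul  3 10:01:09 fw1 kernel: DENY TCP 203.0.113.9:51236 -> 10.0.0.20:3389
Jul  3 10:02:40 fw1 kernel: ALLOW TCP 203.0.113.9:51300 -> 10.0.0.30:22
Jul  3 10:30:00 fw1 kernel: DENY TCP 198.51.100.7:40000 -> 10.0.0.20:22
"""
AUTH_LOG = """\
Jul  3 10:02:31 websrv sshd[2210]: Failed password for admin from 203.0.113.9 port 51300 ssh2
Jul  3 10:02:44 websrv sshd[2210]: Accepted password for admin from 203.0.113.9 port 51300 ssh2
Jul  3 11:15:02 websrv sshd[2398]: Accepted publickey for deploy from 10.0.0.15 port 41022 ssh2
"""

FW_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ (DENY|ALLOW) \w+ "
                   r"(\S+):\d+ -> (\S+):(\d+)$")
AUTH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(Accepted|Failed) \w+ for (\S+) from (\S+) port \d+")
YEAR = 2017   # assumed: syslog timestamps carry no year


def ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=YEAR)


def parse_firewall(log):
    events = []
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m:
            t, action, src, dst, dport = m.groups()
            events.append({"time": ts(t), "action": action, "src": src,
                           "dst": dst, "dport": int(dport)})
    return events


def parse_auth(log, clock_offset=timedelta(0)):
    """clock_offset moves the server's timestamps onto the firewall's clock."""
    events = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            t, host, result, user, src = m.groups()
            events.append({"time": ts(t) + clock_offset, "host": host,
                           "result": result, "user": user, "src": src})
    return events


def correlate(fw_events, auth_events, window=timedelta(hours=2)):
    """Sources the firewall denied that then authenticated successfully within the window."""
    findings = []
    for a in auth_events:
        if a["result"] != "Accepted":
            continue
        denied = [e for e in fw_events
                  if e["action"] == "DENY" and e["src"] == a["src"]
                  and a["time"] - window <= e["time"] <= a["time"]]
        if denied:
            findings.append({"src": a["src"], "user": a["user"], "host": a["host"],
                             "login_time": a["time"], "denied_before": len(denied),
                             "ports_probed": sorted({e["dport"] for e in denied})})
    return findings
```

In the sample the server's clock runs twelve seconds behind the firewall's (the failed password is logged before the firewall shows the connection being allowed), which is why the offset parameter exists: without it, events from the two sources cannot be ordered reliably.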
Challenges when Using Logs
Logs change rapidly
Getting permission to collect evidence from some sources, such as Internet service providers (ISPs), takes time
Volatile evidence is easily lost
Hackers can easily alter logs to include false information
Wireless Networking
| Specification | Description |
| 802.11a | Operates at 5 GHz; Bandwidth of 54 Mbps |
| 802.11b | First widely deployed Wi-Fi standard; Operates at 2.4 GHz; Indoor range of 125 ft; Bandwidth of 11 Mbps |
| 802.11g | Backward compatibility with 802.11b; Operates at 2.4 GHz; Indoor range of 125 ft; Bandwidth of 54 Mbps |
802.11a—This standard operates at 5 GHz with a bandwidth of 54 Mbps. It was ratified at the same time as 802.11b but saw far less use, because 5 GHz equipment cost more and had a shorter range.
802.11b—The first widely deployed Wi-Fi standard. It operates at 2.4 GHz and has an indoor range of 125 feet with a bandwidth of 11 megabits per second (Mbps).
802.11g—There are still many of these wireless networks in operation, but you can no longer purchase new Wi-Fi access points that use it. This standard has an indoor range of 125 feet and a bandwidth of 54 Mbps. It includes backward compatibility with 802.11b.
Wireless Networking (Cont.)
| Specification | Description |
| 802.11n | Operates at 2.4 or 5.0 GHz Indoor range of up to 230 ft Bandwidth of 100 to 140 Mbps |
| IEEE 802.11n-2009 | Four spatial streams at a channel width of 40 MHz; Bandwidth of up to 600 Mbps; Uses multiple-input multiple-output (MIMO) |
802.11n—This standard was a tremendous improvement over preceding wireless networks. It obtained a bandwidth of 100 to 140 Mbps. It operates at frequencies of 2.4 or 5.0 GHz, and has an indoor range of up to 230 feet.
IEEE 802.11n-2009—This technology gets bandwidth of up to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. It uses multiple-input multiple-output (MIMO), which uses multiple antennas to coherently resolve more information than possible using a single antenna.
Wireless Networking (Cont.)
| Specification | Description |
| IEEE 802.11ac | Multi-station throughput of at least 1 Gbps and single-link throughput of at least 500 Mbps; Up to eight MIMO spatial streams; 5 GHz band |
| IEEE 802.11ad (Wireless Gigabit Alliance, WiGig) | Operates at 60 GHz; Data transmission rates up to 7 Gbps—more than 10 times the highest 802.11n rate |
IEEE 802.11ac—This standard was approved in December 2013. It provides multi-station throughput of at least 1 Gbps and single-link throughput of at least 500 Mbps, and uses up to eight MIMO spatial streams in the 5 GHz band.
IEEE 802.11ad (Wireless Gigabit Alliance, WiGig)—This operates in the 60 GHz band and supports data transmission rates up to 7 Gbps, more than 10 times the highest 802.11n rate, at the cost of a very short range that does not pass through walls.
Wireless Networking (Cont.)
Wardriving
Process of driving around an area while a passenger in the vehicle scans for insecure, or weakly secured, wireless networks
Participants then attempt to breach the targets they find
Warflying
A twist on war driving
A radio-controlled airplane is equipped with wardriving equipment
Radio-controlled (RC) plane can be used to fly over an area to gather data on wireless networks
Wireless Concerns
Did a perpetrator use a wireless network entry point for a direct network attack or theft of data?
Did an attacker use a third-party wireless network, such as a hotel hotspot, to conceal his or her identity?
Wireless Storage Devices
Wireless digital and video cameras
Wireless printers with storage capacity
Wireless network-attached storage (NAS) devices
Tablets and smartphones
Wireless digital video recorders (DVRs)
Wireless game consoles
Wireless Network Discovery Tools
NetStumbler (Windows)
MacStumbler (Mac OS X)
iStumbler (Mac OS X)
Router Forensics
Router is hardware or software device that forwards data packets across a network to a destination network
May contain:
Read-only memory (ROM) with power-on self test code
Flash memory containing the router’s operating system
Nonvolatile random access memory (RAM) containing configuration information
Volatile RAM containing routing tables and log information
Basic Network Devices
A network interface card (NIC) allows the computer to be connected to a network. Network interface cards are relatively simple devices that don’t store information for any appreciable period of time.
A hub connects computers on an Ethernet LAN. Essentially, a hub does nothing to see that packets get to their proper destination: it repeats every frame it receives out every port, which is why a sniffer on any port of a hub sees all of the traffic.
A switch prevents traffic jams by ensuring that data goes straight from its origin to its proper destination. Switches remember the MAC address of every node on the network and forward each frame only to the port where the destination lives. A switch operates only with the computers on the same LAN, because it works from the MAC address in a frame, which is not routable. It cannot send data out to the Internet or across a wide area network (WAN). These functions require a router.
A router is similar to a switch, but it can also connect different logical networks or subnets and enable traffic that is destined for the networks on the other side of the router to pass through. Routers use the IP address to determine the path of outgoing packets and work at the Network Layer of the OSI model.
Modern routers are complex devices. They handle packets, often have firewall and Dynamic Host Configuration Protocol (DHCP) capabilities, are programmable, and maintain logs.
Network card
Enables computer to be connected to a network
Hub
Connects computers on an Ethernet local area network (LAN)
Sends any packet it receives out every port
Switch
Prevents traffic jams by ensuring that data goes straight from its origin to its proper destination
Router
Can connect different logical networks or subnets and enable traffic destined for the networks on the other side of the router to pass through
Routers in Detail
Determine where to send information from one computer to another
Are specialized computers that send your messages and those of every other Internet user to their destinations along thousands of pathways
Maintain a routing table to keep track of routes
Some routes are programmed manually (static routes); many are “learned” automatically through routing protocols
Routers determine where to send information from one computer to another. They maintain a routing table to keep track of routes, or which connections are to be used for different networks. Some of these routes are programmed in manually, but many are “learned” automatically by the router. It does this by examining incoming packets and, if one comes from an IP address the router has not seen before, adding that address to its routing table. Modern routers also inform each other about new routes and routes that are no longer working to make routing as efficient as possible.
Router Attacks
Router table poisoning
Incorrect router table entries can result in:
Artificial congestion
The router becoming overwhelmed
An attacker being allowed access to data in the compromised network
Routers can be vulnerable to several types of attacks, including router table poisoning. Router table poisoning is one of the most common and effective attacks. With router table poisoning, an attacker alters the routing data update packets that the routing protocols need, resulting in incorrect entries in the routing table.
Getting Evidence from Routers
Don't shut down router
Can erase valuable evidence
Don't alter anything
Document your process
Connect with the router to run certain commands
Connect with the router so you can run certain commands. HyperTerminal is a free tool that can be used to connect to and interact with your routers. Because the router is live, it is important to record everything you do.
Recording with HyperTerminal
[Figure: HyperTerminal session recording, courtesy of HILGRAEVE]
HyperTerminal is an example of a tool you can use to connect to and interact with routers.
Router Commands
Several commands are important to router forensics. The most important and most commonly used commands from Cisco routers are:
show version—Provides a significant amount of hardware and software detail about the router. It displays the platform, operating system version, system image file, any interfaces, the amount of RAM the router has, and the number of network and voice interfaces there are.
show running-config—Provides the currently executing configuration.
show startup-config—Provides the system’s start-up configuration. Differences between show startup-config and show running-config can indicate that a hacker has altered the system.
show ip route—Shows the routing table. A primary reason that hackers infiltrate routers is to manipulate the routing table.
show version
show running-config
show startup-config
show ip route
show interfaces
show logging
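As an added example (not part of the lesson and not Cisco's own tooling), a small Python script that compares saved output of show startup-config and show running-config the way the notes above suggest, reporting lines that differ once separator lines are ignored. The two configurations are constructed samples and the enable-secret hashes are placeholders.

```python
import difflib

# Constructed samples of "show startup-config" and "show running-config" output (not
# from a real device); the running config has a changed secret, an extra static
# route and a dropped logging host, and the hash strings are placeholders.
STARTUP_CONFIG = """\
hostname EdgeRouter
enable secret 5 $1$PLACEHOLDER-HASH-A
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
logging host 192.0.2.50
end
"""

RUNNING_CONFIG = """\
hostname EdgeRouter
enable secret 5 $1$PLACEHOLDER-HASH-B
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.0.0.0 255.0.0.0 198.51.100.9
end
"""

def normalize(config: str) -> list[str]:
    """Drop blank and '!' separator lines and trailing whitespace so the diff
    reflects configuration changes rather than formatting differences."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.startswith("!")]

def config_drift(startup: str, running: str) -> dict[str, list[str]]:
    """Lines only in the running config ('added') and only in the saved startup
    config ('removed'); either kind needs explaining in the investigation report."""
    added, removed = [], []
    for line in difflib.ndiff(normalize(startup), normalize(running)):
        if line.startswith("+ "):
            added.append(line[2:])
        elif line.startswith("- "):
            removed.append(line[2:])
    return {"added": added, "removed": removed}

if __name__ == "__main__":
    for kind, lines in config_drift(STARTUP_CONFIG, RUNNING_CONFIG).items():
        for ln in lines:
            print(f"{kind:>7}: {ln}")
```

A dropped logging host is as telling as an added route: it removes the record of what the router did next.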
What Is a Firewall?
A network traffic control device or service
Enforces network security policy
Protects the network against external attacks
Establishes control over network traffic
Prevents connections from unauthorized sources to protected network systems, services, and resources
Firewall Analogy
Bouncer at a night club with a guest list that defines specific names or types of individuals allowed in or specifically prohibited from the club
Network-Based Firewalls
Span an entire network
Filter all traffic passing in and out of network or network segment
Can filter between other networks and systems
Commercial or corporate firewalls
Optimized for network-wide firewall filtering
Incorporate enterprise-grade network services
VPN
Enterprise-class encryption protocols
Enterprise-class security services
Firewall Categories
Packet filter firewall
The most basic type of firewall
Filters incoming packets and either allows them entrance or denies them passage based on a set of rules
Also referred to as a screened firewall
Can filter packets based on packet size, protocol used, source IP address, and so on
Many routers offer this type of firewall option in addition to their normal routing functions
Stateful packet inspection (SPI) firewall
Examines each and every packet, denying or permitting based on not only the current packet, but also considering previous packets in the conversation
The firewall is aware of the context in which a specific packet was sent
Far less susceptible to ping floods, SYN floods, and spoofing
Application filter
Combines stateful packet inspection with scanning for specific application issues
Example: Web Application Firewall (WAF) scans for typical web attacks such as SQL injection and cross-site scripting
Packet filter
Permits/denies incoming packets based on rules
Aka screened firewall
Stateful packet inspection
Examines all packets
Considers previous packets when permitting/denying
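An added example (not from the lesson) contrasting the two categories above in Python: a stateless packet filter that judges each packet alone, beside a stateful filter that remembers outbound connections and only admits replies to them. The protected host address, the rule set and the three packets are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

INSIDE = "192.0.2.10"  # constructed protected host behind the firewall

def packet_filter_allow(pkt: Packet) -> bool:
    """Screened (stateless) filter: judges each packet on its own header fields. To let
    replies to outbound connections back in, it must admit any inbound packet that
    claims a server source port, and a spoofed packet can claim one just as easily."""
    if pkt.src == INSIDE:                          # anything outbound
        return True
    if pkt.dst == INSIDE and pkt.dport == 80:      # published web server
        return True
    return pkt.dst == INSIDE and pkt.sport < 1024  # "return traffic" rule

class StatefulFilter:
    """SPI: an inbound packet passes only if it belongs to a connection the firewall
    already saw the inside host initiate (context from previous packets)."""
    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.src == INSIDE:
            if pkt.syn and not pkt.ack:            # new outbound connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dst == INSIDE and pkt.dport == 80:
            return True
        # a reply must match a recorded outbound connection with the tuple reversed
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Run one packet sequence through both filters; yields (packet filter, SPI) verdicts."""
    spi = StatefulFilter()
    return [(packet_filter_allow(p), spi.allow(p)) for p in packets]

# Constructed sequence: a genuine outbound HTTPS connection, its reply, then an unsolicited inbound packet dressed up as DNS return traffic.
SAMPLE = [
    Packet(INSIDE, 51000, "198.51.100.7", 443, syn=True),
    Packet("198.51.100.7", 443, INSIDE, 51000, syn=True, ack=True),
    Packet("203.0.113.9", 53, INSIDE, 51001, ack=True),
]
```

compare(SAMPLE) shows both filters admitting the real connection and its reply, while only the stateful filter rejects the third packet, which matches no connection it ever saw start.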
Collecting Data
| Type of Port | Port Numbers |
|---|---|
| Well-known ports | 0 to 1023 |
| Registered ports | 1024 to 49151 |
| Dynamic ports | 49152 to 65535 |
All the traffic going through a firewall is part of a connection. A connection consists of two IP addresses communicating with each other and two port numbers that identify the protocol or service.
Collecting Data (Cont.)
Attempts on same set of ports from many different Internet sources are usually due to decoy scans
Carefully check firewall logs for any sort of connections or attempted connections on those ports
Use protocol analysis to determine who attacker is
In a decoy scan strategy, an attacker spoofs scans that originate from a large number of decoy machines and adds his or her IP address somewhere in the mix.
Summary
Network packet analysis basics
Traffic analysis
Router forensics
Firewall forensics
OPTIONAL SLIDES
TCP/IP Networking and OSI Reference Models
The TCP/IP model corresponds to layers in the OSI model.
The OSI layers are:
• Application layer (layer 7)—This layer enables communications with the host software, including the operating system. The application layer is the interface between host software and the network protocol stack. The sub-protocols of this layer support specific applications or types of data.
• Presentation layer (layer 6)—This layer translates the data received from the host software into a format acceptable to the network. This layer also performs this task in reverse for data going from the network to the host software.
• Session layer (layer 5)—This layer manages the communication channel, known as a session, between the endpoints of the network communication. A single transport layer connection between two systems can support multiple, simultaneous sessions.
• Transport layer (layer 4)—This layer formats and handles data transportation. The transportation is independent of and transparent to the application.
• Network layer (layer 3)—This layer handles logical addressing (IP addresses) and routing traffic.
• Data link layer (layer 2)—This layer manages physical addressing (MAC addresses) and supports the network topology, such as Ethernet.
• Physical layer (layer 1)—This layer converts data into transmitted bits over the physical network medium.
| OSI layer | TCP/IP layer |
|---|---|
| 7. Application | Application |
| 6. Presentation | Application |
| 5. Session | Application |
| 4. Transport | Transport |
| 3. Network | Internet |
| 2. Data link | Network Interface |
| 1. Physical | Network Interface |
TCP/IP Protocol Suite
| TCP/IP layer | Protocols |
|---|---|
| Application | Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Hypertext Transfer Protocol (HTTP), Tele-network (Telnet), File Transfer Protocol (FTP) |
| Transport | Transmission Control Protocol (TCP), User Datagram Protocol (UDP) |
| Internet | Internet Protocol (IP), IPSec, Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Internet Group Management Protocol (IGMP) |
| Network Interface | Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP) |
Why Analyze Data Packets?
Detect network problems, such as bottlenecks
Detect network intrusions
Gather network statistics
What Does a Protocol Analyzer Do?
Captures and decodes data packets traveling on a network
Allows you to read and analyze them
Where to Capture Data on the Network?
Must first understand the network’s architecture: where is the traffic of interest?
Internal LAN usually generates too much traffic to analyze
Monitor or capture at:
External (demilitarized zone, or DMZ) network
Just inside the perimeter firewall
Where to Capture Data on the Network? (Cont.)
Packet Capture and Analysis
MEASURE
Response time
Percentage of packets lost
TCP or UDP connection start and end
TCP stands for Transmission Control Protocol
UDP stands for User Datagram Protocol
Create a baseline of the network
Capture data at specific points on the network
Analyze captured data, compare to baseline, review logs
Use results of analysis to:
Investigate and resolve issues, such as removing unnecessary services or closing open ports that present a vulnerability
Update baseline, if necessary
After an incident, build signatures into the IDS/IPS to prevent further losses
Perform a statistical analysis on the dumped information. Use the results to measure response time, the percentage of packets lost, and TCP/UDP connection start and end.
Create a baseline
Capture packets
Analyze packets
Investigate or resolve
Examine Packets
Normal packet
Connecting to an FTP server
Port 53 (DNS) in User Datagram Protocol (UDP)
Three-way handshake completes
Examine Packets (Cont.)
Packet showing evidence of port scan
Series of TCP packets, part of three-way handshake
Arrange segments in sequential order by source port
Destination ports also in sequential order?
Classic TCP port scan
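An added example (not from the lesson) that puts the two patterns described in this slide and in Collecting Data (Cont.) into Python: for each source it orders the SYN segments by source port and looks for destination ports climbing by one (the classic TCP port scan), and separately it finds ports probed from many distinct sources (the decoy-scan signature). The firewall log format and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in an assumed format (not from a real device).
LOG = """\
2017-07-03T10:00:01 DENY TCP 203.0.113.5:40001 > 192.0.2.10:21 SYN
2017-07-03T10:00:01 DENY TCP 203.0.113.5:40002 > 192.0.2.10:22 SYN
2017-07-03T10:00:01 DENY TCP 203.0.113.5:40003 > 192.0.2.10:23 SYN
2017-07-03T10:00:02 DENY TCP 203.0.113.5:40004 > 192.0.2.10:24 SYN
2017-07-03T10:00:02 DENY TCP 203.0.113.5:40005 > 192.0.2.10:25 SYN
2017-07-03T10:00:02 ALLOW TCP 198.51.100.20:52100 > 192.0.2.10:80 SYN
2017-07-03T10:05:10 DENY TCP 198.51.100.31:3301 > 192.0.2.10:3389 SYN
2017-07-03T10:05:10 DENY TCP 198.51.100.32:3302 > 192.0.2.10:3389 SYN
2017-07-03T10:05:11 DENY TCP 198.51.100.33:3303 > 192.0.2.10:3389 SYN
"""
LINE = re.compile(r"^\S+ (?:ALLOW|DENY) TCP (\S+):(\d+) > (\S+):(\d+) (\S+)$")
def parse(log: str) -> list[tuple[str, int, str, int, str]]:
    """(src, sport, dst, dport, flags) for every line that matches the format."""
    recs = []
    for ln in log.splitlines():
        m = LINE.match(ln)
        if m:
            src, sport, dst, dport, flags = m.groups()
            recs.append((src, int(sport), dst, int(dport), flags))
    return recs

def sequential_scans(recs, min_run: int = 5) -> dict[str, int]:
    """Classic TCP port scan: for each source, order its SYN segments by source
    port and count the longest run of destination ports that climb by one."""
    by_src = defaultdict(list)
    for src, sport, _, dport, flags in recs:
        if flags == "SYN":
            by_src[src].append((sport, dport))
    hits = {}
    for src, segs in by_src.items():
        run = best = 1
        dports = [d for _, d in sorted(segs)]
        for prev, cur in zip(dports, dports[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits[src] = best
    return hits

def decoy_candidates(recs, min_sources: int = 3) -> dict[int, list[str]]:
    """Decoy-scan pattern: one port probed from many distinct sources; the real scanner is in the list."""
    by_port = defaultdict(set)
    for src, _, _, dport, _ in recs:
        by_port[dport].add(src)
    return {p: sorted(s) for p, s in by_port.items() if len(s) >= min_sources}
```

The decoy list is a starting point, not an answer: as the notes say, protocol analysis of the captured packets is what separates the real source from the spoofed ones.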