Guide to Computer Forensics and Investigations, Fourth Edition
Chapter 11
Virtual Machines, Network Forensics, and Live
Acquisitions
At a Glance
Instructor’s Manual Table of Contents

Overview

Objectives

Teaching Tips

Quick Quizzes

Class Discussion Topics

Additional Projects

Additional Resources

Key Terms
Lecture Notes
Overview
Chapter 11 is meant to serve as an overview of network forensics, not an in-depth
exploration. Tracing network forensics information can take long, tedious hours of
work, but this field overlaps computer forensics in many areas. It’s assumed you have
had an introductory networking class or Net+ equivalent. The information in this
chapter should give you an idea of how computer and network forensics complement
each other.
Chapter Objectives
Describe primary concerns in conducting forensic examinations of virtual machines
Describe the importance of network forensics
Explain standard procedures for performing a live acquisition
Explain standard procedures for network forensics
Describe the use of network tools
Teaching Tips
Network Forensics Overview
1. Define network forensics and how it works.
a. Intruders leave a trail behind
b. If you know the normal behavior of your network traffic you can identify
abnormal activity
c. Abnormal traffic can be produced by internal bugs or real attacks
Securing a Network
1. Explain that the layered network defense strategy sets up layers of protection to hide the
most valuable data at the innermost part of the network.
2. Define defense in depth (DiD) as a layered network defense approach developed by the
NSA that includes the following modes of protection:
a. People
b. Technology
c. Operations
3. Mention that testing networks is as important as testing servers. You need to be up to
date on the latest methods intruders use to infiltrate networks as well as methods
internal employees use to sabotage networks.
Teaching Tip
Read more about defense in depth (DiD) at:
http://en.wikipedia.org/wiki/Defense_in_Depth_(computing).
Performing Live Acquisitions
1. Explain that live acquisitions are especially useful when you’re dealing with active
network intrusions or attacks. Live acquisitions done before taking a system offline are
also becoming a necessity because attacks might leave footprints only in running
processes or RAM.
2. Mention that live acquisitions don't follow typical forensics procedures: the system keeps
running and changing while you collect, so the acquisition can't be repeated and re-hashed to
match the original the way a static disk image can. Careful documentation of each step takes the
place of repeatability.
3. Define order of volatility (OOV) as how long a piece of information lasts on a system.
4. Describe the general steps to perform a live acquisition, including:
a. Create or download a bootable forensic CD
b. Make sure you keep a log of all your actions
c. A network drive (or removable media) is ideal as a place to send the information you
collect; never write it to the suspect system's own disk, because that overwrites
unallocated space that might hold evidence
d. Copy the physical memory (RAM)
e. The next step varies, depending on the incident you’re investigating
f. Be sure to get a forensic hash value of all files you recover during the live
acquisition
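The procedure above, as an added example that is not code from the textbook or from any forensic tool: a minimal live-acquisition collector that runs volatile-data commands in order of volatility, writes a timestamped action log, saves each output as a file, and produces a SHA-256 manifest for later verification. The command names are assumptions (common Linux utilities); anything not installed is logged and skipped, and memory imaging itself is left to a dedicated tool such as the bootable CD the chapter describes.

```python
"""Added example (not from the textbook): a minimal live-acquisition collector.

It walks a list of volatile-data commands in order of volatility (most
volatile first), records every action with a timestamp in an action log,
stores each command's output as a file, and writes a SHA-256 manifest so the
evidence can be verified later. Memory imaging needs a dedicated tool and is
only logged here as a reminder. The command names are assumptions (common
Linux utilities); anything not installed is logged and skipped.
"""
import datetime
import hashlib
import pathlib
import shutil
import subprocess
import tempfile

# Most volatile first: network state, ARP cache, routes, processes, sessions,
# then slower-changing system state. Each entry is (artifact name, argv).
DEFAULT_OOV_COMMANDS = [
    ("network_connections", ["ss", "-tanp"]),
    ("arp_cache", ["ip", "neigh"]),
    ("routing_table", ["ip", "route"]),
    ("process_list", ["ps", "auxww"]),
    ("logged_in_users", ["who"]),
    ("system_info", ["uname", "-a"]),
    ("mounts", ["mount"]),
]


def sha256_file(path: pathlib.Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def live_acquire(commands=None, outdir=None) -> pathlib.Path:
    """Run each command, store its output, log the action, hash the result.

    Returns the evidence directory. It is created under a temp dir when not
    given; in practice point it at a mounted network share, never at the
    suspect system's own disk.
    """
    commands = DEFAULT_OOV_COMMANDS if commands is None else commands
    out = pathlib.Path(outdir) if outdir else pathlib.Path(tempfile.mkdtemp(prefix="live_"))
    out.mkdir(parents=True, exist_ok=True)
    log = out / "actions.log"
    manifest = out / "SHA256SUMS"

    def note(msg: str) -> None:
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        with log.open("a") as fh:
            fh.write(f"{stamp} {msg}\n")

    note("live acquisition started; RAM image must be taken with a dedicated tool first")
    with manifest.open("w") as mf:
        for name, argv in commands:
            if shutil.which(argv[0]) is None:
                note(f"SKIP {name}: {argv[0]} not available on this host")
                continue
            note(f"RUN  {name}: {' '.join(argv)}")
            proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
            target = out / f"{name}.txt"
            target.write_text(proc.stdout + proc.stderr)
            digest = sha256_file(target)
            mf.write(f"{digest}  {target.name}\n")
            note(f"DONE {name}: exit={proc.returncode} sha256={digest}")
    note("live acquisition finished")
    return out


def verify_manifest(outdir) -> bool:
    """Re-hash every file listed in SHA256SUMS; False if anything changed."""
    out = pathlib.Path(outdir)
    for line in (out / "SHA256SUMS").read_text().splitlines():
        digest, _, name = line.partition("  ")
        if sha256_file(out / name) != digest:
            return False
    return True


if __name__ == "__main__":
    evidence = live_acquire()
    print("evidence in", evidence, "manifest ok:", verify_manifest(evidence))
```

The manifest is the same format `sha256sum -c` reads, so a second examiner can verify the collected files with standard tools, and the action log is the record that a live acquisition cannot be repeated to produce.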
Teaching Tip
You can obtain a copy of Helix from its official Web site: www.e-fense.com.
Developing Standard Procedures for Network Forensics
1. Mention that network forensics is a long, tedious process.
2. Describe the standard procedure for network forensics as follows:
a. Always use a standard installation image for systems on a network
b. Close any way in after an attack
c. Attempt to retrieve all volatile data
d. Acquire all compromised drives
e. Compare files on the forensic image to the original installation image
3. Illustrate the differences between computer forensics and network forensics. As a
network forensic investigator, you need to work on an isolated system to prevent
affecting other parts of your network.
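Step e of the procedure above (comparing the forensic image to the original installation image), as an added example that is not code from the textbook: hash every file in both trees and report what the intruder added, changed, or removed. The two trees are just directories here (the mounted read-only image and the baseline image); the sample trees built by make_sample_trees() are constructed for the demonstration.

```python
"""Added example (not from the textbook): compare a mounted forensic image
against the organization's standard installation image, file by file, to
find what an intruder added, changed, or removed. The sample trees are
constructed for the demonstration.
"""
import hashlib
import pathlib
import tempfile


def hash_tree(root) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256."""
    root = pathlib.Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_to_baseline(baseline_root, image_root) -> dict:
    """Return {'added': [...], 'modified': [...], 'removed': [...]}.

    'added' files are the first things to examine (dropped tools, backdoors);
    'modified' system binaries point at trojaned components; 'removed' files
    often mean log or banner tampering.
    """
    base = hash_tree(baseline_root)
    img = hash_tree(image_root)
    return {
        "added": sorted(p for p in img if p not in base),
        "modified": sorted(p for p in img if p in base and img[p] != base[p]),
        "removed": sorted(p for p in base if p not in img),
    }


def make_sample_trees() -> tuple:
    """Constructed sample: a baseline install and a compromised copy of it."""
    base = pathlib.Path(tempfile.mkdtemp(prefix="baseline_"))
    img = pathlib.Path(tempfile.mkdtemp(prefix="image_"))
    for root in (base, img):
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("Authorized use only\n")
    # What the intruder did on the compromised system:
    (img / "bin" / "ls").write_bytes(b"trojaned ls binary")           # modified
    (img / "etc" / "passwd").write_text(                                # modified
        "root:x:0:0:root:/root:/bin/sh\nbackup:x:0:0::/:/bin/sh\n")
    (img / "bin" / ".rootkit").write_bytes(b"\x7fELF")                  # added
    (img / "etc" / "motd").unlink()                                     # removed
    return base, img


if __name__ == "__main__":
    baseline, image = make_sample_trees()
    for kind, files in compare_to_baseline(baseline, image).items():
        print(kind, files)
```

Run it against a read-only mount of the acquired image, never against the live suspect system, so the comparison itself cannot alter the evidence.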
Reviewing Network Logs
1. Network logs record traffic entering and leaving your network (only what each device is
configured to log, so check logging settings early). You can use logs from the
following network components during an investigation:
a. Network servers
b. Routers
c. Firewalls
2. Define Tcpdump as a common command-line tool for capturing and analyzing network traffic.
3. Explain that analyzing traffic includes:
a. Creating top 10 lists (busiest sources, destinations, and ports)
b. Looking for patterns to understand the attack
c. Determining whether other companies are involved in the attack
4. Mention that if other companies are involved in the attack, you must proceed as in a
computer forensic investigation. You shouldn’t reveal information discovered about
other companies. In these situations, the best course of action is to contact the
companies and enlist their aid in tracking down network intruders.
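Items 3 and 4 above, as an added example that is not code from the textbook or from tcpdump: a first pass over a tcpdump text log that builds the top-10 lists, looks for one source probing many ports with bare SYNs (a scan pattern), and lists sources outside the organization's own address ranges (the "other companies" case). SAMPLE_LOG is constructed for the demonstration, in the line format `tcpdump -n` prints for TCP, using documentation address ranges rather than real hosts.

```python
"""Added example (not from the textbook): first-pass analysis of a tcpdump
text log. SAMPLE_LOG is constructed, in the line format `tcpdump -n` prints
for TCP; the addresses are documentation/private ranges, not real hosts.
"""
import collections
import ipaddress
import re

SAMPLE_LOG = """\
12:00:01.000101 IP 10.0.0.5.40001 > 192.168.1.10.21: Flags [S], seq 1, win 1024, length 0
12:00:01.000205 IP 10.0.0.5.40002 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000311 IP 10.0.0.5.40003 > 192.168.1.10.23: Flags [S], seq 1, win 1024, length 0
12:00:01.000417 IP 10.0.0.5.40004 > 192.168.1.10.25: Flags [S], seq 1, win 1024, length 0
12:00:01.000522 IP 10.0.0.5.40005 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000630 IP 10.0.0.5.40006 > 192.168.1.10.110: Flags [S], seq 1, win 1024, length 0
12:00:01.000738 IP 10.0.0.5.40007 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
12:00:01.000845 IP 10.0.0.5.40008 > 192.168.1.10.3306: Flags [S], seq 1, win 1024, length 0
12:00:02.120000 IP 203.0.113.7.51234 > 192.168.1.10.80: Flags [S], seq 100, win 64240, length 0
12:00:02.120400 IP 192.168.1.10.80 > 203.0.113.7.51234: Flags [S.], seq 500, ack 101, win 65160, length 0
12:00:02.121000 IP 203.0.113.7.51234 > 192.168.1.10.80: Flags [.], ack 501, win 64240, length 0
12:00:02.121500 IP 203.0.113.7.51234 > 192.168.1.10.80: Flags [P.], seq 101:180, ack 501, win 64240, length 79
12:00:03.500000 IP 198.51.100.9.60000 > 192.168.1.10.22: Flags [S], seq 7, win 1024, length 0
12:00:03.600000 IP 198.51.100.9.60001 > 192.168.1.10.22: Flags [S], seq 8, win 1024, length 0
12:00:04.000000 IP 192.168.1.10 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64
"""

# Timestamp, source IP.port, destination IP.port, and the TCP flags tcpdump prints.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text: str) -> list:
    """Parse TCP lines into dicts; non-TCP lines (ICMP, ARP) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records


def top_n(records: list, field: str, n: int = 10) -> list:
    """The chapter's 'top 10 list' for any field, e.g. 'src', 'dst', 'dport'."""
    return collections.Counter(r[field] for r in records).most_common(n)


def find_syn_scanners(records: list, min_ports: int = 5) -> list:
    """(src, dst, port count) for sources sending bare SYNs to many ports on one host."""
    probes = collections.defaultdict(set)
    for r in records:
        if r["flags"] == "S":  # SYN only: no ACK, so not part of an established session
            probes[(r["src"], r["dst"])].add(r["dport"])
    return sorted((src, dst, len(ports)) for (src, dst), ports in probes.items()
                  if len(ports) >= min_ports)


def find_external_sources(records: list, internal_nets: list) -> list:
    """Sources outside your own ranges: the hosts whose owners you may need to contact."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return sorted({r["src"] for r in records
                   if not any(ipaddress.ip_address(r["src"]) in net for net in nets)})


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE_LOG)
    print("top sources:", top_n(recs, "src"))
    print("top destination ports:", top_n(recs, "dport"))
    print("scanners:", find_syn_scanners(recs))
    print("external sources:", find_external_sources(recs, ["10.0.0.0/8", "192.168.0.0/16"]))
```

On a real capture, feed it `tcpdump -n -r capture.pcap` output; the bare-SYN check is deliberately simple (a legitimate client also opens with a SYN), which is why the port-count threshold, not the flag alone, decides what is reported.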
Teaching Tip
You can download a copy of tcpdump from:
http://sourceforge.net/projects/tcpdump/.
Quick Quiz 1
1. ____ is the process of collecting and analyzing raw network data and systematically
tracking network traffic to ascertain how an attack was carried out or how an event
occurred on a network.
Answer: Network forensics
2. True or False: Testing networks is not as important as testing servers.
Answer: False
3. ____ means how long a piece of information lasts on a system.
Answer: Order of volatility (OOV) (also accept "order of volatility" or "OOV")
4. True or False: GUI tools are easy to use, but they’re resource intensive.
Answer: True
Using Network Tools
1. Define Sysinternals as a collection of free tools for examining Windows products. Use
Figure 11-4 to illustrate your explanation.
2. Describe some of the Sysinternals tools, including:
a. RegMon shows Registry activity in real time
b. Process Explorer shows what is loaded (processes, their DLLs, and handles)
c. Handle shows open files and the processes using them
d. Filemon shows file system activity in real time
(RegMon and Filemon have since been merged into Process Monitor, so current
downloads show that tool instead.)
3. Explain the main functions or commands from the PsTools suite developed by
Sysinternals (a separate command-line suite from the tools above), including:
a. PsExec runs processes remotely
b. PsGetSid displays a computer's or user's security identifier (SID)
c. PsKill kills processes by name or ID
d. PsList lists details about processes
e. PsLoggedOn shows who's logged on locally and via resource sharing
f. PsPasswd changes account passwords
g. PsService controls and views services
h. PsShutdown shuts down and restarts PCs
i. PsSuspend suspends processes
Note that PsExec installs a temporary service on the target, so using it on a suspect
system alters that system; record its use in the acquisition log.
Teaching Tip
For a better description of PsTools utilities visit:
www.microsoft.com/technet/sysinternals/Utilities/PsTools.mspx.
Using UNIX/Linux Tools
1. Define Knoppix Security Tools Distribution (STD) as a bootable Linux CD intended for
computer and network forensics.
2. List the main tools in Knoppix STD, including:
a. dcfldd, the U.S. DoD Computer Forensics Lab's enhanced version of dd (adds hashing and progress output)
b. memfetch dumps a running process's memory
c. photorec carves lost files from disks and digital camera media
d. snort, an intrusion detection system
e. oinkmaster helps manage your snort rules
f. john, latest version of John the Ripper
g. chntpw resets passwords on a Windows PC
h. tcpdump and ethereal are packet sniffers (see Figures 11-5 and 11-6)
3. Mention that with the Knoppix STD tools on a portable CD, you can examine almost
any network system.
4. List the main tool categories for The Auditor, another tool based on Knoppix with more
than 300 tools:
a. Network scanning
b. Brute-force attack
c. Bluetooth and wireless
d. Autopsy and Sleuth Kit
e. Word lists with more than 64 million entries
Using Packet Sniffers
1. Define packet sniffers as devices or software that monitor network traffic. Most sniffers
work at layer 2 or 3 of the OSI model. In addition, most packet sniffer tools follow the
PCAP format.
2. Explain how network sniffers work. Some packets can be identified by examining the
flags in their TCP headers. Use Figure 11-8 to illustrate your explanation.
3. Describe some of the most common network sniffer tools, including:
a. Tcpdump
b. Tethereal
c. Snort
d. Tcpslice
e. Tcpreplay
f. Tcpdstat
g. Ngrep
h. Etherape
i. Netdude
j. Argus
k. Ethereal (see Figures 11-9 through 11-11)
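Item 2 above (identifying packets by the flags in their TCP headers), as an added example that is not code from the textbook or from any sniffer: decode the 20-byte fixed TCP header with struct, pull the flag bits out of the 16-bit word at offset 12, and name the packet types an analyst looks for in a trace. The two sample headers are built by build_tcp_header(), a constructed helper, not captured traffic.

```python
"""Added example (not from the textbook): identifying packets by the flag bits
in their TCP header, as a sniffer or IDS does. Sample headers are constructed
by build_tcp_header(); nothing here is captured traffic.
"""
import struct

# Flag bits in the low byte of the 16-bit data-offset/flags word (header offset 12).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def build_tcp_header(sport: int, dport: int, flags, seq: int = 0, ack: int = 0,
                     window: int = 65535) -> bytes:
    """Constructed 20-byte TCP header (no options) with the named flags set."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    data_offset = 5                        # 5 x 32-bit words = 20 bytes
    offset_flags = (data_offset << 12) | bits
    # ports, seq, ack, offset+flags, window, checksum (0 here), urgent pointer
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_flags(header: bytes) -> dict:
    """Decode the fields a flag-based classifier needs from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", header[:14])
    data_offset = (offset_flags >> 12) * 4        # header length in bytes
    bits = offset_flags & 0xFF                    # the eight named flags (NS bit ignored)
    flags = [name for name, bit in FLAG_BITS.items() if bits & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags}


def classify(flags) -> str:
    """Name the common packet types an analyst looks for in a trace."""
    s = set(flags)
    if s == {"SYN"}:
        return "connection request (SYN)"
    if s == {"SYN", "ACK"}:
        return "connection accepted (SYN/ACK)"
    if "RST" in s:
        return "reset (closed port or aborted session)"
    if not s:
        return "NULL scan probe (no flags)"
    if {"FIN", "PSH", "URG"} <= s and "ACK" not in s:
        return "Xmas scan probe"
    if "FIN" in s and "ACK" not in s:
        return "FIN scan probe"
    if "ACK" in s:
        return "established-session segment"
    return "other"


if __name__ == "__main__":
    for label, hdr in [("client SYN", build_tcp_header(40001, 22, ["SYN"])),
                       ("server reply", build_tcp_header(22, 40001, ["SYN", "ACK"])),
                       ("Xmas probe", build_tcp_header(40002, 80, ["FIN", "PSH", "URG"]))]:
        parsed = parse_tcp_flags(hdr)
        print(label, parsed["flags"], "->", classify(parsed["flags"]))
```

Real captures hand you the TCP header after the link-layer and IP headers, so slice at the IP header length (IHL * 4) before calling parse_tcp_flags(); the NULL, FIN, and Xmas cases are exactly the flag combinations a normal stack never sends, which is why a sniffer can pick scanners out of a trace from the flags alone.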
Teaching Tip
Ethereal changed its name to Wireshark recently (www.wireshark.org). You can
download the Wireshark version, if you like, but be aware that steps and screens
might differ from what’s shown in this chapter.
Examining the Honeynet Project
1. Define the Honeynet project as an attempt to thwart Internet and network hackers. The
objectives are awareness, information, and tools. Use Figure 11-12 to illustrate your
explanation.
2. Define a distributed denial-of-service (DDoS) attack as a recent major threat where
hundreds or even thousands of machines (zombies) can be used.
3. Define zero day attacks as another major threat where attackers look for holes in
networks and OSs and exploit these weaknesses before patches are available.
4. Describe the differences between a honeypot and a honeywall.
5. Comment on the legal validity of a honeynet.
6. Explain that the Manuka Project used the Honeynet Project’s principles to create a
usable database for students to examine compromised honeypots.
7. Describe the Honeynet Challenges hosted by the Honeynet project as a good learning
experience.
Teaching Tip
www.honeynet.org/papers/ is an excellent source for papers about honeynets.
Quick Quiz 2
1. ____ is a collection of free tools that were created by Mark Russinovich and Bryce
Cogswell and acquired by Microsoft.
Answer: Sysinternals
2. ____ are devices and/or software placed on a network to monitor traffic.
Answer: Packet sniffers
3. A(n) ____ is a computer set up to look like any other machine on your network; its
purpose is to lure attackers to your network, but the computer contains no information
of real value.
Answer: honeypot
4. ____ are computers set up to monitor what’s happening to honeypots on your network
and record what attackers are doing.
Answer: Honeywalls
Class Discussion Topics
1. Ask your students to discuss the right of a corporate network administrator to use packet
sniffers. Are employees’ privacy rights being violated?
2. Ask students to debate the legal validity of honeynets. Divide them into two groups, one
supporting honeynets and one against honeynets. Groups should present sound
arguments to support their positions.
Additional Projects
1. Ask students to read more about denial-of-service (DoS) and distributed denial-of-service
(DDoS) attacks. As a network administrator, what can you do to prevent them?
2. Ask your students to read about legal issues with honeynets.
Additional Resources
1. tcpdump:
http://en.wikipedia.org/wiki/Tcpdump
2. Monitoring with tcpdump:
www-iepm.slac.stanford.edu/monitoring/passive/tcpdump.html
3. Windows Sysinternals:
www.microsoft.com/technet/sysinternals/default.mspx
4. Other network attacks Web sites:
a. How to plan for a possible network attack
www.windowsecurity.com/articles/Plan-Possible-Network-Attack.html
b. ARP poisoning www.securitywarnings.com/encyclopedia/?id=12
c. Smurf attack www.cert.org/advisories/CA-1998-01.html
d. IP spoofing www.securityfocus.com/infocus/1674
e. Session hijacking
www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm
Key Terms
 defense in depth (DiD) — The NSA’s approach to implementing a layered network
defense strategy. It focuses on three modes of protection: people, technology, and
operations.
 distributed denial-of-service (DDoS) attacks — In these attacks, an Internet attacker
uses other online machines, unbeknownst to the owners, to launch an attack.
 honeypot — A computer or network set up to lure an attacker.
 honeystick — A honeypot and honeywall combined on a bootable memory stick.
 honeywall — An intrusion prevention and monitoring system that tracks what an
attacker does on honeypots.
 layered network defense strategy — An approach to network hardening that sets up
several network layers to place the most valuable data at the innermost part of the
network.
 malware — Any code used to cause damage to a system, including viruses, worms,
Trojan programs, and so on.
 network forensics — The process of collecting and analyzing raw network data and
systematically tracking network traffic to determine how security incidents occur.
 order of volatility (OOV) — A term that refers to how long an item on a system lasts.
RAM and running processes might last only milliseconds; items stored on hard drives
can last for years.
 packet sniffers — Devices and software used to examine network traffic. On TCP/IP
networks, they examine packets, hence the name.
 zero day attacks — Attacks that exploit a vulnerability before the vendor has released a
patch for it (often before the vendor or network administrators even know it exists).
 zombie — A computer used without the owner’s knowledge in a DDoS attack.