ch12
advertisement
Guide to Computer Forensics and Investigations, Second Edition Chapter 12 Network Forensics Objectives • Understand Internet fundamentals • Understand network basics • Acquire data on a Linux computer Guide to Computer Forensics and Investigations, 2e 2 Objectives (continued) • Understand network forensics • Understand the use of network tools • Understand the goals of the Honeynet Project Guide to Computer Forensics and Investigations, 2e 3 Understanding Internet Fundamentals • Internet = Collection of networks • Internet protocols for message exchange – E-mail • Internet Service Provider (ISP) – Internet entry point – Username and password • Common software – Web browsers and e-mail clients Guide to Computer Forensics and Investigations, 2e 4 Internet Protocols • Standards and rules • Every computer must observe a protocol • TCP/IP default Internet protocol – TCP connection-oriented – UDP connectionless • Addressing (IPv4) – 32-bit long divided into four groups of 8 bits – Binary representation Guide to Computer Forensics and Investigations, 2e 5 Internet Protocols (continued) • Addressing (continued) – Dotted quad (205.55.29.170) – Several classes (A, B, C, D and E) • Domain Name Service – Translate IP addresses to named addresses or vice versa Guide to Computer Forensics and Investigations, 2e 6 Understanding Network Basics • Hardening networks – Applying latest patches – Layered network defense strategies • Protocols – TCP/IP – IPX/SPX • Network Address Translation – Translates IP addresses Guide to Computer Forensics and Investigations, 2e 7 Understanding Network Basics (continued) • DHCP – Dynamically assigns IP addresses to hosts • Attacks – Internal – External – Early and mid-1990s • 70% internal/30% external Guide to Computer Forensics and Investigations, 2e 8 Acquiring Data on Linux Computers • dd command – – – – – Disk-to-disk file Disk-to-image file Block-to-block copy Block-to-file copy Ext2fs, Ext3fs, NTFS, FAT, NTFS, HFS, HPFS • Gzip command to compress image files Guide to Computer Forensics and Investigations, 2e 9 Acquiring Data on Linux Computers (continued) • Linux boot disks – – – – – – – Knoppix MandrakeMove Fedora Rescue Gentoo Live F.I.R.E. Penguin Sleuth Kit Tom’s Root Boot Kit Guide to Computer Forensics and Investigations, 2e 10 Acquiring Data on Linux Computers (continued) Guide to Computer Forensics and Investigations, 2e 11 Acquiring Data on Linux Computers (continued) Guide to Computer Forensics and Investigations, 2e 12 Acquiring Data on Linux Computers (continued) • Steps for using dd – – – – Boot PC in Linux Create disk mounting points Mount all disks needed Create copies • For multiple volumes – Determine number of bytes per volume – Calculate number of segments you need to create Guide to Computer Forensics and Investigations, 2e 13 Acquiring Data on Linux Computers (continued) Guide to Computer Forensics and Investigations, 2e 14 Acquiring Data on Linux Computers (continued) • Linux dd script file – – – – Input source Output source Block size Number of blocks to save • Hash check original media – Linux md5sum command – Linux sha1sum command Guide to Computer Forensics and Investigations, 2e 15 Acquiring Data on Linux Computers (continued) • Image creation script example: • Image restore script example: Guide to Computer Forensics and Investigations, 2e 16 Understanding Network Forensics • Systematic tracking of incoming and outgoing traffic – Need to know normal traffic behavior • Intruders leave trace behind – Experimented intruders are harder to trace • Determine the cause of the abnormal traffic – Internal bug – Attackers Guide to Computer Forensics and Investigations, 2e 17 Approach to Network Forensics • Long, tedious process • Standard procedure – – – – – – Use image for machines on network Close any way in after an attack Acquire all compromised drives Make a bit-stream image of the drives Compare images to original images Optionally, store images on a server Guide to Computer Forensics and Investigations, 2e 18 Approach to Network Forensics (continued) • Computer forensics – Work from the image to find what has changed • Network forensics – Restore drives to understand attack • Work on an isolated system – Prevents malware from affecting other systems Guide to Computer Forensics and Investigations, 2e 19 Network Logs • Record ingoing and outgoing traffic – Network servers – Routers – Firewalls • Tcpdump tool for examining network traffic – Top 10 lists – Pattern • Attacks might include other companies – Distributed Denial of Service (DDoS) Guide to Computer Forensics and Investigations, 2e 20 Using Network Tools • PsTools suite – – – – – – RegMon shows Registry data in real time Process Explorer shows what is loaded Handle shows open files and processes using them PsExec runs processes remotely PsGetSid display SID PsKill kills process by name or ID Guide to Computer Forensics and Investigations, 2e 21 Using Network Tools (continued) • PsTools suite (continued) – – – – – – PsList lists details about a process PsLoggedOn shows who’s logged locally PsPasswd changes account passwords PsService controls and views services PsShutdown shuts down and restarts PCs PsSuspend suspends processes Guide to Computer Forensics and Investigations, 2e 22 Using Network Tools (continued) Guide to Computer Forensics and Investigations, 2e 23 UNIX/Linux Tools • Knoppix-STD tools – – – – – – – Dcfldd the U.S. DoD dd version Memfetch forces a memory dump Photorec grabs files from a digital camera Snort intrusion detection system Oinkmaster helps manage your snort rules John the Ripper Chntpw resets passwords on a Windows PC Guide to Computer Forensics and Investigations, 2e 24 UNIX/Linux Tools (continued) • Knoppix-STD tools (continued) – Tcpdum is a packet sniffer – Ethereal another packet sniffer • Packet sniffer – Devices or software that monitors network traffic – Most Work at layer 2 or 3 of the OSI model Guide to Computer Forensics and Investigations, 2e 25 UNIX/Linux Tools (continued) Guide to Computer Forensics and Investigations, 2e 26 UNIX/Linux Tools (continued) • The Auditor – Based on Knoppix – Contains more than 300 tools • • • • • • 20 for scanning 10 for network scanning Brute-force attack Bluetooh and wireless Autopsy and Sleuth Kit Word lists with more than 64 million entries Guide to Computer Forensics and Investigations, 2e 27 Network Sniffers • Operate at layers 2 or 3 of the OSI model • Most tools follow the PCAP format • Tools: – – – – – Tcpdump Tethereal Snort Tcpslice Tcpreplay Guide to Computer Forensics and Investigations, 2e 28 Network Sniffers (continued) • Tools (continued): – – – – – – – Tcpdstat Ngrep Etherape Netdude Argus Ethereal The Auditor Guide to Computer Forensics and Investigations, 2e 29 Network Sniffers (continued) Guide to Computer Forensics and Investigations, 2e 30 The Honeynet Project • Attempt to thwart Internet and network hackers – Provides information about attack methods • Honeypots – Normal looking computer that lures attackers to it • Honeywalls – Monitor outbound connections – Snort-inline intrusion prevention systems Guide to Computer Forensics and Investigations, 2e 31 The Honeynet Project (continued) Guide to Computer Forensics and Investigations, 2e 32 The Honeynet Project (continued) • Its legality has been questioned – Cannot be used in court – Can be used to learn about attacks • Scan of the month – Monthly challenge contest – Good as a learning experience Guide to Computer Forensics and Investigations, 2e 33 The Honeynet Project (continued) Guide to Computer Forensics and Investigations, 2e 34 Summary • Network forensics tracks down internal and external network intrusions • Most networks today use TCP/IP • Networks must be hardened by using good architecture • Each NOS has its own way of handling security, and you must become familiar with how yours operates Guide to Computer Forensics and Investigations, 2e 35 Summary (continued) • Tools such as PsTools, Knoppix-STD, and others can be used to monitor what’s happening on your network • The Honeynet Project is designed to help people learn the latest intrusion techniques that hackers are using Guide to Computer Forensics and Investigations, 2e 36
