
UNIT - 2-Network & Internet Forensics (2)

Overview of OSI Model
Introduction to NAT
• NAT (Network Address Translation) is a mechanism where a device rewrites the IP address (and, in the port-translating form most home and office gateways use, the TCP/UDP port number) of a packet, mapping addresses from one realm to another (usually from a private IP address to a public IP address and vice versa).
• It works by the NAT device allocating a temporary port number on its public side when it forwards an outbound packet from an internal host towards the Internet, keeping that mapping for some predefined time, and forwarding inbound packets that arrive from the Internet on that public port back to the internal host. Whether a packet on a mapped port is accepted from any remote endpoint or only from the one the internal host contacted depends on the NAT's filtering behaviour (RFC 4787 distinguishes endpoint-independent from address- and port-dependent filtering), which is also what makes some NATs easier to traverse than others.
• NAT devices are installed primarily to alleviate the exhaustion of the IPv4 address space by allowing multiple hosts to share one public/Internet address.
• Because of this mapping behaviour (a mapping can only be created by a transmission from an internal host), a NAT device is often installed even when IPv4 address exhaustion is not a problem (for example when there is only one host at home), to give the internal hosts some degree of shielding against unsolicited traffic from the Internet.
• Although NAT shields the internal network to some extent, one must distinguish a NAT solution from a firewall solution. NAT is not a firewall. A firewall is a security solution designed to enforce the security policy of an organisation, while NAT is a connectivity solution that lets multiple hosts use a single public IP address. A NAT places no restriction on what internal hosts send out, and its inbound "protection" disappears for any port that has been forwarded or opened via UPnP.
• Understandably the two functions are hard to separate at times, since many (typically consumer) products claim to do both in the same device and simply label it a "NAT box". The distinction still matters: a NAT traversal library such as PJNATH is a NAT traversal helper and not a firewall bypass solution (yet).
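The mapping behaviour described above, as an added example that is not part of the original slides: a small Python model of a port-translating NAT with address-and-port-dependent filtering. The addresses (RFC 5737 documentation ranges), the 30-second mapping lifetime and the public port range are constructed for the demonstration. It shows the "shield" effect (an unsolicited inbound packet, or one from a different remote endpoint than the host contacted, is dropped) and its limit: nothing in the device inspects or restricts what internal hosts send out, which is why it is not a firewall.

```python
import time
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges) and an assumed mapping lifetime.
PUBLIC_IP = "203.0.113.10"
MAPPING_TTL = 30.0  # seconds a mapping survives without traffic


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class Mapping:
    internal_ip: str
    internal_port: int
    remote_ip: str
    remote_port: int
    expires_at: float


class NaptDevice:
    """Port-translating NAT with address-and-port-dependent filtering: an inbound
    packet is forwarded only if it arrives on a public port that an internal host
    opened towards that same remote endpoint. Everything else is dropped."""

    def __init__(self, public_ip=PUBLIC_IP, ttl=MAPPING_TTL, clock=time.monotonic):
        self.public_ip = public_ip
        self.ttl = ttl
        self.clock = clock          # injectable so tests can fast-forward time
        self.next_port = 40000
        self.table = {}             # public port -> Mapping
        self.by_internal = {}       # (int ip, int port, remote ip, remote port) -> public port

    def _expire(self):
        now = self.clock()
        for port in [p for p, m in self.table.items() if m.expires_at <= now]:
            m = self.table.pop(port)
            self.by_internal.pop((m.internal_ip, m.internal_port, m.remote_ip, m.remote_port), None)

    def outbound(self, pkt):
        """Translate an internal -> Internet packet, creating a mapping if none exists."""
        self._expire()
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_internal.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_internal[key] = port
        # (Re)write the entry so the TTL is refreshed by outbound traffic.
        self.table[port] = Mapping(*key, expires_at=self.clock() + self.ttl)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Translate an Internet -> internal packet; return None when it is dropped."""
        self._expire()
        m = self.table.get(pkt.dst_port)
        if m is None or (m.remote_ip, m.remote_port) != (pkt.src_ip, pkt.src_port):
            return None  # no mapping, or sender is not the endpoint the host contacted
        m.expires_at = self.clock() + self.ttl
        return Packet(pkt.src_ip, pkt.src_port, m.internal_ip, m.internal_port, pkt.payload)


def demo():
    """Walk one connection through the NAT and return what happened to each packet."""
    clock = [1000.0]
    nat = NaptDevice(clock=lambda: clock[0])
    host, server = "192.168.1.20", "198.51.100.5"
    out = nat.outbound(Packet(host, 51234, server, 443, b"hello"))
    reply = nat.inbound(Packet(server, 443, PUBLIC_IP, out.src_port, b"world"))       # forwarded
    stray = nat.inbound(Packet("198.51.100.99", 443, PUBLIC_IP, out.src_port, b"?"))  # other endpoint: dropped
    unsolicited = nat.inbound(Packet(server, 443, PUBLIC_IP, 22, b"scan"))            # no mapping: dropped
    clock[0] += MAPPING_TTL + 1
    expired = nat.inbound(Packet(server, 443, PUBLIC_IP, out.src_port, b"late"))      # mapping timed out
    return out, reply, stray, unsolicited, expired


if __name__ == "__main__":
    for name, pkt in zip(("out", "reply", "stray", "unsolicited", "expired"), demo()):
        print(f"{name:12} {pkt}")
```

A real gateway keys its table on the full 5-tuple and applies per-protocol timeouts (TCP mappings typically live far longer than UDP ones); the model above keeps only what is needed to show why unsolicited inbound traffic is dropped and why that is not the same as policy enforcement.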
Network Information-Gathering Tools
• Nmap. Nmap is an open-source network scanner used to discover hosts, open ports, services and operating systems during reconnaissance.
• Zenmap. The official graphical front-end for Nmap, shipped with Kali Linux; it builds the Nmap command line for you and can compare the results of two scans.
• whois lookup. whois queries the registration records (registrant, registrar, creation and expiry dates, name servers) that registries keep for registered domains and IP address blocks.
• SPARTA. A GUI tool that chains Nmap scans with follow-up service enumeration and brute-force tools against the hosts it finds.
• nslookup. A DNS query tool for resolving names to addresses and looking up record types such as MX, NS and TXT, optionally against a name server of your choice.
• Osintgram. An OSINT tool for collecting information from Instagram accounts.
https://www.geeksforgeeks.org/kali-linux-information-gathering-tools/
Monitoring User Activity
• Sometimes called user activity tracking, user activity monitoring is a
form of surveillance, but serves as a proactive review of end user
activity to determine misuse of access privileges or data protection
policies either through ignorance or malicious intent.
Investigating Routers
• The basics of router forensics are collecting data from the device that can act as evidence. The standard process involves issuing the "show" commands and collecting data such as logs and network activity data, ideally over the console port and before any reboot, since the routing table, ARP cache, NAT table and buffered logs live only in volatile memory.
Core Analysis
• A Cisco IOS core dump (taken with the "write core" command, or written automatically on a crash when "exception dump" is configured) captures the router's memory regions for offline analysis:
• main memory,
• I/O memory, and
• PCI memory (if used).
• Show Commands
• Most of the required information to be collected from the router will be obtained using the Cisco "show" commands. Run them from privileged EXEC mode with the terminal session logged (and "terminal length 0" set so output is not paged), and avoid "clear", "reload" or configuration commands that would alter the state you are recording. The main commands that you need to become familiar with are:
• show clock detail
• show version
• show running-config
• show startup-config
• show reload
• show ip route
• show ip arp
• show users
• show logging
• show ip interface
• show interfaces
• show tcp brief all
• show ip sockets
• show ip nat translations verbose
• show ip cache flow
• show ip cef
• show snmp user
• show snmp group
• show clock detail (run again at the end, so the collection is bracketed by the router's own timestamps)
Show audit
• The Router Security Audit Logs feature allows for the creation of audit trails. If configured, these can be used to track changes that have been made to a router running Cisco IOS software.
• The "show audit" command displays the contents of the audit file. The syntax of the command is: show audit [filestat]
• The "filestat" option displays the rollover counter for the circular buffer and the number of messages received. The rollover counter, which indicates the number of times the circular buffer has been overwritten, is reset when the audit file size is changed (via the "audit filesize" command). The command runs from privileged EXEC mode. The audit feature also records a hash of the information from the "show version" command, so a later change in that output can be detected.
https://www.sans.org/blog/cisco-router-forensics/
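The collection procedure above, as an added Python example (not from the slides or the SANS post): the listed show commands are issued in order, each capture is hashed, one manifest digest covers the whole run for the case notes, and the rows of "show ip nat translations" are parsed into structured records. The run_cmd argument would normally wrap a logged console or SSH session; here a constructed fake_run_cmd returns sample output so the script runs offline.

```python
import hashlib
import re
from datetime import datetime, timezone

# Command list from the slide, in order. "show clock detail" is run first and last so
# the collection is bracketed by the router's own timestamps.
EVIDENCE_COMMANDS = [
    "show clock detail", "show version", "show running-config", "show startup-config",
    "show reload", "show ip route", "show ip arp", "show users", "show logging",
    "show ip interface", "show interfaces", "show tcp brief all", "show ip sockets",
    "show ip nat translations verbose", "show ip cache flow", "show ip cef",
    "show snmp user", "show snmp group", "show clock detail",
]

# Constructed sample output standing in for a live console session (not real device data).
FAKE_CONSOLE = {
    "show clock detail": "*10:42:07.123 UTC Mon Mar 4 2024\nTime source is NTP",
    "show ip arp": (
        "Protocol  Address          Age (min)  Hardware Addr   Type   Interface\n"
        "Internet  192.168.1.1             -   0011.2233.4455  ARPA   GigabitEthernet0/0\n"
        "Internet  192.168.1.20            3   aabb.ccdd.eeff  ARPA   GigabitEthernet0/0"
    ),
    "show ip nat translations verbose": (
        "Pro Inside global      Inside local       Outside local      Outside global\n"
        "tcp 203.0.113.10:40000 192.168.1.20:51234 198.51.100.5:443   198.51.100.5:443\n"
        "    create 00:01:12, use 00:00:03 timeout:86400000, left 23:58:48, flags: extended"
    ),
}


def fake_run_cmd(cmd):
    """Stand-in for a function that types `cmd` at the console and returns its output."""
    return FAKE_CONSOLE.get(cmd, f"% sample output for '{cmd}' not included")


def collect(run_cmd, commands=EVIDENCE_COMMANDS):
    """Issue each command in order; keep its output, a wall-clock stamp and a SHA-256."""
    records = []
    for cmd in commands:
        output = run_cmd(cmd)
        records.append({
            "command": cmd,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "sha256": hashlib.sha256(output.encode()).hexdigest(),
            "output": output,
        })
    return records


def manifest_digest(records):
    """One hash over the ordered (command, sha256) pairs, to be written into the case
    notes; any later edit to a captured output, or a reordering, changes it."""
    h = hashlib.sha256()
    for r in records:
        h.update(r["command"].encode() + b"\0" + r["sha256"].encode() + b"\n")
    return h.hexdigest()


# Data rows of `show ip nat translations`; the verbose continuation lines are skipped.
NAT_ROW = re.compile(r"^(tcp|udp|icmp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)")


def parse_nat_translations(text):
    """Return each translation as a dict of (ip, port) tuples keyed by IOS column name."""
    rows = []
    for line in text.splitlines():
        m = NAT_ROW.match(line)
        if m:
            g = m.groups()
            rows.append({
                "proto": g[0],
                "inside_global": (g[1], int(g[2])),
                "inside_local": (g[3], int(g[4])),
                "outside_local": (g[5], int(g[6])),
                "outside_global": (g[7], int(g[8])),
            })
    return rows


if __name__ == "__main__":
    recs = collect(fake_run_cmd)
    for r in recs:
        print(f"{r['sha256'][:16]}  {r['command']}")
    print("manifest:", manifest_digest(recs))
    print(parse_nat_translations(FAKE_CONSOLE["show ip nat translations verbose"]))
```

The manifest digest is only useful if it leaves the machine that produced it (written into the case notes or signed), since anyone who can edit the captures can also recompute it.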
Hacking Routers
• Router scanning is a hybrid attack method against both LAN and wireless routers (wireless support was added later) that scans an organisation's subnets and then attacks the routers it finds.
• Router Scan by Stas'M is a tool that performs such scanning and can pull important information from a wireless router, including the access point name (SSID), the access point key (password) and even the encryption method the wireless router uses.
• It gathers this information in two ways: it uses a list of default and common passwords to guess the router's administrative password, and it uses router-model-specific vulnerabilities to either extract the information above or bypass authorisation altogether. Ethical hackers can use the program to test how resistant their router password is, get a better idea of the weaknesses of the router model they use, and better understand how attackers behave when they use this method against a router. The corresponding defences are to change default credentials, disable administration from the WAN side, and keep the router's firmware up to date.
Internet & World wide web threats
• Web threats definition
• Web-based threats, or online threats, are a category of cybersecurity risks that may
cause an undesirable event or action via the internet.
• Web threats are made possible by end-user vulnerabilities, web service
developers/operators, or web services themselves. Regardless of intent or cause, the
consequences of a web threat may damage both individuals and organizations.
• This term typically applies to — but is not limited to — network-based threats in the
following categories:
• Private network threats - impact sub-networks connected to the wider global internet.
Typical examples can include home Wi-Fi or ethernet networks, corporate intranets, and
national intranets.
• Host threats - impact specific network host devices. The term host often refers to
corporate endpoints and personal devices, such as mobile phones, tablets, and
traditional computers.
• Web server threats - impact dedicated hardware and software that serve web
infrastructure and services.
What are web threats?
• Internet-based threats expose people and computer systems to harm online. A broad scope of dangers fits into this category, including
well-known threats like phishing and computer viruses. However, other threats, like offline data theft, can also be considered part of
this group.
• Web threats are not limited to online activity but ultimately involve the internet at some stage for inflicted harm. While not all web
threats are created deliberately, many are intended — or have the potential — to cause:
• Access denial. Prevention of entry to a computer and/or network services.
• Access acquisition. Unauthorized or unwanted entry into a private computer and/or network services.
• Unauthorized or unwanted use of computer and/or network services.
• Exposing private data without permission, such as photos, account credentials, and sensitive government information.
• Unauthorized or undesired changes to a computer and/or network services.
• In recent years, the landscape of web threats has grown significantly. Technologies like smart devices and high-speed mobile networks have created an always-connected vector for malware, fraud and other harm. Also, web adoption in areas like communications and productivity via the Internet of Things (IoT) has outpaced user security awareness.
• As we rely more on the web for daily living, it will keep growing as an attractive attack option for malicious parties. Convenience and a lack of caution around web use are among the top concerns that continue to pose new risks to privacy and security.
• While targets are typically computer-based, human victims ultimately experience the lasting effects of a web threat.
How do web threats work?
• When a web threat arises, certain circumstances align to make it a point-of-concern.
• Namely, there are a few basic components to any web threat:
• Threat motives give an intentional threat agent a reason or goal to cause harm. Some threat agents do not act intentionally, or act autonomously, and may therefore have no motive.
• Threat agents are anything or anyone that can negatively impact — with the internet
either as a threat vector or a target itself.
• Vulnerabilities include any human behavior weakness, technology systems, or other
resources that can lead to a damaging exploit or incident.
• Threat outcomes are the negative results of a threat agent acting against one or more
vulnerabilities.
• As these components interact, a threat becomes an attack on computer systems. Threat
motives can include any of the following: financial, surveillance, information, retaliation,
sabotage, and more.
• Threat agents are typically people with malicious intent. By extension, agents may also be anything that is
manipulated into acting in favor of the original threat agent. However, some threat agents
— such as destructive nature events — act entirely without human intervention.
• The types of threat agents include:
• Non-human agents: Examples include malicious code (viruses, malware, worms, scripts), natural disasters
(weather, geological), utility failure (electrical, telecom), technology failure (hardware, software), and
physical hazards (heat, water, impact).
• Intentional human agents: Based on malicious intent. Can be internal (employees, contractors, family,
friends, acquaintances) and external (professional and amateur hackers, nation-state actors and agencies,
competitor corporations)
• Accidental human agents: Based on human error. Similar to intentional threats, this type can include
internal and external agents.
• Negligence-based human agents: Based on careless behaviors or safety oversights. Again, this category can
also include internal and external agents.
• Vulnerabilities may be points of weakness where someone or something can be manipulated. Vulnerabilities
can be considered a web threat and a concern that enables other threats. This area typically includes some
form of human or technical weakness that can lead to penetration, misuse, or destruction of a system.
• Threat outcomes may lead to disclosed private info, deceived users, disrupted computer system use, or seized access privileges. Web
threats often result in, but are not limited to, causing:
• Reputation damage: Loss of trust from clients and partners, search engine blacklisting, humiliation, defamation, etc.
• Operations disruption: Operational downtime, access denial to web-based services such as blogs or message boards, etc.
• Theft: Financial, identity, sensitive consumer data, etc.
• Cybercriminals will use almost any vulnerability within an operating system (OS) or an application to conduct an attack. However,
most cybercriminals will develop web threats that deliberately target some of the most common operating systems/applications,
including:
• Java: Because Java is installed on billions of devices running various operating systems, exploits can be written against specific Java vulnerabilities and reused across several platforms.
• Adobe Reader: Although many attacks have targeted Adobe Reader, and Adobe has added sandboxing and other exploit mitigations to the program, it remains a common target.
• Windows and Internet Explorer: Active exploits still target vulnerabilities that were disclosed as far back as 2010, including MS10-042 in Windows Help and Support Center and MS04-028, a flaw in the handling of JPEG files. Such old bugs keep working only against systems that were never patched.
• Android: Cybercriminals use exploits to gain root privileges, after which they have almost complete control over the targeted device.
How do internet web threats spread?
• The most concerning internet threats travel the web to attack more systems.
These threat agents often use a mix of human manipulation and technical
commands to reach their targets.
• Web threats of this nature use the internet's many communications channels to spread. Large-scale threats propagate across the global internet, while more targeted threats may directly infiltrate private networks.
• Typically, these threats are distributed through web-based services. Malicious
actors prefer to place these threats in locations where users will often engage
with them. Public websites, social media, web forums, and email are often ideal
for spreading a web threat.
• Users are affected when they engage with malicious URLs, downloads, or provide
sensitive info to websites and message senders. This engagement may also
trigger infection and spread of web threats to other users and networks. It’s not
uncommon for innocent users to unknowingly become threat agents themselves.
How to spot web threats
• Despite the unending scope of web-based dangers, some general traits of web threats can be spotted. Doing so requires a vigilant eye for subtle details.
• Some threats to web infrastructure are physical and obvious, such as water and heat damage to hardware. Others require careful attention: browsing websites and receiving digital messages are the moments to be most cautious.
• Here are some tips to guide you:
• Grammar: Malicious actors do not always craft their messages or web content carefully. Look for typos, odd punctuation and unusual phrasing. Well-resourced attackers do write fluent text, so the absence of mistakes proves nothing on its own.
• URLs: Harmful links can be hidden behind decoy anchor text, the visible text that is displayed. Hover over a link to inspect its true destination, and read the host name (the part between "//" and the next "/") rather than trusting a familiar brand name that appears somewhere else in the string.
• Poor quality images: Low-resolution or unofficial images may indicate a malicious webpage or message.
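The URL tip above, as an added example that is not from the original page: a Python check that extracts each anchor's visible text and href and flags the mismatches a hover would reveal, plus two other decoys (a user@host prefix that hides the real host, and a bare IP address). The HTML fragment is constructed, and every host in it is from the reserved example/documentation name and address space.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that looks like a URL or bare host name, e.g. "https://www.example.com/login".
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Flag links whose real destination does not match what the user is shown."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if url.username is not None:
            reasons.append("user@ before the real host (the https://bank.example@evil.test/ trick)")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append("raw IP address instead of a host name")
        m = HOSTLIKE.match(text)
        if m:
            shown = m.group(1).lower()
            # A subdomain of the shown host is fine; anything else is a decoy.
            if host != shown and not host.endswith("." + shown):
                reasons.append(f"text shows {shown} but the link goes to {host or href!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed phishing-style fragment; all hosts are in reserved example/documentation space.
SAMPLE_HTML = """
<p>Your account needs attention:
   <a href="https://secure-login.example-bank.test/">https://www.example-bank.com/</a></p>
<p>Or <a href="http://198.51.100.7/login">click here</a> to verify now.</p>
<p>Docs: <a href="https://docs.example.com/start">docs.example.com</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_HTML):
        print(f["text"], "->", f["href"], "|", "; ".join(f["reasons"]))
```

The check only sees what is in the HTML; a link that passes it can still redirect after the click, so it is a triage aid for mail filters and investigators, not proof that a link is safe.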
Types of web security threats
• As mentioned previously, web threats typically combine human and technical manipulation. Be aware that web threats tend to overlap, and some may occur simultaneously. Some of the most common web threats include the following.
• Social engineering
• Social engineering involves deceiving users into acting, unknowingly, against their own best interests. These threats usually involve gaining the trust of users in order to deceive them. Manipulating users in this way can include:
• Phishing: Posing as legitimate institutions or people to get users to divulge personal details.
• Watering hole attacks: Compromising websites that a target group is known to visit, so that visitors are exposed to harm on a site they trust.
• Network spoofing: Fraudulent access points that mimic legitimate ones.
• Malicious code
• Includes malware and harmful scripts (sequences of programming commands) that create or exploit technical vulnerabilities. Where social engineering is the human side of web threats, malicious code is the technical side. These threats can include but are not limited to:
• Injection attacks: Supplying attacker-controlled input to legitimate applications and websites so that it is interpreted as code or query syntax rather than data. Examples include SQL injection and cross-site scripting (XSS).
• Botnet: Hijacking user devices for remote, automated use in a network of similar "zombies". These are used to scale up spam campaigns, malware distribution, DDoS attacks and more.
• Spyware: Tracking programs that monitor user actions on a device. The most common examples are keyloggers.
• Computer worms: Programs that run, replicate and spread autonomously without the help of a host program.
• Exploits
• Exploits are intentional abuses of vulnerabilities that may lead to an undesirable incident.
• Brute force attacks: Manual or automated attempts to get past security "gates". This typically involves trying many candidate passwords for a private account (or, in password spraying, a few common passwords against many accounts).
• Spoofing: Masking a real identity to manipulate legitimate computer systems. Examples include IP spoofing, DNS spoofing and cache poisoning.
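Injection attacks above (and the advice later on the page to probe your own site with SQL injection tools), as an added Python/SQLite example that is not from the original page: a login query built by string formatting, beside the parameterised version, both run against a constructed in-memory table. Passwords are stored in clear only to keep the demonstration short; a real system stores salted password hashes and compares them in application code.

```python
import sqlite3


def make_db():
    """Constructed demo table; clear-text passwords are for brevity only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, username, password):
    """User input is pasted into the SQL text, so it can change the query's grammar."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in db.execute(query)]


def login_safe(db, username, password):
    """Parameters travel separately from the SQL text; the driver never lets them
    be parsed as SQL, so quotes in the input stay data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(query, (username, password))]


def demo():
    db = make_db()
    payload = "' OR '1'='1"   # tautology: ... AND password = '' OR '1'='1'
    return (
        login_vulnerable(db, "alice", payload),    # every user, no password known
        login_safe(db, "alice", payload),          # nothing: the payload is just a wrong password
        login_safe(db, "alice", "correct-horse"),  # normal successful login
    )


if __name__ == "__main__":
    vuln, safe, ok = demo()
    print("vulnerable query with payload:   ", vuln)
    print("parameterised query with payload:", safe)
    print("parameterised, real password:    ", ok)
```

The vulnerable version returns every account because AND binds tighter than OR, so the WHERE clause becomes "(username = 'alice' AND password = '') OR '1'='1'". Escaping quotes by hand is not a substitute for parameters: the same input, bound as a parameter, is simply a password nobody has.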
• Cybercrime
• Cybercrime refers to any unlawful activity conducted via computer systems. These threats often use the web to enact their plans.
• Cyberbullying: Mental abuse of victims using threats and harassment.
• Unauthorized data disclosure involves the release of private information, such as email leaks, intimate photos, and significant corporate data leaks.
• Cyber libel: Also known as online defamation, this can involve attacking individuals or organizations' reputations. This can be done through
disinformation (deliberate distribution of inaccurate information) or misinformation (mistaken distribution of inaccurate information).
• Advanced Persistent Threats (APTs): Malicious actors gain access to a private network and establish ongoing access. They combine social
engineering, malicious code, and other threats to exploit vulnerabilities and gain this access.
• Typically, web threats refer to malware programs that can target you when you're using the internet. These browser-based threats include a range of
malicious software programs that are designed to infect victims’ computers. The main tool behind such browser-based infections is the exploit pack –
which gives cybercriminals a route to infecting computers that either:
• Do not have a security product installed
• Contain a commonly used operating system or application that is vulnerable – because the user hasn’t applied the latest updates, or a new patch has
yet to be issued by the software vendor
• Kaspersky’s Internet security experts have identified the most active malicious software programs involved in web threats. The list includes the
following types of online threats:
• Malicious websites. Kaspersky identifies these websites by using cloud-based heuristic detection methods. Most malicious URL detections are for
websites that contain exploits.
• Malicious scripts. Hackers inject malicious scripts into the code of legitimate websites that have had their security compromised. Such scripts are
used to perform drive-by attacks – in which visitors to the website are unknowingly redirected to malicious online resources.
• Scripts and executable PE files. Generally, these either:
• download and launch other malicious software programs, or
• carry a payload that steals data from online banking and social network accounts, or steals login and account details for other services.
• Trojan-Downloaders. These Trojans deliver various other malicious programs to users' computers.
• Exploits and exploit packs. Exploits target vulnerabilities and try to evade the attention of Internet security software.
• Adware programs. Often, adware installs alongside a freeware or shareware program the user chose to download.
Examples of web threats
• Among the many examples of web threats, here are some of the more well-known
examples:
• WannaCry ransomware
• In May 2017, the WannaCry ransomware spread to many networks and locked down hundreds of thousands of Windows PCs. This threat was particularly dangerous because of its worm functionality, which allowed it to spread completely autonomously. WannaCry exploited a vulnerability in Windows' SMBv1 file-sharing protocol (the "EternalBlue" exploit, for which Microsoft had released the MS17-010 patch two months earlier), so unpatched hosts were infected without any user action.
• Celebrity iCloud phishing
• A spear-phishing attack led to the breach of numerous celebrity iCloud accounts. This
breach ultimately resulted in the unauthorized leak of countless private photos from
these accounts.
• While the attacker was eventually located and prosecuted, the victims are still suffering
from their intimate photos being made public — without their permission. This has
become one of the most well-known phishing attacks of the decade.
How to protect yourself against web threats
• Most threats are successful due to two main weaknesses:
• Human error
• Technical error
• Full protection from web threats means finding ways to cover both weak points.
• General tips to follow for both end-users and web service providers include:
• Always create backups: All valuable data should be copied and stored safely, offline or otherwise isolated from the systems it protects, so that it survives the incident that destroys the original. Websites, device drives and even web servers can be backed up.
• Enable multi-factor authentication (MFA): MFA adds layers of user authentication on top of traditional passwords. Organisations should enable this protection for users, and end-users should make use of it.
• Scan for malware: Regular scans for infections help keep devices secure. Personal devices can be covered by an antivirus product such as Kaspersky Total Security; enterprise endpoints and networks should use this protection as well.
• Keep all tools, software and OS up to date: Systems are most vulnerable when they remain unpatched against holes that are already known and, often, already being exploited. Software developers regularly probe for weaknesses and issue updates for this purpose. Protect yourself by installing these updates.
• Service providers like website owners and server operators are where truly comprehensive security starts. These parties need to take precautions for better protection. They can do this by:
• Monitoring web traffic to establish normal volumes and patterns, so that deviations stand out.
• Implementing firewalls to filter and restrict unpermitted web connections.
• Distributing network infrastructure to decentralise data and services. This includes backups for various resources and geographic server rotation.
• Internal probing to investigate for unpatched vulnerabilities. This might, for example, involve self-attacking with SQL injection attack tools.
• Proper security configuration for access rights and session management.
• Users should protect themselves by doing the following:
• Scan downloads for malware.
• Vet links before clicking, only clicking links if you are positive the destination is safe and trusted.
• Make strong, secure passwords, and avoid duplicates. Use a secure Password Manager to help
manage all of your accounts and passwords.
• Throttle login attempts by triggering account lockdown after a limited number of tries.
• Look out for phishing red flags in texts, email, and other communications.
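Throttling, as an added example not from the original page: a Python in-memory counter that locks an account or a source IP after a set number of failures within a window. The policy numbers (5 failures, 15-minute window, 15-minute lock) are assumptions. Keying on both the account and the source catches password spraying (one guess against many accounts), which a per-account counter never sees, and limits how easily an attacker can lock a victim out by failing on purpose; production systems keep this state in a shared store and often prefer back-off or a CAPTCHA to hard lockouts for exactly that reason.

```python
import time
from collections import defaultdict, deque

# Assumed policy values for the example.
MAX_FAILURES = 5         # failures allowed inside WINDOW before a lock
WINDOW = 15 * 60         # seconds over which failures are counted
LOCKOUT = 15 * 60        # seconds a locked key stays locked


class LoginThrottle:
    """Count failed logins per account and per source IP; lock whichever key
    reaches MAX_FAILURES within WINDOW."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable for testing
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.locked_until = {}                # key -> time the lock expires

    def _keys(self, username, ip):
        return (("user", username.lower()), ("ip", ip))

    def is_locked(self, key):
        return self.locked_until.get(key, 0) > self.clock()

    def allow(self, username, ip):
        """Should this attempt even be evaluated against the password store?"""
        return not any(self.is_locked(k) for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self.clock()
        for key in self._keys(username, ip):
            q = self.failures[key]
            while q and q[0] <= now - WINDOW:   # drop failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= MAX_FAILURES:
                self.locked_until[key] = now + LOCKOUT
                q.clear()

    def record_success(self, username, ip):
        """A good login clears the account counter (the IP counter is kept on purpose)."""
        self.failures.pop(("user", username.lower()), None)


def demo():
    """Five failures from one IP against 'alice', then probe the consequences."""
    clock = [0.0]
    t = LoginThrottle(clock=lambda: clock[0])
    for _ in range(MAX_FAILURES):
        assert t.allow("alice", "198.51.100.5")
        t.record_failure("alice", "198.51.100.5")
        clock[0] += 1
    blocked_account = t.allow("alice", "203.0.113.9")   # same account, new source
    blocked_source = t.allow("bob", "198.51.100.5")     # new account, same source
    clock[0] += LOCKOUT + 1
    after_lockout = t.allow("alice", "198.51.100.5")
    return blocked_account, blocked_source, after_lockout


if __name__ == "__main__":
    print(demo())  # (False, False, True)
```

Call allow() before touching the password store and record_failure()/record_success() afterwards; returning the same generic error for "locked" and "wrong password" avoids telling an attacker which accounts exist.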
Messenger Forensics: AOL
• https://flylib.com/books/en/3.210.1.56/1/
• https://www.tmeic.com/use-cookies-and-access-analysis-tools
• https://www.foxtonforensics.com/blog/post/web-pagereconstruction-for-forensic-analysis
Important Tools
• SNORT
• Snort is the foremost Open Source Intrusion Prevention System (IPS)
in the world. Snort IPS uses a series of rules that help define malicious
network activity and uses those rules to find packets that match
against them and generates alerts for users.
• Snort can be deployed inline to stop these packets, as well. Snort has
three primary uses: As a packet sniffer like tcpdump, as a packet
logger — which is useful for network traffic debugging, or it can be
used as a full-blown network intrusion prevention system. Snort can
be downloaded and configured for personal and business use alike.
• https://www.snort.org/downloads
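How rule matching of the kind described above works, as an added example that is not Snort's code or the page's: a Python matcher for a small subset of the Snort rule language (action, protocol, plain or negated CIDR source and destination, ports and port ranges, and the content, msg and sid options) run over constructed packets. Real Snort handles far more (variables such as $HOME_NET, address and port lists, hex content, flow state, preprocessors and fast pattern matching); this only shows the header-plus-content matching idea.

```python
import ipaddress
import re

# Header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(alert|drop|log)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(text):
    """Parse a subset of Snort syntax. Unsupported: variables ($HOME_NET), lists
    ([a,b]), hex content (|..|), option modifiers, and ';' inside quoted values."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for opt in (o.strip() for o in body.split(";")):
        if opt:
            key, _, val = opt.partition(":")
            opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return {
        "action": action, "proto": proto.lower(),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "msg": opts.get("msg", [""])[0], "sid": opts.get("sid", ["0"])[0],
        "contents": [c.encode() for c in opts.get("content", [])],
    }


def _addr_match(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negate


def _port_match(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                       # range; either end may be open: "1024:", ":1023"
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def matches(rule, pkt):
    """All header fields must match, and every content: string must appear in the payload."""
    return (rule["proto"] in ("ip", pkt["proto"])
            and _addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])
            and _addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"])
            and all(c in pkt["payload"] for c in rule["contents"]))


def run(rules, packets):
    """Return (sid, msg, src, dst) for every rule that fires on every packet."""
    return [(r["sid"], r["msg"], p["src"], p["dst"])
            for p in packets for r in rules if matches(r, p)]


# Constructed rules and packets (documentation address ranges, made-up SIDs).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"HTTP request from known-bad user-agent"; '
    'content:"User-Agent: evil-bot"; sid:1000001;)',
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 22 (msg:"SSH from outside the LAN"; sid:1000002;)',
)]
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.5", "sport": 51000, "dst": "192.168.1.20", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nUser-Agent: evil-bot/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "192.168.1.30", "sport": 52000, "dst": "192.168.1.20", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_9.6"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 53000, "dst": "192.168.1.20", "dport": 22,
     "payload": b"SSH-2.0-libssh"},
]

if __name__ == "__main__":
    for sid, msg, src, dst in run(RULES, PACKETS):
        print(f"[{sid}] {msg}: {src} -> {dst}")
```

A matcher this simple inspects one packet at a time; a string split across two TCP segments would slip past it, which is one reason Snort reassembles streams before applying content rules.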
TCPdump
• tcpdump is a data-network packet analyzer that runs from a command-line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.
• tcpdump works on most Unix-like operating systems: Linux, Solaris, FreeBSD, DragonFly BSD, NetBSD, OpenBSD, OpenWrt, macOS, HP-UX 11i and AIX. On those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows version of libpcap (WinPcap is no longer maintained; Npcap is its current successor).
• For forensic capture, write raw packets to a file with "-w" instead of printing them, and use "-s 0" so packets are not truncated; the resulting pcap file can then be hashed and examined later in Wireshark. For example: tcpdump -i eth0 -s 0 -w capture.pcap
• https://www.tcpdump.org/
Live Acquisition of Network Traffic
• https://pratum.com/blog/454-why-consider-live-acquisition-for-your-nextdigital-forensics-case
Domain Name Owner
• Who is the domain owner? Domain names are owned by whoever first registered the web address with an accredited registrar, such as Domain.com. To maintain ownership, that person has to keep paying registration fees and keep their contact details up to date.
• Note that the registrant details returned by whois are frequently hidden behind a privacy or proxy service, and that registries also publish the same data over RDAP, the JSON-based successor to the whois protocol.
• https://who.is/
• https://www.domain.com/blog/find-a-domain-name-owner/