Laureate Online Education Computer Forensics © All rights reserved 2005-2012. The Computer Forensics module, in all its parts: syllabus, guidelines, lectures, discussion questions, technical notes, images, projects and any additional material is copyrighted by Laureate Online Education B.V.

Computer Forensics Seminar for Week 6: Network Forensics I

In this and the next seminars, we will learn the network basics and techniques for digital investigations. Our society has become network centered, and more and more people rely on email, e-commerce, and other networked services in their daily lives. Meanwhile, computer crimes are also becoming more network centered and internationalized. Thus, digital evidence investigators must master the skills to follow cyber-trails and to find digital evidence on the public Internet, private networks, and other commercial systems. In addition to the traces that criminals leave on host computers, as discussed in previous seminars, other sources of digital evidence on networks include the contents of network devices and the traffic on both wired and wireless networks.

Knowledge of networking technology helps network investigations in the network forensic AAA process. Though it is impractical to expect all network forensic professionals to be network experts, digital investigators need a basic understanding of networks in order to interpret digital evidence found on networked computers. In this seminar, we assume that you are familiar with the basics of the TCP/IP protocols (e.g., you may have acquired this background from the CC module) and with basic network applications such as telnet, ftp, the World Wide Web, and email.

Applying AAA Principles to Networks

Network forensic investigation must also follow the AAA procedures that we discussed in earlier weeks. It is relatively more challenging to deal with network evidence compared with processing a single computer or a single hard drive.
In networked environments, digital investigators often face unpredictable challenges. It is more difficult to take a snapshot of a network at a specific point in time. In particular, it is not feasible to shut down a network for investigation, as we do for some single-computer investigations. To make things more complicated, a networked criminal can appear from anywhere in the world and at any time. It is often difficult to follow the exact AAA principles in the investigation of networked crimes; thus, it is often necessary to apply these principles with some adaptation. In particular, the AAA process for evidence discovery, preparation, authorization, and documentation is similar to that in a single-computer investigation. Other AAA processes, such as evidence collection and preservation, apply to networks with some adaptation from the single-computer case. In the following paragraphs, we briefly discuss these adapted AAA processes for network forensic investigation.

Network digital evidence acquisition:

Network crimes often involve several computer systems and network devices in different administrative domains. The first challenge for network evidence acquisition is to get cooperation from all involved network administrators (who may be from different countries with different legal systems). Even if all administrators are cooperative, the collected evidence may not meet the requirements and standards for legal action against the criminal. For example, some of the involved network domains may not preserve their data according to the required legal standards (e.g., though the United States requires medical professionals to keep records of electronic healthcare transactions and code sets according to the HIPAA law, other countries may not have similar laws), and others may not disclose all required data (e.g., if they are legally forbidden to do so).
The evidence commonly collected from network domains includes purchase orders, security audit reports, email headers, and log files. The evidence acquisition process also includes scanning a system remotely and searching the Web, Usenet, DNS, and other Internet resources for revealing details. Before conducting a network crime investigation, digital investigators should obtain permission for any action taken during the process of data acquisition. For example, the process of scanning a target system for potential evidence (e.g., to prove whether the target system is vulnerable to certain attacks that are related to the case) may be considered a malicious attack by the target system's owner, in particular when the process may disrupt their system. As we have learned during the first two weeks of this course, different countries have different privacy laws (e.g., the European community generally has stricter rules on data related to individual privacy). Thus, it could be difficult to obtain authorization to gather network evidence such as email, email server logs, network communications, and other data on networks. When digital evidence from more than one jurisdiction must be obtained, it is advisable to seek a search warrant for each location whenever possible. In addition, passwords obtained during an investigation should not be used to access remote sources of digital evidence if you do not have the additional authorization to do so.

Similar to the practice that we have discussed in previous weeks, a search warrant should specify all desired digital evidence. During the investigation of networked fraud cases in which the network was only used to store relevant documents, the network administrators may prefer to release only the relevant documents but not the network log files or other sources of evidence on the network.
However, it is important to collect multiple, independent sources of digital evidence to corroborate important events and to establish the continuity of the offense. Thus, a search warrant should be requested that includes all these potential items; it is too late to request an additional search warrant after a request to search these items has been rejected.

There are huge amounts of information on the Internet (or even on a small local network), and you cannot collect all of it for your case. Digital investigators must plan quickly which information to obtain. When a case is set up, it is recommended to begin the search with the end-point computers and the network devices (e.g., switches, routers, proxies) between the end-point computers that are involved in the case. The information contained in these systems can help to establish an entire picture of the offense and to understand more about the crime. For example, the log files on SMTP servers could contain information about who sent an email, at which specific time, and from which host. One can use this information to identify other computers that may be involved in the case and finally to recover the entire scene of criminal activity on the network. In addition, if the examination of a suspect's computer shows that the computer has connected to a specific ISP, then one may need to request additional information from the ISP to track the crime scene. Thus, network forensic investigation is an adaptive process. Since the evidence from other sources can be damaged if not requested in time, it is necessary to analyze acquired evidence immediately in order to identify other sources of evidence so that they can be preserved in time. However, in many cases, there are not enough investigators to analyze the evidence first before acquiring additional evidence.
In these scenarios, it is recommended to collect already-identified evidence first and then conduct an initial analysis on the acquired evidence to see whether further sources of evidence need to be identified and collected.

One of the best practices for computer system evidence acquisition is to make a bitstream copy of the data. However, a bitstream copy of evidence is often not possible in networked environments. For example, evidence such as IRC chat sessions or intrusion activities can only be collected from log files. In cases in which a bitstream copy of digital evidence is impossible, digital investigators must use some creative approaches to acquire and preserve digital evidence and establish the chain of custody. The process must follow the AAA principles discussed previously. Similarly, a detailed record of the entire collection process should be maintained in authenticated digital or written form so that the evidence can be presented in court in an authentic way. The record document should follow the guidelines discussed in previous seminars.

Given that Internet content is dynamic and there are many potentially related sources of digital evidence, it can be very challenging to collect even relatively static digital evidence such as web pages and Usenet messages. In particular, it may be impossible to obtain the date-time stamps of the associated files on the remote system. Thus, investigators should try their best to document the steps by which evidence from a remote computer was acquired. When possible, a screenshot indicating the system time and location should be added to the documentation to serve as a partial date-time stamp. Some Internet content is archived at sites such as the Wayback Machine and the Google cache. The information at these archive sites is not complete, and it is not clear whether information obtained from these sites is legally acceptable in court.
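One way to keep the authenticated digital record of a collection that the paragraph above calls for, written here as an added example (it is not code from the seminar or its textbook): every acquired item is logged with its origin, acquisition method, examiner, UTC timestamp and SHA-256 digest, and the manifest can later be re-verified to show that nothing has changed since collection. The two log files, the case id and the examiner name are constructed placeholders.

```python
"""Added example (not part of the seminar text): an authenticated digital
record of a network evidence collection. Each acquired item is logged with
its origin, the method of acquisition, a UTC timestamp and a SHA-256 digest,
so that the items can later be shown to be unchanged since collection.
The files, case id and examiner name below are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so that large captures need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def new_manifest(case_id, examiner):
    return {"case": case_id, "examiner": examiner, "items": []}


def record_item(manifest, path, source, method):
    """Append one acquired item: what, where from, how, when, and its digest."""
    entry = {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": sha256_of_file(path),
        "source": source,        # system / administrator the item was obtained from
        "method": method,        # how it was obtained
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    manifest["items"].append(entry)
    return entry


def save_manifest(manifest, path):
    """Write the manifest; the returned digest of the manifest file itself is
    what goes into the written (or signed) collection log."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_of_file(path)


def verify_manifest(manifest, directory):
    """Re-hash every item; returns the names whose content no longer matches."""
    return [item["file"] for item in manifest["items"]
            if sha256_of_file(os.path.join(directory, item["file"])) != item["sha256"]]


def demo(directory=None):
    """Create two constructed log exports, record them, alter one, re-verify."""
    directory = directory or tempfile.mkdtemp(prefix="evidence_")
    manifest = new_manifest("CASE-0000 (placeholder)", "J. Doe (placeholder)")
    samples = {  # constructed sample log lines, documentation addresses only
        "smtp.log": b"Jan 10 09:15:02 mail postfix/smtpd[2101]: 4F2A1B: client=lab20.example[192.0.2.20]\n",
        "dhcp.log": b"Jan 10 09:14:50 gw dhcpd: DHCPACK on 192.0.2.20 to 00:08:dc:03:0e:98 via eth0\n",
    }
    for name, content in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(content)
        record_item(manifest, path, source="server administrator (constructed)",
                    method="log file exported by the administrator")
    manifest_digest = save_manifest(manifest, os.path.join(directory, "manifest.json"))
    changed_before = verify_manifest(manifest, directory)    # []: everything intact
    with open(os.path.join(directory, "dhcp.log"), "ab") as f:  # later alteration
        f.write(b"Jan 10 09:30:00 gw dhcpd: (line appended after collection)\n")
    changed_after = verify_manifest(manifest, directory)     # ['dhcp.log']
    return manifest, manifest_digest, changed_before, changed_after


if __name__ == "__main__":
    _manifest, _digest, before, after = demo()
    print("manifest sha256:", _digest)
    print("changed at collection time:", before, "| changed later:", after)
```

The manifest digest is the one value to copy into the written log at the time of collection: anyone who later recomputes the digests can tie every item back to that entry, and an item whose digest no longer matches (as dhcp.log above) is flagged rather than silently accepted.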
Network evidence processing:

The network evidence acquisition process often results in a large amount of data, much of which is unrelated to the case under investigation. The collected data may also contain confidential information that should be removed as required by law (e.g., by privacy laws) or for other reasons (e.g., when the evidence is related to intellectual property such as trade secrets). Therefore, acquired data should go through an initial filtering and reduction process before being used for further analysis or as evidence. A report from CNN mentioned the following: "The changing world of technology is challenging courts to keep pace with new laws addressing potential evidence and preserving privacy" (see (CNN, 2005)). During this process, investigators should pay special attention to the chain of custody of digital evidence.

Data recovery and evidence reconstruction are essential procedures for digital investigation. However, network digital evidence recovery (e.g., of deleted network log files from a server computer) is possible only if one has physical access to these server machines or a bit-by-bit image of the storage systems attached to the server computers (which is not the case in many situations). The recovery method is the same as what we have discussed in previous seminars. For network traffic, Ethereal, which we discuss later in this seminar, can be used to intercept and analyze network packets. Other tools such as NetIntercept or NetDetector provide more analysis features and effective capabilities for reconstructing and displaying data from packets in network traffic; for example, they provide image or web page views when the corresponding data are extracted from network traffic. The digital evidence reconstruction techniques (relational analysis, temporal analysis, and functional analysis) discussed in earlier seminars apply to network digital evidence reconstruction.
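As an added example of the filtering and reduction step (not code from the seminar or its textbook): the script below parses constructed SMTP server log lines in the style of Postfix into one record per message, recording who sent it, when, and from which host, as the acquisition discussion above describes, then keeps only the messages that involve an address under investigation and masks the addresses of uninvolved third parties in the reported result. Host names and addresses are documentation placeholders.

```python
"""Added example (not part of the seminar text): extract who sent which
message, when, and from which host from SMTP server logs, then reduce the
result to the messages that concern the case. The log lines are constructed
in the style of Postfix; addresses and hosts are documentation placeholders.
"""
import re

LINE = re.compile(r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
CLIENT = re.compile(r"client=(?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
FROM = re.compile(r"from=<(?P<addr>[^>]*)>")
TO = re.compile(r"to=<(?P<addr>[^>]*)>")
MSGID = re.compile(r"message-id=<(?P<id>[^>]*)>")


def parse_smtp_log(lines):
    """Group log lines by queue id into one record per message."""
    msgs = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                         # other daemon output: ignore
        rec = msgs.setdefault(m["qid"], {"qid": m["qid"], "first_seen": m["time"],
                                          "server": m["host"], "to": []})
        rest = m["rest"]
        c = CLIENT.search(rest)              # submitting host and its IP address
        if c:
            rec["client_name"], rec["client_ip"] = c["name"], c["ip"]
        f = FROM.search(rest)
        if f:
            rec["from"] = f["addr"]
        t = TO.search(rest)
        if t:
            rec["to"].append(t["addr"])
        i = MSGID.search(rest)
        if i:
            rec["message_id"] = i["id"]
    return msgs


def redact(addr):
    """Mask the local part so third parties are not exposed in a report."""
    local, _, domain = addr.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


def keep_or_mask(addr, case):
    return addr if addr.lower() in case else redact(addr)


def reduce_to_case(msgs, case_addresses, redact_others=True):
    """Keep only messages sent by or to a case address; optionally mask other parties."""
    case = {a.lower() for a in case_addresses}
    kept = []
    for rec in msgs.values():
        parties = [rec.get("from", "")] + rec["to"]
        if not any(p.lower() in case for p in parties):
            continue                         # unrelated to the case: drop it
        out = dict(rec)
        if redact_others:
            out["from"] = keep_or_mask(rec.get("from", ""), case)
            out["to"] = [keep_or_mask(a, case) for a in rec["to"]]
        kept.append(out)
    return sorted(kept, key=lambda r: r["first_seen"])


# Constructed sample: one message from the address under investigation, one
# unrelated message, and an unrelated statistics line.
SAMPLE_LOG = """\
Jan 10 09:15:02 mail postfix/smtpd[2101]: 4F2A1B: client=lab20.example[192.0.2.20]
Jan 10 09:15:02 mail postfix/cleanup[2102]: 4F2A1B: message-id=<1001@lab20.example>
Jan 10 09:15:03 mail postfix/qmgr[2103]: 4F2A1B: from=<suspect@example.org>, size=1843, nrcpt=2 (queue active)
Jan 10 09:15:04 mail postfix/smtp[2104]: 4F2A1B: to=<victim@example.net>, relay=mx.example.net[198.51.100.7]:25, status=sent (250 OK)
Jan 10 09:15:04 mail postfix/smtp[2104]: 4F2A1B: to=<friend@example.net>, relay=mx.example.net[198.51.100.7]:25, status=sent (250 OK)
Jan 10 09:20:11 mail postfix/smtpd[2101]: 7C9D02: client=pc7.example[192.0.2.7]
Jan 10 09:20:11 mail postfix/qmgr[2103]: 7C9D02: from=<alice@example.org>, size=512, nrcpt=1 (queue active)
Jan 10 09:20:12 mail postfix/smtp[2104]: 7C9D02: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, status=sent (250 OK)
Jan 10 09:21:00 mail postfix/anvil[2105]: statistics: max connection rate 1/60s for (smtp:192.0.2.7) at Jan 10 09:20:11
"""


def demo():
    msgs = parse_smtp_log(SAMPLE_LOG.splitlines())
    return msgs, reduce_to_case(msgs, ["suspect@example.org"])


if __name__ == "__main__":
    for rec in demo()[1]:
        print(rec["first_seen"], rec["client_ip"], rec["from"], "->", rec["to"])
```

The unreduced records are kept as well: the reduced, masked view is what goes into the report, while the full parse stays with the acquired log under the chain of custody in case the masked parties later turn out to matter.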
Several case examples are analyzed using these evidence reconstruction techniques (relational, temporal, and functional analysis) in the textbook (see pp. 409–415). After the evidence is identified, it needs to be reported. The principle for reporting investigation results is the same as that discussed in seminar 2.

Criminal profiling and network penetration process:

Before concluding our general discussion on network forensics, we briefly discuss network criminal profiling. It is important to keep in mind that cyber-crimes involve human activities, and investigators are trying to reconstruct the associated behavior and intent. A clear understanding of the suspect's behavioral profile will help an investigator to quickly identify and collect the digital evidence once an event has happened. For example, when an individual or a group of individuals has successfully launched an attack (i.e., penetration) on the network and has compromised a computer, the investigator should be able to determine what the criminals' next steps were. Those next steps can, to a great extent, determine where the potential digital evidence can be collected as well as the extent of damage to the evidence. Thus, it is recommended that digital investigators spend some time learning criminal profiling techniques. One good source for such techniques is chapter 16, entitled "Profiling" (see Chapter 16 of (KYE)), of the Know Your Enemy book; the Honeynet Project provides a detailed discussion of hacker profiling from the following aspects:

1. Motives within the hacking community: Motivation is one of the most crucial elements in gaining an understanding of why individuals within the computer community do what they do. The six motivations in relation to the hacker community are Money, Entertainment, Ego (the satisfaction that comes from overcoming technical obstacles and creating an innovative solution to a problem), Cause or ideology (this is often shaped by different factors such as geopolitical orientation, cultural influences, religion, historical events, and views on current social issues), Entrance into a social group, and Status; these form the allegorically appropriate acronym MEECES.
2. The social structure of the "white hat/black hat" community.
3. "A bug's life": the birth, life, and death of an exploit.
4. Intelligence-based information security: profiling and much more.

It is also important to learn what kinds of hackers exist in the Internet society and the general process hackers use to penetrate a system. Generally, there are four kinds of Internet attackers:

1. Clueless: virtually no skills.
2. Script kiddies: use ready-made exploit scripts from the Internet and run them following rote instructions.
3. Guru: equivalent to an experienced system administrator.
4. Wizard: intimate knowledge of computer systems.

Before an attack happens, the hacker first needs to identify a potential victim. There are many scanning tools on the Internet that allow the hacker to find vulnerable targets with little effort. One of the best tools is nmap, which can carry out a variety of regular scans and stealth scans. In particular, stealth scans try to evade or minimize the chance of detection by avoiding entries in the log files on victims' computers. Thus, little evidence can be recovered for these kinds of scans. Examples of stealth scans include TCP SYN, TCP FIN, and IP header fragmentation (we will discuss these techniques and their forensic impact in the next seminar).
When a vulnerable target is identified, the vulnerabilities (e.g., buffer-overflow problems) in the target machine are used by the hacker to gain administrative or regular user access to the victim (password-guessing techniques may also be employed here). If the hacker has only gained a command prompt with regular user privileges, the hacker may attempt privilege escalation by exploiting well-known vulnerabilities that can lead to root access. When the hacker gets the root prompt, the hacker may then perform her own forensic examination, since she wants to know whether her activity could be captured and whether it is worthwhile for her to continue the system compromise. The hacker's forensic examination process includes the following activities: checking whether logging is taking place and, if so, where the logs are stored; looking for security programs to subvert; and finding out the habits of the system administrators (since the hacker does not want to log into the system at the same time as the system administrator). After the hacker finishes her own forensic examination, she may decide to come back, undetected, in the future. This can be done by deleting related system log files and creating a back door. In UNIX systems, hackers can create a hidden copy of the command shell with SUID root. To automate intrusions, rootkits are normally used by Internet hackers. Rootkits normally contain cleaning tools (to hide evidence of the intrusion), data collection tools (to find information useful in extending the attack), and trojanized binaries (hostile versions of the original executables).

Internet Fundamentals for Digital Investigators

In the following paragraphs, we briefly revisit Internet fundamentals for forensic investigators. Most existing networks run the TCP/IP protocol suite.
TCP/IP stands for Transmission Control Protocol/Internet Protocol, which was developed by a Department of Defense research project to connect a number of different networks designed by different vendors into a network of networks (the "Internet"). TCP/IP normally refers to a set of related network protocols such as the User Datagram Protocol (UDP), File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and many others. Currently, the Internet Engineering Task Force is responsible for defining the protocols of the TCP/IP family.

When we communicate with another computer on the Internet, two different addresses (the MAC address and the IP address) are involved in the communication, each within a different network layer. Every network interface (e.g., an Ethernet adapter card) has a unique hardware address associated with it during the manufacturing process. This address is called the MAC (media access control) address. When the device is connected to the Internet, it needs a numeric IP address assigned to it either statically or dynamically. An IP address usually looks like this: 198.168.9.100. When our computer sends a data packet to another computer, it includes the target computer's IP address in the data packet. When the packet arrives at the destination network, this IP address needs to be translated to the destination computer's MAC address. The Address Resolution Protocol (ARP) is used for this purpose. All network devices have an ARP table that contains all the IP address and MAC address pairs the device has already obtained. The ARP table ensures that the device does not have to repeat ARP requests for devices it has already communicated with. The ARP table on Windows or UNIX computers can be viewed using the command "arp -a". Note that you need to use the command line console in Windows in order to experiment with this command.
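Returning to the back door and rootkit artefacts described under the penetration process above (a hidden SUID-root copy of the shell, and trojanized replacements of system binaries): the added example below, which is not code from the seminar or its textbook, shows two checks an examiner can run against a baseline taken before the incident. It works on a small directory tree constructed in a temporary directory, with short placeholder files standing in for sh, passwd and ls, so it runs without touching the real system.

```python
"""Added example (not part of the seminar text): two host-side checks after a
suspected compromise, run here against a constructed directory tree:
  1. files with the SUID bit set that are not on the expected list (a hidden
     SUID-root copy of the shell is the back door the seminar describes);
  2. files whose hash differs from a baseline taken before the incident
     (trojanized binaries of the kind shipped in rootkits).
"""
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_baseline(root):
    """{relative path: sha256} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = sha256_of_file(full)
    return baseline


def find_unexpected_suid(root, expected=()):
    """Sorted relative paths of SUID files that are not in the expected set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                      # lstat: do not follow links
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                rel = os.path.relpath(full, root)
                if rel not in expected:
                    found.append(rel)
    return sorted(found)


def compare_to_baseline(root, baseline):
    """Sorted (path, status) pairs: modified, added or missing versus the baseline."""
    current = build_baseline(root)
    findings = []
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel] != digest:
            findings.append((rel, "modified"))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "added"))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed 'clean' system: placeholder sh, a legitimate SUID passwd, and ls."""
    os.makedirs(os.path.join(root, "bin"))
    for name, content, mode in [("sh", b"#!shell-binary-v1\n", 0o755),
                                ("passwd", b"#!passwd-binary-v1\n", 0o4755),
                                ("ls", b"#!ls-binary-v1\n", 0o755)]:
        path = os.path.join(root, "bin", name)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)


def simulate_intrusion(root):
    """The traces the seminar describes, reproduced in the constructed tree:
    a hidden SUID copy of the shell plus a replaced (trojanized) ls."""
    hidden = os.path.join(root, "tmp", ".cache")
    os.makedirs(hidden)
    backdoor = os.path.join(hidden, ".x")
    shutil.copyfile(os.path.join(root, "bin", "sh"), backdoor)
    os.chmod(backdoor, 0o4755)
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"#!ls-binary-trojanized\n")


def demo():
    root = tempfile.mkdtemp(prefix="host_")
    build_demo_tree(root)
    baseline = build_baseline(root)                  # taken before the incident
    simulate_intrusion(root)
    suid = find_unexpected_suid(root, expected={"bin/passwd"})
    diffs = compare_to_baseline(root, baseline)
    return suid, diffs


if __name__ == "__main__":
    unexpected, changes = demo()
    print("unexpected SUID files:", unexpected)      # ['tmp/.cache/.x']
    print("changes vs baseline:", changes)           # bin/ls modified, tmp/.cache/.x added
```

On a real host the baseline would be a hash manifest recorded before the incident (or the distribution's package checksums), and the scan should be run from a trusted medium, since a rootkit's trojanized ls or find can hide exactly the files being looked for.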
It is important for forensic examiners to understand how TCP/IP works. To understand TCP/IP networks, it is useful to think in terms of the OSI seven-layer reference model (OSI model):

1. Layer 1: The Physical Layer transmits the bitstream on the physical medium.
2. Layer 2: The Data Link Layer provides transfer of units of information to the other end of a physical link. It provides physical addressing, network topology, line discipline, error notification, orderly delivery of frames, and optional flow control.
3. Layer 3: The Network Layer switches and routes information units. It provides the function to exchange data between devices that are not directly connected by the same "wire". Routers operate at this layer.
4. Layer 4: The Transport Layer provides end-to-end data transmission integrity. The protocols in this layer include TCP, UDP, and the IPX Service Advertising Protocol.
5. Layer 5: The Session Layer establishes, maintains, and manages sessions. Examples include NFS, RPC, the X Window System, and the AppleTalk Session Protocol.
6. Layer 6: The Presentation Layer provides data representation between systems. It translates between differing text and data character representations such as EBCDIC and ASCII. It also includes data encryption. Layer 6 standards include JPEG, GIF, MPEG, MIDI, and others.
7. Layer 7: The Application Layer provides specific services for applications. The protocols in this layer include FTP, TFTP (Trivial File Transfer Protocol), some X-Terminal system protocols, HTTP, SNMP (Simple Network Management Protocol), SMTP, and others.

Layers 1 (Physical) and 2 (Data Link) Forensic Investigation

Beneath the well-known TCP/IP layers are layer 1 (physical) and layer 2 (data link), which are a collection of dissimilar network technologies. The most popular technologies in these layers include:

1. ARCNET is a local area network (LAN) technology that uses a token-bus scheme for managing line sharing among the workstations and other devices connected on the LAN. ARCNET can use coaxial cable or fiber optic lines.
2. Ethernet is the most widely installed LAN technology. Specified in the IEEE 802.3 standard, Ethernet was originally developed by Xerox. An Ethernet LAN typically uses coaxial cable or special grades of twisted-pair wires.
3. Token Ring is a LAN technology in which all computers are connected in a ring or star topology and a bit- or token-passing scheme is used in order to prevent collisions between two computers that want to send messages at the same time. The Token Ring protocol is the second most widely used protocol on LANs after Ethernet.
4. FDDI (Fiber Distributed Data Interface) is a set of ANSI and ISO standards for data transmission on fiber optic lines in a LAN that can extend in range up to 200 km (124 miles). The FDDI protocol is based on the Token Ring protocol. FDDI is frequently used on the backbone of a wide area network (WAN).
5. ATM (Asynchronous Transfer Mode) is a dedicated-connection switching technology that organizes digital data into 53-byte cell units and transmits them over a physical medium using digital signal technology.
6. IEEE 802.11 (Wireless) is an evolving family of specifications for wireless LANs (WLANs) developed by a working group of the IEEE. All the 802.11 specifications use the Ethernet protocol and Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) for path sharing.
7. Cellular networks enable computers to connect to the Internet using a cellular telephone in much the same way that a modem is used to connect to the Internet over wires. With the help of telephone companies, a forensic examiner can trace the location of a suspected cellular phone when it is connected to the network.
8. A satellite Internet connection is an arrangement in which the upstream (outgoing) and downstream (incoming) data are sent from, and arrive at, a computer through a satellite.
Each subscriber's hardware includes a satellite dish antenna and a transceiver (transmitter/receiver) that operates in the microwave portion of the radio spectrum.

The MAC address plays an essential role in communication at layer 1 and layer 2. Indeed, the MAC address is used by many organizations and universities in their registration systems to "authenticate" network devices. For example, the DHCP server will only allocate an IP address to devices with registered MAC addresses. If a crime is traced back to a specific IP address from that organization, the organization may use the DHCP log files to find the specific MAC address and, thus, to find the device that is responsible for the crime. However, this reasoning does not hold by itself and could not be used on its own for forensic purposes. The case example in the textbook (pp. 374–375) uses further examination of the computer to confirm that the computer with the suspected MAC address has committed the crime. The following example defeats this "authentication" system completely.

Fake MAC address:

Assume that I get a new machine with Windows XP installed on it and want to connect to a university's network to commit a crime. I can easily walk into any classroom and connect to the network port there. If the university's LAN is protected, and since my machine does not have a registered MAC address, I could not get an IP address from the DHCP server and could not connect to the Internet. However, I can download a copy of the software Ethereal (which is the software package used in the CC module) and have a look at the existing machines on the network. When I run it, I get the screen shown in Figure 1, from which I learn that a computer with MAC address 00:08:DC:03:0E:98 is looking for a DHCP server. I can reasonably assume that this is a registered MAC address, which I can borrow for a while. The next thing I need to do is change the MAC address of my computer to this MAC address. I proceed as follows:

1. Type "ipconfig /all" in the command line console to check my current MAC address. Let's assume that it shows 02:00:4C:4F:4B:60.
2. Run "regedt32".
3. Back up my registry.
4. Check the following registry key to find the entry to tamper with: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000 (or 1, 2, 3, 4, 5, 6, …).
5. Check whether DriverDesc is the NIC (Network Interface Card); if yes, I have found the correct entry.
6. Go to the right-hand window and select New --> String Value.
7. Create "Networkaddress" with the new MAC address 00:08:DC:03:0E:98.
8. Disable the NIC and enable it again.
9. Type "ipconfig /all" in the command line console. It shows that I have a new MAC address, 00:08:DC:03:0E:98. It also shows that I have an Internet connection!

The above example shows that if the only authentication mechanism used in the organization is based on MAC address registration, the IP address/MAC address-based evidence cannot be used for forensic purposes. However, this example also tells us that we should not automatically assume that a piece of equipment is useless as evidence because its MAC is different from what we expected. The MAC we are seeking may have been changed through software, or the NIC may have been changed. For Linux, the MAC address could be changed using the command "ifconfig hw". For other operating systems, one can change the MAC address using the methods described in http://www.tech-faq.com/change-macaddress.shtml.

Figure 1. A screen from Ethereal (now known as Wireshark)

Digital evidence on networks can be collected using Wireshark, tcpdump, or snoop (on Solaris). Modern switches will not broadcast packets on all ports. In order to eavesdrop on packets on other ports of a switch, the Switched Port Analyzer (SPAN) feature of switches can be used. A SPANned port copies valid Ethernet packets from one port on the switch to another.
There are also other hardware tap devices such as those made by Finisar and NetOptics. Note that these devices are generally used for passive monitoring of networks.

ARP tables contain MAC addresses that can be useful in an investigation. Some organizations log ARP information on their networks using tools like ARPwatch to detect suspicious activities such as an individual reconfiguring a host with another IP address to misdirect investigators, or ARP table poisoning. If there are no such ARP logs, investigators might be able to obtain this kind of information from the ARP table on a router using a command such as "show ip arp". The ARP table on a router is very useful since it contains the (IP address, MAC address) pairs for all hosts it has communicated with recently. However, this information is volatile. One may use screenshots or photographs to capture this real-time information. Another tool that the digital investigator should be aware of is Ettercap. Ettercap is a suite of tools similar to Wireshark but with advanced functions such as sniffing of live connections, content filtering on the fly, launching man-in-the-middle attacks on a LAN, and many other interesting tricks.

The Honeynet Project

The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network hackers. Many people participate in this worldwide project. The Honeynet Project consists of honeypots and honeywalls at different locations around the world. A honeypot is a computer connected to the Internet that looks like a regular network server machine, but it lures the attacker to it so that we can take the honeypot offline without affecting the running of our network. Honeywalls are appliances (computers) used to monitor inbound and outbound connections. They also capture what attackers do without the attackers realizing it. However, the evidence collected from honeynet computers cannot be used in court due to legality problems.
But the results can certainly be used to determine how culprits are breaking in so that better safeguards for networks can be designed. The Honeynet Project designed challenges that are useful for forensic training and experience
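To close the ARP discussion above (ARPwatch-style logging, the router's "show ip arp" table, and the borrowed MAC address in the fake MAC example), here is an added example that is not part of the seminar or its textbook: it parses ARP table snapshots in the formats of Windows "arp -a", Unix "arp -a" and Cisco "show ip arp", normalizes the MAC notation, and reports (a) IP addresses whose MAC changed between two snapshots and (b) one MAC claimed by several IP addresses at once, which is what the cloned 00:08:DC:03:0E:98 above would look like from the router. The three snapshots are constructed.

```python
"""Added example (not part of the seminar text): spotting IP/MAC changes and
cloned MAC addresses from periodic ARP table snapshots, in the spirit of
ARPwatch. The snapshots are constructed; their formats imitate Windows
"arp -a", Unix "arp -a" and Cisco "show ip arp" output.
"""
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC_SEP = r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"          # 00:08:dc:.. or 00-08-dc-..
MAC_CISCO = r"([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})"  # 0008.dc03.0e98


def normalize_mac(raw):
    """Return the MAC as lower-case colon-separated hex whatever the input style."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """Extract {ip: mac} from any of the three table formats; other lines are ignored."""
    table = {}
    for line in text.splitlines():
        ip = re.search(IPV4, line)
        mac = re.search(MAC_SEP, line) or re.search(MAC_CISCO, line)
        if ip and mac:
            table[ip.group(1)] = normalize_mac(mac.group(1))
    return table


def compare_snapshots(old, new):
    """IPs whose MAC changed between two snapshots (ARP poisoning, or a host
    re-addressed to misdirect investigators) and IPs that newly appeared."""
    alerts = []
    for ip, mac in sorted(new.items()):
        if ip in old and old[ip] != mac:
            alerts.append(("changed", ip, old[ip], mac))
        elif ip not in old:
            alerts.append(("new", ip, None, mac))
    return alerts


def duplicate_macs(table):
    """MACs bound to more than one IP at once: a possible cloned or borrowed MAC."""
    seen = {}
    for ip, mac in table.items():
        seen.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


# Constructed snapshots: T1 from a Windows host, T2 from a Unix host, and the
# router's view at T2. At T2 the gateway 192.0.2.1 answers from a different MAC
# and 00:08:dc:03:0e:98 is claimed by two IP addresses.
SNAPSHOT_T1 = """\
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-33-44-01     dynamic
  192.0.2.20            00-08-dc-03-0e-98     dynamic
"""
SNAPSHOT_T2 = """\
gw.example (192.0.2.1) at 00:aa:bb:cc:dd:ee [ether] on eth0
lab20.example (192.0.2.20) at 00:08:dc:03:0e:98 [ether] on eth0
? (192.0.2.77) at 00:08:dc:03:0e:98 [ether] on eth0
"""
ROUTER_T2 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   00aa.bbcc.ddee  ARPA   Vlan10
Internet  192.0.2.20             12   0008.dc03.0e98  ARPA   Vlan10
Internet  192.0.2.77              1   0008.dc03.0e98  ARPA   Vlan10
"""


def demo():
    t1, t2, router = parse_arp(SNAPSHOT_T1), parse_arp(SNAPSHOT_T2), parse_arp(ROUTER_T2)
    return compare_snapshots(t1, t2), duplicate_macs(router)


if __name__ == "__main__":
    alerts, dups = demo()
    for alert in alerts:
        print(alert)          # ('changed', '192.0.2.1', ...), ('new', '192.0.2.77', ...)
    print(dups)               # {'00:08:dc:03:0e:98': ['192.0.2.20', '192.0.2.77']}
```

Because the router's ARP table is volatile, the snapshots are worth saving with a timestamp each time they are taken (screenshots or photographs, as the text suggests, or the raw command output under the collection record); the comparison can then be reproduced from the saved text rather than from memory.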