Laureate Online Education Computer Forensics © All rights reserved 2005 - 2012. The Computer Forensics module, in all its parts: syllabus, guidelines, lectures, discussion questions, technical notes, images, projects and any additional material is copyrighted by Laureate Online Education B.V.

Computer Forensics Seminar for Week 7: Network Forensics II

In the last seminar, we learned how to apply AAA principles to network forensic practice and to network forensic investigations at the physical and data link layers. In this seminar, we discuss network forensic investigations at the network, transport, session, presentation, and application layers.

Network and Transport Layers Forensic Investigation

An Internet IP address consists of a network address and a host address. The network address is unique across the entire Internet; the host address is unique within the local area network to which the device is connected. Thus, each IP address is uniquely identifiable on the Internet. Each network gets its network address from the Internet Assigned Numbers Authority (IANA), and each device gets the host portion of its IP address from the network owner. A network address ends with 0s (e.g., 192.168.0.0), and IP addresses ending with 255 denote broadcast addresses (e.g., 192.168.0.255).

The IANA has reserved the following three blocks of the IP address space for private internets (local networks):

  10.0.0.0 - 10.255.255.255
  172.16.0.0 - 172.31.255.255
  192.168.0.0 - 192.168.255.255

Note that private networks use these private IP addresses, which are unique within each network, but two private networks can use the same "address space" as long as they are not directly connected to each other (they may be connected to each other via the Internet using Network Address Translators, or NAT). Also, IP addresses in the range 169.254.0.0 - 169.254.255.255 are reserved for Automatic Private IP Addressing (APIPA).
For example, Microsoft Windows has an APIPA feature that automatically assigns an IP address to the computer on which it is installed. This occurs when TCP/IP is installed and set to obtain its IP address automatically from a Dynamic Host Configuration Protocol (DHCP) server, and there is no DHCP server present or the DHCP server is not available. After the network adapter has been assigned an automatic IP address, the computer can communicate with any other computers on the local network that are also configured by APIPA or have static IP addresses manually set in the 169.254.xxx.yyy range with a subnet mask of 255.255.0.0.

Domain Name Service: Devices on the Internet are referred to by their IP addresses. But humans are generally not good at remembering numbers and prefer memorable names such as http://www.yahoo.com. The Domain Name Service (DNS) was developed to solve this problem. DNS is a distributed global database, accessible from anywhere on the Internet, that maps a human-readable name such as http://www.tcpdump.org to its corresponding numeric IP address. The DNS database is managed and controlled by the Internet Corporation for Assigned Names and Numbers (ICANN) through accredited registrars. The owner of each domain is responsible for updating its name servers so that memorable names map to the correct numeric IP addresses. Most name servers also support reverse lookups (i.e., mapping numeric IP addresses back to human-memorable names). In Windows or UNIX environments, the command "nslookup" maps between IP addresses and domain names and can also do reverse lookups (note that in Windows these utilities are run from the DOS command prompt). Another tool for querying DNS is "dig" (Domain Information Groper), available on UNIX systems and in NetScanTools for Windows.
The following servers are often useful for gaining further information about IP addresses:

  1. http://www.arin.net/ for North American addresses
  2. http://www.ripe.net/perl/whois for European addresses
  3. http://www.apnic.net/ for Asian-Pacific addresses
  4. http://www.nic.mil/ for USA military addresses
  5. http://www.dotgov.gov/ for USA government addresses
  6. http://www.networksolutions.com/whois/index.jhtml for general search

It should be noted that the above servers can be used to obtain the contact information for a specific domain. However, this information is furnished by the person who provided the registration details. It is not verified for accuracy, and it is possible to register an address with inaccurate or totally false contact names, addresses, and phone numbers.

Another useful tool for IP address tracing is "traceroute" in UNIX and "tracert" in Windows (again run from the DOS command prompt). This tool shows what route packets take to reach their destination, listing every hop on the route from your machine to the target computer. If you want to trace the route between two other computers that are not located at your site, you may use one of the public traceroute servers available from (trace routes). Since traceroute tools need to send packets to the computer that you are examining, the suspect may be warned by your packets. Thus, if you do not want to tip off the suspect, you should not use this investigation method. The results of traceroute can be used to confirm or question the contact information obtained from the DNS database (e.g., from the whois application or the servers listed above). For example, if a suspect site's contact information from the DNS database is in Germany but traceroute tells us that the route ends in Russia, it is reasonable to suspect that something is wrong.
But we should also be aware that many corporations outsource their web sites to a third party, so it is not necessarily wrong that corporate contact information differs from the website's location.

When more than one application service runs on a single computer (with one IP address), the services are distinguished by port numbers. For example, a web service normally runs on port 80 (of course, you can set the port to a different number, but then the client needs to know your web port). The link [TCP/UDP ports] lists frequently used TCP/UDP ports.

A modem or cable connection often assigns a dynamic IP address. Thus, each time you connect to the Internet via modem or cable, you may get a different IP address. This makes it impossible to have a human-memorable name and to run a server on your home computer if you do not have a fixed IP address. Dynamic DNS is a technique used to solve this problem: it allows anyone to associate a friendly, easy-to-remember domain name with an Internet-connected computer, even if its Internet connection uses dynamic IP address assignment.

Attacks on TCP/IP and TCP/IP-related digital evidence: Let us first review the three-step handshake protocol for TCP connection establishment. If a device Alice wants to establish a TCP connection with a device Bob, Alice first sends a request packet "SYN sequence number x" to Bob. After Bob receives this packet, he sends a packet "SYN sequence number y, ACK x+1" to Alice. Alice then needs to send a packet "FIN: ACK y+1" to Bob. After these three steps, a TCP connection between Alice and Bob is established.

One of the well-known attacks on the TCP/IP protocol is IP spoofing. In this attack, Carol wants to impersonate Alice and establish a TCP connection with Bob. That is, Carol pretends to be Alice and gets connected to Bob. In order for Carol to be successful, she needs to complete the above three-step handshake protocol.
For the first message, Carol can easily claim Alice's IP address in her first packet. However, Bob will then send the second message to Alice's IP address. Since Alice has not initiated the first message, Alice may just ignore this packet or send an error message to Bob. Carol can only be successful if she can complete the following:

  1. Stop Alice from responding to Bob. Carol can achieve this via a denial of service attack on Alice's machine, and it is always possible.
  2. Send a packet "FIN: ACK y+1" to Bob. Carol will be successful only if she knows the value of y. So it is essential for Carol to get the value of y.

This kind of IP spoofing attack remained primarily a theoretical academic claim until Robert Morris, whose son wrote the first Internet Worm, discovered a security weakness in earlier implementations of the TCP protocol: when Bob replies to Alice, the reply sequence number y is always chosen in a predictable way. In other words, Carol can predict the value of y with high probability (and thus succeed in IP spoofing attacks). More discussion on this topic can be found in Bellovin (1989). Fortunately, recent TCP implementations use relatively strong random generators to generate the value y, thus avoiding IP spoofing attacks based on sequence number prediction.

The TCP/IP protocol plays a central role in networks, and it is central for a digital investigator to find and exploit TCP/IP-related data during network crime investigations. Network traffic is volatile, and it is impossible to capture all traffic in all networks. Thus, log files become the most important source for investigations. In particular, network-related log files can help an investigator gain an initial understanding of what occurred and which hosts were involved. The major log files that can be used for this purpose include authentication logs, application logs, and operating system logs.
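To make the sequence-number point concrete, here is an added Python simulation (not part of the seminar material) with two toy servers: one that hands out the value y by a fixed increment per connection, as early TCP stacks did, and one that draws y from a cryptographic random source. A guesser who has legitimately observed the last few values of y extrapolates the next one; the guess completes the handshake every time against the predictable server and essentially never against the random one. The starting counter and step size are constructed values, and the third handshake message is modelled simply as "ACK y+1", which is what it carries on the wire.

```python
import secrets

class Server:
    """Toy TCP responder that models only how the SYN/ACK sequence number y is chosen."""

    def __init__(self, predictable: bool, step: int = 64_000):
        self.predictable = predictable
        self.step = step
        self._counter = 123_456   # constructed starting value for the weak generator

    def syn_ack(self) -> int:
        """Return the sequence number y sent in the 'SYN y, ACK x+1' reply."""
        if self.predictable:
            # Early stacks advanced the ISN by a constant per connection (Bellovin 1989).
            self._counter = (self._counter + self.step) % 2**32
            return self._counter
        return secrets.randbelow(2**32)   # modern stacks: unpredictable ISN

    def accept_third(self, ack: int, expected_y: int) -> bool:
        """The handshake completes only if the third message acknowledges y+1."""
        return ack == (expected_y + 1) % 2**32

def predict_next(observed) -> int:
    """Guess the next ISN from the last two observed ones by extrapolating the delta."""
    delta = (observed[-1] - observed[-2]) % 2**32
    return (observed[-1] + delta) % 2**32

def spoof_success_rate(server: Server, trials: int = 200, sample: int = 3) -> float:
    """Fraction of trials in which a guess based on prior ISNs completes the handshake.

    In each trial the guesser first opens `sample` legitimate connections to learn
    recent values of y, then guesses the y the server will use for the next one.
    """
    hits = 0
    for _ in range(trials):
        seen = [server.syn_ack() for _ in range(sample)]   # legitimately observed replies
        guess = predict_next(seen)
        actual_y = server.syn_ack()                         # the y the target really picks
        if server.accept_third((guess + 1) % 2**32, actual_y):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    print("predictable ISN:", spoof_success_rate(Server(predictable=True)))   # 1.0
    print("random ISN:     ", spoof_success_rate(Server(predictable=False)))  # ~0.0
```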
Login and authentication log files generally contain information about which user logged in to the system from which IP address or phone number. They may also contain failed login attempts. For example, in the seminar 5 assignment, we used the utmp and wtmp log files on Linux machines to investigate the activities of your colleagues on the Laureate Linux server.

In addition to authentication logs, most applications (e.g., server software) log users' activities on a network. For example, the FTP server transfer log ("xferlog") records which user deleted which files on the server and from which IP address the user logged in. Similarly, web servers log "timestamp, data requested by client, client IP address" when receiving a request from a client. Some web pages may also place cookies on clients' machines, which can be used to link acquired digital evidence. Web bugs have been used by many marketing companies to examine the web pages that a particular individual views and to learn about his/her interests. This same approach can be useful in an investigation for determining who was using a specific computer at a certain time. However, offenders may use anonymous services such as Anonymizer, Anonymity 4 Proxy, JAP, and the findnot service to hide their IP addresses.

Most operating systems log important events such as system reboots, errors, modem usage, and network interface cards being put into promiscuous mode by a sniffer. In particular, UNIX was designed with networks in mind; log files on UNIX systems generally retain more TCP/IP-related information than Windows event logs. While server and desktop computers can store sufficient network log information, constrained network devices (e.g., routers and switches) have limited memory space for logs, so these devices are usually configured to send a copy of their logs to a remote log server.
In addition to log files, most network devices maintain state tables about the current or very recent state of connections between computers. For example, the command "show conn detail" on a Cisco PIX firewall lists all recent connections. As we have noted, the ARP table in computers and switches contains recently used (IP address, MAC address) pairs.

TCP/IP-related data may also be found in the RAM of servers and network devices. The content of RAM may contain IP addresses and other useful data relating to network activities. Some of this content can only be acquired by dumping RAM, since it is not available from the command line. Some forensic tools can capture this volatile network-related data. For example, EnCase Enterprise Edition can immediately capture a snapshot of the volatile data in the RAM of a server or workstation, accounting for time zones and clock synchronization. These data include users on the system, TCP and UDP port information, open files, running processes and applications, the live Windows registry, network interface details, and system resources.

Though log files contain sufficient information for forensic investigation, attackers have always tried their best to avoid having their activities recorded or to delete the log files. We mentioned in seminar 6 that the first step for an attacker intruding into a system is to identify the target. In this step, port-scanning tools such as nmap are generally used. Most operating systems will log all activities related to port scanning. However, the attacker may try to avoid leaving traces by using stealth or proxy scans. Examples of stealth port scanning include TCP SYN, TCP FIN, and IP header fragmentation. An example of a proxy port scan is the FTP proxy bounce attack.

TCP SYN (half-open) port scanning works as follows:

  1. The scanner sends a SYN packet to a target port (i.e., the first message in the TCP handshake protocol).
  2. If a "SYN y ACK x+1" is received, the port is listening (i.e., the target has sent the second message in the TCP handshake protocol).
  3. If a RST is received, the port is not listening.
  4. If "SYN y ACK x+1" is received, the scanner breaks the connection by sending a RST (reset) packet.

Since few sites log incomplete TCP connections, this kind of port scanning generally leaves no traces on the server machine.

In a TCP FIN port scan, the attacker does not initiate a regular three-step TCP handshake. Instead, the attacker ignores the first two messages and directly sends the third message "FIN ACK y+1" to the target machine with a random y value. The idea behind TCP FIN port scanning is that closed ports tend to reply to a FIN packet with the proper RST, whereas open ports tend to ignore the packet in question (this is required TCP behavior). However, some systems (in particular, Microsoft systems) do not follow this rule. They send a RST regardless of the port state; thus, they are not vulnerable to this type of scan. This method is often used to discriminate between a UNIX server and an NT server. Since TCP FIN port scanning does not complete a TCP connection, most servers will have no log entries for this kind of scanning. More details about TCP FIN port scanning can be found in Uriel Maimon (P49).

In fragmentation scanning, instead of just sending the scanning packet, the attacker breaks it into a couple of small IP fragments. In this way, the TCP header is also split across several packets, which makes it hard for packet-filter loggers to record what is going on. In particular, the attacker may use overlapping fragment attacks to cause confusing log information at the filtering devices [overlapping attacks]. Before we describe the FTP bounce attack, we briefly review the FTP protocol.
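Because the server's own logs stay silent for half-open and FIN scans, the evidence has to come from packet-level records (a sniffer or a firewall that logs every segment). The following added Python example, written for this seminar and not part of it, runs two detection rules over a constructed packet list: many bare SYNs from one source to distinct ports on one host within a short window with no follow-up ACK (half-open scan), and FIN-only segments to ports where that source never sent a SYN (FIN scan). The sample traffic, addresses, thresholds and the Packet record are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str     # TCP flags as letters, e.g. "S", "SA", "A", "PA", "R", "F"

# Constructed sample traffic (not a real capture): one normal session from 10.0.0.5,
# a half-open SYN sweep from 10.0.0.9 (SYN, then RST after the SYN/ACK), and a
# FIN-only sweep from 10.0.0.7 that never sent a SYN.
NORMAL = [
    Packet(0.0, "10.0.0.5", "10.0.0.1", 80, "S"),
    Packet(0.1, "10.0.0.5", "10.0.0.1", 80, "A"),
    Packet(0.2, "10.0.0.5", "10.0.0.1", 80, "PA"),
]
SYN_SWEEP = [Packet(1.0 + i / 100, "10.0.0.9", "10.0.0.1", 20 + i, "S") for i in range(10)]
SYN_SWEEP += [Packet(1.5 + i / 100, "10.0.0.9", "10.0.0.1", 20 + i, "R") for i in range(10)]
FIN_SWEEP = [Packet(2.0 + i / 100, "10.0.0.7", "10.0.0.1", 100 + i, "F") for i in range(8)]
SAMPLE = NORMAL + SYN_SWEEP + FIN_SWEEP

def detect_syn_scan(packets, window: float = 2.0, min_ports: int = 8):
    """Return (src, dst, port_count) for sources whose bare SYNs reach at least
    min_ports distinct ports on one host within `window` seconds, counting only
    ports for which that source never sent a plain ACK/data segment (half-open)."""
    syns = defaultdict(list)
    completed = set()
    for p in packets:
        if p.flags == "S":
            syns[(p.src, p.dst)].append((p.ts, p.dport))
        elif "A" in p.flags and "S" not in p.flags:
            completed.add((p.src, p.dst, p.dport))   # third handshake message or data
    alerts = []
    for (src, dst), hits in syns.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):         # slide the window over the SYN times
            ports = {port for t, port in hits[i:]
                     if t - t0 <= window and (src, dst, port) not in completed}
            if len(ports) >= min_ports:
                alerts.append((src, dst, len(ports)))
                break
    return alerts

def detect_fin_scan(packets, min_ports: int = 4):
    """Return (src, dst, port_count) for sources sending FIN-only segments to ports
    on which no SYN from that source was ever seen (no handshake to close)."""
    seen_syn = {(p.src, p.dst, p.dport) for p in packets if "S" in p.flags}
    orphan = defaultdict(set)
    for p in packets:
        if p.flags == "F" and (p.src, p.dst, p.dport) not in seen_syn:
            orphan[(p.src, p.dst)].add(p.dport)
    return [(src, dst, len(ports)) for (src, dst), ports in orphan.items()
            if len(ports) >= min_ports]

if __name__ == "__main__":
    print("half-open scans:", detect_syn_scan(SAMPLE))
    print("FIN scans:      ", detect_fin_scan(SAMPLE))
```

Hosts that answer every FIN with a RST (the Microsoft behaviour noted above) still leave the orphan FIN segments in the capture, so the second rule works regardless of how the target responds.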
In the FTP protocol (see [FTP protocol]), the client Alice first establishes a TCP connection with the server Bob at port 21. This port 21 channel is normally called the command channel. In order for Alice (client) and Bob (server) to transfer non-command data (e.g., files), Alice chooses a free port on her machine (e.g., 5001) and sends the packet "IP address, port (e.g., 5001)" to Bob. After Bob gets this packet, Bob initiates a TCP connection from his port 20 to the given IP address at the given port (e.g., 5001). Note that normally Alice gives Bob her own IP address, but Alice may choose to give a different IP address. This feature is called a "proxy" FTP connection. In other words, by using this feature, you can connect from evil.com to ftp.target.com and ask ftp.target.com to establish a connection with victimmachine.com.

FTP bounce attack-based port scanning works as follows:

  1. The scanner connects to an FTP server: ftp.some.com.
  2. The scanner requests ftp.some.com to initiate a data transfer process to victimmachine.com at port xxx using the PORT FTP command.
  3. The scanner uses the LIST FTP command to try to list the current directory. The result is sent over the server data transfer process channel to target.com.
  4. If victimmachine.com is listening on port xxx, the transfer will be successful (generating a 150 and a 226 response).
  5. Otherwise, the scanner gets the message "425 Can't build data connection: Connection refused."

This process is straightforward, and victimmachine.com does not have any traces of the hacker's machine. Instead, it only sees the connection from ftp.target.com and may log ftp.some.com's IP address. Since this attack scans TCP ports from a "proxy" FTP server, the attacker could connect to an FTP server behind a firewall and then scan ports that are more likely to be blocked by the firewall.
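The bounce is visible on the FTP server itself: every PORT command names the address the server is asked to connect to, so an FTP server (or an investigator reading its command log) can compare that address with the client's own control-connection address. The added Python example below, not from the seminar or any FTP server's code, decodes the PORT argument (h1,h2,h3,h4,p1,p2, where the port is p1*256+p2) and flags commands that name a third party; the client addresses and log lines are constructed.

```python
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

def parse_port_command(cmd: str):
    """Decode an FTP PORT argument into ('h1.h2.h3.h4', p1*256 + p2).

    Returns None when the argument is malformed or any number exceeds 255,
    so a bad command can never be turned into a connection target.
    """
    m = PORT_RE.match(cmd.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

# Constructed control-channel log: (client IP of the control connection, command).
LOG = [
    ("203.0.113.10", "PORT 203,0,113,10,19,137"),   # client names itself, port 5001: normal
    ("203.0.113.10", "LIST"),
    ("198.51.100.7", "PORT 192,0,2,25,0,25"),       # third-party address, port 25: bounce
    ("198.51.100.7", "LIST"),
    ("198.51.100.7", "PORT 192,0,2,25,0,80"),       # same third party, port 80: bounce
    ("198.51.100.7", "LIST"),
    ("198.51.100.7", "PORT 300,0,2,25,0,22"),       # malformed (300 > 255): ignored
]

def find_bounce_attempts(log):
    """Return (client_ip, target_ip, target_port) for every PORT command whose
    address differs from the client's own, i.e. every "proxy" data connection.
    A server that refuses exactly these commands is immune to the bounce scan."""
    attempts = []
    for client_ip, cmd in log:
        parsed = parse_port_command(cmd) if cmd.startswith("PORT") else None
        if parsed is None:
            continue
        target_ip, target_port = parsed
        if target_ip != client_ip:
            attempts.append((client_ip, target_ip, target_port))
    return attempts

if __name__ == "__main__":
    for hit in find_bounce_attempts(LOG):
        print("bounce attempt: client %s asked for data connection to %s:%d" % hit)
```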
Note that some FTP servers have finally recognized this problem and have disabled the proxy feature. But there are still numerous FTP servers that enable this feature for hackers to exploit. It should be noted that this protocol flaw "can also be used to post virtually untraceable mail and news, hammer on servers at various sites, fill up disks, try to hop firewalls, and generally be annoying and hard to track down at the same time".

Using the NetBIOS protocol for investigation: The NetBIOS protocol is used by Windows to provide file- and print-sharing services across a WAN. The tool nbtstat can be used to associate a user with an IP address. From a local investigative computer, we can run the following command against either the suspect's IP address (with -A) or a specific machine name (with -a):

  nbtstat -A 192.168.100.001
  nbtstat -a suspect.business.com

If the machine is reachable, it returns the following information about the remote machine: the machine name, the Windows NT domain the computer is registered in, and the MAC address. Since the MAC address is unique (if the suspect has not modified it), this information can be used to identify a computer after it has been seized. There are also commercial tools such as "Essential NetTools" from TamoSoft that help with NetBIOS search and analysis.

Internet Application Layer Forensic Investigation

The Internet provides the infrastructure for many different application services that can be related to the crime case under investigation. Application software is used to access Internet services. For example, Netscape, Mozilla Firefox, and Internet Explorer are used to access web services; pine, elm, Lotus Notes, web browsers, Eudora, and Outlook are normally used to access email services. Although there are numerous Internet services, the major ones are WWW services, email services, newsgroup services, online chat services, and peer-to-peer services.
In the following paragraphs, we discuss forensic investigations in these services.

Email: Two kinds of servers are involved in email communication: one for outgoing and one for incoming mail. An email client connects to a mail server to retrieve incoming email using one of three mail access protocols: Post Office Protocol (POP), Internet Mail Access Protocol (IMAP), or Microsoft's Mail API (MAPI). Each individual has a mailbox on the mail server that holds all incoming email. The email client can download and delete email from the user's mailbox on the server using one of these access protocols. Outgoing email uses a different protocol, the Simple Mail Transfer Protocol (SMTP). The SMTP protocol itself does not require any authentication. A user can just toss an outgoing message into an SMTP mail server, which relays it to other mail servers, which again relay it to other servers until the mail reaches its final destination. Since SMTP is a simple protocol without authentication, anyone can telnet to an SMTP server at port 25 and send a message with a forged return address to anyone in the world.

Forged email can also be sent by simply configuring a regular email client. For example, if you use Eudora as your daily email reader, you can use the following procedure to create a forged email:

  1. Select Tools > Options.
  2. Choose "Sending Mail" and modify the "Email address" field with the new value [email protected]. Alternatively, select "Getting Started" and modify the "Real Name" and "Email address" fields with values of your choice.
  3. Create a message (e.g., to yourself) and send it.
  4. Check your mailbox; you should receive an email with the faked return address.

If you check the header information of the forged email that you have just received, you will find that even though the message was from a spoofed address, your machine's IP address is recorded in the originating host IP address field.
When email is relayed via different SMTP servers, each relaying server keeps track of the IP address of the system connecting to it and inserts that IP address into the header of the message.

Web-based free email is becoming increasingly popular, and the Internet browser is becoming one of the major email processing tools. Free email services are often used by offenders to hide their identities. Fortunately, some providers of free email service include the originator's IP address in the header information. For example, the following is the header of a spam email that I have received:

  From : Danielle [email protected]
  Sent : Tuesday, August 23, 2005 9:01 PM
  To :
  Subject : look at theseHunnies!
  Received: from oihtbadocvny.com ([149.165.40.166]) by mc10-f3.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 23 Aug 2005 13:01:45 -0700
  Received: from 178.97.38.107 by 34.158.156.36.oihtbadocvny.com (Postfix) with SMTP id 13663
  X-Message-Info: HWvf2uiueYQn/EqvWvuBt5MAmXCn4Hr1XQNnGB9Q6wM=
  Return-Path: [email protected]
  X-OriginalArrivalTime: 23 Aug 2005 20:01:45.0946 (UTC) FILETIME=[7D4A33A0:01C5A81D]

From this we know that the email was sent from the IP address 178.97.38.107 (more information about this IP address can be found at http://ws.arin.net/whois, as mentioned earlier). Using this information, we can find out who sent the email by issuing a subpoena to the email provider (in this case, oihtbadocvny.com) for its email logs and a subpoena to the ISP that owns that IP address.

Most email client programs hide the header information from the user, but generally we can find it with some effort. In most programs, clicking File and then Properties displays an option to view the header. For web-based email systems, we normally need to configure the mail display options. For example, for hotmail.com, we click Options first, then Mail Display Settings, and choose "Full" for Message Headers.
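Reading the Received chain by hand works for two hops; for longer chains it helps to have the rule written down as code. The added Python example below, written for this seminar and not part of it, unfolds the header, parses each Received line into the "from" host, the address the receiving server recorded, the "by" server and the timestamp, and walks the chain from the bottom (earliest hop) upwards, so the originating address is the "from" of the earliest hop. The sample header is the seminar's own spam header re-typed as a constructed string with the folding an SMTP server would use.

```python
import re

# The seminar's sample header, re-typed as a constructed test input (folded lines
# begin with whitespace, as RFC 822-style headers allow).
SAMPLE_HEADER = """\
Subject: look at theseHunnies!
Received: from oihtbadocvny.com ([149.165.40.166]) by mc10-f3.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.211); Tue, 23 Aug 2005 13:01:45 -0700
Received: from 178.97.38.107 by 34.158.156.36.oihtbadocvny.com (Postfix)
 with SMTP id 13663
X-OriginalArrivalTime: 23 Aug 2005 20:01:45.0946 (UTC) FILETIME=[7D4A33A0:01C5A81D]
"""

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<host>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)(?P<rest>.*)$",
    re.DOTALL)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(raw: str):
    """Join folded continuation lines so each header field is one logical line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(line: str):
    """Split one Received line into its from-host, from-IP, by-server and date.

    The name after 'from' is whatever the connecting system announced; the
    address in brackets is what the receiving server itself observed, so it is
    the part worth a subpoena. The date after ';' is optional in practice."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    host = m.group("host")
    ip = IP_RE.search(host) or IP_RE.search(m.group("extra"))
    rest = m.group("rest")
    date = rest.rsplit(";", 1)[1].strip() if ";" in rest else None
    return {"from_host": host, "from_ip": ip.group(1) if ip else None,
            "by": m.group("by"), "date": date}

def relay_chain(raw: str):
    """Return the hops in transit order: earliest (bottom-most) Received line first."""
    hops = [parse_received(l) for l in unfold(raw) if l.startswith("Received:")]
    return [h for h in reversed(hops) if h is not None]

def originating_ip(raw: str):
    """The 'from' address of the earliest hop, or None if no Received line parsed."""
    chain = relay_chain(raw)
    return chain[0]["from_ip"] if chain else None

if __name__ == "__main__":
    for hop in relay_chain(SAMPLE_HEADER):
        print(hop)
    print("originating IP:", originating_ip(SAMPLE_HEADER))   # 178.97.38.107
```

Only Received lines added by servers you trust are reliable evidence: a sender controls everything below the first line written by a trusted server and can pre-insert misleading hops there, which is why the hotmail.com line and its bracketed address anchor the investigation in the example above.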
The header information in Outlook Express can be viewed by clicking File, then Properties, and then Details. To view the header information in Outlook, we click View and then Options. We then get a list of submenus: Previous, Next, Encoding, Message Header, Options, and Toolbars. Clicking Options opens the Message Options window, which shows the Internet headers for the chosen message. Eudora hides the header information by default; the "Blah, Blah, Blah" icon in Eudora reveals the information we need.

We conclude our email discussion with an example. In 1999, 51-year-old Rocha registered an email account [email protected] from a Charlotte, North Carolina, public library and, using this email account, opened a bank account at the Paritate Bank in Riga, Latvia. Rocha then bombed Lowe's stores in Asheboro and Salisbury, North Carolina, and planted a third bomb at a Concord, North Carolina, store. Anonymous letters were sent to the Lowe's stores asking them to transfer US$250,000 to the bank account at the Paritate Bank so that the bombings would stop. After the money was transferred, the bombings stopped. During the investigation, the FBI obtained all log files relating to this email account from hotmail.com and traced the case to the computers in the library that Rocha had used. When Rocha got the money, he was too happy to remember his normal practice and accessed the email account [email protected] from the computer in his Greensboro home. He was finally identified and caught. For more details, see [Low-Attack].

Newsgroup postings: Usenet is a distributed bulletin board with topics that millions of people worldwide can contribute to and read. If you are not familiar with Usenet and have not configured a client such as "tin" on UNIX systems to read newsgroup postings, the best place to start is http://groups.google.com/.
As with forged email, it is relatively easy to post messages to newsgroups under forged identities. Usenet provides a forum where people publicly ask technical questions. Thus, it may contain information related to the suspects or organizations involved in the investigation. By searching for a suspect's name or the names of involved organizations on a newsgroup archive such as http://groups.google.com, we may get valuable clues to further our investigation. As in email investigations, the headers of newsgroup postings play an important role. In http://groups.google.com/, the header information for a post can be found by clicking "show options" and then "Show original".

IRC and IM: IRC (Internet Relay Chat) is one of the largest chat networks. Anyone can access IRC channels by installing an IRC client (see [IRChelp] for details). Most stolen credit card numbers and cracked passwords are traded in various IRC channels. There are different IRC networks such as Undernet, DALnet, EFnet, and IRCnet, and each individual can create his own chat room on one of these networks. Many IRC chat rooms are created specifically for the discussion of unlawful activities and the exchange of illegal materials. To make things worse, IRC has a direct client connection (DCC) capability, which enables criminals to have a private conversation and exchange files without being seen by anybody else. Therefore, it is important to collect digital evidence from IRC channels. Law enforcement organizations focus on automated analysis of IRC chat logs (you cannot watch thousands of IRC channels manually) to identify potential criminals. If you have identified that your suspect uses IRC, you should begin to record his/her activities in IRC rooms.
For example, when you identify a suspect in an IRC room, you may use the whois command available in most IRC clients to get the suspect's information, such as IP address and other personal information (if he/she has provided it). If your suspect often uses one specific IRC channel, you should use an automated program that continuously monitors activity in that channel. A utility called DataGrab facilitates monitoring activity on IRC and gathers whois and DNS information. However, it may be necessary to obtain appropriate authority before you can monitor a channel.

Instant messaging services such as Hotmail messenger, Yahoo messenger, Google Talk, and Skype are becoming popular. It is also important to monitor these channels when necessary (with appropriate authority, of course).

Peer-to-peer networks: A host on a peer-to-peer network functions simultaneously as server and client, downloading files from peers while allowing peers to download files from it. The most popular peer-to-peer networks are KaZaA, Gnutella, eDonkey, and Freenet. Movies, images, music, and pirated software are exchanged on these networks. As an investigator, if you want to identify computers that are involved in exchanging an illegal document "PiratedVersion", you may install the peer-to-peer client and search for this document. Then you can try to download it (please note that you may also need to obtain appropriate authority before you can do this). When the file is being transferred from a peer, the associated IP address can be viewed using netstat. However, some peer-to-peer clients can be configured to connect through a SOCKS proxy to conceal the peer's actual IP address, and other peer-to-peer clients may connect to the network using anonymous network services such as findnot. Since these services are generally provided by organizations under different jurisdictions, you will not be able to recover the identity of the suspect. For example, most servers for the findnot anonymous service are located in Malaysia.