Toriality's Blog

COMPUTER FORENSICS - 04

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 04 SOURCES: INFOSECINSTITUTE.COM

NETWORK FORENSICS

INTRODUCTION:

Devices connected to networks continue to proliferate: computers, smartphones, tablets and so on. As the number of attacks against networked systems grows, network forensics has become critical. To respond immediately to an attack, network administrators must be able to discover and understand what the attackers have done so far, and they do this by capturing and analyzing network traffic data.

WHAT IS NETWORK FORENSICS?:

The capture, recording and analysis of network packets in order to determine the source of network security attacks. The major goal of network forensics is to collect evidence. It analyzes network traffic data collected from different sites and different network equipment, such as firewalls and IDS. In addition, it monitors the network to detect attacks and to analyze the nature of the attackers. Network forensics is also the process of detecting intrusion patterns, focusing on attacker activity.

STEPS OF A GENERIC NETWORK FORENSIC EXAMINATION:

Identification, preservation, collection, examination, analysis, presentation and incident response are the steps of a generic network forensic examination.

IDENTIFICATION:

    Recognizing and determining an incident based on network indicators. This step is significant since it has an impact on all the following steps.

PRESERVATION:

    Securing and isolating the state of physical and logical evidence so that it cannot be altered, for example by protecting it from electromagnetic damage or interference.

COLLECTION:

    Recording the physical scene and duplicating digital evidence using standardized methods and procedures.

EXAMINATION:

    In-depth, systematic search for evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for the analysis.

ANALYSIS:

    Determining the significance of the evidence, reconstructing packets of network traffic and data, and drawing conclusions based on the evidence found.

PRESENTATION:

    Summarizing and explaining the conclusions drawn.

INCIDENT RESPONSE:

    The response to the detected attack or intrusion is initiated based on the information gathered to validate and assess the incident.
    
Network forensic analysis, like any other forensic investigation, presents many challenges. The first challenge is traffic data sniffing: depending on the network configuration and the security measures in place where the sniffer is deployed, the tool may not capture all of the desired traffic. To address this, the network administrator should mirror traffic to the sniffer with a SPAN port (or a network tap) on network devices at multiple points in the network.
One tedious task in network forensics is data correlation. Correlation can be either causal (event A led to event B) or temporal (events A and B fall within the same time window, often recorded on different devices, so clock synchronization between sources matters).
An attacker may encrypt the traffic, often over an SSL VPN connection. For a network investigator the addresses and ports are still visible, but the data stream is not. Additional logging (for example on the endpoints) and further sleuthing are needed to determine what data was moved through the tunnel.

TRAFFIC PROTOCOLS AND NETWORK LAYERS ANALYZED IN NETWORK FORENSICS:

DATA-LINK AND PHYSICAL LAYER (ETHERNET):

    
These methods rely on eavesdropping on the bit stream at the Ethernet layer of the OSI model. This is done with monitoring tools or sniffers such as Wireshark or tcpdump, both of which capture traffic from a network interface card configured in promiscuous mode. These tools allow the investigator to filter traffic and to reconstruct files and attachments transmitted over the network. In addition, protocols such as the Address Resolution Protocol (ARP) and any higher-level protocol can be consulted and analyzed. However, this can be defeated with encryption; the presence of encryption may itself indicate that a host is suspicious, since attackers encrypt their connections to evade eavesdropping. The disadvantage of this method is that it requires a large storage capacity.
    
TRANSPORT AND NETWORK LAYER (TCP/IP):

    
This layer provides routing information, based on the routing tables present on all routers, as well as authentication log evidence. Investigating this information helps determine compromised packets, identify the source, reverse the route and track data.
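The following is an added example (mine, not from the original notes or from any of the tools named on this page) showing, in plain Python with only the standard library, what a sniffer and a flow reconstructor do with the bit stream described in the two sections above: it fabricates a small Ethernet/IPv4/TCP capture in pcap format, parses the pcap record headers, dissects the Ethernet, IP and TCP headers (verifying the IP checksum), and reassembles the TCP payload in sequence order the way tcpflow does. The traffic, addresses and ports are constructed for the example; a real capture written with `tcpdump -w` is read by the same `iter_pcap` function.

```python
"""Added example: minimal pcap reader, Ethernet/IPv4/TCP dissector and TCP
flow reassembly over a CONSTRUCTED capture. Standard library only."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header that includes its own checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload: bytes) -> bytes:
    """Fabricate an Ethernet/IPv4/TCP frame with valid checksums (test traffic only)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # data offset 5 words, flags PSH|ACK, checksum zero for now
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """pcap global header (link type 1 = Ethernet) followed by one record per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_717_520_100 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data: bytes):
    """Yield (timestamp, frame) for every record of a little-endian pcap file."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def dissect(frame: bytes):
    """Return (src, dst, sport, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP or inet_checksum(ip[:ihl]) != 0:
        return None                       # not TCP, or corrupted IP header
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4         # TCP header length, options included
    return src, dst, sport, dport, seq, tcp[data_off:]


def reassemble_flows(pcap: bytes) -> dict:
    """Join each unidirectional TCP flow's payloads in sequence-number order
    (what tcpflow does). Sorting on seq handles reordering; keying on seq
    drops exact retransmissions."""
    flows = {}
    for _, frame in iter_pcap(pcap):
        parsed = dissect(frame)
        if parsed is None or not parsed[5]:
            continue
        src, dst, sport, dport, seq, payload = parsed
        flows.setdefault((src, sport, dst, dport), {})[seq] = payload
    return {key: b"".join(segs[s] for s in sorted(segs)) for key, segs in flows.items()}


# Constructed capture: one HTTP request split into three segments, with the
# second and third swapped on the wire to simulate reordering.
SEGMENTS = [b"GET /login HTTP/1.1\r\n", b"Host: example.test\r\n", b"\r\n"]
SEQ0 = 1000
FLOW = ("10.0.0.5", "10.0.0.80", 51234, 80)
FRAMES = [
    build_tcp_frame(*FLOW, SEQ0, SEGMENTS[0]),
    build_tcp_frame(*FLOW, SEQ0 + len(SEGMENTS[0]) + len(SEGMENTS[1]), SEGMENTS[2]),
    build_tcp_frame(*FLOW, SEQ0 + len(SEGMENTS[0]), SEGMENTS[1]),
]
SAMPLE_PCAP = build_pcap(FRAMES)

if __name__ == "__main__":
    for (src, sport, dst, dport), stream in reassemble_flows(SAMPLE_PCAP).items():
        print("%s:%d -> %s:%d  %r" % (src, sport, dst, dport, stream))
```

To run it against a real file: `reassemble_flows(open("capture.pcap", "rb").read())`. The reader handles only the classic little-endian microsecond pcap format with an Ethernet link type; pcapng, VLAN-tagged frames and IPv6 are out of scope for the example, which is also why a production investigation uses libpcap-based tools rather than a hand-written parser.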
    
TRAFFIC EXAMINED BASED ON THE USE CASE (INTERNET):

    
The internet provides numerous services such as WWW, email, chat, file transfer, etc., which make it rich in digital evidence. Evidence is obtained from the logs of servers deployed on the internet: web servers, email servers, Internet Relay Chat (IRC) servers and servers for other types of traffic and communication. These servers collect useful log information such as browsing history, email accounts (with the caveat that email headers can be faked), user account information, etc.
    
WIRELESS:

    
This is achieved by collecting and analyzing traffic from wireless networks and devices such as mobile phones. This extends normal traffic data to include voice communications. Phone location can also be determined. The analysis methods for wireless traffic are similar to those for wired network traffic, but different security issues must be taken into consideration.
    

TYPES OF SYSTEMS USED TO COLLECT NETWORK DATA AND TRAFFIC:

"CATCH-IT-AS-YOU-CAN":

    
All packets passing a traffic point are stored in a database, and analysis is performed afterwards on the stored data. The results of the analysis are also stored in the database, and the saved data remains available for future analysis. It should be noted, though, that this type of system requires a large storage capacity.
"STOP, LOOK AND LISTEN":

    
This system differs from the "catch-it-as-you-can" system in that only the data required for analysis is saved to the database. Incoming traffic is filtered and analyzed in memory in real time, so this system requires less storage but a much faster processor.
    
While both systems require generous storage capacity, privacy concerns with the "catch-it-as-you-can" system should be weighed and considered: user content is captured wholesale by this system, and ISPs are forbidden from intercepting or disclosing content without user permission.

POPULAR NETWORK FORENSICS TOOLS & RESOURCES:

Network Forensic Analysis Tools (NFATs) allow network investigators and network administrators to monitor networks and gather all information about anomalous or malicious traffic. These tools work together with network systems and devices, such as firewalls and IDS, to make preserving a long-term record of network traffic possible. NFATs allow quick analysis of the patterns identified by network security equipment.
FEW FUNCTIONS OF A NETWORK FORENSIC ANALYSIS TOOL:
    - Network traffic capturing and analysis;
    - Evaluation of network performance;
    - Detection of anomalies and misuse of resources;
    - Determination of network protocols in use;
    - Aggregating data from multiple sources;
    - Security investigations and incident response;
    - Protection of intellectual property.
    
GENERAL PURPOSE TOOLS:

  • DUMPCAP, PCAPDUMP, NETSNIFF-NG: Examples of packet sniffers, which record packets from the network and store them in files.
  • TCPDUMP, WIRESHARK/TSHARK AND TSTAT: Popular protocol analyzers, used to inspect recorded traffic. They can be either packet-centric or session-centric.
  • XPLICO AND NETWORKMINER: Network forensic analysis tools (NFAT). These tools are data-centric and analyze the traffic content.

SPECIFIC TASK TOOLS:

  • SNORT, SURICATA, BRO (now Zeek): Intrusion detection.
  • NGREP: Match regular expressions against packet payloads.
  • NFEX: Extract files.
  • DRIFTNET: Extract pictures.
  • DSNIFF, FIRESHEEP, ETTERCAP, CREDS: Sniff passwords or HTTP sessions.
  • MAILSNARF, SMTPCAT: Extract emails.
  • NTOP, TCPSTAT, TSTAT: Print network/packet statistics.
  • SSLDUMP: Decode SSL/TLS handshake information.
  • TCPFLOW, TCPICK: Reconstruct TCP flows.
  • P0F, PRADS: Passive OS and service fingerprinting.

LIBRARIES AND FRAMEWORKS:

  • LIBPCAP: The C packet-capture library behind tcpdump, Wireshark and most other sniffers.
  • SCAPY: Python library for crafting, sending, capturing and dissecting packets.

ANTI-FORENSICS TOOLS AND TECHNIQUES:

ENCRYPTION:

Encryption is the act of transforming data (or other information) into an unreadable form, intended to prevent access by unauthorized users. Many tools aid with this, some of them built into recent versions of Windows. Examples include VeraCrypt, AxCrypt, BitLocker and GNU Privacy Guard.
The history of encryption spans many hundreds of years and would require more study than can be compiled here. Some of the classical ciphers that may be seen on the CCFE include the Caesar cipher and the Vigenère cipher. The first shifts each letter left or right by a fixed number of positions. The second uses a keyword: each plaintext letter is shifted by the value of the corresponding key letter, conventionally looked up in a table (the tabula recta) where the row is the key letter and the column is the plaintext letter.
Modern cryptography uses many different algorithms. Data Encryption Standard (DES) is one often seen on the CCFE, along with Advanced Encryption Standard (AES), RSA and DSA. These include both symmetric and asymmetric algorithms: DES (now obsolete because of its 56-bit key) and AES are symmetric, RSA is asymmetric, and DSA is an asymmetric signature algorithm rather than an encryption algorithm. The main difference between the two families is that a symmetric algorithm uses a single key for encryption and decryption, while asymmetric algorithms use two different keys, a public one and a private one.
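As an added example (mine, not from the notes), here are both classical ciphers in plain Python, together with the brute-force attack that shows why a Caesar cipher is only an obfuscation: there are 25 possible keys, so an examiner can try them all and look for a known word (a "crib"). Letters outside A-Z pass through unchanged and case is preserved; the sample plaintext and keyword are constructed.

```python
"""Added example: Caesar and Vigenère ciphers with a crib-based
brute force of the Caesar keyspace. Pure Python."""
import string

ALPHA = string.ascii_uppercase


def _shift_char(ch: str, shift: int) -> str:
    """Rotate one letter by `shift` positions, keeping case; non-letters unchanged."""
    if not ch.isalpha():
        return ch
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + shift) % 26 + base)


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Shift every letter by the same amount (the whole key is one number)."""
    if decrypt:
        shift = -shift
    return "".join(_shift_char(ch, shift) for ch in text)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the value of the corresponding key letter (A=0 .. Z=25),
    cycling through the key. This is exactly the tabula recta lookup, where
    decryption uses the negative shift."""
    key_shifts = [ALPHA.index(k) for k in key.upper() if k.isalpha()]
    if not key_shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            shift = key_shifts[i % len(key_shifts)]
            out.append(_shift_char(ch, -shift if decrypt else shift))
            i += 1                      # only letters consume key positions
        else:
            out.append(ch)
    return "".join(out)


def caesar_bruteforce(ciphertext: str, crib: str) -> list:
    """Try all 26 shifts and return the (shift, plaintext) pairs containing the
    crib. With so few keys the cipher offers no real protection."""
    hits = []
    for shift in range(26):
        candidate = caesar(ciphertext, shift, decrypt=True)
        if crib.lower() in candidate.lower():
            hits.append((shift, candidate))
    return hits


if __name__ == "__main__":
    c = caesar("Attack at dawn", 3)            # constructed sample
    print(c, caesar_bruteforce(c, "dawn"))
    v = vigenere("Attack at dawn", "LEMON")
    print(v, vigenere(v, "LEMON", decrypt=True))
```

A Vigenère cipher is not brute-forced the same way, since the keyspace grows with key length, but it is still broken by classical means: repeated key positions reduce it to several interleaved Caesar ciphers, each solvable by letter-frequency analysis once the key length is found (Kasiski examination or the index of coincidence).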

STEGANOGRAPHY:

Steganography is the act of concealing secret information or messages inside non-secret data or text. One of the most common carriers is an image, where part of the pixel data is changed in a way that is not visually evident. Such files look inconsequential, which is why they are easily overlooked.
The practice of steganography goes back centuries, to a time when messages might be hidden on the shaved scalp of a messenger or beneath the wax of a writing tablet. Technical steganography uses physical or scientific means to hide the message, such as microdots or invisible ink. Linguistic steganography hides the message within the carrier text itself and is categorized as an open code. Virtually any digital medium will work, allowing messages and even entire files to be hidden "in plain sight" within pictures, video files, audio files and practically anything else.
Tools for creating steganographic content include Xiao Steganography, Image Steganography, Steghide, Crypture, SteganographX-Plus, rSteg and SSuite Picse. On the examiner's side, forensic suites such as EnCase or ILook Investigator can help detect it.
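Added example (mine, not from the notes or from any of the tools listed): the simplest digital form of the image technique described above, least-significant-bit (LSB) embedding, on a constructed 8-bit grayscale image held as a bytearray so that no image library is needed. The cover image, the secret and the length-header format are assumptions of this example; real tools typically compress and encrypt the payload and spread it across the image, but the principle is the same. The last two functions show why the change is invisible and what statistical clue an examiner can look for.

```python
"""Added example: LSB steganography on a CONSTRUCTED 8-bit grayscale image.
The payload layout (4-byte big-endian length, then the message) is an
assumption of this example, not any tool's file format."""

HEADER_BYTES = 4  # message length stored first, 32-bit big-endian


def _bits(data: bytes):
    """Most-significant bit first, one bit at a time."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover: bytes, message: bytes) -> bytearray:
    """Write the length header and then the message into the least significant
    bit of successive samples. Each sample changes by at most 1."""
    payload = len(message).to_bytes(HEADER_BYTES, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d samples" % (len(payload) * 8))
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def _read_bytes(image: bytes, start_sample: int, count: int) -> bytes:
    """Rebuild `count` bytes from the LSBs starting at `start_sample`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (image[start_sample + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, from the LSB plane."""
    length = int.from_bytes(_read_bytes(stego, 0, HEADER_BYTES), "big")
    if (HEADER_BYTES + length) * 8 > len(stego):
        raise ValueError("length header does not fit the image; no valid payload")
    return _read_bytes(stego, HEADER_BYTES * 8, length)


def lsb_ones_ratio(image: bytes, samples=None) -> float:
    """Fraction of set LSBs over the first `samples` samples (default: all).
    A smooth synthetic cover has a very uneven LSB plane; once data is
    embedded the ratio moves toward that of the payload bits, which for
    random or compressed data is about 0.5. This is the idea behind simple
    statistical steganalysis, not a reliable detector on its own."""
    region = image[:samples] if samples else image
    return sum(b & 1 for b in region) / len(region)


def max_sample_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-sample change introduced by embedding (1 for LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 64x64 8-bit gradient whose LSBs are all zero.
COVER = bytes(((x + y) // 2) & 0xFE for y in range(64) for x in range(64))
SECRET = b"meet at the old bridge, 23:00"   # constructed secret

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print(extract(stego), max_sample_delta(COVER, stego))
    print(lsb_ones_ratio(COVER), lsb_ones_ratio(stego, (HEADER_BYTES + len(SECRET)) * 8))
```

Note that a lossy format defeats this scheme: saving the stego image as JPEG re-quantizes the pixels and destroys the LSB plane, which is why LSB tools work on PNG or BMP and why an examiner seeing an unusually large lossless image where JPEGs would be expected has a reason to look closer.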

CHANGING METADATA/TIMESTAMPS:

Metadata and timestamps can be manipulated to an attacker's benefit. Metadata spoofing can fool web service clients by serving false WSDL files and WS-SecurityPolicy data. Changing file timestamps ("timestomping") removes the clues forensic examiners use to narrow down areas of activity on a system when the time of the activity is known.
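Added example (mine, not from the notes): timestomping a file's modification time with os.utime, the way attacker tools do, followed by the check an examiner can make. os.utime can set atime and mtime, but on Linux and macOS it cannot set the inode change time (ctime), which the kernel updates whenever metadata changes; on Windows st_ctime reports the creation time instead. Either way, a modification time earlier than ctime is impossible for a file that was genuinely last written at that time, so the mismatch is a cheap first indicator. The temporary file and the year-2020 target are constructed for the demo.

```python
"""Added example: timestomp a file's mtime and detect the inconsistency
it leaves behind. Uses only the standard library."""
import os
import tempfile
import time
from datetime import datetime, timezone


def stomp_mtime(path: str, when: float) -> None:
    """Set atime and mtime to `when` (epoch seconds), as timestomp tools do.
    ctime is not settable this way; the kernel bumps it to 'now' instead."""
    os.utime(path, (when, when))


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")


def timestamp_anomalies(path: str, tolerance: float = 1.0) -> list:
    """Return human-readable findings for timestamps that cannot be genuine.
    `tolerance` (seconds) absorbs filesystem timestamp granularity."""
    st = os.stat(path)
    findings = []
    if st.st_mtime + tolerance < st.st_ctime:
        findings.append("mtime %s predates ctime %s: mtime was rewritten after the last write"
                        % (_iso(st.st_mtime), _iso(st.st_ctime)))
    if st.st_mtime > time.time() + tolerance:
        findings.append("mtime %s is in the future" % _iso(st.st_mtime))
    return findings


def demo() -> tuple:
    """Create a file, stomp its mtime back to 2020-01-01, inspect it before and
    after. Returns (findings_before, findings_after)."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:   # constructed evidence file
        fh.write(b"evidence")
        path = fh.name
    try:
        before = timestamp_anomalies(path)
        stomp_mtime(path, datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp())
        after = timestamp_anomalies(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print(demo())
```

On NTFS the corresponding comparison is between the $STANDARD_INFORMATION timestamps, which timestomping tools change, and the $FILE_NAME timestamps in the MFT record, which they usually leave alone; a $STANDARD_INFORMATION time earlier than the $FILE_NAME time, or a time with all-zero sub-second digits, is the classic giveaway.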

TUNNELING:

Tunneling, sometimes loosely called port forwarding, allows private communication to be sent over a public network by a process called encapsulation. The encapsulated packets look like ordinary public traffic, so they pass through inspection points with little or no scrutiny. A common way to tunnel is through a VPN (Virtual Private Network), which encrypts the payload so that security controls on the path cannot inspect it.
Constant monitoring of encrypted connections can alert an organization to the possibility of this type of activity. Some products, such as CryptoAuditor, can also be used to intercept and stop it.

ONION ROUTING:

Onion routing is a way of sending messages encrypted in layers, corresponding to the layers of an onion. The data is transmitted through several network nodes (onion routers), each of which removes one layer of encryption. When the final layer is peeled off, the message goes to its destination. The method is anonymizing because no node in the chain knows more than its immediate neighbours, the hop before and the hop after it. This routing method is used by the highly popular Tor network.
In principle, the only way to defeat onion routing end to end is to compromise each successive router in reverse order, beginning with the exit node. This is exceptionally time consuming, but it can be accomplished; in practice investigators more often rely on exit-node monitoring, traffic correlation, or mistakes the user makes outside the Tor network.

WIPING A DRIVE:

The process of wiping a hard drive seeks to make data unrecoverable. Reformatting a drive or deleting files does not erase the data; it remains on disk until it is overwritten. Using a program that overwrites the data is common; historically multiple passes were recommended, although a single full overwrite is generally considered sufficient on modern drives.
More skilled criminals may go further by using the Linux dd command to overwrite the whole drive. Some may also degauss the drive, exposing it to a powerful magnetic field to erase it. This destroys all data on a magnetic disk (along with the drive itself) and nothing can be recovered afterwards; note that degaussing does nothing to solid-state drives.
Forensic examiners can be helped by the existence of file fragments, as well as seemingly unrelated data. For instance, the chatsync folder can help recover wiped Skype conversations even if the Skype database has been wiped or deleted.

DISABLED LOGGING:

Computers and other devices log all or most of the events that occur on them. For a criminal this leaves a trail of evidence, which they then want to eliminate, and there are different options for doing so. They can delete the log, which leaves a gap in the record (and, on Windows, an event noting that the log was cleared).
As for more technical tools, Auditpol is a built-in Windows command that allows auditing to be turned off and back on again, but this is easily noticed by forensic analysts. A more targeted tool is Winzapper, which allows the attacker to delete individual entries from the Security log. This can be very hard, and sometimes impossible, to detect. A live RAM analysis can sometimes help the forensic investigator, as can analyzing swap and hibernation files.
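Added example (mine, not from the notes): three checks an examiner can run over an exported event log to locate the traces that the techniques above leave behind. The log lines are constructed in a simplified record_id,timestamp,event format; real EVTX exports expose the same fields (EventRecordID, TimeCreated, EventID) under other names. The checks rest on two facts: Windows numbers the records of a log contiguously, so a tool that removes individual records leaves holes in the sequence unless it also renumbers the file; and clearing the Security log writes event 1102 ("The audit log was cleared") as the first new record. The silence threshold is an assumption to be tuned per host.

```python
"""Added example: find deleted records, silent periods and log-clear events
in a CONSTRUCTED event log export."""
from datetime import datetime, timedelta

# Constructed log: records 1004-1005 removed, auditing silent for six hours,
# then the log cleared. Format: record_id,timestamp,event
SAMPLE_LOG = """\
1001,2024-06-04T09:00:00,4624 logon
1002,2024-06-04T09:00:05,4672 special privileges assigned
1003,2024-06-04T09:01:10,4688 process create
1006,2024-06-04T09:02:00,4688 process create
1007,2024-06-04T09:02:03,4634 logoff
1008,2024-06-04T15:30:00,4688 process create
1009,2024-06-04T15:30:01,1102 audit log cleared
"""


def parse(log_text: str) -> list:
    """(record_id, datetime, event) tuples in file order."""
    records = []
    for line in log_text.splitlines():
        rid, ts, event = line.split(",", 2)
        records.append((int(rid), datetime.fromisoformat(ts), event))
    return records


def find_record_id_gaps(records) -> list:
    """(last_seen_id, next_seen_id) pairs where ids are not contiguous,
    i.e. where records were removed from the middle of the log."""
    ids = [r[0] for r in records]
    return [(prev, cur) for prev, cur in zip(ids, ids[1:]) if cur != prev + 1]


def find_time_gaps(records, max_silence_s: float = 3600) -> list:
    """Stretches longer than max_silence_s with no records at all, as ISO
    strings. On a busy host this suggests auditing was disabled (auditpol)
    for the interval rather than that nothing happened."""
    limit = timedelta(seconds=max_silence_s)
    return [(prev[1].isoformat(), cur[1].isoformat())
            for prev, cur in zip(records, records[1:]) if cur[1] - prev[1] > limit]


def find_clear_events(records) -> list:
    """Event 1102 is written when the Security log is cleared; wiping the log
    wholesale still leaves this single record behind."""
    return [r for r in records if r[2].startswith("1102 ")]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("missing records between:", find_record_id_gaps(recs))
    print("silent periods:", find_time_gaps(recs))
    print("log cleared at:", [r[1] for r in find_clear_events(recs)])
```

None of these checks can recover the deleted content; they tell the examiner where to look in the other sources the notes mention (memory, swap and hibernation files, and, on a domain, the copy of the same events forwarded to a SIEM or domain controller before they were removed locally).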

SPOOFING:

Spoofing is an act where someone attempts to gain access to a system or information by pretending to be someone he or she is not. The literal meaning of the word is "to trick". There are various ways to spoof, but the most common are IP and MAC spoofing, so understanding the difference is integral when studying for the CCFE.

    IP spoofing is the easiest and most common means of spoofing. With IP spoofing, an individual avoids being traced by sending packets with a forged source IP address. This can be done manually or with the assistance of tools. This type of spoofing is commonly used in distributed denial of service (DDoS) attacks, where it hides the true origin of the flood and makes reflection attacks possible.

    MAC spoofing is a bit more involved, making it less common. A MAC address is burned into the network interface at the factory and that burned-in value cannot be changed; however, the operating system can be made to transmit a different MAC address. This type of spoofing is harder for forensic analysts to counter.

    Email spoofing is a common occurrence that involves sending messages with a faked sender address. People can thus be convinced that an email comes from a legitimate person or company, and fall victim to scams.

Forensic investigators can use several techniques to identify spoofing, including detecting forged email headers (email spoofing), examining wireless access point and switch logs for the same MAC address appearing on different ports or with an unexpected vendor prefix (MAC spoofing), and more.
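Added example (mine, not from the notes): a first-pass header consistency check for spoofed email, over two constructed messages, one spoofed and one legitimate. It compares the visible From: domain with the envelope sender (Return-Path:), with the host that handed the message to our own mail server (the topmost Received: header, the only one we wrote ourselves and therefore the only one the sender could not forge), and with the Message-ID domain. Assumed names: our edge server mx.example.test, the impersonated domain example.test and the attacker's mailer-cheap.invalid. A real investigation adds SPF, DKIM and DMARC results, a WHOIS/ASN lookup on the handing-off IP, and an eye for legitimate forwarders and bulk-mail providers, which produce the same mismatches.

```python
"""Added example: header consistency checks for email spoofing over
CONSTRUCTED messages. Standard library only."""
import email
import re
from email import policy

OUR_MX = "mx.example.test"          # assumed name of our own edge mail server
_ADDR = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")
_RECEIVED = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)")

# Constructed spoof: From claims example.test, everything else says otherwise.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mailer-cheap.invalid>
Received: from mail.mailer-cheap.invalid (mail.mailer-cheap.invalid [203.0.113.9])
\tby mx.example.test with ESMTP id abc123
\tfor <victim@example.test>; Tue, 04 Jun 2024 17:35:00 +0000
Received: from [192.168.1.20] by mail.mailer-cheap.invalid with SMTP;
\tTue, 04 Jun 2024 17:34:58 +0000
From: "IT Helpdesk" <helpdesk@example.test>
To: victim@example.test
Subject: Password expiry notice
Message-ID: <20240604173458.1234@mailer-cheap.invalid>

Your password expires today. Log in at the link below.
"""

# Constructed legitimate message from the same claimed sender.
LEGIT_MESSAGE = b"""\
Return-Path: <helpdesk@example.test>
Received: from smtp.example.test (smtp.example.test [198.51.100.7])
\tby mx.example.test with ESMTP id def456
\tfor <victim@example.test>; Tue, 04 Jun 2024 17:35:00 +0000
From: "IT Helpdesk" <helpdesk@example.test>
To: victim@example.test
Subject: Maintenance window
Message-ID: <20240604173500.99@smtp.example.test>

Mail will be unavailable from 22:00 to 23:00.
"""


def domain_of(header_value: str) -> str:
    """Domain part of the first address-like token in a header, lowercased."""
    m = _ADDR.search(header_value)
    return m.group(2).lower() if m else ""


def same_org(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def spoofing_indicators(raw: bytes) -> list:
    """Cheap header consistency checks; each finding is a plain sentence."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    findings = []
    rp_domain = domain_of(str(msg.get("Return-Path", "")))
    if rp_domain and not same_org(rp_domain, from_domain):
        findings.append("envelope sender domain %s does not belong to From domain %s"
                        % (rp_domain, from_domain))
    # Received headers are prepended by each hop, so index 0 is the one our
    # own MTA wrote and the only one we can trust; lower ones may be forged.
    received = msg.get_all("Received", [])
    if received:
        m = _RECEIVED.search(str(received[0]).replace("\n", " "))
        if m and m.group(4).lower() == OUR_MX and not same_org(m.group(1), from_domain):
            findings.append("handed to %s by %s [%s], which is not %s infrastructure"
                            % (OUR_MX, m.group(1), m.group(3), from_domain))
    mid_domain = domain_of(str(msg.get("Message-ID", "")))
    if mid_domain and not same_org(mid_domain, from_domain):
        findings.append("Message-ID domain %s does not belong to From domain %s"
                        % (mid_domain, from_domain))
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, spoofing_indicators(raw))
```

The hostname in a Received line's "from" clause is whatever the client said in HELO/EHLO and is attacker-controlled; the IP address in brackets is what our server actually observed, which is why the finding reports both and why the IP is the value worth pivoting on.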