Published on February 26, 2014
PURDUE UNIVERSITY TECSUP NETWORK FORENSICS AN INTRODUCTION 7.11.2013 Jake Kambic M.S. Student CNIT Cyber Forensics / Network Security
PREFACE THE BASICS AND BACKGROUND
WHO AM I? AND WHY SHOULD YOU LISTEN TO ME?
OVERVIEW PURPOSE Today’s lessons are intended to give you an introduction to elementary and intermediate techniques in network forensics. We are only scratching the surface, but it should be rewarding. Please stop me at any time to ask questions, or to ask me to slow down!
OVERVIEW (CONT’D) TOPICS
• What is DFIR?
• What is Network Forensics?
• Digital Forensics vs. Incident Response
• The Forensic Process (Abridged)
• Quick Review: General Forensics
• Quick Review: Fundamental Computing
• Quick Review: Networking
• Where does potential evidence exist?
• What evidence are we looking for?
• Environment Factors
• Anti-Network Forensics
• Acquisition
• Wireshark Basics
• Analysis
• Exercise 1: Capturing browser traffic
• Exercise 2: Ann and the Apple TV
• Exercise 3: 10 Minutes of Internet
• Exercise 4: Bad Actors and Bad Habits
WHAT IS DFIR? Digital Forensics – more accurately, Forensic Cybernetics. Forensic – “pertaining to or suitable for courts of law”. Cybernetics – “the field of study concerned with communication and control systems in living organisms and machines.” Cyber forensics is then the investigation of the man-machine interface to a degree of integrity and certainty that is suitable for a court of law. Incident Response – the preparation for, and response to, an emergency or emergent threat.
DIGITAL FORENSICS VS. INCIDENT RESPONSE
Cyber Forensics | Incident Response
• Sub-discipline of law | Sub-discipline of disaster recovery
• “Post-mortem” | Post or concurrent to incident
• Typically independent analysis | Working closely with IT to control the situation
• Must adhere to rules of evidence [federal, Daubert, etc.] | Need only be as reliable as necessary to determine a course of action
• End goal: determine the sequence of events, attest | End goal: determine threat extent, mitigate the threat
DF V. IR (CONT’D) WHY HIGHLIGHT THESE DISTINCTIONS? We are going to speak today about techniques from the perspective of a Forensic Investigator. However, the transient nature of network forensics means that, many times, it is not possible to perform an acquisition of evidence that adheres to current standards of evidence. In this capacity, we will also look at things relevant to IR.
THE FORENSIC PROCESS (ABRIDGED) THE QUICK AND DIRTY RUNDOWN
Remember the 3 A’s: Acquire, Analyze, Attest. Today we will be discussing acquisition and analysis techniques for network forensics.
Acquire:
• Document all steps
• Establish chain of custody
• Authenticate the acquisition (e.g. hash the collected data at collection time)
Analyze:
• Document all steps
• Follow a repeatable, explainable process
• Seek independent/exculpatory evidence
Attest:
• Report documented findings
• Back assertions with evidence
• Inter-subjective conclusions
QUICK REVIEW: GENERAL FORENSICS LIGHTNING TALKS Locard’s Principle of Exchange – “the perpetrator of a crime will bring something into the crime scene and leave with something from it.” This holds true in cyber forensics as well. The change, or what is left, may be lower than we typically look (disturbing of electrons) and may be temporal, but in the majority of incidents if you have been called in as an investigator, then there is already suspicion of malign activity that careful yet rapid acquisition will reveal.
QUICK REVIEW: GENERAL FORENSICS (CONT’D) LIGHTNING TALKS Rules of Evidence – standards (such as the Daubert criteria) set guidelines for admissibility. These “standards” vary across all levels of government, and many disparate standards exist. Situational awareness of this is paramount. Importantly, these standards typically dictate a scientific, repeatable, method of acquisition against the same data set. In the case of networking, volatile memory, and certain flash storage, this can be practically impossible.
QUICK REVIEW: GENERAL FORENSICS (CONT’D) LIGHTNING TALKS Our Mission as a forensic investigator – To understand and describe an event, collection of events, or system in the most accurate and detailed manner possible given all of the available information. To maintain the integrity of the evidence and scene to ensure that accuracy. Sometimes, we must admit that there isn’t a conclusion that can be accurately drawn based on the evidence. Our mission is not to convict someone, nor to inject/assert conjecture as fact.
QUICK REVIEW: FUNDAMENTAL COMPUTING LIGHTNING TALKS
Computing: processing, storage, and transmission [I/O]; systems of systems.
Information has both content and context that we are interested in:
• Content – things the user/entity/protocol directly creates, accesses, or modifies
• Context – metadata that frames the content, providing a point of reference and relativity
Cyber: the man-machine interface – adding people to the mix.
QUICK REVIEW: NETWORKING
Networking – “To link together to allow the sharing of data, interactive operation, and efficient utilization of resources”
EXAMPLES OF NETWORK ARCHITECTURES (organized by protocol/suite):
• TCP/IP
• Control systems: SCADA/ICS (Modbus, DNP3)
• CAN: CAN bus, MilCAN
• USB/FireWire protocols
• Bluetooth
• PCI/PCIe bus
• Many more, including link technologies like Ethernet and the 802.11 suite
IMPORTANT TAKE-AWAYS:
• Systems must use transmission to acquire/share information. If it is in the browser, it came over the network, and can (in principle) be reconstructed*
• All malware that was not built into a system or physically added via hardware alteration must have traversed some network (in the broad sense above, which includes USB and other buses) to infect that system.
QUICK REVIEW: NETWORKING (CONT’D) TCP/IP NETWORKING AND THE OSI MODEL For today’s exercises, we are only looking at Ethernet/TCP/IP Several different models exist for defining these networking layers logically – we are going to focus on the Open Systems Interconnection (OSI) model (slightly modified) Why does this matter? [ Logically grasping a unified model of internetworking fundamentally shapes your process for searching, identifying, acquiring, and understanding evidence, and your interactions with the tools used to acquire and analyze that evidence. ]
QUICK REVIEW: NETWORKING (CONT’D)
The OSI model of networking for the Internet, as modified for today:
[Layer 8] – Human
Layer 7 – Application
Layer 6 – Presentation
Layer 5 – Session
Layer 4 – Transport
Layer 3 – Network
Layer 2 – Data-link
Layer 1 – Physical
[Layer 0] – Media
(Encapsulation runs downward: each layer’s data unit is wrapped inside the header of the layer below it.)
The OSI model is typically composed of 7 layers, with each upper layer being encapsulated by the next lowest layer. We’ve modified the OSI model to meet our needs by adding 2 layers. “Layer 8” is a concept out of social engineering, but also applies to forensic investigations. “Layer 0” is the physical media; it can hold traditional forensic evidence like latent fingerprints, but can also tell us about unique constraints.
QUICK REVIEW: NETWORKING (CONT’D)
The OSI model of networking for the Internet, with common protocols at each level:
[Layer 8] – Human
Layer 7 – Application: HTTP, DHCP, DNS, SMB, OSPF… lots more
Layer 6 – Presentation: MIME
Layer 5 – Session: SSL/TLS, NetBIOS, SAP, PPTP, RTP
Layer 4 – Transport: TCP, UDP
Layer 3 – Network: IP, ICMP, IPsec, IGMP, IPX
Layer 2 – Data-link: ARP, PPP, L2TP, Frame Relay
Layer 1 – Physical: Ethernet, USB, FireWire, RS-232, 802.11
[Layer 0] – Media: RJ45 Ethernet cables, the 2.4/5 GHz spectrum
(These mappings are approximate: Ethernet and 802.11 define both the physical and data-link layers, and TLS is variously placed at layer 5 or 6. Wireshark’s dissector tree follows the same layering, so knowing where a field lives tells you where to look for it.)
QUICK REVIEW: NETWORKING (CONT’D)
Content on the OSI stack: content is found mainly in application-layer payloads, carried in transport-layer segments, although technically it could exist anywhere via obscure/custom protocols (such as covert channels that hide data in lower-layer header fields).
QUICK REVIEW: NETWORKING (CONT’D)
Context on the OSI stack: context can be found at every level of the OSI model, but the most useful context is typically:
• Layer 2 – MAC addresses to identify devices (and, via the OUI, the vendor)
• Layer 3 – IP addresses; IP/ICMP header details such as TTL and response flags (OS fingerprinting)
• Layer 4 – timing/sizing information such as TCP window size and options (OS fingerprinting)
• Layer 7 – metadata provided by HTTP (User-Agent, Host, Referer), NBNS, and routing protocols
• Layer 8 – naming conventions and other indicative habits/patterns
WHERE DOES POTENTIAL EVIDENCE EXIST? What sources are we trying to acquire? [ It is paramount to understand that this is not a discrete question – these are SYSTEMS of systems that are interdependent. A pcap alone is not the extent of network forensics. ]
WHERE DOES POTENTIAL EVIDENCE EXIST? EVIDENCE PROVIDERS FOR A SINGLE SYSTEM OF A SERVER/CLIENT DEVICE Network Transmissions Volatile [Main] Memory Persistent [Secondary] Memory
WHERE DOES POTENTIAL EVIDENCE EXIST? For your situational awareness: be aware that modern malware can do interesting things like communicate over acoustic covert channels (high-frequency sound) and hide in firmware/BIOS. Understand that your investigation is limited by which evidence providers you collect from, and document those limitations in your analysis.
WHAT POTENTIAL EVIDENCE EXISTS? EXAMPLE NETWORK ARTIFACTS IN STORAGE MEDIA [NON-EXHAUSTIVE]
Volatile (Primary/Main) Memory (this includes buffers on NICs):
• open/prior connections, paired with the processes that initiated them
• recently used/downloaded programs and temporary files
• recently run command output (ping/tracert/etc.)
• DNS cache
• routing/ARP table information
• packets (buffered in memory)
Persistent (Secondary) Memory:
• recently run network programs (Prefetch on Windows >= XP, for instance)
• logs/event records
• recently visited URLs
• IP addresses in email headers, configuration files, etc.
• network captures (did the person have packet captures on their machine?)
WHAT POTENTIAL EVIDENCE EXISTS? EVIDENCE PROVIDERS FOR ENTERPRISE SYSTEM NETWORK FORENSICS There is overlap between these media. This is good: convergent sources of evidence mean more support for that evidence, which can be critical in court. The more ways to verify an event, the better. Remember: network communications are a conversation. Evidence on one side of this conversation means evidence may exist on the other side as well (and anywhere in between, too).
WHAT ARE WE INTERESTED IN? “IT DEPENDS”
What evidence are we looking for? It depends on: scope; threat source (human intelligence vs. malware); a multitude of other factors.
Content: exists largely at the application/transport layers. Could be executables, documents, conversations, media (images/video/audio), proof of transactions (credit card numbers, web URLs, etc.).
Context: timeline and statistics (sessions/hosts/ports/protocols/sizes); network topology/connected devices; historical data (baselines/anomalies, previously connected networks/keys, etc.).
THE ENVIRONMENT “NO REALLY, IT DEPENDS” Whether doing Cyber Forensics or Incident Response, network transmissions are temporal. It may not be possible to personally collect the data that will be analyzed in a timely, cost effective manner. This may necessitate instructing others in this process. You can only hope that there is an IDS/NSM solution. It’s difficult to be long range tech support and guarantee a forensically sound collection process, or that the desired evidence is even collected (chain of custody can also be an issue). Be cognizant of this possibility and be able to define and explain your steps to others.
ANTI-NETWORK FORENSICS THE 60,000 FT. VIEW
Largely these can be grouped into active/passive, or obfuscation vs. exploitation.
Obfuscation:
• Spoofing (IP/MAC addresses, or IP-stack behaviour and User-Agent strings to hide the OS/browser type)
• Encryption (including TLS, Tor, custom)
• Packing/compression/encoding of executables and files (e.g. Metasploit’s staged payloads and encoders)
• Steganography :(
• Covert channels (IP-over-DNS tunnelling is a popular example; see also the Telex project)
• Fragmentation/ordering fuzzing (tools like SniffJoke)
Exploitation:
• Attacks against investigator/IDS tools (e.g. CVE-2011-1591, a Wireshark dissector overflow)
• Active detection of network monitoring (e.g. detecting a promiscuous-mode NIC by sending a TCP SYN in a frame whose destination MAC is bogus but whose IP header is addressed to the target: a NIC in normal mode drops the frame, while a sniffing host passes it up the stack and answers with a SYN/ACK)
APPLIED KNOWLEDGE TAKING THEORY AND PUTTING IT TO PRACTICE
ACQUISITION THE RIGHT TOOL FOR THE JOB For our lab purposes we will be looking at relatively small data sets. Enterprise networks have voluminous throughput: possibly terabytes or petabytes a day at multiple gigabits per second, depending on the size of the organization. The tools we use today, such as Wireshark, are often not capable of capturing this amount of data without dropping packets or other degradation. Even command-line tools like tshark may have issues (they are also hardware/topology constrained). Open-source tools such as argus and ntop can handle this kind of data by reducing packets to flow records (who talked to whom, when, over which ports, and how much), but they are outside the scope of this lecture. We will be manually analyzing packet data, but an automated solution may be required in order to be successful and efficient within the time and resource constraints present in “big data” situations.
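As an added example (not from the lecture, and not the code of argus, nfcapd or SiLK), the flow-reduction step those tools perform, written out in Python: packets are keyed by their bidirectional 5-tuple, accumulated into flow records, split when a flow goes idle longer than a timeout, and then summarised per client. The packet records are constructed here by hand; a real deployment would read them from a NIC or a pcap, and the 60-second idle timeout is an assumed value.

```python
"""Flow summarisation of packet records, the reduction argus/nfcapd perform.

Added example for this lecture; not code from the slides or from those tools.
The packet records below are constructed for illustration.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst proto sport dport length")

# Constructed sample: one DNS lookup, one HTTP session, and an SSH session
# that goes idle long enough to be split into two flow records.
SAMPLE_PACKETS = [
    Packet(1000.00, "10.0.0.5", "8.8.8.8", "udp", 53012, 53, 70),
    Packet(1000.01, "8.8.8.8", "10.0.0.5", "udp", 53, 53012, 86),
    Packet(1000.10, "10.0.0.5", "93.184.216.34", "tcp", 49152, 80, 74),
    Packet(1000.12, "93.184.216.34", "10.0.0.5", "tcp", 80, 49152, 74),
    Packet(1000.13, "10.0.0.5", "93.184.216.34", "tcp", 49152, 80, 66),
    Packet(1000.14, "10.0.0.5", "93.184.216.34", "tcp", 49152, 80, 412),
    Packet(1000.20, "93.184.216.34", "10.0.0.5", "tcp", 80, 49152, 1514),
    Packet(1000.21, "93.184.216.34", "10.0.0.5", "tcp", 80, 49152, 1514),
    Packet(1000.22, "93.184.216.34", "10.0.0.5", "tcp", 80, 49152, 600),
    Packet(1005.00, "10.0.0.5", "10.0.0.9", "tcp", 50000, 22, 74),
    Packet(1005.01, "10.0.0.9", "10.0.0.5", "tcp", 22, 50000, 74),
    Packet(1200.00, "10.0.0.5", "10.0.0.9", "tcp", 50000, 22, 100),  # after the idle timeout
]


def flow_key(p):
    """Bidirectional key: sort the two endpoints so both directions share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    if a > b:
        a, b = b, a
    return (p.proto, a, b)


def summarise_flows(packets, idle_timeout=60.0):
    """Aggregate packets into flow records; a flow idle longer than idle_timeout is closed
    and a new record started for the same 5-tuple (assumed timeout, as in flow exporters)."""
    active, finished = {}, []
    for p in sorted(packets, key=lambda x: x.ts):
        key = flow_key(p)
        f = active.get(key)
        if f is not None and p.ts - f["last"] > idle_timeout:
            finished.append(f)
            f = None
        if f is None:
            # The first packet seen defines the client side of the conversation.
            f = {"proto": p.proto, "client": (p.src, p.sport), "server": (p.dst, p.dport),
                 "first": p.ts, "last": p.ts, "packets": 0, "bytes": 0,
                 "bytes_out": 0, "bytes_in": 0}
            active[key] = f
        f["last"] = p.ts
        f["packets"] += 1
        f["bytes"] += p.length
        if (p.src, p.sport) == f["client"]:
            f["bytes_out"] += p.length
        else:
            f["bytes_in"] += p.length
    finished.extend(active.values())
    return sorted(finished, key=lambda f: f["first"])


def top_talkers(flows, n=3):
    """Bytes per client address, largest first: the first cut at a large capture."""
    totals = {}
    for f in flows:
        host = f["client"][0]
        totals[host] = totals.get(host, 0) + f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for f in summarise_flows(SAMPLE_PACKETS):
        print(f"{f['proto']} {f['client'][0]}:{f['client'][1]} -> {f['server'][0]}:{f['server'][1]} "
              f"pkts={f['packets']} bytes={f['bytes']} dur={f['last'] - f['first']:.2f}s")
    print(top_talkers(summarise_flows(SAMPLE_PACKETS)))
```

Once traffic is in this form, narrowing a multi-gigabyte capture to the handful of flows worth opening in Wireshark is a sort and a filter rather than a scroll through millions of frames; the packets themselves are only pulled for the time window and 5-tuple a flow record points to.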
ACQUISITION (CONT’D) THE RIGHT TOOL FOR THE JOB
Today we will use and discuss:
• Wireshark/tshark for network acquisition (argus/nfcapd will be discussed for flow acquisition)
• foremost (compiled for Windows) for carving data out of TCP streams in the pcap
• (winpmem/LiME will be discussed for volatile memory acquisition)
• (dd will be discussed for persistent memory acquisition)
And for analysis we will be using:
• Wireshark (network capture analysis)
• (chaosreader/SiLK will be discussed for automated packet capture extraction/analysis)
• Volatility/NAFT (volatile memory analysis)
• (bulk_extractor will be discussed for persistent memory analysis)
WIRESHARK BASICS FRAMES, STREAMS, AND FILTERS OH MY! Open Wireshark, and follow along with me Notice OSI structure for packet dissectors Color represents level of OSI model/unique protocols Display filters (including auto-generation of filter) Following TCP streams (okay, so it’s still a display filter) Resource for Display filters: http://www.firstdigest.com/2009/05/wiresharks-most-usefuldisplay-filters/
EXERCISE 1 CAPTURING BROWSER TRAFFIC JOINT ACTIVITY:10 MINUTES Summary: Start a network capture with Wireshark, note the initial traffic, open a web browser, note the traffic generated by this action, browse to a webpage, stop the capture, and use Wireshark to extract file artifacts from the HTTP/TCP streams.
CASE STUDY: ANN AND THE APPLE TV This is a challenge provided by the Network Forensics Puzzle Contest. The pcap and questions can be downloaded from http://forensicscontest.com/2009/12/28/anns-appletv It’s included to highlight the fact that over the past decade, unique sources of evidence in the form of embedded devices and appliances have crept into the consumer world, offering additional, potentially useful, information about a suspect’s habits, anomalous activities, and whereabouts.
EXERCISE 2 ANN AND THE APPLE TV JOINT ACTIVITY: 20 MIN
Summary: Given a pcap of an individual’s interactions with an AppleTV, answer the associated questions.
Questions:
1. What is the MAC address of Ann’s AppleTV?
2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
4. What was the title of the first movie Ann clicked on?
5. What was the full URL to the movie trailer (defined by “preview-url”)?
6. What was the title of the second movie Ann clicked on?
7. What was the price to buy it (defined by “price-display”)?
8. What was the last full term Ann searched for?
SOLUTIONS: ANN AND THE APPLE TV WIRESHARK FILTERS TO FIND SOLUTIONS
1) MAC address of Ann’s AppleTV: eth.addr == 00:25:00:fe:07:c4
2) User-Agent string used in HTTP requests: http.user_agent == "AppleTV/2.4"
3) First four search terms (incremental searches count): http.request.uri contains "/MZSearch.woa/wa/incrementalSearch" and read the search term from each request’s query string, in order
4) Title of the first movie clicked: http.request.uri contains "viewMovie?"
5) Full URL of the trailer (“preview-url”): http.request.uri contains "viewMovie?" then Follow TCP Stream on the first match; preview-url is a field in the server’s response body, not in the request
6) Title of the second movie clicked: http.request.uri contains "viewMovie?" (second match)
7) Price to buy it (“price-display”): same stream as 6; price-display is likewise in the response body
8) Last full term searched for: http.request.uri contains "/MZSearch.woa/wa/incrementalSearch" (the last request in the sequence)
Note that the request filters only locate the conversation; for anything the server sent back you must follow the stream (or filter on http.response and the matching tcp.stream number).
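To tie the OSI encapsulation discussion to these filters, here is an added example (not part of the lecture or the contest, and not Wireshark’s own code) that builds a tiny pcap in memory, walks each frame from Ethernet through IPv4 and TCP to the HTTP request line and headers, and then applies the same selection logic as the display filters above: eth.addr, http.user_agent, and http.request.uri contains. The MAC address and User-Agent are the ones on the solution slide; the search terms, IP addresses, the other host, and the q= query parameter are constructed for illustration and are not the puzzle’s answers. Only little-endian microsecond pcap (not pcapng) is handled.

```python
"""Hand-dissecting a pcap and re-implementing the Apple TV display filters.

Added example for this lecture, not code from the slides, the contest or Wireshark.
Frames and search terms below are constructed; MAC and User-Agent are from the slide.
"""
import struct
from urllib.parse import urlsplit, parse_qs

APPLETV_MAC = "00:25:00:fe:07:c4"   # from the solution slide
APPLETV_UA = "AppleTV/2.4"          # from the solution slide


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + TCP (no options) + payload. Checksums are left zero: they are
    not needed for dissection, and Wireshark only complains when validation is enabled."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip)) + tcp
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip


def build_pcap(frames):
    """pcap file image: 24-byte global header (linktype 1 = Ethernet), then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1262000000 + i, 0, len(f), len(f)) + f
    return out


def http_request(host, uri, ua):
    return f"GET {uri} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {ua}\r\n\r\n".encode()


# Constructed traffic: the Apple TV typing a search one letter at a time, then viewing a
# movie, plus an unrelated browser so the filters have something to exclude. The q=
# parameter name is an assumption for this example.
SEARCH_URIS = [f"/WebObjects/MZSearch.woa/wa/incrementalSearch?q={t}" for t in ("h", "ha", "hac", "hack")]
FRAMES = [build_frame(APPLETV_MAC, "00:11:22:33:44:55", "192.168.1.10", "10.0.0.1", 49200 + i, 80,
                      http_request("ax.itunes.apple.com", u, APPLETV_UA)) for i, u in enumerate(SEARCH_URIS)]
FRAMES.append(build_frame(APPLETV_MAC, "00:11:22:33:44:55", "192.168.1.10", "10.0.0.1", 49300, 80,
                          http_request("ax.itunes.apple.com", "/WebObjects/MZStore.woa/wa/viewMovie?id=1", APPLETV_UA)))
FRAMES.append(build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", "192.168.1.11", "10.0.0.1", 49400, 80,
                          http_request("example.com", "/index.html", "Mozilla/5.0")))
SAMPLE_PCAP = build_pcap(FRAMES)


def read_pcap(data):
    """Yield (timestamp, frame bytes) per record; little-endian microsecond pcap only."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + caplen]
        off += caplen


def dissect(frame):
    """Layer 2 -> 3 -> 4 -> 7, the way Wireshark's dissectors chain. Returns the context
    fields named like Wireshark display-filter fields, or None for non-IPv4/TCP frames."""
    dst_mac, src_mac, ethertype = frame[0:6], frame[6:12], struct.unpack_from("!H", frame, 12)[0]
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]
    rec = {"eth.src": ":".join(f"{b:02x}" for b in src_mac), "eth.dst": ":".join(f"{b:02x}" for b in dst_mac),
           "ip.src": ".".join(map(str, ip[12:16])), "ip.dst": ".".join(map(str, ip[16:20])),
           "tcp.srcport": sport, "tcp.dstport": dport}
    if payload[:4] in (b"GET ", b"POST"):          # HTTP request: fill http.request.uri / http.user_agent
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        rec["http.request.uri"] = lines[0].split(" ")[1]
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.lower() == "user-agent":
                rec["http.user_agent"] = value.strip()
    return rec


def apply_filter(pcap, predicate):
    """Equivalent of typing a display filter: keep the records the predicate accepts."""
    return [r for _, f in read_pcap(pcap) if (r := dissect(f)) and predicate(r)]


def search_terms(pcap, mac):
    """Questions 3 and 8: this device's incrementalSearch terms, in capture order."""
    hits = apply_filter(pcap, lambda r: r["eth.src"] == mac
                        and "/MZSearch.woa/wa/incrementalSearch" in r.get("http.request.uri", ""))
    return [parse_qs(urlsplit(r["http.request.uri"]).query).get("q", [""])[0] for r in hits]


if __name__ == "__main__":
    print(search_terms(SAMPLE_PCAP, APPLETV_MAC))
    print(apply_filter(SAMPLE_PCAP, lambda r: "viewMovie?" in r.get("http.request.uri", "")))
```

The point of doing this by hand once is to see that a display filter is nothing more than a predicate over fields the dissectors have already pulled out of successive headers; when a protocol has no dissector (a custom covert channel, say), those fields simply never appear, and you are back to the raw payload.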
INTERMISSION TIME FOR LUNCH! INDIVIDUAL OR JOINT ACTIVITY Summary: om nom nom.
PRACTICE MAKES NEAR-PERFECT MOOOOOOOOOAR WIRESHARK Now that you’ve been exposed to display filters, content extractors, and the dissectors within Wireshark, we are going to take a deeper dive. The next exercise will familiarize you with some of Wireshark’s other features
EXERCISE 3 10 MINUTES OF INTERNET INDIVIDUAL ACTIVITY: 30 MINUTES Summary: You’ve been provided with a slice of an enterprise network capture. You are charged with identifying different network segments, and extracting data from different protocols within the capture using Wireshark. There is not a right/wrong answer: this is exploratory. Hint: Follow the TCP streams, and remember that not everything worth extracting is a file.
VOLATILE MEMORY ANALYSIS FOR NETWORK ARTIFACTS We are going to use Volatility, an open source volatile memory analysis tool originally developed here at Purdue by Aaron Walters. A special thanks to Aaron and his team! Specifically, we are going to walk through the following network forensic steps on volatile memory: identifying network connections that were active at the time of the memory capture scanning processes which have had active connections for evidence of malware extracting a malicious DLL that was injected over the network, and comparing it to one carved from a packet capture that triggered on the same attack extracting packets from volatile memory and analyzing them for further evidence
VOLATILE MEMORY ANALYSIS FOR NETWORK ARTIFACTS
Basic usage:
volatility -f <filename> [--profile=<profile>] <plugin>
e.g. volatility -f xp_infected.vmem pslist

Offset(V)  Name          PID  PPID Thds Hnds Sess Wow64 Start               Exit
---------- ------------- ---- ---- ---- ---- ---- ----- ------------------- ----
0x865c6830 System           4    0   58  283 ----     0
0x8647b020 smss.exe       544    4    3   19 ----     0 2013-02-24 06:40:30
0x864db020 csrss.exe      616  544   12  371    0     0 2013-02-24 06:40:33
0x863adda0 winlogon.exe   640  544   18  514    0     0 2013-02-24 06:40:33
0x85fc1c90 services.exe   684  640   16  271    0     0 2013-02-24 06:40:33
0x86044ae0 lsass.exe      696  640   20  350    0     0 2013-02-24 06:40:33
0x860064f8 vmacthlp.exe   852  684    1   25    0     0 2013-02-24 06:40:33
0x862772c0 svchost.exe    868  684   20  198    0     0 2013-02-24 06:40:33
0x86098760 svchost.exe    952  684    9  268    0     0 2013-02-24 06:40:34

Volatility 2.x defaults to the WinXPSP2x86 profile, which is why no --profile is needed for this image; for any other OS, determine the profile first (imageinfo/kdbgscan) and pass it explicitly. For network artifacts, the XP/2003 plugins are connections/connscan (TCP connections) and sockets/sockscan (listening sockets); on Vista and later use netscan. The *scan variants carve pool memory, so they also recover connections that had already been closed.
See: https://code.google.com/p/volatility/wiki/CommandReference23#Networking
See also: https://blogs.sans.org/computer-forensics/files/2012/04/Memory-ForensicsCheat-Sheet-v1_2.pdf
EXERCISE 4 BAD ACTORS AND BAD HABITS INDIVIDUAL/JOINT ACTIVITY Summary: You’ve been provided with a pcap and a volatile memory capture that contain evidence of a network exploitation. Determine where the exploit occurred in the pcap, and extract the malicious executable. Then find network artifacts in the memory capture which correlate to the pcap and compare. Hint: https://code.google.com/p/volatility/wiki/CommandReference23#Networking Bonus Hint: The executable is also in memory :D do they match?
SUMMARY Network forensics can present problems with repeatability and rules of evidence when it comes to acquisition of the evidence because it is transient. The network forensic process is largely the same as that of a traditional digital forensic investigation. Network forensics is more than just packets on the wire. Network forensics spans transmission, volatile memory, and persistent memory. Use the right tools for the job – small packet captures can successfully be analyzed with Wireshark, large scale captures may need to be automatically parsed before narrowing down sections which can be further analyzed. Hopefully, you walk away with a little more hands-on experience
PARTING THOUGHTS You still have a lot to learn ( I still have a lot to learn ) Technology is constantly evolving, you need to stay current As they say, practice makes perfect (well….nobody’s perfect :D) If this topic interests you, speak to me later or research: Structured Traffic Analysis Network Security Monitoring (Richard Bejtlich just released a new book) Intrusion Detection Systems https://tools.netsa.cert.org https://www.enisa.europa.eu/activities/cert/support/exercise
COMMENTS AND WRAP-UP Thank you! Questions?
ADDENDUM IN CASE OF EXTRA TIME, BREAK EXERCISE Summary: Exercise05 involves using bulk_extractor to extract network “features”