CSCD 496 Computer Forensics
Lecture 19: Network Forensics
Winter 2010

Network Forensics Overview
• Introduction to Network Forensics
• Techniques for Network Forensics
• Sources of Data
  – Location of potential data
• Challenges of Network Forensics
• Host Log Files
  – Example

Your Thoughts
• Do you think networks and outlying computers/servers can be an important source of digital evidence?
• What are some sources of digital evidence from network sources?

Introduction
• Yes. Networks do contain digital evidence that can
  – Establish that a crime was committed, or
  – Provide evidence useful to an investigation
• Evidence on a network is not as well defined as on a single host
• Network data is more dynamic and volatile
  – Difficult to take a snapshot of a network at a given instant in time

Introduction
• Often can't shut down a network to obtain evidence
  – Need to stay up and running for business purposes
• Suspect may leave evidence in many places
  – Think about the yellow tape of a crime scene
  – Much harder to isolate a crime scene when it includes a network!!

Investigative Authorization
• Before conducting an on-line investigation, law enforcement and investigators need to obtain permission
• Difficulty of obtaining authorization to search e-mail, network communications, and other data depends on
  – Situation, type of data and country
  – Monitoring network traffic is considered highly invasive of privacy
  – Search of recent or unread e-mail is considered more invasive than a search of old e-mail

Investigative Authorization
• If data exist in two or more places in the US
  – Need to obtain additional warrants for each location
• Using passwords obtained during an investigation to access remote sources of digital evidence
  – Requires additional authorization

Authorization Problems
• Examples
  – In 2002, legal action was brought against an investigator for gaining remote access to a suspect's computer and collecting evidence over the Internet
  – In 2000, the FBI lured two Russian computer intruders to the United States for a fictitious job interview and used WinWhatWhere to capture passwords to the suspects' systems in Russia
    • Investigators used the passwords to collect incriminating evidence remotely from the suspects' computers
    • The Russian government initiated criminal proceedings against one FBI agent for unauthorized access to computers in Russia

Network Data Request
• When drawing up an affidavit for a warrant, it is important to mention all desired evidence
• Especially if you want network records
  – Otherwise you may miss important evidence
  – Also recommended to include explicit examples of records to be seized
    • And the form of seizure, digital and paper

Network Data Request
• Example of request
  – John Doe: All records associated with the Subscriber and Account, including:
    • Screen names and/or account names, phone numbers, addresses, credit card numbers used to establish the account,
    • Connection records, to include logon dates and times,
    • IP addresses assigned for each session, origination information for each call, phone number used for access to the system,
    • Newsgroup logs, e-mail logs ...
    • Credit and billing information for any and all accounts held in the name of John Doe
    • and the addresses 192.168.12.14 and 192.168.12.16 and [email protected]
    • for the period of (date and time conform to the period of suspect criminal activity)

Network Data Request
• Comments
  – The prior request is an example of the dispersed nature of network forensics data
  – Did not specify e-mail contents, just e-mail logs
    • Harder to obtain warrants for e-mail contents
  – Some organizations (eBay is one)
    • Do not need a court order to provide name and address
    • User agreement permits disclosure to law enforcement

Documentation, Collection and Preservation of Data
• Advice for network forensics data collection
  – Follow standard operating procedure
    • Same principles as for a single host!!
  – Retain a log of actions taken during the collection process
    • Print screens of important actions
  – Document which server contains evidence
    • May be multiple servers involved
  – Calculate MD5/SHA1 values for all evidence prior to transfer and after transfer

Documentation, Collection and Preservation of Data
• Example procedure:
  – In several cases, investigators gained remote access to a host that a computer intruder was using to launch attacks
  – They e-mailed themselves the evidence they had gathered
    • Why shouldn't they have done that?

Documentation, Collection and Preservation of Data
• Problem with e-mailing data to themselves
  – Complicates chain of custody
  – More difficult to confirm integrity of evidence
    • E-mail can be forged
  – What if the e-mail were not delivered?
  – E-mail is stored on intermediary servers
    – Sometimes many servers are traversed

Investigative Reconstruction
• Fundamentals of investigative reconstruction
  – Don't change when networks are involved
  – Just gets harder!!!!
  – Criminal can be in several places on a network at any given time
    • Example: network intruder
      – Sharing information with accomplices on IRC
      – At the same time, breaking into multiple computers elsewhere

Investigative Reconstruction
• Suspect can use the Internet to conceal actual location
• How can they do this?

Difficulties with Network Identity
• How to hide on the Internet
  – Anonymous network: uses encryption and moves data between computers
    http://freenetproject.org/
  – Proxies
    http://www.all-nettools.com/toolbox/privacy.htm
    http://www.inetprivacy.com/
    http://anon.inf.tu-dresden.de/index_en.html
  – Encryption (e-mail)
    http://www.hushmail.com
    http://www.zixcorp.com/

Importance of Log Files
• Log files contain messages about the system, including the kernel, services, and applications running on it
• Log files can be very useful when looking for unauthorized login attempts to the system
• Linux/Unix example
  – Some log files are controlled by the daemon syslogd
  – List of log messages maintained by syslogd
  – Found in the /etc/syslog.conf configuration file

Location of Log Files
• Most log files are located in the /var/log directory
• Some applications such as httpd and samba have a directory within /var/log for their log files
• Notice multiple files in the log file directory with the same name but numbers after them
• Created when the log files are rotated
  – Log files are rotated so their file sizes don't become too large
  – A cron task automatically rotates log files according to the /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d directory
  – By default, it is configured to rotate every week and keep four weeks' worth of previous log files

Example of Logs Kept
  -rw-r----- 1 syslog adm 859075 2010-03-01 05:26 messages.0
  -rw-r----- 1 syslog adm 158966 2010-02-22 06:20 messages.1.gz
  -rw-r----- 1 syslog adm 135613 2010-02-15 10:49 messages.2.gz
  -rw-r----- 1 syslog adm 142595 2010-02-08 07:11 messages.3.gz
  -rw-r----- 1 syslog adm 212676 2009-10-07 05:44 messages.4.gz
  -rw-r----- 1 syslog adm 139323 2009-04-24 11:25 messages.5.gz
  ...
  -rw-r----- 1 syslog adm  89361 2010-03-01 11:32 syslog
  -rw-r----- 1 syslog adm 159357 2010-03-01 05:26 syslog.0
  -rw-r----- 1 syslog adm  14253 2010-02-28 08:32 syslog.1.gz
  -rw-r----- 1 syslog adm  15926 2010-02-27 09:52 syslog.2.gz
  -rw-r----- 1 syslog adm  28826 2010-02-26 09:11 syslog.3.gz
  -rw-r----- 1 syslog adm  73396 2010-02-25 10:12 syslog.4.gz
  -rw-r----- 1 syslog adm  46112 2010-02-24 06:42 syslog.5.gz
  -rw-r----- 1 syslog adm  97564 2010-02-23 09:48 syslog.6.gz

What to Check
• /var/log/messages and /var/log/syslog:
  – The messages and syslog files contain all system-level and system process logging
  – Include services such as NIS, sendmail, and rpc
  – /var/log/messages also contains failed login and su attempts to other accounts on your system
• /var/log/sulog:
  – The su log is a log of all successful attempts by somebody using the su function to log in as a different user

What to Check
• /var/log/wtmp or utmp:
  – wtmp/utmp you parse with the command last
  – /var/adm/wtmp shows you when, where, and how long a user was logged onto your system
• /var/adm/acct or pacct:
  – The process accounting logs (started by the acct command) are logs you parse with the command spar
  – These logs show you the commands users ran and how long the processes ran for

What to Check
• What do you look for in the logs?
• Unusual activity
  – Date-time anomalies: people who should not be logged in on that date or at that time (1:00 am on Sat.)
  – A lot of activity from users who normally don't generate that much activity
  – Unusual tasks: messing with network connections or security features of the system
  – Failed su commands: a normal user trying to become root
• Missing logs: log files are deleted or empty
• Tampered logs: harder to detect; there are tools that allow others to mess up your log files so you are less alarmed to their presence

Investigative Reconstruction
• Might need to analyze all available log files
  – Logs from routers,
  – Firewalls,
  – Intrusion Detection Systems, or other sources
• Might reveal a pattern of compromise
  – Example: intrusion captured in log files
    • FTP server was compromised
    • Computer intrusion first detected by Tripwire
    • What does Tripwire do?
      – It calculates and stores hashes of system files and notes when a file changes

Example Investigative Reconstruction
• Example continued
  – Tripwire was the first alert
  – Several system components were replaced through a rootkit (/bin/login, /usr/bin/du, /usr/bin/top, /usr/bin/find, /usr/bin/killall)
  – The following entry in /var/log/secure showed a connection to the FTP server:
    Apr 24 22:50:34 ftpserver in.ftpd[2103]: connect from 62.30.247.138

Investigative Reconstruction
• Example continued
• Another entry in /var/log/wtmp:
    ftp ftp pc-62-3-247-138-do.blueyonder.co.uk [62.30.247.138] Tue Apr 24 22:50-22:50 (00:00)
• Unauthorized connection partially supported by an entry in /var/log/messages
  – Only difference is the time stamp
    Apr 25 02:50:40 ftpserver in.ftpd[2103]: ANONYMOUS FTP LOGIN FROM pc-62.30.247.138-do.blueyonder.co.uk [62.30.247.138], [email protected]

Investigative Reconstruction
• Example continued
• Investigators checked the intrusion detection system logs for a corresponding entry but didn't find one. They did find an entry for a different time and source:
    [**] FTP-site-exec [**] 04/25-02:48:44 04/25-02:49:37 63 62.122.10.221 -> 192.168.2.6 S:4158 D:21
• Why might host logs differ from network logs?
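Before the reconstruction example continues, an added example (not part of the lecture) that applies the indicators from the "What to Check" slides to constructed /var/log/messages-style lines: the host name, user names, addresses and the incident year 2010 are assumptions, and the night window of 22:00 to 06:00 is a chosen threshold.

```python
"""'What to Check' triage: flag failed su attempts (normal user trying to become
root) and date-time anomalies (night or weekend logins) in syslog-style lines.
Sample lines are constructed; syslog stamps carry no year, so one is supplied."""
import re
from datetime import datetime

SAMPLE_LOG = """\
Mar  6 01:02:11 ftpserver su: FAILED SU (to root) bob on /dev/pts/1
Mar  6 01:02:19 ftpserver su: FAILED SU (to root) bob on /dev/pts/1
Mar  6 01:03:02 ftpserver sshd[4121]: Accepted password for bob from 192.168.2.77 port 51022 ssh2
Mar  8 14:22:40 ftpserver sshd[4190]: Accepted publickey for alice from 192.168.2.10 port 40012 ssh2
Mar  8 14:30:00 ftpserver su: (to root) alice on /dev/pts/0
"""

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
FAILED_SU_RE = re.compile(r"FAILED SU \(to (\w+)\) (\w+) on")
LOGIN_RE = re.compile(r"Accepted \w+ for (\w+) from (\S+)")

def parse_line(line, year):
    """Split a syslog line into (timestamp, host, program, message); None if unparsable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, prog, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return ts, host, prog, msg

def is_off_hours(ts, night_start=22, night_end=6):
    """Weekend or night-time (22:00-06:00) activity counts as a date-time anomaly."""
    return ts.weekday() >= 5 or ts.hour >= night_start or ts.hour < night_end

def triage(log_text, year):
    """Return (timestamp, indicator, detail) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _host, prog, msg = parsed
        if prog == "su" and (su := FAILED_SU_RE.search(msg)):
            findings.append((ts, "failed_su", f"{su.group(2)} -> {su.group(1)}"))
        if (login := LOGIN_RE.search(msg)) and is_off_hours(ts):
            findings.append((ts, "off_hours_login", f"{login.group(1)} from {login.group(2)}"))
    return findings

if __name__ == "__main__":
    for ts, kind, detail in triage(SAMPLE_LOG, 2010):
        print(ts.strftime("%a %Y-%m-%d %H:%M:%S"), kind, detail)
```

The two failed su attempts and the 01:03 Saturday login are reported; the successful weekday su by alice is not, which is why a successful-su log such as /var/log/sulog still has to be reviewed separately.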
Investigative Reconstruction
• Next, searched Netflow logs (Cisco router logs) for all connections to and from the compromised computer
• Found the original connection from blueyonder.co.uk at 22:50:34 was part of a broader scan of FTP servers which was not logged by the intrusion detection system
• Netflow logs also showed the actual intrusion occurred at 02:47:12 from 62-122-10-221.flat.galactica.it and that the intruder downloaded a patch from RPMfind and fixed the vulnerability

Investigative Reconstruction
• IDS logs and Netflow logs provided more reliable evidence than the tampered logs of the compromised host
• So, instead of the intrusion coming from the United Kingdom, the intrusion actually originated in Italy!

Behavioral Analysis
• When looking at digital evidence on a network
  – Keep in mind you are looking at the effects of human activities
    • Trying to figure out associated behavior and intent
  – Log files can be great sources of behavioral evidence
    • Record a lot of activities
    • Can often determine what a person did and was trying to achieve

Behavioral Analysis
• Log file analysis can often reveal patterns
  – Can indicate whether it was the same intruder
• Example: on-line sexual predator
  – Has extensive communication with victims
    • Trying to gain their trust
    • A lot of evidence will have accumulated

Behavioral Analysis
• Activities can reveal intruder knowledge and skill level
  – Focused attack
    • Only attacks certain machines: the ones with a sensitive database of financial data
    • Reveals the intruder knew the network and which machines to target
  – Time patterns
    • Track how long the intruder took to commit the compromise
    – Might even suggest insider vs. outsider involvement

Conclusion
• More challenging to piece together an evidence trail when it covers multiple machines in distant locations
• Need to pay attention to authorization in collecting network data or could be liable for violating the intruder's rights
• Need to know how networks function, and where evidence occurs in a networked environment
• Also need to understand network tools that can assist with collection and preservation of distributed evidence

Resources
Digital Evidence and Computer Crime by Eoghan Casey, Elsevier Academic Press, 2004

End
• Next time
  – Lab
  – Guest speaker on Wed., Dale Lindekugel, Criminal Justice
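The cross-source correlation walked through in the reconstruction example, as an added Python example rather than anything from the lecture: the /var/log/secure, /var/log/messages and IDS records are the ones quoted on the slides, the Netflow line is a constructed summary of the stated finding, and the year 2001 is assumed because syslog stamps omit it.

```python
"""Cross-source timeline for the compromised-FTP-server example: the host, IDS
and Netflow records quoted on the slides are put on one clock, same-connection
entries that disagree on time are flagged, and each IP's corroboration checked."""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2001  # assumed: syslog lines carry no year
HOST_LOG = [  # (log file, line) as quoted on the slides
    ("secure", "Apr 24 22:50:34 ftpserver in.ftpd[2103]: connect from 62.30.247.138"),
    ("messages", "Apr 25 02:50:40 ftpserver in.ftpd[2103]: ANONYMOUS FTP LOGIN FROM "
                 "pc-62.30.247.138-do.blueyonder.co.uk [62.30.247.138], ..."),
]
IDS_ALERT = "[**] FTP-site-exec [**] 04/25-02:48:44 04/25-02:49:37 63 62.122.10.221 -> 192.168.2.6 S:4158 D:21"
NETFLOW = "04/25 02:47:12 62.122.10.221 -> 192.168.2.6:21"  # constructed summary of the Netflow finding
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_host(source, line):
    """Syslog line -> event; the PID and peer IP identify one connection."""
    m = re.match(r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+?\[(\d+)\]: (.*)", line)
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": source, "pid": int(m.group(2)), "src": IP_RE.search(m.group(3)).group()}

def parse_network(source, line):
    """IDS/Netflow line -> event, from its first MM/DD-hh:mm:ss stamp and first IP."""
    m = re.search(r"(\d\d)/(\d\d)[- ](\d\d:\d\d:\d\d)", line)
    ts = datetime.strptime(f"{YEAR} {m.group(1)} {m.group(2)} {m.group(3)}", "%Y %m %d %H:%M:%S")
    return {"ts": ts, "source": source, "pid": None, "src": IP_RE.search(line).group()}

def build_timeline():
    """All records from all sources, ordered by normalised timestamp."""
    events = [parse_host(s, l) for s, l in HOST_LOG]
    events += [parse_network("ids", IDS_ALERT), parse_network("netflow", NETFLOW)]
    return sorted(events, key=lambda e: e["ts"])

def time_conflicts(events, tolerance_s=300):
    """Host entries for the same PID and peer whose stamps differ by more than tolerance_s."""
    groups = defaultdict(list)
    for e in events:
        if e["pid"] is not None:
            groups[(e["pid"], e["src"])].append(e["ts"])
    return [{"pid": pid, "src": src, "delta_s": int((max(ts) - min(ts)).total_seconds())}
            for (pid, src), ts in groups.items() if (max(ts) - min(ts)).total_seconds() > tolerance_s]

def corroboration(events):
    """Sources naming each IP; an IP seen only by network sources hints the host logs were tampered."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add(e["source"])
    return dict(seen)
```

With these inputs the two host entries for in.ftpd[2103] disagree by 4h00m06s and 62.122.10.221 is corroborated only by the IDS and Netflow records, which is the reason the slides trust the network sources over the tampered host logs.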