Section 1.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE TECHNICAL FUNDAMENTALS.

Slides:



Advertisements
Similar presentations
20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Advertisements

Cisco 2 - Routers Perrine. J Page 14/30/2015 Chapter 10 TCP/IP Protocol Suite The function of the TCP/IP protocol stack is to transfer information from.
1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.
Presented by Serge Kpan LTEC Network Systems Administration 1.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
1 Version 3.0 Module 9 TCP/IP Protocol and IP Addressing.
Computer Networks & Security
Data Networking Fundamentals Unit 7 7/2/ Modified by: Brierley.
INTRODUCTION TO COMPUTER NETWORKS Navpreet Singh Computer Centre Indian Institute of Technology Kanpur Kanpur INDIA (Ph : ,
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
Network Layer (Part IV). Overview A router is a type of internetworking device that passes data packets between networks based on Layer 3 addresses. A.
1.  A protocol is a set of rules that governs the communications between computers on a network.  Functions of protocols:  Addressing  Data Packet.
Wireshark and TCP/IP Basics ACM SIG-Security Lance Pendergrass.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
IP Network Basics. For Internal Use Only ▲ Internal Use Only ▲ Course Objectives Grasp the basic knowledge of network Understand network evolution history.
OSI Model Routing Connection-oriented/Connectionless Network Services.
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
1/28/2010 Network Plus Security Review Identify and Describe Security Risks People –Phishing –Passwords Transmissions –Man in middle –Packet sniffing.
Chapter 4: Managing LAN Traffic
COEN 252 Computer Forensics
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
NetworkProtocols. Objectives Identify characteristics of TCP/IP, IPX/SPX, NetBIOS, and AppleTalk Understand position of network protocols in OSI Model.
Presentation on Osi & TCP/IP MODEL
What is FORENSICS? Why do we need Network Forensics?
Introduction to Networking. Key Terms packet  envelope of data sent between computers server  provides services to the network client  requests actions.
Common Devices Used In Computer Networks
ACM 511 Chapter 2. Communication Communicating the Messages The best approach is to divide the data into smaller, more manageable pieces to send over.
Operating Systems Lesson 10. Networking Communications protocol is the set of standard rules for ◦ Data representation ◦ Signaling ◦ Authentication ◦
1/28/2010 Network Plus Network Device Review. Physical Layer Devices Repeater –Repeats all signals or bits from one port to the other –Can be used extend.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
1 Review - OSI Model n OSI Reference Model u represents the communications process. u 7 layers: physical, data link, network, transport, session, presentation.
1 Version 3.0 Module 11 TCP Application and Transport.
Chapter Three Network Protocols By JD McGuire ARP Address Resolution Protocol Address Resolution Protocol The core protocol in the TCP/IP suite that.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
NETWORKING COMPONENTS AN OVERVIEW OF COMMONLY USED HARDWARE Christopher Johnson LTEC 4550.
CCNA 1 v3.0 Module 9 TCP/IP Protocol Suite and IP Addressing.
First, by sending smaller individual pieces from source to destination, many different conversations can be interleaved on the network. The process.
Data Networking Fundamentals Chapter 7. Objectives In this chapter, you will learn to: Discuss basic networking concepts, including the elements common.
INTRODUCTION TO NETWORKS 8/2/2015 SSIG SOUTHERN METHODIST UNIVERSITY.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
CCNA 1 v3.0 Module 9 TCP/IP Protocol Suite and IP Addressing
Security fundamentals Topic 6 Securing the network infrastructure.
NETWORKING FUNDAMENTALS. Network+ Guide to Networks, 4e2.
Security fundamentals Topic 10 Securing the network perimeter.
CSC 116 – Computer Networks Fall 2015 Instructor: Robert Spengler.
CTC 228 – Computer Networks Fall 2015 Instructor: Robert Spengler.
Page 12/9/2016 Chapter 10 Intermediate TCP : TCP and UDP segments, Transport Layer Ports CCNA2 Chapter 10.
Voice Over Internet Protocol (VoIP) Copyright © 2006 Heathkit Company, Inc. All Rights Reserved Presentation 5 – VoIP and the OSI Model.
Role Of Network IDS in Network Perimeter Defense.
CSC 116 Nov Administrative Required 2 nd exam will be next week on Wed  Nov 18th It will be short (10 questions) It will only cover chapters.
TCP/IP Protocol Suite and IP Addressing Presented By : Dupien AMS.
PART1: NETWORK COMPONENTS AND TRANSMISSION MEDIUM Wired and Wireless network management 1.
NT1210 Introduction to Networking
IST 201 Chapter 11 Lecture 2. Ports Used by TCP & UDP Keep track of different types of transmissions crossing the network simultaneously. Combination.
Security fundamentals
CompTIA Security+ Study Guide (SY0-401)
Link Layer 5.1 Introduction and services
Networking Devices.
Lec 2: Protocols.
Data Networking Fundamentals
Ken Gunnells, Ph.D. - Networking Paul Crigler - Programming
CompTIA Security+ Study Guide (SY0-401)
Topic 5: Communication and the Internet
Module 9: TCP/IP Protocol Suite and IP Addressing
TCP/IP Protocol Suite: Review
Network Architecture for Cyberspace
Computer Networks Protocols
Presentation transcript:

Section 1.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE TECHNICAL FUNDAMENTALS

SOURCES OF NETWORK-BASED EVIDENCE Network environments are usually varied and unique, but they all have similarities. There are many sources of evidence in a network. On the Wire In the Air Switches Routers DHCP Server Name Servers Authentication Server Network Intrusion Detection / Prevention Systems Firewalls Web Proxies Application Server Central Log Server

ON THE WIRE Physical cabling carries data over the network Typical network cabling; Copper : twisted pair or coaxial cable Fiber-optic lines Forensic Value: Wire tapping can provide real-time network data Tap types “Vampire” tap – punctures insulation and touches cables Surreptitious fiber tap – bends cable and cuts sheath, exposes light signal Infrastructure tap – plugs into connectors and replicates signal

IN THE AIR Wireless station – to – station signals Radio frequency (RF) Infrared (IR) – not very common Forensic Value: Can be trivial as information is often encrypted, however valuable information can still be obtained Management and controls frames are usually not encrypted Access points (AP) advertise theirs names, presence and capabilities Stations probes for APs and APs respond to probes MAC addresses of legitimate authenticated stations Volume-based statistical traffic analysis

SWITCHES “Switches are the glue that our hold LANs together” (Davidoff & Ham, 2012) Multiport bridges that physically connect network segments together Most networks connect switches to other switches to form complex network environments Forensic Value: Content addressable memory (CAM) table Stores mapping between physical ports and MAC addresses Platform to capture and preserve network traffic Configure one port to mirror traffic from other ports for capture with a packet sniffer

ROUTERS Connect traffic on different subnets or networks Allows different addressing schemes to communicate MANs, WANs and GANs are all possible because of routers Forensic Value: Routing tables Map ports on the router to networks they connect Allows path tracing Can function as packet filters Logging functions and flow records Most widely deployed intrusion detection but also most rudimentary

DHCP SERVERS Dynamic Host Configuration Protocol Automatic assignment of IP addresses to LAN stations Forensic Value: Investigation often begins with IP addresses DHCP leases IP addresses Create log of events IP address MAC address of requesting device Time lease was provided or renewed Requesting systems host name

NAME SERVERS Map IP addresses to host names Domain Name System (DNS) Recursive hierarchical distributed database Forensic Value: Configured to log queries Connection attempts from internal to external systems EX: websites, SSH servers, external mail servers Corresponding times Create timeline of suspect activities

AUTHENTICATION SERVERS Centralized authentication services Streamline account provisioning and audit tasks Forensic Value: Logs Successful and/or failed attempts Brute-force password attacks Suspicious login hours Unusual login locations Unexpected privileged logins

NETWORK INTRUSION DETECTION / PREVENTION SYSTEMS NIDSs and NIPSs were designed for analysis and investigation Monitor real time network traffic Detect and alert security staff of adverse events Forensic Value: Provide timely information In progress attacks Command – and – control traffic Can be possible to recover entire contents of network packets More often recovery is only source and destination IP addresses, TCP/UDP ports, and event time

FIREWALLS Deep packet inspection: forward, log or drop Based on source and destination IP, packet payloads, port numbers and encapsulation protocols Forensic Value: Granular logging Function as both infrastructure protection and IDSs Log Allowed or denied traffic System configuration changes, errors and other events

WEB PROXIES Two uses: Improve performance by caching web pages Log, inspect and filter web surfing Forensic Value: Granular logs can be retained for an extended period of time Visual reports of web surfing patterns according to IP addresses or usernames (Active Directory logs) Analyze phishing successes Inappropriate web surfing habits Web –based malware View end-user content in cache

APPLICATION SERVERS Common types: Database Web Chat VoIP / voic Forensic Value: Far too many to list!

CENTRAL LOG SERVER Combine event logs from many sources where they can be time stamped, correlated and analyzed automatically Can vary enormously depending on organization Forensic Value: Designed to identify and respond to network security events Save data if one server is compromised Retain logs from routers for longer periods of time then routers offer Commercial log analysis products can produce complex forensic reports and graphical representations of data

A QUICK PROTOCOL REVIEW Why know internet protocol? “Attackers bend and break protocols in order to smuggle covert data, sneak past firewalls, bypass authentication, and conduct widespread denial-of-service (DoS) attacks.” (Davidoff & Ham, 2012) OSI model for web surfing

INTERNET PROTOCOL SUITE REVIEW Forensic investigators must know TCP / IP very well, including key protocols and header fields. Must have a clear understanding of protocol including flow record analysis, packet analysis and web proxy dissection Designed to handle addressing and routing IP operates on layer 3 (network layer) Connectionless Unreliable Includes a header but no footer Header plus payload is called an IP packet

32-bit address space 2 32 (approx. 4.3 billion) possible addresses 128-bit address space (340 undecillion possible addresses) IPv4 VS IPv6

Transmission Control Protocol Reliable Handles sequencing Connection – oriented Port range 0 – Header but no footer Header plus payload – TCP segment User Datagram Protocol Unreliable Connectionless Port range 0 – Header but no footer Header plus payload – UDP datagram TCP VS UDP

Works Cited Davidoff, S., & Ham, J. (2012). Network Forensics Tracking Hackers Through Cyberspace. Boston: Prentice Hall.