Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 9: Internet and Network Forensics and Intrusion Detection
© Pearson Education Computer Forensics: Principles and Practices 2 Objectives Explain the operation of intrusion detection systems (IDSs) Discuss the value of using a network forensic analysis toolkit (NFAT) Identify the components of an NFAT
© Pearson Education Computer Forensics: Principles and Practices 3 Objectives (Cont.) List the different areas from which data can be extracted Understand how to use an NFAT to capture physical and logical network data Identify the most common NFAT systems
© Pearson Education Computer Forensics: Principles and Practices 4 Introduction Network forensic analysis has been around for some time. Intrusion detection systems (IDSs) work hand in hand with network forensic analysis toolkits (NFAT) and are addressed in this chapter. Limitations, both legal and technical, are also discussed.
© Pearson Education Computer Forensics: Principles and Practices 5 Intrusion Detection Systems Development of IDSs was the first attempt to address increasing numbers of network attacks An IDS looks for anomalies that differ from an established baseline IDSs categorized as Signature-based Anomaly-based
© Pearson Education Computer Forensics: Principles and Practices 6 Intrusion Detection Systems (Cont.) Common IDS solutions available today: Cisco Secure IDS Enterasys™ Dragon ® Elm 3.0 GFI LANguard S.E.L.M Intrust Event Admin Snort ® Tripwire eTrust ®
© Pearson Education Computer Forensics: Principles and Practices 7 Reactive and Active Systems An IDS is a reactive security system Can tell you someone has broken in and where, but cannot record how burglary is taking place Cannot gather forensic evidence admissible in court of law For more active sensing, an NFAT system is required NFATs enable an investigator to replay, isolate, and scrutinize an intrusion
© Pearson Education Computer Forensics: Principles and Practices 8 Reactive and Active Systems (Cont.) NFAT developers faced a number of challenges: Lack of infrastructure for forensic data collection, storage, and dissemination Rapid growth in network traffic Labor-intensive forensics processes that span multiple administrative domains Current logging mechanisms that prevented forensic analysts from exploring networks incrementally
© Pearson Education Computer Forensics: Principles and Practices 9 Real-Time NFAT Analysis An NFAT should be able to: Forensically capture complete and correct e- evidence Keep up with ever-increasing network speeds Store captured e-evidence for long periods of time for extended investigations Keep the e-evidence secure to preserve the integrity of collected e-evidence
© Pearson Education Computer Forensics: Principles and Practices 10 Real-Time NFAT Analysis (Cont.) The newest NFAT systems show an entire network in GUI format Real-time means being able to counter an attack while it is taking place Military refers to this as “cyberwarfare” Example systems: Carnivore eTrust
© Pearson Education Computer Forensics: Principles and Practices 11 Inside Threats A company’s worst enemy could be inside the network Employees have access to sensitive proprietary information that needs to be secured
© Pearson Education Computer Forensics: Principles and Practices 12 FYI: FBI’s Carnivore— a Network Forensics Tool Carnivore was an Internet packet sniffer designed to capture messages and reconstruct Web pages Ability to capture such data without a warrant raised civil liberties issues
© Pearson Education Computer Forensics: Principles and Practices 13 Real-Time NFAT Analysis (Cont.) Newer NFAT systems now allow the user to take an image of a host computer connected to a network without the knowledge of the user This capability can save incident response hours but raises ethical questions
© Pearson Education Computer Forensics: Principles and Practices 14 Network Forensics Abuse With an NFAT system anyone can: Spy on users’ Capture passwords Know what Web pages were viewed Covertly see the contents of a customer’s shopping cart
© Pearson Education Computer Forensics: Principles and Practices 15 Components of an NFAT System Common components include: Agents—software modules used to monitor, retrieve, or intercept network data Server—centralized computer or computers that hold the data collected from the network Examiner computer—computer where the forensic/security examiner does the analysis of data
© Pearson Education Computer Forensics: Principles and Practices 16 Using an NFAT to Capture Data Catch it as you can This method captures everything coming across the network Typically not used as a proactive method Stop, look, and listen Filtering method Processor speed and buffer memory size are critical Analysis is done in real-time
© Pearson Education Computer Forensics: Principles and Practices 17 Data Sources on a Network Host computers—a major source of forensic data Firewalls—basic logging enabled to document failed or denied connections Firewalls categorized according to functions Network layer firewall—acts like an IP filter Application layer firewall—works at the application layer to permit or deny packets Proxy firewall—acts as a mediator between internal hosts/applications and external connections
© Pearson Education Computer Forensics: Principles and Practices 18 Data Sources on a Network (Cont.) DHCP servers—dynamically assign IP ad- dresses when computers connect to network NFAT/IDS agents—collect information from host in response to NFAT/IDS server request IDS/network monitoring software—monitors network system performance to create baselines Packet sniffers—collect data straight from network media; also are protocol analyzers
© Pearson Education Computer Forensics: Principles and Practices 19 In Practice: Detecting Credit Card Fraud Credit card fraud in 2003 identified a company that provided electronic payment software to retail outlets Criminals gained access to data contained in magnetic stripe of credit cards Investigators found a backdoor and keystroke logger Investigators set a trap using packet sniffer, dummy files, and Tripwire
© Pearson Education Computer Forensics: Principles and Practices 20 Physical Aspects of Capturing Data Devices used to collect information: Switch port analyzer (SPAN) Test access port (TAP) Host inline device Hubs Wireless access points (WAPs)
© Pearson Education Computer Forensics: Principles and Practices 21 Logical Aspects of Capturing Data Agents Small programs located on a network host that allow the NFAT server to view, copy, or modify a host remotely Agent file is usually disguised to avoid detection Logs NFAT software can accept input from almost any device that generates a log file NFATs can sift through millions of log entries to extract important data
© Pearson Education Computer Forensics: Principles and Practices 22 Logical Aspects of Capturing Data (Cont.) Network data Collected through sniffers and stored for later analysis Data may be in raw format or in fields that can be queried NFAT software usually contains a query language such as SQL to extract information
© Pearson Education Computer Forensics: Principles and Practices 23 Examining Data Verifying the integrity of the data There are guidelines that can help ensure the integrity of network data: Logs Time/date stamps IDS alerts Database integrity
© Pearson Education Computer Forensics: Principles and Practices 24 Examining Data (Cont.) Analyzing the data for attacks NFATs can use real-time analysis to detect intrusions Use forensic features of NFAT to image suspect hosts and store data for future analysis Pattern analysis Uses baselines to determine what is normal for a system Patterns in data traffic signal changes in network
© Pearson Education Computer Forensics: Principles and Practices 25 Examining Data (Cont.) Content analysis Also known as deep packet inspection Used for real-time analysis of content such as e- mail or text documents Timeline sequencing analysis Used to construct an overview of events Playback analysis Used to replay specific network communications Can examine specific traffic while ignoring the rest
© Pearson Education Computer Forensics: Principles and Practices 26 NFAT Software Tools All applications discussed in this chapter offer the following features: Real-time network data capture Content analysis Forensic knowledge base Reporting
© Pearson Education Computer Forensics: Principles and Practices 27 NFAT Software Tools (Cont.) Computer Associates’ eTrust GUI visualization Pattern analysis Incident playback Communication sequencing
© Pearson Education Computer Forensics: Principles and Practices 28 NFAT Software Tools (Cont.) Guidance Software EnCase ® forensic software includes IDS and network forensic capabilities Software can also perform enterprise-wide keyword searches Enterprise edition also creates audit trail to ensure proper chain of custody and track abuses
© Pearson Education Computer Forensics: Principles and Practices 29 NFAT Software Tools (Cont.) Paraben ® software P2 ® Enterprise software preserves data integrity using encryption from agent to server and examiner’s station to server P2 can record information coming across a network for real-time analysis or to review later Can take a “snapshot” of a host machine and archive results
© Pearson Education Computer Forensics: Principles and Practices 30 Summary IDSs of the past are being tailored as the input systems for NFAT systems NFAT software can be used to overcome data integrity issues Several data sources are available in networks
© Pearson Education Computer Forensics: Principles and Practices 31 Summary (Cont.) NFAT systems utilize two different data collection methods Catch it as you can Stop, look, and listen Common NFAT systems were also discussed The area of network forensics is just beginning to mature to the point of acceptance of evidence in court
© Pearson Education Computer Forensics: Principles and Practices 32 Summary (Cont.) Only surface possibilities and uses of forensic software have been touched upon in this chapter Data collection is becoming easier for forensic purposes Technology is available to ease the burden of data collection