Presentation is loading. Please wait.

Presentation is loading. Please wait.

Section 3.2 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE CASE STUDY : ANN’S RENDEZVOUS.

Published byLinda Daniels Modified over 9 years ago

Similar presentations

Presentation on theme: "Section 3.2 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE CASE STUDY : ANN’S RENDEZVOUS."— Presentation transcript:

1 Section 3.2 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE CASE STUDY : ANN’S RENDEZVOUS

2 THE MISSION The case: After being released on bail, Ann Dercover disappears! Fortunately, investigators were carefully monitoring her network activity before she skipped town. “We believe Ann may have communicated with her secret lover, Mr. X, before she left,” says the police chief. “The packet capture may contain clues to her whereabouts.” Challenge: You are the forensic investigator. Your mission is to analyze the packet capture and gather information about Ann’s activities and plans. The following questions will help guide your investigation: Provide any online aliases or addresses and corresponding account credentials that may be used by the suspect under investigation. Who did Ann communicate with? Provide a list of email addresses and any other identifying information. Extract any transcripts of Ann’s conversations and present them to investigators. If Ann transferred or received any files of interest, recover them. Are there any indications of Ann’s physical whereabouts? If so, provide supporting evidence.

3 THE MISSION CONTINUED Network: Internal network: 192.168.30.0/24 DMZ: 10.30.30.0/24 The “Internet”: 172.30.1.0/24 [Note that for the purposes of this case study, we are treating the 172.30.1.0/24 subnet as “the Internet.” In real life, this is a reserved nonroutable IP address space.] Evidence: Investigators provide you with a packet capture from Ann’s home network, “evidence-packet-analysis.pcap.” They also inform you that in the course of their monitoring, they have found that Ann’s laptop has the MAC address 00:21:70:4D:4F:AE. Pg. 135

4 ANALYSIS: PROTOCOL SUMMARY Begin by taking a high-level look at the packet Wireshark > Statistics > Protocol Hierarchy Notice the presence of “Bootstrap Protocol” Used for DHCP request and response

5 DHCP TRAFFIC Examine using Wireshark Display Filter “eth.addr == 00:21:70:4d:4f:ae and bootp Wireshark automatically looks up the registered OUI, “00:21:70,” and displays the corresponding manufacturer, Dell. Can be verified using IEEE Request address is 192.168.30.108 Host name matches Ann Router 192.168.31.10 DNS 10.30.30.20

6 DHCP CONTINUED Router 192.168.31.10 DNS 10.30.30.20 Renewal Time Value of 30 minutes

7 KEYWORD SEARCH Matches seven packets Three contain a conversation with 64.12.168.40 TCP port 587 (SMTP) Four contain a conversation with 205.188.58.10 TCP port 143 (IMAP)

8

9 EXAMINE SMTP Use Wireshark’s “Follow TCP Stream” to isolate packets beginning with 2011/05/17 13:33:07.203874

10 EXAMINATION CONTINUED Notice Ann’s authentication is in plain text: Her credentials are only Base-64-encoded, not encrypted Take note of the sender and receiver: Look at the body of the email: Next look at the SMTP packet 2011/05/17 13:34:16.481132 User: sneakyg33ky@aol.com Receiver: d4rktangent@gmail.com

11 EXAMINATION CONTINUED AGAIN Examination of the third packet matching SMTP using command line Look at the content from 192.168.30.108 (Ann’s computer) to remote server 64.12.168.40 We are interested in the outbound content reconstruction Notice the From: ID, the To: ID and the body of the email As the message suggests there is an attachment

12 SMTP ANALYSIS – ATTACHMENT FILE CARVING $ bless 192.168.030.108.01689 -064.012.168.040.00587 Cut the SMTP and MIME protocol information Attachment of greatest interest is labeled Start carving After set of 0x0D & 0x0A CRLF Carriage-return/linefeed Finish carving Just before the second set Save file as “evidence-packet-analysis-smtp3-attachment”

13 ATTACHMENT FILE CARVING CONTINUED We need to remove the line breaks before decoding the Base64 encoding Use “fromdos” which is part of the “tofrodos” Debian package $ fromdos -b evidence -packet -analysis -smtp3 –attachment Decode $ base64 -d evidence -packet -analysis -smtp3 -attachment > secretrendezvous.docx Check file type $ file secretrendezvous.docx secretrendezvous.docx: Zip archive data, at least v2.0 to extract Make cryptographic checksums

14 VIEW THE ATTACHMENT Always work with a copy

15 MORE CARVING Lets carve the image out of the.docx file Start by unzipping the file Notice the.png file Take the cryptographic checksum View a copy of the image

16 FINDING ANN THE EASY WAY Use NetworkMiner

17 EASY WAY CONTINUED “NetworkMiner automatically parses headers and displays them along with the body of each SMTP message. It can also show other types of messages, such as IMs.” Pg 151 “The “Files” tab displays files that NetworkMiner automatically carved out of the packet capture.” Pg 151

18 SMTPDUMP Use smtpdump to: analyze SMTP flow #3 in the packet capture (-f 3) extract attachments (-x) print the MD5sum (-m) print authentication data (-A)

19 DOCXTRACT Use docxtract to: extract all images from the carved.docx attachment (-x -i) print the corresponding cryptographic checksum (-m)

20 FINDSMTPINFO.PY Can be used to : Print SMTP authentication information Extract all messages from the packet capture Extract all attachments from the messages Print the MD5 sums for each of the attachments Extract the files embedded within the.docx file Print the MD5 sums for each of the embedded files Produces reports suitable for professional forensic reports Pg. 152

21 FINDSMTPINFO.PY CONTINUED Example:

22 FINDSMTPINFO.PY CONTINUED AGAIN Tool will: automatically unzip attached.docx file Extract embedded files MD5sums

23 TIMELINE All times listed below occurred on May 17, 2011. 13:32:01.419886 —Packet capture begins 13:32:03.166396 —First DHCP Request from 00:21:70:4d:4f:ae (Ann’s computer) 13:32:03.167145 —DHCP ACK from 192.168.30.10 to Ann’s computer, assigning 00:21:70:4d:4f:ae the IP address 192.168.1.108 with a 1-hour lease time. 13:33:05.834649--13:33:07.847758 —First SMTP conversation. Email sent from Ann’s computer with sender sneakyg33ky@aol.com and recipient inter0pt1c@aol.com. 13:34:15.110657--13:34:17.204721 —Second SMTP conversation. Email sent from Ann’s computer with sender sneakyg33ky@aol.com and recipient d4rktangent@gmail.com. 13:35:15.504697--13:35:23.263802 —Third SMTP conversation. Email sent from Ann’s computer with sender sneakyg33ky@aol.com and recipient mistersekritx@aol.com. 13:35:23.263802 —Packet capture ends Pg 154

24 THE CASE THEORY Ann Dercover connected her laptop (“ann-laptop”) to the network on May 17, 2011, at 13:32:03. Her computer was probably manufactured by Dell. At 13:33:05, Ann sent email from her AOL account, sneakyg33ky@aol.com, to inter0pt1c@aol.com, asking the recipient, “Hey, can you hook me up quick with that fake passport you were talking about?” At 13:34:15, Ann sent email from her AOL account, sneakyg33ky@aol.com, to d4rktangent@gmail.com, informing the recipient, “Sorry—I can’t do lunch next week after all. Heading out of town. Another time!” At 13:35:15, Ann sent email from her AOL account, sneakyg33ky@aol.com, to mistersekritx@ aol.com, with the message, “Hi sweetheart! Bring your fake passport and a bathing suit. Address attached. love, Ann.” The email had a.docx attachment that contained an address and a map. Pg 155

25 CHALLENGE QUESTION RESPONSES Provide any online aliases or addresses and corresponding account credentials that may be used by the suspect under investigation. Based on our SMTP analysis, there are indications that Ann Dercover uses the email address sneakyg33ky@aol.com, and that her password is “s00pers3kr1t.” Who did Ann communicate with? Provide a list of email addresses and any other identifying information. We have seen that sneakyg33ky@aol.com sent emails to the following recipients: inter0pt1c@aol.com d4rktangent@gmail.com mistersekritx@aol.com

26 RESPONSES CONTINUED Extract any transcripts of Ann’s conversations and present them to investigators. Here is a quick summary of Ann’s conversations, sent via SMTP: SMTP Message #1 Sender: sneakyg33ky@aol.com Recipient: inter0pt1c@aol.com Date [beginning of SMTP conversation]: May 17, 2011 13:33:05 Subject: need a favor Message [formatting removed]: Hey, can you hook me up quick with that fake passport you were talking about? - Ann Attachments of interest: None Pg. 155

27 RESPONSES CONTINUED AGAIN SMTP Message #2 Sender: sneakyg33ky@aol.com Recipient: d4rktangent@gmail.com Date [beginning of SMTP conversation]: May 17, 2011 13:34:15 Subject: lunch next week Message [formatting removed]: Sorry—I can’t do lunch next week after all. Heading out of town. Another time! - Ann Attachments of interest: None SMTP Message #3 Sender: sneakyg33ky@aol.com Recipient: mistersekritx@aol.com Date [beginning of SMTP conversation]: May 17, 2011 13:35:15 Subject: rendezvous Message [formatting removed]: Hi sweetheart! Bring your fake passport and a bathing suit. Address attached. love, Ann Attachments of interest: secretrendezvous.docx Pg. 156

28 AND AGAIN If Ann transferred or received any files of interest, recover them. We recovered one Office Open XML Document (.docx) file, attached to Ann’s email to mistersekritx@aol.com. The MD5 checksum of the.docx file was: 9049b6d9e26fe878680eb3f28d72d1d2 The SHA256 checksum was: 24601c174587be4ddfff0b9e6d598618c6abfcfadb16f7dd6dbd7a24aed6fec8 The document began with the text, “Meet me at the fountain near the rendezvous point. Address below. I’m bringing all the cash.” This was followed by a PNG image of a map with an address. Pg 156

29 AND AGAIN Are there any indications of Ann’s physical whereabouts? If so, provide supporting evidence. The document that Ann sent to mistersecretx@aol.com indicates that she would like to meet him at the following address: Playa del Carmen 1 Av Constituyentes 1 Calle 10 x la 5ta Avenida Playa del Carmen, 77780, Mexico 01 984 873 4000 Of course, there is no guarantee that Ann and/or the email recipient ever traveled to this location. Perhaps Ann was trying to throw us off her trail! Pg 156

30 THE NEXT STEP Conduct further analysis on the packet capture to see if there are more emails, web traffic, etc. If there is sufficient evidence, a warrant might be in order to monitor Ann’s email account and / or open her account using her credentials and investigate her past email activity.

31 Works Cited Davidoff, S., & Ham, J. (2012). Network Forensics Tracking Hackers Through Cyberspace. Boston: Prentice Hall. Disclaimer: All information and data pulled directly from this book. Pages 135 - 157

Download ppt "Section 3.2 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE CASE STUDY : ANN’S RENDEZVOUS."

Similar presentations

Section 3.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE

Section 3.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE
Using Outlook 2010. Benefits of Using Outlook Now – Better formatting of HTML mail (with bullets, fonts, etc.) – Great calendar, ability to send meeting.

Using Outlook Benefits of Using Outlook Now – Better formatting of HTML mail (with bullets, fonts, etc.) – Great calendar, ability to send meeting.
Case study : The curious mr. x

Case study : The curious mr. x
6 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Electronic Mail Electronic mail has revolutionized the way people communicate.

6 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Electronic Mail Electronic mail has revolutionized the way people communicate.
Network Services Networking for Home & Small Business.

Network Services Networking for Home & Small Business.
Section 2.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE

Section 2.1 Network Forensics TRACKING HACKERS THROUGH CYBERSPACE
OR I know what you downloaded last night! By: GTKlondike.

OR I know what you downloaded last night! By: GTKlondike.
Chapter Extension 7 How the Internet Works © 2008 Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 7 How the Internet Works © 2008 Prentice Hall, Experiencing MIS, David Kroenke.
Chapter 29 Structure of Computer Names Domain Names Within an Organization The DNS Client-Server Model The DNS Server Hierarchy Resolving a Name Optimization.

Chapter 29 Structure of Computer Names Domain Names Within an Organization The DNS Client-Server Model The DNS Server Hierarchy Resolving a Name Optimization.
CIS101 Introduction to Computing

CIS101 Introduction to Computing
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Downloading and Installing AutoCAD Architecture 2015 This is a 4 step process 1.Register with the Autodesk Student Community 2.Downloading the software.

Downloading and Installing AutoCAD Architecture 2015 This is a 4 step process 1.Register with the Autodesk Student Community 2.Downloading the software.
Chapter 30 Electronic Mail Representation & Transfer

Chapter 30 Electronic Mail Representation & Transfer
August 15 click! 1 Email Basics Kitsap Regional Library.

August 15 click! 1 Basics Kitsap Regional Library.
Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.

Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.
Internet Basics.

Internet Basics.
The OSI and TCP/IP Models Last Update 2009.06.29 1.0.0 1Copyright 2009 Kenneth M. Chipps Ph.D. www.chipps.com.

The OSI and TCP/IP Models Last Update Copyright 2009 Kenneth M. Chipps Ph.D.
Wireshark and TCP/IP Basics ACM SIG-Security Lance Pendergrass.

Wireshark and TCP/IP Basics ACM SIG-Security Lance Pendergrass.
» Explain the way that electronic mail (e-mail) works » Configure an e-mail client » Identify e-mail message components » Create and send e-mail messages.

» Explain the way that electronic mail ( ) works » Configure an client » Identify message components » Create and send messages.
Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 E-mail Investigations.

Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 Investigations.

Similar presentations

Ads by Google