
1 Whodunit? Beginning the cyber investigation

2 Addresses
- MAC address
  - Network card (NIC, network interface card)
  - Identifies a physical device: the card itself!
  - This is how a packet is delivered on a local network
- Network (IP) address
  - Logical address, associated with a MAC address
  - Identifies a LOGICAL device

3 MAC address
- Series of six hexadecimal octets, e.g. 00-3E-42-A6-51-0E
- "Burned in" by the manufacturer
- In reality, it can be changed in many cases

4 IP address
- "Dotted decimal" or "dotted quad"
- 32 bits (4 octets); each octet has a value from 0 thru 255, e.g. 192.168.0.1
- Each IP address has a
  - Prefix: identifies a network
  - Suffix: identifies a host (device) on that network

5 IP addresses
- IP "prefixes" must be unique on a global basis
- The suffixes must be unique on the local level

6 IP delivery
- The IP address is used to deliver a message
- A comparison using the subnet mask determines whether the destination is on the:
  - Local network: a lookup is performed for the MAC address matching the destination IP
  - Remote network: the packet is sent to the 'gateway' / router
    - The router decides the next hop to send the packet toward the destination network (determined by the prefix)
    - On arrival at the remote network, a lookup is performed for the MAC address matching the destination IP

7 IP addresses
- The prefix part identifies a class A, B or C range
  - A uses the last 3 octets to identify a host
  - B uses the last 2 octets
  - C uses the last octet
- If the octet identifying the host is "0", it means the entire network
  - 192.168.1.0 means the entire 192.168.1 network
- If the suffix octet is 255 (all binary 1's), it is the broadcast address for that network
  - 192.168.1.255 sends to all on the 192.168.1 net

8 CIDR Classless Inter-Domain Routing

9 Rationale
- Class "C" addresses need entries in network routing tables
  - Too many unique entries
  - Affects the performance of the router
- Develop a different "network identifier"
  - Allocate a number of bits to identify the network
  - Class C uses 24 bits for the network and the remaining 8 bits for the host on the network

10 Routing
- A network mask is needed to determine the network identifier in the IP address
- Routing can be done using contiguous blocks of class C addresses represented by a single entry in the routing table
- Improves the scalability of the routing system

11 Supernet
- Arbitrary sized network
- Create a network from a contiguous block of "C" addresses
- Criteria
  - Consecutive address ranges: 192.168.6.0 and 192.168.7.0
  - The third octet of the first address range must be divisible by 2: 192.168.6.0
- The new network can have up to 512 unique hosts
- The new netmask is 255.255.254.0
  - 9 bits available for the host address

12 Supernet
- Combination of more than two class C networks
  - Done in powers of 2
  - The third octet must be divisible by the number of networks you're combining
- 192.168.16.0, 192.168.17.0, … 192.168.24.0: 8 networks combined
  - Netmask 255.255.248.0
  - 21 bits used for the network, the remaining 11 for the host
  - 192.168.19.45/21: an IP address whose first 21 bits identify the network
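The delivery decision of slide 6 and the supernet criteria of slides 11 and 12, worked through with Python's standard ipaddress module. This is an added example, not code from the presentation; the function names and the sample addresses outside the slides are mine.

```python
import ipaddress

def delivery_decision(src_ip, netmask, dst_ip):
    """Slide 6: compare source and destination under the subnet mask.
    'local'  -> look up the destination MAC (ARP) on this segment
    'remote' -> hand the packet to the gateway / router"""
    segment = ipaddress.IPv4Network(f"{src_ip}/{netmask}", strict=False)
    return "local" if ipaddress.IPv4Address(dst_ip) in segment else "remote"

def supernet(cidrs):
    """Slides 11-12: merge consecutive class C (/24) blocks into one supernet.
    Enforces the slide criteria: a power-of-two count, contiguous ranges, and a
    first block whose third octet is divisible by the number of blocks."""
    nets = sorted(ipaddress.IPv4Network(c) for c in cidrs)
    count = len(nets)
    if count == 0 or count & (count - 1):
        raise ValueError("number of networks must be a power of 2")
    if any(n.prefixlen != 24 for n in nets):
        raise ValueError("only class C (/24) blocks are combined here")
    for a, b in zip(nets, nets[1:]):
        if int(b.network_address) != int(a.network_address) + a.num_addresses:
            raise ValueError(f"{a} and {b} are not consecutive")
    borrowed = count.bit_length() - 1      # 2 blocks -> 1 bit, 8 blocks -> 3 bits
    new_prefix = 24 - borrowed
    # strict=True raises when host bits are set in the first address, i.e. when its
    # third octet is not divisible by `count` (192.168.7.0/23 fails, 192.168.6.0/23 is fine)
    return ipaddress.IPv4Network((nets[0].network_address, new_prefix), strict=True)

def describe(agg):
    """Netmask, address count and host bits, the figures the slides quote."""
    return {"netmask": str(agg.netmask), "addresses": agg.num_addresses,
            "host_bits": 32 - agg.prefixlen}

if __name__ == "__main__":
    two = supernet(["192.168.6.0/24", "192.168.7.0/24"])
    print(two, describe(two))        # 192.168.6.0/23, netmask 255.255.254.0, 512 addresses
    eight = supernet([f"192.168.{o}.0/24" for o in range(16, 24)])
    print(eight, describe(eight))    # 192.168.16.0/21, netmask 255.255.248.0
    # slide 20: a mask narrower than the segment sends a local peer to the gateway
    print(delivery_decision("192.168.6.10", "255.255.255.0", "192.168.7.20"))  # remote
    print(delivery_decision("192.168.6.10", "255.255.254.0", "192.168.7.20"))  # local
```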

13 Ports
- TCP and UDP ports identify the 'processes' running
- Numbered 1 to 65535
- "Well known ports" are associated with services:
  - 80      HTTP
  - 20, 21  FTP
  - 443     HTTPS
  - 110     POP3
  - 23      TELNET
  - 25      SMTP

14 Private Network

15 Cable Modem

16 Private Network thru Cable Modem

17 Tools
- Connection properties
- arp
- ping
- ipconfig
- pathping
- nslookup
- Enable/Disable/Repair

18 TCP/IP properties
- Control Panel, Network connections
- Locate the connection (typically Local Area Network)
- Right click and find the 'properties' tab
  - Client for Microsoft networks
  - File/printer sharing
  - Internet Protocol (TCP/IP)

19 Properties of TCP/IP
- DHCP
  - Look for my IP address using a DHCP server, which assigns it to me
  - Should also retrieve the settings for
    - Gateway (the way out of the network)
    - DNS (lookup service from URL to IP)
    - Network (subnet) mask
- Alternative: specify the IP yourself
  - Make sure it's not already assigned
  - Specify your own netmask, DNS and gateway

20 Properties of TCP/IP
- If you only need to talk between local devices
  - No need for a gateway in general
  - Unless you're looking up URLs, no need for DNS
- The network mask should be consistent with the IP address pattern on that network segment
  - A 'mismatch' will cause the packet to be sent to the router (gateway), because the host thinks the address is not local
  - A 'mismatch' may make the host believe that a foreign address is on your local network, so the packet will not be routed

21 Toolbox Applying your knowledge

22 Tools
- ipconfig / ifconfig
- ping
- pathping
- tracert / traceroute
- arp
- netstat
- nslookup
- dig
- whois
- host

23 So many tools… So little time…
- Live incident or autopsy?
- Volatile information first
- Disturbing the system
- Durable / non-volatile information

24 Windows Volatile Information Going, Going……

25 Volatile
- Information residing in memory
  - Temporary nature: gone on shutdown
  - Time sensitive: gone before shutdown
- What do you go for first???
- Minimize the footprint you leave as you collect the data

26 Order of Volatility
1. Registers and cache
2. Routing table, arp tables, process table, kernel statistics, connections
3. Temp file systems
4. Hard disk / non-volatile storage systems
5. Remote / offsite logging and monitoring data
6. Physical configuration and network topology
7. Archival media

27 Types of Volatile Information
- System time
- Users on the system
- Processes running
- Connections
- Status of the network
- Clipboard
- Command history
- Services and drivers

28 Common Errors
- No documentation on the baseline system
- Failing to document your collection process
- Shutdown or reboot of the machine
  - Closing down the terminal or shell should also not be done
- Reliance on the suspect machine

29 Methodology
1. Preparation
2. Document the Incident
3. Policy Verification
4. Volatile Data Collection Strategy
5. Volatile Collection Setup
6. Volatile Collection Process

30 Preparation
- Toolkit
- Guidelines
- Policies

31 Documentation
- Profile
  - How detected
  - Scenario
  - Time of occurrence
  - Who/what reported it
  - Hardware and software involved
  - Contacts for involved personnel
  - How critical is the suspicious system
- Collection Logbook
  - Who is collecting
  - History of tools used and executed commands
  - Generated output and reports
  - Timestamp of executed commands
  - Expected system changes as you execute commands
- Forensics toolkit logbook
  - Usage, output and effects

32 Policy Verification
- Examine policies for violations of rights by your actions
  - User signed policies
  - Consent
- Establish your legal boundaries

33 Volatile Data Collection Strategy
- Types of data to collect
- Tools to do the job
- Where is the output saved?
- Administrative vs. user access
- Media access (USB, floppy, CD)
- Is the machine connected to the network?

34 Volatile Collection Setup
- Trusted command shell
- Establish the transmission and storage method
- Ensure the integrity of the forensic toolkit output: MD5 hash

35 Volatile Collection Process
- Collect uptime, time, date and command history
  - Generate the time/date to establish an audit trail
  - Begin the command history to document your collection
- Collect all volatile information: system and network information
- End the collection with date/time and command history
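Slides 31, 34 and 35 together describe the collection logbook: a date/time stamp to open the audit trail, every command with its timestamp, exact command line, output and MD5 hash, and a stamp to close. The script below is an added illustration of that record keeping, not part of the presentation; SAMPLE_COMMANDS are constructed stand-ins (python one-liners) for the toolkit commands, and the function names are mine.

```python
import datetime
import hashlib
import subprocess
import sys

# Constructed stand-ins for toolkit commands (pslist, netstat, ...) so the
# script runs anywhere; on a live system these would be the trusted-shell
# tools chosen in the collection strategy.
SAMPLE_COMMANDS = [
    [sys.executable, "-c", "import platform; print(platform.node())"],
    [sys.executable, "-c", "print('constructed process list')"],
]

def md5_hex(data: bytes) -> str:
    """MD5 of tool output, as slide 34 specifies (add SHA-256 alongside if policy asks)."""
    return hashlib.md5(data).hexdigest()

def utc_now() -> str:
    return datetime.datetime.now(datetime.timezone.utc).isoformat()

def stamp(label: str) -> dict:
    """A logbook entry that records only a time and a label (the audit-trail markers)."""
    return {"started": utc_now(), "cmd": label, "rc": 0, "output": b"", "md5": md5_hex(b"")}

def run_logged(cmd: list) -> dict:
    """Run one command; keep its timestamp, exact command line, output and hash."""
    started = utc_now()
    proc = subprocess.run(cmd, capture_output=True, timeout=60)
    output = proc.stdout + proc.stderr
    return {"started": started, "cmd": " ".join(cmd), "rc": proc.returncode,
            "output": output, "md5": md5_hex(output)}

def run_collection(commands, collector="analyst") -> list:
    """Slide 35 order: date/time first, every command, then date/time again."""
    entries = [stamp(f"BEGIN collection by {collector}")]
    entries += [run_logged(cmd) for cmd in commands]
    entries.append(stamp("END collection"))
    return entries

def write_logbook(entries, path) -> str:
    """Write the logbook to the analyst's own media (not the suspect disk); return its MD5."""
    lines = [f"{e['started']}\t{e['cmd']}\trc={e['rc']}\tmd5={e['md5']}\n" for e in entries]
    data = "".join(lines).encode()
    with open(path, "wb") as fh:
        fh.write(data)
    return md5_hex(data)

if __name__ == "__main__":
    log = run_collection(SAMPLE_COMMANDS)
    print(write_logbook(log, "collection_logbook.txt"), "<- hash of the logbook itself")
```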

36 System Time

37 Systeminfo.exe (XP and 2003)

38 Uptime
- Uptime from www.dwam.net/docs/aintx
- Psinfo from Sysinternals

39 Users
- Psloggedon (Sysinternals)
- Netusers.exe (Somarsoft)
  - Two switches: /l local logged on, /h history
- Net session
  - Users
  - Name / IP of client
  - Client type

40 Processes
- Identify
  - Executable
  - Command line used
  - How long was it running?
  - Security context
  - Modules or DLLs it's accessing
  - Memory used

41 Pslist (Sysinternals)

42 Task Manager

43 Pslist -t

44 ListDLLs (Sysinternals)

45 handle (Sysinternals)

46 Tasklist

47 PS (Aintx)

48 Cmdline
- DiamondCS, www.diamondcs.com.au

49 Process Memory
- Current state of processes
  - Passwords
  - Server addresses
  - Remote connections

50 pmdump www.NTSecurity.nu

51 pmdump
- Option: List
  - Lists the PIDs
- Then… dump the PID: pmdump ###
- Use another tool then to view the contents ("strings" from Sysinternals)

52 Network Info Ipconfig

53 Promiscdetect
- www.netsecurity.nu
- Works on the local host, not remote

54 Netstat Lists connections

55 Nbtstat Net Bios connections

56 Fport
- Foundstone
- Maps ports to the processes using them
- Requires Administrator!

57 OpenPorts
- www.DiamondCS.com.au
- Ports mapped to process
- Administrator access not required

58 With netstat option

59 With fport option

60 OpenFiles

61 Protected storage
- Used for storing information
  - Private keys for using SSL and S/MIME

62 Following the Leads


64 Ohio State University
