6th Annual Workshop on the Teaching Computer Forensics
Enhancing the Experience in Network Incident Investigations
Dr. Jianming Cai (j.cai@londonmet.ac.uk), Ms. Angeliki Parianou (ANP0774@londonmet.ac.uk), and Ms. Bo Li (b.li@londonmet.ac.uk)
Faculty of Computing, London Metropolitan University
Topics
–Network incident investigation
–Experiment in the real world
–The experimental platform
–Platform test
–Forensic evidence collected/analysis
–Summary
Network Incident Investigation
Network Forensics:
–computing has become network-centric
–growing popularity of the Internet at home
–data is available outside of the disk-based digital evidence
It can be a standalone investigation or run alongside a computer forensics analysis (to reveal links between digital devices or to reconstruct how a crime was committed).
Investigators often have to rely on packet filters, firewalls, and intrusion detection systems that were set up to anticipate breaches of security.
Data is now more volatile and unpredictable.
When investigating a network intrusion, the investigator and the attacker are often of similar skill level, whereas in other areas of digital forensics the investigator is often the more highly skilled.
Experiment in the Real World
There is therefore an increasing demand for Computer Forensics graduates to enhance their experience in network incident investigations.
Institutions' security policies restrict students from practising Network Forensics in the real world.
Network Forensics exercises therefore often have to rely on case studies extracted from textbooks.
A platform that enables students to practise network incident investigation on real-life cases is desirable.
The Experimental Platform
The platform we developed is composed of a low-interaction honeypot and a rule-based IDS. The software packages employed are Honeyd and Snort.
Based on this platform, students can analyse malicious activities, collect evidence, and launch incident investigations.
Network Topology of the Platform
(Figure: the "Network Forensics" Lab and the Institutional Network)
Advantages of the Platform
Relatively independent of the institution's network servers, so it raises no issues with the institution's network security and admin policies.
Allows gathering network forensic information, investigating real-life cases, and collecting the evidence needed for apprehension and prosecution of network intruders.
The software employed in this platform is freely available for students' home use, i.e. it is low cost and flexible in practice.
The Deployed Honeyd (with eight virtual honeypots)
Arpd: a daemon that listens to ARP (Address Resolution Protocol) requests and answers for IP addresses that are unallocated.
The Deployed Honeyd (Cont.)
The virtual honeypots deployed include:
–A Linux honeypot with the personality "Linux kernel 2.4.20"
–A Windows honeypot with the personality "Microsoft XP Pro SP1"
–A Router honeypot with the personality "Cisco IOS 11.3-12.0(11)"
–A Server honeypot with the personality "Microsoft Server 2003"
–A Mydoom-vulnerable honeypot with the personality "Microsoft XP Pro SP1"
–A Mail Relay Server honeypot with the personality "Sun Solaris 9"
The Deployed Honeyd (Cont.)
It creates various virtual hosts with different operating systems in order to attract a wider range of suspicious activity.
In addition, a NIDS, namely Snort, is employed to monitor the network traffic for any known attacks and vulnerabilities. Malicious network traffic is monitored, recorded, and analysed.
Snort's output is written to a MySQL database. The alerts captured by Snort are then presented by BASE (Basic Analysis and Security Engine) version 1.4.5.
Platform Test
The implemented Honeyd was put on the Internet for about one month and recorded every piece of traffic targeted at the eight virtual honeypots.
The results of the experiment were recorded in the various log files generated by Honeyd and in the Snort logs retained in the MySQL database. In addition, web.log was used to record connection attempts towards the emulated Web services.
Part of the Test Results (charts)
–Packet Protocol Types
–Top 10 IP Addresses/Countries Attempted Connections
–The List of Packet Destination IP Addresses
–The List of Packet Destination Ports
–Source Countries of the Relay Virtual Server
Part of the Test Results (Cont.)
Destination IPs Attacked and Detected by the Snort

No. | Destination IP address | Operating System | Number of Connection Attempts | Number of Source IP addresses
--- | --- | --- | --- | ---
1 | 195.251.161.181 | Cisco Router IOS 11.3-12.0 | 334 (28%) | 194
2 | 195.251.161.185 | Sun Solaris – Open relay server | 213 (17%) | 158
3 | 195.251.161.186 | Linux Kernel 2.4.20 | 187 (15%) | 88
4 | 195.251.161.182 | Linux Kernel 2.4.20 | 158 (13%) | 53
5 | 195.251.161.187 | Microsoft Windows Server 2003 | 79 (6.6%) | 29
6 | 195.251.161.184 | Microsoft Windows XP Pro SP1 | 79 (6.6%) | 27
7 | 195.251.161.180 | Microsoft Windows XP Pro SP1 | 70 (5.8%) | 21
8 | 195.251.161.183 | Microsoft Windows XP Pro SP1 – Mydoom vulnerable | 69 (5.8%) | 25
Part of the Test Results (Cont.)
Top 10 Source IPs Attempted Connection and Detected by the Snort

Number | Source IP address | Number of Connection Attempts
--- | --- | ---
1 | 61.128.110.96 | 110
2 | 122.225.100.154 | 104
3 | 219.150.223.253 | 93
4 | 219.149.194.245 | 45
5 | 211.143.198.2 | 35
6 | 41.238.62.214 | 16
7 | 221.130.140.18 | 16
8 | 83.219.146.180 | 14
9 | 41.130.16.37 | 14
10 | 188.17.215.239 | 14
Part of the Test Results (Cont.)
Unique Alerts Generated by the Snort

No. | Signature | Classification | Total | Sensor | Source Address | Dest. Address | First | Last
--- | --- | --- | --- | --- | --- | --- | --- | ---
1 | SQL version overflow attempt | attempted-admin | 486 (40.8%) | 1 | 41 | 8 | 26/07/10 | 25/08/10
2 | unclassified | | 450 (37.8%) | 1 | 190 | 8 | 26/07/10 | 13/08/10
3 | PSNG_TCP_PORTSWEEP | attempted-recon | 214 (17.9%) | 1 | 208 | 7 | 01/08/10 | 16/08/10
4 | SQL ping attempt | misc-activity | 18 (1.5%) | 1 | 9 | 8 | 11/08/10 | 12/08/10
5 | PSNG_TCP_PORTSCAN | attempted-recon | 18 (1.5%) | 1 | 2 | 5 | 13/08/10 | 14/08/10
6 | TELNET Solaris login environment variable authentication bypass attempt | attempted-admin | 3 (0.2%) | 1 | 3 | 1 | 23/08/10 | 25/08/10
7 | SQL Worm propagation attempt | misc-attack | 3 (0.2%) | 1 | 3 | 2 | 24/08/10 | 25/08/10
Part of the Test Results (Cont.)
Cross-referenced Source IP Addresses by Virtual Honeypots and the Snort

No. | Honeyd Source IP Address | Source IP DNS Resolution | Snort Alert | Number of Connection Attempts
--- | --- | --- | --- | ---
1 | 61.128.110.96 | CNINFONET Xingjiang province network | SQL version overflow attempt | 110
2 | 61.176.216.44 | CHINA Unicom province network | PSNG_TCP_PORTSWEEP | 5
3 | 222.191.251.183 | CHINANET province network | PSNG_TCP_PORTSWEEP | 1
4 | 122.225.100.154 | CHINANET – Zhu Zhenhua | SQL version overflow attempt | 104
5 | 219.150.223.253 | Telecom CHINANET province network | SQL version overflow attempt | 93
6 | 219.149.194.245 | CHINANET PROVINCE NETWORK | SQL version overflow attempt – SQL Worm propagation attempt | 46
7 | 211.143.198.2 | China Mobile Communications Corporation – fujian | SQL version overflow attempt | 35
8 | 213.160.136.96 | Prosto Internet | SQL version overflow attempt – SQL Worm propagation attempt | 1
9 | 93.114.238.38 | SC Gliga SRL | SQL version overflow attempt | 1
10 | 201.240.30.46 | Latin American and Caribbean IP address Regional Registry | PSNG_TCP_PORTSWEEP | 2
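The cross-referencing above (joining Honeyd's per-honeypot connection log with the Snort alert table by source IP, and the per-source attempt counts behind the earlier tables) as an added example; it is not the workshop's own tooling. The log lines and alert rows are constructed samples, and the Honeyd line layout is assumed to follow its packet log (timestamp, protocol, S/E/- flag, source, port, destination, port).

```python
import re
from collections import Counter, defaultdict

# Constructed Honeyd packet-log sample (not from the workshop platform).
# 'S' opens a connection, 'E' closes it, '-' is a connectionless packet;
# only 'S' lines are counted as connection attempts.
HONEYD_LOG = """\
2010-08-01-10:12:01.0001 tcp(6) S 203.0.113.10 3345 192.0.2.1 1433 [Windows XP SP1]
2010-08-01-10:12:03.0420 tcp(6) E 203.0.113.10 3345 192.0.2.1 1433: 48 0
2010-08-01-10:13:09.1100 tcp(6) S 203.0.113.10 3346 192.0.2.1 1433 [Windows XP SP1]
2010-08-01-10:15:22.5000 tcp(6) S 203.0.113.10 3350 192.0.2.2 1433 [Windows XP SP1]
2010-08-01-11:02:41.0007 tcp(6) S 198.51.100.7 40001 192.0.2.1 23 [Linux 2.4]
2010-08-01-11:02:41.0011 tcp(6) S 198.51.100.7 40003 192.0.2.2 80 [Linux 2.4]
2010-08-01-11:30:00.0000 udp(17) - 198.51.100.9 53 192.0.2.1 1434: 376
2010-08-01-11:31:05.0000 tcp(6) S 198.51.100.9 51000 192.0.2.3 25 [Linux 2.4]
"""

# Constructed Snort alerts (signature, source IP, destination IP), standing
# in for rows exported from the MySQL table that BASE presents.
SNORT_ALERTS = [
    ("SQL version overflow attempt", "203.0.113.10", "192.0.2.1"),
    ("SQL version overflow attempt", "203.0.113.10", "192.0.2.2"),
    ("PSNG_TCP_PORTSWEEP", "198.51.100.7", "192.0.2.1"),
]

HONEYD_RE = re.compile(r"^\S+ \w+\(\d+\) (?P<flag>[SE-]) (?P<src>[\d.]+) \d+ "
                       r"(?P<dst>[\d.]+) (?P<dport>\d+)")

def parse_honeyd(log):
    """Yield (src, dst, dport) for every new-connection ('S') line."""
    for line in log.splitlines():
        m = HONEYD_RE.match(line)
        if m and m.group("flag") == "S":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))

def cross_reference(log, alerts):
    """Per source IP: attempts, honeypots hit, and matching Snort signatures."""
    attempts, targets, sigs = Counter(), defaultdict(set), defaultdict(set)
    for src, dst, _ in parse_honeyd(log):
        attempts[src] += 1
        targets[src].add(dst)
    for sig, src, _ in alerts:
        sigs[src].add(sig)
    # Honeyd's attempt count is the primary key: a source that Snort never
    # flagged still belongs in the table, which is what the join is for.
    return {src: {"attempts": n, "honeypots": sorted(targets[src]),
                  "snort": sorted(sigs[src]) or ["(no Snort alert)"]}
            for src, n in attempts.most_common()}
```

`cross_reference(HONEYD_LOG, SNORT_ALERTS)` returns the rows ordered by attempt count, so the same function produces both the "top source IPs" ranking and the cross-referenced table.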
Summary
There is an increasing demand for Computer Forensics graduates to enhance their experience in network incident investigations.
The platform was developed to enable students to practise network incident investigation on real-life cases.
Although the evidence collected from the honeypot system may or may not be deemed admissible in court, the platform is intended for students to enhance their Network Forensics skills.