
Practical Investigative Strategies




1 Practical Investigative Strategies
Hyungjin Im

2 Table of Contents
• Real-World Cases
• Footprints
• Concepts in Digital Evidence
• Challenges Relating to Network Evidence
• Network Forensics Investigative Methodology
• Conclusion

3 Real-World Cases (1/6)
Presenting three cases from different industries in order to give you some examples of how network forensics is used to support investigations in the real world.

Hospital Laptop Goes Missing
A doctor reports that her laptop has been stolen from her office in a busy U.S. metropolitan hospital. The computer is password-protected, but the hard drive is not encrypted.

Potential Ramifications
This could cause significant damage to the hospital’s reputation, and also cause substantial financial loss, particularly if the hospital were held liable for any damages caused due to the breach.

Questions
1. Precisely when did the laptop go missing?
2. Can we track down the laptop and recover it?
3. Which patient data was on the laptop?
4. How many individuals’ data was affected?
5. Did the thief leverage the doctor’s credentials to gain any further access to the hospital network?

Speaker notes: Network forensic investigators may have to work with strangers in various countries, learn how to use unusual equipment, and collect evidence that can vanish in a moment. The following three cases show how network forensics helps in the real world. 1. When did the laptop go missing? 2. Can the laptop be tracked and recovered? 3. Which patients’ information was on the laptop? 4. How much customer information is affected? 5. Did the thief use the doctor’s account to gain further access to the network?

4 Real-World Cases (2/6)
Technical Approach
Establishing the time that the laptop was last in the doctor’s possession also gave the investigative team a starting point for searching physical surveillance footage and access logs. The team also reviewed network access logs to determine whether the laptop was subsequently used to connect to the hospital network after the theft and, if so, the location that it connected from.
• Enterprise wireless access point (WAP) logs can be especially helpful for determining the physical location of a device.
• Network operators can view which mobile devices were connected to specific access points throughout the building.
• The hospital’s email server would have copies of all of the doctor’s emails, which would help investigators gather a list of patients likely to have been affected by the breach.

Results
Leveraging wireless access point logs, the investigative team was able to pinpoint the time of the theft and track the laptop through the facility out to a visitor parking garage. The investigative team carefully reviewed VPN logs and operating system logs stored on the central logging server and found no evidence that the doctor’s laptop was used to attempt any further access to hospital IT resources. In response to the incident, the hospital implemented full-disk encryption for all laptop hard drives, and deployed physical laptop locking mechanisms.

Speaker notes: Technical approach: by establishing the time the doctor last used the laptop, the investigative team gained a starting point for reviewing surveillance camera footage and access records. The team reviewed network access logs to check whether the laptop connected to the hospital network after it went missing and, if so, from which location. Wireless access point logs help find the physical location where a wireless device was most recently or last connected. Network operators can check which wireless devices connected through specific access points in the building. Also, the hospital’s email server held copies of the doctor’s email, which made it possible to estimate the expected extent of the breach. Results: using the WAP logs, the investigative team identified the time and location of the theft and traced the laptop’s path to the parking garage. The team reviewed the VPN logs and confirmed that there were no access attempts from the doctor’s laptop. Full-disk encryption was implemented afterwards.

5 Real-World Cases (3/6)
Catching a Corporate Pirate
Central security staff notice an alert for peer-to-peer (P2P) filesharing, and on closer inspection see filename references to movies that are still in theaters.

Potential Ramifications
This case occurred in 2003, at the height of Digital Millennium Copyright Act (DMCA) fervor, and it was assumed that if an individual within the company was illicitly trading pirated music or movies, then it could place the company at risk of costly legal battles.

Questions
1. Where is the source of the P2P traffic physically located?
2. Which user is initiating the P2P traffic?
3. Precisely what data is being shared?

Technical Approach
• Using the IP address from the IDS alerts, investigators identified the physical site that was the source of the traffic.
• Began capturing all of the P2P-related packets involving the IP address in question.
• This IP address was part of a local DHCP pool on the wired local area network (LAN).
• From the DHCP lease assignment logs for the relevant time periods, investigators recovered the media access control (MAC) address associated with the suspicious activity.

Speaker notes: Check the file-sharing information for the P2P file sharing and examine how the file names relate to movies currently in theaters. Potential ramifications: Global Corp’s management was greatly concerned that an employee was using the company network to trade intellectual property illegally. At the height of the Digital Millennium Copyright Act fervor, it was thought that if an individual within the company traded pirated music or movies, the company could end up in a costly legal battle. Questions: 1. The physical location of the source of the P2P traffic. 2. Which user initiated the P2P traffic? 3. Exactly what data is being shared?

6 Real-World Cases (4/6)
Technical Approach
• In order to trace the IP address to a specific office, local networking staff logged into switches and gathered information mapping the IP address to a physical port.
• Local networking staff took caution to communicate out-of-band while coordinating the remainder of the investigation.

Result
Network forensic analysts examined full packet captures grabbed by the IDS, and were ultimately able to carve out video files and reconstruct playable copyrighted movies that were still in theaters. Hard drive analysis of the correct desktop produced corroborating evidence that the movies in the packet capture had been resident on the hard drive. The hard drive also contained usernames and email addresses linking the hard drive and associated network traffic with the suspect.

Speaker notes: Technical approach: to trace the IP address, local networking staff logged into the switches and collected information on the physical port the IP address was attached to. Results: the packets detected by the IDS were examined; video was carved out and reconstructed into movies. Hard drive analysis produced evidence that the movies in the packet capture had existed on the hard drive. The hard drive and the traffic both contained the suspect’s name and email address.
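The IP-to-MAC-to-port trace described on the two slides above, as an added Python example that is not code from the presentation or from the book it summarizes: given an IDS alert for an IP address at a specific time, it finds the DHCP lease that governed the address at that moment and looks the resulting MAC up in a switch's MAC address table. The log formats, addresses, switch and port names and the 8-hour lease time are constructed assumptions. An alert time that falls before the first lease, or after the last lease expired, yields no holder rather than the wrong one, since the same address is handed to different clients over a day.

```python
"""Trace an IDS-alerted IP address to the DHCP lease holder and the switch
port it was attached to (added example, not from the presentation)."""
from datetime import datetime, timedelta

# Constructed DHCP server log: timestamp, message type, leased IP, client MAC.
DHCP_LOG = [
    "2003-11-04T08:02:11 DHCPACK 10.1.20.57 00:0c:29:4a:1b:22",
    "2003-11-04T09:15:40 DHCPACK 10.1.20.57 00:1d:7d:9f:33:ab",
    "2003-11-04T13:48:02 DHCPACK 10.1.20.58 00:0c:29:4a:1b:22",
]

# Constructed switch MAC address table dump: switch, port, learned MAC.
MAC_TABLE = [
    "sw-bldg2-3f Gi0/12 00:0c:29:4a:1b:22",
    "sw-bldg2-3f Gi0/17 00:1d:7d:9f:33:ab",
]

LEASE_TTL = timedelta(hours=8)  # assumed lease duration for this pool


def lease_holder(dhcp_log, ip, at, ttl=LEASE_TTL):
    """MAC that held `ip` at time `at`, or None.

    The governing record is the most recent DHCPACK for `ip` at or before
    `at`. If that lease had already expired by `at`, nobody held the
    address and the function says so instead of guessing.
    """
    latest = None
    for line in dhcp_log:
        ts, msg, lease_ip, mac = line.split()
        if msg != "DHCPACK" or lease_ip != ip:
            continue
        when = datetime.fromisoformat(ts)
        if when <= at and (latest is None or when > latest[0]):
            latest = (when, mac)
    if latest is None or at - latest[0] > ttl:
        return None
    return latest[1]


def switch_port(mac_table, mac):
    """(switch, port) where `mac` was learned, or None if it is not in the table."""
    for line in mac_table:
        switch, port, learned = line.split()
        if learned.lower() == mac.lower():
            return switch, port
    return None


def trace_alert(ip, alert_time, dhcp_log=DHCP_LOG, mac_table=MAC_TABLE):
    """Resolve an alert (IP, time) to a MAC and a physical port; None if no lease."""
    at = datetime.fromisoformat(alert_time)
    mac = lease_holder(dhcp_log, ip, at)
    if mac is None:
        return None
    location = switch_port(mac_table, mac) or (None, None)
    return {"ip": ip, "mac": mac, "switch": location[0], "port": location[1]}


if __name__ == "__main__":
    print(trace_alert("10.1.20.57", "2003-11-04T10:30:00"))
```

The time of the alert is the essential input: the sample log shows 10.1.20.57 leased to two different clients on the same morning, so a lookup by address alone would point at whichever client happened to appear last.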

7 Real-World Cases (5/6)
Hacked Government Server
During a routine antivirus scan, a government system administrator was alerted to suspicious files on a server. The files appeared to be part of a well-known rootkit.

Questions
• Was the server in question truly compromised?
• If so, how was the system exploited?
• Were any other systems on the local network compromised?
• Was any confidential information exported?

Technical Approach
• The rootkit files were found in the home directory of an old local administrator account that staff had forgotten even existed.
• Investigators found that the local authentication logs had been deleted.
• All servers on the subnet were configured to send logs to a central logging server, so investigators reviewed the Secure Shell (SSH) logs from the central logging server that were associated with the account.
• From the SSH logs, it was clear that the account had been the target of a brute-force password-guessing attack.
• Investigators analyzed firewall logs and found entries that corroborated the findings from the SSH logs.
• There were no records of logins using the hacked account on any other servers.
• Extensive analysis of the firewall logs showed no suspicious data exportation from any servers on the local subnet.

Speaker notes: During an antivirus scan, an alert about suspicious files on a server was received. On inspection they turned out to be a rootkit. Questions: was the suspected server really compromised? How was it attacked? Were other systems on the internal network also compromised? Was confidential information leaked?

8 Real-World Cases (6/6)
Results
In addition, staff removed the old administrator account and established a policy of auditing all server accounts (including privileges and password strength) on a quarterly basis.
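For the hacked-server case, here is an added Python example (not code from the presentation or the book) of the two steps the slides describe: scanning the central-server SSH log for a password-guessing burst against the forgotten account, then checking whether the firewall log independently shows the same source reaching port 22 in the same window. The log lines are constructed: the message text follows OpenSSH's wording, while the ISO timestamp style, host name, account name and addresses (RFC 5737 documentation ranges) are made up.

```python
"""Detect an SSH brute-force burst in central syslog and corroborate it with
firewall records (added example, not from the presentation)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed central-syslog excerpt: a burst of failures against "oldadmin"
# ending in a success, plus an unrelated single typo by "alice".
SSH_LOG = [
    "2011-03-12T02:14:01 srv1 sshd[2201]: Failed password for oldadmin from 203.0.113.5 port 51230 ssh2",
    "2011-03-12T02:14:02 srv1 sshd[2202]: Failed password for oldadmin from 203.0.113.5 port 51231 ssh2",
    "2011-03-12T02:14:04 srv1 sshd[2203]: Failed password for oldadmin from 203.0.113.5 port 51232 ssh2",
    "2011-03-12T02:14:05 srv1 sshd[2204]: Failed password for oldadmin from 203.0.113.5 port 51233 ssh2",
    "2011-03-12T02:14:07 srv1 sshd[2205]: Failed password for oldadmin from 203.0.113.5 port 51234 ssh2",
    "2011-03-12T02:14:09 srv1 sshd[2206]: Accepted password for oldadmin from 203.0.113.5 port 51235 ssh2",
    "2011-03-12T02:30:00 srv1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "2011-03-12T02:31:00 srv1 sshd[2301]: Accepted password for alice from 198.51.100.7 port 40002 ssh2",
]

# Constructed firewall connection log for the same server (192.0.2.10).
FW_LOG = [
    "2011-03-12T02:14:00 ACCEPT TCP 203.0.113.5:51230 -> 192.0.2.10:22",
    "2011-03-12T02:14:02 ACCEPT TCP 203.0.113.5:51231 -> 192.0.2.10:22",
    "2011-03-12T02:14:08 ACCEPT TCP 203.0.113.5:51235 -> 192.0.2.10:22",
    "2011-03-12T02:29:59 ACCEPT TCP 198.51.100.7:40001 -> 192.0.2.10:22",
]

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_bruteforce(ssh_log, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= `threshold` failed logins inside `window`, and
    record any successful login from a flagged source within the window."""
    recent = defaultdict(deque)       # src -> timestamps of failures in window
    total_failures = defaultdict(int)
    findings = {}
    for line in ssh_log:
        m = SSH_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        while q and ts - q[0] > window:     # slide the window forward
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            total_failures[src] += 1
            if len(q) >= threshold:
                f = findings.setdefault(src, {"first_seen": q[0], "last_seen": ts,
                                              "accepted_after_burst": []})
                f["last_seen"] = ts
                f["failures"] = total_failures[src]
        elif src in findings and ts - findings[src]["last_seen"] <= window:
            # A success right after a burst is the account to treat as compromised.
            findings[src]["accepted_after_burst"].append((m["user"], ts))
            findings[src]["last_seen"] = ts
    return findings


def corroborate(fw_log, src, start, end, dport="22"):
    """Firewall records from `src` to `dport` within [start, end]: independent
    evidence that the SSH log's story really happened on the wire."""
    hits = []
    for line in fw_log:
        m = FW_RE.match(line)
        if not m or m["src"] != src or m["dport"] != dport:
            continue
        if start <= datetime.fromisoformat(m["ts"]) <= end:
            hits.append(line)
    return hits


def investigate(ssh_log=SSH_LOG, fw_log=FW_LOG, slack=timedelta(seconds=5)):
    """Combine both sources into one finding per attacking address."""
    report = {}
    for src, f in find_bruteforce(ssh_log).items():
        hits = corroborate(fw_log, src, f["first_seen"] - slack, f["last_seen"] + slack)
        report[src] = {
            "failures": f["failures"],
            "accounts_logged_in": [user for user, _ in f["accepted_after_burst"]],
            "firewall_records": len(hits),
        }
    return report


if __name__ == "__main__":
    print(investigate())
```

The small `slack` around the window absorbs the ordinary few seconds of clock difference between the firewall and the logging server; if the two sources disagreed by more than that, the skew itself would be a finding to record before relying on either timeline.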

9 Footprints
When conducting network forensics, investigators often work with live systems that cannot be taken offline. In hard drive forensics, investigators are taught to minimize system modification when conducting forensics. In network forensics, investigators also work to minimize system modification due to forensic activity. However, in these cases investigators often do not have the luxury of an offline copy. Moreover, network-based evidence is often highly volatile and must be collected through active means that inherently modify the system hosting the evidence. We use the term “footprint” throughout this book to refer to the impact that an investigator has on the systems under examination.

Speaker notes: Forensics here deals with live systems that cannot be taken offline. Like hard drive forensics, network forensics must minimize the changes to the system caused by forensic activity. But often there is no luxury of creating an offline copy. Because network-based evidence disappears easily, it must be collected through active means that modify the original system on which the evidence resides. This book calls the impact an investigator has on a system while conducting the investigation the “footprint.”

10 Concepts in Digital Evidence (1/5)
evidence (noun) – The Compact Oxford English Dictionary
Information or signs indicating whether a belief or proposition is true or valid. Information used to establish facts in a legal investigation or admissible as testimony in a law court.

In this book, our discussion of evidence is based on the United States common law system and the U.S. Federal Rules of Evidence (FRE). Within this system there are a few categories of evidence that have very specific meanings:
• Real
• Best
• Direct
• Circumstantial
• Hearsay
• Business Records
• Digital
• Network-Based Digital

Speaker notes: Information or signs that indicate whether a belief or proposition is true or false. Information used to establish facts in a lawful investigation, or that can be admitted as testimony in court. There are several categories of evidence: real evidence, best evidence, direct evidence, circumstantial evidence, hearsay evidence, business records.

11 Concepts in Digital Evidence (2/5)
Real Evidence
Real evidence is roughly defined as any physical, tangible object that played a relevant role in an event that is being adjudicated. It is the knife that was pulled from the victim’s body. It is the gun that fired the bullet. It is the physical copy of the contract that was signed by both parties. In our realm it is also the physical hard drive from which data is recovered, and all the rest of the physical computer components involved.

Best Evidence
“Best evidence” is roughly defined as the best evidence that can be produced in court. If the original evidence is not available, then alternate evidence of its contents may be admitted under the “best evidence rule.” For example, if an original signed contract was destroyed but a duplicate exists, then the duplicate may be admissible. Examples of “best evidence” include:
• A photo of the crime scene
• A copy of the signed contract
• A file recovered from the hard drive
• A bit-for-bit snapshot of a network transaction

12 Concepts in Digital Evidence (3/5)
Direct Evidence
“Direct evidence” is the testimony offered by a direct witness of the act or acts in question. Examples of “direct evidence” can include:
• “I watched him crack passwords using John the Ripper and a password file he shouldn’t have.”
• “I saw him with that USB device.”

Circumstantial Evidence
In contrast to “direct evidence,” “circumstantial evidence” is evidence that does not directly support a specific conclusion. Rather, circumstantial evidence may be linked together with other evidence and used to deduce a conclusion. Examples of “circumstantial evidence” can include:
• An email signature
• A file containing password hashes on the defendant’s computer
• The serial number of the USB device

Speaker notes: Circumstantial evidence, unlike direct evidence, may be linked with other evidence and is used to deduce a conclusion.

13 Concepts in Digital Evidence (4/5)
Hearsay Evidence
“Hearsay” is the label given to testimony offered second-hand by someone who was not a direct witness of the act or acts in question. The U.S. Department of Justice cites “a personal letter; a memo; bookkeeping records; and records of business transactions inputted by persons” as examples of digital evidence that would be classified as hearsay. However, digital evidence that is generated by a fully automated process with no human intervention is generally not considered hearsay. The Department of Justice explains.

Business Records
Business records can include any documentation that an enterprise routinely generates and retains as a result of normal business processes, and that is deemed accurate enough to be used as a basis for managerial decisions. Examples of “business records” can include:
• Contracts and other employment agreements
• Invoices and records of payment received
• Routinely kept access logs (/var/log/messages)

Speaker notes: Hearsay evidence means testimony heard from a third party who was not a witness. Personal letters, memos, bookkeeping records, and business transaction records can be classified as hearsay. However, digital evidence generated by a fully automated process with no human intervention is not considered hearsay. Business records include all documents that a company routinely creates and retains as a result of normal business, and they are considered accurate enough to serve as a basis for decision-making: contracts, employment agreements, invoices and payment records, routinely stored access logs.

14 Concepts in Digital Evidence (5/5)
Digital Evidence
“Digital evidence” is any documentation that satisfies the requirements of “evidence” in a proceeding, but that exists in electronic digital form. In other cases, digital evidence may be charges held in volatile storage, which dissipate within seconds of a loss of power to the system. Examples of “digital evidence” include:
• Emails and IM sessions
• Invoices and records of payment received
• Routinely kept access logs (/var/log/messages)

Network-Based Digital Evidence
“Network-based digital evidence” is digital evidence that is produced as a result of communications over a network. The requirements for admissibility of network-based digital evidence are murky. Often, the source that generated the evidence is not obtainable or cannot be identified. When the evidence is a recording of a chat log, blog posting, or email, the identity of the parties in the conversation (and therefore the authors of the statements) may be difficult to prove.

Speaker notes: Digital evidence means evidence in digital form that has the effect of evidence. It may exist in volatile storage, where the data can vanish within seconds of a loss of power to the system. Email, invoices, routinely kept access logs.

15 Challenges Relating to Network Evidence
• Acquisition – It can be difficult to locate specific evidence in a network environment. Networks contain so many possible sources of evidence.
• Content – Usually, only selected metadata about the transaction or data transfer is kept instead of complete records of the data that traversed the network.
• Storage – Network devices commonly do not employ secondary or persistent storage. As a consequence, the data they contain may be so volatile as to not survive a reset of the device.
• Privacy – Depending on jurisdiction, there may be legal issues involving personal privacy that are unique to network-based acquisition techniques.
• Seizure – Seizing a network device can be much more disruptive. In the most extreme cases, an entire network segment may be brought down indefinitely. Under most circumstances, however, investigators can minimize the impact on network operations.
• Admissibility – Filesystem-based evidence is now routinely admitted in both criminal and civil proceedings. There are sometimes conflicting or even nonexisting legal precedents for admission of various types of network-based digital evidence.

Speaker notes: Evidence acquisition: it can be hard to find specific evidence in a network environment. Content: instead of a complete record of the data crossing the network, only selected metadata about transactions and data transfers is stored. Storage: network devices are unlikely to be used as persistent storage. Privacy: each network-based acquisition technique tends to raise its own legal issues concerning personal information. Seizure: seizing network equipment is disruptive; a network segment may go down. The impact on network operations can be minimized. Admissibility: filesystem evidence is accepted as evidence of a crime, but for network evidence the precedents for admission are conflicting or do not exist.

16 Network Forensics Investigative Methodology (OSCAR)
Like any other forensic task, recovering and analyzing digital evidence from network sources must be done in such a way that the results are both reproducible and accurate. The overall step-by-step process recommended in this book is as follows:
• Obtain information
• Strategize
• Collect evidence
• Analyze
• Report

Speaker notes: As with other forensics, recovering and analyzing digital evidence from network sources must be done so that the results are reproducible and accurate. Obtain information, strategize, collect evidence, analyze, report.

17 Network Forensics Investigative Methodology (OSCAR)
Obtain Information
You always need to do two things at the beginning of an investigation: obtain information about the incident itself, and obtain information about the environment.

The Incident
Usually you will want to know the following things about the incident:
• Description of what happened (as is currently known)
• Date, time, and method of incident discovery
• Systems and data involved
• Actions taken since discovery
• Incident manager and process
• Legal issues
• Time frame for investigation/recovery/resolution
• Goals

The Environment
The information you gather about the environment will depend on your level of familiarity with it. You will want to know the following things about the environment:
• Business model
• Network topology (request a network map, etc. if you do not have one)
• Available sources of network evidence
• Organizational structure
• Incident response management process/procedures

Speaker notes: The investigator must look into two things: gathering information about the incident itself and gathering information about the surrounding environment. The things one usually wants to know about the incident are: a description of what happened; the date, time and method of discovery; the people involved; the systems and data involved; actions taken since discovery; a summary of internal opinions about the incident; the incident process and the person in charge; legal issues; the time frame for investigation/recovery/resolution; goals.

18 Network Forensics Investigative Methodology (OSCAR)
Strategize
It is crucial that early on you take the time to accurately assess your resources and plan your investigation. Here are some tips for developing an investigative strategy:
• Understand the goals and time frame of the investigation.
• List your resources, including personnel, time, and equipment.
• Identify likely sources of evidence.
• For each source of evidence, estimate the value and cost of obtaining it.
• Prioritize your evidence acquisition.
• Plan the initial acquisition/analysis.
• Decide upon method and times of regular communication/updates.
• Keep in mind that after conducting your initial analysis, you may decide to go back and acquire more evidence. Forensics is an iterative process.

Speaker notes: Time must be invested early to plan the investigation and assess resources. Planning is important in any investigation, but it matters even more here because of volatility. Understand the goals and time frame of the investigation. List resources, including personnel, people and equipment. Identify the sources of evidence. Estimate the value and cost of collecting each piece of evidence. Prioritize evidence collection. Plan the initial evidence collection and analysis. Set times for regular communication and updates. Re-analyze.

19 Network Forensics Investigative Methodology (OSCAR)
Collect Evidence
In the previous step, “Strategize,” we prioritized our sources of evidence and came up with an acquisition plan.
• Document—Make sure to keep a careful log of all systems accessed and all actions taken during evidence collection. Your notes must be stored securely and may be
• Capture—Capture the evidence itself. This may involve capturing packets and writing them to a hard drive, copying logs to hard drive or CD, or imaging hard drives of web proxies or logging servers.
• Store/Transport—Ensure that the evidence is stored securely and maintain the chain of custody. Keep an accurate, signed, verifiable log of the persons who have accessed or possessed the evidence.

Speaker notes: In the strategize step we set priorities and made a collection plan; evidence is collected based on that plan.
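As an added example of the Document and Store/Transport points above (not code from the presentation or the book), this Python script keeps an append-only chain-of-custody log: each collected item is hashed with SHA-256 when it is registered, hand-offs between people are logged, and verify() re-hashes the file so that any later change, accidental or otherwise, is caught. The capture file contents, analyst names and source system are constructed.

```python
"""Chain-of-custody log for collected network evidence (added example, not
from the presentation)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large captures need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only JSON-lines record of who collected or handled each item.

    A collection entry stores the item's SHA-256 at the moment of capture;
    verify() re-hashes the file and compares against that value.
    """

    def __init__(self, path):
        self.path = path

    def _append(self, entry):
        entry["at"] = datetime.now(timezone.utc).isoformat()
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def entries(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def register(self, evidence_path, collector, source_system, note=""):
        """Record a newly captured item together with its hash."""
        return self._append({
            "action": "collected",
            "item": os.path.basename(evidence_path),
            "sha256": sha256_file(evidence_path),
            "by": collector,
            "source": source_system,
            "note": note,
        })

    def transfer(self, item, from_person, to_person):
        """Record a hand-off; both parties sign the printed copy of the log."""
        return self._append({"action": "transferred", "item": item,
                             "from": from_person, "to": to_person})

    def verify(self, evidence_path):
        """True if the file still matches its collection hash, False if it
        changed, None if it was never registered."""
        name = os.path.basename(evidence_path)
        recorded = [e["sha256"] for e in self.entries()
                    if e["action"] == "collected" and e["item"] == name]
        if not recorded:
            return None
        return sha256_file(evidence_path) == recorded[-1]


def demo():
    """Run the workflow on a constructed capture file in a temporary directory."""
    with tempfile.TemporaryDirectory() as workdir:
        capture = os.path.join(workdir, "proxy01-capture.pcap")
        with open(capture, "wb") as fh:
            fh.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 60)  # constructed placeholder bytes
        log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
        entry = log.register(capture, "analyst A", "proxy01",
                             note="packet capture copied from the web proxy")
        intact_before = log.verify(capture)
        log.transfer(entry["item"], "analyst A", "analyst B")
        with open(capture, "ab") as fh:
            fh.write(b"\x00")  # simulate a modification after collection
        intact_after = log.verify(capture)
        return {"sha256": entry["sha256"], "intact_before": intact_before,
                "intact_after": intact_after, "entries": len(log.entries())}


if __name__ == "__main__":
    print(demo())
```

The hash is taken at registration, before any transfer, so a later mismatch pins the change to a window between two logged hand-offs rather than leaving it unexplained.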

20 Network Forensics Investigative Methodology (OSCAR)
Analyze
Of course the analysis process is normally nonlinear, but certain elements should be considered essential:
• Correlation – One of the hallmarks of network forensics is that it involves multiple sources of evidence. Much of this will be timestamped, and so the first consideration should be what data can be compiled, and from which sources.
• Timeline – Once the multiple data sources have been aggregated and correlated, it’s time to build a timeline of activities. Understanding who did what, when, and how is the basis for any theory of the case. Recognize that you may have to adjust for time skew between sources!
• Events of Interest – Certain events will stand out as potentially more relevant than others. You’ll need to try to isolate the events that are of greatest interest, and seek to understand how they transpired.
• Corroboration – Due to the relatively low fidelity of data that characterizes many sources of network logs, there is always the problem of “false positives.”
• Recovery of additional evidence – Often the efforts described above lead to a widening net of evidence acquisition and analysis. Be prepared for this, and be prepared to repeat the process until such time as the events of interest are well understood.
• Interpretation – Throughout the analysis process, you may need to develop working theories of the case. These are educated assessments of the meaning of your evidence, designed to help you identify potential additional sources of evidence, and construct a theory of the events that likely transpired.
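The correlation and timeline steps above, together with the access-point tracking of the hospital case (slide 4), as an added Python example that is not from the presentation or the book: records from a wireless controller, a badge reader and a VPN concentrator are merged onto one reference clock using the per-source clock skew measured at collection time, and the uncorrected ordering is kept available beside the corrected one. All records, device names, the MAC address, the badge number, the address and the skew values are constructed.

```python
"""Correlate multi-source logs into one timeline, correcting for clock skew
(added example, not from the presentation)."""
from datetime import datetime, timedelta

# Constructed records from three sources: (source, local timestamp, event).
RAW_EVENTS = [
    ("wap",   "2011-06-02T14:03:10", "MAC 00:1d:7d:9f:33:ab associated to AP cardio-3"),
    ("wap",   "2011-06-02T14:11:45", "MAC 00:1d:7d:9f:33:ab associated to AP garage-1"),
    ("badge", "2011-06-02T14:13:30", "badge 4471 exits cardio wing door"),
    ("vpn",   "2011-06-02T18:40:02", "VPN authentication failure for dr.lee from 203.0.113.44"),
]

# Offset of each source's clock from the reference clock, measured during
# collection (source clock minus reference). Assumed values: the badge
# controller runs four minutes fast, the VPN concentrator 90 seconds fast.
SKEW = {
    "wap": timedelta(0),
    "badge": timedelta(minutes=4),
    "vpn": timedelta(seconds=90),
}


def build_timeline(events, skew):
    """Convert every local timestamp to reference time and sort.

    A source without a measured skew is an error rather than a silent zero:
    an unmeasured clock is exactly how events end up in the wrong order.
    """
    timeline = []
    for source, local_ts, event in events:
        if source not in skew:
            raise ValueError(f"no measured clock skew for source {source!r}")
        local = datetime.fromisoformat(local_ts)
        timeline.append({
            "ref_time": local - skew[source],
            "local_time": local,
            "source": source,
            "event": event,
        })
    timeline.sort(key=lambda e: (e["ref_time"], e["source"]))
    return timeline


def uncorrected(events):
    """Timeline built as if every clock were accurate, for comparison."""
    return build_timeline(events, {src: timedelta(0) for src, _, _ in events})


def sequence(timeline):
    """Order of sources in the timeline; a quick check of the correlation."""
    return [e["source"] for e in timeline]


def events_of_interest(timeline, *keywords):
    """Isolate entries whose description mentions any of the keywords."""
    return [e for e in timeline
            if any(k.lower() in e["event"].lower() for k in keywords)]


def render(timeline):
    return "\n".join(
        f"{e['ref_time'].isoformat()}  [{e['source']:5}]  {e['event']}"
        f"  (local {e['local_time'].time()})"
        for e in timeline
    )


if __name__ == "__main__":
    print("Uncorrected:")
    print(render(uncorrected(RAW_EVENTS)))
    print("\nCorrected for skew:")
    print(render(build_timeline(RAW_EVENTS, SKEW)))
```

With the raw timestamps the badge exit appears after the laptop is already seen at the garage access point, which makes no physical sense; once the badge controller's four-minute lead is removed the exit falls between the two associations, which is the sequence an analyst would expect.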

21 Network Forensics Investigative Methodology (OSCAR)
Report
Nothing you’ll have done to this point, from acquisition through analysis, will matter if you’re unable to convey your results to others. The report that you produce must be:
• Understandable by nontechnical laypeople
• Defensible in detail
• Factual

22 Conclusion
Network forensic investigations pose a myriad of challenges, from distributed evidence to internal politics to questions of evidence admissibility. To meet these challenges, investigators must carefully assess each investigation and develop a realistic strategy that takes into account both the investigative goals and the available resources. We began this chapter with a series of case studies designed to illustrate how network forensic techniques are applied in real life. Subsequently, we reviewed the fundamental concepts in digital evidence, as employed in the United States common law system, and touched upon the challenges that relate specifically to network-based digital evidence. Finally, we provided you with a method for approaching network forensics investigations.

23 Q & A

