Network Forensics or packet mining, packet forensics
capturing, storing, and analyzing network data.
Network Forensics evidence can be obtained from
the OS and disk; a network investigator then collects the data from the attack, which can provide info such as firewall logs and logs from apps and antivirus.
Digital Forensics
investigations of computers, digital media, and communications for potential artifacts indicated by an object of interest
Incident response specialist
in charge of using digital forensics and investigates suspicious activity
Cryptographic hashes
methods used to demonstrate that evidence has not changed from the point of acquisition
hashing algorithms
are one-way functions
key property of hashing algorithms: Deterministic
same input -> same output
key property of hashing algorithms: Fixed size
output size is constant, e.g. SHA-256 = 256 bits
key property of hashing algorithms: Fast to compute
efficient calculation even for large data
key property of hashing algorithms: Irreversibility (preimage resistance)
hard to reverse, i.e. to find the original input from the hash
key property of hashing algorithms: Collision resistance
hard to find 2 different inputs that produce the same hash
key property of hashing algorithms: Avalanche effect
small change in input -> drastic change in output
MD5
generally accepted as a way to ensure a file has not been altered
SHA
verifies integrity; accepted for large values
anytime you obtain a file, packet capture, or log file
generate a hash value for it
MD5 hash value is 2583a3fab8faaba111a567b1e44c2fa4
considered non-linear; the digest is only 128 bits
protocols
standard of communication, generally placed into stacks
two conceptual ideas for thinking about layers of network protocols:
the Open Systems Interconnect (OSI) model, & the Transmission Control Protocol/Internet Protocol (TCP/IP) suite
OSI model:
seven layers; a generic model used by internet service providers and network equipment vendors
TCP/IP:
four layers; an operational model
important:
every layer only talks to its own layer on the other side
encapsulation concept:
in communication stacks, data passes from one layer to the next; each layer marks the data as its own by adding a header associated with that layer before passing it down to the next layer.
de-encapsulation concept:
on the receiving end, each header is removed before the data is sent to the next layer up the stack
OSI layers:
physical, data link, network, transport, session, presentation, application
OSI Layers: Physical
includes all tangible components such as cabling, network interfaces, and signaling medium (light or electrical)
OSI Layers: Data link
how systems on the same physical network communicate, MAC address attached to network interface
OSI Layers: Network
lets devices not on the same physical network communicate; requires a router to pass messages from one network to another; IP and IPX
OSI Layers: Transport
first layer where the message has fully arrived at the host.
OSI Layers: Session
the layer where communication streams between two hosts are managed; it determines how communication will happen, e.g. one-way traffic
OSI Layers: Presentation
handles the conversion between network communication and the application; any data encoding, decoding, data formatting, and encryption/decryption would be done at this layer.
OSI Layers: Application
where any application programming interfaces (APIs) exist and where the user interface occurs
TCP/IP layers:
network access, internet, transport, application
TCP/IP Layers: Network access
this is where the MAC address lives, and this layer makes sure that systems on the same network can communicate. Both the physical and data link layers of the OSI model are represented by this layer
TCP/IP Layers: Internet
the same as the network layer in the OSI model, where the IP lives
TCP/IP Layers: Transport
corresponds to layer 4 and shares the same name in the OSI and TCP/IP models; ports are used at this layer
TCP/IP Layers: Application
encompasses all functions of layers 5-7 in the OSI model; apps reside here
protocol data units:
wrapped up in different headers from each layer, allowing the receiving system to identify where the data is headed
internet protocols:
the many protocols that make up the Internet; they are briefly covered as they occur in network traffic analysis
ICANN (Internet Corporation for Assigned Names and Numbers)
the very top level; owns the entire internet address space and hands out blocks to other organizations, assigning them to providers.
Every IP address is a network address and a host address
the subnet mask (32 bits long) tells the computer which part is the network and which part is the host.
ICMP is used to
transmit error messages, used for diagnostic purposes, and requests called pings
TCP offers
guaranteed delivery, meaning that the sending host will either get the message through or receive a message indicating why a failure occurred.
three-way handshake:
establishes a connection between two systems
Programs called services are
listening for and responsible for managing communications
A service on a Unix-like system is typically called
a daemon
macOS does not
use the same systems as Unix-like systems
Linux services:
two different ways to manage services.
how to manage linux services: Init
all management scripts are at /etc/init.d
how to manage linux services: systemd
the newer way to start and manage services
Connections:
TCP communications are described as a four-tuple
tools:
netstat, nbstat, ifconfig/ipconfig, sysinternals, ntop, task manager/resource monitor, arp
netstat:
command-line utility that provides much network info; the common options used are netstat -a, -r, -s
nbstat:
used to get stats related to NetBT
ifconfig/ipconfig:
shows the IP address configuration of the network interfaces on the system
Sysinternals:
Windows; over 121 programs, including TCPView, PsFile, and Process Explorer
capture packet tools:
tcpdump/tshark, wireshark, networkminer
tcpdump and tshark
console-based tools
Wireshark
GUI based tool, visualization
NetworkMiner
a network forensics tool that pulls useful files and other evidence out of captured packets
port spanning (also called port mirroring)
Cisco calls it Switched Port Analyzer (SPAN); problem = oversubscription
ARP Spoofing =
a type of cyber attack where a malicious actor sends fake Address Resolution Protocol (ARP) messages onto a local network.
Passive Scanning:
watches the data that passes across the network and reports specific details from all of the different layers. More than a summary of header information
Packet Analysis with Wireshark:
Extracts much information and analyzes it, providing statistics about the captured packets and combines the frames into communications, making sure to decode the data
Denial of service attacks (DOS):
makes a service unavailable for a user
SYN floods:
a type of DoS attack in which the attacker sends a large number of SYN requests (part of the TCP handshake) to a target server, but never completes the handshake by sending the final ACK
Malformed Packets:
large packets that require fragmentation and whose fragment offsets overlap; the target system could have issues reassembling the packet
UDP Floods:
the purpose is to consume all available network bandwidth; only the CPU resources used to process UDP are needed, since there are no admission-control resources
Amplification Attacks:
A method of increasing the amount of requests sent to disable services and systems
Insider threats:
Same attacks as mentioned, but it is due to an insider, resulting in potential data loss, attacks from local networks, and it is easier to track down.
SQL Injection:
Inserting malicious SQL queries into input fields to manipulate databases and extract sensitive data.
Cross-Site Scripting (XSS):
Injecting malicious scripts into web pages viewed by other users to steal data, hijack sessions, or perform actions on their behalf
time difference:
attacks at off hours have a greater chance of going undetected
time zones:
The time zone provides a coherent understanding of when an event happened and where the system is located
traceroute:
a diagnostic tool that uses the TTL in the IP header to obtain each router's address, since a router sends an ICMP error message once the TTL reaches 0
whois:
query and response protocol used to retrieve information about the ownership and registration details of domain names, IP addresses, and autonomous system numbers (ASNs). It allows users to find out who owns a particular domain, when it was registered, and other related details.
geolocation:
get location info from the IP address and various databases
Wifi positioning:
A database that collects information associated with people and their location, used to locate systems using wireless networks they connect to
location-based services:
done using JavaScript and web pages, using many of the previously seen methods to get location data and provide it to a server
You won't always rely on packet capture, so
using incident detection systems, logging, and Antivirus can be good starting points.
NetFlow
is a protocol created by Cisco to help troubleshoot and analyze network activity, mainly used by network administrators, but also helpful for network forensic investigators to look into network issues or security events.
Logging
can come from operating system and application logs, as well as network devices like routers and switches. They are often correlated with other data sources, such as NetFlow or packet captures, to analyze network activity. Centralized log servers allow logs from different sources to be collected and monitored in one place, making it easier to watch for issues
Syslog
is an old Unix-based logging system, used in Linux, Solaris, AIX, HP-UX, and macOS. It originally functioned as a de facto standard until it was eventually fully standardized by the Internet Engineering Task Force (IETF)
syslog also
can forward over TCP on a non-default port, and by default uses UDP as the transport protocol on the default port
Antivirus programs
are valuable during investigations because their logs provide key details. The logs show when a file was flagged as potentially harmful and when virus definitions were updated. Antivirus software works by using definitions of known malware to detect viruses in files.
Incident Response Preparation:
When an incident occurs, you will be much happier if you have systems and capabilities in place ahead of time.