Network-based Evidence
Collecting network-based evidence includes
setting up a computer system to perform network
monitoring, deploying the network monitor, and
evaluating the effectiveness of the network monitor.
4/11/2019 2
Network monitoring is not intended to prevent attacks.
Instead, it allows investigators to accomplish a number of
tasks:
■ Confirm suspicions surrounding a computer security
incident.
■ Accumulate additional evidence and information.
■ Verify the scope of a compromise.
■ Identify additional parties involved.
■ Determine a timeline of events occurring on the
network.
Network monitoring can include several different types
of data collection: (1) event monitoring, (2) trap-and-trace
monitoring, and (3) full-content monitoring.
The following is an example of event capture by Snort,
an event data generator:
[**] Outbound connection attempt from web server [**]
[Priority: 0]
02/10-14:21:34.668747 172.16.1.7:49159 -> 66.192.0.70:22
TCP TTL:64 TOS:0x0 ID:42487 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3B0BF3E1  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 5255946 0
Noncontent monitoring records the session or transaction
data summarizing the network activity.
Law enforcement refers to such noncontent monitoring as
a pen register or a trap-and-trace.
It typically includes the protocol, IP addresses, and ports
used by a network communication.
Session data does not care about the content of a
conversation.
Here is a sample of session data, generated by tcptrace,
which is a tool that can summarize sessions. It shows four
sessions from a web server listening on port 80:
1322 packets seen, 1302 TCP packets traced
elapsed wallclock time: 0:00:00.025971, 50902 pkts/sec
analysed trace file elapsed time: 0:06:23.119958
TCP connection info:
1: 172.16.1.128:1640 - 172.16.1.7:80 (a2b) 62> 93< (reset)
2: 172.16.1.128:1641 - 172.16.1.7:80 (c2d) 86> 132< (reset)
3: 172.16.1.6:49163 - 172.16.1.7:80 (e2f) 6> 6< (complete)
4: 172.16.1.6:49164 - 172.16.1.7:80 (g2h) 8> 8< (complete)
Full-content monitoring yields data that includes the
raw packets collected from the wire.
The following is a sample packet captured in its entirety
and displayed using tcpdump:
Network diagnostic and troubleshooting
hardware can capture data reliably and is
usually the most efficient at capturing
data at the full rate of the monitored network
segment.
Such hardware has drawbacks, however: it lacks
remote management capabilities and proper
storage space, and it usually costs a lot of money.
Setting up a sniffer box to perform network surveillance
requires a bit of planning and preparation.
Creating a successful network surveillance system
involves the following steps:
■ Determine your goals for performing the network
surveillance.
■ Ensure that you have the proper legal standing to
perform the monitoring activity.
■ Acquire and implement the proper hardware and
software.
■ Ensure the security of the platform, both
electronically and physically.
■ Ensure the appropriate placement of the monitor on
the network.
■ Evaluate your network monitor.
The first step to performing network surveillance is to
know why you are doing it in the first place.
Determine the goals of your network monitoring, because
they will influence the hardware, software, and filters you
use to collect evidence. Decide what you intend to
accomplish, such as:
■ Watch traffic to and from a specific host.
■ Monitor traffic to and from a specific network.
■ Monitor a specific person's actions.
■ Verify intrusion attempts.
■ Look for specific attack signatures.
■ Focus on the use of a specific protocol.
You can buy a commercial system or build your own
network monitor. The key issue is to ensure your system
has the horsepower required to perform its monitoring
function.
The amount of hard drive space your system requires
depends on the specificity of your filters and the amount
of network traffic traversing the monitored segment.
On Internet-based networks, applying a trap-
and-trace on your network means monitoring
the IP headers and the TCP headers (or other
Transport layer protocol header), without
monitoring any content within the packets
themselves.
This is a nonintrusive way of determining the
source of a network-based attack.
Trap-and-trace monitors are extremely helpful
in DoS cases, where they may provide
the only evidence other than oral testimony that
"the router crashed six times yesterday."
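As an added example (not from the slides, and not tcptrace's or tcpdump's own code), the following Python script shows what a header-only, trap-and-trace style summarizer does: it reads only the IP and TCP headers of constructed raw packets, never the payload, and produces per-session packet counts and a reset/complete state in the style of the tcptrace session output shown earlier. The packet builder and the two sample sessions are constructed for this example.

```python
import struct
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def packet(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4/TCP packet (constructed sample data, checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0xFFFF, 0, 0)
    return ip + tcp + payload

def headers(pkt):
    """Read only the IP and TCP headers; the payload is never examined."""
    if pkt[9] != 6:                      # IP protocol field: 6 = TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport, pkt[ihl + 13]   # last field is the TCP flags byte

def summarize(packets):
    """Group packets into sessions keyed on the side that sent the first packet."""
    sessions = {}
    for pkt in packets:
        h = headers(pkt)
        if h is None:
            continue
        src, dst, sport, dport, flags = h
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key = rev if rev in sessions else fwd
        s = sessions.setdefault(key, {"a2b": 0, "b2a": 0, "fin_a": False, "fin_b": False, "reset": False})
        direction = "a2b" if key == fwd else "b2a"
        s[direction] += 1
        s["reset"] |= bool(flags & RST)
        if flags & FIN:
            s["fin_a" if direction == "a2b" else "fin_b"] = True
    lines = []
    for (a, ap, b, bp), s in sessions.items():
        state = "reset" if s["reset"] else ("complete" if s["fin_a"] and s["fin_b"] else "open")
        lines.append(f"{a}:{ap} - {b}:{bp} {s['a2b']}> {s['b2a']}< ({state})")
    return lines

# Constructed sample traffic: one clean HTTP exchange and one connection the client reset.
C1, C2, S = "172.16.1.6", "172.16.1.128", "172.16.1.7"
SAMPLE = [
    packet(C1, S, 49163, 80, SYN), packet(S, C1, 80, 49163, SYN | ACK), packet(C1, S, 49163, 80, ACK),
    packet(C1, S, 49163, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
    packet(S, C1, 80, 49163, PSH | ACK, b"HTTP/1.0 200 OK\r\n\r\n"),
    packet(S, C1, 80, 49163, FIN | ACK), packet(C1, S, 49163, 80, FIN | ACK), packet(S, C1, 80, 49163, ACK),
    packet(C2, S, 1640, 80, SYN), packet(S, C2, 80, 1640, SYN | ACK), packet(C2, S, 1640, 80, ACK),
    packet(C2, S, 1640, 80, RST),
]
```

Running `summarize(SAMPLE)` yields the two session lines; the HTTP request and response bytes never reach the output, which is exactly the property that makes this kind of record a pen register rather than a content capture.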
The following command line initiates a trap-
and-trace using tcpdump with no filtering
and prints the output to the screen:
After you have your network monitor system
set up, you are ready to begin full-content
monitoring, collecting the raw packets from
the network. The following command
line begins the writing of packets to disk with
tcpdump:
tcpdump -n -i dc0 -s 1514 -w /var/log/tcpdump/emergency_capture.lpc &
Here is what the switches mean for modern tcpdump
implementations (libpcap 3.6.2
and tcpdump 3.6.2 and newer):
■ -n Do not resolve IP addresses to hostnames or port
numbers to port names. This avoids seeing "www" instead
of "80" as the port number.
■ -i dc0 Listen on interface dc0. The interface doesn't
need an IP address to capture packets. To bring up an
interface in Unix without an IP address and without a
capability to transmit packets on the wire, use the
following command (replace dc0 with the name of your
sniffing interface): ifconfig dc0 up -arp
■ -s 1514 Set the "snap" length to 1514 bytes. This will
capture entire Ethernet frames and avoid tcpdump's default
snap length of 68 bytes.
■ -w /var/log/tcpdump/emergency_capture.lpc Write tcpdump's
output to a file in the /var/log/tcpdump directory called
emergency_capture.lpc. (This filename and .lpc extension
are arbitrary.)
■ & Send the process into the background.
In situations where you are collecting too much traffic
for your monitoring system to handle, you will need to
filter the full-content data. The simplest way to
implement filtering in tcpdump relies on building
Berkeley Packet Filters. The tcpdump manual page
offers numerous options for pointing the tool's
attention toward specific packets.
During computer security incidents, we often depend
on watching traffic either from hosts of interest or to
hosts of interest. For example, to record all traffic to or
from the 12.44.56.0/24 network block, we would use
the following command line:
tcpdump -n -i dc0 -s 1514 -w /var/log/tcpdump/emergency_capture.lpc net 12.44.56 &
Do not overlook all the potential sources of
evidence when responding to an incident!
Most network traffic leaves an audit trail
somewhere along the path it traveled. Here
are some examples:
■ Routers, firewalls, servers, IDS sensors, and
other network devices may maintain logs that
record network-based events.
■ DHCP servers log network access when a
PC requests an IP lease.
■ Modern firewalls allow administrators an
extensive amount of granularity when
creating audit logs.
■ IDS sensors may catch a portion of an attack
through signature recognition or an
anomaly detection filter.
■ Host-based sensors may detect the
alteration of a system library or the addition
of a file in a sensitive location.
■ System log files three time zones away on
the primary domain controller may
show a failed authentication during a logon
attempt.