Module 4 Word File Part 2

Module 4 discusses network forensics, focusing on the distinction between intrusions and attacks, types of attacks, and the importance of recognizing and preventing unauthorized access. It emphasizes the need for effective network monitoring, evidence collection, and proper handling of network-based evidence during forensic investigations. The module outlines procedures for investigating routers and the steps involved in a generic network forensic examination.

Uploaded by

kratex852

Module 4

Network Forensics
Part 2
11. Network Intrusion and Attack
1. Intrusions versus attacks:
It is important for investigators to understand the difference between an intrusion and an attack, because whether or not there was an actual unauthorized entry into the network or system can be a significant element in proving a criminal offense.

2. Recognizing direct versus distributed attacks:

A direct attack is launched from a computer used by the attacker (often after pre-intrusion/attack tools, such as port scanners, are used to find potential victims). Compared with a direct attack, a distributed attack is more complex: it involves multiple victims, including not only the target of the attack but also the intermediary remote systems, controlled by the attacker, from which the attack is launched.

3. Automated attacks:
Attacks carried out by a computer program, rather than by the attacker personally performing each phase of the attack sequence, are called automated attacks.

4. Accidental attacks:
Sometimes intrusions and attacks are genuinely unintentional. The user who appears to have sent a virus by email is frequently a victim of the attack himself/herself, and in numerous cases large numbers of virus attacks are introduced accidentally. Even where a lower degree of intent is present, some acts are still considered criminal.

5. Preventing Intentional Internal Security Breaches:

A security breach is an event in which data, applications, services, networks and/or devices are accessed without authorization by bypassing their core security mechanisms. It happens when an individual or an application illegitimately enters a private, confidential or otherwise restricted logical IT perimeter.

Internal attackers are more hazardous for several reasons:

a) People inside the network generally know more about the company, the network, the layout of the buildings, normal working processes and other information that makes it easier for them to gain access without being noticed.
b) Internal attackers generally have at least some degree of legitimate access and may find it easy to determine passwords within the current security system.
c) Internal attackers know which activities will cause the most damage and what information is on the network.

6. Preventing unauthorized external intrusions:

An unauthorized intrusion can be defined as an attack in which the attacker gains access to the system by means of various hacking and cracking techniques.

7. Planning for Firewall failures:

Planning must take into consideration the possibility that the firewall will fail:
a) If intruders do get in, what is the contingency plan?
b) How can the amount of damage attackers can do be reduced?
c) How can the most sensitive or valuable data be protected?

When considering maintenance, testing and the examination of firewall failures, organizations should ask the following questions:
a) When was the last time the firewall rule set was fully verified?
b) When was the firewall rule set last updated?
c) When was the last time the firewall was fully tested?
d) When was the last time the firewall rule set was optimized?

8. External intruders with internal access:

External intruders with internal access are outsiders who physically break into a facility to gain access to its network. Such a person is not a true insider, because he or she is not authorized to be there and does not have a valid account on the network.

9. Recognizing the “Fact of the Attack”:

To recognize that an attack is happening, IDSs use two methods:

a) Pattern Recognition: Examining files, network traffic, sequences in RAM or other data for identifiable marks of an attack, such as unexplained increases in file size or particular character strings.
b) Effect Recognition: Recognizing the results of an attack, such as a system crash triggered by overload or an unexpected reboot for no apparent reason. A number of TCP/IP exploits, called “fragattacks”, use fragmented packets. Effect recognition is the more difficult of the two, because the “effects” often look like normal network traffic or like problems triggered by hardware or software faults.

10. Identifying and Categorizing Attack types:

The attack type refers to how an intruder obtains access to your computer or network and what the attacker does once he/she has gained entry – DoS attacks, scanning and spoofing, nuke attacks and distribution of malicious code, and some of the more sophisticated types of hack attacks, including social engineering attacks. It is useful to sort these different intrusions and attacks into classifications:
a) Pre-intrusion/attack activities
b) Password cracking methods
c) Technical Exploits
d) Malicious code attacks

12. Analyzing Network Traffic: -

 Network forensic analysis, like any other forensic investigation, presents many challenges. The first challenge concerns sniffing the traffic data.
 Depending on the network configuration and the security measures in place where the sniffer is deployed, the tool may not capture all of the desired traffic.
 To address this, the network administrator should use a SPAN (mirror) port on network devices at multiple places in the network.
 One tedious task in network forensics is data correlation, which can be either causal or temporal. For the latter, timestamps must be logged as well.

13. Network Based Evidence: -

Capturing network communications is a serious and essential step when examining suspected crimes or exploitation.

What is Network based Evidence?

 Collecting network-based evidence involves setting up a computer system to perform network monitoring, deploying the network monitor and evaluating the effectiveness of the network monitor.
 Capturing the traffic is only part of the work; extracting meaningful results is the other challenge.
 After gathering the raw data, which forms the network-based evidence, the next step is to analyse it. This includes reconstructing the network activity, performing low-level protocol analysis and understanding the network activity.

14. Goals of Network Monitoring: -

Network monitoring is not intended to prevent attacks. Instead, it permits investigators to complete a number of tasks:

1. Confirm or dispel suspicions surrounding an alleged computer security incident.
2. Collect additional evidence and information.
3. Verify the scope of a compromise.
4. Identify additional parties involved.
5. Determine a timeline of events occurring on the network.
6. Ensure compliance with a desired activity.

15. Types of Network Monitoring: -

Network monitoring consists of several different types of data collection:

1. Event Monitoring
2. Trap-and-trace Monitoring
3. Full-content monitoring

1. Event Monitoring:

Events are alerts which tell you that something has occurred on your network. Event monitoring is based on rules or thresholds operating on the network monitoring platform. Traditionally, events are generated by a network IDS, but events can also be created by network health monitoring software such as MRTG (Multi Router Traffic Grapher). The Snort tool is used to capture such events.

2. Trap and Trace Monitoring:

Non-content monitoring records the session or exchange data summarizing the network activity. Law enforcement refers to such non-content monitoring as a pen register or a trap-and-trace. In general, it includes the protocol, IP addresses and ports used by a network communication. Additional data may also be recorded, for example the TCP flags, the count of bytes sent by each side and the count of packets sent by each side. The tcptrace tool is used to summarize the sessions.
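As an added illustration of the trap-and-trace fields listed above (not part of the original notes), the following Python folds packet-header records into per-session summaries of the kind tcptrace produces; the packet records are constructed inline and no payload bytes are examined.

```python
"""Trap-and-trace (non-content) session summary built from packet headers only.

Added example, not from the original notes. The packet records are constructed
inline to stand in for headers read from a capture file; payload bytes are
never examined, which is what distinguishes a pen register/trap-and-trace
from full-content monitoring.
"""
from dataclasses import dataclass, field

# Constructed sample: (time_s, proto, src, sport, dst, dport, length, tcp_flags).
# tcp_flags uses the usual letters (S, A, P, F); it is "" for non-TCP packets.
PACKETS = [
    (1.000, "tcp", "10.0.0.5", 51234, "203.0.113.9", 443, 60, "S"),
    (1.020, "tcp", "203.0.113.9", 443, "10.0.0.5", 51234, 60, "SA"),
    (1.021, "tcp", "10.0.0.5", 51234, "203.0.113.9", 443, 52, "A"),
    (1.030, "tcp", "10.0.0.5", 51234, "203.0.113.9", 443, 517, "PA"),
    (1.080, "tcp", "203.0.113.9", 443, "10.0.0.5", 51234, 1480, "PA"),
    (2.500, "tcp", "10.0.0.5", 51234, "203.0.113.9", 443, 52, "FA"),
    (0.500, "udp", "10.0.0.5", 40001, "10.0.0.1", 53, 71, ""),
    (0.510, "udp", "10.0.0.1", 53, "10.0.0.5", 40001, 135, ""),
    # Constructed irregularity: an inside host pushing data to an odd port, no replies.
    (3.000, "tcp", "10.0.0.7", 44444, "198.51.100.4", 31337, 1500, "PA"),
    (3.010, "tcp", "10.0.0.7", 44444, "198.51.100.4", 31337, 1500, "PA"),
]


@dataclass
class Session:
    proto: str
    a: tuple            # (ip, port) of the side that sent the first packet seen
    b: tuple            # (ip, port) of the other side
    first: float
    last: float
    pkts_ab: int = 0
    pkts_ba: int = 0
    bytes_ab: int = 0
    bytes_ba: int = 0
    flags: set = field(default_factory=set)   # distinct TCP flag combinations seen


def session_key(proto, src, sport, dst, dport):
    """Direction-independent key so both halves of an exchange fold into one session."""
    ends = sorted([(src, sport), (dst, dport)])
    return (proto, ends[0], ends[1])


def summarize(packets):
    """Reduce header records to per-session counters: protocol, endpoints, ports,
    flags, and bytes/packets per direction (the fields the notes list)."""
    sessions = {}
    for ts, proto, src, sport, dst, dport, length, flags in sorted(packets):
        key = session_key(proto, src, sport, dst, dport)
        s = sessions.get(key)
        if s is None:
            s = Session(proto, (src, sport), (dst, dport), ts, ts)
            sessions[key] = s
        s.last = max(s.last, ts)
        if (src, sport) == s.a:
            s.pkts_ab += 1
            s.bytes_ab += length
        else:
            s.pkts_ba += 1
            s.bytes_ba += length
        if flags:
            s.flags.add(flags)
    return list(sessions.values())


def one_sided(sessions):
    """Sessions in which only one side ever sent packets: the kind of irregularity
    (covert transfer, beaconing) that header-only monitoring can still surface."""
    return [s for s in sessions if s.pkts_ab == 0 or s.pkts_ba == 0]


if __name__ == "__main__":
    for s in summarize(PACKETS):
        print(f"{s.proto} {s.a[0]}:{s.a[1]} <-> {s.b[0]}:{s.b[1]} "
              f"pkts {s.pkts_ab}/{s.pkts_ba} bytes {s.bytes_ab}/{s.bytes_ba} "
              f"dur {s.last - s.first:.3f}s flags {sorted(s.flags)}")
    print("one-sided:", [(s.a, s.b) for s in one_sided(summarize(PACKETS))])
```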

3. Full Content Monitoring:

Full-content monitoring produces data that contains the raw packets collected from the wire. It offers the highest fidelity, because it represents the actual communication passed between computers on a network. Full content data contains both packet headers and payloads. The tcpdump tool is used to capture the packets.

16. Process of collecting Network based evidence: -

1. Setting up a network monitoring system:
Hardware- and software-based network diagnostic tools, IDS sensors and packet capture utilities all have their dedicated purposes. Creating a successful network monitoring system includes the following steps:

a) Deciding your goals: The first step in carrying out network monitoring is to know why you are doing it in the first place. Define the goals of your network monitoring, because they will determine the hardware, software and filters you use to collect evidence. Decide what you intend to achieve, for example:

 Watch traffic to and from a particular host.
 Monitor a particular individual’s activities.
 Verify intrusion attempts.
 Look for particular attack signatures.
 Focus on the use of a particular protocol.

b) Choosing Appropriate Hardware: Large organizations can buy a commercial system or build their own network monitor. The important thing is that the system must have enough horsepower to perform the monitoring functions. How much data the system can collect depends on its CPU type, amount of RAM and hard drive capacity.

c) Choosing Appropriate Software: Choosing software is the most difficult challenge in assembling a network monitor. Different monitoring tools are required to meet different needs, and the tools can be very expensive. The factors which will affect the software selection are:
 What type of host operating system will you use?
 Do you want to permit remote access to your monitor, or access the monitor only at the console?
 Do you want to implement a silent network sniffer?
 Do you need portability of the capture files?
 What are the technical skills of those responsible for the monitor?
 How much data traverses the network?

It is important to choose an appropriate:

 Operating System
 Remote Access method
 Silent Sniffer
 Data file format

d) Deploying the network monitor: The placement of the network monitor is perhaps the most important issue in setting up a monitoring system. Newer devices and network technologies, such as network switches, VLANs and multiple data-rate networks, have created new challenges for investigators. The typical goal of network monitoring is to capture all activity related to a specific target system. Switches segment a network by learning the presence of workstations based on their MAC addresses. Once a switch has built its port-to-MAC-address table, it will forward packets out of a port only if the receiving system is present on that port.

e) Evaluating the network monitor: When carrying out network monitoring, you cannot just start tcpdump and walk away from the console. You need to check that the disk is not filling up rapidly, verify that the packet capture program is running properly and see what kind of load the network monitor is carrying.

2. Performing a Trap and Trace:

A trap and trace captures non-content information from a network. It refers to observing IP and TCP headers without observing any of the content within the packets themselves. It can also be used to detect network traffic irregularities, such as backdoor programs that permit covert file transfers and evade detection by a normal IDS. A trap and trace can be accomplished using free standard tools such as tcpdump and WinDump. tcpdump and WinDump capture files have the same binary format, so one can capture traffic using tcpdump and view it using WinDump.

3. Using TCPDUMP for Full Content Monitoring:

Full content monitoring is done for computer security incident response, and the tcpdump tool is used for it. Here the maximum amount of traffic is collected and then filtered to extract the full data content of interest from the whole capture. The important aspects of collecting full content data are file naming and ensuring file integrity.

4. Collecting Network-based Log files:

When you collect evidence, make sure that you review all the potential sources of evidence when you respond to an incident. Some examples are:

 Firewalls, routers, servers, IDS sensors and other network devices may keep logs that record network-based events.
 DHCP servers record network access when a PC requests an IP lease.

All of these investigative clues present unique challenges for the investigator. The challenges are:

a) The network-based logs are stored in many formats.
b) The logs may originate from several different operating systems.
c) The logs may require special software to access and read.
d) The logs are geographically dispersed and sometimes use an inaccurate current time.

The main challenge for investigators is in tracing all these logs and correlating them.
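The temporal correlation mentioned under Analyzing Network Traffic and the four log challenges listed above are shown in this added Python example (not from the notes): constructed firewall, DHCP and IDS log lines in three different formats are normalized to UTC using assumed per-source time zones and clock skews, then correlated by IP address into one timeline.

```python
"""Normalize network logs of different formats and clock quality to one UTC
timeline and correlate them by IP. Added example, not from the notes: all log
lines are constructed (syslog-style firewall line with no year and a slow local
clock, ISO/UTC DHCP lease line, epoch-stamped IDS alert), and the per-source
time zone and clock skew are assumed values an investigator measured beforehand.
"""
import re
from datetime import datetime, timedelta, timezone

FIREWALL_LOG = """\
Mar  3 09:15:42 fw1 kernel: DROP IN=eth0 SRC=198.51.100.4 DST=10.0.0.7 PROTO=TCP DPT=22
Mar  3 09:16:05 fw1 kernel: ACCEPT IN=eth1 SRC=10.0.0.7 DST=198.51.100.4 PROTO=TCP DPT=31337
"""
DHCP_LOG = """\
2024-03-03T14:10:03Z DHCPACK 10.0.0.7 aa:bb:cc:dd:ee:07 lease=3600
2024-03-03T13:05:00Z DHCPACK 10.0.0.5 aa:bb:cc:dd:ee:05 lease=3600
"""
IDS_LOG = """\
1709475365 ALERT sid=100001 "outbound connection to unusual port" 10.0.0.7 -> 198.51.100.4:31337
"""

# Assumed per-source clock facts: fw1 logs local time (UTC-5) and runs 12 s slow.
SOURCES = {
    "fw1":  {"tz": timezone(timedelta(hours=-5)), "skew": timedelta(seconds=12)},
    "dhcp": {"tz": timezone.utc, "skew": timedelta(0)},
    "ids":  {"tz": timezone.utc, "skew": timedelta(0)},
}
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) kernel: (\w+) "
                       r".*SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\d+)")
IDS_RE = re.compile(r'^(\d+) ALERT sid=(\d+) "([^"]+)" (\S+) -> (\S+):(\d+)$')


def parse_firewall(text, year):
    """Syslog timestamps carry no year, so the investigator supplies it."""
    for m in filter(None, map(SYSLOG_RE.match, text.splitlines())):
        mon, day, hms, host, action, src, dst, proto, dpt = m.groups()
        logged = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        yield {"source": host, "logged": logged, "ips": {src, dst},
               "event": f"{action} {proto} {src}->{dst}:{dpt}"}


def parse_dhcp(text):
    for line in text.splitlines():
        ts, msg, ip, mac, lease = line.split()
        yield {"source": "dhcp", "logged": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               "ips": {ip}, "event": f"{msg} {ip} {mac}", "ip": ip, "mac": mac,
               "lease": timedelta(seconds=int(lease.split("=")[1]))}


def parse_ids(text):
    for m in filter(None, map(IDS_RE.match, text.splitlines())):
        epoch, sid, msg, src, dst, dport = m.groups()
        logged = datetime.fromtimestamp(int(epoch), tz=timezone.utc).replace(tzinfo=None)
        yield {"source": "ids", "logged": logged, "ips": {src, dst},
               "event": f"sid {sid} {msg} {src}->{dst}:{dport}"}


def normalize(event):
    """Attach the source's zone, convert to UTC and correct its known clock skew."""
    cfg = SOURCES[event["source"]]
    event["utc"] = event["logged"].replace(tzinfo=cfg["tz"]).astimezone(timezone.utc) + cfg["skew"]
    return event


def mac_at(ip, when, leases):
    """Attribute an IP to a MAC via the DHCP lease that covered that moment."""
    for l in leases:
        if l["ip"] == ip and l["utc"] <= when < l["utc"] + l["lease"]:
            return l["mac"]
    return None


def timeline_for(ip, year=2024):
    """All events touching `ip`, ordered on corrected UTC time, each tagged with the MAC."""
    events = [normalize(e) for e in (*parse_firewall(FIREWALL_LOG, year),
                                     *parse_dhcp(DHCP_LOG), *parse_ids(IDS_LOG))]
    leases = [e for e in events if "mac" in e]
    return [(e["utc"], e["source"], e["event"], mac_at(ip, e["utc"], leases))
            for e in sorted(events, key=lambda e: e["utc"]) if ip in e["ips"]]


if __name__ == "__main__":
    for utc, source, event, mac in timeline_for("10.0.0.7"):
        print(f"{utc:%Y-%m-%d %H:%M:%S}Z {source:5} {event}  [{mac}]")
```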

17. Network Evidence Handling: -

There should be rules and regulations for performing forensic investigations: -

Rule 1: An examination should never be performed on the original media.

Rule 2: A copy is made onto forensically sterile media. New media should always be used if available.

Rule 3: The copy of the evidence must be an exact, bit-by-bit copy (sometimes referred to as a bit-stream copy).

Rule 4: The computer and the data on it must be protected during the acquisition of media to ensure that the data is not modified (use a write-blocking device when possible).

Rule 5: The examination must be conducted in such a way as to prevent any modification of the evidence.

Rule 6: The chain of custody of all evidence must be clearly maintained to provide an audit log of who might have accessed the evidence and at what time.
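An added Python example (not from the notes) that carries out Rules 3 to 6 on a capture file, together with the file naming and integrity concerns raised under full content monitoring with tcpdump; the evidence bytes, case id, sensor and examiner names are constructed placeholders, and the naming scheme is one assumed convention.

```python
"""Acquire a copy of network evidence the way the handling rules require:
bit-for-bit copy onto fresh media, hash before and after, original left
untouched, copy made read-only, and every action appended to a chain-of-custody
log. Added example, not from the notes; the capture bytes, case id, sensor
name and examiner are constructed placeholders, and the naming scheme
(case_sensor_UTCtimestamp.pcap) is one assumed convention, not a standard.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CUSTODY_LOG = "chain_of_custody.jsonl"


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def evidence_name(case_id, sensor, when):
    """Name a capture so case, sensor and UTC time are visible without opening it."""
    return f"{case_id}_{sensor}_{when:%Y%m%dT%H%M%SZ}.pcap"


def acquire(original, dest_dir, case_id, sensor, examiner):
    """Copy `original` into `dest_dir`, verify the copy, record custody; returns (copy_path, verified)."""
    now = datetime.now(timezone.utc)
    copy = os.path.join(dest_dir, evidence_name(case_id, sensor, now))
    before = sha256_of(original)
    shutil.copyfile(original, copy)           # rule 3: exact byte-for-byte copy
    os.chmod(copy, 0o440)                     # rule 5: working copy cannot be modified casually
    verified = sha256_of(copy) == before == sha256_of(original)   # rule 4: original unchanged
    entry = {"time": now.isoformat(), "case": case_id, "examiner": examiner,
             "action": "acquire", "original": original, "copy": copy,
             "sha256": before, "verified": verified}
    with open(os.path.join(dest_dir, CUSTODY_LOG), "a") as f:   # rule 6: who, what, when
        f.write(json.dumps(entry) + "\n")
    return copy, verified


def custody_intact(dest_dir):
    """Re-hash every copy in the custody log; any mismatch means the chain is broken."""
    with open(os.path.join(dest_dir, CUSTODY_LOG)) as f:
        entries = [json.loads(line) for line in f]
    return bool(entries) and all(sha256_of(e["copy"]) == e["sha256"] for e in entries)


def demo():
    """Run the workflow on a constructed file; returns (verified, intact, intact_after_tamper)."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "span1_raw.pcap")
    with open(original, "wb") as f:        # constructed bytes: pcap magic plus filler
        f.write(b"\xd4\xc3\xb2\xa1" + bytes(range(256)) * 4)
    copy, verified = acquire(original, work, "CASE-PLACEHOLDER", "span1", "examiner-placeholder")
    intact = custody_intact(work)
    os.chmod(copy, 0o640)                  # simulate an unlogged modification of the copy
    with open(copy, "ab") as f:
        f.write(b"\x00")
    return verified, intact, custody_intact(work)


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```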

18. Steps involved in generic network forensic examination: -
A generic network forensic examination includes the following steps:

1. Identification: Recognizing and determining an incident based on network indicators. This step is significant since it has an impact on the steps that follow.

2. Preservation: Securing and isolating the state of physical and logical evidence so that it cannot be altered, for example by protection from electromagnetic damage or interference.

3. Collection: Recording the physical scene and duplicating digital evidence using standardized methods and procedures.

4. Examination: An in-depth, systematic search for evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis.

5. Analysis: Determining significance, reconstructing packets of network traffic data and drawing conclusions based on the evidence found.

6. Presentation: Summarizing and explaining the conclusions drawn.

7. Incident Response: The response to the attack or intrusion detected is initiated based on the information gathered to validate and assess the incident.

19. Investigating Router: -

 Routers can be tools used by investigators, and they can also be targets of attack or stepping stones for attackers.
 Routers can provide valuable information and evidence that allows investigators to resolve complex network incidents.
 The information stored on routers, such as passwords, routing tables and network block information, makes routers a valuable first step for attackers bent on penetrating internal networks.

20. Procedure to investigate Router: -

The following procedure should be followed to investigate a router:

1) Obtaining Volatile data prior to powering down:

a) The response process always begins by obtaining the most volatile data first. Memory contains information which may be important for the investigation, and routers have little data storage. That is why this information should be saved before powering down the router.

b) Non-volatile RAM stores the router configuration. When the router is rebooted or powered down, there is a risk of losing the system state information held in memory, such as the current routing tables, listening services and current passwords.

c) The following steps are used to investigate the router:

i) Establishing a router connection: This is necessary before doing anything else. Accessing the router from the console port is the best way. Whenever a router connection is established, make sure to log the entire session.

ii) Record system time: It helps in cross-referencing the data.

iii) Determining who is logged on: It helps in finding out who is logged on to the router.

iv) Determine the router’s uptime: The time that the system has been online since the last reboot can also be important.

v) Determine the listening sockets: Here it can be found out which ports are listening on the router. An external port scanner can be used to determine which services are running on the router. The configuration file, which covers all aspects of the router’s configuration, can also be examined here.

vi) Save the router configuration: The router configuration information is stored in a single file in NVRAM. When the router boots, it uses this stored configuration. It is possible to change the running configuration of the router without modifying the configuration file stored in NVRAM.

vii) Review the routing table: The routing table contains the blueprint of how the router forwards packets. If an attacker changes the routing table, the attacker also changes where packets are sent. Manipulating the routing table is a primary reason for compromising a router. Static routes, which are within the configuration file, are also visible to the attacker, so the attacker can change those routes.

viii) Check interface configuration: The information for every router interface, which is available in the configuration file, should be checked.

2) Finding the proof:

Once the evidence has been collected and saved, the next step depends on the type of incident suspected, based on the initial investigation. It is therefore necessary to know the responses for the different incident types which involve routers, including how to identify corroborating evidence.

The types of incidents that involve routers are as follows:

1. Direct Compromise
2. Routing Table Manipulation
3. Theft of Information
4. Denial of Service

21. Router as a Forensic Tool: -

Routers have many uses during incident response, especially during recovery. A couple of the more useful router features are ACLs and logging capabilities. There are also specific actions that can be taken on routers to mitigate the effects of DoS attacks.

1) Understanding Access Control Lists:

Access Control Lists (ACLs) are a mechanism that restricts traffic passing through the router. Packets can be restricted based on a dazzling array of attributes, including the following:

a) Protocol
b) Source or Destination IP Address
c) TCP or UDP source or destination port
d) TCP flags
e) ICMP message type
f) Time of day

2) Monitoring with Routers:

During incidents, it is often helpful to monitor network traffic. Routers can be used for this task, and they can prove invaluable in many cases, such as when other monitoring software cannot keep up with the bandwidth passing through the router.

3) Responding to DDoS Attack:

DDoS attacks are multi-protocol attacks: ICMP, UDP and TCP packets are all part of the attack. Attacks involving ICMP and UDP packets can be mitigated quickly by blocking ICMP and UDP packets.
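Added Python example, not from the notes and not router syntax: a model of first-match ACL evaluation over the six attributes listed under Understanding Access Control Lists, with an assumed protected network 10.0.0.0/24, whose first rules show the ICMP/UDP blocking described under Responding to DDoS Attack.

```python
"""First-match access control list over the attributes the notes enumerate:
protocol, source/destination address, TCP/UDP port, TCP flags, ICMP message
type and time of day, with an implicit deny at the end.
Added example, not from the notes and not router syntax: a plain-Python model
of ACL semantics applied inbound on an (assumed) external interface. The rule
set and packets are constructed; the emergency rules dropping inbound ICMP echo
requests and UDP show the DDoS response described, with DNS kept reachable.
"""
import ipaddress
from datetime import time


class Rule:
    def __init__(self, action, proto="any", src="0.0.0.0/0", dst="0.0.0.0/0",
                 dport=None, flags=None, icmp_type=None, hours=None):
        self.action, self.proto = action, proto
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.dport = dport
        self.flags = set(flags) if flags else None   # TCP flags that must all be set
        self.icmp_type = icmp_type
        self.hours = hours                           # (start, end) time of day, end exclusive

    def matches(self, pkt):
        checks = [
            self.proto == "any" or pkt["proto"] == self.proto,
            ipaddress.ip_address(pkt["src"]) in self.src,
            ipaddress.ip_address(pkt["dst"]) in self.dst,
            self.dport is None or pkt.get("dport") == self.dport,
            self.flags is None or self.flags <= pkt.get("flags", set()),
            self.icmp_type is None or pkt.get("icmp_type") == self.icmp_type,
            self.hours is None or self.hours[0] <= pkt["time"] < self.hours[1],
        ]
        return all(checks)


def evaluate(acl, pkt):
    """Return (action, index of the matching rule); ("deny", None) is the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Constructed inbound ACL; 10.0.0.0/24 is the (assumed) protected internal network.
ACL = [
    Rule("permit", "udp", dst="10.0.0.1/32", dport=53),                 # 0 keep the resolver reachable
    Rule("deny", "icmp", dst="10.0.0.0/24", icmp_type=8),               # 1 DDoS response: drop echo requests
    Rule("deny", "udp", dst="10.0.0.0/24"),                             # 2 DDoS response: drop other inbound UDP
    Rule("permit", "tcp", dst="10.0.0.20/32", dport=443),               # 3 public web server
    Rule("permit", "tcp", dst="10.0.0.0/24", flags="A"),                # 4 replies to inside-initiated sessions
    Rule("permit", "tcp", src="192.0.2.0/24", dst="10.0.0.50/32", dport=22,
         hours=(time(8), time(18))),                                    # 5 vendor SSH, business hours only
]


def pkt(proto, src, dst, dport=None, flags="", icmp_type=None, at=time(12)):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport,
            "flags": set(flags), "icmp_type": icmp_type, "time": at}


SAMPLE = [                                                     # constructed packets
    pkt("udp", "198.51.100.4", "10.0.0.1", 53),
    pkt("icmp", "198.51.100.4", "10.0.0.20", icmp_type=8),
    pkt("udp", "198.51.100.4", "10.0.0.20", 123),
    pkt("tcp", "198.51.100.4", "10.0.0.20", 443, "S"),
    pkt("tcp", "198.51.100.4", "10.0.0.7", 31337, "S"),
    pkt("tcp", "203.0.113.9", "10.0.0.5", 51234, "PA"),
    pkt("tcp", "192.0.2.10", "10.0.0.50", 22, "S", at=time(9, 30)),
    pkt("tcp", "192.0.2.10", "10.0.0.50", 22, "S", at=time(23, 0)),
]


def run_all(acl=ACL, packets=SAMPLE):
    return [evaluate(acl, p) for p in packets]


if __name__ == "__main__":
    for p, (action, idx) in zip(SAMPLE, run_all()):
        print(f"{action:6} rule={idx} {p['proto']} {p['src']} -> {p['dst']}:{p['dport']}")
```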

22. Challenges in Network Forensics: -

There are many challenges in network forensics. They include:

1. High Speed Data Transmission: The high data rate of network traffic makes capturing and preserving all network packets difficult for network forensics. In a matter of seconds, millions of packets are sent across the network, which is made up of thousands of interconnected network devices.

2. Data Storage on the network devices: The network transmits a massive amount of data, which is captured and analysed for the investigation. However, the volume of such data makes retrieving evidence from the network more difficult for network forensics. For example, the captured data must be stored on devices with a large storage capacity, whereas the storage capacity of a network interconnectivity device is limited.

3. Data Integrity: Data integrity is critical in the network forensics process and must be addressed. The ability to keep accurate, complete and consistent data in the network is known as data integrity. Network forensics must ensure the integrity of data captured on the network, which is a difficult and time-consuming task. The scope, size and velocity of the data make it difficult for investigators to maintain data integrity.

4. Data Privacy: In the network forensics investigation process, data privacy is a critical consideration. Accessing data on an organization’s network may be in violation of its privacy policies. As a result, businesses prefer not to allow third-party investigators to use their network data for any investigation. An investigator’s trace file may contain a user’s password, email content, bank account information and other personal information.

5. Access to IP addresses: In network forensics, gaining access to an intruder’s source IP address is a crucial step. The origin of the attack is indicated by the source IP address. Intruders use a variety of techniques to conceal their true source IP address from network security devices.

6. Data Extraction Location: Network forensics is made more difficult by the distributed nature and virtualized characteristics of networks, which make it difficult to determine the best location and device for data extraction. A network with thousands of devices connected to each other via high-speed data links transmitting millions of packets per second is difficult to manage for each link and device individually.

23. Tools used in Network Forensics: -

There are different types of hardware tools and software tools available for network forensics.

Hardware Tools:

1) Network Tap:
 A network tap is a tapping device with which one can sit in between the communication of two legitimate users.
 It is a hardware device that gives whoever controls it access to the communication, allowing them to eavesdrop on it.
 A tap is thus a device that an attacker may plant in the network to listen to the communication between A and B; that is what is known as a tap.

2) Port Mirroring:
 Port mirroring is used on a network switch to send a copy of the network packets seen on one switch port to a network monitoring connection on another switch port.
 Loosely, port mirroring is like projecting your screen onto a wall with a projector.
 It assists administrators in closely monitoring network performance and notifies them when problems arise.
Software Tools:

1) Wireshark:
 It is a free and open-source packet analyser available on Linux as well as on Windows.
 It is an open-source network sniffing tool which is specifically designed to track data packets during transmission over the network.
 With the help of Wireshark we can monitor the entire communication by capturing the packets. It also supports filtering of the packets based on protocols and port numbers.

2) TCP Dump: tcpdump is a command-line program that analyses network packets and allows users to view TCP/IP and other packets sent or received over the network to which the computer is connected. This tool is based on the libpcap interface.

3) Network Miner: NetworkMiner is a network forensic analysis tool (NFAT) for Windows. It can be used as a passive network sniffer/packet capture tool to identify operating systems, sessions, hostnames, open ports etc., without interfering with network traffic.

4) Splunk: Splunk is a proprietary, versatile and highly extensible log collection and analysis tool. Splunk performs capturing, indexing and correlation of data in searchable repositories to generate charts, alerts, dashboards and visualizations.

24. Advantages and Disadvantages of Network Forensics: -

Advantages:
 Network forensics helps in identifying security threats and vulnerabilities.
 It analyzes and monitors network performance demands.
 Network forensics helps in reducing downtime.
 Network resources can be used in a better way through reporting and better planning.
 It helps in a detailed search of the network for any trace of evidence left behind.

Disadvantages:
The only disadvantage of network forensics is that it is difficult to implement.
