FLOW ANALYSIS
Section 2.2, Network Forensics: Tracking Hackers Through Cyberspace

FLOW ANALYSIS Defined
Examination of sequences of related packets (flows). Flow analysis is typically conducted in order to identify traffic patterns, isolate suspicious activity, analyze higher-layer protocols, or extract data. (Davidoff & Ham, 2012)

Flow defined
In RFC 3679, a flow is defined as a sequence of packets sent from a particular source to a particular unicast, anycast, or multicast destination that the source desires to label as a flow. A flow could consist of all packets in a specific transport connection or a media stream. However, a flow is not necessarily mapped 1:1 to a transport connection. (Davidoff & Ham, 2012)
The terms "flow" and "stream" are becoming interchangeable.

FLOW ANALYSIS TOOLS
Wireshark: Follow TCP Stream

OTHER TOOLS
Tshark
Tcpflow
  Parses non-fragmented IP packets and reassembles each TCP stream into a file
Pcapcat
  Lists all of the streams that it sees
  Can dump individual streams
  Uses magic numbers: a magic number is a constant used to identify a file format [1]
Tcpxtract
  Uses file signatures to extract and reconstruct payload data
  Example:
    $ tcpxtract -f capturefile.pcap -o output_dir/

FLOW ANALYSIS TECHNIQUES
List conversations and flows
Export a flow
File and data carving
LIST CONVERSATIONS AND FLOWS
View packet conversations using tshark:

$ tshark -qn -z conv,tcp -r evidence01.pcap
====================================================================
TCP Conversations
Filter:
                                          |       <-      |       ->      |     Total     |
                                          | Frames  Bytes | Frames  Bytes | Frames  Bytes |
192.168.1.159:1271  <-> 205.188.13.12:443      31   29717      16    1451      47   31168
192.168.1.159:1221  <-> 64.12.25.91:443        24    4206      16    1799      40    6005
192.168.1.158:51128 <-> 64.12.24.50:443        20    2622      20    1681      40    4303
192.168.1.158:5190  <-> 192.168.1.159:127       9    1042      15   13100      24   14142
192.168.1.159:1273  <-> 64.236.68.246:80        5    1545       5    1964      10    3509
192.168.1.2:54419   <-> 192.168.1.157:80        3     206       4     272       7     478
192.168.1.2:55488   <-> 192.168.1.30:22         2     292       3     246       5     538
====================================================================

LIST TCP FLOWS
Identify the specific flow of interest: look for the IP address and port.

$ pcapcat -r evidence01.pcap
[1] TCP 192.168.1.2:54419 -> 192.168.1.157:80
[2] TCP 192.168.1.159:1271 -> 205.188.13.12:443
[3] TCP 192.168.1.159:1272 -> 192.168.1.158:5190
[4] TCP 192.168.1.159:1273 -> 64.236.68.246:80
Enter the index number of the conversation to dump or press enter to quit:

EXPORT A FLOW
Identify the flow that most likely contains the evidence and export it.

Using pcapcat with a BPF filter:
$ pcapcat -r evidence01.pcap -w internal-stream.dump -f 'host 192.168.1.158 and port 5190'
[1] TCP 192.168.1.159:1272 -> 192.168.1.158:5190
Enter the index number of the conversation to dump or press enter to quit: 1
Dumping index value 1

Using tcpflow with the same filter:
$ tcpflow -r evidence01.pcap 'host 192.168.1.158 and port 5190'

Example display:
tcpflow[25586]: tcpflow version 0.21 by Jeremy Elson
tcpflow[25586]: looking for handler for datalink type 1 for interface evidence01.pcap
tcpflow[25586]: found max FDs to be 16 using OPEN_MAX
tcpflow[25586]: 192.168.001.159.01272-192.168.001.158.05190: new flow
tcpflow[25586]: 192.168.001.158.05190-192.168.001.159.01272: new flow
tcpflow[25586]: 192.168.001.158.05190-192.168.001.159.01272: opening new output file
tcpflow[25586]: 192.168.001.159.01272-192.168.001.158.05190: opening new output file

Using Wireshark:
  Click on a packet of the flow, right-click and choose Follow TCP Stream
  Save As in raw format

MANUAL FILE AND DATA CARVING
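The two steps shown above (the tshark conversation listing and the pcapcat/tcpflow export) can be reproduced with a few dozen lines of standard-library Python. The block below is an added example, not code from the slides, the book, or any of the tools named: it parses a classic pcap file, builds a bidirectional TCP conversation table with per-direction frame and byte counts (what `tshark -z conv,tcp` prints), and joins each unidirectional flow's payload in sequence-number order (what tcpflow writes to its output files). The capture it reads is constructed in memory by `build_packet`/`build_pcap`, so the addresses, ports and payloads are sample values; it handles Ethernet/IPv4/TCP only and does no retransmission or checksum handling.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_packet(src, sport, dst, dport, seq, payload):
    """Build an Ethernet/IPv4/TCP frame. Constructed test data, not a real capture."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)            # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,      # ports, seq, ack
                      5 << 4, 0x18, 8192, 0, 0) + payload       # data offset, PSH|ACK, window
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic pcap file: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_300_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap_bytes):
    """Yield (src, sport, dst, dport, seq, frame_len, payload) for each IPv4/TCP packet."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"                # pcap headers use file byte order
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example handles Ethernet captures only")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                            # not IPv4
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue                                            # not TCP
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, seq, len(frame), tcp[data_off:]


def tcp_conversations(pcap_bytes):
    """Bidirectional conversation table keyed on the sorted endpoint pair, like tshark -z conv,tcp.
    Each value holds [frames, bytes] for the a->b and b->a directions."""
    conv = {}
    for src, sport, dst, dport, _, frame_len, _ in iter_tcp(pcap_bytes):
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)
        stats = conv.setdefault(key, {"a->b": [0, 0], "b->a": [0, 0]})
        direction = "a->b" if (a, b) == key else "b->a"
        stats[direction][0] += 1
        stats[direction][1] += frame_len
    return conv


def reassemble_flows(pcap_bytes):
    """Join payload per unidirectional flow in sequence-number order, like tcpflow's output files."""
    segments = defaultdict(list)
    for src, sport, dst, dport, seq, _, payload in iter_tcp(pcap_bytes):
        if payload:
            segments[(src, sport, dst, dport)].append((seq, payload))
    return {flow: b"".join(p for _, p in sorted(segs)) for flow, segs in segments.items()}


# Constructed capture: an HTTP request, its reply delivered out of order, and one unrelated segment
SAMPLE_PCAP = build_pcap([
    build_packet("192.168.1.2", 54419, "192.168.1.157", 80, 100, b"GET / HTTP/1.0\r\n\r\n"),
    build_packet("192.168.1.157", 80, "192.168.1.2", 54419, 517, b"\r\nhello"),
    build_packet("192.168.1.157", 80, "192.168.1.2", 54419, 500, b"HTTP/1.0 200 OK\r\n"),
    build_packet("192.168.1.159", 1272, "192.168.1.158", 5190, 1, b"OFT2"),
])

if __name__ == "__main__":
    for (a, b), s in tcp_conversations(SAMPLE_PCAP).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  <- {s['b->a']}  -> {s['a->b']}")
    for flow, data in reassemble_flows(SAMPLE_PCAP).items():
        print(flow, data)
```

The reply segments are deliberately placed out of order in the sample capture; sorting by sequence number before joining is what makes the reassembled server-side flow read as one HTTP response, the same property you rely on when a tool such as tcpflow hands you a single file per direction.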
Carve the file out of the exported flow:
  Open the flow in a hex editor
  Look for the magic numbers (file signatures)
    Examples: JPEG begins with 0xffd8 and ends with 0xffd9; .docx begins with 0x504B
  Figure the file size to find the end of the file: add the initial byte offset to the expected size
  Gather hashes
    Example:
      $ sha256sum filename
      $ md5sum filename
  Confirm the file size
  Open a copy and confirm the file is correct
1. HTTP://WWW.KORELOGIC.COM/RESOURCES/PROJECTS/DFRWS_CHALLENGE_2006/DFRWS_2006_FILE_CARVING_CHALLENGE.PDF

AUTOMATIC FILE CARVING
$ tcpxtract -f evidence01.pcap
...
Found file of type "zip" in session [192.168.1.158:17940 -> 192.168.1.159:63492], exporting to 00000023.zip
Found file of type "zip" in session [192.168.1.158:17940 -> 192.168.1.159:63492], exporting to 00000024.zip
Found file of type "zip" in session [192.168.1.158:17940 -> 192.168.1.159:63492], exporting to 00000025.zip
$ ls -l
...
-rwx------ 1 student student 12020 2011-01-08 11:22 00000023.zip
-rwx------ 1 student student 11068 2011-01-08 11:22 00000024.zip
-rwx------ 1 student student 10264 2011-01-08 11:22 00000025.zip

HIGHER-LAYER TRAFFIC ANALYSIS
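The manual carving steps above (find the signature, figure the size, carve, hash, confirm) and the automatic carving that tcpxtract performs are the same algorithm; the block below is an added example of it in standard-library Python and is not tcpxtract's code or the book's. It scans a reassembled flow for the two signatures the slides name, determines each file's end from the format itself (the JPEG EOI marker; for ZIP the end-of-central-directory record plus its comment length, which also covers .docx), carves the bytes, computes SHA-256 and MD5, and opens a copy of the archive to confirm it is intact. The flow it scans is constructed inline: a one-entry ZIP built with `zipfile` and a minimal JPEG-like byte string, surrounded by filler that stands in for protocol chatter. Real tcpxtract reads its signatures from a configuration file; the two-entry table here is an assumption made for brevity.

```python
import hashlib
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8\xff"      # start of image (the 0xffd8 on the slide, plus next marker byte)
JPEG_EOI = b"\xff\xd9"          # end of image (0xffd9)
ZIP_LFH = b"PK\x03\x04"         # local file header (0x504B...): .zip, .docx, .xlsx, .jar
ZIP_EOCD = b"PK\x05\x06"        # end of central directory record, always last in an archive


def jpeg_end(data, start):
    """Offset one past the EOI marker, or None if the image is truncated (no trailer)."""
    eoi = data.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if eoi < 0 else eoi + len(JPEG_EOI)


def zip_end(data, start):
    """Offset one past the EOCD record (22 fixed bytes + comment), or None if incomplete."""
    eocd = data.find(ZIP_EOCD, start)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    comment_len, = struct.unpack_from("<H", data, eocd + 20)
    return eocd + 22 + comment_len


# Signature table (assumption for this example; tcpxtract reads its own config file)
SIGNATURES = {"zip": (ZIP_LFH, zip_end), "jpg": (JPEG_SOI, jpeg_end)}


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()


def carve(data):
    """Find every complete file of a known type; return records sorted by byte offset."""
    found = []
    for kind, (magic, end_fn) in SIGNATURES.items():
        pos = data.find(magic)
        while pos >= 0:
            end = end_fn(data, pos)
            if end is None:
                break                       # header without a trailer: incomplete transfer
            blob = data[pos:end]            # start offset + computed size = end of file
            found.append({"type": kind, "offset": pos, "size": len(blob), "data": blob,
                          "sha256": sha256_hex(blob), "md5": md5_hex(blob)})
            pos = data.find(magic, end)     # resume after this file, not inside it
    return sorted(found, key=lambda f: f["offset"])


def verify_zip(blob):
    """Open a copy of the carved archive and check it reads cleanly (the slide's last step)."""
    return zipfile.ZipFile(io.BytesIO(blob)).testzip() is None


def make_sample_zip():
    """Constructed one-entry archive standing in for a transferred .zip/.docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("evidence.txt", "constructed sample payload\n")
    return buf.getvalue()


# Constructed flow: chatter, a zip, more chatter, a minimal JPEG-like image, trailing newline
SAMPLE_ZIP = make_sample_zip()
SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 16 + JPEG_EOI
SAMPLE_FLOW = b"OFT2 header chatter\r\n" + SAMPLE_ZIP + b"\r\nmore chatter " + SAMPLE_JPEG + b"\n"

if __name__ == "__main__":
    for f in carve(SAMPLE_FLOW):
        print(f"{f['type']}: offset {f['offset']}, size {f['size']} bytes, "
              f"sha256 {f['sha256']}, md5 {f['md5']}")
        if f["type"] == "zip":
            print("  archive opens cleanly:", verify_zip(f["data"]))
```

Two details matter for evidence handling: the end of each file is derived from the format's own structure rather than from the next signature, so adjacent files and trailing protocol bytes are not swept into the carved object, and a header with no matching trailer is reported as nothing rather than as a partial file, which is the case the "confirm the file size" step on the slide exists to catch.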
Hypertext Transfer Protocol (HTTP)
Simple Mail Transfer Protocol (SMTP)
Domain Name System (DNS)
Dynamic Host Configuration Protocol (DHCP)
Etc.

HTTP
RFC 2616 defines the methods:
  OPTIONS  obtain information about the communication options
  GET      retrieve information identified by a Uniform Resource Identifier (URI)
  HEAD     retrieve information without the message body
  POST     send data to a URI for processing
  PUT      upload information to the specified URI
  DELETE   delete the specified resource
  TRACE    echo the request message back to the client, helpful for debugging
  CONNECT  reserved

DHCP [1] [2]
1. HTTP://WWW.TIWOC.DE/BLOG/2008/05/DYNAMIC-HOST-CONFIGURATION-PROTOCOL/
2. IMAGE/S CLIPPED FROM WORK CITED

SMTP
Important vocabulary:
  Mail User Agent (MUA): the end user's mail client
  Mail Submission Agent (MSA): accepts local mail submissions
  Mail Transfer Agent (MTA): transfers mail between mail servers
  Mail eXchanger (MX): accepts incoming messages for a domain
  Mail Delivery Agent (MDA): local mail delivery
Basic commands:
  HELO  opens the connection
  MAIL  identifies the return address
  RCPT  identifies the recipient address
  DATA  message content

DNS
Query-response protocol:
  Client question = single UDP packet
  Server response = single UDP packet [1]
1. HTTP://WWW.TROYJESSUP.COM/HEADERS/DNS_HEADER.PNG
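Because a DNS exchange is one question datagram and one answer datagram, a higher-layer analyzer only has to decode the fixed 12-byte header, the question, and the answer records, and then pair packets on transaction ID. The block below is an added example (not code from the slides or the book) that does exactly that in standard-library Python: it decodes header flags and counts, walks the question and answer sections, follows RFC 1035 name-compression pointers, and checks that a response actually belongs to its query. The two packets are constructed in the block (the name www.example.com and address 192.0.2.1 are documentation values, not captured data).

```python
import struct


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def decode_name(msg, off):
    """Decode a name at off, following compression pointers (0xC0xx); return (name, next_off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # pointer: 14-bit offset into the message
            if end is None:
                end = off + 2                         # parsing resumes after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns(msg):
    """Return header fields plus decoded question and answer sections of one UDP payload."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    out = {"id": ident,
           "is_response": bool(flags & 0x8000),      # QR bit
           "opcode": (flags >> 11) & 0xF,
           "rcode": flags & 0xF,
           "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                 # A record: render the IPv4 address
            rdata = ".".join(map(str, rdata))
        out["answers"].append((name, rtype, ttl, rdata))
    return out


def match_pair(query, response):
    """Pair a response with its query: same ID, QR clear then set, identical question."""
    q, r = parse_dns(query), parse_dns(response)
    return (q["id"] == r["id"] and not q["is_response"] and r["is_response"]
            and q["questions"] == r["questions"])


# Constructed packets (not captured): a recursive query for www.example.com and its A answer.
QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)          # flags: RD
         + encode_name("www.example.com") + struct.pack("!HH", 1, 1))  # QTYPE A, QCLASS IN
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)       # flags: QR, RD, RA
            + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c"                                              # pointer to name at offset 12
            + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(parse_dns(QUERY))
    print(parse_dns(RESPONSE))
    print("response matches query:", match_pair(QUERY, RESPONSE))
```

The pairing check is the useful part for forensics: a transaction ID alone collides easily in a busy capture, so matching on the question as well avoids attributing an answer to the wrong query.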
HIGHER-LAYER ANALYSIS TOOLS
Oftcat
  Input = a reassembled single flow of transport-layer payload (e.g. from tcpflow or pcapcat)
  Output = protocol summary of all OFT activity and any recovered files transferred
  http://blog.kiddaland.net/dw/oftcat
Smtpdump [1] [2]
1., 2. IMAGE/S CLIPPED FROM WORK CITED

HIGHER-LAYER ANALYSIS TOOLS (continued)
Findsmtpinfo.py
  Input = pcap file
  Output = extracted authentication data, credentials, mail header info, attachments and MD5 sums; produces a report
  http://forensicscontest.com/contest02/Finalists/Jeremy_Rossi/findsmtpinfo.py
NetworkMiner
  Multipurpose traffic analyzer

HIGHER-LAYER ANALYSIS TECHNIQUES
Small specialized tools
  Great for higher-layer protocol analysis
  Best to use if you have a good idea of what the packet contains
  Most interface easily with other tools
  Examples: Oftcat, smtpdump
Multipurpose tools
  Best when a wide range of information is needed
  Gather lots of different information
  Example: NetworkMiner

Works Cited
Davidoff, S., & Ham, J. (2012). Network Forensics: Tracking Hackers Through Cyberspace. Boston: Prentice Hall.