Technical Fundamentals

FLOW ANALYSIS
Section 2.2, Network Forensics: Tracking Hackers Through Cyberspace

FLOW ANALYSIS DEFINED
Flow analysis is the examination of sequences of related packets (flows). It is typically conducted in order to identify traffic patterns, isolate suspicious activity, analyze higher-layer protocols, or extract data. (Davidoff & Ham, 2012)

FLOW DEFINED
In RFC 3679, a flow is defined as a sequence of packets sent from a particular source to a particular unicast, anycast, or multicast destination that the source desires to label as a flow. A flow could consist of all packets in a specific transport connection or a media stream. However, a flow is not necessarily 1:1 mapped to a transport connection. (Davidoff & Ham, 2012)

The terms "flow" and "stream" are becoming interchangeable.

FLOW ANALYSIS TOOLS
- Wireshark: Follow TCP Stream

OTHER TOOLS
- Tshark

- Tcpflow: parses non-fragmented IP packets and reassembles each TCP stream into a file
- Pcapcat: lists all of the streams that it sees and can dump individual streams. Use magic numbers to identify what a dumped stream contains; a magic number is a constant used to identify a file format [1]
- Tcpxtract: extracts and reconstructs payload data using file signatures. Example:
      $ tcpxtract -f capturefile.pcap -o output_dir/

FLOW ANALYSIS TECHNIQUES
- List conversations and flows
- Export a flow
- File and data carving

LIST CONVERSATIONS AND FLOWS
View packet conversations using tshark:

    $ tshark -qn -z conv,tcp -r evidence01.pcap
    ====================================================================
    TCP Conversations
    Filter:
                                              |   <-   |   ->   |  Total  |
                                              Frames Bytes Frames Bytes Frames Bytes
    192.168.1.159:1271  <-> 205.188.13.12:443     31 29717   16  1451   47 31168
    192.168.1.159:1221  <-> 64.12.25.91:443       24  4206   16  1799   40  6005
    192.168.1.158:51128 <-> 64.12.24.50:443       20  2622   20  1681   40  4303
    192.168.1.158:5190  <-> 192.168.1.159:127      9  1042   15 13100   24 14142
    192.168.1.159:1273  <-> 64.236.68.246:80       5  1545    5  1964   10  3509
    192.168.1.2:54419   <-> 192.168.1.157:80       3   206    4   272    7   478
    192.168.1.2:55488   <-> 192.168.1.30:22        2   292    3   246    5   538
    ====================================================================

LIST TCP FLOWS
Identify the specific flow of interest by looking for the IP address and port:

    $ pcapcat -r evidence01.pcap
    [1] TCP 192.168.1.2:54419 -> 192.168.1.157:80
    [2] TCP 192.168.1.159:1271 -> 205.188.13.12:443
    [3] TCP 192.168.1.159:1272 -> 192.168.1.158:5190
    [4] TCP 192.168.1.159:1273 -> 64.236.68.246:80
    Enter the index number of the conversation to dump or press enter to quit:

EXPORT A FLOW
Identify the flow that most likely contains the evidence and export it:

    $ pcapcat -r evidence01.pcap -w internal-stream.dump -f 'host 192.168.1.158 and port 5190'
    [1] TCP 192.168.1.159:1272 -> 192.168.1.158:5190
    Enter the index number of the conversation to dump or press enter to quit: 1
    Dumping index value 1

    $ tcpflow -r evidence01.pcap 'host 192.168.1.158 and port 5190'

Example display:

    tcpflow[25586]: tcpflow version 0.21 by Jeremy Elson
    tcpflow[25586]: looking for handler for datalink type 1 for interface evidence01.pcap
    tcpflow[25586]: found max FDs to be 16 using OPEN_MAX
    tcpflow[25586]: 192.168.001.159.01272-192.168.001.158.05190: new flow
    tcpflow[25586]: 192.168.001.158.05190-192.168.001.159.01272: new flow
    tcpflow[25586]: 192.168.001.158.05190-192.168.001.159.01272: opening new output file
    tcpflow[25586]: 192.168.001.159.01272-192.168.001.158.05190: opening new output file

Wireshark: click on a packet, right-click and choose Follow TCP Stream, then Save As in raw format.
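The conversation table that tshark prints above is the starting point of flow analysis, so it helps to see how the Frames/Bytes columns are actually counted. The following Python is an added example written for this page (it is not code from the presentation or from Davidoff & Ham's book): it reads a classic pcap with only the standard library, folds both directions of every TCP connection into one row keyed by the endpoint pair, and returns rows in the same shape as the tshark output. The capture it reads is constructed inline (addresses, ports and payloads are made up), and it assumes a little-endian classic pcap with Ethernet framing and IPv4, no VLAN tags.

```python
"""Summarize TCP conversations in a pcap, in the spirit of `tshark -z conv,tcp`.

Added example (not code from the presentation or the cited book). Standard
library only; the pcap is constructed inline so the script runs offline.
Assumed limits: little-endian classic pcap, Ethernet link type, IPv4, no VLAN."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def tcp_frame(src, sport, dst, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame. Checksums are left zero because the
    summarizer below only reads addresses, ports and frame lengths."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_300_000_000 + n, 0, len(frame), len(frame)) + frame
    return out


def _endpoint(ip_bytes, port):
    return (int.from_bytes(ip_bytes, "big"), port)


def _fmt(ep):
    return "%s:%d" % (socket.inet_ntoa(ep[0].to_bytes(4, "big")), ep[1])


def summarize(pcap_bytes):
    """Return rows (a, b, a->b frames, a->b bytes, b->a frames, b->a bytes,
    total frames, total bytes), sorted by total bytes as tshark does.
    Endpoint 'a' is the numerically lower (ip, port) pair, so both directions
    of one connection fold into the same row."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("example handles little-endian classic pcap only")
    if struct.unpack("<I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("example handles Ethernet link type only")
    counts = defaultdict(lambda: [[0, 0], [0, 0]])   # key -> [[frames, bytes] a->b, b->a]
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                   # not TCP
            continue
        tcp = 14 + ihl
        if len(frame) < tcp + 4:
            continue
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        src, dst = _endpoint(frame[26:30], sport), _endpoint(frame[30:34], dport)
        a, b = (src, dst) if src <= dst else (dst, src)
        direction = 0 if src == a else 1
        counts[(a, b)][direction][0] += 1
        counts[(a, b)][direction][1] += len(frame)           # frame bytes, like tshark
    rows = []
    for (a, b), (ab, ba) in counts.items():
        rows.append((_fmt(a), _fmt(b), ab[0], ab[1], ba[0], ba[1],
                     ab[0] + ba[0], ab[1] + ba[1]))
    rows.sort(key=lambda r: r[7], reverse=True)
    return rows


# Constructed sample capture: one short HTTP exchange and one lone SYN to SSH.
SAMPLE_PCAP = build_pcap([
    tcp_frame("192.168.1.2", 54419, "192.168.1.157", 80),
    tcp_frame("192.168.1.157", 80, "192.168.1.2", 54419),
    tcp_frame("192.168.1.2", 54419, "192.168.1.157", 80, b"GET / HTTP/1.1\r\n\r\n"),
    tcp_frame("192.168.1.157", 80, "192.168.1.2", 54419, b"HTTP/1.1 200 OK\r\n\r\n"),
    tcp_frame("192.168.1.2", 55488, "192.168.1.30", 22),
])

if __name__ == "__main__":
    print("%-22s %-22s %6s %8s %6s %8s %6s %8s"
          % ("A", "B", "A->B", "bytes", "B->A", "bytes", "total", "bytes"))
    for row in summarize(SAMPLE_PCAP):
        print("%-22s %-22s %6d %8d %6d %8d %6d %8d" % row)
```

Byte counts are whole frame lengths (Ethernet header included), which is why they match tshark's conversation statistics rather than payload sizes; to summarize a real capture, replace SAMPLE_PCAP with the bytes of a pcap file.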

MANUAL FILE AND DATA CARVING
Carve the file out of the exported flow:
- Open it in a hex editor
- Look for the magic numbers (file signatures). Examples:
      JPEG: beginning 0xffd8, end 0xffd9
      .docx: beginning 0x504B
- Figure the file size to find the end of the file: add the expected size to the initial byte offset
- Gather hashes. Example:
      $ sha256sum filename
      $ md5sum filename
- Confirm the file size
- Open a copy and confirm the file is correct

[1] http://www.korelogic.com/RESOURCES/PROJECTS/DFRWS_CHALLENGE_2006/DFRWS_2006_FILE_CARVING_CHALLENGE.PDF

AUTOMATIC FILE CARVING

    $ tcpxtract -f evidence01.pcap
    ...
    Found file of type "zip" in session [192.168.1.158:17940 -> 192.168.1.159:63492], exporting to 00000023.zip
    Found file of type "zip" in session [192.168.1.158:17940 -> 192.168.1.159:63492], exporting to 00000024.zip
    Found file of type "zip" in session [192.168.1.158:17940 -> 192.168.1.159:63492], exporting to 00000025.zip
    $ ls -l
    ...
    -rwx------ 1 student student 12020 2011-01-08 11:22 00000023.zip
    -rwx------ 1 student student 11068 2011-01-08 11:22 00000024.zip
    -rwx------ 1 student student 10264 2011-01-08 11:22 00000025.zip
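The manual carving steps above (locate the signature, work out where the file ends, hash it, open a copy to confirm it) are what tcpxtract automates. The following Python is an added example written for this page (not the presentation's or the book's code, and not tcpxtract) that performs those steps over a reassembled flow dump: it carves JPEGs between the 0xffd8 and 0xffd9 markers, carves ZIP archives from the 0x504B local-file-header signature to the end of the end-of-central-directory record, hashes each carved object, and opens a copy to confirm the archive is intact. The flow dump it carves is constructed inline from a JPEG-shaped blob and a real in-memory ZIP; the member name and contents are made up.

```python
"""Carve JPEG and ZIP files out of a reassembled flow dump using magic numbers,
then hash and confirm what was carved.

Added example (not code from the presentation or the cited book). The flow
dump is constructed inline: a minimal JPEG-shaped blob and a real in-memory
ZIP, wrapped in filler bytes standing in for protocol chatter."""
import hashlib
import io
import struct
import zipfile

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"   # start / end of image markers
ZIP_LOCAL_HEADER = b"PK\x03\x04"                 # 0x504B0304, also used by .docx
ZIP_EOCD = b"PK\x05\x06"                         # end-of-central-directory record


def carve_jpegs(data):
    """JPEG carries no length field: carve from SOI to the next EOI. A real file
    can hold an embedded thumbnail with its own EOI, which is why the slides
    say to confirm the size and open a copy afterwards."""
    found, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = data.find(JPEG_EOI, start + 2)
        if end < 0:
            return found
        found.append(data[start:end + 2])
        pos = end + 2


def carve_zips(data):
    """ZIP begins with a local file header. Its length is known from the EOCD
    record: 22 fixed bytes plus the comment length stored in its last two bytes,
    so end = EOCD offset + 22 + comment length."""
    found, pos = [], 0
    while True:
        start = data.find(ZIP_LOCAL_HEADER, pos)
        if start < 0:
            return found
        eocd = data.find(ZIP_EOCD, start)
        if eocd < 0 or eocd + 22 > len(data):
            return found
        comment_len = struct.unpack("<H", data[eocd + 20:eocd + 22])[0]
        end = eocd + 22 + comment_len
        found.append(data[start:end])
        pos = end


def hashes(blob):
    """Gather the hashes the slides suggest (sha256sum / md5sum) plus the size."""
    return {"sha256": hashlib.sha256(blob).hexdigest(),
            "md5": hashlib.md5(blob).hexdigest(),
            "size": len(blob)}


def verify_zip(blob):
    """Open a copy and confirm the archive is valid; returns its member names."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.testzip() is None and zf.namelist()


def build_sample_flow():
    """Constructed stand-in for a reassembled flow dump (made-up contents)."""
    fake_jpeg = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        member = zipfile.ZipInfo("evidence.txt", date_time=(2011, 1, 8, 11, 22, 0))
        zf.writestr(member, "constructed sample content\n")   # stored, not deflated
    return b"chat noise " + fake_jpeg + b" more noise " + buf.getvalue() + b" trailing"


if __name__ == "__main__":
    flow = build_sample_flow()
    for i, j in enumerate(carve_jpegs(flow)):
        print("jpeg %d" % i, hashes(j))
    for i, z in enumerate(carve_zips(flow)):
        print("zip %d" % i, hashes(z), "members:", verify_zip(z))
```

To carve a real export, pass the bytes of a tcpflow or pcapcat output file as `data`; the hashes returned are what you record before the carved object is opened anywhere else.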

HIGHER-LAYER TRAFFIC ANALYSIS
- Hypertext Transfer Protocol (HTTP)
- Simple Mail Transfer Protocol (SMTP)
- Domain Name System (DNS)
- Dynamic Host Configuration Protocol (DHCP)
- Etc.

HTTP
Methods defined in RFC 2616:
- OPTIONS: obtain information about the communication options available
- GET: retrieve the information identified by a Uniform Resource Identifier (URI)
- HEAD: retrieve the same information as GET, without the message body
- POST: send data to the URI for processing
- PUT: upload information to the specified URI
- DELETE: delete the resource specified
- TRACE: echo the request message back to the client; helpful for debugging
- CONNECT: reserved

DHCP
[Image: DHCP exchange diagram, clipped from http://www.tiwoc.de/BLOG/2008/05/DYNAMIC-HOST-CONFIGURATION-PROTOCOL/]

SMTP
Important vocabulary:
- Mail User Agent (MUA): the end user's mail client
- Mail Submission Agent (MSA): local mail submissions
- Mail Transfer Agent (MTA): transfers mail between mail servers
- Mail eXchanger (MX): accepts incoming messages for a domain
- Mail Delivery Agent (MDA): local mail delivery

Basic commands:
- HELO: opens the connection
- MAIL: identifies the return address
- RCPT: identifies the recipient address
- DATA: message content

DNS
Query-response protocol:
- Client question = a single UDP packet
- Server response = a single UDP packet
[Image: DNS header layout, clipped from http://www.troyjessup.com/HEADERS/DNS_HEADER.PNG]
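Because a DNS question and its answer are each one UDP packet, an analyst pairs them by transaction id and question section. The following Python is an added example written for this page (not the presentation's or the book's code): it decodes the DNS header, question and A-record answer, follows name-compression pointers, and checks that a response really belongs to a query. Both packets are constructed inline; example.com and 192.0.2.1 are documentation-reserved values and the 0x1234 transaction id is made up.

```python
"""Decode the DNS header and question of a query/response pair.

Added example (not code from the presentation or the cited book). The two UDP
payloads are constructed inline, mirroring the single-packet question and
single-packet answer the slides describe."""
import struct


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype=1):
    """Constructed query: 12-byte header (RD set, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, ipv4):
    """Constructed answer: same id, QR|AA|RD|RA flags, the question echoed, and
    one A record whose name is a compression pointer (0xC00C) to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    rr += bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + rr


def decode_name(data, off):
    """Read a possibly-compressed name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):                 # bounded walk guards against pointer loops
        length = data[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:        # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("malformed name: too many labels or a pointer loop")
    return ".".join(labels), (end if jumped else off)


def parse(packet):
    """Return header fields, the question list and the answer list."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    info = {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(packet, off)
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
        off += 4
        info["questions"].append((name, qtype))
    for _ in range(an):
        name, off = decode_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:    # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        info["answers"].append((name, rtype, ttl, rdata))
    return info


def pair(query, response):
    """Match a response to its question the way an analyst would: same transaction
    id, QR bit set only on the response, and the same question section."""
    q, r = parse(query), parse(response)
    return (q["id"] == r["id"] and not q["is_response"] and r["is_response"]
            and q["questions"] == r["questions"])


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    r = build_response(q, "192.0.2.1")
    print(parse(q))
    print(parse(r))
    print("paired:", pair(q, r))
```

On a capture, feed `parse` the UDP payload of each port-53 packet; a response whose id or question does not pair with a seen query is the kind of mismatch worth a second look.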

HIGHER-LAYER ANALYSIS TOOLS
- Oftcat
  Input = a reassembled single flow of transport-layer payload (ex: from tcpflow or pcapcat)
  Output = a protocol summary of all OFT activity and any recovered files transferred
  http://blog.kiddaland.net/dw/oftcat
- Smtpdump
  [Image clipped from work cited]
- Findsmtpinfo.py
  Input = a pcap file
  Output = extracted authentication data, credentials, mail header info, attachments and MD5 sums, and produces a report
  http://forensicscontest.com/contest02/Finalists/Jeremy_Rossi/findsmtpinfo.py
- NetworkMiner: multipurpose traffic analyzer

HIGHER-LAYER ANALYSIS TECHNIQUES
Small specialized tools
- Great for higher-layer protocol analysis
- Best to use if you have a good idea of what the packet contains
- Most interface easily with other tools
- Examples: Oftcat, smtpdump

Multipurpose tools
- Best when a wide range of information is needed
- Gather lots of different information
- Example: NetworkMiner

Works Cited
Davidoff, S., & Ham, J. (2012). Network Forensics: Tracking Hackers Through Cyberspace. Boston: Prentice Hall.
