COEN 252 Computer Forensics Challenges of Network Forensics

Challenges of Network Forensics
• Evidence in a network is dispersed.
  • The scope of the investigation is fluid; there is no isolated crime scene.
  • It is hard to collect all the evidence, and equally hard to destroy all of it.

Challenges of Network Forensics: Preparation and Authorization
• System administrators routinely gather network data, but usually more data is needed.
• The basic problem: where to find all the relevant data.

Challenges of Network Forensics: Preparation and Authorization
Step 1: Investigate the network.
  • Determine the location of servers, …
  • Determine their type.
  • Plan for the processing of the data.
• Often, evidence needs to be gathered simultaneously at various sites. This should not disrupt operations.
• Network scanning is aggressive and can trigger an automatic response, so it is not a quiet way to map the network.

Challenges of Network Forensics: Preparation and Authorization
Step 2: Seek authorization.
• What is needed depends on
  • the situation,
  • the country,
  • the type of data,
  • who is collecting the data.
• Sometimes, law enforcement needs to demonstrate that it has exhausted all other means.
• A warrant covering all sites involved is advisable.

Challenges of Network Forensics: Preparation and Authorization
• Using passwords obtained during an investigation usually requires additional authorization.
• The FBI successfully prosecuted two Russian computer intruders, Aleksey Ivanov and Vasiliy Gorshkov, for breaking into e-commerce sites. The FBI lured the two with a fictitious job interview, then recorded the passwords they typed on the interview machines. The FBI used these passwords to gain access to their computers at home, which yielded a wealth of evidence of the men's computer hacking and fraud.

Challenges of Network Forensics: Preparation and Authorization
• Russia's counterintelligence service filed criminal charges against an FBI agent, asserting that the agent had illegally seized evidence by downloading data from the suspects' computers in Chelyabinsk, Russia.
• But U.S. District Judge John C. Coughenour of Seattle ruled that Gorshkov and Ivanov gave up any expectation of privacy by using computers in what they believed were the offices of a public company.

Challenges of Network Forensics: Preparation and Authorization
“When (the) defendant sat down at the networked computer … he knew that the systems administrator could and likely would monitor his activities,” Coughenour wrote. “Indeed, the undercover agents told (Gorshkov) that they wanted to watch in order to see what he was capable of doing.” He also found that the Fourth Amendment did not apply to the computers, “because they are the property of a non-resident and located outside the United States,” or to the data — at least until it was transmitted to the United States.

Challenges of Network Forensics: Preparation and Authorization
The judge noted that investigators obtained a search warrant before viewing the vast store of data — nearly 250 gigabytes, according to court records. He rejected the argument that the warrant should have been obtained before the data was downloaded, noting that “the agents had good reason to fear that if they did not copy the data, (the) defendant's co-conspirators would destroy the evidence or make it unavailable.” Finally, Coughenour rejected defense arguments that the FBI's actions “were unreasonable and illegal because they failed to comply with Russian law,” saying that Russian law does not apply to the agents' actions.

Challenges of Network Forensics: Preparation and Authorization
• Warrants can be too broad:
  • Evidence collected under such a warrant might be ruled inadmissible.
• Warrants can be too specific:
  • They do not allow investigators to find all the relevant data.

Challenges of Network Forensics: Preparation and Authorization
• Warrants requesting e-mail content are harder to obtain. Rather ask for records associated with the subscriber account:
  • screen name
  • phone number
  • address
  • credit card numbers
  • connection records (including IP addresses, logon dates, phone numbers)
  • …
• Some providers (e.g., eBay) can hand such records to law enforcement without a warrant because their user agreement allows for it.

Challenges of Network Forensics: Preparation and Authorization
• Investigators need not be present when data at an Internet provider is collected.
In October 2000, police officers in Minnesota began investigating Dale Robert Bach for potential child pornography crimes. As part of the investigation, an officer obtained a search warrant to be served on Yahoo, an Internet service provider (ISP) in California. Minnesota law requires that an officer be present at the service of a search warrant. Rather than adhering to that requirement, the investigating officer served the warrant on Yahoo by fax. Upon receiving the fax, Yahoo employees retrieved all data from Bach's account, including deleted e-mail messages, and mailed a disk to Minnesota, where the data became evidence in Bach's federal criminal prosecution.

Challenges of Network Forensics: Preparation and Authorization
At trial, Bach moved to suppress the evidence, citing violations of both the Minnesota statute and a federal statute. The district court suppressed the evidence, holding the search illegal under both federal and state law: in its view, the law enforcement practice of faxing search warrants for the contents of e-mail to ISPs violated the Fourth Amendment, which required the government to be physically present to execute the warrant. The government appealed to the circuit court. On October 10, 2002, the Eighth Circuit heard oral argument in United States v. Bach, the first circuit case examining how the Fourth Amendment protects stored e-mail and other files held by Internet service providers. At oral argument, the government's attorney urged the court to resolve the question on narrow reasonableness grounds, without addressing the broader issue of whether an Internet user has an expectation of privacy in remotely stored files held by an ISP.

Challenges of Network Forensics: Preparation and Authorization
The Eighth Circuit ruled that service of a warrant on an ISP by fax complies with the reasonableness requirement of the Fourth Amendment. The court resolved the case on the narrow ground that the government's actions were “reasonable,” without deciding the broader issue of whether an Internet user has a Fourth Amendment expectation of privacy in their e-mail. In January 2003, the circuit judges narrowly rejected the defendant's petition for reconsideration, voting 5 to 4 against the motion.

Challenges of Network Forensics: Identification
• Locate the systems that contain the most useful evidence.
  • Seek end-points and intermediate systems (switches, routers, proxies).
  • Look for log files that give an overview of system activities.
  • Look for supporting systems such as authentication servers and caller-ID systems.

Challenges of Network Forensics: Identification
• Example:
  • The investigator examines the compromised machine and determines the method of attack and where it came from.
  • The investigator locates other systems that are compromised and observes the traffic on them.
  • This determines the source of the attack.

Challenges of Network Forensics: Identification
• Example:
  • The investigator contacts the ISP to preserve related evidence.
  • The intruder has stolen a dial-up account. But the ISP has Automatic Number Identification, which gives the phone number used to dial into the ISP's modems.


Challenges of Network Forensics: Identification
• Example:
  • The phone number leads to the intruder's home.
  • A search warrant is obtained and the intruder is caught red-handed.

Challenges of Network Forensics: Identification
• Much network evidence is time-critical.
  • Logs are expunged.
  • Caches in highly active devices such as routers are volatile.
  • This creates a need for instant analysis.
• Gathering evidence usually has higher priority than analyzing it.
• A plan becomes important.

Challenges of Network Forensics: Identification
• Mistakes because of haste are common.
  • A subpoena to AOL for 3:13 pm instead of 3:13 am returned the wrong subscriber information for an IP address.
  • A mistake in the IP address likewise returns the wrong subscriber information.
• Intruders try to mislead investigators by hiding their tracks.
• Corroborating evidence is essential.
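Added example (not from the slides): the lookup a provider performs when asked who held an IP address at a given time, written to show how the am/pm slip above, or a one-digit slip in the address, returns a different subscriber, and how to phrase the time in the request so the question cannot arise. The subscriber names, addresses, session records and the provider's time zone are all constructed for the example.

```python
"""Added example, not from the slides: which subscriber held a dynamically
assigned IP address at a given instant, and why the time in the request to
the provider must be unambiguous.  Subscriber names, addresses, session
records and the provider's time zone are all constructed."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed provider time zone: fixed UTC-5 (no DST handling, for brevity).
PROVIDER_TZ = timezone(timedelta(hours=-5))

# Constructed session accounting records: (subscriber, assigned IP,
# session start, session end), 24-hour clock in the provider's local time.
SESSIONS = [
    ("alice", "10.0.0.7", "2001-03-14 02:50", "2001-03-14 04:05"),
    ("bob",   "10.0.0.7", "2001-03-14 14:58", "2001-03-14 16:20"),
    ("carol", "10.0.0.8", "2001-03-14 03:00", "2001-03-14 03:30"),
]


def to_utc(stamp: str, tz: timezone) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' (24-hour) given in zone `tz`; return UTC."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def parse_request(text: str, tz: timezone) -> datetime:
    """Parse the time an investigator wrote down, in zone `tz`.

    Both '3:13 am' and '03:13' are accepted, but the result is a UTC
    datetime, so the am/pm question is settled before the request goes out.
    """
    cleaned = " ".join(text.split()).upper()
    for fmt in ("%Y-%m-%d %I:%M %p", "%Y-%m-%d %H:%M"):
        try:
            naive = datetime.strptime(cleaned, fmt)
        except ValueError:
            continue
        return naive.replace(tzinfo=tz).astimezone(timezone.utc)
    raise ValueError(f"unrecognised time: {text!r}")


def canonical(text: str, tz: timezone = PROVIDER_TZ) -> str:
    """The form to put in a subpoena: ISO 8601, 24-hour clock, explicit UTC."""
    return parse_request(text, tz).strftime("%Y-%m-%dT%H:%M:%SZ")


def subscriber_for(ip: str, when_utc: datetime) -> Optional[str]:
    """Return the subscriber whose session covered `ip` at `when_utc`."""
    for user, sess_ip, start, end in SESSIONS:
        if sess_ip == ip and to_utc(start, PROVIDER_TZ) <= when_utc < to_utc(end, PROVIDER_TZ):
            return user
    return None


def lookup(ip: str, request_time: str, tz: timezone = PROVIDER_TZ) -> Optional[str]:
    """Answer a 'who had this IP address at this time?' request."""
    return subscriber_for(ip, parse_request(request_time, tz))


if __name__ == "__main__":
    # The am/pm slip from the slides: same IP, same digits, different person.
    print(lookup("10.0.0.7", "2001-03-14 3:13 am"))   # alice
    print(lookup("10.0.0.7", "2001-03-14 3:13 pm"))   # bob
    # A one-digit slip in the IP address also returns the wrong subscriber.
    print(lookup("10.0.0.8", "2001-03-14 3:13 am"))   # carol
    print(canonical("2001-03-14 3:13 am"))            # 2001-03-14T08:13:00Z
```

The request string that goes to the provider should be the output of canonical(): a 24-hour UTC timestamp leaves neither an am/pm nor a time-zone question for the provider's staff to guess at, and the answer can be corroborated against other sources that were normalized the same way.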

Challenges of Network Forensics: Identification
• Given the haste, the difficulties and the wide variety of evidence, we need a methodical approach.
• Digital Evidence Map:
  • Lays out the evidentiary resources of a network.

Challenges of Network Forensics: Identification
• Digital Evidence Map (diagram): the network's evidentiary resources, e.g. router (router logs), firewall (firewall logs), intrusion detection system (IDS logs and evidence processing), UNIX server, Kerberos server, dial-up rotaries.

Challenges of Network Forensics: Documentation, Collection, Preservation
• A byte-for-byte copy of networked computers is often impossible.
  • Systems cannot be shut down.
  • Too much data to collect.
  • Limited authority to access data.
  • Impossible to gain physical access.
  • Likely that evidence is altered before physical access is gained.

Challenges of Network Forensics: Documentation, Collection, Preservation
• Real-time evidence gathering
  • From session-recording tools such as HyperTerminal or the Unix script command.
  • IRC chat sessions: the equivalent of video-taping the session might be required.
  • Monitoring of network traffic: Intrusion Detection Systems (IDS) do not log everything.

Challenges of Network Forensics: Documentation, Collection, Preservation
• Real-time gathering: preserving evidence and establishing a chain of custody is a challenge.
• Example: log files can be preserved
  • with time and date stamp,
  • with documentation of file location and metadata,
  • copied to disk, MD5'ed, printed out, …

Challenges of Network Forensics: Documentation, Collection, Preservation
Case example: In a homicide case, investigators collected all the log entries of the victim's network activity, but not the entire log file. It was later determined that the offender might have logged in at the same time in order to chat and to arrange a meeting an hour later. By the time this was realized, the tapes holding the log file had already been reused and all other log entries were lost. It was now impossible to determine who else was logged on at the same time as the victim.

Challenges of Network Forensics: Documentation, Collection, Preservation
• Maintain a detailed record of the entire collection process in order to authenticate the evidence at a later time.

Challenges of Network Forensics: Documentation, Collection, Preservation
Case example: An intruder was caught breaking into a computer system on an organization's network via the Internet. Before disconnecting the system from the network, investigators gathered evidence that showed clearly that a crime was being committed. To achieve the equivalent of a videotape of the crime, they used a sniffer to monitor network traffic. They logged onto the compromised system using a client that kept a log of the session, then gathered evidence of the intruder's presence on the system and of the programs the intruder was running. They found other compromised systems and connected to them through a backdoor created by the intruder. Because there was a risk that the intruder might destroy evidence, they collected evidence remotely. Throughout, they used a program that recorded their own keystrokes and thus documented the investigation.

Challenges of Network Forensics: Documentation, Collection, Preservation
Standard procedure
• Follow a standard operating procedure to reduce mistakes and increase consistency.
• Retain a log of all activities during the collection process (including screen shots).
• Document from which server the data actually comes.
• Calculate MD5 values of the evidence prior to transferring it.
• Possibly digitally sign and encrypt the data.
• Possibly use write-once media to collect evidence.
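Added example (not from the slides) for the log-preservation steps above and the standard procedure just listed: a collection record for a log file that captures where the file came from, its metadata and its hashes before the file is moved, and a verification step that detects any later change. The log lines, host name and collector name are constructed; the record carries a SHA-256 beside the MD5 the slides call for, because MD5 collisions can be manufactured.

```python
"""Added example, not from the slides: collecting a log file into an
evidence record with metadata and hashes, then verifying it later.  The log
content, host name and collector name are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path: Path) -> dict:
    """MD5 (what the slides call for) and SHA-256, computed in one pass.

    MD5 collisions can be manufactured, so a second, stronger hash is
    recorded alongside it; keeping the MD5 still lets older records match.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def collect(path: Path, source_host: str, collector: str) -> dict:
    """Record provenance, file metadata and hashes before the file moves."""
    st = path.stat()
    return {
        "source_host": source_host,          # which server the data came from
        "path": str(path),
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        **hash_file(path),
    }


def verify(path: Path, record: dict) -> bool:
    """Recompute both hashes; any change to the file since collection fails."""
    current = hash_file(path)
    return current["md5"] == record["md5"] and current["sha256"] == record["sha256"]


def demo() -> tuple:
    """Collect a constructed log, verify it, alter it, verify again.

    Returns (intact_before_change, intact_after_change, record)."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "messages"
        log.write_text(   # constructed syslog lines
            "Mar 14 08:12:55 srv1 login: ROOT LOGIN on ttyp1 from 198.51.100.23\n"
            "Mar 14 08:13:02 srv1 su: 'su root' succeeded for guest on /dev/ttyp1\n"
        )
        record = collect(log, source_host="srv1.example.org", collector="J. Doe")
        intact = verify(log, record)
        # Later the file changes (e.g. syslogd keeps appending to it):
        with log.open("a") as f:
            f.write("Mar 14 08:20:00 srv1 syslogd: restart\n")
        after_change = verify(log, record)
        return intact, after_change, record


if __name__ == "__main__":
    intact, after_change, record = demo()
    print(json.dumps(record, indent=2))     # the entry for the custody log
    print("intact at collection:", intact, "| intact after append:", after_change)
```

The record is what the custody log keeps; the file itself goes to write-once media or an encrypted, signed container, and verify() is what the analyst runs before every later examination. Note that collect() must run on the live system before the copy is made, or the recorded metadata describes the copy rather than the original.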

Challenges of Network Forensics: Filtering
• Forensic analysis of a network incident typically involves too much data.
• Some collected data is privileged or confidential.
  • For example, if all traffic through a router is collected during an incident.

Challenges of Network Forensics: Filtering
• Filter before collecting data?
  • Can lose evidence.
  • Better to filter after the data is collected.

Challenges of Network Forensics: Filtering
• Filtering for log files:
  • Usually part of the command interface.
  • NTLast extracts from the NT event log.
  • Collect the log from a Cisco router into a file, then use a filtering tool.
  • Sniffers (commercial and non-commercial) have filters. Capture all, then filter the results.

Challenges of Network Forensics: Filtering
• E-mails
  • Filter for portions of headers.
  • Filter for IP addresses.
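Added example (not from the slides) for the two filtering slides above: the IP addresses are pulled from the Received: headers of a collected e-mail, and a collected router log is then filtered for those addresses. The filtering works on a copy and leaves the collected log list untouched, as the "capture all, then filter" rule requires. The message, the header hosts and addresses, and the log lines are all constructed.

```python
"""Added example, not from the slides: filter collected data after the fact.
Addresses are extracted from constructed e-mail Received: headers and used
to filter a constructed router log; the collected data is never modified."""
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed message; hosts and addresses are documentation ranges.
RAW_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby mx.example.org with ESMTP id abc123; Wed, 14 Mar 2001 08:13:02 +0000
Received: from [198.51.100.23] (helo=pc)
\tby mail.example.net with SMTP; Wed, 14 Mar 2001 08:12:55 +0000
From: someone@example.net
To: victim@example.org
Subject: hello

body text
"""

# Constructed router access-list log, syslog style.
LOG_LINES = [
    "Mar 14 08:10:01 rtr1 list 101 permitted tcp 198.51.100.23(4011) -> 192.0.2.10(25), 1 packet",
    "Mar 14 08:11:45 rtr1 list 101 permitted tcp 192.0.2.55(51200) -> 192.0.2.10(80), 3 packets",
    "Mar 14 08:12:50 rtr1 list 101 permitted tcp 198.51.100.23(4012) -> 192.0.2.10(25), 1 packet",
    "Mar 14 08:13:30 rtr1 list 101 denied tcp 203.0.113.99(33000) -> 192.0.2.10(23), 1 packet",
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_ips(raw: str) -> list:
    """Every valid IPv4 address in the Received: headers, outermost hop first.

    Only Received: is consulted: From:, Message-ID: and friends are set by
    the sender and prove nothing about where the message actually came from.
    """
    msg = message_from_string(raw)
    found = []
    for hdr in msg.get_all("Received", []):
        for cand in IPV4.findall(str(hdr)):
            try:
                ip_address(cand)        # drops dotted numbers that are not IPs
            except ValueError:
                continue
            if cand not in found:
                found.append(cand)
    return found


def filter_by_ips(lines: list, ips: list) -> list:
    """Return the log lines mentioning any of `ips`; `lines` is left intact."""
    wanted = set(ips)
    return [line for line in lines if any(ip in wanted for ip in IPV4.findall(line))]


if __name__ == "__main__":
    ips = received_ips(RAW_MESSAGE)
    print("addresses in Received: headers:", ips)
    for line in filter_by_ips(LOG_LINES, ips):
        print(line)
```

Only the innermost Received: line, added by the sender's own relay, can be trusted at all, and even that one can be forged by a sender who adds fake Received: headers; the router log is what corroborates it, which is why the full log was kept and the filter applied to a copy.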

Challenges of Network Forensics: Evidence Recovery
• Sometimes we can recover deleted log files, or at least portions of them.

Challenges of Network Forensics: Reconstruction of the Event
• Investigative reconstruction
  • Systematic process of piecing together evidence and information gathered during an investigation to gain a better understanding of what transpired.
  • Use physical imprints to infer offense-related behavior.

Challenges of Network Forensics: Reconstruction of the Event
• Some intruders use toolkits, which are left behind after an intrusion.
  • Individualization of the toolkit allows conclusions about the intruder.
  • Absence of a toolkit might indicate
    • successful removal of the toolkit,
    • an intruder skilful enough not to need a toolkit,
    • perhaps an intruder who had legitimate access,
    • …

Challenges of Network Forensics: Reconstruction of the Event
• Investigative reconstruction
  • develops leads,
  • locates additional evidence,
  • develops an understanding of case facts and their relations,
  • locates concealed evidence,
  • develops suspects with motive, means and opportunity,
  • establishes evidence of insider knowledge,
  • prioritizes investigations,
  • anticipates intruder actions,
  • links related crimes with the same behavioral imprint,
  • gives insight into offender fantasy, motives, intent and state of mind,
  • guides suspect interviews,
  • presents the case in court.

Challenges of Network Forensics: Reconstruction of the Event
• Evidence used to reconstruct a crime is
  • Relational
    • Example: an intruder obtained unauthorized access to a computer behind a firewall and then broke into the accounting system. The intruder needed to know a password. That fact can be used to locate potential sources of evidence: router error logs, intrusion detection logs, …
    • Example: cyberstalking. How did the offender obtain information about the victim?

Challenges of Network Forensics: Reconstruction of the Event
• Evidence used to reconstruct a crime is
  • Functional
    • What conditions were necessary for certain aspects of the incident to be possible?
    • E.g.: the defense attorney questions how you know that the suspect could have created the floppy with his computer.
  • Temporal
    • Creates a chronological list of events: a timeline.

Challenges of Network Forensics: Reconstruction of the Event
• Examples
  • Relational evidence:
    • Which computer generates most of the network traffic during an incident?
    • Intruders might communicate in real time via IRC while breaking into computers around the world.