
Copyright 2005 Richard Bejtlich

1

Network Forensics Primer

Richard Bejtlich, [email protected]

www.taosecurity.com / taosecurity.blogspot.com

Look sharp, troops. It's time to learn network forensics.


Overview

• Introduction
• What is Network Forensics?
• Collecting Network Traffic as Evidence
• Protecting and Preserving Network-Based Evidence
• Analyzing Network-Based Evidence
• Presenting and Defending Conclusions
• Conclusion


Overview

• Introduction
  – Speaker biography
  – Purpose of course
  – Why network forensics
  – Course outline

What better way to relate to a law enforcement audience than to turn to the finest crime fighter of the 80s -- TJ Hooker?


Introduction

• Bejtlich ("bate-lik") biography
  – TaoSecurity LLC (05-present)
    • ManTech (04-05)
    • Foundstone (02-04)
    • Ball Aerospace (01-02)
    • Captain at US Air Force CERT (98-01)
    • Lt at Air Intelligence Agency (96-98)
  – Author
    • Tao of Network Security Monitoring: Beyond Intrusion Detection (solo, Addison-Wesley, Jul 04)
    • Extrusion Detection: Security Monitoring for Internal Intrusions (solo, Addison-Wesley, Dec 05 - Jan 06)
    • Real Digital Forensics (co-author, Addison-Wesley, Sep 05)
    • Contributed to Incident Response, 2nd Ed and Hacking Exposed, 4th Ed


Introduction

• Purpose of course
  – Introduce ways to collect, protect, analyze, and present network-based evidence
  – Host-based forensics is not addressed
    • For more coverage of host-based forensics, I recommend Incident Response, 2nd Ed by Mandia, Prosise, and Pepe
  – Share experiences conducting real network forensics
  – Encourage attendees to plan to perform network forensics prior to an incident, not during an incident
  – This course is an introduction to material I present for an entire day elsewhere
    • Network Security Operations (www.taosecurity.com/training.html)
    • Network Forensics at USENIX LISA (www.usenix.org/events/lisa05)
    • Items in blue are not expanded upon in this hour-long talk


Introduction

• Why network-based evidence?
  – Host-centric forensics is an established discipline, but many investigators ignore or do not understand network traffic
  – Network-based evidence can be found everywhere
  – Network-based evidence can be easy to collect -- without anyone's notice
• Network forensics should always be performed!

I'm sold. Let's talk network forensics!

Rookies...


Introduction

[Diagram: The Security Process (Plan, Protect, Detect, Respond), annotated with Defensible Network Architecture, Network Security Monitoring, Pervasive Network Awareness, Network Incident Response, Network Forensics, Traffic Threat Assessment, and Preparation for Incident Response.]


Overview

• What is Network Forensics?
  – Definitions
  – Evidence guidelines
  – Daubert
  – Kumho

To Serve and to Protect Packets

You can't carry enough weaponry when performing network forensics. Phasers on stun.


What is Network Forensics?

• The "network" in "network forensics" != "computer"
  – Network here means "relating to packets" or "network traffic"
• Definition of forensics (dictionary.com)
  – Relating to, used in, or appropriate for courts of law or for public discussion or argumentation.
  – Of, relating to, or used in debate or argument; rhetorical.
  – Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law: a forensic laboratory.
• Many claim to perform network forensics, but most of these practitioners are probably just capturing packets
  – These guidelines will elevate your game to forensic levels
• Forensics helps with "patch and proceed" or "pursue and prosecute"


What is Network Forensics?

• Evidence guidelines: three broad sources
  – Federal Rules of Evidence
  – Daubert v. Merrell Dow Pharmaceuticals, Inc., 113 S. Ct. 2786 (1993)
  – Kumho Tire Company, Ltd v. Patrick Carmichael, 119 S. Ct. 1167 (March 23, 1999)

Good grief Spock, what happened to your ears?

Let it go, Bill.


What is Network Forensics?

• Daubert criteria
  – “[W]hether it [a scientific theory or technique] can be (and has been) tested”
  – “[W]hether the theory or technique has been subjected to peer review and publication”
  – “[C]onsider the known or potential rate of error... and the existence and maintenance of standards controlling the technique's operation”
  – “The technique is ‘generally accepted’ as reliable in the relevant scientific community”
• The better your network forensic methodology meets these criteria, the more success you will have in the board room or court room


What is Network Forensics?

• Kumho findings
  – Required the Court “to decide how Daubert applies to the testimony of engineers and other experts who are not scientists.”
  – “Daubert's general holding -- setting forth the trial judge's general ‘gatekeeping’ obligation -- applies not only to testimony based on ‘scientific’ knowledge, but also to testimony based on ‘technical’ and ‘other specialized’ knowledge.”
  – “[A] trial court may consider one or more of the more specific factors that Daubert mentioned when doing so will help determine that testimony's reliability.”
  – Introduced a level of “flexibility” and discretion into the process of accepting expert witness testimony.
  – “Daubert's list of specific factors neither necessarily nor exclusively applies to all experts or in every case. Rather, the law grants a district court the same broad latitude when it decides how to determine reliability as it enjoys in respect to its ultimate reliability determination.”


Collecting Network Traffic as Evidence

• Secure the sensor
• Limit access to the sensor
• Position the sensor properly
• Verify the sensor collects traffic as expected
• Determine sensor failure modes
• Recognize and compensate for collection weaknesses
• Use trusted tools and techniques
• Document and automate the collection process

Nice bandana and "workout gloves", Adrian.


Collecting Network Traffic as Evidence

• Position the sensor properly
• Consider perimeter monitoring scenario at right
  – Perimeter is easiest place to monitor
  – However, sensor as shown may not be able to see all the traffic an analyst needs to understand the scope of an intrusion
• Alternative deployments shown on following slides


Collecting Network Traffic as Evidence

• At left we monitor perimeter (via tap) and DMZ (via switch SPAN)

• At right we add a filtering bridge/sensor to watch and/or control a high value target


Collecting Network Traffic as Evidence

• Don't forget to accommodate address translation issues
• Here we add a second interface behind the gateway


Collecting Network Traffic as Evidence

• This network shows a variety of instrumentation options


Collecting Network Traffic as Evidence

• My preferred platform for serious monitoring at a reasonable cost is configured as follows
  – Appliance: Dell PowerEdge 750 1U rackmount server
  – 512 MB RAM
  – Intel PIV 2.8 GHz CPU
  – 2X250 GB SATA drives in RAID 0 configuration
  – Dual onboard NICs plus extra dual NICs
  – Approximately $2,000 without discounts
  – OS: FreeBSD 5.4 RELEASE (sample dmesg output at http://www.nycbug.org/?NAV=dmesgd&dmesgd_criteria=&dmesgid=647#647)
  – Network access: Net Optics tap (http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=4&Section=products&menuitem=1)


Collecting Network Traffic as Evidence

• Consider using Network Security Monitoring principles to guide your data collection strategies
  – Alert data (Snort, other IDSs)
    • Traditional IDS alerts or judgments (“RPC call!”)
    • Context-sensitive, either by signature or anomaly
  – Full content data (Tcpdump)
    • All packet details, including application layer
    • Expensive to save, but always most granular analysis
  – Session data (Argus, SANCP, NetFlow)
    • Summaries of conversations between systems
    • Content-neutral, compact; encryption no problem
  – Statistical data (Capinfos, Tcpdstat)
    • Descriptive, high-level view of aggregated events
• Sguil (www.sguil.net) is an interface to much of this in a single open source suite
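The NSM data types above are nested: session and statistical data can be computed from full content, which is why a sensor that keeps full content can always produce the other two later. The script below is an added example, not code from the original slides or from Tcpdump, Argus or Capinfos; it builds a small libpcap file in memory from constructed frames (the addresses, ports, payloads and timestamps are made-up sample values, not real traffic), parses the Ethernet, IPv4, TCP and UDP headers, and produces Capinfos-style statistics, Argus-style session records and a sorted host list. The names build_frame, build_pcap, parse_pcap, capture_statistics, sessions, hosts and SAMPLE_PCAP are my own.

```python
"""Derive statistical and session data from a full-content capture.

Added example, not from the original slides: builds a constructed libpcap
file in memory, parses it, and emits Capinfos-style statistics,
Argus-style session records and a Rahosts-style host list.
"""
import socket
import struct

LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4   # little-endian libpcap magic, microsecond timestamps


def build_frame(src, dst, proto, sport, dport, payload=b"", tcp_flags=0x18):
    """Constructed Ethernet/IPv4 frame carrying TCP (proto 6) or UDP (proto 17).
    Checksums are left zero; the parser below never validates them."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4


def build_pcap(records):
    """Wrap (ts_sec, ts_usec, frame) tuples into a libpcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (ts_usec, src, dst, proto, sport, dport, caplen) for each IPv4 packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        if frame[12:14] != b"\x08\x00":        # not IPv4 (ARP etc.), skip
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport = dport = 0
        if proto in (6, 17):                   # TCP and UDP share the port layout
            sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield sec * 1_000_000 + usec, src, dst, proto, sport, dport, caplen


def capture_statistics(data):
    """Capinfos-style summary: packet count, byte count, capture duration."""
    pkts = list(parse_pcap(data))
    if not pkts:
        return {"packets": 0, "bytes": 0, "duration_s": 0.0}
    return {"packets": len(pkts),
            "bytes": sum(p[6] for p in pkts),
            "duration_s": (pkts[-1][0] - pkts[0][0]) / 1e6}


def sessions(data):
    """Argus-style bidirectional flow records keyed by (proto, src, sport, dst, dport).
    The first packet seen defines the initiator; replies fold into the same record."""
    flows = {}
    for ts, src, dst, proto, sport, dport, caplen in parse_pcap(data):
        fwd, rev = (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)
        key = rev if rev in flows else fwd
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "start": ts, "end": ts})
        rec["packets"] += 1
        rec["bytes"] += caplen
        rec["end"] = ts
    return flows


def hosts(data):
    """Rahosts-style sorted list of every IP address seen in the trace."""
    seen = {p[1] for p in parse_pcap(data)} | {p[2] for p in parse_pcap(data)}
    return sorted(seen, key=socket.inet_aton)


T0 = 1_117_636_421   # constructed base timestamp (seconds)
SAMPLE_PCAP = build_pcap([   # constructed: one short HTTP exchange and one DNS query
    (T0, 0, build_frame("192.0.2.10", "198.51.100.5", 6, 50000, 80, tcp_flags=0x02)),
    (T0, 10_000, build_frame("198.51.100.5", "192.0.2.10", 6, 80, 50000, tcp_flags=0x12)),
    (T0, 20_000, build_frame("192.0.2.10", "198.51.100.5", 6, 50000, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (T0, 30_000, build_frame("198.51.100.5", "192.0.2.10", 6, 80, 50000, b"HTTP/1.0 200 OK\r\n\r\n")),
    (T0 + 1, 500_000, build_frame("192.0.2.10", "198.51.100.53", 17, 5353, 53, b"\x00" * 12)),
])

if __name__ == "__main__":
    print("statistics:", capture_statistics(SAMPLE_PCAP))
    for key, rec in sessions(SAMPLE_PCAP).items():
        print("session:", key, rec)
    print("hosts:", hosts(SAMPLE_PCAP))
```

Running it prints the three summaries. Note what the session records leave out: the HTTP request and response bodies are gone and only counts, byte totals and times remain, which is why session data stays useful when the content is encrypted, and why it cannot replace full content when you need to see what was actually said.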


Collecting Network Traffic as Evidence

• Collect network traffic using NSM principles


Collecting Network Traffic as Evidence

• Verify the sensor collects traffic as expected


Protecting and Preserving Network-Based Evidence

• Hash traces after collection and store hashes elsewhere
• Understand forms of evidence
• Copy evidence to read-only media when possible
• Create derivative evidence
• Follow chains of evidence

Beam me up, Scotty. Bill's lost it.


Protecting and Preserving Network-Based Evidence

• Understand forms of evidence
• Best evidence: original form of network-based evidence available to the investigator
  – If the NBE is given to the investigator as an attachment in an email, that email and its attachment is the investigator’s best evidence.
  – It is much preferred from a forensic standpoint to obtain the original file containing traffic as it was written to a hard drive.
• Best evidence should, to the extent practically possible, never be analyzed directly.
  – Rather, investigators should make working copies of the best evidence, and analyze those duplications.
  – Network traffic saved on a sensor is the best evidence available.
  – Copies of that traffic transferred to a central location become working copies.


Protecting and Preserving Network-Based Evidence

• Create derivative evidence
  1. Ensure you have a SHA256 hash of the original file stored in a safe location.
  2. After verifying the hashes match, use the desired Tcpdump filter to extract packets of interest to a new file and directory.

     elise@bourque$ tcpdump -n -r 2005-06-01-14\:23\:41.bourque.taosecurity.com.ngeth0.lpc \
         -w /home/analyst/2005-06-01-14\:23\:41.bourque.taosecurity.com.ngeth0.lpc.excerpt \
         port 80
     reading from file 2005-06-01-14:23:41.bourque.taosecurity.com.ngeth0.lpc, link-type EN10MB (Ethernet)

  3. Hash the resulting file locally and remotely.
  4. Copy the remote file to the local workstation.
  5. Make multiple copies of the new local evidence file, and analyze them at will.
  6. Document these steps on both platforms.


Analyzing Network-Based Evidence

• Validate results with more than one system
• Beware of malicious traffic
• Document not just what you find, but how you found it
• Follow a methodology

You know the ladies used to call me "Jim Kirk." You wouldn't happen to be a green alien...?


Analyzing Network-Based Evidence

• Validate results with more than one system
  – Use different tools. Example: Tcpdump, Snort, Ethereal
  – Use different operating systems. Example: Unix (BSD, Linux, Solaris), Windows
  – Use different architectures. Example: x86, SPARC
  – Use different libraries. Example: Libpcap, Data Link Provider Interface (DLPI on Solaris, http://docs.sun.com/app/docs/doc/816-0222/6m6nmlstj?q=dlpi&a=view)

I'm quite an expert with the police baton, aka the "tonfa" to you martial arts types.


Analyzing Network-Based Evidence

• Follow a methodology
  1. Make a new directory on the analysis platform to contain data provided by the client or collected by yourself.
  2. Copy the evidence provided by the client into the analysis directory.
  3. Change the permissions of the copy to ensure the analyst user cannot accidentally modify the file.
  4. Hash the file and copy the hash elsewhere.
  5. Use the Capinfos program packaged with Ethereal to gain initial statistics on the capture file.
  6. Run Dave Dittrich’s Tcpdstat to obtain basic statistics on the trace.
  7. Extract sessions from the trace using Argus.
  8. Gain some high-level idea of the contents of the Argus file with Racount.


Analyzing Network-Based Evidence

• Follow a methodology (continued)
  9. Use the Rahosts program to create an ordered list of all of the IP addresses seen in the Argus data.
  10. (optional) Confirm the number of Argus records.
  11. (optional) Enumerate source IP, destination IP, destination port combinations.
  12. Perform traffic threat assessment.
  13. (optional) Process the trace with Snort to find obviously malicious events, or build custom signatures.
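The custody steps shared by the "Create derivative evidence" procedure and steps 1 to 4 of this methodology (working copy, read-only permissions, SHA-256 hash stored somewhere other than the analysis directory, verify before deriving, log every step) can be scripted so they happen the same way every time, which is what a Daubert-style question about "standards controlling the technique's operation" is really asking. The script below is an added example, not from the original slides; it works in a temporary directory on a constructed pseudo-trace rather than a real capture, and the extraction step accepts any callable, so the tcpdump filter from the slides could be run where the stand-in first_half function is used. EvidenceCase, run_demo and the file names are my own.

```python
"""Chain-of-custody handling for a network trace: working copy, hashes, log.

Added example, not from the original slides. Everything runs under a
temporary directory on a constructed pseudo-trace; the extractor is a
stand-in for the tcpdump filter shown on the derivative-evidence slide.
"""
import hashlib
import os
import shutil
import stat
import tempfile
import time

READ_ONLY = stat.S_IRUSR | stat.S_IRGRP


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large traces do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceCase:
    """An analysis directory, a hash store kept elsewhere, and a step log."""

    def __init__(self, case_dir, hash_store):
        self.case_dir, self.hash_store = case_dir, hash_store
        self.log_path = os.path.join(case_dir, "custody.log")
        os.makedirs(case_dir, exist_ok=True)
        os.makedirs(hash_store, exist_ok=True)

    def log(self, msg):
        with open(self.log_path, "a") as f:
            f.write(time.strftime("%Y-%m-%dT%H:%M:%SZ ", time.gmtime()) + msg + "\n")

    def _store_hash(self, path):
        name = os.path.basename(path)
        digest = sha256_file(path)
        with open(os.path.join(self.hash_store, name + ".sha256"), "w") as f:
            f.write("%s  %s\n" % (digest, name))   # the layout sha256sum -c accepts
        return digest

    def intake(self, best_evidence):
        """Methodology steps 1-4: copy, make read-only, hash, store the hash elsewhere."""
        work = os.path.join(self.case_dir, os.path.basename(best_evidence))
        shutil.copy2(best_evidence, work)
        os.chmod(work, READ_ONLY)
        self.log("intake %s sha256=%s" % (work, self._store_hash(work)))
        return work

    def verify(self, path):
        """True if the file still matches the hash recorded at intake or derive time."""
        with open(os.path.join(self.hash_store, os.path.basename(path) + ".sha256")) as f:
            expected = f.read().split()[0]
        ok = sha256_file(path) == expected
        self.log("verify %s %s" % (path, "OK" if ok else "MISMATCH"))
        return ok

    def derive(self, path, extract, suffix=".excerpt"):
        """Derivative evidence: verify first, extract, then hash and protect the result."""
        if not self.verify(path):
            raise RuntimeError("hash mismatch on %s, refusing to derive" % path)
        out = path + suffix
        extract(path, out)            # e.g. tcpdump -n -r path -w out port 80
        os.chmod(out, READ_ONLY)
        self.log("derive %s -> %s sha256=%s" % (path, out, self._store_hash(out)))
        return out


def first_half(src, dst):
    """Constructed stand-in extractor: keeps the first half of the file."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(data[: len(data) // 2])


def run_demo(root=None):
    """Walk the procedure end to end and return the facts worth checking."""
    root = root or tempfile.mkdtemp(prefix="nbe-")
    sensor_dir = os.path.join(root, "sensor")
    os.makedirs(sensor_dir, exist_ok=True)
    original = os.path.join(sensor_dir, "2005-06-01-142341.sample.lpc")   # constructed name
    with open(original, "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + bytes(range(256)) * 4)             # constructed bytes
    case = EvidenceCase(os.path.join(root, "case"), os.path.join(root, "hashes"))
    work = case.intake(original)
    excerpt = case.derive(work, first_half)
    # Simulate an accidental modification of the working copy; verify() must catch it.
    os.chmod(work, stat.S_IRUSR | stat.S_IWUSR)
    with open(work, "ab") as f:
        f.write(b"!")
    with open(os.path.join(case.hash_store, os.path.basename(work) + ".sha256")) as f:
        stored = f.read().split()[0]
    return {
        "work_hash_matches_original": stored == sha256_file(original),
        "excerpt_size": os.path.getsize(excerpt),
        "original_size": os.path.getsize(original),
        "tampered_verifies": case.verify(work),
        "excerpt_verifies": case.verify(excerpt),
        "log_entries": sum(1 for _ in open(case.log_path)),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The hash store deliberately lives outside the analysis directory, matching "copy the hash elsewhere": an accidental edit to the working copy then shows up as a MISMATCH in the log rather than silently propagating into every derivative file, and the log itself is the written record step 6 of the derivative-evidence procedure asks for.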

When hitting suspects, it's important to keep your eyes closed! Tonfa-chop!


Presenting and Defending Conclusions

• Forget the OSI model
• Obtain relevant certifications
• Consider how you would attack the evidence

Up front, Officer Locklear. We'll take cover behind that mane of yours.


Presenting and Defending Conclusions

• Forget the OSI Model


Presenting and Defending Conclusions

• Forget the OSI model
  – TCP/IP is like the postal service. It gets messages across the globe or country.
  – TCP packets are like messages sent via certified mail.
  – UDP packets are like normal, best-effort mail delivery. Nothing is guaranteed, but drops are not that common.
  – An IP address is like the street address on an envelope.
  – A hostname is like a well-known name for a specific location. If an IP address is like 1600 Pennsylvania Avenue, Washington DC, a hostname is like “The White House.”
  – A TCP or UDP port is like the name of a person. Multiple people can reside at any address. Names help sort out the recipient of the letter.


Presenting and Defending Conclusions

• Obtain relevant certifications
  – Certified Information Systems Security Professional: CISSP is the must-have certification for security professionals; while its technical merits are lacking, I find its Code of Ethics valuable.
  – Certified Information Forensics Investigator: CIFI is a vendor-neutral forensics certification sponsored by the International Information Systems Forensics Association; will help demonstrate your knowledge of core forensic investigation principles.
  – Cisco Certified Network Associate: CCNA is Cisco’s entry-level networking certification; shows a basic level of comprehension of networking and device configuration.


Conclusion

• This presentation introduced key points on network forensics
• For more information, attend my next day-long class and/or read my books
• Contact me at [email protected]

Never shoot from the gut when doing network forensics. Warp speed, Mr. Sulu!


References

• Tools
  – Snort: www.snort.org
  – Tcpdump: www.tcpdump.org
  – Ethereal, Tethereal, Capinfos: www.ethereal.org
  – Argus: www.qosient.com/argus
  – SANCP: www.metre.net/sancp.html
  – Tcpdstat: staff.washington.edu/dittrich/talks/core02/tools/tools.html
  – NetFlow format: www.cisco.com/go/netflow
• Certifications
  – CISSP: www.isc2.org
  – CISSP code of ethics: www.isc2.org/cgi/content.cgi?category=12
  – CIFI: www.iisfa.org
  – CCNA: www.cisco.com/go/ccna