Network Forensics: Analyzing Cybercrime Evidence

The document discusses network forensics, focusing on the analysis of data packets and the importance of network log mining in investigating cybercrimes. It outlines the procedures for seizing networking devices and highlights various forensic artifacts, including DHCP, NTP, DNS, and logs from firewalls and intrusion detection systems. Additionally, it covers different types of ICMP attacks and their implications for network security.

Uploaded by 7601nandu

Network Forensics

Forensic Footprints

● Data travels in the form of packets.
● Packets hold very valuable information such as source, destination, and
contents.
● In the event of a networking-related crime, the hacker/attacker might
have left some traces, and investigators need to analyze these. Such traces
are also called footprints.
● The traffic passing through a device gets digitally logged.
● The process of extracting logs from networking devices is known as
network log mining.
● It involves identification, extraction, arranging, and examining the log
data.
● Packet analysis of captured traffic is the only method to determine
whether the traffic was generated by a genuine source or created by bots.
Seizure of Networking Devices

● Networking devices contain crucial data, which is useful in the investigation
of a cybercrime case.
● All networking devices are sturdy and durable.
Steps to be followed to investigate such devices as firewalls, L3
switches, Intrusion Prevention Systems (IPS), etc., are the following:
1. Switch off the device and turn off its power supply.
2. Disconnect the cables and pack the device in proper anti-static
packing material.
3. Fill in the chain of custody form, which is the official
documentation form used by law enforcement agencies, along
with the complete chronological history of the electronic evidence.
Networking devices like firewalls record:

● Traffic allowed and blocked on the firewall.
● Bandwidth and protocol usage, such as high CPU usage and
exceeded limits.
● Bytes transferred (large files), if any.
● Detected attack activities, such as attacks coming from
particular sources.
● Administrator access, such as failed login attempts.
● Another challenge is the rise of anti-forensic techniques.
● Hackers have mastered the art of clearing the trail.
● Clearing logs, encryption, spoofing, and data wiping are set
practices among cybercriminals.
Some techniques that investigators use are:
Session identification:
➢ Explains how the attacker made his/her way into the network.
➢ Analyze all the collected logs from various sources.
Pattern discovery and analysis:
➢ To crack the pattern of an attacker: reconstruction.
○ Resolution: extracts salient rules, patterns, and statistics by
eliminating irrelevant data.
○ Backtracing: reconstruction of an event from the end to the
start.
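As an added example (not part of the original slides), the following Python script performs network log mining on a constructed firewall log and then applies the session identification and backtracing techniques described above. It pulls out the items listed for firewalls (allowed/blocked traffic, large transfers, failed administrator logins), identifies every event a given address took part in, and reads that session from the last event back to the entry point. The key=value log format, the field names and the 10 MiB "large file" threshold are assumptions made for this example, not any vendor's actual format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample firewall log (hypothetical key=value format, not any real vendor's).
# 203.0.113.7 probes two blocked ports, gets in over 443, fails the admin login twice,
# succeeds, and then a large file leaves the network towards it.
FIREWALL_LOG = """\
2024-03-01T10:00:01 action=deny src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22 bytes=0
2024-03-01T10:00:02 action=deny src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=23 bytes=0
2024-03-01T10:00:03 action=allow src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=443 bytes=1200
2024-03-01T10:00:05 action=admin_login_failed user=admin src=203.0.113.7
2024-03-01T10:00:06 action=admin_login_failed user=admin src=203.0.113.7
2024-03-01T10:00:07 action=admin_login_ok user=admin src=203.0.113.7
2024-03-01T10:01:00 action=allow src=192.0.2.10 dst=203.0.113.7 proto=tcp dport=443 bytes=52428800
2024-03-01T10:02:00 action=allow src=198.51.100.4 dst=192.0.2.20 proto=udp dport=53 bytes=90
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
LARGE_TRANSFER_BYTES = 10 * 1024 * 1024  # "large file" threshold, chosen for the example


def parse_log(text):
    """Identification/extraction step: one dict per line, timestamp as datetime."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines rather than abort the analysis
        rec = {"ts": datetime.fromisoformat(m.group("ts"))}
        for token in m.group("kv").split():
            key, _, value = token.partition("=")
            rec[key] = value
        if "bytes" in rec:
            rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def summarize(records):
    """Arranging/examining step: the firewall items an investigator pulls first."""
    summary = {"allowed": 0, "denied": 0, "denied_by_src": Counter(),
               "large_transfers": [], "failed_admin_logins": Counter()}
    for r in records:
        action = r.get("action")
        if action == "allow":
            summary["allowed"] += 1
            if r.get("bytes", 0) >= LARGE_TRANSFER_BYTES:
                summary["large_transfers"].append(r)
        elif action == "deny":
            summary["denied"] += 1
            summary["denied_by_src"][r["src"]] += 1
        elif action == "admin_login_failed":
            summary["failed_admin_logins"][r["src"]] += 1
    return summary


def session_of(records, ip):
    """Session identification: every event the address took part in, oldest first."""
    return sorted((r for r in records if ip in (r.get("src"), r.get("dst"))),
                  key=lambda r: r["ts"])


def backtrace(records, ip):
    """Backtracing: the same session read from the final event back to the entry point."""
    return list(reversed(session_of(records, ip)))


if __name__ == "__main__":
    recs = parse_log(FIREWALL_LOG)
    s = summarize(recs)
    print(f"allowed={s['allowed']} denied={s['denied']} "
          f"failed admin logins={dict(s['failed_admin_logins'])}")
    for r in backtrace(recs, "203.0.113.7"):
        print(r["ts"].isoformat(), r["action"], r.get("dport", ""), r.get("bytes", ""))
```

Running the script prints the summary and then the attacker's session in reverse, so the large outbound transfer is the first line shown and the initial blocked probe on port 22 the last; a real investigation would feed records from several devices into the same functions, which is why the parser tolerates lines it does not understand instead of aborting.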
Network Forensic Artifacts

● Related to networking and communication.
● Provide evidence or insights into network communication.
1. Dynamic Host Configuration Protocol (DHCP):
➢ Before sending any data on the network, the computer must
contact the DHCP server to be assigned an IP address.
➢ DHCP logs record when a host:
○ Joins
○ Is present
○ Leaves
2. Network Time Protocol (NTP): provides accurate time services on
the network and allows for consistency among computers on a network.
3. Domain Name Server (DNS):
➢ DNS request/response traffic.
➢ Resolves hostnames to IP addresses.
4. Web proxy logs:
➢ Capture web traffic requests and responses.
➢ Cache copies of resources retrieved from the web servers.
➢ Include copies of files, like malware, that were retrieved from a
web server.
5. Firewalls:
➢ Perform packet inspection and make decisions on what traffic should be
forwarded, logged, and blocked.
➢ Firewalls can be configured to log traffic at various levels of detail based on the
needs of the organization.
6. Intrusion Detection System (IDS) and Intrusion Prevention System (IPS):
➢ An IDS monitors the network interface, examines network traffic, and compares
it against signatures or patterns of known malicious traffic to identify suspicious
network traffic.
➢ When the IDS finds anything suspicious, it logs the traffic in an alert file.
➢ An IPS is similar to an IDS except that it also prevents, and logs, potential
attempts and attacks.
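The DHCP, NTP, DNS and proxy artifacts above are most useful when correlated: an IP address seen in a DNS or proxy log can be attributed to a physical machine only through the DHCP lease (join/left events) that was active at that instant, and that comparison is only meaningful when every log source keeps NTP-synchronized time. The Python example below (added here, not from the original slides) rebuilds the lease history from constructed DHCP join/left lines and then tags constructed DNS and proxy events with the host and MAC address that held the source IP at the time. The line formats, hostnames, MAC addresses and URLs are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed log excerpts (formats invented for this example). All three sources must
# share NTP-synchronized clocks, otherwise the join/left windows cannot be trusted.
# Note that 10.0.0.25 is held by two different machines during the day.
DHCP_LOG = """\
2024-03-01T08:00:00 DHCP join ip=10.0.0.25 mac=aa:bb:cc:dd:ee:01 host=LAPTOP-A
2024-03-01T09:30:00 DHCP left ip=10.0.0.25 mac=aa:bb:cc:dd:ee:01
2024-03-01T09:45:00 DHCP join ip=10.0.0.25 mac=aa:bb:cc:dd:ee:02 host=LAPTOP-B
2024-03-01T11:00:00 DHCP left ip=10.0.0.25 mac=aa:bb:cc:dd:ee:02
"""
DNS_LOG = """\
2024-03-01T08:10:00 DNS src=10.0.0.25 qname=intranet.example.com rcode=NOERROR
2024-03-01T09:50:12 DNS src=10.0.0.25 qname=update.example.net rcode=NOERROR
"""
PROXY_LOG = """\
2024-03-01T09:50:13 PROXY src=10.0.0.25 method=GET url=http://update.example.net/setup.exe status=200 bytes=483000 cached=yes
"""


@dataclass
class Lease:
    ip: str
    mac: str
    host: str
    start: datetime
    end: Optional[datetime]  # None: the host had not left by the end of the log


def _fields(tokens):
    """key=value tokens into a dict; tokens without '=' are ignored."""
    return dict(t.split("=", 1) for t in tokens if "=" in t)


def parse_dhcp(text):
    """Pair each DHCP 'join' with the matching 'left' to rebuild the lease history."""
    leases, open_leases = [], {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "DHCP":
            continue
        ts, event, f = datetime.fromisoformat(parts[0]), parts[2], _fields(parts[3:])
        if event == "join":
            open_leases[f["ip"]] = Lease(f["ip"], f["mac"], f.get("host", "?"), ts, None)
        elif event == "left" and f["ip"] in open_leases:
            lease = open_leases.pop(f["ip"])
            lease.end = ts
            leases.append(lease)
    leases.extend(open_leases.values())  # leases still active at the end of the log
    return sorted(leases, key=lambda l: l.start)


def who_had(leases, ip, at):
    """The lease that owned `ip` at instant `at` (ISO string or datetime), or None."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    for lease in leases:
        if lease.ip == ip and lease.start <= at and (lease.end is None or at < lease.end):
            return lease
    return None


def parse_events(text, kind):
    """DNS or PROXY lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == kind:
            ev = {"ts": datetime.fromisoformat(parts[0]), "kind": kind}
            ev.update(_fields(parts[2:]))
            events.append(ev)
    return events


def attribute(events, leases):
    """Tag every event with the host/MAC that held its source IP at that moment."""
    timeline = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        lease = who_had(leases, ev["src"], ev["ts"])
        timeline.append({**ev, "host": lease.host if lease else None,
                         "mac": lease.mac if lease else None})
    return timeline


if __name__ == "__main__":
    leases = parse_dhcp(DHCP_LOG)
    events = parse_events(DNS_LOG, "DNS") + parse_events(PROXY_LOG, "PROXY")
    for ev in attribute(events, leases):
        detail = ev.get("qname") or ev.get("url")
        print(ev["ts"].isoformat(), ev["kind"], ev["src"], "->", ev["host"], ev["mac"], detail)
```

The point of the time-bounded lookup is visible in the sample data: the 08:10 DNS query and the 09:50 download both come from 10.0.0.25, but they belong to different laptops, and a query falling between the two leases is attributed to nobody rather than to the wrong machine. The proxy line's cached=yes flag marks the artifact the slides mention: a copy of the retrieved file (here a .exe) that can be pulled from the proxy cache for malware analysis.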
ICMP Attacks

● ICMP belongs to the IP protocol family.
● It is a connectionless protocol and does not use port numbers.
● Used for diagnostics, error reporting and querying a web server.
● Carries messages alerting to errors and reply reports.
● Carries no data and is usually ignored by the firewall.
● Hackers use ICMP to send payloads.
ICMP Sweep Attack

● Used to scan a target network to discover vulnerable hosts for
further probing and possible attacks.
● The attacker sends a bunch of ICMP echo requests.
● ICMP replies indicate that the selected hosts are alive and connected to
the target's network.
● Used in a distributed denial of service attack also known as a
Smurf attack, where an attacker sends ICMP echo (ping)
requests to multiple destination addresses.
Traceroute Attack
● Traceroute is a command used to discover the route that packets take when
traveling to their destination, and is used to determine network
topology.
● Traceroute sends out a series of packets with an increasing TTL
(time to live) value set.
● Windows systems use ICMP traceroutes and Linux systems use
UDP traceroutes.
● Each ICMP Time Exceeded message returned provides one hop of the path
that the packet takes.
Inverse Mapping Attack

● A technique used to map the internal networks or hosts that are
protected by a firewall or any other filtering device.
● The hacker sends ICMP reply messages to a wide range of IP
addresses.
● The internal router responds with an ICMP 'Host Unreachable'
for every host it cannot reach.
● Documented in Nov 1999 by the Systems Administration and Network Security (SANS)
Institute.
ICMP Smurf Attack

● The hacker spoofs the source address of the ICMP packet and
broadcasts ICMP echo requests to all computers in the network.
● This creates a flood of messages, causing network degradation of the
victim system.
● A Denial of Service (DoS) attack.
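As an added example that is not part of the original slides, the Python detector below flags the four ICMP patterns described above (sweep, traceroute probing, inverse mapping and Smurf) in a constructed list of ICMP packet summaries, the kind of check an IDS or a log-review script would run over a capture. The tuple layout, the 192.0.2.0/24 "internal" network, the thresholds, and the assumption that traceroute probes appear as ICMP echo requests with TTL 1, 2, 3, ... (the Windows style mentioned above; UDP-based Linux traceroutes would need a UDP rule) are choices made for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

ECHO_REPLY, ECHO_REQUEST = 0, 8
INTERNAL = ip_network("192.0.2.0/24")  # the protected network, assumed for the example

# Constructed ICMP packet summaries: (seconds, src, dst, icmp_type, ttl). Not a real capture.
PACKETS = [
    # sweep: one external host pings six internal addresses in under a second
    *[(i / 10, "203.0.113.9", f"192.0.2.{i + 1}", ECHO_REQUEST, 64) for i in range(6)],
    # legitimate ping and its matching reply
    (5.0, "192.0.2.50", "192.0.2.10", ECHO_REQUEST, 64),
    (5.01, "192.0.2.10", "192.0.2.50", ECHO_REPLY, 64),
    # traceroute-style probing: same src/dst, TTL 1, 2, 3
    (10.0, "203.0.113.9", "192.0.2.10", ECHO_REQUEST, 1),
    (10.5, "203.0.113.9", "192.0.2.10", ECHO_REQUEST, 2),
    (11.0, "203.0.113.9", "192.0.2.10", ECHO_REQUEST, 3),
    # inverse mapping: echo replies nobody asked for, sent to four internal addresses
    *[(20.0 + i, "198.51.100.7", f"192.0.2.{30 + i}", ECHO_REPLY, 250) for i in range(4)],
    # smurf: echo request to the directed broadcast address; the (spoofed) src is the victim
    (30.0, "192.0.2.10", "192.0.2.255", ECHO_REQUEST, 64),
]


def detect_sweep(packets, min_targets=5, window=60.0):
    """Sweep: one source sends echo requests to many distinct hosts within `window` seconds.
    Returns {src: most distinct targets seen in one window}."""
    targets = defaultdict(set)
    for t, src, dst, typ, _ in packets:
        if typ == ECHO_REQUEST:
            targets[(src, int(t // window))].add(dst)
    flagged = {}
    for (src, _), dsts in targets.items():
        if len(dsts) >= min_targets:
            flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged


def detect_traceroute(packets, min_hops=3):
    """Traceroute: the same src/dst pair probed with TTLs rising by one each time."""
    ttls = defaultdict(list)
    for _, src, dst, typ, ttl in sorted(packets):
        if typ == ECHO_REQUEST:
            ttls[(src, dst)].append(ttl)
    flagged = []
    for pair, seq in ttls.items():
        run = 1
        for a, b in zip(seq, seq[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_hops:
                flagged.append(pair)
                break
    return flagged


def detect_inverse_mapping(packets, internal=INTERNAL, min_targets=3):
    """Inverse mapping: echo replies into the protected range with no matching request."""
    requested = {(src, dst) for _, src, dst, typ, _ in packets if typ == ECHO_REQUEST}
    unsolicited = defaultdict(set)
    for _, src, dst, typ, _ in packets:
        if typ == ECHO_REPLY and ip_address(dst) in internal and (dst, src) not in requested:
            unsolicited[src].add(dst)
    return {src: sorted(d) for src, d in unsolicited.items() if len(d) >= min_targets}


def detect_smurf(packets, internal=INTERNAL):
    """Smurf: echo requests aimed at the directed broadcast address of the protected range.
    The source address in such a packet is the spoofed victim, not the attacker."""
    bcast = str(internal.broadcast_address)
    return [(t, src) for t, src, dst, typ, _ in packets if typ == ECHO_REQUEST and dst == bcast]


if __name__ == "__main__":
    print("sweep:", detect_sweep(PACKETS))
    print("traceroute:", detect_traceroute(PACKETS))
    print("inverse mapping:", detect_inverse_mapping(PACKETS))
    print("smurf (victim):", detect_smurf(PACKETS))
```

The legitimate ping pair in the sample is there to show the false-positive control in each rule: a reply that answers a request the sensor saw is not counted as inverse mapping, and a single host pinging a single server never reaches the sweep threshold. The mitigations follow from the same rules: rate-limit or drop unsolicited inbound echo replies, disable directed-broadcast forwarding on internal routers, and alert on any one source touching many addresses in a short window.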
Drive-By Downloads
