The sophistication of hacking and electronic crime has grown at an exponential rate in recent years. In fact, recent reports have indicated that cyber crime already surpasses the illegal drug trade! Unethical hackers, better known as black hats, are preying on the information systems of government, corporate, public, and private networks and are constantly testing the security mechanisms of these organizations to the limit with the sole aim of exploiting them and profiting from the exercise. High-profile crimes have proven that the traditional approach to computer security is simply not sufficient, even with the strongest perimeter, properly configured defense mechanisms such as firewalls, intrusion detection and prevention systems, strong end-to-end encryption standards, and anti-virus software. Hackers have proven their dedication and ability to systematically penetrate networks all over the world. In some cases, black hats may be able to execute attacks so flawlessly that they can compromise a system, steal everything of value, and completely erase their tracks in less than 20 minutes!
The EC-Council Press is dedicated to stopping hackers in their tracks.
Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks. Capturing network traffic is simple in theory but relatively complex in practice, because of the large amount of data that flows through a network and the complex nature of Internet protocols. Because recording network traffic consumes a lot of resources, it is often not possible to record all of the data flowing through the network. An investigator needs to back up this recorded data to free up recording media and to preserve the data for future analysis.
Analyzing Network Data
The analysis of recorded data is the most critical and most time-consuming task. Although there are many automated analysis tools that an investigator can use for forensic purposes, they are not sufficient, as there is no foolproof method for discriminating bogus traffic generated by an attacker from genuine traffic. Human judgment is also critical because with automated traffic analysis tools there is always a chance of a false positive. An investigator needs to perform network forensics to determine the type of attack carried out over a network and to trace the culprit. The investigator needs to follow proper investigative procedures so that the evidence recovered during the investigation can be produced in a court of law.
Network forensics can reveal the following information:
- How an intruder entered the network
- The path of intrusion
- The intrusion techniques an attacker used
- Traces and evidence
Network forensics investigators cannot do the following:
- Solve the case alone
- Link a suspect to an attack
The Intrusion Process
Network intruders can enter a system using the following methods:
- Enumeration: Enumeration is the process of gathering information about a network that may help an intruder attack the network. Enumeration is generally carried out over the Internet. The following information is collected during enumeration:
– Topology of the network
– List of live hosts
– Network architecture and types of traffic (for example, TCP, UDP, and IPX)
– Potential vulnerabilities in host systems
- Vulnerabilities: An attacker identifies potential weaknesses in a system, network, and elements of the network and then tries to take advantage of those vulnerabilities. The intruder can find known vulnerabilities using various scanners.
- Viruses: Viruses are a major cause of shutdown of network components. A virus is a software program written to change the behavior of a computer or other device on a network, without the permission or knowledge of the user.
- Trojans: Trojan horses are programs that contain or install malicious programs on targeted systems. These programs serve as back doors and are often used to steal information from systems.
- E-mail infection: The use of e-mail to attack a network is increasing. An attacker can use e-mail spamming and other means to flood a network and cause a denial-of-service attack.
- Router attacks: Routers are the main gateways into a network, through which all traffic passes. A router attack can bring down a whole network.
- Password cracking: Password cracking is a last resort for any kind of attack.
Looking for Evidence
An investigator can find evidence from the following:
- From the attack computer and intermediate computers: This evidence is in the form of logs, files, ambient data, and tools.
- From firewalls: An investigator can look at a firewall’s logs. If the firewall itself was the victim, the investigator treats the firewall like any other device when obtaining evidence.
- From internetworking devices: Evidence exists in logs and buffers as available.
- From the victim computer: An investigator can find evidence in logs, files, ambient data, altered configuration files, remnants of Trojaned files, files that do not match hash sets, tools, Trojans and viruses, stored stolen files, Web defacement remnants, and unknown file extensions.
End-To-End Forensic Investigation
An end-to-end forensic investigation involves following basic procedures from beginning to end. The following are some of the elements of an end-to-end forensic trace:
- The end-to-end concept: An end-to-end investigation tracks all elements of an attack, including how the attack began, what intermediate devices were used during the attack, and who was attacked.
- Locating evidence: Once an investigator knows what devices were used during the attack, he or she can search for evidence on those devices. The investigator can then analyze that evidence to learn more about the attack and the attacker.
- Pitfalls of network evidence collection: Evidence can be lost in a few seconds during log analysis because logs change rapidly. Sometimes, permission is required to obtain evidence from certain sources, such as ISPs. This process can take time, which increases the chances of evidence loss. Other pitfalls include the following:
– An investigator or network administrator may mistake normal computer or network activity for
– There may be gaps in the chain of evidence.
– Logs may be ambiguous, incomplete, or missing.
– Since the Internet spans the globe, other nations may be involved in the investigation.
- Event analysis: After an investigator examines all of the information, he or she correlates all of the events and all of the data from the various sources to get the whole picture.
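The following Python script is an added illustration of the end-to-end trace and event-analysis steps above; it is not part of the original text. It normalises constructed log lines from a firewall, an intermediate router (rtr1) and the victim host into one timeline, reconstructs the path of intrusion from the order in which each device first saw the attacker's address, and corroborates the successful login against perimeter records by matching source IP and ephemeral source port within a time window (all device names, addresses and log formats are assumed).

```python
import re
from datetime import datetime, timedelta
# Constructed sample logs (not real captures) from the three sources on the attack
# path. Timestamp formats differ on purpose, as they do across real vendors.
FIREWALL_LOG = """\
2024-03-02T10:14:03Z ACCEPT TCP 198.51.100.7:51234 -> 203.0.113.5:22
2024-03-02T10:14:09Z ACCEPT TCP 198.51.100.7:51240 -> 203.0.113.5:22
"""
ROUTER_LOG = """\
Mar  2 10:14:04 rtr1 fwd: 198.51.100.7:51234 -> 203.0.113.5:22 proto=6
Mar  2 10:14:10 rtr1 fwd: 198.51.100.7:51240 -> 203.0.113.5:22 proto=6
"""
HOST_LOG = """\
Mar  2 10:14:12 victim sshd[4412]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  2 10:14:15 victim sshd[4413]: Accepted password for root from 198.51.100.7 port 51240 ssh2
"""
YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample

def parse_events():
    """Normalise all three logs into one time-ordered list of {ts, device, src, sport, info}."""
    events = []
    fw = re.compile(r"(\S+) (ACCEPT|DROP) TCP (\S+):(\d+) -> (\S+)")
    for line in FIREWALL_LOG.splitlines():
        m = fw.match(line)
        events.append({"ts": datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"),
                       "device": "firewall", "src": m[3], "sport": int(m[4]),
                       "info": f"{m[2]} -> {m[5]}"})
    sl = re.compile(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)")
    for line in (ROUTER_LOG + HOST_LOG).splitlines():
        m = sl.match(line)
        ip = re.search(r"(\d+\.\d+\.\d+\.\d+)(?::| port )(\d+)", m[3])  # first hit = source
        events.append({"ts": datetime.strptime(f"{YEAR} {m[1]}", "%Y %b %d %H:%M:%S"),
                       "device": m[2], "src": ip[1], "sport": int(ip[2]), "info": m[3]})
    return sorted(events, key=lambda e: e["ts"])

def trace_path(events, attacker):
    """Devices in the order they first saw the attacker: the path from entry point to victim."""
    return list(dict.fromkeys(e["device"] for e in events if e["src"] == attacker))

def corroborate(events, window=timedelta(seconds=30)):
    """For each successful login, list the other devices whose records match the same
    source IP *and* source port within `window`. An empty list is a gap in the chain."""
    result = {}
    for login in (e for e in events if "Accepted" in e["info"]):
        key = (login["src"], login["sport"])
        result[key] = [e["device"] for e in events
                       if e["device"] != login["device"]
                       and (e["src"], e["sport"]) == key
                       and timedelta(0) <= login["ts"] - e["ts"] <= window]
    return result
```

Matching on the ephemeral source port, not just the address, is what ties a particular perimeter record to a particular session; a login with no matching firewall or router record is exactly the kind of gap in the chain of evidence listed under the pitfalls above.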