COEN 252 Computer Forensics: Network Protocols Overview for Network Forensics

Network Protocols: Layering
• Complexity of networking leads to layered architectures.
• TCP/IP stack has four levels.
• OSI has seven.

Network Protocols: Layering
• Each layer adds a header:
  • Application
  • TCP
  • IP
  • Link
Link Layer
• Network Interface Cards (NIC)
  • Unique Medium Access Control (MAC) number
  • Format: 48 bits, written as twelve hex digits (six bytes).
  • First six hex digits identify the vendor.
  • Last six hex digits are a serial number.
• NICs either select frames based on MAC address or are in promiscuous mode (capture every packet).
Link Layer
• Address Resolution Protocol (ARP)
  • Resolves IP addresses to MAC addresses
  • RFC 826

Link Layer: ARP Resolution Protocol
• Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101.
• A sends out a broadcast who-has request:
  00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has 10.10.10.101
• All devices on the link capture the packet and pass it to the IP layer.
• 10.10.10.101 is the only one to answer:
  a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0
• A caches the value in its ARP cache.

Link Layer: ARP Resolution Protocol
ARP requests: (capture screenshot not reproduced in this text)
Link Layer Forensics
Network monitoring tools such as Argus or Ethereal log MAC addresses.

Link Layer Forensics
Example: A spike in network traffic comes from a computer with a certain IP address. However, Argus logs reveal that the traffic comes from a computer with a different MAC than the computer assigned that IP (spoofing). Finally, intrusion response finds the computer with that MAC: a Linux laptop that has been compromised and is being used for a denial of service attack.

Link Layer Forensics
• The ARP cache can be viewed on Windows NT/2000/XP with the arp -a command.
ATM
• ATM
  • uses fiber optic cables and ATM switches.
  • encapsulates data into ATM cells.
  • A number in each cell identifies the circuit that ATM has established between two computers.
  • ATMARP allows machines to discover MAC addresses.
  • ATMARP has a central server that responds to ARP requests.
• ATM forensics is similar.
Link Layer Evidence
• Sniffers in promiscuous mode.
• Intruders also use sniffers.
  • Typically they monitor traffic to / from the compromised system.
  • Sometimes they monitor themselves coming back to look at the sniffer logs.
• Intruders sometimes encrypt their traffic.
  • But the sniffers still see the packets; they just cannot read them.
• Installing sniffers can violate wire-tapping and other laws and is resource-intensive.
• FreeBSD / OpenBSD seem to be the best platforms.

Link Layer Evidence
• Sniffer location:
  • On the compromised machine.
    • Evidence not trustworthy.
  • Nearby host.
  • Switched Port Analyzer (SPAN)
    • Copies network traffic from one switch port to another.
    • Only copies valid Ethernet packets.
    • Does not duplicate all error information.
    • The copying process has lower priority, and some packets might not be mirrored.
    • Misses out on traffic on the local link.

Link Layer Evidence
• Sniffer configuration
  • Can capture entire frames.
  • Or only the first part.
    • Tcpdump default setting.
Link Layer Evidence
• Some organizations log ARP information.
• Routers keep ARP tables.
  • show ip arp
• All hosts keep ARP tables.
• DHCP often assigns addresses only to computers with known MACs.

Link Layer Evidence
An employee received harassing e-mail from a host on the employer’s network with IP address 192.168.1.65. The DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c. This MAC belonged to a network printer. The router’s ARP table showed that the IP address 192.168.1.65 was used by a computer with MAC 00:30:65:4b:2a:5c. Although this MAC was not on the organization’s list, there were only a few Apple computers on the network and the culprit was soon found.
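The cross-check that resolved the case above (DHCP lease versus router ARP table versus asset list), written out as an added example; this is not code from the course, and all three tables, the vendor lookup and the function names are constructed for illustration (the two MAC addresses are the ones quoted in the case):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample tables; the two MAC addresses are the ones quoted in the case above.
DHCP_LEASES = {"192.168.1.65": "00:00:48:5c:3a:6c"}    # what the DHCP server handed out
ROUTER_ARP = {"192.168.1.65": "00-30-65-4B-2A-5C"}     # what the router saw answering for it
ASSET_LIST = {"00:00:48:5c:3a:6c": "network printer"}  # known hardware
OUI_TABLE = {"00:30:65": "Apple"}                      # constructed stand-in for the IEEE OUI list


@dataclass
class Finding:
    ip: str
    dhcp_mac: Optional[str]
    arp_mac: Optional[str]
    notes: List[str] = field(default_factory=list)


def normalise(mac: str) -> str:
    """Canonical lower-case colon form so tables from different tools compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vendor(mac: str) -> str:
    """The first three bytes of a MAC identify the vendor."""
    return OUI_TABLE.get(normalise(mac)[:8], "unknown vendor")


def check_binding(ip: str, dhcp: Dict[str, str] = DHCP_LEASES, arp: Dict[str, str] = ROUTER_ARP,
                  assets: Dict[str, str] = ASSET_LIST) -> Finding:
    """Compare the MAC that DHCP assigned to ip with the MAC the router saw using it."""
    dhcp_mac = normalise(dhcp[ip]) if ip in dhcp else None
    arp_mac = normalise(arp[ip]) if ip in arp else None
    f = Finding(ip, dhcp_mac, arp_mac)
    if dhcp_mac is None:
        f.notes.append("no DHCP lease for this address (static assignment or rogue host?)")
    if arp_mac is None:
        f.notes.append("router has no ARP entry; host may be off or on another segment")
    if dhcp_mac and arp_mac and dhcp_mac != arp_mac:
        f.notes.append(f"MAC mismatch: DHCP gave the address to {dhcp_mac} "
                       f"({assets.get(dhcp_mac, 'not in asset list')}) but "
                       f"{arp_mac} ({vendor(arp_mac)}) is using it")
        if arp_mac not in assets:
            f.notes.append("observed MAC is not in the asset list: look for an unmanaged host")
    return f
```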
Link Layer Evidence
• Analyze and filter log files:
  • Keyword searches
    • E.g. for USER, PASS, login
    • Nicknames, channel names
  • Filters
  • Reconstruction
    • E.g. contents of a web-mail inbox.

Link Layer Evidence
NetIntercept screenshot (image not reproduced in this text)
IP
• Uses IP addresses of source and destination.
• IP datagrams are moved from hop to hop.
• “Best effort” service.
• Corrupted datagrams are detected and dropped.

IP
• Full endpoint addresses contain an IP address and a port number.
• IPv4 addresses are 32 bits long.
• IPv6 addresses are 8 × 16 = 128 bits long.
IP: ICMP
• Internet Control Message Protocol
• Created to deal with non-transient problems, e.g.:
  • Fragmentation is necessary, but the Don’t Fragment flag is set.
  • UDP datagram sent to a non-listening port.
  • Ping.

IP: ICMP
• ICMP error messages should not be sent:
  • For any but the first fragment.
  • For a source address that is a broadcast or loopback address.
    • Such packets are probably malicious, anyway.

IP: ICMP
• ICMP errors are not sent:
  • In response to an ICMP error message.
    • Otherwise, one could craft a message with invalid UDP source and destination ports and watch the ICMP errors ping-pong.
  • To a destination broadcast address.
    • Don’t answer with destination unreachable for a broadcast. Otherwise, this makes it trivial to scan a network.
Transport Layer: TCP and UDP
• Transmission Control Protocol (TCP)
  • Reliable
  • Connection-oriented
  • Slow
• User Datagram Protocol (UDP)
  • Unreliable
  • Connectionless
  • Fast

TCP
• Only supports unicasting.
• Full duplex connection.
• Message numbers to prevent loss of messages.

TCP: Three Way Handshake
• Initiator to responder: SYN with initial sequence number s
• Responder to initiator: ACK of s, SYN with initial sequence number t
• Initiator to responder: ACK of t
• Sets up two connections (one per direction) with initial message numbers s and t.
TCP: Three Way Handshake
20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)
20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)

TCP: Terminating Connections
• Graceful shutdown
  • Party 1 to Party 2: FIN
  • Party 2 to Party 1: ACK
  • Party 2 to Party 1: FIN
  • Party 1 to Party 2: ACK
• Abrupt shutdown
  • Party 1 to Party 2: RST

TCP: Shutting down a connection
20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)
20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)
20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)
20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
TCP: Exchanging Data
• Each packet has a sequence number.
  • (One for each direction.)
• Initial sequence numbers are created during the initial three way handshake.
• Nmap uses the way these initial sequence numbers are generated to determine the OS.
• Operating systems are now much better at generating truly random sequence numbers.

TCP: Exchanging Data
• The party that receives a packet sends an acknowledgement.
• The acknowledgement consists of:
  • The ACK flag.
  • The sequence number of the next data expected.

TCP: Exchanging Data
• If a packet is lost, then the ack number will not change:
  • “Duplicate acknowledgement”
  • Depending on settings, the sender will resend after at most three repeated ack numbers.
• Also, resend after timeout.

TCP: Exchanging Data
20:48:45.087563 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win 16959 (DF)
20:48:45.087583 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF)
20:48:45.096443 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF)
20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
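An added example (not from the course) that follows a connection through the handshake, data exchange and teardown shown in the captures above by parsing tcpdump lines of that format. The three handshake lines are copied from the slides; the data and FIN lines, the state names and the check that the SYN/ACK acknowledges the client's ISN+1 are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict

# One tcpdump line: timestamp, endpoints, flags, optional seq range, optional ack, window.
LINE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)")

# Handshake lines copied from the slides; data and teardown lines constructed in the same format.
SAMPLE = """\
20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)
20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
20:13:35.100000 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: P 1:4(3) ack 1 win 17520 (DF)
20:13:35.110000 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: P 1:17(16) ack 4 win 32768 (DF)
20:13:35.200000 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: F 17:17(0) ack 4 win 32768 (DF)
20:13:35.200100 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: F 4:4(0) ack 18 win 17520 (DF)
20:13:35.200600 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: . ack 5 win 32767 (DF)
"""


def analyse(text: str) -> Dict:
    """Replay the lines in order; return connection state, payload bytes per direction, problems."""
    state, client_isn, fins, problems = "NEW", None, set(), []
    payload = defaultdict(int)                       # (src, dst) -> bytes carried
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            problems.append("unparsed: " + line)
            continue
        flags, src = m["flags"], m["src"]
        if "R" in flags:                             # abrupt shutdown
            state = "RESET"
            break
        if "S" in flags and m["ack"] is None:        # 1: SYN with sequence number s
            state, client_isn = "SYN_SENT", int(m["seq"])
        elif "S" in flags and state == "SYN_SENT":   # 2: SYN t, ACK s+1
            state = "SYN_RECEIVED"
            if int(m["ack"]) != client_isn + 1:
                problems.append("SYN/ACK does not acknowledge client ISN+1")
        elif state == "SYN_RECEIVED" and m["ack"] is not None:   # 3: ACK t+1
            state = "ESTABLISHED"
        if m["len"]:
            payload[(src, m["dst"])] += int(m["len"])
        if "F" in flags:                             # graceful shutdown needs a FIN from each side
            fins.add(src)
            state = "CLOSED" if len(fins) == 2 else "FIN_WAIT"
    return {"state": state, "bytes": dict(payload), "problems": problems}
```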
TCP flags
• Part of the TCP header
• F : FIN - Finish; end of session
• S : SYN - Synchronize; indicates request to start session
• R : RST - Reset; drop a connection
• P : PSH - Push; packet is sent immediately
• A : ACK - Acknowledgement
• U : URG - Urgent
• E : ECE - Explicit Congestion Notification Echo
• W : CWR - Congestion Window Reduced

UDP
• “Send and pray”
• No connection.
• No elaborate header like TCP.
• Protocol field in the IP header is 0x11.
• The UDP-specific header information follows the IP header.
Fragmentation
• An IP datagram can come across smaller maximum transmission units (MTUs) than its own size.
• The sender (or a forwarding router) chops up the IP datagram into many smaller IP datagrams, the fragments.

Fragmentation
• Fragments are reassembled at the destination.
• Fragments carry:
  • Fragment identifier
  • Offset in the original data portion
  • Length of the data payload in the fragment
  • A flag that indicates whether or not this is the final fragment.

Fragmentation Example
• Large echo request
  • ping -l 1480 129.218.19.198
• Assume MTU is 1500
Fragmentation
ping -l 65500 129.218.19.198
12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)
12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)
12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)
12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50
12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@4416+)
12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@5888+)
12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@7360+)
12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@8832+)
12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@10304+)
12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@11776+)
12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@13248+)
12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@14720+)
Fragmentation
• DF (Don’t Fragment) flag
  • If a forwarding node finds that the datagram needs to be fragmented but the DF flag is set, it should respond with ICMP destination unreachable: fragmentation needed.
  • Useful to find the minimum MTU along a path.

Fragmentation
• Stateless firewalls look only at individual packets.
• The transport protocol header is only in the first fragment.
• “Stealth attacks / scans” put the evil payload only in the second and following fragments.
Fragments: Teardrop and Friends
• Teardrop (1997)
  • Fragments with overlapping offset fields.
  • Many contemporary operating systems crashed, hung, or rebooted.
• Jolt2
  • Single fragment with non-zero offset.
  • The receiving system allocates resources to reconstruct a datagram that never arrives.

Fragments: Teardrop and Friends
• Create fragments that seem to come from a gigabyte-sized datagram.
  • A trusting OS tries to allocate the memory and dies.
• Ping of Death
  • Windows 95 allowed sending a ping that was just a tad too long. The receiving host would crash.
• Unnamed attacks
  • Missing fragments lead to resource allocation.
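An added example (not from the course) for the fragment captures and the fragment-based attacks discussed above: it parses tcpdump's "(frag id:bytes@offset+)" notation, regroups the fragments of each datagram and reports what a reassembly engine would stumble over (overlapping offsets as in Teardrop, an offset that pushes the total past 65535 bytes as in Ping of Death, and fragments that never complete as in Jolt2). The first three sample lines are from the capture above; the remaining lines, the host name lab-host.example and the function name are constructed test vectors.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# tcpdump prints each fragment as "(frag id:payload_bytes@offset_bytes+)"; "+" means more fragments follow.
FRAG = re.compile(r"^\S+ IP (\S+) > (\S+): .*\(frag (\d+):(\d+)@(\d+)(\+?)\)")
IP_MAX = 65535     # largest total length an IPv4 datagram can declare

# First three lines are from the capture above; the rest are constructed test vectors.
SAMPLE = """\
12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)
12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)
12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)
12:02:19.000001 IP lab-host.example > Bobadilla.scu.edu: udp (frag 242:36@0+)
12:02:19.000002 IP lab-host.example > Bobadilla.scu.edu: udp (frag 242:4@24)
12:02:20.000001 IP lab-host.example > Bobadilla.scu.edu: icmp (frag 4321:1480@0+)
12:02:20.000002 IP lab-host.example > Bobadilla.scu.edu: icmp (frag 4321:8@65528)
12:02:21.000001 IP lab-host.example > Bobadilla.scu.edu: udp (frag 7:8@8)
"""


def check_fragments(text: str) -> Dict[Tuple[str, str, int], List[str]]:
    """Group fragments by (src, dst, id) and list what a reassembly engine would stumble over."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FRAG.match(line)
        if m:
            src, dst, fid, size, off, more = m.groups()
            groups[(src, dst, int(fid))].append((int(off), int(size), more == "+"))
    report = {}
    for key, frags in groups.items():
        frags.sort()
        findings, expect, holes, final_seen = [], 0, 0, False
        for off, size, more in frags:
            if off < expect:      # starts inside data already received: Teardrop-style overlap
                findings.append(f"overlap: fragment at {off} overwrites {expect - off} byte(s)")
            elif off > expect:    # something between expect and off is missing
                holes += 1
                findings.append(f"gap: {off - expect} byte(s) missing before offset {off}")
            expect = max(expect, off + size)
            final_seen = final_seen or not more
        if expect > IP_MAX:       # Ping of Death-style oversize datagram
            findings.append(f"oversize: reassembled datagram would be {expect} bytes")
        if not final_seen:
            findings.append("incomplete: final fragment not seen, reassembly buffer stays allocated")
        elif holes:
            findings.append("incomplete: final fragment seen but earlier fragment(s) missing (Jolt2-style)")
        report[key] = findings
    return report
```

The slide's own capture is reported as incomplete only because the listing above was cut off after twelve fragments.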
ICMP
• ICMP has no port numbers.
• No acks, no message delivery guarantee.
• http://www.iana.org/assignments/icmp-parameters
  • First byte: Type
  • Second byte: Code

ICMP
• Mapping techniques:
  • Detect whether a host is up.
  • Detect the OS through its responses.