Whodunit?

Presentation Transcript


  1. Whodunit? Beginning the cyber investigation

  2. Addresses
     • MAC address
       • Network card (NIC interface card)
       • Identifies a physical device (the card!)
       • This is how a packet is delivered on a local network
     • Network (IP) address
       • Logical address
       • Associated with a MAC address
       • Identifies a LOGICAL device

  3. MAC address • Series of six hexadecimal digits • 00-3E-42-A6-51-0E • “burned in” by manufacturer • In reality, can be changed in many cases

  4. IP address
     • “Dotted decimal” or “dotted quad”
     • 32 bits (4 octets)
     • Each octet has a value from 0 thru 255
     • 192.168.0.1
     • Each IP address has a
       • Prefix: identifies a network
       • Suffix: identifies a host (device) on that network

  5. IP addresses • IP “prefixes” must be unique on a global basis • The suffixes must be unique on the local level

  6. IP delivery
     • IP address is used to deliver a message
     • Comparison using the subnet mask determines if:
       • Local network
         • A lookup is performed for the MAC address matching the destination IP
       • Remote network
         • Packet is sent to the ‘gateway’ / router
         • Router decides the next hop to send the packet toward the destination network (determined by prefix)
         • Arrival at remote network: a lookup is performed for the MAC address matching the destination IP

  7. IP addresses
     • Prefix part identifies a class A, B, C range
       • A uses the last 3 octets to identify a host
       • B uses the last 2 octets
       • C uses the last octet
     • If the octet identifying the host is “0”
       • Means the entire network
       • 192.168.1.0 (means the entire 192.168.1 network)
     • If the suffix octet is 255 (all binary 1’s)
       • Broadcast address for that network
       • 192.168.1.255 sends to all on the 192.168.1 net

  8. CIDR Classless Inter-Domain Routing

  9. Rationale
     • Class “C” addresses need entries in network routing tables
       • Too many unique entries
       • Affects the performance of the router
     • Develop a different “network identifier”
       • Allocate a number of bits to identify the network
       • Class C uses 24 bits for the network and the remaining 8 bits for the host on the network

  10. Routing
     • The network mask determines the network identifier in the IP address
     • Routing can be done using contiguous blocks of class C addresses represented by a single entry in the routing table
     • Improves scalability of the routing system

  11. Supernet
     • Arbitrary sized network
     • Create a network from a contiguous block of “C” addresses
     • Criteria
       • Consecutive address ranges
         • 192.168.6.0
         • 192.168.7.0
       • Third octet of the first address range must be divisible by 2
         • 192.168.6.0
     • New network can have up to 512 unique hosts
       • New netmask is 255.255.254.0
       • 9 bits available for the host address

  12. Supernet
     • Combination of more than two class C networks
       • Done in powers of 2
       • Third octet must be divisible by the number of networks you’re combining
     • 192.168.16.0
     • 192.168.17.0
     • ……
     • 192.168.24.0
       • 8 networks combined
       • Netmask 255.255.248.0
       • 21 bits used for the network
     • 192.168.19.45/21
       • IP address; the first 21 bits identify the network
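The supernet rules on slides 11 and 12 (power-of-two block count, third octet divisible by that count, host bits growing by one per doubling) written out as an added Python example; this is not code from the presentation. It uses only the standard `ipaddress` module, and the function names are ours. It also generalizes slightly beyond the slides by computing the resulting netmask, host-bit count and member range for any power-of-two block, and by splitting an address such as 192.168.19.45/21 into its network and host parts.

```python
import ipaddress


def supernet_from_class_c(first_net, count):
    """Combine `count` consecutive /24 (class C) networks starting at
    `first_net` into one CIDR block, enforcing the slide's criteria:
    power-of-two count, and a third octet divisible by that count."""
    if count < 1 or count & (count - 1):
        raise ValueError("number of /24 networks must be a power of two")
    base = ipaddress.IPv4Network(first_net)
    if base.prefixlen != 24:
        raise ValueError("start from a /24 (class C) network")
    third_octet = int(str(base.network_address).split(".")[2])
    if third_octet % count:
        raise ValueError(f"third octet {third_octet} not divisible by {count}")
    # 8 host bits per /24, plus one extra host bit for every doubling
    host_bits = 8 + (count.bit_length() - 1)
    return ipaddress.IPv4Network((base.network_address, 32 - host_bits))


def can_supernet(first_net, count):
    """True if the block satisfies the criteria, False otherwise."""
    try:
        supernet_from_class_c(first_net, count)
        return True
    except ValueError:
        return False


def describe(net):
    """Netmask, bit split and member /24s of a supernet, as plain values."""
    return {
        "netmask": str(net.netmask),
        "network_bits": net.prefixlen,
        "host_bits": 32 - net.prefixlen,
        "addresses": net.num_addresses,
        "first_class_c": str(next(net.subnets(new_prefix=24))),
        "last_class_c": str(list(net.subnets(new_prefix=24))[-1]),
    }


def address_in(ip, net):
    """Membership test: does the first `net.prefixlen` bits of ip match?"""
    return ipaddress.IPv4Address(ip) in net


def network_and_host(ip_with_prefix):
    """Split 'a.b.c.d/n' into (network in CIDR form, host number)."""
    iface = ipaddress.IPv4Interface(ip_with_prefix)
    host = int(iface.ip) - int(iface.network.network_address)
    return str(iface.network), host


if __name__ == "__main__":
    for start, n in (("192.168.6.0/24", 2), ("192.168.16.0/24", 8)):
        net = supernet_from_class_c(start, n)
        print(net, describe(net))
    print(network_and_host("192.168.19.45/21"))
    print(can_supernet("192.168.7.0/24", 2))   # odd third octet: not allowed
```

Running it shows that eight /24s from 192.168.16.0 give 192.168.16.0/21 with netmask 255.255.248.0, whose members run 192.168.16.0 through 192.168.23.0; 192.168.7.0 cannot start a two-network supernet because 7 is not divisible by 2.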

  13. Ports
     • TCP and UDP
     • Ports identify ‘processes’ running
     • Numbered 1 to 65535
     • “Well known ports”: associated with services
       • 80 HTTP
       • 20, 21 FTP
       • 443 HTTPS
       • 110 POP3
       • 23 TELNET
       • 25 SMTP

  14. Private Network

  15. Cable Modem

  16. Private Network thru Cable Modem

  17. Tools • Connection properties • arp • ping • ipconfig • pathping • nslookup • Enable/Disable/Repair

  18. TCP/IP properties
     • Control Panel
     • Network connections
     • Locate the connection (typically Local Area Network)
     • Right click
     • Find the ‘properties’ tab
       • Client for Microsoft networks
       • File/printer sharing
       • Internet Protocol (TCP/IP)

  19. Properties of TCP/IP
     • DHCP
       • Look up my IP address using a DHCP server, which assigns it to me
       • Should also retrieve the settings for
         • Gateway (way out of the network)
         • DNS (lookup service for URL to IP)
         • Network (subnet) mask
     • Alternative
       • Specify the IP yourself
       • Make sure it’s not already assigned
       • Specify your own netmask, DNS, gateway

  20. Properties of TCP/IP
     • Need to talk between local devices
       • No need for a gateway in general
       • Unless you’re looking up URLs, no need for DNS
     • Network mask should be consistent with the IP address pattern on that network segment
       • A ‘mismatch’ will cause the packet to be sent to the router (gateway), because the host thinks the address is not local
       • A ‘mismatch’ may also make the host believe that a foreign address is on its local network, so the packet will not be routed
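The local-versus-remote decision of slide 6, and the two netmask-mismatch failure modes of slide 20, as an added Python example (not from the presentation). It models a host with an IP and mask, decides whether a destination is delivered directly (ARP for its MAC) or handed to the gateway, and then compares the decision made with a mis-set mask against the one the segment's real mask would give. The sample addresses (192.168.1.10, a /24 segment, gateway 192.168.1.1) are constructed for the example.

```python
import ipaddress


def next_hop(my_ip, my_mask, dst_ip, gateway):
    """Where does this host hand the packet? The test is only
    (my_ip AND mask) == (dst_ip AND mask): a match means 'local' (look up
    the destination's MAC and deliver on the link), otherwise 'gateway'
    (deliver to the router's MAC and let it route by prefix)."""
    me = ipaddress.IPv4Interface(f"{my_ip}/{my_mask}")
    if ipaddress.IPv4Address(dst_ip) in me.network:
        return ("local", dst_ip)
    return ("gateway", gateway)


def mask_mismatch_effect(my_ip, configured_mask, true_mask, dst_ip, gateway):
    """Compare the decision taken with the host's configured mask against
    the decision the segment's real mask would produce, and name the
    failure mode when they differ."""
    configured, _ = next_hop(my_ip, configured_mask, dst_ip, gateway)
    correct, _ = next_hop(my_ip, true_mask, dst_ip, gateway)
    if configured == correct:
        return "ok"
    if configured == "gateway":
        # mask too narrow: a neighbour on the same wire is sent to the router
        return "local destination sent to gateway"
    # mask too wide: a remote host looks local, ARP gets no answer, nothing is routed
    return "remote destination treated as local; ARP fails, never routed"


if __name__ == "__main__":
    host, gw, real_mask = "192.168.1.10", "192.168.1.1", "255.255.255.0"
    print(next_hop(host, real_mask, "192.168.1.20", gw))   # ('local', ...)
    print(next_hop(host, real_mask, "10.0.0.5", gw))       # ('gateway', ...)
    # configured mask too narrow (/25) for a /24 segment
    print(mask_mismatch_effect(host, "255.255.255.128", real_mask, "192.168.1.200", gw))
    # configured mask too wide (/16) for a /24 segment
    print(mask_mismatch_effect(host, "255.255.0.0", real_mask, "192.168.5.7", gw))
```

The two mismatch outcomes are exactly the symptoms slide 20 describes: a mask that is too narrow pushes a same-segment neighbour through the gateway, and a mask that is too wide makes the host ARP for an address that is not on its wire.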

  21. Toolbox Applying your knowledge

  22. Tools • ipconfig / ifconfig • ping • pathping • tracert / traceroute • arp • netstat • nslookup • dig • whois • host

  23. So many tools…
     • So little time…
     • Live incident or autopsy
     • Volatile information first
     • Disturbing the system
     • Durable / non-volatile information

  24. Windows Volatile Information Going, Going……

  25. Volatile
     • Information residing in memory
     • Temporary nature
       • Gone on shutdown
     • Time sensitive
       • Gone before shutdown
     • What do you go for first?
     • Minimize the footprint you leave as you collect the data

  26. Order of Volatility
     • Registers and cache
     • Routing table, arp tables, process table, kernel statistics, connections
     • Temp file systems
     • Hard disk / non-volatile storage systems
     • Remote / offsite logging and monitoring data
     • Physical configuration and network topology
     • Archival media

  27. Types of Volatile Information
     • System time
     • Users on system
     • Processes running
     • Connections
     • Status of the network
     • Clipboard
     • Command history
     • Services and drivers

  28. Common Errors
     • No documentation on the baseline system
     • Failing to document your collection process
     • Shutdown or reboot of the machine
     • Closing the terminal or shell should also be avoided
     • Reliance on the suspect machine

  29. Methodology
     • Preparation
     • Document the Incident
     • Policy Verification
     • Volatile Data Collection Strategy
     • Volatile Collection Setup
     • Volatile Collection Process

  30. Preparation • Toolkit • Guidelines • Policies

  31. Documentation
     • Profile
       • How detected
       • Scenario
       • Time of occurrence
       • Who/what reported
       • Hardware and software involved
       • Contacts for involved personnel
       • How critical is the suspicious system
     • Collection Logbook
       • Who is collecting
       • History of tools used and executed commands
       • Generated output and reports
       • Timestamp of executed commands
       • Expected system changes as you execute commands
     • Forensics toolkit logbook
       • Usage, output and effects

  32. Policy Verification • Examine policies for violations of rights by your actions • User signed policies • Consent • Establish your legal boundaries

  33. Volatile Data Collection Strategy
     • Types of data to collect
     • Tools to do the job
     • Where is output saved?
     • Administrative vs. user access
     • Media access (USB, floppy, CD)
     • Machine connected to network

  34. Volatile Collection Setup
     • Trusted command shell
     • Establish transmission and storage method
     • Ensure integrity of forensic toolkit output
       • MD5 hash

  35. Volatile Collection Process
     • Collect uptime, time, date, command history
       • Generate time/date to establish an audit trail
       • Begin command history to document your collection
     • Collect all volatile system and network information
     • End collection with date/time and command history
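Slides 26, 31, 34 and 35 together describe a collection run: tools executed most-volatile first, a logbook recording each command with its timestamp, and a hash of every output so it can later be shown unchanged. The following is an added Python example of such a logbook-keeping runner; it is not code from the presentation, and the function names, the numeric volatility ranks and the SAMPLE_TASKS list are our own assumptions (the tool names in SAMPLE_TASKS are the Windows tools the slides mention). Output is hashed with MD5 because that is what slide 34 specifies; swapping in `hashlib.sha256` is a one-word change.

```python
import hashlib
import subprocess
from datetime import datetime, timezone

# Volatility ranks, lower = more volatile, collect first. The numbers are an
# assumption for this example, following the ordering on slide 26.
RANK_TIME = 0        # system time/date: the audit-trail anchor
RANK_KERNEL = 1      # connections, arp table, routing table, processes
RANK_TEMP = 2        # temp file systems
RANK_DISK = 3        # non-volatile storage

# Constructed sample task list using tools named on the slides (Windows).
SAMPLE_TASKS = [
    ("system date", RANK_TIME, ["date", "/t"]),
    ("system time", RANK_TIME, ["time", "/t"]),
    ("logged-on users", RANK_KERNEL, ["psloggedon"]),
    ("process tree", RANK_KERNEL, ["pslist", "-t"]),
    ("connections", RANK_KERNEL, ["netstat", "-an"]),
    ("arp cache", RANK_KERNEL, ["arp", "-a"]),
    ("interfaces", RANK_KERNEL, ["ipconfig", "/all"]),
    ("command history", RANK_KERNEL, ["doskey", "/history"]),
    ("temp directory", RANK_TEMP, ["cmd", "/c", "dir", r"%TEMP%"]),
]


def md5_hex(data):
    """Integrity value recorded for each tool's output (slide 34)."""
    return hashlib.md5(data).hexdigest()


def utc_now_iso():
    return datetime.now(timezone.utc).isoformat()


def run_command(argv):
    """Default executor: run a tool from the trusted toolkit, capture stdout.
    In a real run the toolkit binaries come from your own media, not the
    suspect machine's PATH (slide 28: do not rely on the suspect machine)."""
    return subprocess.run(argv, capture_output=True, check=False).stdout


def collect(tasks, executor=run_command, clock=utc_now_iso):
    """Run `tasks` (label, rank, argv) most-volatile first, bracketed by
    start/end timestamps, and return the logbook: one entry per command
    with its timestamp, argv, and the MD5 and size of its output."""
    log = []

    def record(label, argv, output):
        log.append({"timestamp": clock(), "label": label, "argv": list(argv),
                    "md5": md5_hex(output), "bytes": len(output)})

    record("session-start", [], b"")
    # sorted() is stable: equal ranks keep the order the analyst listed them in
    for label, rank, argv in sorted(tasks, key=lambda t: t[1]):
        record(label, argv, executor(argv))
    record("session-end", [], b"")
    return log


def format_logbook(log):
    """Plain-text logbook, one line per entry, for the case file."""
    return "\n".join(
        f"{e['timestamp']}  {e['label']:<16}  md5={e['md5']}  "
        f"bytes={e['bytes']}  cmd={' '.join(e['argv'])}"
        for e in log)


if __name__ == "__main__":
    print(format_logbook(collect(SAMPLE_TASKS)))
```

The executor and clock are injectable so the logbook logic can be exercised with canned output; on a live system the real executor runs, and the logbook (plus the raw outputs) goes to the transmission/storage location set up beforehand rather than to the suspect disk.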

  36. System Time

  37. Systeminfo.exe • XP and 2003

  38. Uptime • Uptime from www.dwam.net/docs/aintx • Psinfo from Sysinternals

  39. Users
     • Psloggedon (Sysinternals)
     • Netusers.exe (Somarsoft)
       • Two switches
         • /l local logged on
         • /h history
     • Net session
       • Users
       • Name / IP of client
       • Client type

  40. Processes
     • Identify
       • Executable
       • Command line used
       • How long was it running?
       • Security context
       • Modules or DLLs it’s accessing
       • Memory used

  41. Pslist • Sysinternals

  42. Task Manager

  43. Pslist -t

  44. ListDLLs • Sysinternals

  45. handle • Sysinternals

  46. Tasklist

  47. PS • Aintx

  48. Cmdline • DiamondCS • www.diamondcs.com.au

  49. Process Memory • Current state of processes • Passwords • Server addresses • Remote connections

  50. pmdump • www.NTSecurity.nu
