Packet and Protocol Analysis
Section II. Basic Forensic Techniques and Tools
CSF: Forensics Cyber-Security MSIDC, Spring 2017
Nuno Santos
Summary
! Packet and protocol analysis
2016/17 MSIDC - CSF - Nuno Santos 2
Recall from last class
! How to interpret a network trace?
! A network trace is a linearized bit-copy of collected data exchanged over the network
! Need to understand some basic networking concepts
[Figure: computer network -> network trace file (010101101011110000…)]
Started with a practical example
! Accessed URL: http://www.publico.pt
! Collected network trace on a local file
[Figure: client accessing the Internet]
Basic concepts involved
[Figure: sender and receiver, each identified by an IP address, exchanging packets (HTTP GET index.htm) across the network infrastructure / Internet; protocols involved: HTTP and TCP/IP]
Connected across multiple networks
! Computers are not wired directly but linked through interconnected networks (IP = Internet Protocol)
[Figure: 146.193.41.201 and 195.23.42.21 connected through Network 1, Network 2 and Network 3 by routers and switches]
Within a network, computers use MAC addresses
! Media Access Control address (MAC address)
  ! Unique identifier assigned to network interfaces for communications at the data link layer of a network segment
  ! Used as network addresses for Ethernet and WiFi
! Can be used to track the source of traffic within a network
  ! Packets forwarded to the Internet do not carry the sender's MAC address (it is only meaningful on the local network segment)
! Can be used to classify the type of machine
  ! Due to its internal structure (the first three bytes identify the interface vendor)
  ! http://www.macvendorlookup.com/
Our focus today
[Figure: the same sender/receiver diagram, now highlighting the packets and the protocols (HTTP over TCP/IP)]
Packet and Protocol Analysis
Coming back to our network trace
Packet sniffing and packet sniffers
! Packet sniffing is the act of looking at packets as computers pass them over networks
! Packet sniffing is performed using packet sniffers
  ! These programs are designed to capture raw data as it crosses the network and translate it into a human-readable format for analysis
  ! Can be configured to capture only the relevant packets
! Packet sniffers range from simple command-line programs, like tcpdump, to complex programs with a GUI
Packet sniffers: Tcpdump
! tcpdump is the granddaddy of all open source packet sniffers
! Uses libpcap, which contains a set of system-independent functions for packet capture and network analysis
  ! Also used by Wireshark
[Figure: software stack: tcpdump -> libpcap -> network device driver -> network device]
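The trace file that tcpdump and Wireshark produce through libpcap is exactly the "linearized bit-copy" from the previous slides: a 24-byte global header followed by one 16-byte record header plus the captured bytes per frame. The following Python code is an added example (not part of the slides) that writes frames into the classic pcap layout and reads them back, checking every record length against the snaplen so that a truncated or edited capture is caught instead of silently mis-parsed. The frames are constructed dummy bytes; the layout constants are those of the classic libpcap format (magic 0xa1b2c3d4, link type 1 = Ethernet).

```python
import struct
from typing import List, Tuple

# Classic libpcap file layout (little-endian writer, microsecond timestamps)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1                      # DLT_EN10MB: records are Ethernet frames
GLOBAL_HEADER = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, network
RECORD_HEADER = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)


def write_pcap(frames: List[Tuple[float, bytes]], snaplen: int = 65535) -> bytes:
    """Serialise (timestamp, raw frame) pairs into a pcap byte string."""
    out = bytearray(GLOBAL_HEADER.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in frames:
        captured = frame[:snaplen]         # a sniffer keeps only the first snaplen bytes of long frames
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += RECORD_HEADER.pack(sec, usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data: bytes) -> List[dict]:
    """Parse a pcap byte string into one dict per record, refusing inconsistent lengths."""
    if len(data) < GLOBAL_HEADER.size:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:              # same format written by a big-endian host
        order = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    gh = struct.Struct(order + "IHHiIII")
    rh = struct.Struct(order + "IIII")
    _, _major, _minor, _tz, _sig, snaplen, linktype = gh.unpack_from(data, 0)
    records = []
    off = gh.size
    while off < len(data):
        if off + rh.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl, orig = rh.unpack_from(data, off)
        off += rh.size
        if incl > snaplen or off + incl > len(data):
            raise ValueError("record at offset %d claims %d bytes, file has fewer" % (off, incl))
        records.append({"ts": sec + usec / 1e6, "incl_len": incl, "orig_len": orig,
                        "linktype": linktype, "frame": data[off:off + incl]})
        off += incl
    return records


if __name__ == "__main__":
    # Constructed sample: two dummy frames, the second longer than the snaplen
    blob = write_pcap([(1.5, b"\xaa" * 60), (2.25, b"\xbb" * 100)], snaplen=80)
    for rec in read_pcap(blob):
        print("t=%.6f captured %d of %d bytes" % (rec["ts"], rec["incl_len"], rec["orig_len"]))
```

Because `incl_len` and `orig_len` are stored separately, the reader can tell a frame that was short on the wire from one the sniffer truncated, which matters when a payload later turns out to be incomplete.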
Packet example
Packet network layers
! Packets are encoded according to network layers
! Each layer plays a role in abstracting out details of lower levels
[Figure: packet layers, ordered by increasing network layer]
Layers are packaged “inside” each other
Wireshark lets us navigate across each layer
The IP protocol layer
! IP protocol: provides for sending / receiving IP packets between any two nodes featuring valid IP addresses
[Figure: an IP packet]
Routing an IP packet
! IP packet: header + payload
! Header contains several fields: Source IP, Destination IP
[Figure: IP packet routed from 146.193.41.201 to 195.23.42.21 through a router and a switch]
Format of an IP header
IP protocol
But the sender IP was not the one expected…
! What we observed: 193.136.128.7
! What we expected: 195.23.42.21
Any ideas why?
Is there a proxy serving web requests?
! Request served by web proxy: a local cache of web pages
[Figure: 146.193.41.201 -> web proxy 193.136.128.17 -> router / switch -> 195.23.42.21; the captured IP packet is exchanged with the proxy]
Let’s validate this hypothesis
! Check the client config
! Check the proxy IP
Yes! It’s a proxy!
Next step: Investigate the IP packet payload
[Figure: IP packet with its payload highlighted]
How to parse the IP packet payload?
! Need to know which transport protocol carries the payload (indicated by the Protocol field of the IP header)
The role of the TCP protocol
[Figure: 146.193.41.201 -> router / switch -> web proxy 193.136.128.17]
! IP is best effort: packets can be dropped by routers along the way
! TCP provides the abstraction of a stream / flow on top of IP packets
! Ensures packets are delivered (1) reliably, (2) in order, (3) without duplicates
[Figure: IP packets carried within a TCP flow]
Each endpoint maintains sequence number
1. Client sends a SYN to the server. The client sets the segment's sequence number to a random value m
2. Server replies with a SYN-ACK. The acknowledgment number is set to m+1, and the sequence number the server chooses for the packet is another random number n
3. Client sends an ACK back to the server
TCP session establishment
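The three steps above define what a forensic analyst should expect to see at the start of every TCP flow in a trace, and Wireshark's "relative sequence numbers" are simply each side's numbers minus its initial sequence number. The following Python code is an added example (not part of the slides) that checks the first three segments of a flow against those rules, reports what is wrong when they do not hold (for instance a SYN that never got a SYN-ACK), and rewrites the numbers relative to the two ISNs. The segments, including the proxy port 3128, are constructed sample values; only the IP addresses come from the slides.

```python
from dataclasses import dataclass
from typing import List, Tuple

SYN, ACK = 0x02, 0x10    # bit positions of the SYN and ACK flags in the TCP header
MASK32 = 0xFFFFFFFF      # sequence numbers wrap modulo 2^32


@dataclass
class Segment:
    src: str      # "ip:port" of the sender (constructed sample values in the tests)
    dst: str      # "ip:port" of the receiver
    flags: int
    seq: int
    ack: int


def check_handshake(segs: List[Segment]) -> dict:
    """Verify the three-way handshake in the first three segments of a flow.

    Returns the ISNs found and a list of problems; an empty list means the handshake is sound."""
    if len(segs) < 3:
        return {"complete": False, "problems": ["fewer than three segments: handshake never completed"]}
    s1, s2, s3 = segs[:3]
    client, server = s1.src, s1.dst
    m, n = s1.seq, s2.seq
    problems = []
    # 1. SYN from the client carrying its initial sequence number m
    if s1.flags & (SYN | ACK) != SYN:
        problems.append("first segment is not a pure SYN")
    # 2. SYN-ACK from the server: acknowledges m+1 and carries the server's ISN n
    if (s2.src, s2.dst) != (server, client):
        problems.append("second segment does not travel from server to client")
    if s2.flags & (SYN | ACK) != (SYN | ACK):
        problems.append("second segment is not a SYN-ACK")
    if s2.ack != (m + 1) & MASK32:
        problems.append("SYN-ACK acknowledges %d, expected m+1 = %d" % (s2.ack, (m + 1) & MASK32))
    # 3. ACK from the client acknowledging n+1 (and, as TCP requires, carrying seq m+1)
    if (s3.src, s3.dst) != (client, server):
        problems.append("third segment does not travel from client to server")
    if s3.flags & (SYN | ACK) != ACK:
        problems.append("third segment is not a pure ACK")
    if s3.ack != (n + 1) & MASK32:
        problems.append("final ACK acknowledges %d, expected n+1 = %d" % (s3.ack, (n + 1) & MASK32))
    if s3.seq != (m + 1) & MASK32:
        problems.append("final ACK carries seq %d, expected m+1" % s3.seq)
    return {"complete": not problems, "client_isn": m, "server_isn": n, "problems": problems}


def relative_seq(segs: List[Segment], client_isn: int, server_isn: int) -> List[Tuple[int, int]]:
    """Rewrite each segment's (seq, ack) relative to the ISNs, as Wireshark displays by default.

    The client is the sender of the first segment; a segment without ACK set reports ack 0."""
    client = segs[0].src
    out = []
    for s in segs:
        own, other = (client_isn, server_isn) if s.src == client else (server_isn, client_isn)
        rel_ack = (s.ack - other) & MASK32 if s.flags & ACK else 0
        out.append(((s.seq - own) & MASK32, rel_ack))
    return out


if __name__ == "__main__":
    c, s = "146.193.41.201:51234", "193.136.128.17:3128"   # constructed ports
    flow = [Segment(c, s, SYN, 1000, 0), Segment(s, c, SYN | ACK, 5000, 1001), Segment(c, s, ACK, 1001, 5001)]
    print(check_handshake(flow))
    print(relative_seq(flow, 1000, 5000))
```

A flow whose first segment is a SYN with no matching SYN-ACK is exactly what a port scan or a filtered service looks like in a trace, so the "fewer than three segments" result is itself a finding rather than an error.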
We can see the entire TCP message exchange
TCP header layout
TCP protocol
Port Numbers
! If a computer is identified by an IP, port numbers differentiate applications within the same computer
! https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Well-known port numbers
! A few examples:
Next step: Investigate the IP packet payload
[Figure: IP packet -> IP packet payload -> TCP packet payload; the TCP payload contains an HTTP request]
2016/17 MSIDC - CSF - Nuno Santos 34
Wireshark lets us follow the TCP stream
[Figure: Wireshark "Follow TCP Stream" view: client => proxy (request) and proxy => client (response)]
Last missing step: Ethernet frame
[Figure: IP packet enclosed in a link layer frame]
Link layer: carrier of IP packets within networks
! The Ethernet protocol is used by the client to send the IP packet to the router
[Figure: 146.193.41.201 -> router / switch -> web proxy 193.136.128.17; the IP packet travels inside an Ethernet frame]
Format of Ethernet frame
! MAC addresses are used for message delivery
! The IP packet is enclosed inside the data payload
Let’s inspect the Ethernet frame of our IP packet
A case study
! You are the manager of a company and receive a tip that an employee is using his computer to view images that violate the company’s computer use policy
! You then hire a forensics investigator to assist in the matter and, together, decide to monitor the suspected employee’s activity on the network for the next week
! Goal: determine whether there is evidence to support or refute the claim that the employee viewed such images
Case study: Search through the packets
! After capturing the packets, search through them to identify images that violate the policy
Case study: Perform file carving
! Export the portion of the payload that contains the bytes of the image
Case study: Caught in procrastination!
! Exported image created from exported bytes
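The export step of the case study is file carving: cutting the image bytes out of the reassembled "proxy => client" half of the TCP stream. The following Python code is an added example (not from the slides) that does this for one HTTP response, using Content-Length to bound the body, confirming the file type from its signature rather than trusting the Content-Type header, and recording a SHA-256 of the carved bytes so the exported file can later be tied back to the capture. A signature-scanning fallback for JPEG data covers streams whose headers are missing or unusable. The response and its image bytes are a constructed sample (a PNG signature followed by dummy bytes, not a decodable picture).

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# File signatures used to confirm what the carved bytes are, independent of the HTTP headers
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}


def identify(data: bytes) -> Optional[str]:
    """Return the file type whose signature the data starts with, or None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def carve_http_body(stream: bytes) -> Dict:
    """Cut the entity body out of one reassembled HTTP/1.x response and describe it for the evidence log."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no end of HTTP headers in stream")
    head, body = stream[:sep].decode("latin-1"), stream[sep + 4:]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = headers.get("content-length")
    if length is not None:
        wanted = int(length)
        if len(body) < wanted:          # the capture ended (or the snaplen cut) before the image was complete
            raise ValueError("body truncated: %d of %d bytes captured" % (len(body), wanted))
        body = body[:wanted]            # anything after it belongs to the next response on the connection
    claimed = headers.get("content-type", "").split(";")[0].split("/")[-1] or None
    return {"status": lines[0], "claimed_type": claimed, "carved_type": identify(body),
            "size": len(body), "sha256": hashlib.sha256(body).hexdigest(), "data": body}


def carve_jpegs(raw: bytes) -> List[Tuple[int, int]]:
    """Signature carving fallback: every SOI marker (FF D8 FF) up to the next EOI marker (FF D9).

    Returns (start, end) byte ranges; an embedded EXIF thumbnail can cause an early EOI, so
    carved ranges should still be opened and checked."""
    ranges = []
    for match in re.finditer(b"\xff\xd8\xff", raw):
        end = raw.find(b"\xff\xd9", match.end())
        if end >= 0:
            ranges.append((match.start(), end + 2))
    return ranges


def build_sample_stream() -> bytes:
    """Constructed 'proxy => client' data: a 200 response with PNG-signature bytes, then a second response."""
    image = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
    first = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: %d\r\n"
             b"Connection: keep-alive\r\n\r\n" % len(image)) + image
    return first + b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"


if __name__ == "__main__":
    info = carve_http_body(build_sample_stream())
    print(info["status"], info["claimed_type"], info["carved_type"], info["size"], info["sha256"])
    with open("carved." + (info["carved_type"] or "bin"), "wb") as fh:
        fh.write(info["data"])
```

A mismatch between `claimed_type` and `carved_type` is worth noting in the report: the header is whatever the server (or proxy) chose to send, while the signature reflects the bytes that actually reached the client.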
Conclusions
! Packet and protocol analysis play a fundamental role in network forensics
! Typical communications are centered around TCP/IP protocols, which tend to be structured in network layers
! Packet analysis tools like Wireshark allow us to interpret the content of individual packets and flows
References
! Primary bibliography
  ! [Casey11], Chapter 21, 23.2.2
Next class
! Web and E-Mail forensics