Copyright 2005 Richard Bejtlich
Network Forensics Primer
Richard [email protected]
www.taosecurity.com / taosecurity.blogspot.com
Look sharp, troops. It's time to learn network forensics.
Overview
• Introduction
• What is Network Forensics?
• Collecting Network Traffic as Evidence
• Protecting and Preserving Network-Based Evidence
• Analyzing Network-Based Evidence
• Presenting and Defending Conclusions
• Conclusion
Overview
• Introduction
– Speaker biography
– Purpose of course
– Why network forensics
– Course outline
What better way to relate to a law enforcement audience than to turn to the finest crime fighter of the 80s -- TJ Hooker?
Introduction
• Bejtlich ("bate-lik") biography
– TaoSecurity LLC (05-present)
– ManTech (04-05)
– Foundstone (02-04)
– Ball Aerospace (01-02)
– Captain at US Air Force CERT (98-01)
– Lt at Air Intelligence Agency (96-98)
• Author
– Tao of Network Security Monitoring: Beyond Intrusion Detection (solo, Addison-Wesley, Jul 04)
– Extrusion Detection: Security Monitoring for Internal Intrusions (solo, Addison-Wesley, Dec 05 - Jan 06)
– Real Digital Forensics (co-author, Addison-Wesley, Sep 05)
– Contributed to Incident Response, 2nd Ed and Hacking Exposed, 4th Ed
Introduction
• Purpose of course
– Introduce ways to collect, protect, analyze, and present network-based evidence
– Host-based forensics is not addressed
• For more coverage of host-based forensics, I recommend Incident Response, 2nd Ed by Mandia, Prosise, and Pepe
– Share experiences conducting real network forensics
– Encourage attendees to plan to perform network forensics prior to an incident, not during an incident
– This course is an introduction to material I present for an entire day elsewhere
• Network Security Operations (www.taosecurity.com/training.html)
• Network Forensics at USENIX LISA (www.usenix.org/events/lisa05)
• Items in blue are not expanded upon in this hour-long talk
Introduction
• Why network-based evidence?
– Host-centric forensics is an established discipline, but many investigators ignore or do not understand network traffic
– Network-based evidence can be found everywhere
– Network-based evidence can be easy to collect -- without anyone's notice
• Network forensics should always be performed!
I'm sold. Let's talk network forensics!
Rookies...
Introduction
[Figure: The Security Process, a cycle of Plan, Protect, Detect, and Respond. Surrounding labels: Defensible Network Architecture, Network Security Monitoring, Pervasive Network Awareness, Network Incident Response, Network Forensics, Traffic Threat Assessment, Preparation for Incident Response]
Overview
• What is Network Forensics?
– Definitions
– Evidence guidelines
– Daubert
– Kumho
To Serve and to Protect Packets
You can't carry enough weaponry when performing network forensics. Phasers on stun.
What is Network Forensics?
• The "network" in "network forensics" != "computer"
– Network here means "relating to packets" or "network traffic"
• Definition of forensics (dictionary.com)
– Relating to, used in, or appropriate for courts of law or for public discussion or argumentation.
– Of, relating to, or used in debate or argument; rhetorical.
– Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law: a forensic laboratory.
• Many claim to perform network forensics, but most of these practitioners are probably just capturing packets
– These guidelines will elevate your game to forensic levels
• Forensics helps with "patch and proceed" or "pursue and prosecute"
What is Network Forensics?
• Evidence Guidelines: three broad sources
– Federal Rules of Evidence
– Daubert v. Merrell Dow Pharmaceuticals, Inc., 113 S. Ct. 2786 (1993)
– Kumho Tire Company, Ltd v. Patrick Carmichael, 119 S. Ct. 1167 (March 23, 1999)
Good grief Spock, what happened to your ears?
Let it go, Bill.
What is Network Forensics?
• Daubert criteria
– “[W]hether it [a scientific theory or technique] can be (and has been) tested”
– “[W]hether the theory or technique has been subjected to peer review and publication”
– “[C]onsider the known or potential rate of error... and the existence and maintenance of standards controlling the technique's operation”
– “The technique is ‘generally accepted’ as reliable in the relevant scientific community”
• The better your network forensic methodology meets these criteria, the more success you will have in the board room or court room
What is Network Forensics?
• Kumho findings
– Required the Court “to decide how Daubert applies to the testimony of engineers and other experts who are not scientists.”
– “Daubert's general holding -- setting forth the trial judge's general ‘gatekeeping’ obligation -- applies not only to testimony based on ‘scientific’ knowledge, but also to testimony based on ‘technical’ and ‘other specialized’ knowledge.”
– “[A] trial court may consider one or more of the more specific factors that Daubert mentioned when doing so will help determine that testimony's reliability.”
– Introduced a level of “flexibility” and discretion into the process of accepting expert witness testimony.
– “Daubert's list of specific factors neither necessarily nor exclusively applies to all experts or in every case. Rather, the law grants a district court the same broad latitude when it decides how to determine reliability as it enjoys in respect to its ultimate reliability determination.”
Collecting Network Traffic as Evidence
• Secure the sensor
• Limit access to the sensor
• Position the sensor properly
• Verify the sensor collects traffic as expected
• Determine sensor failure modes
• Recognize and compensate for collection weaknesses
• Use trusted tools and techniques
• Document and automate the collection process
Nice bandana and "workout gloves", Adrian.
Collecting Network Traffic as Evidence
• Position the sensor properly
• Consider the perimeter monitoring scenario at right
– Perimeter is the easiest place to monitor
– However, the sensor as shown may not be able to see all the traffic an analyst needs to understand the scope of an intrusion
• Alternative deployments shown on following slides
Collecting Network Traffic as Evidence
• At left we monitor perimeter (via tap) and DMZ (via switch SPAN)
• At right we add a filtering bridge/sensor to watch and/or control a high value target
Collecting Network Traffic as Evidence
• Don't forget to accommodate address translation issues
• Here we add a second interface behind the gateway
Collecting Network Traffic as Evidence
• This network shows a variety of instrumentation options
Collecting Network Traffic as Evidence
• My preferred platform for serious monitoring at a reasonable cost is configured as follows
– Appliance: Dell PowerEdge 750 1U rackmount server
– 512 MB RAM
– Intel PIV 2.8 GHz CPU
– 2 x 250 GB SATA drives in RAID 0 configuration
– Dual onboard NICs plus extra dual NICs
– Approximately $2,000 without discounts
– OS: FreeBSD 5.4 RELEASE (sample dmesg output at http://www.nycbug.org/?NAV=dmesgd&dmesgd_criteria=&dmesgid=647#647)
– Network access: Net Optics tap (http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=4&Section=products&menuitem=1)
Collecting Network Traffic as Evidence
• Consider using Network Security Monitoring principles to guide your data collection strategies
– Alert data (Snort, other IDSs)
• Traditional IDS alerts or judgments (“RPC call!”)
• Context-sensitive, either by signature or anomaly
– Full content data (Tcpdump)
• All packet details, including application layer
• Expensive to save, but always the most granular analysis
– Session data (Argus, SANCP, NetFlow)
• Summaries of conversations between systems
• Content-neutral, compact; encryption no problem
– Statistical data (Capinfos, Tcpdstat)
• Descriptive, high-level view of aggregated events
• Sguil (www.sguil.net) is an interface to much of this in a single open source suite
Collecting Network Traffic as Evidence
• Collect network traffic using NSM principles
Collecting Network Traffic as Evidence
• Verify the sensor collects traffic as expected
Protecting and Preserving Network-Based Evidence
• Hash traces after collection and store hashes elsewhere
• Understand forms of evidence
• Copy evidence to read-only media when possible
• Create derivative evidence
• Follow chains of evidence
Beam me up, Scotty. Bill's lost it.
Protecting and Preserving Network-Based Evidence
• Understand forms of evidence
• Best evidence: original form of network-based evidence available to the investigator
– If the NBE is given to the investigator as an attachment in an email, that email and its attachment is the investigator’s best evidence.
– It is much preferred from a forensic standpoint to obtain the original file containing traffic as it was written to a hard drive.
• Best evidence should, to the extent practically possible, never be analyzed directly.
– Rather, investigators should make working copies of the best evidence, and analyze those duplications.
– Network traffic saved on a sensor is the best evidence available.
– Copies of that traffic transferred to a central location become working copies.
Protecting and Preserving Network-Based Evidence
• Create derivative evidence
1. Ensure you have a SHA256 hash of the original file stored in a safe location.
2. After verifying the hashes match, use the desired Tcpdump filter to extract packets of interest to a new file and directory.
elise@bourque$ tcpdump -n -r 2005-06-01-14\:23\:41.bourque.taosecurity.com.ngeth0.lpc \
  -w /home/analyst/2005-06-01-14\:23\:41.bourque.taosecurity.com.ngeth0.lpc.excerpt \
  port 80
reading from file 2005-06-01-14:23:41.bourque.taosecurity.com.ngeth0.lpc, link-type EN10MB (Ethernet)
3. Hash the resulting file locally and remotely.
4. Copy the remote file to the local workstation.
5. Make multiple copies of the new local evidence file, and analyze them at will.
6. Document these steps on both platforms.
Analyzing Network-Based Evidence
• Validate results with more than one system
• Beware of malicious traffic
• Document not just what you find, but how you found it
• Follow a methodology
You know the ladies used to call me "Jim Kirk." You wouldn't happen to be a green alien...?
Analyzing Network-Based Evidence
• Validate results with more than one system
– Use different tools. Example: Tcpdump, Snort, Ethereal
– Use different operating systems. Example: Unix (BSD, Linux, Solaris), Windows
– Use different architectures. Example: x86, SPARC
– Use different libraries. Example: Libpcap, Data Link Provider Interface (DLPI on Solaris, http://docs.sun.com/app/docs/doc/816-0222/6m6nmlstj?q=dlpi&a=view)
I'm quite an expert with the police baton, aka the "tonfa" to you martial arts types.
Analyzing Network-Based Evidence
• Follow a methodology
1. Make a new directory on the analysis platform to contain data provided by the client or collected by yourself.
2. Copy the evidence provided by the client into the analysis directory.
3. Change the permissions of the copy to ensure the analyst user cannot accidentally modify the file.
4. Hash the file and copy the hash elsewhere.
5. Use the Capinfos program packaged with Ethereal to gain initial statistics on the capture file.
6. Run Dave Dittrich’s Tcpdstat to obtain basic statistics on the trace.
7. Extract sessions from the trace using Argus.
8. Gain some high-level idea of the contents of the Argus file with Racount.
Analyzing Network-Based Evidence
• Follow a methodology (continued)
9. Use the Rahosts program to create an ordered list of all of the IP addresses seen in the Argus data.
10. (optional) Confirm the number of Argus records.
11. (optional) Enumerate source IP, dest IP, dest port combos.
12. Perform traffic threat assessment.
13. (optional) Process trace with Snort to find obviously malicious events, or build custom signatures.
When hitting suspects, it's important to keep your eyes closed! Tonfa-chop!
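The following is an added example and is not code from these slides or from any of the tools they name. It walks the "create derivative evidence" steps (slide 24), the analysis methodology (slides 27 and 28), and the full-content-to-session/statistical-data reduction of slide 19 with a small pure-Python libpcap reader, so that it runs offline with nothing but the standard library. The reader stands in for Tcpdump, Capinfos, Tcpdstat, Argus and Rahosts; the trace, the addresses in it and the file names are constructed for the example and are not evidence from any real case.

```python
"""Added example, not from the slides: a tiny pure-Python libpcap reader that walks the
evidence-handling steps offline, standing in for tcpdump, Capinfos, Argus and Rahosts."""
import hashlib, ipaddress, os, shutil, stat, struct, tempfile
from collections import defaultdict

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def build_packet(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame for the constructed sample trace (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp

def write_pcap(path, records):
    """Classic libpcap layout: 24-byte global header, then a 16-byte header per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, frame in records:
            f.write(struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)))
            f.write(frame)

def read_pcap(path):
    """Yield (timestamp, frame). A short read is an error, not skipped: a truncated trace is a sensor failure mode to document."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) != 24 or struct.unpack("<I", hdr[:4])[0] != PCAP_MAGIC:
            raise ValueError("not a little-endian libpcap file")
        while rec := f.read(16):
            if len(rec) < 16:
                raise ValueError("truncated record header")
            ts_sec, ts_usec, caplen, _ = struct.unpack("<IIII", rec)
            frame = f.read(caplen)
            if len(frame) != caplen:
                raise ValueError("truncated record")
            yield ts_sec + ts_usec / 1e6, frame

def parse_frame(frame):
    """Return (src, dst, sport, dport) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 18 + ihl:
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34])), sport, dport

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def extract_port(src_path, dst_path, port):
    """Same effect as 'tcpdump -n -r src -w dst port N': copy only records using that TCP port."""
    kept = [(ts, fr) for ts, fr in read_pcap(src_path) if (p := parse_frame(fr)) and port in (p[2], p[3])]
    write_pcap(dst_path, kept)
    return len(kept)

def analyze(evidence_path, analysis_dir):
    """Methodology steps 1-9 plus the derivative-evidence steps, hashing at every stage."""
    os.makedirs(analysis_dir, exist_ok=True)                      # 1. new analysis directory
    working = os.path.join(analysis_dir, os.path.basename(evidence_path))
    shutil.copyfile(evidence_path, working)                        # 2. work on a copy, never the original
    os.chmod(working, stat.S_IRUSR | stat.S_IRGRP)                 # 3. analyst cannot modify it by accident
    log = [("best_evidence", sha256_file(evidence_path)), ("working_copy", sha256_file(working))]
    if log[0][1] != log[1][1]:                                     # 4. hash, and verify the copy before use
        raise RuntimeError("working copy does not match best evidence")
    records = list(read_pcap(working))
    times = [ts for ts, _ in records]
    stats = {"packets": len(records), "bytes": sum(len(fr) for _, fr in records),  # 5-6. capinfos/tcpdstat view
             "duration": max(times) - min(times) if times else 0.0}
    sessions = defaultdict(lambda: [0, 0])                         # 7-8. argus-style session summaries
    for _, fr in records:
        if p := parse_frame(fr):
            key = tuple(sorted([(p[0], p[2]), (p[1], p[3])]))      # bidirectional flow key
            sessions[key][0] += 1
            sessions[key][1] += len(fr)
    hosts = sorted({ep[0] for key in sessions for ep in key}, key=ipaddress.IPv4Address)  # 9. rahosts list
    excerpt = working + ".excerpt"                                 # derivative evidence: port 80 only
    stats["port80_packets"] = extract_port(working, excerpt, 80)
    log.append(("excerpt", sha256_file(excerpt)))                  # hash the derivative too; store the log elsewhere
    return {"stats": stats, "sessions": dict(sessions), "hosts": hosts, "log": log}

SAMPLE = [  # constructed traffic: two HTTP exchanges and one SSH connection attempt
    (1117636800.0, build_packet("10.1.1.5", "192.0.2.10", 40001, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (1117636800.2, build_packet("192.0.2.10", "10.1.1.5", 80, 40001, b"HTTP/1.0 200 OK\r\n\r\n")),
    (1117636801.0, build_packet("10.1.1.6", "192.0.2.10", 40002, 80, b"GET /x HTTP/1.0\r\n\r\n")),
    (1117636802.5, build_packet("10.1.1.5", "192.0.2.22", 40003, 22, b"SSH-2.0-client\r\n")),
]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "sensor", "2005-06-01.sensor.ngeth0.lpc")  # hypothetical file name
        os.makedirs(os.path.dirname(evidence))
        write_pcap(evidence, SAMPLE)
        return analyze(evidence, os.path.join(tmp, "case-001"))
```

Run demo() and inspect the returned dictionary: the hash log shows the best-evidence and working-copy hashes matching and the excerpt hash differing, the session table is the content-neutral view slide 19 describes, and the excerpt is the equivalent of the tcpdump "port 80" extraction on slide 24. In practice the log entries go to a separate system, as the slides say, and the read-only working copy is what every later tool touches.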
Presenting and Defending Conclusions
• Forget the OSI model
• Obtain relevant certifications
• Consider how you would attack the evidence
Up front, Officer Locklear. We'll take cover behind that mane of yours.
Presenting and Defending Conclusions
• Forget the OSI Model
Presenting and Defending Conclusions
• Forget the OSI model
– TCP/IP is like the postal service. It gets messages across the globe or country.
– TCP packets are like messages sent via certified mail.
– UDP packets are like normal, best-effort mail delivery. Nothing is guaranteed but drops are not that common.
– An IP address is like the street address on an envelope.
– A hostname is like a well-known name for a specific location. If an IP address is like 1600 Pennsylvania Avenue, Washington DC, a hostname is like “The White House.”
– A TCP or UDP port is like the name of a person. Multiple people can reside at any address. Names help sort out the recipient of the letter.
Presenting and Defending Conclusions
• Obtain relevant certifications
– Certified Information Systems Security Professional: CISSP is the must-have certification for security professionals; while its technical merits are lacking, I find its Code of Ethics valuable.
– Certified Information Forensics Investigator: CIFI is a vendor-neutral forensics certification sponsored by the International Information Systems Forensics Association; will help demonstrate your knowledge of core forensic investigation principles.
– Cisco Certified Network Associate: CCNA is Cisco’s entry-level networking certification; shows a basic level of comprehension of networking and device configuration.
Conclusion
• This presentation introduced key points on network forensics
• For more information, attend my next day-long class and/or read my books
• Contact me at [email protected]
Never shoot from the gut when doing network forensics. Warp speed, Mr. Sulu!
References
• Tools
– Snort: www.snort.org
– Tcpdump: www.tcpdump.org
– Ethereal, Tethereal, Capinfos: www.ethereal.org
– Argus: www.qosient.com/argus
– SANCP: www.metre.net/sancp.html
– Tcpdstat: staff.washington.edu/dittrich/talks/core02/tools/tools.html
– NetFlow format: www.cisco.com/go/netflow
• Certifications
– CISSP: www.isc2.org
– CISSP code of ethics: www.isc2.org/cgi/content.cgi?category=12
– CIFI: www.iisfa.org
– CCNA: www.cisco.com/go/ccna