Index
Access control lists (ACLs), firewall, 359–60
Access logfile, Squid, 378
Active Directory domain controllers, 5
Active Directory events, 5
Activity pattern matching, 173, 175–77
elements, 175
Address Resolution Protocol (ARP), 53–54, 338
Admissibility of evidence, 17
Advanced Encryption Standard (AES), 211
Advanced persistent threat (APT), 480–84
term, early usage of, 481
AIM. See AOL Instant Messenger (AIM)
AirPcap USB adapter, 51
AirPort Express, 351
Alerts
data, 265
fidelity, 261
NIDS/NIPS functionality, 260–61
“Tcp Window Scale Option,” 284–85
Ann Tunnels Underground (case study), 441–59
challenge questions, response to, 458
next steps, 459
timeline, 456
tunneled IP packet analysis, 451–54
tunneled IP packets, quest for, 446–50
tunneled IP segment analysis, 454–56
Ann’s Aurora (case study), 492–517
challenge questions, response to, 515
overview of, 492
Ann’s Bad AIM scenario, 83–95, 100–101, 109, 131–33
Ann’s Coffee Ring (case study), 356–68
challenge questions, response to, 367
DNS stimulus and response, 364
explanations, potential, 366–67
firewall diagnostic commands, 357–58
prohibited connection attempts, 366–67
rogue system, 366
Ann’s Rendezvous (case study), 135–57
analysis (protocol summary), 135–36
challenge questions, response to, 155–56
email account monitoring, 157
overview of, 135
packet capture, further analysis of, 157
theory of the case, 155
timeline, 154
Antivirus evasion, early, 464
Antivirus scan/scanner, 7, 8, 371, 496, 512, 516
Antivirus signatures, 287, 420
Antivirus software, 463–64, 515
AOL Instant Messenger (AIM), 88
Ann’s Bad AIM scenario, 83–95, 100–101, 109, 131–33
OSCAR protocol and, 78, 88, 89
Apcupsd, 304
Apple
AirPort Express, 216–17, 342, 346, 351
Airport Extreme, 305
iChat, 88
Application proxies, 345
Application servers, 29, 300–301
Arbor Networks, 478
ASCII values associated with protocols, 83–84
Asleap tool, 213
Asymmetric warfare, 468
Attachment file carving in SMTP, 146–47
Attacks on wireless devices and networks, 224–28
rogue wireless access points, 225–27
WEP cracking, 228
Audit Record Generation and Utilization System. See Argus
Authentication
AAA logging, 355
PAP, 213
servers, 27
Authentication, authorization, and accounting (AAA) logging, 355
Authentication Header (AH), 427–28
Authentication logs, Linux, 299
BackTrack Linux, 51
Bakos, George, 391
Baselining in flow record analysis, 173, 174
Basic Service Set Identification (BSSID), 204, 233
Bejtlich, Richard, 481
Berkeley Packet Filter (BPF), 55–59
packet filtering with, 101
Binary values associated with protocols, 83–84
Bitmasking, 58
Blacklisting, 373
Bless hex editor, 99
Blog spam, 485
Bluetooth access point, 226–27
Border Gateway Protocol (BGP), 347
distributed management, 462–63
full-featured control, 463
implications for network forensics, 463
Storm, 462, 465, 469, 478, 479
Waledac, 464, 470–71, 478, 479, 487, 489–90
BPF. See Berkeley Packet Filter (BPF)
Bradley, Brian, 42
Buffered local logging, 353
intercepting traffic in, 47–49
optical, 47
twisted pair, 47
undersea cable cuts, 49
Cabling, 24
Cache-control, 372
expiration, 372
Camouflaging Worm (C-Worm), 475
Capturing evidence, 20
Carnegie Mellon, 163
Carpenter, Shawn, 482
Carriage-return/linefeeds (CRLFs), 147, 386–87
Cascade virus, 463
Case studies. See also individual case studies
Ann Tunnels Underground, 441–59
InterOptic Saves the Planet, Part 1, 276–87
InterOptic Saves the Planet, Part 2, 402–20
Catching a Corporate Pirate (real-world case), 6–7
potential ramifications, 6
questions, 6
results, 7
C&C. See Command-and-control channels (C&C)
Centralized C&C, 466
Centralized network log architecture, 307–8
Central log servers, 29
CERT, 170
Certificate authorities (CAs), 394–96
Challenge Handshake Authentication Protocol (CHAP), 213
China
cybersecurity attack and defense capabilities, 482–83
“Operation Aurora” and, 480–81
Circumstantial evidence, 12–13
ASA (See Cisco ASA)
Catalyst switches, 162
CiscoWorks Management Center, 342, 351
commercial enterprise tools, 233
enterprise wireless access points (3600 AP), 216
Inter-Switch Link (ISL), 424–25
Java-based cross-platform interfaces, 70
Java-based proprietary interfaces, 351
LEAP protocol, 213
NetFlow, 162, 163, 166–68, 170–71, 177, 179, 184
PEAP protocol, 213
RSPAN, 53
sensor software, 163
Wireless Location Appliance (WLA), 233, 234
WRT54G wireless router, 229
5500, 54
5505, 337, 338, 346, 349–50, 352, 354
Ann’s Coffee Ring (case study), 364, 366
Curious Mr. X (case study), 184–85, 187, 193–94
L0ne Sh4rk’s Revenge (case study), 318, 319
v8.3(2), 357
CLI. See Command-line interface (CLI)
Click fraud, 479
Cole, Eric, 11
Collector, definition of, 161
Collector placement and architecture, 169–70
congestion, 169
reliability, 169
security, 169
strategy for analysis, 170
Argus, 171
flow-tools, 171
nfdump, 171
NfSen, 171
Collision avoidance and detection, 201–2
Command-and-control channels (C&C)
in blending network activity, 478–79
centralized C&C, drawbacks of, 466
communications in network behavior of malware, 487–90
hiding, in encryption and obfuscation, 464
peer-to-peer, 469
Storm/Waledec peer-to-peer C&C system, 478
Command-line interface (CLI), 266
Commercial enterprise tools, 233
Computer network operations (CNOs), 482–83
Conficker worm, 468, 472–73, 475–76, 478–79, 488, 489
Configuration, NIDS/NIPS
evidence, 264
Snort, 269
Consumer-class firewalls, 346
Consumer-class routers, 342
Content-addressable memory (CAM), 25, 52–54, 69, 336–37
Content data, 265
Content filter/filtering, 370, 373–74, 400
subtypes, 205
Conversations
listing, in flow analysis, 109
TCP (See TCP conversations (in case study))
Cookies, 122
Correlation
Counter Mode with CBC-MAC Procotol (CCMP), 211
Covert network tunneling, 430–32
strategies, 430
Crocker, Steve, 77
CSMA/CA, 202
Curious Mr. X (case study), 184–97
analysis (first steps), 185–86
challenge questions, response to, 196
external attacker and port 22 traffic, 186–89
internal victim (192.30.1.101), 193–94
Daemon ports, variable, 472–73
DATA command in SMTP, 127
Data frames, 205
Decryptors and decryption keys, 464
Department of Homeland Security, 13, 468, 474
Department of Justice (DoJ), 12–15
DHCP. See Dynamic Host Configuration Protocol (DHCP)
3315, 123
3679 (Unused DHCP Option Codes), 105
Digital evidence. See Evidence
Digital Millennium Copyright Act (DMCA), 6
Direct evidence, 12
Directionality of flows, 175
Dirty values in flow record analysis, 173, 174
Dirty word list, 100
Disk cache, Squid, 379
Display filters
ICP, 374
centralized, drawbacks of, 466
IRC, 465
peer-to-peer C&C, 469
Distributed denial-of-service (DDoS) attacks, 462, 465
Distributed management, botnets and, 462–63
Distributed Management Task Force (DMTP), 294
Distributed scanning networks, 475
DNS. See Domain Name System (DNS)
Domain Name System (DNS), 26, 128–29. See also Ann Tunnels Underground (case study)
covert network tunneling, 431–32
forensic value, 26
higher-layer protocols, 128–29
queries, 129
recursion, 129
stimulus and response, 364
zone transfer, 128
Dow Chemical, 481
Downadup worm
W32.Downadup.A, 468, 476, 488, 489
W32.Downadup.C, 468, 472–73, 475–76
Draft Internetwork Protocol Specification, 37
Dynamic Host Configuration Protocol (DHCP), 122–25
exchange in, 124
forensic value of, 26
RFCs (See DHCP RFCs)
servers, 26
Dynamic Random-Access Memory (DRAM), 336
EAP. See Extensible Authentication Protocol (EAP)
802.11 protocol, 50, 51, 202–12
AES, 211
authentication, 213
802.11n in Greenfield mode, 220, 226
802.1X (See 802.1X)
network-byte order, 207
TKIP, 211
WPA, 211
WPA2, 211
impact on wireless networks, 213
implications for investigator, 213
Email account monitoring, 157
Email spam, 127, 462, 465, 471, 487
“Emerging Threats,” 269
Encapsulating Security Payload (ESP), 428
Encrypted web traffic, 392–400
access to (See Encrypted web traffic access)
forensic investigators and, 394
rise in, factors leading to, 393
TLS/SSL (See TLS/SSL-encrypted traffic)
Encrypted web traffic access, 396–400
Encryption and obfuscation, 463–65
C&C channels, hiding, 464
IDS/antivirus evasion, early, 464
modern, 464
End of file (EOF), 109
Enterprise-class firewalls, 345–46
Enterprise-class routers, 341–42
Entity Tag (ETag), 373
Environment, obtaining information on, 18
ESS capabilities, 223
Etherleak, 120
European Organization for Nuclear Research (CERN), 120–21
Event logging. See also Logging
Events of interest in analysis of evidence, 21
acquiring (See Evidence acquisition)
admissibility of, 17
analyzing (See Evidence analysis)
collecting (See Evidence collection)
content, 16
definition of, 9
direct, 12
forensic value of (See Evidence sources)
intercepting (See Evidence interception)
investigative strategies, 9–22
off-system, 376
prioritization of, 19
privacy, 16
seizure of, 17
storage, 16
volatile, 376
Evidence acquisition, 16, 45–72
conclusion, 72
inspection without access, 70–71
interactive, 45
passive, 45
traffic acquisition software, 54–65
corroboration, 21
events of interest, 21
interpretation, 21
recovery of additional evidence, 21
timeline, 21
capturing, 20
storing/transporting, 20
tips for, 20
application servers, 29
authentication servers, 27
cabling, 24
central log servers, 29
DHCP servers, 26
DNS servers, 26
switches, 25
Evil Bit set, 63
Evolution-Data Optimized (EV-DO) wireless network, 213
Expiration in caching, 372
Expires header, 372
Exploitation, direct network-base, 485, 486, 487
Extensible Authentication Protocol (EAP), 212–13
Lightweight Extensible Authentication Protocol (LEAP), 213
Protected Extensible Authentication Protocol (PEAP), 213
Transport Layer Security (EAP-TLS), 213
Facebook, 479
Federal Communications Commission (FCC), 50, 200
Federal Rules of Evidence (FRE), 10
best evidence, 11
business records, 14
hearsay, 13
Fidelity alerts, 261
File carving
in TCP conversations, 495–98, 510–13
Filters/filtering. See also Packet filtering
in flow record analysis, 173–74
Findsmtpinfo.py, 130–31, 152–54
Firewalls, 27–28, 344–48. See also Ann’s Coffee Ring (case study)
application proxies and, 345
consumer-class, 346
forensic value of, 28
investigating, reasons for, 344
logs in L0ne Sh4rk’s Revenge (case study), 325–28
off-system, 348
packet filters and, 344
persistent, 347
roll-your-own, 346
session-layer proxies and, 345
SO/HO, 346
storage in, 336
volatile, 347
Flags in flow record data, 175
Flow, definition of, 105
definition of, 104
record (See Flow record analysis)
Flow analysis techniques, 109–20
list conversations, 109
list TCP flows, 110
tcpflow, 107
Flow-dscan, 179
Flow export (transport-layer protocols), 168
Flow-nfilter, 179
Flow record
analyzing (See Flow record analysis)
data elements, 175
definition of, 160
flags, 175
information, 265
ports, 175
processing (See Flow record processing system)
protocols, 175 (See also Flow record export protocols)
goals and resources, 172
starting indicators, 173
techniques (See Flow record analysis techniques)
tools (See Flow record analysis tools)
Flow record analysis techniques, 173–77
activity pattern matching, 173, 175–77
Flow record analysis tools, 177–82
Argus, 179
NfSen, 181
Flow record export protocols, 166–68
IPFIX, 167
transport-layer protocols and, 168
Flow record processing system, 161–82
collectors and aggregators, 168–71
flow record export protocols, 166–68
Flow sensing. See Sensors
Flow-tools suite, 171
“Follow TCP Stream” function in Wireshark, 105–6, 506, 507
Footers, 108
Forward proxy, 370
Frame analysis, 802.11, 205–6. See also Endianness
data frames, 205
FRE. See Federal Rules of Evidence (FRE)
Full-featured control, 463
General rule options, 271
Generator ID (GID), 273
Generic Routing Encapsulation (GRE), 425
Google, 33–34, 301, 446, 480, 481, 488, 513
Grant, Rebecca, 481
Greenfield mode (GF), 220, 226
Gudjonsson, Kristinn, 107, 129
Guénichot, Franck, 91, 93, 130
GUI interfaces, 266
Gulliver’s Travels (Swift), 205–6
Hacked Government Server (real-world case), 7–8
potential ramifications, 7
questions, 7
results, 8
Hacker, Alyssa P., 42
HackMe, Inc. (case study), 236–56
challenge questions, response to, 253–55
filter on WAP-announcing management frames, 237–38
overview of, 236
patterns and time frames, 245–47
quick-and-dirty statistics, 242–48
WEP Cracking Attack, 253
WEP-encrypted data frames, 242–44
WLAN, inventory of stations on, 238–40
Ham, Jonathan, 425
Hard drive, 336
Headers, 108
Health Information Technology for Economic and Clinical Health (HITECH) Act, 4
Health Insurance Portability and Accountability Act (HIPAA), 4, 292, 393
HELO command in SMTP, 127
Hexadecimal values associated with protocols, 83–84
Higher-layer analysis tools, 129–31
NetworkMiner, 131
oftcat, 129
small specialized tools, 131–32
smtpdump, 130
Higher-layer protocols, 120–29
analyzing (See Higher-layer analysis tools)
Higher-layer traffic analysis. See Higher-layer protocols
Higher-level protocol awareness, 259–60
normalization, 260
Hospital Laptop Goes Missing (real-world case), 4–6
potential ramifications, 4
questions, 4
Host baselines, 174
Host intrusion detection/prevention systems (HIDS/HIPS), 258
HTTP. See Hypertext Transfer Protocol (HTTP)
Huitema, C., 426
Hypertext, 121
HyperText Markup Language (HTML), 121
Hypertext Transfer Protocol (HTTP), 120–22
analysis, in TCP conversations, 508–10
messages, 121
methods defined by RFC 2616, 121–22
reason phrase, 122
status code, 122
TCP conversations (in case study), 508–10
ICMP. See Internet Control Message Protocol (ICMP)
analyzing (See ICMP tunneling analysis)
implications for the investigator, 438–39
IP and, 39
ICMP tunneling analysis, 434–38
packet capture analysis, 436–38
IDG News Service, 468
IEEE. See Institute of Electrical and Electronics Engineers (IEEE)
IETF. See Internet Engineering Task Force (IETF)
Incident, obtaining information on, 17–18
Induction coils, 48
on environment, 18
Initialization vectors (IVs), 228
Inspection without access, 70–71
port scanning, 71
vulnerability scanning, 71
InSSIDer, 231
Institute of Electrical and Electronics Engineers (IEEE), 50. See also 802.11 protocol
CSMA/CA, 202
IEEE 802.1Q, 424
LAN/MAN Standards Committee, 78
Layer 2 protocol series, 201–12
reasons for layers, 201
Standards Association (IEEE-SA), 78
InterOptic Saves the Planet, Part 1 (case study), 276–87
next steps, 287
packet analysis, initial, 278–79
Snort alert analysis, 277
suspicious file from Snort capture, 281–82
“Tcp Window Scale Option” alert, 284–85
InterOptic Saves the Planet, Part 2 (case study), 402–20
challenge questions, response to, 418–19
Squid cache analysis, further, 411–15
Squid cache page extraction, 405–8
Intercepting traffic in cables, 47–49
Inter Client Basic Messages (ICBM), 88, 91, 102, 103
SCP and SFTP, 67
SSH, 67
Telnet, 68
TFTP, 70
International Organization for Standardization (ISO), 31, 78
Internet Access Monitor, 381
Internet Architecture Board (IAB), 77
Internet Assigned Numbers Authority (IANA), 40, 77, 85
Internet Cache Protocol (ICP), 374
Internet Content Adaptation Protocol (ICAP), 374–75
Internet Control Message Protocol (ICMP), 39. See also ICMP tunneling
Internet Engineering Task Force (IETF), 31, 76–78, 201. See also Requests for comments (RFCs)
GRE protocol, 425
ISO 8601 compliance standards, 298
Teredo, 426
Internet Key Exchange (IKE), 427–28
Internet Message Access Protocol (IMAP), 141
Internet Protocol (IP), 37–41. See also IP addresses
characteristics of, 39
as connectionless protocol, 38
header, 37
ICMP and, 39
packet, 37
specification, 37
Internet Protocol Security (IPsec), 427–28
Internet Protocol Suite, 35–44
history and development of, 36–37
Internet Relay Chat (IRC), 465
Internet Society (ISOC), 77
Internet Standards. See Requests for comments (RFCs)
Internetworking, principles of, 30–35
Inter-Switch Link (ISL), 424–25
Intrusion detection systems (IDSs), 257–58, 464
Intrusion prevention systems (IPSs), 257–58
Investigative strategies, 3–22
conclusion, 22
Iodine, 432
IP. See Internet Protocol (IP)
IP addresses. See also IPv4; IPv6
MAC-to-IP mappings, 338, 340, 343, 358
source and destination, 175, 176
static, 122
IP Flow Information Export (IPFIX), 162, 164, 166, 167–68, 170–71, 177, 179
IP packet analysis, tunneled, 451–54
encapsulated protocol type, 453–54
source and destination IPv4 addresses, 451–52
IPv6 over, with Teredo, 425–26
NAT traffic, 426
protocol identification, 84
source and destination, in tunneled IP packet analysis, 451–52
in hexadecimals, 41
protocol identification, 84
Javascript, 265, 464, 509–10, 513–15
JPEG
Juniper, 163, 167, 342, 429, 481, 483
Kang, B. B. H., 470
Keys, Squid cache, 380
Kismet, 232
Koobface worm, 479
L0ne Sh4rk’s Revenge (case study), 318–34
activity following compromise, 324–25
analysis, first steps in, 319
authentication failure, 319–22
challenge questions, response to, 332–33
theory of the case, 332
Laptop tracking software, 5
Last-Modified header, 373
Least-recently-used (LRU) algorithm, 379
Legacy equipment, 210
Libpcap, 55
Lightweight Extensible Authentication Procotol (LEAP), 213
Linksys WRT54G router, 23, 216, 217–18, 342, 346
Linux
AirPcap USB adapter, 222
AirPort utility and, 351
apcupsd, 304
ARP cache, 338
BackTrack Linux, 51
command-line tools, 381, 383–84, 389, 403, 444
console connection, example of, 349–50
etc/passwd file on, 274
event logging (See UNIX/Linux event logging)
“file” command, 390
Kismet and, 232
MARS and, 310
ROM, 336
SNARE and, 310
Snort files and directories, 269
switch 802.11 interface into
infrastructure mode, 228
TCP/UDP port numbers, 85
Ubuntu Linux server, 297, 299–300, 338, 361–62, 365, 455
uniq tool, 238
ZoneMinder, 303
Lisiecki, Philip, 303
Local area network (LAN), 6
buffered, 353
network log architecture, 306
terminal, 353
Logging, 352–55. See also Logs
AAA, 355
event (See Event logging)
local (See Local logging)
syslog, 354
Logs, 291–334. See also Logging; Network log architecture
aggregation and analysis tools, 309–10
conclusion, 317
forensics relating to, 311–17 (See also OSCAR methodology)
L0ne Sh4rk’s Revenge (case study), 318–34
laundry event, 303
network equipment, 305
SSH, 8
TLS, 307
WAP, 5
web proxy, 5
Lojack for Laptops, 5
MAC addresses. See also Ann’s Coffee Ring (case study); HackMe, Inc. (case study)
control frames, 205
destination station, 229
802.11 network adapters, 51
MAC-to-IP mappings, 338, 340, 343, 358
randomized scanning, 473
Skyhook to get GPS coordinates of, 234
spoofed scanning, 474
MAC OS X, 33, 163, 232, 297, 351
Magic numbers, 108
MAIL command in SMTP, 127
Mail delivery agent (MDA), in SMTP, 126
Mail eXchanger (MX), in SMTP, 126
Mail submission agent (MSA), in SMTP, 126
Mail transfer agent (MTA), in SMTP, 126
Mail user agent (MUA), in SMTP, 126
Ann’s Aurora (case study), 492–517
distributed C&C systems, 465–69
encryption and obfuscation, 463–65
future of, 491
goals of, 461
metamorphic network behavior, 472–77
network activity, blending, 477–79
network behavior of malware, 484–90
self-updates, automatic, 469–71
social networking sites and, 479, 485, 487, 488
Managed switches, 339
subtypes, 204
Management information base (MIB), 69
Many to many IP addresses, 176
Many to one IP addresses, 176
Mapping ports, 338, 340, 343, 358
Maximum transmit unit (MTU), 228
Media access control addresses. See MAC addresses
Message body, 121
Message header, 121
Metadata options, 271
Metamorphic network behavior, 472–77
daemon ports, variable, 472–73
propagation strategies, multiple, 472
scanning for new targets, 473–77
Microsoft
MS-CHAP, 213
online library of technical specifications, 78
Operation b49, 471
Operation b49, 471
Remote Desktop Protocol, 192
SQL servers, 486
Microsoft Windows
ARP cache, 338
event logging (See Microsoft Windows event logging)
MARS and, 310
NetStumbler, 231
SNARE and, 310
Windows executable files, 494, 501, 505, 514–15
Windows Server 2003 R2, 295
Windows Vista, 292, 293, 294, 295, 455
Windows XP, 293, 294, 295, 509, 513, 514
WinDump, 59
Microsoft Windows event logging, 292–96
Event Log Service and Event Viewer, 293
Miller, Damien, 163
Monitor mode, 51
Morgan Stanley, 481
Mozilla, 478
MyDoom self-mailer worm, 470
MySpace, 479
Name servers, 26
NAT. See Network Address Translation (NAT)
National Vulnerability Database, 513
Nazario, Joe, 478
Nelson, Ted, 121
NetBee library, 79
Net-SNMP suite, 351
NetStumbler, 231
Network activity in malware, blending, 477–79
social networking sites, 479
Storm/Waledec C&C protocol evolution, 478
Network Address Translation (NAT)
in Curious Mr. X case study, 185
IPv4 traffic, 426
NAT traversal (NAT-T) techniques, 426
Network-based evidence, 15–22. See also Evidence
definition of, 15
Network baselines, 174
Network behavior of malware, 484–90
payload behavior, 490
Network-byte order, 207
Network devices and servers
Ann’s Coffee Ring (case study), 356–68
conclusion, 355
storage media, 336
Network equipment logs, 305
Network forensics investigative methodology. See OSCAR methodology
Network intrusion detection/prevention systems. See NIDS/NIPS
Network log architecture, 306–11
local, 306
log aggregation and analysis tools, 309–10
remote logging pitfalls and strategies, 308–9
Network Situational Awareness (NetSA) group, 170
Network Time Protocol (NTP), 85
Ann Tunnels Underground (case study), 441–59
confidentiality (See Network tunneling for confidentiality)
function of (See Network tunneling for functionality)
IP packets, 446–50 (See also IP packet analysis, tunneled)
TCP segment analysis (See TCP segment analysis, tunneled)
Network tunneling for confidentiality, 427–30
implications for the investigator, 430
Network tunneling for functionality, 423–27
GRE, 425
implications for the investigator, 426–27
IPv6 over IPv4 with Teredo, 425–26
ISL, 424
VLAN trunking, 424
conclusion, 275
detection modes, 261
in encryption and obfuscation, 463–65
evidence (See NIDS/NIPS evidence)
function of (See NIDS/NIPS functionality)
InterOptic Saves the Planet (case study), 276–87
interfaces, 266
investigating, reasons for, 258
roll-your-own, 263
NIDS/NIPS detection modes, 261
behavioral analysis, 261
protocol awareness, 261
signature-based analysis, 261
activities correlated across multiple sensors, 265
alert data, 265
configuration, 264
content data, 265
forensic value of, 27
packet header and/or flow record information, 265
NIDS/NIPS functionality, 258–61
higher-level protocol awareness, 259–60
sniffing, 259
NIDS/NIPS interfaces, 266
CLI interfaces, 266
GUI interfaces, 266
off-system logging, 266
Nimda worm, 472
Nonpayload detection rule options, 271–72
Nonvolatile Random-Access Memory (NVRAM), 336
Normalization, 260
Nunnery, C., 470
Obfuscation. See Encryption and obfuscation
Off-system evidence, 376
firewalls, 348
logging, 266
routers, 343
switches, 340
WAPs, 219
web proxies, 376
Oftcat, 129
Ohio State University, 475
One to many IP addresses, 176
One to one IP addresses, 176
Open Pluggable Edge Services (OPES), 370
Open System for Communication in Realtime (OSCAR) protocol, 78, 88, 89
Open Systems Interconnection (OSI) Model, 31–35
benefits of, 33
web surfing example using, 33–35
Operating system logs, 292–300
Microsoft Windows event logging, 292–96
UNIX/Linux event logging, 297–300
Operation Aurora, 480–81, 483, 513. See also Ann’s Aurora (case study)
Operation b49, 471
“Operation: Bot Roast,” 468
Optical cables, 47
Optical time-domain reflectometers (OTDRs), 48–49
Organizational Unique Identifier (OUI), 123–24, 136, 137
OSCAR File Transfer (OFT), 88, 94
Obtain information, 17–18, 311–13
Collect evidence, 19–20, 314–16
OSI Model. See Open Systems Interconnection (OSI) Model
Overnet/eDonkey protocol, 469
Packet, 37
in Ann’s Rendezvous (case study), 157
definition of, 96
in ICMP tunnel analysis, 436–38
techniques (See Packet analysis techniques)
tools (See Packet analysis tools)
tunneled (See Network tunneling)
Packet analysis techniques, 99–103
parsing protocol fields, 101
Wireshark/tshark display filters, 96–97
Packet Details Markup Language (PDML), 79
by bit value, 58
with BPF language, 101
firewalls and, 344
with Wireshark display filters, 101–3
Packet header, 265
Packet logging, NIDS/NIPS, 267–68
Packet Summary Markup Language (PSML), 79
Parsing protocol fields, 101
Passive evidence acquisition, 45
Password Authentication Protocol (PAP), 213
Passwords. See Logins
Payload behavior, 490
Payload detection rule options, 272
Peer-to-peer (P2P)
C&C, 469
filesharing, 6
Perl-compatible regular expressions (PCRE), 271, 272
Permutation scanning, 474
firewalls, 347
routers, 343
switches, 340
WAPs, 219
Phrack magazine, 434
uninterruptible power supply logs, 304
Pidgeon sniffing, 46
Pietrosemoli, Ermanno, 50
Point-to-Point Protocol (PPP), 212–13
Point-to-Point Protocol over Ethernet (PPPoE), 213
Politecnico di Torino, 79
Porras, Phillip, 488
Ports
in flow record data, 175
MAC-to-IP mappings, 338, 340, 343, 358
scanning, 71
TCP (See TCP ports)
wireless port knocking, 227
Post-detection rule options, 272
Postel, John, 37
Premaster secret, 396
Pre-shared keys (PSKs), 211
Pretty Park worm, 465
Privacy, 16
Propagation
in metamorphic network behavior, 472
in network behavior of malware, 485–87
vectors for, 485
Proprietary interfaces, 70, 351
Protected Extensible Authentication Protocol (PEAP), 213
definition of, 76
IEEE-SA, 78
information on, 76
ISO, 78
techniques (See Protocol analysis techniques)
tools (See Protocol analysis tools)
vendors, 78
Protocol analysis techniques, 82–95
protocol identification, 82–90
Protocol analysis tools, 79–82
PDML, 79
PSML, 79
Protocols, 30–31. See also Internet Protocol (IP); Internet Protocol Suite
ASCII values associated with, 83–84
binary values associated with, 83–84
connectionless, 38, 39, 43, 105, 168, 169
in flow record data, 175
flow record export (See Flow record export protocols)
hexadecimal values associated with, 83–84
higher-layer (See Higher-layer protocols)
higher-level protocol awareness, 259–60
IEEE Layer 2 protocol series, 201–12
mismatch, 30
reassembly in higher-level protocol awareness, 259–60
transport-layer, 168
PySiLK, 178
QoSient, LLC, 163
Queries, DNS, 129
Qwest DSL modem/router, 342, 346
Ra, 179
Rackspace, 481
Racluster, 179
Ragraph, 179
Ragrep, 179
Rahisto, 179
Rasort, 179
Raw traffic, 209
RCPT command in SMTP, 127
Read-Only Memory (ROM), 336
Catching a Corporate Pirate, 6–7
Hospital Laptop Goes Missing, 4–6
Reason phrase, HTTP, 122
Received Signal Strength Indication (RSSI), 231
Recursion, DNS, 129
Red Line Software, 381
Reed, David P., 44
Regional Internet Registries (RIRs), 40
Remote access Trojans (RATs), 463
Remote decentralized network log architecture, 306–7
Remote logging pitfalls and strategies, 308–9
confidentiality, 309
integrity, 309
reliability, 308
time skew, 309
Remote Switched Port Analyzer (RSPAN), 53
10 (Documentation Conventions), 77
527 (ARPAWOCKY), 75
675 (Specification of Internet Transmission Control Program), 36, 42
783 (TFTP Protocol (revision 2)), 70
791 (Internet Protocol), 37, 63
792 (Internet Control Message Protocol), 39, 129
793 (Transmission Control Program), 37
854 (Telnet Protocol Specifications), 68
855 (Telnet Option Specifications), 68
1035 (Domain names—implementation and specification), 128
1149 (Standard for the transmission of IP datagrams on avian carriers), 40
1350 (TFTP Protocol (revision 2)), 70
1918 (Address Allocation for Private Internets), 40
2026 (The Internet Standards Process – Revision 3), 77
2616 (Hypertext Transfer Protocol—HTTP/1.1), 121–22
2722 (Traffic Flow Measurement: Architecture), 159
2784 (Generic Routing Encapsulation), 78
3176 (InMon Corporation’s sFlow: A Method for Monitoring Traffic in Switched and Routed Networks), 167–68
3514 (The Security Flag in the IPv4 Header), 63
3954 (Cisco Systems NetFlow Services Export Version 9), 167
3955 (Evaluation of Candidate Protocols for IPFIX), 169
4677 (The Tao of IETF: A Novice’s Guide to the Internet Engineering Task Force), 77
4954 (SMTP Service Extension for Authentication), 128
4960 (Stream Control Transmission Protocol), 161
5101 (Specification of the IPFIX Protocol for the Exchange of IP Traffic Flow Information), 167
5103 (Bidirectional Flow Export Using IPFIX), 167
5321 (Simple Mail Transfer Protocol), 126
5473 (Reducing Redundancy in IPFIX), 167
canonical repository of, 77
definition of, 77
DHCP (See DHCP RFCs)
HTTP methods defined by, 121–22
maturity levels, 77
Reserved bit, 63
RFCs. See Requests for comments (RFCs)
Robust security network associations (RSNAs), 211
Robust security networks (RSNs), 211–12
Rogue system, 366
Rogue wireless access points, 225–27
Bluetooth access point, 226–27
802.11n in Greenfield mode, 220, 226
wireless port knocking, 227
Roll-your-own firewalls, 346
Roll-your-own NIDS/NIPS, 263
Roll-your-own routers, 342
Rough consensus and running code, 77
consumer-class, 342
investigating, reasons for, 341
off-system, 343
persistent, 343
roll-your-own, 342
storage in, 336
volatile, 343
RSA Security, 213, 396–97, 465, 470, 483–84
Rule header, Snort, 270
Rwcount, 178
Rwcut, 178
Rwidsquery, 178
Rwpmatch, 178
Rwstats, 178
Rwuniq, 178
SANS Institute, 303
Santorelli, Steve, 477
Schneier, Bruce, 469
Secure Copy Protocol (SCP), 67
Secure Socket Layer (SSL). See also TLS/SSL-encrypted traffic
encrypted web interfaces and, 70
network tunneling for confidentiality, 428–29
protocol identification and, 86
remote logging and, 309
rsyslog and, 298
session-layer proxies and, 345
stripping attacks, 228
syslog and, 354
Security Associations (SAs), 427–28
Seizure of evidence, 17
Self-updates, automatic, 469–71
authenticated updates, 470
early systems, 469
success and failure, 471
capacity, 165
duplication, 164
perimeter vs. internal traffic, 165
resources, 165
deploy additional sensors, 166
environmental modification, 165–66
leverage existing equipment, 165–66
network equipment, 162
placement of (See Sensor placement)
software (See Sensor software)
standalone appliances, 162
types of, 162
upgrade network equipment, 166
Argus, 163
yaf, 164
Service Set Identifiers (SSIDs), 204
Session-layer proxies, firewalls and, 345
Shell commands, Linux, 383, 384
Shutko, Alexandr, 79
Kismet, 232
NetStumbler, 231
RSSI, 231
statistical flow analysis, 170–71
Simple Mail Transfer Protocol (SMTP), 126–28
analyzing (See SMTP analysis)
Ann’s Rendezvous (case study), 135–57
commands, 127
mail transfer agent, 126
mail user agent, 126
RCPT command, 127
terminology, 126
transcript, 127
use of, 126
Simple Network Management Protocol (SNMP), 68–69
interfaces, 351
Net-SNMP suite, 351
Snort alerts, 269
Sinclair, G., 470
Single pre-shared key (PSK), 50–51
Sixth-byte offset, 57
Small office/home office (SO/HO)
firewalls, 346
unmanaged switches, 339
Smart switches, 339
Smith, Rick, 391
SMTP. See Simple Mail Transfer Protocol (SMTP)
attachment file carving, 146–47
Snaplen, 60
Sniffing, 224–25. See also Evidence interception
NIDS/NIPS functionality, 259
pidgeon, 46
SNMP. See Simple Network Management Protocol (SNMP)
Snort ID (SID), 269, 273, 274, 275, 279, 283
Snort in NIDS/NIPS, 268–75. See also InterOptic Saves the Planet, Part 1 (case study)
configuration, 269
overview of, 268
rule header, 270
Social networking sites, malware and, 479, 485, 487, 488
SO/HO. See Small office/home office (SO/HO)
Solaris, 163, 179, 297, 310, 346
SolarWinds Network Management Software, 351
SonicWALL, 163
Spam, 127, 462, 465, 471, 485, 487
Spectrum analysis in capturing and analyzing wireless traffic, 220–21
Spoofed scanning, 474
Squid, 377–81. See also InterOptic Saves the Planet, Part 2 (case study)
access logfile, 378
automated Squid cache extraction, 391–92
disk cache, 379
dissecting a disk cache in web proxy analysis, 384–92
extracting a cached web object, 385–90
keys, 380
Squid Analysis Report Generator (SARG), 382, 383
Squidview, 382
SSH File Transfer Protocol (SFTP), 67
SSL. See Secure Socket Layer (SSL)
Sslsniff, 400
Standards-track documents. See Requests for comments (RFCs)
Starting indicators in flow record analysis, 173
Static IP address, 122
Statistical flow analysis, 159–97
collection and aggregation, 168–71
conclusion, 183
Curious Mr. X (case study), 184–97
flow record, definition of, 160
flow record export protocols, 166–68
flow record processing system, 161
Statistics, definition of, 172
Status code, HTTP, 122
Stevens, Kathryn, 479
Stevens, W. Richard, 35
Storage media, 336
Storing/transporting evidence, 16, 20
Storm worm, 462, 465, 469, 478, 479
“Strategic Command” (STRATCOM), 481
Strategy, investigative. See Investigative strategies
Stream Control Transmission Protocol (SCTP), 168
Stream reassembly, 105
Sun Tsu, 22
Swap.state, Squid cache, 379–80
Switched Port Analyzer (SPAN), 53, 54, 184–85
ARP, 338
CAM table, 337
investigating, reasons for, 337
managed, 339
off-system, 340
persistent, 340
smart, 339
storage in, 336
unmanaged, 339
volatile, 340
Symantec, 466, 467, 471, 476–77, 478, 483, 486
System for Internet Level Knowledge. See SiLK
Targets, scanning for new, 473–77
distributed scanning networks, 475
permutation scanning, 474
spoofed scanning, 474
TCP. See Transmission Control Protocol (TCP)
TCP conversations (in case study), 495–513
in capturing and analyzing wireless traffic, 222–24
TCP in flow analysis
listing, 110
TCP/IP Illustrated Volume 1 (Stevens), 35
TCP/IP Model, 32
TCP/IP protocol suite. See Internet Protocol Suite
port 21, 193, 196, 197, 197 196, 333
port 22, 185–87, 195, 196, 454–55
port 25, 126
port 53, 129
port 80, 61, 121, 178, 194, 196
port 143, 141
port 445, 476
port 514, 196
port 4022, 67
port 4444, 495
port 29008, 82
leveraging port number in protocol identification, 84–86
values for, possible, 42
TCP segment analysis, tunneled, 454–56
TCP destination port, 455
TCP flags, 456
“Tcp Window Scale Option” alert, 284–85
Team Cymru, 477
conclusion, 44
Internet Protocol Suite, 35–44
internetworking, principles of, 30–35
network-based evidence, sources of, 23–29
Telnet, 68
Temporal Key Integrity Protocol (TKIP), 211
Teredo, IPv6 over IPv4 with, 425–26
Terminal local logging, 353
Three-way handshake, 43
Timeline in analysis of evidence, 21
Time magazine, 482
Time to live (TTL), 57, 179, 271, 272, 479–80
TLS. See Transport Layer Security (TLS)
TLS/SSL-encrypted traffic, 396–400
commercial interception tools, 400
Wireshark for decrypting, 397–98
Tools in higher-layer traffic analysis
Top-level domains (TLDs), 128, 277, 403, 441, 468
Traffic acquisition software, 54–65
libpcap, 55
tshark, 64
WinPcap, 55
Wireshark, 64
Ann’s Rendezvous (case study), 135–57
higher-level traffic analysis, 120–33
statistical flow analysis, 159–97
wireless devices and networks, 199–256
Transmission Control Protocol (TCP), 41–43
characteristics of, 43
as connection-oriented protocol, 43
in conversations (See TCP conversations (in case study))
handshake, 31, 188, 499, 502, 504, 505–6, 514
port values, 42 (See also TCP ports)
segments, 41 (See also TCP segment analysis, tunneled)
sequence numbers in covert network tunneling, 430–31
TCP RST packets, 190, 502, 505, 506, 515
TCP SYN ACK packets, 31, 38, 188, 190–92, 431, 499, 502, 505, 515
TCP SYN packets, 190, 192, 431, 502, 505
three-way handshake in, 43
values for ports, 42
Windows Size, 474
Transmit (Tx) Rate information, 231
Transport-layer protocols, 168
Transport Layer Security (TLS). See also TLS/SSL-encrypted traffic
EAP and, 213
encrypted web interfaces and, 70
implementing, 396
logs and, 307
network tunneling for confidentiality, 428–29
protocol identification and, 86
remote logging and, 309
rsyslog and, 298
session-layer proxies and, 345
stripping attacks, 228
syslog and, 354
syslog-ng and, 297
in web applications, purposes of, 394
yaf and, 164
Transport mode, 428
Tribe Flood Network (TFN), 462–63
Tribe Flood Network 2000 (TFN2K), 463
Trinoo, 462
Trivial File Transfer Protocol (TFTP), 70
Tshark, 64
capturing and analyzing wireless traffic, 222–24
Tu, Alan, 391
Tunneling. See Network tunneling
Twisted pair (TP) cables, 47
Twitter, 479
Type-of-service (TOS), 271, 274
Ubuntu Linux server, 297, 299–300, 338, 361–62, 365, 455
UDP. See User Datagram Protocol (UDP)
UDP ports
port 67, 123
port 68, 123
Undersea cable cuts, 49
Uniform Resource Identifier (URI)
extract web object from Squid cache, 385–86
filtering, 373
United States v. Simpson, 13
UNIX
apcupsd, 304
ARP cache, 338
etc/passwd file on, 274
event logging (See UNIX/Linux event logging)
Kismet and, 232
MARS and, 310
“root” account, 319
shell commands, 385
TCP/UDP port numbers, 85
Zebra, 342
UNIX/Linux event logging, 297–300
authentication logs, 299
auth.log, 318, 319–20, 323, 325, 330–31
Unmanaged switches, 339
URI. See Uniform Resource Identifier (URI)
Internet Protocol Suite, 43–44
Vampire taps, 48
Vendors, in protocol analysis, 78
“Victory in Cyberspace” report, 481
Virtual LAN. See VLAN
Virtual private networks (VPNs), 427, 429
consumer-class firewalls, 346, 357
ID (VID), 424
sensor placement, 165
tags, 424
tunneling over, challenge of, 425
Volatile evidence, 376
firewalls, 347
routers, 343
switches, 340
web proxies, 376
Volume of data transferred, 175
Voo Doo (MIT magazine), 42
VPN concentrators, 5
Vulnerability Research Team (VRT), 269–70, 273
Vulnerability scanning, 71
Waledac worm, 464, 470–71, 478, 479, 487, 489–90
off-system, 219
persistent, 219
filter on WAP-announcing management frames, 237–38
WLAN, inventory of stations on, 238–40
WAPs. See Wireless access points (WAPs)
Web proxies, 369–420. See also Encrypted web traffic; Squid
analyzing, 381–92 (See also Web proxy log analysis tools)
conclusion, 401
evidence in (See Web proxy evidence)
functionality of (See Web proxy functionality)
InterOptic Saves the Planet, Part 2 (case study), 402–20
investigating, reasons for, 369–71
logs, 5
types of, 370
obtaining, 376
off-system, 376
volatile, 376
Web proxy functionality, 371–75
Web proxy log analysis tools, 5, 381–84
Blue Coat Reporter, 381
Internet Access Monitor, 381
shell commands, Linux, 383, 384
Squidview, 382
Welchia worm, 470
WEP. See Wired Equivalent Privacy (WEP)
Whitelisting, 373
Wi-Fi, 50–51, 200–201. See also 802.11 protocol
frequency ranges, 220
hardware supporting WPA2, 210
WPA and WPA2 and, 211
Wi-Fi Protected Access (WPA), 211
Wi-Fi Protected Access 2 (WPA2), 211
Wired Equivalent Privacy (WEP), 51, 209–11
studying, reasons for, 210
WEP Cracking, 204, 210, 224, 228, 244, 252–54
Wireless access points (WAPs), 214–19
evidence (See WAP evidence)
inspecting (See WAP inspection)
investigating, reasons for, 214
logs, 5
Wireless Control System (WCS), 233
Wireless devices and networks, 199–256
capturing and analyzing, 219–24
collisions in, 202
conclusion, 235
HackMe, Inc. (case study), 236–56
investigating, reasons for, 200
locating (See Wireless devices and networks, locating)
Wireless devices and networks, locating, 229–34
commercial enterprise tools, 233
nearby wireless access points, identifying, 229–31
station descriptors, gathering, 229
Wireless intrusion detection systems (WIDSs), 225, 226, 233
Wireless Local Area Network (WLAN), 50, 201
Wireless Location Appliance (WLA), 233, 234
Wireless networking, 24–25. See also Wireless devices and networks
Wireless passive evidence acquisition, 221–22
Wireless port knocking, 227
Wireless Positioning System (WPS), 233
Wireless traffic capture and analysis, 219–24
wireless passive evidence acquisition, 221–22
decrypting TLS/SSL-encrypted traffic, 397–98
“Follow TCP Stream” function, 105–6, 506, 507
Protocol Hierarchy Statistics, 442–43, 499, 501
in SMTP (Ann’s Rendezvous case study), 141–43
W95/Babylonia self-mailer worm, 469
W95/Hybris worm, 470
Worms. See Botnets
W32/Blaster, 472
W32/Doomjuice, 470
W32.Stuxnet Dossier, 467
W32.Welchia, 473
W32/Witty, 472
XOR-ing, 464
Yaf (Yet Another Flowmeter), 164
Zero-byte offset, 57
ZoneMinder, 303
Zone transfer, DNS, 128