6th Annual Teaching Computer Forensics Workshop: Enhancing the Experience in Network Incident Investigations. Dr. Jianming Cai, Ms. Angeliki Parianou and Ms. Bo Li, Faculty of Computing, London Metropolitan University.


Page 1

6th Annual Teaching Computer Forensics Workshop

Enhancing the Experience in Network Incident Investigations

Dr. Jianming Cai, Ms. Angeliki Parianou and Ms. Bo Li

Faculty of Computing, London Metropolitan University

Page 2

Topics

• Network incident investigation

• Experiment in the real world

• The experimental platform

• Platform test

• Forensic evidence collected/analysis

• Summary

Page 3

Network Incident Investigation

• Network Forensics:

– computing has become network-centric

– the Internet is increasingly used at home

– evidence is available beyond the disk-based digital evidence

• Carried out as a standalone investigation or alongside a computer forensics analysis (to reveal links between digital devices or to reconstruct how a crime was committed).

• Investigators often have to rely on packet filters, firewalls and intrusion detection systems that were set up in anticipation of security breaches. Network data is far more volatile and unpredictable than data on disk.

• When investigating a network intrusion the investigator and the attacker are often of similar skill level, whereas in other areas of digital forensics the investigator is usually the more highly skilled.

Page 4

Experiment in the Real World

• There is therefore an increasing demand for Computer Forensics graduates to enhance their experience in network incident investigations.

• Institutions' security policies restrict students from practising Network Forensics in the real world.

• Network Forensics exercises therefore often have to rely on case studies extracted from textbooks.

• A platform that enables students to practise network incident investigation on real-life cases is desirable.

Page 5

The Experimental Platform

• The platform we developed is composed of a low-interaction honeypot and a rule-based IDS.

• The software packages, namely Honeyd and Snort, are employed.

• Based on this platform, students can analyze malicious activities, collect evidence, and launch incident investigations.

Page 6

Network Topology of the Platform

[Figure: the "Network Forensics" lab, connected to the institutional network]

Page 7

Advantages of the Platform

• Relatively independent of the institution's network servers, so it does not conflict with the institution's network security and administration policies.

• Gathers network forensic information, supports the investigation of real-life cases, and collects the evidence needed for the apprehension and prosecution of network intruders.

• The software employed in this platform is freely available, so students can also use it at home; the platform is low cost and flexible in practice.

Page 8

The Deployed Honeyd (with eight virtual honeypots)

[Figure: the Honeyd host (195.251.161.147) sits behind the router; its arpd daemon claims 195.251.161.180 - 195.251.161.187, which are bound to the eight virtual honeypots below]

  195.251.161.180  Microsoft Windows XP Professional SP1
  195.251.161.181  Cisco IOS 11.3-12.0(11)
  195.251.161.182  Linux Kernel 2.4.20
  195.251.161.183  Microsoft Windows XP Professional SP1 (Mydoom vulnerable)
  195.251.161.184  Microsoft Windows XP Professional SP1
  195.251.161.185  Sun Solaris 9 (mail relay server)
  195.251.161.186  Linux Kernel 2.4.20
  195.251.161.187  Microsoft Windows Server 2003

Arpd: a daemon that listens to ARP (Address Resolution Protocol) requests and answers for IP addresses that are unallocated, so that traffic for the virtual honeypots is delivered to the Honeyd host.

Page 9

The Deployed Honeyd (Cont.)

• The virtual honeypots deployed include:

– A Linux honeypot with the personality “Linux kernel 2.4.20”

– A Windows honeypot with the personality “Microsoft XP Pro SP1”

– A Router honeypot with the personality of “ Cisco IOS11.3-12.0(11)”

– A Server honeypot with the personality of “ Microsoft Server 2003”

– A Mydoom Vulnerable honeypot with the personality of “Microsoft XP Pro SP1”

– A Mail Relay Server honeypot with the personality of “Sun Solaris 9”
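The slides describe the deployment but do not reproduce the Honeyd configuration behind it. The following is an added example, not the authors' configuration file or code from the Honeyd project. It renders a honeyd.conf for the eight virtual honeypots listed above and checks every bound address against the arpd range, because a honeypot bound to an address arpd never claims simply receives no traffic and the error only shows up as an empty log weeks later. Assumptions: Honeyd's configuration grammar (create / set personality / set default action / add port / bind), personality strings that must match entries in Honeyd's nmap.prints file, the emulated web service provided by Honeyd's bundled scripts/web.sh, and the open ports chosen for each template, which are illustrative rather than the authors' settings.

```python
"""Render a Honeyd configuration for the eight virtual honeypots and check
each bound address against the arpd range.

Added example, not configuration from the original slides or Honeyd itself.
Assumptions: Honeyd's config grammar, personality names matching nmap.prints,
scripts/web.sh from the Honeyd distribution, and illustrative open ports.
"""
import ipaddress

# arpd answers ARP requests for this range only; a honeypot bound outside it
# is never reachable from the network.
ARPD_FIRST, ARPD_LAST = "195.251.161.180", "195.251.161.187"

# (template name, Honeyd personality, bound IP, open TCP ports, port -> service script)
HONEYPOTS = [
    ("winxp-a", "Microsoft Windows XP Professional SP1", "195.251.161.180",
     [135, 139, 445], {80: "sh scripts/web.sh"}),
    ("router", "Cisco IOS 11.3 - 12.0(11)", "195.251.161.181", [23], {}),
    ("linux-a", "Linux Kernel 2.4.20", "195.251.161.182", [22, 111],
     {80: "sh scripts/web.sh"}),
    # Mydoom's backdoor listens on TCP 3127; leaving it open is what makes
    # this XP template look like an infected host to scanners.
    ("winxp-mydoom", "Microsoft Windows XP Professional SP1", "195.251.161.183",
     [135, 139, 445, 3127], {}),
    ("winxp-b", "Microsoft Windows XP Professional SP1", "195.251.161.184",
     [135, 139, 445], {}),
    ("relay", "Sun Solaris 9", "195.251.161.185", [25, 110], {}),
    ("linux-b", "Linux Kernel 2.4.20", "195.251.161.186", [21, 22], {}),
    ("win2003", "Microsoft Windows Server 2003", "195.251.161.187",
     [135, 139, 445, 1433], {80: "sh scripts/web.sh"}),
]


def in_arpd_range(ip, first=ARPD_FIRST, last=ARPD_LAST):
    """True if ip lies inside the inclusive range arpd answers for."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)


def render_template(name, personality, ip, tcp_ports, scripts):
    """Emit one Honeyd template: everything closed by default, listed TCP
    ports either plainly open or served by a script, then bound to its IP."""
    lines = [
        f"create {name}",
        f'set {name} personality "{personality}"',
        f"set {name} default tcp action reset",
        f"set {name} default udp action reset",
        f"set {name} default icmp action open",
    ]
    for port in sorted(set(tcp_ports) | set(scripts)):
        if port in scripts:
            lines.append(f'add {name} tcp port {port} "{scripts[port]}"')
        else:
            lines.append(f"add {name} tcp port {port} open")
    lines.append(f"bind {ip} {name}")
    return "\n".join(lines)


def build_config(honeypots, first=ARPD_FIRST, last=ARPD_LAST):
    """Return (honeyd.conf text, list of problems).

    A bind outside the arpd range, or an address bound twice, fails silently
    in practice; checking here is cheaper than a month of empty logs.
    """
    blocks, problems, seen = [], [], set()
    for name, personality, ip, ports, scripts in honeypots:
        if not in_arpd_range(ip, first, last):
            problems.append(f"{name}: {ip} lies outside the arpd range {first}-{last}")
        if ip in seen:
            problems.append(f"{name}: {ip} is bound more than once")
        seen.add(ip)
        blocks.append(render_template(name, personality, ip, ports, scripts))
    return "\n\n".join(blocks) + "\n", problems


if __name__ == "__main__":
    config, problems = build_config(HONEYPOTS)
    print(config)
    for p in problems:
        print("PROBLEM:", p)
```

Run the script and redirect its output to honeyd.conf; start arpd on the same range before Honeyd so the virtual addresses are actually answered on the wire. The range check is the part worth keeping: the diagram and the results table on Page 17 both have to agree on the eight addresses, and the script turns that consistency into something that fails loudly instead of quietly.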

Page 10

The Deployed Honeyd (Cont.)

• It creates virtual hosts with different operating systems in order to attract a wider range of suspicious activity.

• In addition a NIDS, namely Snort, is employed to monitor the network traffic for known attacks and attempts to exploit known vulnerabilities.

• Malicious network traffic is monitored, recorded and analysed.

• The output of Snort is sent to a MySQL database.

• The alerts recorded by Snort are then presented by BASE (Basic Analysis and Security Engine) version 1.4.5.

Page 11

Platform Test

• The implemented Honeyd was put on the Internet for about one month and recorded every piece of traffic targeted at the eight virtual honeypots.

• The results of the experiment were recorded in the various log files generated by Honeyd and in the Snort logs retained in the MySQL database.

• In addition, web.log recorded connection attempts towards the emulated Web services.

Page 12

Part of the Test Results

Packet Protocol Types

Page 13

Part of the Test Results (Cont.)

Top 10 IP Addresses/Countries Attempted Connections

Page 14

Part of the Test Results (Cont.)

The List of Packet Destination IP Address

Page 15

Part of the Test Results (Cont.)

The List of Packet Destination Ports

Page 16

Part of the Test Results (Cont.)

Source Countries of the Relay Virtual Server

Page 17

Part of the Test Results (Cont.)

Destination IPs Attacked and Detected by the Snort

  #  Destination IP     Operating System                                    Connection attempts (share)  Distinct source IPs
  1  195.251.161.181    Cisco Router IOS 11.3-12.0                          334 (28%)                    194
  2  195.251.161.185    Sun Solaris – open relay server                     213 (17%)                    158
  3  195.251.161.186    Linux Kernel 2.4.20                                 187 (15%)                    88
  4  195.251.161.182    Linux Kernel 2.4.20                                 158 (13%)                    53
  5  195.251.161.187    Microsoft Windows Server 2003                       79 (6.6%)                    29
  6  195.251.161.184    Microsoft Windows XP Pro SP1                        79 (6.6%)                    27
  7  195.251.161.180    Microsoft Windows XP Pro SP1                        70 (5.8%)                    21
  8  195.251.161.183    Microsoft Windows XP Pro SP1 – Mydoom vulnerable    69 (5.8%)                    25

Page 18

Part of the Test Results (Cont.)

Top 10 Source IPs Attempting Connections and Detected by the Snort

  #   Source IP          Connection attempts
  1   61.128.110.96      110
  2   122.225.100.154    104
  3   219.150.223.253    93
  4   219.149.194.245    45
  5   211.143.198.2      35
  6   41.238.62.214      16
  7   221.130.140.18     16
  8   83.219.146.180     14
  9   41.130.16.37       14
  10  188.17.215.239     14

Page 19

Part of the Test Results (Cont.)

Unique Alerts Generated by the Snort

  #  Signature                                                              Classification    Total (share)  Sensor  Source addresses  Dest. addresses  First     Last
  1  SQL version overflow attempt                                           attempted-admin   486 (40.8%)    1       41                8                26/07/10  25/08/10
  2  unclassified                                                           –                 450 (37.8%)    1       190               8                26/07/10  13/08/10
  3  PSNG_TCP_PORTSWEEP                                                     attempted-recon   214 (17.9%)    1       208               7                01/08/10  16/08/10
  4  SQL ping attempt                                                       misc-activity     18 (1.5%)      1       9                 8                11/08/10  12/08/10
  5  PSNG_TCP_PORTSCAN                                                      attempted-recon   18 (1.5%)      1       2                 5                13/08/10  14/08/10
  6  TELNET Solaris login environment variable authentication bypass attempt  attempted-admin   3 (0.2%)       1       3                 1                23/08/10  25/08/10
  7  SQL Worm propagation attempt                                           misc-attack       3 (0.2%)       1       3                 2                24/08/10  25/08/10

Page 20

 

Part of the Test Results (Cont.)

Cross-referenced Source IP Addresses by Virtual Honeypots and the Snort

  #   Source IP          Source IP DNS Resolution                                      Snort alert                                                        Honeyd connection attempts
  1   61.128.110.96      CNINFONET Xingjiang province network                          SQL version overflow attempt                                       110
  2   61.176.216.44      CHINA Unicom province network                                 PSNG_TCP_PORTSWEEP                                                 5
  3   222.191.251.183    CHINANET province network                                     PSNG_TCP_PORTSWEEP                                                 1
  4   122.225.100.154    CHINANET – Zhu Zhenhua                                        SQL version overflow attempt                                       104
  5   219.150.223.253    Telecom CHINANET province network                             SQL version overflow attempt                                       93
  6   219.149.194.245    CHINANET province network                                     SQL version overflow attempt; SQL Worm propagation attempt         46
  7   211.143.198.2      China Mobile Communications Corporation - Fujian              SQL version overflow attempt                                       35
  8   213.160.136.96     Prosto Internet                                               SQL version overflow attempt; SQL Worm propagation attempt         1
  9   93.114.238.38      SC Gliga SRL                                                  SQL version overflow attempt                                       1
  10  201.240.30.46      Latin American and Caribbean IP address Regional Registry     PSNG_TCP_PORTSWEEP                                                 2
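The Platform Test slide (Page 11) names two evidence sources, the Honeyd log files and the Snort alerts, and the table above (Page 20) joins them on source IP. The following added example, not code from the original slides, does that join over a handful of constructed log lines: it parses Honeyd's default text log and Snort's alert_fast output, produces the per-honeypot attempt counts of the Page 17 table, and cross-references sources so that a host seen by the honeypot but never flagged by Snort stands out. Assumptions: the Honeyd log format (timestamp, protocol, connection flag, source, source port, destination, destination port, optional trailing fields), the alert_fast line format including the portscan preprocessor's alerts with no ports and no classification, and the sample lines and rule ids, which are constructed rather than taken from the authors' data.

```python
"""Cross-reference Honeyd connection logs with Snort alert_fast output.

Added example, not code from the original slides. It assumes the default
Honeyd text log format (timestamp proto(num) flag src sport dst dport ...)
and Snort's alert_fast line format. Both inputs are constructed samples.
"""
import re
from collections import defaultdict

# Constructed Honeyd log. Flags: S = new TCP connection, E = end of that
# connection, - = single UDP/ICMP packet. Only S and - lines are attempts.
HONEYD_LOG = """\
2010-07-26-10:15:32.1201 udp(17) - 61.128.110.96 1045 195.251.161.181 1434: 376
2010-07-26-10:15:33.0412 udp(17) - 61.128.110.96 1045 195.251.161.187 1434: 376
2010-07-26-10:16:01.5530 tcp(6) S 219.150.223.253 3301 195.251.161.185 25 [Windows XP SP1]
2010-07-26-10:16:09.2210 tcp(6) E 219.150.223.253 3301 195.251.161.185 25: 212 90
2010-07-26-10:17:44.9004 tcp(6) S 61.176.216.44 40021 195.251.161.181 23
2010-07-26-10:17:44.9031 tcp(6) S 61.176.216.44 40022 195.251.161.186 22
"""

# Constructed Snort alert_fast lines (rule ids are placeholders). Note that
# 219.150.223.253 raised no alert: the honeypot log is the only record of it.
SNORT_FAST = """\
07/26-10:15:32.120311  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 61.128.110.96:1045 -> 195.251.161.181:1434
07/26-10:15:33.041522  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 61.128.110.96:1045 -> 195.251.161.187:1434
07/26-10:17:45.010044  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 61.176.216.44 -> 195.251.161.181
"""

HONEYD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>[a-z]+)\(\d+\)\s+(?P<flag>[SE-])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+)")

# Classification and ports are optional: preprocessor (portscan) alerts omit them.
SNORT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$")


def parse_honeyd(text):
    """One record per connection attempt; E lines only close an earlier S."""
    return [m.groupdict() for m in map(HONEYD_RE.match, text.splitlines())
            if m and m["flag"] != "E"]


def parse_snort(text):
    """One record per alert_fast line that parses; anything else is skipped."""
    return [m.groupdict() for m in map(SNORT_RE.match, text.splitlines()) if m]


def attempts_per_destination(attempts):
    """Per-honeypot attempts, share of the total and distinct sources (Page 17)."""
    by_dst = defaultdict(list)
    for a in attempts:
        by_dst[a["dst"]].append(a["src"])
    total = len(attempts) or 1
    rows = [{"dst": dst, "attempts": len(srcs), "sources": len(set(srcs)),
             "share": round(100.0 * len(srcs) / total, 1)}
            for dst, srcs in by_dst.items()]
    return sorted(rows, key=lambda r: (-r["attempts"], r["dst"]))


def cross_reference(attempts, alerts):
    """Join Honeyd attempts and Snort alerts on source IP (Page 20). A source
    with attempts but an empty signature set was seen by the honeypot only."""
    table = {}
    for a in attempts:
        e = table.setdefault(a["src"], {"attempts": 0, "targets": set(), "signatures": set()})
        e["attempts"] += 1
        e["targets"].add(a["dst"])
    for al in alerts:
        e = table.setdefault(al["src"], {"attempts": 0, "targets": set(), "signatures": set()})
        e["signatures"].add(al["msg"])
    return table


if __name__ == "__main__":
    attempts, alerts = parse_honeyd(HONEYD_LOG), parse_snort(SNORT_FAST)
    for r in attempts_per_destination(attempts):
        print(f'{r["dst"]:16} {r["attempts"]:3} ({r["share"]}%)  sources={r["sources"]}')
    for src, e in sorted(cross_reference(attempts, alerts).items()):
        print(f'{src:16} attempts={e["attempts"]} snort={sorted(e["signatures"]) or "none"}')
```

The join is on source address alone, which is what the slide's table does; in a real investigation the next step is to tighten it to matching time windows and destination ports, since a busy scanner can appear in both logs for unrelated reasons. The deliberate gap in the sample, a relay probe that Snort never saw, is the teaching point of running both tools: the IDS only reports what it has a signature for, while the honeypot logs every connection.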

Page 21

Summary

• There is an increasing demand for Computer Forensics graduates to enhance their experience in network incident investigations.

• The platform developed enables students to practise network incident investigation on real-life cases.

• Although the evidence collected from the honeypot system may or may not be deemed admissible in court, the platform is intended to help students enhance their Network Forensics skills.
