DESCRIPTION
Abstract - Network forensics deals with the capture, recording and analysis of network events in order to discover evidential information about the source of security attacks that can stand in a court of law. This paper discusses the different tools and techniques available to conduct network forensics. Some of the tools under discussion include: eMailTrackerPro, to identify the physical location of an email sender; Web Historian, to find the duration of each visit and the files uploaded and downloaded from the visited website; and packet sniffers like Ethereal, to capture and analyze the data exchanged among the different computers in the network. The second half of the paper presents a survey of different IP traceback techniques, such as packet marking, that help a forensic investigator identify the true sources of the attacking IP packets. We also discuss the use of honey pots and honey nets, which gather intelligence about the enemy and the tools and tactics of network intruders.

The growing danger from crimes committed against computers, or against information on computers, is beginning to claim attention in national capitals. In most countries around the world, however, existing laws are likely to be unenforceable against such crimes. This lack of legal protection means that businesses and governments must rely solely on technical measures to protect themselves from those who would steal, deny access to, or destroy valuable information. Self-protection, while essential, is not sufficient to make cyberspace a safe place to conduct business. The rule of law must also be enforced. Countries where legal protections are inadequate will become increasingly less able to compete in the new economy.

As cyber crime increasingly breaches national borders, nations perceived as havens run the risk of having their electronic messages blocked by the network. National governments should examine their current statutes to determine whether they are sufficient to combat the kinds of crimes discussed in this report. Where gaps exist, governments should draw on best practices from other countries and work closely with industry to enact enforceable legal protections against these new crimes. This report analyzes the state of the law in 52 countries. It finds that only ten of these nations have amended their laws to cover more than half of the kinds of crimes that need to be addressed. While many of the others have initiatives underway, it is clear that a great deal of additional work is needed before organizations and individuals can be confident that cyber criminals will think twice before attacking valued systems and information.

TRANSCRIPT
A Research on Challenges in Cybercrime and Scope of Criminal Networks in Cyberspace Implementing Cyber Forensic Tools: An Exploratory Study
K Kalaiselvi, Dept. of Computer Applications, Koshy’s Institute of Management Studies, [email protected]
What is Network Forensics?
- Captures, records and analyzes network events
- Discovers the sources of security attacks
- Collection and analysis of data from networks, computers and communication streams
Forensic Techniques
- Email Forensics
- Web Forensics
- Packet Sniffers
- IP Traceback Techniques
- Honey Pots and Honey Nets
Email Forensics
- Increased network connectivity progressively increases data theft, identity theft, spam email threats and network hacking
- Tools: eMailTrackerPro, SmartWhoIs
Email Forensics – Tools
- Trace the email sender
- Study the source and content of the email
- Identify the date/time etc. of sender and recipient
- Trace the path traversed by the message
- Identify phishing emails
Email Forensics – How it works?
- eMailTrackerPro analyzes the email header and detects the IP address of the sending system
- The message header provides an audit trail of every machine the mail passes through
- Has a built-in location database which maps country/region/area
- Copy and paste the email header into eMailTrackerPro and start
- Generates reports with IP and domain/content information (reg. website address)
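As an added example (not part of the original slides, and using Python's standard email library rather than eMailTrackerPro), the script below does the header walk the slide describes: it reads the Received headers of a constructed sample message, reverses them into transmission order, and pulls out each relay and the IP addresses it recorded. The message, host names and addresses are made-up documentation values.

```python
import re
from email import message_from_string

# Constructed sample message (documentation addresses, not from the page).
# Each relay prepends its own Received header, so the first header is the
# last hop and the last header is the hop nearest the sender.
SAMPLE_MESSAGE = """Received: from mx2.example.org (mx2.example.org [198.51.100.20])
    by inbox.example.com with ESMTP id abc123; Tue, 03 Sep 2013 10:02:11 +0000
Received: from relay.example.net ([203.0.113.7])
    by mx2.example.org with ESMTP; Tue, 03 Sep 2013 10:02:05 +0000
Received: from [192.0.2.45] (helo=home-pc)
    by relay.example.net with SMTP; Tue, 03 Sep 2013 10:01:58 +0000
From: someone@example.net
To: victim@example.com
Subject: constructed sample

body text
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def received_chain(raw_message):
    """Hops in transmission order (origin first): claimed 'from' host, the 'by'
    relay that added the header, IPv4 addresses found, and the timestamp."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", value)
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append({
            "from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "ips": IPV4_RE.findall(value),
            "date": value.rsplit(";", 1)[1].strip() if ";" in value else None,
        })
    return hops

def origin_ip(raw_message):
    """IP recorded by the earliest hop. Only Received lines added by relays you
    trust are reliable; a sender can forge the ones beneath them."""
    hops = received_chain(raw_message)
    return hops[0]["ips"][0] if hops and hops[0]["ips"] else None

if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print(hop["from"], "->", hop["by"], hop["ips"], hop["date"])
    print("origin:", origin_ip(SAMPLE_MESSAGE))
```

The earliest trustworthy hop is the one added by the first relay you control; anything below it in the chain is the sender's claim, not evidence.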
Web Forensics
- Analyzes the duration of each web visit and the files uploaded/downloaded from the visited website
- Reveals the browsing history and the cookies set up during visits
- In IE: index.dat; in Firefox, Mozilla and Netscape browsers: history.dat
- Explores the browsing history and gathers the critical information of a crime
Web Forensics – Tools
- Mandiant Web Historian
- Index.dat Analyzer
Mandiant Web Historian
- Reviews the website URLs
- Reveals what/when/where/how the intruders looked into the sites
- Can parse a specific history file
- Can recursively search through a given folder or drive
- Generates a single report for all browsers available
Index.dat Analyzer
- Examines and deletes the content of index.dat
- Views browsing history, cookies and cache
- Provides a direct visit to the websites listed in the analyzer output
- Opens the files uploaded/downloaded from the website
Packet Sniffers
- Software that captures and analyzes the data exchanged between the different systems in a network
- Intrusion Detection System: collects initial information from packets, and collects traffic in/out of the network
- Explores hidden information in the different headers of TCP/IP
- Network engineers, administrators and security professionals use them to monitor the network
Packet Sniffers – Tools
- Ethereal
- WinPcap and AirPcap
Ethereal
- Captures and filters live packets
- Displays the header information of all the protocols used in the transmission of the packet
- Supports Windows, Linux and Unix
- Protocols used: TCP, UDP, Address Resolution Protocol (ARP)
WinPcap and AirPcap
- WinPcap: captures intercepted packets at the network interface in Windows
- AirPcap: captures control frames (ACK, RTS, CTS), management frames (request/response, authentication) and data frames of IEEE 802.11 wireless LAN interfaces; currently for Windows
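Added example, not from the original deck: a minimal Python decoder for the IPv4 and TCP headers that a sniffer such as Ethereal displays, run over a constructed packet assembled with struct.pack. The addresses, ports and payload are made up, and checksums are not verified.

```python
import socket
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]

def parse_ipv4(packet):
    """Decode the fixed 20-byte IPv4 header of a packet with no link-layer
    header; return (fields, payload). The header checksum is not verified."""
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    header_len = (ver_ihl & 0x0F) * 4      # IHL is counted in 32-bit words
    fields = {
        "version": ver_ihl >> 4,
        "header_len": header_len,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,                  # 6 = TCP, 17 = UDP, 1 = ICMP
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }
    return fields, packet[header_len:total_len]

def parse_tcp(segment):
    """Decode the TCP header; return (fields, application data)."""
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    data_off = (off_flags >> 12) * 4       # data offset, also in 32-bit words
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    fields = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
              "flags": flags, "window": window}
    return fields, segment[data_off:]

def build_sample_packet():
    """Constructed IPv4/TCP packet carrying an HTTP request (made-up values)."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 40512, 80, 1000, 2000,
                      (5 << 12) | 0x018,   # data offset 5 words, flags PSH|ACK
                      65535, 0, 0)         # window, checksum (unset), urgent ptr
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0,       # id, flags/frag, TTL, proto TCP, csum
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    return ip + tcp + payload

if __name__ == "__main__":
    ip_fields, segment = parse_ipv4(build_sample_packet())
    tcp_fields, data = parse_tcp(segment)
    print(ip_fields)
    print(tcp_fields, data)
```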
IP Traceback
- Traces back from the victim to the source of the attack
- Needed because attackers masquerade through IP spoofing
IP Traceback – Tools
- Input debugging: recognizes the signature pattern in all attack packets; the pattern is passed to the upstream router hop by hop until it reaches the source, where it is filtered and blocked
- Controlled flooding: the change in the rate of packets at the upstream router is tested recursively
- Packet marking: samples the path one node at a time rather than recording the entire path
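Added example, not from the presentation: a Python simulation of the node-sampling form of packet marking the slide refers to, in which each router along the path overwrites a single mark field with its own identifier with some probability, and the victim recovers the path from the frequency of each mark. The five-router path, the marking probability p = 0.5 and the seeded randomness are assumptions made for the demonstration.

```python
import random
from collections import Counter

def simulate_node_sampling(path, n_packets, p, seed=0):
    """Node-sampling packet marking. path: router ids from the attacker side to
    the victim side. Each router overwrites the packet's mark field with its
    own id with probability p, so the victim sees one node id per packet.
    Returns a Counter of marks received at the victim (None = unmarked)."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    marks = Counter()
    for _ in range(n_packets):
        mark = None
        for router in path:
            if rng.random() < p:
                mark = router
        marks[mark] += 1
    return marks

def expected_fraction(distance, p):
    """Fraction of packets whose surviving mark is the router `distance` hops
    from the victim (1 = nearest): it marks, and every closer router does not."""
    return p * (1 - p) ** (distance - 1)

def reconstruct_path(marks):
    """Victim side: the nearest router's mark survives most often, so sorting
    ids by frequency gives the path from the victim back toward the source.
    The packets' source address is never consulted, so spoofing it does not help."""
    return [router for router, _ in marks.most_common() if router is not None]

if __name__ == "__main__":
    true_path = ["R1", "R2", "R3", "R4", "R5"]   # constructed; R5 is adjacent to the victim
    seen = simulate_node_sampling(true_path, 20000, 0.5, seed=1)
    print("marks:", seen.most_common())
    print("victim -> source:", reconstruct_path(seen))
    for d in range(1, 6):
        print(f"distance {d}: expected fraction {expected_fraction(d, 0.5):.4f}")
```

The geometric fall-off in expected_fraction is why the scheme needs many packets for long paths, and why the full path is only recoverable once every router has been sampled at least a few times.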
Honeypots and Honeynets
- A network designed to be compromised
- Observes the activities and behaviour of the intruder
- Allows detailed analysis of the tools used by intruders
- An inbound connection to a honeypot indicates a probe; an outbound connection indicates the honeypot has been compromised
- Honeywall: captures and monitors the data traffic entering and leaving the honeypot
- Sebek: logging software that intercepts the data after the attacker's encryption software decrypts it (identifies the signature of the attackers)
- Virtual honeypots: simulated machines, modelled to behave as required, each with a different IP address
Conclusion
- An exhaustive survey of the tools and techniques to conduct network forensics is the need of the hour
- Various forensic techniques were explored; none is efficient for all the attacks in a network
- The IP traceback mechanism, honeypots, honeynet architecture and virtual honeypots were discussed briefly
- Detection of malicious attacks and protection of production systems by the forensic professional are to be made more effective
- Self-protection remains the first line of defense, and a model approach is needed
Future Work
- Future research involves deploying and analyzing the effectiveness of commercial tools to detect all kinds of attacks
- Comprehensive forensic analysis for wireless networks
- Identifying the tools for the same
THANK YOU