Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas

Network Forensics - II
October 29, 2008

Outline
- Network Attacks
- Security Measures
- Network Forensics and Tools
- Types of Networks
- Relationship to Social Network Analysis
- Special presentation: http://www.apricot.net/apricot2007/presentation/tutorial/ryan-network-forensics-tut.pdf

Network Attacks: Denial of Service
Denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program. These may be performed at the network layer by sending carefully crafted and malicious datagrams that cause network connections to fail. They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning. Preventing suspicious network traffic from reaching hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack. It is useful to know the details of the attack method, so you should educate yourself about each new attack as it is publicized.

Network Attacks: Spoofing
This type of attack causes a host or application to mimic the actions of another. Typically the attacker pretends to be an innocent host by forging IP addresses in network packets. For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers.
To protect against this type of attack, verify the authenticity of datagrams and commands. Prevent datagram routing with invalid source addresses. Introduce unpredictability into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.

Network Attacks: Eavesdropping
This is the simplest type of attack. A host is configured to "listen" to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections. Broadcast networks like Ethernet are especially vulnerable to this type of attack. To protect against this type of threat, avoid use of broadcast network technologies and enforce the use of data encryption.

IP firewalling is very useful in preventing or reducing unauthorized access, network layer denial of service, and IP spoofing attacks. It is not very useful in avoiding exploitation of weaknesses in network services or programs, or eavesdropping.

Network Security Mechanisms
Network security starts with authenticating any user, most commonly with a username and a password. Once the user is authenticated, a stateful firewall enforces access policies such as which services the network users are allowed to access. Though effective in preventing unauthorized access, this component fails to check potentially harmful content such as computer worms being transmitted over the network. An intrusion prevention system (IPS) helps detect and prevent such malware. An IPS also monitors network traffic for suspicious content, volume and anomalies to protect the network from attacks such as denial of service. Communication between two hosts using the network could be encrypted to maintain privacy. Individual events occurring on the network could be tracked for audit purposes and for later high-level analysis.

Network Security Mechanisms
Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools.
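The two spoofing countermeasures named on the slide, "prevent datagram routing with invalid source addresses" and "introduce unpredictability into TCP sequence numbers", can both be checked mechanically. The script below is an added example written for these notes, not code from the slides: ingress_filter() is a BCP 38-style source-address check at a router, and isn_is_predictable() is an audit of a host's successive initial sequence numbers. The interface names, prefixes, packets and ISN values are constructed sample data.

```python
"""Added example (not from the slides): two defensive checks for the
spoofing countermeasures on the 'Network Attacks: Spoofing' slide,
written in Python 3 with only the standard library.

1. ingress_filter(): a datagram arriving on an interface must carry a
   source address that is plausible for that interface: inside the
   interface's own prefixes for internal links, and NOT inside any
   internal prefix for the external link. Failing packets are dropped
   before they are routed (the "invalid source addresses" measure).
2. isn_is_predictable(): looks at the TCP initial sequence numbers a
   host handed out on successive connections. If they advance by a
   constant step the host is the kind of target the rlogin attack
   relied on; a stack with randomised ISNs shows no fixed step.

Interface names, prefixes, packets and ISNs are constructed samples.
"""
import ipaddress
from typing import Dict, List

# Constructed topology: one external uplink (eth0) and two internal LANs.
INTERNAL_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "eth1": [ipaddress.ip_network("10.1.0.0/16")],
    "eth2": [ipaddress.ip_network("192.168.5.0/24")],
}
EXTERNAL_IFACE = "eth0"


def ingress_filter(iface: str, src: str) -> bool:
    """Return True if a packet with source `src` arriving on `iface` may
    be routed, False if it must be dropped as spoofed."""
    addr = ipaddress.ip_address(src)
    all_internal = [n for nets in INTERNAL_PREFIXES.values() for n in nets]
    if iface == EXTERNAL_IFACE:
        # From outside, a packet must never claim an internal address,
        # nor a loopback or unspecified one.
        return not (any(addr in n for n in all_internal)
                    or addr.is_loopback or addr.is_unspecified)
    if iface in INTERNAL_PREFIXES:
        # From an internal link, the source must belong to that link.
        return any(addr in n for n in INTERNAL_PREFIXES[iface])
    return False  # unknown interface: default deny


def filter_packets(packets):
    """Apply ingress_filter() to (iface, src, dst) tuples and return the
    (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if ingress_filter(pkt[0], pkt[1]) else dropped).append(pkt)
    return accepted, dropped


def isn_is_predictable(isns, max_distinct_steps=1):
    """Flag a host whose successive TCP ISNs advance by a fixed increment
    (modulo 2^32). At least three samples are needed to judge."""
    if len(isns) < 3:
        return False
    steps = {(b - a) % (1 << 32) for a, b in zip(isns, isns[1:])}
    return len(steps) <= max_distinct_steps


if __name__ == "__main__":
    # Constructed packets: (arrival interface, source, destination).
    sample = [
        ("eth0", "203.0.113.7", "10.1.2.3"),    # legitimate external
        ("eth0", "10.1.9.9", "10.1.2.3"),       # outside claiming inside
        ("eth1", "10.1.4.4", "203.0.113.7"),    # legitimate internal
        ("eth1", "192.168.5.9", "203.0.113.7"), # wrong internal link
    ]
    ok, bad = filter_packets(sample)
    print("routed:", ok)
    print("dropped as spoofed:", bad)
    print("fixed-step ISNs predictable:",
          isn_is_predictable([64000, 128000, 192000, 256000]))
```

A real router applies the same rule as a reverse-path check on every interface; the point of the audit function is that "unpredictability" is something a defender can measure on their own hosts rather than assume.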
Techniques used by attackers who attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. Such analysis could be used to further tighten the security of the actual network being protected by the honeypot.

Some tools: firewall, antivirus software and Internet security software. For authentication, use strong passwords and change them on a bi-weekly/monthly basis. When using a wireless connection, use a robust password. Use a network analyzer to monitor and analyze the network.

Network Forensics Revisited
Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process. Wireless forensics is the process of capturing information that moves over a wireless network and trying to make sense of it in some kind of forensics capacity.

Network Forensics: Open Source Tools
Open source tools:
- Wireshark
- Kismet
- Snort
- OSSEC
- NetworkMiner is an open source Network Forensics Tool available at SourceForge.
- Xplico is an Internet/IP Traffic Decoder (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6

Network Forensics: NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network.
The main view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).

Network Forensics: Commercial Tools
Deep Analysis Tools (data mining based tools):
- E-Detective
- ManTech International Corporation
- Network Instruments
- NIKSUN's NetDetector
- PacketMotion
- Sandstorm's NetIntercept
- Mera Systems NetBeholder
- InfoWatch Traffic Monitor

Network Forensics: Commercial Tools
Flow-Based Systems:
- Arbor Networks
- GraniteEdge Networks
- Lancope http://www.lancope.com/
- Mazu Networks http://www.mazunetworks.com/
Hybrid Systems:
- These systems combine flow analysis, deep analysis, and security event monitoring and reporting.
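The NetworkMiner slides describe a passive, host-centric view: sessions, open ports and hostnames inferred from captured frames and grouped per host rather than listed per packet. The script below is an added example written for these notes, not NetworkMiner's code, showing how such a view is built from raw Ethernet/IPv4/TCP frames with only the Python standard library. build_frame() constructs the sample frames inline so it runs offline; the MAC and IP addresses, ports and the HTTP Host header are all constructed values.

```python
"""Added example (not NetworkMiner's code): a toy host-centric view of
the kind the slide describes, built passively from Ethernet/IPv4/TCP
frames. Inference rules, the same passive ideas an NFAT relies on:
- a SYN/ACK from port P on host H, answering a SYN we saw, marks P as
  an open port on H and records one session;
- an HTTP 'Host:' header names the server the client was talking to;
- every MAC address seen with an IP is recorded for that host.
The frames come from build_frame() (constructed); a real tool would
read them from a capture file.
"""
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet II + IPv4 + TCP frame. Checksums are left
    zero; parse_frame() does not verify them."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def parse_frame(frame):
    """Return the fields the host view needs, or None if the frame is
    not IPv4 over Ethernet carrying TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:            # IP protocol field: 6 = TCP
        return None
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
            "src": ".".join(map(str, frame[26:30])),
            "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "flags": tcp[13], "payload": tcp[doff:]}


def host_view(frames):
    """Group evidence per IP host: MACs, open ports, sessions, hostnames."""
    hosts = defaultdict(lambda: {"macs": set(), "open_ports": set(),
                                 "sessions": set(), "hostnames": set()})
    pending_syn = set()   # (client, cport, server, sport) awaiting a SYN/ACK
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        hosts[p["src"]]["macs"].add(p["src_mac"])
        hosts[p["dst"]]["macs"].add(p["dst_mac"])
        if p["flags"] & SYN and not p["flags"] & ACK:
            pending_syn.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif p["flags"] & SYN and p["flags"] & ACK:
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if key in pending_syn:        # only count answered handshakes
                hosts[p["src"]]["open_ports"].add(p["sport"])
                hosts[p["src"]]["sessions"].add(key)
                hosts[p["dst"]]["sessions"].add(key)
        for line in p["payload"].split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                hosts[p["dst"]]["hostnames"].add(
                    line[5:].strip().decode("ascii", "replace"))
    return {ip: {k: sorted(v) for k, v in info.items()} for ip, info in hosts.items()}


# Constructed capture: client 10.1.2.3 opens a web session to 10.1.2.10.
SAMPLE_FRAMES = [
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "10.1.2.3", "10.1.2.10", 40000, 80, SYN),
    build_frame("aa:bb:cc:00:00:10", "aa:bb:cc:00:00:01", "10.1.2.10", "10.1.2.3", 80, 40000, SYN | ACK),
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "10.1.2.3", "10.1.2.10", 40000, 80, ACK,
                b"GET / HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"),
    # A stray SYN/ACK with no matching SYN is not counted as an open port.
    build_frame("aa:bb:cc:00:00:10", "aa:bb:cc:00:00:01", "10.1.2.10", "10.1.2.3", 443, 40001, SYN | ACK),
]

if __name__ == "__main__":
    for ip, info in sorted(host_view(SAMPLE_FRAMES).items()):
        print(ip, info)
```

Nothing here sends a packet; everything is inferred from frames already on the wire, which is what "without putting any traffic on the network" means on the slide. Requiring a SYN before trusting a SYN/ACK keeps a single stray or forged reply from being recorded as an open port.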
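Flow-based systems, listed above as one class of commercial network forensics tools, work from summary records (who talked to whom, on which port, how many packets, when) rather than packet contents; the same kind of volume monitoring is what the Network Security Mechanisms slide has an IPS do to catch denial of service. The script below is an added example written for these notes, not the code of any product named on the slide: it rolls NetFlow-style records into per-minute counters and flags two volume anomalies. The records, thresholds and addresses are constructed sample values.

```python
"""Added example (not any vendor's code): a minimal flow-based monitor
of the kind the 'Flow-Based Systems' slide refers to. It never looks
at payloads; it works on flow records and flags:
- a destination receiving many times more packets in one window than
  its median over the other windows (denial-of-service volume);
- a source opening flows to an unusually large number of distinct ports
  on one destination within a window (a probe worth auditing).
Records, thresholds and addresses are constructed sample values.
"""
from collections import defaultdict
from statistics import median

WINDOW = 60          # seconds per aggregation bucket
DOS_FACTOR = 10      # packets in a window vs. the destination's median
MIN_BASELINE = 3     # quiet windows needed before a volume judgement
SCAN_PORTS = 20      # distinct ports from one source in one window


def bucket(rec):
    """Window index of a flow record (t is seconds since capture start)."""
    return rec["t"] // WINDOW


def aggregate(records):
    """Roll flow records up into per-window counters: packets received per
    destination, and distinct destination ports per (src, dst)."""
    pkts = defaultdict(lambda: defaultdict(int))   # dst -> window -> packets
    ports = defaultdict(set)                       # (src, dst, window) -> ports
    for r in records:
        w = bucket(r)
        pkts[r["dst"]][w] += r["pkts"]
        ports[(r["src"], r["dst"], w)].add(r["dport"])
    return pkts, ports


def detect(records):
    """Return alert tuples: ('volume', dst, window_start, packets) and
    ('portscan', src, dst, window_start, distinct_ports)."""
    pkts, ports = aggregate(records)
    alerts = []
    for dst, per_win in pkts.items():
        for w, n in sorted(per_win.items()):
            others = [v for ww, v in per_win.items() if ww != w]
            if len(others) >= MIN_BASELINE and n > DOS_FACTOR * median(others):
                alerts.append(("volume", dst, w * WINDOW, n))
    for (src, dst, w), p in ports.items():
        if len(p) >= SCAN_PORTS:
            alerts.append(("portscan", src, dst, w * WINDOW, len(p)))
    return sorted(alerts)


def constructed_records():
    """Constructed flow log: four quiet minutes of web traffic, a port
    probe in minute 2, and a flood in minute 5."""
    recs = []
    for w in range(4):
        for client, n in (("10.1.2.3", 30), ("10.1.2.4", 20)):
            recs.append({"t": w * WINDOW + 5, "src": client,
                         "dst": "10.1.2.10", "dport": 80, "pkts": n})
    for port in range(1, 26):
        recs.append({"t": 2 * WINDOW + 10, "src": "203.0.113.9",
                     "dst": "10.1.2.10", "dport": port, "pkts": 1})
    for i in range(200):
        recs.append({"t": 5 * WINDOW + i % 60, "src": f"198.51.100.{i % 250}",
                     "dst": "10.1.2.10", "dport": 80, "pkts": 10})
    return recs


if __name__ == "__main__":
    for alert in detect(constructed_records()):
        print(alert)
```

Judging each window against the median of the others rather than a fixed number keeps a busy server from being flagged just for being busy; the price, as with any flow-based system, is that attacks carried in content rather than volume are invisible here and need the deep-analysis tools listed beside them.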