CJE6625 Network Forensics - Lecture Modules

Switches

"Switches are the glue that hold our LANs together" (Davidoff & Ham, 2012)
- Multiport bridges that physically connect network segments together
- Most networks connect switches to other switches to form complex network environments
FORENSIC VALUE:
- Content addressable memory (CAM) table = stores the mapping between physical ports and MAC addresses
- Platform to capture and preserve network traffic
- Configure one port to mirror traffic from other ports for capture with a packet sniffer

Windows Services

- Applications that run in the background
- Typically without user interaction
- Typically start up when the system is booted
- Used by attackers to maintain persistence on compromised systems
- Many services are implemented as a DLL and run under svchost.exe, so many instances of svchost.exe will be running
To access the Windows Services in Windows 10:
1. Left click on the Start button
2. Type Services
3. Select the Services app

Wireshark - Packet Capture and Analyzer Software

- Captures traffic
- Decodes raw data
- Analyzes each packet based on the protocols within it
- Most popular and well-known packet analyzer
- .pcap file = Packet Capture
- www.wireshark.org
- Best way to learn Wireshark is to simply use it!
What we will be learning this lecture:
- Display filters
- Protocol Hierarchy
- Conversations
- Follow TCP Stream
- Endpoints

Authentication Servers

- Centralized authentication services
- Streamline account provisioning and audit tasks
FORENSIC VALUE:
- Logs
1. Successful and/or failed attempts
2. Brute-force password attacks
3. Suspicious login hours
4. Unusual login locations
5. Unexpected privileged logins

Central Log Server

- Combine event logs from many sources where they can be time stamped, correlated and analyzed automatically
- Can vary enormously depending on the organization
FORENSIC VALUE:
- Designed to identify and respond to network security events
- Preserves log data even if one server is compromised
- Retain logs from routers for longer periods of time than the routers themselves offer
- Commercial log analysis products can produce complex forensic reports and graphical representations of data
(Essentially the same data you would get if you pulled logs from each individual application server)

Routers

- Connect traffic on different subnets or networks
- Allow different addressing schemes to communicate
- MANs, WANs, and GANs are all possible because of routers
FORENSIC VALUE:
- Routing tables
a) Map ports on the router to the networks they connect
b) Allow path tracing
- Can function as packet filters
- Logging functions and flow records
- Most widely deployed intrusion detection but also the most rudimentary (basically used to determine whether somebody connected to that network)

Firewalls

- Deep packet inspection: forward, log or drop
- Based on source and destination IP, packet payloads, port numbers, and encapsulation protocols
FORENSIC VALUE:
- Granular logging
- Function as both infrastructure and IDSs
- Log -->
1. Allowed or denied traffic
2. System configuration changes, errors, and other events

Sysinternals - TCPView

- Detailed listings of all TCP and UDP endpoints on your system
- Local and remote addresses
- State of TCP connections
- If a process has a network connection open, it shows you the local address as well as the remote IP address
- Attackers will try to name processes to look familiar so that you overlook them
- Ex: You have notepad, but it has a remote network connection open, which it should not have; they replaced your notepad with a corrupted copy

Netstat

- Displays active TCP connections and the ports on which a computer is listening
- Provides Ethernet statistics
- IP routing table
- Runs from Command Prompt
- netstat [-a] [-b] [-e] [-n] [-o] [-p <Protocol>] [-r] [-s] [<interval>]
- [-a]: all active TCP connections and the TCP/UDP ports on which the computer is listening
- [-b]: displays the executable that created each connection/listening port
- [-e]: Ethernet statistics
- [-o]: includes the process ID (PID) for each connection
- [-r]: displays the routing table
- Which ports are listening is important: if somebody installs a command and control server on a computer, that server has to be listening for connections from the bots (the infected computers) in order to communicate with them, so if you see a bunch of different external IP addresses connected on ports, it gives you an idea that you have an infection

arp

- Displays and modifies entries in the Address Resolution Protocol (ARP) cache --> IP addresses and MAC addresses
- arp [/a [<inetaddr>] [/n <ifaceaddr>]] [/g [<inetaddr>] [-n <ifaceaddr>]] [/d <inetaddr> [<ifaceaddr>]] [/s <inetaddr> <etheraddr> [<ifaceaddr>]]
- arp /a: Displays the current ARP cache tables for all interfaces
- arp -a: Displays the current ARP cache table for the default interface
- Shows you which computers have interacted with the computer you are working on

Name Servers

- Map IP addresses to host names
- Domain Name System (DNS)
- Recursive hierarchical distributed database
FORENSIC VALUE:
- Configured to log queries -->
a) Connection attempts from internal to external systems (Ex: websites, SSH servers, external mail servers)
b) Corresponding times
- Create a timeline of suspect activities

Network Intrusion Detection Systems & Network Intrusion Prevention Systems

- NIDSs and NIPSs were designed for analysis and investigation
- Monitor real-time network traffic
- Detect and alert security staff of adverse events
FORENSIC VALUE:
- Provide timely information -->
1. In-progress attacks
2. Command-and-control traffic
3. It can be possible to recover the entire contents of network packets; more often, recovery is only the source and destination IP addresses, TCP/UDP ports, and event time

Nbtstat

- NetBIOS over TCP/IP (NetBT) protocol statistics
- NetBIOS name tables for both the local computer and remote computers (to show you what is connected)
- NetBIOS name cache
- nbtstat [/a <remotename>] [/A <IPaddress>] [/c] [/n] [/r] [/R] [/RR] [/s] [/S] [<interval>]
- [/a <remotename>]: Displays the NetBIOS name table of a remote computer, specified by name
- [/A <IPaddress>]: Displays the NetBIOS name table of a remote computer, specified by IP address
- [/c]: Displays the contents of the NetBIOS name cache
- [/n]: Displays the NetBIOS name table of the local computer

On The Wire

- Physical cabling carries data over the network
- Typical network cabling: copper (twisted pair or coaxial cable) and fiber-optic lines
FORENSIC VALUE:
- Wire tapping can provide real-time network data
- Tap types:
a) "Vampire" tap - punctures the insulation and touches the conductors
b) Surreptitious fiber tap - bends the cable and cuts the sheath, exposing the light signal
c) Infrastructure tap - plugs into connections and replicates the signal

M2 Noob's Keylogger Demo (using file "Noobs Keylogger.pcap")

1. Apply the http filter (there were HTTP packets, meaning they probably used a web browser)
2. Apply the smtp filter (no mail sent or forwarded)
3. Apply the pop3 filter (no POP3 mail received)
4. Apply the ftp filter (FTP means files were transferred, uploaded, or downloaded between computers)
5. Apply the ftp-data filter to see if any data has been sent
6. Follow the TCP stream on the first packet with the ftp-data filter applied
7. We skim through the metadata and towards the end we see Ardamax_FTP_Delivery, which is bad because Ardamax is a keylogger, meaning somebody transferred a keylogger to the computer
8. At this point we would look at the host-side artifacts to see if Ardamax was actually installed, what was potentially captured, what was sent, and so on
9. Reapply ftp-data, highlight the second packet and follow its TCP stream
10. This time we will see Microsoft Edge and a Gmail address, so they used the keylogger to capture the data and then maybe used Gmail to exfiltrate the data
11. Now we go to Tools --> Credentials and we will see two packets with the same username: test_user
12. So we write down that test_user was used in packets 96 and 1824
13. When we click on 96, we will be led to packet 96 and see in the FTP layer that they passed in the command PASS, which gives us the password: Nipun@123. If we look at 1824, we will see the command USER passed in, with test_user entered as the user.
* When we typed in the ftp filter, if we had looked through the Info column we might have seen Request: USER test_user and Request: PASS Nipun@123, but it will not always be that easy to find
* We will also see that the login was successful, meaning that the information is accurate
* There are always multiple ways to find things

Networking Tools - How to run a traceroute

1. Press and hold the Windows key on the keyboard
2. Press "R"
3. In the Run box type: cmd [enter]
4. Type the command: tracert domain.com [enter]
Example: tracert comcast.com - makes its way to the DC area

How to do a capture on wireshark on your own network

1. Select the interface whose traffic graph shows activity
2. Then click on the shark fin in the top left corner to start the capture
3. Then stop

M4 Demo Optional Exercise: Case Study - ICMP Flood or Something Else (Using file "icmp_camp.pcapng") part 1

1. We added a new column for UTC Time and placed it next to the Time column
2. We then looked at the capture file properties in Statistics. This gives us information on start time, end time, last packet, dropped packets, total number of packets, time span, and total bytes.
3. Next, we went to look at Endpoints in Statistics. We can see that the majority of the traffic is going between 192.168.153.129 and 192.168.153.130.
4. This can be confirmed by the Conversations tab in Statistics: 1,018 packets between those two, while the rest total about 20. This is strange because all of the protocols are ICMP, so why do we have so much ping traffic between these two endpoints?
5. Now we are going to use the filter "icmp.type == 8". These are all the echo requests between .129 and .130. If we change the 8 to 0, we will see the ping replies. Something is not right because we would not usually have that many ping replies. This is when we do deeper packet inspection.
6. We are looking at packet 149 and we see that there is no response seen, so then we go to 150 next. 150 says it is a reply but there is application data, which is not normal either. In the data, we see an ipconfig command.
7. If we look at the IP and go to .179, we see that there is data again and it shows a system PATH, so someone is using ICMP to access the system.

Other Network Devices

1. Wireless Access Points/Repeaters - Not necessarily the router itself; its job is to boost the wireless signal
2. Intrusion Detection Systems (IDS) - Job is to look for malicious traffic and malformed data that is trying to do something funky on your network; a security device that alerts you
3. Load Balancers
4. Firewalls - Similar to an IDS but more of a pre-configured device that only allows certain traffic in and out
** These devices may contain logs and other resources you may need to further your investigation

http status codes

200 = OK
204 = No content
401 = Unauthorized
403 = Forbidden
404 = Not found

M4 Demo Optional Exercise: Case Study - ICMP Flood or Something Else (Using file "icmp_camp.pcapng") part 2

8. Everything is coming from .129 and we know .129 is the culprit. We put the PowerShell script line we need to run into the sandbox to get the data and saved the output. We can copy that into the sandbox and use Notepad++.
9. In Command Prompt, go to the Wireshark folder in Program Files. The prompt will look like this:
C:\Program Files\Wireshark> .\tshark.exe -Y data -r C:\Users\nguye\Downloads\icmp_camp.pcapng -T fields -e data
10. You will get the output of the data fields; copy all of that data and paste it into Notepad++. Highlight all the data, go to Plugins and convert from hex to ASCII, and we get all this information.
11. They ran whoami and can now use the computer name against them.
* For the number and percentage of IPv4 packets, go to Protocol Hierarchy in Statistics.
* For the arrival time in EST of the first ARP packet, apply the filter "arp" and choose the first one. EST is 5 hours behind UTC, so subtract 5 hours from the given UTC time.

Local Area Network (LAN)

A local area network (LAN) is a computer network that connects computers within a limited area such as a residence, school, laboratory, university campus or office building. Wired Ethernet and Wi-Fi are the two most common connection technologies in use for local area networks. In the end everything comes to one point, which is typically the router.

Squid Proxy Server Logs part 1

A lot of companies use Squid proxy servers as a way to protect internal clients: all the traffic goes to the proxy server first, and if the proxy has the requested information, it returns the answer. If it does not, it sends a request out to the internet, and the response returns to the proxy and then to the client. Also used for speed.
EXAMPLE:
1546169125.919 208 192.168.174.110 TCP_MISS/200 18406 CONNECT i.ytimg.com:443 - HIER_DIRECT/172.217.31.22
FIELD 1 = 1546169125.919 - The client request time stamp in Squid format; the time of the client request in seconds since January 1, 1970 UTC (with millisecond resolution)
FIELD 2 = 208 - The time the proxy spent processing the client request; the number of milliseconds between the time that the client established the connection with the proxy and the time that the proxy sent the last byte of the response back to the client
FIELD 3 = 192.168.174.1 - The IP address of the client's host machine
FIELD 4 = TCP_MISS/200 - The cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache results are described in the proxy response status code (the HTTP response status code from Content Gateway to the client).
- MISS means the object was not found in the cache and was instead downloaded from the actual site
- 200 was the status code for OK
- In this instance, the IP address 192.168.174.1 requested the website i.ytimg.com in the cache and returned it in cache. Since the proxy server already had the information, it didn't have to actually go onto the website.
- TCP_MISS/200 means the client was allowed to access the site (200) but the site was not cached on Squid (TCP_MISS)

What is a network?

A network is a group of two or more devices that can communicate. In practice, a network is comprised of a number of different computer systems connected by physical and/or wireless connections.

Wide Area Network (WAN)

A wide area network (WAN) is a geographically distributed private telecommunications network that interconnects multiple LANs. A WAN may consist of connections to a company's headquarters, branch offices, colocation facilities, cloud services, and other facilities. Typically a router or other multifunction device is used to connect a LAN to a WAN. (Essentially connects the network to other LANs)

wireshark - analyze, statistics, conversations

ANALYZE - You can create your own filters
STATISTICS - You can see the protocol hierarchy, conversations and endpoints
STREAM - You can follow a stream by right clicking on a packet and selecting "Follow TCP Stream"
When you click on a packet, it shows you all the data below and even shows all the bits and bytes. When you highlight something in the decoded data, it shows you where those bytes are in the raw data. You can do Save As from File in the menu bar.

Apache Web Server

Access Logs
- Contain information about requests coming to the web server
- IP address, date, time, webpage requested
Status Codes:
200 = OK
302 = Found
400 = Bad request/error
Common log
192.168.174.150 - frank [10/Oct/2021:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
Client IP address: 192.168.174.150
Userid of person making the request: frank
Date and time: Oct 10, 2021 at 1:55:36 PM
Request line from client: requested this gif file
Status code: 200 = OK/good request
Size of object in bytes: 2326 bytes
Combined log
192.168.174.150 - frank [10/Oct/2021:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win10; I; Nav)"
Client IP address: 192.168.174.150
Userid of person making the request: frank
Date and time: Oct 10, 2021 at 1:55:36 PM
Request line from client: requested this gif file
Status code: 200 = OK/good request
Size of object in bytes: 2326 bytes
Referrer HTTP request header: "http://www.example.com/start.html" (if someone was on a website and clicked on a link that brought them to this web server, this gives you the referrer)
User-Agent HTTP request header: "Mozilla/4.08 [en] (Win10; I; Nav)"
Web browser: Mozilla 4.08
OS: Windows 10

OSI Model - Which layers are data, segments, packets, frames, and bits?

All People Seem To Need Data Processing
Application is the outermost layer, starting at the host artifact, and each lower layer is farther in the model.
7. Application: Network process to application - FTP, HTTP, DNS, Telnet
6. Presentation: Translation, compression, encryption - SSL, JPEG
5. Session: Interhost communication - APIs are RPC and NetBIOS
4. Transport: End-to-end connections and reliability - TCP, UDP, RDP
3. Network: Path determination and logical addressing - IP information, IPv4/IPv6
2. Data Link: Physical addressing - Ethernet, MAC addresses
1. Physical
~~~~~~
Encapsulated Terms
Data - Layers 7 to 5: Application, Presentation, Session
Segments - Layer 4: Transport
Packets - Layer 3: Network
Frames - Layer 2: Data Link
Bits - Layer 1: Physical

Computers

Also referred to as Host Side Artifacts
SERVICES:
- Windows Services applet
- macOS launch daemons
- Linux service scripts
NETWORK CONNECTIONS:
- Netstat
- Nbtstat
- Ifconfig/ipconfig
- arp
WINDOWS SYSINTERNALS:
- Over 100 small programs to manage, troubleshoot, and diagnose Windows systems and applications
- TCPView
- PsFile
- Process Explorer

Internet Protocol (IP) Address

An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions:
1. Identify the device
2. Identify the network
Numbers can range from 0 to 255, giving you a total of 256 values. Sections are split into octets. Certain octets are reserved for your device address and certain octets are reserved for your network address. There are different configurations on different devices. Each number is unique!
A router is divided into 2 IP addresses for its private and public addresses. 192 is the internal and local one. 82 is the external one and how the world sees you. A webpage will record the 82 address, not the 192. This can be an issue when investigating because if there are 500 computers in the same area, you will not be able to identify which computer committed the offense based on the public IP address alone. We split the router's IP address into two so we do not run out of IP addresses.

Application Server

Common types:
- Database
- Web
- Email
- Chat
- VoIP / voicemail
FORENSIC VALUE:
- Far too many to list!
- Account information

M4 Demo Analyzing Packets on TCP (Using file "FTP- Unknown-56.pcap")

Consider a scenario where an FTP server is listening on port 10,008, which is a non-standard FTP port, or an attacker who has infiltrated the network is using port 443 to listen for FTP packets. How would you recognize that the HTTP port is being used for FTP services?
1. With the pcap file open in Wireshark, we look at the first TCP packets and they look normal. We get the [SYN] then the [SYN, ACK], and that's our initial 3-way handshake.
2. Then we look at the next one and we see in the fourth packet that there is data. Normally in a TCP packet the protocol dissection stops at the TCP layer. If TCP sends data, it will be in the TCP layer. But this packet has its own Data application layer, which is not normal. It also tells us that there are 42 bytes in its data.
3. If you right click on any packet with protocol TCP that has a Data layer and do Follow -> TCP Stream, it shows us the stream. This gives us the user and pass used in this stream. By reading the stream, we see FTP commands going across the network, but it is not shown as FTP traffic, so how do we see it in its proper form?
4. Click on the first packet with no filter. Go to Analyze and click on Decode As. Hit the plus sign and fill in the following information: Field=TCP port, Value=10008, Type=Integer, base 10, Default=(none), Current=FTP. Then click OK.
5. Now we should see that the packets have the proper protocols. Some of the previous packets had TCP as their protocol but now it has changed to FTP. For a clearer understanding, you can filter the packets with "ftp" to see all the FTP packets now.
Questions:
- How many bytes is the first [PSH, ACK] packet after the initial 3-way handshake? 42 bytes (normal would be 0)
- What is the user name sent in this stream? local
- What is the password sent in this stream? 12345

Routing with Network Protocols Explained with the OSI Model

DEFINITIONS:
The Open Systems Interconnection (OSI) model DEFINES a networking framework to implement protocols in layers, with control passed from one layer to the next. It conceptually divides computer network architecture into 7 layers in a logical progression. The LOWER LAYERS deal with electrical signals, chunks of binary data, and routing of these data across networks. HIGHER LAYERS cover network requests and responses, representation of data, and network protocols as seen from a user's point of view.
LAYERS:
1. APPLICATION = Example: Type an email in the program using the graphical user interface - This is how you interact with the program.
2. PRESENTATION = Text must be converted to a standard format to be made ready for sending - Its job is to control the encoding of the data. For example, a file has a binary attachment like an image. That cannot pass through a normal email system. It has to be translated to the appropriate language.
3. SESSION = Setup and teardown of the association between two communicating endpoints - Establishes the rules and methods for how devices are going to remain connected. Example: If I don't hear from you every 5 seconds, I will try to reestablish the connection.
4. TRANSPORT = Data is broken up into small numbered data blocks called segments - Divides large data into smaller segments routed across the internet - Important because you don't want to take up all of your internet resources or else other traffic will not be able to pass through - Divides the packets to go through different directions and keeps track of the numbering of the packets
5. NETWORK = Network addresses are attached to the segments and they are now called packets - We broke our data up and now we have to get it somewhere. We place addresses on it, usually the IP address, to allow it to route across the network.
6. DATA LINK = Local hardware addresses are attached for local routing and a frame is created - Ensures that there are reliable, error-free transmissions across the equipment
7. PHYSICAL = Frames are converted to electrical signals and passed along a wire or radio wave - Handles the conversion of data to its transmission medium
CONCEPTS:
- Think of the OSI model as a Russian nesting doll. With eac

CentralOps.net

Domain Dossier --> Google.com
Domain whois record - ownership information on record
Network whois record - the actual internet address range assigned to this domain name
DNS records - different routing features and routing structure of the domain
Address lookup - IP address
ARIN - who assigns IP addresses in America
The network whois record gives us information about the organization that owns the IP address range.
DNS records are at the bottom and have a ton of important information, like an A record, aka the IP address. In the TXT records within the DNS records, Google purchased or is in partnership with Facebook for some reason, but Google basically said "before we work with you, we have to verify your identity: you have to put this code in your DNS record and then we will query this code in your record."
---
Domain Dossier --> npsec.net
It will say "contact privacy" under owner because that is private information that a user can select to hide.

Domains and DNS

Domains and the Domain Name System (DNS) are the key to allowing humans to surf the internet. DNS converts human-readable domain names (e.g. Google.com) into IP addresses (64.233.185.113). Domain name servers are the Internet's equivalent of a phone book.

DHCP Servers

Dynamic Host Configuration Protocol - Automatic assignment of IP addresses
FORENSIC VALUE:
- Investigations often begin with IP addresses
- DHCP leases IP addresses
- Creates a log of events:
a) IP address
b) MAC address of the requesting device
c) Time the lease was provided or renewed
d) Requesting system's host name

Host Side Artifacts

Evidence available on computers
Services:
- Windows Services applet
- macOS launch daemons
- Linux service scripts
Network Connections:
- Netstat
- Nbtstat
- arp
Windows Sysinternals:
- Over 100 small programs to manage, troubleshoot and diagnose Windows systems and applications
- TCPView
- Process Monitor
- Process Explorer

How do I find my EXTERNAL Internet Protocol (IP) Address

Your external IP address is what the world sees you as. This is important because as you browse the internet this is the address being logged. One way to find it: IPChicken.com (yes, for real!!)
Current IP address: 73.138.97.60
Name Address: c-73-138-97-60.hsd1.fl.comcast.net
Remote Port: 53894
Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
(The internal IP address is good for configuration.)

Squid Proxy Server Logs part 2

FIELD 5 = 18406 - The length of the Content Gateway response to the client in bytes, including headers and content
- Number of bytes returned
FIELD 6 = CONNECT - The client request method: GET, POST, and so on
- The request was CONNECT to the website i.ytimg.com, so the proxy server made a connection to that website
FIELD 7 = i.ytimg.com:443 - The client request canonical URL; blanks and other characters that might not be parsed by log analysis tools are replaced by escape sequences. The escape sequence is a percent sign followed by the ASCII code number of the replaced character in hex.
FIELD 8 = (-) - The authenticated client's user name. A hyphen (-) means no authentication was required.
- No log in in this case
FIELD 9 = HIER_DIRECT/172.217.31.22 - The proxy hierarchy route; the route Content Gateway used to retrieve the object, and the proxy request server name; the name of the server that fulfilled the request. If the request was a cache hit, this field contains a hyphen (-).
FIELD 10 = HIER_DIRECT/172.217.31.22 - The proxy response content type; the object content type taken from the Content Gateway response header

Common Protocols and Application - FTP

FTP - File Transfer Protocol is a standard network protocol used for the transfer of computer files between a client and server on a computer network. FTP is built on a client-server model architecture using separate control and data connections between the client and the server. There are numerous free and paid FTP software products available for download. Example: We used Tectia and Bitvise.

(T/F) The purpose of the Domain Name System (DNS) is to break network data into smaller, more manageable sized packets (called domains) to help ensure networks operate efficiently and reliably.

False

(T/F) The purpose of the OSI (Open Systems Interconnection) Model is to explain in exact detail how network traffic physically moves between devices on a network.

False

(T/F) A router's primary job is to secure your network by blocking malicious network traffic.

False - Firewall

MySQL Database Logs

General Query Log
- Client connections
- Logs each statement from clients (queries)
Log format: yymmdd hh:mm:ss thread_id command_type query_body
181230 - 2018, December 30th
519 - 5 minutes and 19 seconds
Thread id is 58
Type is Connect
Command body is Verilog

Internal vs External IP addresses

Generally your home or work network will use 2 different IP addresses. One will be your internal IP, which is used to route data inside your network only.
- Every device will have its own unique internal IP address.
- Some common internal IP blocks include 192.168.1.xxx (home/small businesses) and 10.xxx.xxx.xxx (large organizations).
- To view your own IP address, we can use the command line interface (CLI).
- Key point: These addresses are non-routable. Important for security.

Common Protocols and Application - HTTP

HTTP - Hypertext Transfer Protocol is the underlying protocol used by the World Wide Web. This protocol defines how files (text, graphic images, sound, video, and other multimedia files) are formatted and transmitted and what actions web servers and browsers should take in response to various commands. You don't always have to type http:// because it is the default. The common port number is port 80.

Common Protocols and Application

Here are some examples of common Internet tools/programs you should be familiar with and the protocols they use. Remember the internet is much more than the web (HTTP)...

What is IPv4?

IPv4 uses 32 binary bits to create a single unique address on the network. An IPv4 address is expressed by four numbers separated by dots. Each number is the decimal (base-10) representation of an eight-digit binary (base-2) number, also called an octet.
- 32 bits because it is made up of 4 sections of 8 bits each, each of which is an octet

Protocols

In information technology, a protocol is the special set of rules that end-points in a telecommunication connection use when they communicate. Protocols specify interactions between the communicating entities. Basically defines the rules that things work by. Example: HTTP has a protocol that makes sure that all browsers and servers can properly transfer all kinds of files and data no matter what make and version of the software as long as we are all speaking the same HTTP protocol.

Snort IDPS Logs

LOG FORMAT: Date, Time, IP Source & Port, IP Destination & Port, Description, Severity - Response to a Snort rule
Snort - Intrusion Detection and Prevention System that only creates log entries in response to a Snort rule
Snort rule: For any alert of any TCP connection from any IP address and any port to any IP address and any port, say the message "Exploit detected" with an SID

Cisco ASA Firewall Logs

LOG FORMAT: Date, Time, Message Code, Message, IP/Hostname Source, IP/Hostname Destination
- When it shows you a deny message, it also attaches the reason it was denied

As it relates to networking, a "LAN" is a:

Local Area Network

Deep Packet Inspection (DPI)

Looking beyond the packet headers, TCP/IP information and state of connections
- Looks at the data in the application layer
- Does the port match the protocol?
- Is data encapsulated in different protocols?
- TCP/IP layers are what you see in Wireshark: physical, data link, internet, transport (TCP/UDP), and application

Network Logs

Multiple sources of network logs:
Application Server Logs
- Web server
- Email server
- Oracle WebLogic server
- SAP NetWeaver
Database Logs
Firewall Logs
Intrusion Detection and Prevention System Logs
Proxy Server Logs

Sources of Network-Based Evidence

Network environments are usually varied and unique, but they all have similarities. There are many sources of evidence in a network.
- On the wire
- In the air
- Computers
- Switches
- Routers
- DHCP Server
- Name Servers
- Authentication Server
- Network Intrusion Detection / Prevention Systems
- Firewalls
- Web Proxies
- Application Server
- Central Log Server

Common Protocols and Application - P2P

P2P - "Peer to Peer" protocol allows computer systems to connect directly to each other via the Internet. Files can be shared between systems on the network without the need for a central server or central hub. In other words, each computer on a P2P network becomes a file server as well as a client. Once connected to the network, P2P software allows you to search for files on other people's computers. Meanwhile, other users on the network can search for files on your computer, but typically only within a single folder that you have designated to share. Common P2P software programs include Kazaa, Limewire, BearShare, Morpheus, and Acquisition. These programs connect to a P2P network, such as "Gnutella," which allows the computer to access thousands of other systems on the network. P2P & digital piracy

Transmission Control Protocol (TCP) & Internet Protocol (IP)

Perhaps the two most famous protocols in computers are TCP/IP (they are actually a suite of multiple protocols grouped together under two main names) TCP = divides a message or file into packets that are transmitted over the internet and then reassembled when they reach their destination (Transport Layer) IP = is responsible for the address of each packet so that it gets to the correct destination aka for routing it (Network Layer)

Common Protocols and Application - RDP

RDP - Remote Desktop Protocol is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Common Protocols and Application - SMTP

SMTP - Simple Mail Transfer Protocol is an Internet standard for electronic mail (email) transmission. First defined in 1982, it was updated in 2008 with Extended SMTP, which is the protocol in widespread use today. Although electronic mail servers and other mail transfer agents use SMTP to send and receive mail messages, user-level client mail applications typically use SMTP only for sending messages to a mail server for relaying. For retrieving messages, client applications usually use either IMAP (Internet Message Access Protocol) or POP3 (Post Office Protocol).

Common Protocols and Application - SSH

SSH - Secure Shell is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.

Sysinternals - Process Monitor

Shows real-time file system, Registry and process/thread activity. Processes: System, Idle, smss.exe, csrss.exe, wininit.exe, lsass.exe, services.exe, svchost.exe, taskhost.exe, winlogon.exe, explorer.exe, Registry, Memory Compression, RuntimeBroker.exe, dwm.exe, dllhost.exe * You can look at the list in the M3 lecture video

Sysinternals - Process Explorer

Shows which program has a file or directory open (when you highlight one, it shows you the system information below too). Two windows: - Top window shows the list of active processes - Bottom window shows the handles of the process selected in the top window, or its DLLs and memory-mapped files

The most popular suite of routing protocols used in today's network infrastructure is:

TCP/IP

DPI with OSI Layers and TCP/IP Layers - Analyzing Packets in Wireshark

TCP/IP Layer Application = OSI Layers Application, Presentation, Session
- File Transfer Protocol (FTP) in Wireshark (will not always have an application layer)
TCP/IP Layer Transport = OSI Layer Transport
- Transmission Control Protocol with Src, Dst, and Sequence Number in Wireshark
- Payload deals with whether it has another protocol within it
- EXAMPLE: If the protocol is only TCP, there should be no additional Data layer --> warning sign that something is wrong! In the example, we see in the data that it says USER, PASS, QUIT, CWD, PWD, and so on. These belong to FTP, so the protocol should say FTP instead of TCP, but somebody has hidden the data.
TCP/IP Layer Network = OSI Layer Internet
- Internet Protocol with Src and Dst in Wireshark
TCP/IP Layer Data-Link = OSI Layer Data-Link
- Ethernet and MAC Addresses in Wireshark
TCP/IP Layer Physical = OSI Layer Physical
- Frame in Wireshark

In squid- and netscape-format log files, what do the cache result codes mean?

TCP_MISS = Object not found in cache, downloaded from the OCS
TCP_HIT = Object found in cache
TCP_NC_MISS = The request was made for an object that can't be cached
TCP_REFRESH_MISS = Appliance had the object in cache, but a check with the OCS (GET with If-Modified-Since) indicated that the object was stale. The object was downloaded from the OCS and the new object was placed in cache.

What is the largest wan on the planet?

The Internet!! The Internet is nothing more than billions of LANs and WANs

On the Wire vs In the Air in Terms of Security

The air is much less secure than the wire

Routers - The Network Traffic Cop

The router's job is to quickly, efficiently and accurately move information in the form of electrical signals and/or radio waves (Wi-Fi) to and from various network-connected devices. Nowadays the router and modem are often built together, even though they serve different purposes.

Technical Aspect beyond Scope of Internet Protocol (IP) address

This has been a very brief overview of IP addressing. In reality it is a much more complex protocol, and the details of the inner workings of TCP/IP are beyond the scope of this class. If you are interested in learning more, the internet is full of excellent tutorials on networking fundamentals -- just head over to 64.233.185.113 to start - wait, what do I mean by that?

How do I find my INTERNAL Internet Protocol (IP) Address

To start the Windows CLI (Command Prompt):
1. Press and hold the Windows key on the keyboard
2. Press R
3. In the Run box type: CMD [enter]
4. At the command prompt type: ipconfig /all [enter]
Windows IP Configuration - how Windows sees your device
Physical address attached to Wireless LAN adapter Wi-Fi = hardware address of your device, helpful for filtering addresses ** in my case, it was in Ethernet adapter Ethernet 2
DHCP Enabled = dynamic host control protocol
Default gateway = actual address of the router; this is where outbound traffic goes out to the internet

Networking Tools - Traceroute

Traceroute, also called tracepath or tracert, is a network tool used to determine the path packets take from one IP address to another. It will list all the routers it passes through until it reaches its destination, or fails to and is discarded. In addition to this, it will tell you how long each 'hop' from router to router takes. - Popular for investigating domain names and used for network diagnostics. - Will be run at the command line - Good program because as the packets traverse the network, they return to you the name of each router they were routed through, and you will start to see ISPs naming their locations

(T/F) A network can generally be defined as two or more devices that can communicate with each other.

True

(T/F) An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.

True

(T/F) IPv4 addresses are commonly represented by 4 groups of numbers between 0-255 separated by a dot.

True

(T/F) In telecommunications and networking a "Protocol" is a standardized set of rules and methods used by hardware manufacturers and software developers to help enable reliable communications.

True

Web Proxies

Two uses: 1. Improve performance by caching web pages 2. Log, inspect, and filter web surfing FORENSIC VALUE: - Granular logs can be retained for an extended period of time - Visual reports of web surfing patterns according to IP addresses or usernames (Active Directory logs) - Analyze --> a) phishing email successes b) Inappropriate web surfing habits c) Web-based malware - View end-user content in cache

Which of these is NOT a layer in the OSI Model? A. Network B. User C. Physical D. Session

User

Networking Tools - Whois

WHOIS is a widely used Internet record listing that identifies who owns a domain (or IP range) and how to get in contact with them. The Internet Corporation for Assigned Names and Numbers (ICANN) regulates domain name registration and ownership.

IPv4 vs IPv6 Example

We're running out of IP addresses to give to devices. One way of getting around that is by doing internal private addresses but even so, we are starting to run out so we are getting into IPv6.

Windows Event Viewer

Windows Log for local events:
- Application
- Security
- System
Windows Event Logging records five types of events:
1. Error
2. Warning
3. Information
4. Success Audit
5. Failure Audit
Event IDs:
- 4768 - Invalid password or username
- 4624 - typical logon
- 4625 - failed logon
To access the Event Viewer in Windows 10:
1. Right click on the Start button and select Event Viewer
2. Select the type of logs that you wish to review (ex: Application, System, Security)

In The Air

Wireless station-to-station signals - Radio frequency (RF) - Infrared (IR) -> not very common FORENSIC VALUE: Can be trivial as information is often encrypted; however, valuable information can still be obtained - Management and control frames are usually not encrypted - Access points (APs) advertise their names, presence, and capabilities - Stations probe for APs and APs respond to probes - Volume-based statistical traffic analysis

Networking Tools - Wireshark

Wireshark is the world's foremost and widely-used network protocol analyzer. It is a network capture analyzer. It lets you see what's happening on your network at a microscopic level and is the de facto standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark is a free and open source software project available for anyone to download.

Deep Packet Inspection Introduction

Within the network, the packets captured with Wireshark carry header information: the frame information, Ethernet information, IP information, and then TCP or UDP, depending on which transport protocol is used. Above that you have the data: if you are using HTTP to go to a website, for example, data is being transferred back and forth between you and the website and its actual web pages. These different protocols are used on the Internet for things like transferring files, graphics, streaming video, etc. UDP is used a lot for streaming video. HTTP is usually used for websites and file transfer. When those protocols are used, we go beyond TCP or UDP and we have data. Data is the next layer up in the network stack, and hackers have the ability to disguise the type of data they are sending, or the protocol they are using, in order to hide that data. This is what makes deep packet inspection useful: you can dig down deep to identify data that has been hidden by mislabeling the protocol.

Wireshark - display filter

The display filter is right below the action bar. You can type something like http, for example, and it looks for any HTTP traffic (unless everything is encrypted, in which case it won't show). You can look at the guide to see the many combinations that you can set in the display filter.

