Module XXXIII – Investigating Internet Crimes
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Fraud Investigation Leads to Charges
Date: August 09, 2008
Following a two-year investigation into international Internet fraud, a Kelowna man has been arrested.
The Calgary Police Service and Royal Canadian Mounted Police conducted a two-year investigation related to a series of Internet frauds, in which victims in the United States and Sweden were defrauded of hundreds of thousands of dollars through Internet auctions for vintage automobiles.
The investigation indicates these Internet frauds may have been part of a larger scheme, where victims were lured into bidding on Internet auction sites for vintage automobiles.
Victims would then send their money, usually in the tens of thousands of dollars, by wire transfer to bank accounts held in Calgary.
The victims would either fail to receive a purchased vehicle or receive a vehicle that was not the same as the item purchased. The money that was received from victims into holding company bank accounts was then directed elsewhere.
Source: http://www.bclocalnews.com/
News: Does the Internet Need its Own Police Force?
Sunday, December 21, 2008 5:32 AM PST
2008 has been a year of growth in malware, infections, botnets and criminal profits. Recently, some security experts called for the punishment of these criminal activities.
Malware tripled in 2008
In its 'End of Year Data Security Wrap-up for 2008', Finland-based security company F-Secure said their detection count tripled in one year, which means that the total amount of malware accumulated over the previous 21 years increased by 200 per cent in the course of just one year.
Criminal activity for financial gain remains the driver for the massive increase in Internet threats. Today's malware is produced by highly organised criminal gangs using increasingly sophisticated techniques. This year has seen increasing botnet activity around the world.
These remotely controlled networks of infected computers remain a major challenge to the IT security industry because it is their vast computing power that is behind the unprecedented level of spam e-mail and malware distribution.
Roy Ko, a computer security expert based in Hong Kong, has seen an overall decrease in the number of virus incidents and phishing spyware, but an increased number of alerts in the past year. Ko is the manager of Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) at the Hong Kong Productivity Council.
Daniel Eng, a computer forensics expert, said the contemporary public IT security issues include data leakage, misuse of Foxy, potential security issues with Apple's 3G iPhone, the growth of botnets, the vulnerability in Flash videos called 'Clickjacking' (viewers' computers put under attack upon clicking on Flash videos), and anti-forensics tools.
Source: http://www.pcworld.com
Module Objective
This module will familiarize you with:
• Internet Crimes
• Internet Forensics
• DNS Record Manipulation
• Email Headers Forging
• Switch URL Redirection
• Downloading a Single Page or an Entire Website
• HTTP Headers
• Examining Information in Cookies
Module Flow
Internet Crimes
Internet Forensics
HTTP Headers
DNS Record Manipulation
Switch URL Redirection
Examining Information in Cookies
Email Headers Forging
Downloading a Single Page or an Entire Website
Internet Crimes
Internet crime is a crime committed on the Internet, using the Internet and by means of the Internet
Internet crimes include:
Phishing:
• Phishing is a method in which an attacker sends email to collect information from the recipients
• It uses different types of social engineering and spoofing techniques to steal information from the recipients
Spamming:
• Spamming is populating the user’s inbox with unsolicited or junk emails
• Spam email contains malicious computer programs such as viruses and Trojans which change the computer settings or track the system
Internet Identity Theft:
• Internet identity theft is identity theft carried out using the Internet
• The attacker steals another person’s identity by stealing email, eavesdropping on others’ transactions over the Internet, or stealing information from computer databases
Internet Crimes (cont’d)
Credit Card Frauds:
• In credit card fraud, an attacker illegally uses another person’s credit card to purchase goods and other services
Cyberstalking:
• It refers to harassing a victim through email or instant messaging
• The Internet, e-mail, or other electronic communication devices can be used to stalk victims
Cyber Terrorism:
• Cyber terrorism refers to the use of information technology by terrorists to further their agenda
Computer Hacking:
• Accessing another person’s computer in an unauthorized way
• The attacker uses different hacking tools or password cracking tools to get access to the other’s system
Internet Crimes (cont’d)
Child Pornography:
• Child pornography is defined as a visual depiction of any kind, including a drawing, cartoon, sculpture, or painting, photograph, film, video, or computer-generated image of sexually explicit conduct, where it depicts a minor engaged in sexually explicit conduct
Internet Piracy:
• It refers to unauthorized copying and distribution of software, music, or movies over the Internet
Internet Auction Fraud:
• Non-delivery of the product
• Triangulation
• Misrepresentation
• Shill bidding
• Trading black market products
• Fee stacking
• Bid shielding or multiple bidding
Creation and/or distribution of Viruses, Trojans, and Spam
Internet Forensics
Internet Forensics is the application of scientific and legally sound methods for the investigation of Internet crimes
It uses a combination of advanced computing techniques and human intuition to uncover clues about people and computers involved in Internet crime
Why Internet Forensics
Underlying Internet protocols were not designed to address the problems
Electronic evidence is fragile in nature
It is difficult to verify the source of a message or the operator of a website
Goals of Investigation
To ensure that all applicable logs and evidence are preserved
To understand how the intruder is entering the system
To discover why the intruder has chosen the target machine
To gather as much evidence of the intrusion as possible
To obtain information that may narrow your list of suspects
To document the damage caused by the intruder
Gather enough information to decide if law enforcement should be involved
Steps to Investigate Internet Crimes
1. Obtain a search warrant and seize the victim’s apparatus
2. Interview the victim
3. Prepare bit-stream copies
4. Identify the victim’s configuration
5. Acquire the evidence
6. Examine and analyze
7. Generate the report
Obtain a Search Warrant
The search warrant application should describe clearly how to perform the on-site examination of the computer and the network device
Seize all the devices suspected to be used in crime including:
• Victim’s computer
• Router
• Webcam
• Switch
• Other network devices
Forensic tests should be performed on all equipment listed in the search warrant
Interview the Victim
Interview the victim about the incident
Ask him/her the following questions:
• What incident occurred with the victim?
• From where did the intruder enter the network?
• What was the purpose of the attack?
• What are the major losses from this incident?
Prepare Bit-Stream Copies
Prepare a copy of the memory and configuration of the affected computer using a tool such as SafeBack
Never work directly on the original evidence
Check the Logs
Check the offsite or remote logs
Check the system, email and web server, and firewall log files
Check the log files of chat sessions if the attacker monitored or conversed with the victim through IRC services
Identify the Source of the Attack
Trace the attack back to the source from which it originated
The source can be the following:
• Website
• Email id
IP Address
Each computer communicating over the Internet is assigned a unique 32-bit numeric address, which is written as four numbers separated by periods
• Example: 183.154.216.212
There are five different address formats or classes:
• Class A: For large networks with many devices
• Class B: For medium-sized networks
• Class C: For small networks (fewer than 256 devices)
• Class D: Multicast addresses
• Class E: Reserved for future use
[Figure: a 32-bit address shown as four 8-bit fields, each ranging from 0 to 255, divided into network and host portions]
Internet Assigned Numbers Authority
IANA assigns the globally unique number called an IP address
It is the entity that oversees global IP address allocation, DNS root zone management, media types, and other Internet protocol assignments
It is operated by ICANN, whose headquarters are in Los Angeles, California, US
Regional Internet Registry (RIR)
RIR is an organization overseeing the allocation and registration of Internet number resources within a particular region of the world
There are currently five RIRs in operation:
• American Registry for Internet Numbers (ARIN) for North America and parts of the Caribbean
• RIPE Network Coordination Centre (RIPE NCC) for Europe, the Middle East and Central Asia
• Asia-Pacific Network Information Centre (APNIC) for Asia and the Pacific region
• Latin American and Caribbean Internet Address Registry (LACNIC) for Latin America and parts of the Caribbean region
• African Network Information Centre (AfriNIC) for Africa
Internet Service Provider
Internet Service Providers are commercial vendors that provide Internet service
They may reserve blocks of IP addresses that can be assigned to their users
Trace the IP Address of the Attacker’s Computer
Examine the email headers and get the IP address of the attacker’s system
Access a website that allows you to find IP address information
Use IP address locating tools such as WhoisIP to find out the location of the attacker
The IP address identifies the computer that is used to send the message to other computers within the Internet
Domain Name System (DNS)
DNS is a distributed Internet directory service
It translates domain names to IP addresses and vice versa
It enables you to assign authoritative names without the need to communicate with a central registrar
[Figure: www.example.com resolved to 145.214.158.216]
Source: http://nirlog.com/
DNS Record Manipulation
DNS uses several different records for converting domain names into IP addresses such as:
• Mail Server - MX
• DNS Server - NS
• Network Host - A
• Alias - CNAME
• Reverse Host Record - PTR
• Text Record - TXT
DNS Record manipulation techniques:
• DNS Poisoning: In a DNS poisoning attack, DNS servers are manipulated to fetch updated, incorrect DNS records from a server
• DNS Pharming: Pharming is a term used for different approaches for manipulating DNS records
DNS Lookup
A process which converts a unique IP address into a domain name and vice-versa
A DNS Lookup service also gives the following information:
• Details of Domain Name Servers
• Registrars of domain name
• Regional Internet Registries
Examples of online DNS Lookup services:
• www.dnsstuff.com
• http://www.bankes.com/nslookup.htm
• http://www.network-tools.com/
Nslookup
Nslookup is a program that queries Internet domain name servers and displays information that can be used to diagnose Domain Name System (DNS) infrastructure
It helps to find additional IP addresses if the authoritative DNS is known from whois
Analyze the Whois Information
Analyze the IP address information from the Whois database, which shows information from the RIR database
Look for the physical address, telephone number, and other contact information from the registry
Whois
Whois is the client utility that communicates with WHOIS servers located around the world to obtain information about domain registration
It supports IP address queries and automatically selects the appropriate Whois server for IP addresses
[Screenshot: Example Whois Record]
Whois Tools and Utilities
http://www.dnsstuff.com/
http://whois.domaintools.com/
http://network-tools.com/
http://centralops.net/co/
http://www.betterwhois.com/
Samspade, http://samspade.org/
Samspade (http://samspade.org/)
Samspade is an integrated network query tool for Windows
Functions:
• Nslookup: This utility gives the details of Domain Name Server
• Whois lookup: Whois lookup provides all the details of a domain name
• Name and contact details of registrar: Name and contact details of domain name owner
• Traceroute: This utility traces the route to the Domain Name Server and gives the details of all the intermediate gateways between the DNS and a specified computer connected to the system
• SMTP verification utility: Simple Mail Transfer Protocol (SMTP) verifies the origin of emails
[Screenshot: SamSpade Report]
IP Address Locator (http://www.geobytes.com/IpLocator.htm?Getlocation)
IP Address Locator assists in locating the geographical location of an IP address
[Screenshot: IP Address Locator]
www.centralops.net: Tracing Geographical Location of a URL
www.centralops.net is a collection of Internet utilities developed by Hexillion for:
• Email Dossier
• Ping
• Traceroute
• NsLookup
• AutoWhois
• TcpQuery
• AnalyzePath
[Screenshot: DNS Lookup Result: centralops.net]
Traceroute
Traceroute works by exploiting a feature of the Internet Protocol called TTL (Time To Live)
It reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs
As each router processes an IP packet, it decrements the TTL; when the TTL reaches zero, the router sends back a "TTL exceeded" message (using ICMP) to the originator
Routers with DNS entries reveal the name of routers, network affiliation, and geographic location
Collect the Evidence
Volatile and important sources of evidence on live systems, and the commands used to capture the evidence:
• Running processes (ps or the /proc file system)
• Active network connections (netstat)
• ARP cache (arp)
• List of open files (lsof)
• Virtual and physical memory (/dev/mem, /dev/kmem)
Computer Forensic Tools for Data Collection include:
• Guidance Software’s EnCase (www.guidancesoftware.com)
• AccessData’s Forensic Toolkit (www.accessdata.com)
Examining Information in Cookies
Cookies are used for authenticating, tracking, and maintaining specific information about users
The syntax of a Set-Cookie header looks like:
• Set-Cookie: <NAME>=<CONTENT>; expires=<TIMESTAMP>; path=<PATH>; domain=<DOMAIN>;
NAME
• Identifies the cookie
CONTENT
• String of information that has some specific meaning to the server
TIMESTAMP
• Denotes the date, time, and duration of the cookie (Wdy, DD-Mon-YYYY HH:MM:SS GMT)
PATH
• Denotes the directories on the target site
DOMAIN
• Defines hosts within a domain that the cookie applies to
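A parser for the Set-Cookie syntax above, as an added example that is not part of the original slides: it splits each header into the NAME, CONTENT, TIMESTAMP, PATH and DOMAIN fields and labels the cookie as session, persistent or expired relative to the time the evidence was acquired. The sample headers, the acquisition time AS_OF and all function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Layouts for <TIMESTAMP>: the slide's "Wdy, DD-Mon-YYYY HH:MM:SS GMT", the
# older two-digit-year form, and the space-separated form many servers send.
EXPIRES_FORMATS = (
    "%a, %d-%b-%Y %H:%M:%S GMT",
    "%A, %d-%b-%y %H:%M:%S GMT",
    "%a, %d %b %Y %H:%M:%S GMT",
)

# Constructed sample headers (not taken from a real capture).
SAMPLE_HEADERS = [
    "Set-Cookie: SID=31d4d96e407aad42; expires=Wed, 09-Jun-2010 10:18:14 GMT; "
    "path=/; domain=.example.com;",
    "Set-Cookie: lang=en-US; path=/docs; domain=www.example.com",
    "Set-Cookie: track=a=1&b=2; expires=Sun, 06 Nov 1994 08:49:37 GMT; path=/",
]
# Assumed acquisition time of the evidence (constructed).
AS_OF = datetime(2008, 12, 21, tzinfo=timezone.utc)


def parse_expires(value):
    """Return an aware UTC datetime, or None if the timestamp is unparseable."""
    for fmt in EXPIRES_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_set_cookie(line):
    """Split one Set-Cookie header into NAME, CONTENT and its attributes."""
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]          # split once: timestamps contain ':'
    parts = [p.strip() for p in line.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("no NAME=CONTENT pair in header")
    name, content = parts[0].split("=", 1)    # CONTENT may itself contain '='
    record = {"name": name.strip(), "content": content.strip(),
              "expires_raw": None, "expires": None,
              "path": None, "domain": None, "flags": []}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        key = key.strip().lower()
        if key == "expires":
            record["expires_raw"] = value.strip()
            record["expires"] = parse_expires(value)
        elif key in ("path", "domain"):
            record[key] = value.strip()
        elif not sep:
            record["flags"].append(key)       # valueless attributes
    return record


def classify(record, as_of):
    """Label a cookie relative to the time the evidence was acquired."""
    if record["expires_raw"] is None:
        return "session"                      # no TIMESTAMP: dies with the browser
    if record["expires"] is None:
        return "unparseable-expiry"           # keep for manual review
    return "expired" if record["expires"] <= as_of else "persistent"


def examine(headers, as_of):
    """Return (name, domain, path, status) for each header, in input order."""
    rows = []
    for header in headers:
        rec = parse_set_cookie(header)
        rows.append((rec["name"], rec["domain"], rec["path"], classify(rec, as_of)))
    return rows


if __name__ == "__main__":
    for row in examine(SAMPLE_HEADERS, AS_OF):
        print(row)
```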
Viewing Cookies in Firefox
1. Go to Tools -> Options
2. Click on Show Cookies
Tool: Cookie Viewer (http://www.karenware.com/)
Cookie Viewer automatically scans your computer, looking for "cookies" created by Microsoft's Internet Explorer, Netscape's Navigator and Mozilla Project's Firefox web browsers
It displays the data stored in each one and also deletes any unwanted cookies stored by these browsers
Switch URL Redirection
URL redirection is a technique where many URLs point to a single web page
It is done by posting the address of one site and redirecting the traffic it receives to the target address
It can be done in two basic ways:
• Page-based redirection: Adding a special tag to a web page on the proxy site that tells the browser to go to the target
• Server-based redirection: Adding a line to the web server configuration file to intercept the request for a specific page that tells the browser to fetch it from the target location
Sample Javascript for Page-based Redirection
var version = navigator.appVersion; // sets variable = browser version
if (version.indexOf("MSIE") > -1) // checks to see if using IE
{
window.location.href = "ie.htm"; /* If using IE, it shows this page; replace ie.htm with page name */
}
else window.open("other.htm", "_self"); /* else open other page; replace other.htm with page name */
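When examining a saved copy of a page, both forms of page-based redirection can be located mechanically. The following added example (not part of the original slides) scans saved HTML for a meta refresh tag and for script statements that send the current window elsewhere; the sample page, the host target.example and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# content="<seconds>; url=<target>" inside <meta http-equiv="refresh">
META_REFRESH_RE = re.compile(
    r"^\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\">\s]+)", re.I)
# Script statements that navigate the current window to a literal URL.
SCRIPT_REDIRECT_RE = re.compile(
    r"""\blocation(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|\blocation\.(?:replace|assign)\(\s*["']([^"']+)["']"""
    r"""|\bwindow\.open\(\s*["']([^"']+)["']\s*,\s*["']_self["']""",
    re.I)

# Constructed sample of a saved page. The text in <body> looks like a
# redirect but is not inside a script, so it must not be reported.
SAVED_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://target.example/landing">
<script>
var version = navigator.appVersion;
if (version.indexOf("MSIE") > -1) { window.location.href = "ie.htm"; }
else window.open("other.htm", "_self");
</script>
</head><body><p>location = "not-code.htm"</p></body></html>"""


class RedirectFinder(HTMLParser):
    """Collect (kind, target, delay_seconds) for each redirect in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_RE.match(attrs.get("content", ""))
            if m:
                self.findings.append(("meta-refresh", m.group(2), int(m.group(1))))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return                      # ignore look-alike text outside scripts
        for m in SCRIPT_REDIRECT_RE.finditer(data):
            target = next(g for g in m.groups() if g)
            self.findings.append(("script", target, 0))


def find_redirects(html):
    """Return redirect findings for one saved page, in document order."""
    finder = RedirectFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in find_redirects(SAVED_PAGE):
        print(finding)
```

Redirect targets built at run time from string fragments will not match these patterns, so an empty result does not prove that a page performs no redirection.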
Embedded JavaScript
Embedded JavaScript is used by attackers to cover tracks
JavaScript can be used to:
• Hide source HTML for a page
• Manipulate the URL displayed in the status bar and browser history
Downloading a Single Page or an Entire Web Site
To save a page from the browser, go to File -> Save Page As
The following tools can be used to save an entire web site:
• Grab-a-Site
• SurfOffline 1.4
• My Offline Browser 1.0
Downloading a Single Page or an Entire Web Site (cont’d)
Grab-a-Site is a file-based Offline Browser that combines speed, stability, and powerful filtering capabilities
SurfOffline is a fast and convenient website download software
Tool: My Offline Browser (http://www.newprosoft.com)
My Offline Browser is a multithreaded website downloader
Features:
• Download and save entire websites to your hard disk
• Change all links in the HTML code to relative local links
• Support multithreaded downloading (up to 50 threads)
• Automatically re-execute all tasks (Project scheduler)
• Support proxy server
• Built-in browser
• Limit the downloading by URL filter, maximum crawling depth, and maximum file size
• Export all the URLs into a text file (ASCII), Excel file
[Screenshot: My Offline Browser]
Recovering Information from Web Pages
In IE, go to View -> Source
In Firefox, go to View -> Page Source
Tool: Wayback Machine (http://www.archive.org/)
Wayback Machine is a web-based utility to browse through 85 billion web pages archived from 1996 to a few months ago
To view the history of a website:
• Go to www.archive.org
• Type in the web address of a site or page
• Press enter or click on Take Me Back
• Click on the desired date from the archived dates available
• Resulting pages point to other archived pages as near to that date as possible
Trace the Email
Trace the email address to determine the source of email
Tools and utilities:
• Samspade, http://www.samspade.org/
• Visualroute, http://visualroute.visualware.com/
• www.centralops.net
• https://www.abika.com/forms/Verifyemailaddress.asp
[Screenshot: https://www.abika.com/forms/Verifyemailaddress.asp]
HTTP Headers
Types of Headers:
• Entity: Meta information about an entity body or resource
• General: Applicable for use in both request and response messages
• Request: Sent by a browser or other client to a server
• Response: Sent by a server in response to a request
Headers include the following information:
• Accept: Specifies which Internet media types are acceptable for the response and assigns preferences to them
• Accept-Charset [Request]: Specifies which character encodings are acceptable for the response and assigns preferences to them
• Accept-Encoding [Request]: Specifies which data format transformations, confusingly called content (en)codings
• Accept-Ranges [Response]: Indicates the server's acceptance of range requests for a resource
HTTP Headers (cont’d)
• Age [Response]: Gives the sender's estimate of the amount of time since the response (or its revalidation) was generated at the origin server
• Allow [Entity]: Lists the set of methods supported by the resource identified by the Request-URI
• Authorization [Request]: Consists of credentials containing the authentication information of the client for the realm of the resource being requested
• Cache-Control [General]: Specifies directives that must be obeyed by all caching mechanisms along the request/response chain
• Connection [General]: Specifies options that are desired for the particular connection and must not be communicated by proxies over further connections
• Content-Encoding [Entity]: Used as a modifier to the media-type
• Content-Language [Entity]: Specifies the natural language(s) of the intended audience for the enclosed entity
• Content-Length [Entity]: Indicates the size of the entity-body that is sent or that would have been sent if it had been requested
Email Headers Forging
1. Open a command prompt by clicking Start-> Run -> type cmd.
2. Find out the name of your ISP's mail server from email client settings (mail.isp.com or smtp.isp.com )
3. Type SMTP commands after the mail server responds
4. Continue with the address you want the mail to come FROM
5. For example, to forge mail from XYZ , type 'MAIL FROM: [email protected]'
6. Type 'RCPT TO: [email protected]' after the 'Sender Ok' message
7. Type 'DATA' and press enter after the 'Recipient Ok' message
8. On the first line type 'Subject: yoursubject' and press enter twice, that will be the subject
9. Type message and press enter
10. The server should say 'Message accepted for delivery'
11. You are done
Viewing Header Information
Header information reveals the original source of an email
View and trace the mail header to find the real source address of threatening or malicious mails, which are generally spoofed
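One way to read the header chain when tracing a spoofed mail, as an added example that is not part of the original slides: each relay prepends its own Received line, so only hops written by relays the examiner trusts are reliable, and the code reports the address at which the message entered that trusted infrastructure. The message, the host names and the trusted-relay list are constructed; the addresses come from documentation ranges.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not real traffic), newest Received line first.
RAW_MESSAGE = """\
Received: from mx.victim.example (mx.victim.example [10.0.0.5])
\tby mailstore.victim.example with ESMTP id A1; Sun, 21 Dec 2008 05:40:02 -0800
Received: from mail.isp.example (unknown [203.0.113.77])
\tby mx.victim.example with SMTP id B2; Sun, 21 Dec 2008 05:40:01 -0800
Received: from bank.example (bank.example [198.51.100.10])
\tby mail.isp.example with SMTP id C3; Sun, 21 Dec 2008 05:39:58 -0800
From: XYZ <xyz@bank.example>
To: user@victim.example
Subject: yoursubject

Type message
"""
# Relays the examiner controls or has verified (assumption for this example).
TRUSTED_RELAYS = {"mailstore.victim.example", "mx.victim.example"}

# "from <helo> (<rdns> [<ip>]) ... by <relay>" as written by common MTAs.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F:.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)
# Explicit RFC 1918 list: ipaddress.is_private would also flag the
# documentation ranges used in the sample.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hops(raw):
    """Return Received hops newest-first, in the order relays prepended them."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        hop = {"helo": None, "ip": None, "by": None, "internal": False}
        m = HOP_RE.search(value)
        if m:
            hop.update(helo=m.group("helo"), by=m.group("by").lower())
            try:
                ip = ipaddress.ip_address(m.group("ip"))
                hop["ip"] = str(ip)
                hop["internal"] = any(ip in net for net in RFC1918)
            except ValueError:
                pass            # malformed address literal: keep hop, no ip
        hops.append(hop)
    return hops


def trace_entry_point(raw, trusted_relays):
    """Find where the message entered infrastructure the examiner trusts."""
    hops = parse_hops(raw)
    entry, cut = None, 0
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_relays:
            break               # written by an unknown relay or by the sender
        cut = i + 1
        if hop["ip"] and not hop["internal"]:
            entry = hop         # first external peer seen by a trusted relay
            break
    return {
        "entry_ip": entry["ip"] if entry else None,
        "recorded_by": entry["by"] if entry else None,
        # Addresses below the trust boundary: leads to corroborate, not facts.
        "unverified_ips": [h["ip"] for h in hops[cut:] if h["ip"]],
    }


if __name__ == "__main__":
    print(trace_entry_point(RAW_MESSAGE, TRUSTED_RELAYS))
```

The entry address is the one to take to the Whois and RIR lookups described earlier; the unverified addresses need confirmation from the logs of the relay that claims to have written them.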
Tracing Back Spam Mails
Examine header information:
• Use tracing tools such as eMailTrackerPro to trace the email header
Source: http://www.emailtrackerpro.com
[Screenshot: Tracing Back Spam Mails (cont’d)]
VisualRoute (http://www.visualroute.com/)
VisualRoute analyzes Internet connections to quickly locate where an outage or slowdown occurs
It identifies the geographical location of IP addresses and web servers on a global map
It helps to identify network intruders and Internet abusers
VisualRoute's traceroute provides three types of data:
• An overall analysis
• Data table
• A geographical view of the routing
NeoTrace (Now McAfee Visual Trace)
NeoTrace shows the traceroute output visually – map view, node view and IP view
NetScanTools Pro (http://www.netscantools.com/)
NetScanTools Pro is an advanced Internet information gathering program for Windows 2003/XP/2000
It can be used to research IP addresses, hostnames, domain names, email addresses, or URLs automatically or with manual tools
Benefits:
• Requires less time to gather information about Internet or local LAN users, network devices, IP addresses, ports, and many other network specifics
• Removes guesswork from an Internet investigation by automating research requiring multiple network tools
• Produces clear, concise results reports in the format that you prefer - web page or a file easily imported by a spreadsheet
• Enhances many standard network tools
[Screenshot: NetScanTools Pro]
Report Generation
Name of the investigator
List of router evidence
Documents of the evidence and other supporting items
List of tools used for investigation
List of devices and setup used in the examination
Brief description of the examination steps
Details about the findings:
• Information about the files
• Internet related evidence
• Data and image analysis
Conclusion of the investigation
Summary
Internet crimes are crimes committed over the Internet or by using the Internet
Internet Forensics is the application of scientific and legally sound methods for the investigation of Internet crimes
URL redirection is a technique where many URLs point to a single web page
Attackers use embedded JavaScript to cover tracks
Cookies are used for authenticating, tracking, and maintaining specific information about users
DNS lookup is a process which converts a unique IP address into a domain name and is frequently used by webmasters to research listings contained in the server log files