Network Forensics Tools for Cybercrime Investigation

Lead-off presentation by Glen Myers, IP Fabrics, May 12, 2009


IPFabrics

Cybercrime

Targets can be
• Individuals
• Enterprises
  • Companies
  • Service providers / carriers
  • Government
• Network or part thereof

Crimes include
• Illegal access
• Illegal interception
• Interference
• Fraud
• ID theft
• Theft of intellectual property
• Harassment
• Obscene/offensive content
• Crimes against children
• . . .

Crimes (depending on locality, of course) where the network (“Internet”) is the vehicle


Cybercrime Forensics vs Lawful Intercept

For lawful intercept, you have a target (e.g., suspect)
• Court order to intercept the tel number 1-503-444-2499
• Court order to intercept the signaling information for sip:[email protected]
• Court order to intercept the email of [email protected]

For cybercrime, that’s the biggest challenge
• You discover “something’s going on”
• You may or may not identify the potential victim(s)
• You usually have no idea of the source
• If you do eventually discover the source, you may find you have no legal jurisdiction

Email as a Vehicle

to:
date: Jan 29, 2008 8:37 AM
subject: Tax Refund - Online Form

Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.

Link omitted

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $375.20. Please submit the tax refund request and allow us 3-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Note: For security reasons, we will record your ip-address, the date and time. Deliberate wrong inputs are criminally pursued and indicated.

Regards, Internal Revenue Service

Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.

Email as a Vehicle (continued)

http://www.fbi.gov
ANTI FRAUD & MONITARY CRIME DIVISION
Code: FBI/111
Tel: 1-646-778-3497
Private Email: [email protected]

ATTENTION: BENEFICIARY

We the Federal Bureau Of Investigation (FBI) United States Of America have discovered through our intelligent monitoring network that you have a transaction going on as ...

text omitted

YOURS FAITHFULLY,

F.B.I DIRECTOR ROBERT S. MUELLER III.

The United States Department of Justice Order 556-73 establishes rules and regulations for the subject of an FBI Identification Record to obtain a copy of his or her own Record for review. The FBI’s Criminal Justice Information Services (CJIS) Division processes these requests to chek illegal activities in U.S.A.

FOR CORPORATE AFFAIRS
FEDERAL BUREAU OF INVESTIGATION (FBI)
UNITED STATES OF AMERICA


Network Capabilities Needed

Great flexibility
• May need to look at a lot of things – SMTP email, webmail, web page interactions, P2P traffic, instant messaging, virus signatures, VoIP, chat rooms, file sharing, ...
• Need to filter out a lot of “noise” (ads, IPTV, YouTube, ...)

Real-time “onion peeling” capability
• Need to redirect your device from A to B to C to D to E ...
• E.g., by discovering some suspect content in an email, we then watch for traffic to a specific email address or IP addresses connecting to a particular URL.

Ability to tap concurrently into multiple network segments
• Different pieces of the puzzle may go down different paths

Evidentiary capabilities
• Assurances on the data that will stand up in court

Be completely invisible on the network
Operate at network bandwidths
Need to go a step beyond DPI ...
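The “onion peeling” and evidentiary points above, as an added worked example (editor-written Python, not IP Fabrics code and not anything from the DeepProbe product): a seed filter fires on an email that names a suspect site, its pivot installs follow-on filters for the sender’s address and for the URL host found in the message, and every hit is appended to a SHA-256 hash chain so that later alteration of a captured record is detectable. The canonical records, addresses, hosts and rule names are all constructed for the demo.

```python
"""Added example (not IP Fabrics code): a tiny "onion peeling" engine with a
hash-chained evidence log.  Records, addresses and rule names are constructed."""
import hashlib
import json
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]
    pivot: Optional[Callable[[dict], list]] = None   # new Rules derived from a hit


@dataclass
class EvidenceLog:
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64                          # genesis value of the chain

    @staticmethod
    def digest(prev: str, rule: str, record: dict) -> str:
        canon = json.dumps({"rule": rule, "record": record}, sort_keys=True)
        return hashlib.sha256((prev + canon).encode()).hexdigest()

    def append(self, rule: str, record: dict) -> None:
        h = self.digest(self.last_hash, rule, record)
        self.entries.append({"prev": self.last_hash, "rule": rule,
                             "record": dict(record), "hash": h})
        self.last_hash = h

    def verify(self) -> bool:
        """Recompute every link; any edited record or broken link fails."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self.digest(prev, e["rule"], e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Peeler:
    def __init__(self, seed_rules):
        self.rules = list(seed_rules)
        self.log = EvidenceLog()

    def feed(self, record: dict) -> None:
        # Snapshot the rule list: rules added by a pivot apply from the next record on.
        for rule in list(self.rules):
            if rule.match(record):
                self.log.append(rule.name, record)
                for new in (rule.pivot(record) if rule.pivot else []):
                    if new.name not in {r.name for r in self.rules}:
                        self.rules.append(new)


def pivot_from_email(hit: dict) -> list:
    """From one suspect email derive the next layer: the sender's mail, and
    any HTTP connection to a host named in the message body."""
    sender = hit["from"]
    rules = [Rule(f"mail:{sender}",
                  lambda r, a=sender: r["kind"] == "email" and a in (r["from"], r["to"]))]
    for host in HOST_RE.findall(hit["body"].lower()):
        rules.append(Rule(f"url:{host}",
                          lambda r, h=host: r["kind"] == "http" and r["host"] == h))
    return rules


SEED = Rule("darkmarket-mention",
            lambda r: r["kind"] == "email" and "darkmarket.com" in r["body"].lower(),
            pivot=pivot_from_email)

# Constructed traffic, already mapped to canonical records (kind/from/to/body or kind/client/host/path).
SAMPLE_TRAFFIC = [
    {"kind": "http", "client": "10.0.0.5", "host": "www.example.net", "path": "/"},
    {"kind": "email", "from": "seller@example.com", "to": "buyer@example.net",
     "body": "listing is up at www.darkmarket.com, pay by friday"},
    {"kind": "http", "client": "10.0.0.9", "host": "www.darkmarket.com", "path": "/listing"},
    {"kind": "email", "from": "buyer@example.net", "to": "seller@example.com", "body": "paid"},
    {"kind": "http", "client": "10.0.0.5", "host": "www.example.net", "path": "/news"},
]


def run_sample() -> Peeler:
    p = Peeler([SEED])
    for rec in SAMPLE_TRAFFIC:
        p.feed(rec)
    return p


def tamper_demo() -> tuple:
    """Returns (verify before, verify after) editing one logged record in place."""
    p = run_sample()
    before = p.log.verify()
    p.log.entries[1]["record"]["host"] = "www.example.net"   # "fix" the evidence
    return before, p.log.verify()


if __name__ == "__main__":
    p = run_sample()
    for e in p.log.entries:
        print(e["rule"], e["record"])
    print("chain intact:", p.log.verify(), "after tampering:", tamper_demo()[1])
```

Order matters: the HTTP connection to the site is captured only because the email naming it was seen first, which is why the slide stresses doing this in real time rather than on a later pass over stored packets. The hash chain on its own only proves internal consistency; to make it count as evidence the chain head has to be committed somewhere the operator cannot quietly rewrite (signed, time-stamped, or copied off-box at intervals).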


Basic DPI isn’t Good Enough

Typical IP packet traversing a network: IP header | TCP header | Payload

(Figure: typical DPI view)

Can’t rely on standard TCP port numbers• Some apps have none, some can jump if a specific port is blocked, some can also jump to HTTP

Can’t assume a “conversation” uses a fixed set of ports• E.g., Yahoo Mail cycles through a wide range of client ports during one session

TCP payloads often span multiple IP packets• Risk of missing a signature that spans packets

Most interesting data is gzip compressed• All of the webmail services compress, including the addressing info

Data is encoded in HTML, Javascript,... in application-specific manner• E.g., the encoding of an email address is very different among Hotmail, Yahoo, Gmail, Mail.com, ...

Must understand what is clutter and ignore it in order to keep up with line rate• E.g., in webmail interactions, 90% of the TCP connections and 99% of the packets are clutter

What is better is “deep application-protocol inspection”• Knowledge in the device of syntax and semantics for specific applications
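Three of the failure modes just listed, a signature that spans packets, segments that arrive out of order or retransmitted, and a gzip-compressed body, as an added example in Python (editor-written, not IP Fabrics code): the same phrase is searched packet-by-packet and then again after TCP reassembly, HTTP header parsing and Content-Encoding decoding. The HTTP response, the phrase and the segment cuts are constructed for the demo, and the reassembler is deliberately minimal (sequence numbers only, no window, FIN or RST handling).

```python
"""Added example (not IP Fabrics code): per-packet DPI versus stream-level
"deep application-protocol inspection".  All data below is constructed."""
import gzip
import re
from dataclasses import dataclass

SIGNATURE = rb"U-238 enrichment"

# Constructed HTTP response, plain and gzip variants of the same body.
HEADER_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
HEADER_GZIP = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Encoding: gzip\r\n\r\n"
BODY = b"Re: samples\nThe U-238 enrichment data is attached.\n"


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def segments_splitting(response: bytes, pattern: bytes, seq0: int = 1000) -> list:
    """Cut the response into three segments so the first occurrence of `pattern`
    straddles a boundary, then deliver them out of order with one retransmission."""
    m = re.search(pattern, response)
    cut1 = max(m.start() - 5, 1)
    cut2 = (m.start() + m.end()) // 2
    pieces = [response[:cut1], response[cut1:cut2], response[cut2:]]
    segs, seq = [], seq0
    for p in pieces:
        segs.append(Segment(seq, p))
        seq += len(p)
    return [segs[2], segs[0], segs[1], segs[1]]


def fixed_segments(response: bytes, size: int, seq0: int = 1000) -> list:
    """Fixed-size segmentation, delivered in reverse order."""
    segs = [Segment(seq0 + i, response[i:i + size]) for i in range(0, len(response), size)]
    return list(reversed(segs))


def reassemble(segments) -> bytes:
    """Order by sequence number, drop pure retransmissions, trim overlaps,
    and refuse to produce a stream with a hole in it."""
    out = bytearray()
    expected = min(s.seq for s in segments)
    for s in sorted(segments, key=lambda s: s.seq):
        end = s.seq + len(s.payload)
        if end <= expected:
            continue                                        # already have all of it
        if s.seq < expected:
            s = Segment(expected, s.payload[expected - s.seq:])  # partial overlap
        if s.seq > expected:
            raise ValueError(f"gap before seq {s.seq}")   # searching across a hole is unsafe
        out += s.payload
        expected = end
    return bytes(out)


def split_http(stream: bytes):
    head, _, body = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    return headers, body


def decode_body(headers: dict, body: bytes) -> bytes:
    if headers.get(b"content-encoding") == b"gzip":
        return gzip.decompress(body)
    return body


def per_packet_hits(segments, pattern: bytes) -> list:
    """What a packet-at-a-time engine sees: every payload searched on its own."""
    return [s.seq for s in segments if re.search(pattern, s.payload)]


def stream_hits(segments, pattern: bytes) -> list:
    """Reassemble, parse HTTP, undo Content-Encoding, then search."""
    headers, body = split_http(reassemble(segments))
    return re.findall(pattern, decode_body(headers, body))


def demo() -> dict:
    plain = segments_splitting(HEADER_PLAIN + BODY, SIGNATURE)
    gz = fixed_segments(HEADER_GZIP + gzip.compress(BODY), 40)
    return {
        "plain_per_packet": per_packet_hits(plain, SIGNATURE),
        "plain_stream": stream_hits(plain, SIGNATURE),
        "gzip_per_packet": per_packet_hits(gz, SIGNATURE),
        "gzip_stream": stream_hits(gz, SIGNATURE),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The per-packet searches come back empty in both runs: in the plain case the phrase is cut in half across two segments, and in the gzip case the bytes on the wire never contain it at all. Only the stream-level path finds it, and even that depends on the reassembler refusing to search across a gap, which is what the `ValueError` guards against.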


Example Tools

DeepProbe-10
• Provided with software “surveillance modules” for specific applications
• Reconstructs the desired application information
• Maps different applications of like form (e.g., webmail, instant messengers) into a single canonical form
• Generally provisioned from elsewhere over a networked API, but also has a browser interface (e.g., for unpeeling the onion)
• Inputs: 4 10GbE, 6 1GbE

DeepProbe-1
• Inputs: 4 1GbE


Example Filters

• Give me all the email to/from [email protected]
• Get any Yahoo mail containing the phrase “U-238 enrichment”
• Give me any mail attachments sent by [email protected]
• Give me just the to/from info on every yahoo.com email
• Give me all the presence information reported to Yahoo Messenger user glen_roberts
• Give me all the email downloaded by POP3 user glen_roberts
• Give me the to/from info from all calls associated with sip:[email protected]
• Give me all of the port 80 traffic from this specific cable modem address
• Let me know if [email protected] sends a message with the URL www.darkmarket.com in it.
• Watch all SMTP traffic for the appearance of this list of 1623 credit-card numbers and give me any mail that has one
• Give me the voice traffic of [email protected]
• Give me the output stream of chat room Hacker’s Lounge:1
• Give me all IM messages from [email protected].
• Get me any IM message from [email protected] containing “how old r u”
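One of the filters above, “watch all SMTP traffic for this list of credit-card numbers and give me any mail that has one”, as an added example in Python (editor-written, not the DeepProbe surveillance module): it follows the client side of a reassembled SMTP session, records envelope and header to/from (the “just the to/from info” filter is the same record without the body), normalises separator-laden candidates, drops Luhn-invalid digit runs and reports the message if any number is on the watchlist. The session text, the addresses and the watchlist (industry test numbers) are constructed for the demo.

```python
"""Added example (not IP Fabrics code): SMTP watchlist filter for card numbers.
The session, addresses and watchlist below are constructed."""
import re

# 13 to 19 digits, optional single space/hyphen between digits, not embedded in a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed SMTP exchange as seen after TCP reassembly; C: = client, S: = server.
SESSION = """\
S: 220 mx.example.net ESMTP
C: EHLO client.example.org
S: 250 mx.example.net
C: MAIL FROM:<seller@example.org>
S: 250 OK
C: RCPT TO:<buyer@example.net>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Seller" <seller@example.org>
C: To: buyer@example.net
C: Subject: cards
C:
C: first batch: 4111-1111-1111-1111 and 5500 0000 0000 0004
C: serial, not a card: 1234567890123456
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye
"""

# Constructed watchlist of "stolen" numbers (industry test values).
WATCHLIST = {"4111111111111111", "4242424242424242"}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out serials and phone-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_smtp_session(text: str) -> dict:
    """Follow the client side of the dialogue; collect envelope and the DATA payload."""
    msg = {"envelope_from": None, "envelope_to": [], "headers": {}, "body": []}
    in_data, in_headers = False, True
    for line in text.splitlines():
        who, payload = line[:1], line[3:]
        if who != "C":
            continue
        if in_data:
            if payload == ".":                       # end-of-message marker
                in_data = False
            else:
                if payload.startswith(".."):         # undo SMTP dot-stuffing
                    payload = payload[1:]
                if in_headers and payload == "":
                    in_headers = False
                elif in_headers:
                    k, _, v = payload.partition(":")
                    msg["headers"][k.strip().lower()] = v.strip()
                else:
                    msg["body"].append(payload)
            continue
        cmd = payload.upper()
        if cmd.startswith("MAIL FROM:"):
            msg["envelope_from"] = payload[10:].strip("<> ")
        elif cmd.startswith("RCPT TO:"):
            msg["envelope_to"].append(payload[8:].strip("<> "))
        elif cmd == "DATA":
            in_data, in_headers = True, True
    msg["body"] = "\n".join(msg["body"])
    return msg


def scan_message(msg: dict, watchlist: set) -> dict:
    candidates = [re.sub(r"\D", "", m.group()) for m in CANDIDATE_RE.finditer(msg["body"])]
    valid = [c for c in candidates if luhn_ok(c)]
    hits = [c for c in valid if c in watchlist]
    return {
        "envelope": (msg["envelope_from"], msg["envelope_to"]),
        "header_from": msg["headers"].get("from"),
        "header_to": msg["headers"].get("to"),
        "luhn_valid": valid,
        "watchlist_hits": hits,
        "report": bool(hits),
    }


def run_sample() -> dict:
    return scan_message(parse_smtp_session(SESSION), WATCHLIST)


if __name__ == "__main__":
    print(run_sample())
```

Two details matter for a real deployment: the envelope addresses (MAIL FROM / RCPT TO) are what the mail actually travels by and can differ from the From:/To: headers a user sees, so both are kept; and the watchlist membership test is a set lookup, so the cost of checking 1623 numbers is the same as checking one, which is what keeps this viable at line rate.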