Network Forensics Tools for Cybercrime Investigation
Transcript of Network Forensics Tools for Cybercrime Investigation
Lead-off Presentation by Glen Myers, IP Fabrics
May 12, 2009
IPFabrics
Cybercrime
Targets can be
• Individuals
• Enterprises
  • Companies
  • Service providers / carriers
  • Government
• Network or part thereof
Crimes include
• Illegal access
• Illegal interception
• Interference
• Fraud
• ID theft
• Theft of intellectual property
• Harassment
• Obscene/offensive content
• Crimes against children
• . . .
Crimes (depending on locality of course) where the network (“Internet”) is the vehicle
Cybercrime Forensics vs Lawful Intercept
For lawful intercept, you have a target (e.g., suspect)
• Court order to intercept the tel number 1-503-444-2499
• Court order to intercept the signaling information for sip:[email protected]
• Court order to intercept the email of [email protected]
For cybercrime, that’s the biggest challenge
• You discover “something’s going on”
• You may or may not identify the potential victim(s)
• You usually have no idea of the source
• If you do eventually discover the source, you may find you have no legal jurisdiction
to:
date: Jan 29, 2008 8:37 AM
subject: Tax Refund - Online Form
Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.
Link omitted
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $375.20. Please submit the tax refund request and allow us 3-9 days in order to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.
To access the form for your tax refund, please click here
Note: For security reasons, we will record your ip-address, the date and time. Deliberate wrong inputs are criminally pursued and indicated.
Regards, Internal Revenue Service
Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.
Email as a Vehicle
http://www.fbi.gov
ANTI FRAUD & MONITARY CRIME DIVISION
Code: FBI/111
Tel: 1-646-778-3497
Private Email: [email protected]
ATTENTION: BENEFICIARY
We the Federal Bureau Of Investigation (FBI) United States Of America have discovered through our intelligent monitoring network that you have a transaction going on as ...
text omitted
YOURS FAITHFULLY,
F.B.I DIRECTOR ROBERT S. MUELLER III.
The United States Department of Justice Order 556-73 establishes rules and regulations for the subject of an FBI Identification Record to obtain a copy of his or her own Record for review. The FBI’s Criminal Justice Information Services (CJIS) Division processes these requests to chek illegal activities in U.S.A.
FOR CORPORATE AFFAIRS
FEDERAL BUREAU OF INVESTIGATION (FBI)
UNITED STATES OF AMERICA
Network Capabilities Needed
Great flexibility
• May need to look at a lot of things – SMTP email, webmail, web page interactions, P2P traffic, instant messaging, virus signatures, VoIP, chat rooms, file sharing, ...
• Need to filter out a lot of “noise” (ads, IPTV, YouTube, ...)
Real-time “onion peeling” capability
• Need to redirect your device from A to B to C to D to E ...
• E.g., by discovering some suspect content in an email, we then watch for traffic to a specific email address or IP addresses connecting to a particular URL.
Ability to tap concurrently into multiple network segments
• Different pieces of the puzzle may go down different paths
Evidentiary capabilities
• Assurances on the data that will stand up in court
Be completely invisible on the network
Operate at network bandwidths
Need to go a step beyond DPI ...
Basic DPI isn’t Good Enough
[Figure: typical IP packet traversing a network – IP header | TCP header | Payload]
[Figure: typical DPI view]
Can’t rely on standard TCP port numbers
• Some apps have none, some can jump if a specific port is blocked, some can also jump to HTTP
Can’t assume a “conversation” uses a fixed set of ports
• E.g., Yahoo Mail cycles through a wide range of client ports during one session
TCP payloads often span multiple IP packets
• Risk of missing a signature that spans packets
Most interesting data is gzip compressed
• All of the webmail services compress, including the addressing info
Data is encoded in HTML, Javascript, ... in an application-specific manner
• E.g., the encoding of an email address is very different among Hotmail, Yahoo, Gmail, Mail.com, ...
Gotta understand what is clutter and ignore it in order to keep up with line rate
• E.g., in webmail interactions, 90% of the TCP connections and 99% of the packets are clutter
What is better is “deep application-protocol inspection”
• Knowledge in the device of syntax and semantics for specific applications
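Two of the points on this slide (signatures that straddle packet boundaries, and gzip-compressed webmail bodies) are easy to show concretely. The following is an added example, not IP Fabrics' code and not part of the original talk: it builds two small constructed byte streams, cuts them into TCP-style segments delivered out of order with one retransmission, and compares a naive per-packet signature match against a match on the reassembled and decoded stream. The phrase “U-238 enrichment” is the one used in the talk's example filter; the HTTP response and message text are invented placeholders.

```python
"""Added example (not IP Fabrics' code): why per-packet DPI misses what
stream reassembly plus content decoding finds. All traffic below is
constructed inline; the message text and headers are placeholders."""
import gzip
import random

SIGNATURE = b"U-238 enrichment"  # phrase from the slide's example filter


def segment(stream: bytes, chunk: int = 16):
    """Cut a byte stream into TCP-style (seq, payload) segments (constructed)."""
    return [(off, stream[off:off + chunk]) for off in range(0, len(stream), chunk)]


def scramble(segments, seed: int = 7):
    """Deliver out of order and retransmit one segment, as a real capture might."""
    rng = random.Random(seed)
    out = list(segments) + [segments[1]]   # duplicate of segment 1 = retransmission
    rng.shuffle(out)
    return out


def per_packet_match(segments, signature: bytes) -> bool:
    """Naive DPI: test each packet payload on its own."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments) -> bytes:
    """Rebuild the byte stream: order by seq, drop retransmitted bytes, fail on gaps."""
    stream = bytearray()
    expected = 0
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:
            continue                                 # pure retransmission, already have it
        if seq < expected:
            payload = payload[expected - seq:]       # partial overlap: keep only new bytes
        elif seq > expected:
            raise ValueError(f"missing bytes at offset {expected}")
        stream += payload
        expected = end
    return bytes(stream)


def decode_http_body(stream: bytes) -> bytes:
    """Split an HTTP message at the blank line and gunzip the body if declared."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return stream                                # not HTTP-shaped: whole stream is the body
    if b"content-encoding: gzip" in head.lower():
        return gzip.decompress(body)
    return body


def stream_match(segments, signature: bytes) -> bool:
    """Reassemble, decode, then search: the 'deep application-protocol' view."""
    return signature in decode_http_body(reassemble(segments))


# Constructed sample 1: SMTP-style plaintext. The 16-byte phrase starts at
# offset 29, so it straddles the 16-byte segment boundary at offset 32.
PLAIN_STREAM = b"Subject: notes\r\n\r\nDiscussing U-238 enrichment today\r\n"
PLAIN_SEGMENTS = scramble(segment(PLAIN_STREAM))

# Constructed sample 2: webmail-style HTTP response whose body is gzip-compressed,
# so the phrase never appears verbatim in any packet even after reassembly.
_rows = b"".join(b'<div class="row"><span class="subject">%s</span></div>' % s
                 for s in (b"lunch", b"Re: U-238 enrichment schedule", b"invoice"))
HTML_BODY = b"<html><body>" + _rows + b"</body></html>"
GZIP_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(HTML_BODY))
GZIP_SEGMENTS = scramble(segment(GZIP_STREAM))

if __name__ == "__main__":
    for name, segs in (("plaintext", PLAIN_SEGMENTS), ("gzip webmail", GZIP_SEGMENTS)):
        print(f"{name}: per-packet={per_packet_match(segs, SIGNATURE)} "
              f"stream={stream_match(segs, SIGNATURE)}")
```

Both samples produce the same result: the per-packet check never fires, the reassembled-and-decoded check does. The reassembler is deliberately strict about gaps; a production probe would buffer and wait for the missing segment rather than raise, but silently skipping a hole is exactly how a spanning signature gets lost.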
Example Tools
DeepProbe-10
• Provided with software “surveillance modules” for specific applications
• Reconstructs the desired application information
• Maps different applications of like form (e.g., webmail, instant messengers) into single canonical form
• Generally provisioned from elsewhere over a networked API, but also has browser interface (e.g., for unpeeling the onion)
DeepProbe-1
4 10GbE inputs, 6 1GbE inputs
4 1GbE inputs
Example Filters
• Give me all the email to/from [email protected]
• Get any Yahoo mail containing the phrase “U-238 enrichment”
• Give me any mail attachments sent by [email protected]
• Give me just the to/from info on every yahoo.com email
• Give me all the presence information reported to Yahoo Messenger user glen_roberts
• Give me all the email downloaded by POP3 user glen_roberts
• Give me the to/from info from all calls associated with sip:[email protected]
• Give me all of the port 80 traffic from this specific cable modem address
• Let me know if [email protected] sends a message with the URL www.darkmarket.com in it.
• Watch all SMTP traffic for the appearance of this list of 1623 credit-card numbers and give me any mail that has one
• Give me the voice traffic of [email protected]
• Give me the output stream of chat room Hacker’s Lounge:1
• Give me all IM messages from [email protected].
• Get me any IM message from [email protected] “how old r u”