
Module 4

Network Forensics
Part 1
1. Introduction to Network Forensics
• Network forensics is a branch of digital forensics that deals mainly with
the investigation of events and activities related to digital networks.

• Network forensics is the capturing, recording and analysis of packets in order
to determine the source of network security attacks.

• We can say network forensics is about the analysis and observation of
traffic on computer networks, ranging from Local Area Networks (LAN)
to Wide Area Networks (WAN) and the internet.

2. Goals of Network Forensics

The major goals of network forensics are:

• To collect evidence.

• To analyse network traffic data collected from different sites and
different network equipment such as firewalls and intrusion detection
systems (IDS).

• To detect attacks and analyse the nature of the attackers.

• To detect intrusion patterns, focusing on the attacker's activity.

3. Password Cracking
Most of the time, individuals use a username and password to gain access to a system.
Passwords are very easy for a hacker to crack, and the hacker can then use
that password to impersonate the genuine user.

Passwords can be cracked in the following ways:

1. Use of Brute Force

2. Recover and exploit the password stored on the system

3. Make use of password decryption software

4. Social Engineering

1. Dictionary Attack: An attack that takes advantage of the fact that people tend to
use common words and short passwords. The hacker uses a list of common
words, the dictionary, and tries them, often with numbers before and/or after
the words, against each username of the accounts in a company. (Usernames are
generally pretty easy to determine as they are almost universally based on the
names of the employees.)

2. Brute Force: Using a program to generate likely passwords or even random
character sets. These attacks start with commonly used, weak passwords like
Password123 and move on from there. The programs running these attacks
usually try variations on upper- and lower-case characters as well.

3. Traffic Interception: In this attack, the cybercriminal uses software such as
packet sniffers to monitor network traffic and capture passwords as they are
passed. Similar to eavesdropping or tapping a phone line, the software
monitors and captures critical information. Obviously, if information such as
passwords is unencrypted, the task is easier. But even encrypted information may
be decryptable, depending on the strength of the encryption method used.

4. Key Logger Attack: A cybercriminal manages to install software that tracks the
user’s keystrokes, enabling the criminal to gather not only the username and
password for an account but exactly which website or app the user was logging
into with the credentials. This type of attack generally relies on the user first
falling prey to another attack that installs the malicious key logger software on
their machine.

5. Social Engineering Attacks: This attack refers to the broad range of methods used to
obtain information from the user. The methods used here are:

• Phishing: Emails, texts etc. sent to fool users into providing their credentials,
clicking a link that installs malicious software or going to a fake website.
• Spear Phishing: Similar to phishing but with better crafted, tailored
emails/texts which rely on information already gathered about the users.
For example, a hacker may know that the user has a particular type of
insurance account and reference it in the email, or use the company's logo
and layout to make the email seem more legitimate.
• Baiting: Attackers leave infected USB drives or other devices in public or
employer locations in the hope that these will be picked up and used by
the employees.

Prevention and Response:

General password protection measures include:

1. Follow guidelines for generating strong passwords.
2. Configure settings so that user accounts are deactivated or locked out after
a sensible number of incorrect password attempts.
3. Use EFS (Encrypting File System) on Windows 2000/XP/.NET computers to encrypt files.
4. Store critical data on network servers instead of storing it on local
machines.
5. Do not rely on the password protection built into most applications.
6. Enable password shadowing on UNIX/Linux systems.
7. Disable LAN Manager authentication on Windows networks.
8. Confirm that passwords are never sent across the network in plain text
format.
9. Use anti-sniffer software and sniffer detection techniques to protect against
hackers who try to capture passwords travelling across the network.

Protecting the network against social engineers:

Administrators find it particularly challenging to safeguard against social engineering
attacks. Adopting clearly stated policies that forbid disclosing passwords and
other network information to anyone over the telephone, and educating users
about the practice, are sensible steps that administrators can take to
reduce the probability of this type of security breach.

4. Technical Exploits:-
Hackers use a number of popular technical exploits to gain access to networks or to interrupt
communication on them. Some of these are:

1. Protocol Exploits:
Protocol exploits use the features of a protocol, such as the handshake
method TCP uses to create a communication session, to achieve a result that was
never intended, for example overwhelming the targeted system to the point
where it is unable to communicate with genuine users.

a. DoS Attacks that exploit TCP/IP: DoS attacks are among the most widespread
attacks used by internet attackers who want to disrupt a network's operations. In
February 2000, DoS attacks brought down several of the world's biggest
websites, including Yahoo.com and Buy.com.

DoS attack types include:

a) DNS DoS attacks: abuse the Domain Name System protocols.
b) SYN/LAND attacks: abuse the way the TCP handshake process works.
c) The Ping of Death: uses a "killer packet" to overwhelm a system.
d) Ping flood, fraggle and smurf attacks: use various approaches to
flood the network or server.
e) UDP bomb and UDP snork: abuse the User Datagram Protocol (UDP).
f) Teardrop attacks: abuse the IP packet header fields.
g) SNMP exploits: SNMP is bundled with most TCP/IP implementations.

b. Source Routing Attacks: TCP/IP supports source routing, which is a means of
allowing the sender of network data to route the packets through a specific point
on the network. There are two types of source routing:
1. Strict Source Routing: The sender of the data can specify the exact route
(rarely used).
2. Loose Source Record Route (LSRR): The sender can specify certain routers,
called hops, through which the packet must pass.

Source routing is an option in the IP header that allows the sender to override
routing decisions that are normally made by the routers between the source and
destination machines. Network administrators use source routing to map the
network or to troubleshoot routing and communication problems. It can also
be used to force traffic through a route that will provide the best performance.
Unfortunately, source routing can be exploited by hackers.
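Because source-routed packets are rarely legitimate, firewalls and IDS sensors commonly flag or drop them. As an added example (not code from the original notes), the following Python parses the IPv4 option list and reports a Loose (LSRR, type 131) or Strict (SSRR, type 137) source route; the option type values are from RFC 791, and the packet bytes are constructed by a small helper.

```python
# Added example, not from the original notes: detect IPv4 source-route
# options the way a packet filter would. Packets are constructed locally.
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # option type values from RFC 791


def parse_ip_options(packet: bytes):
    """Return a list of (type, data) tuples for every option in the IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or invalid IPv4 header")
    options, pos = [], 20
    while pos < ihl:
        opt = packet[pos]
        if opt == IPOPT_EOL:
            break
        if opt == IPOPT_NOP:              # single-byte padding option
            pos += 1
            continue
        length = packet[pos + 1]
        if length < 2 or pos + length > ihl:
            raise ValueError("malformed option length")
        options.append((opt, packet[pos + 2:pos + length]))
        pos += length
    return options


def source_route(packet: bytes):
    """Return ('loose'|'strict', [hops]) if the packet carries a source route, else None."""
    for opt, data in parse_ip_options(packet):
        if opt in (IPOPT_LSRR, IPOPT_SSRR):
            # data[0] is the pointer byte, followed by 4-byte hop addresses
            hops = [str(ipaddress.IPv4Address(data[i:i + 4]))
                    for i in range(1, len(data) - 3, 4)]
            return ("loose" if opt == IPOPT_LSRR else "strict", hops)
    return None


def build_packet(src, dst, route=None, strict=False):
    """Construct a minimal IPv4 header (no payload), optionally with a source route."""
    opts = b""
    if route:
        addrs = b"".join(ipaddress.IPv4Address(h).packed for h in route)
        opt_type = IPOPT_SSRR if strict else IPOPT_LSRR
        opts = bytes([opt_type, 3 + len(addrs), 4]) + addrs   # pointer starts at 4
        opts += b"\x00" * (-len(opts) % 4)                    # pad to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts),
                         0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + opts


if __name__ == "__main__":
    routed = build_packet("10.0.0.5", "10.0.0.9", ["192.0.2.1", "192.0.2.2"])
    print(source_route(routed))                        # ('loose', [...])
    print(source_route(build_packet("10.0.0.5", "10.0.0.9")))   # None
```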

c. Other Protocol Exploits: The attacks we have discussed so far involve exploiting
some feature or weakness of the TCP/IP protocols. Hackers can also exploit
vulnerabilities of other common protocols such as HTTP, DNS, Common Gateway
Interface (CGI) and other commonly used protocols.

2. Application Exploits:
Application software exploits are those that take advantage of flaws in
particular application programs. These weaknesses are often called bugs.

a. Bug Exploits: Common bugs can be categorized as follows:

1. Buffer Overflows: Buffer overflows occur when the number of bytes or
characters input exceeds the maximum number allowed by the program.
2. Unexpected Input: The programmer might not take steps to
define what happens if invalid input is passed. This might cause the
program to crash or open a way into the system.
3. Configuration Bugs: These are not really "bugs". Rather, they
are ways of configuring the software that leave it vulnerable to
attack.

b. Mail Bombs:
• A mail bomb is a means of overwhelming a mail server, causing it to stop
functioning and thus denying service to users.
• A mail bomb is a relatively simple form of attack, accomplished by
sending a massive quantity of email to a specific user or system.
• Programs available on hacking sites on the internet allow a user to easily
launch a mail bomb attack, automatically sending floods of email to a
specified address while protecting the attacker's identity.
• The solution to repeated mail bomb attacks is to block traffic from the
originating network using packet filters.

c. Browser Exploits:

Web browsers are client software programs like Chrome, Netscape and
Opera that connect to servers running web server software like IIS or Apache
and request web pages via a URL, a user-friendly address that identifies
an IP address and specific files on the server at that address. The browser
receives files that are encoded and must interpret the code that governs
how the page will be displayed on the user's screen. Browsers are
open to a number of types of attack.

1. Exploitable Browser Characteristics: Initially browser programs were
simple, but today's browsers are complex. They are capable not only of
displaying text and graphics, but also of playing sound files and movies
and running executable code. The browser software stores information
about the computer on which it is installed and even about the user, which
can be uploaded to web servers, either deliberately by the user or in
response to code in a website.

2. Web Spoofing: Web spoofing is a means by which a hacker is able to see
and even make changes to web pages that are conveyed to or from another
computer. These pages may include confidential information such as credit card
numbers entered into online commerce forms and passwords that are used
to access restricted websites. JavaScript can be used to route web pages
and information through the attacker's computer, which impersonates the
destination web server.

3. Web Server Exploits: Web servers host web pages that are made
reachable and manageable by others across the internet or an intranet.

4. Buffer Overflows: A buffer is a temporary area used to hold data. To
accelerate processing, many software programs use a memory buffer to
hold modifications to data, and the information in the buffer is then copied to
the hard disk. There are two types of overflows:
a. Stack Overflows
b. Heap Overflows

3. Operating System Exploits:
Some exploits are unique to a particular operating system or family of
operating systems. These hacks exploit specific characteristics of the operating
system code to carry out the attack. All operating systems have their own
vulnerabilities.

a. The WinNuke Out-of-band attack:

The out-of-band (OOB) attack is one that exploits a vulnerability in some
Microsoft networks, so it is sometimes called the Windows OOB bug. It works as
follows:

i. A TCP/IP connection is established with the target IP address, using port 139
(the NetBIOS port).

ii. Then the program sends data using a flag called MSG_OOB (or urgent) in the
packet header.

iii. This flag instructs the computer's Winsock to send data called out-of-band
data.

iv. Upon receipt of this flag, the targeted Windows server expects a pointer to the
position in the packet where the urgent data ends, with normal data following,
but the OOB pointer in the packet created by WinNuke points to the end of the
frame, with no data following.

b. Router Exploits:
Many of the new cheap routers intended for broadband connections come
with default administrator passwords that can be used on any of the vendor’s
devices, if the administrator does not change the password. This means the
hacker with the knowledge of the default password could log on and make
changes to the routing table or router configuration.

5. Network Attacks: -

i. Passive Attack:
A passive attack is a type of attack where the attacker simply monitors the
network activity as part of reconnaissance. A passive attack is difficult to
detect, because the attacker is not actively attacking any target machine or
participating in network traffic. An example of a passive attack is an attacker
capturing packets from the network.
Prevention: Potential threats from passive attacks can be eliminated by
implementing good network encryption.

ii. Active Attack:

An active attack is a type of attack where the attacker actively launches
attacks against the target servers. In an active attack, the attacker is actively
sending traffic that can be detected.

Prevention: Active attacks can be prevented by using firewalls and an IPS
(Intrusion Prevention System).

iii. Close-in Attack:

A close-in attack is a type of attack where the attacker is physically close to
the target system. The attacker can take advantage of being physically close to
the target device.
Prevention: Good physical security can prevent close-in attacks.

iv. Insider Attack:

An insider attack is an attack from inside users, who use their access
credentials and knowledge of the network to attack the target machines.
Prevention: Good layer 2 security, authentication and physical security can
prevent insider attacks.

v. Distribution Attack:
Distribution attacks are attacks using backdoors introduced into
hardware or software systems at the time of manufacture. Once the hardware
or software becomes operational, the attacker can leverage the backdoor to attack
the target devices.
Prevention: Trusted hardware/software vendors and integrity checks can
prevent distribution attacks.

6. Prevention of Network Attacks: -

It is hard to detect and prevent network attacks once a virus has been built and
its type is not known, but the risk can be reduced by taking the following actions:

1. Change your password frequently to prevent password hacking.

2. Take a backup of important files and programs regularly.

3. Do not open unknown or spam email without security precautions.

4. Use an antivirus program to detect and protect against viruses.

5. Use strong encryption for daily transactions on the web; while
transferring personal information, SSL (with a digital certificate) can be used,
which makes interception hard for intruders.

6. Use a firewall: a machine placed between your system's network and the internet
that filters traffic which might be unsafe.

7. Intrusion Detection System (IDS): -
An Intrusion Detection System (IDS) monitors network traffic, looks for unusual
activity and sends alerts when it occurs. The main duties of an Intrusion Detection
System (IDS) are anomaly detection and reporting; however, certain Intrusion
Detection Systems can take action when malicious activity or unusual traffic is
discovered.

A) Features of IDS: -

Intrusion Detection provides the following features:

1. IDS continuously monitor network traffic, system activities and events in
real time to identify any suspicious or malicious behavior promptly. They also
audit the system files, other configurations and operating systems.

2. IDS generate alerts or notifications when they detect potentially harmful
activities or security breaches. These alerts are sent to security
administrators or a centralized management console for further
investigation.

3. IDS use various techniques, such as statistical analysis, machine learning, or
behavioral analysis, to detect deviations from normal patterns of network
traffic or system behavior. Anomalies may indicate potential security
threats or breaches.

4. IDS maintain a database of known attack patterns or signatures. They
compare network traffic or system events against these signatures to
identify known threats, such as malware, viruses, or intrusion attempts.

5. IDS inspect network packets to analyze the protocols used in
communication. By examining protocol headers and payloads, IDS can
detect abnormalities or misuse of protocols that may indicate an attack or
unauthorized activity.

6. IDS detect errors in system configuration and also detect and warn when
the system is in danger.

B) Offerings of IDS: -
The IDS will offer the following:
1. Add a greater degree of integrity to the rest of your infrastructure.

2. Recognize and report alterations to data.

3. Trace user activity from point of entry to point of impact.

4. Automate the task of monitoring the internet for the latest attacks.

5. Detect errors in your system configuration.

6. Sense when your system is under attack.

7. Make security management of your system possible for non-expert
staff.

8. Guide the system administrator in the important step of building a policy for
your computing assets.

The IDS will not offer the following:

1. Conduct investigations of attacks without human intervention.

2. Compensate for weak identification and authentication mechanisms.

3. Deal with some of the modern network hardware and features.

4. Compensate for flaws in network protocols.

5. Always handle problems involving packet-level attacks.

6. Compensate for problems in the quality or integrity of the information the
system provides.

7. Analyse all the traffic on a busy network.

C) Types of IDS: -
Intrusion Detection Systems can be classified in different ways. These are:

1. Active IDS

2. Passive IDS

3. Network-based IDS

4. Host-based IDS

5. Knowledge-based IDS (Signature-based)

6. Behaviour-based IDS (Anomaly-based)

1. Active IDS:
It is also called an Intrusion Detection and Prevention System (IDPS). Systems
that are configured to automatically block suspected attacks in progress without
any intervention required by an operator are called active IDS. An IDPS has the
advantage of providing real-time corrective action in reaction to an attack, but
it also has many disadvantages.

2. Passive IDS:
A system that is configured only to observe and analyse network traffic
activity and alert an operator to potential vulnerabilities and attacks is called a
passive IDS. It cannot perform any protective or corrective functions on its own.
It only detects and alerts the user.

3. Network-based IDS:

• Network intrusion detection systems (NIDS) are set up at a planned point
within the network to examine traffic from all devices on the network.

• It observes the traffic passing on the entire subnet and
matches the traffic passed on the subnets to the collection of known
attacks. Once an attack is identified or abnormal behavior is observed, an
alert can be sent to the administrator.

• It is placed mostly at important points in the network so that it can keep an
eye on the traffic travelling to and from the different devices on the
network. The IDS is placed along the network boundary or between the network and
the server.

• The advantage of a network-based IDS is that it can be deployed easily and
at low cost, without having to be loaded on each system.

4. Host-based IDS:

• A host-based IDS is generally a software application installed on a system that
observes activity only on the local system on which the software application
is installed.

• The agents monitor the operating system directly and write data to log files
and/or trigger alarms. A Host Intrusion Detection System (HIDS) can only
monitor the individual workstations on which the agents are installed and it
cannot monitor the entire network. Host-based IDS systems are used to
monitor any intrusion attempts on critical servers.

• The advantage of this system is that it can accurately monitor the whole system
and does not require the installation of any other hardware.

• The drawbacks of HIDS are:

1. It is difficult to analyse intrusion attempts on multiple computers.
2. HIDS can be very difficult to maintain in large networks with different
operating systems and configurations.
3. HIDS can be disabled by attackers after the system is compromised.

5. Knowledge-based IDS (Signature-based):

The effectiveness of a knowledge-based IDS is based on known attack
methods, which is the main weakness of this IDS. Knowledge-based IDS, also
known as signature-based IDS, are reliant on a database of known attack signatures.
Knowledge-based systems look closely at data and try to match it with a signature
pattern in the signature database. If an incident matches a signature, the IDS
registers that an attack has happened or is happening by giving an alert, alarm
etc. So this IDS is only as effective as its signature database, and the database must
be kept updated.

An advantage of this system is that it has higher accuracy and produces standard alarms
understood by the user.

6. Behaviour-based IDS (Anomaly-based):

A behaviour-based IDS references a baseline or learned pattern of normal
system activity to recognize active intrusion attempts. This IDS is also known as
anomaly-based or statistical-based intrusion detection. Deviations from this
baseline or pattern cause an alarm to be triggered.

Higher false alarm rates are often associated with behaviour-based intrusion detection
systems.

An advantage of this system is that it can detect new and unique attacks.
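The two approaches described in points 5 and 6 can be seen side by side in the following added Python example (not code from the original notes): a signature matcher with two textbook patterns, and a behaviour-based detector that learns a per-host requests-per-minute baseline and alerts on deviations. The log lines are constructed, and the threshold factor k is an assumed tuning value; note how the new host 10.0.0.13 triggers an anomaly alert simply because it has no baseline, which is the false-alarm tendency mentioned above.

```python
# Added example, not from the original notes: signature-based and
# behaviour-based detection side by side over constructed log lines of the
# form "<minute> <client-ip> <request-path>".
import re
import statistics
from collections import Counter, defaultdict

# Constructed training traffic (minutes 0-4): 10.0.0.11 makes 3-4 requests a
# minute, 10.0.0.12 makes one.
LOG_LINES = []
for _minute in range(5):
    LOG_LINES += [f"{_minute} 10.0.0.11 /index.html"] * (3 + _minute % 2)
    LOG_LINES += [f"{_minute} 10.0.0.12 /login"]
# Minute 5: normal browsing, a burst of injection attempts, and a new host
# probing for a traversal flaw.
LOG_LINES += ["5 10.0.0.11 /index.html"] * 4
LOG_LINES += ["5 10.0.0.12 /search?q=x' or 1=1"] * 12
LOG_LINES += ["5 10.0.0.13 /../../etc/passwd"]

# Two textbook signatures; a real signature database is far larger.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
}


def parse(line):
    minute, host, path = line.split(" ", 2)
    return int(minute), host, path


def signature_alerts(lines):
    """Knowledge-based detection: match each request against known patterns."""
    hits = {(host, name) for _, host, path in map(parse, lines)
            for name, pattern in SIGNATURES.items() if pattern.search(path)}
    return sorted(hits)


def build_baseline(lines, training_minutes):
    """Behaviour-based detection, step 1: learn requests per minute per host."""
    per_host = defaultdict(lambda: [0] * training_minutes)
    for minute, host, _ in map(parse, lines):
        if minute < training_minutes:
            per_host[host][minute] += 1
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}


def anomaly_alerts(lines, baseline, start_minute, k=3.0):
    """Step 2: alert when a host's rate exceeds mean + k*stdev of its baseline.
    Hosts with no baseline get (0, 0), so any traffic from them is flagged;
    k is an assumed tuning value."""
    counts = Counter((m, h) for m, h, _ in map(parse, lines) if m >= start_minute)
    alerts = []
    for (minute, host), n in counts.items():
        mean, sd = baseline.get(host, (0.0, 0.0))
        if n > mean + k * sd:
            alerts.append((minute, host, n))
    return sorted(alerts)


if __name__ == "__main__":
    print(signature_alerts(LOG_LINES))
    baseline = build_baseline(LOG_LINES, training_minutes=5)
    print(anomaly_alerts(LOG_LINES, baseline, start_minute=5))
```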

D) Difference between network-based IDS and host-based IDS:-

Network-based IDS                                        | Host-based IDS
---------------------------------------------------------|---------------------------------------------------------
Broad in scope.                                          | Narrow in scope; monitors specific activities.
Examines packet headers and the entire packet.           | Does not see packet headers.
Near real-time response.                                 | Responds after a suspicious entry.
Host independent.                                        | Host dependent.
Bandwidth dependent.                                     | Bandwidth independent.
No overload.                                             | Overload.
Slows down the networks that have IDS clients installed. | Slows down the hosts that have IDS clients installed.
Detects network attacks, as the payload is analyzed.     | Detects local attacks before they hit the network.
Not suitable for encrypted and switched networks.        | Well suited for encrypted and switched environments.
Does not normally detect complex attacks.                | Powerful tool for analyzing a possible attack because of the relevant information in its database.
High false positive rate.                                | Low false positive rate.
Lower cost of ownership.                                 | Requires no additional hardware.

8. Intrusion Prevention System (IPS): -

• An Intrusion Prevention System (IPS) is a network security technology that
examines network traffic for signs of potential security threats and takes
action to prevent them.
• An IPS uses a combination of signature-based and anomaly-based
detection methods to identify potential threats. Signature-based detection
involves comparing network traffic to a database of known signatures or
patterns of malicious activity. Anomaly-based detection, on the other hand,
involves identifying deviations from normal network behavior.
• An IPS works by monitoring network traffic in real time and analyzing it for
potential security threats. When the IPS detects a potential threat, it takes
action to prevent it. The action taken by the IPS depends on the configuration
and the severity of the threat.

Why IPS is Important

• An IPS is an essential tool in network forensics because it helps organizations
identify potential security breaches in real time and take action to prevent
them.

• An IPS also provides valuable information about the nature of the attack,
including the source IP address, the type of attack, and the affected
devices. This information can be used to analyze the attack and develop
countermeasures to prevent future attacks.

9. Difference between IDS, IPS and Firewall: -

10. Address Spoofing: -
• Spoofing is a type of trick in which an intruder tries to obtain unauthorized access to
your system or information by pretending to be the genuine user.
• The main purpose is to trick the user into disclosing confidential information
in order to obtain access to an individual's computer system or bank account,
or to steal personal information such as passwords, email ids etc.
• Hackers use spoofed addresses to fool other computers and deceive
them into thinking a message originated from a different machine.

Types of Address Spoofing: -

There are various types of spoofing, such as:

1. IP Spoofing
2. ARP Spoofing
3. DNS Spoofing

1. IP Spoofing:
The basic procedure for sending data over the internet and many other
computer networks is the Internet Protocol. It also involves the use of a
trusted IP address, which network intruders can use to overcome network
security measures such as authentication based on IP addresses. IP spoofing
involves altering the packet headers of a message so that it appears to have
come from an IP address other than the genuine source.

2. ARP Spoofing:
The ARP cache is maintained by the Address Resolution
Protocol (ARP). This is the table that maps IP addresses to the MAC (physical)
addresses of computers on the network. The MAC address is used at the physical
level to locate the destination computer to which the message should be
delivered, which is why this cache is necessary. If there is no cache entry for a
particular IP address, ARP sends a broadcast message to all the computers on the
subnet requesting that the machine with the IP address in question
respond with its MAC address. This mapping then gets added to the ARP cache.
The method of sending forged replies that result in incorrect entries in the cache
is called ARP poisoning or ARP spoofing.
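The defensive counterpart to the cache behaviour described above is a monitor that watches ARP replies and refuses to overwrite an existing mapping. The following added Python example (not code from the original notes) keeps the IP-to-MAC table, tracks which addresses were actually asked for, and raises an alert when a reply tries to change a recorded MAC or answers a request nobody sent; the ARP events and addresses are constructed, and treating every unsolicited reply as suspicious is a deliberate simplification (gratuitous ARP is legitimate on many networks).

```python
# Added example, not from the original notes: an ARP-cache monitor that detects
# poisoning attempts. Events and addresses below are constructed.
ARP_REQUEST, ARP_REPLY = 1, 2   # ARP operation codes


class ArpMonitor:
    def __init__(self):
        self.cache = {}            # ip -> mac, as the ARP cache described above
        self.outstanding = set()   # ips we have asked for and not yet resolved
        self.alerts = []

    def observe(self, op, sender_ip, sender_mac, target_ip=None):
        """Feed one ARP message; returns an alert string or None."""
        if op == ARP_REQUEST:
            self.outstanding.add(target_ip)
            return None
        known = self.cache.get(sender_ip)
        if known is not None and known != sender_mac:
            alert = (f"ARP poisoning suspected: {sender_ip} changed from "
                     f"{known} to {sender_mac}")
        elif known is None and sender_ip not in self.outstanding:
            # Simplification: unsolicited replies are flagged rather than cached.
            alert = f"unsolicited ARP reply for {sender_ip} from {sender_mac}"
        else:
            alert = None
        if alert is None:
            self.cache[sender_ip] = sender_mac   # accept only consistent mappings
        else:
            self.alerts.append(alert)
        self.outstanding.discard(sender_ip)
        return alert


def run(events):
    monitor = ArpMonitor()
    for event in events:
        monitor.observe(*event)
    return monitor


# Constructed sequence: a host asks for the gateway, the gateway answers,
# then a second reply claims the gateway IP with a different MAC, and an
# unrelated host answers a question nobody asked.
EVENTS = [
    (ARP_REQUEST, "10.0.0.5", "aa:aa:aa:00:00:05", "10.0.0.1"),
    (ARP_REPLY, "10.0.0.1", "aa:aa:aa:00:00:01"),
    (ARP_REPLY, "10.0.0.1", "de:ad:be:ef:00:01"),
    (ARP_REPLY, "10.0.0.7", "aa:aa:aa:00:00:07"),
]

if __name__ == "__main__":
    m = run(EVENTS)
    print(m.cache)
    for a in m.alerts:
        print(a)
```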

3. DNS Spoofing:
DNS spoofing is also called DNS cache poisoning. It is a form of hacking in
which corrupt Domain Name System data is introduced into a DNS resolver's
cache, causing the name server to return an incorrect IP address and diverting
the traffic to the intruder's computer. Spoofing attacks can cause severe security
problems for DNS servers susceptible to such attacks.

DNS spoofing refers to two methods of causing a DNS server to direct
users incorrectly:

1. Poisoning the DNS cache of name resolution servers, which results in
directing users to the wrong websites or in e-mail being sent to the wrong
mail servers.

2. Using the recursive mechanism of DNS to predict the request that a DNS
server will send and responding with counterfeit information.

This technique can even be used to trick the victim into providing personal
information through web forms.
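The second method only works if the forged reply is accepted as the answer to an outstanding query. As an added example (not code from the original notes), the following Python models the resolver-side check that blunts it: a response is accepted only if its transaction ID, source port and question name match a query that is still pending, and everything else, including a late duplicate after the query has been answered, is logged as rejected. The resolver class, its messages and the randomized port range are constructed for the example.

```python
# Added example, not from the original notes: a toy stub resolver that accepts
# a DNS response only when it matches a pending query exactly.
import secrets


class Resolver:
    def __init__(self):
        self.pending = {}    # (txid, source port) -> question name
        self.cache = {}      # question name -> answer
        self.rejected = []   # responses that matched no pending query

    def send_query(self, qname):
        """Issue a query with a random transaction ID and a random source port,
        which makes the (txid, port) pair hard to predict."""
        txid = secrets.randbelow(65536)
        port = 1024 + secrets.randbelow(64512)
        self.pending[(txid, port)] = qname
        return txid, port

    def receive(self, txid, port, qname, answer):
        """Accept the response only if it matches an outstanding query."""
        expected = self.pending.get((txid, port))
        if expected is None or expected != qname:
            self.rejected.append((txid, port, qname, answer))
            return False
        del self.pending[(txid, port)]   # a query can be answered only once
        self.cache[qname] = answer
        return True


def demo():
    """Constructed exchange: one forged guess, the genuine reply, one replay."""
    r = Resolver()
    txid, port = r.send_query("example.com")
    forged = r.receive((txid + 1) % 65536, port, "example.com", "198.51.100.9")
    genuine = r.receive(txid, port, "example.com", "192.0.2.1")
    replay = r.receive(txid, port, "example.com", "198.51.100.9")
    return r, forged, genuine, replay


if __name__ == "__main__":
    resolver, forged, genuine, replay = demo()
    print(forged, genuine, replay)          # False True False
    print(resolver.cache, len(resolver.rejected))
```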
