
Department of

Computer Science and Engineering

FORENSICS IN CYBER SECURITY


Course Code: 10212CS230
Year / Semester: 2024-25 / INTENSIVE
Slot: S1
Course Category: Program Elective
Faculty Name: Dr. T. VIJAYANANDH
Credits: 4
Hours: 75

School of Computing
Vel Tech Rangarajan Dr. Sagunthala R&D Institute of
Science and Technology
Unit - 2

UNIT II Network Forensics


Network forensics overview; Securing a network; Developing procedures for network forensics; Investigating virtual networks; Examining Honeynet projects; E-mail investigations: role of client and server in e-mail, investigating e-mail crimes and violations, e-mail servers, e-mail forensic tools.

Department of Computer Science and Engineering 2


Network Forensics Overview

 Network forensics is the process of collecting and analyzing raw network data.

 Network forensics is the study of data in motion, with special focus on gathering evidence via a process that will support admission into court.

 It tracks network traffic systematically to ascertain how an attack was carried out or how an event occurred on a network.

 Because network attacks are on the rise, there is more focus on this field and an increasing demand for skilled technicians.





The Need for Established Procedures

 Network forensics is closely related to network intrusion detection.

 Traditionally, computer forensics has focused on file recovery and filesystem analysis performed against system internals or seized storage devices.

 However, the hard drive is only a small piece of the story.

 These days, evidence almost always traverses the network and sometimes is never stored on a hard drive at all.

 With network forensics, the entire contents of e-mails, IM conversations, Web surfing activities, and file transfers can be recovered from network equipment and reconstructed to reveal the original transaction.


Challenges



The Principles of Network Forensics

 Network forensics can be generally defined as the science of discovering and retrieving evidential information in a networked environment about a crime in such a way as to make it admissible in court.

The five rules are that evidence must be:

 Admissible. Must be able to be used in court or elsewhere.

 Authentic. Evidence relates to the incident in a relevant way.

 Complete. No tunnel vision; includes exculpatory evidence for alternative suspects.

 Reliable. No question about authenticity and veracity.

 Believable. Clear, easy to understand, and believable by a jury.


Computer Forensics



Network forensic investigations

Usually there are three types of people who use digital evidence from network forensic investigations: police investigators, public investigators, and private investigators.

The following are some examples:

 Criminal prosecutors. Incriminating documents related to homicide, financial fraud, and drug-related records.

 Insurance companies. Records of bills, costs, and services to prove fraud in medical bills and accidents.

 Law enforcement officials. Require assistance in search warrant preparation and in handling seized computer equipment.

 Individuals. To support a possible claim of wrongful termination, sexual harassment, or age discrimination.


Network forensic Process



Activities

The primary activities of network forensics are investigative in nature.

The investigative process encompasses the following:

 Identification

 Preservation

 Collection

 Examination

 Analysis

 Presentation

 Decision
Securing a Network


Securing a Network

 Network forensics is used to determine how a security breach occurred; however, steps must be taken to harden networks before a security breach happens, particularly with recent increases in network attacks, viruses, and other security incidents.

 Hardening includes a range of tasks, from applying the latest patches to using a layered network defense strategy, which sets up layers of protection to hide the most valuable data at the innermost part of the network.

Three modes of protection:

 People
 Technology
 Operations


Secure your network

To find your gateway IP address and connect to it on Windows:

 Click Start > Run, type 'cmd', and press Enter.

 In the Command Prompt window, type 'ipconfig /all' and press Enter.

 Locate the line labeled 'Default Gateway' and note the address that follows. It will look similar to '192.168.1.1'.

 Open Internet Explorer (or your favorite browser).

 Enter the gateway IP address into the address bar and press Enter. The page that loads is the router's administration interface.

To find your gateway IP address and connect to it on a Mac:

 Open Finder and run 'Terminal' from Applications > Utilities.

 In the terminal window, type 'netstat -nr | grep default' (or 'route -n get default') and press Enter. Note that 'ipconfig -a' is not a valid macOS command; 'ifconfig -a' lists interfaces but does not show the gateway.

 Locate the line labeled 'default' (or 'gateway' in the output of route) and note the address that follows. It will look similar to '192.168.1.1'.

 Open Safari (or your favorite browser).

 Enter the gateway IP address into the address bar and press Enter.


Securing a network attached storage on the internet



Network Security

 Network forensics is the process of collecting and analyzing raw network data and tracking network traffic systematically to ascertain how an attack was carried out or how an event occurred on a network.

 Being able to spot variations in network traffic can help you track intrusions, so knowing your network's typical traffic patterns is important.

 Network forensics can also help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.

 Network forensics examiners must establish standard procedures for how to acquire data after an attack or intrusion incident.


Securing a Network

 Network forensics is used to determine how a security breach occurred; however, steps must be taken to harden networks before a security breach happens.

 A layered network defense strategy sets up layers of protection to hide the most valuable data at the innermost part of the network.

 It also ensures that the deeper into the network an attacker gets, the more difficult access becomes and the more safeguards are in place.

 The National Security Agency (NSA) developed an approach along these lines, called the defense in depth (DiD) strategy.


Procedures for Network Forensics

1. Always use a standard installation image for systems on a network. This image isn't a bit-stream image but an image containing all the standard applications used. You should also have MD5 and SHA-1 hash values of all application and OS files. Keep SHA-256 values as well: collisions are practical for MD5 and for SHA-1, so a match on the older hashes alone is weak evidence that a file is unchanged.

2. When an intrusion incident happens, make sure the vulnerability has been fixed to prevent other attacks from taking advantage of the opening. Where possible, capture the volatile evidence described in step 3 before remediating, because patching and rebooting alters the system.

3. Attempt to retrieve all volatile data, such as RAM and running processes, by doing a live acquisition before turning the system off.

4. Acquire the compromised drive and make a forensic image of it.

5. Compare files on the forensic image with the original installation image. Compare hash values of common files, such as the core Windows executables and standard dynamic link libraries (DLLs), and ascertain whether they have changed.
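The following is an added example (not code from the slides) of step 5 of the procedure above: it hashes every file under a "standard image" tree and a "forensic image" tree and reports what was modified, added, or removed. The two trees, their file names, and their contents are constructed inline so the script runs offline; real comparisons would point `hash_tree` at a mounted installation image and a mounted forensic image. SHA-256 is computed alongside the MD5 and SHA-1 values the slides mention.

```python
"""Compare a forensic image against the standard installation image by
hashing every file in both trees.  Added example, not from the slides;
the directory trees below are constructed sample data."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for one file, read in 64 KiB chunks.
    MD5 and SHA-1 match the values the slides say to keep; SHA-256 is
    added because collisions are practical for both older algorithms."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_tree(root):
    """Map each file's path (relative to root, '/' separated) to its hashes."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(baseline, image):
    """Classify files on the forensic image relative to the standard image.

    modified: present in both, any hash differs (e.g. a trojaned DLL)
    added:    only on the image (dropped tools, web shells; logs are normal)
    missing:  in the baseline but gone from the image (deleted binaries/logs)
    """
    modified = sorted(p for p in baseline if p in image and baseline[p] != image[p])
    added = sorted(p for p in image if p not in baseline)
    missing = sorted(p for p in baseline if p not in image)
    return {"modified": modified, "added": added, "missing": missing}


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Build a constructed baseline and a constructed compromised image
    (hypothetical file names and contents) and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        base, img = Path(tmp) / "baseline", Path(tmp) / "image"
        for root in (base, img):
            _write(root, "Windows/System32/kernel32.dll", b"MZ original dll")
            _write(root, "Windows/System32/ntdll.dll", b"MZ ntdll")
        # A log that existed on the standard build but is gone from the image.
        _write(base, "Windows/System32/LogFiles/audit.log", b"login ok\n")
        # The attacker replaced a library and dropped a tool.
        _write(img, "Windows/System32/kernel32.dll", b"MZ patched dll")
        _write(img, "Windows/Temp/nc.exe", b"MZ netcat")
        return compare_baseline(hash_tree(base), hash_tree(img))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Files whose hashes match under all three algorithms are dropped from the review set; the remaining three lists are what an examiner examines by hand.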


Basic Communication

(figure slide: packet structure; only the labels Payload and Trailer survive in the text)

Ports

 20 and 21 - FTP (File Transfer Protocol)
 22 - SSH and SFTP (SSH File Transfer Protocol)
 23 - Telnet
 25 - SMTP (Simple Mail Transfer Protocol)
 43 - WHOIS
 53 - DNS (Domain Name System)
 69 - TFTP (Trivial FTP)
 80 - HTTP (Hypertext Transfer Protocol)
 110 - POP3 (Post Office Protocol Version 3)
 137, 138, and 139 - NetBIOS
 143 - IMAP (Internet Message Access Protocol); 220 is the obsolete IMAP3 port
 161 and 162 - SNMP (Simple Network Management Protocol)
 179 - BGP (Border Gateway Protocol)
 194 - IRC (Internet Relay Chat)
 389 - LDAP (Lightweight Directory Access Protocol)
 443 - HTTPS (Hypertext Transfer Protocol Secure)
 445 - SMB over TCP (Microsoft-DS), carrying Active Directory file and RPC traffic
 464 - Kerberos change password
 465 - SMTP over SSL/TLS (SMTPS)
 3389 - Windows Remote Desktop (RDP)
 6666 - Beast (remote-access trojan) default port
 43188 - Reachout port


Network Traffic Analysis

(figure slides: Packet Viewing; Packet address and protocol; Packet Details)


Developing Procedures for Network Forensics

1. Always use a standard installation image for systems on a network.

2. When an intrusion incident happens, make sure the vulnerability has been
fixed to prevent other attacks from taking advantage of the opening.

3. Attempt to retrieve all volatile data, such as RAM and running processes, by
doing a live acquisition before turning the system off.

4. Acquire the compromised drive and make a forensic image of it.

5. Compare files on the forensic image with the original installation image.



Reviewing Network Logs

TCP log from 2017-12-15 15:06:33 to 2017-12-15 15:06:34:

Fri Dec 15 15:06:33 2017; TCP; eth0; 1296 bytes; from 204.146.114.10:1916 to 156.26.62.201:126
Fri Dec 15 15:06:33 2017; TCP; eth0; 625 bytes; from 192.168.114.30:289 to 188.226.173.122:13
Fri Dec 15 15:06:33 2017; TCP; eth0; 2401 bytes; from 192.168.5.41:529 to 188.226.173.122:31
Fri Dec 15 15:06:33 2017; TCP; eth0; 1296 bytes; from 206.199.79.28:1280 to 10.253.170.210:168; first packet


Top 10 External Sites

Top 10 External Sites Visited (bytes, address):

4897 188.226.173.122
2592 156.26.62.201
4897 110.150.70.190
4897 132.130.65.172
4897 192.22.192.204
4897 83.141.167.38
1296 167.253.170.210
1296 183.74.83.174
625 6.234.186.83
789 89.40.199.255

Top 10 Internal Users

Top 10 Internal Users (bytes, address):

4897 192.168.5.119
4897 192.168.5.41
4897 192.168.5.44
4897 192.168.5.5
2401 204.146.114.50
1296 192.168.5.95
1296 204.146.114.10
1296 204.146.114.14
1296 206.199.79.28
625 192.168.5.72
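As an added example (not from the slides), the script below parses log records in the format shown on the "Reviewing Network Logs" slide and derives the two summaries the following slides present, top external sites and top internal users by byte count, plus a list of flows to low, non-standard server ports. The four log lines are the ones on the slide, embedded as constructed sample input. Which addresses count as "internal" is an assumption: RFC 1918 space plus the 204.146.114.0/24 and 206.199.79.0/24 ranges that the "Top 10 Internal Users" table treats as internal.

```python
"""Parse firewall-style TCP log records and summarise top talkers.
Added example, not from the slides; SAMPLE_LOG reproduces the slide's
records and INTERNAL_NETS is an assumption."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the four records from the slide, one per line.
SAMPLE_LOG = """\
Fri Dec 15 15:06:33 2017; TCP; eth0; 1296 bytes; from 204.146.114.10:1916 to 156.26.62.201:126
Fri Dec 15 15:06:33 2017; TCP; eth0; 625 bytes; from 192.168.114.30:289 to 188.226.173.122:13
Fri Dec 15 15:06:33 2017; TCP; eth0; 2401 bytes; from 192.168.5.41:529 to 188.226.173.122:31
Fri Dec 15 15:06:33 2017; TCP; eth0; 1296 bytes; from 206.199.79.28:1280 to 10.253.170.210:168;first packet
"""

RECORD = re.compile(
    r"^(?P<ts>.+?); (?P<proto>\w+); (?P<iface>\w+); (?P<bytes>\d+) bytes; "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:;\s*(?P<flag>.*))?$"
)

# Assumed internal address space (see lead-in).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "204.146.114.0/24", "206.199.79.0/24",
)]

# Server ports below 1024 the reviewer expects to see; anything else that
# low is worth a second look (the slide's 126, 13, 31 and 168 all qualify).
EXPECTED_LOW_PORTS = {20, 21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 993, 995}


def parse_log(text):
    """Yield one dict per well-formed record.  Malformed lines are skipped
    rather than aborting the review of a large log."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for field in ("bytes", "sport", "dport"):
            rec[field] = int(rec[field])
        yield rec


def is_internal(addr, nets=INTERNAL_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def top_talkers(records, nets=INTERNAL_NETS, n=10):
    """Sum bytes per address and split into (internal users, external sites),
    each as a most_common() list of (address, bytes)."""
    internal, external = Counter(), Counter()
    for rec in records:
        for addr in (rec["src"], rec["dst"]):
            bucket = internal if is_internal(addr, nets) else external
            bucket[addr] += rec["bytes"]
    return internal.most_common(n), external.most_common(n)


def odd_ports(records, expected=EXPECTED_LOW_PORTS):
    """Flows whose destination port is privileged (<1024) but not an
    expected service: a cheap first filter for events of interest."""
    return [r for r in records if r["dport"] < 1024 and r["dport"] not in expected]


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    internal, external = top_talkers(recs)
    print("Top internal users:", internal)
    print("Top external sites:", external)
    print("Odd destination ports:", [(r["dst"], r["dport"]) for r in odd_ports(recs)])
```

Because the slide's own tables disagree with its log lines (for example 10.253.170.210 in the log versus 167.253.170.210 in the table), the classification is a parameter rather than a hard-coded rule; in practice the internal ranges come from the site's addressing plan, not from guessing.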


Using Network Tools

 Tools such as Splunk (www.splunk.com), Spiceworks (www.spiceworks.com), Nagios (www.nagios.org), and Cacti (www.cacti.net) help you monitor your network efficiently and thoroughly.

 For example, you can consult the records that these tools generate to prove an employee ran a program without permission.

 You can also monitor your network and shut down machines or processes that could be harmful.


Using Packet Analyzers

Packet analyzers are devices or software placed on a network to monitor traffic. Most
network administrators use them for increasing security and tracking bottlenecks.
However, attackers can use them to get information covertly. Most packet analyzers
work at Layer 2 or 3 of the OSI model.



Wireshark

Wireshark can trace the packets associated with an exploit. To see how this tool works, download the most recent version of Wireshark for Windows (www.wireshark.org/download.html) and install it on your workstation. Then follow these steps:

1. Start Wireshark. Notice the list of interfaces with traffic.

2. Double-click an interface that's showing activity. (If you're not on a live network, ping another student or yourself, visit some Web sites, and download a file to generate traffic. Then start this activity again.)

3. After several frames have been captured, click Stop.

4. After the trace has been loaded, scroll through the upper pane until you see a UDP frame or an SSDP frame. Right-click the frame, point to Follow, and click UDP Stream. You should see a window showing the reassembled stream.

5. Review the information in this window, and then exit Wireshark.


Investigating Virtual Networks

An article in the Journal of Cybersecurity explores how to modify the investigation approach that's used in physical networks so that it applies to virtual or logical networks.

A virtual switch is a little different from a physical switch, in that there's no spanning tree between virtual switches. For example, say that 24 students each create a virtual


Network Forensics
• Evidence scattered around the world. Not enough time. Not enough staff. Unrealistic expectations. Internal political conflicts. Gross underestimation of costs. Mishandling of evidence. Too many cooks in the kitchen. Network forensic investigations can be tricky.
• In addition to all the challenges faced by traditional investigators, network forensics investigators often need to work with unfamiliar people in different countries, learn to interact with obscure pieces of equipment, and capture evidence that exists only for fleeting moments.
• Laws surrounding evidence collection and admissibility are often vague, poorly understood, or nonexistent. Frequently, investigative teams find themselves in situations where it is not clear who is in charge, or what the team can accomplish.
Hospital Laptop goes missing
• A doctor reports that her laptop has been stolen from her office in a busy U.S. metropolitan hospital. The computer is password-protected, but the hard drive is not encrypted.
• Upon initial questioning, the doctor says that the laptop may contain copies of some patient lab results, additional protected health information (PHI) downloaded from email attachments, schedules that include patient names, birth dates, and IDs, notes regarding patient visits, and diagnoses.

Ramifications
• Since the hospital is regulated by the United States' Health Information Technology for Economic and Clinical Health (HITECH) Act and Health Insurance Portability and Accountability Act (HIPAA), it would be required to notify individuals whose PHI was breached.
• If the breach is large enough, it would also be required to notify the media. This could cause significant damage to the hospital's reputation, and also cause substantial financial loss, particularly if the hospital were held liable for any damages caused due to the breach.
Investigation
• 1. Precisely when did the laptop go missing?
• 2. Can we track down the laptop and recover it?
• 3. Which patient data was on the laptop?
• 4. How many individuals' data was affected?
• 5. Did the thief leverage the doctor's credentials to gain any further access to the hospital network?

Investigation
• Investigators began by working to determine the time when the laptop was stolen, or at least when the doctor last used it. This helped establish an outer bound on what data could have been stored on it. Establishing the time that the laptop was last in the doctor's possession also gave the investigative team a starting point for searching physical surveillance footage and access logs.
• The team also reviewed network access logs to determine whether the laptop was subsequently used to connect to the hospital network after the theft and, if so, the location that it connected from.

Missing Laptop
• First, they could interview the doctor to establish the time that she last used it, and the time that she discovered it was missing. Investigators might also find evidence in wireless access point logs, Dynamic Host Configuration Protocol (DHCP) lease assignment logs, Active Directory events, web proxy logs, and of course any sort of laptop tracking software (such as Lojack for Laptops) that might have been in use on the device.
• Once investigators established an approximate time of theft, they could narrow down the patient information that might have been stored on the system. Email logs could reveal when the doctor last checked her email, which would place an outer bound on the emails that could have been replicated to her laptop. These logs might also reveal which attachments were downloaded.
• More importantly, the hospital's email server would have copies of all of the doctor's emails, which would help investigators gather a list of patients likely to have been affected by the breach. Similarly, hospital applications that provide access to lab results and other PHI might contain access logs, which could help investigators compile a list of possible data breach victims.

Results
• Investigators were able to pinpoint the time of the theft and track the laptop through the facility out to a visitor parking garage.
• Parking garage cameras provided a low-fidelity image of the attacker, a tall man wearing scrubs, and investigators also correlated this with gate video of the car itself as it left the lot with two occupants.
• The video was handed to the police, who tracked the license plate. The laptop was recovered.
Digital Evidence
• Any observable and recordable event, or artifact of an event, that can be used to establish a true understanding of the cause and nature of an observed occurrence.

Categories
• Real
• Best
• Direct
• Circumstantial
• Hearsay
• Business Records

Real Evidence
• "Real evidence" is roughly defined as any physical, tangible object that played a relevant role in an event that is being adjudicated. It is the knife that was pulled from the victim's body. It is the gun that fired the bullet. It is the physical copy of the contract that was signed by both parties.

Best Evidence
• If the original evidence is not available, then alternate evidence of its contents may be admitted under the "best evidence rule." For example, if an original signed contract was destroyed but a duplicate exists, then the duplicate may be admissible. However, if the original exists and could be admitted, then the duplicate would not suffice.

Direct Evidence
• "Direct evidence" is the testimony offered by a direct witness of the act or acts in question. Such human testimony is classified as "direct evidence."

Circumstantial Evidence
• "Circumstantial evidence" is evidence that does not directly support a specific conclusion. Rather, circumstantial evidence may be linked together with other evidence and used to deduce a conclusion.

Hearsay Evidence
• "Hearsay" is the label given to testimony offered second-hand by someone who was not a direct witness of the act or acts in question.

Business records
• Business records can include any documentation that an enterprise routinely generates and retains as a result of normal business processes, and that is deemed accurate enough to be used as a basis for managerial decisions.
Acquisition
• It can be difficult to locate specific evidence in a network environment. Networks contain so many possible sources of evidence, from wireless access points to web proxies to central log servers, that sometimes pinpointing the correct location of the evidence is tricky.

Content
• Unlike filesystems, which are designed to contain all the contents of files and their metadata, network devices may or may not store evidence with the level of granularity desired. Network devices often have very limited storage capacity.

Storage
• Network devices commonly do not employ secondary or persistent storage. As a consequence, the data they contain may be so volatile as to not survive a reset of the device.

Privacy
• Depending on jurisdiction, there may be legal issues involving personal privacy that are unique to network-based acquisition techniques.

Seizure
• Seizing a hard drive can inconvenience an individual or organization. Often, however, a clone of the original can be constructed and deployed such that critical operations can continue with limited disruption. Seizing a network device can be much more disruptive. In the most extreme cases, an entire network segment may be brought down indefinitely. Under most circumstances, however, investigators can minimize the impact on network operations.

Admissibility
• Filesystem-based evidence is now routinely admitted in both criminal and civil proceedings. As long as the filesystem-based evidence is lawfully acquired, properly handled, and relevant to the case, there are clear precedents for authenticating the evidence and admitting it in court. In contrast, network forensics is a newer approach to digital investigations.
OSCAR
• The overall step-by-step process recommended is as follows:
• Obtain information
• Strategize
• Collect evidence
• Analyze
• Report

Obtain information
• Obtain information about the incident itself, and obtain information about the environment.

Incident
• Description of what happened
• Date, time, and method of incident discovery
• Persons involved
• Systems and data involved
• Actions taken since discovery
• Summary of internal discussions
• Legal issues
• Time frame

Environment
• Business model
• Legal issues
• Network topology
• Available sources of network evidence
• Organizational structure
• Incident response management process/procedures
• Communications systems
• Resources available
Strategize
• Take the time to accurately assess your resources and plan your investigation.
• For example, the organization collects firewall logs but stores them in a distributed manner on systems that are not easily accessed. The organization has a web proxy, which is centrally accessed by key security staff. ARP tables can be gathered from any system on the local LAN. The plan should start with the evidence that is cheapest to obtain and most likely to be lost.

Collect Evidence
• Document: Make sure to keep a careful log of all systems accessed and all actions taken during evidence collection. Your notes must be stored securely and may be referenced in court. Even if the investigation does not go to court, your notes will still be very helpful during analysis. Be sure to record the date, time, source, method of acquisition, name of the investigator(s), and chain of custody.
• Capture: Capture the evidence itself. This may involve capturing packets and writing them to a hard drive, copying logs to hard drive or CD, or imaging hard drives of web proxies or logging servers.
• Store/Transport: Ensure that the evidence is stored securely and maintain the chain of custody. Keep an accurate, signed, verifiable log of the persons who have accessed or possessed the evidence.
Analyze
• The analysis process is normally nonlinear, but certain elements should be considered essential:
• Correlation: One of the hallmarks of network forensics is that it involves multiple sources of evidence. Much of this will be timestamped, and so the first consideration should be what data can be compiled, from which sources, and how it can be correlated.
• Timeline: Once the multiple data sources have been aggregated and correlated, it's time to build a timeline of activities.
• Events of Interest: Certain events will stand out as potentially more relevant than others.
• Corroboration: Due to the relatively low fidelity of data that characterizes many sources of network logs, there is always the problem of "false positives."
• Recovery of additional evidence: Often the efforts described above lead to a widening net of evidence acquisition and analysis.
• Interpretation: Throughout the analysis process, you may need to develop working theories of the case. These are educated assessments of the meaning of your evidence, designed to help you identify potential additional sources of evidence, and construct a theory of the events that likely transpired.

Report
• The report must be:
• Understandable by nontechnical laypeople, such as: legal teams, managers, Human Resources personnel, judges, juries
• Defensible in detail
• Factual
Cabling
• Data is signaled on copper when stations on the shared medium independently adjust the voltage. Cabling can also consist of fiber-optic lines, which are made of thin strands of glass. Stations connected via fiber signal data through the presence or absence of photons. Both copper and fiber-optic mediums support digital signaling.
• Network forensic investigators can tap into physical cabling to copy and preserve network traffic as it is transmitted across the line. Taps can range from "vampire" taps, which literally puncture the insulation and make contact with copper wires, to surreptitious fiber taps, which bend the cable and cut the sheathing to reveal the light signals as they traverse the glass.

Wireless
• The wireless medium has made networks very easy to set up. Wireless networks can easily be deployed even without "line-of-sight"; RF waves can and do travel through air, wood, and brick.
• Investigators can still gather a lot of information from encrypted wireless networks. Although data packets that traverse a wireless network may be encrypted, management and control frames commonly are not. In the clear, wireless access points advertise their names, presence, and capabilities; stations probe for access points; and access points respond to probes.

Switches
• Switches are the glue that hold our LANs together. They are multiport bridges that physically connect multiple stations or network segments together to form a LAN.
• In a typical deployment, organizations have "core" switches, which aggregate traffic from many different segments, as well as "edge" switches, which aggregate stations on individual segments.
• Switches contain a "content addressable memory" (CAM) table, which stores mappings between physical ports and each network card's MAC address. Given a specific device's MAC address, network investigators can examine the switch to determine the corresponding physical port, and potentially trace that to a wall jack and a connected station.
Routers
• Routers connect different subnets or networks together and facilitate transmission of packets between different network segments, even when they have different addressing schemes. Routers add a layer of abstraction that enables stations on one LAN to send traffic destined for stations on another LAN.
• Where switches have CAM tables, routers have routing tables. Routing tables map ports on the router to the networks that they connect. This allows a forensic investigator to trace the path that network traffic takes to traverse multiple networks.

DHCP
• The Dynamic Host Configuration Protocol (DHCP) is widely used as the mechanism for assigning IP addresses to LAN stations, so that they can communicate with other stations on the local network, as well as with systems across internetworked connections. In the early days of networking, administrators had to manually configure individual desktops with static IP addresses.
• When DHCP servers assign (or "lease") IP addresses, they typically create a log of the event, which includes the assigned IP address, the MAC address of the device receiving the IP address, and the time the lease was provided or renewed. Other details, such as the requesting system's hostname, may be logged as well.
DNS
• Enterprises typically use the Domain Name System (DNS), in which individual hosts query central DNS servers when they need to map an IP address to a hostname, or vice versa. DNS is a recursive hierarchical distributed database; if an enterprise's local DNS server does not have the information to resolve a requested IP address and hostname, it can query another DNS server for that information.
• DNS servers can be configured to log queries for IP address and hostname resolutions. These queries can be very revealing. For example, if a user on an internal desktop browses to a web site, the user's desktop will make a DNS query to resolve the host and domain names of the web server prior to retrieving the web page. DNS server logs therefore record which internal systems looked up which external systems: web sites, SSH servers, external email servers, and more.
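The DHCP and DNS slides above, and the "Correlation" and "Timeline" elements of the Analyze step, come together in one task: deciding which physical device was behind an IP address when a DNS query was logged. The script below is an added example (not from the slides) that correlates a DHCP lease log with a DNS query log and builds a timeline attributed to MAC address and hostname. Both logs are constructed sample data in a hypothetical one-line-per-event format; real DHCP and DNS servers use their own syntaxes, and the one-hour lease length is an assumption. The sample deliberately reuses one IP address for a second device, the case in which attributing by IP alone blames the wrong machine.

```python
"""Correlate DHCP lease logs with DNS query logs into an attributed
timeline.  Added example, not from the slides; both logs below are
constructed sample data in a hypothetical format."""
from datetime import datetime, timedelta

# Constructed DHCP lease log: date time event ip mac hostname
DHCP_LOG = """\
2024-03-01 08:00:00 DHCPACK 192.168.5.41 aa:bb:cc:dd:ee:01 DR-LAPTOP
2024-03-01 08:50:00 DHCPACK 192.168.5.41 aa:bb:cc:dd:ee:01 DR-LAPTOP
2024-03-01 09:30:00 DHCPACK 192.168.5.41 aa:bb:cc:dd:ee:02 VISITOR-PC
"""
# Constructed DNS query log: date time client-ip query-name
DNS_LOG = """\
2024-03-01 08:15:00 192.168.5.41 mail.hospital.example
2024-03-01 09:45:00 192.168.5.41 pastebin.example
2024-03-01 10:05:00 192.168.5.99 updates.vendor.example
"""
LEASE_TIME = timedelta(hours=1)  # assumed lease length (hypothetical)


def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")


def parse_dhcp(text):
    """One lease record per DHCPACK; each lease is valid for LEASE_TIME."""
    leases = []
    for line in text.splitlines():
        date, time, event, ip, mac, host = line.split()
        if event == "DHCPACK":
            start = _ts(date, time)
            leases.append({"start": start, "end": start + LEASE_TIME,
                           "ip": ip, "mac": mac, "host": host})
    return leases


def parse_dns(text):
    out = []
    for line in text.splitlines():
        date, time, client, qname = line.split()
        out.append({"time": _ts(date, time), "client": client, "qname": qname})
    return out


def lease_for(ip, when, leases):
    """Return the lease covering `ip` at `when`.  If two leases overlap
    (the address was reassigned before the first lease expired), prefer the
    most recent ACK: that is the device the server last saw on the wire."""
    live = [l for l in leases if l["ip"] == ip and l["start"] <= when < l["end"]]
    return max(live, key=lambda l: l["start"]) if live else None


def conflicting_leases(leases):
    """Same IP held by different MACs at overlapping times.  Either a
    release the log did not capture, or address spoofing; either way it
    is an event of interest on its own."""
    found = []
    for i, a in enumerate(leases):
        for b in leases[i + 1:]:
            if (a["ip"] == b["ip"] and a["mac"] != b["mac"]
                    and a["start"] < b["end"] and b["start"] < a["end"]):
                found.append((a["ip"], a["mac"], b["mac"], max(a["start"], b["start"])))
    return found


def build_timeline(dns, leases):
    """Attribute each DNS query to the device that held the client IP."""
    timeline = []
    for q in sorted(dns, key=lambda q: q["time"]):
        lease = lease_for(q["client"], q["time"], leases)
        timeline.append({
            "time": q["time"], "ip": q["client"], "qname": q["qname"],
            "mac": lease["mac"] if lease else None,
            "host": lease["host"] if lease else "UNATTRIBUTED",
        })
    return timeline


if __name__ == "__main__":
    leases = parse_dhcp(DHCP_LOG)
    for e in build_timeline(parse_dns(DNS_LOG), leases):
        print(e["time"], e["ip"], e["qname"], "->", e["host"], e["mac"])
    print("lease conflicts:", conflicting_leases(leases))
```

The 09:45 query to pastebin.example came from 192.168.5.41, the address the doctor's laptop held earlier; the DHCP log shows the address had been re-leased to a different MAC by then, so the timeline attributes it to VISITOR-PC and flags the overlap rather than charging the laptop with the lookup. Queries from addresses with no lease at all stay UNATTRIBUTED instead of being guessed.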
Authentication servers
• Authentication servers are designed to provide centralized authentication services to users throughout an organization so that user accounts can be managed in one place, rather than on hundreds or thousands of individual computers. This allows enterprises to streamline account provisioning and audit tasks.
• Authentication servers typically log successful and/or failed login attempts and other related events. Investigators can analyze authentication logs to identify brute-force password-guessing attacks, account logins at suspicious hours or unusual locations, or unexpected privileged logins, which may indicate questionable activities.
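As an added example (not from the slides) of the authentication-log analysis just described, the script below runs two detections over a constructed log: a sliding-window count of failed logins per account and source that fires on a burst, with a separate, higher-priority alert when a success follows that burst inside the same window, and a list of successful logins at off hours. The log format (date, time, user, source address, result) is hypothetical, and the threshold, window and business-hours boundary are assumptions to be tuned to the environment.

```python
"""Brute-force and off-hours login detection over an authentication log.
Added example, not from the slides; AUTH_LOG is constructed sample data
in a hypothetical format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: date time user source result
AUTH_LOG = """\
2024-03-01 02:10:01 jsmith 203.0.113.7 FAIL
2024-03-01 02:10:02 jsmith 203.0.113.7 FAIL
2024-03-01 02:10:02 jsmith 203.0.113.7 FAIL
2024-03-01 02:10:03 jsmith 203.0.113.7 FAIL
2024-03-01 02:10:04 jsmith 203.0.113.7 FAIL
2024-03-01 02:10:05 jsmith 203.0.113.7 SUCCESS
2024-03-01 08:30:00 jsmith 192.168.5.41 SUCCESS
2024-03-01 08:31:10 adoe 192.168.5.44 FAIL
2024-03-01 08:31:40 adoe 192.168.5.44 SUCCESS
"""


def parse_auth(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, src, result = line.split()
        events.append({"time": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                       "user": user, "src": src, "result": result})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding window of failure times per (user, source).

    Returns alerts as (kind, (user, src), time):
      'burst'               failures in the window reached `threshold`
      'success_after_burst' a success followed a burst within `window`,
                            i.e. the guessing probably worked
    """
    recent = defaultdict(deque)   # (user, src) -> failure timestamps in window
    burst_at = {}                 # (user, src) -> time the burst alert fired
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["src"])
        q = recent[key]
        while q and ev["time"] - q[0] > window:   # expire old failures
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["time"])
            if len(q) == threshold:                # fire once per burst
                burst_at[key] = ev["time"]
                alerts.append(("burst", key, ev["time"]))
        elif ev["result"] == "SUCCESS":
            if key in burst_at and ev["time"] - burst_at[key] <= window:
                alerts.append(("success_after_burst", key, ev["time"]))
            q.clear()                              # success closes the episode
            burst_at.pop(key, None)
    return alerts


def off_hours_logins(events, start_hour=22, end_hour=6):
    """Successful logins between start_hour and end_hour (assumed to be
    outside business hours); the slides list these as a lead to check."""
    return [e for e in events
            if e["result"] == "SUCCESS"
            and (e["time"].hour >= start_hour or e["time"].hour < end_hour)]


if __name__ == "__main__":
    events = parse_auth(AUTH_LOG)
    for kind, key, when in detect_bruteforce(events):
        print(when, kind, *key)
    for e in off_hours_logins(events):
        print(e["time"], "off-hours success", e["user"], e["src"])
```

Keying on (user, source) catches one source hammering one account; password spraying, many accounts with one password each from one source, needs the same window keyed on source alone, which is a one-line change to `key`.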
NIDS/NIPS
• NIDS/NIPS devices monitor network traffic in real time for indications of any adverse events as they transpire. When incidents are detected, the NIDS/NIPS can alert security personnel and provide information about the event. NIPSs may further be configured to block the suspicious traffic as it occurs.
• The value of the data provided by NIDS/NIPS is highly dependent upon the capabilities of the device deployed and its configuration. With many devices it is possible to recover the entire contents of the network packet or packets that triggered an alert.

Firewalls
• Firewalls are specialized routers designed to perform deeper inspection of network traffic in order to make more intelligent decisions as to what traffic should be forwarded and what traffic should be logged or dropped. Unlike most routers, modern firewalls are designed to make decisions based not only on source and destination IP addresses, but also on the packet payloads, port numbers, and encapsulated protocols.
• These days, nearly every organization has deployed firewalls on their network perimeters, the network boundaries between the enterprise and their upstream provider. In an enterprise environment, firewalls are also commonly deployed within internal networks to partition network segments in order to provide enclaves that are protected from each other.
• Today, modern firewalls have granular logging capabilities and can function as both infrastructure protection devices and fairly useful IDSs as well. Firewalls can be configured to produce alerts and log allowed or denied traffic, system configuration changes, errors, and a variety of other events.
Web proxies
• Web proxies are commonly used within
enterprises for two purposes: first, to improve
performance by locally caching web pages
and, second, to log, inspect, and filter web
surfing traffic. In these deployments, web
traffic from local clients is funneled through
the web proxy.

• Web proxies can be a gold mine for forensic
investigators, especially when they are
configured to retain granular logs for an
extended period of time. Whereas forensic
analysis of a single hard drive can produce the
web surfing history for users of a single device,
an enterprise web proxy can store the web
surfing logs for an entire organization.

• There are many commercial and free
applications that can interpret web proxy logs
and provide visual reports of web surfing
patterns by client IP address or even by
username.

Application servers
• Database servers
• Web servers
• Email servers
• Chat servers
• VoIP/voicemail servers

• There are far too many kinds of application
servers for us to review every one in depth
(dozens if not hundreds of books have been
published on each type). However, when you
are leading an investigation, keep in mind that
each of them is a possible source of
network-based evidence.
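As a worked illustration of what the proxy-log reporting tools mentioned above actually compute, here is an added example (not code from the original slides or from any product) that parses a few constructed lines in Squid's native access.log layout, builds a per-client summary of requests, bytes, hosts and usernames, and answers the investigator's usual reverse question: which clients touched a given host, and when. The log lines, client addresses and hostnames are all made up for the demo; the field order assumed is Squid's default native format (timestamp, elapsed ms, client, action/status, bytes, method, URL, user, hierarchy/peer, content type).

```python
"""Summarise proxy access logs per client, and answer "who visited host X?"."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not a real capture):
# time elapsed client action/status bytes method url user hierarchy/peer type
ACCESS_LOG = """\
1717405200.123    245 10.0.0.5 TCP_MISS/200 15320 GET http://news.example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
1717405201.500     12 10.0.0.5 TCP_HIT/200 2210 GET http://news.example.com/logo.png - NONE/- image/png
1717405260.001    980 10.0.0.9 TCP_MISS/200 40960 POST http://paste.example.org/upload jdoe HIER_DIRECT/203.0.113.30 text/plain
1717405261.700    300 10.0.0.9 TCP_MISS/403 512 GET http://paste.example.org/admin jdoe HIER_DIRECT/203.0.113.30 text/html
1717405300.250   1100 10.0.0.5 TCP_TUNNEL/200 88200 CONNECT files.example.net:443 - HIER_DIRECT/192.0.2.44 -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def parse_access_log(text: str) -> list:
    """Turn raw log lines into dicts with a UTC datetime and the destination host."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip anything that is not a request line
        d = m.groupdict()
        d["time"] = datetime.fromtimestamp(float(d["ts"]), tz=timezone.utc)
        d["bytes"] = int(d["bytes"])
        # CONNECT (TLS tunnels) logs "host:port" instead of a full URL
        d["host"] = d["url"].split(":")[0] if d["method"] == "CONNECT" else urlsplit(d["url"]).hostname
        rows.append(d)
    return rows


def per_client_report(rows: list) -> dict:
    """Requests, bytes, distinct hosts, usernames and denied requests per client IP."""
    report = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": Counter(),
                                  "users": set(), "denied": 0})
    for r in rows:
        c = report[r["client"]]
        c["requests"] += 1
        c["bytes"] += r["bytes"]
        c["hosts"][r["host"]] += 1
        if r["user"] != "-":              # "-" means the proxy saw no authenticated user
            c["users"].add(r["user"])
        if r["status"] == "403":
            c["denied"] += 1
    return dict(report)


def who_visited(rows: list, host: str) -> list:
    """(client, user, first seen, last seen) for every client that requested `host`."""
    seen = {}
    for r in rows:
        if r["host"] != host:
            continue
        key = (r["client"], r["user"])
        first, last = seen.get(key, (r["time"], r["time"]))
        seen[key] = (min(first, r["time"]), max(last, r["time"]))
    return [(c, u, f.isoformat(), l.isoformat()) for (c, u), (f, l) in seen.items()]


if __name__ == "__main__":
    rows = parse_access_log(ACCESS_LOG)
    for client, stats in per_client_report(rows).items():
        print(client, stats["requests"], "requests,", stats["bytes"], "bytes,",
              "top host:", stats["hosts"].most_common(1)[0][0], "users:", sorted(stats["users"]))
    print("paste.example.org visitors:", who_visited(rows, "paste.example.org"))
```

The CONNECT branch matters in practice: on a modern network most traffic is HTTPS, so without it the tunnel lines (often the bulk of the bytes) would be dropped or mis-attributed.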
Central log servers
• Central log servers aggregate event logs from
a wide variety of sources, such as
authentication servers, web proxies, firewalls,
and more. Individual servers are configured to
send logs to the central log server, where they
can be timestamped, correlated, and analyzed
by automated tools and humans far more
easily than if they resided on disparate
systems.

• Much like intrusion detection systems, central
log servers are designed to help security
professionals identify and respond to network
security incidents. Even if an individual server
is compromised, logs originating from it may
remain intact on the central log server.
Routers, with their limited storage space, may
retain logs for only very short periods, but the
same logs can be sent in real time to a central
log server and preserved for months or years.
Examining the Honeynet Project

• The Honeynet Project (www.honeynet.org) was developed to make information
widely available in an attempt to thwart Internet and network attackers.
• Many people participate in this worldwide project, which is now a nonprofit
organization.
• The objectives are awareness, information, and tools. The first step is to make people
and organizations aware that threats exist and that they might be targets.
• The second is to provide information on how to protect against these threats,
including how attackers operate, how they communicate, and what tactics they use.
• Finally, for people who want to do their own research, the Honeynet Project offers
tools and methods.

Role of E-mail in Investigations

E-mail plays a very important role in business communications and has
emerged as one of the most important applications on the Internet.

An investigator has the following goals while performing e-mail forensics:

• To identify who is behind the message
• To collect the necessary evidence
• To present the findings
• To build the case

Challenges in E-mail Forensics

• Fake e-mails
• Spoofing
• Anonymous re-mailing

E-mail Forensic Investigation

Some of the common techniques used in e-mail forensic investigation are:

• Header analysis
• Server investigation
• Network device investigation
• Sender mailer fingerprints
• Software-embedded identifiers

How E-mail Works

An e-mail client provides four basic functions:

1) Holds messages in a mailbox.
2) Shows a message's contents when its header is selected.
3) Creates and sends messages.
4) Adds attachments.

Exploring the Role of E-mail in Investigations

With the increase in e-mail scams and fraud attempts using phishing or spoofing
  – Investigators need to know how to examine and interpret the unique
content of e-mail messages
• Phishing e-mails are in HTML format
  – Which allows the visible link text on the page to differ from the link's
actual destination
• One of the most noteworthy e-mail scams was 419, or the Nigerian Scam
• Spoofed e-mail can be used to commit fraud

Roles of the Client and Server in E-mail

• Send and receive e-mail in two environments
  – Internet
  – Controlled LAN, MAN, or WAN
• Client/server architecture
  – Server OS and e-mail software differ from those on the client side
• Protected accounts
  – Require usernames and passwords

Roles of the Client and Server in E-mail (continued)

• Naming conventions
  – Corporate: [email protected]
  – Public: [email protected]
  – Everything after @ belongs to the domain name
• Tracing corporate e-mails is easier
  – Because accounts use standard names the administrator establishes

Investigating E-mail Crimes and Violations

• Similar to other types of investigations
• Goals
  – Find who is behind the crime
  – Collect the evidence
  – Present your findings
  – Build a case

Investigating E-mail Crimes and Violations (continued)

• Whether an e-mail activity is a crime depends on the city, state, or country
  – Example: spam
  – Always consult with an attorney
• E-mail crimes are becoming commonplace
• Examples of crimes involving e-mail
  – Narcotics trafficking
  – Extortion
  – Sexual harassment
  – Child abductions and pornography

Examining E-mail Messages

• Access the victim's computer to recover the evidence
• Using the victim's e-mail client
  – Find and copy evidence in the e-mail
  – Access protected or encrypted material
  – Print e-mails
• Guide the victim on the phone
  – Open and copy the e-mail, including its headers
• Sometimes you will deal with deleted e-mails

Examining E-mail Messages (continued)

• Copying an e-mail message
  – Before you start an e-mail investigation, you need to copy and print the
e-mail involved in the crime or policy violation
  – You might also want to forward the message as an attachment to another
e-mail address (forwarding as an attachment preserves the original headers;
an inline forward rewrites them)
• With many GUI e-mail programs, you can copy an e-mail by dragging it to a
storage medium
  – Or by saving it in a different location

Viewing E-mail Headers

• Learn how to find e-mail headers in
  – GUI clients
  – Command-line clients
  – Web-based clients
• After you open the e-mail headers, copy and paste them into a text document
  – So that you can read them with a text editor
• Headers contain useful information
  – Unique identifying numbers, IP address of the sending server, and sending time

Viewing E-mail Headers (continued)

• Yahoo (Web client)
  – Click Mail Options
  – Click General Preferences and select Show all headers on incoming messages
  – Copy and paste the headers

(Screenshots: Yahoo Mail header; Yahoo full header view)

Viewing E-mail Headers (continued)

• Outlook
  – Open the Message Options dialog box
  – Copy the headers
  – Paste them into any text editor
• Outlook Express
  – Open the message Properties dialog box
  – Select Message Source
  – Copy and paste the headers into any text editor

Viewing E-mail Headers (continued)

• Novell Evolution
  – Click View, All Message Headers
  – Copy and paste the e-mail header
• Pine and ELM
  – Turn on the enable-full-headers option
• AOL
  – Click Action, View Message Source
  – Copy and paste the headers

Viewing E-mail Headers (continued)

• Hotmail
  – Click Options, and then click Mail Display Settings
  – Click the Advanced option button under Message Headers
  – Copy and paste the headers
• Apple Mail
  – Click View on the menu, point to Message, and then click Long Header
  – Copy and paste the headers

Examining E-mail Headers

• Gather supporting evidence and track the suspect
  – Return path
  – Recipient's e-mail address
  – Type of sending e-mail service
  – IP address of the sending server
  – Name of the e-mail server
  – Unique message number
  – Date and time the e-mail was sent
  – Attachment file information

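The header fields listed above are what an investigator pulls out by hand from the pasted text; the following added example (not code from the original slides) does the same mechanically in Python over a constructed message. It walks the Received: chain bottom-up to recover the hops in chronological order, extracts the IP the receiving server recorded for each hop, computes the transit time from the timestamps, and applies three heuristic spoofing checks: Return-Path domain versus From: domain, Message-ID domain versus From: domain, and an originating host that identified itself only by an IP literal. The message, hosts and addresses are invented for the demo (RFC 5737 documentation ranges), and the checks are indicators to investigate, not proof of forgery.

```python
"""Parse an e-mail's Received: chain and flag simple spoofing indicators."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message: three Received: headers, newest on top, the way
# each MTA prepends its own line. Not a real capture.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
        by mail.victim.example with ESMTP id 4Tx12Q;
        Mon, 3 Jun 2024 09:15:27 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.5])
        by mx.corp.example with ESMTPS id abc123;
        Mon, 3 Jun 2024 09:15:25 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
        by relay.mailer.example.net with SMTP id xyz789;
        Mon, 3 Jun 2024 09:15:20 +0000
Message-ID: <20240603091520.12345@relay.mailer.example.net>
Date: Mon, 3 Jun 2024 09:15:19 +0000
From: "Accounts Payable" <ap@bank.example>
To: victim@victim.example
Subject: Invoice attached

Please see attached.
"""

# One Received: line: "from <claimed host> (<reverse dns> [<ip>]) by <mta> ...; <date>"
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r".*?;\s*(?P<date>.+)$",
    re.DOTALL,
)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_hops(raw: bytes) -> list:
    """Return the Received: hops in chronological order (origin first)."""
    msg = email.message_from_bytes(raw)
    hops = []
    # The bottom-most Received: header was added first, so walk them bottom-up.
    for header in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(header)).strip()   # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        # Prefer the IP the receiving MTA wrote in parentheses over the claimed name,
        # because the claimed name is whatever the client said in HELO/EHLO.
        ip = IPV4_RE.search((m.group("paren") or "") + " " + m.group("from"))
        hops.append({
            "from": m.group("from"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "time": parsedate_to_datetime(m.group("date").strip()),
        })
    return hops


def originating_ip(hops: list):
    """IP of the first hop: the closest thing to the sender the headers give us."""
    return hops[0]["ip"] if hops else None


def transit_seconds(hops: list) -> float:
    """Time between the first and last MTA stamps."""
    return (hops[-1]["time"] - hops[0]["time"]).total_seconds()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw: bytes) -> list:
    """Heuristic consistency checks between the visible From: and envelope/transport data."""
    msg = email.message_from_bytes(raw)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    mid_dom = _domain(msg.get("Message-ID", "").strip("<> "))
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if mid_dom and mid_dom != from_dom:
        findings.append(f"Message-ID domain {mid_dom} differs from From domain {from_dom}")
    hops = parse_hops(raw)
    if hops and hops[0]["from"].startswith("["):
        findings.append(f"origin {hops[0]['from']} gave no hostname, only an IP literal")
    return findings


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    for i, h in enumerate(hops, 1):
        print(f"hop {i}: {h['from']} ({h['ip']}) -> {h['by']} at {h['time'].isoformat()}")
    print("originating IP:", originating_ip(hops))
    print("transit time (s):", transit_seconds(hops))
    for f in spoof_indicators(RAW_MESSAGE):
        print("indicator:", f)
```

Only the Received: line added by a server you trust is reliable; everything below it, including the origin IP, could have been forged by the sender before handing the message off, which is why the trace is confirmed against the server's own logs rather than the header alone.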
Examining Additional E-mail Files

• E-mail messages are saved on the client side or left on the server
• Microsoft Outlook uses .pst and .ost files
• Most e-mail programs also include an electronic address book
• In Web-based e-mail
  – Messages are displayed and saved as Web pages in the browser's cache folders
  – Many Web-based e-mail providers also offer instant messaging (IM) services

Validating an E-mail Address

• An online tool such as Email Dossier can be used to check the validity of
an e-mail address.

Tracing an E-mail Message

• Contact the administrator responsible for the sending server
• Finding a domain name's point of contact
  – www.arin.net
  – www.internic.com
  – www.freeality.com
  – www.google.com
• Find the suspect's contact information
• Verify your findings by checking network e-mail logs against the e-mail
addresses

Online E-mail Tracer

• An online e-mail tracer can make this work easier. One such tool can be found at
http://www.cyberforensics.in/OnlineEmailTracer/index.aspx

Using Network E-mail Logs

• Router logs
  – Can record incoming and outgoing traffic
  – Have rules to allow or disallow traffic
  – Let you resolve the path a transmitted e-mail has taken
• Firewall logs
  – Filter e-mail traffic
  – Verify whether the e-mail passed through
• You can read them with any text editor or with specialized tools

Understanding E-mail Servers

• A computer loaded with software that uses e-mail protocols for its services
  – And maintains logs you can examine and use in your investigation
• E-mail storage
  – Database
  – Flat file
• Logs
  – Default or manual
  – Continuous or circular

Understanding E-mail Servers (continued)

• Log information
  – E-mail content
  – Sending IP address
  – Receiving and reading date and time
  – System-specific information
• Contact the suspect's network e-mail administrator as soon as possible
• Servers can recover deleted e-mails
  – Similar to deletion of files on a hard drive: the data often remains until overwritten

Understanding E-mail Servers (continued)

• /etc/sendmail.cf – Configuration information for Sendmail
• /etc/syslog.conf – syslog configuration that determines where the mail facility's
messages (Sendmail's log output) are written
• /var/log/maillog – SMTP and POP3 communications
  – Each entry carries an IP address and a time stamp
• Check the UNIX man pages for more information

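This is the server-side check referred to under "Tracing an E-mail Message" (verify the header findings against the mail server's own logs). The added example below (not code from the original slides or from Sendmail) parses a constructed /var/log/maillog fragment in Sendmail's style, where each message produces a from= line carrying the connecting client (relay=) and the Message-ID, and one to= line per recipient carrying the delivery status; the lines share a queue ID, and the script joins them on it so a Message-ID seen in a suspect header can be tied back to the client IP that submitted it and to what happened to each recipient. Queue IDs, hosts and addresses are invented, and the field layout assumed is Sendmail's default log format.

```python
"""Correlate Sendmail maillog lines by queue ID to trace a message server-side."""
import re

# Constructed sample log (not from a real system): one delivered message and one
# deferred one. Sendmail logs a from= line when it accepts a message and a to=
# line per recipient; all lines for one message share the queue ID.
MAILLOG = """\
Jun  3 09:15:20 relay sendmail[4321]: 453ABCDE004321: from=<bounce@mailer.example.net>, size=1024, class=0, nrcpts=1, msgid=<20240603091520.12345@relay.mailer.example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.77]
Jun  3 09:15:25 relay sendmail[4322]: 453ABCDE004321: to=<victim@victim.example>, delay=00:00:05, xdelay=00:00:04, mailer=esmtp, pri=31024, relay=mx.corp.example. [192.0.2.10], dsn=2.0.0, stat=Sent (OK id=abc123)
Jun  3 09:20:01 relay sendmail[4330]: 453ABCDE004330: from=<news@list.example.org>, size=5120, class=0, nrcpts=1, msgid=<list-88@list.example.org>, proto=ESMTP, daemon=MTA, relay=mail.list.example.org [198.51.100.20]
Jun  3 09:20:02 relay sendmail[4331]: 453ABCDE004330: to=<victim@victim.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=35120, relay=mx.corp.example. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection timed out with mx.corp.example.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sendmail\[\d+\]: (?P<qid>\w+): (?P<body>.*)$"
)
# key=value pairs; angle-bracketed values and the free-text stat= value contain spaces
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]+)")


def parse_maillog(text: str) -> dict:
    """Group from=/to= lines by queue ID into one record per message."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records.setdefault(m["qid"], {"qid": m["qid"], "recipients": []})
        fields = dict(KV_RE.findall(m["body"]))
        if "from" in fields:
            rec["from"] = fields["from"].strip("<>")
            rec["msgid"] = fields.get("msgid", "").strip("<>")
            rec["client"] = fields.get("relay", "")     # who handed the message to us
            rec["accepted_at"] = m["ts"]
        elif "to" in fields:
            rec["recipients"].append({
                "to": fields["to"].strip("<>"),
                "next_hop": fields.get("relay", ""),    # where we handed it on
                "stat": fields.get("stat", "").strip(),
                "at": m["ts"],
            })
    return records


def find_by_msgid(records: dict, msgid: str):
    """Tie a Message-ID taken from a header back to the server-side record."""
    return next((r for r in records.values() if r.get("msgid") == msgid), None)


def deliveries_to(records: dict, address: str) -> list:
    """Queue IDs of every message that had `address` as a recipient."""
    return [r["qid"] for r in records.values()
            if any(rc["to"] == address for rc in r["recipients"])]


if __name__ == "__main__":
    recs = parse_maillog(MAILLOG)
    r = find_by_msgid(recs, "20240603091520.12345@relay.mailer.example.net")
    print(r["qid"], "accepted from", r["client"], "at", r["accepted_at"])
    for rc in r["recipients"]:
        print("  ->", rc["to"], "via", rc["next_hop"], ":", rc["stat"])
    print("messages to victim:", deliveries_to(recs, "victim@victim.example"))
```

The relay= value on the from= line is the one piece of evidence the sender could not forge, because the server recorded the peer address of the TCP connection itself; a mismatch between it and the lowest Received: header in the message is worth noting in the report.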
Examining Microsoft E-mail Server Logs

• Microsoft Exchange Server (Exchange)
  – Uses a database
  – Based on the Microsoft Extensible Storage Engine (ESE)
• Information Store files
  – Database files *.edb
    • Hold MAPI information
  – Database files *.stm (streaming files, Exchange 2000/2003)
    • Hold non-MAPI (native Internet content) information

Examining Microsoft E-mail Server Logs (continued)

• Transaction logs
  – Record changes to the e-mail databases before they are committed
• Checkpoint files
  – Record which transaction log entries have already been committed to the database
• Temporary files
• Reserved log files
  – res#.log (space held in reserve so logging can continue when the disk fills)
• Tracking.log – Message tracking log; tracks messages through the server

Examining Microsoft E-mail Server Logs (continued)

• Troubleshooting or diagnostic log
  – Logs events
  – View it with Windows Event Viewer
  – Open the Event Properties dialog box for more details about an event

Using Specialized E-mail Forensics Tools

• Tools include:
  – AccessData's Forensic Toolkit (FTK)
  – ProDiscover Basic
  – FINALeMAIL
  – Sawmill-GroupWise
  – DBXtract
  – Fookes Aid4Mail and MailBag Assistant
  – Paraben E-Mail Examiner
  – Ontrack Easy Recovery EmailRepair
  – R-Tools R-Mail

Using Specialized E-mail Forensics Tools (continued)

• Tools allow you to find:
  – E-mail database files
  – Personal e-mail files
  – Offline storage files
  – Log files
• Advantage
  – You do not need to know in detail how e-mail servers and clients work
• FINALeMAIL
  – Scans e-mail database files
  – Recovers deleted e-mails
  – Searches the computer for other files associated with e-mail

Using AccessData FTK to Recover E-mail

• FTK
  – Can index data on a disk image or an entire drive for faster data retrieval
  – Filters and finds files specific to e-mail clients and servers
• To recover e-mail from Outlook and Outlook Express
  – AccessData integrated dtSearch
    • dtSearch builds a b-tree index of all text data in a drive, an image file,
or a group of files

Using a Hexadecimal Editor to Carve E-mail Messages

• Very few vendors have products for analyzing e-mail in systems other
than Microsoft's
• mbox format – Stores e-mails in flat plaintext files; each message begins
with a "From " separator line followed by its headers
• Multipurpose Internet Mail Extensions (MIME) – The standard format for
message bodies with attachments and non-ASCII content; MIME-encoded
messages are found both in mbox files and inside vendor-specific stores
such as Microsoft .pst or .ost
• Example: carve e-mail messages from Evolution

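Carving by hand in a hex editor means searching for the "From " separator, checking that what follows looks like a header block, and cutting out everything up to the next separator. The added example below (not code from the original slides) automates exactly that over a constructed byte blob standing in for a few sectors of unallocated space: it finds candidate mbox separators, rejects a false positive that has no header block behind it, stops a message at the next separator or at the first NUL byte (slack), and hands each carved message to Python's email parser to pull out the sender and subject. The blob, addresses and subjects are invented for the demo; the separator and header rules follow the mbox convention and RFC 5322 field syntax.

```python
"""Carve mbox-style messages out of a raw byte blob such as unallocated space."""
import email
import re

# Constructed blob (not a real image): two genuine messages, one "From " line
# with no headers behind it, and binary slack in between.
BLOB = (
    b"\x00" * 16 + b"slack bytes \xff"
    + b"From alice@example.net Mon Jun  3 09:15:20 2024\n"
    + b"From: alice@example.net\nTo: bob@example.net\nSubject: lunch\n\nNoon?\n\n"
    + b"\x00\x00\xde\xad"
    + b"From nobody Mon Jun  3 09:00:00 2024\n\xde\xad"   # separator, no headers: false positive
    + b"\x00"
    + b"From ap@bank.example Mon Jun  3 09:16:00 2024\n"
    + b"From: ap@bank.example\nTo: bob@example.net\nSubject: Invoice attached\n\n"
    + b"Please see attached.\n"
    + b"\x00" * 8
)

# mbox separator: "From " at the start of the blob or right after a non-printable byte
# (so escaped ">From " lines inside bodies are ignored), ending in a four-digit year.
SEPARATOR_RE = re.compile(rb"(?:^|[^!-~])(From [^\n]*\d{4}\n)")
HEADER_LINE_RE = re.compile(rb"^[!-9;-~]+:")   # "Field-Name:" per RFC 5322


def _looks_like_headers(chunk: bytes) -> bool:
    """True if chunk opens with at least two header lines and then the blank line."""
    head, sep, _ = chunk.partition(b"\n\n")
    if not sep:
        return False
    lines = head.split(b"\n")
    return len(lines) >= 2 and all(
        HEADER_LINE_RE.match(ln) or ln.startswith((b" ", b"\t")) for ln in lines)


def carve_mbox(blob: bytes) -> list:
    """Return offset, length, sender, subject and body for every validated message."""
    starts = [m.start(1) for m in SEPARATOR_RE.finditer(blob)]
    found = []
    for i, start in enumerate(starts):
        next_sep = starts[i + 1] if i + 1 < len(starts) else len(blob)
        first_nul = blob.find(b"\x00", start)          # text never contains NUL
        end = next_sep if first_nul == -1 else min(next_sep, first_nul)
        body = blob[start:end].partition(b"\n")[2]     # drop the "From " separator line
        if not _looks_like_headers(body):
            continue                                   # slack that merely contained "From "
        msg = email.message_from_bytes(body)
        found.append({
            "offset": start,
            "length": end - start,
            "from": msg["From"],
            "subject": msg["Subject"],
            "body": msg.get_payload().strip(),
        })
    return found


if __name__ == "__main__":
    for m in carve_mbox(BLOB):
        print(f"@{m['offset']:#x} ({m['length']} bytes) from={m['from']!r} subject={m['subject']!r}")
```

The header-block validation is what keeps the output usable: on a real drive the five bytes "From " occur constantly in ordinary text, and without the check every one of them would be reported as a message.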
Summary

• E-mail fraudsters use phishing and spoofing scam techniques
• E-mail is sent and received via the Internet or a LAN
  – Both environments use client/server architecture
• E-mail investigations are similar to other kinds of investigations
• Access the victim's computer to recover evidence
  – Copy and print the e-mail message involved in the crime or policy violation
• Find the e-mail headers

Summary (continued)

• Investigating e-mail abuse
  – Be familiar with how e-mail servers and clients operate
  – Check e-mail message files, headers, and server log files
• Currently, only a few forensics tools can recover deleted Outlook and
Outlook Express messages
• For e-mail applications that use the mbox format, a hexadecimal editor can
be used to carve messages manually

Thank You