Unit 2

The document outlines the course 'Forensics in Cyber Security' focusing on network forensics, detailing its principles, processes, and the importance of securing networks against breaches. It emphasizes the need for established procedures in network forensic investigations, including the collection and analysis of network data to gather admissible evidence. Additionally, it discusses the challenges faced in network forensics, such as legal ambiguities and the complexities of investigating virtual networks.

Department of Computer Science and Engineering

FORENSICS IN CYBER SECURITY

Course Code : 20232IT204
Year / Semester : 2024-25 / SUMMER
Slot :
Course Category : Program Elective
Faculty Name : Dr. M Saravanan
Credits : 4
Hours : 75

School of Computing
Vel Tech Rangarajan Dr. Sagunthala R&D Institute of Science and Technology
Unit - 2

UNIT II Network Forensics

Network forensics overview - Securing a network - Developing procedures for network forensics - Investigating virtual networks - Examining Honeynet projects - E-mail investigations: role of client and server in e-mail, investigating e-mail crimes and violations, e-mail servers, e-mail forensic tools.

Department of Computer Science and Engineering 2


Network Forensics Overview

• Network forensics is the process of collecting and analyzing raw network data.
• Network forensics is the study of data in motion, with special focus on gathering evidence via a process that will support admission into court.
• It involves tracking network traffic systematically to ascertain how an attack was carried out or how an event occurred on a network.
• Because network attacks are on the rise, there is more focus on this field and an increasing demand for skilled technicians.

The Need for Established Procedures

• Network forensics is closely related to network intrusion detection.
• Traditionally, computer forensics has focused on file recovery and filesystem analysis performed against system internals or seized storage devices.
• However, the hard drive is only a small piece of the story.
• These days, evidence almost always traverses the network and sometimes is never stored on a hard drive at all.
• With network forensics, the entire contents of e-mails, IM conversations, Web surfing activities, and file transfers can be recovered from network equipment and reconstructed to reveal the original transaction, provided the traffic was captured at the time and was not encrypted end to end.
The Principles of Network Forensics

• Network forensics can be generally defined as the science of discovering and retrieving evidential information in a networked environment about a crime in such a way as to make it admissible in court.

The five rules are that evidence must be:

• Admissible. Must be able to be used in court or elsewhere.
• Authentic. The evidence relates to the incident in a relevant way.
• Complete. No tunnel vision; include exculpatory evidence for alternative suspects.
• Reliable. No question about authenticity and veracity.
• Believable. Clear, easy to understand, and believable by a jury.
Network forensic investigations

Usually there are three types of people who use digital evidence from network forensic investigations: police investigators, public investigators, and private investigators.

The following are some examples:

• Criminal prosecutors. Incriminating documents related to homicide, financial fraud, drug-related records.
• Insurance companies. Records of bills, costs, and services to prove fraud in medical bills and accident claims.
• Law enforcement officials. Require assistance in search warrant preparation and in handling seized computer equipment.
• Individuals. To support a possible claim of wrongful termination, sexual harassment, or age discrimination.
Activities

The primary activities of network forensics are investigative in nature. The investigative process encompasses the following:

• Identification
• Preservation
• Collection
• Examination
• Analysis
• Presentation
• Decision
Securing a Network

• Network forensics is used to determine how a security breach occurred; however, steps must be taken to harden networks before a security breach happens, particularly with recent increases in network attacks, viruses, and other security incidents.
• Hardening includes a range of tasks, from applying the latest patches to using a layered network defense strategy, which sets up layers of protection to hide the most valuable data at the innermost part of the network.

Three modes of protection:

• People
• Technology
• Operations
Secure your network

To find your gateway IP address and connect to it in Windows:

• Click Start > Run, type 'cmd' and press Enter.
• Once the Command Prompt window opens, type 'ipconfig /all' and press Enter.
• Locate the line labeled 'Default Gateway' and make note of the address that follows. It will look similar to '192.168.1.1'.
• Open Internet Explorer (or your favorite browser).
• Enter the gateway IP address into the address bar and press Enter. This opens the gateway's web administration page, where its settings (including the administrator password) can be reviewed.


Secure your network (macOS)

To find your gateway IP address and connect to it on a Mac:

• Open Finder and run 'Terminal' from Applications > Utilities.
• Once the terminal window opens, type 'netstat -nr' (or 'route -n get default') and press Enter.
• Locate the routing-table line labeled 'default' and make note of the gateway address that follows. It will look similar to '192.168.1.1'.
• Open Safari (or your favorite browser).
• Enter the gateway IP address into the address bar and press Enter.

Securing network-attached storage on the Internet

Network Security

• Network forensics is the process of collecting and analyzing raw network data and tracking network traffic systematically to ascertain how an attack was carried out or how an event occurred on a network.
• Being able to spot variations in network traffic can help you track intrusions, so knowing your network's typical traffic patterns is important.
• Network forensics can also help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
• Network forensics examiners must establish standard procedures for how to acquire data after an attack or intrusion incident.


Securing a Network

• Network forensics is used to determine how a security breach occurred; however, steps must be taken to harden networks before a security breach happens.
• A layered network defense strategy sets up layers of protection to hide the most valuable data at the innermost part of the network.
• It also ensures that the deeper into the network an attacker gets, the more difficult access becomes and the more safeguards are in place.
• The National Security Agency (NSA) developed an approach of this kind, called the defense in depth (DiD) strategy.


Procedures for Network Forensics

1. Always use a standard installation image for systems on a network. This image isn't a bit-stream image but an image containing all the standard applications used. You should also have MD5 and SHA-1 hash values of all application and OS files. (MD5 and SHA-1 are both collision-prone; a baseline built today should record SHA-256 as well, and a match on one of the older hashes alone should not be treated as proof that a file is unmodified.)
2. When an intrusion incident happens, make sure the vulnerability has been fixed to prevent other attacks from taking advantage of the opening, ideally by containment at the network level, so that the compromised host itself is not modified before its volatile data is captured in step 3.
3. Attempt to retrieve all volatile data, such as RAM and running processes, by doing a live acquisition before turning the system off.
4. Acquire the compromised drive and make a forensic image of it.
5. Compare files on the forensic image with the original installation image. Compare hash values of common files, such as Win.exe and standard dynamic link libraries (DLLs), and ascertain whether they have changed.
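Steps 1 and 5 above amount to a hash baseline and a comparison against it. The following is an added example (not from the course slides) of that comparison in Python: it hashes every file under a known-good tree, then classifies the files found on an acquired image as unchanged, modified, missing or added. The two directory trees and their contents are constructed inside the example so it runs offline; in practice the baseline is recorded when the standard image is built and the forensic image is mounted read-only.

```python
"""Compare a forensic image's files against a known-good installation
image by hash (procedure steps 1 and 5). Added example, not from the
course slides. Both trees are plain directories here; in practice the
forensic image is mounted read-only and the baseline is the hash list
recorded when the standard image was built."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries don't need to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, algo: str = "sha256") -> dict[str, str]:
    """Map every file's path (relative to root, POSIX separators) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return baseline


def compare_to_baseline(baseline: dict[str, str], image_root: Path,
                        algo: str = "sha256") -> dict[str, list[str]]:
    """Classify files on the acquired image relative to the baseline.
    'modified' files are what step 5 asks about; 'added' files (absent
    from the standard image) deserve the same attention."""
    current = build_baseline(image_root, algo)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
        "unchanged": sorted(p for p in baseline if current.get(p) == baseline[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed data: a tiny 'standard image' and a 'compromised image'
    in which one DLL was replaced and a new binary dropped. File names
    are illustrative only."""
    with tempfile.TemporaryDirectory() as tmp:
        std = Path(tmp) / "standard"
        comp = Path(tmp) / "compromised"
        for root in (std, comp):
            (root / "Windows" / "System32").mkdir(parents=True)
            (root / "Windows" / "System32" / "kernel32.dll").write_bytes(b"legit dll " * 100)
            (root / "Windows" / "explorer.exe").write_bytes(b"legit exe " * 100)
        # Tamper with the compromised tree only.
        (comp / "Windows" / "System32" / "kernel32.dll").write_bytes(b"patched by attacker")
        (comp / "Windows" / "System32" / "svchost32.exe").write_bytes(b"dropped implant")
        baseline = build_baseline(std)
        return compare_to_baseline(baseline, comp)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

The baseline is keyed by relative path, so a file that an attacker moves rather than edits shows up once as missing and once as added; both lists are worth reading, not just the modified one.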


Basic Communication

[Slide diagram: packet payload and trailer]

Ports

• 20 and 21 - FTP (File Transfer Protocol)
• 22 - SSH and SFTP (SSH File Transfer Protocol)
• 23 - Telnet
• 25 - SMTP (Simple Mail Transfer Protocol)
• 43 - WHOIS
• 53 - DNS (Domain Name System)
• 69 - TFTP (Trivial FTP)
• 80 - HTTP (Hypertext Transfer Protocol)
• 110 - POP3 (Post Office Protocol Version 3)
• 137, 138, and 139 - NetBIOS
• 143 - IMAP (Internet Message Access Protocol); 220 is the obsolete IMAP3 assignment
• 161 and 162 - SNMP (Simple Network Management Protocol)
• 179 - BGP (Border Gateway Protocol)
• 194 - IRC (Internet Relay Chat)
• 389 - LDAP (Lightweight Directory Access Protocol)
• 443 - HTTPS (Hypertext Transfer Protocol Secure)
• 445 - SMB over TCP (used by Active Directory file and RPC services)
• 464 - Kerberos change password (kpasswd)
• 465 - SMTP over SSL (SMTPS)
• 3389 - Windows Remote Desktop (RDP)
• 6666 - Beast (remote access trojan) default port
• 43188 - Reachout port

Nothing forces a service to listen on its assigned port, so a port number in a log is a hint about the protocol, not proof; confirm by inspecting the payload.


Network Traffic Analysis

[Slides: Packet Viewing; Packet address and protocol; Packet Details]

Developing Procedures for Network Forensics

1. Always use a standard installation image for systems on a network.
2. When an intrusion incident happens, make sure the vulnerability has been fixed to prevent other attacks from taking advantage of the opening.
3. Attempt to retrieve all volatile data, such as RAM and running processes, by doing a live acquisition before turning the system off.
4. Acquire the compromised drive and make a forensic image of it.
5. Compare files on the forensic image with the original installation image.
Reviewing Network Logs

TCP log from 2017-12-16:15:06:33 to 2017-12-16:15:06:34.

Fri Dec 15 15:06:33 2017; TCP; eth0; 1296 bytes; from 204.146.114.10:1916 to 156.26.62.201:126
Fri Dec 15 15:06:33 2017; TCP; eth0; 625 bytes; from 192.168.114.30:289 to 188.226.173.122:13
Fri Dec 15 15:06:33 2017; TCP; eth0; 2401 bytes; from 192.168.5.41:529 to 188.226.173.122:31
Fri Dec 15 15:06:33 2017; TCP; eth0; 1296 bytes; from 206.199.79.28:1280 to 10.253.170.210:168; first packet

Top 10 External Sites Visited (bytes, address):

4897 188.226.173.122
2592 156.26.62.201
4897 110.150.70.190
4897 132.130.65.172
4897 192.22.192.204
4897 83.141.167.38
1296 167.253.170.210
1296 183.74.83.174
625 6.234.186.83
789 89.40.199.255

Top 10 Internal Users (bytes, address):

4897 192.168.5.119
4897 192.168.5.41
4897 192.168.5.44
4897 192.168.5.5
2401 204.146.114.50
1296 192.168.5.95
1296 204.146.114.10
1296 204.146.114.14
1296 206.199.79.28
625 192.168.5.72
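The "Top 10" tables above are what you get by tallying bytes per endpoint from a connection log like the one shown. The following added example (not from the slides) does that tally in Python over the four sample lines plus one constructed line, and also lists connections to destination ports outside the well-known list from the Ports slide. Which addresses count as "internal" is an assumption: RFC 1918 space plus the two public /24s that the slide's own Top 10 Internal list treats as internal.

```python
"""Summarise a connection log like the one on the slides: bytes per
external site, bytes per internal host, and connections to ports that
are not in the well-known list. Added example, not from the slides."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the four lines from the slide, plus one extra line
# so that a connection to a well-known port (443) appears.
SAMPLE_LOG = """\
Fri Dec 15 15:06:33 2017; TCP; eth0; 1296 bytes; from 204.146.114.10:1916 to 156.26.62.201:126
Fri Dec 15 15:06:33 2017; TCP; eth0; 625 bytes; from 192.168.114.30:289 to 188.226.173.122:13
Fri Dec 15 15:06:33 2017; TCP; eth0; 2401 bytes; from 192.168.5.41:529 to 188.226.173.122:31
Fri Dec 15 15:06:33 2017; TCP; eth0; 1296 bytes; from 206.199.79.28:1280 to 10.253.170.210:168; first packet
Fri Dec 15 15:06:34 2017; TCP; eth0; 512 bytes; from 192.168.5.44:40212 to 93.184.216.34:443
"""

# Networks treated as "internal": RFC 1918 ranges plus the two public /24s
# that the slide's "Top 10 Internal Users" list counts as internal
# (an assumption drawn from that list, not a fact about any real network).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "204.146.114.0/24", "206.199.79.0/24")]

# The well-known ports from the Ports slide.
WELL_KNOWN_PORTS = {20, 21, 22, 23, 25, 43, 53, 69, 80, 110, 137, 138, 139,
                    143, 161, 162, 179, 194, 389, 443, 445, 464, 465, 3389}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}); (?P<proto>\w+); (?P<iface>\w+); "
    r"(?P<bytes>\d+) bytes; from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # skip lines that don't fit the format
            continue
        rec = m.groupdict()
        rec["bytes"] = int(rec["bytes"])
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records


def summarise(records: list[dict]) -> dict:
    external = Counter()   # bytes per external endpoint
    internal = Counter()   # bytes per internal endpoint
    odd_ports = []         # connections to ports outside the well-known list
    for r in records:
        for ip in (r["src"], r["dst"]):
            (internal if is_internal(ip) else external)[ip] += r["bytes"]
        if r["dport"] not in WELL_KNOWN_PORTS:
            odd_ports.append((r["src"], r["dst"], r["dport"]))
    return {
        "top_external": external.most_common(10),
        "top_internal": internal.most_common(10),
        "odd_ports": odd_ports,
    }


if __name__ == "__main__":
    s = summarise(parse_log(SAMPLE_LOG))
    print("Top external:", s["top_external"])
    print("Top internal:", s["top_internal"])
    print("Non-standard destination ports:", s["odd_ports"])
```

On the sample, all four original connections go to destination ports (126, 13, 31, 168) that are not on the well-known list, which is exactly the kind of variation from normal traffic the Network Security slide says to watch for.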


Using Network Tools

Tools such as Splunk (www.splunk.com), Spiceworks (www.spiceworks.com), Nagios (www.nagios.org), and Cacti (www.cacti.net) help you monitor your network efficiently and thoroughly.

For example, you can consult records that the tool generates to prove an employee ran a program without permission.

You can also monitor your network and shut down machines or processes that could be harmful.


Using Packet Analyzers

Packet analyzers are devices or software placed on a network to monitor traffic. Most network administrators use them for increasing security and tracking bottlenecks. However, attackers can use them to get information covertly. Most packet analyzers work at Layer 2 or 3 of the OSI model.


Wireshark

Wireshark can trace the packets associated with an exploit. To see how this tool works, download the most recent version of Wireshark for Windows (www.wireshark.org/download.html) and install it on your workstation. Then follow these steps:

1. Start Wireshark. Notice the list of interfaces with traffic.
2. Double-click an interface that's showing activity. (If you're not on a live network, ping another student or yourself and visit some Web sites and download a file to generate traffic. Then start this activity again.)
3. After several frames have been captured, click Stop.
4. After the trace has been loaded, scroll through the upper pane until you see a UDP frame or an SSDP frame. Right-click the frame, point to Follow, and click UDP Stream. You should see a window similar to the one on the slide.
5. Review the information in this window, and then exit Wireshark.
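"Follow > UDP Stream" in step 4 is simply every datagram whose source and destination endpoints match one pair, shown in capture order. The following added example (not from the slides, and not Wireshark's code) does the same thing from scratch in Python: it writes a tiny pcap in memory, decodes Ethernet/IPv4/UDP headers, and pulls out one conversation while ignoring an interleaved SSDP datagram. The capture contents and addresses are constructed; checksums are left at zero, which is an assumption real captures do not share.

```python
"""What 'Follow > UDP Stream' does under the hood: read a pcap, decode
Ethernet/IPv4/UDP, and gather every datagram exchanged between one pair
of endpoints in capture order. Added example, not from the slides or from
Wireshark; it builds its own tiny capture in memory so it runs offline."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def udp_frame(src_ip, sport, dst_ip, dport, payload: bytes) -> bytes:
    """Build Ethernet + IPv4 + UDP bytes. Checksums are left at 0 (an
    assumption for the demo; real captures carry computed checksums)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    total = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + udp


def build_pcap(frames) -> bytes:
    """Serialise (timestamp_seconds, frame_bytes) pairs as a pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data: bytes):
    """Yield (ts, src_ip, sport, dst_ip, dport, payload) for each UDP/IPv4
    datagram; other frames are skipped rather than crashing the parser."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17:                            # not UDP
            continue
        udp_off = 14 + ihl
        if len(frame) < udp_off + 8:
            continue                                   # truncated frame
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        sport, dport, ulen, _ = struct.unpack_from("!HHHH", frame, udp_off)
        payload = frame[udp_off + 8: udp_off + ulen]
        yield (sec + usec / 1e6, src, sport, dst, dport, payload)


def follow_udp_stream(data: bytes, ip_a, port_a, ip_b, port_b) -> list[tuple[str, bytes]]:
    """Return the conversation between (ip_a,port_a) and (ip_b,port_b) as
    a list of (direction, payload), like Wireshark's stream window."""
    ends = {(ip_a, port_a), (ip_b, port_b)}
    stream = []
    for _ts, src, sport, dst, dport, payload in parse_pcap(data):
        if {(src, sport), (dst, dport)} == ends:
            direction = "->" if (src, sport) == (ip_a, port_a) else "<-"
            stream.append((direction, payload))
    return stream


def demo_capture() -> bytes:
    """Constructed capture: a DNS-looking exchange on port 53 interleaved
    with an unrelated SSDP multicast discovery on port 1900."""
    return build_pcap([
        (1.0, udp_frame("192.168.5.41", 40000, "192.168.5.1", 53, b"Q:example.com")),
        (1.1, udp_frame("192.168.5.41", 50000, "239.255.255.250", 1900, b"M-SEARCH * HTTP/1.1")),
        (1.2, udp_frame("192.168.5.1", 53, "192.168.5.41", 40000, b"A:93.184.216.34")),
    ])


if __name__ == "__main__":
    for direction, payload in follow_udp_stream(demo_capture(), "192.168.5.41", 40000, "192.168.5.1", 53):
        print(direction, payload)
```

Because UDP has no connection state, "the stream" is only ever the set of datagrams sharing the two endpoints; if a client reuses a source port for a different server, a stream view silently mixes two conversations, which is worth remembering when reading the Wireshark window.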
Investigating Virtual Networks

An article in the Journal of Cybersecurity explores how to modify the investigation approach that's used in physical networks so that it applies to virtual or logical networks.

A virtual switch is a little different from a physical switch, in that there's no spanning tree between virtual switches. For example, say that 24 students each create a virtual
Network Forensics

• Evidence scattered around the world. Not enough time. Not enough staff. Unrealistic expectations. Internal political conflicts.
• Gross underestimation of costs. Mishandling of evidence. Too many cooks in the kitchen. Network forensic investigations can be tricky.
• In addition to all the challenges faced by traditional investigators, network forensics investigators often need to work with unfamiliar people in different countries, learn to interact with obscure pieces of equipment, and capture evidence that exists only for fleeting moments.
• Laws surrounding evidence collection and admissibility are often vague, poorly understood, or nonexistent. Frequently, investigative teams find themselves in situations where it is not clear who is in charge, or what the team can accomplish.
Hospital Laptop goes missing

• A doctor reports that her laptop has been stolen from her office in a busy U.S. metropolitan hospital. The computer is password-protected, but the hard drive is not encrypted.
• Upon initial questioning, the doctor says that the laptop may contain copies of some patient lab results, additional protected health information (PHI) downloaded from email attachments, schedules that include patient names, birth dates, and IDs, notes regarding patient visits, and diagnoses.

Ramifications

• Since the hospital is regulated by the United States' Health Information Technology for Economic and Clinical Health (HITECH) Act and Health Insurance Portability and Accountability Act (HIPAA), it would be required to notify individuals whose PHI was breached.
• If the breach is large enough, it would also be required to notify the media. This could cause significant damage to the hospital's reputation, and also cause substantial financial loss, particularly if the hospital were held liable for any damages caused due to the breach.
• A login password does not protect data at rest: with the drive unencrypted, whoever holds the laptop can read it by booting another operating system or removing the disk.

Investigation

1. Precisely when did the laptop go missing?
2. Can we track down the laptop and recover it?
3. Which patient data was on the laptop?
4. How many individuals' data was affected?
5. Did the thief leverage the doctor's credentials to gain any further access to the hospital network?

• Investigators began by working to determine the time when the laptop was stolen, or at least when the doctor last used it.
• This helped establish an outer bound on what data could have been stored on it.
• Establishing the time that the laptop was last in the doctor's possession also gave the investigative team a starting point for searching physical surveillance footage and access logs.
• The team also reviewed network access logs to determine whether the laptop was subsequently used to connect to the hospital network after the theft and, if so, the location that it connected from.

Missing Laptop

• First, they could interview the doctor to establish the time that she last used it, and the time that she discovered it was missing.
• Investigators might also find evidence in wireless access point logs, Dynamic Host Configuration Protocol (DHCP) lease assignment logs, Active Directory events, web proxy logs, and of course any sort of laptop tracking software (such as Lojack for Laptops) that might have been in use on the device.
• Once investigators established an approximate time of theft, they could narrow down the patient information that might have been stored on the system.
• Email logs could reveal when the doctor last checked her email, which would place an outer bound on the emails that could have been replicated to her laptop.
• These logs might also reveal which attachments were downloaded.
• More importantly, the hospital's email server would have copies of all of the doctor's emails, which would help investigators gather a list of patients likely to have been affected by the breach.
• Similarly, hospital applications that provide access to lab results and other PHI might contain access logs, which could help investigators compile a list of possible data breach victims.

Results

• Investigators were able to pinpoint the time of the theft and track the laptop through the facility out to a visitor parking garage.
• Parking garage cameras provided a low-fidelity image of the attacker, a tall man wearing scrubs, and investigators also correlated this with gate video of the car itself as it left the lot with two occupants.
• The video was provided to the police, who tracked the license plate, and the laptop was recovered.
Digital Evidence

• Any observable and recordable event, or artifact of an event, that can be used to establish a true understanding of the cause and nature of an observed occurrence.
• Categories
  – Real
  – Best
  – Direct
  – Circumstantial
  – Hearsay
  – Business Records

Real Evidence

• "Real evidence" is roughly defined as any physical, tangible object that played a relevant role in an event that is being adjudicated.
• It is the knife that was pulled from the victim's body.
• It is the gun that fired the bullet.
• It is the physical copy of the contract that was signed by both parties.

Best Evidence

• If the original evidence is not available, then alternate evidence of its contents may be admitted under the "best evidence rule."
• For example, if an original signed contract was destroyed but a duplicate exists, then the duplicate may be admissible. However, if the original exists and could be admitted, then the duplicate would not suffice.

Direct Evidence

• "Direct evidence" is the testimony offered by a direct witness of the act or acts in question. Such human testimony is classified as "direct evidence."

Circumstantial Evidence

• "Circumstantial evidence" is evidence that does not directly support a specific conclusion.
• Rather, circumstantial evidence may be linked together with other evidence and used to deduce a conclusion.

Hearsay Evidence

• "Hearsay" is the label given to testimony offered second-hand by someone who was not a direct witness of the act or acts in question.

Business records

• Business records can include any documentation that an enterprise routinely generates and retains as a result of normal business processes, and that is deemed accurate enough to be used as a basis for managerial decisions.

Acquisition

• It can be difficult to locate specific evidence in a network environment. Networks contain so many possible sources of evidence, from wireless access points to web proxies to central log servers, that sometimes pinpointing the correct location of the evidence is tricky.
Content

• Unlike filesystems, which are designed to contain all the contents of files and their metadata, network devices may or may not store evidence with the level of granularity desired.
• Network devices often have very limited storage capacity.

Storage

• Network devices commonly do not employ secondary or persistent storage. As a consequence, the data they contain may be so volatile as to not survive a reset of the device.

Privacy

• Depending on jurisdiction, there may be legal issues involving personal privacy that are unique to network-based acquisition techniques.

Seizure

• Seizing a hard drive can inconvenience an individual or organization. Often, however, a clone of the original can be constructed and deployed such that critical operations can continue with limited disruption.
• Seizing a network device can be much more disruptive.
• In the most extreme cases, an entire network segment may be brought down indefinitely. Under most circumstances, however, investigators can minimize the impact on network operations.

Admissibility

• File system-based evidence is now routinely admitted in both criminal and civil proceedings.
• As long as the filesystem-based evidence is lawfully acquired, properly handled, and relevant to the case, there are clear precedents for authenticating the evidence and admitting it in court.
• In contrast, network forensics is a newer approach to digital investigations.

OSCAR

The overall step-by-step process recommended is as follows:

• Obtain information
• Strategize
• Collect evidence
• Analyze
• Report
Obtain information

• Obtain information about the incident itself, and obtain information about the environment.

Incident

• Description of what happened
• Date, time, and method of incident discovery
• Persons involved
• Systems and data involved
• Actions taken since discovery
• Summary of internal discussions
• Legal issues
• Time frame

Environment

• Business model
• Legal issues
• Network topology
• Available sources of network evidence
• Organizational structure
• Incident response management process/procedures
• Communications systems
• Resources available

Strategize

• Take the time to accurately assess your resources and plan your investigation.
• For example, the organization collects firewall logs but stores them in a distributed manner on systems that are not easily accessed.
• The organization has a web proxy, which is centrally accessed by key security staff. ARP tables can be gathered from any system on the local LAN.

Collect Evidence

• Document: keep a careful log of all systems accessed and all actions taken during evidence collection.
• Your notes must be stored securely and may be referenced in court.
• Even if the investigation does not go to court, your notes will still be very helpful during analysis.
• Be sure to record the date, time, source, method of acquisition, name of the investigator(s), and chain of custody.
• Capture: capture the evidence itself. This may involve capturing packets and writing them to a hard drive, copying logs to hard drive or CD, or imaging hard drives of web proxies or logging servers.
• Store/Transport: ensure that the evidence is stored securely and maintain the chain of custody. Keep an accurate, signed, verifiable log of the persons who have accessed or possessed the evidence. Recording a cryptographic hash of each item at acquisition time, and re-checking it whenever the item changes hands, is what makes that log verifiable.

Analyze

• The analysis process is normally nonlinear, but certain elements should be considered essential:
• Correlation: one of the hallmarks of network forensics is that it involves multiple sources of evidence. Much of this will be timestamped, and so the first consideration should be what data can be compiled, from which sources, and how it can be correlated.
• Timeline: once the multiple data sources have been aggregated and correlated, it's time to build a timeline of activities.
• Events of Interest: certain events will stand out as potentially more relevant than others.
• Corroboration: due to the relatively low fidelity of data that characterizes many sources of network logs, there is always the problem of "false positives."
• Recovery of additional evidence: often the efforts described above lead to a widening net of evidence acquisition and analysis.
• Interpretation: throughout the analysis process, you may need to develop working theories of the case. These are educated assessments of the meaning of your evidence, designed to help you identify potential additional sources of evidence, and construct a theory of the events that likely transpired.

Report

The report must be:
• Understandable by nontechnical laypeople, such as:
  – Legal teams
  – Managers
  – Human Resources personnel
  – Judges
  – Juries
• Defensible in detail
• Factual
Cabling

• Data is signaled on copper when stations on the shared medium independently adjust the voltage.
• Cabling can also consist of fiber-optic lines, which are made of thin strands of glass.
• Stations connected via fiber signal data through the presence or absence of photons.
• Both copper and fiber-optic mediums support digital signaling.
• Network forensic investigators can tap into physical cabling to copy and preserve network traffic as it is transmitted across the line.
• Taps can range from "vampire" taps, which literally puncture the insulation and make contact with copper wires, to surreptitious fiber taps, which bend the cable and cut the sheathing to reveal the light signals as they traverse the glass.

Wireless

• The wireless medium has made networks very easy to set up. Wireless networks can easily be deployed even without "line-of-sight": RF waves can and do travel through air, wood, and brick.
• Investigators can still gather a lot of information from encrypted wireless networks. Although data packets that traverse a wireless network may be encrypted, commonly management and control frames are not (802.11w protects some management frames where it is enabled, but beacons and probe exchanges stay in the clear).
• In the clear, wireless access points advertise their names, presence, and capabilities; stations probe for access points; and access points respond to probes.

Switches

• Switches are the glue that hold our LANs together. They are multiport bridges that physically connect multiple stations or network segments together to form a LAN.
• In a typical deployment, organizations have "core" switches, which aggregate traffic from many different segments, as well as "edge" switches, which aggregate stations on individual segments.
• Switches contain a "content addressable memory" (CAM) table, which stores mappings between physical ports and each network card's MAC address. Given a specific device's MAC address, network investigators can examine the switch to determine the corresponding physical port, and potentially trace that to a wall jack and a connected station. CAM entries age out after a few minutes without traffic, so the table should be captured early in an investigation.

Routers

• Routers connect different subnets or networks together and facilitate transmission of packets between different network segments, even when they have different addressing schemes. Routers add a layer of abstraction that enables stations on one LAN to send traffic destined for stations on another LAN.
• Where switches have CAM tables, routers have routing tables. Routing tables map ports on the router to the networks that they connect. This allows a forensic investigator to trace the path that network traffic takes to traverse multiple networks.
DHCP

• The Dynamic Host Configuration Protocol (DHCP) is widely used as the mechanism for assigning IP addresses to LAN stations, so that they can communicate with other stations on the local network, as well as with systems across internetworked connections. In the early days of networking, administrators had to manually configure individual desktops with static IP addresses.
• When DHCP servers assign (or "lease") IP addresses, they typically create a log of the event, which includes the assigned IP address, the MAC address of the device receiving the IP address, and the time the lease was provided or renewed. Other details, such as the requesting system's hostname, may be logged as well.
• Because an address can be released and re-leased to a different machine, an IP address seen in another log identifies a host only when it is matched against the DHCP lease that was active at that exact time.
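The correlation and timeline steps of the Analyze phase, and the DHCP lease logs just described, come together in the following added example (not from the slides). It merges constructed DHCP, SSH authentication and Squid-style web-proxy log lines into one timeline and attributes each proxy request to the MAC address and user that held the client IP at that moment. The sample deliberately re-leases the same IP to a second machine between two requests, so correlating on IP alone would blame the wrong host. Log formats, field positions and the year (syslog lines carry none) are assumptions; adjust the regexes for real logs.

```python
"""Correlate DHCP lease logs, authentication logs and web-proxy logs into
one timeline, attributing each proxy request to the MAC address (and user)
that held the IP at that moment. Added example, not from the slides. The
log formats are constructed to resemble common ones (ISC dhcpd, sshd,
Squid); field positions are assumptions, adapt the regexes to real logs."""
import re
from datetime import datetime, timezone

# Constructed sample logs. 10.1.1.50 is released by one host and re-leased
# to another between the two proxy requests: correlating on IP alone would
# blame the wrong machine for the second request.
DHCP_LOG = """\
Dec 15 15:00:10 dhcp dhcpd: DHCPACK on 10.1.1.50 to aa:bb:cc:dd:ee:01 (doc-laptop) via eth0
Dec 15 15:20:05 dhcp dhcpd: DHCPRELEASE of 10.1.1.50 from aa:bb:cc:dd:ee:01 (doc-laptop) via eth0
Dec 15 15:25:00 dhcp dhcpd: DHCPACK on 10.1.1.50 to aa:bb:cc:dd:ee:02 (visitor-pc) via eth0
"""
AUTH_LOG = """\
Dec 15 15:01:00 vpn sshd[311]: Accepted password for drsmith from 10.1.1.50 port 51000 ssh2
"""
# Squid native format: epoch-seconds, elapsed, client, result, bytes, method, URL ...
PROXY_LOG = """\
1513350120.000 45 10.1.1.50 TCP_MISS/200 2048 GET http://lab-results.example/ - DIRECT/- text/html
1513351560.000 12 10.1.1.50 TCP_MISS/200 512 GET http://pastebin.example/ - DIRECT/- text/html
"""
YEAR = 2017   # syslog lines carry no year; assumed for the sample

DHCP_RE = re.compile(r"(?P<kind>DHCPACK|DHCPRELEASE) (?:on|of) (?P<ip>[\d.]+) "
                     r"(?:to|from) (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))?")
AUTH_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def syslog_time(line: str) -> datetime:
    stamp = line[:15]                      # "Dec 15 15:00:10"
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_dhcp(text):
    """Return lease intervals as dicts (ip, mac, host, start, end); end is None while active."""
    leases, open_by_ip = [], {}
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if not m:
            continue
        ts, ip, mac = syslog_time(line), m["ip"], m["mac"]
        if m["kind"] == "DHCPACK":
            if ip in open_by_ip:                 # renewal or silent reuse: close the old one
                open_by_ip[ip]["end"] = ts
            open_by_ip[ip] = {"ip": ip, "mac": mac, "host": m["host"], "start": ts, "end": None}
            leases.append(open_by_ip[ip])
        elif ip in open_by_ip and open_by_ip[ip]["mac"] == mac:
            open_by_ip[ip]["end"] = ts
            del open_by_ip[ip]
    return leases


def lease_at(leases, ip: str, when: datetime):
    """The lease that covered `ip` at `when`, or None (an evidence gap)."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= when and (lease["end"] is None or when < lease["end"]):
            return lease
    return None


def build_timeline(dhcp_text, auth_text, proxy_text):
    """Merge the three sources into (timestamp, source, description) tuples, sorted."""
    leases = parse_dhcp(dhcp_text)
    events = []
    for lease in leases:
        events.append((lease["start"], "dhcp", f"{lease['ip']} leased to {lease['mac']} ({lease['host']})"))
        if lease["end"]:
            events.append((lease["end"], "dhcp", f"{lease['ip']} released by {lease['mac']}"))
    users_by_mac = {}                      # last user seen authenticating from each MAC
    for line in auth_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        ts = syslog_time(line)
        lease = lease_at(leases, m["ip"], ts)
        mac = lease["mac"] if lease else "unknown"
        users_by_mac[mac] = m["user"]
        events.append((ts, "auth", f"{m['user']} logged in from {m['ip']} [{mac}]"))
    for line in proxy_text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        ts = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
        lease = lease_at(leases, parts[2], ts)
        mac = lease["mac"] if lease else "unknown"
        who = users_by_mac.get(mac, "unattributed")
        events.append((ts, "proxy", f"{parts[2]} [{mac}/{who}] {parts[5]} {parts[6]}"))
    return sorted(events)


if __name__ == "__main__":
    for ts, source, message in build_timeline(DHCP_LOG, AUTH_LOG, PROXY_LOG):
        print(ts.isoformat(), source, message)
```

All timestamps are normalised to UTC before sorting; mixing a syslog clock with an epoch clock from a proxy in another time zone is the usual way a timeline ends up in the wrong order.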
DNS

• Enterprises typically use the Domain Name System (DNS), in which individual hosts query central DNS servers when they need to map an IP address to a hostname, or vice versa. DNS is a recursive hierarchical distributed database; if an enterprise's local DNS server does not have the information to resolve a requested IP address and hostname, it can query another DNS server for that information.
• DNS servers can be configured to log queries for IP address and hostname resolutions. These queries can be very revealing. For example, if a user on an internal desktop browses to a web site, the user's desktop will make a DNS query to resolve the host and domain names of the web server prior to retrieving the web page. DNS server logs therefore record which internal hosts looked up which external systems: web sites, SSH servers, external email servers, and more.
Authentication servers

• Authentication servers are designed to provide centralized authentication services to users throughout an organization so that user accounts can be managed in one place, rather than on hundreds or thousands of individual computers. This allows enterprises to streamline account provisioning and audit tasks.
• Authentication servers typically log successful and/or failed login attempts and other related events. Investigators can analyze authentication logs to identify brute-force password-guessing attacks, account logins at suspicious hours or unusual locations, or unexpected privileged logins, which may indicate questionable activities.
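Two of the checks just listed, a password-guessing burst and a login at a suspicious hour, are shown in the following added example (not from the slides), run over constructed sshd-style log lines. The burst detector uses a sliding one-minute window and separately flags a success from a source that had just been guessing, since that is the case that matters; the threshold, window and business hours are assumptions to tune per environment.

```python
"""Two checks an investigator runs over authentication-server logs:
password-guessing bursts (many failures from one source in a short
window) and successful logins outside business hours. Added example, not
from the slides; the sshd-style lines are constructed sample data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2017   # syslog omits the year; assumed for the sample
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

SAMPLE_AUTH_LOG = """\
Dec 15 02:10:01 vpn sshd[100]: Failed password for root from 203.0.113.9 port 41000 ssh2
Dec 15 02:10:03 vpn sshd[101]: Failed password for admin from 203.0.113.9 port 41001 ssh2
Dec 15 02:10:04 vpn sshd[102]: Failed password for invalid user oracle from 203.0.113.9 port 41002 ssh2
Dec 15 02:10:06 vpn sshd[103]: Failed password for root from 203.0.113.9 port 41003 ssh2
Dec 15 02:10:08 vpn sshd[104]: Failed password for test from 203.0.113.9 port 41004 ssh2
Dec 15 02:10:09 vpn sshd[105]: Failed password for guest from 203.0.113.9 port 41005 ssh2
Dec 15 02:11:30 vpn sshd[106]: Accepted password for drsmith from 203.0.113.9 port 41006 ssh2
Dec 15 09:15:00 vpn sshd[107]: Failed password for drsmith from 10.1.1.50 port 50001 ssh2
Dec 15 09:15:20 vpn sshd[108]: Accepted password for drsmith from 10.1.1.50 port 50002 ssh2
"""


def parse(text):
    """Yield (timestamp, result, user, ip) for each recognised line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with >= threshold failures inside any sliding window.
    A success from such a source after the burst is reported separately:
    that is the case that matters most (guessing that worked)."""
    failures = defaultdict(deque)
    burst_sources, successes_after_burst = set(), []
    for ts, result, user, ip in events:
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                burst_sources.add(ip)
        elif ip in burst_sources:
            successes_after_burst.append((ts, user, ip))
    return burst_sources, successes_after_burst


def find_off_hours(events, start_hour=8, end_hour=18):
    """Successful logins outside [start_hour, end_hour) on any day."""
    return [(ts, user, ip) for ts, result, user, ip in events
            if result == "Accepted" and not (start_hour <= ts.hour < end_hour)]


def analyse(text):
    events = list(parse(text))
    bursts, won = find_bruteforce(events)
    return {"bruteforce_sources": sorted(bursts),
            "success_after_bruteforce": won,
            "off_hours_logins": find_off_hours(events)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_AUTH_LOG).items():
        print(key, value)
```

The single daytime failure from 10.1.1.50 followed by a success is the normal mistyped-password pattern and is correctly left alone; the threshold is what separates it from the burst.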
NIDS/NIPS
• NIDS/NIPS devices monitor network traffic in real time for
indications of any adverse events as they transpire. When
incidents are detected, the NIDS/NIPS can alert security
personnel and provide information about the event. NIPSs
may further be configured to block the suspicious traffic as it
occurs.

80
• The value of the data provided by a NIDS/NIPS is highly
dependent upon the capabilities of the device deployed and its
configuration. With many devices it is possible to recover the
entire contents of the network packet or packets that triggered
an alert, which gives the investigator the actual attack traffic
rather than only a signature name.

Firewalls
• Firewalls are specialized routers designed to perform deeper
inspection of network traffic in order to make more intelligent
decisions as to what traffic should be forwarded and what
traffic should be logged or dropped. Unlike most routers,
modern firewalls are designed to make decisions based not
only on source and destination IP addresses, but also based on
the packet payloads, port numbers, and encapsulated
protocols.

• These days, nearly every organization has deployed firewalls
on their network perimeters, the network boundaries between
the enterprise and their upstream provider. In an enterprise
environment, firewalls are also commonly deployed within
internal networks to partition network segments in order to
provide enclaves that are protected from each other.

• Today, modern firewalls have granular logging capabilities
and can function as both infrastructure protection devices and
fairly useful IDSs as well. Firewalls can be configured to
produce alerts and log allowed or denied traffic, system
configuration changes, errors, and a variety of other events.

Web proxies
• Web proxies are commonly used within enterprises for two
purposes: first, to improve performance by locally caching
web pages and, second, to log, inspect, and filter web surfing
traffic. In these deployments, web traffic from local clients is
funneled through the web proxy.

• Web proxies can be a gold mine for forensic investigators,
especially when they are configured to retain granular logs for
an extended period of time. Whereas forensic analysis of a
single hard drive can produce the web surfing history for users
of a single device, an enterprise web proxy can literally store
the web surfing logs for an entire organization.

Application servers
• Database servers
• Web servers
• Email servers
• Chat servers
• VoIP/voicemail servers

• There are far too many kinds of application servers for us to
review every one in depth (there have been dozens if not
hundreds of books published on each type of application
server). However, when you are leading an investigation, keep
in mind that each of them is a possible source of network-based
evidence.

• For web proxy logs in particular, there are many commercial
and free applications that can interpret them and provide
visual reports of web surfing patterns according to client IP
address or even username.
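As an added example (not from the course slides or any product), the following Python summarises a proxy log per client IP or per username in the way those reporting tools do: request and byte counts, the distinct hosts contacted, requests the proxy denied, and uploads (POST/PUT), which matter in data-exfiltration cases. The lines are constructed in the layout of Squid's native access.log (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type); that layout and all addresses are assumptions.

```python
"""Summarise an enterprise web proxy log per client and per user.
Example code added for this page; the lines are constructed in Squid's
native access.log layout."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

SAMPLE_ACCESS_LOG = """\
1710080001.104    245 10.0.0.5 TCP_MISS/200 5123 GET http://www.example.com/index.html alice HIER_DIRECT/93.184.216.34 text/html
1710080002.377     12 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.com/logo.png alice NONE/- image/png
1710080010.910    300 10.0.0.7 TCP_MISS/200 9000 CONNECT mail.example.org:443 bob HIER_DIRECT/203.0.113.10 -
1710080033.002      1 10.0.0.5 TCP_DENIED/403 3500 GET http://malware.example.net/payload.exe alice NONE/- text/html
1710080050.500    180 10.0.0.5 TCP_MISS/200 70000 POST http://paste.example.net/upload alice HIER_DIRECT/198.51.100.7 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def host_of(url):
    """Destination host for both absolute URLs and CONNECT host:port targets."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.rsplit(":", 1)[0]


def parse_access_log(text):
    """Yield one dict per log line with a UTC datetime and an integer size."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromtimestamp(float(d["ts"]), tz=timezone.utc)
            d["bytes"] = int(d["bytes"])
            d["host"] = host_of(d["url"])
            yield d


def summarise(text, key="user"):
    """Per-user (key='user') or per-client (key='client') totals: requests,
    bytes, distinct hosts contacted, denied requests and POST/PUT uploads."""
    out = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set(),
                               "denied": 0, "uploads": 0})
    for r in parse_access_log(text):
        s = out[r[key]]
        s["requests"] += 1
        s["bytes"] += r["bytes"]
        s["hosts"].add(r["host"])
        if r["code"].startswith("TCP_DENIED"):
            s["denied"] += 1
        if r["method"] in ("POST", "PUT"):
            s["uploads"] += 1
    return dict(out)


if __name__ == "__main__":
    for who, s in summarise(SAMPLE_ACCESS_LOG, key="client").items():
        print(who, s["requests"], "requests,", s["bytes"], "bytes,",
              s["denied"], "denied,", s["uploads"], "uploads")
        for h in sorted(s["hosts"]):
            print("   ", h)
```

Note that the username column is only populated when the proxy authenticates users; otherwise it is "-" and the per-client view is the one to use, joined to DHCP or authentication logs to reach a person.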

Central log servers
• Central log servers aggregate event logs from a wide variety of
sources, such as authentication servers, web proxies, firewalls,
and more. Individual servers are configured to send logs to the
central log server, where they can be timestamped, correlated,
and analyzed by automated tools and humans far more easily
than if they resided on disparate systems.

• Much like intrusion detection systems, central log servers are
designed to help security professionals identify and respond to
network security incidents. Even if an individual server is
compromised, logs originating from it may remain intact on
the central log server. Routers, which have limited storage
space, may retain logs for very short periods of time, but the
same logs can be sent in real time to a central log server and
preserved for months or years.

Examining the Honeynet Project

• The Honeynet Project (www.honeynet.org) was developed to make
information widely available in an attempt to thwart Internet and
network attackers.

• Many people participate in this worldwide project, which is now a
nonprofit organization.

• The objectives are awareness, information, and tools. The first step
is to make people and organizations aware that threats exist and
they might be targets.

• The second is to provide information on how to protect against
these threats, including how attackers operate, how they
communicate, and what tactics they use.

• Finally, for people who want to do their own research, the Honeynet
Project offers tools and methods.
Department of Computer Science and Engineering 92
Role of E-mail in Investigations

E-mail plays a very important role in business communications and has
emerged as one of the most important applications on the Internet.

An investigator has the following goals while performing e-mail forensics:

• To identify who is behind the message
• To collect the necessary evidence
• To present the findings
• To build the case

Challenges in Email Forensics

• Fake e-mails: messages whose content or attachments are forged
• Spoofing: forged sender addresses and headers
• Anonymous re-mailing: remailer services that strip the originating headers before forwarding

Email Forensic Investigation

Some of the common techniques which can be used for e-mail forensic
investigation are:

• Header analysis
• Server investigation
• Network device investigation
• Sender mailer fingerprints
• Software-embedded identifiers

How E-mail Works

An e-mail client provides four things:

1) A mailbox holding received messages.
2) A way to view a message's contents, including its full header, by selecting it.
3) A way to compose and send messages.
4) A way to add attachments.

How E-Mail Works (three figure slides; images not reproduced in this text)

Exploring the Role of E-mail in Investigations

• With the increase in e-mail scams and fraud attempts using phishing or spoofing, investigators need to know how to examine and interpret the unique content of e-mail messages
• Phishing e-mails are in HTML format
– Which allows the link text shown on the page to point to a different destination than it displays
• One of the most noteworthy e-mail scams was the 419, or Nigerian, scam
• Spoofed e-mail can be used to commit fraud

Roles of the Client and Server in E-mail

• E-mail is sent and received in two environments
– The Internet
– A controlled LAN, MAN, or WAN
• Both use a client/server architecture
– The server OS and e-mail software differ from those on the client side
• Accounts are protected
– They require usernames and passwords

Roles of the Client and Server in E-mail (continued): figure slide; image not reproduced in this text

Roles of the Client and Server in E-mail (continued)

• Naming conventions
– Corporate: a standard form set by the administrator, typically built from the user's real name at the company's domain
– Public: a name the user chooses at a free provider's domain
– Everything after the @ is the domain name
• Tracing corporate e-mail is easier
– Because accounts use standard names the administrator establishes

Investigating E-mail Crimes and Violations

• Similar to other types of investigations
• Goals
– Find who is behind the crime
– Collect the evidence
– Present your findings
– Build a case

Investigating E-mail Crimes and Violations (continued)

• Whether an e-mail activity is a crime depends on the city, state, or country
– Example: spam
– Always consult with an attorney
• E-mail crimes are becoming commonplace
• Examples of crimes involving e-mail
– Narcotics trafficking
– Extortion
– Sexual harassment
– Child abductions and pornography

Examining E-mail Messages

• Access the victim's computer to recover the evidence
• Using the victim's e-mail client
– Find and copy evidence in the e-mail
– Access protected or encrypted material
– Print e-mails
• If you cannot be on site, guide the victim over the phone
– Open and copy the e-mail, including its headers
• Sometimes you will deal with deleted e-mails

Examining E-mail Messages (continued)

• Copying an e-mail message
– Before you start an e-mail investigation, you need to copy and print the e-mail involved in the crime or policy violation
– You might also want to forward the message as an attachment to another e-mail address (forwarding as an attachment keeps the original headers; forwarding inline does not)
• With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium
– Or by saving it in a different location

Examining E-mail Messages (continued): figure slide; image not reproduced in this text

Viewing E-mail Headers

• Learn how to find e-mail headers in
– GUI clients
– Command-line clients
– Web-based clients
• After you open e-mail headers, copy and paste them into a text document
– So that you can read them with a text editor
• Headers contain useful information
– Unique identifying numbers, the IP address of the sending server, and the sending time

Viewing E-mail Headers (continued)

• Yahoo (web client)
– Click Mail Options
– Click General Preferences and select Show All headers on incoming messages
– Copy and paste the headers

Yahoo Mail Header and Yahoo Full Header View: two figure slides; images not reproduced in this text

Viewing E-mail Headers (continued)

• Outlook
– Open the Message Options dialog box
– Copy the headers
– Paste them into any text editor
• Outlook Express
– Open the message Properties dialog box
– Select Message Source
– Copy and paste the headers into any text editor

Viewing E-mail Headers (continued) and Deleting NTFS Files: three figure slides; images not reproduced in this text

Viewing E-mail Headers (continued)

• Novell Evolution
– Click View, All Message Headers
– Copy and paste the e-mail header
• Pine and ELM
– Check enable-full-headers
• AOL
– Click Action, View Message Source
– Copy and paste the headers

Viewing E-mail Headers (continued): four figure slides; images not reproduced in this text

Viewing E-mail Headers (continued)

• Hotmail
– Click Options, and then click Mail Display Settings
– Click the Advanced option button under Message Headers
– Copy and paste the headers
• Apple Mail
– Click View from the menu, point to Message, and then click Long Headers
– Copy and paste the headers

Viewing E-mail Headers (continued): two figure slides; images not reproduced in this text

Examining E-mail Headers

• Gather supporting evidence and track the suspect using
– The Return-Path
– The recipient's e-mail address
– The type of sending e-mail service
– The IP address of the sending server
– The name of the e-mail server
– The unique message number (Message-ID)
– The date and time the e-mail was sent
– Attachment file information
• Read the Received: lines from the bottom up. Each relay prepends its own line, so the lowest one is closest to the sender; only the lines added by servers you can verify are trustworthy, since everything below the first trustworthy relay could have been written by the sender

Examining Additional E-mail Files

• E-mail messages are saved on the client side or left on the server
• Microsoft Outlook uses .pst (personal folders) and .ost (offline cache of a server mailbox) files
• Most e-mail programs also include an electronic address book
• In Web-based e-mail
– Messages are displayed and saved as Web pages in the browser's cache folders
– Many Web-based e-mail providers also offer instant messaging (IM) services

Validating an E-mail Address

• An online tool such as Email Dossier can be used to get details about the validity of an e-mail address

Tracing an E-mail Message

• Contact the administrator responsible for the sending server
• Finding the domain name's point of contact
– www.arin.net
– www.internic.com
– www.freeality.com
– www.google.com
• Find the suspect's contact information
• Verify your findings by checking network e-mail logs against the e-mail addresses

Online E-mail Tracer

• An online e-mail tracer can make this work easier. One such tool is at
http://www.cyberforensics.in/OnlineEmailTracer/index.aspx

Using Network E-mail Logs

• Router logs
– Can record incoming and outgoing traffic
– Have rules to allow or disallow traffic
– From them you can resolve the path a transmitted e-mail has taken
• Firewall logs
– Record the filtering of e-mail traffic
– Let you verify whether the e-mail passed through, by matching the sending server's IP address and the time from the header against SMTP connections in the log
• You can use any text editor or specialized tools

Using Network E-mail Logs (continued): figure slide; image not reproduced in this text

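As an added example that serves both the firewall-log discussion earlier in the unit and the slide above (it is not part of the course slides), the following Python takes the originating IP and timestamp from a Received: header and searches firewall records for SMTP connections from that IP close to that time, which is how "verify whether the e-mail passed through" is actually done. The log lines are constructed in the key=value layout of the Linux iptables LOG target; that layout, the year (syslog omits it) and the assumption that the firewall's clock is UTC are all made for the example.

```python
"""Confirm from firewall logs that the server named in an e-mail header
really connected to the mail server at the header's time. Example code
added for this page; the lines are constructed in iptables LOG format."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SAMPLE_FW_LOG = """\
Mar 11 09:14:18 fw kernel: [81234.001] SMTP-IN: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 09:14:30 fw kernel: [81246.120] SMTP-IN: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=50001 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 09:16:02 fw kernel: [81338.400] DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44390 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 13:40:00 fw kernel: [97410.900] SMTP-IN: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45100 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[[\d.]+\] (?P<prefix>[^:]*): (?P<kv>.*)$"
)
ASSUMED_YEAR = 2024                  # assumption: syslog lines carry no year
SMTP_PORTS = {"25", "465", "587"}    # SMTP, SMTPS, submission


def parse_fw_log(text):
    """Yield one dict per line: timestamp, rule prefix, and every KEY=VALUE
    field; bare flags such as DF and SYN are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
               "prefix": m["prefix"]}
        for token in m["kv"].split():
            key, sep, val = token.partition("=")
            if sep:
                rec[key] = val
        yield rec


def smtp_connections_near(text, src_ip, header_date, window_minutes=5):
    """Firewall records of TCP connections to an SMTP port from src_ip within
    +/- window_minutes of header_date, the RFC 5322 date string taken from the
    Received: line that names src_ip. Assumes the firewall logs in UTC."""
    t = parsedate_to_datetime(header_date).astimezone(timezone.utc).replace(tzinfo=None)
    lo, hi = t - timedelta(minutes=window_minutes), t + timedelta(minutes=window_minutes)
    return [r for r in parse_fw_log(text)
            if r.get("SRC") == src_ip and r.get("PROTO") == "TCP"
            and r.get("DPT") in SMTP_PORTS and lo <= r["ts"] <= hi]


if __name__ == "__main__":
    for r in smtp_connections_near(SAMPLE_FW_LOG, "203.0.113.77",
                                   "Mon, 11 Mar 2024 09:14:20 +0000"):
        print(r["ts"], r["prefix"], r["SRC"], "->", r["DST"], "port", r["DPT"])
```

A hit confirms the hop the header claims; no hit within the window, with the firewall known to log SMTP, is evidence that the Received: line was forged or that the clocks of the two systems differ, and either way the discrepancy belongs in the report.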
Understanding E-mail Servers

• A computer loaded with software that uses e-mail protocols for its services
– And maintains logs you can examine and use in your investigation
• E-mail storage
– Database
– Flat file
• Logs
– Enabled by default or manually
– Continuous or circular (a circular log overwrites its oldest entries, so collect it early)

Understanding E-mail Servers (continued)

• Log information
– E-mail content
– Sending IP address
– Receiving and reading date and time
– System-specific information
• Contact the suspect's network e-mail administrator as soon as possible
• Servers can often recover deleted e-mails
– Much as deleted files can be recovered from a hard drive

Understanding E-mail Servers (continued)

• /etc/sendmail.cf – Configuration for Sendmail, including its LogLevel option
• /etc/syslog.conf – Specifies where syslog writes the mail-facility events that Sendmail emits
• /var/log/maillog – SMTP transaction records (and POP3 records where the POP daemon logs to the same facility)
• Each record carries the peer's IP address and a time stamp; the queue ID links a message's from= and to= records
• Check the UNIX man pages for more information

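As an added example (not from the course slides), the following Python reconstructs messages from maillog lines by joining the from= and to= records that share a queue ID, then finds the entry for a Message-ID copied from an e-mail header, or every message delivered or attempted to a recipient. The lines are constructed in the style of Sendmail's /var/log/maillog; that format, the queue IDs and all addresses are assumptions made for the example.

```python
"""Trace a message through a Sendmail maillog by joining the from= and
to= records that share a queue ID. Example code added for this page; the
lines are constructed in Sendmail's maillog style."""
import re
from collections import defaultdict

SAMPLE_MAILLOG = """\
Mar 11 09:14:20 relay sendmail[4321]: 42B9EK4A004321: from=<bounce@bulk-sender.example.net>, size=2048, class=0, nrcpts=1, msgid=<20240311091420.12345@bulk-sender.example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.77]
Mar 11 09:14:21 relay sendmail[4325]: 42B9EK4A004321: to=<jdoe@victim.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32048, relay=mx1.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent (OK id=s7sm1)
Mar 11 09:20:02 relay sendmail[4402]: 42B9K24B004402: from=<alice@corp.example>, size=512, class=0, nrcpts=2, msgid=<abc@corp.example>, proto=ESMTP, daemon=MTA, relay=ws5.corp.example [10.0.0.5]
Mar 11 09:20:03 relay sendmail[4403]: 42B9K24B004402: to=<bob@corp.example>,<carol@corp.example>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=60512, dsn=2.0.0, stat=Sent
Mar 11 09:25:40 relay sendmail[4410]: 42B9PeHc004410: from=<mallory@evil.example>, size=300, class=0, nrcpts=1, msgid=<x1@evil.example>, proto=SMTP, daemon=MTA, relay=[198.51.100.9]
Mar 11 09:25:41 relay sendmail[4411]: 42B9PeHc004410: to=<jdoe@victim.example>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=30300, relay=mx1.example.com. [192.0.2.10], dsn=5.1.1, stat=User unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)


def parse_maillog(text):
    """Return {queue_id: {"from": <envelope record>, "to": [<delivery records>]}}.
    Fields are split on ", "; a to= list uses "," without a space, so it
    survives the split and is then broken out into individual addresses."""
    msgs = defaultdict(lambda: {"from": None, "to": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {"ts": m["ts"], "host": m["host"]}
        for piece in m["rest"].split(", "):
            key, _, val = piece.partition("=")
            fields[key] = val
        entry = msgs[m["qid"]]
        if "from" in fields:
            entry["from"] = fields
        elif "to" in fields:
            fields["to"] = re.findall(r"<([^>]*)>", fields["to"])
            entry["to"].append(fields)
    return dict(msgs)


def trace(text, msgid=None, recipient=None):
    """(queue_id, envelope record, delivery records) for the message whose
    msgid= matches the header's Message-ID, or for every message addressed
    to recipient, in log order."""
    hits = []
    for qid, entry in parse_maillog(text).items():
        env = entry["from"] or {}
        rcpts = [r for t in entry["to"] for r in t["to"]]
        if msgid and env.get("msgid") == msgid:
            hits.append((qid, env, entry["to"]))
        elif recipient and recipient in rcpts:
            hits.append((qid, env, entry["to"]))
    return hits


if __name__ == "__main__":
    for qid, env, deliveries in trace(SAMPLE_MAILLOG, recipient="jdoe@victim.example"):
        print(qid, env.get("ts"), "from", env.get("from"), "via", env.get("relay"))
        for d in deliveries:
            print("   to", ",".join(d["to"]), "->", d.get("relay", "local"), d["stat"])
```

The relay= value on the from= record is the connecting peer as the server saw it, which is the figure to compare with the IP in the bottom-most Received: line of the recipient's copy; a mismatch means one of the two was altered.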
Examining Microsoft E-mail Server Logs

• Microsoft Exchange Server (Exchange)
– Uses a database
– Based on the Microsoft Extensible Storage Engine (ESE)
• Information Store files
– Database files *.edb
• Hold MAPI information
– Database files *.stm (Exchange 2000/2003; later versions keep everything in the .edb)
• Hold non-MAPI (streaming Internet content) information

Examining Microsoft E-mail Server Logs (continued)

• Transaction logs
– Record changes to the e-mail databases before they are committed
• Checkpoint file
– Keeps track of which transaction logs have been committed to the database
• Temporary files
• Reserved logs
– res1.log and res2.log hold space so transactions can still be written when the disk fills
• Tracking.log – Message tracking logs, which record each message's path through the server

Examining Microsoft E-mail Server Logs: figure slide; image not reproduced in this text

Examining Microsoft E-mail Server Logs (continued)

• Troubleshooting or diagnostic logging
– Writes events to the Windows event log
– Use Windows Event Viewer
– Open the Event Properties dialog box for more details about an event

Examining Microsoft E-mail Server Logs (continued): two figure slides; images not reproduced in this text

Using Specialized E-mail Forensics Tools

• Tools include:
– AccessData's Forensic Toolkit (FTK)
– ProDiscover Basic
– FINALeMAIL
– Sawmill-GroupWise
– DBXtract
– Fookes Aid4Mail and MailBag Assistant
– Paraben E-Mail Examiner
– Ontrack Easy Recovery EmailRepair
– R-Tools R-Mail

Using Specialized E-mail Forensics Tools (continued)

• These tools allow you to find
– E-mail database files
– Personal e-mail files
– Offline storage files
– Log files
• Advantage
– You do not need detailed knowledge of each server's or client's storage format

Using Specialized E-mail Forensics Tools (continued)

• FINALeMAIL
– Scans e-mail database files
– Recovers deleted e-mails
– Searches the computer for other files associated with e-mail

Using Specialized E-mail Forensics Tools (continued): two figure slides; images not reproduced in this text

Using AccessData FTK to Recover E-mail

• FTK
– Can index data on a disk image or an entire drive for faster data retrieval
– Filters and finds files specific to e-mail clients and servers
• To recover e-mail from Outlook and Outlook Express
– AccessData integrated dtSearch
• dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files

Using AccessData FTK to Recover E-mail (continued): three figure slides; images not reproduced in this text

Using a Hexadecimal Editor to Carve E-mail Messages

• Very few vendors have products for analyzing e-mail in systems other than Microsoft's
• mbox format – Stores e-mails in flat plain-text files, one after another, each introduced by a line beginning "From " (sender and date, with no colon after From), which is the landmark to search for in a hexadecimal editor
• Multipurpose Internet Mail Extensions (MIME) format
– The standard structure of a message's body and attachments; it appears inside mbox files and inside vendor-specific stores such as Microsoft .pst or .ost, which are proprietary binary containers rather than plain text
• Example: carve e-mail messages from Evolution, whose local folders are mbox files

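As an added example (not from the course slides), the following Python does by hand what the hexadecimal-editor exercise does by eye: it scans a raw byte buffer, such as unallocated space or an Evolution mbox file recovered from an image, for mbox "From " separator lines, takes each message as the bytes up to the next separator, parses the headers with the standard-library email package, and shows the hex-editor view at each hit. The buffer, its messages and offsets are constructed for the example.

```python
"""Carve mbox-format messages out of a raw byte buffer by locating the
"From " separator lines that mbox writes before every message. Example
code added for this page; the buffer is constructed."""
import re
from email import message_from_bytes

# Constructed buffer: leading junk, two mbox messages, trailing junk. The
# offsets reported are what a hex editor would show for the same bytes.
RAW = (
    b"\x00\x00\xff\xfe unallocated junk \x00\x00"
    b"From alice@corp.example Mon Mar 11 09:20:02 2024\n"
    b"From: alice@corp.example\nTo: bob@corp.example\nSubject: lunch\n"
    b"Message-ID: <abc@corp.example>\n\nNoon?\n\n"
    b"From mallory@evil.example Mon Mar 11 09:25:40 2024\n"
    b"From: mallory@evil.example\nTo: jdoe@victim.example\nSubject: invoice\n"
    b"Message-ID: <x1@evil.example>\n\nSee attached.\n\n"
    b"\x00\x00 trailing garbage"
)

# mbox separator: "From " (no colon), envelope sender, asctime-style date.
# The date pattern keeps ordinary "From:" headers and random "From " text
# inside bodies from being mistaken for a separator.
SEP_RE = re.compile(
    rb"From (\S+) ([A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4})\n"
)


def hexdump(buf, offset, length=32):
    """One hex-editor style line for the bytes starting at offset."""
    chunk = buf[offset:offset + length]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08x}  {hexpart}  {asciipart}"


def carve_mbox(buf):
    """Return [(offset, envelope_sender, email.message.Message), ...].
    Each message runs from its separator to the next one; the last one is
    cut at its final blank line, since mbox ends every message with one,
    which drops whatever slack follows it in the buffer."""
    hits = list(SEP_RE.finditer(buf))
    messages = []
    for i, m in enumerate(hits):
        start = m.end()
        end = hits[i + 1].start() if i + 1 < len(hits) else len(buf)
        body = buf[start:end]
        if i + 1 == len(hits):
            cut = body.rfind(b"\n\n")
            if cut != -1:
                body = body[:cut + 2]
        messages.append((m.start(), m.group(1).decode(), message_from_bytes(body)))
    return messages


if __name__ == "__main__":
    for offset, sender, msg in carve_mbox(RAW):
        print(hexdump(RAW, offset))
        print(f"  sender={sender} subject={msg['Subject']} id={msg['Message-ID']}")
```

On a real image the same search is run over the whole file; false positives are rare because a body line would have to begin with "From " and continue with a date in exactly this form, which is also why mbox writers escape such lines as ">From ".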
Using Access Data FTK to Recover E-mail and Using a Hexadecimal Editor to Carve E-mail Messages: three figure slides; images not reproduced in this text

Summary

• E-mail fraudsters use phishing and spoofing scam techniques
• E-mail is sent and received via the Internet or a LAN
– Both environments use a client/server architecture
• E-mail investigations are similar to other kinds of investigations
• Access the victim's computer to recover evidence
– Copy and print the e-mail message involved in the crime or policy violation
• Find the e-mail headers

Summary (continued)

• Investigating e-mail abuse
– Be familiar with how e-mail servers and clients operate
• Check e-mail message files, headers, and server log files
• Currently, only a few forensics tools can recover deleted Outlook and Outlook Express messages
• For e-mail applications that use the mbox format, a hexadecimal editor can be used to carve messages manually

Thank You
