Packet and Protocol Analysis
Section II. Basic Forensic Techniques and Tools
CSF: Forensics Cyber-Security
MSIDC, Spring 2017
Nuno Santos
Summary
! Packet and protocol analysis
2 MSIDC - CSF - Nuno Santos 2016/17
Recall from last class
! How to interpret a network trace?
! A network trace is a linearized bit-copy of collected data exchanged over the network
[Figure: computer network → network trace file (010101101011110000…)]
! Need to understand some basic networking concepts
Started with a practical example
! Accessed URL: http://www.publico.pt
[Figure: client accessing http://www.publico.pt over the Internet]
! Collected network trace on a local file
Basic concepts involved
[Figure: a sender and a receiver exchanging an HTTP GET for index.htm; the protocols involved are HTTP and TCP/IP; the packets carry a source IP address and a destination IP address across the Internet network infrastructure]
Connected across multiple networks
! Computers are not wired directly but linked through interconnected networks (IP = Internet Protocol)
[Figure: Network 1, Network 2 and Network 3 interconnected by a switch and a router; example hosts 146.193.41.201 and 195.23.42.21]
Within a network, computers use MAC addresses
! Media Access Control address (MAC address)
! Unique identifier assigned to network interfaces for communications at the data link layer of a network segment
! Used as network addresses for Ethernet and WiFi
! Can be used to track the traffic source within a network
! Packets forwarded to the Internet do not carry the sender's MAC address (each router rewrites the link-layer header, so MAC addresses only travel within a network segment)
! Can be used to classify the type of machine
! Due to its internal structure (the first three octets identify the interface vendor)
! http://www.macvendorlookup.com/
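The internal structure mentioned above is what an analyst decodes from a MAC address found in a trace: the vendor prefix (OUI) in the first three octets, plus two flag bits in the first octet that reveal whether the address is multicast or locally administered (i.e. set by software rather than burned in by the vendor, which is what randomised or spoofed addresses look like). The following Python is an added example, not part of the original slides; the OUI table in it is a constructed stand-in for a real vendor database such as the lookup site linked above.

```python
import re

# Constructed OUI table for this example only; a real investigation
# would query a vendor database (e.g. the macvendorlookup.com site above).
ASSUMED_OUI_TABLE = {
    "00:50:56": "VMware (example entry)",
    "b8:27:eb": "Raspberry Pi Foundation (example entry)",
}


def decode_mac(mac: str) -> dict:
    """Split a 48-bit MAC address into the pieces a forensic analyst cares about."""
    octets = re.split(r"[:\-]", mac.strip().lower())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = int(octets[0], 16)
    oui = ":".join(octets[:3])
    return {
        "oui": oui,
        "nic_specific": ":".join(octets[3:]),
        # bit 0 of the first octet: 0 = unicast, 1 = group/multicast address
        "multicast": bool(first & 0x01),
        # bit 1 of the first octet: 0 = globally unique (vendor assigned),
        # 1 = locally administered (set by software: randomised or spoofed)
        "locally_administered": bool(first & 0x02),
        "vendor": ASSUMED_OUI_TABLE.get(oui, "unknown"),
    }


if __name__ == "__main__":
    for sample in ("00:50:56:12:34:56", "02-00-00-AA-BB-CC", "01:00:5e:00:00:01"):
        print(sample, decode_mac(sample))
```

A locally administered source address in a trace is not proof of spoofing (modern operating systems randomise WiFi MAC addresses for privacy), but it does mean the vendor lookup says nothing about the physical machine.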
Our focus today
[Figure: the “Basic concepts involved” diagram repeated (sender, receiver, HTTP GET for index.htm, HTTP over TCP/IP, packets with IP addresses, Internet network infrastructure), now focusing on the packets and protocols]
Packet and Protocol Analysis
Coming back to our network trace
Packet sniffing and packet sniffers
! Packet sniffing is the act of looking at packets as computers pass them over networks
! Packet sniffing is performed using packet sniffers
! These programs are designed to capture raw data as it crosses the network and translate it into a human readable format for analysis
! Can be used to capture only relevant packets
! Packet sniffers range from simple, command-line programs, like tcpdump, to complex programs with a GUI
Packet sniffers: Tcpdump
! tcpdump is the granddaddy of all open source packet sniffers
! Uses libpcap, which contains a set of system-independent functions for packet capture and network analysis
! Also used by Wireshark
[Figure: capture stack, top to bottom: tcpdump → libpcap → network device driver → network device]
Packet example
Packet network layers
! Packets are encoded according to network layers
! Each layer plays a role in abstracting out details of lower levels
[Figure: packet layers ordered by increasing network layer]
Layers are packaged “inside” each other
[Figure: layers nested one inside the other, ordered by increasing network layer]
Wireshark lets us navigate across each layer
[Figure: Wireshark packet details pane, one expandable row per layer, ordered by increasing network layer]
The IP protocol layer
! IP protocol: provides for sending / receiving IP packets between any two nodes featuring valid IP addresses
[Figure: IP packet]
Routing an IP packet
! IP packet: header + payload
! Header contains several fields: Source IP, Destination IP
[Figure: IP packet routed from 146.193.41.201 through a switch and a router to 195.23.42.21]
Format of an IP header
IP protocol
But, the sender IP was not expected…
! What we observed: 193.136.128.7
! What we expected: 195.23.42.21
Any ideas why?
Is there a proxy serving web requests?
! Request served by web proxy: a local cache of web pages
[Figure: the IP packet from 146.193.41.201 goes through the switch and router to the web proxy 193.136.128.17 instead of to 195.23.42.21]
Let’s validate this hypothesis
! Check the client config
! Check the proxy IP
Yes! It’s a proxy!
Next step: Investigate the IP packet payload
[Figure: the IP packet with its payload highlighted]
How to parse the IP packet payload?
Need to know what the transport protocol of the payload is (the Protocol field of the IP header tells us)
The role of the TCP protocol
! IP is best effort: packets can be dropped by routers along the way
! TCP provides abstraction of stream / flow on top of IP packets
! Ensures packets delivered (1) reliably, (2) in order, (3) without duplicates
[Figure: TCP flow between 146.193.41.201 and the web proxy 193.136.128.17, carried as IP packets through the switch and router]
Each endpoint maintains sequence number
TCP session establishment
1. Client sends a SYN to the server. Client sets the segment's sequence number to a random value m
2. Server replies with a SYN-ACK. The ack number is set to m+1, and the sequence number that the server chooses for the packet is another random number n
3. Client sends an ACK back to the server
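When reading a trace, the three steps above are checked against the sequence and acknowledgement numbers of the first three segments of a connection: the SYN-ACK must acknowledge m+1 and the final ACK must acknowledge n+1 (the n+1 rule is standard TCP and is not stated on the slide). The validator below is an added example, not part of the original slides; the segments are constructed, the client port is made up, and the proxy port 3128 is an assumption.

```python
from typing import NamedTuple

MASK32 = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap around


class Segment(NamedTuple):
    src: str    # "ip:port" of the endpoint that sent this segment
    dst: str
    flags: str  # "S" = bare SYN, "SA" = SYN-ACK, "A" = bare ACK
    seq: int
    ack: int


def check_handshake(segs):
    """Validate the first three segments as a TCP three-way handshake.

    Returns (ok, reason, m, n): m is the client's initial sequence number and
    n the server's, both None when the handshake is not valid."""
    if len(segs) < 3:
        return False, "need at least three segments", None, None
    syn, synack, ack = segs[:3]
    # Step 1: bare SYN from the client carrying its random ISN m
    if syn.flags != "S":
        return False, "first segment is not a bare SYN", None, None
    m = syn.seq
    # Step 2: SYN-ACK from the server to the client, ack = m+1, seq = its own ISN n
    if synack.flags != "SA" or (synack.src, synack.dst) != (syn.dst, syn.src):
        return False, "second segment is not a SYN-ACK from server to client", None, None
    if synack.ack != (m + 1) & MASK32:
        return False, f"SYN-ACK ack={synack.ack}, expected m+1={(m + 1) & MASK32}", None, None
    n = synack.seq
    # Step 3: ACK from the client, seq = m+1, ack = n+1
    if ack.flags != "A" or (ack.src, ack.dst) != (syn.src, syn.dst):
        return False, "third segment is not an ACK from client to server", None, None
    if ack.seq != (m + 1) & MASK32 or ack.ack != (n + 1) & MASK32:
        return False, f"final ACK mismatch: seq={ack.seq} ack={ack.ack}", None, None
    return True, "three-way handshake complete", m, n


# Constructed segments: client from the slides, proxy IP from the slides,
# client port made up, proxy port 3128 assumed.
CLIENT = "146.193.41.201:51234"
PROXY = "193.136.128.17:3128"
GOOD = [
    Segment(CLIENT, PROXY, "S", 0x12345678, 0),
    Segment(PROXY, CLIENT, "SA", 0x9ABCDEF0, 0x12345679),
    Segment(CLIENT, PROXY, "A", 0x12345679, 0x9ABCDEF1),
]
# Edge case: m is the largest 32-bit value, so m+1 wraps to 0
WRAP = [
    Segment(CLIENT, PROXY, "S", MASK32, 0),
    Segment(PROXY, CLIENT, "SA", 7, 0),
    Segment(CLIENT, PROXY, "A", 0, 8),
]
# Broken: SYN-ACK acknowledges m+2 instead of m+1
BAD = [GOOD[0], GOOD[1]._replace(ack=0x1234567A), GOOD[2]]

if __name__ == "__main__":
    for name, segs in (("good", GOOD), ("wrap", WRAP), ("bad", BAD)):
        print(name, check_handshake(segs))
```

A connection whose trace starts without a valid handshake usually means the capture began mid-stream (or the analyst is looking at a retransmission), which matters when deciding whether a flow can be fully reassembled.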
We can see the entire TCP message exchange
TCP header layout
TCP protocol
Port Numbers
! If a computer is identified by an IP, port numbers differentiate applications within the same computer
! https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Well-known port numbers
! A few examples:
Next step: Investigate the IP packet payload
[Figure: IP packet → IP packet payload → TCP packet → TCP packet payload]
Contains an HTTP request
Wireshark lets us follow the TCP stream
[Figure: Wireshark “Follow TCP Stream” view, showing the client => proxy request and the proxy => client response]
Last missing step: Ethernet frame
[Figure: the IP packet enclosed in a link layer frame]
Link layer: carrier of IP packets within networks
! Ethernet protocol used for client to send IP packet to router
[Figure: Ethernet frame carrying the IP packet from client 146.193.41.201 through the switch to the router, on its way to the web proxy 193.136.128.17]
Format of Ethernet frame
! MAC addresses are used for message delivery
! The IP packet is enclosed inside the data payload
Let’s inspect the Ethernet frame of our IP packet
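What Wireshark does when it peels the Ethernet frame, the IP header, the TCP header and finally the HTTP request out of one packet can be written down directly from the header layouts shown on the IP header, TCP header and Ethernet frame slides. The parser below is an added example, not part of the original slides or of any tool the slides mention; it builds a constructed frame (client 146.193.41.201 to the proxy 193.136.128.17 as on the slides, with a made-up client port, an assumed proxy port of 3128 and made-up MAC addresses), computes the IP header checksum (RFC 791) so it can be verified, and then parses the frame layer by layer, stopping cleanly when a layer is not what it expects.

```python
import struct
from ipaddress import ip_address

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
# A few well-known ports from the IANA registry linked on the port-number slide.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}
TCP_FLAG_BITS = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST"))


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header with a valid checksum."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Peel the layers: Ethernet -> IPv4 -> TCP -> application payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth": {"dst": dst_mac.hex(":"), "src": src_mac.hex(":"), "type": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        out["note"] = "not IPv4; stopping at the link layer"
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _hcs, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    out["ip"] = {
        "src": str(ip_address(src)), "dst": str(ip_address(dst)),
        "ttl": ttl, "protocol": proto, "total_length": total_len,
        "header_checksum_ok": ip_checksum(ip[:ihl]) == 0,
    }
    payload = ip[ihl:total_len]              # drops any trailing Ethernet padding
    if proto != PROTO_TCP:
        out["ip_payload"] = payload
        return out
    if len(payload) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _tcs, _urg = struct.unpack("!HHIIHHHH", payload[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    out["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in TCP_FLAG_BITS if flags & bit],
        "service": WELL_KNOWN_PORTS.get(dport, WELL_KNOWN_PORTS.get(sport, "unknown")),
    }
    out["data"] = payload[data_off:]         # what Wireshark shows as the HTTP layer
    return out


def build_sample_frame() -> bytes:
    """Constructed frame: client -> proxy carrying an HTTP GET (ports and MACs made up)."""
    http = b"GET http://www.publico.pt/ HTTP/1.1\r\nHost: www.publico.pt\r\n\r\n"
    # TCP header: data offset 5 words, flags PSH|ACK; TCP checksum left at 0 in this example
    tcp = struct.pack("!HHIIHHHH", 51234, 3128, 1000, 2001, (5 << 12) | 0x018, 65535, 0, 0)
    ip_len = 20 + len(tcp) + len(http)
    ip_no_cs = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0x1234, 0x4000, 64, PROTO_TCP, 0,
                           bytes([146, 193, 41, 201]), bytes([193, 136, 128, 17]))
    ip = ip_no_cs[:10] + struct.pack("!H", ip_checksum(ip_no_cs)) + ip_no_cs[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + http


if __name__ == "__main__":
    import pprint
    pprint.pprint(parse_frame(build_sample_frame()))
```

The checksum check is worth keeping in a forensic parser: a header whose checksum does not verify is either a capture artifact (checksum offloading on the capturing host) or a malformed packet, and both deserve a note in the report before the payload is trusted.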
A case study
! You are the manager of a company and receive a tip that an employee is using his computer to view images that violate the company’s computer use policy
! You then hire a forensics investigator to assist in the matter and, together, decide to monitor the suspected employee’s activity on the network for the next week
! Goal: see if there is any evidence to support or refute the claims against the employee viewing images.
Case study: Search through the packets
! After capturing the packets, search through the packets to identify images that violate the policy
Case study: Perform file carving
! Export the portion of the payload that contains the bytes of the image
Case study: Caught in procrastination!
! Exported image created from exported bytes
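The file carving step of the case study (export the payload bytes that make up the image, then reconstruct the file) can be automated once the proxy => client TCP stream has been reassembled: skip the HTTP response headers, honour Content-Length so the next response on the same stream is not swallowed, and locate the JPEG start and end markers. The code below is an added example, not part of the original slides or of Wireshark; the stream it carves is constructed, and the 11-byte "image" is a stub with the right markers, not a decodable picture. It records a SHA-256 of the carved bytes because the carved file, not the trace, is what ends up in the evidence log.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker followed by the first segment marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def split_http_response(stream: bytes):
    """Split one HTTP response into (status line, header dict, body bytes)."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no end-of-headers marker in stream")
    lines = stream[:sep].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, stream[sep + 4:]


def carve_jpeg(stream: bytes) -> dict:
    """Carve the JPEG bytes out of a reassembled proxy -> client TCP stream."""
    status, headers, body = split_http_response(stream)
    length = headers.get("content-length")
    if length is not None and length.isdigit():
        body = body[:int(length)]        # stop at the declared body; the next response follows
    start = body.find(JPEG_SOI)
    if start < 0:
        return {"found": False, "status": status, "content_type": headers.get("content-type")}
    end = body.rfind(JPEG_EOI)
    image = body[start:end + 2] if end > start else body[start:]
    return {
        "found": True,
        "status": status,
        "content_type": headers.get("content-type"),
        "image": image,
        "complete": image.endswith(JPEG_EOI),          # False when the capture was cut short
        "sha256": hashlib.sha256(image).hexdigest(),   # hash for the evidence log
    }


# Constructed stream: one image response followed by the start of the next response.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    + b"\xff\xd8\xff\xe0JFIF\x00\xff\xd9"   # 11-byte stub with JPEG markers, not a real image
    + b"HTTP/1.1 200 OK\r\n"                # next response on the same keep-alive stream
)

if __name__ == "__main__":
    result = carve_jpeg(SAMPLE_STREAM)
    print(result["status"], result["content_type"], result["complete"], result["sha256"])
    with open("carved_image.jpg", "wb") as fh:
        fh.write(result["image"])
```

Real captures add two complications the stub avoids: chunked transfer encoding (the body arrives as length-prefixed chunks that must be joined before carving) and content that is compressed or served over TLS, where the payload bytes are not the image bytes at all.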
Conclusions
! Packet and protocol analysis play a fundamental role in network forensics
! Typical communications are centered around TCP/IP protocols, which tend to be structured in network layers
! Packet analysis tools like Wireshark allow us to interpret the content of individual packets and flows
References
! Primary bibliography
! [Casey11], Chapter 21, 23.2.2
Next class
! Web and E-Mail forensics