No matter where you go, your computer leaves footprints on the network. When you connect to the network, log on to your workstation, or surf the web, these activities leave trails throughout your employer's or ISP's network, even when the administrators are not deliberately trying to monitor your activity.
Forensic analysts traditionally focus on hard drive analysis, but hard drives are not always accessible, and they don’t tell the full story. Savvy investigators also include the network environment. Recently I’ve been co-authoring a class on Network Forensics (SANS Sec558), and I’ve been building lab networks, collecting evidence for the class exercises, and practicing network forensics in-depth. Here are a few ways that investigators reconstruct computer activity using network forensics.
Web Surfing: Many organizations use web proxies to improve web surfing performance. As it happens, web proxies maintain a log of web requests and even copies of web pages (for a limited period of time). Forensic investigators can use graphical tools such as Sarg to analyze web proxy logs and view each client's browsing history. Investigators can even extract the pages themselves from the web proxy cache with common tools such as wget.
By analyzing web proxy logs, investigators can reconstruct browsing history, view downloads, recover social networking information, identify external email accounts, and even obtain usernames and passwords (which are sometimes included in URLs). Web proxies result in faster web browsing and help lower network congestion. As a side effect, they also accumulate logs which record your web browsing history.
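As an added illustration (not code from the original post), here is a small Python script that parses Squid access.log lines in the native format, builds each client's time-ordered browsing history, and flags URLs whose query strings carry credential-looking parameters; the log lines, hosts, addresses and the list of credential keys are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Squid access.log lines in the native format (not a real proxy's log):
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1237209600.123    245 10.0.0.15 TCP_MISS/200 5120 GET http://example.com/index.html - DIRECT/203.0.113.10 text/html
1237209605.456    120 10.0.0.15 TCP_HIT/200 2048 GET http://example.com/logo.png - NONE/- image/png
1237209610.789    310 10.0.0.22 TCP_MISS/200 880 GET http://webmail.example.net/login?user=alice&password=hunter2 - DIRECT/203.0.113.5 text/html
1237209620.000    900 10.0.0.15 TCP_MISS/200 4194304 GET http://files.example.org/report.zip - DIRECT/198.51.100.7 application/zip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)
# Query-string keys that often carry credentials (assumed heuristic list).
CRED_KEYS = ("user", "username", "login", "pass", "password", "passwd", "pwd")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a native-format access.log line
    rec = m.groupdict()
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    return rec

def credential_keys_in_url(url):
    """Credential-looking query keys in the URL, so analysts can spot exposed logins."""
    query = url.partition("?")[2]
    keys = [kv.partition("=")[0].lower() for kv in query.split("&") if kv]
    return sorted(k for k in keys if k in CRED_KEYS)

def browsing_history(log_text):
    """Per-client, time-ordered history; each entry flags downloads and credential URLs."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["cred_keys"] = credential_keys_in_url(rec["url"])
        rec["download"] = rec["ctype"].startswith("application/")
        history[rec["client"]].append(rec)
    for entries in history.values():
        entries.sort(key=lambda r: r["when"])
    return dict(history)
```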
Laptop/Mobile Device Tracking: Investigators can identify a specific laptop even when its IP address changes, and even if it moves to a different network. The network card in your computer has a unique address assigned to it by the manufacturer called the Media Access Control (MAC) address. When you connect your laptop to a hotspot or company network, your network card broadcasts its unique MAC address, and the DHCP server then assigns an IP address to your network card.
Forensic analysts can use DHCP server logs to track which IP addresses belonged to which network cards at a given time. By default, your MAC address also reveals information about the manufacturer, so forensic analysts can infer whether your laptop contains, for example, an Apple-manufactured network interface.
There’s a catch: You can change your network card’s MAC address. It’s actually fairly easy to do, even though most people don’t bother. A MAC address is really about as reliable as using hair color to describe a suspect. Much of the time, it’s accurate, and it takes conscious effort to change, but with a little effort it can be modified. You can even change the MAC address so that it looks as though your network card was made by a different manufacturer. If someone purposefully changed their MAC address, that would make it harder to link network activity to their specific network card.
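An added example, not part of the original post: parsing ISC dhcpd syslog lines to answer the two questions above, which MAC address held a given IP at a given time, and which IPs a given network card was assigned, plus an OUI lookup against a tiny assumed vendor table. The log lines, hostnames and MAC addresses are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed ISC dhcpd syslog lines (not a real server's log).
SAMPLE_LOG = """\
Mar 16 09:12:01 dhcp1 dhcpd: DHCPACK on 192.168.1.50 to 00:1e:c2:aa:bb:cc (alice-mbp) via eth0
Mar 16 11:40:22 dhcp1 dhcpd: DHCPACK on 192.168.1.50 to 00:1b:21:11:22:33 (build-box) via eth0
Mar 16 12:05:10 dhcp1 dhcpd: DHCPACK on 192.168.1.77 to 00:1e:c2:aa:bb:cc (alice-mbp) via eth0
"""
YEAR = 2009  # syslog lines carry no year; assumed from the case timeline

ACK_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>[ \d]\d) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via"
)
# Tiny OUI excerpt assumed for the example; consult the IEEE registry in practice.
OUI = {"00:1e:c2": "Apple", "00:1b:21": "Intel"}

def parse_leases(log_text):
    """Return [(when, ip, mac, hostname)] for every DHCPACK, in log order."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # other dhcpd messages (DISCOVER, OFFER, ...) are skipped here
        when = datetime.strptime(
            f"{YEAR} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S")
        leases.append((when, m["ip"], m["mac"].lower(), m["host"]))
    return leases

def mac_for_ip(leases, ip, at):
    """Which MAC held this IP at time `at`: the latest DHCPACK at or before it."""
    earlier = [l for l in leases if l[1] == ip and l[0] <= at]
    return max(earlier, key=lambda l: l[0])[2] if earlier else None

def ip_history(leases, mac):
    """Every IP a network card was given, with timestamps, across the whole log."""
    return [(l[0], l[1]) for l in leases if l[2] == mac.lower()]

def vendor(mac):
    """Manufacturer hint from the OUI prefix; only a hint, since MACs can be changed."""
    return OUI.get(mac.lower()[:8], "unknown")
```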
Logon History: In order to comply with regulations such as HIPAA (as well as standard security best practices), organizations frequently configure workstations to send records of events to central logging servers, which collect and store logs from many workstations all in one place. Typically, central logging servers store login times, failed login attempts, and commands that are executed with administrative privileges (the specifics vary depending on the organization). The workstation must be preconfigured to send logs to the central logging server. My favorite log analysis tool is Splunk. By analyzing a central logging server, forensic investigators can track when you logon (or when you mess up your password), when you run privileged commands, or take other noteworthy actions.
Network traffic: Forensic investigators who are monitoring active connections can collect all network traffic to and from a specific computer, without the user ever knowing. There are many ways to monitor network traffic. If investigators have the support of network administrators, then the administrators can simply set up a SPAN port on a router, mirror all traffic, and filter for interesting bits. Some companies do this all the time, filtering for malicious traffic, proprietary data, or even keywords that might indicate employees are angry. Wireless networks are even easier to analyze. Since wireless access points are hubs, every client can potentially capture traffic destined for any other system, or all systems. Tools such as Wireshark and tcpdump are useful for capturing network traffic (investigators: if you use tcpdump, remember to set the snaplength to zero for full packet contents).
Here are a few things forensic investigators can do with raw traffic captures:
- File carving: Investigators can actually carve files out of raw network traffic and reconstruct file transfers. If you upload a JPG to a web site, send an email attachment, or download an MP3, anyone who has captured your network traffic can reconstruct your file. Tools such as tcpxtract are helpful for this purpose. Investigators can also view images and other file formats in real time as they are transferred across the network, using tools like driftnet.
- Instant message reconstruction: If you’re not encrypting your instant messages, then they are quite easy to see as they travel across the network. One of my clients once half-jokingly said that he considered deploying a scrolling sign in the lunchroom which broadcast everybody’s IMs, in order to reduce the amount of IM usage.
- Email reconstruction: Emails are rarely encrypted as they traverse the network. Much like instant messages, the text is trivial to read. Investigators don’t even need to go to the trouble of reconstructing files: you can simply run “strings” on raw packet captures and dump the output to a file (I recommend always checking both ASCII and Unicode output). If you’re feeling more interactive, you can also view the raw traffic in a hex editor and read the ASCII output.
- Web surfing reconstruction: Perhaps your organization doesn’t have a proxy server, or the forensic investigator doesn’t have access to it. With access to captured traffic from your computer, investigators can extract your web browsing activity, full page content, and form submissions.
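An added example, not from the original post, of the "check both ASCII and Unicode output" advice applied to email reconstruction. The capture bytes are constructed inline (an SMTP exchange in ASCII plus a UTF-16LE Subject line between non-printable framing bytes); the UTF-16LE fragment is there precisely to show what an ASCII-only strings pass misses.

```python
import re

# Constructed bytes standing in for a raw capture excerpt (not a real capture):
# an SMTP exchange in ASCII plus a UTF-16LE fragment, with non-printable
# framing bytes between them, as a pcap would have.
CAPTURE = (
    b"\x00\x00\x01\x19EHLO mail.example.org\r\n"
    b"250-mx.example.net Hello\r\n"
    b"MAIL FROM:<alice@example.org>\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"RCPT TO:<carol@example.net>\r\n"
    b"\x00\x00\xff\xfe" + "Subject: Q1 forecast".encode("utf-16-le") + b"\x00\x00\x10\x00"
)

def strings_ascii(data, min_len=4):
    """Runs of printable ASCII, what `strings -e s` would report."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]

def strings_utf16le(data, min_len=4):
    """Runs of printable ASCII stored as UTF-16LE (char, NUL), what `strings -e l` reports."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]

def all_strings(data, min_len=4):
    """Both encodings; an ASCII-only pass would miss the UTF-16LE Subject line."""
    return strings_ascii(data, min_len) + strings_utf16le(data, min_len)

ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):<([^>]*)>", re.I)
SUBJECT_RE = re.compile(r"^Subject:\s*(.*)$", re.I)

def smtp_summary(data):
    """Sender, recipients and subject reconstructed from the extracted strings."""
    info = {"from": None, "to": [], "subject": None}
    for s in all_strings(data):
        m = ENVELOPE_RE.match(s)
        if m:
            if m.group(1).upper() == "MAIL FROM":
                info["from"] = m.group(2)
            else:
                info["to"].append(m.group(2))
            continue
        m = SUBJECT_RE.match(s)
        if m:
            info["subject"] = m.group(1)
    return info
```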
Forensics and privacy are two sides of the same coin. Both investigators and everyday citizens benefit from understanding the types of personal information that companies, hotspots and ISPs routinely store, and how activity can be tracked and reconstructed.
Check out our three-day class: SANS Sec558: Network Forensics, scheduled to run this June at SANSFIRE in Washington, DC. We’ll do lots of advanced, hands-on exercises in which we analyze a virtual network, and spend a full day working as investigative teams to solve a crime. Hope to see some of you there!
PGP-signed text: 2009-03-16