Technical Fundamentals

Report
CASE STUDY : ANN’S RENDEZVOUS
Section 3.2
Network Forensics
TRACKING HACKERS THROUGH CYBERSPACE
THE MISSION
The case: After being released on bail, Ann Dercover disappears! Fortunately, investigators were
carefully monitoring her network activity before she skipped town. “We believe Ann may have
communicated with her secret lover, Mr. X, before she left,” says the police chief. “The packet
capture may contain clues to her whereabouts.”
Challenge: You are the forensic investigator. Your mission is to analyze the packet capture and
gather information about Ann’s activities and plans. The following questions will help guide your
investigation:
• Provide any online aliases or addresses and corresponding account credentials that
may be used by the suspect under investigation.
• Who did Ann communicate with? Provide a list of email addresses and any other
identifying information.
• Extract any transcripts of Ann’s conversations and present them to investigators.
• If Ann transferred or received any files of interest, recover them.
• Are there any indications of Ann’s physical whereabouts? If so, provide supporting
evidence.
THE MISSION CONTINUED
Network:
• Internal network: 192.168.30.0/24
• DMZ: 10.30.30.0/24
• The “Internet”: 172.30.1.0/24 [Note that for the purposes of this case study, we are
treating the 172.30.1.0/24 subnet as “the Internet.” In real life, this is a reserved
nonroutable IP address space.]
Evidence: Investigators provide you with a packet capture from Ann’s home network,
“evidence-packet-analysis.pcap.” They also inform you that in the course of their monitoring,
they have found that Ann’s laptop has the MAC address 00:21:70:4D:4F:AE.
Pg. 135
ANALYSIS: PROTOCOL SUMMARY
•
Begin by taking a high-level look at the packet
• Wireshark > Statistics > Protocol Hierarchy
• Notice the presence of “Bootstrap Protocol”
• Used for DHCP request and response
DHCP TRAFFIC
•
Examine using Wireshark Display Filter
• “eth.addr == 00:21:70:4d:4f:ae and
bootp
• Wireshark automatically looks up the
registered OUI, “00:21:70,” and
displays the corresponding
manufacturer, Dell.
• Can be verified using IEEE
• Request address is 192.168.30.108
• Host name matches Ann
• Router 192.168.31.10
• DNS 10.30.30.20
DHCP CONTINUED
•
Router 192.168.31.10
•
DNS 10.30.30.20
•
Renewal Time Value of 30 minutes
KEYWORD SEARCH
•
Matches seven packets
•
Three contain a conversation with
64.12.168.40 TCP port 587 (SMTP)
•
Four contain a conversation with
205.188.58.10 TCP port 143 (IMAP)
EXAMINE SMTP
•
Use Wireshark’s “Follow TCP Stream” to isolate packets beginning with 2011/05/17
13:33:07.203874
EXAMINATION CONTINUED
•
Notice Ann’s authentication is in plain text:
•
Her credentials are only Base-64-encoded, not encrypted
•
Take note of the sender and receiver:
•
Look at the body of the email:
• Next look at the SMTP packet
•
•
2011/05/17 13:34:16.481132
User: [email protected]
Receiver: [email protected]
EXAMINATION CONTINUED AGAIN
•
Examination of the third packet matching SMTP
using command line
•
Look at the content from 192.168.30.108 (Ann’s
computer) to remote server 64.12.168.40
•
We are interested in the outbound content
reconstruction
•
Notice the From: ID, the To: ID and the body of the
email
•
As the message suggests there is an attachment
SMTP ANALYSIS – ATTACHMENT FILE CARVING
•
$ bless 192.168.030.108.01689 -064.012.168.040.00587
•
Cut the SMTP and MIME protocol information
•
Attachment of greatest interest is labeled
•
Start carving
• After set of 0x0D & 0x0A CRLF
• Carriage-return/linefeed
•
Finish carving
• Just before the second set
•
Save file as “evidence-packet-analysis-smtp3-attachment”
ATTACHMENT FILE CARVING CONTINUED
•
We need to remove the line breaks before decoding the Base64 encoding
•
Use “fromdos” which is part of the “tofrodos” Debian package
• $ fromdos -b evidence -packet -analysis -smtp3 –attachment
•
Decode
• $ base64 -d evidence -packet -analysis -smtp3 -attachment > secretrendezvous.docx
•
Check file type
•
• $ file secretrendezvous.docx
secretrendezvous.docx: Zip archive data , at least v2.0 to extract
Make cryptographic checksums
VIEW THE ATTACHMENT
•
Always work with a copy
MORE CARVING
•
Lets carve the image out of the .docx file
• Start by unzipping the file
• Notice the .png file
• Take the cryptographic checksum
• View a copy of the image
FINDING ANN THE EASY WAY
•
Use NetworkMiner
EASY WAY CONTINUED
•
“NetworkMiner automatically parses headers and displays them along with the body of
each SMTP message. It can also show other types of messages, such as IMs.” Pg 151
•
“The “Files” tab displays files that NetworkMiner automatically carved out of the packet
capture.” Pg 151
SMTPDUMP
•
Use smtpdump to:
• analyze SMTP flow #3 in the packet capture (-f 3)
• extract attachments (-x)
• print the MD5sum (-m)
• print authentication data (-A)
DOCXTRACT
•
Use docxtract to:
•
extract all images from the carved .docx attachment (-x -i)
•
print the corresponding cryptographic checksum (-m)
FINDSMTPINFO.PY
•
Can be used to :
• Print SMTP authentication information
• Extract all messages from the packet capture
• Extract all attachments from the messages
• Print the MD5 sums for each of the attachments
• Extract the files embedded within the .docx file
• Print the MD5 sums for each of the embedded files
•
Pg. 152
Produces reports suitable for professional forensic reports
FINDSMTPINFO.PY CONTINUED
•
Example:
FINDSMTPINFO.PY CONTINUED AGAIN
•
Tool will:
• automatically unzip attached .docx file
• Extract embedded files
• MD5sums
TIMELINE
•
All times listed below occurred on May 17, 2011.
•
13:32:01.419886—Packet capture begins
•
13:32:03.166396—First DHCP Request from 00:21:70:4d:4f:ae (Ann’s computer)
•
13:32:03.167145—DHCP ACK from 192.168.30.10 to Ann’s computer, assigning
00:21:70:4d:4f:ae the IP address 192.168.1.108 with a 1-hour lease time.
•
13:33:05.834649--13:33:07.847758—First SMTP conversation. Email sent from Ann’s
computer with sender [email protected] and recipient [email protected]
•
13:34:15.110657--13:34:17.204721—Second SMTP conversation. Email sent from Ann’s
computer with sender [email protected] and recipient [email protected]
•
13:35:15.504697--13:35:23.263802—Third SMTP conversation. Email sent from Ann’s
computer with sender [email protected] and recipient [email protected]
•
13:35:23.263802—Packet capture ends
Pg 154
THE CASE THEORY
•
Ann Dercover connected her laptop (“ann-laptop”) to the network on May 17, 2011, at
13:32:03. Her computer was probably manufactured by Dell.
•
At 13:33:05, Ann sent email from her AOL account, [email protected], to
[email protected], asking the recipient, “Hey, can you hook me up quick with that fake
passport you were talking about?”
•
At 13:34:15, Ann sent email from her AOL account, [email protected], to
[email protected], informing the recipient, “Sorry—I can’t do lunch next week after
all. Heading out of town. Another time!”
•
At 13:35:15, Ann sent email from her AOL account, [email protected], to
mistersekritx@ aol.com, with the message, “Hi sweetheart! Bring your fake passport and
a bathing suit. Address attached. love, Ann.” The email had a .docx attachment that
contained an address and a map.
Pg 155
CHALLENGE QUESTION RESPONSES
•
Provide any online aliases or addresses and corresponding account credentials that may
be used by the suspect under investigation.
• Based on our SMTP analysis, there are indications that Ann Dercover uses the email
address [email protected], and that her password is “s00pers3kr1t.”
•
Who did Ann communicate with? Provide a list of email addresses and any other
identifying information.
• We have seen that [email protected] sent emails to the following recipients:
• [email protected][email protected][email protected]
RESPONSES CONTINUED
•
Extract any transcripts of Ann’s conversations and present them to investigators.
• Here is a quick summary of Ann’s conversations, sent via SMTP:
SMTP Message #1
Sender: [email protected]
Recipient: [email protected]
Date [beginning of SMTP conversation]: May 17, 2011 13:33:05
Subject: need a favor
Message [formatting removed]: Hey, can you hook me up quick with that fake
passport you were talking about? - Ann
Attachments of interest: None
Pg. 155
RESPONSES CONTINUED AGAIN
•
•
SMTP Message #2
Sender: [email protected]
Recipient: [email protected]
Date [beginning of SMTP conversation]: May 17, 2011 13:34:15
Subject: lunch next week
Message [formatting removed]: Sorry—I can’t do lunch next week after all. Heading
out of town. Another time! - Ann
Attachments of interest: None
SMTP Message #3
Sender: [email protected]
Recipient: [email protected]
Date [beginning of SMTP conversation]: May 17, 2011 13:35:15
Subject: rendezvous
Message [formatting removed]: Hi sweetheart! Bring your fake passport and a
bathing suit. Address attached. love, Ann
Attachments of interest: secretrendezvous.docx
Pg. 156
AND AGAIN
•
If Ann transferred or received any files of interest, recover them.
• We recovered one Office Open XML Document (.docx) file, attached to Ann’s email
to [email protected]
• The MD5 checksum of the .docx file was:
• 9049b6d9e26fe878680eb3f28d72d1d2
• The SHA256 checksum was:
• 24601c174587be4ddfff0b9e6d598618c6abfcfadb16f7dd6dbd7a24aed6fec8
•
Pg 156
The document began with the text, “Meet me at the fountain near the rendezvous point.
Address below. I’m bringing all the cash.” This was followed by a PNG image of a map
with an address.
AND AGAIN
•
Are there any indications of Ann’s physical whereabouts? If so, provide supporting
evidence.
• The document that Ann sent to [email protected] indicates that she would like
to meet him at the following address:
Playa del Carmen
1 Av Constituyentes 1 Calle 10 x la 5ta
Avenida
Playa del Carmen , 77780 , Mexico
01 984 873 4000
•
Pg 156
Of course, there is no guarantee that Ann and/or the email recipient ever traveled to this
location. Perhaps Ann was trying to throw us off her trail!
THE NEXT STEP
•
Conduct further analysis on the packet capture to see if there are more emails, web
traffic, etc.
•
If there is sufficient evidence, a warrant might be in order to monitor Ann’s email account
and / or open her account using her credentials and investigate her past email activity.
Disclaimer: All information and data pulled directly from this book.
Pages 135 - 157
Works Cited
Davidoff, S., & Ham, J. (2012). Network Forensics Tracking Hackers Through Cyberspace.
Boston: Prentice Hall.

similar documents