Network Forensics: Privacy and Security
Anchit Bijalwan

First edition published 2022 by CRC Press, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742, and by CRC Press, 2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN.

© 2022 Taylor & Francis Group, LLC. CRC Press is an imprint of Taylor & Francis Group, LLC.

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged, please write and let us know so we may rectify it in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC, please contact [email protected]

Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Names: Bijalwan, Anchit, author.
Title: Network forensics : privacy and security / Anchit Bijalwan.
Description: First edition. | Boca Raton : Chapman & Hall/CRC Press, 2022. | Includes bibliographical references and index.
| Summary: "Network Forensics: Privacy & Security provides significant knowledge of network forensics in different functions and spheres of security. The book gives complete knowledge of network security, all kinds of network attacks, the intention of an attacker, identification of attack, detection, its analysis, incident response, ethical issues, botnet and botnet forensics. This book also refers to the recent trends that come under network forensics. It provides in-depth insight into the dormant and latent issues of acquisition and system live investigation too" — Provided by publisher.
Identifiers: LCCN 2021027908 (print) | LCCN 2021027909 (ebook) | ISBN 9780367493615 (hardback) | ISBN 9780367493646 (paperback) | ISBN 9781003045908 (ebook)
Subjects: LCSH: Computer crimes—Investigation. | Computer networks—Security measures. | Computer security. | Forensic sciences.
Classification: LCC HV8079.C65 B55 2022 (print) | LCC HV8079.C65 (ebook) | DDC 363.25/968—dc23
LC record available at https://lccn.loc.gov/2021027908
LC ebook record available at https://lccn.loc.gov/2021027909

ISBN: 978-0-367-49361-5 (hbk)
ISBN: 978-0-367-49364-6 (pbk)
ISBN: 978-1-003-04590-8 (ebk)
DOI: 10.1201/9781003045908

Typeset in Palatino by codeMantra

Contents

Preface ... xvii
Organization of This Book ... xix
Author ... xxi
Acknowledgments ... xxiii

Part A  Network Forensics Concepts

1. Introduction to Network Forensics ... 3
  1.1 Introduction ... 3
  1.2 Network Security ... 5
    1.2.1 Evolution of Network Security ... 5
    1.2.2 Importance of Network Security ... 6
    1.2.3 Basic Terminology for Understanding Network Security ... 6
    1.2.4 Features of Network Security Services ... 7
  1.3 Types of Network Security Attacks ... 8
    1.3.1 Active Attack ... 8
      1.3.1.1 Modification ... 9
      1.3.1.2 Fabrication ... 9
      1.3.1.3 Interruption and Denial of Service ... 9
      1.3.1.4 Replay Attack ... 9
      1.3.1.5 Masquerade Attack ... 10
    1.3.2 Passive Attack ... 10
      1.3.2.1 Traffic Analysis ... 10
      1.3.2.2 Message Transmission ... 10
  1.4 Network Security Tools ... 11
    1.4.1 Intrusion Detection System ... 11
      1.4.1.1 Knowledge- or Signature-Based IDS ... 11
      1.4.1.2 Behavior- or Anomaly-Based IDS ... 11
    1.4.2 Firewall ... 12
      1.4.2.1 Network-Level Firewall ... 12
      1.4.2.2 Application-Level Firewall ... 13
      1.4.2.3 Proxy Firewall ... 13
    1.4.3 Antivirus ... 13
  1.5 Security Issues ... 13
    1.5.1 Network Access Control ... 14
    1.5.2 Application Security ... 14
      1.5.2.1 Application Security Process ... 15
    1.5.3 Email Security ... 15
      1.5.3.1 Antivirus Application on System ... 16
      1.5.3.2 Spam Filters ... 16
      1.5.3.3 Antispam Applications ... 16
      1.5.3.4 Strong Passwords ... 16
      1.5.3.5 Password Rotation ... 17
    1.5.4 Wireless Security ... 17
    1.5.5 Firewall ... 17
  1.6 Digital Forensics ... 17
    1.6.1 Digital Forensics Evolution ... 18
    1.6.2 Digital Forensic Types ... 19
  1.7 Computer Forensics ... 20
    1.7.1 Computer Forensics Process ... 20
  1.8 Network Forensics ... 21
    1.8.1 Definition ... 21
    1.8.2 Taxonomy of Network Forensics Tools ... 22
    1.8.3 Network Forensics Mechanism ... 23
    1.8.4 Network Forensics Process ... 24
      1.8.4.1 Authorization ... 24
      1.8.4.2 Collection of Evidences ... 24
      1.8.4.3 Identification of Evidences ... 25
      1.8.4.4 Detection of Crime ... 25
      1.8.4.5 Investigation ... 25
      1.8.4.6 Presentation ... 26
      1.8.4.7 Incident Response ... 26
  1.9 Computer Forensics vs Network Forensics ... 26
    1.9.1 Computer Forensics ... 27
    1.9.2 Network Forensics ... 27
  1.10 Network Security vs Network Forensics ... 27
    1.10.1 Network Security ... 28
    1.10.2 Network Forensics ... 28
  Questions ... 28
  Bibliography ... 29

2. Cyber Crime ... 31
  2.1 Introduction ... 31
  2.2 Attack Intentions ... 33
    2.2.1 Warfare Sponsored by the Country ... 33
    2.2.2 Terrorist Attack ... 33
    2.2.3 Commercially Motivated Attack ... 33
    2.2.4 Financially Driven Criminal Attack ... 33
    2.2.5 Hacking ... 33
    2.2.6 Cyberstalking ... 34
    2.2.7 Child Pornography ... 34
    2.2.8 Web Jacking ... 34
    2.2.9 Data Diddling ... 35
    2.2.10 Counterfeiting ... 35
    2.2.11 Phishing ... 35
  2.3 Malware ... 35
    2.3.1 Definition ... 35
    2.3.2 History of Malware ... 37
    2.3.3 Classification of Malware ... 38
      2.3.3.1 Virus ... 40
      2.3.3.2 Worm ... 40
      2.3.3.3 Logic Bomb ... 40
      2.3.3.4 Trojan Horse ... 40
      2.3.3.5 Backdoor ... 40
      2.3.3.6 Mobile Code ... 41
      2.3.3.7 Exploits ... 41
      2.3.3.8 Downloaders ... 41
      2.3.3.9 Auto Rooter ... 41
      2.3.3.10 Kit (Virus Generator) ... 42
      2.3.3.11 Spammer ... 42
      2.3.3.12 Flooders ... 42
      2.3.3.13 Keyloggers ... 42
      2.3.3.14 Rootkit ... 42
      2.3.3.15 Zombie or Bot ... 42
      2.3.3.16 Spyware ... 43
      2.3.3.17 Adware ... 43
      2.3.3.18 Ransomware ... 43
      2.3.3.19 Hacker's Useful Components and Other Harmful Programs ... 44
  2.4 Terminology for the Cyber Attackers ... 44
  2.5 Types of Attacks ... 45
    2.5.1 Distributed Denial of Service Attack ... 45
    2.5.2 Spam ... 46
    2.5.3 Personal Information Thieving ... 47
    2.5.4 Click Fraud ... 48
    2.5.5 Identity Theft ... 49
  Questions ... 49
  Bibliography ... 50

3. Network Forensics Process Model ... 53
  3.1 Introduction ... 53
  3.2 Recent Trend in Network Forensics ... 54
    3.2.1 Malware Forensics ... 55
    3.2.2 Botnet Forensics ... 55
    3.2.3 Cloud Forensics ... 55
    3.2.4 Grid Forensics ... 55
  3.3 Life Cycle of Network Forensics ... 55
  3.4 Network Forensics Process Model ... 57
    3.4.1 Authorization ... 57
    3.4.2 Collection of Evidence ... 58
    3.4.3 Identification of Evidence ... 58
    3.4.4 Detection of Crime ... 58
    3.4.5 Investigation ... 59
    3.4.6 Presentation ... 59
    3.4.7 Incident Response ... 59
  3.5 Detection and Investigative Network Forensics Frameworks ... 60
    3.5.1 Detection-Based Framework ... 60
    3.5.2 BOT GAD-Based Framework ... 64
    3.5.3 System Architecture-Based Framework ... 65
    3.5.4 Fast Flux-Based Framework ... 65
    3.5.5 Mac OS-Based Framework ... 66
    3.5.6 Open Flow-Based or AAFID Framework ... 67
    3.5.7 P2P-Based Framework ... 67
    3.5.8 Distributed Device-Based Frameworks ... 70
    3.5.9 Soft Computing-Based Frameworks ... 70
    3.5.10 Honeypot-Based Frameworks ... 72
    3.5.11 Attack Graph-Based Frameworks ... 72
    3.5.12 Formal Method-Based Frameworks ... 72
    3.5.13 Formal Method-Based Frameworks ... 72
    3.5.14 Network Monitoring Framework ... 72
  Questions ... 74
  References ... 74

4. Classification of Network Forensics ... 77
  4.1 Introduction ... 77
    4.1.1 Signature-Based or Misuse Detection ... 77
      4.1.1.1 Monitoring ... 78
      4.1.1.2 Capturing (Avoidance of Packets Drop) ... 78
      4.1.1.3 Notification ... 78
      4.1.1.4 Software Initiation ... 78
      4.1.1.5 Multiperspective Environment ... 79
    4.1.2 Anomaly-Based or Hybrid Detection ... 79
    4.1.3 Comparative Difference between Signature- and Anomaly-Based Detection ... 79
  4.2 Detection and Prevention System ... 80
    4.2.1 Detection System ... 80
    4.2.2 Prevention System ... 81
  4.3 Types of Network Forensics Classification ... 82
    4.3.1 Payload-Based Identification ... 83
      4.3.1.1 Deep Packet Inspection ... 84
    4.3.2 Statistical-Based Identification ... 87
      4.3.2.1 Heuristic Analysis ... 87
  4.4 Network Forensics Analysis Classification ... 88
    4.4.1 Signature-Based Classification ... 88
    4.4.2 Decision Tree-Based Classification ... 88
    4.4.3 Ensemble-Based Classification ... 89
      4.4.3.1 Voting ... 91
      4.4.3.2 Adaptive Boosting ... 91
      4.4.3.3 Bagging ... 91
  4.5 Implementation and Results ... 92
  Questions ... 93
  References ... 93

Part B  Network Forensics Acquisition

5. Network Forensics Tools ... 97
  5.1 Introduction ... 97
  5.2 Visual Tracing Tools ... 98
    5.2.1 NeoTracePro ... 99
    5.2.2 VisualRoute ... 99
    5.2.3 Sam Spade ... 100
    5.2.4 eMailTrackerPro ... 100
  5.3 Traceroute Tools ... 100
    5.3.1 Text-Based Traceroute ... 101
    5.3.2 3D-Based Traceroute ... 101
    5.3.3 Visual Traceroute ... 102
  5.4 Monitoring Tools ... 102
    5.4.1 Packet Sniffer Tool ... 102
      5.4.1.1 Wireshark ... 102
      5.4.1.2 Argus ... 103
      5.4.1.3 TCP Dump ... 104
      5.4.1.4 OmniPeek ... 104
    5.4.2 Intrusion Detection System (IDS) ... 106
      5.4.2.1 Zeek ... 106
      5.4.2.2 SNORT ... 106
    5.4.3 Finger ... 107
      5.4.3.1 Nmap ... 107
      5.4.3.2 POF ... 108
    5.4.4 Pattern-Based Monitoring Tool ... 108
      5.4.4.1 NGREP ... 109
      5.4.4.2 TCPXTRACT ... 109
    5.4.5 Statistics-Based Monitoring System ... 110
      5.4.5.1 NetFlow ... 110
      5.4.5.2 TCPstat ... 110
  5.5 Analysis Tools ... 110
    5.5.1 Open-Source Tool ... 111
      5.5.1.1 NetworkMiner ... 111
      5.5.1.2 PyFlag ... 111
    5.5.2 Proprietary Tools ... 111
      5.5.2.1 NetIntercept ... 112
      5.5.2.2 SilentRunner ... 112
  Questions ... 116
  References ... 116

6. Network Forensics Techniques ... 119
  6.1 Introduction ... 119
    6.1.1 Conventional Network Forensics Technique ... 120
    6.1.2 Advanced Network Forensics Technique ... 120
  6.2 Conventional Network Forensics Technique ... 120
    6.2.1 IP Traceback Technique ... 120
      6.2.1.1 Link State Testing ... 121
      6.2.1.2 Input Debugging ... 121
      6.2.1.3 Controlled Flooding ... 122
      6.2.1.4 ICMP Traceback ... 122
      6.2.1.5 Packet Marking Techniques ... 123
      6.2.1.6 Source Path Isolation Engine ... 123
      6.2.1.7 Payload Attribution ... 124
    6.2.2 Intrusion Detection System ... 124