Shared Flashcard Set


Network Forensics
A forensics course in network and digital forensics
Computer Science
The OSI Model

-a way of sub-dividing network communications into smaller parts called layers

-each layer provides services to the layer above it while receiving services from the layer below

-the current model has 7 layers

-each layer can yield different types of evidence

Types of Networks

-Local Area Network (LAN)

-networks that are small in geographic size, spanning a room, building or campus

-most LANs use fixed hardware media connections: fiber-optic or copper cable


-Wireless Local Area Network (WLAN)

-most common type of network faced in digital forensics

-home and public WLANs are frequently open or use weak encryption (WEP), which allows easy piggybacking; even on a WPA2-protected network the MAC addresses of the stations are sent in the clear

-contains computers and devices connected through 802.11 wireless technology

-normally an extension of a hardwired LAN, but can also exist in a wireless-only environment



-Metropolitan Area Network (MAN)

-regional group of networks connected through various technologies such as fiber-optic or telephone lines, copper cable, microwave links, etc.

-generally serves an area of 3-30 miles

-Huntington has a microwave network just for cameras, which feed back to the police

-Marshall is becoming a MAN


-Wide Area Network (WAN)

-large network encompassing parts of states, multiple states, countries, or the world

-connects several LANs, WLANs, and MANs together

-3G/4G cellular networks are wide area networks

Internet

  • has been available to most homes and businesses for about 15 years (at the time these cards were written)
  • the largest WAN; uses standard protocols for communication (TCP/IP)
  • seamless communication across different platforms using the same protocol

Intranet

  • cross-platform communication within an internal environment, using the same TCP/IP protocols as the Internet
  • usually found in large corporate and retail environments
  • private-industry investigators will see this more
TCP/IP Protocol
  • Transmission Control Protocol/Internet Protocol
  • TCP/IP is the standard for computers to communicate across the Internet
  • info is transmitted from a network system in chunks called packets
    • each chunk contains both the data to be transferred and the header info needed to deliver it to the destination
  • TCP/IP sends info via LAN addressing and internetwork addressing
LAN Addressing
  • one way that TCP/IP sends info
  • each node in a LAN has a MAC address that is factory-programmed into the NIC
    • frames are addressed to one node (unicast), a group of nodes (multicast) or all nodes (broadcast)
  • common in home networks
Internetwork Addressing
  • the other way TCP/IP sends info
  • an internetwork is a collection of LANs and/or other networks connected with routers
    • each network has a unique address and each node on the network has a unique address (the combination is the IP address)
  • IP is responsible for network-layer addressing in the TCP/IP suite
  • websites are reached by internetwork addressing, so they can be accessed from any computer anywhere
MAC Addressing
  • Media Access Control address is a unique identifier assigned to network interfaces for communications on the physical network segment
  • used for numerous technologies (Ethernet, 802.11 Wi-Fi, Bluetooth)
  • contained in essentially any device that communicates on a network
  • standard format for MAC addresses in human-friendly form is six groups of 2 hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order
    • e.g. 01-23-45-67-89-ab or 01:23:45:67:89:ab
  • may also be three groups of four hexadecimal digits separated by dots (0123.4567.89ab), the form Cisco equipment uses
  • each device living on a particular network should have its own MAC address
  • the first three octets are the OUI (Organizationally Unique Identifier), which identifies the manufacturer of the interface
  • it is possible to change the MAC address on most of today's hardware
    • necessary in network virtualization (virtual NICs get software-assigned MACs)
    • called MAC spoofing when done to impersonate another device, bypass MAC filtering or hide the real hardware; a spoofed MAC breaks the assumption that the MAC identifies a physical device
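A small Python utility, added here as an example (it is not part of the original flashcard set), that accepts all three notations from the card, normalizes them, and extracts what a forensic examiner actually reads out of a MAC: the OUI, the group bit, and the locally-administered bit that flags software-assigned (virtual or spoofed) addresses. The OUI_TABLE is a constructed stand-in for the IEEE registry; a real tool would consult the IEEE OUI file.

```python
"""Normalise MAC addresses in the three human-readable forms from the card
and pull out the forensic signals a MAC carries: the OUI, the
individual/group bit and the universal/local bit.

Added example; not from the original flashcard set."""
import re

# Constructed: a few OUI prefixes -> vendor names. A real lookup uses the
# IEEE MA-L registry; these entries are illustrative only.
OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "00:1A:2B": "Example Vendor (constructed)",
}

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(text):
    """Accept 01-23-45-67-89-ab, 01:23:45:67:89:ab or 0123.4567.89ab and
    return the canonical colon form in upper case. Raises ValueError on
    anything that is not exactly 12 hex digits once separators are removed."""
    digits = re.sub(r"[-:.]", "", text.strip().lower())
    if not HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def describe_mac(text):
    """Decode the fields an investigator cares about."""
    mac = normalize_mac(text)
    first = int(mac[0:2], 16)
    oui = mac[0:8]
    return {
        "mac": mac,
        "oui": oui,
        "vendor": OUI_TABLE.get(oui),          # None when the OUI is unknown
        # bit 0 of the first octet: 0 = unicast (one node), 1 = group/broadcast
        "group": bool(first & 0x01),
        # bit 1 of the first octet: 1 = locally administered (set in software,
        # VM-generated or randomised), 0 = burned-in address with a factory OUI.
        # A locally administered MAC should never be attributed to a vendor.
        "locally_administered": bool(first & 0x02),
    }

if __name__ == "__main__":
    for sample in ("0123.4567.89ab", "00-50-56-ab-cd-ef", "02:00:00:00:00:01"):
        print(describe_mac(sample))
```

Note that the card's own example, 01-23-45-67-89-ab, has the group bit set, so it denotes a multicast destination rather than a single interface; that is exactly the kind of detail the bit check surfaces.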
Network Interface Card
  • Network Interface Card/controller (NIC)
  • computer hardware component that connects a device to a network
  • can be wired or wireless
  • computers might have 2 or 3 in them (e.g. wired plus wireless), so one machine can have several MAC addresses
  • comes as a PCI/PCIe card, a USB adapter or an onboard chip; a wireless NIC has an antenna and uses radio to reach the access point
Internet Protocol Addressing
  • a numerical label assigned to each device (e.g. computer, printer) participating in a computer network that uses IP for communication
  • an IP address serves two principal functions: host or network interface identification and location addressing
  • IPv4 addresses are 32-bit numbers
  • due to substantial growth and the shortage of IPv4 addresses, the 128-bit IPv6 is replacing IPv4
IP Address Classes
  • 4 address formats/classes concerning the allocation of IPv4 addresses (a fifth, Class E, is reserved)
  • Classes A, B, C and D, distinguished by the first octet
  • 255 is the largest number in an octet because 8 bits allow only 256 values (0-255)
  • can see how big a (classful) network is from the first octet of the IP address
  • IP addresses are binary numbers; they are usually stored in text files and displayed in human-readable dotted-decimal notation
IP Address Class A
  • for large networks with many hosts
  • big businesses/companies
  • first octet 1 to 126 (127 is reserved for loopback); default mask 255.0.0.0, about 16.7 million hosts per network
IP Address Class B
  • for medium-sized networks
  • Sprint, most regional stuff
  • first octet 128 to 191; default mask 255.255.0.0, 65,534 hosts per network
IP Address Class C
  • for smaller networks
  • fewer than 256 addresses per network (254 usable hosts)
  • first octet 192 to 223; default mask 255.255.255.0
IP Address Class D
  • multicast addresses
  • multicast = sending the same data to multiple receivers at once
  • not for normal host addressing; the private ranges used for internal traffic (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are carved out of classes A, B and C, not class D
  • first octet 224 to 239
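The classification above in code, added as an example and not from the original cards: it derives the class and default mask from the first octet and, using Python's standard ipaddress module, flags the private, loopback, link-local and multicast ranges an investigator must not treat as a routable Internet host when tracing an address from a log.

```python
"""Classify an IPv4 address the way the 'IP Address Classes' cards do, and
flag the ranges that do not identify a routable Internet host.

Added example; not part of the original flashcard set."""
import ipaddress

def parse_ipv4(text):
    """Return the four octets of a dotted-quad address, rejecting anything
    outside 0-255 (each octet is 8 bits, so 255 is the largest value)."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % text)
    octets = [int(p) for p in parts]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % text)
    return octets

def classify_ipv4(text):
    """Classful class from the first octet, the default prefix length and
    usable host count per network, plus the special-range flags."""
    first = parse_ipv4(text)[0]
    if first < 128:
        cls, bits = "A", 8
    elif first < 192:
        cls, bits = "B", 16
    elif first < 224:
        cls, bits = "C", 24
    elif first < 240:
        cls, bits = "D", None   # multicast: there is no host portion
    else:
        cls, bits = "E", None   # reserved / experimental
    addr = ipaddress.IPv4Address(text.strip())
    return {
        "class": cls,
        "default_prefix": bits,
        # e.g. class C: 2**8 - 2 = 254 (network and broadcast are reserved)
        "usable_hosts": (2 ** (32 - bits) - 2) if bits else 0,
        # RFC 1918 space (plus loopback, link-local and documentation ranges)
        "private": addr.is_private,
        "loopback": addr.is_loopback,        # 127.0.0.0/8
        "link_local": addr.is_link_local,    # 169.254.0.0/16 (APIPA, no DHCP answer)
        "multicast": addr.is_multicast,      # 224.0.0.0/4, class D
    }

if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.20.0.1", "192.168.1.10", "224.0.0.251", "169.254.1.1"):
        print(sample, classify_ipv4(sample))
```

A logged source address that comes back private or link-local points at a machine behind the same NAT or on the same segment, not at a remote subscriber, so the next step is the local DHCP or ARP data rather than a subpoena to an ISP.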
Static IP
  • an IP address that does not change
  • used for web servers, websites, and other technologies where the IP is required to stay the same
Dynamic IP
  • an IP address leased to a device for a limited time and liable to change at renewal
  • assigned by Dynamic Host Configuration Protocol (DHCP)
  • when the IP address changes, the mapping of IP to device on the network changes as well, which matters when matching a logged IP to a machine
  • on many home networks the lease is 24 hours, so the address can change daily
  • bigger websites like Google use multiple IP addresses in different regions to spread server load; that is load balancing rather than dynamic addressing, but it is another reason one hostname may map to many IPs
Dynamic Host Configuration Protocol
  • Dynamic Host Configuration Protocol (DHCP)
  • allows a device to automatically receive an IP address
  • provides a central database for keeping track of computers that have been connected to the network
  • prevents two computers from accidentally being configured with the same IP address
  • businesses have their own DHCP server; homes use the router's or an ISP's DHCP server
  • leases IP addresses to devices for certain intervals of time (from hours to days)
  • the DHCP database maintains a list of recent requests along with MAC and IP addresses
    • once you have the MAC, the OUI gives the manufacturer, and the manufacturer may have records of which device was programmed with that MAC
    • can't say with 100% certainty (the MAC may have been spoofed)
  • a mobile device's IP address may change from tower to tower
Allocation of IP addresses
  • an address pool is a set of IP addresses available at any level in the hierarchy
  • at the top level, the IPv4 address pool contains about 4 billion (2^32) addresses, while the IPv6 pool has about 3.4 x 10^38 (2^128) addresses
Internet Assigned Numbers Authority
  • entity that oversees global IP address allocation
  • delegates allocation of IP address blocks to regional internet registries (RIRs)

Regional Internet Registries

-each allocates addresses for a different area of the world

-evolved over time, eventually dividing the world into 5 different RIRs

5 Different RIRs

1. African Network Information Centre (AfriNIC) for Africa

2. American Registry for Internet Numbers (ARIN) for the US, Canada, several parts of the Caribbean region, and Antarctica

3. Asia-Pacific Network Information Centre (APNIC) for Asia, Australia, New Zealand, and neighboring countries

4. Latin America and Caribbean Network Information Centre (LACNIC)

5. Reseaux IP Europeens Network Coordination Centre (RIPE NCC) for Europe, the Middle East and Central Asia



Modem

-modulates an analog carrier signal to encode digital info (modulator/demodulator)

-more commonly found in homes and home offices in the form of DSL modems (telephone line) or cable modems (coaxial cable line)

-the simplest form (Bell 202 style FSK over a phone line) sends 1s and 0s as audio tones (1 = 1200 Hz, 0 = 2200 Hz) and converts received tones back to digital form for the computer; DSL and cable modems use more complex modulation over many carriers, but the principle is the same

-by connecting a wireless access point to the modem, the access point sends radio signals to the computer, where the wireless card translates them back into data


Node

-a physical network node is an active electronic device that is attached to a network and is capable of sending, receiving, or forwarding information over a communications channel

-it is important to know which nodes live on a particular network


Server

-a physical or virtual system dedicated to running one or more services, to serve the needs of programs running on other computers on the same network

-servers can serve many different functions

    -can run multiple virtual servers on a physical server

-some DNA programs/software run on their own separate servers


Bridge

-similar to repeaters or network hubs in that it joins network segments, but a bridge works at the data-link layer rather than the physical layer, so it sees MAC addresses

-can analyze incoming frames to determine whether the bridge needs to forward a given frame to another segment of the network (it filters by MAC, passing only what the other segment needs)

-extends the network out by bridging segments together


Router

-routers forward data packets between networks, creating an overlay internetwork

-a router is connected to two or more data lines from different networks

-when data comes in on one of the lines, the router reads the address information in the packet to determine its ultimate destination

-the most familiar type of routers are home and small-office routers that simply pass data, such as web pages and email, between the home computers and the owner's cable or DSL modem, which connects to the ISP

-more sophisticated routers connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical-fiber lines of the Internet backbone

Switch

-switches connect many devices to the same network, forwarding each frame only to the port where the destination MAC lives (which is why a sniffer on a switched network sees only its own traffic unless the switch is configured to mirror ports)

Network Cabling

-cable is the medium through which information usually moves from one network device to another

-there are several types of cable which are commonly used with LANs

-in some cases a network will utilize only one type of cable; other networks will use a variety of cable types

   -the cable chosen is related to a network's topology, protocol and size

-understanding the different types of cable and how they relate to other aspects of a network is necessary to understand the topology of a particular network and what type of forensic analysis can be performed on it

Unshielded/Shielded Twisted Pair (UTP/STP) Cable

-twisted-pair cabling comes in 2 varieties: shielded and unshielded

-Unshielded: most popular, generally the best option for school networks

-twisted-pair cabling is commonly referred to as "Ethernet", "CAT5" or "CAT6" cable; RJ45 is the connector on the end

      -CAT5e and CAT6 look the same, but CAT6 is rated for higher bandwidth (250 MHz vs 100 MHz) and supports faster speeds over longer runs

POE Cable

-Power over Ethernet

-the Ethernet cable itself carries DC power to the device (IP phones, cameras, access points) along with the data

-lets products be designed that need only one cable for both power and data

Coaxial Cable

-has a single copper conductor at its center

-transfers the signal through the copper line

-a plastic layer provides insulation between the center conductor and a braided metal shield

    -the metal shield blocks outside interference from fluorescent lights, motors and other computers

-can sometimes follow the coaxial cable to a modem

Fiber Optic Cable

-center glass core surrounded by several layers of protective materials

-transmits light rather than electrical signals, eliminating the problem of electrical interference

     -makes it ideal for environments with lots of electrical interference

      -also has made it the standard for connecting networks between buildings, due to its immunity to the effects of moisture and lightning

-has the ability to transmit signals over much longer distances than coaxial and twisted pair

     -broadens communication possibilities (video conferencing, interactive services)

-cost of fiber is comparable to copper, however it is more difficult to install and modify

     -10BaseF refers to the specification for fiber carrying Ethernet

-used as the primary backbone cable in larger enterprise networks and as the primary cable between switches

-can be multimode or single mode

Multimode vs. Single Mode Fiber Optic Cable

Multimode: larger core diameter, cheaper transceivers, shorter reach; both types provide high bandwidth at high speeds

Single Mode: can cover more distance, but it is more expensive


Network Forensics Seeks to identify methods for...

-collecting volatile data from network systems

-collecting non-volatile data from network systems

-collecting live data from network systems

7 Layers of OSI Model

Top to bottom (standard layer numbers; Physical is layer 1)

7. Application

6. Presentation

5. Session

4. Transport

3. Network

2. Data Link

1. Physical

Physical Layer
  • the bits and bytes of the whole transmission
  • helps in transmitting data bits over a physical channel
  • has a set of predefined rules that physical devices and interfaces on a network have to follow for data transmission to take place
  • bit-level transmission is sometimes where you can find a good portion of the evidence
Data-Link Layer
  • controls errors in transmission by adding a trailer (the frame check sequence) to the end of the data frame
  • determines whether a frame is intact and well-formed (checksum correct, proper length) and discards it if not
Packet Sniffers
  • computer software or hardware that can intercept and log traffic passing over a digital network or part of a network
  • put the NIC in promiscuous mode and collect digital evidence at the physical/data-link level
  • WPA traffic is encrypted, but you can still capture the frames; you might not be able to make sense of the data in them, but you can get the MACs and figure out where traffic is coming from
  • WEP encryption can be broken once you collect on the order of tens of thousands of packets with unique IVs (around 100,000 is more than enough)
TCPdump
  • captures frames from the NIC and decodes the network and transport layer headers on top of the physical and data-link layer
  • most sniffers also serve as traffic-analysis tools
  • tool that allows the sniffing of network packets and statistical analysis of the dumps
  • operates by putting the network interface into promiscuous mode
  • may be used to measure response time, packet loss %, and view TCP/UDP connection establishment and termination
  • mainly Unix/Linux based
  • its end-of-run report consists of: captured packet count, received-by-filter packet count, "dropped by kernel" count
  • has to be run from a command prompt (not point-and-click friendly)
Windump
  • sniffer
  • flavor of TCPdump for Windows
  • captures with the command windump -w filename.dmp; packets are written to the file in binary pcap format, so it must be read back with windump -r filename.dmp or opened in a protocol analyzer, not in Notepad
    • will capture until you tell it to stop (Ctrl-C)
  • windump -w filename.dmp -s 65535: the -s option sets the snapshot length, i.e. how many bytes of each Ethernet packet to keep (65535 keeps whole packets; older versions truncated by default)
  • need to find the correct interface number of the computer's Ethernet device (windump -D lists them) and pass it with -i
  • -w writes the raw packets to a file instead of printing them on screen; to get text for a log or assignment, redirect the normal decoded output instead (windump -n > out.txt)
    • useful for including info in logs or for admin work/assignments
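What a -w capture file actually contains. This added Python example (not from the original cards, nor from the tcpdump or WinDump projects) builds a two-packet capture in memory in the libpcap format that tcpdump and WinDump write, then parses it back, decoding the Ethernet, IPv4 and TCP/UDP headers. The MACs and IPs in the sample are constructed. Reading it shows why the file is not Notepad-readable and which fields the sniffer recovers at each layer.

```python
"""Minimal reader for the libpcap file format that `tcpdump -w` / `windump -w`
produce, decoding Ethernet, IPv4 and TCP/UDP headers.

Added example; not from the original flashcard set. The capture is
constructed in memory with build_pcap() rather than read from a real file,
and every address in it is made up for the demonstration."""
import struct
import socket

PCAP_MAGIC = 0xA1B2C3D4          # native-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_packet(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet II + IPv4 + (TCP SYN or UDP), no options. Constructed data;
    the IPv4/L4 checksums are left at zero because the parser does not verify them."""
    if proto == 6:      # TCP: seq, ack, data offset 5 words (20 bytes), flags = SYN
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == 17:   # UDP: length covers header + payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) are built here")
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", 0x0800) + ip + l4

def build_pcap(frames, snaplen=65535):
    """Global header (24 bytes) followed by a 16-byte record header per frame."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("=IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield one dict per packet: timestamp, MACs, IPs, protocol and ports."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from("=IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("=IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        rec = {"ts": ts_sec + ts_usec / 1e6,
               "truncated": incl_len < orig_len,        # -s too small: tail is gone
               "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
               "ethertype": struct.unpack_from("!H", frame, 12)[0]}
        if rec["ethertype"] != 0x0800:
            yield rec          # ARP, IPv6 etc.: only the data-link layer is decoded
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[14 + 9]
        rec.update(src_ip=socket.inet_ntoa(frame[26:30]),
                   dst_ip=socket.inet_ntoa(frame[30:34]), proto=proto)
        l4 = 14 + ihl
        if proto in (6, 17):
            rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, l4)
        if proto == 6:
            rec["tcp_flags"] = frame[l4 + 13]
        yield rec

# Constructed sample: a TCP SYN to a web server and a DNS query to the gateway.
SAMPLE_CAPTURE = build_pcap([
    build_packet("00:50:56:ab:cd:ef", "00:1a:2b:3c:4d:5e", "192.168.1.10", "203.0.113.5", 6, 51234, 80),
    build_packet("00:50:56:ab:cd:ef", "00:1a:2b:3c:4d:5e", "192.168.1.10", "192.168.1.1", 17, 40000, 53, b"\x00" * 12),
])

def summarize(data):
    """tcpdump-style one-liners for the decoded IPv4 packets."""
    return ["%s %s:%s > %s:%s proto %d" % (r["src_mac"], r["src_ip"], r.get("sport"),
            r["dst_ip"], r.get("dport"), r["proto"])
            for r in read_pcap(data) if "src_ip" in r]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_CAPTURE)))
```

The "truncated" flag is the practical reason for the -s 65535 option on the card: a capture taken with a small snapshot length still records every MAC, IP and port, but the payload needed to reconstruct a file or an email body is simply not in the file.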
Wireshark (formerly Ethereal)
  • a network protocol analyzer for UNIX and Windows
  • allows the user to examine data from a live network or from a capture file on disk
  • the user can interactively browse the captured data, viewing the summary and detailed info of each packet captured
  • mostly all point-and-click and very user friendly
  • can set up rules and filters for color coding
  • FREE!
  • captures and archives network traffic so you can analyze problems as soon as they are detected
  • correlates user sessions and reconstructs files transmitted or received over the network, giving you immediate evidence of misbehavior
  • can discover security breaches, points of regulatory non-compliance, and network problems, and shift your focus from finding problems to fixing them
  • monitors network activity and is capable of capturing and analyzing packets on any Ethernet network
  • does a good job of figuring out where an IP is coming from (the country flag on the side)
    • GeoIP might not give a specific residence, but it gives the region and you can contact the agency in that jurisdiction
SoftPerfect Network Sniffer
  • network protocol analyzer/sniffer
  • interface is similar to FTK
Evidence Gathering at the Data-Link Layer
  • MACs are associated with the hardware/data-link layer
  • the ARP table of a router is convenient for investigating network attacks; it contains IPs associated with their respective MACs (though ARP entries are short-lived and can be poisoned)
  • DHCP database
DHCP Database
  • maintains a list of recent requests, along with MACs and IPs, and the lease times
  • documentation of the DHCP database is done by:
    • photographing the PC screen
    • screenshot of the table saved to disk
    • exporting DHCP logs to external media
Network Layer
  • responsible for sending info from a source to a destination address across various links
  • adds the logical addresses (IP) of the sender and receiver to the header of the data
Transport layer
  • ensures that the whole message sent by the source has reached its destination
  • oversees error control and flow control during transmission
  • tries to keep the segments in order and make sure all parts are there; if not (with TCP), it requests retransmission rather than passing incomplete data up
Authentication Logs
  • evidence gathering at network/transport layer
  • show accounts related to particular events (logon, logoff, failed logon)
  • store the IP address of the authenticating user
Application Logs
  • evidence gathering at network/transport layers
  • storage of auditing info, including info produced by the application's activity
  • web server logs help identify the system which was used as a means to commit the crime
  • only the admin has the privilege to access these logs
  • tell what apps are running
Evidence Gathering at network/transport layer
  • authentication logs
  • application logs
  • OS logs
  • network device logs
Operating System Logs
  • network/transport layers
  • maintain a log of events such as errors, system reboot, shutdown, security policy changes, group management
  • before logging, bear in mind what to log; otherwise it can result in over-collection of data, making it difficult to trace the event
Network Device Logs
  • network/transport layer
  • devices such as routers and firewalls are configured to send a copy of their logs to a remote (syslog) server, as the storage on those devices is small and local logs are lost on reboot
  • these logs can be used as evidence for particular investigations on that network
  • primary focus is on expanding the efficiency of gathered info
  • enables organizations to recognize and respond to network activity promptly
  • by presenting the data at the application level, it eliminates the need for low-level packet inspection
Snort Intrusion Detection System
  • versatile, lightweight and useful detection system
  • logs packets in either TCPdump binary (pcap) format or in Snort's decoded ASCII format
  • plug-ins allow the detection and reporting subsystems to be extended
  • available plug-ins include database logging, small-fragment detection, portscan detection, and HTTP URI normalization
  • very intuitive and advanced
  • can detect anomalies in the traffic as well as matching signature rules
IDS Policy Manager
  • de facto standard for managing Snort rules on Windows
Evidence Gathering at the Application Layer
  • network shares
  • network-attached storage devices
    • virtual servers run on an application known as a hypervisor; their virtual disks may live on such storage
  • server/client email
    • can take from the domain (server) end or the machine (client) end
  • server/client applications
Documenting Evidence from Networks
  • if logs are small, print them out and verify them
  • document the evidence-gathering process by recording the name of the person who collected the evidence and where it was collected from
    • also the process used to collect the evidence and the reason
  • more complex when evidence is gathered from systems which are in remote locations
Three Fundamentals of Evidence Reconstruction for Investigations
  • Temporal Analysis
  • Relational Analysis
  • Functional Analysis
Temporal Analysis
  • a fundamental of evidence reconstruction
  • helps to identify the time and sequence of events
  • very risky to base your entire case on temporal analysis because clocks can always be off (unsynchronized systems, time zones, daylight saving)
Relational Analysis
  • a fundamental of evidence reconstruction
  • helps to identify the link between the suspect and the victim with respect to the crime
  • matching an IP address to logs/items to create a relationship
Functional Analysis
  • a fundamental of evidence reconstruction
  • helps to identify events that triggered the crime
  • what was used? what computers? what IP address?
  • what was the function of what was used to commit those crimes?
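Relational and temporal analysis in one step, as an added Python example (not from the original cards): it takes the IP recorded in an authentication log entry (Authentication Logs card) and looks up which MAC held that IP in the DHCP lease table at that moment (DHCP Database card). Both logs are constructed in a simplified format for the demonstration; real DHCP and auth logs vary by product. The lookup returns None when no lease covers the time and a list of candidates when clock skew makes more than one lease plausible, so the ambiguity is visible rather than hidden behind a single wrong match.

```python
"""Attribute auth-log events to a MAC via DHCP leases, time-aware.

Added example; not part of the original flashcard set. Both logs below are
constructed; the lease format is a simplification of ISC dhcpd's."""
from datetime import datetime, timedelta, timezone
import re

# Constructed DHCP lease records: start, end, IP, MAC. Note the same IP is
# leased to two different devices on consecutive days.
DHCP_LEASES = """\
2024-03-01T08:00:00Z 2024-03-02T08:00:00Z 192.168.1.10 00:50:56:ab:cd:ef
2024-03-02T08:05:00Z 2024-03-03T08:05:00Z 192.168.1.10 3c:22:fb:11:22:33
2024-03-01T09:00:00Z 2024-03-02T09:00:00Z 192.168.1.11 00:1a:2b:3c:4d:5e
"""

# Constructed auth log lines in a syslog-like shape.
AUTH_LOG = """\
2024-03-02T07:55:12Z sshd[4410]: Failed password for admin from 192.168.1.10 port 51234 ssh2
2024-03-02T07:55:15Z sshd[4410]: Failed password for admin from 192.168.1.10 port 51236 ssh2
2024-03-02T10:30:00Z sshd[4501]: Failed password for root from 192.168.1.10 port 52000 ssh2
2024-03-02T10:31:00Z sshd[4502]: Accepted password for root from 192.168.1.10 port 52001 ssh2
"""

AUTH_RE = re.compile(r"^(\S+) \S+ (Failed|Accepted) password for (\S+) from (\S+) port")

def parse_ts(text):
    """ISO-8601 UTC timestamp -> aware datetime (all sources must share one zone)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_leases(text):
    leases = []
    for line in text.splitlines():
        start, end, ip, mac = line.split()
        leases.append({"start": parse_ts(start), "end": parse_ts(end),
                       "ip": ip, "mac": mac.lower()})
    return leases

def parse_auth_events(text):
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m.group(1)), "result": m.group(2),
                           "user": m.group(3), "ip": m.group(4)})
    return events

def mac_for_ip_at(leases, ip, when, skew_seconds=0):
    """The MAC that held `ip` at `when`. None when no lease covers the time;
    a sorted list of candidates when the allowed clock skew makes more than
    one lease possible, so the analyst sees the ambiguity."""
    slack = timedelta(seconds=skew_seconds)
    hits = {l["mac"] for l in leases
            if l["ip"] == ip and l["start"] - slack <= when <= l["end"] + slack}
    if not hits:
        return None
    return hits.pop() if len(hits) == 1 else sorted(hits)

def attribute_events(auth_text, lease_text, skew_seconds=0):
    """Attach a MAC (or None / candidate list) to every auth event."""
    leases = parse_leases(lease_text)
    return [dict(ev, mac=mac_for_ip_at(leases, ev["ip"], ev["ts"], skew_seconds))
            for ev in parse_auth_events(auth_text)]

if __name__ == "__main__":
    for ev in attribute_events(AUTH_LOG, DHCP_LEASES):
        print(ev["ts"].isoformat(), ev["result"], ev["user"], ev["ip"], "->", ev["mac"])
```

The two failed logins just before 08:00 and the successful root login at 10:31 come from the same IP but resolve to two different MACs, which is the whole point of doing the join with time rather than by IP alone; a query at 08:03, in the gap between leases, resolves to nothing, and with a ten-minute skew allowance it resolves to both candidates.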
Legal Considerations
  • Constitutional standards
  • Statutory provisions
  • Policies and procedures concerning investigations and industry-specific acts
Federal Laws Pertaining to Network Investigations
  • 4th Amendment
  • Wiretap Act
  • Pen Register and Trap and Trace Statute
  • Privacy Protection Act
  • Computer Fraud and Abuse Act
  • Digital Millennium Copyright Act of 1998
  • USA PATRIOT Act of 2001
  • Child Pornography Act
  • Electronic Communications Privacy Act
Fourth Amendment
  • initially included in the Bill of Rights because British soldiers and militia would go into a person's house and do whatever they pleased (general warrants and writs of assistance)
  • protects individuals from unreasonable searches and seizures
  • two primary requirements: 1) does the person have a reasonable expectation of privacy in the place or thing being searched, and 2) if protections under the 4th Amendment apply, a warrant must be obtained (unless an exception exists)
Two Requirements of the 4th Amendment

1) Does the person affected have a reasonable expectation of privacy in the place or thing to be searched?



2) if protections under the 4th apply, then law enforcement must obtain a warrant unless an exception exists

Katz v. US
  • Katz v. United States (1967): a man used a payphone and the government, trying to prosecute him, wiretapped the public phone booth without a warrant
  • the court ruled that Katz had a reasonable expectation of privacy in the phone booth and the government had no right to tap it without a warrant; the 4th Amendment protects people, not places
Exceptions to 4th
  • Consent (from owner)
  • Exigent circumstances
  • Search incident to arrest
  • Inventory search
  • plain view 
Exigent Circumstances
if someone's life is in danger or evidence is about to be destroyed, a warrant is not needed to seize the electronic devices (a warrant is still normally required before searching their contents)
Search Incident to Arrest
  • because of the fleeting nature of cars, vehicle searches aren't always restricted by needing a warrant (the automobile exception)
  • if a cell phone is found in a vehicle, courts are currently saying you can't search the phone without a warrant, but you can hold/seize it; you just have to get a warrant to actually search it (Riley v. California, 2014)
US v. Thomson
  • search incident to arrest
  • appeal based on a search done in the trunk of a vehicle; he claimed he had an expectation of privacy in the locked trunk
Inventory Search

a routine inventory of property lawfully taken into custody (e.g. an impounded car) does not require a warrant; separately, after a warrant is executed you have to submit an inventory of what was seized to the court within 10 days (the same applies to searches of internet/online accounts)

Plain View Doctrine
  • if it is in plain view, it's fair game to be seized
Considerations when preparing a warrant (general)
  • what criminal offense is being investigated
  • specifically where the search will take place
  • what is expected to be found
  • how you know it is there (most important!)
    • do you have enough probable cause?
  • why is it relevant to the crime?
Wiretap Act
  • Title III of the Omnibus Crime Control and Safe Streets Act of 1968
  • applies to internet and network investigations; focuses on the interception of the content of communications while the communications are in transit and governs the disclosure of intercepted communications
    • wiretapping a telephone
    • real-time network monitoring
    • sniffer software
  • how they caught Don Draper!
To ensure Compliance with Wiretap Act, Determine whether:
  • the communication to be monitored is one of the protected communications defined in the statute
  • the proposed surveillance constitutes an "interception" of the communication
  • if both conditions are present, consult your local prosecutor or legal advisor for guidance
  • basically, make sure you have legal authority (a Title III order, consent of a party to the communication, or the provider/system-owner exception) before you do anything
Pen Register and Trap and Trace Statute
  • 18 U.S.C. 3121 et seq.
  • governs the real-time acquisition of dialing, routing, addressing, and signaling information relating to communications
  • does NOT cover acquisition of the content of communications
  • only covers transactional information about communications (a pen register records outgoing numbers/addresses, a trap and trace records incoming ones)
  • enacted after Smith v. Maryland (1979) held that numbers dialed carry no reasonable expectation of privacy, so Congress supplied a statutory court-order requirement instead
Privacy Protection Act
  • during investigations, consider: 1) is the material covered by the PPA?
  • PPA-covered material:
    • work product material created for the purpose of disseminating to the public through a public form of communication (what WikiLeaks is using to fight)
    • protected info because it's for the public, "press material"
    • an author working on a product, trying to protect that material until it is released to the public
    • iPhone 4 case
  • 2) documentary materials possessed for the purpose of disseminating to the public through a public form of communication
PPA's prohibition on the use of a search warrant does not apply when...
  1. the materials searched for or seized are contraband, fruits, or instrumentalities of the crime
  2. there is reason to believe that the immediate seizure of such materials is necessary to prevent death or serious bodily injury
  3. probable cause exists to believe that the person possessing the materials has committed or is committing the criminal offense to which the materials relate (except where the offense is mere possession of the materials, other than child pornography or certain government information)
  Note: civil damages are the exclusive remedy for a violation of the PPA; the PPA does NOT contain a provision to suppress evidence obtained in violation of the act
Computer Fraud and Abuse Act
  • 18 U.S.C. 1030
  • intended to reduce hacking of computer systems and to address federal computer-related offenses
  • governs cases with a compelling federal interest: where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce ("protected computers")
Digital Millennium Copyright Act of 1998
  • endeavors to balance the interests of internet service providers and copyright owners when copyright infringement occurs in the digital environment
  • DMCA protects internet service providers from liability for copyright infringement by their users if the ISP meets certain statutory requirements (the "safe harbor")
    • take certain steps when it receives notice that infringing material resides on its network
    • adopt and implement a policy that provides for termination in appropriate circumstances of users who are repeat infringers, and accommodate standard measures to identify and protect copyrighted works
    • protects only the ISP, NOT the users of the system who infringe copyright
USA PATRIOT Act of 2001
  • in response to increased terrorism activity
  • gives the feds greater authority to track and intercept communications, both for law enforcement and intelligence purposes
Electronic Communications Privacy Act
  • provides customers and subscribers of certain communications service providers with privacy protections
  • Title I amended the Title III Wiretap Act; Title II is the Stored Communications Act (Title III added the Pen Register statute)
  • applies when a law enforcement agent seeks certain information from a provider of electronic communications service or remote computing service, including:
    • subscriber information
    • transactional information
    • content
Stored Communications Act
  • Title II of ECPA
  • addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party ISPs
ECPA-Subscriber Info
  • easiest to get
  • may use a subpoena, if allowed by state law, to obtain info relating to the identity of a customer/subscriber, the customer/subscriber's relationship with the service provider, and basic session connection records
    • more extensive info, such as logs of the email addresses of people the customer corresponded with during prior sessions, is not available this way
  • a subpoena with notice can allow the discovery of the same evidence as a 2703(d) order and should be utilized when seeking this type of info
ECPA-Transactional Information
  • medium in terms of difficulty of obtaining
  • need to obtain a court order under 18 U.S.C. 2703(d) to compel a provider to disclose more detailed, non-content subscriber and session info, commonly referred to as transactional info, about the use of the services by a customer/subscriber
  • account activity logs that reflect what IP addresses the subscriber connected from and visited over time
  • e-mail addresses of others from whom or to whom the subscriber exchanged email
  • which credit cards were used
  • DOESN'T release anything about what exactly they were doing, or content
ECPA-Content
  • hardest to get
  • ECPA distinguishes between communications in storage that have already been retrieved by the customer or subscriber and those that have not
  • distinguishes between retrieved comms that are held by an electronic communications service, which can be public or private, and those held by a remote computing service, which only provides service to the public
Prior Notice to Subscriber
  • a subpoena or 2703(d) court order can compel a public service provider to disclose the contents of stored comms that have been retrieved by the customer or subscriber, or comms that are unretrieved but have been on the server more than 180 days
  • in both cases, LE is required to either give prior notice to the subscriber or comply with the delayed-notice provisions of section 2705(a)
    • LE can also use a search warrant, which does not require notice to the subscriber, to obtain this information
Un-Retrieved Communications
  • if held for 180 days or fewer, these comms have the highest level of protection under ECPA
  • LE must use a search warrant to compel the production of un-retrieved comms in storage with a service provider
  • no prior notice to the customer/subscriber is required if info is obtained with a search warrant
Voluntary Disclosure of Electronic Communications
  • providers of services not available to the public may freely disclose both contents and other records relating to stored communications
  • ECPA imposes restrictions on voluntary disclosures by providers of services to the public, but it also includes exceptions to these restrictions
Preservation Requests
  • timeliness is critical; this is the first thing you want to do, because a person's online info can change at any time and you want to preserve the evidence before they change or remove it
  • federal statute (18 U.S.C. 2703(f)), but local and state agencies can use it to preserve records too
  • when received and signed, the provider is required by law to take whatever info it has and hold it for 90 days, renewable once (they don't give it to you, they just hold it)
  • must be something that has already been stored; they can't be asked to prospectively capture new traffic
Subpoenas
  • most agencies use an administrative or grand jury subpoena to obtain digital info
  • yields BASIC info such as account info, method of payment, assigned IP numbers, account logins, session times, and possibly even the contents of historic emails
  • limited by the privacy rights set forth in ECPA
  • requirements vary widely between jurisdictions
  • different private organizations may have specific requirements
  • when drafting a subpoena, specifically define the evidence sought without excluding significant info
Court Orders
  • known as a "d" order (18 U.S.C. 2703(d))
  • not as widely used; the official must be able to state "specific and articulable facts" showing reasonable grounds to believe that the targeted information is relevant and material to an ongoing criminal investigation
  • still helpful to obtain more than just subscriber data, such as internet transactional info or a copy of a suspect's private data/home page
Search Warrant
  • requirements vary depending on the jurisdiction
  • in all cases, probable cause that a crime was committed and that evidence or contraband of that crime exists in the specific location you wish to search should be articulated
  • the particular evidence or contraband to be seized should be described as well
  • during execution, if evidence is discovered that is not described in the warrant, consider obtaining an additional or extended warrant
Malware
  • general term for a variety of harmful software designed to attack computer systems, networks or data
  • derived from combining the words "malicious" and "software"
  • also used to describe viruses
  • much of it is attributed to Russian-speaking criminal groups
  • most forms become installed on systems after an inadvertent action by an unsuspecting user
  • can compromise a computer through:
    • infected email/email attachment
    • phony website disguised as a legitimate site
    • executable files masked as image files, media, etc.
Types of Malware
  • Worms
  • Viruses
  • Rootkits
  • Keystroke Loggers
  • Spyware/Adware
  • Botnets
Worms
  • malware that propagates through a network of computers on its own, usually by exploiting flaws in the operating system
    • historically most often Windows-based systems
  • can pass from system to system without any action by the end user
  • generally attempt to exploit OS flaws
  • developers combine code from previous worms with newer ones so that a single worm tries as many exploits as it can
  • may also spread by guessing weak passwords or entering through backdoors
  • examples: Morris Worm, Melissa Worm, I Love You Worm, Storm Worm, Conficker Worm
Morris Worm
  • 1988; the first internet worm to gain major public attention
  • financial damages estimated between $100K and $10 million
  • spread between UNIX hosts on the early Internet by exploiting a sendmail debug mode, a buffer overflow in fingerd, trusted rsh/rexec relationships, and guessing weak passwords
  • did not delete data, but repeated reinfection overloaded machines until they were unusable
Melissa Worm
  • 1999; a Word macro virus posted to a newsgroup as a document promising passwords to pornographic websites
  • infected Windows 95, 98 and NT systems running Word and Outlook, mailing itself to the first 50 addresses in the victim's address book
  • estimated damage of $80 million
I Love You Worm
  • 2000
  • propagated on Windows when users opened an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs"; Windows hid the known .vbs extension by default, so it appeared to be a text file
  • a technically simple VBScript worm
  • emailed itself to every address in the victim's Outlook address book
  • overwrote image, music and video files with copies of itself
  • damages estimated at $100 million to $10 billion (lost time, files, information)
Storm Worm
  • 2007; infected computers through an email attachment with the subject line "230 dead as storm batters Europe"
  • once installed, propagated automatically and enrolled the machine in a botnet
  • polymorphic: the worm's code changed roughly every 30 minutes to evade signature detection
  • infected an estimated tens of millions of computers (figures as high as 50 million were reported)
  • the programmers responsible have never been identified
  • affected Europe far more than the US
Fuzzy Hashing
  • similarity hashing (e.g. ssdeep's context-triggered piecewise hashing): files that are nearly identical get similar digests, so a variant of a known malware sample still matches even though its cryptographic hash (MD5/SHA-256) is completely different
  • this is how antivirus and forensic tools match "like" files and malware variants
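The idea above in working code, as an added example for this card (it is a toy version of context-triggered piecewise hashing, not ssdeep itself and not code from the course): the file is cut into chunks wherever a rolling hash over the last few bytes hits a trigger value, each chunk is hashed, and two files are compared by how many chunk digests they share. A one-byte patch changes SHA-256 entirely but leaves almost every chunk digest intact. The sample "files" are generated from a seeded PRNG, not real malware.

```python
"""Toy context-triggered piecewise hash (CTPH), the idea behind ssdeep.

Added example for this card; it is not ssdeep and not code from the course.
The sample "files" are constructed from a seeded PRNG, not real malware.
"""
import hashlib
import random

WINDOW = 7      # bytes covered by the rolling hash
BLOCK = 64      # average chunk size: a boundary fires about once per BLOCK bytes
BASE = 257
MOD = 1 << 32
BASE_POW = pow(BASE, WINDOW, MOD)


def chunk_digests(data: bytes) -> list:
    """Cut data at content-defined boundaries and hash every chunk.

    Because a boundary depends only on the last WINDOW bytes, editing one
    byte moves at most a few boundaries; most chunks (and their digests)
    survive the edit. A plain SHA-256 of the whole file would not.
    """
    h = 0
    start = 0
    digests = []
    for i, b in enumerate(data):
        h = (h * BASE + b) % MOD
        if i >= WINDOW:
            h = (h - data[i - WINDOW] * BASE_POW) % MOD   # drop the byte leaving the window
        # use the high bits: the low bits of a polynomial hash mix poorly
        if (h >> 20) % BLOCK == BLOCK - 1:
            digests.append(hashlib.sha256(data[start:i + 1]).hexdigest()[:12])
            start = i + 1
    if start < len(data):
        digests.append(hashlib.sha256(data[start:]).hexdigest()[:12])
    return digests


def fuzzy_hash(data: bytes) -> str:
    """Printable similarity digest: the chunk digests joined with ':'."""
    return ":".join(chunk_digests(data))


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of two files' chunk-digest sets, 0.0 .. 1.0."""
    sa, sb = set(chunk_digests(a)), set(chunk_digests(b))
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def sample_file(seed: int, size: int = 4096) -> bytes:
    """Constructed sample data (deterministic for the given seed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def demo() -> dict:
    original = sample_file(1)
    variant = bytearray(original)
    variant[2000] ^= 0xFF               # one-byte patch, like a repacked malware variant
    variant = bytes(variant)
    unrelated = sample_file(2)
    return {
        "sha256_same": hashlib.sha256(original).hexdigest() == hashlib.sha256(variant).hexdigest(),
        "sim_variant": similarity(original, variant),
        "sim_unrelated": similarity(original, unrelated),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows `sha256_same` False while `sim_variant` stays above 0.9 and `sim_unrelated` is essentially 0. Real tools use a smarter rolling hash and encode each chunk as a single character so digests stay short, but the matching principle is the same.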
Conficker Worm
  • late 2008 into 2009
  • aka "Downup"/"Downadup"
  • installed remote-control software that "phoned home" periodically to ask for instructions
  • infected computers by combining techniques from past worms/malware: an unpatched Windows RPC vulnerability (MS08-067), dictionary attacks on administrator passwords, and removable-media autorun
  • never caused much direct damage, but was probably the most feared worm in the media
  • possibly a test run by a large hacking group to see what they could do
Viruses
  • require some user action to spread from one system to another
  • the user triggers the infection by opening an email attachment, unknowingly changing admin settings to allow it, etc.
  • commonly spread through email attachments, but can spread by other means
  • many operate by making users believe the email or file is from a legitimate source
Rootkits
  • attempt to take control of a computer system by attaching themselves to a portion of the OS and then concealing their existence
  • usually installed after an initial compromise; may disguise their network traffic as that of a legitimate program
  • usually consist of a program or several programs that obscure the fact that a system has been compromised
  • many rootkits act as a "trojan", providing a backdoor for other malicious software such as worms and/or viruses
Types of Rootkits
  • Hypervisor
  • Kernel
  • Library 
  • Application 
Hypervisor Rootkits
  • load a thin hypervisor beneath the running OS, so the OS is unknowingly running in a virtual machine under the rootkit's control and cannot see it
  • a related class (bootkits/firmware rootkits) alters the boot sequence or BIOS/firmware to load before the OS and stay under its radar; these are closer to a hardware/BIOS-level hack
Kernel Rootkit
  • modifies the kernel itself, e.g. via a loadable kernel module or device driver, so it runs with the highest privilege and can hide files, processes and connections from every user-space tool
  • Linux has many kernel rootkits because the kernel is open source, easy to study, and free
Library Rootkits
  • replace or hook shared libraries (e.g. libc or Windows system DLLs) so that programs calling them get falsified results
  • live in program or Windows system files
Trojan Horses
  • malware that appears to the user to perform a desirable function but in fact facilitates unauthorized access to the user's computer system
  • NOT self-replicating, which distinguishes them from viruses and worms
  • require interaction with a hacker to fulfill their purpose
  • the hacker need not be the individual responsible for distributing the trojan horse
  • hackers can scan computers on a network with a port scanner in the hope of finding one with a trojan horse already installed
  • designed to give a hacker remote access to a computer system to do many things (modify, delete, upload, download, install, log keystrokes, etc.)
Keystroke Loggers
  • the practice of noting (or logging) the keys struck on a keyboard, typically covertly so that the person using the keyboard is unaware their actions are being monitored
  • numerous keylogging methods exist, ranging from hardware- and software-based to electromagnetic and acoustic analysis
  • hardware keyloggers can be small inline devices that look like USB drives or keyboard adapters
Spyware
  • used to collect information from the computer of an unsuspecting user for a variety of purposes
  • some spyware collects information on the websites a person visits (cookies)
  • can collect personal information such as SSNs, passwords, etc.
  • excessive amounts of spyware can degrade PC performance by using up memory, processes and CPU cycles
Adware
  • any software package that automatically plays, displays, or downloads advertising material to a computer while a specific application is being used (e.g. IE)
  • differs from spyware in purpose: it collects web browsing history and sends the data to a host to profile the user's browsing habits, which are then used to target pop-ups
Botnets
  • a network of infected computers that can communicate with each other (or with a controller) to coordinate attacks or other actions
  • many PCs infected by botnet malware do not appear infected at all, because the bot may sit dormant for months, if not years, before being activated
  • computers infected with dormant bots are called "zombies"; they keep checking in for instructions for the next task
  • botnets can be used to send spam, propagate spyware, or launch denial of service attacks (most important!!!!!!!!!)
David Kernell
  • gained access to Sarah Palin's Yahoo email account in 2008 by answering the password-reset security questions with publicly available personal information
Social Engineering
  • the act of manipulating people into performing actions or divulging information
  • typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim
  • pretexting, phishing, baiting, quid pro quo, social recon
Pretexting
  • social engineering
  • the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action; typically done over the telephone or internet
  • more than a simple lie, as it most often involves prior research or setup and the use of pieces of known information (e.g. for impersonation: date of birth, SSN, last bill amount) to establish legitimacy in the mind of the target
Phishing
  • social engineering
  • technique of fraudulently obtaining private information
  • the phisher sends an email that appears to come from a legitimate business (a bank, credit card company) requesting "verification" of information and warning of some dire consequence if it is not provided. The email usually contains a link to a fraudulent web page that looks legitimate, with company logos and content, and a form requesting everything from a home address to an ATM card's PIN
iPod Mechanic Scam
  • Nicholas Arthur Woodhams of Kalamazoo, MI set up an online iPod repair shop
  • abused Apple's advance replacement program by guessing valid iPod serial numbers and backing the replacement holds with Visa-branded gift cards
  • repeated the process over 9,000 times and resold the "replacements" at heavily discounted prices
Baiting
  • social engineering
  • uses physical media and relies on the curiosity or greed of the victim
  • the attacker leaves a malware-infected floppy disk, CD-ROM, or USB flash drive in a location sure to be found (desk, elevator, sidewalk, parking lot, classroom), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device
Quid Pro Quo
  • social engineering
  • a this-for-that attack
  • the attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they reach someone with a legitimate problem who is grateful someone is calling back to help. The attacker "helps" solve the problem and in the process has the user type commands that give the attacker access or launch malware
  • Kevin Mitnick is the best-known practitioner of this kind of quid-pro-quo call
Social Recon
  • social engineering
  • involves finding out specific information on individuals by various means:
    • search engines
    • social networking sites
    • government databases/online records
    • Topix (local news forums)
    • digital images
Tom Berge
  • social recon
  • used aerial photos to pinpoint museums, churches and schools across south London with lead roof tiles (darker in color)
  • used ladders and abseiling ropes to strip the roofs and carried the lead away in a stolen vehicle to be sold for scrap
Internet Website Exploits
  • e-commerce
  • weak/unprotected code
  • search engine exploits
  • divulging information on webpages & social networking sites
Domino's "Bailout" Coupon
  • 2009
  • customers went to the Domino's Pizza site, ordered a medium one-topping pizza, and entered the coupon code "bailout" for a free pizza
  • about 11,000 free pizzas were redeemed in total (roughly $77,000)
Jackpotting the iTunes Store
  • a group of UK-based DJs supplied 19 songs to the distributor TuneCore, which put them on sale on iTunes and Amazon
  • once online, the DJs opened accounts with 1,500 stolen or cloned US and British credit cards to buy their own albums over a couple of months
  • the purchases boosted their chart rankings, resulting in even more sales and increased royalties for the DJs
Weak SQL Code
  • SQL injection through weak, unparameterized database code can give an attacker access to an entire customer or patient database
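The weakness on this card, shown beside its fix as an added example (not code from the course): a lookup that pastes user input into the query string lets a tautology payload return every patient row, while the parameterized version returns nothing for the same payload. The in-memory SQLite table and its rows are constructed sample data.

```python
"""Weak SQL beside its parameterized fix, on an in-memory SQLite database.

Added example for this card, not code from the course. The patients table
and its rows are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, last_name TEXT, ssn TEXT)"
    )
    con.executemany(
        "INSERT INTO patients (last_name, ssn) VALUES (?, ?)",
        [("Adams", "000-00-0001"), ("Baker", "000-00-0002"), ("Clark", "000-00-0003")],
    )
    return con


def lookup_weak(con: sqlite3.Connection, last_name: str) -> list:
    """VULNERABLE: the user's text is pasted straight into the SQL string,
    so quotes and keywords in it become part of the query."""
    sql = "SELECT last_name, ssn FROM patients WHERE last_name = '%s'" % last_name
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, last_name: str) -> list:
    """HARDENED: the value is bound as a parameter; the database never
    parses it as SQL, so a quote is just a quote."""
    return con.execute(
        "SELECT last_name, ssn FROM patients WHERE last_name = ?", (last_name,)
    ).fetchall()


INJECTION = "x' OR '1'='1"   # classic tautology payload typed into a search box


def demo() -> dict:
    """Row counts for a normal lookup and for the injection, weak vs safe."""
    con = make_db()
    return {
        "weak_normal": len(lookup_weak(con, "Adams")),
        "weak_injected": len(lookup_weak(con, INJECTION)),
        "safe_normal": len(lookup_safe(con, "Adams")),
        "safe_injected": len(lookup_safe(con, INJECTION)),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the weak query becomes `... WHERE last_name = 'x' OR '1'='1'`, which is true for every row; that is the whole "patient database" leaving through a name field. Binding parameters fixes it regardless of what the input contains.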
a hacker toolkit bundling a multitude of programs and tools, including anti-forensics tools
Craigslist
  • a centralized network of online communities featuring free online classified advertisements, with sections devoted to jobs, housing, personals, for sale, services, community, gigs, etc.
  • a popular site for stalkers and for prostitutes/escorts
  • allows users to contact other members, maintain those contacts, and share online content and media with those contacts
  • also used for dating and discovering new events, bands and hobbies
  • users may share videos, photos, messages and comments with other members via their profile and their network
YouTube
  • video sharing website on which users can upload and share videos
  • although the site is scanned and content is filtered, illicit content can be uploaded and remain available until it is flagged by admins and/or other YouTube users
Second Life
  • 3D social networking site that uses user-created avatars to communicate through text and/or voice chat
  • your avatar can walk, fly, and interact with other avatars
  • crimes such as sexual exploitation, stalking, and even the trading of child pornography have occurred in Second Life
Twitter
  • free social networking site and micro-blogging service that enables its users to send and read messages called "tweets"
  • senders can restrict delivery to those in their circle of friends or, by default, allow open access
  • people can link their Facebook to their Twitter account; if they delete their Facebook account, material cross-posted to Twitter may still be up and public
MySpace
  • continues to be a forum for younger people (mostly teens) to host their profiles and communicate with others
Facebook
  • the world's largest social networking site (750 million users at the time of the course)
  • continues to change the way people communicate and stay in contact
  • an online forum for self-expression, communication and, some might say, voyeurism
Investigations of Myspace/Facebook
  • good tool for investigators
  • they are online places where people write about themselves, what they are doing, where they are, and what their interests are
  • there is an endless list of data on social networking sites that can be useful to a criminal (or defense) investigation
  • screen recording and editing software
  • live capture of the monitor to record what you are doing
  • some investigators use it to document exactly what they did during an online investigation
  • good for websites!
Edward Muscare
  • 77-year-old registered sex offender who posted numerous videos to YouTube and maintained a Twitter feed (he was prohibited from using computers)
  • one conviction in florida and one in SC
Internet Relay Chat
  • mIRC is a common Windows IRC client
  • users join channels (chat rooms), often by invitation, and chat with people of like interests
Association with Wireless AP and Device
  • if a wireless device can exchange network packets with the access point, it is associated
  • before accepting an association the AP may enforce either or both of the following:
    • MAC filtering
    • a pre-shared key (encryption)
  • if active traffic is flowing between the access point and an associated device, your wireless forensic laptop can display network statistics!
MAC Filtering
  • a security access control method whereby the 48-bit (12 hex digit) MAC address assigned to each network card is used to determine access to the network
  • only certain MAC addresses are allowed to connect
  • caveat: MAC addresses travel in the clear in every frame and can be set to any value in software, so an attacker who sniffs an allowed address can spoof it; MAC filtering alone is not proof that only known devices were on the network
Pre-Shared Key (PSK) or Use of Encryption
  • a PSK is a shared secret that was previously exchanged between the two parties over some secure channel before it is needed
  • such systems almost always use symmetric key cryptographic algorithms
  • the characteristics of the secret key are determined by the system using it; some system designs require keys in a particular format
    • it can be a password, a passphrase, or a hexadecimal string
    • the secret is used by all systems involved in the cryptographic processes that secure the traffic between them
    • the term is used in Wi-Fi encryption such as WEP, WPA and WPA2-Personal, where the wireless AP and all clients share the same key
  • since one weak point of a cryptosystem is the encryption key, the strength of the key matters; because strength depends in part on length (and on how predictable the key is), choose a key whose length and randomness are cryptographically adequate
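How a Wi-Fi PSK in either format becomes the actual 256-bit key, and why the format matters for strength, as an added example (not code from the course). The derivation is the one WPA/WPA2-Personal specifies: the passphrase is stretched with PBKDF2-HMAC-SHA1 using the SSID as salt, 4096 rounds, 32 bytes out, while a 64-hex-digit key is used as the key directly. The `keyspace_bits()` estimate is a simple charset-based calculation assumed here for illustration; a dictionary word is far weaker than that number suggests.

```python
"""Derive the WPA/WPA2-Personal PMK from a pre-shared key and estimate key strength.

Added example for this card, not code from the course. derive_pmk() follows the
WPA/WPA2-Personal specification (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds,
32 bytes; a 64-hex-digit key is the PMK itself). keyspace_bits() is a simple
charset-based estimate assumed for illustration, not a measurement.
"""
import hashlib
import math
import re
import string

HEX_KEY = re.compile(r"[0-9a-fA-F]{64}")


def derive_pmk(ssid: str, key: str) -> bytes:
    """Return the 256-bit pairwise master key for this SSID/key pair."""
    if HEX_KEY.fullmatch(key):
        return bytes.fromhex(key)            # raw key: no stretching at all
    if not 8 <= len(key) <= 63:
        raise ValueError("a WPA passphrase must be 8 to 63 characters")
    # the SSID is the salt, so the same passphrase yields a different PMK per network
    return hashlib.pbkdf2_hmac("sha1", key.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def keyspace_bits(key: str) -> float:
    """Bits an attacker must search if they know which character classes were used."""
    if HEX_KEY.fullmatch(key):
        return 256.0
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    charset = sum(len(c) for c in classes if any(ch in c for ch in key))
    charset = max(charset, len(set(key)))    # keys using characters outside those classes
    return len(key) * math.log2(charset)


if __name__ == "__main__":
    print(derive_pmk("IEEE", "password").hex())
    print(round(keyspace_bits("password"), 1), "bits for 'password'")
    print(keyspace_bits("0" * 64), "bits for a 64-hex-digit key")
```

The SSID-as-salt detail is why precomputed PMK tables only work against common network names, and why a forensic examiner who records the SSID and PSK from the WAP's admin page can decrypt captured WPA traffic in Wireshark. An eight-letter lowercase passphrase gives only about 38 bits of keyspace against a brute-force attacker who knows the charset, versus 256 for a random hex key.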
Search Warrants for Wireless Networks
  • the SW application (affidavit) should include proper language to perform on-site examination of computer and wireless-related equipment
  • conduct a forensic examination only on equipment you are permitted to examine
  • having a warrant allows you to monitor the network (at the federal level, with a Title III wiretap order)
  • when writing the search warrant, include the equipment you are going to be using
Penetration Test
  • more of a private sector term: seeing how deep you can get into a network without being stopped, and how much information can be taken before something or someone stops you
Points to Consider (Wireless)
  • penetration tests
  • consult with legal counsel about curtilage
  • external wireless access points whose signal coverage overlaps the search warrant scene (how many?)
  • which devices connect, or are actively connected, to the associated APs?
  • the approximate range (footprint) and signal strength of the examiner's wireless network card (NIC)
Things to NOT Overlook When Testing the Wireless Network
  • take pictures of the modem/server that you find; these can be considered physical evidence
  • a visual inspection of broadband modems will quickly determine if a WAP is physically connected
  • be able to determine if a home network uses cable, DSL, or another method to connect
  • if a wireless access point is physically located, the initial goal is to determine its associated devices by directly connecting to it via a network cable
    • unplug it and disconnect it from the network first!!!
Direct Connectto WAP
  • will either be or
  • a network cable is plugged between the laptop and the WAP
  • determine whether the laptop must be assigned an IP address to actively sniff the network
    • in many cases you don't need one
    • and you don't want one!!! (taking a lease creates new state and log entries on the WAP)
    • if DHCP is enabled on the WAP, the laptop will automatically be assigned an IP in the same network range
    • if DHCP is NOT enabled, assign your laptop an IP address in the same subnet
  • once you have the IP address of the WAP, try connecting to it with a web browser
    • go to the browser and try one of the two addresses mentioned above
  • a login window will pop up
    • most of the time suspects will have forgotten to change the default admin password (default credentials can be looked up)
  • if you log in successfully, you should see a home screen displaying various menus
    • in these menus you can view connected devices, TCP/IP settings, encryption keys, etc.
WAP Settings
  • record all information regarding security settings, AP status, device name, IP address, and the MAC addresses of attached devices
  • since you are connected over the LAN to the WAP, a "ping sweep" can reveal other connected systems on the network
    • Nmap can perform the ping sweep and other scanning functions
Sniffing Between WAP and Devices
  • your laptop is placed between the WAP and its associated devices, with the wireless card in monitor mode (the wireless equivalent of promiscuous mode)
  • in this mode your laptop captures all traffic within radio range
  • tools like Wireshark will "sniff" all of the traffic travelling within the wireless network (given that you are connected to the network or hold its key, so the traffic can be decrypted)
  • you can use Nmap in conjunction with Wireshark and NetStumbler to find out more detailed information about the network
  • searching for networks
  • Kismet, NetStumbler, Wireshark, Nmap
  • can be used to see what traffic is passing through a given wireless and/or wired network
  • generally not effective against secured (encrypted) networks; this is where toolkits like BackTrack (now Kali Linux) and Metasploit come into play
  • tools such as aircrack-ng, bundled in those toolkits, can recover WEP keys and weak WPA pre-shared keys for wireless access points
Nmap
  • used to carry out port scanning, OS detection, version detection, ping sweeps, and many other things
  • scans a large number of machines at one time
  • can carry out all types of port scanning techniques
Ping Sweep
  • method to find live hosts on a network
Nmap Command: -sP -v (ping sweep)
  • -sP is the older name of the host-discovery option, now called -sn; -v turns on verbose output
  • replace the 255s (the placeholder octets) with the known IP range
  • the result of this scan shows all the live hosts on the same subnet
  • the vendor and MAC address information is displayed on screen (only for hosts on the same layer-2 segment, since it comes from ARP)
Nmap Command: -sS (TCP SYN scan)
  • replace the 255s with the known IP address
  • finds more information (open TCP ports) on a specific address; needs root/administrator privileges because it crafts raw packets
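Turning the ping-sweep output into the record the WAP Settings card asks for (live hosts with their MAC addresses and vendors), as an added example that is not code from the course. The captured text below is constructed in the normal-output format Nmap prints for `nmap -sn -v <range>`; the addresses, hostnames and vendors are made up.

```python
"""Parse Nmap ping-sweep (normal) output into a host/MAC inventory.

Added example for this card, not code from the course. SAMPLE_OUTPUT is
constructed in Nmap's normal-output format (nmap -sn -v 192.168.1.0/24);
its addresses, hostnames and vendors are made up.
"""
import re

SAMPLE_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-10 14:02 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
MAC Address: 00:11:22:33:44:55 (Cisco-Linksys)
Nmap scan report for printer.lan (192.168.1.50)
Host is up (0.010s latency).
MAC Address: 00:1E:0B:AA:BB:CC (Hewlett-Packard)
Nmap scan report for 192.168.1.7
Host is up (0.095s latency).
MAC Address: AA:BB:CC:DD:EE:01 (Apple)
Nmap scan report for 192.168.1.23
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.31 seconds
"""

# "Nmap scan report for 10.0.0.5" or "Nmap scan report for name (10.0.0.5)"
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?$"
)
# MAC lines appear only for hosts on the scanner's own layer-2 segment (ARP)
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})(?: \((?P<vendor>[^)]*)\))?$"
)


def parse_hosts(text: str) -> list:
    """Return one dict per 'Nmap scan report' block, in scan order."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"ip": m.group("ip"), "name": m.group("name"),
                       "mac": None, "vendor": None, "up": False}
            hosts.append(current)
            continue
        if current is None:
            continue                      # banner lines before the first report
        if line.startswith("Host is up"):
            current["up"] = True
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m.group("mac")
            current["vendor"] = m.group("vendor")
    return hosts


def mac_inventory(hosts: list) -> dict:
    """MAC -> (ip, vendor) for every host that exposed a MAC address.

    The scanning laptop itself (no MAC line, since Nmap cannot ARP for
    itself) is deliberately left out of the inventory.
    """
    return {h["mac"]: (h["ip"], h["vendor"]) for h in hosts if h["mac"]}


if __name__ == "__main__":
    for h in parse_hosts(SAMPLE_OUTPUT):
        print(h)
```

The host without a MAC line is the examiner's own laptop, which is why the inventory function skips it: the list of attached devices you record should not include your own equipment. For real scans, `nmap -oX` XML output is the more robust thing to parse, but the normal output is what ends up in screenshots and notes.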
WEP
  • Wired Equivalent Privacy
  • uses RC4 with 64- or 128-bit keys (a 40- or 104-bit secret plus a 24-bit IV that is sent in the clear)
  • the small IV space and weak key scheduling mean that capturing on the order of 100,000 packets gives enough data to statistically recover the key
Passive Attack
  • eavesdropping on network traffic is considered a passive attack
  • difficult to sense because there is no logging mechanism: a passive sniffer transmits nothing
    • the attacker comes within range of an open network, sniffs traffic, and leaves; no IP address is needed
  • an administrator running DHCP on a wireless network could detect that an unauthorized MAC address has acquired an IP address by checking the DHCP server logs (but only if the attacker actually requested a lease)
  • an eavesdropper can easily capture the network traffic using tools such as tcpdump, Wireshark, or AirSnort
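The DHCP-log check from this card, as an added example that is not code from the course: it scans ISC dhcpd syslog lines for DHCPACK events and flags any lease handed to a MAC address outside an authorized inventory. The log lines and the authorized list are constructed for the example (the inventory is assumed to come from the WAP's attached-device table).

```python
"""Flag DHCP leases granted to MAC addresses outside an authorized inventory.

Added example for this card, not code from the course. SAMPLE_LOG is
constructed in the ISC dhcpd syslog format; AUTHORIZED_MACS is an assumed
inventory such as the attached-device table copied from the WAP.
"""
import re

AUTHORIZED_MACS = {"00:11:22:33:44:55", "AA:BB:CC:DD:EE:01"}

SAMPLE_LOG = """\
Mar 10 14:02:11 gw dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0
Mar 10 14:02:11 gw dhcpd: DHCPOFFER on 192.168.1.7 to aa:bb:cc:dd:ee:01 (macbook) via eth0
Mar 10 14:02:12 gw dhcpd: DHCPREQUEST for 192.168.1.7 (192.168.1.1) from aa:bb:cc:dd:ee:01 (macbook) via eth0
Mar 10 14:02:12 gw dhcpd: DHCPACK on 192.168.1.7 to aa:bb:cc:dd:ee:01 (macbook) via eth0
Mar 10 14:09:40 gw dhcpd: DHCPDISCOVER from 0c:9d:92:aa:10:77 via eth0
Mar 10 14:09:40 gw dhcpd: DHCPOFFER on 192.168.1.42 to 0c:9d:92:aa:10:77 via eth0
Mar 10 14:09:41 gw dhcpd: DHCPACK on 192.168.1.42 to 0c:9d:92:aa:10:77 via eth0
"""

# Only DHCPACK means a lease was actually granted; OFFER/REQUEST can fail.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?: \((?P<host>[^)]*)\))? via"
)


def find_rogue_leases(log: str, authorized: set) -> list:
    """Return one record per DHCPACK whose MAC is not in the authorized set."""
    allowed = {m.lower() for m in authorized}      # normalize case once
    rogues = []
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac not in allowed:
            rogues.append({"time": m.group("ts"), "ip": m.group("ip"),
                           "mac": mac, "host": m.group("host")})
    return rogues


if __name__ == "__main__":
    for r in find_rogue_leases(SAMPLE_LOG, AUTHORIZED_MACS):
        print("unauthorized lease:", r)
```

Two limits follow directly from the card: a purely passive eavesdropper never sends DHCPDISCOVER, so nothing appears in this log at all, and an attacker who spoofs an authorized MAC (see MAC Filtering) shows up as a legitimate device. The log therefore proves presence only for attackers who took an address, never absence.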