Network Forensics: When conventional forensic analysis is not enough
Manuel Humberto Santander Peláez
GIAC GCFA Gold, GNET Silver, GCIA Gold

Upload: godfrey-caldwell

Post on 11-Jan-2016


Page 1: Network Forensics: When conventional forensic analysis is not enough

Manuel Humberto Santander Peláez

GIAC GCFA Gold, GNET Silver, GCIA Gold

Page 2: Network Security Perimeter

• Firewalls

• NIDS/NIPS

• VPN Concentrator

• NAC (Switches)

• Antivirus

• Antispyware

• Content Filtering

Page 3: Network Security Perimeter (diagram)

• Firewall

• Switch (NAC)

• VPN Concentrator

• NIDS

• Security Event Correlator

Page 4: Network Forensics

• Capture, recording and analysis of network events

• Needed to discover the source and type of network attacks

• Large volumes of logs and traffic

• Network security perimeter devices give lots of interesting information

Page 5: Network Forensics

• Network traffic gives evidence of attacks such as:

– Exploit attacks

– Virus breach attempts

– MITM

• Valuable when it can be correlated with computer breaches.

• Can supply the information missing from a computer attack (the "missing puzzle piece")

Page 6: Billing Information Change using a network attack

• Colombia Utility Company is the biggest utility company in all of Colombia

• Massive change of the billing amount on 10000 installations, about 40% less on each invoice

• Once an invoice is delivered, no change can be made (Law 142 of 1994, Colombian Congress)

• Where was the breach? How can this be prevented?

Page 7: Billing Information Change using a network attack

• Billing is a daily batch process

• 98% of invoices were altered

• Billing calculations are done by stored procedures on the database

• The first evidence gathered was a report of users executing the offending transactions on the application (August 25/2007)

Page 8: Billing Information Change using a network attack

Page 9: Billing Information Change using a network attack

The same result was obtained on every computer analyzed from the obtained table.

Page 10: Billing Information Change using a network attack

• IDS alerts showed the ARP address of the main router changing several times; no firewall or NAC alert

• Found 4970 alerts for August 25/2007

• Investigation showed a local desktop machine claimed to be the router for the whole network segment

• All billing department people in that segment logged on to the application

Page 11: Billing Information Change using a network attack

Page 12: Billing Information Change using a network attack

The Oexplore access time matches the first access to the database. Passwords were found cracked by Cain.
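The evidence chain on Pages 10 and 12 (the gateway's MAC flipping in the ARP alerts, then application logons and database access lining up in time with the rogue desktop) is the kind of correlation Page 5 calls for, and it can be done mechanically. The Python below is an added example written for this transcript, not code from the original talk or the investigation; the gateway address, MAC addresses, user names, hosts and log line formats are constructed to mirror the case, and the five-minute "quiet" period used to close a spoof window is an assumed tuning value.

```python
"""Detect a spoofed gateway from ARP records and find the logons exposed to it.

Added example, not from the original slides. All records below are constructed
to mirror the case: a desktop on the billing segment answers ARP for the
gateway IP, and users who logged on while that was happening had their
sessions routed through it. Addresses, names and formats are assumptions.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
GATEWAY_IP = "10.1.1.1"            # assumed address of the segment's real router
GATEWAY_MAC = "00:11:22:33:44:01"  # assumed legitimate router MAC

# Constructed ARP replies as a sensor might log them: date time sender-ip sender-mac
ARP_LOG = """\
2007-08-25 08:01:10 10.1.1.1 00:11:22:33:44:01
2007-08-25 08:15:02 10.1.1.1 00:aa:bb:cc:dd:ee
2007-08-25 08:15:32 10.1.1.1 00:aa:bb:cc:dd:ee
2007-08-25 08:16:02 10.1.1.1 00:11:22:33:44:01
2007-08-25 08:16:32 10.1.1.1 00:aa:bb:cc:dd:ee
2007-08-25 12:30:00 10.1.1.1 00:11:22:33:44:01
"""

# Constructed billing-application logons: date time user client-ip
LOGON_LOG = """\
2007-08-25 07:55:00 jperez 10.1.1.20
2007-08-25 08:15:40 mgomez 10.1.1.21
2007-08-25 08:20:05 lrojas 10.1.1.22
2007-08-25 13:00:00 jperez 10.1.1.20
"""


def _ts(s):
    return datetime.strptime(s, TS_FMT)


def parse_arp(text):
    """Return sorted (timestamp, ip, mac) tuples from 'date time ip mac' lines."""
    out = []
    for line in text.strip().splitlines():
        d, t, ip, mac = line.split()
        out.append((_ts(f"{d} {t}"), ip, mac.lower()))
    return sorted(out)


def parse_logons(text):
    """Return sorted (timestamp, user, client_ip) tuples from 'date time user ip' lines."""
    out = []
    for line in text.strip().splitlines():
        d, t, user, ip = line.split()
        out.append((_ts(f"{d} {t}"), user, ip))
    return sorted(out)


def gateway_mac_changes(arp, gateway_ip):
    """Every point where the MAC advertised for gateway_ip differs from the last one seen.

    This is the raw 'ARP address change for the router' alert: useful as a first
    signal, but noisy, because a real spoof interleaves with genuine replies.
    """
    changes, last = [], None
    for ts, ip, mac in arp:
        if ip != gateway_ip:
            continue
        if last is not None and mac != last:
            changes.append((ts, last, mac))
        last = mac
    return changes


def spoof_windows(arp, gateway_ip, legit_mac, quiet=timedelta(minutes=5)):
    """Intervals (start, end, rogue_mac) during which a non-legitimate MAC claimed gateway_ip.

    A window opens at the first rogue claim and is only closed once `quiet` has
    passed with no further rogue claim. The real router answering in between
    does not close it: the attacker keeps re-poisoning the cache regardless.
    """
    windows, start, last, rogue = [], None, None, None
    for ts, ip, mac in arp:
        if ip != gateway_ip or mac == legit_mac.lower():
            continue
        if start is not None and ts - last > quiet:
            windows.append((start, last + quiet, rogue))
            start = None
        if start is None:
            start, rogue = ts, mac
        last = ts
    if start is not None:
        windows.append((start, last + quiet, rogue))
    return windows


def exposed_logons(logons, windows):
    """Logons whose timestamp falls inside a spoof window: their traffic crossed the rogue host."""
    hits = []
    for ts, user, ip in logons:
        for start, end, rogue in windows:
            if start <= ts <= end:
                hits.append((ts, user, ip, rogue))
                break
    return hits


if __name__ == "__main__":
    arp = parse_arp(ARP_LOG)
    wins = spoof_windows(arp, GATEWAY_IP, GATEWAY_MAC)
    for s, e, mac in wins:
        print(f"gateway {GATEWAY_IP} claimed by {mac} from {s} to {e}")
    for ts, user, ip, rogue in exposed_logons(parse_logons(LOGON_LOG), wins):
        print(f"  exposed logon: {user} from {ip} at {ts} (via {rogue})")
```

The rogue MAC reported for a window is what to search for in the switch's MAC table to find the physical desktop; the exposed logon list is what to take to the host and database analysis, since those are the credentials and sessions an attacker in the middle could have captured.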

Page 13: Billing Information Change using a network attack

Page 14: Billing Information Change using a network attack

Page 15: Lessons Learned

• Network forensics completes computer forensic evidence when the evidence found inside computers does not give enough clues.

• Network forensics evidence must be correlated with the evidence found in computers to be valuable.

• Security perimeter devices give valuable information if well configured.