MSC I

Roll No.12

Finding Network Based Evidences

Network based evidences can be collected during: 1. When the offence is ongoing 2. After the crime has been reported. During the course of activity, the network packets are captured using tools such as Wireshark. This is known as sniffing. Network based evidences are crucial evidences which help identify the perpetrator. Network based evidences can be of two types: 1. Volatile 2. Non Volatile Volatile Network Information consists of Open connections Open ports and sockets Routing information and configuration Network interface status and configuration ARP cache

Open Connections: To begin collecting information about open connections and ports, examine the suspicious computer to see if at any type of cable connects it to a network. After establishing all live connections, collect and document the associated IP addresses and open ports. This initial collection of network information may be enough for you to determine whether the security incident was caused remotely or locally. Using the tools in this section, look for the following: Unfamiliar IP addresses and ports Legitimate (established through commands like telnet, ssh, ftp, and netuse) or backdoor connections on abnormal ports A promiscuously configured network card interface

Niranjana.S.Karandikar

Page 1

MSC I

Roll No.12

1. Netstat an displays all open TCP/IP and UDP ports and maps them to the owning application

Niranjana.S.Karandikar

Page 2

MSC I

Roll No.12

2. NTSecurity.nus freeware utility PromiscDetect checks to see if the network adaptor(s) are running in promiscuous mode, which may indicate that a sniffer is running on the suspicious computer. To determine the adapters mode, look at the PromiscDetects output. If the filters returned are set at Directed, Multicast, and Broadcast, the network card interface is not in promiscuous mode.

Niranjana.S.Karandikar

Page 3

MSC I

Roll No.12

3. Netstat anb The native netstat anb command displays a list of current TCP/IP connections. It also displays the protocol of the connection, the local address (MAC address), the IP address, and the connection state.

Niranjana.S.Karandikar

Page 4

MSC I

Roll No.12

4. Nbstat The native nbtstat command can collect information about recent network connections using the NBT (NetBIOS over TCP/IP) protocol. The nbtstat s command displays the session table for the local system with destination IP addresses, which helps you identify mapped connections to shared drives on other computers.

Niranjana.S.Karandikar

Page 5

MSC I

Roll No.12

5. Net The native net command can be used to determine if the local machine has any network shares or is connected to any network shares. It also lists files that have been opened on the local system via a session established with a remote system over NetBios.

Niranjana.S.Karandikar

Page 6

MSC I

Roll No.12

Routing Information: While using tools in this section, collect routing information, be sure to pay attention to the suspicious computers routing table. Make note of added or unfamiliar routes. Also, look at the ARP cache to identify recent connections. 1. Netstat, Route The native netstat and route commands allow you to collect routing information. netstat r displays all volatile active routes for the suspicious computer.

Niranjana.S.Karandikar

Page 7

MSC I

Roll No.12

2. Arp The native arp command displays the following information about the suspicious computers network interface: IP address, MAC address, and type (dynamic or static). The ARP cache also stores the MAC address to IP address translations for the last two minutes [Pierce 03]. The a switch pulls the active ARP cache entries.

Niranjana.S.Karandikar

Page 8

MSC I

Roll No.12

Non Volatile Data: For collection of Non Volatile Data, make an image of the hard disk and back up the registry enteries. Examine registry for LAN configuration if any. Also look into the web browsers history, last visited urls. This information can be accessed through the registry. Once the suspicious IP addresses and domains are found and identified they can be traced using free websites such as www.whois.com , http://www.whatsmyip.org/ , Sams Spade. Other tools for analyzing network based evidences are Back Track, Kali Linux,etc. References: 1. Kevin Mandia, Chris Prosise and Matt Pepe, Incident response and computer forensics, McGraw Hill Publication. 2. First Responders Guide to Computer Forensics, Richard Nolan, Colin OSullivan,Jake Branson, Cal Waits, March 2005.

Niranjana.S.Karandikar

Page 9