
Packet and Protocol Analysis
Section II. Basic Forensic Techniques and Tools

CSF: Forensics Cyber-Security
MSIDC, Spring 2017
Nuno Santos

Summary
- Packet and protocol analysis
2 MSIDC - CSF - Nuno Santos 2016/17


Recall from last class
- How to interpret a network trace?
- A network trace is a linearized bit-copy of collected data exchanged over the network
  (figure: computer network -> network trace file, "010101101011110000…")
- Need to understand some basic networking concepts


Started with a practical example
- Accessed URL: http://www.publico.pt (over the Internet)
- Collected network trace on a local file


Basic concepts involved
(figure: a sender and a receiver, each identified by an IP address, exchange packets over the Internet / network infrastructure; the protocols involved are HTTP, carrying "HTTP GET index.htm", over TCP/IP)


Connected across multiple networks
- Computers are not wired directly but linked through interconnected networks (IP = Internet Protocol)
(figure: Network 1, Network 2 and Network 3 joined by a switch and a router; hosts 146.193.41.201 and 195.23.42.21)


Within a network, computers use MAC addresses
- Media Access Control address (MAC address)
  - Unique identifier assigned to network interfaces for communications at the data link layer of a network segment
  - Used as network addresses for Ethernet and WiFi
- Can be used to track a traffic source within a network
  - Packets sent to the Internet do not contain MAC addresses
- Can be used to classify the type of machine
  - Due to its internal structure
  - http://www.macvendorlookup.com/
Our focus today
(figure: the sender/receiver diagram from "Basic concepts involved": packets carrying HTTP GET index.htm over TCP/IP between two IP addresses across the Internet / network infrastructure)


Packet and Protocol Analysis


Coming back to our network trace


Packet sniffing and packet sniffers
- Packet sniffing is the act of looking at packets as computers pass them over networks
- Packet sniffing is performed using packet sniffers
  - These programs are designed to capture raw data as it crosses the network and translate it into a human readable format for analysis
  - Can be used to capture only relevant packets
- Packet sniffers range from simple, command-line programs, like tcpdump, to complex programs with GUI


Packet sniffers: Tcpdump
- tcpdump is the granddaddy of all open source packet sniffers
- Uses libpcap, which contains a set of system-independent functions for packet capture and network analysis
  - Also used by Wireshark
(figure: layered stack: tcpdump -> libpcap -> network device driver -> network device)
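To make the "network trace file" from the earlier slide concrete, here is an added example (not from the slides, and not tcpdump's or libpcap's own code) of reading the classic libpcap capture format that tcpdump and Wireshark write: a 24-byte global header followed by a 16-byte record header before each captured frame. The sample captures are constructed inside the block from filler bytes. The two points worth noting for an analyst are byte-order detection from the magic number and the handling of a capture whose last record was cut off, which is what a trace looks like when the sniffer was stopped mid-write.

```python
import struct
from typing import List, NamedTuple, Tuple

# Link-layer type 1 is Ethernet in the libpcap registry
LINKTYPE_ETHERNET = 1
MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, stored in the writer's byte order


class PcapRecord(NamedTuple):
    ts_sec: int    # capture time, seconds since the Unix epoch
    ts_usec: int   # microsecond part of the timestamp
    orig_len: int  # length on the wire; may exceed len(data) if snaplen truncated it
    data: bytes    # captured bytes, starting with the link-layer frame


def pcap_byte_order(magic_bytes: bytes) -> str:
    """Return the struct byte-order prefix ('<' or '>') implied by the magic number.
    The writer stores 0xa1b2c3d4 in its native order, so reading it as
    little-endian reveals which way round the rest of the file is."""
    magic = struct.unpack("<I", magic_bytes)[0]
    if magic == MAGIC:
        return "<"
    if magic == 0xD4C3B2A1:
        return ">"
    raise ValueError(f"not a libpcap file (magic {magic:#010x})")


def parse_pcap(blob: bytes) -> Tuple[int, List[PcapRecord]]:
    """Parse a whole capture held in memory; returns (linktype, records).
    A record whose header claims more bytes than remain means the capture was
    cut off (sniffer killed, disk full): parsing stops there instead of
    reading garbage."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    bo = pcap_byte_order(blob[:4])
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(bo + "HHiIII", blob[4:24])
    records: List[PcapRecord] = []
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(bo + "IIII", blob[off:off + 16])
        off += 16
        if off + incl_len > len(blob):
            break  # truncated final record
        records.append(PcapRecord(ts_sec, ts_usec, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records


def build_pcap(frames: List[bytes], bo: str = "<", linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Write the same format; used here only to construct the sample captures."""
    out = struct.pack(bo + "IHHiIII", MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack(bo + "IIII", 1490000000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample captures: filler "frames", not real traffic.
SAMPLE_PCAP = build_pcap([b"\x00" * 60, b"\xff" * 42])
SAMPLE_PCAP_BE = build_pcap([b"\x00" * 60], bo=">")

if __name__ == "__main__":
    linktype, recs = parse_pcap(SAMPLE_PCAP)
    print(f"linktype={linktype} records={len(recs)}")
    for r in recs:
        print(f"  t={r.ts_sec}.{r.ts_usec:06d} captured={len(r.data)} wire={r.orig_len}")
```

Each record's `data` is the raw link-layer frame, which is exactly the byte string the following slides decode layer by layer: Ethernet header first, then the IP packet inside it, then the TCP segment.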


Packet example
(figure: a captured packet)


Packet network layers
- Packets are encoded according to network layers
- Each layer plays a role in abstracting out details of lower levels
(figure: the protocol layers, with an arrow marking the increasing network layer)


Layers are packaged “inside” each other
(figure: each layer's packet nested inside the one below it, with an arrow marking the increasing network layer)


Wireshark lets us navigate across each layer
(figure: Wireshark view of the packet, one line per layer, increasing network layer)


The IP protocol layer
- IP protocol: provides for sending / receiving IP packets between any two nodes featuring valid IP addresses
(figure: the IP packet highlighted in the trace)


Routing an IP packet
- IP packet: header + payload
- Header contains several fields: Source IP, Destination IP
(figure: IP packet travelling from 146.193.41.201 via switch and router to 195.23.42.21)


Format of an IP header
(figure: IP header field layout)

IP protocol
(figure: the IP header as decoded in the trace)


But, the sender IP was not expected…
- What we observed: 193.136.128.7
- What we expected: 195.23.42.21
Any ideas why?
Is there a proxy serving web requests?
- Request served by web proxy: a local cache of web pages
(figure: web proxy 193.136.128.17 added to the network diagram between client 146.193.41.201, switch, router and 195.23.42.21)


Let’s validate this hypothesis
- Check the client config
- Check the proxy IP
Yes! It’s a proxy!
Next step: Investigate the IP packet payload
(figure: IP packet with its payload highlighted)

How to parse the IP packet payload?
Need to know what’s the transport protocol of the payload


The role of the TCP protocol
- IP is best effort: packets can be dropped by routers along the way
- TCP provides abstraction of stream / flow on top of IP packets
- Ensures packets delivered (1) reliably, (2) in order, (3) without duplicates
(figure: a TCP flow between 146.193.41.201 and the web proxy 193.136.128.17, carried as IP packets through switch and router)


Each endpoint maintains a sequence number

TCP session establishment
1. Client sends a SYN to the server. Client sets the segment's sequence number to rand value m
2. Server replies with a SYN-ACK. The ack number is set to m+1, and the sequence number that the server chooses for the packet is another random number n
3. Client sends an ACK back to the server
We can see the entire TCP message exchange
(figure: the TCP exchange as captured in the trace)

TCP header layout
(figure: TCP header field layout)

TCP protocol
(figure: the TCP header as decoded in the trace)


Port Numbers
- If a computer is identified by an IP, port numbers differentiate applications within the same computer
- https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Well-known port numbers
- A few examples:
(figure: table of well-known port numbers)
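The three slides above (session establishment, TCP header layout, port numbers) fit together in one decoder. The following is an added example, my own code rather than anything from the slides or Wireshark: it parses a TCP header from the IP payload, names the well-known ports, and checks the first three segments of a flow against the handshake exactly as the slide states it, SYN with seq m, SYN-ACK with ack m+1 and seq n, ACK with seq m+1 and ack n+1. The sample flow is constructed (ports 49152 and 80, m=1000, n=5000 are made-up values) and the check handles the case where m+1 wraps past 2^32. The small port table is a placeholder for the full registry linked on the slide.

```python
import struct
from typing import List, NamedTuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SEQ_MASK = 0xFFFFFFFF  # sequence numbers wrap modulo 2**32

# Small service-name table; the full list is the IANA registry linked on the slides.
WELL_KNOWN_PORTS = {20: "ftp-data", 21: "ftp", 22: "ssh", 25: "smtp", 53: "dns",
                    80: "http", 110: "pop3", 143: "imap", 443: "https"}


class TcpSegment(NamedTuple):
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    payload: bytes

    def flag_names(self) -> str:
        names = [n for n, bit in (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK))
                 if self.flags & bit]
        return "|".join(names) or "-"


def service_name(port: int) -> str:
    return WELL_KNOWN_PORTS.get(port, "ephemeral" if port >= 49152 else "unknown")


def parse_tcp(data: bytes) -> TcpSegment:
    """Decode a TCP header (the IP payload) and split off its own payload."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    data_off = (off_flags >> 12) * 4  # header length including options, in bytes
    if data_off < 20 or data_off > len(data):
        raise ValueError(f"bad data offset {data_off}")
    return TcpSegment(sport, dport, seq, ack, off_flags & 0x1FF, data[data_off:])


def build_tcp(sport: int, dst: int, seq: int, ack: int, flags: int, payload: bytes = b"") -> bytes:
    """Header with no options and a zero checksum (the real one needs the IP
    pseudo-header); used only to construct the sample flow."""
    return struct.pack("!HHIIHHHH", sport, dst, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload


def check_handshake(segments: List[TcpSegment]) -> str:
    """Check the first three segments of a flow against the three-way handshake:
    SYN(seq=m), SYN-ACK(seq=n, ack=m+1), ACK(seq=m+1, ack=n+1)."""
    if len(segments) < 3:
        return "incomplete: fewer than three segments"
    syn, synack, final_ack = segments[:3]
    if (syn.flags & (SYN | ACK)) != SYN:
        return f"step 1: expected a bare SYN from the client, got {syn.flag_names()}"
    m = syn.seq
    if (synack.flags & (SYN | ACK)) != (SYN | ACK):
        return f"step 2: expected SYN-ACK from the server, got {synack.flag_names()}"
    if (synack.src_port, synack.dst_port) != (syn.dst_port, syn.src_port):
        return "step 2: SYN-ACK ports do not mirror the SYN"
    if synack.ack != (m + 1) & SEQ_MASK:
        return f"step 2: ack {synack.ack} is not m+1 ({(m + 1) & SEQ_MASK})"
    n = synack.seq
    if (final_ack.flags & (SYN | ACK)) != ACK:
        return f"step 3: expected a bare ACK from the client, got {final_ack.flag_names()}"
    if final_ack.seq != (m + 1) & SEQ_MASK or final_ack.ack != (n + 1) & SEQ_MASK:
        return "step 3: ACK does not carry seq=m+1 and ack=n+1"
    return f"ok: client ISN m={m}, server ISN n={n}"


# Constructed sample flow: client ephemeral port 49152 to port 80, m=1000, n=5000.
SAMPLE_FLOW = [parse_tcp(b) for b in (
    build_tcp(49152, 80, 1000, 0, SYN),
    build_tcp(80, 49152, 5000, 1001, SYN | ACK),
    build_tcp(49152, 80, 1001, 5001, ACK),
)]

if __name__ == "__main__":
    for s in SAMPLE_FLOW:
        print(f"{s.src_port}({service_name(s.src_port)}) -> {s.dst_port}({service_name(s.dst_port)}) "
              f"{s.flag_names()} seq={s.seq} ack={s.ack}")
    print(check_handshake(SAMPLE_FLOW))
```

A flow whose first three segments fail this check (a SYN that is never answered, or data before any handshake) is worth a second look in a trace, because it means the capture started mid-connection or the endpoint never completed the session.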


Next step: Investigate the IP packet payload
(figure: IP packet -> IP packet payload -> TCP packet payload)

Contains an HTTP request
(figure: the HTTP request inside the TCP payload)


Wireshark lets us follow the TCP stream
(figure: Follow TCP Stream view; client => proxy request, proxy => client response)


Last missing step: Ethernet frame
(figure: IP packet enclosed in a link layer frame)

Link layer: carrier of IP packets within networks
- Ethernet protocol used for client to send IP packet to router
(figure: Ethernet frame carrying the IP packet from 146.193.41.201 via switch to router, towards the web proxy 193.136.128.17)


Format of Ethernet frame
- MAC addresses are used for message delivery
- The IP packet is enclosed inside the data payload
(figure: Ethernet frame field layout)

Let’s inspect the Ethernet frame of our IP packet
(figure: the Ethernet header as decoded in the trace)
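The frame format above and the earlier MAC address slide (tracking a source within a network, classifying the machine from the address structure) are both covered by the following added example. It is my code, not the slides' or any lookup service's: it decodes the Ethernet II header, steps over an 802.1Q VLAN tag if one is present, and reports what the address structure tells an analyst: the OUI (first three bytes), and the two low bits of the first byte that mark multicast and locally administered addresses. The OUI table and the MAC addresses are constructed placeholders, not real vendor assignments; a real lookup queries the IEEE registry as the site on the slide does.

```python
import struct
from typing import Any, Dict, NamedTuple, Optional

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_VLAN, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x8100, 0x86DD
ETHERTYPE_NAMES = {ETHERTYPE_IPV4: "IPv4", ETHERTYPE_ARP: "ARP", ETHERTYPE_IPV6: "IPv6"}

# Constructed OUI table with placeholder vendor names (assumption, not real assignments).
OUI_TABLE = {"00:11:22": "Vendor-A (placeholder)", "a8:bb:cc": "Vendor-B (placeholder)"}


class EthernetFrame(NamedTuple):
    dst: str
    src: str
    ethertype: int
    vlan: Optional[int]  # 802.1Q VLAN id if the frame was tagged
    payload: bytes


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_properties(mac: str) -> Dict[str, Any]:
    """What the structure of a MAC address tells an analyst: the OUI identifies
    the interface vendor, while the I/G and U/L bits of the first byte flag
    multicast and locally administered (virtual, randomised or rewritten)
    addresses, for which the vendor classification means nothing."""
    first = int(mac[:2], 16)
    oui = mac[:8]
    return {
        "oui": oui,
        "vendor": OUI_TABLE.get(oui, "unknown OUI"),
        "broadcast": mac == "ff:ff:ff:ff:ff:ff",
        "multicast": bool(first & 0x01),             # I/G bit
        "locally_administered": bool(first & 0x02),  # U/L bit
    }


def parse_ethernet(frame: bytes) -> EthernetFrame:
    """Decode the Ethernet II header; steps over one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return EthernetFrame(format_mac(dst), format_mac(src), ethertype, vlan, frame[offset:])


def build_ethernet(dst: str, src: str, ethertype: int, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Sample-construction helper, not part of the slides."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames: client NIC -> router, carrying a minimal IPv4 header as payload.
CLIENT_MAC, ROUTER_MAC = "00:11:22:33:44:55", "a8:bb:cc:00:00:01"
IPV4_STUB = b"\x45" + b"\x00" * 19
SAMPLE_FRAME = build_ethernet(ROUTER_MAC, CLIENT_MAC, ETHERTYPE_IPV4, IPV4_STUB)
SAMPLE_VLAN_FRAME = build_ethernet(ROUTER_MAC, "02:00:00:00:00:01", ETHERTYPE_IPV4, IPV4_STUB, vlan=100)

if __name__ == "__main__":
    for raw in (SAMPLE_FRAME, SAMPLE_VLAN_FRAME):
        f = parse_ethernet(raw)
        kind = ETHERTYPE_NAMES.get(f.ethertype, hex(f.ethertype))
        print(f"{f.src} -> {f.dst} type={kind} vlan={f.vlan} payload={len(f.payload)}B")
        print("   src:", mac_properties(f.src))
```

The locally administered bit is the caveat to the "classify the type of machine" slide: a source MAC with that bit set (second sample frame) was assigned by software, so the OUI says nothing reliable about the hardware.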


A case study
- You are the manager of a company and receive a tip that an employee is using his computer to view images that violate the company’s computer use policy
- You then hire a forensics investigator to assist in the matter and, together, decide to monitor the suspected employee’s activity on the network for the next week
- Goal: see if there is any evidence to support or refute the claims against the employee viewing images.


Case study: Search through the packets
- After capturing the packets, search through the packets to identify images that violate the policy

Case study: Perform file carving
- Export the portion of the payload that contains the bytes of the image

Case study: Caught in procrastination!
- Exported image created from exported bytes
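The three case-study steps, together with the earlier "follow the TCP stream" slide, are one pipeline: put the server's data segments back in sequence-number order, strip the HTTP response headers, and export the bytes between the JPEG start-of-image and end-of-image markers. The following added example (my code, not the slides' or Wireshark's) does exactly that on a constructed flow: the "image" is a synthetic byte string with valid JPEG markers, not a decodable picture; the server ISN, the segment boundaries, the out-of-order arrival and the retransmission are all made up to exercise the reassembly.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

SEQ_MASK = 0xFFFFFFFF


class DataSegment(NamedTuple):
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments: List[DataSegment], isn: int) -> bytes:
    """Rebuild one direction of a TCP flow (what "Follow TCP Stream" shows) from
    its data segments. Data starts at isn+1 because the SYN consumes one
    sequence number. Segments are ordered by their offset from that point, so
    out-of-order arrival is handled; bytes already seen (retransmission,
    overlap) are skipped; a hole that was never filled stops the reassembly."""
    base = (isn + 1) & SEQ_MASK
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: (s.seq - base) & SEQ_MASK):
        off = (seg.seq - base) & SEQ_MASK
        if off > len(stream):
            raise ValueError(f"gap of {off - len(stream)} bytes before seq {seg.seq}")
        stream += seg.payload[len(stream) - off:]
    return bytes(stream)


def split_http_response(stream: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Separate the status line and headers from the body; Content-Length bounds
    the body so bytes of a following response on the same connection are excluded."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers not found")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    if "content-length" in headers:
        body = body[:int(headers["content-length"])]
    return lines[0].decode("ascii", "replace"), headers, body


JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def carve_jpeg(data: bytes) -> Optional[bytes]:
    """Return the bytes from the first JPEG start-of-image marker to the last
    end-of-image marker: the slice an analyst exports by hand in Wireshark."""
    start = data.find(JPEG_SOI)
    if start < 0:
        return None
    end = data.rfind(JPEG_EOI)
    if end < start:
        return None
    return data[start:end + 2]


def carve_image_from_flow(segments: List[DataSegment], isn: int) -> Optional[bytes]:
    """Whole pipeline: reassemble the server->client flow, strip HTTP headers, carve the JPEG."""
    _status, headers, body = split_http_response(reassemble(segments, isn))
    if not headers.get("content-type", "").startswith("image/"):
        return None
    return carve_jpeg(body)


# Constructed sample: synthetic "JPEG" served in an HTTP response, split into
# three segments that arrive out of order, plus one retransmission. ISN is made up.
FAKE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + JPEG_EOI
RESPONSE_HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
                 + b"Content-Length: %d\r\n\r\n" % len(FAKE_JPEG))
SERVER_ISN = 5000
_FIRST = SERVER_ISN + 1
SAMPLE_SEGMENTS = [
    DataSegment(_FIRST + len(RESPONSE_HEAD) + 20, FAKE_JPEG[20:]),  # tail arrives first
    DataSegment(_FIRST, RESPONSE_HEAD),
    DataSegment(_FIRST + len(RESPONSE_HEAD), FAKE_JPEG[:20]),
    DataSegment(_FIRST + len(RESPONSE_HEAD), FAKE_JPEG[:20]),       # retransmission
]

if __name__ == "__main__":
    img = carve_image_from_flow(SAMPLE_SEGMENTS, SERVER_ISN)
    print(f"carved {len(img)} bytes: starts {img[:3].hex()} ends {img[-2:].hex()}")
```

Carving from the reassembled stream rather than from individual packets matters for the evidence: a marker split across two segments, or a retransmitted segment counted twice, would otherwise produce a corrupt export.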


Conclusions
- Packet and protocol analysis play a fundamental role in network forensics
- Typical communications are centered around TCP/IP protocols, which tend to be structured in network layers
- Packet analysis tools like Wireshark allow us to interpret the content of individual packets and flows


References
- Primary bibliography
  - [Casey11], Chapter 21, 23.2.2


Next class
- Web and E-Mail forensics
