Digital Forensics in Computer and Cellular Networks

Pascal Schöttle

July 19, 2009

Seminar paper
Ruhr-Universität Bochum
Chair for Communication Security
Prof. Dr.-Ing. Christof Paar

Abstract

The goal of this paper is to give an introduction to the field of digital forensics (also known as computer forensics) in computer and cellular networks. Because the number of crimes committed with electronic devices such as computers or cell phones is increasing, the need for more research in this area of investigation is obvious. Even classical crimes like fraud or money laundering leave electronic traces, and securing these traces can provide good evidence against criminals. Unlike classic investigation, which has a long history and well-defined methods, computer crime investigation is a relatively new science with many different approaches and frameworks.

First of all, the term digital forensics and its use in today's science will be explained. The terms digital evidence and digital investigation are introduced. Digital forensics is the main part of computer crime investigation, and the question that arises is what kind of information can be used to prove someone's guilt: which traces of a possible attacker can be held against him, and how it can be proved that this data was not changed since the attack. The problem becomes clear when considering cases in the courtroom. You cannot accuse someone of a crime on the basis of speculation and unproven facts. Furthermore, you do not want the alleged criminal to be able to argue that the data used against him could have been altered. These questions and problems arise in computer and cellular networks as well and are the topic of current discussions.
To fully understand where and why criminals or suspected criminals leave traces in networks, this paper gives a short introduction to widespread network technologies before demonstrating how forensic methods can be applied to networks in general, and later to specific network protocols and layers of the OSI reference model.

Contents

1 Introduction
1.1 System Preservation
1.2 Search for Evidence
1.3 Event Reconstruction
1.4 Summary and Outlook
2 Network Basics
2.1 The most widespread network technologies
2.1.1 Ethernet
2.1.2 IEEE 802.11 (Wireless)
2.1.3 Cellular Networks
2.2 Connecting Networks
2.3 Summary
3 General Forensics in Networks
3.1 Preparation, Identification and Preservation
3.2 Filtering and Evidence Recovery
3.3 Reconstruction Phase
3.4 Summary
4 Forensics Applied to Computer and Cellular Networks
4.1 Ethernet - Data-link and physical layer
4.2 TCP/IP - Transport and network layer
4.3 The Internet
4.3.1 The World Wide Web
4.3.2 Email
4.3.3 Other Networks
4.4 Positioning in Cellular Networks
4.5 Summary
5 Conclusion

1 Introduction

The goal of this section is to introduce the terms Computer Crime, Digital Evidence and Digital Forensic Analysis and to show their basic concepts.

There are two aspects of Computer Crime, which are defined by the world's leading computer forensic equipment company DIBS [DIB] as follows:

• A criminal act in which a computer is essential to the perpetration of the crime.
• A criminal act where a computer, non-essential to perpetration of the crime, acts as a store of information, concerning the crime.

This is to say that not only crimes committed directly with a computer belong to this field of offense, but also crimes where evidence can be found on computers or networks without those devices necessarily having been used to commit the crime.

CASE EXAMPLE
If the police have a certain suspect in a homicide, the investigation of his computer may reveal details about his contact with the victim (e.g. emails and chats), or even research about how to get rid of a corpse. The analysis of the suspect's cell phone may refute his alibi or also give details about contact between suspect and victim.

With this definition it becomes obvious what an important role digital crime analysis plays nowadays, and that its role in crime investigation will not decrease but more likely increase in the coming years. There is nearly no imaginable crime in which no computer or network can be involved. Therefore, besides the increasing number of electronic frauds or crimes committed directly with a computer, the branch of digital investigation will become more important for classical evidence collection and crime investigation.

The term Digital Evidence describes all the information that can be gained from electronic devices.
This can be storage media like hard disks, network logs, cell phone logs, emails and so on. One of the main problems with digital evidence is that most of it is volatile and there is always a possibility for the perpetrator to erase it. Because of this, the time within which the evidence is secured is more important in digital investigation than it might be in classic investigation.

Digital Forensic Analysis is divided into two main branches. The first one is Physical Storage Media Analysis and the second Network Analysis. This paper focuses on the second branch. However, the two branches cannot be separated completely, so there will always be comments about looking at storage media for evidence which supports or refutes a hypothesis.

One of the standard works on Digital Forensic Analysis is Brian Carrier's File System Forensic Analysis [Car05]. Although, as the title indicates, its main aspect is the file system, there are some basic ideas that can be applied to network forensics as well. Figure 1.1 shows the three major phases as described in [Car05]. These are the System Preservation, Evidence Searching and Event Reconstruction phases. As Figure 1.1 indicates, these three phases do not need to occur strictly one after another; there are paths back from every phase to the previous one.

Figure 1.1: The three major phases of digital investigation according to [Car05]

1.1 System Preservation

This phase is always the first thing to do once a digital crime is detected or even assumed. As with classic crimes, the first act of investigation is to preserve the crime scene. This is the main aspect of this phase. In classic crime investigation you can close off the crime scene, e.g. a house or flat, but it is more difficult to follow this approach in digital investigation. Here it is difficult to shut down a network or computers without altering data. As with classic crime scenes, every change to the evidence should be avoided.
All information contained in the network or on physical storage devices has to be copied and saved without changing it. It is important to have proof that the data was not changed during the investigation process. One approach to achieve this is to compute a cryptographic hash sum of the data at the time of acquisition; any later change to the data is then revealed by a differing hash.

1.2 Search for Evidence

Now, after the crime scene is preserved, the next step is to look for evidence. As a digital crime is assumed, the digital investigator creates hypotheses which can either be supported or refuted by evidence found in the data. It is essential not to look only for evidence that supports a specific hypothesis, because the hypothesis could always be wrong. The main methods for searching for evidence are:

• to look at log files, e.g., those of routers or other network components,
• to search for altered data, e.g., again with cryptographic hash sums,
• to look for rootkits, e.g., by checking the low levels of the operating system,
• to search the file system for suspicious files.

CASE EXAMPLE from [Car05]
Consider a server that has been compromised. We start an investigation to determine how it occurred and who did it. During the investigation, we find data that were created by events related to the incident. We recover deleted log entries from the server, find attack tools being installed on the server, and numerous vulnerabilities that existed on the server. Using this data, we develop hypotheses about which vulnerability the attacker used to gain access and what he did afterwards. Later, we examine the firewall configuration and logs and determine that some of the scenarios in our hypotheses are impossible because that type of network traffic could not have existed, and we do not find the necessary log entries. Therefore, we have found evidence that refutes one or more hypotheses.
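To make the hash-based integrity check of Section 1.1 (and the "altered data" search method of Section 1.2) concrete, here is a small Python example added by the editor; it is not code from the paper. It records a SHA-256 manifest of the acquired evidence copies, seals the manifest with a digest of its own so the manifest can be stored or signed separately, and later reports which items are unchanged, modified, missing or unlisted. The file names, log lines and addresses are constructed for the example.

```python
"""Evidence acquisition manifest: record cryptographic hashes of acquired data
and detect any later modification (added example, not code from the paper)."""
import hashlib
import json
from typing import Dict


def hash_bytes(data: bytes) -> str:
    """SHA-256 digest of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: Dict[str, bytes]) -> Dict[str, str]:
    """Map every evidence item (name -> acquired bytes) to its digest.
    Hash the acquired copy, not the live source: a live log keeps growing,
    so its hash would change without any tampering."""
    return {name: hash_bytes(data) for name, data in sorted(evidence.items())}


def manifest_digest(manifest: Dict[str, str]) -> str:
    """Digest over the manifest itself (canonical JSON), so that the manifest
    can be kept or signed apart from the evidence and checked on its own."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hash_bytes(canonical.encode("utf-8"))


def verify_manifest(evidence: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare the current data against the manifest. Returns one status per
    name: 'ok', 'modified', 'missing' (listed but no data) or 'unlisted'."""
    status: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in evidence:
            status[name] = "missing"
        elif hash_bytes(evidence[name]) == expected:
            status[name] = "ok"
        else:
            status[name] = "modified"
    for name in evidence:
        if name not in manifest:
            status[name] = "unlisted"
    return status


# Constructed sample evidence: two log excerpts as they might be copied off a
# router and a server (addresses from private and documentation ranges).
ROUTER_LOG = b"2009-07-18T22:41:07 fw: ACCEPT tcp 10.0.0.23:51234 -> 198.51.100.7:22\n"
SERVER_LOG = b"Jul 18 22:41:09 srv sshd[4122]: Accepted password for admin from 10.0.0.23\n"
ACQUIRED = {"router.log": ROUTER_LOG, "server.log": SERVER_LOG}


def demo():
    """Seal the acquired copies, then check a set in which one copy was edited."""
    manifest = build_manifest(ACQUIRED)
    seal = manifest_digest(manifest)
    tampered = dict(ACQUIRED)
    tampered["server.log"] = SERVER_LOG.replace(b"10.0.0.23", b"10.0.0.42")
    return verify_manifest(tampered, manifest), manifest_digest(manifest) == seal


if __name__ == "__main__":
    print(demo())  # ({'router.log': 'ok', 'server.log': 'modified'}, True)
```

Running the file prints the verification result for the edited copy: the router log is still `ok`, the server log is reported as `modified`, and the manifest's own seal still matches. In practice the manifest (or its digest) is recorded at acquisition time on a medium the investigation does not write to again.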
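The case example above from [Car05] refutes hypotheses by checking them against the firewall logs. The following Python script, added here and not part of the paper or of [Car05], shows one way to do that check mechanically: it parses a constructed firewall log format (the format, the addresses, the timestamps and the helper names are all assumptions of this example) and tests each hypothesised flow against the entries within a time window. A hypothesis is supported by a matching ACCEPT, refuted by a matching DROP, and, when the firewall is known to log every accepted flow, refuted by the absence of any entry, which is the reasoning of the case example.

```python
"""Correlate intrusion hypotheses with firewall log entries to support or
refute them (added example, not from the paper or from [Car05])."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed log line format assumed for this example:
# <ISO timestamp> fw: <ACCEPT|DROP> <proto> <src>:<sport> -> <dst>:<dport>
FW_LINE = re.compile(
    r"^(?P<ts>\S+) fw: (?P<action>ACCEPT|DROP) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class FlowEvent:
    time: datetime
    action: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Hypothesis:
    """'Host src reached service proto/dport on dst at about time at'."""
    src: str
    dst: str
    proto: str
    dport: int
    at: datetime


def parse_firewall_log(text: str) -> List[FlowEvent]:
    """Parse all well-formed lines; unrelated or damaged lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = FW_LINE.match(line.strip())
        if not m:
            continue
        events.append(FlowEvent(
            time=datetime.fromisoformat(m["ts"]), action=m["action"],
            proto=m["proto"].lower(), src=m["src"], dst=m["dst"], dport=int(m["dport"]),
        ))
    return events


def evaluate(hyp: Hypothesis, events: List[FlowEvent],
             window: timedelta = timedelta(minutes=5),
             logs_all_accepts: bool = True) -> Tuple[str, List[FlowEvent]]:
    """Return (verdict, matching events). 'supported' if an ACCEPT of the
    hypothesised flow lies inside the window; 'refuted' if the flow was only
    ever dropped, or if nothing matches and the firewall is known to log every
    accepted flow; 'inconclusive' otherwise."""
    lo, hi = hyp.at - window, hyp.at + window
    related = [e for e in events
               if lo <= e.time <= hi and e.src == hyp.src and e.dst == hyp.dst
               and e.proto == hyp.proto and e.dport == hyp.dport]
    accepts = [e for e in related if e.action == "ACCEPT"]
    if accepts:
        return "supported", accepts
    if related:
        return "refuted", related          # the flow was seen and dropped
    return ("refuted" if logs_all_accepts else "inconclusive"), []


# Constructed firewall log; 198.51.100.7 plays the compromised server.
FIREWALL_LOG = """\
2009-07-18T22:40:58 fw: DROP tcp 203.0.113.5:40211 -> 198.51.100.7:21
2009-07-18T22:41:07 fw: ACCEPT tcp 10.0.0.23:51234 -> 198.51.100.7:22
2009-07-18T22:41:30 fw: ACCEPT udp 10.0.0.23:53120 -> 198.51.100.7:53
"""

# Recovered server log entry (constructed): a login from 10.0.0.23 at 22:41:09.
SEEN = datetime(2009, 7, 18, 22, 41, 9)
H_SSH_INSIDE = Hypothesis("10.0.0.23", "198.51.100.7", "tcp", 22, SEEN)
H_FTP_OUTSIDE = Hypothesis("203.0.113.5", "198.51.100.7", "tcp", 21, SEEN)
H_WEB_OUTSIDE = Hypothesis("203.0.113.5", "198.51.100.7", "tcp", 80, SEEN)


def verdicts() -> dict:
    """Evaluate the three constructed hypotheses against the constructed log."""
    events = parse_firewall_log(FIREWALL_LOG)
    return {name: evaluate(h, events)[0] for name, h in
            [("ssh_inside", H_SSH_INSIDE), ("ftp_outside", H_FTP_OUTSIDE),
             ("web_outside", H_WEB_OUTSIDE)]}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```

The time window absorbs clock offset between the firewall and the server; in a real investigation that offset is measured from the devices rather than assumed, and `logs_all_accepts` is only set when the firewall configuration has actually been checked to log every accepted flow, since the "refuted by absence" verdict is only as strong as that assumption.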
1.3 Event Reconstruction

The third and last phase of the digital investigation process is to use the collected evidence to reconstruct what has happened in the system or network. To do this, it is necessary to correlate various pieces of evidence, possibly from different sources, to obtain proof of the one hypothesis that remains. For this phase it is important to have knowledge of the operating systems and the network basics of the digital components involved in the crime. Understanding how an operating system or the network components work is essential to work out what the hints are indicating.

1.4 Summary and Outlook

In summary, the procedure of investigating a digital crime is very similar to the procedure of investigating a classic crime. First of all, there is the crime scene which has to be preserved. Then there is the search for evidence, and finally the result of this search is used to reconstruct the events that happened at the crime scene. The main difference is the problem of time. In digital networks as well as on stand-alone systems, data is more likely to be altered than at classical crime scenes. Usually the perpetrator has to take deliberate action to dispose of most of his traces at a classical crime scene, whereas at digital crime scenes the traces and evidence are often automatically overwritten by the underlying system after some time. So, if the recognition of a crime takes very long or the preservation of the crime scene is not done right away, there is a good chance for the perpetrator that his traces are altered or deleted and thus no longer useful. Because of this, the first act of every digital investigation has to be to preserve evidence as fast as possible.

To fully understand where the traces an attacker may leave are, the investigator has to understand the crime scene. For this, Chapter 2 gives a short overview of network technologies. Chapter 3 shows how forensic methods can be applied to networks in general, and Chapter 4 applies methods directly to the different layers of a network. Chapter 5 concludes this paper.

2 Network Basics

As mentioned in Section 1.3, it is indispensable for a digital investigator to know the field he is investigating. Hence, it is necessary to give a little background on how digital networks work and to review the most important network protocols.

2.1 The most widespread network technologies

As can be seen in Figure 2.1, there are many interfaces and protocols through which Local Area Networks (LANs) can communicate with each other. Nowadays, almost every LAN is connected to the Internet, where the definitive standard is the TCP/IP protocol suite. Because the first step of a digital crime investigation is to look for traces in the LAN before extending the search to the Internet, here is a short overview of the most widespread technologies for LANs.

Figure 2.1: Dissimilar Networks connected via Internet (see [Cas04])

2.1.1 Ethernet

After several stages of development, Ethernet is the most widespread technology used in private and corporate LANs. It uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD) to coordinate communication of the different hosts in a network. CSMA/CD is a "listen before acting" access control. This means that every host which wants to communicate over the shared network resource first listens to check that the resource (e.g. the network cable) is not occupied by another host, and only sends data if the resource is available. There are a lot of standards for different Ethernet revisions, which all have different purposes. The most widespread are 100BaseT and 1000BaseT because they are very cheap and easy to install.

2.1.2 IEEE 802.11 (Wireless)

The IEEE 802.11 standard summarizes various standards for Wireless LANs (WLAN). In these standards, the hosts, which do not necessarily have to be computers but can also be cell phones or PDAs, communicate with a Wireless Access Point (AP) using radio signals. Those APs are connected either to a wired network, e.g., an Ethernet, or directly to the Internet. The limitations of 802.11 in contrast to wired networks are distance, speed and interference. There will be problems with connectivity if a host is not within a certain distance of an AP or if there is a barrier between the host and the AP that blocks radio waves.

2.1.3 Cellular Networks

To overcome the limitations mentioned in the previous section, the use of cellular networks for data communication is becoming more widespread and more available. For this, the cellular networks, which were originally intended to establish phone-to-phone connections for telephone calls, now operate more and more as packet-switched networks to connect to the Internet or even directly to LANs. But as with the connections built for telephone calls, the packet-switched connection makes the cellular phone or PDA connect to a cell site, which is connected to the Internet and is responsible for routing the connections and the packets. Those cell sites keep logs which are used, e.g., for billing and maintenance, but which are also a good source for digital investigation.

2.2 Connecting Networks

Because of the various technologies mentioned in Section 2.1 and the different ways those technologies work, they cannot communicate directly with each other. To enable this, the Internet Protocol has been introduced to provide a common language for the LANs to communicate with each other. The most common Internet protocols are the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) and the Internet Protocol (IP). Together (with a few supporting protocols) they are known as the TCP/IP Internet protocol suite and are the de facto standard for today's communication on the Internet.
For a better understanding of TCP/IP, and consequently a better idea of where to find evidence in digital investigation and digital forensics, it helps to look at the different layers defined in the Open Systems Interconnection (OSI) reference model (Figure 2.2). In this model different layers are defined, and each layer can contain information, traces and evidence.

Figure 2.2: A simplified description of the Open Systems Interconnection (OSI) layers (see [Cas04])

As can be seen in Figure 2.3, different applications can be reduced first to TCP or UDP and then to IP. This paper is too short to go into the details of all the layers, but an example of how a web browser accesses the Internet, seen through the layers of the OSI model, can be seen in Figure 2.4. Network tools (see Chapter 4) that intercept network traffic can capture all the information that comes from each layer, and all of this information can be good evidence for digital forensics.

2.3 Summary

It is essential for digital investigation and digital forensic analysis to understand the basics of today's networks. The differentiation between local area networks and wide area networks, mainly the Internet, is very important, as is understanding the interfaces between those two. The following sections describe how evidence can be found within the different network technologies presented in this section.
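As an added example that is not part of the paper, the following Python script decodes one Ethernet frame layer by layer, the way the capturing tools mentioned in Section 2.2 would, and returns what each OSI layer contributes as evidence: MAC addresses from the data-link layer, IP addresses, TTL and header checksum from the network layer, ports and flags from the transport layer, and the payload from the application layer. The frame is constructed inline with assumed MAC addresses, IP addresses from private and documentation ranges and an HTTP request as payload; the decoder is general for IPv4/TCP frames and flags, rather than decodes, anything else. The TCP checksum is left zero in the constructed frame and is not verified; the IPv4 header checksum is verified, because a header that does not add up is itself a hint that a packet was crafted or corrupted.

```python
"""Decode one Ethernet/IPv4/TCP frame into per-OSI-layer evidence
(added example, not code from the paper)."""
import socket
import struct
from typing import Dict

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5


def ipv4_checksum(header: bytes) -> int:
    """Ones' complement sum of 16-bit words. Over a header whose checksum
    field is zero it yields the checksum; over a complete header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def tcp_flags(bits: int) -> list:
    return [name for i, name in enumerate(TCP_FLAG_NAMES) if bits & (1 << i)]


def decode_frame(frame: bytes) -> Dict[str, dict]:
    """Peel the frame from the data-link layer up; stop (and say so) where a
    layer is not IPv4 or not TCP instead of guessing."""
    layers: Dict[str, dict] = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["link"] = {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "ethertype": ethertype}
    if ethertype != 0x0800:
        layers["network"] = {"note": "not IPv4, not decoded"}
        return layers
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["network"] = {"src_ip": socket.inet_ntoa(s), "dst_ip": socket.inet_ntoa(d), "ttl": ttl,
                         "protocol": proto, "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    if proto != 6:
        layers["transport"] = {"note": "not TCP, not decoded"}
        return layers
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4
    layers["transport"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                           "flags": tcp_flags(flags), "window": win}
    layers["application"] = {"payload": tcp[doff:]}
    return layers


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a constructed sample frame (PSH|ACK, TCP checksum left 0)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip_no_sum[:10] + struct.pack("!H", ipv4_checksum(ip_no_sum)) + ip_no_sum[12:]
    return eth + ip + tcp


# Constructed sample: a browser on 10.0.0.23 sending an HTTP request (assumed MACs).
SAMPLE_FRAME = build_frame("00:1a:2b:3c:4d:5e", "00:aa:bb:cc:dd:ee", "10.0.0.23", "198.51.100.7",
                           51234, 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")

if __name__ == "__main__":
    for layer, fields in decode_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

Each returned layer maps onto a row of Figure 2.2: the `link` entry is what an Ethernet switch or capture on the local segment can attest to, `network` and `transport` survive across routers and are what firewall and router logs record, and `application` is the content a web-server or proxy log would reflect. Cross-checking these against each other (for example a payload claiming one host while the IP header names another) is one of the correlations the reconstruction phase of Section 1.3 relies on.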