Exam 1 Flashcards
Types of Digital Forensics
Media, Cloud, Network, Mobile, Memory, Audio/Visual, Database/Web Apps, Internet of Things, Reverse-Engineering Malware.
Network Forensics Definition
Sub‐discipline of digital forensics concerned with the monitoring and analysis of computer network traffic for use in cyber crime investigations.
Importance of Network Forensics
Network traffic is volatile data
• Lost after transmission
• Stored in memory and not saved to storage media
PCAP
Full Packet Capture files (PCAPs). Contains bit for bit copies of the packets that traversed the network segment.
Netflow Logs
Contains a summary of network traffic over a period of time.
No actual packet content!
Typical Network Traffic Evidence and Analysis
PCAPS, Netflow Logs, Networking Device Logs, Security Appliance Logs.
PCAP Tools
Packet Sniffer, Protocol Analyzer.
Packet Sniffer
Used to place a NIC in “promiscuous” mode to capture all network traffic packets that traverse the NIC.
Record the packets.
Protocol Analyzer
Used to examine the packets and determine what “type” of data they may contain.
Interpret (“make sense of”) the packets.
Networking Device Logs
Logs created by hubs, switches, and routers of traffic that traversed the device.
Small Buffer window size is a problem (coffee shop logs get lost fast!).
Security Appliance Logs
Firewall/IDS logs of activity.
Only “flagged” or “blocked” special events logged.
Commonly used Network Forensics Tools
TCPDUMP.
Wireshark.
TCPDUMP
Command Line. UNIX‐Based OS.
• Sniffer/Protocol Analyzer
• Capture Filters
• Display Filters
• Partial Packet Capturing
• Headers, no content
• Fast! Very little overhead
• Great for filtering down large PCAPs
Wireshark
GUI. Both UNIX and Windows OS.
• Sniffer/Protocol Analyzer
• Capture Filters
• Display Filters
• Only Full Packet Capture
• Always content
• VERY Slow!
• Do NOT try to open a very large PCAP with Wireshark!
Networking Definition
The process of two or more nodes in a network sharing data over a communication channel.
(Two or more computing devices transmitting bits of data to/from one another over wires/radio waves).
Internet Definition
The Internet came about as a global system of computer networking.
• A globally interconnected Wide Area Network (WAN)
• Uses the protocols of the TCP/IP Protocol Suite
Network Model Definition
A network model compartmentalizes a problem into subtasks.
• Easier to design protocols and applications to handle smaller subtasks.
• Layer them to work together to get the overall job done.
• Theoretical only, to help understand the process.
OSI Model
Open Systems Interconnected (OSI) Reference Model. Consists of 7 Layers.
• Numbered 1‐7
• Upper Layers (5‐7) = Application
• Lower Layers (1‐4) = Data‐Flow
• Please Do Not Throw Special Pizza Away
OSI Layers
Please Do Not Throw Special Pizza Away:
• Physical
• Data Link
• Network
• Transport
• Session
• Presentation
• Application
OSI Model: Layer 1
Physical.
Function: Transmission of binary bits through a medium.
Data Units: Bits
Devices:
• Transmission Medium (Copper/Fiber Optic Cabling and Radio Waves)
• Network Interface Card (NIC)
• Hubs and Repeaters (sort of), Modems
NIC
Network Interface Card.
Interface between the host system and network.
ipconfig shows all NICs.
Responsible for signal transmission on the medium.
Each NIC has its own MAC address.
Doesn’t always match the machine it’s in.
Both Layer 1 and Layer 2 device.
Repeater
Takes an input signal and transmits it back out.
• What comes in one port is transmitted out the other port.
Layer 1 device, but not actually used anymore.
Hub
The input signal in any port is broadcast out all others.
• A multiport repeater
• Broadcasts = no device addressing
• Everybody gets everything transmitted
• Receiver decides if it's for them
Modem
Stands for Modulator‐Demodulator
• Used to transmit binary bits over wavelength transmission media (instead of electrical impulses).
• Does nothing intelligent, just facilitates movement.
OSI Model: Layer 2
Data Link Layer (PHYSICAL)
Function: Define how systems directly connected on same physical network communicate.
• Defines how data is placed onto the medium (wire/waves).
• Physical Network = Local Area Network (LAN)
• Also performs error detection for Layer 1 transmission errors
• Data Units: (802.3 and 802.11) Frames
• Devices: Switches and Bridges (2 port switch), NICs
MAC Sublayer
Media Access Control (MAC) Sublayer (Layer 2).
• Methods for accessing shared transmission medium.
• Organizes data into frames transmitted as bits by Physical Layer.
Physical addressing schema: MAC Addresses
MAC Address Definition
Physical addressing schema for MAC Sublayer.
• Allows physically connected devices to communicate directly
• No more broadcasting! (most of the time).
Associated directly with NICs (globally unique per NIC).
MAC Address Structure
Six bytes in length
• Typically represented in Hex with bytes separated by dashes.
• Sometimes delimited with colons
• First 3 bytes are Organizationally Unique Identifier (OUI)
• Identifies vendor of NIC
• Last 3 bytes are unique to the NIC
Two Main Layer 2 Standards
- IEEE 802.3 – Ethernet
- IEEE 802.11 – WiFi
- Specify a meaningful way to place data as bits on the wire
- Frames
Frame
Data unit of Layer 2 standards used to more intelligently route data to physically connected devices and provide some error checking.
Switch
Learns the MAC Address of all connected devices
• Maps them to ports in Content Addressable Memory (CAM) Table
• Traffic is forwarded to only the port of the specific destination device
• By destination MAC address
• No broadcasting everything!
OSI Model: Layer 3
Network Layer (LOGICAL)
• Function: Internetworking.
• Logically connecting small physical networks (LANs) to one another
• Routing traffic between these LANs
• Provides a means of fragmenting data to fit fixed sizes
• Data Units: (IPv4 and IPv6) Packets
• Devices: Routers, also Layer 3 switches
IPv4 Addresses
“Logical Address”
• Assigned/Maintained by Internet Registries
• 4 bytes (32 bits) in length
• Dotted‐Decimal Notation
• A system’s IP address is made up of:
• Network ID (left bits)
• Host ID (right bits)
Internet Registries
Internet Assigned Numbers Authority (IANA) oversees IP address allocation assignments
• Part of ICANN
• Delegates this authority to RIRs
ICANN
Internet Corporation for Assigned Names and Numbers
RIRs
Regional Internet Registries
IPv4 Classes
The size of a registered block of IP addresses varies depending on the size of the network.
• The size of the block is determined by the “class” of the block.
Class A: N.H.H.H. (Largest)
Class B: N.N.H.H.
Class C: N.N.N.H.
Private IPv4 Addresses
There are special reserved blocks of IPs for private IP addresses
• Can be used by anyone without permission from Registries
• Cannot be used to transmit over the Internet
• Can only be used internally within a network
• Network Address Translation (NAT) allows private IPs to communicate across the Internet
NAT
Network Address Translation.
Allows private IPs to communicate across the Internet.
IPv6 Addresses
Gives us more address possibilities.
Been “transitioning” to this since the 90s.
Represented as 8 groups of four hex digits separated by colons.
IPv4/IPv6 Packets
Data unit of Layer 3 that is used to route traffic between physical networks using IP addressing.
The IP Packet is the PAYLOAD of the Layer 2 Frame.
Router
Main Layer 3 device used to route traffic between non‐physically connected networks by IP address.
• Check to see if traffic is destined for their Network ID
• If yes, forward to the device
• If no, forward to a device that may know where the network with that ID is located.
• They can determine where to forward traffic by their routing table.
OSI Model: Layer 4
Transport Layer.
Function: Setting up end‐to‐end (host‐to‐host) connections
• Data needs to be transmitted in fixed sized segments
• Provides a means of segmenting data and delivering those segments
• Reliability, flow control, and connection‐oriented data stream support (through TCP)
• Provides multiplexing (through port addressing)
• Data Units: TCP Segments or UDP Datagrams
• Devices: N/A
UDP
User Datagram Protocol (datagrams)
• Layer 4
• Connectionless
• Don’t set up a formal connection, just send the data
• Unreliable, send it out and hope they arrive and mostly in order
• No Flow Control
• Positive: Fast Transmission!
• Payload of Layer 3 Packet
TCP
Transmission Control Protocol (segments)
• Layer 4
• Connection‐Oriented
• Set up formal connection before transmitting data
• Reliable, makes sure all data gets to end point, in order, without errors
• Retransmit if necessary
• Flow Control
• Negative: A lot of overhead!
• Payload of Layer 3 Packet
Port Addressing
Ports are used for Layer 4 addressing
• Ports give us multiple endpoints on an end‐host for communications (multiplexing)
• Computer applications can listen on their own ports
• Enables the use of more than one network communicating application at a time
OSI Model: Layer 5
Session Layer.
• Establishes and cleanly terminates communication sessions
• Provides authentication and authorization for sessions
OSI Model: Layer 6
Presentation Layer.
• Translates data from lower layers into a format understandable by the application
OSI Model: Layer 7
Application Layer.
• Protocols used by applications to interface with the user system and network with other applications
TCP/IP Protocol Suite Definition
TCP/IP Model more accurately maps to real‐world internetworking protocols and services.
Uses the TCP Transport protocol in conjunction with the IP Network protocol.
TCP/IP Protocol Suite Layers
Application Layer (Session, Presentation, Application)
Transport (Transport)
Internet (Network) Also called Network.
Network Access (Physical, Data Link) Also called Data Link or Link.
Data Encapsulation Definition
Frames, Packets, Segments/Datagrams
• Each data unit contains the data from the above layer.
• This is called data encapsulation
Data Encapsulation Process
An application has some data to transmit over the network
• The data is segmented into TCP segments or UDP datagrams for transmission and addressed using ports
• Each segment/datagram is the payload of an IP packet addressed to a logical IP address
• Each IP packet is the payload of an 802.3/802.11 frame addressed to a physical MAC address
• The frame is transmitted as bits across the medium
Network Protocols Definition
Formal standards composed of rules, procedures, and formats that specify communication over a network.
Link Layer Protocols
IEEE 802.3 (Ethernet)
IEEE 802.11 (WiFi)
Address Resolution Protocol (ARP)
IEEE 802.3
Ethernet
IEEE Standards (not actually Protocols)
Specifies Link Frame contents for wired communications
• Standardizes cabling and interface requirements
• Standardizes auto-negotiation to allow backwards compatibility
IEEE 802.11
WiFi
IEEE Standards (not actually Protocols)
• Specifies Link Frame contents for wireless communications
• Standardizes frequencies and modulation techniques
ARP
Address Resolution Protocol (ARP)
• ARP maps logical IPv4 addresses to their corresponding physical MAC addresses
• Logical address to physical address mapping
• How we know a system’s MAC address on a physical network.
• Link Layer (2) Protocol
ARP Process
- Devices on the same physical network can directly forward traffic by MAC address
- ARP packets are encapsulated in payload of a frame
- Considered Link Layer because this is a LAN‐based protocol
- Sent to the broadcast MAC address to find whose IP it is.
- Two types of ARP packets: Requests and Replies
LAN
Local Area Network (physical) Small, privately setup and maintained, high speed network covering a small geographic area. Wireless LAN (WLAN) = WiFi.
WAN
Wide Area Network (logical)
• Very large with no geographic restrictions, commonly connecting LANs together
• “Logical” networks
• May be private for enterprise (using leased lines)
• May be publicly accessible by anyone (THE Internet)
What if the IP we request isn’t on our local network?
- The router will see the ARP request (it’s broadcast)
- The router will check its routing table for a path to the IP and respond with its (the router’s) MAC address if it has a path
ARP Cache
- End systems have an ARP Cache
- Dynamically populated by recently resolved ARP requests for faster future transmissions
- May also be made to contain some static entries
Network Layer Protocols
Internet Protocol (IPv4 and IPv6)
Internet Control Message Protocol (ICMP and ICMPv6)
Internet Protocol (IPv4 and IPv6)
Protocols for routing traffic between physical networks (internetworking)
• Route and deliver packets to target based on IP addressing
Internet Control Message Protocol (ICMP and ICMPv6)
- Sends error messages and operational information to network devices
- ICMP datagrams are encapsulated in the payload of an IPv4 packet
- Like ARP, it is considered a Network Layer protocol despite being encapsulated within a Network Layer packet, because it is strictly IP based (no Transport Layer or Application Layer roles here)
Important ICMP Types
- Type 8 (Echo Request) and Type 0 (Echo Reply)
- Type 3 (Destination Unreachable)
- Type 11 (Time Exceeded)
ICMP: Type 8 and Type 0
- Type 8 (Echo Request) and Type 0 (Echo Reply)
- Test reachability of a host by IP address
- Ping utility
ICMP: Type 3
- Type 3 (Destination Unreachable)
- Router informs source host that the requested destination is unreachable
ICMP: Type 11
- Type 11 (Time Exceeded)
- Notify source host that IP packet’s Time‐to‐Live (TTL) value reached zero without reaching destination
- Traceroute utility
TCP Flags
- A TCP Segment contains a “flags” field
- Synchronize (SYN): Used to establish a connection
- Acknowledge (ACK): Acknowledge receipt
- Push (PSH): Push data to receiver
- Reset (RST): Used to reset a connection
- Final (FIN): Release the connection
Application Layer Protocols
DHCP and DHCPv6
DNS
HTTP and HTTPS
File access protocols: FTP, SMB
Mail protocols: SMTP, IMAP, POP
Remote access protocols: Telnet, SSH, RDP, VPNs
DHCP and DHCPv6
Dynamic Host Configuration Protocol
Application Layer Protocol
Dynamically assigns IP addresses to hosts on a network
UDP port 67 (server), UDP port 68 (client)
4 main DHCP operations: DORA
DNS
Domain Name System
Application Layer Protocol
Translate Domain Names to IP Addresses
Primarily uses the connectionless UDP Transport protocol
UDP port 53 (sometimes can use TCP port 53)
Resolves human‐friendly names to their IP addresses that are actually used for network communication
HTTP and HTTPS
Hypertext Transfer Protocols
Application Layer Protocols
File Access Protocols
Application Layer Protocols
File Transfer Protocol (FTP)
Server Message Block (SMB)
Mail Protocols
Application Layer Protocols
Simple Mail Transfer Protocol (SMTP),
Internet Message Access Protocol (IMAP)
Post Office Protocol (POP)
Remote Access Protocols
Application Layer Protocols
Telnet, Secure Shell (SSH)
Virtual Private Networks (VPNs)
Remote Desktop Protocol (RDP)
DORA
4 main DHCP operations:
Discovery, Offer, Request, Acknowledge (DORA)
DHCP Operations
DORA
Client sends DHCP Discovery to broadcast address to find the Server
• Server sends DHCP Offer to offer an available IP address
• Client sends DHCP Request to accept the offer, or to suggest a preferred IP
• Server sends DHCP Acknowledgement to allow the Client to start using the IP address
DHCP Scope
A range of IP addresses that a DHCP server is configured to assign
DHCP Lease
Received by the DHCP client to use the assigned IP address for a fixed amount of time
• Near end of lease, client sends another DHCP Request
• Unless the IP has been reassigned, the server will grant a new lease (Acknowledge)