Network Forensics Flashcards
In network forensics, data collection can be performed using a “Stop, look, and listen” or a “Catch-it-as-you-can” strategy. Concerning the former, select which of the following statements are appropriate.
a. It performs a real-time processing
b. it requires fast processing
c. It requires much larger memory storage than a “Catch-it-as-you-can” strategy
d. Only certain packets are stored
e. All the listened packets are stored
a. It performs a real-time processing
b. it requires fast processing
d. Only certain packets are stored
Which of the following methods can be used to detect whether on a machine there is a sniffer running?
Select one or more:
a. Check for duplicates in the ARP table of a machine.
b. Sending a ping to the suspected machine with a wrong MAC address
c. Check the ping latency
d. Sending a broadcast ARP with a wrong MAC/IP pairing
a. Check for duplicates in the ARP table of a machine.
b. Sending a ping to the suspected machine with a wrong MAC address
c. Check the ping latency
Select among the following, some sniffing tools or software Select one or more: a. Neped b. Wireshark c. Ethereal d. Snort e. Ettercap f. ARP watch
b. Wireshark
d. Snort,
c. Ethereal,
e. Ettercap
Among the following, select the antisniffing softwares or strategies
Select one or more:
a. Wireshark
b. Flooding the network
c. Cyphering the data (PGP, SSH)
d. Snort
e. Add some MAC address permanently in tables
c. Cyphering the data (PGP, SSH)
d. Snort
e. Add some MAC address permanently in tables
Select which of the following softwares and tools can be used to carry on a Man-In-The-Middle attack on a router
Select one or more:
a. Encryption
b. Router Audit Tool (RAT)
c. Ultima Ratio
d. VIPPR
c. VIPPR,
d. Ultima Ratio
Which of the following incidents a DEFR could analyze on a router
Select one or more:
a. The router is infected by a malware performing SYN flood attacks
b. The working state of the router is compromised (DoS)
c. Theft of Information
d. The router is working in promiscuos mode
e. The routing table has been manipulated
b. The working state of the router is compromised (DoS)
c. Theft of Information
e. The routing table has been manipulated
Network-based Intrusion Detection Systems (NIDS) … (select the most appropriate sentences)
Select one or more:
a. … tell if the attack is successful.
b. … raises an alarm during some suspicious network activity.
c. … evaluate network traffic.
d. … monitor a specific protocol.
c. … evaluate network traffic.,
b. … raises an alarm during some suspicious network activity.
Among the following, select the most correct statements concerning Host-based IDS.
Select one or more:
a. HIDS are robust to fragmentation and TTL attack.
b. HIDS can monitor log files, system activities, errors
c. HIDS can detect out-of-band attacks (e.g., juice jacking)
d. HIDS provide a network-wide overview of the attack
e. Maintenance for different HIDS is extremely easy.
a. HIDS are robust to fragmentation and TTL attack.
b. HIDS can monitor log files, system activities, errors
c. HIDS can detect out-of-band attacks (e.g., juice jacking)
Concerning Network-based Intrusion Detection Systems (NIDS), we can state that …
Select one or more:
a. … they work in promiscuous mode.
b. … they do not waste network or CPU resources
c. … they are robust to packet fragmentation and re-assembly
d. … they can experience some problems if the network usage increases.
e. … they are not affected by TTL attacks
a. … they work in promiscuous mode.
b. … they do not waste network or CPU resources
d. … they can experience some problems if the network usage increases.
In signature-based IDS trigger, …
Select one or more:
a. … profiles are dynamic.
b. …it is possible to detect a previously-known attack only.
c. … protection is instantaneous after signature update.
d. … attackers can not pre-configure an IDS-transparent attack.
b. …it is possible to detect a previously-known attack only.
c. … protection is instantaneous after signature update.
In wireless forensics operations, …
Select one or more:
a. … it is necessary to sense multiple frequencies since devices can connect to multiple APS.
b. … storage and processing requirements can be very low for passive devices.
c. … capture time depends on the motion states of the monitored devices
a. … it is necessary to sense multiple frequencies since devices can connect to multiple APS.
c. … capture time depends on the motion states of the monitored devices
The use of honeypot terminals in a network presents some issues. Select the correct ones.
Select one or more:
a. Honeypots compromise the safety of the network.
b. If no damage is done by the attack, no legal claim is possible.
c. Since they are designed to be compromised, we can weaken the monitoring on them.
d. Honeypot are illegal in many countries.
b. If no damage is done by the attack, no legal claim is possible.
Traceback softwares ans strategies can resort to different analysis methods. Select the correct ones.
Select one or more:
a. probabilistic packet marking
b. keeping a distributed marking tables for packets
c. monitoring IP and ports of attacking terminals.
d. packet logging
a. probabilistic packet marking
b. keeping a distributed marking tables for packets
d. packet logging
Among the following, select the wrong statement concerning Network-based IDS.
Select one:
a. They require storage and fast processing capabilities
b. They can detect out-of-band attacks
c. They provide a network-wide overview of the attack
d. They are not robust to fragmentation and TTL attack
b. They can detect out-of-band attacks
In signature-based IDS trigger, ___ (select the correct completion)
Select one:
a. ___ initially, false-positive and negative percentages are very high
b. ___ it is possible to detect a new anomaly
c. ___ protection is instantaneous after database update
d. ___ profiles are dynamically updating
c. ___ protection is instantaneous after database update
Put in the correct order the steps of network forensics: Analysis Collection Examination Incident response Identification Preservation Presentation
- Identification - recognizing and determining an incident based on network indicators.
- Preservation - securing and isolation the state of physical and logical evidence from being altered, such as, for example, protection from electromagnetic damage or interference.
- Collection - recording the physical scene and duplicating digital evidence using standardized methods and procedures.
- Examination - in-depth systematic search of evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis.
- Analysis - determine significance, reconstruct packets of network traffic data and draw conclusions based on evidence found.
- Presentation - summarize and explain drawn conclusions.
- Incident response - The response to an attack or intrusion detected is initiated based on the information gathered to validate and assess the incident.
What are the operating layers in network forensics?
Ethernet analysis
TCP/IP - Router analysis
Internet/Server based analysis
Wireless analysis
Describe the “catch-is-as-you-can” data collection method and how it differs from the “Stop, look and listen” method.
-
Catch-it-as-you-can
- all packets/data are captured
- Large storage needed
- Analysis in batch mode
- Usually at the packet level
- For later analysis
2) Stop, look and listen
- requires a faster processor for incoming traffic
- Each analyzed in memory
- Certain ones are stored
- Usually at the packet level
- Real-time filtering
Difference between Sniffer on shared Ethernet and a sniffer on the Switched ethernet?
Sniffer on shared Ethernet - a machine running a sniffer accepts all the frames regardless of the MAC address (promiscuous mode)
How to detect a sniffer?
- Ping method - send a packet with the IP address of the suspect machine without or with a wrong MAC address. All machines should reject it since MAC does not match. Only the sniffer answers.
- ARP method exploits ARP cache. Sends a non-broadcast ARP, which is cached by a machine in promiscuous mode. Then, send broadcast IP packets with the correct IP but different MAC addresses. Only a machine with the correct MAC address from the sniffed ARP frame will respond.
- Localhost analysis hackers may have compromised your terminal and left sniffers. Use ifconfig and analyze the answer.
- Latency method - most sniffers do some parsing. A huge amount of data is sent through the network, and during the transmission, the suspect machine can be pinged. In promiscuous mode, it parses all packets and therefore, the ping response is delayed. False positives are possible.
- ARP watch - gateway can be spoofed. arpwatch can be used to check the ARP cache of a terminal: look for duplicates. With DHCP there can be many false alarms: increase the IDHCP lease time.
- IDS - snort record IP/MAC pairing of packets. Whenever a mismatch is found, it generates an alert.
Define router forensics.
- Operational troubleshooting
- Log monitoring
- Data recovery
- Data acquisition
List possible attacks on routers.
- Reconnaissance
- Scanning and enumeration
- Gaining access
- Escalation of privilege
- Maintaining access
- Covering tracks and placing backdoors
- DoS attack
- Packet mistreating attacks
- Routing table poisoning
- Persistent attacks
How to gather volatile router data?
- connect to console port; cable and laptop with terminal emulation software
- Record System Time and determine who is logged on
- Save router configuration
- Review routing tables and detect malicious static routes modified by an attacker
- View ARP cache looking for evidence of IP and MAC spoofing
How to process router forensics? Choose the correct ones:
a. Reboot the router
b. Access router through the console
c. Run configuration commands
d. Record all your console session, including actual and router time
e. Run show commands
g. Access the router through the network
h. Record volatile information
i. Rely only on persistent information
DOs
b. Access router through the console
d. Record all your console session, record actual time and router time
e. Run show commands.
h. Record volatile information
What is the common log formats? Select correct ones: a. CVE b. NCSA c. ELF d. NCI
b. NCSA
c. ELF
Describe shortly intrusion detection systems and how they differ from each other.
There are four types of IDS:
- Network Intrusion Detection System (NIDS) monitor the network layer by evaluating network traffic -> sniffers (looking for anomalies).
- Host-based Intrusion Detection Systems (HIDS) operate directly on the computer hosts by the monitoring system.
- Protocol-based Intrusion Detection Systems (PIDS) monitor a specific protocol.
- Application Protocol-based Intrusion Detection System (APIDS) focus on some applications.
How we can do this? -> Firewalls, IDs, computer workstations, anti-virus, databases, end-user applications.
Usually, they do not work jointly.
Select correct statement about HIDS
a. HIDS based on the specific machine, they work locally.
b. NIDS detects attacks, and HIDS tells if they were successful.
c. They can detect attacks that are not visible on the network level.
d. HIDS detects attacks, and NIDS tells if they were successful.
e. It has 2 interfaces: monitor interface (MI) and command and control interface (CCI)
f. it doesn’t do not depend on the resources of host machines (no waste of network and CPU capabilities; no OS compatibility issues).
g. it can be fooled by splitting packets into multiple chunks (which are reassembled at the receiving host) or manipulating the TTL.
a. HIDS based on the specific machine, they work locally.
b. NIDS detects attacks, and HIDS tells if they were successful.
c. They can detect attacks that are not visible on the network level.
What are the problems in NIDS?
- Bandwidth - Network probes must receive all network traffic, reassemble that traffic, and analyze the traffic. Network size can increase as well: the NIDS system must scale.
- Packet fragmentation and reassembly -Hackers conceal their activity from NIDS by fragmenting their packets: the packet needs to be reassembled (first to last or last to first) to be analyzed. No problem if no overlapping occurs: hackers send overlapped packets.
- TTL manipulation
- Encryption - data can not be seen if encrypted: place sensors outside the encrypted channel.
How does an attacker perform a TTL manipulation attack?
§ TTL field of TCP/IP packets specifies how long a packet should be considered valid (1-255). § Each time a packet passes through a router, TTLçTTL -1
§ TTL = 0, the packet is discarded.
§ Attacker sends packet with low TTL to create fake traffic
hiding attacking packets (high TTL)
Define IDS trigger mechanisms and their difference.
Anomaly detection (Profile based) - analyzes computer activity and network traffic looking for anomalies.
Anomaly - deviation from what is defined as normal (by the system administrator) -> user group profile.
Misuse detection (Signature-based) - use signature files to detect intrusive activity.
Select correct one about IDS triggers
- Profile-based
- Signature-based
a. Intruders do not know if they generate alarms
b. Profiles are dynamic
c. Detect internal
d. High initial prep time
e. Files created on known attack
f. Given the files, protection is instantaneous
g. Easier to understand and configure
h. Hard to understand
i. Defining normal behaviour can be difficult
j. With constant updates as users’ habits change
k. Inability to detect new or unknown attacks
l. Inability to detect variations of known attacks
m. No protection during training
n. Signature database administration
o. Sensors must maintain state information
Anomaly detection (Profile based) Proc: 1. Intruders do not know if they generate alarms 2. Detect internal attacks 3. Profiles are dynamic
Cons:
- High initial prep time
- No protection during training
- With constant updates as users’ habits change
- Defining normal behaviour can be difficult
- False positives, false negatives
- Hard to understand
Misuse detection (Signature-based) Pros: 1. Files created on known attack 2. Given the files, protection is instantaneous 3. Easier to understand and configure
Cons:
- Inability to detect new or unknown attacks
- Inability to detect variations of known attacks
- Signature database administration
- Sensors must maintain state information
What are the traceback solutions?
Logging packets as key routers and later mining them for attack path reconstruction
Packet-marking places part or the complete address of the router into the IP packet randomly with a fixed probability or only once deterministically.
There are also Hybrid traceback approaches that integrate packet marking and packet logging to achieve the advantages of both the techniques:
Match traceback solutions with related features
- Logging packets
- Packet-marking
- Hybrid traceback
a. distributed link list traceback (DLLT): router marks a packet, stores current IP address and packet ID in the marking table
b. hierarchical IP traceback system (HITS)
c. hybrid single packet IP traceback (HIT)
d. autonomous management network (AMN): monitoring manager receives requests from sensors.
e. deterministic packet marking (DPM)
f. deterministic edge router marking (DERM)
g. probabilistic packet marking (PPM)
h. fast internet traceback (FIT): uses a fragment of the hash, the number of fragments and a distance field
i. advanced and authenticated packet marking (AAPM): 8-bit hash of the address
j. source path isolation engine (SPIE): hash of multiple fields in the packet.
k. algebraic packet marking (APM): algebraic techniques to calculate 15-bit marks as points on polynomials.
l. logging and deterministic packet marking (LDPM)
- Logging packets
- source path isolation engine (SPIE): hash of multiple fields in the packet.
- autonomous management network (AMN): monitoring manager receives requests from sensors. - Packet-marking
- probabilistic packet marking (PPM)
- advanced and authenticated packet marking (AAPM): 8-bit hash of the address
- algebraic packet marking (APM): algebraic techniques to calculate 15-bit marks as points on polynomials.
- fast internet traceback (FIT): uses a fragment of the hash, the number of fragments and a distance field
- deterministic packet marking (DPM)
- deterministic edge router marking (DERM) - Hybrid traceback
- distributed link list traceback (DLLT): router marks a packet, stores current IP address and packet ID in the marking table
- hierarchical IP traceback system (HITS)
- hybrid single packet IP traceback (HIT)
- logging and deterministic packet marking (LDPM)
Select Network forensics analysis tools for wireless forensics:
a. Wireshark
b. Sandstorm NetIntercept
c. shark
d. Niksun NetVCR
e. Netcat
f. Trust Network Forensics
g. grep, tcpdump
h. Ethereal
i. Hunt
j. Snort
Commercial:
b. Sandstorm NetIntercept
d. Niksun NetVCR
f. Trust Network Forensics
Open-source:
a. Wireshark
g. grep, tcpdump
c. shark
In wireless forensics with enough data and a proper tool, encrypted traffic can be overcome.
a. True
b. False
True
Collecting enough wireless traffic leads to the estimation of the WEP key (a.w.a. WEP+, …)
In wireless forensics with enough data and a proper tool, encrypted traffic can be overcome.
a. True
b. False
True
Collecting enough wireless traffic leads to the estimation of the WEP key (a.w.a. WEP+, …)
Define Network forensics operations.
-
Multi-sensors data fusion - collect the logs from all network security products, deployed in the entire network and perform data fusion.
- packet analyzers (Wireshark / tcpdump)
- intrusion-detection systems(snort),
- routers,firewalls,log servers,etc.
- alerts generated by IDS,
- statistics from protocol analyzers and attack information by observing various threshold values
Dempster-Shafer’s theory for information fusion determines the validity of the attack.
2. Identification of Attack Events - A large amount of memory and storage is usually required; network events useful for investigative requirements need to be identified and an effective mechanism is to be in place to identify attack features from the traces.
- Attack Reconstruction - Important events involving intruders’ interaction with the compromised system are reconstructed and the methodology of the attackers is analyzed.
- Traceback and Attribution - determining the origin of a packet.
Techniques based on packet marking, packet logging or hybrid approaches.
Attribution relies on analyzing the data packets transmitted, applications being run, and protocols violated.
- Incident Response - traffic patterns are observed and are to be launched immediately when the alerts begin; the attacker must not be aware of the response. Detection and validating the incident by reviewing pertinent logs, network topology, etc.
It determines the vulnerability exploited in the compromise of a system and enforces protection against exploitation of the same on other systems. It develops a strategy regarding containment, eradication, recovery, and investigation.
Eavesdropping on cabled and wireless networks: provide a description of the main shipping strategies and their countermeasures
Describe the different IDS that can be integrated in a network. Discuss their characteristics, advantages and disadvantages
