14.4 Connecting Networks using Internet Protocols

Like people who do not speak the same language, two hosts using different network technologies cannot communicate directly. So, a host using FDDI cannot communicate directly with a host using Ethernet. There are two methods of enabling communication between hosts using different network technologies: translators and common languages (Figure 14.7). As with the use of professional translators and common languages like Esperanto, in the computer-networking world there are translators (e.g. translating bridges) and common languages - called internet protocols (e.g. TCP/IP, TP-4/CLNP).

Figure 14.7: Dissimilar networks connected using a common language to form an internet.

For instance, suppose that Barbara the Bookie decides to connect her servers using FDDI and her workstations using wireless 802.11a technology because it is too difficult to run wires through the concrete walls of the hurricane-proof bunker that houses her network (Figure 14.8). She also wants to use AmTote[12] automated totalisator systems that use Ethernet to connect to racetracks and other sports betting venues. Additionally, Barbara the Bookie wants to connect her network to her Internet Service Provider using an ATM link. These networks are essentially speaking different languages. If Barbara just wanted to connect the AmTote systems with her servers on the FDDI network, it might make sense to use a specialized translator to convert from Ethernet to FDDI. However, when connecting many dissimilar networks it is more efficient to join them using devices with the necessary network interface cards and then use a common internet protocol like TCP/IP that every host can understand. This approach is more flexible and scalable, making it easier to modify and expand the network.

Figure 14.8: Barb the Bookie's Network.

Currently, the most widely used internet protocols are the Transport Control Protocol (TCP), the User Datagram Protocol (UDP), and the Internet Protocol (IP). These protocols, along with a few supporting protocols, are collectively referred to as the TCP/IP internet protocol suite - TCP/IP for short. In some respects, TCP/IP is the Internet - currently every host attached to the Internet uses TCP/IP to communicate (Figure 14.9).

Figure 14.9: Conceptual depiction of TCP/IP with arrows indicating communication between modules.

To deal with digital evidence on the Internet, digital investigators need a solid understanding of TCP/IP. To understand how TCP/IP works, it is useful to think of it in terms of layers as defined in the Open System Interconnection (OSI) reference model (Figure 14.10). Notably, TCP/IP was developed before the OSI model was formalized and, therefore, does not conform completely to the model. However, there are enough areas of similarity to discuss TCP/IP in terms of the OSI model. A layer model is useful to digital investigators because it provides a framework for understanding evidence, the operation of the technology, how data are created and transported on networks, and associated error, uncertainty, and loss. Examining each layer helps digital investigators develop a mental model of where evidence can be found on networks and how to collect and examine that evidence. They can then apply this generalized mental model to specific networks of any kind.

Figure 14.10: A simplified depiction of the Open System Interconnection layers showing where TCP/IP fits.

The OSI reference model divides internets into seven layers: the physical, data-link, network, transport, session, presentation, and application layers. IP and TCP are network and transport layer protocols, respectively.

Each layer of the OSI model performs specific functions and hides the complexity of lower layers. For example, Barbara the Bookie's Wireless and Ethernet networks occupy the lowest layers of the Internet - the Physical and Data-link layers. A common language like TCP/IP at the Network and Transport layers enables hosts on ARCNET Plus, Ethernet, FDDI, ATM, and 802.11 networks to communicate with each other. The Session, Presentation, and Application layers make it easier for humans to use the network - hiding the inner workings of the lower layers. Provided all networks follow this model, they will be able to interconnect with relative ease.

The OSI reference model is described here briefly and is discussed in more detail in subsequent chapters.

14.4.1 Physical and Data-Link Layers (Layers 1 and 2)

The physical layer refers to the actual media that carries data (e.g. telephone wires, fiber optic cables, radio signals, and satellite transmissions). This layer is not concerned with what is being transported, but without it there would be no connection between computers. While the upper layers enable communication between distant computers, the data-link layer enables basic connectivity between computers that are close to each other. For example, when two hosts are connected by a single wire, the data-link layer puts data into a form that can be carried by the wire and processed by the receiving computer. For instance, hosts connected via modems generally use the Point-to-Point Protocol (PPP) to communicate. Hosts connected using network technologies described earlier in this chapter such as Ethernet use their own cards, cables, and protocols to communicate.[13]

The data-link layer has session-like aspects, establishing, maintaining, and terminating point-to-point connections between neighboring machines. Also, the data-link layer uses addresses to direct data, but these addresses are only used locally when data are being transmitted between hosts that are not separated by routing equipment.[14] In short, the data-link layer is responsible for local communications between hosts, and once routing, large distances, and multiple networks are involved, the network layer takes over. In addition to formatting and transmitting data according to the specifications of the network technology being used (e.g. Ethernet, 802.11, PPP), the data-link layer ensures that data were not damaged during transmission. Without the data-link layer, data would be sent down from the upper layers and would reach a dead end. Computers would not be able to communicate at all.

The physical and data-link layers are a gold mine from a digital evidence perspective. The Media Access Control (MAC) addresses described earlier in this chapter are part of the data-link layer and can be used to identify a specific computer on a network. These addresses are more identifying than network layer addresses (e.g. IP addresses) because they are generally associated with hardware inside the computer (IP addresses can be reassigned to different computers). Switches and other layer 2 network devices may also contain useful information. Additionally, all information traveling over a network passes through the physical layer. Individuals who can access the physical layer have unlimited access to all of the data on the network (unless it is encrypted). Digital investigators can dip into the raw flow of bits traveling over a network and pull out valuable nuggets of digital evidence. Conversely, criminals can access the physical layer and gather any information that interests them.

CASE EXAMPLE

start example

Someone within an organization configured his/her computer with the CEO's IP address and sent offensive e-mail messages, making it appear that the CEO had sent them. As soon as they were informed of the problem, the computer security department started monitoring network traffic that appeared to come from the CEO's IP address in the hope that they would catch the perpetrator in the act. Unfortunately, word of the investigation leaked out and the perpetrator did not repeat the offense. Fortunately, information gathered from a router early in the investigation showed that the CEO's IP address had been temporarily associated with the MAC address of another computer. This MAC address was used to locate the offending computer, which belonged to a disgruntled member of the software development department. An examination of the computer confirmed that it had been involved and the disgruntled employee had been using it at the time the messages were sent.

end example
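The IP-to-MAC correlation that resolved the case above, as an added example that is not from the book: it assumes periodic snapshots of a router's ARP table in a constructed one-line-per-entry format (real routers and monitoring tools format this differently) and shows how to find when an IP address moved to a different network card, which card held it at a given time, and which other addresses that card has used.

```python
"""Correlating an IP address with MAC addresses over time from router ARP snapshots.

Input format (constructed for this example; real routers and ARP monitors
differ): one line per ARP-table entry, "<ISO timestamp> <ip> <mac> <interface>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: periodic dumps of a router's ARP table. The address
# 10.1.1.5 normally belongs to 00:a0:c9:12:34:56 but is briefly claimed by
# another card (00:50:56:ab:cd:ef) during the window of interest.
SAMPLE_ARP_LOG = """\
2003-05-12T09:00:00 10.1.1.5 00:a0:c9:12:34:56 FastEthernet0/1
2003-05-12T09:00:00 10.1.1.7 00:50:56:ab:cd:ef FastEthernet0/1
2003-05-12T09:15:00 10.1.1.5 00:50:56:ab:cd:ef FastEthernet0/1
2003-05-12T09:30:00 10.1.1.5 00:50:56:ab:cd:ef FastEthernet0/1
2003-05-12T09:45:00 10.1.1.5 00:a0:c9:12:34:56 FastEthernet0/1
2003-05-12T09:45:00 10.1.1.7 00:50:56:ab:cd:ef FastEthernet0/1
"""


def parse_arp_log(text):
    """Return {ip: [(timestamp, mac), ...]}, each list sorted by time."""
    timeline = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac, _iface = line.split()
        timeline[ip].append((datetime.fromisoformat(ts), mac.lower()))
    for entries in timeline.values():
        entries.sort()
    return dict(timeline)


def mac_changes(timeline):
    """Return [(ip, when, old_mac, new_mac)] for every snapshot in which an IP's MAC differs from the previous one."""
    changes = []
    for ip, entries in timeline.items():
        prev_mac = None
        for when, mac in entries:
            if prev_mac is not None and mac != prev_mac:
                changes.append((ip, when, prev_mac, mac))
            prev_mac = mac
    return changes


def mac_for_ip_at(timeline, ip, when):
    """MAC most recently observed for `ip` at or before ISO time `when`, or None if never seen."""
    when = datetime.fromisoformat(when)
    answer = None
    for ts, mac in timeline.get(ip, []):
        if ts <= when:
            answer = mac
        else:
            break
    return answer


def hosts_ever_using_mac(timeline, mac):
    """All IPs a given MAC has been seen with (the suspect card's own usual address included)."""
    mac = mac.lower()
    return sorted(ip for ip, entries in timeline.items() if any(m == mac for _, m in entries))


if __name__ == "__main__":
    tl = parse_arp_log(SAMPLE_ARP_LOG)
    for ip, when, old, new in mac_changes(tl):
        print(f"{when.isoformat()} {ip}: {old} -> {new}")
    print("MAC using 10.1.1.5 at 09:20:", mac_for_ip_at(tl, "10.1.1.5", "2003-05-12T09:20:00"))
    print("IPs seen with the suspect MAC:", hosts_ever_using_mac(tl, "00:50:56:ab:cd:ef"))
```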

14.4.2 Network and Transport Layers (Layers 3 and 4)

The network layer is responsible for routing information to its destination using addresses, much like a postal service that delivers letters based on the address on the envelope. If a message must pass through a router to get from one place to another, this layer will include appropriate instructions in the message to help the router direct the message properly. The transport layer is responsible for managing the delivery of data and has some features that are similar to the session layer. For example, the transport layer establishes, maintains, manages, and terminates communications between hosts. The transport layer divides large messages into smaller, more manageable parts and keeps track of the parts to ensure that they can be reassembled or retransmitted when necessary. If desired, the transport layer will confirm receipt of data, like a registered mail service that gives the sender a confirmation when the letter reaches its destination. When data are lost in transit, the transport layer will resend it if desired.

start sidebar

Preview (Chapter 16): It is not especially difficult to access the physical layer and eavesdrop on network traffic. One method of eavesdropping is to gain physical access to network cables and use specially designed eavesdropping equipment. However, it is much easier to gain access to a computer attached to a network and use that host to eavesdrop. With the proper access privileges and software, a curious individual can listen into all traffic on a network. Computer intruders often break into computer systems and run programs called sniffers to gather information. Also, employees can run sniffers on their computers, allowing them to read their co-workers' or employer's e-mail messages, passwords, and anything else that travels over the network.

end sidebar

These session-like functions exist in both the session and transport layers because one long-lasting session between a client and server can consist of multiple, shorter duration TCP connections that are effectively subsessions. While TCP maintains these subsessions, ensuring that individual packets (a.k.a. datagrams) are delivered, the session layer maintains the overall continuity of the connection, hiding the underlying discontinuities from the user. For instance, when an individual connects to a remote file server and establishes an NFS or NetBIOS session, he/she can come back to this connection several hours later and still access the remote server even though the original TCP connection was terminated long ago and a new TCP connection must be established.

start sidebar

Preview (Chapter 17): The transport layer is also responsible for keeping track of which application each piece of data is associated with (e.g. part of an e-mail message or Web page). Port numbers are used to help computers determine what application each piece of data is associated with.

end sidebar

The network and transport layers are ripe with digital evidence. This is largely because these layers play such an important role in internetworking. Addresses on the network layer (e.g. IP addresses) are used to identify hosts and direct information. Technically proficient criminals can alter this addressing and routing information to intercept or misdirect information, break into computers, hide their location (by using someone else's IP address), or just cause general mischief. Conversely, digital investigators can use this addressing information to determine the source of a crime. On Internet Relay Chat (IRC) networks, some criminals shield their IP address, a unique number that identifies the computer being used, to make it more difficult for an investigator to track them down. Another chat network called ICQ purposefully enables their users to hide their IP address to protect their privacy. However, an investigator who is familiar with the network and transport layers can uncover these hidden IP addresses quite easily as described in Chapter 17.

Computer intruders often use programs that access and manipulate the network and transport layers to break into computers. The simple act of gaining unauthorized access to a computer is a crime in most places. However, the serious trouble usually begins after a computer intruder gains access to a host. A malicious intruder might destroy files or use the computer as a jump off point to attack other systems or commit other crimes. There is usually evidence on a computer that can show when an individual has gained unauthorized access. However, clever computer intruders will remove incriminating digital evidence.

It is important to note that many of the activities on the application layer generate log files that contain information associated with the network and transport layers. For example, when an e-mail message is sent or received, the time and the IP address that was used to send the message are often logged in a file. Similarly, when a Web page is viewed, the time and the IP address of the viewer are usually logged. There are many other potential sources of digital evidence relating to the network and transport layers. A clear understanding of these layers can help digital investigators locate and interpret these sources of digital evidence.

14.4.3 Session Layer (Layer 5)

The session layer coordinates dialog between hosts, establishing, maintaining, managing, and terminating communications. For example, the session layer verifies that the previous instruction sent by an individual has been completed successfully before sending the next instruction. Also, if the connection between two hosts has been lost, the session layer can sometimes reestablish a connection and resume the dialog from the point where it was interrupted.

The clearest implementation of the session layer is Sun's Remote Procedure Call (RPC) system. RPC enables several hosts to operate like a single computer - sharing each other's disks, executing commands on each other's systems, and sharing important system files (e.g. password files). On UNIX, the Network File System (NFS) and Network Information System protocols depend on RPC. Microsoft uses its own RPC system to enable hosts to share resources. Commands like showmount on Unix and nbtstat on Windows can be used to display information relating to these kinds of sessions provided they are still active. Also, as noted in Chapters 10 and 11, remnants of such sessions can sometimes be found in configuration files and in unallocated space of a hard drive. However, these kinds of sessions are often temporary, and it can be difficult to determine later when they were established or used unless an intrusion detection system or some other form of network logging mechanism (such as NetFlow or Argus logs) recorded the activity.

CASE EXAMPLE

start example

An organization feared that a competitor stole intellectual property from one of their Windows file servers but could find no evidence on the system to confirm their suspicions. The Security Event log did show a suspicious remote logon using an Administrator account but the log did not record the intruder's IP address. Also, it was not clear from the Event logs whether the intruder had downloaded the proprietary information. Fortunately, an intrusion detection system had not only recorded the IP address of the intruder but also captured the associated network traffic. This network traffic revealed that the intruder connected from the competitor's network, had used an Administrator account to establish a NetBIOS session with the file server, and had downloaded the proprietary data to a computer.

end example

Given the limited amount of session-related information that persists on computers and networks, it is not covered separately in this text. Instead, digital evidence relating to sessions is presented in the context of other network layers that may record the activity.

14.4.4 Presentation Layer (Layer 6)

When necessary, the presentation layer formats and converts data to meet the conventions of the specific computer being used. This reformatting is necessary because not all computers format and present data in the same way. Some computers have different data formats and use different conventions for representing characters (ASCII or EBCDIC). This is analogous to an exclusive restaurant or club that requires men to wear jackets and ties and will provide these items of clothing to those who do not have them to make them "presentable." Without the presentation layer, all computers would have to be designed in exactly the same way to communicate. Rather than design all computers to process data in exactly the same way, presentation layer protocols have been developed to facilitate communication (e.g. OSI's ASN.1 and Sun's XDR). This layer does not have much evidentiary value and will not receive further attention in this text.

14.4.5 Application Layer (Layer 7)

The application layer provides the interface between people and networks, allowing us to exchange e-mail, view Web pages, and utilize many other network services. Without the application layer, we would not be able to access computer networks. Because the application layer is essentially the user interface to computer networks, it is the most widely used layer and so can be awash with evidence of criminal activity. On this layer, e-mail, the Web, Usenet, Chat rooms, and all of the other network applications can facilitate a wide range of crimes. These crimes can include homicide, rape, torture, solicitation of minors, child pornography, stalking, harassment, fraud, espionage, sabotage, theft, privacy violations, and defamation.

It is no secret that there are national and international pedophile rings, so it should be no surprise that these rings use the Internet. Nonetheless, the amount of evidence of child abuse on the Internet and the numbers of pedophile rings using the Internet has astonished the most veteran crime fighters.

CASE EXAMPLE (UNITED STATES v. ROMERO 1999):

start example

Richard Romero was charged with kidnapping a 13-year-old boy with the intent to engage in sexual activity. Romero befriended the boy on the Internet, initially posing as a young boy himself. Romero persuaded the boy to meet him at a Chicago hotel and travel with him to Florida. After the boy's mother alerted police of her son's absence, a taxi driver reported driving Romero and the boy to a bus station and investigators were able to arrest Romero before he and the boy reached their destination. The FBI found child pornography on Romero's computer and evidence to suggest that Romero frequently befriended young boys on the Internet.

end example

In addition to depositing digital evidence on the Internet, recall from Part 2 of this text that many programs leave corresponding traces of network activities on personal computers that can point to or be correlated with evidence on the Internet. Web browsers often keep a record of all Web pages visited and temporary copies of materials that were viewed recently. Some e-mail applications retain copies of messages after they are deleted. The process of analyzing common forms of digital evidence on the Internet is covered in Chapter 18.

There are many other Internet applications each with their own investigative and evidentiary challenges and benefits. For example, Hotline Server is a very compact program that enables individuals to turn their personal computers into servers that provide a variety of services including file transfer and chat. Using a Hotline Client, anyone on the Internet can connect directly to a host running the Hotline server to upload or download files. Access to a Hotline Server can be password restricted. This is very similar to a Bulletin Board System (BBS) but is much easier to use. There is currently no reliable way to find Hotline Servers that people want to keep secret - and this makes it more difficult to detect illegal activity. Also, because no central servers are involved, the only evidence of a crime is on the individual computers involved. Fortunately, the Hotline Server can keep a record of every IP address that connects to the server, and every file that is downloaded or uploaded will be noted. This can be a useful source of digital evidence. One should look carefully at every new computer application encountered to determine what kind of digital evidence it can provide as described in Chapter 10.

14.4.6 Synopsis of the OSI Reference Model

Figure 14.11 shows how various things fit into the OSI reference model. We can see how the OSI model applies to the Internet by looking at how a Web browser accesses the Internet (Figure 14.12).

Figure 14.11: Graphical synopsis of the OSI reference model.

Figure 14.12: How a Web browser accesses the Internet as seen through the OSI model.

Tools such as NetIntercept can be used to capture network traffic and extract portions for analysis such as the Web page in Figure 14.13. Note that the right section of the screen displays each layer of the Web page traffic from the Ethernet frame (layers 1 and 2), to the IP datagram (layer 3), TCP header (layer 4), HTTP portion (layer 7), and ultimately the contents of the Web page itself.

Figure 14.13: NetIntercept (http://www.sandstorm.com) showing components of a Web page both in OSI layers and content recovered from network traffic.
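The layered decoding that Figure 14.13 shows, as an added example that is not from the book or from NetIntercept: a small Python decoder walks a constructed Ethernet frame through the IPv4 header (verifying its checksum), the TCP header, and the HTTP request, returning the fields recovered at each layer. The MAC addresses, IP addresses, ports and sequence numbers are illustrative values.

```python
"""Decoding one captured HTTP request layer by layer: Ethernet frame (layers
1-2), IPv4 datagram (3), TCP segment (4), HTTP text (7).

The frame is constructed here (not a real capture); addresses, ports and
sequence numbers are illustrative values.
"""
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"      # sport, dport, seq, ack, data offset, flags, window, csum, urgent


def ipv4_checksum(header):
    """RFC 791 header checksum: one's complement of the one's complement 16-bit sum.
    Returns 0 when run over a header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame():
    """Construct an Ethernet/IPv4/TCP frame carrying a small HTTP GET."""
    http = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    # Data offset 5 (20-byte header), flags PSH|ACK; TCP checksum left 0 (not verified here)
    tcp = struct.pack(TCP_HDR, 1037, 80, 0x1000, 0x2000, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(http)
    fields = [0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, bytes([10, 1, 1, 5]), bytes([192, 0, 2, 10])]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))  # fill in the real header checksum
    ip = struct.pack(IPV4_HDR, *fields)
    # Ethernet: destination MAC, source MAC, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("00a0c9abcdef") + bytes.fromhex("00a0c9123456") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + http


def decode_frame(frame):
    """Return {layer_name: fields} for each layer that can be recovered from the frame."""
    layers = {}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["ethernet"] = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "type": ethertype}
    if ethertype != 0x0800:  # not IPv4: nothing more this decoder understands
        return layers
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["ip"] = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
                    "protocol": proto, "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    if proto != 6:  # only TCP is decoded further
        return layers
    tcp = ip[ihl:total_len]  # total length bounds the segment; any trailing frame padding is dropped
    sport, dport, seq, ack, off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, tcp[:20])
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}
    payload = tcp[(off >> 4) * 4:]
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        head, _, body = payload.partition(b"\r\n\r\n")
        request_line, *header_lines = head.decode("ascii", "replace").split("\r\n")
        method, path, version = request_line.split(" ", 2)
        headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
        layers["http"] = {"method": method, "path": path, "version": version, "headers": headers, "body": body}
    return layers


if __name__ == "__main__":
    for name, fields in decode_frame(build_sample_frame()).items():
        print(name, fields)
```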

[12]http://www.amtote.com

[13]A hub joins hosts at the physical level whereas a switch joins them at the data-link layer. When computers are connected with a hub it is as though they were connected with a single wire and any one of them can easily eavesdrop on the network traffic of all other connected hosts. Conversely, switches use MAC addresses to direct traffic to just the intended computer, making eavesdropping more difficult.

[14]Some routers can direct traffic between two machines on the same physical network segment using their MAC (layer 2) addresses thus avoiding the delay that would be caused by peeling away the layer two encapsulation to see the IP (layer 3) addresses. Notably, this only works for machines directly connected to the router - data destined for distant hosts must be routed using their IP addresses because the router cannot easily discover their MAC addresses.

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279