16.4 Documentation, Collection, and Preservation



A common approach to collecting digital evidence from the physical layer is using a sniffer. Sniffers put NICs into "promiscuous mode" forcing them to listen in on all of the communications that are occurring on the network.

Because switches prevent one host on the network from monitoring other hosts' traffic, computer intruders often simply monitor traffic to and from the computer they have broken into. Some computer intruders have been known to record themselves unwittingly with their own sniffer when they return to examine the captured traffic. This is analogous to someone setting up a video camera to tape an area, returning to check that the camera is working (recording themselves in the process) and leaving the camera to tape more activities. Obtaining such a recording makes it easier to track an intruder (Figure 16.6).

Figure 16.6: Computers connected at the physical level are vulnerable to eavesdropping.

Other criminals take steps to protect themselves against eavesdropping using encryption. It is virtually impossible to break strong encryption. For example, computer intruders who are aware that investigators might try to monitor sessions will encrypt them using software like Secure Shell (SSH). However, even if data are encrypted, collecting and analyzing the network traffic can be informative. For instance, if hundreds of packets containing encrypted data were traveling between two individuals while one of them committed a crime, the second person may well be an accomplice and there may be probable cause to search the second person's computer or property.

Collecting network traffic using a sniffer can be invasive and resource consuming, very much like wiretapping, and there are strict laws that must be adhered to when intercepting communications, as described in Chapter 3. It is possible to limit the invasiveness of this evidence collection method by only recording packet header information, not the contents (a.k.a. payload). Some operating systems come with sniffers (e.g. tcpdump on Linux, snoop on Solaris) but these are not necessarily the best platforms to use. Operating systems like Windows and Linux are not particularly efficient at capturing network traffic on high-speed networks and become overloaded, failing to collect important data. Windows systems may be suitable for 10BaseT segments and Linux may be suitable for 100BaseT networks. The most reliable operating systems for collecting Gigabit network traffic are OpenBSD and FreeBSD (Garfinkel 2002).

16.4.1 Sniffer Placement

Sniffers can be used on a network in a variety of ways; to appreciate the limitations of each approach, consider a computer intrusion investigation. After an intruder gains unauthorized access to a Linux host, investigators could use tcpdump on the compromised system to collect network traffic to and from the compromised host. However, using the compromised system to collect evidence may destroy other evidence on the system. Furthermore, the intruder could have modified the tcpdump program to conceal or destroy evidence. Instead, investigators could use a nearby host on the same network segment to monitor traffic to and from the compromised host. However, this approach to collecting network traffic as evidence is only effective when computers are connected with a hub. Recall that a switch prevents one host on the network from monitoring traffic to other hosts.

When a switch is involved, one approach is to utilize a feature in switches called Switched Port Analyzer (SPAN). A SPANned port (a.k.a. mirrored port) enables eavesdropping by copying network traffic from one port on the switch to another. However, a SPANned port only copies valid Ethernet packets, does not duplicate all error information, and the copying process receives lower priority than routine data transmission, which may increase the number of dropped Ethernet frames. These shortcomings are a concern when collecting evidence because they can interfere with a complete and accurate copy of the network traffic. To avoid these shortcomings, a hardware tap such as those made by Finisar[4] or NetOptics[5] can be used to connect more than one device to the switch port of interest. In this way, a sniffer can collect an exact copy of network traffic and any error information relating to the switch port can also be collected. Error information is important from a documentation standpoint because it shows if any frames were dropped. The main limitation of using a SPANned port or a hardware tap is that the sniffer cannot see local traffic between computers on the same subnet, only traffic entering and leaving the subnet through the switch. Special switches are available that can be configured to give a sniffer access to all traffic passing through the switch, including local traffic.

In the previous discussion, a sniffer was being installed on the same physical network segment as the compromised host. However, a sniffer can be installed at different locations on a network to capture specific information. For instance, if investigators are interested in traffic to and from an individual's home computer, they can install a sniffer on the suspect's Internet Service Provider network. The DCS1000 (a.k.a. Carnivore) used by the FBI can detect which IP address is assigned to a given dial-up user and monitor only traffic to and from that IP address. In other situations, when all traffic entering a large network might contain digital evidence, a sniffer can be placed near the main point of entry to the network such as the Internet border. Some organizations install Argus probes and intrusion detection systems (essentially special purpose sniffers) at such points on their network to detect attempted intrusions and other anomalies. Logs from these systems can be very useful in an investigation and if more organizations maintained such logs it would be much easier to track down offenders. Although an organization may have the legal right to monitor network traffic it may have policies against such monitoring given the potential privacy violation.

Be aware that it is not possible to use a sniffer when connected to a network via a modem. Unlike NICs, modems cannot be put into promiscuous mode. Furthermore, for a sniffer to work, the computer must be on the same network as the computers being sniffed. Since there are only two modems connected to a dial-up connection (one at each end) there are no other computers to sniff.

16.4.2 Sniffer Configuration

As noted at the beginning of this chapter, sniffers can capture entire frames, so this form of eavesdropping also collects evidence from the transport and network layers. However, by default some sniffers (e.g. tcpdump[6]) only capture the first 68 bytes of each Ethernet frame, resulting in an incomplete copy of network traffic. Therefore, when collecting evidence, it is important to configure whichever sniffer is being used to collect complete frames. Most modern Ethernet networks use a maximum frame size of 1514 bytes but higher speed networks such as ATM have larger Maximum Transfer Units (MTU). To ensure that the entire frame is collected, it is generally advisable to configure sniffers with a large maximum value such as 65535 bytes (Ethereal uses 65535 as a default).

When collecting network traffic, the de facto standard is to store the data in a tcpdump file with a ".dmp" extension. For instance, the following command stores all network traffic in a tcpdump file named case001-04032003-01.dmp and also specifies a maximum capture size of 65535 bytes per frame:

    examiner1% tcpdump -w case001-04032003-01.dmp -s 65535
    tcpdump: listening on eth0
    ^C
    5465763 packets received by filter
    0 packets dropped by kernel
    examiner1% md5sum case001-04032003-01.dmp
    3bd1154c4f3cb6813c074e404cf9ca10 case001-04032003-01.dmp

Once the collection process is complete, the MD5 value of the tcpdump file can be calculated to document its integrity and the data can be preserved on CD-ROM or some other write-once medium.
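The effect of the snapshot length on a capture file is easy to see in the libpcap format that tcpdump writes: every record carries both the number of bytes saved (incl_len) and the number of bytes that were on the wire (orig_len), so a truncated capture can be detected after the fact by comparing the two. The following added example (not code from the book) is a small pure-Python writer and reader for that format. It writes two constructed Ethernet frames, a 60-byte minimum-size frame and a 1514-byte full-size frame built from made-up locally administered MAC addresses, once with tcpdump's old 68-byte default and once with the 65535-byte value recommended above, reports which records were cut short, and computes the file digests that would be recorded in the evidence log. The file names, timestamps and frame contents are all assumptions made for the example.

```python
import hashlib
import os
import struct
import tempfile

# libpcap file constants: little-endian magic number and the Ethernet link type.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def write_pcap(path, frames, snaplen):
    """Write (timestamp, frame) pairs to a libpcap file, keeping only the first
    snaplen bytes of each frame, exactly as a sniffer with that snapshot length would."""
    with open(path, "wb") as f:
        # Global header: magic, version 2.4, timezone offset, timestamp accuracy,
        # snapshot length, link type.
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, frame in frames:
            saved = frame[:snaplen]
            # Record header: ts_sec, ts_usec, incl_len (bytes saved in the file),
            # orig_len (bytes that were on the wire). A sniffer that truncates frames
            # leaves incl_len smaller than orig_len.
            f.write(struct.pack("<IIII", ts_sec, 0, len(saved), len(frame)))
            f.write(saved)


def read_pcap(path):
    """Return (snaplen, records); each record is (incl_len, orig_len, data)."""
    records = []
    with open(path, "rb") as f:
        magic, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("not a little-endian Ethernet libpcap file")
        while True:
            header = f.read(16)
            if len(header) < 16:
                break
            _sec, _usec, incl_len, orig_len = struct.unpack("<IIII", header)
            records.append((incl_len, orig_len, f.read(incl_len)))
    return snaplen, records


def truncated_records(path):
    """Indices of records whose saved bytes are fewer than the bytes seen on the wire."""
    _snaplen, records = read_pcap(path)
    return [i for i, (incl, orig, _data) in enumerate(records) if incl < orig]


def file_digests(path):
    """MD5 (as used in the chapter) and SHA-256 of the capture file for the evidence log."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sample_frames():
    """Constructed traffic: one 60-byte minimum-size Ethernet frame and one
    1514-byte full-size frame, using locally administered (made-up) MAC addresses."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    ethertype_ipv4 = b"\x08\x00"
    small = dst + src + ethertype_ipv4 + bytes(46)     # 60 bytes on the wire
    large = dst + src + ethertype_ipv4 + bytes(1500)   # 1514 bytes on the wire
    return [(986071443, small), (986071444, large)]    # constructed timestamps


def compare_snaplens(directory=None, snaplens=(68, 65535)):
    """Write the same frames with each snapshot length and report, per file,
    the (incl_len, orig_len) of every record, which records were truncated,
    and the MD5 to record alongside the capture."""
    directory = directory or tempfile.mkdtemp()
    report = {}
    for snaplen in snaplens:
        path = os.path.join(directory, f"case-example-snap{snaplen}.dmp")  # assumed name
        write_pcap(path, sample_frames(), snaplen)
        _snap, records = read_pcap(path)
        report[snaplen] = {
            "lengths": [(incl, orig) for incl, orig, _ in records],
            "truncated": truncated_records(path),
            "md5": file_digests(path)[0],
        }
    return report


if __name__ == "__main__":
    for snaplen, info in compare_snaplens().items():
        print(f"snaplen {snaplen}: lengths={info['lengths']} "
              f"truncated={info['truncated']} md5={info['md5']}")
```

With the 68-byte snapshot the full-size frame is stored as (68, 1514), so truncated_records flags it, while the 65535-byte capture keeps every byte. Running the same check over a real capture file before it is hashed and burned to disc is a cheap way to confirm that the sniffer was configured as intended; the SHA-256 is computed alongside the MD5 because current practice records a stronger digest as well.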

16.4.3 Other Sources of MAC Addresses

As noted earlier, ARP tables contain MAC addresses that can be useful in an investigation. Some organizations keep logs of ARP information on their network using tools like ARPwatch[7] to detect suspicious activities such as an individual reconfiguring a host with another IP address to misdirect investigators, or ARP table poisoning, a technique for sniffing on switched networks. If there are no such ARP logs, investigators might be able to obtain relevant IP-MAC address associations from the ARP table on a router using a command like show ip arp. Although every host on a network has an ARP cache, the ARP table on a router is the most useful because it contains the IP-MAC address associations for all of the hosts it communicated with recently. As discussed in the previous chapter, the collection of volatile data such as the ARP table can be documented by taking photographs or print screens, cutting and pasting the contents into a file, or using the logging capabilities of a program like Hyperterminal when connecting to routers and other network devices.

Some organizations maintain a list of authorized MAC addresses along with information about the system owners. This information is used for security purposes, making it more difficult for malicious individuals to connect a computer to the network. For instance, MAC addresses are used by the Dynamic Host Configuration Protocol (DHCP is discussed in the next chapter) to assign IP addresses to authorized computers on a network. If the MAC address is not registered with the DHCP server, it will not be automatically assigned an address. This is not foolproof from a security standpoint since the malicious individual could simply configure their computer with an IP address on the network. Therefore, some organizations take the added precaution of configuring their switches and 802.11 Access Points to only accept certain MAC addresses. Again, this is not foolproof since the malicious individual could reconfigure his/her computer with a recognized MAC address but each layer of security makes unauthorized activities more difficult.

These security measures can be useful from an investigative standpoint. If only a limited number of MAC addresses were permitted to connect to a given device, this can limit the suspect pool in an investigation to those authorized computers. Also, even if a DHCP server does not keep a permanent log of each request that it received, it does maintain a database of the most recent requests along with the associated MAC addresses and IP addresses. This DHCP database can be queried to determine the MAC address of the computer that was assigned a given IP address during a given period. For instance, the following DHCP lease shows that the computer with hardware address 00:e0:98:82:4c:6b was assigned IP address 192.168.43.12 starting at 20:44 on April 1, 2001 (the date format is "weekday yyyy/mm/dd hh:mm:ss" where 0 is Sunday):

    lease 192.168.43.12 {
      starts 0 2001/04/01 20:44:03;
      ends 1 2001/04/02 00:44:03;
      hardware ethernet 00:e0:98:82:4c:6b;
      uid 01:00:e0:98:82:4c:6b;
      client-hostname "oisin";
    }

The OUI "00e098" in this MAC address indicates the NIC is made by AboCom Systems, Inc., Taiwan, Republic of China, providing a useful class characteristic.

CASE EXAMPLE


An employee received a harassing e-mail message that was sent from a host on the employer's network with IP address 192.168.1.65. The DHCP server database indicated that this IP address was assigned to a computer with MAC address 00:00:48:5c:3a:6c at the time the message was sent. This MAC address was on the organization's list of MAC addresses but was associated with a printer that had been disconnected from the network. However, examining the router's ARP table revealed that the IP address 192.168.1.65 was being used by another computer with MAC address 00:30:65:4b:2a:5c. Although this MAC address was not on the organization's list, there were only a few Apple computers on the network and the culprit was soon found.

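The two lookups described above, reading the DHCP lease database to find which MAC address held an IP address at a given time, and cross-checking that answer against the router's ARP table as in the case example, can be scripted so that the same question is answered the same way for every address in a case. The following added example (not code from the book) parses a constructed dhcpd.leases excerpt whose first entry is the lease quoted above (the other two entries are made up, as is the "show ip arp" output with its locally administered MAC addresses), answers "who held this IP at this time", extracts the OUI prefix, and lists every IP whose current ARP entry differs from the DHCP lease holder. The OUI_VENDORS table is a one-entry placeholder for the IEEE registry, containing only the prefix the chapter names.

```python
import re
from datetime import datetime

# Constructed dhcpd.leases excerpt. The first entry is the lease quoted in the
# chapter; the other two are made up so that the lookup has something to choose between.
LEASES_TEXT = """\
lease 192.168.43.12 {
  starts 0 2001/04/01 20:44:03;
  ends 1 2001/04/02 00:44:03;
  hardware ethernet 00:e0:98:82:4c:6b;
  uid 01:00:e0:98:82:4c:6b;
  client-hostname "oisin";
}
lease 192.168.43.12 {
  starts 1 2001/04/02 01:10:00;
  ends 1 2001/04/02 05:10:00;
  hardware ethernet 02:00:00:00:00:aa;
  client-hostname "laptop7";
}
lease 192.168.43.20 {
  starts 0 2001/04/01 21:00:00;
  ends 1 2001/04/02 01:00:00;
  hardware ethernet 02:00:00:00:00:bb;
}
"""

# Constructed router ARP table in the layout of "show ip arp" (hardware addresses
# in the dotted four-digit groups that Cisco IOS prints). All addresses are made up.
ARP_TEXT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.43.1            -   0200.0000.0001  ARPA   FastEthernet0/0
Internet  192.168.43.12           3   0200.0000.00cc  ARPA   FastEthernet0/0
Internet  192.168.43.20          12   0200.0000.00bb  ARPA   FastEthernet0/0
"""

# Placeholder for the IEEE OUI registry; only the prefix named in the chapter is listed.
OUI_VENDORS = {"00e098": "AboCom Systems, Inc."}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
TIME_RE = re.compile(r"\b(starts|ends)\s+\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});")
HW_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})", re.M)


def parse_time(value):
    """dhcpd.leases timestamps are 'weekday yyyy/mm/dd hh:mm:ss' in UTC; the weekday is dropped."""
    return value if isinstance(value, datetime) else datetime.strptime(value, "%Y/%m/%d %H:%M:%S")


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff or Cisco aabb.ccdd.eeff and return lower-case colon form."""
    digits = raw.replace(":", "").replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text):
    leases = []
    for ip, body in LEASE_RE.findall(text):
        times = {name: parse_time(stamp) for name, stamp in TIME_RE.findall(body)}
        hw = HW_RE.search(body)
        if hw and "starts" in times and "ends" in times:
            leases.append({"ip": ip, "mac": normalize_mac(hw.group(1)),
                           "starts": times["starts"], "ends": times["ends"]})
    return leases


def mac_for_ip_at(leases, ip, when):
    """MAC addresses that held `ip` at time `when` (a datetime or 'yyyy/mm/dd hh:mm:ss')."""
    when = parse_time(when)
    return [l["mac"] for l in leases if l["ip"] == ip and l["starts"] <= when < l["ends"]]


def oui_vendor(mac):
    """The 24-bit OUI prefix of a MAC address and the vendor it maps to, if known."""
    prefix = normalize_mac(mac).replace(":", "")[:6]
    return prefix, OUI_VENDORS.get(prefix, "unknown")


def parse_arp(text):
    return {ip: normalize_mac(mac) for ip, mac in ARP_RE.findall(text)}


def dhcp_arp_mismatches(leases, arp, when):
    """IPs whose current ARP entry names a different MAC than the DHCP lease holder
    at `when`, the pattern in the chapter's case example. IPs with no lease are skipped."""
    found = []
    for ip, arp_mac in sorted(arp.items()):
        holders = mac_for_ip_at(leases, ip, when)
        if holders and arp_mac not in holders:
            found.append((ip, holders[0], arp_mac))
    return found


if __name__ == "__main__":
    leases = parse_leases(LEASES_TEXT)
    print(mac_for_ip_at(leases, "192.168.43.12", "2001/04/01 22:00:00"))
    print(oui_vendor("00:e0:98:82:4c:6b"))
    print(dhcp_arp_mismatches(leases, parse_arp(ARP_TEXT), "2001/04/01 22:00:00"))
```

Two details matter in practice and are handled above: a lease file normally holds several entries for the same IP address, so the query must be time-bounded rather than taking the last entry, and the ARP table is a snapshot of the present while the lease database is a history, so the comparison is only meaningful when the ARP table was captured at (or shortly after) the time of interest. Lease timestamps are in UTC, so the time being asked about must be converted before the comparison.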

[4]http://www.finisar.com

[5]http://www.netoptics.com

[6]http://www.tcpdump.org

[7]ftp://ftp.ee.lbl.gov




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279