17.2 Setting up a Network

To better understand how all of this fits together, imagine that Henrietta the Hacker wants to set up an Internet café. Henrietta purchases several computers, a wireless (802.11) access point, and a switch to connect them together using some networking technology (e.g. Ethernet). She also purchases a firewall to filter traffic between the café network and the Internet. However, she still has to connect her network to the global Internet.

The first step to getting on the map, as it were, is to obtain an IP address on the Internet. Henrietta could apply to a registry like the American Registry for Internet Numbers[11] for a Class C block of IP addresses, but it is more cost effective to select an Internet Service Provider that already has a block of IP addresses and will assign her one of them for a fee. One public IP address is sufficient because Henrietta can configure her café network using one of the private blocks of IP addresses mentioned earlier (e.g. 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.0.0, and 192.168.1.0-192.168.1.255). Most firewalls can perform Network Address Translation (NAT), enabling the network administrator to connect multiple hosts to the Internet via one public IP address. Henrietta's network is depicted in Figure 17.7.

Figure 17.7: Internet café with several kiosks, Ethernet ports for customer laptops, and a wireless access point connected together with an Ethernet switch and connected to an ISP's router by a firewall performing NAT.

Now, suppose that a customer, Keith the Thief, comes into the café with his laptop and connects to the Internet through Henrietta's network. When Keith requests any information from the Internet (e.g. a Web page), this information will first pass through Henrietta's ISP and firewall before going to his laptop. Similarly, any information that Keith sends out (e.g. e-mail) will pass through Henrietta's firewall and her ISP's router before reaching the Internet. There are two obvious implications of this arrangement.

First, Henrietta the Hacker could observe and keep a log of all of Keith the Thief's activities. Second, most things that Keith sends through the Internet will indicate that they originated from Henrietta's café, so someone could contact her in relation to his activities on the Internet.

Unfortunately, many NAT devices do not maintain logs of traffic that pass through them, making it more difficult to determine which computer was involved in a crime originating from this type of network. This is why more organizations are using Argus to maintain logs of network activities. Even when it is possible to determine which computer was used in an Internet café or public library, it can be difficult to associate an individual with the computer. However, it is not impossible as the following cases demonstrate:

CASE EXAMPLE

In 2000, Jeff Vijay, a man who was convicted in 1994 for stalking his ex-girlfriend and her new husband in Michigan, was accused of sending the same couple threatening e-mail messages from a public-access computer at a San Jose library where Vijay's mother worked. The threatening messages had a return e-mail address "<death4u@alumni.com>" and contained language similar to notes and voice mail messages attributed to the man in 1994, including the same threats and misspellings. During a preliminary hearing, a judge ruled that there was not enough evidence in the new case to prove that the suspect had been using the library computer at the time the threatening messages were sent. However, when the case went to trial, the jury quickly concluded that Vijay had sent the threatening e-mails and found Vijay guilty. (Romano, B. "Internet stalking charges dropped," San Jose Mercury News, Sunday, April 9, 2000.)

Also in 2000, a University of Iowa student admitted to sending a bomb threat via e-mail as well as several racist e-mail threats. The messages were tracked back to a computer in a campus building and a hidden camera was installed to determine who was sending the messages (Tribune 2000).

17.2.1 Static versus Dynamic IP Address Assignment

One decision that Henrietta had to make when requesting an IP address for her Internet café was whether to ask the ISP for a static or dynamic IP address. With a static IP address her network would always have the same IP address. One advantage of a static IP address is that it can be assigned a name of her choosing, such as "www.cafe-henrietta.com," enabling her to create a Web site for her Internet café.[12] If Henrietta did not need a static IP address, a less expensive alternative is to have her ISP assign her a different IP address periodically. This approach enables an ISP to reassign IP addresses to its customers whenever necessary to make more efficient use of them. This type of dynamic IP assignment has become the norm for many ISPs that provide Internet access to a large number of people. Additionally, within her own small network, Henrietta could use dynamic IP addresses to make it easier for customers to connect their laptops to her network.

Notably, this dynamic assignment can make it more difficult to determine who was using an IP address at a given time. Fortunately for investigators, ISPs often maintain a log of dynamic IP address assignments, listing who was assigned a particular IP address during a specific period.

CASE EXAMPLE

In an extortion case, the offender sent messages through Hotmail from an Internet café to ensure that the e-mail headers did not contain an IP address that could be connected to him. However, when investigators obtained logs from Hotmail they found that the blackmailer had established and accessed his Hotmail account through a dial-up account. They were able to trace the identity of the offender using information relating to the dial-up account obtained from the ISP.

Services like DynDNS[13] and No-IP[14] provide DNS service for dynamic IP addresses, enabling Henrietta to select a name like "cafe-henrietta.dyndns.org" and update the dynamic DNS record whenever her dynamic IP address changes. Criminals use dynamic DNS services to run illicit servers on dynamic IP addresses, enabling cohorts who know the name (e.g. "illicit.dyndns.org") to access the server while making it difficult for investigators who do not know the name to locate the server each time the dynamic IP address changes.

Notably, these dynamic DNS records are different from the names that an ISP gives their dynamic IP addresses in their DNS servers. For instance, the following DNS query shows the IP address 151.196.245.139 is assigned one name by DynDNS and another by the ISP (Verizon):

    C:\>nslookup cases.dyndns.org
    Name:    cases.dyndns.org
    Address: 151.196.245.139

    C:\>nslookup 151.196.245.139
    Name:    pool-151-196-245-139.balt.east.verizon.net
    Address: 151.196.245.139

This example also demonstrates that the names ISPs give some dynamic IP addresses embed abbreviations of cities and/or geographic regions, which can be helpful in determining a rough location for an IP address.
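The forward-and-reverse comparison above can be automated when an investigator has many addresses to review. The following is an added example, not code from the book: given an IP address and the name returned by a reverse lookup, it reports whether the name embeds the address (going beyond the book's single case by also recognising reversed and hexadecimal encodings that some ISPs use) and pulls out alphabetic labels such as "balt" and "east" that may hint at a location. The GENERIC_LABELS set and the assumption that the ISP's own domain is the last two labels are mine.

```python
import re
from typing import List, Optional

# Tokens ISPs commonly use in pool names; treated as non-geographic (my assumption, not the book's list).
GENERIC_LABELS = {"pool", "dyn", "dynamic", "static", "dsl", "adsl", "cable", "dhcp", "ip", "host", "res", "rev"}


def ptr_encoding(ip: str, ptr_name: str) -> Optional[str]:
    """How the reverse-DNS name embeds the queried IPv4 address: 'decimal' (octets in order,
    separated by '-' or '.'), 'decimal-reversed', 'hex' (eight hex digits), or None if absent."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("expected a dotted IPv4 address")
    name = ptr_name.lower().rstrip(".")

    def as_pattern(parts: List[str]) -> str:
        # octets must appear whole: no extra digit directly before or after the run
        return r"(?<!\d)" + r"[-.]".join(parts) + r"(?!\d)"

    if re.search(as_pattern(octets), name):
        return "decimal"
    if re.search(as_pattern(octets[::-1]), name):
        return "decimal-reversed"
    if "".join(f"{int(o):02x}" for o in octets) in name:
        return "hex"
    return None


def location_hints(ptr_name: str, domain_labels: int = 2) -> List[str]:
    """Alphabetic labels left of the ISP's registrable domain (assumed to be the last
    `domain_labels` labels), minus generic pool tokens: candidate city/region abbreviations."""
    labels = ptr_name.lower().rstrip(".").split(".")[:-domain_labels]
    return [lbl for lbl in labels if re.fullmatch(r"[a-z]+", lbl) and lbl not in GENERIC_LABELS]


def describe(ip: str, ptr_name: str) -> dict:
    """Combine both checks, mirroring the nslookup comparison in the text."""
    return {"ip": ip, "ptr": ptr_name, "embeds_ip": ptr_encoding(ip, ptr_name),
            "hints": location_hints(ptr_name)}
```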

17.2.2 Protocols for Assigning IP Addresses

Some networks use the Bootstrap Protocol (BOOTP) and others use the Dynamic Host Configuration Protocol (DHCP) for assigning IP addresses to all hosts, even ones with static IP addresses. These protocols are used to prevent computers from being configured with incorrect IP addresses. Sometimes computers are misconfigured accidentally, causing two computers to interfere with each other. Also, sometimes individuals purposefully assign their computers with someone else's IP address to hide their identity. Using BOOTP or DHCP prevents these situations from occurring by centrally administering IP addresses.

BOOTP and DHCP are quite similar - both require hosts to identify themselves (using their MAC addresses) before obtaining IP addresses. When a computer is booting up, it sends its MAC address to the BOOTP or DHCP server. If the server recognizes the MAC address it sends back an IP address and makes a note of the transaction in its log file. The server can be configured to assign a specific IP address to a specific MAC address, thus giving the effect of static IP addresses.

All of these acronyms can be confusing but the idea is simple. A central computer keeps track of which hosts are using which IP addresses. Under certain circumstances, the log files on these central BOOTP and DHCP servers will show the times a specific computer was connected to and disconnected from the network. This could be used to determine when a computer dialed into a network or when a host that is usually part of the network was turned on and turned off.
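As an added example, not code from the book, the following Python reads constructed ISC dhcpd-style syslog lines of the kind this section describes and answers the investigator's question from the café scenario: which MAC address (and client-supplied hostname) held a given private IP address at a given time. It treats a DHCPACK as the start of a lease, a DHCPRELEASE as its end, and a DHCPACK handing the same address to a different MAC as an implicit end; the log format, year and sample values are assumptions.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed ISC dhcpd-style syslog sample, not taken from the book; MACs and hostnames are made up.
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:02 cafe-fw dhcpd: DHCPACK on 192.168.1.23 to 00:11:22:33:44:55 (keith-laptop) via eth1
Mar  3 09:30:10 cafe-fw dhcpd: DHCPACK on 192.168.1.24 to 66:77:88:99:aa:bb (kiosk-1) via eth1
Mar  3 09:42:02 cafe-fw dhcpd: DHCPACK on 192.168.1.23 to 00:11:22:33:44:55 (keith-laptop) via eth1
Mar  3 10:45:30 cafe-fw dhcpd: DHCPRELEASE of 192.168.1.23 from 00:11:22:33:44:55 via eth1
Mar  3 11:02:15 cafe-fw dhcpd: DHCPACK on 192.168.1.24 to aa:bb:cc:dd:ee:ff (kiosk-2) via eth1
"""

STAMP = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: "
ACK_RE = re.compile(STAMP + r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \(([^)]*)\))? via")
REL_RE = re.compile(STAMP + r"DHCPRELEASE of (\S+) from ([0-9a-f:]{17})")

def parse_stamp(stamp: str, year: int) -> datetime:
    # syslog stamps carry no year, so the examiner supplies it from the log's context
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def parse_leases(log: str, year: int) -> List[dict]:
    """Build lease intervals per IP from DHCPACK/DHCPRELEASE lines. A DHCPACK of the same
    IP to the same MAC is a renewal; to a different MAC it implicitly ends the earlier lease."""
    leases: List[dict] = []
    open_by_ip: dict = {}
    for line in log.splitlines():
        if m := ACK_RE.match(line):
            start, ip, mac, host = parse_stamp(m.group(1), year), m.group(2), m.group(3), m.group(4)
            prev = open_by_ip.get(ip)
            if prev and prev["mac"] == mac:
                continue  # renewal of the lease already open
            if prev:
                prev["end"] = start  # address handed to a new client without a release
            open_by_ip[ip] = {"ip": ip, "mac": mac, "host": host, "start": start, "end": None}
            leases.append(open_by_ip[ip])
        elif m := REL_RE.match(line):
            end, ip, mac = parse_stamp(m.group(1), year), m.group(2), m.group(3)
            prev = open_by_ip.get(ip)
            if prev and prev["mac"] == mac:
                prev["end"] = end
                del open_by_ip[ip]
    return leases

def who_had_ip(log: str, ip: str, at: datetime, year: int) -> Optional[Tuple[str, Optional[str]]]:
    """Return (MAC, hostname) of the client holding `ip` at time `at`, or None if no lease covers it."""
    for lease in parse_leases(log, year):
        if lease["ip"] == ip and lease["start"] <= at and (lease["end"] is None or at < lease["end"]):
            return lease["mac"], lease["host"]
    return None
```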

[11]http://www.arin.net/registration/index.html

[12]This type of domain name can be obtained through registrars like Network Solutions (http://www.networksolutions.com). Once a domain name has been registered, any ISP can enter it into their DNS servers to associate the name with an IP address on their network.

[13]http://www.dyndns.org

[14]http://www.no-ip.com




Digital Evidence and Computer Crime
Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net