The theory and practice of Network Forensics
1. Analysis background
Network forensics uses technical means to extract electronic evidence, such as the logs left behind in multiple data sources during a cybercrime, and to form an evidence chain. Investigating, analysing and identifying cybercrime on the basis of that evidence chain is one of the effective ways to address network security problems. At present, traditional computer forensics models and methods are relatively mature; in the era of big data, we need an integrated analysis platform such as OSSIM to perform network forensics analysis over massive volumes of data.
2. Characteristics of forensic analysis
Network forensics differs from traditional computer forensics. It focuses mainly on network facilities, network data flows, and the detection, arrangement, collection and analysis of network data in the electronic terminals that use network services, and it mainly targets Internet crime that *** network services (Web services, etc.). Computer forensics is a typical after-the-fact discipline: only after the event can the relevant computer or electronic equipment be targeted for investigation and evidence collection. Network forensics belongs to forensics before or during the event: before the *** behaviour takes place, network forensics technology can monitor and evaluate abnormal data flows and illegal access.
Because electronic evidence in network forensics is diverse, easily destroyed, and has other such characteristics, several issues must be considered in the forensics process:
(1) Collect evidence promptly according to a definite plan and sequence of steps, to prevent electronic evidence from being altered or destroyed. Network forensics targets electronic data in multiple network data sources; such data can be overwritten or affected by new data, and it changes very easily with changes in the network environment, human damage and other factors. This requires the forensics personnel to collect evidence quickly, in order of data-source volatility, from the least stable sources to the most stable.
(2) Do not collect data directly on the network or disk under examination. According to Locard's exchange principle, when two objects come into contact, material is exchanged or transferred between them. The more interactions there are between forensics personnel and the equipment being examined (such as establishing a network connection), and the more frequent they are, the more likely the system is to change and the more likely electronic evidence is to be altered or overwritten. This requires that forensics personnel do not change the target machine or target network environment at will during forensics, and that they make the relevant backups first.
(3) The forensics tools used must be standardised and certified. Network forensics can be aided by the OSSIM security analysis platform. Because industries differ in their level of development, there is no uniform industry standard, which has some impact on the credibility of forensics results. This requires forensic personnel to use standard forensic tools; the assorted gadgets downloaded from all over the Internet are not convincing.
The key point of network forensics is the generation of the evidence chain. The process is generally hierarchical or object-based, and can usually be divided into the stages of evidence identification, collection, preservation, analysis and reporting. Once each phase is complete, it provides information for the next phase, and the results obtained in the next stage in turn provide evidence for the collection done in the previous stage. Every stage of network forensics is interrelated, so the information must be correlated, which is mainly implemented by the correlation analysis engine.
3. Data sources of network evidence
The objects of network forensics are the multiple network data sources that may record data left behind during a network crime. Whether people use a Web service, a cloud service or a social network service, the sources need to include the service provider (such as the cloud server), the client (PC, mobile phone and other smart terminal devices) and the network data flow.
When collecting evidence over the Internet, the first question is to determine what kind of data to capture. Following the method of computer forensics, in order to construct the evidence chain accurately, all data in the network environment needs to be captured (implemented through a SPAN port).
4. Network evidence analysis
The beginning of the evidence chain in network forensics is the illegal access data recorded by the *** website. Because crimes against network services are often based on stealing the privileges of the network service administrator, the first step when conducting network forensics is to investigate user privileges and access points.
The forensic examiner can enter the application's management module to investigate suspicious records of user accounts: for example, whether an administrator account has been logged into with a universal password, whether there are failed login records for the management account or suspicious file records in the back end, whether a user has loaded an abnormal script such as an XSS (cross-site scripting) script, and boundary data monitoring of user activities such as file upload and download. During evidence collection, the suspicious behaviour reflected in the electronic evidence is analysed to infer the criminal's *** methods and related information, which then guides the next evidence collection activity.
After suspicious user records are found, collect all access records for that user's access point, including the privileges of the authenticated user and the corresponding session management, and log all sessions for that user ID. For records of suspicious behaviour, take screenshots, record the screen, and solidify the evidence into forensics equipment by storage and similar means; then compute a hash of the data to obtain a message digest and save it in the baseline database. Before evidence analysis, compute the hash of the evidence to be analysed again and compare the two results: if they are the same, data integrity has not been damaged. After the user and session ID have been analysed and matched, they are used as the instruction to collect the records of that user and all of the session information from the logs of the web server and application server.
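The baseline-and-recheck step described above, as an added example that is not part of the original article: digests are recorded at collection time and recomputed before analysis, with the evidence items, file names and the tampering step all constructed here for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample evidence items (a solidified screenshot and a session log).
SAMPLE_EVIDENCE = {
    "session_4711_screenshot.png": b"\x89PNG placeholder bytes for the example",
    "session_4711_access.log": b"2024-03-12 10:01:09 user=admin src=203.0.113.5 POST /admin/login.php 200\n",
}

def digest_file(path, algorithm="sha256"):
    """Hash a file in chunks so large captures need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(evidence_dir, algorithm="sha256"):
    """Record every item's digest at collection time (the 'baseline database' entry)."""
    return {p.name: digest_file(p, algorithm)
            for p in sorted(Path(evidence_dir).iterdir()) if p.is_file()}

def verify_integrity(evidence_dir, baseline, algorithm="sha256"):
    """Recompute each digest before analysis and compare with the baseline.
    Returns {item name: 'ok' | 'modified' | 'missing'}."""
    report = {}
    for name, expected in baseline.items():
        p = Path(evidence_dir) / name
        if not p.is_file():
            report[name] = "missing"
        else:
            report[name] = "ok" if digest_file(p, algorithm) == expected else "modified"
    return report

def demo():
    """Write the constructed items, baseline them, alter one of them, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLE_EVIDENCE.items():
            Path(tmp, name).write_bytes(data)
        baseline = build_baseline(tmp)
        # Simulate a later alteration: a line appended to the log after collection.
        with open(Path(tmp, "session_4711_access.log"), "ab") as f:
            f.write(b"2024-03-12 10:05:00 user=admin src=203.0.113.5 GET /admin 200\n")
        return verify_integrity(tmp, baseline)
```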
If the suspect has already *** the back-end application management module and deleted the suspicious session information so that it cannot be obtained, the main body of evidence collection becomes the collection and analysis of suspicious access logs. Suspicious access includes records of abnormal access frequency, error-handling records, log audit reports, website redirections, administrator monitoring alerts, crawler records of site information collection, hidden form fields, and so on.
The biggest difficulty in collecting and analysing log information lies in how to retrieve the required information from the huge volume of website data. Network forensics technology mainly adopts two approaches: log reduction and manual screening. Log reduction mainly uses crime-related information, such as the time at which the crime occurred, as the criteria for filtering the logs. In addition, the traces left by specific *** methods can be searched for. When a system vulnerability was announced around the time of the ***, or when a particular *** technique was in fashion at that time, this kind of targeted investigation achieves better results.
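Log reduction by time window followed by screening aids for the manual pass, as an added example that is not from the original article: the combined-format log lines, client addresses and paths are constructed, and the screening criteria (failed admin logins per client, upload handlers, command-like query parameters) are illustrative choices, not a standard rule set.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed combined-format web server log lines (not from any real site).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:09:58:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:03 +0000] "POST /admin/login.php HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:05 +0000] "POST /admin/login.php HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:09 +0000] "POST /admin/login.php HTTP/1.1" 200 844 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:02:41 +0000] "POST /admin/upload.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:11:30:00 +0000] "GET /images/cache.php?cmd=id HTTP/1.1" 200 64 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def reduce_log(text, start_iso, end_iso):
    """Log reduction: keep only records inside the incident's time window (ISO 8601 bounds)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    recs = (parse_line(line) for line in text.splitlines())
    return [r for r in recs if r and start <= r["ts"] <= end]

def screen(records):
    """Screening aids for the manual pass: failed admin logins per client (access
    frequency) and requests touching upload handlers or carrying command-like parameters."""
    failed = Counter(r["ip"] for r in records
                     if r["path"].startswith("/admin/") and r["status"] in (401, 403))
    notable = [(r["ip"], r["path"]) for r in records
               if "upload" in r["path"] or re.search(r"[?&]cmd=", r["path"])]
    return {"failed_admin_logins": dict(failed), "notable_requests": notable}
```

Narrowing the window to the minutes around the suspicious login keeps the analyst's attention on the burst of failed logins and the upload that followed; widening it again surfaces the later request outside the window.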
The analysis of website logs is the main application of forensics on the web server. In addition, forensics can use other technologies as auxiliary means to help complete the evidence chain.
5. Forensics for network data flows
Network forensics needs to monitor network environment information and network flows, and to capture and analyse data packets. Information on the network environment mainly relies on the IDS and similar tools in the OSSIM system. This series of tools can be used for network information collection and network security monitoring, IP/MAC address analysis and location, monitoring of TCP/UDP ports and DHCP lists, SMTP activity records, and so on. For network packet capture, the technologies used include the Libpcap library, the PF_RING interface, and direct use of system calls.
In the captured network flow, packets appear in the order in which they were transmitted over the network. Network forensics tools can reassemble these packets, organising them into transport-layer connections between two network endpoints. Although many forensics tools can analyse the raw data without reassembly, doing so loses protocols running on non-standard ports and cannot cope with the interference of data encoding and encrypted transmission.
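The reassembly step described above, as an added example that is not from the original article or from any of the tools it names: segments are grouped into bidirectional connections, each direction's byte stream is rebuilt by sequence number (discarding retransmissions and counting gaps), and the application protocol is identified from content rather than port number. The segment tuples, addresses and payloads are constructed; a real capture would be read through a libpcap binding and its TCP headers decoded first.

```python
from collections import defaultdict

# Constructed capture summary: (timestamp, src, sport, dst, dport, seq, payload); out of order, one retransmitted.
SAMPLE_SEGMENTS = [
    (1.000, "10.0.0.5", 40001, "192.0.2.10", 8081, 100, b"GET /pa"),
    (1.004, "10.0.0.5", 40001, "192.0.2.10", 8081, 114, b" HTTP/1.1\r\n"),
    (1.002, "10.0.0.5", 40001, "192.0.2.10", 8081, 107, b"nel.php"),
    (1.005, "10.0.0.5", 40001, "192.0.2.10", 8081, 107, b"nel.php"),   # retransmission
    (1.010, "192.0.2.10", 8081, "10.0.0.5", 40001, 500, b"HTTP/1.1 200 OK\r\n"),
    (1.020, "10.0.0.7", 50123, "192.0.2.10", 25, 1, b"EHLO mail.example\r\n"),
]

def flow_key(src, sport, dst, dport):
    """Canonical bidirectional key so both directions of one connection group together."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def guess_protocol(data):
    """Identify the application protocol from content, not from the port number."""
    if data.startswith((b"GET ", b"POST ", b"HTTP/")):
        return "http"
    if data.startswith((b"EHLO", b"HELO", b"220 ")):
        return "smtp"
    return "unknown"

def reassemble(segments):
    """Group segments into connections and rebuild each direction's stream by sequence number."""
    flows = defaultdict(lambda: defaultdict(list))
    for _ts, src, sport, dst, dport, seq, payload in segments:
        flows[flow_key(src, sport, dst, dport)][(src, sport, dst, dport)].append((seq, payload))
    out = {}
    for key, directions in flows.items():
        out[key] = {}
        for direction, segs in directions.items():
            stream, expected, gaps = bytearray(), None, 0
            for seq, payload in sorted(segs):
                end = seq + len(payload)
                if expected is None:
                    expected = seq
                if end <= expected:
                    continue                            # fully retransmitted, skip
                if seq < expected:
                    payload = payload[expected - seq:]  # overlapping prefix
                elif seq > expected:
                    gaps += 1                           # missing segment before this one
                stream += payload
                expected = end
            out[key][direction] = {"data": bytes(stream), "gaps": gaps, "protocol": guess_protocol(bytes(stream))}
    return out
```

The HTTP request on port 8081 is recognised as HTTP only because the stream was rebuilt and inspected; a port-based view would have filed it under an unknown service.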
Correlation analysis is studied in network forensics mainly because network *** behaviour is often distributed and volatile. Identifying the results therefore requires combining the data obtained from the various evidence collection facilities and techniques and performing correlation analysis, so as to understand the correlations, causal relationships and mutual corroboration among the results and to reconstruct the process.
It is obviously unrealistic to analyse this situation completely by hand, so the open source OSSIM platform can be used. In this way one faces multi-dimensional, wide-perspective data analysis using correlation across multiple data dimensions. For example, if the firewall detects that a file with abnormal business logic has been uploaded to the host and, at the same time, the HIDS detects that an abnormal business CGI has been generated, it is very likely that a *** user is using a file upload vulnerability to upload a suspicious Webshell (with Snort responsible for the analysis). Taking the above detection rule as a given rule, a rule model is built, a rule pattern set is formed, and the evidence set is then analysed against it.
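The firewall-plus-HIDS rule above expressed as data and evaluated over an evidence set, as an added example that is not from the original article and is a stand-alone stand-in for, not a reproduction of, OSSIM's own correlation directives. The event records, host names, file paths and the 60-second window are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # sensor that produced it: "firewall", "hids", ...
    host: str     # asset the event concerns
    kind: str     # normalised event type
    detail: str

# Constructed normalised events from two sensors (not real sensor output).
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 12, 10, 2, 41), "firewall", "web01", "upload_anomaly", "POST /admin/upload.php 38 KB"),
    Event(datetime(2024, 3, 12, 10, 2, 50), "hids", "web01", "new_cgi_file", "/var/www/html/images/cache.php"),
    Event(datetime(2024, 3, 12, 10, 3, 5), "hids", "web02", "new_cgi_file", "/var/www/html/tmp/x.php"),
    Event(datetime(2024, 3, 12, 14, 0, 0), "firewall", "web02", "upload_anomaly", "POST /upload 2 KB"),
]

@dataclass(frozen=True)
class Rule:
    name: str
    trigger: tuple      # (source, kind) of the first event
    followup: tuple     # (source, kind) that must follow on the same host
    window: timedelta   # maximum time between the two events
    verdict: str

# Rule pattern set: the article's firewall + HIDS rule, written as data.
RULES = [
    Rule("webshell-upload", ("firewall", "upload_anomaly"), ("hids", "new_cgi_file"),
         timedelta(seconds=60), "likely webshell upload through a file upload vulnerability"),
]

def correlate(events, rules):
    """Evaluate every rule over the evidence set; returns one alert dict per matched pair."""
    evs = sorted(events, key=lambda e: e.ts)
    alerts = []
    for rule in rules:
        for i, first in enumerate(evs):
            if (first.source, first.kind) != rule.trigger:
                continue
            for later in evs[i + 1:]:
                if later.ts - first.ts > rule.window:
                    break                       # events are time-sorted: nothing later can match
                if later.host == first.host and (later.source, later.kind) == rule.followup:
                    alerts.append({"rule": rule.name, "host": first.host, "verdict": rule.verdict,
                                   "evidence": [first.detail, later.detail]})
                    break
    return alerts
```

Only web01 produces an alert: its HIDS event follows the firewall event within the window, whereas on web02 the new-file event precedes the upload event and lies far outside it.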
6. Evidence collection cases
To help readers understand the various network forensics methods, the author's book Unix/Linux Network Log Analysis and Traffic Monitoring, based on more than ten years of Unix/Linux operations and maintenance experience, illustrates twenty-one common network faults. Each case provides the complete background of the fault, its occurrence, its development and the final troubleshooting process. Its purpose is to maintain network security and to use open source tools flexibly to solve all kinds of complex faults in actual operations and maintenance work.
Here are some of the more interesting cases:
Case 1: The cause of a Flash segmentation fault
Case 2: Who moved my film
Case 3: Encountering a DNS fault
Case 4: A website hit by a DoS ***
This case describes how, after a website suffered a denial-of-service ***, administrator Xiao Yang compared the firewall's normal and abnormal log states, combined this with data from the existing traffic monitoring system, traced the disguised IP addresses, and actively defended against the DDoS *** through various means.
Case 5: The "embarrassed" firewall
Administrator Xiaojie found during a routine inspection that the firewall had failed. Deeper investigation revealed that the firewall's free space had dropped to zero. By comparing a large number of router and firewall logs, the conclusion was reached that this was caused by a network *** launched by a ***. What happened to the network Xiaojie managed, and how did such a *** succeed?
Case 6: Containing a Solaris back door
Administrator Zhang Li discovered that more than one inetd process was running at the same time on a UNIX system. This alerted him, and in the subsequent investigation and evidence collection a large number of failed login records were found. What was wrong with the system?
Case 7: Encountering an overflow ***
Case 8: True and false root accounts
Case 9: Taking the pulse of a rootkit
Case 10: When a web page is tampered with
Case 11: A UNIX bug-hunting record
Case 12: The leaked layoff list
Case 13: A back-end database hit by SQL injection
Case 14: SQL injection for ordinary programmers
Case 15: Fixing an SSH server vulnerability
Case 16: An innocent "springboard"
Case 17: An IDS system hit by IP fragment ***
Case 18: Outwitting the unexpected
Case 19: A wireless network that suffered ***
Case 20: An "uninvited guest" at a wireless venue
Case 21: The "mysterious" encrypted fingerprint
Because of space limitations we will not elaborate on each one; readers can find the details in the book at Xinhua Bookstore or in the library.
7. Epilogue
At present, network forensics technology does not yet have a unified and relatively complete network forensics process, which leads to the lack of unified evidence collection tools and corresponding evaluation indicators. But through years of research, development and application of the OSSIM system, it has been found that this system can solve some of the problems in network security forensics.