Network Forensics: The Tree in the Forest

Security professionals are often tasked with the unenviable position of wading through millions of bits of data, the review of thousands of systems, or the evaluation of hundreds of applications.  At the end of the day it is their job to provide the ten thousand foot view of an organization and the highest rated findings that put it at risk.  Information overload is a common theme in today’s society, and management requires the presentation of this material in a digestible manner of typically one page or less.  The ability to provide this service requires what is often referred to as “seeing the forest for the trees.”  In other words, don’t get distracted or bogged down by the minutiae of your discoveries at the risk of overlooking the big picture.

When it comes to computer forensics, however, the tables are flipped.  When an event turns into an incident and management must answer to a board or the company’s shareholders, the ten thousand foot level is no longer adequate.  At this point, every packet that ever crossed your company’s domain becomes suspect, and expectations are set whereby the answers to the questions such as, how did it happen, what damage did it do, where did it come from, when exactly did it occur, and who did it, requires the puzzle to be unraveled and presented in such excruciating detail it would make Melville  take up skim-reading.

Network Forensics:  What are we talking about?

Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer data and has its roots in data recovery.  One of my peers recently wrote an article providing a good introductory explanation of computer forensics in his review of a SANS course.   This article dealt primarily with what we term system or file system forensics.  In this discipline, the investigative methodology is employed against a specific file system or operating system.  Analysis is used to identify one of three things:

1. Inculpatory Evidence – That which supports a given theory
2. Exculpatory Evidence – That which contradicts a given theory
3. Evidence of Tampering – That which cannot be related to any theory, but shows that someone tampered with a given system to avoid identification.

The goal of network forensics is the same as above, but it is rooted in network security and intrusion detection. Typically these investigations deal with a much broader range of systems, i.e. an enterprise.  Network forensics grew out of the investigation of cyber attacks, often stemming from malware investigations.  Because this type of investigation deals with the transfer and change of data in real-time, the challenge then becomes how to contain and eradicate the intrusion while still preserving evidence for later use. 

When looking at the descriptions above, you will quickly realize one of the major problems I’ve had with computer forensics in general in the past… it’s reactionary in nature.  The stress during any investigation is extremely high, but when you couple that with the fact that you are already a step behind before you even start, it can often become overwhelming.  The other major problem with computer forensics is the actual trigger that kicks off that reactionary response.  Whether you call it identification or detection, there has to be something in place that triggers the investigation in the first place.  Over the years I’ve seen event notification only get better and better with the implementation of firewalls, intrusion detection/prevention systems, data leak protection, end-point management, and outsourced security monitoring services.  These implementations have provided organizations with the triggers they’ve needed to respond accordingly to incidents, or at least start them down the path toward documenting or outlining an incident response plan.  Unfortunately, if you ask any CIO or CISO what they’re greatest fears are with respect to their information assets, 9 in 10 will likely respond with, “I’m worried about the incidents I don’t even know about, the ones that haven’t been identified by all of the security mechanisms I have in place.”

Moving from Reactive to Proactive

One of the standard recommendations I’ve made to clients over the years has been to implement egress filtering.  It is an easy statement to make, but I’ll be the first to admit that I never really followed up on what it entailed or the level of effort that went into bringing it to fruition.  Forced to think about this a little more, I still believe the recommendation is good, and, for the basis of this article, I think it is also the first step in becoming proactive to threats that exist within your environment.  What this step does is put you in the right mindset for embracing network forensics.  While all of the security mechanisms I mentioned above are great at logging and alerting, unless they can trigger on our biggest concern, they are really only relevant for auditing purposes.  So what is the biggest concern?  The answer is data extraction.  Don’t get me wrong, I don’t want an intrusion to happen in the first place, but going back to the fears of those C-level managers mentioned above, data extraction is top of the list.

With the advances in toolsets and processes deployed in network forensics, we finally have the ability to move from that reactive nature of waiting for security alerts and notifications to a proactive search for anomalies across our environment.  These processes address not only the C-level management fears above, but provide mechanisms for identifying data extraction.  Let’s look at an example  and determine some common things to search for when beginning this process.  For the following example I’m going to use Wireshark as my tool of choice.  Again, this is a good way to get started with network forensics.  Your goal should be able to sniff and analyze packets on the fly, but the best approach is to begin with packet capture files or PCAPs.  Keep in mind that this article isn’t about how to use Wireshark.  If you want additional information you will have to perform additional research on your own.

First we open a PCAP file in Wireshark:

A good place to start looking at your network is DNS.  There are a couple of reasons for this, but typically it deals with the patterns seen when dealing with intrusions, malware, command and control situations, and simple business practice and locations.  For instance, is there any reason a system on your network should be querying China?  For this particular case you can filter for DNS within Wireshark very easily:

As you see from this capture the DNS query is for Singapore.  Right away the hair on the back of my neck starts to rise, but I need to keep looking just to make sure I’m not crying wolf.  It looks like webmail traffic which uses the HTTP protocol, so let’s take a look at that:

When performing forensics just remember that coincidences are unlikely.  Here we have an HTTP “GET” for the same host that showed up in our DNS query, but the real kicker is the User-Agent identified within the header.  I don’t know about you, but I’ve never seen a “Windows+NT+5.1” user-agent.  If this was coming into my network I might not be all that concerned as many attackers attempt to obfuscate their User-Agent in order to see what type of response they’ll get.  But, this is an outbound connection from a system on my network performing these odd requests.  To dig a little further, let’s follow that TCP stream within Wireshark. 

This may not be all that apparent, but you should be able to see that this looks like some sort of script based on the “./”.  There is very little additional information you can glean from this stream even if you were to scroll down. In instances like this it might take more analysis and research on your part.  However, with that additional research you would be able to determine the response uses a “==” at the end of the string which signifies a Base64 encoding is taking place.  Third time is a charm; we now have proof of obfuscation during what would appear to be a normal HTTP session. 

The great thing about this exercise is that by spending a limited amount of time capturing normal traffic on our network, we were able to perform a proactive search for threats against our organization and identify those threats C-level management is concerned about most.  It is very unlikely that you would have received an alert about this particular event, because it looks like normal outbound HTTP traffic.  How many of us are configuring our firewalls and intrusion detection systems to block or alert on something like this?  Of course, Wireshark isn’t the only tool in our arsenal, and there are many others that help you limit the amount of time you spend on exercises like this.  In addition, there are commercial tools out there that provide an extremely powerful, but easy to use graphical interface that can make this job even easier.  The following screenshot shows one of those commercial tools, RSA NetWitness Investigator (there is also a freeware version of Investigator), in action as it filters down and shows a “blackhole exploitation” incident.  Make note of the File Hashes that have been generated in the event this investigation makes it way to court. 

Where to Begin

The following is a brief list of common places in which to begin your own research or investigation:

• The first place to check when performing proactive steps is your local host file.  This is the first place your system will query for a name server to connect to the Internet.
• Review “Users<usernameAppData” within Windows 7.  This is a common container for malware.
• Review sub-domains for things that just don’t appear to be legitimate.
• Pay special attention to DNS.  Determine whether the associated IP address stays consistent
• When performing filters export information for further triage, i.e. within Wireshark you can use File -> Export Objects -> HTTP.  This will  allow you to see what was downloaded and exported.
• Become familiar with common filtering options.  Example: “tcp contains “GET””
• Separate your investigation into manageable pieces.  For example, when you have separate systems or computers, you want to look at each computer separately. Example: ip.addr==172.16.255.2
• Save your filters to make the job easier.  Within Wireshark go to File -> Export Specified Packets.
• Understand common issues, e.g. whenever you see repeated POSTs, you likely have a problem. Example: tcp contains “POST”

Conclusion

This article is by no means an exhaustive “How To” Guide on network forensics and really only scratches the surface.  However, I hope that security professionals and network administrators alike see the benefit of adding just a small amount of time to their day to begin to become more proactive toward eliminating threats within their environment.  At the beginning of this article I alluded to the adage of “seeing the forest for the trees.”  However, I hope what I’ve just shown through the employment of a proper scientific methodology and the right mindset, you can utilize network forensics in a proactive manner that allows you to “find the tree within the forest.”

How to Set Up Wireless Networking With Ubuntu on a G4 PowerBook

Today I’m going to explain how to set up wireless networking on G4 PowerBook running Ubuntu. It’s an oddly specific post that will probably help around two people a year, but since I had to do it recently I figured I would share my process that I use getting this thing working. There’s a lot of mixed instructions on the internet, but many of them don’t work. Also there are several ways to do it, this way is the simplest and easiest way I know of.

This may not work for everyone!

I should say right off that this may not work for everyone. There is a variety of hardware combinations in these old PowerBooks, and it seems like no two are the same. I made notes and did some trial and error a couple years ago on setting this up and that’s where this comes from, but if you have trouble feel free to contact me I’ll try to help.

Also, I’m using Ubuntu Linux 10.04 so instructions will vary with different versions of Linux. I noticed it is easier to set up in 10.04 and new versions of Ubuntu.

Step 1: Find out what kind of card you have

The majority of the cards that come in Apple Powerbooks are Broadcom 4xxx chipsets. To find out which one you have, open a terminal and type in

sudo lspci -vnn -d 14e4:

My machine looks like this:

From this I can see my chip is a BCM 4306 and My PCI ID is 14e4:4320 which a fairly common b43legacy device. Look up your PCI ID on this table on Kernel.org to see what type of driver you need to use.

To install this, I’ll need to extract the firmware from a Windows driver. I’ll use b43-fwcutter for this purpose:

sudo apt-get install b43-fwcutter

During the installation you’ll see the following screen:

Select “Yes” and the script will download and extract your firmware.

Now go to

System > Administration > Hardware/Additional Drivers

And you’ll see the following:

Restart your computer.

Once you reboot, you will that there are a couple arrows at the top right corner of the screen (Ubuntu 10.04) and once you click on it, it will drop down your menu:

From there you want to either click on your network if you see it, or click to connect to hidden wireless network.

Once you select your network you’ll see the following screen:

Enter your information and you’re ready to go! It’s that easy.

Summary

It’s definitely a bit more difficult with other cards and operating systems, but out of the 3 Ubuntu G4s I’ve set up like this they both used this process. In Yellow Dog I had to install a few apps and build a shell script on startup to accomplish this same task. Fun Stuff!

If you have an questions, leave them in the comments and I’ll attempt to help out.

More info on driver installation options for Ubuntu

How to Install a Wireless USB Network Card on Raspberry Pi

I’m going to show you how to install a wireless networking card on your Raspberry Pi. I’m using the ultra cheap Ralink wireless card, but the instructions are similar for any Wireless Device.

Update Your System

For this tutorial I’m using Raspian. This is a great beginner OS for the Pi and quite easy to use.

You’ll want to make sure you’re at least wired in so you can do an update:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get autoremove

Get Started

We’re going to do this from SSH, though it’s easier to do from the desktop. But you got a Raspberry Pi to learn didn’t you? Many people use their pi strictly over SSH and don’t run a desktop at all. I have decided to include those kinds of instructions rather than do it the graphical way.

1. Plug in your USB device and find it

Once plugged in, again we’ll look at our USB devices:

lsusb

It looks like in my case it’s installed, so now we’ll make a copy of the WPA supplicant file:

sudo cp /etc/wpa_supplicant/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant.conf.bak

Now open up the file:

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

And add the following:

network={
    ssid="[YOUR NETWORK SSID]"
    psk="[YOUR NETWORK PASSWORD]"
}

It should look like this:

Now, save the file. CTRL + X - Save “Y”

Start up Your Adapter

Now we need to stop the wlan service:

sudo wpa_action wlan0 stop

Then bring it back up:

sudo ifup wlan0

Test Connectivity

sudo wpa_cli status

You should see something like this:

If not, double check your network SSID and Password, that’s the most common problem. You may have a card that isn’t supported by the Raspberry Pi, if not get a new one! They’re super cheap and well worth it.

(Optional) - If You End up Needing a Driver

Sometimes there are issues that prevent you from loading the drivers for your card. Much of the firmware comes with raspian, but if not you’ll have to find the drivers for it. You’ll need a Windows machine to get the drivers you’ll need (at least for Ralink).

Insert the device and run the driver disk provided. Then after successfully installing it, open up your control panel, and select the properties of the device:

Click on “driver details”

This will show you the location of the driver files to copy off the machine, you can put them on a USB stick and put them on your Pi from there.

Get The Drivers off the USB Stick The Hard Way

I put the driver files on a USB stick. Getting them from the desktop is really easy, but what if you only have SSH access? Don’t fret. With Raspian it should automount just fine, you only need to find it.

Run the following command to list your USB devices:

lsusb

Now, you want to see all the disks that are attached to your system:

sudo fdisk -l

As you can see in my case, my USB stick is mounted at /dev/sda1 so the device is connected to my pi. But where is it?

mount

There it is! Under /media/MYLINUXLIVE but that probably won’t be your folder, it will show the drive label you gave it when you formatted it. (I happen to use and love the LinuxLive program whenever I can).

Now I can just look for the drivers on the disk and copy them to a folder in my home directory:

cd ~
mkdir usbdriver
cp -r /media/MYLINUXLIVE/driver/* usbdriver/

Now the files are copied, safely unmount the drive:

sudo udisks --unmount /dev/sda1
sudo udisks --detach /dev/sda

Now you’ll have the drivers you need, but keep in mind the device may not be supported at all.

Conclusion

I hope this has helped to show you how to install a wireless USB card on the Raspberry Pi. Raspian has a lot of firmware already built in and a lot of USB Wifi adapters are supported right out of the box. Wpa_supplicant makes things really easy. I decided to show how to do it from the prompt for those who want to learn more about the prompt, or install from SSH.

The Raspberry Pi is all about learning so I encourage you to experiment with this stuff as much as possible. The worst that will happen is you’ll need to reinstall the OS. Remember, you’re learning Linux at the same time which opens a lot of doors for your projects. Enjoy!