Dec 18, 2020

Week 12

Forum Based Learning: Malware in network analysis

Malware is short for malicious software. It is software made to cause damage to, or steal valuable information from, a computer system or a server.

There are many ways to identify malware using network forensics methodology. One is a SIEM (security information and event management) system. This approach combines the functions of two earlier ones, security information management (SIM) and security event management (SEM), into a single security management system.

Examples of malware:

First example: worms. A worm is a self-replicating type of malware, so worms spread very quickly. Worms can make other programs and files do dangerous things. For example, if one person opens an email carrying a worm, the whole organisation can be infected. There are many ways to deal with this problem and prevent worms, such as virus removal tools.

Second example: viruses. A computer virus modifies host files and attaches itself to them, so when the file is executed, the virus executes too. Because a virus attaches itself to other files, it is difficult to remove. Many antivirus programs have trouble detecting these viruses; when one is found, the antivirus ends up blocking the file from executing or suggesting that the infected file be deleted.

Written by kks101 in: Network Forensics
Dec 11, 2020

Week 11

A web proxy acts as a gateway between users and the internet. It offers a high level of privacy, since it can provide an anonymising service. A web proxy can also be used for content filtering and caching.

There are three types of web proxy: tunneling, forward, and reverse.

Tunneling proxy: uses an SSH, HTTPS, or VPN tunnel to evade outbound filtering or conceal activity. The data transferred through it is encrypted.

Forward proxy: processes all outbound web requests from internal servers. It supports content inspection, filtering, and caching.

Reverse proxy: the opposite of a forward proxy. It hides the identities of the servers behind it. It is used for caching static content, content compression, and load balancing, which distributes the load across servers.

Written by kks101 in: Network Forensics
Dec 04, 2020

Week 10

  • Some examples of storage media include ROM, DRAM, hard drives, and NVRAM.
  • Switches can map MAC addresses to switch ports, which makes it possible to find the physical location of a MAC address. A switch holds a CAM table and an ARP table.
  • CAM table: stores the MAC addresses learned on physical ports. It maps MAC addresses to physical switch ports and helps identify attackers sniffing local traffic, whose MAC addresses appear in the table. The table is volatile.
  • ARP table: contains each MAC address and its associated IP address.
  • Router: routes network packets, based on their addresses, to other devices or networks.
  • Firewall: a network security device that monitors traffic entering and leaving the network it protects. It filters traffic according to a set of security rules. Firewall logs contain important information such as connection attempts, applications, and so on.
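
The CAM and ARP notes above can be put to work by comparing table dumps. This added example (not part of the original post) parses constructed samples modelled on "show mac address-table" and "arp -a" output, reports MACs learned on more than one switch port, and reports IPs whose MAC changed between two ARP snapshots together with the port the new MAC sits on; all addresses are sample values.

```python
import re

# Constructed samples modelled on "show mac address-table" and "arp -a" output.
CAM_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/8
"""
ARP_BEFORE = """\
192.0.2.1    00-11-22-33-44-55
192.0.2.30   00-aa-bb-cc-dd-ee
"""
ARP_AFTER = """\
192.0.2.1    00-aa-bb-cc-dd-ee
192.0.2.30   00-aa-bb-cc-dd-ee
"""

def canon_mac(mac):
    """Normalize 0011.2233.4455 / 00-11-22-33-44-55 / 00:11:22:33:44:55 to one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_cam(text):
    """Map each MAC in a CAM table dump to the set of switch ports it was learned on."""
    ports = {}
    for line in text.splitlines()[1:]:          # skip the header row
        _vlan, mac, _type, port = line.split()
        ports.setdefault(canon_mac(mac), set()).add(port)
    return ports

def parse_arp(text):
    """Map IP -> MAC from a two-column ARP listing."""
    return {ip: canon_mac(mac) for ip, mac in (l.split() for l in text.splitlines())}

def moving_macs(cam):
    """MACs learned on more than one port: a host moved, or something is spoofing it."""
    return {mac: sorted(p) for mac, p in cam.items() if len(p) > 1}

def arp_changes(before, after, cam=None):
    """IPs whose MAC differs between two ARP snapshots, with the switch port(s) the
    new MAC was learned on when a CAM table is given (the physical location to check)."""
    changes = {}
    for ip, old in before.items():
        new = after.get(ip)
        if new is not None and new != old:
            changes[ip] = (old, new, sorted(cam.get(new, ())) if cam else [])
    return changes
```

In the sample, the gateway 192.0.2.1 suddenly answers from the MAC of 192.0.2.30, and the CAM table shows which ports that MAC was seen on, which is where an investigator would look first.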

Written by kks101 in: Network Forensics
Nov 27, 2020

Week 9

Forum Based Learning: Event log correlation and analysis

Log correlation is a method that forensic investigators or a monitoring team use to collect logs from all sources in the network and correlate them in order to find incidents, anomalies, and leads for investigation. Even though each source has its own log fields and format, log correlation tools such as Graylog, Splunk, and others make correlation and analysis possible.
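The SIEM note in Week 12 and the correlation note above both come down to one job: bring differently formatted logs into a common schema, then match events across sources. This added example (not from the original post, and not any SIEM product's code) does that over two constructed sample logs, a pipe-separated firewall log and a syslog-style auth log; the field names and the five-minute window are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: a pipe-separated firewall log and a syslog-style auth log.
FIREWALL_LOG = """\
2020-11-27 10:01:05|DENY|src=203.0.113.7|dst=192.0.2.10|dport=22
2020-11-27 10:01:09|DENY|src=203.0.113.7|dst=192.0.2.10|dport=22
2020-11-27 10:02:30|ALLOW|src=198.51.100.4|dst=192.0.2.10|dport=443
"""
AUTH_LOG = """\
Nov 27 10:01:40 host1 sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2
Nov 27 10:30:12 host1 sshd[815]: Accepted password for admin from 198.51.100.4 port 51200 ssh2
"""
FW_RE = re.compile(r"^(?P<ts>\S+ \S+)\|(?P<action>\w+)\|src=(?P<src>[\d.]+)\|dst=[\d.]+\|dport=(?P<port>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for \S+ from (?P<src>[\d.]+)")


def normalize(fw_text, auth_text, year=2020):
    """Parse both formats into one schema: (time, source, src_ip, event).
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, "firewall", m["src"], f"{m['action']}:{m['port']}"))
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, "auth", m["src"], f"ssh_{m['result'].lower()}"))
    return sorted(events)


def correlate(events, window=timedelta(minutes=5)):
    """Group normalized events by source IP and report IPs that appear in more
    than one log source within `window`: the cross-source match a SIEM raises."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        sources = {e[1] for e in evs}
        if len(sources) > 1 and evs[-1][0] - evs[0][0] <= window:
            hits[ip] = [e[3] for e in evs]
    return hits
```

With the sample data, only 203.0.113.7 is reported: its firewall denies and the SSH failure fall within one window, while 198.51.100.4's events are 28 minutes apart and stay unrelated.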

Written by kks101 in: Network Forensics
Nov 20, 2020

Week 8

Network Intrusion Detection and Analysis – HIDS/HIPS is a host-based intrusion detection/prevention system, while NIDS/NIPS is a network-based intrusion detection/prevention system.

Modes of detection:

  • Signature Based Analysis
  • Protocol Analysis
  • Behavioral Analysis

Functionality:

  • IDSs are rule-based
  • They issue alerts
  • They are configured to capture suspicious packet sequences

There are two categories of IDS: commercial (Extreme Point NIPS and TippingPoint IPS) and open source (NIDS – Snort and Sagan; HIDS – AIDE and Samhain).

Written by kks101 in: Network Forensics
Oct 30, 2020

Week 7

  • Differences between FM and AM: FM is frequency modulation, while AM is amplitude modulation. AM is low powered, unlike FM, which is high powered.
  • The evil twin – an access point set up to ‘capture’ wireless communications on purpose. It poses as a legitimate Wi-Fi access point to disguise its identity.

You can also locate wireless devices, for example by using a listed MAC address to know which device to look for.

Written by kks101 in: Network Forensics
Oct 23, 2020

Week 6

Forum Based Learning – Statistical flow analysis is one of many steps in finding anomalies in the network. By computing statistics on traffic flows, we can see whether incidents are occurring and then prevent them or investigate further.

Tools for statistical flow analysis:

  • Wireshark
  • Tshark
  • Pcapcat
  • Tcpxtract
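
The statistics these tools report can be reproduced on a small scale to see what "finding anomalies in flow statistics" means in practice. This added example (not from the original post) aggregates a constructed packet summary, the kind of field list tshark prints, into per-flow counters, lists top talkers by bytes, and flags a source that opened tiny flows to many distinct ports on one host; the threshold of five ports is this example's own choice.

```python
from collections import defaultdict

# Constructed sample packet summary, similar to what tshark prints with
# -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e frame.len
PACKETS = [
    # (time, src, dst, sport, dport, length)
    (0.00, "192.0.2.5", "198.51.100.20", 51000, 443, 1500),
    (0.01, "198.51.100.20", "192.0.2.5", 443, 51000, 1500),
    (0.02, "192.0.2.5", "198.51.100.20", 51000, 443, 1500),
    (1.00, "192.0.2.9", "192.0.2.10", 40001, 21, 60),
    (1.01, "192.0.2.9", "192.0.2.10", 40002, 22, 60),
    (1.02, "192.0.2.9", "192.0.2.10", 40003, 23, 60),
    (1.03, "192.0.2.9", "192.0.2.10", 40004, 25, 60),
    (1.04, "192.0.2.9", "192.0.2.10", 40005, 80, 60),
    (1.05, "192.0.2.9", "192.0.2.10", 40006, 443, 60),
]


def build_flows(packets):
    """Aggregate packets into unidirectional flows keyed by (src, dst, sport, dport),
    with packet count, byte count and first/last time, like Wireshark's Conversations."""
    flows = {}
    for ts, src, dst, sport, dport, length in packets:
        key = (src, dst, sport, dport)
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f["bytes"] += length
        f["last"] = ts
    return flows


def top_talkers(flows, n=3):
    """Bytes sent per source host, highest first."""
    totals = defaultdict(int)
    for (src, _, _, _), f in flows.items():
        totals[src] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def port_fanout(flows, threshold=5):
    """(src, dst) pairs where the source touched more than `threshold` distinct
    destination ports with tiny flows: a statistical sign of scanning worth a closer look."""
    ports = defaultdict(set)
    for (src, dst, _, dport), f in flows.items():
        if f["packets"] <= 2:
            ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) > threshold}
```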

Written by kks101 in: Network Forensics
Oct 16, 2020

Week 5

Traffic Analysis.

Tools used for protocol analysis:

  • Wireshark – automatically parses and displays the protocol details within a packet, and filters are available. It shows the packet list, packet details, packet bytes, and all protocols present
  • Tshark – the same as Wireshark, but a CLI instead of a GUI
  • Packet Summary Markup Language (PSML) – an XML format for generating the details of a given protocol

Protocol identification techniques:

  • Protocol identification – identifying which protocols are present
  • Protocol decoding – reading the data
  • Exporting fields

Written by kks101 in: Network Forensics
Oct 09, 2020

Week 4

Evidence Acquisition – the goals of evidence acquisition. The ideal outcome is proof of absolute fidelity, protection of the evidence, and zero effect on the network environment. In practice, however, these standards are almost impossible to meet: a zero-footprint investigation cannot be achieved, so best practices must be used to minimize the footprint. In addition, the validity of the evidence should be verified with cryptographic checksums.

There is a lot of traffic acquisition software, chosen depending on the use case. You can use libpcap, which comes with many facilities, such as the Berkeley Packet Filter (BPF), usually used to compare values at layers 2, 3, and 4. You can also use tcpdump and Wireshark.

Acquisition tools: console, SSH, Telnet, TFTP, SNMP, SCP, and proprietary web interfaces.

Written by kks101 in: Network Forensics
Oct 02, 2020

Week 3

Forum Based Learning: capturing digital evidence to build a flow analysis, with tools such as Wireshark and tshark.

Written by kks101 in: Network Forensics
