Network forensics exercise
In September, I was asked to deliver a guest lecture on network forensics to a group of undergraduate criminal justice students with very little formal computer science or networking training. This one ranked fairly high on my list of interesting challenges, so I decided to pick up the gauntlet.
The class took place last week and went fairly well. The group was relatively small, but I was able to connect with them and get some interaction going. I started out by asking the people there what "the network" looked like; for illustration purposes, I had brought a patch cable and a switch. At this point, students started to realize that it may be a little problematic to acquire a network patch cable ;)
I proceeded by explaining that a typical network infrastructure has very little persistent data, and that the technology must be prepared ahead of time to capture useful data in a forensically sound manner. We spoke briefly, and at a very high level, about networking, IP addresses and ports, which flowed into the concept of "pen register and trap & trace devices for the network". Enter: NetFlow.
At this point, it was time for an exercise, and I provided the students with two Excel files. One file contained an excerpt from an inventory database, and the other contained 15 minutes of (actual) NetFlow data from a single sensor. The 15-minute window amounted to a spreadsheet with about 650,000 lines. The assignment was to identify which computers in a specific lab were interacting with Gmail at a specific time. My objective was to show the level of detail that we can obtain by just looking at flow data, AND the sheer size of the data set that we have to deal with.
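The lookup the students did by hand in the spreadsheets, written as an added example that is not part of the original post: it joins an inventory excerpt against flow records and reports which machines in one lab had flows to a Gmail address range inside a 15-minute window. The inventory, flow records, timestamps and the Gmail address range are all constructed stand-ins (the range is an RFC 5737 documentation block), not data from the lecture.

```python
# Added example: inventory + NetFlow join for "which lab PCs talked to Gmail
# between T and T+15min". All data below is constructed for illustration.
import ipaddress
from datetime import datetime, timedelta

# Constructed inventory excerpt: hostname -> (lab name, IP address)
INVENTORY = {
    "lab3-pc01": ("LAB-3", "10.20.3.11"),
    "lab3-pc02": ("LAB-3", "10.20.3.12"),
    "lab4-pc01": ("LAB-4", "10.20.4.11"),
}

# Assumed stand-in for the Gmail address space; a real analysis would use the
# ranges observed or resolved at capture time, not a documentation block.
GMAIL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
WEB_PORTS = {80, 443}

# Constructed flow records, simplified NetFlow-like tuples:
# (flow start time, source IP, destination IP, destination port, bytes)
FLOWS = [
    ("2023-09-12 10:02:15", "10.20.3.11", "203.0.113.10", 443, 8120),
    ("2023-09-12 10:02:40", "10.20.3.12", "198.51.100.5", 80, 430),
    ("2023-09-12 10:05:01", "10.20.4.11", "203.0.113.22", 443, 15000),
    ("2023-09-12 10:31:00", "10.20.3.12", "203.0.113.10", 443, 990),
]

TS_FMT = "%Y-%m-%d %H:%M:%S"


def is_gmail(ip):
    """True if the address falls inside one of the (assumed) Gmail ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GMAIL_NETS)


def lab_hosts_talking_to_gmail(flows, inventory, lab, start, minutes):
    """Return the sorted hostnames in `lab` that have a web flow to a Gmail
    address whose start time lies in [start, start + minutes)."""
    t0 = datetime.strptime(start, TS_FMT)
    t1 = t0 + timedelta(minutes=minutes)
    # Restrict the join to the lab in question so the 650k-row flow set is
    # only matched against a handful of source addresses.
    ip_to_host = {ip: host for host, (l, ip) in inventory.items() if l == lab}
    hits = set()
    for ts, src, dst, dport, _ in flows:
        t = datetime.strptime(ts, TS_FMT)
        if t0 <= t < t1 and src in ip_to_host and dport in WEB_PORTS and is_gmail(dst):
            hits.add(ip_to_host[src])
    return sorted(hits)


if __name__ == "__main__":
    print(lab_hosts_talking_to_gmail(FLOWS, INVENTORY, "LAB-3", "2023-09-12 10:00:00", 15))
```

On a real export, replace the FLOWS list with rows read from the CSV/XLSX the sensor produced; the filtering logic stays the same.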
After NetFlow, we went on to full packet capture. It was evident very quickly that the students would be wholly unable to deal with that by themselves (remember: these were criminal justice students without much computer science or networking experience!). Instead, I demonstrated the solution to a scenario for them that revolved around the theft of a company's intellectual property. The file that was leaked was called 'ProductDesign.zip'.
While preparing for class, I had set up a hypothetical workgroup network with one server and three employees. The server was an email hub (webmail, IMAP, POP), secure file storage, and a department directory.
The employees were John, a senior engineer about to retire on a very small pension; Mary, who had just married somebody from Ukraine; and Janice, an intern pursuing a marketing degree.
The first step towards the solution was inspection of the web server logs. They revealed the exact time that John downloaded the file in question. Further scrutiny revealed that the file was also downloaded from Mary's PC.
At this point, I asked for hypotheses. We got some very interesting ones!
However, looking more closely, we can see that Janice's PC might have had a remote desktop connection open to Mary's computer. At this point, we have all three employees as possible suspects.
Going back further in time, we identified that Janice phished Mary and John under the pretense of assisting the IT department with collecting preferred usernames/passwords that would be set after weekend maintenance.
Janice is now prime suspect.
Looking at what happened after ProductDesign.zip was downloaded, we see that less than 10 minutes after one of the downloads, Janice sent an email from her work account to anon23@evil.local that read "it is done. I have a copy on my USB disk".
From a network forensics perspective, we have now identified a possible suspect and pointed out two machines for forensic analysis (Mary's PC and Janice's PC).
The session took about 2 hours and included a tour of a networking closet ;)
All in all, I think the students picked up a few things.
I did save the virtual machines and the packet capture, so if you are interested in doing something like this, feel free to let me know and I'll see what I can do to get the artifacts to you.