Windows Event Logs (.evt and .evtx File Formats)

Traffic Analysis: Traffic Forensic Example
CIS 6395, Incident Response Technologies, Fall 2016, Dr. Cliff Zou, [email protected]

Acknowledgement
The example "Ann's Bad AIM" is from http://forensicscontest.com/
Puzzle #1 solution, Ann's Bad AIM: http://webcache.googleusercontent.com/search?q=cache:joJLaZVTPCAJ:forensicscontest.com/2009/09/25+&cd=1&hl=en&ct=clnk&gl=us&client=ubuntu
Puzzle #1 capture file: http://forensicscontest.com/contest01/evidence01.pcap
https://malwerewolf.com/2015/03/network-forensics-round-1-anns-bad-aim/
Network Forensics: Tracking Hackers through Cyberspace, by Sherri Davidoff and Jonathan Ham, 2012

Puzzle #1: Ann's Bad AIM (from forensicscontest.com)
Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company's prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company's secret recipe, and monitor her computer's traffic. Today an unexpected laptop briefly appeared on the company wireless network. Ann's computer (192.168.1.158) sent IMs over the wireless network to this computer.
1. What is the name of Ann's IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
Open the capture file in Wireshark.

Q1: What is the name of Ann's IM buddy?
The puzzle's name contains "AIM", so Ann must be using AOL Instant Messenger.
First, filter on Ann's IP address. Display filter: ip.addr == 192.168.1.158
Where is the AIM traffic? There are no packets labeled as the AIM protocol. There are many packets labeled as SSL, because they use TCP port 443. But check the packet content and you will see that they are not encrypted, so they are not really SSL packets! They are AIM messages carried over port 443 so that the AIM traffic can get through most firewalls, since most firewalls allow HTTP and HTTPS traffic through. Wireshark labels a stream by its port number by default, not by what the bytes actually contain.

Does Ann connect to an AOL server? The other IP address in those "SSL" packets is 64.12.24.50. What is this IP? Use the whois command in Linux to check: the address is registered to AOL. So the SSL traffic is really AIM traffic.

AIM protocol decoding: AOL has its own communication protocol (OSCAR, framed in FLAP), which is complicated. Luckily, Wireshark has a built-in AIM dissector, so it can decode AOL traffic. Right-click an SSL packet and choose "Decode As...". Choose TCP port with the value 443, select AIM in the Current field, then click Save. Now Wireshark will decode all of the port-443 traffic in this capture as AIM.

Q1 answer: check packet 25, outgoing to Sec558user1 (look at the AIM messaging section of this packet). Now we know Ann is messaging with buddy Sec558user1.
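The "check the packet content" step above can be automated. The following is an added example, not code from the slides or from forensicscontest.com: it classifies the first bytes a client sends on a connection as TLS or as AIM's FLAP framing, splits a reassembled AIM stream into FLAP frames, and reads the SNAC family/subtype that identifies an instant message. The TLS record layout and FLAP/SNAC header layouts are those of the respective protocols; the sample byte strings are constructed for this example and are not taken from evidence01.pcap.

```python
"""Port 443 does not mean TLS: tell real TLS from AIM's FLAP framing by content.

Added example, not from the original slides. A TLS connection begins with a
Handshake record (0x16, version 3.x) carrying a ClientHello (0x01); an
AIM/OSCAR connection begins with a FLAP frame (0x2A, channel, sequence, length).
"""
import struct

TLS_HANDSHAKE = 0x16     # TLS record content type "Handshake"
TLS_CLIENT_HELLO = 0x01  # first handshake message a client sends
FLAP_START = 0x2A        # every FLAP frame starts with '*'


def classify_first_bytes(payload: bytes) -> str:
    """Return 'tls', 'aim-flap' or 'unknown' for the first client bytes of a stream."""
    if len(payload) < 6:
        return "unknown"
    ctype, major, minor, _rec_len, hs_type = struct.unpack("!BBBHB", payload[:6])
    if ctype == TLS_HANDSHAKE and major == 3 and minor <= 4 and hs_type == TLS_CLIENT_HELLO:
        return "tls"
    start, channel, _seq, _length = struct.unpack("!BBHH", payload[:6])
    if start == FLAP_START and 1 <= channel <= 5:  # FLAP channels 1 (new connection) .. 5 (keep-alive)
        return "aim-flap"
    return "unknown"


def split_flap_frames(stream: bytes):
    """Split a reassembled one-direction TCP stream into FLAP frames: (channel, seq, data)."""
    frames, off = [], 0
    while off + 6 <= len(stream):
        start, channel, seq, length = struct.unpack("!BBHH", stream[off:off + 6])
        if start != FLAP_START:
            raise ValueError(f"not a FLAP frame at offset {off}")
        data = stream[off + 6:off + 6 + length]
        if len(data) < length:
            break  # capture ended mid-frame; keep what we have
        frames.append((channel, seq, data))
        off += 6 + length
    return frames


def snac_ids(frame_data: bytes):
    """SNAC header at the start of a channel-2 FLAP frame: (family, subtype)."""
    return struct.unpack("!HH", frame_data[:4])


def flag_mislabelled_streams(streams):
    """streams: iterable of (dst_port, first_client_bytes). Return (port, guess) where the port label lies."""
    expected = {443: "tls"}  # assumption: what a port-based label would claim
    flagged = []
    for port, first_bytes in streams:
        guess = classify_first_bytes(first_bytes)
        if port in expected and guess != expected[port]:
            flagged.append((port, guess))
    return flagged


# Constructed samples (not from the puzzle capture).
TLS_SAMPLE = bytes.fromhex("16030100c8010000c40303") + b"\x00" * 8  # ClientHello prefix
FLAP_SAMPLE = (bytes.fromhex("2a010000000400000001")                # ch1 seq0 len4: FLAP version 1
               + bytes.fromhex("2a020001000a00040006000000000001"))  # ch2 seq1 len10: SNAC family 4 (ICBM), subtype 6 (outgoing IM)

if __name__ == "__main__":
    print(flag_mislabelled_streams([(443, TLS_SAMPLE), (443, FLAP_SAMPLE)]))  # [(443, 'aim-flap')]
```

On a real capture, feed `classify_first_bytes` the first client-to-server bytes of each tcp/443 conversation (for example the client side of Follow TCP Stream saved as raw); any stream that comes back `aim-flap` is one Wireshark would have shown as SSL and is a candidate for "Decode As" AIM. Channel 2 frames carry SNACs; family 4 is the messaging (ICBM) family, and the instant message text sits inside TLVs after the SNAC header.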

Q2: What was the first comment in the captured IM conversation?
Packet 23 is a keep-alive with no real content. Packet 25 carries the first message, so the answer is:
Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)

Q3: What is the name of the file Ann transferred?
There are many TCP packets to and from Ann's computer; might some of them be a file transfer? A Google search finds that AIM file transfer uses TCP port 5190. New display filter: ip.addr == 192.168.1.158 && tcp.port == 5190
Check the first data packet after the three-way handshake (connection setup) packets: packet 112. Look at the binary data section: it is an OFT2 (OSCAR File Transfer) header, and the file name is recipe.docx.

Q4: What is the magic number of the file you want to extract (first four bytes)?
Most protocols can be identified by well-known sequences of bytes near the zero offset. Almost all file formats have headers with a few zero-offset bytes that uniquely identify them; these first few bytes are referred to as magic numbers. We need to carve the file recipe.docx out of the packet capture.

Carving out files: Wireshark approach
We can use Wireshark directly to carve out a file, but it is suitable only for small files. From data packet 112, right-click and choose Follow TCP Stream. The duplex conversation (both directions) is shown. We are interested in the file transferred out from Ann's computer, 192.168.1.158, so we only need the one direction with source IP 192.168.1.158 (about 12 kB). Select that direction, select "Show data as Raw", then "Save as" to save it as recipe.docx.

But this saved file still contains the protocol exchange (the OFT2 header) in front of the document, and we need to remove that unrelated data. Use a hex editor to edit the saved file; any free hex editor will do. I use Be.HexEditor (GUI-based, free): https://sourceforge.net/projects/hexbox/files/hexbox/Be.HexEditor%201.6.0/
Find the start of the recipe.docx file: we need to know the starting magic number of a .docx file. Google "docx file signature": a .docx is a ZIP archive, and a ZIP archive starts with the local file header signature PK.. (50 4B 03 04). Delete all bytes before the PK.. (50 4B). Now the file opens in Word! So the magic number is 50 4B 03 04.

Q5: What was the MD5sum of the file?
Go to the Kali Linux VM on your machine and run md5sum on the carved file. The file's MD5sum is: 8350582774e1d4dbe1d61d64c89e0ea1
The hash is only meaningful if the carve is exact: any stray protocol bytes left before the PK header, or after the ZIP end-of-central-directory record, change the MD5.
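The three hex-editor steps above (read the file name from the OFT2 header, cut from the ZIP magic number, hash the result) can be done in a few lines once the one-direction raw stream has been saved from Follow TCP Stream. The following is an added example, not code from the slides or from forensicscontest.com, and it also covers what tcpxtract does below: signature-based carving. The OFT2 header offsets (256-byte header, header length at offset 4, type at offset 6, file name at offset 192) follow the OFT2 header layout; the sample stream is constructed in the code, so its MD5 is not the puzzle's answer.

```python
"""Carve the transferred file out of a raw AIM/OFT2 sender stream and hash it.

Added example, not from the original slides. Reads the OFT2 header for the
file name, cuts from the ZIP local-file-header magic number to the ZIP
end-of-central-directory record, and MD5s the carved bytes.
"""
import hashlib
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # 50 4B 03 04: the magic number asked for in Q4
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory record: marks the end of a ZIP
OFT2_MAGIC = b"OFT2"
OFT2_NAME_OFFSET = 192            # file name field inside the 256-byte OFT2 header
OFT2_TYPE_PROMPT = 0x0101         # sender's offer, the type seen in the first data packet


def parse_oft2_header(stream: bytes):
    """Return (header_length, type, file_name) from an OFT2 header at the start of a stream."""
    if stream[:4] != OFT2_MAGIC:
        raise ValueError("stream does not start with an OFT2 header")
    hdr_len, oft_type = struct.unpack("!HH", stream[4:8])
    name = stream[OFT2_NAME_OFFSET:hdr_len].split(b"\x00", 1)[0]
    return hdr_len, oft_type, name.decode("utf-8", "replace")


def carve_zip(stream: bytes) -> bytes:
    """Cut a ZIP (docx) out of a byte stream using its magic number and EOCD record."""
    start = stream.find(ZIP_LOCAL_HEADER)
    if start < 0:
        raise ValueError("no ZIP local file header (50 4B 03 04) found")
    eocd = stream.rfind(ZIP_EOCD, start)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record; transfer incomplete?")
    # EOCD is 22 bytes plus an optional comment whose length is its last 16-bit field.
    comment_len = struct.unpack("<H", stream[eocd + 20:eocd + 22])[0]
    return stream[start:eocd + 22 + comment_len]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def carve_and_hash(stream: bytes):
    """Whole procedure: file name from OFT2, carve by magic number, verify, hash."""
    hdr_len, _oft_type, name = parse_oft2_header(stream)
    carved = carve_zip(stream)
    if stream.find(ZIP_LOCAL_HEADER) != hdr_len:
        raise ValueError("file data does not start right after the OFT2 header; stray bytes?")
    zipfile.ZipFile(io.BytesIO(carved)).testzip()  # raises BadZipFile if the carve is not a valid archive
    return name, carved[:4].hex(" "), md5_hex(carved)


def build_sample_stream():
    """Constructed sender-side stream: 256-byte OFT2 PROMPT header followed by a tiny docx-like ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>secret recipe</w:document>")
    docx = buf.getvalue()
    header = bytearray(256)
    header[0:4] = OFT2_MAGIC
    struct.pack_into("!HH", header, 4, 256, OFT2_TYPE_PROMPT)  # header length, type
    name = b"recipe.docx"
    header[OFT2_NAME_OFFSET:OFT2_NAME_OFFSET + len(name)] = name
    return bytes(header) + docx, docx


if __name__ == "__main__":
    sample, _ = build_sample_stream()
    print(carve_and_hash(sample))
```

For the real capture, replace the constructed stream with the bytes of the 192.168.1.158 direction saved as raw from Follow TCP Stream. The check in `carve_and_hash` that the magic number sits exactly at the OFT2 header length is the practitioner's sanity test: if the two disagree, the saved stream has extra bytes and the MD5 will not match the expected value.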

Carving out files: tcpxtract
tcpxtract extracts and reconstructs TCP stream payload data based on file signatures (magic numbers). Kali Linux does not ship it, but you can install it. tcpxtract contains file signatures for many file types, including PK.. (a .docx actually uses the ZIP format). Use tcpxtract to extract all files from the trace. The first file, 00000024.zip, carved between 192.168.1.158 and 192.168.1.159, should be recipe.docx; confirm this by comparing its MD5sum with the one computed above.

Network forensic tool: NetworkMiner
Commercial software, but it has a simplified free version: http://www.netresec.com/?page=NetworkMiner
By loading the trace file, NetworkMiner extracted the file without any problem. But it only interprets the few protocols it understands.
