PATTERN DETECTION IN A REMOTE LAN ENVIRONMENT
•
4 j'aime•7,014 vues
A minor thesis submitted by Bruno VALENTIN in part fulfillment of the degree of M.Sc. in Forensic Computing and CyberCrime Investigation with the supervision of Dr. Pavel GLADYSHEV
Recommandé
Contenu connexe
En vedette
En vedette (20)
Similaire à PATTERN DETECTION IN A REMOTE LAN ENVIRONMENT
Similaire à PATTERN DETECTION IN A REMOTE LAN ENVIRONMENT (20)
Dernier
Dernier (20)
PATTERN DETECTION IN A REMOTE LAN ENVIRONMENT
- 5. 1 Introduc<on 1 Introduction As they have fully understood how useful computers and networks can be in the scope of their criminal ac<vi<es, offenders now tend to widely use new technologies. Obviously, because of their illegal business, one of their main concern is to remain anonymous and hidden, not to be iden<fied and arrested by Law Enforcement Units. Internet cafes are providing a public access to everyone who needs to be connected for a short period of <me or who has no personal Internet connec<on. Depending on the countries, the legisla<on regarding the regula<on of cyber cafes is ohen loose. In contrast with the Internet Service Providers , they are ohen not compelled to be in compliance with the legisla<on related to the reten<on of the connec<on data and they are not obliged to iden<fy their customers either. Considering this, offenders ohen use Internet cafes to commit their illegal acts, thinking that they will be protected by a substan<al anonymity. As a ma.er of fact, even if the Police unit in charge manage to subsequently iden<fy the owner of the public IP address from which the offense was commi.ed, determining formally which customer perpetrated it is impossible. Most of the Internet cafes don't keep any informa<on about their customers and don't provide any way to iden<fy subsequently a person who used a worksta<on. No video recording exists except for security purpose. 1.1 Background Over the past few years the French Police had to deal with some cases of kidnapping in which people were abducted and the perpetrators asked the family for a ransom. Concerned by anonymity, the criminals were using Internet cafes to communicate with the family of the hostage. They created an email account on one of the common webmail sites available on the Internet and then used this account to send emails to the rela<ves of the vic<m. As the discussion was going on between the kidnappers and the family, the Police tried to track down the criminals many <mes without succeeding. As a ma.er of fact, since offenders were using a set of internet cafes to connect the webmail, the Police had to perform several opera<ons prior to being in posi<on of arres<ng them. First of all, they had to analyze the full header of the electronic mail sent to the family to get the public 5 of 124 B. VALENTIN – MSC DISSERTATION
- 10. 2 Background 2 Background As seen previously in the introduc<on, the topic of the current document is to set up a solu<on in order to simultaneously intercept a set of local area networks from a remote point of view, and for Law Enforcement needs. This kind of subject ma.er is ohen not published or disclosed since it is considered as sensi<ve by the private companies which are designing on‐purpose equipment and the Law Enforcement Agencies. Though, some white papers have been released publicly by academic ins<tu<ons and private sector. An overview of the current state of art regarding wire tapping has been done to determine how intercep<ons can be implemented for solving the issue exposed in this disserta<on. The white papers and other documents found are introducing the different ways of intercep<ng communica<ons on a IP network. 2.1 Internal versus external interceptions Depending on how accessible the network is to monitor and where the wiretapping equipment can be installed, an intercep<on process can be referred to as internal or external. Internal intercep<on allows the Law Enforcement Agencies to extract the data directly from the internal networks of internet service providers [2‐1] involved in the transmission of the data of interest over the Internet. In this case, the whole traffic of the target is intercepted and delivered to the LEA in its raw format. This is commonly completed using sohware or hardware sniffers capable of dealing with IP traffic. Of course, since it is crucial, from a Law Enforcement prospec<ve, that the target doesn't know they are being monitored, some mechanisms must be put in place to ensure the intercep<on system remains transparent. This means that the system has to be thought of and designed in a secure manner. [2‐1] Unfortunately, in many developed countries, ISPs are ohen reluctant to provide access to their core networks to the LEA. There is usually a strong opposi<on [2‐1] leading to a legal figh<ng between LEA and service providers. When pu_ng in place an internal intercep<on is not feasible, intercep<on must be performed at 10 of 124 B. VALENTIN – MSC DISSERTATION
- 11. 2 Background network access level outside the network of the service provider. Typically, this means that the intercep<on material has to be connected out of the immediate target network, for instance at adjacent networks or public network concentra<on points [2‐1]. This network pertains usually to the network operator, as depicted on the figure below. The systems capable of doing external intercep<ons are ohen designed and commercialised by private companies. As performing an external intercep<on is much more complicated than doing an internal one, such systems tend to be sophis<cated and not officially publicised. In fact, WAN monitoring is considerably not a simple task to complete. It must support a much wider range of network topologies and protocols (PPP, mul<link PPP, Cisco HDLC, frame relay, ATM) [2‐2] and must be able to deal with several levels of protocol encapsula<on. As it was the case already in the internal intercep<on, targets must be unaware that they are under electronic. Therefore, any no<ceable informa<on that could reveal the monitoring process should be avoided [2‐1]. For instance, the “Traceroute” command could show a new router hop in the path from the target to the Internet. Also, degrada<on or interrup<on of service has to be avoided as much as can be by the use of appropriate technologies. In conclusion, any<me it is applicable, internal intercep<on is considerably more straighporward to put in place. Also, the content data resul<ng from this intercep<on can be filtered more effec<vely since IP data is already and does not need to be translated prior to being analysed. 11 of 124 B. VALENTIN – MSC DISSERTATION Illustration 2.1: Typical configuration for xDSL
- 17. 2 Background computa<onally expensive task to search through the packet for matching strings [2‐5]. In conclusion, Deep Packet Inspec<on is a promising technology, now implemented in appliances manufactured by the most popular vendors such as Microsoh, Cisco and Checkpoint. Combining Firewall and IDS in a single equipment eases the configura<on and the management of the system [2‐5]. The Deep packet Inspec<on is mandatory for an intercep<on system to be capable of analyzing the payload of an IP packet to a level necessary to intercept ‐ for example ‐ accesses of a par<cular user to a par<cular web mail service. 2.4 Recording of just Oiltering the trafOic? Depending on the type of intercep<ons to put in place, one ques<on arises. Is it necessary to record and store all the data or is it sufficient to just filter them ? Simson Garfinkel defines an approach that he calls “catch it as you can” [2‐7]. It describes the process of recording every type of packet transmi.ed through the intercep<on system. Since it immediately writes the data to the disk and perform analysis aherwards, this approach requires to use large disks, usually configured as RAID systems. Another way of filtering the data is the approach called “stop, look and listen” [2‐7]. It consists in analyzing the content data in real‐<me as it flows over the network and record the relevant packets only. As a consequence, large disks are not required any more, but analyzing the packets on‐the‐fly can take much computa<onal resources again. This approach was introduced in the 1990s by Marcus Ranum and used to be employed in the FBI wiretapping system called “Carnivore”. Anyhow, the hardware selected for comple<ng the task of intercep<ng the data, mainly depends on the size of the network to monitor. For instance, a 66MHz 486 computer is enough to capture the packets on a 384Kbps DSL link whereas a much bigger computer would be required to do it on a fully‐loaded gigabit network [2‐7]. 2.5 Delivery of the data How the intercepted data has to be delivered to the Law Enforcement Agencies is defined in the ETSI standard and CALEA (Communica<on Assistance for Law Enforcement Act). 17 of 124 B. VALENTIN – MSC DISSERTATION
- 19. 3 Problem Statement 3 Problem Statement 3.1 What is the problem and why it needs to be solved Nowadays, the new technologies are widely used by criminals to exchange informa<on (terrorism, organized crime) or to stay in touch with their vic<ms (blackmailing). Computers are everywhere and offenders now have the skills to use them for their criminal ac<vi<es, whatever they are. When these people have to send emails they know that doing this from an Internet cafe is a good way to remain anonymous and to ensure that they won't be traced back. Anonymity is one of their main concern. Furthermore, they are aware that going repeatedly in the same internet cafe may compromise them. Indeed, the Law Enforcement unit in charge of the case can determine where the mail was sent from by analyzing the header of the email. If the unit gets the reply to the legal request sent to the ISP, it will be able to arrest the perpetrator the next <me he comes to this internet cafe. For this reason, criminals tend to be roaming between several internet cafes, in order to confuse the Police. But they are usually visi<ng the same ones, ohen located in the same area of the city. Most of them do not select a new loca<on each <me they have to connect the Internet. Aher a while, they tend to go again in a cyber cafe visited already. Not all criminals commit their crimes from big ci<es in which a good deal of Internet cafes are located. Some of them also operate from smaller towns. They don't have as many possibili<es when they are roaming between Internet cafes. Most of the <me, the managers of the internet cafes agree to cooperate. It's not that common to face an inves<ga<on case in which even the internet cafe is involved and should be considered as an accomplice of the suspect. Changing internet cafe for each connec<on to the Internet means that the public IP address used by the perpetrator is changing all the <me as well. The criminals are aware of this fact too. In the cases in which there is a need of communica<on between criminals and their vic<ms (e.g. kidnapping), there are very frequently several exchanges of emails between both the two par<es. It is ohen a game of ques<ons and answers in which the Police get many IP addresses involved. 19 of 124 B. VALENTIN – MSC DISSERTATION
- 20. 3 Problem Statement Some Internet cafes are open to the customers 24 hours a day. As suspects are liable to connect the Internet any<me, it is hardly conceivable to think about having a police officer in front of each cyber cafe all the <me. Of course, one can be thinking of pu_ng all the Internet cafes under monitoring. Unfortunately, such internet intercep<ons, whether on the core network of an ISP or locally in the facili<es of a telecommunica<on operator are very expensive and require much efforts to analyze the whole traffic. Indeed, tradi<onal Internet intercep<ons are recording the whole traffic coming from and going to a specific target. It would be useless if the only aim is arres<ng the perpetrator. Further computer forensics will prove he was using the computer for criminal purposes by the <me he was arrested and will determine what he was exactly doing. Internet cafes are some<mes the only loca<on where the perpetrator can be arrested. If the criminal is careful and takes all the precau<ons not to be iden<fied, he never connects the Internet from another type of internet access. That ensures that no personal IP address will be recorded in the log files or in the mail headers of the vic<m. Furthermore, from Law Enforcement prospec<ve, arres<ng a suspect while he is commi_ng his crime, with his hands on the computer is the best way to get undeniable evidences of his culpability and thus to prove he is really involved. Unfortunately, arres<ng a criminal in such condi<ons is not that easy. Indeed, many major problems come up, due to technical restric<ons or misappropria<on of the law. Depending on the countries, no legal provision exist with regards to the public access to the Internet offered by private companies. In France for instance, Internet cafes are not obliged to comply with any legisla<on with regards to the iden<fica<on of their customers. The managers of the Internet cafes are not compelled to ask people for their iden<ty and even if they do, they are not obliged to keep any track of it. It means that if the Police come across an IP address allocated to an Internet cafe by the <me the offense was commi.ed, they cannot simply go to the manager and get the list of the people who were using the computers. From a Law Enforcement prospec<ve, this is a big issue as no subsequent iden<fica<on can be done. The suspect has to be iden<fied and arrested in real‐<me. 20 of 124 B. VALENTIN – MSC DISSERTATION
- 21. 3 Problem Statement Very ohen there is no camera installed in the Internet cafes. Even if there are, they are used for security purpose only and no video recording exists. Again, it is a constraint for the Police to subsequently iden<fy a suspect. If the Police officers can iden<fy the Internet cafe the connec<on was established from and even the worksta<on used, they won't by able to get any picture or video of the criminal. Moreover, most Internet cafes are linked to the Internet via a broadband connec<on with a dynamic IP allocated. Depending on the ISP, it can take much <me ge_ng a reply to the legal request for iden<fica<on sent. Some of them tend to reply not rapidly enough to fit the constraints imposed by a criminal inves<ga<on. If the case is about kidnapping for instance, it is crucial that the loca<on the connec<on is origina<ng from is iden<fied urgently. Furthermore, when the Police receive the reply from the ISP iden<fying the Internet cafe involved, obviously only the public IP is iden<fied as this is the only informa<on the ISP knows of. Some internet cafes are equipped with a huge number of worksta<ons. Every computer is using a private IP and the traffic is routed to the Internet through the public IP of the router/gateway. Internet cafes usually have a basic network infrastructure. They are not equipped with a filtering and logging appliance such as a proxy server. A proxy would allow the Police to make a correspondence between the requested URL and the private internal IP address of the worksta<on on which it was requested. For instance, if the Police know that the suspect was using Yahoo webmail at a specific moment, they could analyze the logs of the proxy and make a selec<on of all the computers connected to this web site at the <me the connec<on occurred. As it is some<mes impossible to guess which worksta<on was used, it can take a considerable amount of <me analyzing every computer in a forensic perspec<ve. It can take <me also searching for keywords on every hard disk to determine which one contains the evidences related to the criminal ac<vi<es of the user. Some<mes it is not even possible, as some Internet cafes are equipped with an auto re‐installa<on process that restores a generic system image on the hard disk when the client logs off. In some cases, the whole system is virtual and runs completely in memory. It is even more complicated to find digital evidences if the computer is examined subsequently. All these technical and judicial issues make the inves<ga<on longer and more complex than it should be in an ideal world. 21 of 124 B. VALENTIN – MSC DISSERTATION
- 22. 3 Problem Statement Nonetheless, some solu<ons can be thought of to ease and make it quicker to iden<fy and arrest a criminal connec<ng the Internet from Internet cafes. 3.2 Existing solutions 3.2.1 Niksun NetDetectorLive In terms of network detec<on, a private company named Niksun provides an autonomous appliance allowing to monitor both the incoming and outgoing network flows in real‐<me. This equipment called NetDetectorLive (tm) can capture the network traffic and simultaneously search for non‐authorized pa.erns in transmi.ed packets with regards to the internal policy of a company. The main purpose of this equipment is to be used in the scopes of intellectual property protec<on and outbound content control. This appliance makes it possible for the administrator of a network to be informed in real‐<me of policy viola<ons, par<cularly about sensi<ve content like R&D and financial informa<on for instance. Although it has not been designed specifically as a lawful intercep<on product, this equipment includes some of the func<onali<es that could be required to address the problem described in the previous chapter. NetDetectorlive provides real <me archiving of data and allows reconstruc<on of the content in its context aherwards. For instance, it can store all email messages or instant messages for a later search. Furthermore, it is capable of categorizing and reconstruc<ng most of the standard protocols sessions (smtp, pop, imap, web, instant messaging, hp , p2p) as well as intercepted documents transmi.ed through the network (office documents, text files, PDF files, embedded images). Each <me an incident is detected on the network an event is generated and an alarm is issued. Detected incidents are logged in a database to allow subsequent filtering and analysis. 22 of 124 B. VALENTIN – MSC DISSERTATION Illustration 3.1: NetDetectorLive Appliance From Niksun
- 24. 3 Problem Statement 3.2.3 Blueye project Finally, with regard to keyword based network sniffing, a project has been ini<ated by the BL7 group and made available for download for windows and Linux under GPL2 license on their website [323‐1] . This project called Blueye Layer 7 sniffer aims at detec<ng keywords in a high‐rate network stream (wired or wireless links) in real‐<me. Ini<ally, this project has been designed to allow the administrators to monitor the backbone of their private company for security reasons. For instance, it can be used in the field of intellectual property defense to prevent internal users to send sensitive content outside the corporate network without being noticed. Filtering rules can be defined and the configuration of blueye can be changed by modifying a set of text files. So far, no graphical user interface exists to perform this task. As soon as user‐defined keywords are detected, this layer 7 sniffer uses them to extract valuable and relevant informa<on, rebuilds fragmented TCP session and stores them on the hard disk of the computer. It can also issue some alerts by email on relevant events. All the logged packets are stored as PCAP files and also indexed in a MySQL database for later iden<fica<on and retrieval. The system is scalable to fit the needs of intercep<ng a mul<‐sites network as well. For this purpose, it can be deployed as a distributed infrastructure composed of several front‐ ends and one back‐end which stores all the records in a centralized database. Although Blueye is just a piece of sohware and doesn't have anything to do with hardware equipment, it relies on ninjabox plaporms to sniff the network flow. Ninjabox plaporms are commercialized by a UK‐ based company named Endace. Ninja plaporms are basically 3U appliances equipped with 2 intel xeon dual core CPU and 4GB of internal memory. They come with 2 built‐in 1Gb/s network ports. They are also equipped with a RAID array composed of eight 250GB hard drives for an overall capacity of 2TB. 3.2.4 Drawbacks of existing solutions The exis<ng solu<ons iden<fied have all been designed with a specific goal and for a special use. However, they all provide some func<onali<es that are needed and useful for solving the current issue of 24 of 124 B. VALENTIN – MSC DISSERTATION Illustration 3.3: blueye logo
- 26. 3 Problem Statement party to deal with the content. As the connec<ons can occur from various internet cafes in a short period of <me, a distributed infrastructure has to be put in place. It is important that, as soon as a new loca<on has been iden<fied, a monitoring probe is plugged on the network to detect further connec<ons made from this loca<on. Apart from Blueye project, the commercial solu<ons don't provide this func<onality. All the other exis<ng appliances are provided as autonomous probes which are performing the filtering process for themselves. It is also a major need to have a graphical user interface available to allow a regular user to configure the system without specific knowledge in terms of computers and networks. This GUI should allow the ability to add probes, loca<ons, recipients and manage the cases easily. Blueye project does not come with a graphical user interface and has to be configured through a set of text files. Finally, the cost is one of the major issue encountered when Law enforcement agencies have to deal with Internet intercep<ons. Because these equipments are very advanced in terms of hardware configura<on, they are all very expensive and exceed the price a common Police Unit can afford for pu_ng in place an electronic supervision of the ac<vity at an Internet cafe. It is barely conceivable to install one of those appliances in every internet cafe to put under monitoring. The global cost of the inves<ga<on would be colossal. Only the most important and sensi<ve inves<ga<ons would make it possible to use these kind of network intercep<ons. For this reason, and to get more flexibility, a cheaper solu<on has to be thought of. 3.3 Requirements As stated, handling an inves<ga<on case in which the offender connects the Internet from a cyber cafe leads for Law Enforcement to face various issues that make the iden<fica<on and arrest more complicated. In order to take those issues into considera<on and to solve these problems, a technical solu<on can be designed. It needs to have some specific func<onali<es and characteris<cs. 3.3.1 reliability Criminal inves<ga<ons are ohen very important and sensi<ve in terms of content. To avoid missing any relevant informa<on related to the current inves<ga<on, the infrastructure need to be highly reliable. 26 of 124 B. VALENTIN – MSC DISSERTATION
- 31. 3 Problem Statement For instance, if the central server is hosted in the facili<es of a private company (data center), the employees may poten<ally have access to all the computers of their customers. Even if the central server is a dedicated computer, used by no other customer, it should not be assumed that no one will ever gain access to the hard drives of this computer. In fact, if one of the drives has a physical failure, the provider will replace it. But no one can guess in advance what this hard drive will become aherwards. What will happen if the hard disk gets repaired and is allocated to another customer ? Basic forensic technique and data carving opera<ons applied on the drive will allow this new customer to find data related to a criminal inves<ga<on. This would not be suitable at all in terms of confiden<ality with regards to judicial material. Therefore, encryp<on is a possible solu<on to protect the sensi<ve data from a non‐legi<mate access. Even if it doesn't protect them from a network access while the server is up and running, it is a good preven<on against off‐line analysis and data restora<on techniques used directly on the hard disk itself. For security to be increased slightly, the computer needs to be protected against illegal uses from the network as well. Indeed, the access to the sensi<ve data should be restricted to the administrator or the authen<cated and allowed users. The system is not intended to be a public service on the internet, open to any user. Instead, it is expected to be a private solu<on limited to Law Enforcement Agencies. From a technical point of view, it means that it should be protected by a firewall and that the service should not use well known ports which are very sensi<ve to port scanning. It should be configured rather to operate with ports that won't be guessed easily. Another important aspect, in terms of security is the stealth of the solu<on. As said before, it is recommended that the customers of the Internet cafe don't no<ce that the traffic is filtered and analyzed in real‐<me. Thus, the local modules used on‐site need to be invisible from the user perspec<ve. The modules should not appear on the path to the Internet. The users should believe they are connected directly to the Internet, with no addi<onal hop. It will prevent unauthorized access a.empts as it will be very difficult for the users to guess there is a probe installed and what its IP address is. Finally, the last thing to take into considera<on in terms of security is the physical equipment itself. Even if this module is installed with the coopera<on of the manager of the Internet cafe, it should easily be 31 of 124 B. VALENTIN – MSC DISSERTATION
- 33. 3 Problem Statement 3.3.7 Legality Lastly, the adopted solu<on should match the legal system of the country it is deployed in. In order to ease the use of this system in terms of legal restric<ons, it needs to be a detec<on and repor<ng system instead of an intercep<on solu<on. This point is crucial as na<onal regula<ons regarding intercep<on of telecommunica<ons are ohen very restric<ve. Thus this system won't record the traffic and won't keep any track of the user data. Only some monitored strings will cause alerts to be issued to the law enforcement. This system should be a binary one. The only important point is “Is any occurrence detected or not” ? If it is, the event should be reported urgently to the Police officers in charge of the case since the criminal is currently connected and has to be arrested without delay. Obviously, if the na<onal legisla<on of the country requires that the Police Unit obtains a warrant or an authoriza<on from a judge prior to pu_ng a probe in place, this installa<on should be done with regards to the local legal provisions. 33 of 124 B. VALENTIN – MSC DISSERTATION
- 34. 4 Adopted Approach 4 Adopted Approach The previous sec<ons iden<fied the issues encountered by Law Enforcement Agencies in catching a roaming perpetrator and the func<onali<es a good system would require. This chapter defines an approach to solve the problems that come up by building a cheap detec<on and alert system for Local Area Networks. 4.1 Overview of overall architecture As the sec<on 3.3 iden<fied the necessity of building a centralized system, the solu<on is composed of two main components. The first one, called “central server” is located on the Law Enforcement side. The second one is iden<fied as “probe” and has to be installed in‐situ on each loca<on to be remotely monitored. The key point of the selected infrastructure is the central server which has the responsibility of managing 34 of 124 B. VALENTIN – MSC DISSERTATION Illustration 4.1.: Diagram of the overall architecture
- 35. 4 Adopted Approach the whole infrastructure. This computer has to stay in contact with the probes on a permanent basis in order to be able to update and monitor them all on demand. The probes are composed of regular and cheap SOHO routers which have been modified and updated especially for this project. Each probe has been flashed to replace its firmware with a mini Linux opera<ng system in order to be able to implement the features required for the fulfillment of this project. An ordinary computer such as a laptop could have achieved the same bridging and sniffing func<onali<es as long as an addi<onal network card has been provided. But with regards to the constraints on the cost of the overall solu<on, it was apparent choosing cheap equipment, already equipped with mul<ple network cards was more appropriate. 4.1.1 The central server The central server is the core of this architecture. It has to perform various tasks and implement several func<onali<es, on a permanent basis. Therefore, it is crucial that this server remains on‐line all the <me and stays accessible by the probes all the <me. 1 Hosting Thus, one of the primary considera<on about this server is hos<ng. Indeed, as the whole infrastructure is organized around a central server that has to be reachable all the <me, how this computer is hosted is essen<al for the system to work. There are actually two types of solu<ons that can be used to host such a computer. The first one consists in hos<ng the server in Law Enforcement facili<es. It requires that the link connec<ng the premises to the Internet has a high bandwidth, dedicated to this purpose. This connec<on should be provided by the ISP with a sta<c IP address. This point is crucial because the probes are going to use the IP address of the server as the end for the virtual private network tunnel. This type of hos<ng can bring privacy and security as the physical access to the server can be restricted. It is also a cheap solu<on as a broadband access is nowadays very affordable for any unit. 35 of 124 B. VALENTIN – MSC DISSERTATION