If you have the budget, you can purchase additional programs that will do any of the previously discussed commands for you, usually with a convenient GUI. Two of the tools we use most often are Neotrace and Netscan Pro (the latter was shown previously in Figure 2-8). Both can do a traceroute for you, but Neotrace overlays a map and attempts to geographically plot the traceroute. This is a sexy feature, but its utility is questionable. It appears to map based on the zip code that the domain names are registered to. It would be more useful if the map could accurately show where the intermediate routers are located, but it should be apparent to you by now that this information is not available. Both programs are chock-full of capabilities. The NetScanTools Pro version obviously has a few more features, but for tracking purposes either will do nicely.
Essential NetTools (shown in Figure 2-18) is a set of network tools that are especially useful when investigating Microsoft networks. It includes
Figure 2-18 Essential NetTools
NBScan: A fast multithreaded NetBIOS scanner for locating computers that are sharing resources on the network. Instead of having to manually check each system on the network individually (nbtstat a 220.127.116.11, nbtstat a 18.104.22.168, and so forth), simply enter a beginning address and an ending address and let NBScan run nbtstat for you.
NATShell: A user-friendly interface for the popular NetBIOS Auditing Tool (NAT) network-auditing utilities.
NetStat: Displays all of a computer's network connections and monitors external connections to a computer's shared resources.
You will find this handy set of utilities useful when you examine networks using Windows file-sharing or Samba on Unix.9
Figure 2-19 Default and user-defined whois databases
Figure 2-20 Typical SmartWhois output
SmartWhois is designed to help inexperienced researchers find whatever information is registered on the Internet for specific IP addresses, so it comes with the most popular whois servers configured by default. Experienced users can define their own choices, making this a useful tool even for those who are accustomed to running whois from the command line.
After you physically locate what you believe to be your suspect's computer, verify that its IP and machine name match that of your suspect. If the suspect computer is a Windows 9X computer, use winipcfg from either the Run box (accessible by choosing Start | Run) or from a command prompt. The initial output is shown in Figure 2-21. A drop-down window at the top of the IP configuration enables you to choose the network adapters that you want to display configuration for. In Figure 2-21, we are looking at the PPP (Point to Point Protocol) dial-up adapter, which is the default whenever PPP is configured. To access any of the other adapters, such as the network card, just drop down the list by clicking on the down arrow.
Figure 2-21 Initial winipcfg window
Whatever you do, do not click on the Release All button! If the computer is using DHCP, clicking on Release All wipes out the IP address, and depending on the network's configuration, you most likely will not get the same address back if you click on Renew All. Click the More Info button to access the information shown in Figure 2-22.
Figure 2-22 Extended winipcfg information
In the window shown in Figure 2-22, we not only see the IP address and the MAC address, but also the computer's name (in the Host Name field), and whether or not the computer is using DCHP (if static, meaning that the IP address was manually configured instead of being automatically obtained from the DHCP server, the Lease Obtained and Lease Expires fields will be blank). If there are IP addresses next to the Primary or the Secondary WINS Server fields, you can probably check them to see if the IP address was logged at the time of the incident.
Intrusion Detection Systems (IDS)
Intrusion detection systems, usually abbreviated IDS, are automated mechanisms that are intended to monitor specific subsystems, providing an alarm when a suspected unauthorized event is detected. Although IDS has many practical problems, the programs are increasingly popular, and in 2000, at least one Internet intruder was captured and brought to justice with the assistance of an IDS. At the time of this writing, IDS isn't necessarily a technology that every forensic technician needs to be familiar with, but during the next few years, it not only could become a standard tool in the detection of Internet intrusions, but could be routinely used to gather evidence used for successful prosecutions.
IDS is applied in one of two places: It is either network based or host based. Network-based systems are a specialized form of network sniffer. A network IDS sits on a network segment, viewing all traffic sent to every host on the segment, looking for evidence of unauthorized activity. It is common practice to have a single centralized intrusion detection engine that provides logging, and alarm functions based on the data provided by multiple remote sensors, each located on a different LAN segment. Even on switched networks, at least one port on the switch can usually be con-figured to provide all of the data being sent to each of the individual ports, which is where the sensor may be placed.
Host-based IDS places the detection capability on a single host, although the trend in host-based IDS is also to centralize the logging and alerting functions. Most business units resist having some other business unit looking over their shoulder and prefer not to have another organization place security software on their computers. Host-based IDS also tends to be more expensive because more devices have to be monitored. Although they are not as convenient to install and operate as network-based IDS, the host-based systems are generally more accurate, having fewer false positives and catching a higher percentage of actual misuses.
Intrusion detection systems are usually categorized as detecting either specific events or changes in patterns. Both types have their advantages and disadvantages. Event detection systems monitor for specific sequences of events, or sequences, that are characteristic of attempts to gain unauthorized access to a system. A simple example is a system that alerts when a specific number of failed login attempts have occurred. Commercial network-based IDS might alert when it detects a sequence of characters used to perform a buffer overflow attack against a Linux lpd daemon. These systems are dependent upon an up-to-date database of attack patterns. Although they may be able to log any arbitrary event type, they cannot alarm on events that are not in their database. Most commercial network IDS products at the time of this writing are of this type, and like the users of anti-virus software, the users of these products regularly download updated attack fingerprint databases from the publisher. Host-based IDS, such as the Tripwire product discussed in Chapter 11, work by regularly checking the consistency of system files, alerting whenever a security-relevant file has been changed. It is usually not practical to perform such a check on every host within an organization, but on those hosts that do have their files checked for consistency, intrusions are virtually always detected.
The other IDS model, the one that detects changes in patterns, is sort of an arti-ficial intelligence thing. The theory is that instead of limiting a detection engine just to the population of known attack types, you create a system that is sufficiently sophisticated to recognize anomalous behavior and alert whenever something happens that is outside of normal parameters. For instance, say a specific person normally accessed his or her account between the hours of 9 a.m. and 7 p.m. An IDS tracks and learns this normal behavior, and if the user were to access the account in the middle of the night, the IDS would notify the security administrator that an unusual event had occurred. Obviously, such a system is more prone to false alerts than one that is based on hostile event fingerprints, but it has the significant advantage of being able to detect brand-new attack forms. Research on such systems has been ongoing for at least ten years, and most commercial products rely on finger-print databases.
While the idea of capturing cyber criminals in the act should be an appealing one to most computer forensic types, widespread use of such products won't have a huge effect on what investigators do. The biggest advantage to the investigator is that IDS systems provide new and convenient forms of event logging. Once an attack or illegal activity is suspected, the logging or recording function on an IDS can be used to monitor and record the suspect's behavior.
Information Sources on IDS
If you are interested in doing some further research in IDS, several excellent books are available. Stephen Northcutt's, Network Intrusion Detection is the best hands-on guide for an analyst. In fact, it's a helpful book for a number of network security issues, and you should probably read it if you want to learn more about network protocol attacks and their analysis. Rebecca Bace's Intrusion Detection (Indianapolis: Macmillan Technology Series, 2000) is more theoretical, like a college textbook, making it a nice contrast to Northcutt's book. She describes the philosophy and architecture of IDS more comprehensively and provides a complete overview of the last ten years of relevant IDS research.
If you would like to use a network Intrusion Detection System but can't afford one of the commercial applications, you should take a look at Snort.11