Part 2: Digital Forensics for the Aspiring Hacker (Network Forensics)

 Greetings once more, my apprentice hackers!


I started a new series on digital forensics lately to demonstrate to potential hackers what a forensic investigator may observe and do when looking into a cyberattack. The second part of that series, which focuses on network forensics, is available now. Stated differently, what, and how, can a network forensic investigator discover about the attacker during an investigation?


Step1: Get Wireshark

While there are several tools available for network analysis and research, Wireshark is the most commonly used tool for this purpose. You can get this free network analysis tool from this link. It has been ported to Windows, Unix, OS X, and Linux. Better yet, if you use BackTrack, there's no need to download anything because it's integrated into the program.


You can start Wireshark from the BackTrack menu by going to BackTrack -> Information Gathering -> Network Analysis -> Network Traffic Analysis and click on Wireshark.




Step2: Grab a Live Capture

The next step is to launch Wireshark, which can perform live captures in addition to analysis on pcap and other capture files. Have a live capture, please. A window similar to the one below will open when you select Capture from the menu at the top.


Select the active interface, which in this case is eth0, as I'm running it on a wired connection.


Step3: Our Problem

This is the issue that we are dealing with.

Our client has been complaining that his PC is acting strangely. His browser is constantly switching to a website informing him that he needs to purchase an antivirus program and that there is a virus on his machine. Everybody has witnessed this at some point.

His computer is also functioning slowly and a lot of advertisements are always popping up. There is a virus on this system. Let's try to figure out what this situation is all about.


Step4: Live Capture

We start by sniffing the traffic on the network and we can see the live packets go by like that below.


Take note of the three windows in Wireshark. Each packet is displayed, along with some basic information, in the upper pane. We can view every single bit and byte of the packet headers in the middle pane. The packet contents are displayed in both ASCII and hexadecimal on the bottom window.


Step5: Remote Attempts

The packets are listed in the order that they arrive in the far left column. Now let's examine packet 147. Somewhere on the Internet, we can observe a messenger packet from a gadget. By clicking on it, let's examine this packet in more detail. When we do, its features show up in a white window in the middle.


Nothing occurs since the messenger service is deactivated on this network. By examining the subsequent packet, an ICMP "Destination Unreachable" packet seeking a messenger connection that was returned to the IP, we can confirm it. This behavior is questionable.


Step6: Filter the Traffic

We must filter the traffic because there is so much of it passing by so that we only see the traffic that interests us. Clicking on traffic between 216.49.88.118 reveals that this address is a McAfee antivirus update (see the mention of mcafee.com in the ASCII section at the bottom of the window).

We can filter out this traffic so that it doesn't appear when we examine it because it is not hazardous. In this instance, our goal is to view any traffic that does not originate from the IP address 216.49.88.118. The filter window can be filled using the following filter. The background of the window will become green when the syntax is correct. To exclude an IP address, use the following syntax:

!ip.addr == 216.49.88.118


We have now blocked any traffic from an innocent address from appearing in our view. This makes it easier for us to concentrate on the other, possibly harmful traffic.

We have effectively filtered off the traffic going to and coming from McAfee, as seen in the snapshot below.




Step7: DNS Query

Let's now examine a few packets below. This screenshot demonstrates how the computer of our customer (216.148.227.68) displays a "standard query" to virtumonde.com via the DNS protocol in the second packet. This raises suspicions!


If we scroll down to packet 386, we can see our client's host goes out to the virtumonde.com server and requests a download. When we click on this packet and expand its HTTP protocol in the middle window, we can see "updates.virtumonde.com\r\n."


This is VERY suspicious activity, which suggests that our client's system is most likely reporting back to its home server after becoming infected with spyware or a rootkit.

As we continue to delve into the nuances of hacking and forensics, my budding hackers, don't forget to check back!

Comments

Post a Comment

Popular posts from this blog

Avoid Being Discovered! How to Prevent Data Forensics from Accessing Your Hard Drives

Image
The arrest of twenty-five Anons in Europe and South America, along with rumors of an FBI sweep on the east coast of the United States, make the situation for hackers precarious. I've been asked a number of concerns in the last few days concerning the removal of private information from hard drives. Concepts appear to cover a wide spectrum, from microwaves to magnets and all in between. I'll now go over some basic information on data forensics, including its operation and precautions you can take.  Anon frequently removes files from his computer, but it only tells half the story—the deleted files are still present. And when his door is kicked in and the FBI grabs his hard drive, they will have access to everything if the negligent anon doesn't take action to remedy that. Be not so anonymous. Computer Forensics: What Is It? The Individuals on CSI? The gathering, preserving, analyzing, and presenting of evidence pertaining to computers is known as computer forensics. In conclu
Read more

Part 3: Digital Forensics for the Aspiring Hacker: Recovering Deleted Files

Image
 My tenderfoot hackers, welcome back! I recently began a new series on digital forensics to help tenderfoot hackers from being detected and ultimately, incarcerated. In this installment of that series, we will look at recovering deleted files. This is important to hackers because you need to know that even when you delete files on your computer or on the victim's computer, a forensic investigator can usually recover them. Windows File System's As the majority of the victims' systems are probably Windows-based, let's concentrate on Windows systems and their file systems. Older Windows systems may still use the FAT filesystem, while the majority of modern Windows systems use the NTFS filesystem. Actually, if you are using a flash thumb drive, it is most likely formatted using the outdated FAT file system, which enables you to use it with ANY operating system, including Mac OS X and Linux. NTFS The "new" Windows, Windows NT (thus, NT File System), was being devel
Read more

Expert Predictions for the Cybersecurity Industry for 2024: Part I

Image
 The experts of My1Login, i-confidential, and OSP Cyber Academy share their forecasts for the year ahead in the first section of our roundup. As 2023 comes to an end, cybersecurity professionals should look into their crystal balls to see what the security industry might expect in the coming year. Experts from My1Login, i-confidential, and OSP Cyber Academy share their forecasts for the year ahead in the first section of our roundup. CEO of My1Login Mike Newman: Cloud migration will increase attack surface Organizations have been transforming over the past year, and more of their data and apps are now stored in the cloud. Although this has increased service availability and efficiency, it has also increased the corporate attack surface. Simultaneously, companies are moving their whole corporate directory to the cloud, usually using Microsoft Entra ID platforms. Due to the requirement for manual, password-based authentication, many of the applications that were previously connected with
Read more