Please Follow Instructions

Assignment due> 10/23 by 11 pm…Answer 2 questions 130 words each


need 2 references per answer … 1 reference from the attached pdf file ….. 1 reference from the internet.

APA style … Use (UMUC, 2013) when you use information from the attached pdf file …. I have included the reference

UMUC

Cybercrime Investigation and Digital Forensics


CSEC650

© UMUC 2011 Page 1 of 29

Contents
Topic 1: Scenario ... 2
  Scenario: Network Investigation at NAI ... 2
Topic 2: Module Introduction ... 4
Topic 3: Network Forensics: An Overview ... 5
  What is Network Forensics? ... 5
  Why We Need Network Forensics ... 6
Topic 4: Challenges in Network Forensics ... 8
  The Complexities of Network Forensics ... 8
  The Key to Network Forensic Investigations ... 9
  Case Study: Birth of the Earth ... 11
Topic 5: Botnets ... 14
  Botnets as a Network Forensic Antagonist ... 14
  Types of Botnets ... 16
  Challenges and Protection ... 17
  Activity: Annihilating the Internet ... 19
Topic 6: Performing Live Acquisitions ... 24
  Performing Live Acquisitions of Data ... 24
  Techniques to Improve Live Acquisitions of Data ... 25
Topic 7: Intrusion Detection and Monitoring ... 26
  Relevance to Network Forensics ... 26
Topic 8: Summary ... 27
Glossary ... 28


Topic 1: Scenario

Scenario: Network Investigation at NAI

Network Forensics
CSEC650—Module 7

Network Investigation at NAI
Steve Freeman, a senior network engineer at National Aerospace Industries (NAI),
notices some unusual activity on the company’s Wide Area Network (WAN). Steve
knows that network forensics can help solve cases of data leakage and network
intrusions by performing an in-depth and accurate analysis of the network.

He asks a network forensic investigator to conduct a forensic investigation on the
company’s network. Steve is hoping that the network forensic investigator can help
determine the cause of the unusual activity.

Scenario

Scene 1
Steve Freeman is the senior network engineer at NAI. He notices unusual activity on
NAI’s WAN, which serves about 1,200 users.

Scene 2
Steve: Our company’s network-management system has set off an alarm. There have
been repeated unsuccessful log-ins, and they’re all from Chief Financial Officer David
Thompson’s account.

Steve: I wonder if the simultaneous occurrence of the unusual activity on the WAN and
this alarm is a coincidence. I’d better review the alarm.

Scene 3
Steve: There have been 24 attempted log-ins within a five-hour period, from 1 a.m. to 6
a.m. on July 2.

Steve: This could be a serious security incident. I’ll run this by Judy Maines, our chief
forensic investigator.

Scene 4
A transcript of the conversation between Steve and Judy is reproduced below.

Steve: Hi, Judy. Do you have a moment?

Judy: Sure, Steve.

Steve: I noticed some unusual activity on our WAN. There were 24 unsuccessful
attempts to log in to the CFO’s account. I found this suspicious, so I’m hoping you can
look into the matter.

Judy: It definitely sounds suspicious to me. I’ll take a look.


Judy: Before I do that, I’ll see if I can arrange a conference call with Mr. Thompson.

Steve: Good idea. Let me know what happens.

Scene 5
Judy contacts Mr. Thompson’s secretary, who tells her that Mr. Thompson is in Florida
on a family vacation. Given the potentially serious nature of this situation, Judy contacts
him on his cell phone.

Scene 6
A transcript of the conversation between Judy and Mr. Thompson is reproduced
below.

Judy: Hello, Mr. Thompson. I’m sorry to call while you’re on vacation. There were
several unsuccessful log-in attempts from your account. Have you had any log-in
issues?

Mr. Thompson: No, I haven’t logged in to my account for a week. What do you plan to
do now?

Judy: We’re looking into it. I’ll let you know what we find.

Scene 7
Judy: I’m really concerned now. Is a hacker trying to get into the network? Could the
hacker already be inside, or is this just a glitch?

Scene 8
Judy: I’m going to conduct a rigorous network forensic review. I’d also better get our
incident response team involved.


Topic 2: Module Introduction

Network forensics is much more complicated than deadbox or file system forensics
because large networks have multiple entry and exit points. Conducting a forensic
investigation on a network is more difficult than analyzing a single computer because of
the complexities of network architectures.

This module focuses on network forensics, its associated concepts, and the challenges
related to network forensics. The first topic is a general overview of network forensics,
including the main approaches to it and the considerations a forensic examiner must
take into account. The second topic explores a series of challenges that are intrinsic to
the special aspects of network forensics. The third topic presents the analysis of a major
threat to network forensic analysis—botnet technology.

The fourth topic deals with the issues related to planning and completing a live
acquisition of network forensic captures. The final topic covers important aspects of how
to use network logs to support a forensic investigation. The module concludes with a
presentation of the important aspects of network intrusion detection and monitoring.


Topic 3: Network Forensics: An Overview

What is Network Forensics?

The original purpose of the Internet was to share and disseminate information among
physically separated parties by interconnecting networks. The early forms of networks
required hardwired cabling and Network Interface Cards (NICs). Today, networks range
from very small Personal Area Networks (PANs) to the vast Internet, and each network
level uses various protocols to ensure a smooth and secure flow of information. With
various protocols available for use at the network level, it is important to have a solid
understanding of how networks operate before moving on to forensics.

Most networks use TCP/IP to transmit and receive data from the Internet in a commonly
structured format. In order to transmit data, whole files are broken down into multiple
small data packets with source and destination addresses. As with an envelope being
delivered from one destination to another, a number of technological processes and
human actions exist to ensure accurate, timely, and secure delivery.

In computer networks, routers perform the main phases of delivering data to client
devices. Network forensics, therefore, involves acquiring/capturing, preserving, and
analyzing relatively large amounts of data. Ideally, a highly competent digital forensic
examiner will have an in-depth knowledge of the routers’ performance, as well as
security vulnerabilities and sources of evidence.
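The "envelope" view of a packet described above (a small chunk of a file carrying source and destination addresses, plus transport ports and flags) is exactly what a network forensic tool recovers from every captured frame before any higher-level analysis. The following is an added example, not code from the UMUC module: a minimal IPv4/TCP/UDP header parser in Python, with a constructed sample SYN packet whose addresses come from the RFC 5737 documentation ranges. Checksums are not validated; truncated or non-IPv4 input raises an error so a capture reader can count and skip damaged frames instead of mis-attributing them.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Added example (not part of the UMUC module): a minimal IPv4/TCP/UDP header
# parser that recovers the addressing fields the text describes. Checksums
# are not verified.

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


@dataclass
class PacketSummary:
    src_ip: str
    dst_ip: str
    protocol: int           # 6 = TCP, 17 = UDP; other values are reported raw
    ttl: int
    src_port: Optional[int]
    dst_port: Optional[int]
    tcp_flags: str          # comma-separated flag names, empty for non-TCP
    payload_len: int        # bytes after the transport header


def _dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def parse_ipv4_packet(raw: bytes) -> PacketSummary:
    """Parse one IPv4 packet (no link-layer header) into a PacketSummary.

    Raises ValueError on truncated or non-IPv4 input.
    """
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("IPv4 header length field is inconsistent")
    # Trust the captured length, not total_len, when the packet was cut short.
    end = min(total_len, len(raw)) if total_len >= ihl else len(raw)
    transport = raw[ihl:end]

    src_port = dst_port = None
    flags = ""
    payload_len = len(transport)
    if proto == 6 and len(transport) >= 20:
        src_port, dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", transport[:14])
        data_offset = (off_flags >> 12) * 4
        flag_bits = off_flags & 0x01FF
        flags = ",".join(n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i))
        payload_len = max(len(transport) - data_offset, 0)
    elif proto == 17 and len(transport) >= 8:
        src_port, dst_port, _ulen, _ucksum = struct.unpack("!HHHH", transport[:8])
        payload_len = len(transport) - 8
    return PacketSummary(_dotted(src), _dotted(dst), proto, ttl,
                         src_port, dst_port, flags, payload_len)


def build_sample_tcp_syn() -> bytes:
    """Constructed sample: a TCP SYN from 192.0.2.10:40000 to 198.51.100.5:443.

    Addresses are RFC 5737 documentation addresses; checksums are left at zero
    because the parser above does not validate them.
    """
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, (5 << 12) | 0x002, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip + tcp


if __name__ == "__main__":
    print(parse_ipv4_packet(build_sample_tcp_syn()))
```

In a real capture the frames would come from a pcap reader and carry an Ethernet header first; the parser deliberately takes only the IP layer so the same function works for any link type once that header is stripped.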


Topic 3: Network Forensics: An Overview

Why We Need Network Forensics

The Need for Network Forensics
An important question to ask about network forensics concerns its value to an
organization. Network forensics is useful in capturing an attack fingerprint and
performing post attack analysis for security exploits. Using network forensics, a forensic
examiner can analyze historical network traffic. Such analyses help examiners
investigate security attacks. Network forensics helps to reconstruct the sequence of
events that occurred during the breach to get the complete picture.

Cybersecurity attacks have become common these days. A Distributed Denial of Service
(DDoS) attack on Bitbucket.org—a Web-based code-hosting service that relies on
Amazon’s Elastic Compute Cloud (EC2)—and a DDoS attack on Facebook and Twitter
in August 2011 are headline examples (WildPackets, n.d., p. 3).

In addition, IT professionals commonly use network forensics to do these things
(WildPackets, p. 3):

Enhance network performance.

Improve the organization’s intrusion-detection technologies.

Identify any rogue devices that reside on the network.

Prevent computer malware and network hacks.

Reference: WildPackets. (n.d.). Network Forensics 101: Finding the Needle in the Haystack. Retrieved from
https://mypeek.wildpackets.com/elements/whitepapers/Network_forensics101

The Benefits of Network Forensics

Monitoring User Activity
Monitoring user activity is an important aspect of workplace productivity as well as
cybersecurity. For instance, social networking sites are known to create a significant
decrease in worker productivity. As a result, many organizations have implemented
policies that prohibit or minimize such activities (WildPackets, p. 3).

In addition, organizations have policies prohibiting non-work-related activities—such
as online gaming and movie watching—that use network resources. Network forensics
can monitor these types of activities and provide management with the evidence
required to take disciplinary action against employees who violate an organization’s
policies (WildPackets, p. 4).

Identifying the Source of Data Leaks
Network monitoring helps to supervise the flow of data and to detect data leaks. If a
data leak occurs in a monitored network, network monitoring can reveal vital
information, such as what and how much data has been leaked (WildPackets, p. 4).

In addition, a digital forensic investigator can identify the root of the problem,
determine whether the leak was intentional or accidental, and trace who or what
caused the leak. It is important to secure data because the tangible and intangible
costs of a data leak can run into millions of dollars.

Analyzing Business Transactions
Audit trails are an extremely useful source of network forensic information. This is
true for all key business transactions and is even more important for systems and
protocols that transmit data in plain text, such as Hypertext Transfer Protocol
(HTTP), File Transfer Protocol (FTP), Telnet, and Structured Query Language (SQL)
(WildPackets, p. 4).

Network administrators are the owners of audit logs, so they bear accountability for
maintaining and archiving these logs, some of which may be initiated by the
organization’s customers. If there are problems with certain business transactions,
network forensic techniques often can be used to resolve them.


Identifying the Source of Intermittent Network Performance Issues
A practical application of network forensics is the identification of network
performance issues in an organization’s LAN or WAN through retrospective analysis.
Network forensic tools are more scientific and reliable than traditional troubleshooting
tools, and a timeline analysis can provide the information required to plot and
analyze all detailed and significant network events (WildPackets, p. 4).

Through network forensics, a forensic investigator can answer questions about how
the network performed in a given time period by examining every packet that was
transmitted across the network. Common examples of network traffic include FTP
traffic, Web browsing, e-mail messages, and instant messages.


Topic 4: Challenges in Network Forensics

The Complexities of Network Forensics

In contemporary enterprises, it is important to think about the range of devices that send
and receive data within a company’s network. In addition to traditional computers, many
other devices are in use today—laptops, netbooks, mobile devices, and Small-Scale
Digital Devices (SSDDs), such as the iPad and the Galaxy tablet.

Although most networks are under the control and security of the company, other
networks, such as the cellular network, satellite network, and Internet Service Providers
(ISPs), are external and outside the company’s control. These external networks may
have valuable network forensic artifacts, such as network event logs, system logs, or
information from individual servers. Log files are perhaps the most important sources of
network data because they contain information about devices, Internet activities,
services, and the active state of network data, which can prove to be valuable network
forensic information.


Topic 4: Challenges in Network Forensics

The Key to Network Forensic Investigations

To investigate why the system raised an alarm, Judy, NAI’s chief forensic investigator,
decides to call a meeting with Steve and two other members of her team—Calpurnia and
Jean. In this meeting, Judy hopes to discuss the merits of analyzing network logs
because she intends to conduct a log review of NAI’s network to trace the cause of the
alarm.

A transcript of the discussion among Judy and her team is reproduced here.

Judy: Thank you all for taking the time to attend this discussion.

Judy: I’m hoping we can conduct a log review of NAI’s network, and I’d like to hear your
thoughts about the merits of conducting such a review.

Calpurnia: I think it’s a good idea. At the very least, the network logs can provide
information about the evidence trail of network events.

Jean: I agree. The ability to analyze network logs is a big advantage for us.

Steve: It’ll be a big help if we can verify the entry points, personnel involved, and
systems used to access the network.

Judy: Yes, our organization had the foresight to make decisions about how the
information is logged and retained.

Jean: Judy, network log files can be extremely large. I suggest we establish accurate
network log analysis processes, data-retention policies, and toolkits to analyze this
information.

Calpurnia: We can start with the event logs, which provide date-time stamps that can be
essential in developing a timeline analysis for our investigation.

Steve: There are a number of third-party software applications that will allow us to
establish filters of these network logs.

Jean: That should reduce the amount of data in the logs.

Judy: Going forward, I’ll see if we can assign the information security officer’s staff to
review these logs as part of their daily responsibilities and to back up the information
regularly.

Jean: Sounds good. How about using freeware tools to handle the complex and data-
intensive aspects of network log analysis?

Calpurnia: Sure. Many freeware tools provide filtering and data-reduction capabilities.
We can use them to improve our efficiency!


Judy: We’ll go ahead with reviewing the network logs. Let’s get to work and keep each
other informed of any developments.
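The review Judy's team agrees on above (parse event records with their date-time stamps, filter to reduce the volume, and use the timestamps for a timeline) can be demonstrated against the alarm from the opening scenario: repeated failed log-ins on one account within a few hours. The block below is an added example, not NAI's or the module's own tooling; the log format and the sample lines are constructed for the example (RFC 5737 documentation addresses, an invented `dthompson` account), and the threshold and window are parameters a reviewer would tune to the organization's own baseline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Added example (not from the UMUC module): parse authentication events, flag
# accounts with repeated failures inside a sliding window, and bucket failures
# by hour for a timeline. Log format and sample lines are constructed.

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (RFC 5737 addresses). One corrupt line is included
# to show that a damaged record is skipped, not fatal.
SAMPLE_LOG = """\
2011-07-02T00:58:40 auth OK user=alice src=192.0.2.20
2011-07-02T01:02:11 auth FAIL user=dthompson src=203.0.113.45
2011-07-02T01:31:05 auth FAIL user=dthompson src=203.0.113.45
2011-07-02T02:14:49 auth FAIL user=dthompson src=203.0.113.45
2011-07-02T02:40:03 auth FAIL user=alice src=192.0.2.20
2011-07-02T03:22:17 auth FAIL user=dthompson src=203.0.113.46
2011-07-02T04:05:58 auth FAIL user=dthompson src=203.0.113.45
2011-07-02T05:48:30 auth FAIL user=dthompson src=203.0.113.46
2011-07-02T09:15:00 auth OK user=alice src=192.0.2.20
this line is corrupt and must be skipped rather than crash the review
""".splitlines()


@dataclass
class AuthEvent:
    ts: datetime
    result: str
    user: str
    src: str


@dataclass
class Finding:
    user: str
    count: int
    first: datetime
    last: datetime
    sources: Set[str] = field(default_factory=set)


def parse_auth_log(lines: List[str]) -> List[AuthEvent]:
    """Parse well-formed lines; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]),
                                    m["result"], m["user"], m["src"]))
    return events


def detect_repeated_failures(events: List[AuthEvent], threshold: int = 5,
                             window: timedelta = timedelta(hours=5)) -> Dict[str, Finding]:
    """Flag users with >= threshold failed log-ins inside any sliding window."""
    fails = defaultdict(list)
    for e in events:
        if e.result == "FAIL":
            fails[e.user].append(e)
    findings: Dict[str, Finding] = {}
    for user, evs in fails.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (user not in findings or count > findings[user].count):
                findings[user] = Finding(user, count, evs[start].ts, evs[end].ts,
                                         {e.src for e in evs[start:end + 1]})
    return findings


def hourly_timeline(events: List[AuthEvent], user: str) -> Dict[str, int]:
    """Failed log-ins per hour for one account, for a timeline report."""
    buckets: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.user == user and e.result == "FAIL":
            buckets[e.ts.strftime("%Y-%m-%d %H:00")] += 1
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for f in detect_repeated_failures(evs).values():
        print(f"{f.user}: {f.count} failures {f.first} .. {f.last} from {sorted(f.sources)}")
        print(hourly_timeline(evs, f.user))
```

The sliding window matters: a fixed calendar-hour count would miss a burst that straddles two hours, while the window catches any run of failures regardless of where it starts. Recording the set of source addresses alongside the count is what lets the reviewer decide whether the entry point is one host or several.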


Topic 4: Challenges in Network Forensics

Case Study: Birth of the Earth

Background
New England–based Birth of the Earth is a leading manufacturer of outdoor clothing and
footwear. The company uses a WAN to connect more than 850 users across its
corporate offices, call center, and manufacturing plant. Last week, the company’s digital
forensic investigator, Joe Schumer, received a call from the networking group in the
Information Systems department, reporting an active network intrusion at the company.

Methodology
As an experienced digital forensic investigator, Joe used the Investigations Triad
methodology to conduct his investigation. The Investigations Triad method involves
connecting the three main challenges in network forensics: vulnerabilities, intrusion
response, and investigations.

Reference: Caballero, A., & Fidge, S. Network Forensics: SIEM, the Investigations Triad, and SANS Top-20
Vulnerabilities. Retrieved from http://megabyteconcepts.com/Documents/ASC_Network_Forensics

Vulnerabilities

Vulnerabilities in IT systems are frequently unknown or are not immediately detected.
Network forensic tools can help identify vulnerabilities and provide detailed information
to the appropriate administrator, whose responsibility it is to fix vulnerabilities.

Intrusion Response
Intrusion response can create a particularly challenging situation for digital forensic
investigators. One of the fundamental questions debated in such investigations is
whether to shut the network down immediately or observe the intruder’s behavior to
gather more evidence. The obvious risk of having the intruder on the network for an
extended period is that he or she can further damage the network. Conversely, tracking
the intruder’s actions can help acquire sufficient evidence to pursue a strong legal case.

Investigations
Investigations can revolve around an employee, a small group of employees, and/or
outsiders. Most investigations begin with an analysis of all available logs and short
interviews of key personnel, followed by the use of commercial or open-source tools to
acquire evidence. Finally, the digital forensic investigator examines and analyzes the
evidence.

Try This!

Choose all the correct answers.

Question 1: How did the networking group at Birth of the Earth detect the intrusion in
their network?
a. They analyzed the network logs.
b. They identified data leakage.
c. They replaced computer hardware.
d. They fixed the CEO’s laptop.

Correct Answers: Options a and b

Feedback:
Analyzing network logs and identifying data leakage can help identify network intrusions.

Question 2: Select the network(s) that network forensic tools and investigative
techniques can be useful with.
a. Local Area Network (LAN)
b. Personal Area Network (PAN)
c. Wireless network
d. Wide Area Network (WAN)

Correct Answers: Options a, b, c, and d

Feedback:
Network forensic tools are useful with all types of computer networks.

Question 3: Which term refers to a type of record that should be kept for all business
transactions and is often useful to digital forensic investigators?
a. General journal
b. Audit trail
c. Purchase requisition
d. Inventory listing

Correct Answer: Option b

Feedback:
Audit trails document the flow of business transactions on a step-by-step basis.

Question 4: What type of process is a network forensic investigation?
a. Proactive
b. Experimental
c. Reactive
d. Educational

Correct Answer: Option c


Feedback:
Most network forensic investigations are reactive in nature because they respond to an
internal investigation, network intrusion, or criminal investigation.

Question 5: Network forensic tools are used to conduct digital investigations. Select
another situation in which network forensic tools can be used.
a. Training users about cybersecurity awareness
b. Diagnosing network performance issues
c. Testing antivirus signatures
d. Evaluating IT personnel performance

Correct Answer: Option b

Feedback:
Network forensic tools can be very useful in helping network administrators and
engineers diagnose network performance problems.


Topic 5: Botnets

Botnets as a Network Forensic Antagonist

Introduction
Botnets, or robot networks, are one of the most serious and insidious threats facing the
computing community today. Since their emergence in the late 1990s, botnet attacks
have increased in severity, frequency, scale, scope, and sophistication. With botnets
demonstrating robust and advanced capabilities, the lack of standardized and effective
investigative procedures for battling them poses huge challenges for forensic engineers.

Bot
A bot is an autonomous application that is often malicious in nature, such as a piece of
code that allows an attacker to commandeer a computer without the owner’s knowledge.
Bots turn the victim’s computer into a robot or “zombie” that the attacker can control
remotely.

Botnet
A botnet is a collection of computers infected by bots. A botnet is formed by running
software, which is usually installed via drive-by downloads that exploit Web browser
vulnerabilities, ActiveX controls, plug-ins, or any other applications that a computer
requires to browse the Internet. Bots can control viruses, worms, Trojan horses, or
backdoors under a common command-and-control infrastructure.

Botnet Attacks
Botnet attacks can have serious consequences, such as financial loss, including
regulatory noncompliance fines and litigation fees associated with the theft of sensitive
second- and third-party data or intellectual property leakage; damage to reputation; and
the time and costs associated with preventing, detecting, and resolving attacks of fraud,
DDoS, and spam (EdgeWave, 2011).

Reference: EdgeWave. (n.d.). iPrism Technology. ThreatDefender.com. Retrieved from
http://www.threatdefender.com/Web-Filter-Technology.asp

How Botnets Work
A bot herder or botmaster controls botnets remotely, usually through an Internet Relay
Chat (IRC), which is a form of real-time communication over the Internet, or peer-to-peer
(P2P) networking communications. Often the command-and-control takes place via a
server known as the command-and-control server (C&C), over a network, or through a
unique encryption scheme for stealth and protection against detection or intrusion into
the botnet network. A bot typically runs hidden and uses a covert channel standard, such
as Instant Messaging (IM), to communicate with its C&C server.

The Botnet Life Cycle
The life cycle of a botnet typically includes four phases: spread, infect, command and
control (C&C), and attack.


Spread
In the spread phase, the bots propagate to form many botnets and infect systems
through varied means, such as spam and download of malicious code. The goal of this
phase is to infect a system. The bot herder attempts either to trick the user into installing
malicious code or to exploit vulnerabilities in the user’s system.

Infect
Once malicious code is installed on a user’s computer, the malicious code uses various
techniques to infect the system and to hide its presence. These well-established
techniques range from polymorphism (the code changes with every new instantiation), to
rootkitting (the stealthy installation of malicious software), to actively targeting the
protective measures (for example, the antivirus software, the intrusion detection or
intrusion protection system [IDS/IPS], and the firewall).

Command and Control
Botnet C&C servers use a number of protocols, such as IRC, P2P, and HTTP, to
communicate and control the bots. Social networking sites are prime targets for botnet
C&C servers.

Attack
The final phase of the life cycle, the attack, involves the distribution of spam that is
carrying the infection, targeted DDoS, and/or fraudulent activities. When the attack is
successful, the size of the botnet can increase exponentially.


Topic 5: Botnets

Types of Botnets

Attackers have different motives for using botnets. The most common incentives,
however, are financial gain and destruction.

Fraud
Fraud can take many forms and can be committed through many media, including
“snail mail,” wire, and telephone. Fraud is also committed over the Internet in various
forms. For example, identity theft is one of the fastest-growing crimes on the Internet,
and it is commonly initiated by bogus e-mail messages generated and sent by bots
via spam. Bots can also harvest personal information through multiple fake Web
sites by masquerading as popular auction Web sites, online money-transfer sites, or
banks.

Spamming
Bots can spam a compromised computer via a generic proxy protocol for TCP/IP-
based networking applications. Some bots can also implement a special function to
harvest e-mail addresses and other personal information.

Distributed Denial of Service Attacks
Botnets are often used to carry out Distributed Denial of Service (DDoS) attacks on
computer systems or networks. A DDoS attack causes a loss of service to users,
including the loss of network connectivity and services, by consuming the bandwidth
of the victim network or by overloading the computational resources of the victim
system.

Sniffing Traffic
Bots can use packet sniffers to watch for and retrieve sensitive clear-text data, such
as usernames and passwords, passing by a compromised computer.

Keylogging
Attackers use keylogging to retrieve encrypted sensitive data that sniffers cannot
decrypt. By monitoring each keystroke a user types on his or her keyboard, an
attacker can obtain a variety of user-specific information.

Spreading New Malicious Code
Because all bots implement mechanisms to download and execute a file via HTTP or
FTP, botnets usually spread new bots. They can also spread e-mail viruses, Trojans,
worms, and other malicious code.


Topic 5: Botnets

Challenges and Protection

Challenges of Handling Botnets
The expertise of investigators who handle botnets varies from organization to
organization. Some organizations use advanced techniques, and others may have
insufficient knowledge and tools to handle any type of botnet analysis. These differences
reiterate the need for standardization, coordination, and corroboration of competencies
among digital investigators and jurisdictions.

The need to improve the speed and quality of botnet investigations requires the
development of a systematic approach and investigative toolset to handle botnets. This
means that forensic investigators should examine botnets at both the local level and the
network level.

Botnets are constantly evolving. For example, they have moved from a centralized C&C
structure to a distributed one, thereby increasing the complexity of network- and local-
level investigations. The botnet infection and the control mechanism on infected hosts
are generally quite similar, straightforward, and stable in nature. Therefore, relevant
digital traces from a local machine can be collected to supplement any subsequent
network-level investigation (Law, Chow, Lai, & Tse, 2009, p. 162).

Reference: Law, F. Y. W., Chow, K. P., Lai, P. K. Y., & Tse, H. K. S. A Host-Based Approach to BotNet
Investigation? Center for Information Security & Cryptography. Retrieved from
http://www.cs.hku.hk/cisc/forensics/papers/09_05

Polymorphism
Polymorphism is a condition in which bots change with every instantiation so that
they always appear to be new.

Rootkitting
Rootkitting is the stealthy installation of software called a rootkit, which is activated
each time a user boots up the system. Rootkits are difficult to detect because they
are activated before the system’s operating system has completely booted.

Periodic Communications
A botnet communicates with its controller only periodically. Therefore, the low
volume of communication makes it more difficult to analyze.
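Low-volume, periodic check-ins are hard to see in raw volume counts, but their regularity is itself a signal: a human browsing session has irregular gaps between connections, while a bot that polls its controller on a timer produces gaps that are nearly constant. The block below is an added defender-side example, not from the module, that scores each (internal host, external host) pair in a set of connection records by the coefficient of variation of its inter-connection intervals. The connection records are constructed (RFC 5737 addresses); the `min_count` and `max_cv` thresholds are assumptions a reviewer would calibrate against normal traffic.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Added example (not from the UMUC module): flag host pairs whose connections
# arrive at a near-constant interval, the signature of periodic C&C check-ins.
# Connection records are constructed for this example.


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    bytes_out: int


@dataclass
class BeaconScore:
    count: int
    mean_interval_s: float
    cv: float            # stdev / mean of the intervals; near 0 means periodic
    periodic: bool


def _conns(src: str, dst: str, offsets_s: List[int], size: int) -> List[Conn]:
    base = datetime(2011, 7, 2, 1, 0, 0)
    return [Conn(base + timedelta(seconds=o), src, dst, size) for o in offsets_s]


SAMPLE_CONNECTIONS: List[Conn] = (
    # ~10-minute check-in with a few seconds of jitter, tiny payload
    _conns("192.0.2.30", "198.51.100.77", [0, 598, 1203, 1799, 2405, 2999, 3601, 4202], 212)
    # ordinary bursty browsing: irregular gaps, larger transfers
    + _conns("192.0.2.31", "198.51.100.8", [0, 45, 900, 1000, 3500, 3520, 5000], 8450)
    # too few connections to judge either way
    + _conns("192.0.2.32", "198.51.100.9", [0, 600], 300)
)


def find_periodic_pairs(conns: List[Conn], min_count: int = 6,
                        max_cv: float = 0.15) -> Dict[Tuple[str, str], BeaconScore]:
    """Score every (src, dst) pair with at least min_count connections."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c.ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue            # not enough samples to estimate regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        scores[pair] = BeaconScore(len(stamps), m, cv, cv <= max_cv)
    return scores


if __name__ == "__main__":
    for pair, s in find_periodic_pairs(SAMPLE_CONNECTIONS).items():
        flag = "PERIODIC" if s.periodic else "irregular"
        print(f"{pair[0]} -> {pair[1]}: n={s.count} mean={s.mean_interval_s:.0f}s cv={s.cv:.3f} {flag}")
```

A periodic pair is a lead, not a verdict: software updaters and monitoring agents also poll on timers, so the next step is to check the destination against known-good services and look at what the connections carry.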

Retaliatory Denial of Service
Live investigations involving retaliatory DoS attacks can cause botmasters to expand
their attack and cause even more damage. Retaliatory DoS attacks are risky and
generally should be avoided unless the digital forensic examiners feel there is value
in pursuing them.

Distributed Denial of Service
A botnet can cause packet flooding from numerous external IP addresses against an
organization’s network. Packet flooding can exceed a server’s capacity and
overwhelm or crash the system.


Fast Flux
Botnets use a Domain Name Server (DNS) technique called fast flux to hide phishing
and malicious code delivery sites behind an ever-changing network of compromised
hosts acting as proxies. Fast flux makes bot networks more resistant to discovery
and countermeasures through a combination of peer-to-peer networking, distributed
command and control, Web-based load balancing, and proxy redirection.
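From the resolver's side, the fast-flux pattern described above is observable: the same name resolves to many different addresses spread across unrelated network prefixes, with TTLs short enough that clients re-query every minute or two. A legitimate CDN also uses short TTLs, but it cycles through a small, stable pool of addresses, which is the discriminator the heuristic below relies on. This is an added example, not from the module; the DNS observations are constructed (RFC 5737 addresses, reserved `.example` names) and the thresholds are assumptions to calibrate against the organization's own resolver logs.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

# Added example (not from the UMUC module): score names seen in resolver logs
# for fast-flux behaviour (many distinct A records across several prefixes,
# returned with short TTLs). Observations below are constructed.


@dataclass(frozen=True)
class DnsAnswer:
    lookup_no: int     # which query in the capture produced this A record
    qname: str
    ttl: int
    ip: str


def _answers(qname: str, ttl: int, ips_per_lookup: List[List[str]]) -> List[DnsAnswer]:
    return [DnsAnswer(i, qname, ttl, ip)
            for i, ips in enumerate(ips_per_lookup) for ip in ips]


SAMPLE_DNS: List[DnsAnswer] = (
    # every lookup returns a fresh pair of addresses from three different /16s
    _answers("flux-candidate.example", 60, [
        ["192.0.2.11", "198.51.100.3"], ["203.0.113.14", "192.0.2.57"],
        ["198.51.100.90", "203.0.113.200"], ["192.0.2.99", "198.51.100.41"]])
    # a CDN-style name: short TTL, but a stable pool of three addresses in one prefix
    + _answers("cdn.example", 60, [
        ["198.51.100.10", "198.51.100.11"], ["198.51.100.12", "198.51.100.10"],
        ["198.51.100.11", "198.51.100.12"], ["198.51.100.10", "198.51.100.11"]])
    # an internal name: one address, long TTL
    + _answers("intranet.example", 3600, [["192.0.2.5"]] * 4)
)


def _prefix16(ip: str) -> str:
    return ".".join(ip.split(".")[:2])


@dataclass
class FluxScore:
    lookups: int
    distinct_ips: int
    distinct_prefixes: int
    mean_ttl: float
    flagged: bool


def score_fast_flux(answers: List[DnsAnswer], min_ips: int = 6,
                    min_prefixes: int = 3, max_ttl: int = 300) -> Dict[str, FluxScore]:
    """Flag a name when it spreads over many addresses and prefixes with a short TTL."""
    by_name: Dict[str, List[DnsAnswer]] = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    scores = {}
    for name, rows in by_name.items():
        ips = {r.ip for r in rows}
        prefixes = {_prefix16(ip) for ip in ips}
        ttl = mean(r.ttl for r in rows)
        flagged = len(ips) >= min_ips and len(prefixes) >= min_prefixes and ttl <= max_ttl
        scores[name] = FluxScore(len({r.lookup_no for r in rows}), len(ips),
                                 len(prefixes), ttl, flagged)
    return scores


if __name__ == "__main__":
    for name, s in score_fast_flux(SAMPLE_DNS).items():
        print(f"{name}: ips={s.distinct_ips} prefixes={s.distinct_prefixes} "
              f"ttl={s.mean_ttl:.0f}s {'FLUX?' if s.flagged else 'ok'}")
```

The /16 prefix grouping is a crude stand-in for "different networks"; with access to routing data a reviewer would group by autonomous system instead, which separates a CDN's own address space from a scattering of compromised home connections far more reliably.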

Encrypted Channels and Code
The use of code-hardening techniques increases complexity for reverse engineering.
Code obfuscation, encryption, and encoding further hide the true nature of the
malicious code.

Botnet Protection
The most common approach to protecting networks against botnets is to use several
firewalls and a layered security approach. Such protection may include full-fledged
security systems covering all levels of the network, from individual computers to the
servers, LANs, and external connectivity to the Web.

Other methods to protect networks include installing intrusion detection systems and
protection at the gateway to e-mail servers, and disabling unused ports used for FTP
applications and IRCs, which are the applications most commonly used for
communication with the bot herder. Isolating infected computers from the network
immediately after an attack is detected, and educating users via training and security
awareness are also protection mechanisms.

Topic 5: Botnets

Activity: Annihilating the Internet

It’s time to end the electronic age and save the world from its wired and impersonal
existence. Let’s cut some wires, spread infection, and herald destruction—but in good
faith. You are the chosen one! You are hereby crowned Botmaster.

Phase I: Organizing Your Botnet Technology
You are now Botmaster, and it is your responsibility to begin annihilating the Internet!
You have a budget of $1,500 to fund your dastardly deeds. Your first step will be to
establish a command-and-control structure, which will allow you to gain the largest
amount of information possible. As everyone knows, information is money!

Get started!

Welcome to the malware factory!

Carry out all necessary steps to acquire the tools you will need in your toolbox.

Step 1: Select the malware you want to create for annihilation. Keep in mind your
budget and your goal of producing an appropriate impact!
a. Virus: $100 Low Impact
b. Worm: $250 Low Impact
c. Trojan Horse: $400 Low Impact
d. Rootkit: $750 High Impact

Step 2: Select the distribution mechanism for your malware.
a. Through a rogue distribution of a popular software program: $200
b. Via a downloadable game: $250
c. Through a Web browser: $175
d. As an e-mail attachment: $125

Step 3: How about customizing your malware to make it unique? Select a tool from the
options below.
a. Code Monster: $200

The Code Monster will allow you to develop and customize your malware code. You
can choose to combine your malware with existing programs to develop superlatively
malicious software.

b. Web Map: $250
Use the Web Map to keep track of your work. You can configure the Web Map to
notify you when your malware infects new computers, to track the activities of other
hackers, and to identify new targets to attack. Your targets can include private- and
public-sector computers and Web sites. The Web Map comes equipped with various
resources, such as the results of passive scans of networks.

c. Malware-Gro Toolkit: $275
Use the Malware-Gro Toolkit to determine the size of your botnet. You can even
begin small and then grow, depending on your interest and the amount of damage
and chaos you want to create. The Malware-Gro Toolkit has built-in tools to destroy
huge sections of cyberspace.

Step 4: Time to create the program to launch the attack!

Phase II: Selecting Your Victim

You have created your malware. Now it’s time to select your first victim! Read the
victim’s profiles and the chat transcripts below. Then select a victim to launch the
attack.

Zombie 1: Rob Flower
Rob is an elderly man who lives in a retirement community. He uses the Internet to
communicate with his children, who live abroad.

Zombie 2: Gareth Owen
Gareth is a young IT professional. He has recently been hired as a software developer.

Zombie 3: Martha Booth
Martha teaches at a university in the United Kingdom. She teaches economics and uses
the Internet to keep up with current economic news and developments.

Zombie 4: Michael Thomas
Michael is a college student. He uses the Internet to stay connected with his friends and
to learn about new technology. An avid blogger, he usually blogs about music, travel,
and changing technological trends.

A transcript of the chat between the Botmaster and Martha/Gareth is below.

Botmaster: Hello! I am Botham. I work as a travel agent. Are you interested in traveling to
exotic destinations?

Martha/Gareth: I do not talk to strangers, Botham. I hope you don’t mind.

A transcript of the chat between the Botmaster and Rob/Michael is below.

Botmaster: Hello! I am Botham. I work for a travel agent. Are you interested in traveling
to exotic locations?

Rob/Michael: Yes, I am.

Botmaster: Great! I love traveling too, and was hoping to meet people on the Internet
who share my interests.

Rob/Michael: Hmm.

Botmaster: So…do you travel budget or luxury?

Rob/Michael: Budget. I’d love to go on a luxury vacation.

Botmaster: In that case, here’s a trade secret! You must check out this Website we use.
It has special weekly offers on five-star resorts.

Rob/Michael: Really? Can you send me the link?

Botmaster: Sure. Here it is: www.travelabroad.com. I know you will enjoy it. I use it all
the time.

Rob/Michael: Thank you for your suggestion. Nice to meet you in cyberspace!

Botmaster: You too. I hope your next trip is really fun.

Feedback if you selected Rob or Michael as your victim:
Congratulations!

You have infected the victim’s computer with your malware.

Feedback if you selected Gareth or Martha as your victim:
Operation failed!

The chat transcript indicates that this person will not be an ideal victim. Select another
victim.

Phase III: Retaliation by the Infected Zombie
You will now step into the shoes of the victim. Look at the incident from the victim’s
perspective.

The victim’s train of thought is reproduced below.

Victim: I cannot believe it. I have all kinds of unauthorized charges on my credit cards,
and someone has dipped into my checking account, too.

Victim: Could I have been the victim of a botnet attack? I remember reading about how
victims of botnet attacks lose their personal identity and financial security.

Victim: I’m sure I didn’t share my bank or credit card details with anyone.

Victim: Hmm … the withdrawals from my account began a couple of days after I visited
that travel Website.

Victim: The site was really useful, and I booked my next vacation almost for free.
However, they say there’s no such thing as a free lunch. Is it possible my computer is
infected with some type of malware?

Victim: I’m angry at myself for not being more careful. I never thought I was a gullible
person, but I’m going to have to be more careful.

Victim: I would love to track that person down while I try to clean up this mess I’ve
gotten myself into. I’d better start by educating myself before I do any more chatting
online!

Learn More
Test your knowledge of botnets by answering the following questions.

Question 1: Select the best methods to protect a system from botnet attacks.
a. Disable unused ports.
b. Establish several firewall layers.
c. Install an intrusion detection system.

Correct Answers: Options a, b, and c

Feedback:
All of these methods help protect your computer system from botnet attacks.

Question 2: The botnet life cycle involves four key steps. Select the steps in correct
order of occurrence.
a. Command and control, spread, attack, and infect
b. Attack, spread, infect, and command and control
c. Spread, infect, command and control, and attack
d. Infect, command and control, spread, and attack

Correct Answer: Option c

Feedback:
The proper sequence of steps in the botnet life cycle is: spread, infect, command and
control, and attack.

Question 3: Which of the following malicious goals can botnets accomplish?
a. Spamming
b. Fraud
c. Antivirus protection
d. DDoS attacks

Correct Answers: Options a, b, and d

Feedback:
Spamming, fraud, and DDoS attacks are common malicious goals of botnets.

Question 4: What challenges do digital forensic investigators face in detecting botnets?
a. Polymorphism
b. Fast flux
c. Covert channel communications
d. Rootkitting

Correct Answers: Options a, b, c, and d.

Feedback:
Polymorphism, fast flux, covert channel communication, and rootkitting are all
challenges for digital forensic investigators in detecting botnets.

Question 5: What are common terms for the individual who controls a botnet?
a. Network engineer
b. Botmaster
c. Bot herder
d. Script kiddie

Correct Answers: Options b and c

Feedback:
Botmaster and bot herder are the most common terms for a person who controls a
botnet.

Question 6: Select a tool that one can use to track down a botmaster.
a. Traceroute
b. Wireshark
c. Pingplotter
d. Whatsup

Correct Answers: Options a, b, c, and d

Feedback:
All of these tools can show the path taken by packets, or the packets themselves, between
one's computer and a remote address. Note that the address they reveal is usually only the
nearest hop of the botnet, such as a fast-flux proxy or a compromised relay, so they are a
starting point for tracing a botmaster rather than a way to identify that person directly.

Topic 6: Performing Live Acquisitions

Performing Live Acquisitions of Data

Network forensic projects involving live acquisition of data are widespread. Conducting a
live acquisition of data is helpful in large companies, where taking a network offline to
collect forensic information can have an enormous impact on the company’s production.
It is important, then, that cybersecurity professionals understand the precautions needed
to perform a live acquisition of network data.

Coordination
It is essential to coordinate the authorization and acquisition approach with the
organization’s network engineering group. This will minimize the potential adverse
effects of working with live data, such as data corruption and system crashes.

Coordination with other IT professionals is essential in any digital investigation, and
even more so in live acquisition, because the risks involved are considerably higher than
with other forensic procedures such as deadbox analysis or the examination of a
smartphone for forensic information.

Timing
Timing is another crucial aspect of acquiring live network data. Event logs, e-mail
messages, and data files are among the most important forensic information needed in an
investigation, and on a live network much of it is transient: logs rotate, connection
tables change, and traffic that is not captured as it passes is gone. It is equally
essential that all legal procedures and precautions are satisfied before the data is
collected and used, not afterwards. Permissions can be obtained from internal legal
counsel and, where appropriate, law enforcement officials.

Techniques to Improve Live Acquisitions of Data

Digital forensic researchers have identified several methods to improve the live
acquisition of network data. Judy conducts a presentation to teach her team members
techniques for improving the live acquisition of data.

Recommendation 1: Position the collector as close as possible to the source
of information.
Both the physical and the logical distance from the source of information must be
considered. The collector should be as close as possible to the evidence source, both
physically (the same segment or tap) and logically (the fewest intervening routers,
proxies, and NAT devices). Proximity minimizes latency and the potential loss of
evidence, and it strengthens the case for the authenticity of the evidence, because
fewer devices have had the chance to alter or drop the traffic.

Recommendation 2: Perform write blocking of the evidence.
Perform write blocking to maintain the integrity of the evidence. For a network source
this means a receive-only connection, such as one-way Ethernet cables or a read-only
capture device, so that the collector cannot transmit into, and thereby alter, the
network under investigation. Write blocking should be performed in front of a witness,
and both the procedures and the results should be documented. The documentation will
serve as verification of the data's integrity.

Recommendation 3: Define workable boundaries to collect relevant data.
Define workable boundaries so that the investigator collects relevant data. On
high-speed networks, data arrives faster than it can be fully captured in a live
environment, so an unfiltered capture will drop packets. Coordinating with the
organization's IT staff to develop capture filters and other technical controls, and to
record what those filters exclude, is helpful.

Recommendation 4: Ensure that documentation requirements are met.
Nikkel (2006) makes seven specific recommendations for documentation:

1. Diligence on the forensic investigator's part
2. Adherence to accepted methods and procedures
3. Precise data showing what was collected or, in some cases, not collected
4. Start and end timestamps
5. Additional technical information, such as lower-level protocol information or
   headers
6. Notation of any errors or lost or corrupted data
7. Other meta information, such as the investigator's name, case ID, and
   case/evidence descriptions

Reference: B. J. Nikkel (2006). "Improving Evidence Acquisition from Live Network Sources," Digital
Investigation: The International Journal of Digital Forensics and Incident Response, Vol. 3, No. 2.
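As an added example, not taken from Nikkel or from the module, the Python below writes a small constructed capture in libpcap format, reads it back, and produces an acquisition manifest that records each of the seven documentation items alongside a SHA-256 of the evidence file; a verification function then shows how the recorded hash exposes any later alteration of the capture. The investigator name, case ID, timestamps, capture filter and packet contents are all constructed for illustration.

```python
import hashlib
import json
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def fake_frame(n):
    """Constructed Ethernet frame: dst MAC, src MAC, EtherType 0x0800 (IPv4),
    followed by filler bytes standing in for the IP packet."""
    header = bytes.fromhex("00163e0a0b0c" "00163e0d0e0f" "0800")
    return header + bytes([n]) * 40


# Constructed packets as ((seconds, microseconds), frame) pairs.
PACKETS = [
    ((1317650700, 123), fake_frame(1)),
    ((1317650700, 250000), fake_frame(2)),
    ((1317650701, 999), fake_frame(3)),
]


def pcap_bytes(packets, snaplen=65535):
    """Serialise packets as a libpcap file: 24-byte global header, then a
    16-byte record header and the frame bytes for each packet."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for (secs, usecs), frame in packets:
        out.append(struct.pack("<IIII", secs, usecs, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Parse a little-endian libpcap file back into ((seconds, microseconds), frame) pairs."""
    magic, _major, _minor, _tz, _sig, _snap, _link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    offset, packets = 24, []
    while offset < len(data):
        secs, usecs, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        packets.append(((secs, usecs), data[offset:offset + incl_len]))
        offset += incl_len
    return packets


def build_manifest(capture, packets, *, investigator, case_id, description,
                   capture_filter, start_utc, end_utc, dropped, errors):
    """Record the seven documentation items plus a hash of the evidence file."""
    return {
        # 1. diligence and 7. meta information: who, which case, what evidence
        "investigator": investigator,
        "case_id": case_id,
        "evidence_description": description,
        # 2. accepted method and procedure
        "method": "passive capture on a receive-only tap, libpcap format",
        # 3. precisely what was and was not collected
        "capture_filter": capture_filter,
        "packets_captured": len(packets),
        "packets_dropped_by_capture_engine": dropped,
        # 4. start and end timestamps
        "start_utc": start_utc,
        "end_utc": end_utc,
        # 5. lower-level protocol information
        "link_type": "ETHERNET",
        "snaplen": 65535,
        # 6. errors, lost or corrupted data
        "errors": errors,
        # integrity reference checked at every later hand-off
        "sha256": hashlib.sha256(capture).hexdigest(),
        "size_bytes": len(capture),
    }


def verify_capture(capture, manifest):
    """True only if the evidence file still matches the manifest's size and hash."""
    return (len(capture) == manifest["size_bytes"]
            and hashlib.sha256(capture).hexdigest() == manifest["sha256"])


def acquisition_record():
    """Produce the constructed capture and its manifest (all details hypothetical)."""
    capture = pcap_bytes(PACKETS)
    manifest = build_manifest(
        capture, PACKETS,
        investigator="J. Example (hypothetical)",
        case_id="NAI-2011-0042 (hypothetical)",
        description="Mirror-port capture of suspected C&C traffic from 10.0.0.5",
        capture_filter="host 10.0.0.5 and not port 22",
        start_utc="2011-10-03T14:05:00Z",
        end_utc="2011-10-03T14:05:02Z",
        dropped=0,
        errors=[],
    )
    return capture, manifest


if __name__ == "__main__":
    cap, man = acquisition_record()
    print(json.dumps(man, indent=2))
    tampered = cap[:-1] + bytes([cap[-1] ^ 0x01])
    print("original verifies:", verify_capture(cap, man))
    print("tampered verifies:", verify_capture(tampered, man))
```

The manifest should be written and hashed at the moment the capture closes, signed or witnessed as Recommendation 2 describes, and stored separately from the capture file, so that the hash cannot be rewritten along with the evidence it protects.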

Topic 7: Intrusion Detection and Monitoring

Relevance to Network Forensics

A very important and challenging aspect of forensic investigations involves intrusion
detection. It is important to determine when to monitor a network, and how much
monitoring to do, before taking aggressive action in a digital forensic investigation.
There are no hard-and-fast rules about how long to monitor an intrusion in progress and
when to take systems offline to stop the intruder from penetrating deeper into your
network.

One of the core challenges forensic investigators face is balancing the need to gather
sufficient evidence against the intruder with the need to stop the intrusion. The more
evidence you gather, the stronger your legal case will be. On the other hand, the longer
you allow the intruder access to your network in order to gather evidence, the higher the
risk to your network and its data. Practical experience is the best guide in weighing
these considerations.

Packet analysis and network forensic tools, such as the open-source Wireshark (formerly
Ethereal) and commercial products like NetIntercept, act as aids to the forensic
investigation.

Topic 8: Summary

We have come to the end of Module 7. The key concepts covered in this module are
listed below.

Network forensics is useful in capturing an attack fingerprint, performing post
attack analysis for security exploits, and analyzing historical network traffic.

Network forensics can help monitor user activity, identify the source of data
leaks, analyze business transactions, and identify the source of intermittent
network performance issues.

Log files are an important source of network data because they contain
information about devices, Internet activities, services, and the active state of
network data that can be valuable network forensic information.

The Investigations Triad methodology is an investigative technique that involves
connecting the three main challenges in network forensics: vulnerabilities,
intrusion response, and investigations.

A bot is an autonomous application that is often malicious. A computer compromised
by a bot is known as a robot or a zombie. A collection of such computers under
common control is known as a botnet.

The life cycle of a botnet typically includes four phases: spread, infection,
command and control (C&C), and attack.

Some challenges encountered while dealing with botnets include polymorphism,
rootkitting, periodic communications, retaliation, denial of service, distributed
denial of service, fast flux, and encrypted channels and code.

The most common methods of protecting networks against botnets are using
several firewalls and a layered security approach, installing intrusion detection
systems and protection at the gateway to e-mail servers, disabling unused ports,
and isolating infected computers.

Conducting a live acquisition of data is helpful in collecting forensic information. It
should be done in coordination with the organization’s IT department.

Glossary

Term Definition

Audit Log An audit log is a list of all system-based activities, including the
user ID, time of activity, workstation ID, and other information.

Audit Trail Audit trail is the ability to trace system activities to their original
source of input, entry, transfer, or termination on the system.

Backdoor A backdoor is a remote access point for software; it allows remote
connectivity. Though originally intended for debugging purposes,
backdoors are currently used for remote command-and-control
actions.

Bot A bot is a computer program that is used to rapidly carry out a
large number of automated and repetitive tasks on the Internet,
usually in a cybersecurity attack.

Bot herder A bot herder, also known as a botmaster, controls botnets
remotely and tricks a victim into installing malicious code on a
computer.

Botnets A botnet is a group of robots, or compromised computers, running
automatically. Often, the victims whose computers are part of the
botnet are unaware of the invasion.

Command-and-Control A command-and-control system provides for command and
control of system components, such as other computers.

Deadbox Forensics Deadbox forensics is an expression that refers to forensic analysis
of laptops and PCs that are not actively connected to a live
network.

Denial of Service A Denial of Service (DoS) attack floods a target site with traffic or
requests until its network or system resources are exhausted, denying
access to legitimate users. When the flood comes from many "zombie"
machines under a botnet's control, it is a Distributed Denial of
Service (DDoS) attack.

Distributed Denial of Service In a distributed denial of service attack (DDoS attack), a
computer's resources are made unavailable to its users when
several compromised systems flood it with useless traffic.

Fast Flux Fast flux is a Domain Name System (DNS) technique used to hide
phishing and malicious code delivery sites behind a rapidly changing
set of compromised hosts that act as proxies.

File System Forensics File system forensics is the forensic analysis of an individual
computer’s file system and operating system components.

FTP File Transfer Protocol (FTP) is an application protocol that runs over
TCP/IP to transfer files between computers.

HTTP Hypertext Transfer Protocol (HTTP) transmits Web pages to
clients.

Internet Relay Chat Internet Relay Chat (IRC) is a form of communicating over the
Internet using private messages, chats, or group discussions.

Intrusion Response Intrusion response is the response by an individual cyberforensic
investigator or incident response team to a network-based
intrusion.

Investigations Triad Method The Investigations Triad method involves connecting the three
main challenges in network forensics: vulnerabilities, intrusion
response, and investigations.

Network Forensics Network forensics is a forensic process involving multiple devices
on a computer network.

Personal Area Networks A Personal Area Network (PAN) enables communication between
computers, TVs, MP3 players, personal digital assistants (PDAs),
and smartphones that are within a few feet of each other.

Pingplotter Pingplotter allows the user to trace the path of packets across the
Internet.

Polymorphism Polymorphism is a condition in which bots change with every
instantiation, so they always appear to be new.

Rogue Network Forensics Rogue network forensics describes the practice of using
network forensic techniques to perform malicious activities.

Rootkitting Rootkitting is the stealthy installation of software called a rootkit,
which is activated each time a user boots up a system.

Small-Scale Digital Devices Small-scale digital devices are devices that are analogous to
embedded systems.

Structured Query Language Structured Query Language (SQL) is a data-manipulation
language that is the de facto standard used to manage data in
relational database management systems.

Telnet Telnet enables remote use and supervision of systems. Network
administrators have traditionally monitored and controlled systems
remotely using Telnet; because it transmits credentials and session
data in cleartext, it has largely been replaced by SSH.

Traceroute Traceroute traces the path of packets across an IP network. An
intruder uses traceroute to map routers for known destinations
around the targeted system.

Whatsup Whatsup is a network-monitoring software.

Wireshark Wireshark is a free and open-source packet analyzer. It is used for
network troubleshooting, analysis, software and communications
protocol development, and education.

Write Blocking Write blocking is a forensic technique used to avoid altering the
state of the source computer, in order to create a forensically
sound image of that computer.

Zombie A zombie is a computer that is remotely controlled by a bot herder
or botmaster in a botnet.

1. What are two items to consider when creating a malware analysis environment?

Could malware detect and react differently if a potential malware analysis tool/environment is detected? Give two possible examples.

UMUC (2013), Network Forensics, Cybercrime Investigation and Digital Forensics. Retrieved from http://tychousa5.umuc.edu/CSEC650/1202/csec650_07/assets/csec650_07

2. Give an example of an incident where it was discovered that a RAT was found in a corporate network.

Identify one method a forensic investigator may use to identify a potential RAT program?

UMUC (2013), Network Forensics, Cybercrime Investigation and Digital Forensics. Retrieved from http://tychousa5.umuc.edu/CSEC650/1202/csec650_07/assets/csec650_07
