How to Extract Evidence in Relation to HTTP, FTP, and SMTP Application Layer Protocols - Research Paper Example

Abstract

Digital investigation methods are becoming more and more important due to the proliferation of digital crimes and of crimes involving digital evidence. There has been extensive research that gathers evidence by collecting and analyzing network traffic data and logs. This analysis can be a difficult process, especially because of the high variability of these attacks and the large amount of data. Identification and tracking of online digital identity has been a significant issue in cyber security efforts. In this paper, I present the techniques used to extract data sent from one host to another over a TCP-based network like the internet using the FTP protocol, an e-mail sent over an IP network using the SMTP protocol, and data sent over web-based applications using the HTTP protocol.

Contents

1.0 Introduction
2.0 Extracting evidence in relation to HTTP
    Extraction of posting behavior from HTTP headers
3.0 Extracting evidence in relation to SMTP
    Header analysis
    Bait tactics
    Server investigation
    Network device investigation
    Software embedded identifiers
    Sender mailer fingerprints
4.0 Extracting evidence in relation to FTP
5.0 Conclusion
6.0 References

1.0 Introduction

The network has become the best way of transferring information to support both personal and business requirements. However, as different services have been enabled across the network environment, the potential for cyber-crime has grown with them. Not only are criminals exploiting this medium to an unprecedented degree, but we now face the potential of cyber-warfare or cyber-terrorism conducted over these same protocols, hence the need for methods of extracting data from these protocols as a source of evidence.
[24] File Transfer Protocol (FTP) is a network protocol used to transfer files from a host server to a client over a TCP-based network such as the internet. It is based on a client-server architecture and uses separate data and control connections between the client and the server. [5] Simple Mail Transfer Protocol (SMTP) is the protocol that governs the transmission of e-mail across an IP-based network. Clients, however, use SMTP only for sending messages to a mail server; for receiving they use POP (Post Office Protocol) or IMAP (Internet Message Access Protocol), which let them access their mailbox accounts on a mail server. HTTP (Hypertext Transfer Protocol) is an application protocol used by distributed and collaborative hypermedia information systems. [19] HTTP is the basis of the World Wide Web (WWW). All web-based applications rely on this protocol for security and transactions, ranging from home banking, e-commerce and e-procurement to those that deal with sensitive data such as career and identity information. The protocol can also be used to prevent unauthorized viewing of personal, financial and confidential information over the web. [20]

2.0 Extracting evidence in relation to HTTP

Given the amount of content on the web, users need help in finding information of interest, and service providers are expected to provide such information. This can be done by estimating the user's profile, i.e. analyzing the behavior of the user when she is online using the access logs of a server. In order to recognize the actual user behavior across many servers, the behavior is analyzed using the flow of data on proxy servers. Some users post messages on the web while others just browse web pages, hence an approach is needed that extracts both kinds of user behavior.
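As an added example (not the paper's code), the header-only separation of posting from browsing behavior that this section calls for, in Python: requests are split out of a captured client-to-server stream by reading headers alone and skipping each body via Content-Length, and a hand-built decision tree over the header fields stands in for the tree the paper learns from log data. The captured stream, host names and paths are constructed for the demonstration.

```python
"""Header-only extraction of HTTP posting behaviour from a captured client stream.
Added example, not the paper's code: the decision tree is a hand-built stand-in for
the tree the paper learns from log data, and the captured stream is constructed."""
import re
from dataclasses import dataclass

# Content types a browser uses when a user submits a form (posting behaviour).
POSTING_CONTENT_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


@dataclass
class Request:
    method: str
    target: str
    headers: dict   # header names lower-cased
    body_len: int   # from Content-Length; the body itself is never inspected


def parse_requests(stream: bytes) -> list:
    """Split a client->server TCP stream into requests, reading headers only and
    skipping each body via Content-Length (this is what keeps POST analysis cheap)."""
    requests, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break                                   # truncated header block
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        m = REQUEST_LINE.match(lines[0])
        if not m:
            break                                   # not an HTTP request: stop here
        headers = {n.strip().lower(): v.strip()
                   for n, _, v in (l.partition(":") for l in lines[1:])}
        body_len = int(headers.get("content-length", "0"))
        requests.append(Request(m.group(1), m.group(2), headers, body_len))
        pos = end + 4 + body_len                    # jump over the body unread
    return requests


def classify(req: Request) -> str:
    """Hand-built decision tree over header fields: 'posting' or 'other'."""
    if req.method != "POST":
        return "other"                              # browsing: GET, HEAD, ...
    ctype = req.headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in POSTING_CONTENT_TYPES and req.body_len > 0:
        return "posting"                            # a submitted form
    return "other"                                  # e.g. JSON beacons, empty POSTs


def posting_events(stream: bytes) -> list:
    """(host, target, content-type) for every request classified as posting."""
    return [(r.headers.get("host", ""), r.target, r.headers.get("content-type", ""))
            for r in parse_requests(stream) if classify(r) == "posting"]


# Constructed stream: a page view, a forum form post, and an analytics beacon.
SAMPLE_STREAM = (
    b"GET /web.jsp?MT=ntt HTTP/1.1\r\nHost: search.goo.ne.jp\r\n\r\n"
    b"POST /board/post HTTP/1.1\r\nHost: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 21\r\n\r\n"
    b"title=hi&body=hello+1"
    b"POST /collect HTTP/1.1\r\nHost: stats.example\r\nContent-Type: application/json\r\n"
    b"Content-Length: 11\r\n\r\n" b'{"ev":"pv"}'
)
```

Running `posting_events(SAMPLE_STREAM)` yields only the forum post; the GET and the JSON beacon are classified as other behavior without any body being read.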
[6] When a user is just browsing web pages, the browser usually sends HTTP GET requests in which the request parameters are described in the URL (e.g., http://search.goo.ne.jp/web.jsp?MT=ntt means that the value of parameter MT is ntt). When the user posts a message, requests and responses are sent by HTTP POST instead of HTTP GET. The focus is therefore on users' posting behavior with HTTP POST, and a method of extracting user posting behavior from HTTP flows is proposed. [8]

Extraction of posting behavior from HTTP headers

The request parameters of an HTTP POST are carried in the HTTP body, so extracting any posted text requires analyzing the body of each HTTP POST message. However, analysis of a full HTTP body takes longer than that of a header such as that of an HTTP GET, hence a method for scanning only the HTTP headers of an HTTP POST message is appropriate. [2] Based on the above characteristics, a decision-tree-based method is the quickest and simplest method for extracting such data. The leaves of the tree are classifications (posting or other behavior) and the branches are the characteristics by which behavior is classified into those classes. To classify posting behavior, we use the deviance between the tree and the actual data (deviance = -2 × maximum log-likelihood). A smaller deviance means a better tree, i.e. the tree classifies behavior into posting and other more accurately. The HTTP header fields are used as explanatory variables and user behavior (i.e. posting or other behavior) is the dependent variable. [3] The decision tree is then used for the classification of unknown data. To structure the best decision tree, log data has to be created for evaluation; this is done by accessing the most popular sites using HTTP POST. [4]

3.0 Extracting evidence in relation to SMTP

An e-mail is sent from a computer to a sending server using the SMTP protocol. The sending server performs a lookup of the mail exchange record of the receiving server through the Domain Name System (DNS) protocol on the DNS server.
The sending server then establishes an SMTP connection with the receiving server and delivers the e-mail to the receivers involved, who download it to their computers using either the POP3 or the IMAP protocol. [17] Extracting evidence in relation to SMTP involves the study of the source and content of an e-mail as the evidence, trying to identify the actual sender and recipient of a message, the date/time of transmission, a detailed record of the e-mail transaction, the intent of the sender, etc. It also involves investigation of metadata, keyword searching, port scanning, etc. for authorship attribution and identification of e-mail scams. [18] There are various approaches that can be applied in the extraction of this kind of evidence from the SMTP protocol. They include:

Header analysis

The headers in the message contain information about the sender and the path that the message traversed.

Bait tactics

This involves sending an e-mail containing an HTML image tag whose image source is hosted on a computer monitored by the investigator to the sender of the e-mail under investigation, using their real e-mail address. When the e-mail is opened, a log entry containing the IP address of the recipient is recorded on the HTTP server hosting the image, and thus the sender is tracked. [19]

Server investigation

Copies of delivered e-mails and server logs are investigated to identify the source of an e-mail message. Logs maintained by servers can also be studied to trace the address of the computer responsible for making the e-mail transaction. In addition, SMTP servers that store data such as credit card numbers and other data pertaining to the owner of a mailbox can be used to identify the person behind an e-mail address.

Network device investigation

This includes investigating the logs maintained by network devices like routers, firewalls and switches to trace the source of the e-mail message under investigation. It is usually done when the logs from servers are unavailable.
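Header analysis in practice, as an added Python example that is not from the paper: the Received trace fields are parsed into an origin-first relay path (claimed source host, the peer IP the receiving server logged, the receiving server and the software it names, timestamp), and the chain is checked for hops that do not link up or clocks that run backwards, which is how a forged or inserted header shows itself. The message, host names and IP addresses are constructed; the parser assumes the common "from A (info) by B (software) ...; date" layout of RFC 5322 trace fields and skips clauses that do not match it.

```python
"""Reconstruct an e-mail's relay path from its Received headers (header analysis).
Added example, not from the paper; the message is constructed. Hop parsing follows
the usual 'from A (info) by B (software) ...; date' layout of RFC 5322 trace fields,
which real servers do not always follow exactly, so unparsable clauses are skipped."""
import email
import re
from dataclasses import dataclass
from email.utils import parsedate_to_datetime

HOP_RE = re.compile(r"from\s+(?P<frm>\S+)(?:\s+\((?P<info>[^)]*)\))?"
                    r"\s+by\s+(?P<by>\S+)(?:\s+\((?P<sw>[^)]*)\))?", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    frm: str        # host the receiving server says it got the message from
    frm_ip: str     # IP the receiving server logged for that peer ("" if none)
    by: str         # server that added this header
    software: str   # server software named after 'by', e.g. "Postfix" ("" if none)
    when: object    # datetime from the trailing ';' clause, or None


def parse_received(raw: str) -> list:
    """Return hops origin-first: Received headers are prepended, so reverse them."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        value = " ".join(value.split())             # unfold and squeeze whitespace
        m = HOP_RE.search(value)
        if not m:
            continue                                # non-standard trace clause
        ip = IP_RE.search(m.group("info") or m.group("frm"))
        _, sep, date = value.rpartition(";")
        try:
            when = parsedate_to_datetime(date.strip()) if sep else None
        except (TypeError, ValueError):
            when = None                             # unparsable date: keep the hop
        hops.append(Hop(m.group("frm"), ip.group(1) if ip else "",
                        m.group("by"), m.group("sw") or "", when))
    return hops


def check_chain(hops: list) -> list:
    """Flag hops that do not link up or timestamps that run backwards; either
    points at a forged or inserted header the investigator has to resolve."""
    issues = []
    for prev, cur in zip(hops, hops[1:]):
        if cur.frm.lower() != prev.by.lower():
            issues.append(f"gap: {prev.by} -> {cur.by} claims source {cur.frm}")
        if prev.when and cur.when and cur.when < prev.when:
            issues.append(f"clock runs backwards: {prev.by} -> {cur.by}")
    return issues

# Constructed message: client 192.0.2.45 -> relay.sender.example -> mx -> mailbox host.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.20])
\tby mail.recipient.example (Postfix) with ESMTP id 4A1; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.sender.example (relay.sender.example [203.0.113.9])
\tby mx.recipient.example (Postfix) with ESMTPS id 3B2; Mon, 1 Jan 2024 10:00:03 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45])
\tby relay.sender.example with ESMTPA id 2C3; Mon, 1 Jan 2024 10:00:01 +0000
"""
# Same message with the middle hop's claimed source host tampered with.
FORGED = SAMPLE.replace("from relay.sender.example (relay", "from bogus.example (relay")
```

`check_chain(parse_received(SAMPLE))` is empty, while the tampered copy produces one gap between relay.sender.example and mx.recipient.example.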
Software embedded identifiers

Some information about the creator of the e-mail, attached files or documents may be included with the message by the e-mail software the sender used to compose it. This information may be included in the form of custom headers or in the form of MIME content as Transport Neutral Encapsulation Format (TNEF). Investigating the e-mail for these details may reveal vital information about the sender's e-mail preferences and options that could help client-side evidence gathering. [9]

Sender mailer fingerprints

The software handling e-mail at the server can be identified from the Received header field, and the software handling e-mail at the client can be ascertained from a different set of headers such as "X-Mailer" or its equivalent. These headers describe the applications, and their versions, used at the client to send e-mail. This information about the sender's client computer can help investigators devise an effective plan and thus prove very useful. [10]

4.0 Extracting evidence in relation to FTP

Extracting evidence in relation to FTP can be done using a dynamic analysis tool called PEXT, which can reverse engineer a networked application's underlying protocol by analyzing a collection of packets captured from the application at runtime. [11] One could use PEXT to perform regression testing by reverse engineering the implementation of a particular protocol and comparing it to another implementation. For instance, one could run two similar applications through the same test cases, reverse engineer each one's use of the protocol and then compare the derived state machines. If all the applications speak the FTP protocol, then the derived protocols should be the same. [10] For extracting data from the FTP protocol, the PEXT tool automates the approach of reverse engineering a protocol from network traffic collected from the application under investigation.
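The regression-testing use of derived state machines described above, as an added Python example that is not PEXT's code: FTP control-channel traces from two implementations are abstracted to client verbs and RFC 959 reply-code classes, merged into a state machine whose states are the last message seen (a deliberate simplification of PEXT's inference), and the two machines are diffed to surface where the implementations diverge. The traces, hosts and file names are constructed.

```python
"""Infer an FTP control-channel state machine from captured session traces and diff
the machines of two implementations. Added example, not PEXT's code: a state is simply
the last abstract message seen (client verb or RFC 959 reply class), a simplification."""
from collections import defaultdict


def parse_trace(text: str) -> list:
    """'C: <verb> <args>' / 'S: <code> <text>' lines -> abstract messages: client
    commands keep only the verb, server replies only the reply-code class (1-5)."""
    events = []
    for line in text.strip().splitlines():
        side, _, msg = line.strip().partition(": ")
        if side == "C" and msg:
            events.append("C:" + msg.split()[0].upper())
        elif side == "S" and msg[:3].isdigit():
            events.append("S:" + msg[0] + "xx")
    return events


def build_fsm(traces: list) -> dict:
    """Merge all traces into {state: set(next_state)} with START and END markers."""
    fsm = defaultdict(set)
    for trace in traces:
        events = ["START"] + parse_trace(trace) + ["END"]
        for a, b in zip(events, events[1:]):
            fsm[a].add(b)
    return dict(fsm)


def _edges(fsm: dict) -> set:
    return {(s, t) for s, ts in fsm.items() for t in ts}


def diff_fsm(a: dict, b: dict) -> dict:
    """Transitions only one implementation exhibits: the state-machine comparison."""
    return {"only_a": sorted(_edges(a) - _edges(b)),
            "only_b": sorted(_edges(b) - _edges(a))}


# Constructed traces for implementation A: a passive-mode download, then a failed login.
IMPL_A = ["""
C: USER alice
S: 331 Password required
C: PASS secret
S: 230 Logged in
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,200,1)
C: RETR report.pdf
S: 150 Opening data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
""", """
C: USER alice
S: 331 Password required
C: PASS wrong
S: 530 Login incorrect
C: QUIT
S: 221 Goodbye
"""]
# Implementation B on the same test cases, but opening the data connection with PORT.
IMPL_B = [IMPL_A[0].replace("C: PASV\nS: 227 Entering Passive Mode (192,0,2,10,200,1)",
                            "C: PORT 192,0,2,20,200,2\nS: 200 PORT command successful"),
          IMPL_A[1]]
```

`diff_fsm(build_fsm(IMPL_A), build_fsm(IMPL_B))` isolates the PASV and PORT transitions as the only difference, which is exactly what a divergence between two FTP implementations looks like in derived state machines.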
PEXT's process begins by capturing data from multiple, different execution traces of the application that implements the FTP protocol. It then uses this captured information to extract a finite state machine (FSM) that codifies the features of the protocol used in those execution traces. [12]

5.0 Conclusion

It is clear that digital investigation methods are becoming more and more important due to the proliferation of digital crimes and of crimes involving digital evidence. Moreover, since networked applications play a significant role in today's interconnected world, it is important for software engineers to be able to understand and model the behavior of these applications during software maintenance. Protocol usage therefore needs to be understood so that it becomes easy to extract data for forensic investigation from any of the protocols in use.

6.0 References

[1] D. C. Plummer. RFC 826, An Ethernet Address Resolution Protocol -- or -- Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware. Internet Engineering Task Force, Network Working Group, 1982.
[2] Casey, E. (2004). Network traffic as a source of evidence: tool strengths, weaknesses, and future needs. Digital Investigation, 1, 28–43.
[3] Electronic Frontier Foundation. How unique is your browser? Privacy Enhancing Technologies Symposium, 2010.
[4] Fei, B., Eloff, J.H.P., Venter, H.S., & Olivier, M.S. (2005). Exploring forensic data with self-organizing maps. In IFIP Int. Conf. Digital Forensics '05 (pp. 113–123).
[5] Furukawa, T. et al., "Extracting Key Phrases using Topic Diffusion Process in the Blogosphere," The 21st Annual Conference of the Japanese Society for Artificial Intelligence, pp. 1–4, Jun. 2007.
[6] Graham, J. (1999). Enterprise wide electronic mail using IMAP. SIGUCCS '99: Proceedings of the 27th Annual ACM SIGUCCS Conference on User Services: Mile High Expectations, November 1999.
[7] H. Xia and J. C. Brustoloni, "Hardening Web Browsers against Man-in-the-Middle and Eavesdropping Attacks," Proc. 14th Int'l Conf. World Wide Web (IW3C2), ACM Press, 2005, pp. 489–498.
[8] IEEE Std. 802.11, IEEE Standards for Information Technology, Telecommunications and Information Exchange between Systems, Local and Metropolitan Area Network - Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 1999.
[9] Karagiannis, T., Papagiannaki, K. and Faloutsos, M. BLINC: Multilevel Traffic Classification in the Dark. Proc. ACM SIGCOMM, 2005, pp. 229–240.
[10] Kruse, W. G., & Heiser, J. G. (2001). Computer forensics: incident response essentials. Addison-Wesley Professional.
[11] M. Aron, P. Druschel and W. Zwaenepoel. Efficient support for P-HTTP in cluster-based Web servers. In: Proc. USENIX 1999 Annual Technical Conf., 1999.
[12] Menzies, T. et al., "Data Mining For Very Busy People," IEEE Computer, pp. 18–25, Nov. 2003.
[13] Miyahara, K. et al., "Quantified Estimation Method of User's Information Interests based on the Web Browsing and its Application to Collaborative Filtering," Technical Report of IEICE, ET97-115, Mar. 1998.
[14] Mobasher, B. et al., "Automatic personalization based on Web usage mining," Communications of the ACM, Volume 43, pp. 142–151, Aug. 2000.
[15] Montigny-Leboeuf, A. D. Passive Network Discovery for Real Time Situation Awareness. Proc. RTO Information Systems Technology Panel (IST) Symposium on Adaptive Defence in Unclassified Networks, 2004, pp. 288–300.
[16] Morita, M. et al., "Information Filtering Based on User Behavior Analysis and Best Match Text Retrieval," Proceedings of the 17th Annual International ACM SIGIR Conference on Research and Development in Information Retrieval, Jul. 1994.
[17] Natarajan Meghanathan, Sumanth Reddy Allam and Loretta A. Moore. (2009). Tools and Techniques for Network Forensic. International Journal of Network Security & Its Applications (IJNSA), Vol. 1, No. 1, April 2009.
[18] P. Resnick, Ed., RFC 5322, Internet Message Format. Internet Engineering Task Force, Network Working Group, 2008.
[19] Song, X. et al., "Identify Opinion Leaders in the Blogosphere," Proceedings of the Sixteenth ACM Conference on Information and Knowledge Management, pp. 971–974, 2007.
[20] Tzerefos, Smythe, Stergiou, Cvetkovic, (1997). "A comparative study of Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP) and X.400 Electronic Mail Protocols." In Proceedings of the 22nd Annual IEEE Conference on Local Computer Networks, pp. 545–554.
[21] Umeda. Targeted Attack Detection by Analyzing Characteristics of Electric Mail Header. Bachelor's Thesis, Keio University, 2011.
[22] V. X. Duong. A Proposal of a Cross-Browser User Tracking Method with Browser Fingerprint. Bachelor's Thesis, Keio University, 2012.
[23] Yamada, K. et al., "Data Mining for Analyzing Histories of Web User Activates," Technical Report of IEICE, Sep. 2005.
[24] Y. Uehara. Design and Implementation of User Identification Platform using Device Information. Master's Thesis, Keio University, 2012.
(“Describe how to extract evidence in relation to HTTp,FTP and SMTP Research Paper”, n.d.)
Retrieved from https://studentshare.org/information-technology/1477642-describe-how-to-extract-evidence-in-relation-to