Messaging Apps Accusation Via Wireless Connection - Essay Example

Messaging Apps Accusation Via Wireless Connection P Introduction In recent years, there has been a rapid increase in the number of cybercrimes; due to the advancement and proliferation of technology (Ponec, Giura, Brönnimann, & Wein, 2007). Network Forensics can help to discover vulnerabilities, monitor the network traffic, and investigate the sources of these attack. Network forensics does not stop the network crime from happenin; rather, it helps the law enforcement entity to collocate the required information or incident response and investigate the crime to arrest the culprit (Pilli, Joshi, & Niyogi, 2011). This report describes a network forensics experiment in which messaging application app behavior is monitored between two devices on the same network; with something that experts call a “sniffer” placed in the network to capture the traffic. Next, the analysis process will be applied to display information about these interaction that occurred between the two devices and the apps. Problem Statement Criminals spend a great deal of time crafting their approaches and developing new techniques to hide their identities. Cyber attacks can involve a large number of hosts; requiring intelligent forensic analysts to reveal the evidence and to link this evidence together (Wang, 2010). The investigator must work with specialized devices such as routers, firewall, IPS and IDS on the network; as well as dealing with a great deal of data to come up with evidence that is reliable, consistent, not misleading, or tampered with to make the case stronger when presented to the court. Moreover network forensics deal with live systems so it will be a challenge, the live analysis must happen close to the same time as the crime (Baggili & Marrington, 2013). Literature Review As Internet usage by individuals and companies increases every day, cyber crime is increasing dramatically. As such, researchers have focused on examining and creating new tools and methods to acquire the data from any digital device format (Ponec, Giura, Brönnimann, & Wein, 2007). Social networking is one of the biggest and fastest growing fields because of the popularity of usage among the people. Social networking allows people to communicate in a fast and enjoyable way. According to a recent survey, the United Arab Emirates ranked first in the world in smart phone usage; with 77% of people using their smart phones for multimedia and 70% for social networks (McNabb, 2013). Methodology There are several approaches for network forensics analysis; depending on the type of case the investigator is handling. It can be summarized in two categories: identify the attack and reconstruction of the attack. Attack identification will help the investigator to know how the attack happened, and who launched it. Attack reconstruction will allow the investigator to recreate the scenario and the action taken by the attacker to attack the target (Wang, 2010). This report will contain the steps for acquiring information from the network and analysis it using network analysis software. The procedure will be on the following: 1) Setup the tools that will be used in the experiment. 2) Capture network traffic and save the captured traffic in a ( PCAP ) file. 3) Analyzing the acquired network traffic file ( PCAP ). A man in the middle attack will be necessary to capture the traffic. We will configure a special wireless access point called “jasager”. This access point will help to answer the ARP ( Address Resolution Protocol ) request. In addition, a bridged connection is required in the investigators computer between Wi-Fi and Ethernet. When the suspects mobile or IPad broadcast searches for public Wi-Fi , the Access point will reply on the request and connect the suspect device to the Access point and the Internet. (troyhunt, 2013) Scenario: A woman reported to the police that she received harassing messages on a social networking application. After coordination between the police and the ISP, police determine that the suspect regularly attends two cafés, where he use the Internet service provided by the coffee shops. In order to start the investigation, we should have a court order to authorize the search. It is important to collect as much information as possible to use it when the suspect is arrested to link the findings with his device. Tools And devises: SN Name Info 1 Jasager Model: MR3201A 2 Wireshark Version: 1.10.2 3 NetworkMiner Version: 1.5.0.0 4 Laptop Running windows 7 or higher Social applications used in the experiment Producer: Configuring Jassager Access point: Step 1: Navigate to: Start Menu | All Programs| Google Chrome| chrome.exe. Step 2: Log in to: 10.110.0.2:1471. Step 3: Enable Karma Service. Step 4: Log in to: 10.110.0.2 Step 5: Navigate to: Network | Networks. Step 6: Enter appropriate IP Address within the range of 10.110.0.X . Step 7: Navigate to: Network | Wireless. Step 8: Enable the Wireless settings and give it appropriate name. Step 9: Navigate to: DHCP . Step 10: Enable the Service and enter appropriate DHCP Settings within the range of 10.110.0.X . Step 11: Save Changes and Apply Changes Configuring Investigator Laptop: Step 1: Navigate to: Start Menu | Control Panel | Network and Sharing Center | Change adapter settings | Wireless Network Connection | Properties | Sharing. Step 2: Enable : Allow other network users o connect through this computers Internet connection. Step 3: Navigate to: Start Menu | Control Panel | Network and Sharing Center | Change adapter settings | Local Area Connection | Properties | Internet Protocol Version 4. Step 4: Enter appropriate IP Address within the range of 10.110.0.X. Capturing Data using Wireshark: Step 1: Navigate to: Start Menu | All Programs | Wireshark.exe. Step 2: Navigate to: Capture | Option . Step 3: Select: Local Area Connection . Step 4: Select: Start to start the capture process . Step 5: Select: Stop to stop the capture process . Step 6: Navigate to: File | Save As| .PCAP Extension. Note: The Capturing Data process was repeated for all the Apps mentioned above. Analyzing Data using Networkminer: Step 1: Navigate to: Start Menu | Computer | Users | Downloads | NetworkMiner_1-5 | NetworkMiner.exe Step 2: Navigate to: File | Open| Select the PCAP File. Step 3: Start analysis the network file. Results SN Program Name Protocol Name Encryption Findings Suspect Mac Address Sniffing Timestamp 1 Wechat SSL* Yes N/A 54:26:96:24:be:80 From Oct 24, 2013 18:59:23 To Oct 24, 2013 19:00:45 2 Tango TLS* v1 Yes Email ID & phone number 54:26:96:24:be:80 From Oct 24, 2013 19:33:30 To Oct 24, 2013 19:36:22 3 MessageMe TLS v1 Yes Image 54:26:96:24:be:80 From Oct 24, 2013 19:26:19 To Oct 24, 2013 19:27:43 4 KaKao Talk TLS v1 Yes Image 54:26:96:24:be:80 From Oct 24, 2013 19:31:20 To Oct 24, 2013 19:32:26 5 Whoshere TLS v1 Yes N/A 54:26:96:24:be:80 From Oct 24, 2013 20:27:00 To Oct 24, 2013 20:32:14 6 WhatsApp TLS v1 Yes N/A 54:26:96:24:be:80 From Oct 24, 2013 21:38:58 To Oct 24, 2013 21:40:16 * SSL is secure communications protocol provide privacy and reliability between two communication to any TCP transmission. (McKinley, 2003) * TLS is a secure communication protocol provide Client/Server applications to communicate in a way that is designed to prevent tempering. (McKinley, 2003) Analysis / Discussion When analyzing the PCAP file, we have selected some keywords related to the programs that are experimental; keywords example ( Whatsapp, and whoshere). This will give us a hint on the servers IP addresses and the MAC addressee so we can narrow the search. In addition we have used another software called Networkminner to help us to read the PCAP, the program can separate the PCAP file into ( files, Images, messages , sessions, and keywords filter). All of the apps that we tested were encrypted, we were unable to read the chat but we got some useful information from apps as the table below: The most interesting app was Tango. Aalthough its encrypted and we were unable to read the chat history we were able to read the parameters and identify the email address and the phone number used in the conversation. This should be considered critical and useful information to the case. Moreover the images that we found are also a great addition to the case. As a network forensic all the traffic captured contains important information such as source, destination and MAC address . Conclusion In conclusion the finding of the experiment was satisfying, the goal of the experiment was to capture entire network traffic but many difficulties accorded such as the demo version of the software which limited the functions in the software. The analyzing process could be done in a better way if a specific program designed to decrypt the encrypted traffic, where most of the programs used where SSL and TSL encrypted. The encryption was new and difficult for us; which required searching articles to understand more about encryption and the types we found in this experiments. Moreover access point “Jasager” is a powerful device but the lacks the information regarding the configuration; thereby requiring a lot of time and effort. In addition access point were disconnecting frequently because of the heat which made us attach a fan in order to support the cooling system in it. Bibliography Baggili, I., & Marrington, A. (2013). Advanced Cyber Forensics, Network Forensics Lecture 4. Dubai, United Arab Emirates. McKinley, H. L. (2003). SSL and TLS: A Beginners Guide. SANS Institute. McNabb, A. (2013, 8 29). UAE is world smartphone leader. Retrieved 10 15, 2013, from http://www.spotonpr.com/: http://www.spotonpr.com/uae-is-world-smartphoneleader/ Pilli, E. S., Joshi, R. C., & Niyogi, R. (2011). Data Reduction by Identification and Correlation of TCP/IP (pp. 276-283). India: International Conference and Workshop on Emerging Trends in Technology. Ponec, M., Giura, P., Brönnimann, H., & Wein, J. (2007). Highly Efficient Techniques for Network Forensics, 150-160. troyhunt. (2013, April 17). Retrieved from The beginners guide to breaking website security with nothing more than a Pineapple: http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html Wang, W. (2010). A graph oriented approach for network forensic. Iowa. Read More