30-07-2012, 03:29 PM
HONEYTRAPS-A NETWORK FORENSIC TOOL
HONEYTRAPS-A NETWORK FORENSIC TOOL.docx (Size: 199.01 KB / Downloads: 37)
Introduction
Computer Forensics:
Computer forensics involves the preservation, identification, extraction, interpretation, and documentation of computer evidence. The field of computer forensics has different facets, and is not defined by any one particular procedure. At a very basic level, computer forensics is the analysis of information contained within and created with computer systems, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved.
In many cases, the information gathered during a computer forensics investigation is not readily available or viewable by the average computer user. This might include items like deleted files and fragments of data that can be found in the space allocated for existing files, which is known by computer forensic practitioners as “slack space”. Special skills and tools are necessary to be able to obtain this type of information or evidence.
1.2 History of the discipline:
The roots of computer forensics start with the first time a system administrator had to figure out how and what a hacker had done to gain unauthorized access to explore the system. This was mainly a matter of discovering the incursion, stopping the incursion if it was still in progress, hunting down the hacker to chastise him or her, and fixing the problem.
The field of computer forensics began in the 1980s, shortly after personal computers became a viable option for consumers. In 1984, an FBI program was created. Known for a time as the Magnetic Media Program, it is now known as the Computer Analysis and Response Team (CART). Shortly thereafter, the man who is credited with being "the father of computer forensics" began work in this field. His name was Michael Anderson, and he was a special agent with the criminal investigation division of the IRS. Anderson worked for the government in this capacity until the mid 1990s, after which he founded New Technologies, Inc., a leading computer forensics firm.
In 1999, the team analyzed 17 terabytes of data; by 2003 the group examined 782 terabytes of data in just one year. With advances in computing and the proliferation of Internet access around the globe, computer forensics began to play a more important role for law enforcement officials. With the advent of smartphones and PDAs, the ways in which computer forensics may operate have become even more important, as criminals have a multitude of options for using computing devices to break the law.
Why Computer Forensics:
Evolution:
For years, computer and network security experts (whitehats) have fought to stay ahead of computer criminals (blackhats). As blackhats became more skilled and computers became more powerful, conventional security measures became less effective. This perpetual action-reaction cycle evolved into a new field of study known as Computer and Network Forensics (CNF). CNF is the art of discovering and retrieving information about computer-related crime in such a way that the gathered information is admissible in court.
There are two sides to CNF efforts. The first is to assess the impact of the malicious or suspect act or acts. In order to bring a computer criminal to justice, it must be possible to show that sufficient damage has been done so that the act can be accurately classified as a crime. Often, there is an economic threshold associated with statutes that govern computer crime.
The second part is to gather information that legally binds the act or acts that caused the damage to the perpetrator. This is the better known aspect of computer crime investigation; the standard "Who dun' it" component. In response to innovative computer criminals, CNF techniques have become highly sophisticated and CNF tools are increasingly effective. In addition to putting computer criminals in jail, CNF techniques have enabled whitehats to learn valuable information about blackhats' techniques and methods and to formulate protection and defense mechanisms, tools, and techniques.
Until recently, the relationship between CNF and mainstream computer and network security techniques has been vague at best. By their nature, security efforts traditionally depend on actions that are taken before an attack to protect resources or information from malicious access or use. This is done through access control techniques, encryption, and vulnerability assessment mechanisms.
Alternatively, CNF traditionally has had a different focus from both of these two perspectives. First, CNF is concerned with gathering information about attacks and perpetrators rather than directly protecting resources or information. Consequently, the second fundamental difference is that CNF has historically dedicated its efforts to actions taken after-the-fact, i.e. after malicious or suspicious activity has occurred, rather than activity that occurs before or during attacks.
The related concepts of deception security, Honeypots, and Honeynets [HN] have been the subject of organized investigation for several years. We coin the term "honeytraps" to reflect the tools that fall into any of these categories. Honeytraps allow us to collect information about blackhat activities without putting a real system at risk.
HoneyTraps:
What are HoneyTraps:
Honeytraps are systems (Honeypots or Honeynets) that are designed to be compromised. Honeytrap is a network security tool written to observe attacks against TCP services. As a low-interactive honeypot, it collects information regarding known or unknown network-based attacks and thus can provide early-warning information.
Honeypots are host systems that attract intruders to enter the host by emulating a known vulnerability. Essentially, they are modified production systems that create contained environments where intruder actions can be more safely monitored and documented. Their main goal is to capture and analyze data in order to learn about the blackhat community.
Honeypots are a highly flexible security tool with different applications for security. They don't fix a single problem. Instead they have multiple uses, such as prevention, detection, or information gathering.
An example of a honeypot is a system used to simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. This kind of honeypot can be used to log access attempts to those ports including the attacker's keystrokes. This could give you advanced warning of a more concerted attack.
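The low-interaction honeytrap described above (decoy listeners on designated ports that log each access attempt and the attacker's first input, and from that produce early-warning information) as an added illustration; this is example code written for this page, not the honeytrap project's own source. Port numbers, IP addresses and the scan threshold are constructed sample values.

```python
# Minimal low-interaction TCP honeypot: listens on designated decoy ports, logs
# each access attempt (source, port, first bytes sent) and summarises them.
import json
import socket
import socketserver
import threading
import time

MAX_CAPTURE = 512  # bytes of attacker input kept per connection; never executed


def record_attempt(src_ip, src_port, listen_port, payload, ts=None):
    """Build one forensic log record for a connection to a decoy port."""
    return {
        "ts": ts if ts is not None else time.time(),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": listen_port,
        "bytes": len(payload),
        # Stored as hex so binary input cannot corrupt the log or a log viewer.
        "payload_hex": payload[:MAX_CAPTURE].hex(),
    }


def early_warning(records, threshold=3):
    """Sources that touched >= threshold distinct decoy ports (scan-like behaviour)."""
    ports_by_src = {}
    for r in records:
        ports_by_src.setdefault(r["src_ip"], set()).add(r["dst_port"])
    return sorted(ip for ip, ports in ports_by_src.items() if len(ports) >= threshold)


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)  # a bare port scan may send nothing at all
        try:
            data = self.request.recv(MAX_CAPTURE)
        except socket.timeout:
            data = b""
        ip, port = self.client_address[:2]
        rec = record_attempt(ip, port, self.server.server_address[1], data)
        self.server.records.append(rec)
        print(json.dumps(rec))  # one JSON line per attempt; append to a file in practice


def serve(ports, bind="0.0.0.0"):
    """Start one decoy listener per port; returns the servers and their shared record list."""
    records, servers = [], []
    for p in ports:
        srv = socketserver.ThreadingTCPServer((bind, p), DecoyHandler)
        srv.records = records
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers, records
```

The decoys never answer with a real service banner, so nothing on the host is exposed; the value lies entirely in the records, which are what a forensic examiner would later correlate with firewall and system logs.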
A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. A honeynet contains one or more honeypots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems.
Although the primary purpose of a honeynet is to gather information about attackers' methods and motives, the decoy network can benefit its operator in other ways, for example by diverting attackers from a real network and its resources.
In addition to the honey pots, a honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. Applications within a honeynet are often given names such as "Finances" or "Human Services" to make them sound appealing to the attacker.
Honeytraps Used For Forensics?
With the introduction of honeytraps, the face of information gathering changed, putting whitehats in the offensive rather than the defensive mode. The purpose of honeytraps is to gather intelligence about the enemy to learn the tools, tactics, and motives of the blackhat community [HN]. To date, the information collected in honeytraps has not been intended for presentation in court. In order to use the information collected in honeytraps to prosecute the blackhat there are numerous legal issues to deal with.
As we discussed earlier, when an intruder is attracted (no matter how subtle that attraction may be) into a honeytrap, the honeytrap owner assumes liability for the actions the intruder took on the honeytrap.