/ LEAD FEATURE
Figure 2. Data encapsulation. Application data (e.g. a DNS request) sits inside a segment, whose header carries port numbers; the segment sits inside a packet, whose header carries IP addresses; the packet sits inside a frame, whose header carries MAC addresses.
putting it inside another package, called a frame, which uses another address – a Media Access Control (MAC) address – to uniquely identify the network interface of the next-hop device. So, we need three addresses: a port number, an IP address and the MAC address of the first step of the journey. And we'll need another three addresses to ensure that the response gets back to us. Your operating system will take care of the return addressing, and it will also supply the MAC address of the first step of the journey for us, as soon as we tell it the destination IP address; but we don't have that yet. To get it, your browser will need to use another important distributed system. This is the Domain Name System (DNS).

/ Internet Telephone Directory
Your browser has to construct another request – a DNS request – to ask a DNS server to resolve the name of the Web server into an IP address. To understand DNS it's best to think of it as working like an online telephone directory. You look up the name of the person you want to contact and the directory supplies you with the number that you need to use to contact them over the (telephone) network. On the Internet, it's IP addresses rather than telephone numbers that you need.

The IP address of at least one DNS server has been configured on your computer. This happens either statically or dynamically when the computer is powered up, typically via a Dynamic Host Configuration Protocol (DHCP) request for a DHCP server to give it an IP address, DNS server addresses, a default gateway, and a variety of other useful information. Since most personal computers are configured to use DHCP, this is another common point at which an attacker can strike: anyone on the LAN who can answer a DHCP request can supply the details of a rogue DNS server or gateway, and the rogue DNS server will resolve the Web server names you send into the IP addresses of malicious Web servers, unrelated to the intended destination.

Let's recap. We want to visit http://www.thedarkvisitor.com/ and your browser needs a destination IP address. To get this, it has to send a request to a DNS server, so that the name of the Web server we want to access is resolved to its IP address. The IP addresses of one or more DNS servers are stored on your machine, and the resolver (normally part of your operating system, acting on the browser's behalf) tries the first of these. DNS servers listen on User Datagram Protocol (UDP) port 53, so the request is placed in a UDP segment addressed to port 53. Hang on, I hear you cry, a segment? We've had packets and frames and now a segment, what do they all do? Well, a segment is simply another type of digital package: segments contain application data and are addressed to ports (i.e. they are addressed to a process on the destination computer, with a return address of a process on the originating computer). As Figure 2 shows, segments are placed inside packets, which use IP addresses to identify which devices are communicating. A packet is repeatedly placed inside, and then removed from, a succession of frames as it travels from device to device, making its way from its source to its final destination; the IP addresses inside the packet stay the same throughout, while the MAC addresses on the frame change at every hop.

As we follow the journey from browser to Web server and back again, we're concentrating on three questions: How does the entire process work? What opportunities are there for an attacker to subvert the process? Where might we find forensically significant artefacts? We've mentioned that an attacker might use malware to manipulate the Web request process on the originating host – every forensics investigator worth her salt knows about the Trojan defence and the importance of showing that submitted evidence takes into account any malware on the system. Of course, there will be a number of pieces of information on the host to help reconstruct what has gone on there. But now, in pursuit of an IP address for the destination Web server, we are about to send a DNS request inside a segment, in a packet, enveloped in a frame, over the network (see Figure 3). Just as every forensic investigator knows where to look for evidence on a seized computer, we also need to understand the forensic artefacts created by network activity that exist outside the originating computer. If an attacker can trick your device into wrapping its packet in a frame addressed to his computer, he can intercept the packet, look inside, and modify it if necessary before forwarding it on to its destination. He can also spoof a reply. If we don't know where to look for evidence, how will we be able to counter a defence based on the malicious interception of network traffic? From the safety of your computer, we're about to enter the dangerous coastal waters of your LAN and the wild seas of the Internet.
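The nesting the article describes (DNS request in a UDP segment, in an IPv4 packet, in an Ethernet frame), built and then peeled apart byte by byte. This is an added example written for this page, not code from the article; all MAC and IP addresses in it are made-up values (the 192.0.2.0/24 range is reserved for documentation), and the query name is the one the article uses. It also shows what a router does at each hop: the frame is replaced, the packet inside is not.

```python
"""Build and dissect frame -> packet -> segment -> DNS request (added example)."""
import ipaddress
import struct


def encode_dns_name(name: str) -> bytes:
    """DNS wire format: each label prefixed by its length, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_dns_name(data: bytes, offset: int) -> str:
    labels = []
    while data[offset]:
        n = data[offset]
        labels.append(data[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels)


def build_dns_query(name: str, txid: int) -> bytes:
    """Application data: a standard recursive A-record query (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD set
    return header + encode_dns_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_udp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Segment: addressed to ports. Checksum 0 means 'none', which RFC 768 allows over IPv4."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_packet(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Packet: addressed to IP addresses, which survive every re-framing on the way."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000, 64, 17, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + segment


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_frame(src_mac: str, dst_mac: str, packet: bytes) -> bytes:
    """Frame: addressed to the MAC of the *next hop* (here the gateway), not the final destination."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + packet


def reframe(frame: bytes, src_mac: str, dst_mac: str) -> bytes:
    """What every router does: strip the old frame and wrap the untouched packet in a new one."""
    return build_frame(src_mac, dst_mac, frame[14:])


def dissect(frame: bytes) -> dict:
    """Peel the layers off and return the six addresses plus the DNS question."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if internet_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    dns = udp[8:ulen]
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    return {
        "dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])), "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "src_port": sport, "dst_port": dport,
        "dns_txid": txid, "dns_is_query": not (flags & 0x8000),
        "dns_qname": decode_dns_name(dns, 12) if qdcount else None,
    }


# Constructed, made-up addresses for the first hop (assumption, not from the article).
HOST_MAC, GATEWAY_MAC = "02:00:00:00:00:01", "02:00:00:00:00:fe"
HOST_IP, DNS_IP = "192.168.1.10", "192.0.2.53"


def sample_frame() -> bytes:
    query = build_dns_query("www.thedarkvisitor.com", txid=0x1234)
    segment = build_udp_segment(54321, 53, query)
    packet = build_ipv4_packet(HOST_IP, DNS_IP, segment)
    return build_frame(HOST_MAC, GATEWAY_MAC, packet)


if __name__ == "__main__":
    first_hop = sample_frame()
    print(dissect(first_hop))
    second_hop = reframe(first_hop, "02:00:00:00:01:00", "02:00:00:00:01:01")
    assert second_hop[14:] == first_hop[14:]   # new frame, same packet
```

The frame's destination MAC is the only address here that an attacker on the LAN needs to change to put himself in the path: if the host can be persuaded that the gateway's MAC is the attacker's, `build_frame` is called with his MAC and nothing inside the packet reveals the detour, which is why `dissect` on a capture must be read alongside what the gateway's MAC should have been.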
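The DHCP attack the article warns about, seen from the defender's side: a check that parses a DHCP server reply and flags any server, default gateway or DNS server it hands out that is not on the expected list. This is an added example written for this page, not the article's own code; the two replies it audits are constructed inline (a legitimate one and one from a rogue server at a made-up address), and the trusted-address sets are assumptions a real deployment would fill from its own network documentation.

```python
"""Audit DHCP OFFER/ACK messages for rogue gateway or DNS settings (added example)."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 51, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp_reply(msg_type, xid, yiaddr, server_id, router, dns_servers, chaddr):
    """Constructed server reply: RFC 2131 fixed fields, magic cookie, then TLV options."""
    packed = lambda ip: ipaddress.IPv4Address(ip).packed
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, packed(yiaddr), packed(server_id), b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    dns = b"".join(packed(d) for d in dns_servers)
    opts = (bytes([OPT_MSG_TYPE, 1, msg_type])
            + bytes([OPT_SERVER_ID, 4]) + packed(server_id)
            + bytes([OPT_ROUTER, 4]) + packed(router)
            + bytes([OPT_DNS, len(dns)]) + dns
            + bytes([OPT_LEASE, 4]) + struct.pack("!I", 3600)
            + bytes([OPT_END]))
    return fixed + DHCP_MAGIC + opts


def parse_dhcp(data: bytes) -> dict:
    """Return the fields that matter for the audit, with options as a code -> raw value map."""
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", data[:8])
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == OPT_END:
            break
        length = data[i + 1]
        # RFC 3396: a repeated option code continues the previous value
        options[code] = options.get(code, b"") + data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(data[16:20])),
            "chaddr": data[28:28 + hlen], "options": options}


def ip_list(raw: bytes) -> list:
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) - len(raw) % 4, 4)]


def audit_dhcp_reply(data: bytes, trusted_servers: set, trusted_routers: set, trusted_dns: set) -> list:
    """Findings for a server reply whose settings diverge from the documented network."""
    msg = parse_dhcp(data)
    opts = msg["options"]
    mtype = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "?")
    if msg["op"] != 2 or mtype not in ("OFFER", "ACK", "NAK"):
        return []                                     # client messages carry no settings to audit
    findings = []
    for server in ip_list(opts.get(OPT_SERVER_ID, b""))[:1]:
        if server not in trusted_servers:
            findings.append(f"{mtype} from unknown DHCP server {server}")
    for router in ip_list(opts.get(OPT_ROUTER, b"")):
        if router not in trusted_routers:
            findings.append(f"{mtype} pushes unexpected default gateway {router}")
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in trusted_dns:
            findings.append(f"{mtype} pushes unexpected DNS server {dns}")
    return findings


# Constructed samples (assumed addresses; 192.0.2.0/24 is the documentation range).
TRUSTED = dict(trusted_servers={"192.168.1.1"}, trusted_routers={"192.168.1.1"},
               trusted_dns={"192.168.1.1", "192.0.2.53"})
CLIENT_MAC = bytes.fromhex("020000000001")
GOOD_OFFER = build_dhcp_reply(2, 0xDEADBEEF, "192.168.1.10", "192.168.1.1",
                              "192.168.1.1", ["192.168.1.1"], CLIENT_MAC)
ROGUE_OFFER = build_dhcp_reply(2, 0xDEADBEEF, "192.168.1.10", "192.168.1.66",
                               "192.168.1.66", ["192.168.1.66", "192.0.2.99"], CLIENT_MAC)

if __name__ == "__main__":
    for name, reply in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_dhcp_reply(reply, **TRUSTED) or "clean")
```

Run against a capture, the same check is also a forensic one: a rogue OFFER that beat the real server to the client explains why a host's resolver was pointed at an address no one configured, and the reply's transaction ID ties it to the client's DISCOVER.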
10 Digital / ForensicS
DF1_08-13_Lead Feature.indd 10 29/10/09 5:06:28 pm