/ LEAD FEATURE
/ Pharming and Phishing
Get more information on understanding pharming and phishing:
http://en.wikipedia.org/wiki/Pharming
http://en.wikipedia.org/wiki/Phishing

order coming out of the other end. Since HTTP is often used to transfer large Web pages that won’t fit into a single packet, it is natural for it to use TCP.

Unlike UDP, which simply sends a packet whenever someone has any data to transfer, TCP has three phases. First it sets up the connection using a ‘three-way handshake’, then it uses the connection to allow both parties to exchange data (i.e. the same connection is used both to send and receive data by each endpoint) and finally the connection in both directions is closed down.

The three-way handshake is shown in Figure 6, which is from the Request For Comment (RFC) 793 that describes TCP. The essence of TCP is that each endpoint computer uses a number to show how much data it has transferred so far. If I tell you that I’ve sent 30 bytes and you acknowledge that you received 30, then everything is fine. If I then say that now the total transferred is 40 bytes, but you say that you still only have 30 bytes from me, then TCP knows to retransmit the missing data. If the numbers get too far out then TCP will reset the connection and another connection will have to be set up. The numbers are called sequence numbers and an initial sequence number (ISN) is chosen at random. This protects against a delayed packet arriving later and interfering with another connection, and protects against an attacker guessing the number and forging a TCP packet, which would allow him to hijack the TCP connection. (As the TCP connection is known as a session, this attack is called a TCP session hijack – not to be confused with cookie stealing session hijacks).

Following the packets in Figure 6, we can see that device TCP A sends a packet with a control bit set to show that it is a synchronisation packet – a SYN packet – that synchronises the connection by sending an ISN. Line 2 shows a reply packet from TCP B that acknowledges A’s ISN and sends one of its own; this packet is a SYN-ACK packet. Finally, the connection is set up on line 3 when A sends an ACK to acknowledge B’s ISN.

        TCP A                                                    TCP B
   1.  SYN-SENT     >  <SEQ=100><CTL=SYN>                >  SYN-RECEIVED
   2.  ESTABLISHED  <  <SEQ=300><ACK=101><CTL=SYN,ACK>   <  SYN-RECEIVED
   3.  ESTABLISHED  >  <SEQ=101><ACK=301><CTL=ACK>       >  ESTABLISHED

Figure 6. TCP three-way handshake (adapted from RFC 793)

Consequently, every HTTP GET request we make is sent by setting up a TCP connection between your computer and the destination Web server – we send a SYN, the Web server sends us a SYN-ACK, and then we complete the connection with an ACK. The next packet sent on this connection contains our GET request. Subsequent packets from the Web server will also be part of this TCP connection, and will contain the Web page we requested or a response containing an error message.

If our simple Web request to http://thedarkvisitor.com/ is similar to the test request that I have just run from my computer, it will have resulted in 7 TCP connections to four different Web server IP addresses (the main Web page contains images that have to be retrieved from other Web servers) with 235 packets transferred that together contained 80,216 bytes. Assuming that, like my computer, yours is 17 hops away from the destination Web server, each of the 235 packets will have been placed in 17 different frames as they travelled between source and destination and many ARP request/reply frames will have been generated as these devices updated their ARP caches. A reasonable estimate is that this one Web request resulted in well over 4,000 frames being transmitted.

If we hope to keep our Web browsing private, we can think again – 17 other computers know what we requested and what was returned, since the contents of our connections are unencrypted, and every computer on each of the 17 networks we passed through could potentially use a MITM attack to view the contents too.

In this article, we have followed the journey of a Web request from its origins as a URL typed into a browser, through the operating system of the source computer, and through several intermediate devices on its way to the destination Web server. We’ve seen how ARP and DNS are involved in the route that it takes, and how a request is sent over a TCP connection that first has to be synchronised by a three-way handshake. What appears to most users as a simple click of the mouse turns out to be a very complicated process involving thousands of frames and many networks.

With so many opportunities for malicious intervention and manipulation, evidence of a particular Web request or response is not necessarily the smoking gun it might appear to be. But any request creates ripples in the digital ocean that travel widely and can be spotted, if you know what you’re looking for and where to look. /

/ Author Bio
Dr Tim Watson is the head of the Department of Computer Technology at De Montfort University and the leader of its computer forensics and security group. With more than twenty years’ experience in the computing industry and in academia, he has been involved with a wide range of computer systems on several high-profile projects and has acted as a consultant for some of the largest telecoms, power and oil companies. Tim is a regular media commentator on computer forensics and security.
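The handshake in Figure 6, with the ISN check that each side performs on the ACK it receives, as an added Python model that is not part of the original article. `Endpoint`, `Segment`, `handshake` and `synack_accepted` are names assumed here; the ISNs 100 and 300 are the example values from the figure, and `synack_accepted` shows the rejection that an ACK built around a wrongly guessed ISN runs into.

```python
from collections import namedtuple

MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around
Segment = namedtuple("Segment", "seq ack ctl")  # ack is None if ACK bit unset

class Endpoint:
    def __init__(self, isn):
        self.isn, self.state = isn % MOD, "CLOSED"
        self.snd_nxt = self.rcv_nxt = 0  # next SEQ to send / to expect

    def send_syn(self):  # line 1: <SEQ=ISN><CTL=SYN>; SYN uses one number
        self.state, self.snd_nxt = "SYN-SENT", (self.isn + 1) % MOD
        return Segment(self.isn, None, frozenset({"SYN"}))

    def recv_syn(self, seg):  # line 2: ack peer's ISN+1, offer our own ISN
        if seg.ctl != frozenset({"SYN"}):
            raise ValueError("expected a bare SYN; segment dropped")
        self.rcv_nxt = (seg.seq + 1) % MOD
        self.state, self.snd_nxt = "SYN-RECEIVED", (self.isn + 1) % MOD
        return Segment(self.isn, self.rcv_nxt, frozenset({"SYN", "ACK"}))

    def recv_synack(self, seg):  # line 3: ACK must match the ISN we sent
        if seg.ctl != frozenset({"SYN", "ACK"}) or seg.ack != self.snd_nxt:
            raise ValueError("ACK does not match our ISN; segment dropped")
        self.rcv_nxt, self.state = (seg.seq + 1) % MOD, "ESTABLISHED"
        return Segment(self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))

    def recv_ack(self, seg):  # B's last step: ACK must match B's ISN+1
        if seg.ctl != frozenset({"ACK"}) or seg.ack != self.snd_nxt:
            raise ValueError("unexpected ACK; segment dropped")
        self.state = "ESTABLISHED"

def handshake(isn_a=100, isn_b=300):
    """Run Figure 6 with its example ISNs; return both states and segments."""
    a, b = Endpoint(isn_a), Endpoint(isn_b)
    s1 = a.send_syn()
    s2 = b.recv_syn(s1)
    s3 = a.recv_synack(s2)
    b.recv_ack(s3)
    return a.state, b.state, (s1, s2, s3)

def synack_accepted(isn_a, acked_isn):
    """Does A, which sent isn_a, accept a SYN-ACK acknowledging acked_isn?"""
    a = Endpoint(isn_a)
    a.send_syn()
    reply = Segment(300, (acked_isn + 1) % MOD, frozenset({"SYN", "ACK"}))
    try:
        return a.recv_synack(reply).ctl == frozenset({"ACK"})
    except ValueError:
        return False
```

With a random 32-bit ISN the chance of `acked_isn` matching by guesswork is one in 2^32 per attempt, which is the protection the article describes.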
13
DF1_08-13_Lead Feature.indd 13 30/10/09 4:20:39 pm