Network Forensic Report CYB305
- Subject Code: CYB305
- University: Queensland University of Technology (QUT)
- Country: Australia
Network Forensic Report
PCAP Network Packet Capture Analysis
Last compiled by Sriram Raghavan on 5/22/2008
This report provides the details of the forensic analysis performed in Brisbane, Queensland, Australia on the network capture file nforensics.pcap.
Table of Contents
1. Executive Summary
2. Introduction
2.1 Network Capture File details
2.2 Network Components Identified
3. Methodology
3.1 Tools Used
3.2 Steps Involved
3.3 Handling Data
4. Detailed Findings
4.1 Important network players
4.2 Network Structure
4.3 Activity Timeline for 192.168.1.103
4.4 Background evidence
5. Supporting Evidence Presented
6. Conclusions
7. Appendix A List of figures (Evidence 038, 039, 040, 041, 042, 043, 044)
1. Executive Summary
The purpose of this report is to analyse and report the contents of the network capture file nforensics.pcap.gz, a gzip archive of the network traffic monitored on a given network. This archive was extracted to nforensics.pcap on a local hard drive before the analysis was carried out. The capture is reported to contain the activities of an individual operating with IP address 192.168.1.103 on the host network. The analysis attempts to reconstruct the structure of the network, identify the key players on it and determine all activities leading up to and occurring during the reported malicious activity. The analysis was carried out mainly with the network forensic tools Wireshark ver0.99.7 and pyFLAG ver0.86RC1. The key findings are listed below; each is elaborated with supporting evidence documents in Section 4.4.
There are 6 Ethernet endpoints on the 192.168.1.xx subnet. The known IPs are 192.168.1.1, 192.168.1.103, 192.168.1.105 and 192.168.1.121.
The two remaining endpoints, UscInfor-00-00-02 and UscInfor-00-00-FB, are not hosts: Wireshark resolves the 01:00:5E OUI as UscInfor, and 01:00:5E:00:00:02 and 01:00:5E:00:00:FB are the Ethernet multicast addresses for 224.0.0.2 and 224.0.0.251 (the mDNS group that 192.168.1.121 is seen sending to). They appear only as frame destinations and can be regarded as irrelevant to the case.
The device at 192.168.1.1 forwards the suspect's requests to external domains and is identified as a Cisco router on the subnet.
Based on the DNS response analysis, the suspect appears to reside in Australia or New Zealand.
The suspect's computer runs Windows NT 5.1 (Windows XP) with the Mozilla Firefox 1.5.0.7 browser.
Based on the machine name of the suspect's computer, LAMONT01, and the MSN Hotmail ID lam3rallround@hotmail.com, the suspect's name may be Lamont.
The suspect searched for and obtained a copy of WGET.exe, downloaded from http://users.ugent.be/~bpuype/wget.
The suspect was found to have logged into the router and reconfigured its firewall.
During the analysis, the following email IDs were observed:
lam3rallround@hotmail.com
phlatoutphishing@yahoo.com.au
gonnagetphished@gmail.com
The suspect owns the ID lam3rallround@hotmail.com and uses MSN Messenger ver7.5.0299 for chat sessions.
The suspect's accomplice with Yahoo ID phlatoutphishing@yahoo.com.au was identified as Mr. Justin Case.
Based on the chat sessions analysed, the suspect (lam3rallround@hotmail.com) and Mr. Justin Case (phlatoutphishing@yahoo.com.au) were planning to mirror the National Australia Bank (NAB) website and use the mirror as a phishing site. The suspect and Mr. Justin Case sent a phishing email to Mr. Ronald Brown, Google Mail ID gonnagetphished@gmail.com.
Mr. Justin Case tells the suspect that the phishing website captures bank account and password details before forwarding the victim to the real bank website.
Searching the strings output file for the string "password" revealed that the phishing website had captured Mr. Ronald Brown's NAB account details:
Account Number: 408854893
Password: 96Cam
The filter ip.addr == 220.237.83.151 revealed no packets involving the suspect's IP 192.168.1.103. However, there are sequences of transactions between the suspect's IP and 165.228.133.11 and 200.88.223.98 on port 31337, and the strings output contains HTTP requests addressed to 220.237.83.151:31337. This is suspicious and the investigator believes that the suspect tunnelled the access to 220.237.83.151 on the same port, bypassing the firewall on router 192.168.1.1.
2. Introduction
2.1 Network Capture File details
The extracted PCAP network capture file nforensics.pcap has the forensic parameters given below. The evidence for these details is provided in Figure 1, extracted from Wireshark ver0.99.7:
Capture length: 10709492 bytes
Format: Wireshark/tcpdump/... libpcap
Packet size limit: 65535 bytes
First packet: 08-OCT-2006 14:09:59 HRS
Last packet: 08-OCT-2006 16:27:38 HRS
Elapsed time: 2 hours, 17 minutes, 38 seconds (8258.972 seconds)
Total packets: 16,263
Average packets/sec: 1.969 packets/sec
Average packet size: 642.517 bytes
Average bytes/sec: 1265.201 bytes/sec
Computed hashes of nforensics.pcap.gz:
MD5: 5E71542623C993F987E477A5ACD6CF9C
SHA1: 10D7EB58E57D2F7D19030F820BEDA7229B2009B6
Computed hashes of nforensics.pcap:
MD5: AC569D56768C6F827D24E74D4383BD6D (verified)
SHA1: 13047906924F6F0E7FA3FEE63285C16DF727FD34
Figure 1. Packet capture summary from Wireshark ver0.99.7
2.2 Network Components Identified
According to the capture summary provided by Wireshark ver0.99.7, there are 6 distinct Ethernet endpoints. They were determined from the Ethernet Endpoints listed under Statistics:
1. AppleCom-78-F9-AF | 192.168.1.121 | Apple iBook G4 laptop
2. AppleCom-9F-51-76 | 192.168.1.105 | Apple computer
3. AsustekC-8E-56-84 | 192.168.1.103 | Windows NT 5.1 (en-GB)
4. Cisco-Li-2A-9F-46 | 192.168.1.1 | Cisco router
5. UscInfor-00-00-02 | (no IP; multicast destination address)
6. UscInfor-00-00-FB | (no IP; multicast destination address)
Based on the statistics report, the endpoints UscInfor-00-00-02 and UscInfor-00-00-FB were not significantly involved in the conversations tracked in the capture file and can be regarded as irrelevant for the remainder of the investigation. They are in fact not devices at all: the 01:00:5E prefix that Wireshark resolves as UscInfor is the IPv4 multicast MAC range, and these two addresses are the Ethernet destinations for the groups 224.0.0.2 and 224.0.0.251, so they never source a frame. The device with MAC address AsustekC-8E-56-84 was found to hold the IP address 192.168.1.103, which is our suspect. The device with MAC address Cisco-Li-2A-9F-46 was found to hold the IP address 192.168.1.1. This device was also found to forward packets from the suspect's IP address 192.168.1.103 to external websites such as Google Mail, Yahoo, MSN and several others, which implies that it was functioning as the router for the network. Based on the sequence of TCP transactions between 192.168.1.103 and 192.168.1.1 itself, this report concludes that the router was also hosting one or more application services.
3. Methodology
3.1 Tools Used
The contents were analysed with the network forensic tools Wireshark ver0.99.7, executing under Windows XP Service Pack 2 on a 2.33 GHz Intel Core 2 Duo CPU with 1.95 GB RAM, and pyFLAG ver0.86RC1, executing on Fedora Linux with kernel 2.6.21 on the same system. The findings were later cross-verified on another system, a 1.66 GHz Intel Core 2 Duo CPU with 2 GB RAM running Windows Vista Home Premium Service Pack 1 and Wireshark ver0.99.7. The analysis revealed several external IPs, which were resolved using the NSLOOKUP tool against HELIOS.isi.qut.edu.au (IP 131.181.6.4) as the primary DNS server and verified against SENTRY.isi.qut.edu.au (IP 131.181.97.10). Several IP addresses could not be resolved by either server; they are marked as such in Section 4, Table 3 of this report.
3.2 Steps Involved
The archive was extracted to nforensics.pcap and opened in Wireshark ver0.99.7 on Windows for analysis. The preliminary details of the capture were taken from the Statistics menu, which lists all endpoints and conversations at the Ethernet, IP, TCP and UDP layers. The list revealed several external addresses, which were resolved with NSLOOKUP at various points during the analysis. After this preliminary pass, display filters were applied in Wireshark to trace transactions of a specific type and to determine which IPs generated most of the traffic of that type. These are Wireshark display filters (field-based expressions such as ip.addr == x), not libpcap/BPF capture filters, which can only be applied while capturing; the distinction matters because a display filter never alters the evidence file. Some of the filters applied were:
ip, dns, udp, tcp, http, ssl, msnms, igmp, ip.addr == 192.168.1.103, ip.src == 192.168.1.103, tcp && ip.dst == 192.168.1.103, ip.dst == 192.168.1.103, ip.addr == 192.168.1.1, http && ip.dst == 192.168.1.1, etc.
pyFLAG was used to recover the text messages exchanged on the network between the suspect (IP 192.168.1.103) and others. The chain of messages traced indicates that the suspect attempted to mirror the National Australia Bank website (www.national.com.au) and use the copy for phishing. The suspect's accomplice is the messenger contact phlatoutphishing@yahoo.com.au. The two plan to mirror the bank's website and send a bogus email requesting personal details from a person known to hold an account with the same bank. Based on the communication, the NAB site was mirrored and hosted as a phishing website at 220.237.83.151, port 31337, by the accomplice. There is no explicit transaction record between 192.168.1.103 and 220.237.83.151 in the PCAP file.
3.3 Handling Data
Figure 2. Protocol Hierarchy captured with Wireshark ver0.99.7
Packet type | Number of packets | Requests | Technique (requests) | Responses | Technique (responses)
ARP | 110 | 89 | arp | 21 | arp
IP | 16153 | - | | - |
TCP | 15884 | Not calc. | | Not calc. |
UDP | 268 | - | | - |
DNS | 224 | | | |
HTTP | 1113 | 542 | http && ip.src == 192.168.1.xx | 527 | http && ip.src != 192.168.1.xx (also POST, continuation and destination unreachable packets)
BROWSER | 20 | - | | - |
SSL | 647 | 64 | ssl (client + server hello) | 579 | ssl (647 less 4 destination unreachable and 64 hello)
MSNMS | 671 | - | | - |
Table 1. Decomposition of different packet types from the capture
Based on the statistics in Table 1, the traffic is predominantly TCP. The Wireshark tcp filters reveal a significant volume of TCP requests and responses involving 192.168.1.103 and 192.168.1.1. Since the machine at 192.168.1.1 appears to be a Cisco router, this report concludes that 192.168.1.103 was the major contributor to this traffic. Significant browsing of external websites was also detected in Wireshark with the http filter and cross-verified with the pyFLAG network forensic analysis. Evidence is presented in Evidence File IDs 12, 14 and 15 in Section 5, Table 4 of this report.
IP Address As Sender As Receiver
192.168.1.103 6713 9437
192.168.1.1 231 213
192.168.1.121 5 0
192.168.1.105 0 0
192.168.1.111 0 0
Table 2. Decomposition of IP traffic (Inbound & Outbound)
It is evident from Table 2 that 192.168.1.103 was the most prominent player in the network activity captured on 8 October 2006. The activity seen on 192.168.1.1 can be attributed to its role as the router of the network.
4. Detailed Findings
4.1 Important network players
1. AppleCom-78-F9-AF | 192.168.1.121 | Apple iBook G4 laptop
2. AppleCom-9F-51-76 | 192.168.1.105 | Apple computer
3. AsustekC-8E-56-84 | 192.168.1.103 | Windows NT 5.1 (en-GB)
4. Cisco-Li-2A-9F-46 | 192.168.1.1 | Cisco router
To determine the IP addresses of the MAC devices on the network, the investigator examined the source and destination addresses of the Ethernet frames and of the IP packets they carry, and correlated the two layers. This revealed that the devices with MAC addresses AsustekC-8E-56-84, AppleCom-78-F9-AF and AppleCom-9F-51-76 owned the IP addresses 192.168.1.103, 192.168.1.121 and 192.168.1.105 respectively. The device with MAC address Cisco-Li-2A-9F-46 was seen with multiple IP addresses during this examination; NSLOOKUP showed that several of these IPs belonged to external domains, so this device must have been forwarding those packets. As a result, this report confirms the identity of this device as a Cisco router with IP address 192.168.1.1. Evidence is presented in Evidence File IDs 1 to 9 and 38 to 41 in Section 5, Table 4 of this report.
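The layer-2/layer-3 correlation described above, and the display-filter checks listed in Section 3.2, can be reproduced outside Wireshark. The following Python reader is an added example and is not part of the original report or of Wireshark: it parses the libpcap record format directly, correlates source MACs with source IPs to find the forwarding device, and implements the equivalents of the ip.addr, tcp.port and frame contains filters. The capture it runs on is constructed inside the block with placeholder MAC addresses and invented packet contents; nothing from nforensics.pcap itself is reproduced.

```python
"""Minimal libpcap reader with the endpoint correlation and display-filter equivalents
used in the report. Added example; the capture at the bottom is constructed."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap 2.4 with microsecond timestamps


def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def tcp_segment(sport, dport, payload=b""):
    # Data offset 5 (no options), PSH|ACK; checksum left zero, the reader never checks it.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload

def udp_datagram(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def ipv4_packet(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload

def eth_frame(src_mac, dst_mac, payload, ethertype=0x0800):
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload

def build_pcap(frames, t0=1160274599):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", t0 + n, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Walk the record headers and extract the Ethernet/IPv4/TCP/UDP fields."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    records, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        rec = dict(dst_mac=frame[0:6].hex(":"), src_mac=frame[6:12].hex(":"), src_ip=None,
                   dst_ip=None, proto=None, sport=None, dport=None, payload=b"")
        if struct.unpack_from("!H", frame, 12)[0] == 0x0800:  # IPv4
            ihl = (frame[14] & 0x0F) * 4
            rec["proto"] = frame[23]
            rec["src_ip"] = ".".join(map(str, frame[26:30]))
            rec["dst_ip"] = ".".join(map(str, frame[30:34]))
            l4 = frame[14 + ihl:]
            if rec["proto"] == 6 and len(l4) >= 20:  # TCP: skip header including options
                rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4)
                rec["payload"] = l4[(l4[12] >> 4) * 4:]
            elif rec["proto"] == 17 and len(l4) >= 8:  # UDP
                rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4)
                rec["payload"] = l4[8:]
        records.append(rec)
    return records

def mac_to_ips(records):
    """Layer-2/layer-3 correlation: every source IP seen behind each source MAC."""
    seen = defaultdict(set)
    for r in records:
        if r["src_ip"]:
            seen[r["src_mac"]].add(r["src_ip"])
    return seen

def find_router(records):
    """The MAC that sources frames for the most distinct IPs is forwarding for them."""
    return max(mac_to_ips(records).items(), key=lambda kv: len(kv[1]))[0]

def display_filter(records, ip_addr=None, tcp_port=None):
    """Equivalent of Wireshark's `ip.addr == X` and `tcp.port == N` display filters."""
    return [r for r in records
            if (ip_addr is None or ip_addr in (r["src_ip"], r["dst_ip"]))
            and (tcp_port is None or (r["proto"] == 6 and tcp_port in (r["sport"], r["dport"])))]

def payload_grep(records, needle):
    """Equivalent of `frame contains "..."` or grepping the strings output."""
    return [r for r in records if needle in r["payload"]]


# Constructed sample capture: placeholder MACs, invented packet contents.
SUSPECT, ROUTER, IBOOK = "00:1a:92:8e:56:84", "00:1a:70:2a:9f:46", "00:14:51:78:f9:af"
MDNS = "01:00:5e:00:00:fb"  # Ethernet multicast address for 224.0.0.251, not a device
SAMPLE_PCAP = build_pcap([
    eth_frame(SUSPECT, ROUTER, ipv4_packet("192.168.1.103", "192.168.1.1", 17,
              udp_datagram(51000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),
    eth_frame(ROUTER, SUSPECT, ipv4_packet("192.168.1.1", "192.168.1.103", 17,
              udp_datagram(53, 51000, b"\x12\x34\x81\x80" + b"\x00" * 8))),
    eth_frame(SUSPECT, ROUTER, ipv4_packet("192.168.1.103", "165.228.133.11", 6,
              tcp_segment(1300, 31337, b"GET / HTTP/1.1\r\nHost: 220.237.83.151:31337\r\n\r\n"))),
    eth_frame(ROUTER, SUSPECT, ipv4_packet("165.228.133.11", "192.168.1.103", 6,
              tcp_segment(31337, 1300, b"HTTP/1.1 200 OK\r\n\r\n"))),
    eth_frame(IBOOK, MDNS, ipv4_packet("192.168.1.121", "224.0.0.251", 17,
              udp_datagram(5353, 5353, b"\x00" * 12))),
])
```

On a real file, parse_pcap(open("nforensics.pcap", "rb").read()) replaces SAMPLE_PCAP. On the constructed capture find_router returns the placeholder Cisco MAC because it is the only MAC seen sourcing frames for more than one IP, display_filter(recs, ip_addr="220.237.83.151") matches nothing while payload_grep(recs, b"220.237.83.151") finds the Host header carrying that address, which is the same pattern Section 4.4 reports, and the mDNS frame shows why the multicast address in the Ethernet endpoint list never appears as a source. The reader handles only the little-endian microsecond pcap variant with Ethernet link type, the one Wireshark reports for this file, and does not verify checksums.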
4.2 Network Structure
Figure 3. Possible Network Structure based on reconstruction from nforensics.pcap
Based on the forensic analysis of the captured packets, the possible network structure is illustrated in Figure 3. The many DNS requests directed to 192.168.1.1 indicate that this machine was the DNS server for the network. Besides, the traffic to the many external websites visited is, at the MAC layer, directed through this machine. Hence this report concludes that the machine was a Cisco router. Based on the TCP transactions between this machine and the suspect 192.168.1.103, this report infers that a web administration interface was running on it: the HTTP GET requests are for paths such as firewall.sh and cgi-bin/webif.sh. This is observed with the filter tcp && ip.addr == 192.168.1.1 between packets numbered 6960 and 7189. The investigator's opinion is that the machine was executing a firewall to which the suspect had administrative access. It is unclear whether the suspect acquired this access legitimately or not.
4.3 Activity Timeline for 192.168.1.103
Packet number | Activity | Destination | Inference
1 | Google Search, Australia | 66.102.7.99 | Searching for info
39, 81 | Search result: how to mirror website | 66.102.7.99 | Seeking how to mirror websites
109 | htdig.binarycompass.org | 216.52.244.214 | Seeking how to mirror websites
98 | Search result: wget win32 binary | 66.107.7.99 | Searching for wget.exe
198 | users.ugent.be/~bpuype/wget/ | 157.193.40.15 | Attempting to download wget.exe
1023 | ak.imgag.com | 198.142.23.81 |
1073 | rad.msn.com | 207.68.178.16 | Logging into MSN mail server
1388 | kiwi.planetmirror.com | 203.16.234.91 | Mirror site for download
6945 | Google Search, Australia | 66.102.7.99 | Searching for info
6964 | Cisco router | 192.168.1.1 | Reconfiguring firewall
7213 | NO LOOKUP | 165.228.133.11 | Tunnelled transactions to phishing website hosted at 220.237.83.151 on port 31337
7286 | national.com.au | 203.57.240.101 | Mirroring NAB website
8091 | forecastfox.accuweather.com | 32.114.14.11 | Searching for weather forecast Brisbane
9887 | au.yimg.com | 198.142.23.22 | Communicating with Yahoo messenger server
10728 | yahoo.com | 68.142.213.132 | Communicating with Yahoo server
10790 | yahoo.com | 209.73.168.74 | Communicating with Yahoo server
11607 | NO LOOKUP | 12.129.210.46 | UNKNOWN
13386 | codetel.net.do | 200.88.223.98 | Tunnelled transactions to phishing website hosted at 220.237.83.151 on port 31337
13596 | national.com.au | 203.57.241.101 | Mirroring NAB website
14994 | iprimus.net.au | 210.50.7.243 | UNKNOWN
Table 3. Activity timeline based on network forensic analysis and event reconstruction
Note: only distinct IP addresses with different timestamps are listed. Each entry is followed by a sequence of TCP/HTTP packets that is not reproduced in this table. The packet numbers give the first occurrence of each transaction.
4.4 Background evidence
The integrity of the capture file was verified by comparing the MD5 sum of the uncompressed file against the value supplied with the evidence. The investigator has also recorded the SHA1 sum of the same file, which matters because MD5 on its own is no longer collision-resistant. Refer to Section 2.1 for the values.
All communication took place between 2:09:59 PM and 4:27:38 PM on 8 October 2006. The evidence is presented in Section 2.1, Network Capture File details.
There are 6 Ethernet endpoints on the 192.168.1.xx subnet, of which one is a Cisco router (IP 192.168.1.1), one is the wanted suspect's computer (IP 192.168.1.103) running Windows NT 5.1 and one is an Apple G4 iBook laptop (IP 192.168.1.121). We infer this by selecting Endpoints in the Statistics menu and correlating the result with the ARP packets shown by the arp filter in Wireshark ver0.99.7. Evidence IDs 1 and 2 in Table 4 list all Ethernet conversations and endpoints detected in the network and Evidence ID 3 lists the ARP traffic.
The filter dns && ip.src == 192.168.1.121 reveals exactly one packet, to destination 224.0.0.251 (the mDNS multicast group). The Info contents of this packet indicate that the source machine (IP 192.168.1.121) is an Apple iBook G4 laptop. Evidence ID 18 in Table 4, the list of DNS queries, is provided in support of this argument.
Using the arp filter in Wireshark ver0.99.7 and the Endpoints listing in the Statistics menu, this report observes that the number of packets transmitted from UscInfor-00-00-02 and UscInfor-00-00-FB is negligible. This is expected: they are the Ethernet multicast addresses for 224.0.0.2 and 224.0.0.251, which only ever appear as destinations, so they did not participate in the network as devices. Evidence IDs 2 and 3 in Table 4 are presented in support of this argument.
The filters ip.dst == 192.168.1.105 and ip.dst == 192.168.1.121 reveal no packets in Wireshark, which leads this report to conclude that these machines did not receive any unicast packets during the period. This was verified with pyFLAG by browsing through the virtual file system using the built-in network filters.
The filter ip.src == 192.168.1.105 reveals no packets, indicating that this machine did not actively participate in the network.
The filter ip.src == 192.168.1.121 reveals exactly 5 packets, none of suspicious nature: routine ENIP broadcast packets and one IGMP Leave Group packet. This report concludes that this machine also did not actively participate in the network during the capture period.
The filters dns && ip.addr == 192.168.1.105 and dns && ip.addr == 192.168.1.121 reveal no packets that would indicate these machines hosted application services. In other words, no server applications were detected on these machines.
Using the dns filter, the packets reveal several DNS requests directed to 192.168.1.1, most of which originated from the suspect's computer. We infer that a DNS service was running on 192.168.1.1 and that the suspect visited several external websites. Evidence ID 18 in Table 4 lists the DNS queries in the network.
The filter tcp && ip.addr == 192.168.1.1 reveals several transactions between 192.168.1.1 and 192.168.1.103. On analysing the contents of these packets (the HTTP/1.1 GET requests), this report observes that scripts including firewall.sh and cgi-bin/webif.sh were being requested from 192.168.1.1. This report believes that 192.168.1.1 was running a firewall that the suspect reconfigured. Evidence IDs 20 and 21 in Table 4, listing the TCP requests and responses exchanged between 192.168.1.1 and 192.168.1.103, are presented in support of this argument.
Using the filter http && ip.src == 192.168.1.103 and analysing the HTTP/1.1 GET packets reveals that the HTTP User-Agent is the Mozilla Firefox 1.5.0.7 browser. Further, most responses direct the browser to Australian websites, which indicates that the subnet may be located in Australia or New Zealand and hence that the suspect (192.168.1.103) resides there. Evidence ID 14 in Table 4, listing the HTTP requests generated from 192.168.1.103, is presented in evidence. Evidence ID 23, providing the load analysis on the network, supports this argument.
The suspect visits several external websites including Google Mail, Yahoo, Live Messenger, etc. Several IP addresses directed through 192.168.1.1 belong, according to NSLOOKUP, to external sites. This can be correlated with the packets shown by the filter dns && ip.addr == 192.168.1.103: there is a one-to-one correspondence between the requests to external websites generated by the suspect through the router and the DNS responses returned to the suspect. Evidence ID 18 in Table 4, filtered on source IP 192.168.1.103, is presented in evidence. Evidence ID 23, providing the load analysis on the network, supports this argument.
Based on a search of the strings output (Evidence ID 10 in Table 4), the following information is available from the suspect's requests to the Google Australia server (the User-Agent string and the fields of the Google PREF cookie):
Windows NT 5.1 en-GB
Gecko/20060909 Firefox/1.5.0.7
PREF ID 0c44975525448bce
TM 1067755592
LM 1067755593
S GmLb8HCXA5UevkgY
The suspect searched for "how to mirror website", as recovered from the pyFLAG network forensic analysis using its HTTP filters. Evidence ID 12 in Table 4, listing the contents of the HTTP transactions, is presented in evidence. Evidence can also be obtained from Evidence ID 18 by searching the DNS requests to Google Search that accompany the search string how to mirror website.
The frequency of multiple DNS requests generated within a short span of time (several instances detected), using the filter dns && ip.addr == 192.168.1.103, indicates that the suspect was running several browser sessions in parallel. It is unclear whether these sessions came from multiple browser windows or from multiple tabs of the same window. Evidence ID 18 in Table 4 is presented in evidence.
The suspect searched for "wget win32 binary", as recovered from the pyFLAG network forensic analysis using its HTTP filters. Evidence ID 12 in Table 4, listing the contents of the HTTP transactions, is presented in evidence. Evidence can also be obtained from Evidence ID 18 by searching the DNS requests to Google Search that accompany the search string wget win32 binary.
The sequence of requests to websites such as addons.mozilla.org, www.fsf.org, www.apache.org, fpdownload.macromedia.com and titus.planetmirror.com indicates that the browser was fetching active content (add-ons and plugins) to display the pages visited. Correlated with the MSN chat sessions, it indicates that the suspect was searching for the GNU WGET.EXE tool, which downloads content from the Internet over the HTTP, HTTPS and FTP protocols. Evidence IDs 18 and 19, listing the DNS queries and responses, are provided in evidence.
Based on the HTTP request analysis and NSLOOKUP, the suspect also spent considerable time on the Akamai Technologies hosts http://ak.imgag.com and http://deploy.akamaitechnologies.com. However, when the investigator visited these web pages, the content consisted of a GIF file which could not be displayed in either Mozilla Firefox or Internet Explorer on the investigator's machine.
Using the filter browser && ip.src == 192.168.1.103, the packets displayed contain the NetBIOS Datagram Service, which lists the source name as LAMONT01 Workstation/Redirector. The machine name may contain a clue to the name of the user (suspect) of this computer.
The filter msnms displays the packets of the MSN instant messenger protocol. Evidence ID 11 in Table 4, listing the contents of the MSN chat conversations between the suspect (IP 192.168.1.103) and Yahoo ID phlatoutphishing@yahoo.com.au, is presented in evidence. Examining the MSN messenger service contents shows the existence of at least one chat session during the capture. Further, the parties involved indicate that the communication is between the suspect and external servers. The chat stream contents in Evidence IDs 26 to 37 in Table 4 support this argument.
The behaviour observed above indicates that the suspect was actively communicating with other parties on the Internet. NSLOOKUP showed that the external addresses belonged to the YAHOO, GOOGLE, MSN MESSENGER and PHX.GBL domains; on further verification, PHX.GBL was also found to belong to MSN Messenger. The service was also unable to resolve a few addresses, which can be attributed to the dynamic I   address allocation that several domains use for load balancing.
The NSLOOKUP results returned for several MSN web services differ from the names determined in the Wireshark ver0.99.7 analysis. These were not detected by the network-level name resolution used internally by Wireshark ver0.99.7 or by pyFLAG 0.86RC1.
During the analysis, the following messenger clients were detected communicating over the MSNMS protocol in Wireshark:
lam3rallround@hotmail.com
phlatoutphishing@yahoo.com.au
Besides, there is a reference to a particular individual known to the suspect who holds an account with NAB. The suspect and his accomplice sent a phishing email to this individual, whose email ID is gonnagetphished@gmail.com.
Evidence for the first two discoveries is presented in Evidence IDs 16 and 17 in Table 4, listing the incoming and outgoing MSN chat conversations; the third discovery is observed by searching Evidence ID 10 for phlatoutphishing.
The suspect owns the ID lam3rallround@hotmail.com and uses MSN Messenger ver7.5.0299 for chat sessions. This was discovered by analysing the MSN message packets in Wireshark ver0.99.7 with the msnms filter and checking the Info contents of the packets, and is confirmed by the strings output of the capture file. Evidence IDs 16 and 17 in Table 4 are presented in evidence. The chat stream contents in Evidence IDs 26 to 37 in Table 4 support this argument.
Based on the chat session analysis, no talk sessions appear to have been established during the messenger chat session. Evidence IDs 16 and 17 in Table 4 are presented in evidence.
Based on the chat sessions analysed, the suspect (lam3rallround@hotmail.com) and an accomplice (phlatoutphishing@yahoo.com.au) were planning to mirror the National Australia Bank (NAB) website and use the mirror as a phishing site. The TCP/HTTP sessions tracked indicate that the suspect spent significant effort mirroring the website and reconfiguring the router for this task. Based on the analysis, it appears that the suspect (lam3rallround@hotmail.com) modified the firewall configuration to grant access to the phishing website hosted by his accomplice (phlatoutphishing@yahoo.com.au). The actual hosting is done on the latter's machine at IP 220.237.83.151, port 31337. Evidence ID 11, listing the MSN chat contents between lam3rallround@hotmail.com and phlatoutphishing@yahoo.com.au, is presented in evidence. The chat stream contents in Evidence IDs 26 to 37 in Table 4 support this argument.
Interestingly, the filter ip.addr == 220.237.83.151 reveals no packets. It is possible that traffic to this address bypassed the router (if that is at all possible) as a result of the firewall reconfiguration the suspect performed.
Based on this IP address, the investigator searched with the filter tcp.port == 31337, which revealed two transaction sequences from the suspect's IP 192.168.1.103 with the IP addresses 165.228.133.11 and 200.88.223.98. Port 31337 appears as the destination port in Wireshark ver0.99.7, so the suspect was using services offered on that port by these two hosts.
Searching the strings output file for 31337 returned several HTTP GET requests directed to 220.237.83.151 on port 31337. The address therefore appears in the application payload (the request line or Host header) and not in the IP header of any packet, which is why the ip.addr filter finds nothing while the strings search does; the display filter tcp.port == 31337 && http.host contains "220.237.83.151" isolates these requests. This is very suspicious and the investigator believes that the suspect reconfigured the router 192.168.1.1 to tunnel all requests from 192.168.1.103 on port 31337 to the phishing website hosted on 220.237.83.151 on port 31337. Evidence is presented in Evidence ID 10 by searching for the string 31337.
It was determined that the host 165.228.133.11, transacting with 192.168.1.103 on port 31337, runs Macintosh OS X with Mozilla Firefox 1.5.05.
The two suspects also sent an email to an individual they know holds an account with NAB. The individual was determined to have a Google Mail account with ID gonnagetphished@gmail.com. Evidence is presented in Evidence ID 10 in Table 4 by searching for gonnagetphished and phlatoutphishing.
Based on the machine name LAMONT01 and the suspect's MSN Hotmail ID lam3rallround@hotmail.com, this report believes that the suspect may have Lamont as a first, middle or last name. This report suggests that investigators run the records past people named Lamont with a prior criminal record for an ID hit.
Having determined the contact IDs, the investigator searched for the strings gonnagetphished and phlatoutphishing in Evidence ID 10 in Table 4, which revealed the following identities:
gonnagetphished@gmail.com was identified as Mr. Ronald Brown
phlatoutphishing@yahoo.com.au was identified as Mr. Justin Case
The identities were determined by examining the text of the email sent to Mr. Brown by Mr. Case, who had set up the phishing website. The names appear immediately before the IDs in the text, which indicates that this information was stored in the Yahoo contact list on the Yahoo server.
Mr. Justin Case tells the suspect that the phishing website is designed to capture the user's account and password details before redirecting to the original bank website. This evidence is presented in Evidence ID 10 by searching for the string password.
Based on this information, the investigator further analysed the strings output file and observed that Mr. Ronald Brown's bank account information could have been captured by the phishing website. The account number 408854893 and account password 96Cam were retrieved from the strings output file as the fields of a form submission. This could incriminate the suspect and Mr. Justin Case if it can be verified with the bank that these are indeed the account holder's credentials. Evidence is presented in Evidence ID 10 by searching for the string password, which revealed the data: action=validate&userid=408854893&password=96Cam&loginButton=Login
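Searching the strings output for fixed strings such as password and 31337, and reading the User-Agent from the HTTP requests, is the method used in this section. The following Python triage is an added example and not part of the original report: it scans a strings(1)-style dump for form-encoded bodies carrying credential-like field names, collects the Host headers that name a given port, and lists the User-Agent strings. SAMPLE_STRINGS is a constructed dump; only the form body reproduces the value quoted above, while the surrounding request lines, hosts and decoy fields are invented for illustration.

```python
"""Triage of a strings(1) dump of a capture: credential-looking form bodies, hosts
contacted on a port of interest, and browser User-Agent strings. Added example;
SAMPLE_STRINGS is constructed apart from the one form body quoted in the report."""
import re
from urllib.parse import parse_qs

SAMPLE_STRINGS = """\
GET /images/logo.gif HTTP/1.1
Host: 220.237.83.151:31337
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
POST /login.cgi HTTP/1.1
Host: 220.237.83.151:31337
Content-Type: application/x-www-form-urlencoded
action=validate&userid=408854893&password=96Cam&loginButton=Login
HTTP/1.1 302 Found
Location: https://ib.national.com.au/
passwordPolicyVersion=3
q=how+to+mirror+website&hl=en&btnG=Search
"""

# Field names that usually carry a secret or an account identifier. Anchored, so a
# field such as passwordPolicyVersion (which a plain grep would hit) does not match.
CRED_KEY = re.compile(r"^(pass(word|wd|phrase)?|pwd|pin|userid|user(name)?|login|account)$", re.I)
HOST_LINE = re.compile(r"^Host:\s*([^\s:]+)(?::(\d+))?\s*$", re.I)
UA_LINE = re.compile(r"^User-Agent:\s*(.+?)\s*$", re.I)


def form_bodies(text):
    """Yield (line_no, fields) for lines that parse as application/x-www-form-urlencoded.
    Lines with spaces or without '=' are skipped, which drops headers and binary fragments."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if "=" not in line or " " in line:
            continue
        fields = parse_qs(line, keep_blank_values=True)
        if fields:
            yield n, {k: v[0] for k, v in fields.items()}


def find_credentials(text):
    """Form bodies containing at least one credential-like key, with their line numbers."""
    return [(n, f) for n, f in form_bodies(text) if any(CRED_KEY.match(k) for k in f)]


def hosts_on_port(text, port):
    """Distinct Host header values that name the given port (e.g. 31337)."""
    hosts = set()
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(2) == str(port):
            hosts.add(m.group(1))
    return sorted(hosts)


def user_agents(text):
    """Distinct User-Agent header values seen in the dump."""
    return sorted({m.group(1) for m in map(UA_LINE.match, text.splitlines()) if m})
```

Against the real dump the calls are find_credentials(open("stringsoutput.txt", errors="replace").read()), hosts_on_port(..., 31337) and user_agents(...). The Host header search is what links the 31337 sessions to 220.237.83.151 even though no IP header carries that address, and the anchored key pattern keeps fields that merely contain the word password from being reported as captured credentials.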
Using the network filters built into pyFLAG ver0.86RC1, the investigator browsed the entire chat sessions, which clearly indicate the intent to phish the said bank's website. Evidence ID 11 in Table 4 is presented in evidence. The chat stream contents in Evidence IDs 26 to 37 in Table 4 support this claim.
The suspect searched for and obtained a copy of WGET.exe, the Windows build of GNU Wget, a command-line downloader that can recursively fetch a website, from http://users.ugent.be/~bpuype/wget. While this activity is not illegal, it becomes suspicious in the context of the phishing activities reported in the analysis. Evidence IDs 14 and 15, listing the HTTP requests and responses from and to the suspect IP 192.168.1.103, are provided in support of this argument. Evidence ID 12 supports this claim.
The suspect logged into the NAB website and spent considerable time downloading data, as inferred from the HTTP packet contents of the transaction. Based on the analysis, it appears that the suspect attempted to mirror the website onto the local machine. Evidence IDs 14 and 15, listing the HTTP requests and responses from and to the suspect IP 192.168.1.103, are provided in support of this argument.
The suspect visited the iPrimus website. This could indicate that the suspect intended to obtain a connection with this ISP or already had one. Evidence IDs 14 and 15, listing the HTTP requests and responses from and to the suspect IP 192.168.1.103, are provided in support of this argument. Evidence ID 12 supports this claim.
Supporting Evidence Presented

| Evidence Identifier | Content | Content Source | Filename | MD5 HASH SUM |
|---|---|---|---|---|
| 1 | List of Ethernet endpoints | Wireshark ver0.99.7 | Ethernetendpoints.xml | eea937c53b56eb96ee486e9791f0ff1a |
| 2 | List of Ethernet conversations | Wireshark ver0.99.7 | Ethernetconversations.xml | b53e021a646a101528effd3f421f5b72 |
| 3 | Packet contents of ARP | Wireshark ver0.99.7 | arp-packetdisplayed.txt | 789608c5e84e821f318d33bf6e134182 |
| 4 | List of IPv4 endpoints | Wireshark ver0.99.7 | IPv4endpoints.xml | f635897664b394ad4af4360a66254c68 |
| 5 | List of IPv4 conversations | Wireshark ver0.99.7 | IPv4conversations.xml | df45c6db52730d5e12a7c0aefece459d |
| 6 | List of TCP endpoints | Wireshark ver0.99.7 | TCPendpoints.xml | ca8f1b7fd171591c93408e6d15b793ac |
| 7 | List of TCP conversations | Wireshark ver0.99.7 | TCPconversations.xml | 039c0e2d86966faece8e0ccf76f06dda |
| 8 | List of UDP endpoints | Wireshark ver0.99.7 | UDPendpoints.xml | 345939a014052e790011211f7e9f0efd |
| 9 | List of UDP conversations | Wireshark ver0.99.7 | UDPconversations.xml | 00033f3948222b43a015d11ea268b41e |
| 10 | Strings output on PCAP file | strings on Linux | stringsoutput.txt | 0eb8d6cafc89a811a6e4f26b7b6483d9 |
| 11 | Messenger Chat session | pyFLAG ver0.86RC1 | chatsession.xml | 2ccf422b2ad9d72e8cd769945adb4460 |
| 12 | HTTP session | pyFLAG ver0.86RC1 | httpsession.xml | 9355b648a802ba093c88e7598362e5f8 |
| 13 | CSV XML conversion website list | Internet | Conversionwebsite.txt | 33d01211c0864e44a69e95c9cb2a8113 |
| 14 | Packet contents of all HTTP requests from suspect | Wireshark ver0.99.7 | ipsrc1921681103http-reqcompressed.txt | 9c3a6bc4a46b0c582ec9a87242074f61 |
| 15 | Packet contents of all HTTP responses to suspect | Wireshark ver0.99.7 | ipdst1921681103http-respcompressed.txt | d7445ef44c4f265817dbe05156082038 |
| 16 | Packet contents of MSN messenger traffic from suspect | Wireshark ver0.99.7 | ipsrc1921681103msnmscompressed.txt | 1a99ac4213783c41786d2b01481fdc9a |
| 17 | Packet contents of MSN messenger traffic to suspect | Wireshark ver0.99.7 | ipdst1921681103msnmscompressed.txt | 0ef1bc04229cd2223c09855aa69dfe26 |
| 18 | Packet contents of DNS queries to Router | Wireshark ver0.99.7 | ipdst19216811-dnsquerycompressed.txt | 7d8047afdddb413ceee30c04172d1302 |
| 19 | Packet contents of DNS responses from Router | Wireshark ver0.99.7 | ipsrc19216811-dnsresp-compressed.txt | 6dcb1f190c69ddb0bb16d1cab6c327c5 |
| 20 | Packet contents of TCP traffic from Router | Wireshark ver0.99.7 | ipsrc19216811-tcpreq-compressed.txt | f6bdf4e7ac0c24af91c1f4639ecde1b1 |
| 21 | Packet contents of TCP traffic to Router | Wireshark ver0.99.7 | ipdst19216811-tcprespcompressed.txt | 43885819273489c10f8a1a9589d04418 |
| 22 | Load analysis on PCAP file | Wireshark ver0.99.7 | graphanalysis.txt | e36791efd10a546ac05837cb4f8b3bbb |
| 23 | Load analysis on PCAP file with HTTP filter | Wireshark ver0.99.7 | httpgraphanalysis.txt | 7fdf9fe496f39ef14c3a94832addb89b |
| 24 | Load analysis on PCAP file with MSNMS filter | Wireshark ver0.99.7 | msnmsgraphanalysis.txt | a2d6afff9e4524deefc1a1916718bc77 |
| 25 | Streams and packet numbers map | pyFLAG ver0.86RC1 | Mynotes.txt | facbe03b464cd5c56db4434757cbbf84 |
| 26 | Packet contents of stream S133 | pyFLAG ver0.86RC1 | S133.txt | 51a2af8bbde05c22a90772337196bb2f |
| 27 | Packet contents of stream S134 | pyFLAG ver0.86RC1 | S134.txt | 8e43a0be6ad22d586ac7db26070cb15a |
| 28 | Packet contents of stream S170 | pyFLAG ver0.86RC1 | S170.txt | 6b5a46d80285e890fafcf8bfa69dde8c |
| 29 | Packet contents of stream S171 | pyFLAG ver0.86RC1 | S171.txt | 8ac46f011244a2d46fcd51a19780667b |
| 30 | Packet contents of stream S232 | pyFLAG ver0.86RC1 | S232.txt | eff476a4cd84a99e10e4af3805b19d60 |
| 31 | Packet contents of stream S233 | pyFLAG ver0.86RC1 | S233.txt | c3931bf4b5b1434014a621bc858fbdb1 |
| 32 | Packet contents of stream S331 | pyFLAG ver0.86RC1 | S331.txt | 82fc890c10252f5a86b29455cac0b0b3 |
| 33 | Packet contents of stream S332 | pyFLAG ver0.86RC1 | S332.txt | c28a23396e8ce5c58eca53be6dc8d43e |
| 34 | Packet contents of stream S362 | pyFLAG ver0.86RC1 | S362.txt | 9c8451a41b50b274101f401e81a90ab7 |
| 35 | Packet contents of stream S713 | pyFLAG ver0.86RC1 | S713.txt | bedc0feb5f99d73e26600263f70b5560 |
| 36 | Packet contents of stream S716 | pyFLAG ver0.86RC1 | S716.txt | d4dab25e7b8c78348baf29186d489842 |
| 37 | Packet contents of stream S1106 | pyFLAG ver0.86RC1 | S1106.txt | 42f4e22fec06db5ac4409292d235ea86 |

Table 4. Tabulated list of evidence supporting the Forensic report
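The MD5 column in Table 4 only has value if someone later recomputes it; the script below is an added example (not code from the original report) that parses flattened rows of that table, including sums split in two by the page layout, and checks the evidence files on disk against them. The rows for evidence 26 and 27 are copied from the table; row 99, its file contents and the temporary evidence directory are constructed for the demo.

```python
"""Chain-of-custody check: recompute each evidence file's MD5 and compare it with
the sum recorded in Table 4.  Added example; not code from the original report."""
import hashlib
import re
import tempfile
from pathlib import Path

# A row ends "<filename> <md5>"; page layout split some sums into two 16-hex halves.
ROW_RE = re.compile(r"^(\d+)\s+.*?(\S+)\s+([0-9a-f]{16})\s*([0-9a-f]{16})\s*$")

def parse_row(line):
    """Return (evidence_id, filename, md5) for one flattened evidence-table row."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised evidence row: %r" % line)
    return int(m.group(1)), m.group(2), m.group(3) + m.group(4)

def md5_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large packet dumps are not read whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(rows, evidence_dir):
    """Map evidence id -> 'ok' | 'mismatch' | 'missing' for every table row."""
    result = {}
    for line in rows:
        eid, name, recorded = parse_row(line)
        path = Path(evidence_dir, name)
        if not path.is_file():
            result[eid] = "missing"
        else:
            result[eid] = "ok" if md5_file(path) == recorded else "mismatch"
    return result

# Rows 26 and 27 copied from Table 4 (row 27 with its sum split as on the page),
# plus a constructed row 99 whose recorded sum is MD5(b"abc").
SAMPLE_ROWS = [
    "26 Packet contents of stream S133 pyFLAG ver0.86RC1 S133.txt 51a2af8bbde05c22 a90772337196bb2f",
    "27 Packet contents of stream S134 pyFLAG ver0.86RC1 S134.txt 8e43a0be6ad22d58\n6ac7db26070cb15a",
    "99 Constructed demo row demo.txt 900150983cd24fb0 d6963f7d28e17f72",
]

def demo():
    with tempfile.TemporaryDirectory() as d:  # constructed: S133.txt altered, S134.txt absent
        for name, data in (("S133.txt", b"altered stream dump\n"), ("demo.txt", b"abc")):
            Path(d, name).write_bytes(data)
        return verify(SAMPLE_ROWS, d)  # {26: 'mismatch', 27: 'missing', 99: 'ok'}
```

A "mismatch" or "missing" result means the file can no longer be tied to the hash recorded at collection time and should not be relied on as evidence.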
Conclusions

This report concludes that the suspect (IP 192.168.1.103) was planning to mirror the National Australia Bank website along with Mr. Justin Case (Yahoo ID: phlatoutphishing@yahoo.com.au). While it was Mr. Justin Case who hosted the phishing website, the report suspects that the aforementioned individuals have a track record of performing such illegal activities in the past. The report also believes that the suspect may have Lamont as a first, middle or last name, detected from the machine name LAMONT01 in the NetBIOS datagram. The forensic analysis revealed that the suspect held chat sessions with Mr. Justin Case using the MSN ID lam3rallround@hotmail.com. Further, the suspect and his partner Mr. Justin Case got together to plan and send out a phishing email to Mr. Ronald Brown, with Google Mail ID gonnagetphished@gmail.com.

According to the Australian Law HB-171, phishing is a punishable offence and there is sufficient evidence to track and arrest the suspect for further questioning. One should begin by examining all public IP addresses within Australia under the subnet 192.168.1.xx and identifying the actual subnet that was active during that period on 08th OCT 2006. This may be determined by checking past router logs (for the said date) at strategic points in Australia where the traffic bunches up. Based on the potential damage such activities can create, it is advisable to request Yahoo Australia to monitor the activities of Mr. Justin Case with Yahoo ID phlatoutphishing@yahoo.com.au to come up with a location match. When a match is found, Mr. Justin Case may be arrested on charges of phishing and brought in for further questioning, possibly regarding similar activities in the past.
Appendix A List of figures

Evidence 038
Description: Conversations tab under Statistics listing all Ethernet components detected on the Network. This was obtained using Wireshark ver0.99.7. The figure lists 6 distinct Ethernet components, of which two devices with MAC addresses UscInfor-00-00-02 and UscInfor-00-00-FB were not active. The most active device on the network was the device with MAC address AsustekC-8E-56-84, followed by Cisco-Li-2A-9F-46.
Evidence 039
Description: Conversations tab under Statistics listing all IP addresses detected on the Network. This was obtained using Wireshark ver0.99.7. Multiple IPs were detected, of which 4 belong to the monitored network under the 192.168.1.xx subnet. The major portion of the remaining IPs belonged to external domains such as Google, Yahoo, MSN, etc. The most active IP was 192.168.1.103, which was determined to be the suspect IP; it is associated with MAC address AsusTekC-8E-56-84.
Evidence 040
Description: Conversations tab under Statistics listing all TCP components detected on the Network. This was obtained using Wireshark ver0.99.7. The analysis shows that there were several TCP transactions for the suspect IP 192.168.1.103 on port numbers > 5000, which indicates that the suspect visited custom websites. Based on the chat conversations, this report observes that the websites could have been mirrored from standard websites to lure Internet browsers for phishing.
Evidence 041
Description: Conversations tab under Statistics listing all UDP components detected on the Network. This was obtained using Wireshark ver0.99.7. Based on the transactions taking place in the UDP space, the traffic appears to consist mainly of DNS request/response pairs exchanged between 192.168.1.103 and 192.168.1.1 (Router). No suspicious traffic was observed.
Evidence 042
Description: HTTP load distribution pattern with the http filter on the Statistics tab listing all TCP components detected on the Network. This was obtained from the HTTP load distribution under the Statistics tab using Wireshark ver0.99.7. The tool was enabled to perform name resolution on the network layer, listed in the View tab under Name Resolution. The sequence of websites listed approximates the actual sequence as recovered from the analysis.
Evidence 043
Description: HTTP load distribution pattern with the ip.src == 192.168.1.103 filter on the Statistics tab listing all TCP components detected on the Network. This was obtained from the HTTP load distribution under the Statistics tab using Wireshark ver0.99.7. The tool was enabled to perform name resolution on the network layer, listed in the View tab under Name Resolution. The sequence of websites listed approximates the actual sequence as recovered from the analysis.
Evidence 044
Description: List of all TCP destinations with the ip.src == 192.168.1.103 filter on the Statistics tab listing all TCP components detected on the Network. This was obtained from the Destinations view under the Statistics tab using Wireshark ver0.99.7. This figure shows that the suspect predominantly maintained TCP transactions on the HTTP port. However, several ports with port numbers > 5000 are also listed. This supports the suspicion that the suspect hosted mirrored websites for phishing. The tool was enabled to perform name resolution on the network layer, listed in the View tab under Name Resolution. The sequence of websites listed approximates the actual sequence as recovered from the analysis.