

Network Forensics

Lab 5


Notes:

  • All answers must be in complete sentences for full credit.

  • Reminder: Experiment with these tools in VMWare. Use of some of these tools outside a closed environment for the purpose other than this lab is not sanctioned and may be in violation of policy or law.

Objective:
The purpose of this exercise is to give you experience with some networking concepts essential for network forensics.

Terms:

ARP-Address Resolution Protocol. ARP is used to find the hardware address of a host. (IP addresses are translated to MAC addresses.)

DNS-Domain Name System. The DNS translates host names into IP addresses.

ICMP-Internet Control Message Protocol. ICMP is used to send networking error messages. Ping uses ICMP.

RST-Reset a connection.

SYN-Synchronize. Request a connection to a service (such as a web server).

ACK-Acknowledge. Acknowledge the request.

TCP-Transmission Control Protocol. A connection-oriented transport protocol used to transfer data reliably (including files) across the Internet.

Three-way handshake: When a client requests an internet service, a SYN request is sent to the host. The host responds with a SYN-ACK. When the client receives the SYN-ACK, the client responds with an ACK.

Software to Install:

  • NirSoft

    • Go to: http://www.nirsoft.net/web_browser_tools.html

    • Download and install the Cookie viewer tool (IECookieViewer)

    • Read the information provided on the website prior to downloading and installing the programs

  • Wireshark

    • If it is not installed on your computer already, you can download it from http://www.wireshark.org/ .

  • Keylogger

    • Go to: http://www.spyarsenal.com and download Golden or Family KeyLogger.

    • Decompress the files if necessary.

    • You will have to disable the AntiVirus auto-protect before you can run the software.

Packet Sniffing:

Wireshark is a packet sniffer. We will use it to capture and analyze network traffic. If it is not installed on your computer already, you can download it from http://www.wireshark.org/ .

First, you need the IP address of the machine you are working on. Do you remember how to do this? Go to Start->Run… and type in:

command

ipconfig

exit

Hint: In the lab you will need to cd to C:\Windows\System32

Note your IP address. In the lab, this will be the third number that appears (Local Area Connection: 192.168.1.X). ________________________________________

Run Wireshark (Start->Programs->Wireshark).

  • Choose Capture->Options

  • Be sure Intel ® ProAdapter 100MT (or whatever your Ethernet adapter is) is selected from the drop-down menu.

  • Be sure the Capture packets in promiscuous mode check box is selected. (Promiscuous mode means the network adapter passes every frame it sees on the network segment to Wireshark, whether or not it is addressed to this machine.)

  • Choose the update list of packets in real time check box

  • Choose to stop after 500 packets.

  • Accept other default settings.

Next, generate some traffic to look at by visiting a very simple test page.

  • Open a browser and go to www.amazon.com

    • Select books from the dropdown

    • Search for Computer Forensics

    • Select a book, change the quantity to 3 and Add to Cart

Back in Wireshark, choose: Stop.

Double click on each packet to examine its contents. Did you find the text you entered? If not, you can try searching…


Searching packets:

  • Select: “Find a packet…” icon.

  • Choose: String

  • Filter: Type in POST

  • Select: “Packet Details.”

  • Choose: Find

This tells Wireshark to locate HTTP POST requests, the packets that carry data submitted through a web form. A busy network generates a lot of traffic, so filters and searches help you locate packets of interest quickly.

Let’s try eavesdropping on LAN traffic. This time:

  • Choose Capture->Options

  • Be sure Intel ® ProAdapter 100MT (or whatever server adapter is installed) is selected from the drop-down menu.

  • Be sure the Capture packets in promiscuous mode check box is selected.

  • Choose the update list of packets in real time check box

  • Choose to stop after 500 packets.

  • Accept other default settings.

  • Choose Start

  • Try pinging your Virtual Machine from your “regular” computer

Try some experiments on your own! Request a web page and see if you can capture the [SYN], [SYN, ACK], [ACK] sequence of packets as the three-way handshake is completed.
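As an added example (not part of the lab handout), the script below does in code what you would do by hand in Wireshark's packet details: it matches the [SYN], [SYN, ACK], [ACK] packets of one connection and checks that each acknowledgement number is the peer's sequence number plus one. The packet list, IP addresses and ports are constructed inline so it runs offline; in practice the headers would come from a capture.

```python
import struct

# TCP flag bits in the low byte of the data-offset/flags field (RFC 793 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_tcp_header(sport, dport, seq, ack, flags):
    """Build a minimal 20-byte TCP header (no options, checksum left zero) for the sample."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, then the flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)

def parse_tcp_header(raw):
    """Return (sport, dport, seq, ack, flags) from the first 14 bytes of a TCP header."""
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", raw[:14])
    return sport, dport, seq, ack, offset_flags & 0x1FF

def find_handshakes(packets):
    """Return (client, server) for every completed [SYN], [SYN, ACK], [ACK] exchange.

    packets: (src_ip, dst_ip, raw_tcp_header) tuples in capture order. A reply
    only counts if its acknowledgement number is the peer's sequence number + 1.
    """
    pending = {}   # (client, server, client_port, server_port) -> handshake state
    completed = []
    for src, dst, raw in packets:
        sport, dport, seq, ack, flags = parse_tcp_header(raw)
        if flags & SYN and not flags & ACK:             # step 1: client SYN
            pending[(src, dst, sport, dport)] = {"state": "SYN", "cli_seq": seq}
        elif flags & SYN and flags & ACK:               # step 2: server SYN-ACK
            st = pending.get((dst, src, dport, sport))  # reply flows server -> client
            if st and st["state"] == "SYN" and ack == st["cli_seq"] + 1:
                st.update(state="SYN-ACK", srv_seq=seq)
        elif flags & ACK and not flags & RST:           # step 3: client ACK
            st = pending.get((src, dst, sport, dport))
            if st and st["state"] == "SYN-ACK" and ack == st["srv_seq"] + 1:
                st["state"] = "DONE"
                completed.append((src, dst))
    return completed

# Constructed sample capture: one full handshake to a web server (port 80) and
# one SYN to another host that never receives a reply.
SAMPLE = [
    ("192.168.1.10", "10.0.0.5", build_tcp_header(51000, 80, 1000, 0, SYN)),
    ("10.0.0.5", "192.168.1.10", build_tcp_header(80, 51000, 5000, 1001, SYN | ACK)),
    ("192.168.1.10", "10.0.0.5", build_tcp_header(51000, 80, 1001, 5001, ACK)),
    ("192.168.1.10", "10.0.0.9", build_tcp_header(51001, 443, 2000, 0, SYN)),
]

if __name__ == "__main__":
    print(find_handshakes(SAMPLE))  # [('192.168.1.10', '10.0.0.5')]
```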

Internet Explorer (IE) Cookies and History:

A cookie is a file created by a web browser that is saved to the client machine. Cookies are often used to save settings and track usage. There are a number of freeware tools you can use to read the cookie log files. To make this experiment easier, open Internet Explorer and choose Tools-> Internet Options->Privacy-> Advanced ->Accept all cookies. Browse a couple of websites in Internet Explorer to be sure some cookies have been saved.

Run the NirSoft IECookieViewer and view the cookies on your system.

Poking around:

Launch SSH and log in to your mason.gmu.edu account to explore some Unix networking commands:

Netstat: View active IP Sockets:

>/usr/bin/netstat -a | more


Configures or displays network interface parameters:

>/usr/sbin/ifconfig -a

ARP - Address Resolution Protocol (lists the ARP cache: a table of hosts with their IP addresses and hardware addresses)

>/usr/sbin/arp -a

Software Keylogging:

Go to: http://www.spyarsenal.com/keylogger/ and download Home KeyLogger. Decompress the files if necessary. You will have to disable the AntiVirus auto-protect before you can run the software.

In the lab:

Norton Users->Right click the Norton icon in the System Tray and deselect "Enable Auto-Protect". 

Symantec Users->Programs->Symantec Client Security->Symantec Antivirus->Configure->File System Auto Protect (Disable)

1) Run the FamilyKeyLogger-setup. Experiment with this program. Then answer Review Questions 6-8. Make sure you know how to make the icon visible in the system tray and view the log.

Try some experiments on your own!




©2007, 2014, 2015, 2017 Anne Marchant, Rebecca J. Pollard, Alex Mbaziir