Question on forensic investigation of core switches

[blueaxis]

Hello All - I would like to hear how this is solved in the forensics world. Let's say I have a host computer that is rooted on a large network. After doing some analysis at the network layer and other log analysis we identified a particular host by its internal ip adress that is acting maliciously. From this information how do you track down which physical machine it is? who the assigned user is? and where it is physically located?

[sil]

Depends on the switch and router. My answer assumes a Cisco environment (router and switch) If you know the IP you would also know what the default gateway is. Go to that gateway and run: show arp which will show you the matching MAC address for the IP.

Take that MAC address and go to the switch that is listed from the show arp that matches the MAC & IP. On that switch run: show mac-address table address 00:00:DE:AD:BE:EF This will tell you what port the host is on. Map it to the patch panel and its a wrap. Almost all routers and switches will map the ARP to IP so depending on the topology, the syntax may differ.

Your organization could benefit by diagramming your network out. How things interconnect, etc., there are plenty if low cost and free tools to do so e.g.: http://www.manageengine.com/products/oputils/switch-port-mapper.html#switch-port-mapper it will save time and future headaches. I have some monstrous based scripting using expect and shell scripts with SIEM appliances to do pre and post-response analysis.

One thing you would always want to keep in mind is taking a methodical approach to analyzing what is going on. Always treat everything as a real world case. Anything you do may taint potential evidence so make sure you have a checklist and follow that check list to ensure you cover all angles. I would google terms like +CERT +incident response +guidelines and anything along those terms to get a concise idea of what to do and how to do it before you end up potentially corrupting evidence, etc.

[blueaxis]

That seems like quite a bit of task involved.

I was assuming may be the solution would be something like - looking up the DHCP server database and identifying which login/mac has been assigned that particular ip. Do you have any thoughts if that approach is possible?

[cd1zz]

That only gets you the MAC/IP address. You'd still have to do what Sil said and match the mac to a specific switch port. This also assumes the box uses DHCP. Is there a NAC or NPS in the mix?

It's really not as bad as it sounds and those switch port mappers, like the one he showed you, work great.

[blueaxis]

I am curious to know how the switch port mapppers work internally. I did some google search but couldn't really find much on how they work. Do they work on wireless networks too?

[cd1zz]

SNMP usually.

[the_Grinch]

I had a customer put in a ticket in regards to getting a duplicate IP notification when he came in one morning (he sends the ticket in at 9:00 pm that night).  He wanted us to track it down, so I went into the logs of the server he specified and it listed the mac address of the computer.  Took the Mac and went to the DHCP server, found out it was his laptop (the name of the laptop was his first initial lastname).  So that is always an option depending on how you name your PCs...

[3xban]

Both HP and Cisco have some great management utilities built in to determine the port location of a source MAC address.  Takes less than a minute to find the source.  Now lets say your wireless closet is a frickin mess and it will take you more time to locate the patch panel number hunting through spaghetti, well then you can go to DHCP and search for the MAC/IP record and match it to the host, some folks can easily find a host if they know their staff well enough.  If you are in the 1000s, well it might be more difficult.  Keeping good network documentation is key.