
Question on forensic investigation of core switches


blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Tue Sep 27, 2011 5:43 pm

Question on forensic investigation of core switches

Hello All - I would like to hear how this is solved in the forensics world. Let's say I have a host computer that is rooted on a large network. After doing some analysis at the network layer and other log analysis, we identified a particular host by its internal IP address that is acting maliciously. From this information, how do you track down which physical machine it is, who the assigned user is, and where it is physically located?

sil


Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Sep 27, 2011 8:00 pm

Re: Question on forensic investigation of core switches

Depends on the switch and router. My answer assumes a Cisco environment (router and switch). If you know the IP, you would also know what the default gateway is. Go to that gateway and run: show arp, which will show you the matching MAC address for the IP.

Take that MAC address and go to the switch that is listed from the show arp that matches the MAC & IP. On that switch run: show mac-address-table address 00:00:DE:AD:BE:EF. This will tell you what port the host is on. Map it to the patch panel and it's a wrap. Almost all routers and switches will map the ARP to IP, so depending on the topology, the syntax may differ.

Your organization could benefit by diagramming your network out: how things interconnect, etc. There are plenty of low-cost and free tools to do so, e.g.: http://www.manageengine.com/products/op ... ort-mapper. It will save time and future headaches. I have some monstrous scripting using expect and shell scripts with SIEM appliances to do pre- and post-response analysis.

One thing you would always want to keep in mind is taking a methodical approach to analyzing what is going on. Always treat everything as a real-world case. Anything you do may taint potential evidence, so make sure you have a checklist and follow that checklist to ensure you cover all angles. I would google terms like +CERT +incident response +guidelines and anything along those lines to get a concise idea of what to do and how to do it before you end up potentially corrupting evidence, etc.
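The two-step lookup described in the post above (gateway ARP table, then the access switch's MAC table), as an added example that is not part of the original post or of any vendor tool: a Python script that parses "show arp" and "show mac address-table" output in Cisco IOS format and resolves an IP to a switch port. The sample CLI output, the addresses and the set of uplink ports are constructed for illustration. The uplink check is the caveat a practitioner needs: if the MAC is learned on a port that leads to another switch, you have not found the host yet and must repeat the MAC-table lookup one hop further.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of "show arp" on the default gateway (Cisco IOS format).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.20.1              -   0011.2233.4455  ARPA   Vlan20
Internet  10.10.20.57            12   00de.adbe.ef01  ARPA   Vlan20
Internet  10.10.20.88             3   5c26.0a11.2233  ARPA   Vlan20
"""

# Constructed sample of "show mac address-table" on the access switch.
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    00de.adbe.ef01    DYNAMIC     Gi1/0/17
  20    5c26.0a11.2233    DYNAMIC     Gi1/0/23
  20    0011.2233.4455    DYNAMIC     Gi1/0/48
"""

# Assumed: ports that connect to other switches/routers rather than to end hosts.
UPLINKS = {"Gi1/0/48"}

MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (00de.adbe.ef01) or colon/dash form; return lowercase colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_show_arp(text: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (MAC, L3 interface) from 'show arp' output; skips incomplete entries."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "Internet":
            ip, mac, iface = parts[1], parts[3], parts[5]
            table[ip] = (normalize_mac(mac), iface)
    return table


def parse_mac_table(text: str) -> Dict[str, Tuple[int, str]]:
    """Map MAC -> (VLAN, port) from 'show mac address-table' output."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            table[normalize_mac(m.group(2))] = (int(m.group(1)), m.group(4))
    return table


def locate_host(ip: str) -> Optional[dict]:
    """IP -> MAC via the gateway ARP table, then MAC -> port via the switch table.

    'edge' is False when the MAC was learned on an uplink: the host is behind
    another switch and the MAC lookup must be repeated there.
    """
    arp = parse_show_arp(SHOW_ARP)
    if ip not in arp:
        return None                      # no ARP entry: host silent or wrong gateway
    mac, _l3_iface = arp[ip]
    entry = parse_mac_table(SHOW_MAC_TABLE).get(mac)
    if entry is None:
        return {"ip": ip, "mac": mac, "vlan": None, "port": None, "edge": False}
    vlan, port = entry
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port,
            "edge": port not in UPLINKS}


if __name__ == "__main__":
    for ip in ("10.10.20.57", "10.10.20.1", "10.10.20.99"):
        print(ip, locate_host(ip))
```

Run it as-is and 10.10.20.57 resolves to Gi1/0/17 on VLAN 20, while the gateway's own MAC shows up on the uplink Gi1/0/48 and is flagged as not an edge port. Capture the CLI output to a file before you start, since ARP and MAC entries age out and the evidence may be gone by the time you walk to the wiring closet.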

blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Tue Sep 27, 2011 9:13 pm

Re: Question on forensic investigation of core switches

That seems like quite a bit of task involved.

I was assuming maybe the solution would be something like looking up the DHCP server database and identifying which login/MAC has been assigned that particular IP. Do you have any thoughts on whether that approach is possible?

cd1zz


Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Sep 27, 2011 9:22 pm

Re: Question on forensic investigation of core switches

That only gets you the MAC/IP address. You'd still have to do what Sil said and match the MAC to a specific switch port. This also assumes the box uses DHCP. Is there a NAC or NPS in the mix?

It's really not as bad as it sounds and those switch port mappers, like the one he showed you, work great.

blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Wed Sep 28, 2011 4:49 pm

Re: Question on forensic investigation of core switches

I am curious to know how the switch port mappers work internally. I did some Google searching but couldn't really find much on how they work. Do they work on wireless networks too?

cd1zz


Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Wed Sep 28, 2011 4:51 pm

Re: Question on forensic investigation of core switches

SNMP usually.
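What "SNMP usually" means in practice, as an added example that is not part of the original thread and not the code of any product: a switch port mapper walks three standard tables on the switch and joins them. BRIDGE-MIB dot1dTpFdbPort (1.3.6.1.2.1.17.4.3.1.2) maps a MAC, encoded as six decimal octets in the OID suffix, to a bridge port number; dot1dBasePortIfIndex (1.3.6.1.2.1.17.1.4.1.2) maps that bridge port to an ifIndex; IF-MIB ifName (1.3.6.1.2.1.31.1.1.1.1) maps the ifIndex to the name you see on the CLI. The walk result below is constructed data shaped like what snmpwalk returns; a real mapper would fetch it with an SNMP library or by parsing snmpwalk output. Two caveats: on Cisco switches the BRIDGE-MIB forwarding table is kept per VLAN, so the walk must be repeated per VLAN using community-string indexing (community@vlan) or the Q-BRIDGE-MIB equivalent; and for a wireless client the MAC table only resolves to the port of the access point or controller that bridges it, not to the client.

```python
import re
from typing import Dict, Optional

# Standard OIDs (BRIDGE-MIB and IF-MIB).
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"        # MAC (6 OID octets) -> bridge port
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # bridge port -> ifIndex
IF_NAME = "1.3.6.1.2.1.31.1.1.1.1"                  # ifIndex -> interface name

# Constructed snmpwalk result as {oid: value}; not captured from a real switch.
# 0.222.173.190.239.1 is the OID encoding of 00:de:ad:be:ef:01.
WALK = {
    DOT1D_TP_FDB_PORT + ".0.222.173.190.239.1": 17,
    DOT1D_TP_FDB_PORT + ".92.38.10.17.34.51": 23,
    DOT1D_TP_FDB_PORT + ".0.17.34.51.68.85": 48,
    DOT1D_BASE_PORT_IFINDEX + ".17": 10117,
    DOT1D_BASE_PORT_IFINDEX + ".23": 10123,
    DOT1D_BASE_PORT_IFINDEX + ".48": 10148,
    IF_NAME + ".10117": "Gi1/0/17",
    IF_NAME + ".10123": "Gi1/0/23",
    IF_NAME + ".10148": "Gi1/0/48",
}


def subtree(walk: Dict[str, object], base: str) -> Dict[str, object]:
    """Return {index_suffix: value} for every OID under base."""
    prefix = base + "."
    return {oid[len(prefix):]: v for oid, v in walk.items() if oid.startswith(prefix)}


def mac_from_oid_suffix(suffix: str) -> str:
    """'0.222.173.190.239.1' -> '00:de:ad:be:ef:01'."""
    octets = [int(x) for x in suffix.split(".")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a MAC index: {suffix!r}")
    return ":".join(f"{o:02x}" for o in octets)


def build_mac_port_map(walk: Dict[str, object]) -> Dict[str, str]:
    """Join the three tables: MAC -> bridge port -> ifIndex -> ifName."""
    port_to_ifindex = {int(k): int(v) for k, v in
                       subtree(walk, DOT1D_BASE_PORT_IFINDEX).items()}
    ifindex_to_name = {int(k): str(v) for k, v in subtree(walk, IF_NAME).items()}
    result = {}
    for suffix, bridge_port in subtree(walk, DOT1D_TP_FDB_PORT).items():
        ifindex = port_to_ifindex.get(int(bridge_port))
        # Fall back to the raw bridge port if the ifName row is missing.
        result[mac_from_oid_suffix(suffix)] = ifindex_to_name.get(
            ifindex, f"bridgeport-{bridge_port}")
    return result


def find_port(walk: Dict[str, object], mac: str) -> Optional[str]:
    """Look up a MAC given in any common notation (colon, dash, Cisco dotted)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    key = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return build_mac_port_map(walk).get(key)


if __name__ == "__main__":
    for mac, port in sorted(build_mac_port_map(WALK).items()):
        print(mac, "->", port)
```

A mapper that polls every switch will see the same MAC on several of them, once per uplink along the path; the host's real port is the one where that MAC is the only (or one of few) addresses learned and that is not a trunk, which is why good mappers also pull the trunk/uplink status of each port.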

the_Grinch


Newbie

Posts: 45

Joined: Tue Jan 13, 2009 4:24 pm

Post Thu Oct 06, 2011 2:46 am

Re: Question on forensic investigation of core switches

I had a customer put in a ticket in regards to getting a duplicate IP notification when he came in one morning (he sent the ticket in at 9:00 pm that night). He wanted us to track it down, so I went into the logs of the server he specified and it listed the MAC address of the computer. Took the MAC and went to the DHCP server, found out it was his laptop (the name of the laptop was his first initial + last name). So that is always an option depending on how you name your PCs...
BS-CST Security+

Blog:  http://havewire.blogspot.com/
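The DHCP-side lookup from the post above (MAC taken from a server log, then matched against the DHCP server's records to get the client's hostname), as an added example that is not part of the original post: a small parser for the ISC dhcpd.leases format that keeps the full lease history per MAC and the current binding per IP. The lease file excerpt is constructed; the hostnames and addresses are not real. Two points a practitioner should keep in mind: client-hostname is whatever the client announced in its DHCP request, so a hostile host can set it to anything, and a machine with a static address never appears in the lease file at all.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of an ISC dhcpd.leases file. dhcpd appends to this file,
# so when an IP appears more than once the last block is the current binding.
LEASES = """\
lease 10.10.20.57 {
  starts 2 2011/09/27 13:02:11;
  ends 2 2011/09/27 21:02:11;
  binding state active;
  hardware ethernet 00:de:ad:be:ef:01;
  client-hostname "jdoe-laptop";
}
lease 10.10.20.88 {
  starts 1 2011/09/26 08:00:00;
  ends 1 2011/09/26 16:00:00;
  binding state free;
  hardware ethernet 5c:26:0a:11:22:33;
  client-hostname "asmith-pc";
}
lease 10.10.20.88 {
  starts 2 2011/09/27 09:15:42;
  ends 2 2011/09/27 17:15:42;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
"""

LEASE_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text: str) -> List[dict]:
    """Return every lease block in file order as a dict of the fields we need."""
    records = []
    for m in LEASE_BLOCK.finditer(text):
        ip, body = m.group(1), m.group(2)
        rec: Dict[str, Optional[str]] = {
            "ip": ip, "mac": None, "hostname": None, "state": None, "ends": None}
        for stmt in body.split(";"):
            words = stmt.split()
            if not words:
                continue
            if words[:2] == ["hardware", "ethernet"]:
                rec["mac"] = words[2].lower()
            elif words[0] == "client-hostname":
                # Client-supplied string; treat as untrusted.
                rec["hostname"] = stmt.split('"')[1]
            elif words[:2] == ["binding", "state"]:
                rec["state"] = words[2]
            elif words[0] == "ends":
                rec["ends"] = " ".join(words[2:4])   # "never" for static yields ""
        records.append(rec)
    return records


def current_leases(text: str) -> Dict[str, dict]:
    """IP -> current binding (last block in the file wins)."""
    current = {}
    for rec in parse_leases(text):
        current[rec["ip"]] = rec
    return current


def history_for_mac(text: str, mac: str) -> List[dict]:
    """All leases ever issued to a MAC, oldest first, including expired ones."""
    mac = mac.lower()
    return [r for r in parse_leases(text) if r["mac"] == mac]


def who_had_ip(text: str, ip: str) -> Optional[dict]:
    """The host currently bound to an IP, or None if it is not a DHCP address."""
    return current_leases(text).get(ip)


if __name__ == "__main__":
    print(history_for_mac(LEASES, "00:DE:AD:BE:EF:01"))
    print(who_had_ip(LEASES, "10.10.20.88"))
```

Keeping the whole history matters for the duplicate-IP case: the "free" lease for asmith-pc on 10.10.20.88 is exactly the evidence that a second machine re-used an address still configured on the first one, and it is lost if you only look at the current binding.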

Triban


Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Thu Oct 06, 2011 8:54 am

Re: Question on forensic investigation of core switches

Both HP and Cisco have some great management utilities built in to determine the port location of a source MAC address. Takes less than a minute to find the source. Now let's say your wireless closet is a frickin' mess and it will take you more time to locate the patch panel number hunting through spaghetti; well, then you can go to DHCP and search for the MAC/IP record and match it to the host. Some folks can easily find a host if they know their staff well enough. If you are in the 1000s, well, it might be more difficult. Keeping good network documentation is key.
Certs: GCWN
(@)Dewser

Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software