Digital Crime Investigation
Abstract
The primary objectives of information security are confidentiality, integrity and availability. Over the years, however, information security researchers have found many data-hiding methods that work on commonly used systems. One such technique is the covert channel, which hides information inside a system, its processes or the TCP/IP networking protocols in a way that runs counter to the system's security policy. TCP/IP, the protocol suite that specifies how computers transmit data and communicate with one another, has been found to be vulnerable to covert channel attacks. Such covert channels typically exploit weaknesses common to many protocols, and the practice is sometimes referred to as network steganography. In addition, I modified the C program that transmits data over TCP, parsed the traffic and detected the covert channel, which can be a handy tool for any forensic investigator. A practical solution, in the form of a proof of concept, is reserved for a segment at the end of this document. Appendix I contains the evidence of the hidden packets being detected by Wireshark.
Contents
1. Introduction
5. Case Study
5.2. Review
7. Conclusion
8. References
9. Appendix
9.1. Appendix I: Demonstration of Covert TCP and Detection using Wireshark
9.2. Appendix II: Covert Channels in Transport and Network Layers
Figure 2: Scope of covert channel analysis and data hiding in TCP/IP (Ahsan, 2002)
1. Introduction
Information security is now a baseline requirement for everyone who is directly or indirectly connected to a network. Recent research and development has given us sophisticated computer networks, software and complex innovations, and with that sophistication comes the problem of securing those systems. Security has become the hot topic of information technology, with daily news of data breaches.
One of the key developments in computer networking is the TCP/IP stack, which defines how computer networks connect and communicate. Virtually all wide-area networks and protocols, including the Internet, are built on the TCP/IP protocol suite. Protocols such as IPsec, SSL and TLS (and TLS-protected variants of application protocols such as FTP) are used to maintain security and privacy across network communications. Work on TCP/IP has found it susceptible to different types of attack, such as SYN flooding, sniffing, session hijacking, the ping of death, IP spoofing, code hiding and more. Data hiding in TCP/IP is possible by creating a covert channel inside a protocol and using it to send confidential information (Adetokunbo A.A. Adenowo, 2013). Because of loopholes in their design, data can be hidden in many different protocols. Previous research on this subject from various sources is reviewed, and data concealed via the TCP protocol is demonstrated, to show how a red team can use these commonly deployed systems during penetration testing and how cybercriminals can use them for the illegal transfer of information, marking a new epoch in the evolution of digital crime.
Objectives are:
• A comprehensive study of the TCP/IP stack, with the assistance of research papers, magazines and books from sources such as IEEE and SANS.
• A review of how different researchers interpret and respond to the same subject.
• Adequate clarification of the TCP/IP layers and of the loopholes in protocols such as ICMP, DNS and TCP that make them carriers for covert channel attacks.
• Clear guidance on measures to mitigate covert channel attacks, which has become a critical part of any network forensic investigator's work.
• A real-time case study on the subject area, showing how a covert channel can be used for penetration testing.
• A practical proof-of-concept implementation of a covert channel over a widely used interface, illustrating how commonly deployed software can be used to move secret information.
• Use of covert channels by a red team during penetration testing, with the assistance of the case study.
Figure 2: Scope of covert channel analysis and data hiding in TCP/IP (Ahsan, 2002)
The results of Wolf (2008) can be interpreted as a logical extension of the same analysis, applied to LAN protocols. Wolf argues that encryption, as used for LAN authentication, cannot by itself block the unlawful flow of information through covert channels. The study notes that the presence of covert channels can be assumed in any network where shared services are used (Mileva, 2000). By analysing protocol frame formats, the authors explain the relation between protocol layout and covert storage channels, as well as the relation between functional protocol elements and covert timing channels. Covert storage channels include padding areas, reserved fields and unused fields of the frame.
1.2. Review
The IBM X-Force team took advantage of a covert channel to share an encrypted file during a penetration test without alerting the blue team. With the aid of the covert stream, the red team successfully sent the report out over port 80. This means that red teams have the advantage of needing only one way through, while blue teams are responsible for securing both the inbound and the outbound avenues (Poudel, 2019). This one-sided advantage means that investigators need to keep a close eye on attackers' tactics, techniques and procedures before cybercriminals exploit covert channels to commit crime through them.
A complete covert channel demonstration using Wireshark, with full evidence, is included in Appendix I.
At the transport layer, the source IP address can be spoofed so that a packet appears to come from the intended recipient of the hidden message, and a server's reply then carries the data to that recipient. The TCP three-way handshake is the critical area of study in this field. Of the twelve fields of the TCP header, many are rarely checked and some are, by design, random (Gimbi et al., 2012). For example, the 32-bit TCP sequence number defines the position of a segment's first data byte in the byte stream, but the initial sequence number chosen for a SYN is arbitrary, so a covert value placed there looks like any other. Because the source IP can be spoofed at this layer to carry false information as well as secret data, the transport layer is fertile ground for covert channel attacks.
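As an added example (not the page's own modified covert_tcp program), the following Python builds the kind of packet described above: one TCP SYN per character, with the character carried either in the IP Identification field (the encoding the Wireshark capture in Appendix I shows, where 'H' appears on the wire as 48 00) or in the top byte of the initial sequence number. The "character << 24" sequence-number encoding, port 80 and the spoofed source 43.95.43.1 are assumptions for the example. Both headers are laid out and checksummed per RFC 791 and RFC 793, so the packets would be accepted if written to a raw socket; the receiver side reads the carrier field back out of each captured packet.

```python
import random
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # RFC 791 header, no options
TCP_HDR = "!HHIIBBHHH"     # RFC 793 header, no options


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def forge_syn(src_ip, dst_ip, src_port, dst_port, ch, mode="ipid"):
    """Build one IPv4 + TCP SYN carrying the character ch.

    mode="ipid": IP Identification = ord(ch) * 256, so 'H' is on the wire as 48 00.
    mode="seq":  initial sequence number = ord(ch) << 24 (assumed encoding).
    Whichever field is not the carrier gets the random value a normal stack
    would pick, so only the carrier field differs from an ordinary SYN.
    """
    code = ord(ch)
    ip_id = code * 256 if mode == "ipid" else random.randrange(1, 0x10000)
    seq = code << 24 if mode == "seq" else random.getrandbits(32)
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)

    # TCP: SYN only, ACK 0, data offset 5 words, window 8192, urgent pointer 0.
    tcp = struct.pack(TCP_HDR, src_port, dst_port, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]

    # IPv4: version 4, IHL 5, total length 40, no fragmentation, TTL 64.
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(tcp), ip_id, 0, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def extract_char(packet: bytes, mode="ipid") -> str:
    """Receiver side: read the carrier field out of a captured packet (IHL 5 assumed)."""
    ip_id = struct.unpack(IP_HDR, packet[:20])[3]
    seq = struct.unpack(TCP_HDR, packet[20:40])[2]
    return chr(ip_id >> 8) if mode == "ipid" else chr(seq >> 24)


def covert_send(message, mode="ipid", src_ip="43.95.43.1", dst_ip="127.0.0.1"):
    """One SYN per character to port 80, with a fresh source port each time."""
    return [forge_syn(src_ip, dst_ip, random.randrange(1024, 65536), 80, c, mode)
            for c in message]


def covert_receive(packets, mode="ipid") -> str:
    """Reassemble the message from the captured packets in arrival order."""
    return "".join(extract_char(p, mode) for p in packets)


def header_checksums_ok(packet: bytes) -> bool:
    """A header that includes its own checksum sums to zero under RFC 1071."""
    src, dst = packet[12:16], packet[16:20]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(packet) - 20)
    return checksum(packet[:20]) == 0 and checksum(pseudo + packet[20:]) == 0


if __name__ == "__main__":
    pkts = covert_send("Hi I am Bidhan.")
    print(pkts[0][:20].hex())      # IP header of the first packet; bytes 4-5 read 4800
    print(covert_receive(pkts))    # Hi I am Bidhan.
```

Nothing here touches the network: to actually transmit, the bytes would be handed to a raw socket with IP_HDRINCL set, which needs root and is exactly the step a forensic investigator would look for in the sender's tooling. The IP ID mode is the easier of the two to spot in a capture, because a legitimate stack never leaves the low byte of the ID at zero for every packet in a row.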
Link-layer protocols such as Ethernet are heavily used within a LAN. A low-level protocol such as ARP, which maps IP addresses to MAC addresses on this network, can be used to tunnel data inside the LAN. An ARP covert channel requires sender and receiver to be on the same LAN, because ARP is not routed beyond it. Because ARP traffic is always present and rarely inspected, information hidden in ARP, Token Ring or PPP frames can go virtually undetected.
4. References
Ahsan, K. (2002) Covert Channel Analysis and Data Hiding in TCP/IP. Master's thesis.
Gimbi, J., Johnson, D., Lutz, P. and Yuan, B. (2012) A Covert Channel Over Transport Layer Source Ports.
Kwecka, Z. (2006) Application Layer Covert Channel Analysis and Detection. Honours thesis.
Buchanan, W.B. and Llamas, D. (2015) Covert Channel Analysis and Detection with Reverse Proxy Servers using Microsoft Windows. Thesis. Scotland: School of Computing, Napier University.
Mileva, A. and Panajotov, B. (2000) Covert Channels in TCP/IP Protocol Stack. Central European Journal of Computer Science.
Poudel, R. (2019) Covert Channel and Data Hiding in TCP/IP. Technical report.
Sbrusch, R. (2019) Network Covert Channels: Subversive Secrecy. SANS Institute, pp. 1-20.
Start Wireshark so that it can collect the data from the network.
Begin capturing packets on the local loopback interface (lo) and let the capture run.
The data can be seen being sent. As it flows in, the message can be read, because it is sent one character at a time: 'H' is the first character, 'i' is the second, then a space, and so on.
One thing not shown in the screenshot above is that IPv6 traffic also appears in the capture while the tool is running; it can simply be disregarded. Since the covert packets are TCP, the capture is filtered with the tcp display filter, and now only TCP packets are shown, as above. The destination is 127.0.0.1 and the source is the spoofed address 43.95.43.1, which does not exist on the network; Wireshark still captures the packets successfully.
Now, looking at the IP ID field (the reason for examining this field was given earlier), the first byte is 0x48 and the second byte is 0x00. The first byte is the ASCII code of 'H' and the second byte is simply empty, so the field value 0x4800 (18432 decimal) carries one character in its high byte.
The screenshot above shows the entire message reconstructed in text.txt, and the message is "Hi I am Bidhan." At the same time, as shown in the figure, the byte used by each character can be seen in the IP ID field of the corresponding packet.
The table above shows one of the valid combinations of the 6-bit code (flags) field. It can be interpreted as follows: one end of the virtual connection wants to finish the conversation (FIN=1) and at the same time acknowledge received data (ACK=1). The PSH flag is also set, because the same end tells the receiving TCP to deliver the data to its application immediately. Since the URG bit is not set, the 16-bit Urgent Pointer field of the TCP header shown in the figure above is redundant and can therefore be used to carry secret data.
Similarly, the Urgent Pointer is redundant in every combination where the URG bit is not set. The SYN bit is only meaningful on its own or together with ACK (the first two messages of the handshake); SYN combined with URG or PSH set to 1 is not a combination the protocol uses. Such unused fields and flag combinations are worthless to the protocol, and it is this redundancy that makes it possible to distribute covert data through the TCP header.
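Pulling together the two checks above, the manual decoding of the IP ID bytes in Appendix I and the observation that the Urgent Pointer is meaningless without URG, here is an added detection script (example code, not the page's own tool) run over a constructed capture. The 10.0.0.5 host, the ordinary IP ID values and the list of contradictory flag combinations are assumptions for the example; the spoofed 43.95.43.1 source, the destination 127.0.0.1:80 and the message "Hi I am Bidhan." mirror Appendix I. The script groups bare SYNs per (source, destination, port), decodes any run whose IP IDs are all a printable ASCII code times 256, and flags packets that carry an Urgent Pointer with URG clear or a flag combination the protocol never produces.

```python
import socket
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_HDR, TCP_HDR = "!BBHHHBBH4s4s", "!HHIIBBHHH"


def mk_packet(src, dst, ip_id, sport, dport=80, flags=SYN, urgptr=0):
    """Minimal IPv4/TCP builder for the constructed capture (checksums left
    zero: the heuristics below never look at them)."""
    ip = struct.pack(IP_HDR, 0x45, 0, 40, ip_id, 0, 64, 6, 0, src, dst)
    tcp = struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, 8192, 0, urgptr)
    return ip + tcp


def parse(packet):
    """Extract the fields the heuristics use; None for non-TCP packets."""
    ver_ihl, _, _, ip_id, _, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    if proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, _, flags, _, _, urgptr = struct.unpack(TCP_HDR, packet[ihl:ihl + 20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ip_id": ip_id, "sport": sport, "dport": dport,
            "flags": flags & 0x3F, "urgptr": urgptr}


def packet_findings(p):
    """Per-packet checks: fields that carry no protocol meaning but hold data."""
    f, out = p["flags"], []
    if p["urgptr"] and not f & URG:
        out.append("urgent pointer set without URG")
    if f & SYN and f & FIN:
        out.append("SYN and FIN set together")
    if f & SYN and f & RST:
        out.append("SYN and RST set together")
    if f == 0:
        out.append("no flags set")
    return out


def ipid_channel(parsed, min_len=4):
    """Group bare SYNs by (src, dst, dport). A run whose IP IDs are all
    printable ASCII * 256 (low byte zero) is the pattern the Wireshark
    walk-through decodes by hand; decode it the same way."""
    flows = defaultdict(list)
    for p in parsed:
        if p["flags"] == SYN:
            flows[(p["src"], p["dst"], p["dport"])].append(p["ip_id"])
    hits = {}
    for key, ids in flows.items():
        if len(ids) >= min_len and all((i & 0xFF) == 0 and 32 <= (i >> 8) < 127 for i in ids):
            hits[key] = "".join(chr(i >> 8) for i in ids)
    return hits


def analyse(raw_packets):
    """Return ([(src, dst, finding), ...], {(src, dst, dport): decoded_text})."""
    parsed = [p for p in map(parse, raw_packets) if p]
    findings = [(p["src"], p["dst"], msg) for p in parsed for msg in packet_findings(p)]
    return findings, ipid_channel(parsed)


def sample_capture():
    """Constructed capture: four ordinary SYNs from 10.0.0.5, the covert flow
    from the spoofed 43.95.43.1 seen in Appendix I, and two malformed packets."""
    host, lo = socket.inet_aton("10.0.0.5"), socket.inet_aton("127.0.0.1")
    spoof = socket.inet_aton("43.95.43.1")
    pkts = [mk_packet(host, lo, ip_id, 40000 + i)
            for i, ip_id in enumerate([0x1F3A, 0x1F3B, 0x1F3C, 0x1F3D])]
    pkts += [mk_packet(spoof, lo, ord(c) * 256, 50000 + i)
             for i, c in enumerate("Hi I am Bidhan.")]
    # Urgent Pointer carrying "Hi" (0x4869) while URG is clear
    pkts.append(mk_packet(host, lo, 0x2000, 40100, flags=FIN | ACK | PSH, urgptr=0x4869))
    pkts.append(mk_packet(host, lo, 0x2001, 40101, flags=SYN | FIN))
    return pkts


if __name__ == "__main__":
    found, decoded = analyse(sample_capture())
    for src, dst, msg in found:
        print(f"{src} -> {dst}: {msg}")
    for (src, dst, port), text in decoded.items():
        print(f"{src} -> {dst}:{port} IP ID channel decodes to {text!r}")
```

On a real capture the same two functions would be fed the raw bytes of each frame after the Ethernet header; the IP ID test is deliberately strict (every packet in the run must fit the pattern) so that ordinary traffic, whose IDs increment or are random, does not trip it.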