Posts Tagged ‘digital forensics’

A Cyber-Investigator’s Introduction to IPv6

Wednesday, July 13th, 2011

This article is a guest post from Jonathan Abolins, who will be leading the next webinar in our Online Investigations Series: “Internationalised Domain Names, Foreign Language Websites, & Investigations.” While the two topics are unrelated, they do have one thing in common: both present previously uncharted challenges for online investigators.

There’s no place like home.
There’s no place like 127.0.0.1. (IPv4 version)
There’s no place like ::1. (IPv6 version)

Introduction

The widely used Internet Protocol version 4 (IPv4) was created approximately 30 years ago and has served us well, but it is also showing its age. Back in the early 1980s it was almost impossible to anticipate the growth in demand for IP addresses; now we are running out of IPv4 addresses (“IPv4 address exhaustion”). Various other improvements to the Internet Protocol have also long been wanted.

To address these issues, Internet Protocol (Version 6) – IPv6 – was proposed in the mid-1990s. IPv6 is not yet in wide use but it would be a big mistake to assume that IPv6 cannot affect our networks.

Most operating systems and network devices now include IPv6 support by default. IPv6 can also be tunnelled over IPv4 with Teredo, 6to4, and similar mechanisms. For those whose ISPs don’t provide IPv6 connectivity, services such as the Hurricane Electric Free IPv6 Tunnel Broker let people tunnel over IPv4 to reach a service that gives them IPv6 connections.

Example of IPv6 Support in Windows 7

IPv6 is going to become a bigger part of our networking and investigations in the near future. Will our tools and methods be able to handle the changes?

IPv6 vs IPv4: A Few Key Points

Without going into much detail, here are some of the key differences between IPv6 and IPv4:

Number of bits and address space.

  • IPv4 has 32 bits, allowing just over 4 billion addresses. That is not even enough to give a unique address to each human being on Earth.
  • IPv6 has 128 bits, allowing 340,282,366,920,938,000,000,000,000,000,000,000,000 unique addresses. This is roughly like giving 2^52 addresses for every star in the known universe. We are not likely to run out of IPv6 addresses.

Address notation.

  • IPv4 usually uses dotted decimal notation. E.g., 192.168.2.12.
  • IPv6 uses groups of 16-bit hexadecimal numbers separated by colons (“:”). E.g., 2001:04c0:0000:0000:0000:c5ef:0000:0231.
  • IPv6 addresses can be compacted: leading zeros in a group may be dropped and one run of all-zero groups may be collapsed to “::”. So the above example becomes 2001:4c0::c5ef:0:0231.
  • In a mixed IPv4/IPv6 environment, a 32-bit IPv4 address can be embedded in the last 32 bits of an IPv6 address and written in dotted form. E.g., 2001:04c0::192.168.1.1 or ::126.143.54.107 (note the switch from colon separators to dotted format).

IP security (IPsec), which provides the ability to cryptographically authenticate and encrypt packets, is built into IPv6.

There are various IPv6 tools for defense (if we know how to use them).

This is barely scratching the surface. The Resources section (below) has IPv6 specifications and other documents for more in-depth information.

Security, Forensics & Investigations Issues for IPv6

As mentioned above, IPv6 has some security features. Some IPv6 features might also be helpful in investigations; for example, in some cases an IPv6 address reveals the source’s MAC address. But IPv6 and the current networking environments also raise security problems.

The gigantic IPv6 address space means that scanning IPv6 networks with IPv4 methods where we can try each possible IP address is not going to work. It’s possible to scan the entire IPv4 address space this way in several days. Scanning the entire IPv6 address space the same way would take billions of centuries. Even an IPv6 subnet could take over 145,000 years. So we need IPv6 methods, such as neighbour discovery, of finding systems at IPv6 addresses.

Tools designed for IPv4 environments might not properly process IPv6 information. Some log processing applications truncate IPv6 addresses, and many may not properly interpret IPv6 traits. Blacklisting tools may miss problem addresses because they cannot associate IPv6 with IPv4 or recognise IPv4 embedded in IPv6 notation. Analysis tools that link data such as IP addresses to crimes are likely to have problems once IPv6 addresses come into play. What else might trip up with IPv6?

Keep in mind too that there are many tools available that can be used for attacking IPv6 systems or for using IPv6 to bypass security. Firewalls set up for IPv4 may ignore IPv6 connections and, thus, fail to protect the internal networks. Detection software may ignore the IPv6 or tunnelling.

Even many commonly used network tools can fail unless we have the right versions of the tools and suitable network connections. For example, here’s a part of a sample SMTP e-mail header with a reference to the IPv6 address of 2001:470:0:64::2:

From ipv6@he.net Tue Nov 23 09:51:00 2010
Return-Path:
Received: from ipv6.he.net (ipv6.he.net [IPv6:2001:470:0:64::2])
by Duncan-Server.duncan (8.14.3/8.14.3/Debian-9ubuntu1) with
<…>

Try “ping 2001:470:0:64::2” and it will likely fail. If you have ping6, it might work, but not if your network connection doesn’t support IPv6. The same goes for traceroute and various other tools. Nslookup, dig, and whois work better (example of an IPv6 whois lookup via the ARIN Web site), but they are not enough for our security & forensics toolkit.
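The header fragment above, and the earlier point about log tools truncating IPv6 addresses and blacklists missing IPv4 hidden inside IPv6 notation, can be exercised together in a small script. This is an added example, not the article’s code: the Received: lines, host names, message ids, the 192.0.2.0/24 addresses and the watchlist are constructed (the IPv6 address 2001:470:0:64::2 is the one quoted above). It pulls the relay addresses out of Sendmail-style headers, normalizes them with Python’s ipaddress module (unwrapping IPv4-mapped addresses), matches them against a watchlist written in a different notation, and shows what cutting an IPv6 address at IPv4 width does.

```python
import ipaddress
import re

# Constructed sample headers in the same Sendmail style as the fragment above.
SAMPLE_HEADERS = """\
Received: from ipv6.he.net (ipv6.he.net [IPv6:2001:470:0:64::2])
\tby mail.example.test (8.14.3/8.14.3) with ESMTP id CONSTRUCTED01;
\tTue, 23 Nov 2010 09:51:00 -0500
Received: from relay.example.test (relay.example.test [IPv6:::ffff:192.0.2.10])
\tby mail.example.test (8.14.3/8.14.3) with ESMTP id CONSTRUCTED02
Received: from legacy.example.test (legacy.example.test [192.0.2.10])
\tby mail.example.test (8.14.3/8.14.3) with ESMTP id CONSTRUCTED03
"""

# Constructed watchlist: one fully expanded IPv6 entry and one IPv4 entry.
WATCHLIST = {"2001:0470:0000:0064:0000:0000:0000:0002", "192.0.2.10"}

# Sendmail writes the peer address in square brackets, tagging IPv6 with "IPv6:".
_BRACKETED_ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def normalize(addr: str) -> str:
    """Canonical text form: compressed IPv6, with IPv4-mapped IPv6 unwrapped to IPv4."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return ip.compressed


def extract_ips(headers: str) -> list:
    """Return every bracketed relay address from the Received: lines, normalized."""
    return [normalize(m.group(1)) for m in _BRACKETED_ADDR.finditer(headers)]


def is_listed(addr: str, watchlist) -> bool:
    """Compare canonical forms, so a notation difference cannot hide a hit."""
    canon = {normalize(w) for w in watchlist}
    return normalize(addr) in canon


def truncation_effect(addr: str, width: int = 15) -> str:
    """Describe what a tool that cuts addresses at IPv4 width (15 chars) does to addr."""
    cut = addr[:width]
    try:
        return "unchanged" if normalize(cut) == normalize(addr) else "different valid address"
    except ValueError:
        return "invalid"


if __name__ == "__main__":
    for ip in extract_ips(SAMPLE_HEADERS):
        print(f"{ip:20} raw-in-watchlist={ip in WATCHLIST}  listed={is_listed(ip, WATCHLIST)}")
    for a in ("2001:470:0:64::2", "192.0.2.10", "2001:04c0:0000:0000:0000:c5ef:0000:0231"):
        print(f"{a:40} after 15-char truncation: {truncation_effect(a)}")
```

Note the truncation case: cutting 2001:470:0:64::2 to fifteen characters leaves 2001:470:0:64::, which is itself a valid address for a different host, so a log field sized for IPv4 can silently record the wrong machine rather than an obviously broken value.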

The most critical security & investigatory challenge is getting up to speed with IPv6.

Conclusion

IPv6 has much to offer. It is also outpacing many of the tools and methods for securing IPv4 networks and investigating activities on the networks. Our tools, methods, and our understanding of IPv6 will need to adapt.

Resources

IETF. RFC 2460 – Internet Protocol, Version 6 (IPv6) Specification.
The Internet Society. Internet Issue – IPv6.
Klein, Joe. Collection of IPv6 Security presentations. These presentations are an excellent resource for understanding the security issues with IPv6. Joe Klein is a great resource in this field.
Leinwebe, James. IPv6 and the future of network forensics. UW-Madison Information Security Team. June 6, 2011.
Nikkel, Bruce J. An introduction to investigating IPv6 networks. July 19, 2007. [Originally published by Elsevier in Digital Investigation: The International Journal of Digital Forensics and Incident Response, Vol. 4, No. 2 (10.1016/j.diin.2007.06.001).]

Wikipedia entries
IPv6
IPv4 address exhaustion
List of IPv6 tunnel brokers

Wireshark Wiki. Sample PCAP Captures – IPv6 and Tunneling.

Acknowledgements: Many thanks to Joe Klein, Joshua Marpet, and Jeremy Duncan for their insights and help.

Tracing IP Addresses: Some Background

Wednesday, October 14th, 2009
Tools like traceroute show the many data packet paths across the Internet.

Everyone uses the Internet, says Gary Kessler, instructor of the upcoming “Tracing IP Addresses” webinar—but few people understand how it actually works. And while investigators don’t need to know how the telephone system works to get a warrant for phone records or even wiretapping, the Internet is far more complex—but far more accessible to the investigator.

“Computer forensics starts ‘under the hood’,” he explains. The investigator must know about file allocation tables, storage space on a hard drive or other digital device, and so forth, before being able to use the appropriate tool to recover evidence.

And because the Internet figures into so many forensic examinations—those involving child pornography, cyber bullying and harassment, etc.—it is one of the working parts “under the hood.” “No longer are there standalone computers,” says Kessler, “so conducting online investigations involves the application of some forensic principles.”

Tying digital evidence to individuals

These include both legal and technical aspects. “Investigators need to be able to understand the networking clues left on the computer,” says Kessler, “such as where to look, and how the clues can mislead. For example, the email header doesn’t prove who sent the email, but it can indicate where the email came from.”

In fact, he adds, everything in digital forensics is about finding patterns of behavior. “When taken together, those patterns can lead a reasonable person to what a suspect did,” says Kessler. “Digital forensics provides exculpatory or incriminating information which might take an investigation in a direction it may not otherwise have gone.”

In the case of IP tracing, this can even include geolocation. “An IP address can provide a general location from where an individual accessed email, for example,” says Kessler. “In one homicide investigation, this was key when the suspect denied an email account was his. Not only was the account established as his, but the IP addresses also showed the account being accessed from locations which coincided with his business trip calendar.”

Seeing evidence from every angle

Kessler says there are few misunderstandings about IP address tracing, but that investigators don’t always correctly interpret the evidence. “As an example, a traceroute showing data packets going from Point A to Point B will show a different set of addresses than the packets going back from Point B to Point A,” he explains, “which could be interpreted as a completely different route. The investigator has to know how to interpret the information, which is simply the same route being reported in a different way.”

The takeaways from Kessler’s webinar: how IP addresses relate back to online activities, along with tools that show how addresses relate to Web domains, how the domains relate to individuals, and how IP addresses relate to geographical locations.

In addition, Kessler will cover how criminals use the same tools. “An investigator uses the tools in a criminal case, but a hacker uses them to discover vulnerabilities,” he explains. So in all, while IP address tracing may seem trivial, it is important in any case with a networking component.

Learn more: register for the Tracing IP Addresses webinar today!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Image: curiouslee via Flickr