The document summarizes a presentation on network forensics and lessons learned from the 7 July 2005 London attacks. The presentation covered early adoption of firewalls and DMZs, intrusion prevention systems, the use of fingerprints and DNA in forensics, the 2004 Madrid train bombings and the 2005 London bombings. It discussed the police investigation into the London attacks, including identifying suspects from CCTV footage and a practice run captured on video. The presentation proposed the use of network monitoring tools ("network CCTV") as a forensic technique and discussed the challenges of detecting slow scans and attacks that use random ports or covert channels over well-used ports.
FIST January/Madrid 2008
1. FIST Conference January/Madrid 2008
Sponsored by:
Network Forensics and Lessons Learnt
from the July 07 London Attacks
Geoff Harris
Alderbridge Consulting Ltd
geoff.harris@alderbridge.com
www.alderbridge.com
0044 1423 321900
2. About the Author
Background in Military Communications Design
CEO Alderbridge Consulting formed 1997
ISSA-UK President
UK Government CLAS Consultant
CISSP, ITPC, BSc, DipEE, C.Eng
8. Forensics – fingerprints & DNA
Edward Henry was appointed Assistant Commissioner of Police at New Scotland Yard and began to introduce his fingerprint system.
The first British court conviction by fingerprints was in 1902.
9. 11 March 2004 – Madrid Train Bombings
10 explosions on 4 commuter trains (cercanías)
killing 191 people and wounding 1,755
10. 7 July 2005 - London
3 tube explosions and 1 bus explosion
Entire London Underground system shut down
11. Post 7 July 2005 – London Investigations
12 July 2005: Identified three suspects from CCTV footage, a missing person's report and documents found in the debris at each bomb site.
Luton railway station is closed as police investigate a car parked there and believed to be associated with the suspects caught on CCTV cameras.
12. The Dummy Run
“Police trawl through 80,000 CCTV tapes”
“Ten weeks after the attacks, CCTV footage was released of three of the
bombers setting out on a "practice run".
Mohammad Sidique Khan, Germaine Lindsay and Shehzad Tanweer -
but not Hasib Hussain - met at Luton station at around 0810 BST on
June 28.
13. The Dummy Run
Video cameras showed them buying tickets before they boarded a train
to King's Cross, where they arrived at 0855 and made their way to the
Underground network. Police said they were seen at Baker Street at
midday before they returned to King's Cross at 1250, arriving back in
Luton 50 minutes later.”
14. Detecting The IT Network Attack
• Firewall logs
• System Logs
• IDS – Host IDS & Network IDS
• Correlation of events – SEM tools
Management Overhead - MSS
15. Hiding In The Noise
• The Slow Scan
• Random Ports – Random Port Hopping
• Trojan/Covert channels over well used ports
• The outgoing IRC, http, https threat
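The slow scan in the list above only shows up when firewall events are correlated over a long window, which is the "correlation of events" point from the previous slide. The following is an added example, not code from the presentation: it parses constructed iptables-style firewall log lines (format, hosts and timestamps are all assumed) and flags a source that probes many distinct ports on one host, comparing a short correlation window, which misses the slow scan, with a long one, which catches it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from the slides). 10.0.0.5 touches one new
# port roughly every 20 minutes over two hours: a slow scan. 10.0.0.9 is a normal
# client that repeatedly connects to port 443 and should not be flagged.
FW_LOG = """\
Jul 07 08:10:01 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=21
Jul 07 08:31:17 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=22
Jul 07 08:52:44 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=23
Jul 07 09:14:09 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=25
Jul 07 09:35:30 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=80
Jul 07 09:56:58 fw kernel: DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=110
Jul 07 08:12:00 fw kernel: ACCEPT SRC=10.0.0.9 DST=192.168.1.10 PROTO=TCP DPT=443
Jul 07 09:12:00 fw kernel: ACCEPT SRC=10.0.0.9 DST=192.168.1.10 PROTO=TCP DPT=443
Jul 07 10:12:00 fw kernel: ACCEPT SRC=10.0.0.9 DST=192.168.1.10 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: (\w+) SRC=(\S+) DST=(\S+) PROTO=\w+ DPT=(\d+)"
)

def parse(log):
    """Yield (timestamp, action, src, dst, dport); syslog has no year, so 2005 is assumed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime("2005 " + m.group(1), "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4), int(m.group(5))

def flag_scanners(log, window, min_ports):
    """Return {src: sorted ports} for sources whose DROPped probes reached at least
    min_ports distinct ports on one destination inside any sliding `window`.
    A per-minute window misses a slow scan; a multi-hour window correlates it."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for ts, action, src, dst, dport in parse(log):
        if action == "DROP":
            events[(src, dst)].append((ts, dport))
    flagged = {}
    for (src, dst), evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window start over each event
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

Running `flag_scanners(FW_LOG, timedelta(minutes=5), 5)` returns nothing, while `flag_scanners(FW_LOG, timedelta(hours=3), 5)` flags 10.0.0.5 with all six probed ports.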
16. “Network CCTV” as a Forensic Tool
Commonly used existing sniffing products:
• Microsoft Net Mon
• NAI Sniffer
• Ethereal
Problem – the ability to capture the moment of attack at the right time
and understand what led up to the attack
17. “Network CCTV” as a Forensic Tool
For the IDS & Network CCTV - NIKSUN NetDetector
Other products such as NetIntercept
18. “Network CCTV” as a Forensic Tool
[Network diagram: Manchester and Leeds sites connected over the Internet/WAN to London HQ. London HQ hosts a Web Server, Mail Server and VPN Gateway; a Security LAN with a Central Security Server (UNCLASSIFIED); a Stealth Monitoring LAN (RESTRICTED) with its own server; a Trusted LAN (UNCLASSIFIED) and a Trusted LAN (RESTRICTED). A Network IDS Sensor and the Proposed Network Recorder sit on the monitoring path.]
21. Summary
• CCTV in UK has been highly successful
• Social issues – invasion of privacy
• “Network CCTV” is very powerful as a
forensic tool
• Employee and citizen rights here too
• Threat to corporate and government
networks due to terrorism and espionage
continues to grow
22. Creative Commons
Attribution-ShareAlike 2.0
You are free:
• to copy, distribute, display, and perform this work
• to make commercial use of this work
Under the following conditions:
Attribution. You must give the original author
credit.
Share Alike. If you alter, transform, or build
upon this work, you may distribute the resulting
work only under a license identical to this one.
For any reuse or distribution, you must make clear to others the license terms of this work.
Any of these conditions can be waived if you get permission from the author.
Your fair use and other rights are in no way affected by the above.
This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a
copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
23. www.fistconference.org with the sponsorship of:
Geoff Harris
Alderbridge Consulting Ltd
geoff.harris@alderbridge.com
www.alderbridge.com
0044 1423 321900