***Welcome to ashrafedu.blogspot.com * * * This website is maintained by ASHRAF***

Posts

    Latest Updates

    Monday, March 25, 2024

    Network session analysis

    Network session analysis

    Network session analysis is a method of monitoring network activity and availability to identify issues, such as operational or security problems. It can also be used to detect malware, such as ransomware. 

    Network traffic analysis (NTA) is a critical tool that helps improve performance, identify threats, and spot abnormalities.

    Common use cases for NTA include:

    • Collecting a real-time and historical record of what’s happening on your network
    • Detecting malware such as ransomware activity
    • Detecting the use of vulnerable protocols and ciphers
    • Troubleshooting a slow network
    • Improving internal visibility and eliminating blind spots

    Benefits of NTA include:

    • Improved visibility into devices connecting to your network (e.g. IoT devices, healthcare visitors)
    • Meet compliance requirements
    • Troubleshoot operational and security issues
    • Respond to investigations faster with rich detail and additional network context

    Some of the use cases for analyzing and monitoring network traffic include:

    • Detection of ransomware activity
    • Monitoring data exfiltration/internet activity
    • Monitor access to files on file servers or MSSQL databases
    • Track a user’s activity on the network, though User Forensics reporting
    • Provide an inventory of what devices, servers and services are running on the network
    • Highlight and identity root cause of bandwidth peaks on the network
    • Provide real-time dashboards focusing on network and user activity
    • Generate network activity reports for management and auditors for any time period

    Wednesday, May 3, 2023

    RSA Algorithm

    The RSA algorithm is an asymmetric cryptography algorithm; this means that it uses a public key and a private key.

    The RSA algorithm is named after those who invented it in 1978: Ron Rivest, Adi Shamir, and Leonard Adleman.


    The following steps highlight how it works:

    1. Generating the keys

    1. Select two large prime numbers, x and y. The prime numbers need to be large so that they will be difficult for someone to figure out.
    2. Calculate n = x x y.
    3. Calculate the totient function: ϕ(n) = (x−1)(y−1).
    4. Select an integer e, such that e is co-prime to ϕ(n) and 1< e < ϕ(n). The pair of numbers (n,e) makes up the public key.
    1. Calculate d such that e.d=1 mod ϕ(n). The pair (n,d) makes up the private key.

    2. Encryption

    Given a plaintext P, represented as a number, the ciphertext C is calculated as:

    C=Pe mod n.

    3. Decryption

    Using the private key (n,d), the plaintext can be found using:

    P=Cd mod n.

    RSA Algorithm Example

    • Choose p = 3 and q = 11
    • Compute n = p * q = 3 * 11 = 33
    • Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20
    • Choose e such that 1 < e < φ(n) and e and φ (n) are coprime. Let e = 7
    • Compute a value for d such that (d * e) % φ(n) = 1.

    One solution is d = 3    since [(3 * 7) % 20 = 1]

    • Public key is (e, n) => (7, 33)
    • Private key is (d, n) => (3, 33)
    • The encryption of P = 2 is C = 27 % 33 = 29
    • The decryption of C = 29 is P = 293 % 33 = 2

    Advanced Encryption Standard algorithm

    The AES algorithm (also known as the Rijndael algorithm) is a symmetrical block cipher algorithm that takes plain text in blocks of 128 bits and converts them to ciphertext using keys of 128, 192, and 256 bits. Since the AES algorithm is considered secure, it is in the worldwide standard.


    The AES algorithm uses a substitution-permutation, or SP network, with multiple rounds to produce ciphertext.

    The number of rounds depends on the key size being used.

    A 128-bit key size dictates ten rounds, a 192-bit key size dictates 12 rounds, and a 256-bit key size has 14 rounds.

    Each of these rounds requires a round key, but since only one key is inputted into the algorithm, this key needs to be expanded to get keys for each round, including round 0.

    Steps in each round

    Each round in the algorithm consists of four steps.

    1. Substitution of the bytes
    In the first step, the bytes of the block text are substituted based on rules dictated by predefined S-boxes (short for substitution boxes).

    2. Shifting the rows
    Next comes the permutation step. In this step, all rows except the first are shifted by one.

    3. Mixing the columns
    In the third step, the Hill cipher is used to jumble up the message more by mixing the block’s columns.

    4. Adding the round key

    In the final step, the message is XORed with the respective round key.


    When done repeatedly, these steps ensure that the final ciphertext is secure.

    Applications of AES:

    Wireless networks are secured using the Advanced Encryption Standard to authenticate routers and clients.

    AES plays a huge role in securing website server authentication from both client and server end. With both symmetric and asymmetric encryption being used, this algorithm helps in SSL/TLS encryption protocols to always browse with the utmost security and privacy.

    AES is also used to transfer files between associates in an encrypted format. The encrypted information can extend to chat messages, family pictures, legal documents, etc.


    DES(Data Encryption Standard) Algorithm

    The DES algorithm takes the plain text of 64-bit as input & produces a ciphertext of 64-bit using a key of 56 bits. Initially, a 64-bit key length is used but an 8-bit is discarded.

    The (DES) Data Encryption Standard Algorithm was developed by the IBM team in the 1970s.

    The National Institute of Standards and Technology (NIST) later adopted this algorithm.

    The DES encryption algorithm uses symmetric keys, which means that the same key is used for encrypting and decrypting the data.

    DES Algorithm Steps

    • The initial permutation (IP) function receives the 64-bit plaintext block.
    • The IP is performed on plaintext.
    • The IP then makes two halves of the block that has been permutated. The two halves are known as left plan text (LPT) and right text (RPT).
    • All LPTs and RPTs are encrypted 16 times.
    • The LPT and RPT are joined, and then the final permutation (FP) is performed on this block.
    • The 64-bit ciphertext is now ready.

    In the encryption process (step 4), there are five stages:

    • Key transformation
    • Expansion permutation
    • S-Box permutation
    • P-Box permutation
    • XOR, and swap

    In the decryption process, the same algorithm is used with the order of the 16 keys reversed.

    The DES algorithm is used whenever a not-very-strong encryption is needed. It can be used in random number generators or even as a permutation generator.

    One of the most important practical applications of the DES algorithm is to create triple DES legacy systems with three keys.

    Thursday, April 6, 2023

    Email header - analyzing email header

    Email Header

    The email header is a code snippet in an HTML email, that contains information about the sender, recipient, email’s route to get to the inbox and various authentication details. The email header always precedes the email body.

    Purpose of email header:

    • Providing information about the sender and recipient. An email header tells who sent the email and where it arrived. Some markers indicate this information, like “From:”  sender’s name and email address, “To:” the recipient’s name and email address, and “Date:” the time and date of when the email was sent. All of these are mandatory indicators. Other parts of the email header are optional and differ among email service providers.
    • Preventing spam. The information displayed in the email header helps email service providers troubleshoot potential spam issues. ESPs(email Service Providers) analyzes the email header, the “Received:” tag, in particular, to decide whether to deliver an email or not.
    • Identifying the email route. When an email is sent from one computer to another, it transfers through the Mail Transfer Agent which automatically “stamps” the email with information about the recipient, time and date in the email header. 

    Analyzing an Email Header

    To analyze it, you need to find the email header and examine the lines of interest to you. All the code from the beginning, until the <body> tag, represents the header. Here is the list of what you can find in the email header:

    Received: lines. They show the address of the computer that received the email, as well as other computer’s addresses that an email may have been transferred through. Unlike other email header elements, Received: lines can’t be forged.

    MIME-version. Multipurpose Internet Mail Extensions are an Internet standard that extends the format of email by supporting text and non-text attachments like audio, video, images, message bodies with multiple parts, etc.

    Message-ID. The message-ID is a globally unique identifier used in email. Message-IDs have a specific format that is generated for a specific email address and message, thus, no two messages have the same Message-ID.

    DKIM Signatures. DomainKeys Identified Mail confirms the sender’s authenticity by connecting the domain name with the email. DKIM is the technology that helps to reduce spam and phishing and allows companies to vouch for their email messages.

    Srutinizing e-mails (Investigation Using Emails/email forensics)

    email forensics/ Srutinizing e-mails (Investigation Using Emails)

    Emails play a very important role in communications and have emerged as one of the most important applications on internet. They are a convenient and easy mode for sending messages as well as documents, not only from computers but also from other electronic gadgets such as mobile phones and tablets.

    The negative side of emails is that adversaries(criminals) may leak important information about a company through emails.

    Hence, the role of emails in digital forensics has been increased in recent years. In digital forensics, emails are considered as crucial evidences and Email Header Analysis has become important to collect evidence during forensic process.

    An investigator has the following goals while performing email forensics −

    • To identify the adversary(criminal)
    • To collect necessary evidences
    • To presenting the findings
    • To build the case

    Challenges in Email Forensics

    An email forensic investigator may face the following challenges during the investigation

    1. Fake Emails

    The biggest challenge in email forensics is the use of fake e-mails that are created by manipulating and scripting headers etc. In this criminals also use temporary email which is a service that allows a registered user to receive email at a temporary address that expires after a certain time period.

    2. Spoofing

    Another challenge in email forensics is spoofing in which criminals used to present an email as someone else’s. In this case the machine will receive both fake as well as original IP address.

    3. Anonymous Re-emailing

    Here, the Email server strips identifying information from the email message before forwarding it further. This leads to another big challenge for email investigations.

    Techniques Used in Email Forensic Investigation

    Email forensics is the study of source and content of email as evidence to identify the actual sender and recipient of a message along with some other information such as date/time of transmission and intention of sender. 

    Some of the common techniques which can be used for email forensic investigation are

    • Header Analysis

    Email headers contain essential information, including the name of the sender and receiver, the path (servers and other devices) through which the message has traversed, etc. The vital details in email headers help investigators and forensics experts in the email investigation.

    • Server investigation

    Email servers are investigated to locate the source of an email. For example, if an email is deleted from a client application, sender’s, or receiver’s, then related ISP or Proxy servers are scanned as they usually save copies of emails after delivery. Servers also maintain logs that can be analyzed to identify the computer’s address from which the email originated.

    • Network Device Investigation

    In some cases, logs of servers are not available. This can happen for many reasons, such as when servers are not configured to maintain logs or when an ISPs refuses to share the log files. In such an event, investigators can refer to the logs maintained by network devices such as switches, firewalls, and routers to trace the source of an email message.

    • Sender Mailer Fingerprints

    X-headers are email headers that are added to messages along with standard headers, like Subject and To. The x-originating-IP header can be used to find the original sender, i.e., the IP address of the sender’s computer.

    • Software Embedded Identifiers

    Sometimes, the email software used by a sender can include additional information about the message and attached files in the email. For example, it can be found in Multipurpose Internet Mail Extensions (MIME) content as a Transport Neutral Encapsulation Format (TNEF) or custom header. An in-depth analysis of these sections can reveal vital details related to the sender, like the MAC address, Windows login username of the sender and much more.

     

     

     

    HTTP Protocols

    HTTP Protocols

    HTTP (Hypertext Transfer Protocol) is the underlying communication protocol of World Wide Web. HTTP functions as a request–response protocol in the client–server computing model.

    HTTP has four versions — HTTP/0.9, HTTP/1.0, HTTP/1.1, and HTTP/2.0. The common version in use is HTTP/1.1 and the future will be HTTP/2.0.

    HTTP/0.9 — The One-line Protocol

    • It is initial version of HTTP, a simple client-server, request-response, telenet-friendly protocol
    • Request nature is single-line (method + path for requested document)
    • Methods supported by this version is GET only
    • Response type is hypertext only
    • Connection  is terminated immediately after the response
    • No HTTP headers (cannot transfer other content type files), No status/error codes, No URLs, No versioning

    HTTP/1.0 — Building extensibility

    • Browser-friendly protocol
    • Provided header fields including rich metadata about both request and response (HTTP version number, status code, content type)
    • Response is not limited to hypertext (Content-Type header provided ability to transmit files other than plain HTML files — e.g. scripts, stylesheets, media)
    • Methods supported are GET , HEAD , POST
    • Connection is terminated immediately after the response

    HTTP/1.1 — The standardized protocol

    • This is the HTTP version currently in common use.
    • Introduced critical performance optimizations and feature enhancements — persistent and pipelined connections, chunked transfers, compression/decompression, content negotiations, virtual hosting (a server with a single IP Address hosting multiple domains), faster response and great bandwidth savings by adding cache support.
    • Methods supported are GET , HEAD , POST , PUT , DELETE , TRACE , OPTIONS
    • Connection is long-lived

    HTTP/2.0

    With Upgrade header introduced in HTTP/1.1, it is possible to start a connection using a commonly-used protocol, such as HTTP/1.1, then request that the connection switch to an enhanced protocol type like HTTP/2.0 or WebSockets.

    HTTPS

    Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP. It uses SSL/TLS for secure encrypted communications.

    An HTTPS connection can protect the data transfer from the man-in-the-middle attacks and common security threats by providing bidirectional encryption for communications between a client and server.

    Although HTTPS is secure by its design, the SSL/TLS handshake process consumes a significant time before establishing an HTTPS connection. It normally costs 1–2 seconds and drastically slows down the startup performance of a website.

     

     

    Network session analysis

    Network session analysis Network session analysis is a method of monitoring network activity and availability to identify issues, such as ...