ChronosIP: Internet Forensics


ChronosIP is the new name for a forensics product by 3DN and SURFnet called ‘UserTracking 2’. At 3DN we believe that UserTracking 2 may have been too far ahead of the technology curve at the time, that its name was unappealing and that its scope was not general enough. Apart from that, 3DN has come to believe that forensics tools need to be marketed and backed by a large corporate partner because of the potential liabilities involved. So instead of publishing UserTracking 2 as a purely open-source product, we will split it into an open-source variant that people can play with or use for their own experiments, while we also try to find a partner for the commercial variant of ChronosIP.

In the following article we describe some of the technology used in UserTracking 2 and some of the new features we intend to implement in the commercial version. This article is written for an audience with deep technical knowledge of networking protocols, or for management that will be in contact with law enforcement in case of a forensics request.

ChronosIP Intro

When you are the manager of the IT department of a large organisation with full access to the internet, or a security administrator in that organisation, you either have been in the hot seat or will be in it at some point in the near future. The hot seat is the moment when law enforcement visits your organisation, informs you that criminal activity has been detected from within it, at a certain time and from a certain IP address, and asks you for the information they need to make a case against the offender.

Many organisations today cannot provide law enforcement with enough information to make a case. At some point in the future, however, law enforcement will hold this against you, and not knowing the law will be no excuse for escaping liability. That is where your seat starts to get very hot indeed. So how are you going to prepare for this situation?

The Possibilities

There is a chance that, once in the hot seat, a skilled administrator can still find out who was logged in on the IP address at the time in question. Most organisations run Microsoft Windows on the desktop, and in that situation it is not very hard to browse through the domain’s logon logs to find the necessary information. Alternatively, perhaps your organisation keeps its DHCP logs and MAC addresses, and a match to a user is made relatively easily. UserTracking 2 was originally written for a wireless infrastructure that uses 802.1X to grant people access to layer 2 of the network based on their credentials; in that situation it is easy, for example, to match a MAC address to a username.

However, this is a classic mistake in law enforcement thinking: a criminal will often try to cover his tracks. Finding an offender by methods that are easily fooled can lead you to the wrong person. It is, for example, not very difficult to spoof the MAC address of a NIC, and it is not very difficult to change the IP address that has been assigned to you, even where measures are in place to prevent it. An ironic remark during the early phases of the UserTracking 2 project was: ‘well, we can simply scan our DHCP logs, right? We’ll catch at least 95% of all IP address/MAC couplings.’ True enough, but usually we will not be interested in those 95%, unless we are dealing with a dumb criminal (a possibility that ChronosIP does not discard, however).

So how quickly you get out of the hot seat depends mostly on what your infrastructure looks like. Do you have a fully 802.1X-authenticated network? Do you keep all your DHCP logs or your Windows domain controller logs? Do you have port security enabled to prevent people inside your network from changing their MAC or IP address? Do you frequently poll the router’s ARP tables to get snapshots of MAC/IP couplings? Or do you even sniff all ARP replies on your network through a Cisco SPAN port? Keep in mind that DHCP logs and ARP tables only bind an IP address to a MAC address; the step from a MAC address to a person still needs a source such as 802.1X authentication or domain logon records. With such measures in place, chances are that you will be able to answer the law enforcement officer, but how long will it take to search through all these records? The hot seat is not a place you want to be in at all, and it is certainly not a place you want to stay in for long while your system administrators search through enormous log files.

The above is just a small sample of the measures you can take; it is obviously not a complete set, and in the future much better technologies may be developed.

ChronosIP

ChronosIP is not a tool that dynamically alters your infrastructure into a perfect setup. If you are looking for the holy grail of forensics, keep looking; you will not find it here. ChronosIP can, however, use many different resources to let Time/IP/username triplets move through a state diagram of reliability. A DHCP log entry on its own could be considered rather weak evidence, but if it is all we have, why not record it? Perhaps shortly after somebody has been assigned an IP address by the DHCP server we could ping that address, check the router’s MAC/IP table and verify that it matches the triplet we just recorded. For UserTracking 2 we developed the following state diagram:

(Figure: the ChronosIP state diagram)

This state diagram shows a few states that we will see return in ChronosIP. In this particular diagram we see ‘PENDING’, ‘OBSOLETE’, ‘DHCP’, ‘SNMPWALK’ and ‘ARPDAEMON’, in order of reliability. We will not explain these states in detail here, but ‘in order of reliability’ is the important point: UserTracking 2, with its fixed state diagram, attached a degree of reliability to each IP/MAC coupling. A coupling in the state ‘ARPDAEMON’, for example, is one where a network sniffing process has just seen an ARP reply from the MAC address claiming that IP address: a rather reliable state indeed. Reliable, that is, as a record of what was actually put on the wire at that moment; whether the MAC address itself was spoofed is a separate question.

ChronosIP will build on the state model developed in UserTracking 2, but it will make that model dynamic. In UserTracking 2, each of the states (some combined) was monitored by a separate process, conceivably even on entirely different machines. ChronosIP will continue to do this, but each process must first claim its states with the ChronosIP message handler. Each of these states is assigned transition events that promote triplets to a next state, and the processes also indicate the reliability level of their states to the message handler. In this way we create an extensible state diagram, and all a vendor that invents some new technology has to do to make it ‘ChronosIP aware’ is to write a process that registers the states it provides and then monitors the events for them.
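To make the state model concrete, here is an added example written for this article (it is not ChronosIP’s or UserTracking 2’s own code) of such a message handler in Python. Plugins register the states they provide together with a reliability rank, then report evidence as Time/IP/MAC observations; a coupling is only ever promoted to a more reliable state, and a second MAC address claiming the same IP is treated as a conflict that is settled by comparing reliability. The scenario also walks through the correlation step described above: a DHCP lease confirmed by an SNMP walk of the router’s ARP table and by a sniffed ARP reply, followed by another MAC answering ARP for the same address. The plugin API (`register_state`/`report`), the numeric ranks, the conflict rules, the dhcpd log format and all sample events are assumptions.

```python
"""Reliability state machine for Time/IP/MAC couplings (added example written
for this article, not ChronosIP's or UserTracking 2's own code). State names
and their order (PENDING < DHCP < SNMPWALK < ARPDAEMON; OBSOLETE for retired
pairs) follow the diagram in the text; the plugin API, the numeric ranks, the
conflict rules, the dhcpd log format and the sample events are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Coupling:
    ip: str
    mac: str
    first_seen: int               # time of the first evidence for this pair
    last_seen: int                # time of the latest confirming evidence
    state: str                    # current state (OBSOLETE once retired)
    attested: str                 # strongest plugin state ever reached
    ended: Optional[int] = None   # time a stronger conflicting claim retired it
    history: List[Tuple[int, str]] = field(default_factory=list)


class MessageHandler:
    """Plugins claim states with a reliability rank, then report evidence.
    A coupling only moves to a *more* reliable state; another MAC claiming the
    same IP is a conflict, settled by comparing reliability."""

    def __init__(self) -> None:
        self.rank: Dict[str, int] = {"OBSOLETE": -1, "PENDING": 0}  # built in
        self.active: Dict[str, Coupling] = {}    # ip -> coupling in force now
        self.archive: List[Coupling] = []        # retired or parked couplings

    def register_state(self, name: str, reliability: int) -> None:
        # Refuse re-registration so two plugins cannot disagree about a rank.
        if name in self.rank:
            raise ValueError(f"state {name} already registered")
        if reliability <= 0:
            raise ValueError("plugin states must rank above PENDING")
        self.rank[name] = reliability

    def _start(self, ip: str, mac: str, t: int, state: str) -> Coupling:
        self.active[ip] = Coupling(ip, mac, t, t, state, state, history=[(t, state)])
        return self.active[ip]

    def report(self, ip: str, mac: str, seen_at: int, state: str) -> str:
        """A plugin says 'at seen_at, ip belonged to mac', as strong as `state`.
        Returns the state of the coupling now active for ip."""
        if state not in self.rank:
            raise KeyError(f"state {state} was never registered")
        mac = mac.lower()
        cur = self.active.get(ip)
        if cur is None:
            return self._start(ip, mac, seen_at, state).state
        if cur.mac == mac:                        # same pair confirmed again
            cur.last_seen = seen_at
            cur.history.append((seen_at, state))
            if self.rank[state] > self.rank[cur.state]:
                cur.state = cur.attested = state  # promote, never demote
            return cur.state
        if self.rank[state] >= self.rank[cur.state]:
            # Conflict won by stronger-or-equal evidence (e.g. a sniffed ARP
            # reply from another MAC): retire the old pair, start a new one.
            cur.state, cur.ended = "OBSOLETE", seen_at
            cur.history.append((seen_at, "OBSOLETE"))
            self.archive.append(cur)
            return self._start(ip, mac, seen_at, state).state
        # Weaker contradicting evidence cannot overturn a better-attested pair;
        # it is parked as PENDING so an investigator can still review it.
        self.archive.append(Coupling(ip, mac, seen_at, seen_at, "PENDING",
                                     state, history=[(seen_at, state)]))
        return cur.state

    def who_had(self, ip: str, at: int) -> Optional[Coupling]:
        """The hot-seat question: which MAC held ip at time `at`, and how well
        attested is that answer? The best-attested covering coupling wins."""
        found = [c for c in [self.active.get(ip)] + self.archive
                 if c is not None and c.ip == ip and c.state != "PENDING"
                 and c.first_seen <= at and (c.ended is None or at < c.ended)]
        return max(found, key=lambda c: self.rank[c.attested], default=None)


# One plugin in full: it parses ISC dhcpd style DHCPACK lines (format assumed).
DHCP_ACK = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})", re.I)

def dhcp_plugin(h: MessageHandler, ts: int, syslog_line: str) -> Optional[str]:
    m = DHCP_ACK.search(syslog_line)
    return h.report(m.group(1), m.group(2), ts, "DHCP") if m else None


def demo() -> MessageHandler:
    """Constructed scenario: a lease is confirmed by an SNMP walk of the router
    ARP table and by a sniffed ARP reply; then another MAC answers ARP for the
    same IP (spoofed or manually changed); then a weaker, later DHCP claim."""
    h = MessageHandler()
    h.register_state("DHCP", 10)
    h.register_state("SNMPWALK", 20)
    h.register_state("ARPDAEMON", 30)
    dhcp_plugin(h, 1000, "dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:01 via eth0")
    h.report("10.0.0.5", "AA:BB:CC:DD:EE:01", 1010, "SNMPWALK")   # router ARP table
    h.report("10.0.0.5", "aa:bb:cc:dd:ee:01", 1020, "ARPDAEMON")  # sniffed ARP reply
    h.report("10.0.0.5", "aa:bb:cc:dd:ee:02", 1100, "ARPDAEMON")  # conflicting claim
    dhcp_plugin(h, 1200, "dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:03 via eth0")
    return h
```

Asking `demo().who_had("10.0.0.5", 1015)` returns the first coupling (attested by ARPDAEMON, retired at 1100), while a query at 1150 returns the second MAC; the later DHCP claim for a third MAC is parked as PENDING because it is weaker than the sniffed ARP evidence it contradicts. Note that the handler answers with a MAC address and a reliability, not a person: the step to a username still has to come from 802.1X or logon records, and a spoofed MAC is recorded just as faithfully as a genuine one.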

The reason 3DN decided to make UserTracking 2 into a partially commercial product is related to the above. Commercial plugins can be written by vendors, creating value for those vendors. A basic ChronosIP will still be made available by 3DN to the open-source community, with a set of states that give good functionality and a way for open-source developers to build additional plugins for their own network setup.

Plugins

3DN is currently unravelling UserTracking 2 into its ChronosIP shape. This means a few things:

  1. First a decent portal-like look needs to be put on the ChronosIP website. The stable UserTracking 2 website looked decent on the SURFnet site, but its layout left very little space for documentation, news articles, support and so on. On top of that, the site was hit by a rather dramatic outage which caused (and still causes) it to be offline. SURFnet appears to have abandoned the project somewhat, and very little effort is spent on getting it back up and running. This is fine, as ChronosIP will move forward mostly independently of SURFnet. The unstable development website at 3DN has also had its fair share of misfortune but will be the starting point for the new website.
  2. After a decent homepage has been set up, a repository at SourceForge will be created and the code of UserTracking 2 will be submitted to it. This is where the real rebranding will start to happen and where a few open-source plugins will be released to the public.
  3. 3DN will attempt to find a sponsor with a strong track record in networking and security to become a commercial reseller of ChronosIP. Unfortunately it is still a fact of life, and maybe rightfully so, that big companies do not buy software from tiny one-man companies. The two points above show why: a tool like ChronosIP needs continuity, and most of all it needs a strong company behind it to deal with potential liabilities.

About Fred Leeflang

Hi! I am the administrator of the Forza website.