Digital forensics

Spoofing and Anonymization (Hiding Network Activity)

Dimitar Kostadinov
November 24, 2020 by
Dimitar Kostadinov

Introduction

Forensic investigators should always pay heed to the possibility of a cybercriminal to have been using spoofing and anonymizing techniques to cover the tracks left by his digital footprint. To identify such surreptitious activities, they should look for signs of spoofing/anonymization related to the specific IT sphere of any given investigation. If emails are involved, for example, then he should examine the email headers; if MAC spoofing is considered at some moment, all wireless access point activities are to come under investigation.

Learn Network Forensics

Learn Network Forensics

Get hands-on experience analyzing logs, protocols, wireless, web traffic and email for traces left behind by attackers.

Spoofing

In essence, spoofing is a cyberattack that leverages a computer device or a network to trick another computer or network into believing that it is a legitimate entity.

Spoofing is a term that usually denotes a fraudulent activity of disguising communications to obtain access to unauthorized systems or data. Websites, emails and phone calls are some common means for performing this act. It is only logical to conclude that the first two domains above all are of particular interest to investigators involved in digital forensics.

 IP spoofing

This is the most common type of spoofing. It is called IP spoofing because Internet Protocol (IP) packets are intentionally being modified – more specifically, their source addresses – so as to hide the identity of the sender or appear to originate from another computer system. IP spoofing is easy because of:

  • flaws in the routers that prompt them to look for Destination addresses only
  • the fact that changing the source address in IP header is relatively easy

In cases of Distributed-Denial-of-Service (DDoS) attacks, IP spoofing is just a means to an end as it makes the targeted system think that the incoming packets are from a trusted source (i.e. devices or network). In addition, blocking malicious requests based on IP information becomes a very difficult task if the IP address keeps on changing in a random manner. Since the entire action happens at the network level, external signs of tampering are not that visible to the naked eye.

A Man-in-the-Middle (MiM) attack can also employ the IP spoofing to hijack the communications between two computers through altering the packets of one of them and presenting them as legitimate to the other one. This scenario is always possible when someone decides to use an unsecured Wi-Fi network or visit an HTTP website.

Any system that creates trust relationships based on IP address authentication among networked computers could fall prey to IP spoofing. Once a hacker gains a foothold in this ring of trust, it will be not difficult for him to further explore the system simply because all internal IP addresses are trustworthy as a rule.

DNS spoofing

DNS servers transform URLs and email addresses into their corresponding IP addresses. A hacker can perform DNS spoofing if he replaces the IP addresses stored in the DNS server with the IP addresses controlled by him. Once this process is completed on the victim’s device, whenever his owner attempts to visit a particular website, he is redirected to a replica of the website designed by the hacker on the spoofed DNS server. This is usually done for the retrieval of sensitive data (login credentials, banking credentials/banking card information, personal data, trade secrets, etc.).

Watch for the following give-away clues:

  • Poor spelling
  • Incorrect grammar
  • Unnatural sentence structure

MAC spoofing

A MAC address is a unique identifier given to every network interface. Not being sent over the Internet, they are relevant only on the local network to identify communications of each network interface. For example, while you are connected to a certain Wi-Fi access point, everyone simultaneously connected to it can see your MAC address. MAC spoofing is assigning random values to network interfaces for a given session.

ARP spoofing

Address Resolution Protocol (ARP) is a protocol that makes IP addresses into MAC ones for the purpose of data transfers. Through spoofing of the ARP, a hacker can link his MAC to a legitimate network IP address, which would allow him to steal or modify data, as well as even carry out DDoS and MiM attacks.

Email spoofing

Spoofed emails that ostensibly come from a valid source may urge you to reveal sensitive information, transfer money, click on malicious links or open contaminated files. If it sounds familiar to you, that is because it is about the good old phishing attacks. Email spoofing resulted in a $44.6 loss incurred by the European manufacturing giant Leoni AG.

Anonymization

Anonymity is a state where one has no face, no name, no number – no personal identifier whatsoever. It is a solitary person’s wet dream. But is anonymization possible with the all-embracing, ever-growing Internet around us? Perhaps it could be achieved to a certain extent with the help of various tools, techniques and services.

Virtual Private Networks (VPNs)

A VPNs creates an information tunnel between the servers of the sender and the receiver of the data, through which the data itself is encrypted. A cyphertext is all a potential attacker will be able to see if he intercepts the communication. Unfortunately, although VPNs are wonderful tools privacy- and security-wise, they also can help cybercriminals evade justice.

Browser extensions

Visiting the encrypted HTTPS versions of websites is a good way to preserve your anonymity. A Firefox, Chrome and Opera extension known as HTTPS Everywhere can help you achieve that goal if the visited websites support HTTPS.

Tor

The Onion Router is an effective solution for hiding someone’s online activity. Similarly to a VPN, Tor utilizes layers of encryption to amass data, and then bounce them around relay points. All layers are gradually removed, along with the metadata, by the time data reaches its intended destination.

Web anonymizers       

Special websites for anonymous browsing that require no additional software – users simply write down the address of the desired site. In return, all the contents of the site will be displayed on the anonymizer’s page. One significant downside of this technology is that it suffers from some technical limitations that hinder the proper access and redirection of bigger sites, especially the ones that come with multimedia information.

Proxy servers

Although they can be used to perform various functions in different IT spheres, proxy servers are a great tool to enforce anonymization in a simpler way. Installation of additional programs is not needed just as it was with the web anonymizers. Users need to enter the proxy server address in the browser settings. Unlike the restrictions associated with the web anonymizers, proxy servers deal well with interactive sites. Nevertheless, proxy servers are limited due to the fact that a proxy cannot be used to access the Internet on your network if it is already used at that exact moment. Some form and level of anonymization users can have with services like residential proxies, anonymous proxies and elite anonymous proxies.

Learn Network Forensics

Learn Network Forensics

Get hands-on experience analyzing logs, protocols, wireless, web traffic and email for traces left behind by attackers.

Conclusion

Under normal circumstances anonymization/IP spoofing is not illegal. It is, however, when it is used for criminal purposes. For instance, a user who wants to protect his legal right of privacy by hiding the IP address could use a VPN service to do that and no one will accuse him of breaking the law. If the same user decides, however, to use his anonymity to perpetrate illegal acts, then the IP spoofing becomes automatically illegal as well, because it is an element that facilitates the crime.

From the standpoint of digital forensic science, then it is evident that spoofing and anonymization techniques can be an obstacle for identifying the identity of the cybercriminals that utilize them.

 

Sources

  1. 8 steps to being (almost) completely anonymous online, CSO
  2. A Guide to Spoofing Attacks and How to Prevent Them, Comparitech
  3. Email Spoofing: What It Is and How To Protect Yourself From It, Lifewire
  4. How to Fix the Internet, The Atlantic
  5. IP Spoofing, Imperva
  6. The Benefits Of Online Anonymity, TheVPNLab
  7. What Is Spoofing? (+6 Types of Attacks to Watch Out For), Learning Hub
  8. Why You Shouldn’t Use MAC Address Filtering On Your Wi-Fi Router, How-To Geek 
Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.