Overview
• Network forensics enables you to determine how an intruder gained
access to a network’s resources and information.
• Live acquisitions capture an image while a machine is running.
• You need to understand how to analyze network traffic.
Network Forensics
Network Protocols
• 65,536 ports, numbered 0 to 65,535, could be used
• Ports 0 to 1,023 (the first 1,024) are the well-known ports
• Reserved for commonly used applications
• Within those 1,024, recognize the top 25 to 50 ports and their
associated applications
• The protocols that use ports are transport layer protocols such
as the Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP); each transport protocol has its own port space
Network Protocols (cont.)
• Once an application binds itself to a port (for a given transport
protocol and address), that port can’t be used by any other
application until the binding application releases it, e.g. by
closing the socket.
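The port-exclusivity rule above, demonstrated with live sockets. This is an added example, not code from the slides: it binds one TCP socket to a kernel-chosen loopback port, shows that a second TCP bind to the same port fails with EADDRINUSE while the first is open, that a UDP bind to the same port number succeeds (separate port space per transport protocol), and that the TCP port becomes bindable again once the first socket is closed. The function name and return dictionary are my own.

```python
import errno
import socket


def probe_port_exclusivity() -> dict:
    """Show what 'binding to a port' means for other applications.

    Added demonstration (not from the slides).  Binds a first TCP socket to an
    ephemeral loopback port, then tries to bind a second TCP socket to the same
    address/port while the first is still open (expected: EADDRINUSE), binds a
    UDP socket to the same port number (expected: success, UDP has its own port
    space), and finally re-tries the TCP bind after the first socket is closed
    (expected: success).  Returns the outcomes so they can be checked.
    """
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    first.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    port = first.getsockname()[1]

    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        second.bind(("127.0.0.1", port))
        while_open = "bound"              # should not happen while `first` holds the port
    except OSError as exc:
        while_open = "EADDRINUSE" if exc.errno == errno.EADDRINUSE else f"errno {exc.errno}"

    # Same port *number*, different transport protocol: TCP/N and UDP/N are
    # unrelated, so this bind succeeds even while the TCP socket holds port N.
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", port))
    udp_same_number = "bound"
    udp.close()

    first.close()                          # release the TCP binding
    second.bind(("127.0.0.1", port))       # now succeeds
    after_close = "bound"
    second.close()

    return {"port": port, "while_open": while_open,
            "udp_same_number": udp_same_number, "after_close": after_close}


if __name__ == "__main__":
    print(probe_port_exclusivity())
```

The first socket is only bound, never listened on or connected, so closing it frees the port immediately; a socket that had accepted connections could leave the port in TIME_WAIT, which is why servers set SO_REUSEADDR before binding.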
Network Protocols (cont.)
Port Application
21 File Transfer Protocol (FTP)
22 Secure Shell (SSH)
23 Telnet remote login service
25 Simple Mail Transfer Protocol (SMTP)
53 Domain Name System (DNS) service
80 Hypertext Transfer Protocol (HTTP) used in the World Wide Web
110 Post Office Protocol (POP3)
119 Network News Transfer Protocol (NNTP)
123 Network Time Protocol (NTP)
143 Internet Message Access Protocol (IMAP)
161 Simple Network Management Protocol (SNMP)
194 Internet Relay Chat (IRC)
443 HTTP Secure (HTTPS)
• List of ports and service names: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
Basics of Networking and Security
• Be familiar with:
• how the following technologies work at an operational level
• the types of threats they are designed to catch
• the type of reporting they could provide
• where they sit in regard to cyberattacks
Basics of Networking and Security (cont.)
• Variations of software-defined technology
• To replace or complement existing physical, virtual, or cloud
technology
• E.g.: software-defined networking (SDN)
• Segmentation is accomplished by physically or logically
dividing networks through virtual LANs (VLANs), access control
lists (ACLs), or secure group tags (SGTs).
• Understand the environment so that you can identify devices
that don’t belong within a network segment
• Understand how systems are granted access so that you can
identify when such policies are violated
Security Tools
• Firewall
• Pair with other security capabilities such as IDS or IPS
• Forensics value: details about systems crossing a firewall
security zone or checkpoint
• Intrusion Detection and Prevention Systems
• Designed to detect malicious behavior
• Looking for known malicious behavior characteristics and
signatures of known security attacks
• Forensics value: the ability to identify potential malicious
activity and log information
• Content Filter
• Filter content, which means what type of data people are
permitted to access
• Forensics value: for legal matters concerning how employees
use their time, a content filter would be very valuable
Security Tools (cont.)
• Network Access Control
• Packet Capturing
• Sandbox
Security Tools (cont.)
• Security Information and Event Manager (SIEM)
• All events sent to this device to be correlated and analyzed
• Forensics value: provide some correlation to help the analyst
put together what is seen by different tools
• Threat Analytics and Feeds
• Threat data from other networks can be pushed into a device so
it is better prepared for threats that could impact the network
it is protecting
• Forensics value: provide better event logs and be better tuned
to identify potential threats
• Honeypot
• A system or environment designed to attract attackers or
malicious software
• Forensics value: learn how the attacker exploited the system or
what ports and applications were used by identified malicious
software
Looking for Evidence
• An investigator can find evidence from the following:
• From the attack computer and intermediate computers: evidence
exists in the form of logs, files, and tools.
• From internetworking devices: this evidence is in logs and
buffers, as available.
• From firewalls: if the firewall itself was the victim, the
investigator treats the firewall like any other device when
obtaining evidence.
• From the victim computer: an investigator can find evidence in
logs, files, altered configuration files, files that do not match
hash sets, tools, stored stolen files, Web defacement remnants,
and unknown file extensions.
The Need for Established Procedures
• Network forensics examiners must establish standard
procedures for how to acquire data after an attack or intrusion
incident.
• Procedures must be based on an organization’s needs and
should complement the network infrastructure.
• Reference:
• NIST SP 800-86, “Guide to Integrating Forensic Techniques into Incident
Response”: https://csrc.nist.gov/publications/detail/sp/800-86/final
Securing a Network
• Layered network defense strategy
• OSI layers
• Defense in depth (DiD)
• There are 3 protection strategies:
Securing a Network (cont.)
• Testing both networks and servers is important
• Forensic investigators should regularly update their knowledge
of current attacker methods and strategies
• What methods do local attackers use to penetrate networks?
Developing Procedures for Network Forensics
• Standard procedure
• Use a standard installation image for systems on a network
• Compare files on the forensic image (image copy) to the original installation image
Developing Procedures for Network Forensics (cont.)
• Investigate the copied image in order to discover if there is
any change in the content
• Restore disk drives to recognize how malware that attackers
have installed on the system works
(Diagram: Digital Forensics / Network Forensics)
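The comparison step of the standard procedure above (and the “files that do not match hash sets” evidence from the Looking for Evidence slide), worked through in code. This is an added example, not from the slides: it hashes every file under a known-good installation image, hashes the forensic image copy the same way, and reports files that were modified, added, or removed. The directory contents are constructed in a temporary folder for the demo, and the function names are my own.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest.

    Reads in 1 MiB chunks so memory stays flat on large images.  is_file()
    follows symlinks, so a dangling link is simply skipped.
    """
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_to_baseline(baseline: dict, suspect: dict) -> dict:
    """Classify files on the suspect (forensic) image against the known-good hash set."""
    base_keys, sus_keys = set(baseline), set(suspect)
    both = base_keys & sus_keys
    return {
        "modified": sorted(p for p in both if baseline[p] != suspect[p]),
        "added": sorted(sus_keys - base_keys),      # not in the install image: tools, loot
        "missing": sorted(base_keys - sus_keys),    # deleted from the victim
        "unchanged": sorted(p for p in both if baseline[p] == suspect[p]),
    }


def demo() -> dict:
    """Build a constructed 'installation image' and 'forensic image' and compare them.

    All file contents below are made up for the demonstration; they are not
    real system files.
    """
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp, "install_image")
        forensic = Path(tmp, "forensic_image")
        files = {
            "etc/ssh/sshd_config": b"PermitRootLogin no\n",
            "usr/bin/ls": b"\x7fELF original ls\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in files.items():
            for root in (install, forensic):
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        # Simulated attacker changes, applied to the forensic image only.
        (forensic / "etc/ssh/sshd_config").write_bytes(b"PermitRootLogin yes\n")  # altered config
        (forensic / "tmp").mkdir()
        (forensic / "tmp/.x.tgz").write_bytes(b"attacker toolkit\n")             # dropped tool
        (forensic / "etc/hosts").unlink()                                          # deleted file
        return compare_to_baseline(hash_tree(install), hash_tree(forensic))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:>9}: {paths}")
```

In practice the baseline dictionary would be loaded from a stored hash set rather than recomputed from the installation image each time; compare_to_baseline does not care where the digests came from. Run hash_tree on a mounted read-only copy of the forensic image, never on the original evidence.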
Reviewing Network Logs
• Monitor inbound and outbound packets at servers, routers,
firewalls, and other devices.
• Network logs can show you patterns.
• E.g.: running the tcpdump command-line program
(www.tcpdump.org), which can produce hundreds or thousands of
lines of records.
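One way to find a pattern in those hundreds or thousands of tcpdump lines, as an added example that is not part of the slides: parse the default `tcpdump -n` text output for IPv4 TCP/UDP and flag a source that sends SYNs to many distinct ports on one host within a short window, the signature of a port scan. The sample lines are constructed for the demo (addresses, sequence numbers and timestamps are made up); the thresholds and function names are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default `tcpdump -n` line shape for IPv4 TCP/UDP:
#   HH:MM:SS.usec IP src.sport > dst.dport: Flags [S], seq ..., length 0
# The Flags group is optional so UDP lines (e.g. DNS queries) still parse.
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
    r"(?: Flags \[(?P<flags>[^\]]*)\])?"
)

# Constructed sample output (not a real capture): one normal SSH handshake,
# one SYN sweep of six ports from 10.0.0.99, and one DNS query.
SAMPLE = """\
12:00:00.000100 IP 10.0.0.5.41234 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000200 IP 192.168.1.10.22 > 10.0.0.5.41234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:00.000300 IP 10.0.0.5.41234 > 192.168.1.10.22: Flags [.], ack 1, win 502, length 0
12:00:01.100000 IP 10.0.0.99.50001 > 192.168.1.10.21: Flags [S], seq 10, win 1024, length 0
12:00:01.100500 IP 10.0.0.99.50002 > 192.168.1.10.22: Flags [S], seq 11, win 1024, length 0
12:00:01.101000 IP 10.0.0.99.50003 > 192.168.1.10.23: Flags [S], seq 12, win 1024, length 0
12:00:01.101500 IP 10.0.0.99.50004 > 192.168.1.10.25: Flags [S], seq 13, win 1024, length 0
12:00:01.102000 IP 10.0.0.99.50005 > 192.168.1.10.80: Flags [S], seq 14, win 1024, length 0
12:00:01.102500 IP 10.0.0.99.50006 > 192.168.1.10.443: Flags [S], seq 15, win 1024, length 0
12:00:02.000000 IP 10.0.0.5.41235 > 192.168.1.10.53: 12345+ A? example.com. (29)
""".splitlines()


def parse_tcpdump(lines):
    """Yield one dict per line that matches TCPDUMP_LINE; other lines are skipped."""
    for line in lines:
        m = TCPDUMP_LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%H:%M:%S.%f")
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d


def find_port_scans(lines, min_ports=5, window=timedelta(seconds=10)):
    """Return {(src, dst): [ports]} for pairs whose SYNs hit >= min_ports distinct
    destination ports within `window`.

    Only SYN-only packets (Flags [S]) count, which is what a connect or SYN scan
    produces; SYN-ACKs, ACKs and UDP lines are ignored.
    """
    syns = defaultdict(list)                    # (src, dst) -> [(ts, dport), ...]
    for pkt in parse_tcpdump(lines):
        if pkt["flags"] == "S":
            syns[(pkt["src"], pkt["dst"])].append((pkt["ts"], pkt["dport"]))
    hits = {}
    for pair, events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):    # slide the window from each SYN
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)
                break
    return hits


if __name__ == "__main__":
    for (src, dst), ports in find_port_scans(SAMPLE).items():
        print(f"possible scan: {src} -> {dst} ports {ports}")
```

Feed it a real file with `find_port_scans(open("capture.txt"))`; because the timestamp lacks a date, a capture spanning midnight needs `tcpdump -tttt` and a matching format string.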
Network Monitoring Tools
• Splunk (www.splunk.com)
• Spiceworks (www.spiceworks.com)
• Nagios (www.nagios.org)
• Cacti (www.cacti.net)
Network Forensics Tools
• tcpdump
• tethereal
• Argus
• Netdude
• Wireshark
• EtherApe
• NetworkMiner
• Ngrep
• Snort
• Tcpdstat
• Tcpslice
• Tcpreplay
Network Packet Analysis
• Network traffic can be captured into a standard format
(packet capture (PCAP)) using packet sniffers:
• tcpdump
• Wireshark
• NetworkMiner
• PCAP files can be parsed and analysed by packet analysis
tools:
• Wireshark
• NetworkMiner
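What the PCAP format named above actually looks like on the wire, as an added example that is not part of the slides or of any of the listed tools: a minimal reader for the classic libpcap file layout (24-byte global header, then a 16-byte record header before each frame) that decodes Ethernet/IPv4/TCP/UDP far enough to report ports and label them with the well-known service names from the port table earlier in this deck. The capture it parses is constructed in memory by build_pcap/build_frame, so nothing is sniffed; function names are my own, and checksums in the constructed frames are left zero.

```python
import struct
from io import BytesIO

# Service names taken from the well-known port table in these slides.
WELL_KNOWN = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
              110: "POP3", 119: "NNTP", 123: "NTP", 143: "IMAP", 161: "SNMP",
              194: "IRC", 443: "HTTPS"}

PCAP_MAGIC_USEC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Serialise (sec, usec, frame_bytes) tuples into a little-endian classic pcap.

    Constructed test data only; this mirrors the layout tcpdump/Wireshark write.
    """
    out = BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for sec, usec, frame in packets:
        out.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))  # incl_len, orig_len
        out.write(frame)
    return out.getvalue()


def build_frame(src_ip, dst_ip, sport, dport, proto=6):
    """Ethernet II + IPv4 + (TCP SYN or UDP) header, no payload, zero checksums."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    if proto == 6:   # TCP: data offset 5 words, flags SYN
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:            # UDP: length 8, checksum 0
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4


def parse_pcap(data):
    """Parse a classic pcap in either byte order; yield a dict per IPv4 TCP/UDP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_USEC:
        end = "<"
    elif magic == 0xD4C3B2A1:                                  # same magic, big-endian writer
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        off += incl
        if len(frame) < incl:
            break                                              # truncated capture: stop cleanly
        if frame[12:14] != b"\x08\x00":
            continue                                           # not IPv4
        ihl = (frame[14] & 0x0F) * 4                           # IP header length in bytes
        proto = frame[23]
        if proto not in (6, 17):
            continue                                           # only TCP/UDP carry ports
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield {"ts": sec + usec / 1e6,
               "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
               "proto": "TCP" if proto == 6 else "UDP", "sport": sport, "dport": dport,
               "service": WELL_KNOWN.get(dport, "unregistered/other")}


def demo_summary():
    """Build a small constructed capture and list (proto, dport, service) per packet."""
    pcap = build_pcap([
        (1700000000, 0, build_frame("10.0.0.5", "192.168.1.10", 41234, 22)),
        (1700000000, 500, build_frame("10.0.0.5", "192.168.1.10", 41235, 443)),
        (1700000001, 0, build_frame("10.0.0.5", "192.168.1.10", 41236, 53, proto=17)),
        (1700000001, 10, build_frame("10.0.0.5", "192.168.1.10", 41237, 4444)),
    ])
    return [(p["proto"], p["dport"], p["service"]) for p in parse_pcap(pcap)]


if __name__ == "__main__":
    print(demo_summary())
```

The reader handles the two classic magic numbers only; Wireshark's default pcapng format starts with a block type of 0x0A0D0D0A and needs a different parser, which is why the magic check raises instead of guessing.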
tcpdump
• A command-line packet analyser.
• Linux: https://www.tcpdump.org/
• Windows (WinDump): https://www.winpcap.org/windump/
tethereal
• A command-line version of Ethereal/Wireshark (now named tshark).
tcpslice
• Extracts information from large libpcap files.
• Specify the time frame you want to examine.
• Concatenates multiple pcap files together, or extracts time
slices from one or more pcap files.
• https://github.com/the-tcpdump-group/tcpslice
tcpreplay
• A suite of open source utilities for editing and replaying
previously captured network traffic.
• Replays network traffic recorded in libpcap format.
• Use this to test network devices, such as IDSs, switches, and
routers.
• http://tcpreplay.appneta.com
EtherApe
• A tool for viewing network traffic graphically.
• https://etherape.sourceforge.io/
Netdude
• An easy-to-use interface for inspecting and analyzing large
tcpdump files.
• http://netdude.sourceforge.net
Argus
• A session data probe, collector, and analysis tool.
• Real-time flow monitor.
• http://argus.tcp4me.com/download.html
Wireshark
• One of the most popular network traffic analysis tools.
• It runs on many platforms, is free, and is used extensively in
industry and for education.
• www.wireshark.org/download.html
NetworkMiner
• An open source Network Forensic Analysis Tool for Windows (but
also works in Linux / Mac OS X / FreeBSD).
• Can be used as a passive network sniffer/packet capturing tool
in order to detect operating systems, sessions, hostnames, open
ports etc. without putting any traffic on the network.
Summary
• Steps must be taken to harden networks before a security
breach happens.
• Being able to spot variations in network traffic can help you
track intrusions.
• Several tools are available for monitoring network traffic, such
as packet analyzers and honeypots.
• Tools such as tcpdump and Wireshark offer support groups and
online training.