
Contents
• Overview of Digital Forensics
  • Chapter 1: Understanding Digital Forensics
  • Chapter 2: Digital Forensics Investigation Process
• Digital Evidences
  • Chapter 3: Data Acquisition
• Tools
  • Chapter 4: OS and Multimedia Forensics
  • Chapter 5: Network Forensics
  • Chapter 6: E-mail & Social Media Forensics
  • Chapter 7: Various Internet Forensics
• Reporting
  • Chapter 8: Report Writing & Expert Witness
1
2
Overview
• Network forensics enables you to determine how an intruder gained access to a network’s resources and information.
• Live acquisitions capture an image while a machine is running.
• Need to understand how to analyze network traffic.

3
Network Forensics
• The process of collecting and analyzing raw network data and tracking network traffic systematically to ascertain how an attack was carried out or how an event occurred on a network.
• By spotting variations in network traffic:
  • Helps to track intrusions
  • Helps to determine whether a network is truly under attack or not.

4
Network Protocols
• 0 to 65,535 ports that could be used
• 1,024 of the 65,535: well-known ports
• Reserved for commonly used applications
• Within that 1,024, recognize top 25 to 50 ports and associated
applications
• The protocols that use ports are transport layer protocols such
as the Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP)

5
Network Protocols (cont.)
• Once an application binds itself to a port, that port can’t be
used by any other application until the connection is
complete.

6
Network Protocols (cont.)
Port Application
21 File Transfer Protocol (FTP)
22 Secure Shell (SSH)
23 Telnet remote login service
25 Simple Mail Transfer Protocol (SMTP)
53 Domain Name System (DNS) service
80 Hypertext Transfer Protocol (HTTP) used in the World Wide Web
110 Post Office Protocol (POP3)
119 Network News Transfer Protocol (NNTP)
123 Network Time Protocol (NTP)
143 Internet Message Access Protocol (IMAP)
161 Simple Network Management Protocol (SNMP)
194 Internet Relay Chat (IRC)
443 HTTP Secure (HTTPS)
• List of ports and service names: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
7
Basics of Networking and Security
• Be familiar with:
  • how the following technologies work at an operational level
  • the types of threats they are designed to catch
  • the type of reporting they could provide
  • where they sit in regard to cyberattacks
• Technologies can be:
  • Physical: a physical appliance; passive & inline deployments
  • Virtual: software or a virtualized appliance; container, docker
  • Cloud: service enabled from the Internet; virtual servers installed within cloud, APIs
8
Basics of Networking and Security
(cont.)
• Variations of software-defined technology
• To replace or complement existing physical, virtual, or cloud
technology
• E.g.: software-defined networking (SDN)
• Segmentation is accomplished through physically or logically dividing networks through virtual LANs (VLANs), access control lists (ACLs), or secure group tags (SGTs).
  • Understand the environment so that you can identify devices that don’t belong within a network segment.
  • Understand how systems are granted access so that you can identify when those policies are violated.

9
Security Tools
Firewall
• Pair with other security capabilities such as IDS or IPS
• Forensics value:
  • Details about systems crossing a firewall security zone or checkpoint
Intrusion Detection and Prevention Systems
• Designed to detect malicious behavior
• Looking for known malicious behavior characteristics and signatures of known attacks
• Forensics value:
  • The ability to identify potential malicious activity and log information
Content Filter
• Filter content, which means what type of data people are permitted to access
• Forensics value:
  • For legal matters concerning how employees use their time, a content filter would be very valuable

10
Security Tools (cont.)
Network Access Control
• Forensics value:
  • Key data such as what devices and people are connected to the network, to what part of the network and at what time they connected, what their posture state was
Packet Capturing
• Can give you details on what happened
• Forensics value:
  • A detailed record of the event – a packet capture; understand each step of an incident, identify what type of data was transferred, identify login credentials
Sandbox
• Identifies a program as suspicious; it could quarantine that program to a sandbox and monitor it within the controlled environment
• Forensics value:
  • Show specific ports or protocols used as well as destinations that are accessed by a malicious piece of software

11
Security Tools (cont.)
Security Information and Event Manager (SIEM)
• All events sent to this device to be correlated and analyzed
• Forensics value:
  • Provide some correlation to help the analyst put together what is seen by different tools
Threat Analytics and Feeds
• Threat data from other networks can be pushed into a device so it is better prepared for threats that could impact the network it is protecting
• Forensics value:
  • Provide better event logs and be better tuned to identify potential threats.
Honeypot
• A system or environment designed to attract attackers or malicious software
• Forensics value:
  • Learn how the attacker exploited the system or what ports and applications were used by identified malicious software

12
13
Looking for Evidence
• An investigator can find evidence from the following:
  • From the attack computer and intermediate computers: evidence exists in the form of logs, files, and tools.
  • From firewalls: if the firewall itself was the victim, the investigator treats the firewall like any other device when obtaining evidence.
  • From internetworking devices: this evidence is in logs and buffers as available.
  • From the victim computer: an investigator can find evidence in logs, files, altered configuration files, files that do not match hash sets, tools, stored stolen files, Web defacement remnants, and unknown file extensions.

14
The Need for Established Procedures
• Network forensics examiners must establish standard
procedures for how to acquire data after an attack or intrusion
incident.
• Procedures must be based on an organization’s needs and
should complement the network infrastructure.
• Reference:
• NIST created “Guide to Integrating Forensic Techniques into Incident Response” (SP 800-86): https://csrc.nist.gov/publications/detail/sp/800-86/final

15
Securing a Network
• Layered network defense strategy
• OSI layers
• Defense in depth (DiD)
• There are 3 protection strategies:
  • People: hiring and treatment
  • Technology: firewalls, IDSs
  • Operations: patches, updates

16
Securing a Network (cont.)
• Testing both networks and servers is important
• Forensic investigators should regularly update their knowledge about the recent methods and strategies of hackers
• What kinds of methods do local attackers use to penetrate networks?

17
Developing Procedures for Network
Forensics
• Standard procedure:
  • Use a standard installation image for systems on a network
  • After an attack occurs, close any gateway
  • Try to recover all volatile data
  • Acquire all compromised drives
  • Compare files on the forensic image (image copy) to the original installation image

18
Developing Procedures for Network
Forensics (cont.)
• Investigate the copied image in order to discover if there is any change on the content
• Restore disk drives to recognize how malware that attackers have installed on the system works
(Figure: Digital Forensics / Network Forensics)
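The comparison step of the procedure above (files on the forensic image against the original installation image, and the later point about files that do not match hash sets) can be implemented as a hash-based tree diff. The following is an added example written for these slides, not tooling from the course or any named vendor: it hashes every regular file under two directory roots with SHA-256 and classifies each path as added, removed, modified or unchanged. The directory layout and file contents are constructed sample data built in a temporary directory; in a real case both roots would be read-only mounts of the acquired images.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            hashes[path.relative_to(root).as_posix()] = sha256_file(path)
    return hashes


def compare_trees(baseline, image):
    """Classify the forensic image's files against the clean installation baseline."""
    base_files, image_files = set(baseline), set(image)
    common = base_files & image_files
    return {
        "added": sorted(image_files - base_files),       # present only on the suspect host
        "removed": sorted(base_files - image_files),     # deleted since installation
        "modified": sorted(f for f in common if baseline[f] != image[f]),
        "unchanged": sorted(f for f in common if baseline[f] == image[f]),
    }


def build_demo_trees(workdir):
    """Constructed sample data: a clean baseline and an image with three deviations."""
    workdir = Path(workdir)
    baseline, image = workdir / "install_image", workdir / "forensic_image"
    clean = {
        "etc/ssh/sshd_config": "PermitRootLogin no\n",
        "etc/hosts": "127.0.0.1 localhost\n",
        "usr/bin/ls": "ELF-ls-original",          # stand-in for a binary
    }
    for rel, content in clean.items():
        for root in (baseline, image):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
    # Deviations on the compromised host: altered config, dropped file, removed file.
    (image / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")
    (image / "tmp").mkdir()
    (image / "tmp/.x").write_text("unknown binary")
    (image / "etc/hosts").unlink()
    return baseline, image


def demo():
    """Build the sample trees, hash both, and return the classified differences."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline, image = build_demo_trees(tmp)
        return compare_trees(hash_tree(baseline), hash_tree(image))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:9s} {files}")
```

Only the "added" and "modified" lists need manual review; "unchanged" files are cleared by their hash match, which is what makes a known-good installation image such a time saver.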

19
Reviewing Network Logs
• Monitor inbound and outbound packet at servers, routers,
firewalls and other devices.
• Network logs can show you patterns.
• E.g.: running the tcpdump command-line program (www.tcpdump.org), which can produce hundreds or thousands of lines of records.
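Spotting a pattern in thousands of tcpdump lines is easier once the lines are parsed into fields. As an added example (not part of the slides), the Python below reads the default `tcpdump -n` text format for TCP, groups bare SYNs by source address, and flags any source that probed many distinct destination ports, which is the typical signature of a port sweep. The log lines are constructed for the example using documentation address ranges, and the five-port threshold is an assumed heuristic that an analyst would tune to the environment.

```python
import re
from collections import defaultdict

# Default tcpdump -n line format for TCP:
#   "HH:MM:SS.usec IP src.sport > dst.dport: Flags [S], seq ..., win ..., length N"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample output, not a real capture: 192.0.2.25 sends SYNs to six
# ports on the server 198.51.100.10 (only port 22 answers), while 203.0.113.7
# completes an ordinary TLS handshake on port 443.
SAMPLE_LOG = """\
10:15:01.000100 IP 192.0.2.25.40001 > 198.51.100.10.21: Flags [S], seq 1, win 1024, length 0
10:15:01.000200 IP 192.0.2.25.40002 > 198.51.100.10.22: Flags [S], seq 1, win 1024, length 0
10:15:01.000300 IP 192.0.2.25.40003 > 198.51.100.10.23: Flags [S], seq 1, win 1024, length 0
10:15:01.000400 IP 192.0.2.25.40004 > 198.51.100.10.25: Flags [S], seq 1, win 1024, length 0
10:15:01.000500 IP 192.0.2.25.40005 > 198.51.100.10.80: Flags [S], seq 1, win 1024, length 0
10:15:01.000600 IP 192.0.2.25.40006 > 198.51.100.10.443: Flags [S], seq 1, win 1024, length 0
10:15:01.000700 IP 198.51.100.10.22 > 192.0.2.25.40002: Flags [S.], seq 9, ack 2, win 65535, length 0
10:15:02.000000 IP 203.0.113.7.51000 > 198.51.100.10.443: Flags [S], seq 5, win 64240, length 0
10:15:02.001000 IP 198.51.100.10.443 > 203.0.113.7.51000: Flags [S.], seq 7, ack 6, win 65535, length 0
10:15:02.002000 IP 203.0.113.7.51000 > 198.51.100.10.443: Flags [.], ack 1, win 502, length 0
10:15:02.003000 IP 203.0.113.7.51000 > 198.51.100.10.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
"""


def parse_lines(text):
    """Yield (time, src, sport, dst, dport, flags) for every line the regex recognises."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["time"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def syn_summary(text):
    """Map each source address to the set of destination ports it sent a bare SYN to."""
    ports_by_src = defaultdict(set)
    for _, src, _, _, dport, flags in parse_lines(text):
        if flags == "S":  # SYN without ACK: a fresh connection attempt
            ports_by_src[src].add(dport)
    return dict(ports_by_src)


def find_port_scanners(text, threshold=5):
    """Sources whose SYNs touched at least `threshold` distinct ports (assumed heuristic)."""
    return sorted(src for src, ports in syn_summary(text).items() if len(ports) >= threshold)


def answered_ports(text):
    """(client, server, server_port) for each SYN-ACK seen, i.e. ports that were actually open."""
    answered = set()
    for _, src, sport, dst, _, flags in parse_lines(text):
        if flags == "S.":  # SYN-ACK travels server -> client, so roles are swapped here
            answered.add((dst, src, sport))
    return sorted(answered)


if __name__ == "__main__":
    for src, ports in syn_summary(SAMPLE_LOG).items():
        print(f"{src:15s} SYN to {len(ports)} ports: {sorted(ports)}")
    print("scan-like sources:", find_port_scanners(SAMPLE_LOG))
    print("ports that answered:", answered_ports(SAMPLE_LOG))
```

The same grouping idea (pivot on source, count distinct destinations) is what log review scales with: the raw listing shows every packet, the summary shows one line per host and makes the outlier obvious.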

20
21
Network Monitoring Tools
• Splunk (www.splunk.com)
• Spiceworks (www.spiceworks.com)
• Nagios (www.nagios.org)
• Cacti (www.cacti.net)

22
Network Forensics Tools
• tcpdump
• Argus
• tethereal
• Netdude
• Wireshark
• EtherApe
• NetworkMiner
• Ngrep
• Snort
• Tcpdstat
• Tcpslice
• Tcpreplay
23
Network Packet Analysis
• Network traffic can be captured into a standard format
(packet capture (PCAP)) using packet sniffers:
• tcpdump
• Wireshark
• NetworkMiner
• PCAP files can be parsed and analysed by packet analysis
tools:
• Wireshark
• NetworkMiner

24
tcpdump
• A command-line packet analyser.
• Linux: https://www.tcpdump.org/
• Windows: https://www.winpcap.org/windump/
tethereal
• A command-line version of Ethereal/Wireshark.

25
tcpslice
• Extracting information from large Libpcap files.
• Specify the time frame you want to examine
• Concatenates multiple pcap files together, or extracts time
slices from one or more pcap files
• https://github.com/the-tcpdump-group/tcpslice
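The "standard format" named on the Network Packet Analysis slide and the time-slice operation tcpslice performs are both small enough to show in code. The following is an added example written for these slides, not code from tcpdump, tcpslice or any other project: it writes and reads the classic pcap layout (24-byte global header, 16-byte record header per packet), decodes the IPv4 addresses and protocol from each Ethernet frame, and extracts a time window into a new pcap the way tcpslice does. The three frames in the capture are constructed sample data; the IP checksum is left zero because nothing here transmits them.

```python
import socket
import struct
from dataclasses import dataclass

# Classic pcap layout (what tcpdump, Wireshark and tcpslice read):
#   global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
#   per record:    ts_sec, ts_usec, incl_len (bytes captured), orig_len (bytes on the wire)
PCAP_MAGIC = 0xA1B2C3D4       # microsecond timestamps; stored in the writer's byte order
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    ts: float      # seconds since the epoch, microsecond fraction included
    src: str       # IPv4 source, empty if the frame is not IPv4
    dst: str
    proto: int     # IP protocol number (6 TCP, 17 UDP), -1 if not IPv4
    data: bytes    # the captured frame exactly as stored in the record


def build_frame(src_ip, dst_ip, proto, payload=b""):
    """Constructed Ethernet/IPv4 frame with a minimal 20-byte IP header (checksum left zero)."""
    eth = bytes.fromhex("020202020202") + bytes.fromhex("020202020201") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def write_pcap(records, linktype=LINKTYPE_ETHERNET, snaplen=65535, order="<"):
    """Serialise (timestamp, frame) pairs into a pcap byte string in the given byte order."""
    ghdr = struct.Struct(order + "IHHiIII")
    rhdr = struct.Struct(order + "IIII")
    out = bytearray(ghdr.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += rhdr.pack(sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def decode_frame(ts, frame, linktype):
    """Pull IPv4 source, destination and protocol out of an Ethernet frame."""
    src = dst = ""
    proto = -1
    if linktype == LINKTYPE_ETHERNET and len(frame) >= 34 and frame[12:14] == b"\x08\x00":
        ip = frame[14:]
        if ip[0] >> 4 == 4:          # IPv4 version nibble
            proto = ip[9]
            src = socket.inet_ntoa(ip[12:16])
            dst = socket.inet_ntoa(ip[16:20])
    return Packet(ts, src, dst, proto, frame)


def read_pcap(blob):
    """Parse a pcap byte string into (linktype, [Packet]), detecting the writer's byte order."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:     # the magic seen byte-swapped: file was written big-endian
        order = ">"
    else:
        raise ValueError(f"not a classic pcap file: magic {magic:#x}")
    ghdr = struct.Struct(order + "IHHiIII")
    rhdr = struct.Struct(order + "IIII")
    linktype = ghdr.unpack_from(blob, 0)[6]
    packets, offset = [], ghdr.size
    while offset + rhdr.size <= len(blob):
        sec, usec, incl_len, _orig_len = rhdr.unpack_from(blob, offset)
        offset += rhdr.size
        frame = blob[offset:offset + incl_len]
        if len(frame) < incl_len:
            break                 # capture cut short mid-record: keep what parsed cleanly
        offset += incl_len
        packets.append(decode_frame(sec + usec / 1_000_000, frame, linktype))
    return linktype, packets


def time_slice(blob, start, end):
    """tcpslice-style extraction: a new pcap holding only records with start <= ts < end."""
    linktype, packets = read_pcap(blob)
    return write_pcap([(p.ts, p.data) for p in packets if start <= p.ts < end], linktype)


def summarize(blob):
    """(src, dst, proto) per record in capture order, like a terse tcpdump -r listing."""
    return [(p.src, p.dst, p.proto) for p in read_pcap(blob)[1]]


def build_sample_capture(order="<"):
    """Constructed three-record capture: two TCP frames and one UDP frame, seconds apart."""
    records = [
        (1700000000.0, build_frame("192.0.2.10", "198.51.100.5", 6, b"\x00" * 20)),
        (1700000001.5, build_frame("198.51.100.5", "192.0.2.10", 6, b"\x00" * 20)),
        (1700000002.25, build_frame("192.0.2.10", "198.51.100.53", 17, b"\x00" * 8)),
    ]
    return write_pcap(records, order=order)


if __name__ == "__main__":
    capture = build_sample_capture()
    print("full capture:", summarize(capture))
    print("1s slice:    ", summarize(time_slice(capture, 1700000001.0, 1700000002.0)))
```

Two details matter for evidence handling: the byte-order check on the magic number (captures from a big-endian sensor are still valid pcap) and the truncated-record branch, since a capture interrupted by a crash or full disk usually ends mid-packet and the parser should report what it recovered rather than fail on the tail.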

26
tcpreplay
• A set of open source utilities for editing and replaying previously captured network traffic.
• To replay network traffic recorded in Libpcap format.
• Use this information to test network devices, such as IDSs,
switches, and routers.
• http://tcpreplay.appneta.com

27
EtherApe
• A tool for viewing network traffic graphically.
• https://etherape.sourceforge.io/

28
Netdude
• An easy-to-use interface for inspecting and analyzing large tcpdump files.
• http://netdude.sourceforge.net

29
Argus
• A session data probe, collector, and analysis tool.
• Real-time flow monitor.
• http://argus.tcp4me.com/download.html

30
Wireshark
• One of the most popular network traffic analysis tools.
• It runs on many platforms, is free, and is used extensively in industry and for education.
• www.wireshark.org/download.html

31
NetworkMiner
• An open source Network Forensic Analysis Tool for Windows (but also works in Linux / Mac OS X / FreeBSD).
• Can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.

32
Summary
• Steps must be taken to harden networks before a security
breach happens.
• Being able to spot variations in network traffic can help you
track intrusions.
• Several tools are available for monitoring network traffic, such
as packet analyzers and honeypots.
• Tools such as tcpdump and Wireshark offer support groups and
online training.

33