
Network & Internet Forensics

UNIT - 2
Overview of OSI Model
Introduction to NAT
• NAT (Network Address Translation) is a mechanism in which a device rewrites the address and port number fields of a TCP/IP packet, mapping the IP address from one realm to another (usually from a private IP address to a public IP address and vice versa).
• This works by the NAT device allocating a temporary port number on its public side when it forwards an outbound packet from an internal host towards the Internet, keeping that mapping for some predefined time, and forwarding inbound packets that arrive from the Internet on this public port back to the internal host.
• NAT devices are installed primarily to alleviate the exhaustion of IPv4 address space by allowing multiple hosts to
share a public/Internet address.
• Also, because of this mapping nature (a mapping can only be created by a transmission from an internal host), a NAT device is often installed even when IPv4 address exhaustion is not a problem (for example when there is only one host at home), to provide some sort of security shield for the internal hosts against threats from the Internet.
• Despite the fact that NAT provides some shield for the internal network, one must distinguish a NAT solution from a firewall solution. NAT is not a firewall solution. A firewall is a security solution designed to enforce the security policy of an organization, while NAT is a connectivity solution that allows multiple hosts to use a single public IP address.
• Understandably, the two functionalities are difficult to separate at times, since many (typically consumer) products claim to do both with the same device and simply label the device a "NAT box". But we do want to make this distinction clear, as PJNATH is a NAT traversal helper and not a firewall bypass solution (yet).
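A small simulator of the mapping behaviour just described, added here as an example (it is not part of the original notes or of PJNATH): an outbound packet creates a timed mapping on a public port, a reply on that port is forwarded back, and unsolicited or stale inbound packets are dropped. All addresses, ports and the timeout are constructed values.

```python
"""Toy NAT translation table. Added example, not from the original notes or
from PJNATH; addresses, ports and the timeout are constructed values."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed public address (documentation range)
MAPPING_TTL = 300.0          # seconds a mapping survives after its last packet
FIRST_PUBLIC_PORT = 40000    # constructed start of the NAT's port pool


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Maps (private ip, private port) to a temporary public port and back."""

    def __init__(self, public_ip: str = PUBLIC_IP, ttl: float = MAPPING_TTL):
        self.public_ip = public_ip
        self.ttl = ttl
        self.next_port = FIRST_PUBLIC_PORT
        self.by_inside: Dict[Tuple[str, int], int] = {}         # inside -> public port
        self.by_public: Dict[int, Tuple[str, int, float]] = {}  # public port -> (ip, port, expiry)

    def _alive(self, port: Optional[int], now: float) -> bool:
        return port is not None and self.by_public[port][2] >= now

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Internal host -> Internet: create or refresh the mapping, then rewrite
        the source to the NAT's public address and the allocated port."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.by_inside.get(key)
        if not self._alive(port, now):
            port = self.next_port            # allocate a fresh public port
            self.next_port += 1
            self.by_inside[key] = port
        self.by_public[port] = (pkt.src_ip, pkt.src_port, now + self.ttl)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> internal host: forward only if a live mapping exists for the
        destination port. Unsolicited (no mapping) or stale packets are dropped;
        this is the 'shield' effect described above, not a firewall policy."""
        entry = self.by_public.get(pkt.dst_port)
        if entry is None or entry[2] < now:
            return None
        inside_ip, inside_port, _ = entry
        self.by_public[pkt.dst_port] = (inside_ip, inside_port, now + self.ttl)
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Outbound request, its reply, an unsolicited probe, and a reply after expiry."""
    nat = Nat()
    out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 443), now=0.0)
    reply = nat.inbound(Packet("198.51.100.5", 443, PUBLIC_IP, out.src_port), now=10.0)
    probe = nat.inbound(Packet("198.51.100.9", 12345, PUBLIC_IP, 40001), now=10.0)
    late = nat.inbound(Packet("198.51.100.5", 443, PUBLIC_IP, out.src_port),
                       now=10.0 + MAPPING_TTL + 1)
    return out, reply, probe, late


if __name__ == "__main__":
    print(*demo(), sep="\n")
```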
Network Information-Gathering Tools
• Nmap. Nmap is an open-source network scanner used to reconnoitre and scan networks.
• Zenmap. Another useful tool for the scanning phase of ethical hacking in Kali Linux.
• whois lookup. whois is a database record of all the registered domains on the internet.
• SPARTA.
• nslookup.
• Osintgram.

https://www.geeksforgeeks.org/kali-linux-information-gathering-tools/
Monitoring User Activity
• Sometimes called user activity tracking, user activity monitoring is a
form of surveillance, but serves as a proactive review of end user
activity to determine misuse of access privileges or data protection
policies either through ignorance or malicious intent.
Investigating Routers
• The basics of router forensics are collecting data from the device that can act as evidence. The standard process involves issuing the "show" commands and collecting data such as logs and network activity data.

Core Analysis
• main memory,
• IO memory, and
• the PCI memory (if used).
• Some of this information is detailed below.
• Show Commands
• Most of the required information to be collected from the router will be obtained using the Cisco "show" commands. The main commands that you need to become familiar with are:
• show clock detail
• show version
• show running-config
• show startup-config
• show reload
• show ip route
• show ip arp
• show users
• show logging
• show ip interface
• show interfaces
• show tcp brief all
• show ip sockets
• show ip nat translations verbose
• show ip cache flow
• show ip cef
• show snmp user
• show snmp group
• show clock detail


Show audit
• The Router Security Audit Logs feature allows for the creation of audit trails. If these are configured, they may be used to track changes that have been made to a router running Cisco IOS software.
• The "show audit" command displays the contents of an audit file. The syntax of the command is: show audit [filestat]
• The "filestat" option displays the rollover counter for the circular buffer and the number of messages that have been received. The rollover counter, which indicates the number of times the circular buffer has been overwritten, is reset when the audit file size is changed (via the audit filesize command). This command runs from privileged EXEC mode. This command will create a hash of the information from the "show version" command.
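The collection procedure above (record the clock, hash what you collected, correlate the NAT and ARP tables) as an added example that is not part of the original notes or of the SANS article; the "show" outputs embedded below are constructed samples in Cisco IOS layout, not output from a real device.

```python
"""Evidence bundle for Cisco 'show' output. Added example, not from the notes
or SANS; the captured outputs below are constructed samples."""
import hashlib
import re
from typing import Any, Dict, List, Tuple

# Constructed capture of the commands listed above, keyed by command text.
CAPTURE: Dict[str, str] = {
    "show clock detail": "*12:34:56.789 UTC Mon Mar 4 2024\nTime source is NTP\n",
    "show version": "Cisco IOS Software (constructed sample), Version 15.x\n"
                    "router uptime is 3 days, 2 hours, 10 minutes\n",
    "show ip nat translations":
        "Pro Inside global      Inside local       Outside local      Outside global\n"
        "tcp 203.0.113.10:40000 192.168.1.20:51000 198.51.100.5:443   198.51.100.5:443\n",
    "show ip arp":
        "Protocol  Address          Age (min)  Hardware Addr   Type   Interface\n"
        "Internet  192.168.1.1             -   0011.2233.4455  ARPA   GigabitEthernet0/0\n"
        "Internet  192.168.1.20            3   0011.2233.4466  ARPA   GigabitEthernet0/0\n",
}

CLOCK_RE = re.compile(r"^([*.]?)(\d\d:\d\d:\d\d\.\d+) (\S+) (.+)$")
NAT_FIELDS = ("proto", "inside_global", "inside_local", "outside_local", "outside_global")
ARP_FIELDS = ("protocol", "address", "age_min", "mac", "type", "interface")


def digest(text: str) -> str:
    """SHA-256 of the raw output, taken before any parsing so the record can
    be re-verified later (chain of custody)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_clock(text: str) -> Dict[str, Any]:
    """Split 'show clock detail'. IOS prefixes the time with '*' when the clock
    is not authoritative and with '.' when it is authoritative but NTP has lost
    sync; note either before relying on router timestamps."""
    first, *rest = text.strip().splitlines()
    m = CLOCK_RE.match(first)
    if not m:
        raise ValueError("unexpected clock line: " + first)
    flag, time, tz, date = m.groups()
    return {"time": time, "tz": tz, "date": date, "flag": flag,
            "authoritative": flag == "", "source": rest[0] if rest else ""}


def parse_table(text: str, fields: Tuple[str, ...]) -> List[Dict[str, str]]:
    """Turn a fixed-column 'show' table into dicts; the header row is skipped
    and rows whose column count does not match are ignored."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def build_bundle(capture: Dict[str, str]) -> Dict[str, Any]:
    """Hash every output, parse the ones used for correlation, and link each
    NAT inside-local address to the MAC seen in the ARP table."""
    bundle: Dict[str, Any] = {
        "hashes": {cmd: digest(out) for cmd, out in capture.items()},
        "clock": parse_clock(capture["show clock detail"]),
        "nat": parse_table(capture["show ip nat translations"], NAT_FIELDS),
        "arp": parse_table(capture["show ip arp"], ARP_FIELDS),
    }
    mac_by_ip = {r["address"]: r["mac"] for r in bundle["arp"]}
    for r in bundle["nat"]:
        inside_ip = r["inside_local"].rsplit(":", 1)[0]
        r["inside_mac"] = mac_by_ip.get(inside_ip, "unknown")
    return bundle


if __name__ == "__main__":
    print(build_bundle(CAPTURE))
```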

https://www.sans.org/blog/cisco-router-forensics/
Hacking Routers
• Router scanning is a sort of hybrid attack method on both LAN and wireless (added
later) routers that scans organization subnets and then attacks routers it finds.
• Router Scan by Stas’M is a hacking tool that allows hackers to perform router
scanning and has the capability to pull important information about the wireless
router, including access point name (SSID), access point key (password) and even
what encryption method is used by the wireless router.
• This information is gathered in two ways: it uses a list of standard passwords to guess the router password, and it uses router-model-specific vulnerabilities to either gather the information above or even bypass authorization altogether. Ethical hackers can use this program to test how resistant their password is, get a better idea of the vulnerabilities of the router model they use, and better understand how attackers act when using this method against their router.
Internet & World wide web threats
• Web threats definition
• Web-based threats, or online threats, are a category of cybersecurity risks that may cause an
undesirable event or action via the internet.
• Web threats are made possible by end-user vulnerabilities, web service developers/operators, or
web services themselves. Regardless of intent or cause, the consequences of a web threat may
damage both individuals and organizations.
• This term typically applies to — but is not limited to — network-based threats in the following
categories:
• Private network threats - impact sub-networks connected to the wider global internet. Typical
examples can include home Wi-Fi or ethernet networks, corporate intranets, and national intranets.
• Host threats - impact specific network host devices. The term host often refers to corporate
endpoints and personal devices, such as mobile phones, tablets, and traditional computers.
• Web server threats - impact dedicated hardware and software that serve web infrastructure and
services.
What are web threats?
• Internet-based threats expose people and computer systems to harm online. A broad scope of dangers fits into this category,
including well-known threats like phishing and computer viruses. However, other threats, like offline data theft, can also be
considered part of this group.
• Web threats are not limited to online activity but ultimately involve the internet at some stage for inflicted harm. While not all
web threats are created deliberately, many are intended — or have the potential — to cause:
• Access denial. Prevention of entry to a computer and/or network services.
• Access acquisition. Unauthorized or unwanted entry into a private computer and/or network services.
• Unauthorized or unwanted use of computer and/or network services.
• Exposing private data without permission, such as photos, account credentials, and sensitive government information.
• Unauthorized or undesired changes to a computer and/or network services.
• In recent years, the landscape of web threats has grown significantly. Technologies like smart devices and high-speed mobile
networks have allowed for an always-connected vector of malware, fraud, and other complications. Also, web adoption in
areas like communications and productivity via the Internet of Things (IoT) has outpaced user security awareness.
• As we continue to rely more on the web for daily living, it will keep exponentially rising as an attractive attack option for
malicious parties. Convenience and a lack of caution around web use are among the top concerns that continue to pose new
risks to privacy and security.
• While targets are typically computer-based, human victims ultimately experience the lasting effects of a web threat.
How do web threats work?
• When a web threat arises, certain circumstances align to make it a point-of-concern.
• Namely, there are a few basic components to any web threat:
• Threat motives give an intentional threat agent a reason or goal to cause harm. Some threat
agents don’t act intentionally or act autonomously and may, therefore, be absent of motive.
• Threat agents are anything or anyone that can negatively impact — with the internet either as a
threat vector or a target itself.
• Vulnerabilities include any human behavior weakness, technology systems, or other resources
that can lead to a damaging exploit or incident.
• Threat outcomes are the negative results of a threat agent acting against one or more
vulnerabilities.
• As these components interact, a threat becomes an attack on computer systems. Threat
motives can include any of the following: financial, surveillance, information, retaliation,
sabotage, and more.
• Threat agents are typically people with malicious intent. By extension, agents may also be anything that is manipulated into acting in favor of the original threat agent. However, some threat agents — such as destructive nature events — act entirely without human intervention.
• The types of threat agents include:
• Non-human agents: Examples include malicious code (viruses, malware, worms, scripts), natural disasters (weather,
geological), utility failure (electrical, telecom), technology failure (hardware, software), and physical hazards (heat, water,
impact).
• Intentional human agents: Based on malicious intent. Can be internal (employees, contractors, family, friends,
acquaintances) and external (professional and amateur hackers, nation-state actors and agencies, competitor
corporations)
• Accidental human agents: Based on human error. Similar to intentional threats, this type can include internal and external
agents.
• Negligence-based human agents: Based on careless behaviors or safety oversights. Again, this category can also include
internal and external agents.
• Vulnerabilities may be points of weakness where someone or something can be manipulated. Vulnerabilities can be
considered a web threat and a concern that enables other threats. This area typically includes some form of human or
technical weakness that can lead to penetration, misuse, or destruction of a system.
• Threat outcomes may lead to disclosed private info, deceived users, disrupted computer system use, or seized access privileges. Web
threats often result in, but are not limited to, causing:
• Reputation damage: Loss of trust from clients and partners, search engine blacklisting, humiliation, defamation, etc.
• Operations disruption: Operational downtime, access denial to web-based services such as blogs or message boards, etc.
• Theft: Financial, identity, sensitive consumer data, etc.

• Cybercriminals will use almost any vulnerability within an operating system (OS) or an application to conduct an attack. However, most
cybercriminals will develop web threats that deliberately target some of the most common operating systems/applications, including:
• Java: Because Java is installed on over 3 billion devices (that are running under various operating systems) exploits can be created to
target specific Java vulnerabilities on several different platforms/operating systems.
• Adobe Reader: Although many attacks have targeted Adobe Reader, Adobe has implemented tools to protect the program against
exploit activity. However, Adobe Reader is still a common target.
• Windows and Internet Explorer: Active exploits still target vulnerabilities that were detected as far back as 2010 – including MS10-042
in Windows Help and Support Center, and MS04-028, which is associated with incorrect handling of JPEG files.
• Android: Cybercriminals use exploits to gain root privileges. Then, they can achieve almost complete control over the targeted device.
How do internet web threats spread?
• The most concerning internet threats travel the web to attack more systems. These threat
agents often use a mix of human manipulation and technical commands to reach their
targets.
• Web threats of this nature use the internet's many communications channels to spread.
Larger threats use the global internet to respond to threats, while more targeted threats
may directly infiltrate private networks.
• Typically, these threats are distributed through web-based services. Malicious actors
prefer to place these threats in locations where users will often engage with them. Public
websites, social media, web forums, and email are often ideal for spreading a web threat.
• Users are affected when they engage with malicious URLs, downloads, or provide
sensitive info to websites and message senders. This engagement may also trigger
infection and spread of web threats to other users and networks. It’s not uncommon for
innocent users to unknowingly become threat agents themselves.
How to spot web threats
• Despite the unending scope of web-based dangers, it is possible to spot some general traits
of web threats. However, spotting a web threat requires a vigilant eye to catch subtle details.
• Some web threats are clearly of concern to web infrastructure hardware, such as water and
heat. While those are easier to spot, others require careful attention. Any time you are
browsing websites and receiving digital messages are when you should be most cautious.
• Here are some tips to guide you:
• Grammar: Malicious actors may not always carefully craft their messages or web content
when assembling an attack. Look for typos, odd punctuation, and unusual phrasing.
• URLs: Harmful links can be masked under decoy anchor text — the visible text that’s
displayed. You can hover over a link to inspect its true destination.
• Poor quality images: The use of low-resolution or unofficial images may indicate a malicious
webpage or message.
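The hover-and-compare check for decoy anchor text, as an added example that is not part of the original notes: it extracts every link from a constructed HTML snippet and flags those whose visible text names a site other than the one the href actually points to (the registrable-domain comparison is a crude last-two-labels heuristic, not a public suffix list).

```python
"""Detect decoy anchor text: links whose visible text names one site while the
href goes to another. Added example, not from the original notes; the HTML
below is a constructed phishing-style snippet."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: one decoy link, one ordinary link, one honest bare-domain link.
SAMPLE_HTML = """
<p>Please confirm your details at
<a href="https://bank.example.com.evil.test/verify">https://bank.example.com/login</a>
or read the <a href="https://bank.example.com/help">help pages</a>.
Documentation: <a href="https://docs.example.net/start">docs.example.net</a>.</p>
"""

BARE_HOST_RE = re.compile(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]\S*)?$", re.I)


def registrable(host: str) -> str:
    """Crude 'site' identity: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text: str) -> Optional[str]:
    """Host named by the visible text, if it looks like a URL or a bare domain."""
    t = text.strip()
    if "://" in t:
        return urlsplit(t).hostname
    m = BARE_HOST_RE.match(t)
    return m.group(1) if m else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def decoy_links(html: str) -> List[Tuple[str, str]]:
    """Return (visible text, real host) for anchors whose text names another site."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = host_in_text(text)
        real = urlsplit(href).hostname or ""
        if shown and real and registrable(shown) != registrable(real):
            findings.append((text.strip(), real))
    return findings


if __name__ == "__main__":
    for text, real in decoy_links(SAMPLE_HTML):
        print(f"decoy: text says {text!r} but the link goes to {real}")
```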
Types of web security threats
• As mentioned previously, web threats typically include human and technical manipulation in order to attack. Be aware there tends to be overlap between web
threats, and some may occur simultaneously. Some of the most common web threats may include the following.
• Social engineering
• Social engineering involves deceiving users to act unknowingly against their own best interests. These threats usually involve gaining the trust of users to deceive
them. Manipulating users in this way can include:
• Phishing: Posing as legitimate institutions or people to get them to divulge personal details.
• Watering hole attacks: Exploiting popular websites to fool users into exposing themselves to harm.
• Network spoofing: Fraudulent access points that mimic legitimate ones.
• Malicious code
• Includes malware and harmful scripts (lines of computer programming commands) to create or exploit technical vulnerabilities. Where social engineering is the
human side of web threats, malicious code is the technical side. These threats can include but are not limited to:
• Injection attacks: Insertion of harmful scripts into legitimate applications and websites. Examples include SQL injection and cross-site scripting (XSS).
• Botnet: Hijacking a user device for remote, automated use in a network of similar “zombies.” These are used to accelerate spam campaigns, malware attacks, and
more.
• Spyware: Tracking programs that monitor user actions on a computer device. The most common examples are keyloggers.
• Computer worms: Scripts that run, replicate, and spread autonomously without the help of a related program.
• Exploits
• Exploits are intentional abuses of vulnerabilities that may lead to an undesirable incident.
• Brute force attacks: Manual or automated attempts to breach security “gates” and vulnerabilities. This may typically involve generating all possible passwords to a
private account.
• Spoofing: Masking a real identity to manipulate legitimate computer systems. Examples include IP spoofing, DNS spoofing, and cache poisoning.
• Cybercrime
• Cybercrime refers to any unlawful activity conducted via computer systems. These threats often use the web to enact their plans.
• Cyberbullying: Mental abuse of victims using threats and harassment.
• Unauthorized data disclosure involves the release of private information, such as email leaks, intimate photos, and significant corporate data leaks.
• Cyber libel: Also known as online defamation, this can involve attacking individuals or organizations' reputations. This can be done through
disinformation (deliberate distribution of inaccurate information) or misinformation (mistaken distribution of inaccurate information).
• Advanced Persistent Threats (APTs): Malicious actors gain access to a private network and establish ongoing access. They combine social engineering,
malicious code, and other threats to exploit vulnerabilities and gain this access.
• Typically, web threats refer to malware programs that can target you when you're using the internet. These browser-based threats include a range of
malicious software programs that are designed to infect victims’ computers. The main tool behind such browser-based infections is the exploit pack –
which gives cybercriminals a route to infecting computers that either:
• Do not have a security product installed
• Contain a commonly used operating system or application that is vulnerable – because the user hasn’t applied the latest updates, or a new patch has yet
to be issued by the software vendor
• Kaspersky’s Internet security experts have identified the most active malicious software programs involved in web threats. The list includes the following
types of online threats:
• Malicious websites. Kaspersky identifies these websites by using cloud-based heuristic detection methods. Most malicious URL detections are for
websites that contain exploits.
• Malicious scripts. Hackers inject malicious scripts into the code of legitimate websites that have had their security compromised. Such scripts are used to
perform drive-by attacks – in which visitors to the website are unknowingly redirected to malicious online resources.
• Scripts and executable PE files. Generally, these either:
• Download and launch other malicious software programs
• Carry a payload that steals data from online banking and social network accounts or steals login and user account details for other services
• Trojan-Downloaders. These Trojan viruses deliver various malicious programs to users’ computers.
• Exploits and exploit packs. Exploits target vulnerabilities and try to evade the attention of Internet security software.
• Adware programs. Often, the adware will simultaneously install when a user starts to download a freeware or shareware program.
Examples of web threats
• Among the many examples of web threats, here are some of the more well-known examples:
• WannaCry ransomware
• In May 2017, the WannaCry ransomware spread to many networks and locked down countless
Windows PCs. This threat was particularly dangerous because of its worm functionality, allowing
it to spread completely autonomously. WannaCry exploited a native communication language
within Windows to spread this malicious code.
• Celebrity iCloud phishing
• A spear-phishing attack led to the breach of numerous celebrity iCloud accounts. This breach
ultimately resulted in the unauthorized leak of countless private photos from these accounts.
• While the attacker was eventually located and prosecuted, the victims are still suffering from
their intimate photos being made public — without their permission. This has become one of
the most well-known phishing attacks of the decade.
How to protect yourself against web threats
• Most threats are successful due to two main weaknesses:
• Human error
• Technical error
• Full protection from web threats means you will need to find ways to cover these weak points.
• General tips to follow for both end-users and web service providers include:
• Always create backups: All valuable data should be copied and stored safely to prevent data loss in case of an
incident. Websites, device drives, and even web servers can be backed up.
• Enable multi-factor authentication (MFA): MFA allows for additional layers of user authentication on top of
traditional passwords. Organizations should enable this protection for users, while end-users should be sure
to make use of it.
• Scan for malware: Regular scans for infections will keep your computer devices secured. Personal devices can
all be covered through an antivirus solution like Kaspersky Total Security. Enterprise endpoint machines and
computer networks should use this protection as well.
• Keep all tools, software, and OS up to date: Computer systems are more vulnerable when they’ve been
unpatched against undiscovered holes in their programming. Software developers regularly probe for
weaknesses and issue updates for this purpose. Protect yourself by downloading these updates.
• Service providers like website owners and server operators are where true comprehensive security starts.
These parties will need to take precautions for better protection. They can do this by:
• Monitoring web traffic to gauge for normal volumes and patterns.
• Implementing firewalls to filter and restrict unpermitted web connections.
• Network infrastructure distribution to decentralize data and services. This includes aspects like backups for
various resources and geo server rotations.
• Internal probing to investigate for unpatched vulnerabilities. This might, for example, involve self-attacking
with SQL injection attack tools.
• Proper security configuration for access rights and session management.
• Users should protect themselves by doing the following:
• Scan downloads for malware.
• Vet links before clicking, only clicking links if you are positive the destination is safe and trusted.
• Make strong, secure passwords, and avoid duplicates. Use a secure Password Manager to help manage all of
your accounts and passwords.
• Throttle login attempts by triggering account lockdown after a limited number of tries.
• Look out for phishing red flags in texts, email, and other communications.
Messenger Forensics: AOL
• https://flylib.com/books/en/3.210.1.56/1/
• https://www.tmeic.com/use-cookies-and-access-analysis-tools
• https://www.foxtonforensics.com/blog/post/web-page-reconstruction-for-forensic-analysis
Important Tools
• SNORT
• Snort is the foremost Open Source Intrusion Prevention System (IPS) in the
world. Snort IPS uses a series of rules that help define malicious network
activity and uses those rules to find packets that match against them and
generates alerts for users.
• Snort can also be deployed inline to stop these packets. Snort has three primary uses: as a packet sniffer like tcpdump, as a packet logger (useful for network traffic debugging), or as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.
• https://www.snort.org/downloads
TCPdump
• tcpdump is a data-network packet analyzer computer program that runs
under a command line interface. It allows the user to display TCP/IP and
other packets being transmitted or received over a network to which the
computer is attached. Distributed under the BSD license, tcpdump is 
free software.
• Tcpdump works on most Unix-like operating systems: Linux, Solaris, 
FreeBSD, DragonFly BSD, NetBSD, OpenBSD, OpenWrt, macOS, HP-UX 11i,
and AIX. In those systems, tcpdump uses the libpcap library to capture
packets. The port of tcpdump for Windows is called WinDump; it uses 
WinPcap, the Windows version of libpcap.
• https://www.tcpdump.org/
Live Acquisition of Network Traffic
• https://pratum.com/blog/454-why-consider-live-acquisition-for-your-next-digital-forensics-case

Domain Name Owner
• Who is the domain owner? Domain names are owned by whoever first registered the web address with an accredited registrar, such as Domain.com. In order for that person to maintain ownership, they have to pay registration fees and ensure that all of their contact details are up to date.
• https://who.is/
• https://www.domain.com/blog/find-a-domain-name-owner/
