Presentation is loading. Please wait.

Presentation is loading. Please wait.

SHARKFEST '09 | Stanford University | June 15–18, 2009 Wireshark is divine! Network Forensics: Wireshark as Evidence Collector Laura Chappell Founder,

Published byJayson Kitts Modified over 9 years ago

Similar presentations

Presentation on theme: "SHARKFEST '09 | Stanford University | June 15–18, 2009 Wireshark is divine! Network Forensics: Wireshark as Evidence Collector Laura Chappell Founder,"— Presentation transcript:

1 SHARKFEST '09 | Stanford University | June 15–18, 2009 Wireshark is divine! Network Forensics: Wireshark as Evidence Collector Laura Chappell Founder, Wireshark University http://www.wiresharktraining.com | laura@wiresharktraining.com Presenter, Wireshark Jumpstart Series http://www.chappellseminars.com | laura@chappellseminars.com SHARKFEST '09 Stanford University June 15 th, 2009 10:45-12:15 www.tinyurl.com/kwvs4n

2 SHARKFEST '09 | Stanford University | June 15–18, 2009 The OHHDL Case Planting the Seed of Social Malware

3 SHARKFEST '09 | Stanford University | June 15–18, 2009 Another Case of Interest Thank goodness they have WEP on this WLAN! Here’s your sense of false security… Enjoy your stay.

4 SHARKFEST '09 | Stanford University | June 15–18, 2009 In this Session Network Forensics 101 Evidence of Reconnaissance Evidence of Breaches LIVE ANALYSIS

5 SHARKFEST '09 | Stanford University | June 15–18, 2009 Evidence of Reconnaissance IP scans (excessive ICMP Type 3/Code 2) OS fingerprinting (ICMP type 13, 15 and 17) OS fingerprinting (ICMP type 13, 15 and 17) Address scans (‘dark IP’ or ‘dark MAC’ hits) Application scans (unusual responses) UDP scans (excessive ICMP Type 3/Code 3) TCP scans (excessive RSTs)

6 SHARKFEST '09 | Stanford University | June 15–18, 2009 Evidence of Breaches Unusual communication pairs Unusual protocols and ports Excessive failed connections Unusual inbound connections Unusual outbound connections Peer-to-peer traffic paths Check out… Statistics > Protocol Hierarchies Statistics > Conversations Filter on DNS Filter on ICMP

7 SHARKFEST '09 | Stanford University | June 15–18, 2009 Now… Enough of this slide stuff…

8 SHARKFEST '09 | Stanford University | June 15–18, 2009 Links High Technology Crime Investigation Association http://www.htcia.org Snooping Dragon Report http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf Hacked Hosts: Network Forensics http://www.chappellseminars.com/s-hackedhosts.html Yes – I tweet – “laurachappell” Yes – I blog - feeds2.feedburner.com/InsideLaurasLab Yes – I Facebook – “laurachappell”

9 SHARKFEST '09 | Stanford University | June 15–18, 2009 Thank You! Check out Laura’s live seminars at chappellseminars.com. Help us spread the word! Thanks!

Download ppt "SHARKFEST '09 | Stanford University | June 15–18, 2009 Wireshark is divine! Network Forensics: Wireshark as Evidence Collector Laura Chappell Founder,"

Similar presentations

Routing Routing in an internetwork is the process of directing the transmission of data across two connected networks. Bridges seem to do this function.

Routing Routing in an internetwork is the process of directing the transmission of data across two connected networks. Bridges seem to do this function.
How Does the Internet Work? A Basic Introduction to the Worlds Biggest Computer Network.

How Does the Internet Work? A Basic Introduction to the Worlds Biggest Computer Network.
SHARKFEST '09 | Stanford University | June 15–18, 2009 Tips and Tricks: Case Studies Laura Chappell Founder, Wireshark University

SHARKFEST '09 | Stanford University | June 15–18, 2009 Tips and Tricks: Case Studies Laura Chappell Founder, Wireshark University
Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
1 Ports and IPv6. 2 Ports Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), used for communication Generally speaking, a computer.

1 Ports and IPv6. 2 Ports Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), used for communication Generally speaking, a computer.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Tactics to Discover “Passive” Monitoring Devices

Tactics to Discover “Passive” Monitoring Devices
TCP-IP Primer David Cozens. Targets Have a basic understanding of Ethernet network technology Be aware of how this technology is applied on the 5000 series.

TCP-IP Primer David Cozens. Targets Have a basic understanding of Ethernet network technology Be aware of how this technology is applied on the 5000 series.
COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.

COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.
2 nd Session M agister K omputer Post-Graduated University of Budi Luhur Ciledug - Indonesia 1 Quiz Chapter 7 LAN Communications Protocols.

2 nd Session M agister K omputer Post-Graduated University of Budi Luhur Ciledug - Indonesia 1 Quiz Chapter 7 LAN Communications Protocols.
TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
Leone From global measurements to local management UC3M: inHome NAT detection RFC recommender ICMP UDP TCP Miguel Ángel Díaz, Francisco Valera.

Leone From global measurements to local management UC3M: inHome NAT detection RFC recommender ICMP UDP TCP Miguel Ángel Díaz, Francisco Valera.
Essential NetTools Pranay Kumar. Essential NetTools  This tool is a set of network tools useful in diagnosing networks and monitoring your computer's.

Essential NetTools Pranay Kumar. Essential NetTools  This tool is a set of network tools useful in diagnosing networks and monitoring your computer's.
Snoop Lab Exercise in examining network traffic. Snoop Lab You will need, in advance, knowledge of: –TCP header format –IP header format –Ethernet address.

Snoop Lab Exercise in examining network traffic. Snoop Lab You will need, in advance, knowledge of: –TCP header format –IP header format –Ethernet address.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Module 8: Concepts of a Network Load Balancing Cluster

Module 8: Concepts of a Network Load Balancing Cluster
Chapter 7 Firewalls. Firewall Definition  A network device that enforces network access control based upon a defined security policy.

Chapter 7 Firewalls. Firewall Definition  A network device that enforces network access control based upon a defined security policy.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
Network Forensics Laura Chappell Sr. Protocol/Security Analyst Protocol Analysis Institute www.packet-level.com.

Network Forensics Laura Chappell Sr. Protocol/Security Analyst Protocol Analysis Institute

Similar presentations

Ads by Google