Presentation is loading. Please wait.

Presentation is loading. Please wait.

COEN 252 Computer Forensics Collecting Network-based Evidence.

Published byTyrone Wheeler Modified over 8 years ago

Similar presentations

Presentation on theme: "COEN 252 Computer Forensics Collecting Network-based Evidence."— Presentation transcript:

1 COEN 252 Computer Forensics Collecting Network-based Evidence

2 Why Surveillance to confirm suspicion, to accumulate evidence, to identify co-conspiritors.

3 Goals Examine suspicion of incident. Accumulate additional evidence. Verify scope of compromise. Identify additional parties involved. Determine a timeline.

4 Network Monitoring Event Monitoring Looks for certain types of packets representing events. Trap-and-Trace Monitoring Non-content monitoring. Date, Time, Protocol, Source, Destination Full-Content Monitoring Get complete packages.

5 Network Monitoring System Match technologies and capabilities to the situation. Goals of network surveillance. Ensure proper legal standing. Acquire proper hardware and software. Ensure the security of the platform. Evaluate the network monitor.

6 Network Monitoring Goals Watch traffic to and from a specific host. Monitor traffic to and from a specific network. Monitor a specific person’s actions. Verify intrusion attempts. Look for specific attack signatures. Focus on a specific protocol.

7 Network Monitoring Tools Match hardware power to the task. T3 need 1GHz processor, 1GB RAM Implement proper chain of custody for backup storage. Match software properties to the task. OS Remote access? Silent Sniffer? Capture files in portable format? Technical skills needed for monitor. Amount of data

8 OS for Sniffing Robust implementation of TCP/IP. SSH for remote access. Simple to disable services. Simple to run local firewall.

9 Remote Access Network connection. Second network adapter. VLAN SSH Firewall restricts IP addresses. Modem /”Out of Band” communications User ID / password Calls from specific phone numbers.

10 Silent Sniffing Antisniffers test for cards in promiscuous mode. Sniffers providing name-lookup make DNS queries. Sniffing machines have a higher response rate if the network is flooded. Incorrect implemented TCP/IP stacks react to packets with correct IP address but wrong ethernet address. Physically disable traffic from the card.

11 Data File Formats Capture files have different formats. Proprietary formats can lock you in. We will use windump and ethereal. Free Work well. Runs on most platforms.

12 Deploying the Network Monitor Switches Use MAC address to send traffic only to destination machines. Switched Port Analysis (SPAN) allows one switch to transmit all traffic to one switch port.

13 Deploying the Network Monitor Physical Security Physical Access => Logical Access. Chain of Custody: Capture files need to be authenticated.

14 Evaluating the Monitor Check Load. Check File System.

15 Trap-And-Trace Monitors only IP header and TCP header, but no content. Legal Issues: Without user supplied data, less privacy violation for corporate users. Without user supplied data, less need for a warrant. Tcpdump to screen protects private data.

16 Full-Content-Monitoring Sniffers can capture complete packages. Use a filter to block out noise. Protect capture files to maintain chain of custody. (file naming, scripting, md5)

17 Network-Based Logs Most network traffic leaves an audit trail. Routers, firewalls, servers, … maintain logs DHCP log IP leases Firewalls offer logging. IDS can capture part of an attack. Host-based sensors detect alteration of libraries Login attempts are logged.

Download ppt "COEN 252 Computer Forensics Collecting Network-based Evidence."

Similar presentations

Ethical Hacking Module VII Sniffers.

Ethical Hacking Module VII Sniffers.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
COEN 252 Computer Forensics Remote Sniffer Detection.

COEN 252 Computer Forensics Remote Sniffer Detection.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.
1 Eastern Michigan University Asad Khailany, Eastern Michigan University Dmitri Bagatelia, Eastern Michigan University Wafa Khorsheed, Eastern Michigan.

1 Eastern Michigan University Asad Khailany, Eastern Michigan University Dmitri Bagatelia, Eastern Michigan University Wafa Khorsheed, Eastern Michigan.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Chapter 12 Network Security.

Chapter 12 Network Security.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.

Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Similar presentations

Ads by Google