Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave.

Published byJoel Daniels Modified over 8 years ago

Similar presentations

Presentation on theme: "Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave."— Presentation transcript:

1 Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave. Chicago, IL 60646-6085 http://tax.cchgroup.com A WoltersKluwer Company

2 Chapter 14Forensic and Investigative Accounting2 Hacker Defined A hacker is generally defined as an individual or group whose intent is to gain access to a computer network for malicious purposes.

3 Chapter 14Forensic and Investigative Accounting3 Collecting Clues and Evidence A forensic investigator needs to be familiar with the protocols used on the Internet to be able to collect clues about either internal or external attackers. In addition, when law enforcement officials send requests or subpoenas for information about a company’s logs, the forensic analyst must understand the type of information being sought.

4 Chapter 14Forensic and Investigative Accounting4 Protocols Internet protocols are those rules allowing different operating systems and machines to communicate with one another over the Internet.

5 Chapter 14Forensic and Investigative Accounting5 Transmission Control Protocol (TCP) and Internet Protocol (IP) TCP/IP protocols are the communication guidelines used and widely supported over the Internet. TCP/IP protocols are the communication guidelines used and widely supported over the Internet. Almost every packet of information sent over the Internet uses the datagrams contained within a TCP/IP envelope. The datagrams consist of layers of information needed to verify the packet and get the information from the sender’s to the receiver’s location following traffic control guidelines. Almost every packet of information sent over the Internet uses the datagrams contained within a TCP/IP envelope. The datagrams consist of layers of information needed to verify the packet and get the information from the sender’s to the receiver’s location following traffic control guidelines.

6 Chapter 14Forensic and Investigative Accounting6 Transmission Control Protocol (TCP) and Internet Protocol (IP) Application Layer Transportation Layer Network Layer Data Link Layer Hardware Layer Electronic Impulse Layered Operating System Interconnection (OSI) Model

7 Chapter 14Forensic and Investigative Accounting7

8 Chapter 14Forensic and Investigative Accounting8 IP Address Defined An IP address is a 32-bit number (four bytes) that identifies the sender and recipient who is sending or receiving a packet of information over the Internet. The 32-bit IP address is known as dotted decimal notation. The minimum value for an octet is 0, and the maximum value for an octet is 255. illustrates the basic format of an IP address.

9 Chapter 14Forensic and Investigative Accounting9 TCP/IP Connections A three-way handshake synchronizes both ends of a connection by allowing both sides to agree upon initial sequence numbers. This mechanism also guarantees that both sides are ready to transmit data and know that the other side is ready to transmit as well. A three-way handshake synchronizes both ends of a connection by allowing both sides to agree upon initial sequence numbers. This mechanism also guarantees that both sides are ready to transmit data and know that the other side is ready to transmit as well.

10 Chapter 14Forensic and Investigative Accounting10 Popular Protocols DNS: The Domain Name System DNS: The Domain Name System Finger: Used to determine the status of other hosts and/or users Finger: Used to determine the status of other hosts and/or users FTP: The File Transfer Protocol allows a user to transfer files between local and remote host computers FTP: The File Transfer Protocol allows a user to transfer files between local and remote host computers HTTP: The Hypertext Transfer Protocol is the basis for exchange of information over the World Wide Web HTTP: The Hypertext Transfer Protocol is the basis for exchange of information over the World Wide Web

11 Chapter 14Forensic and Investigative Accounting11 Popular Protocols IMAP: The Internet Mail Access Protocol defines an alternative to POP as the interface between a user's mail client software and an e-mail server, used to download mail from the server to the client IMAP: The Internet Mail Access Protocol defines an alternative to POP as the interface between a user's mail client software and an e-mail server, used to download mail from the server to the client Ping: A utility that allows a user at one system to determine the status of other hosts and the latency in getting a message Ping: A utility that allows a user at one system to determine the status of other hosts and the latency in getting a message POP: The Post Office Protocol defines a simple interface between a user's mail client software and an e-mail server POP: The Post Office Protocol defines a simple interface between a user's mail client software and an e-mail server

12 Chapter 14Forensic and Investigative Accounting12 Popular Protocols SSH: The Secure Shell is a protocol that allows remote logon to a host across the Internet SSH: The Secure Shell is a protocol that allows remote logon to a host across the Internet SMTP: The Simple Mail Transfer Protocol is the standard protocol for the exchange of electronic mail over the Internet SMTP: The Simple Mail Transfer Protocol is the standard protocol for the exchange of electronic mail over the Internet SNMP: The Simple Network Management Protocol defines procedures and management information databases for managing TCP/IP-based network devices SNMP: The Simple Network Management Protocol defines procedures and management information databases for managing TCP/IP-based network devices Telnet: Short for Telecommunication Network, a virtual terminal protocol allowing a user logged on to one TCP/IP host to access other hosts Telnet: Short for Telecommunication Network, a virtual terminal protocol allowing a user logged on to one TCP/IP host to access other hosts

13 Chapter 14Forensic and Investigative Accounting13 Web Log Entries One important method for finding the web trail of an attacker is in examining web logs. One important method for finding the web trail of an attacker is in examining web logs. Recorded network logs provide information needed to trace all website usage. Recorded network logs provide information needed to trace all website usage. Web Log = Blog Web Log = Blog Also check transaction logs and server logs Also check transaction logs and server logs

14 Chapter 14Forensic and Investigative Accounting14 Web Log Entries Information provided in a log includes the visitor’s IP address, geographical location, the actions the visitor performs on the site, browser type, time on page, and the site the visitor used before arriving. Information provided in a log includes the visitor’s IP address, geographical location, the actions the visitor performs on the site, browser type, time on page, and the site the visitor used before arriving. Logs should be stored on a separate computer from the web server hosting the site so they cannot be easily altered. Logs should be stored on a separate computer from the web server hosting the site so they cannot be easily altered.

15 Chapter 14Forensic and Investigative Accounting15 TCPDUMP TCPDUMP is a form of network sniffer that can disclose most of the information contained in a TCP/IP packet. TCPDUMP is a form of network sniffer that can disclose most of the information contained in a TCP/IP packet. Windows uses WinDUMP Windows uses WinDUMP A sniffer is a program used to secretly capture datagrams moving across a network and disclose the information contained in the datagram’s network protocols. A sniffer is a program used to secretly capture datagrams moving across a network and disclose the information contained in the datagram’s network protocols.

16 Chapter 14Forensic and Investigative Accounting16 Decoding Simple Mail Transfer Protocol (SMTP) SMTP is the protocol used to send e-mail over the Internet. SMTP is the protocol used to send e-mail over the Internet. SMTP server logs can be used to check the path of the e-mail from the sending host to the receiving host. SMTP server logs can be used to check the path of the e-mail from the sending host to the receiving host.

17 Chapter 14Forensic and Investigative Accounting17 Decoding Simple Mail Transfer Protocol (SMTP) Most of the important information about the origin of an e-mail message is in the long form of the header. The most important data for tracing purposes is the IP addresses and the message ID.

18 Chapter 14Forensic and Investigative Accounting18 Tracing and Decoding IP Addresses Traceroute Traceroute Whois Whois Ping Ping Finger searches Finger searches

19 Chapter 14Forensic and Investigative Accounting19 Narrowing the Search Preliminary Incident Response Form Preliminary Incident Response Form John Doe subpoena John Doe subpoena

20 Chapter 14Forensic and Investigative Accounting20 Informational Searches Internet databases Internet databases –General searches –Name, telephone number, and e-mail address search engines –Internet relay chat (IRC), FTP, and Listserv searches –Usenet postings search –Legal records –Instant messaging (IM) Web page searches Web page searches Government data searches Government data searches Miscellaneous searches Miscellaneous searches

Download ppt "Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave."

Similar presentations

Cisco 2 - Routers Perrine. J Page 14/30/2015 Chapter 10 TCP/IP Protocol Suite The function of the TCP/IP protocol stack is to transfer information from.

Cisco 2 - Routers Perrine. J Page 14/30/2015 Chapter 10 TCP/IP Protocol Suite The function of the TCP/IP protocol stack is to transfer information from.
Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.

Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.
Layer 7- Application Layer

Layer 7- Application Layer
Networking Theory (part 2). Internet Architecture The Internet is a worldwide collection of smaller networks that share a common suite of communication.

Networking Theory (part 2). Internet Architecture The Internet is a worldwide collection of smaller networks that share a common suite of communication.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.
Lesson 19 Internet Basics.

Lesson 19 Internet Basics.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.
Chapter Overview TCP/IP Protocols IP Addressing.

Chapter Overview TCP/IP Protocols IP Addressing.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
Process-to-Process Delivery:

Process-to-Process Delivery:
Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.

Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.
Data Communications and Networks

Data Communications and Networks
Forensic and Investigative Accounting

Forensic and Investigative Accounting
Hands-On Microsoft Windows Server 2003 Networking Chapter Three TCP/IP Architecture.

Hands-On Microsoft Windows Server 2003 Networking Chapter Three TCP/IP Architecture.
Lesson 24. Protocols and the OSI Model. Objectives At the end of this Presentation, you will be able to:

Lesson 24. Protocols and the OSI Model. Objectives At the end of this Presentation, you will be able to:
Networking Basics TCP/IP TRANSPORT and APPLICATION LAYER Version 3.0 Cisco Regional Networking Academy.

Networking Basics TCP/IP TRANSPORT and APPLICATION LAYER Version 3.0 Cisco Regional Networking Academy.
 TCP/IP is the communication protocol for the Internet  TCP/IP defines how electronic devices should be connected to the Internet, and how data should.

 TCP/IP is the communication protocol for the Internet  TCP/IP defines how electronic devices should be connected to the Internet, and how data should.
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.

Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 3: TCP/IP Architecture.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 3: TCP/IP Architecture.
Chapter 9.

Chapter 9.

Similar presentations

Ads by Google