Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Published byHanna Cantrell Modified over 9 years ago

Similar presentations

Presentation on theme: "Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain."— Presentation transcript:

1 Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain how an attack was carried out or how an event occurred on a network Intruders leave trail behind Determine the cause of the abnormal traffic –Internal bug –Attackers

2 Guide to Computer Forensics and Investigations2 Securing a Network Layered network defense strategy –Sets up layers of protection to hide the most valuable data at the innermost part of the network Defense in depth (DiD) –Similar approach developed by the NSA –Modes of protection People Technology Operations

3 Guide to Computer Forensics and Investigations3 Securing a Network (continued) Testing networks is as important as testing servers You need to be up to date on the latest methods intruders use to infiltrate networks –As well as methods internal employees use to sabotage networks

4 Guide to Computer Forensics and Investigations4 Developing Standard Procedures for Network Forensics Long, tedious process Standard procedure –Always use a standard installation image for systems on a network –Close any way in after an attack –Attempt to retrieve all volatile data –Acquire all compromised drives –Compare files on the forensic image to the original installation image

5 Guide to Computer Forensics and Investigations5 Developing Standard Procedures for Network Forensics (continued) Computer forensics –Work from the image to find what has changed Network forensics –Restore drives to understand attack Work on an isolated system –Prevents malware from affecting other systems

6 Guide to Computer Forensics and Investigations6 Reviewing Network Logs Record ingoing and outgoing traffic –Network servers –Routers –Firewalls Tcpdump tool for examining network traffic –Can generate top 10 lists –Can identify patterns Attacks might include other companies –Do not reveal information discovered about other companies

7 Guide to Computer Forensics and Investigations7 Using Network Tools Sysinternals –A collection of free tools for examining Windows products Examples of the Sysinternals tools: –RegMon shows Registry data in real time –Process Explorer shows what is loaded –Handle shows open files and processes using them –Filemon shows file system activity

8 Guide to Computer Forensics and Investigations8 Using Packet Sniffers Packet sniffers –Devices or software that monitor network traffic –Most work at layer 2 or 3 of the OSI model Most tools follow the PCAP format Some packets can be identified by examining the flags in their TCP headers Tools –Tcpdump,Tethereal, wireshark

9 9 OSI Model

10 Guide to Computer Forensics and Investigations10 Using Packet Sniffers (continued)

11 Guide to Computer Forensics and Investigations11 Using Packet Sniffers (continued) Tools (continued) –Snort –Tcpslice –Tcpreplay –Tcpdstat –Ngrep –Etherape –Netdude –Argus –Ethereal

12 Guide to Computer Forensics and Investigations12 Using Packet Sniffers (continued)

13 Guide to Computer Forensics and Investigations13 Examining the Honeynet Project Attempt to thwart Internet and network hackers –Provides information about attacks methods Objectives are awareness, information, and tools Distributed denial-of-service (DDoS) attacks –A recent major threat –Hundreds or even thousands of machines (zombies) can be used

14 Guide to Computer Forensics and Investigations14 Examining the Honeynet Project (continued) Zero day attacks –Another major threat –Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available Honeypot –Normal looking computer that lures attackers to it Honeywalls –Monitor what’s happening to honeypots on your network and record what attackers are doing

15 Guide to Computer Forensics and Investigations15 Examining the Honeynet Project (continued) Its legality has been questioned –Cannot be used in court –Can be used to learn about attacks Manuka Project –Used the Honeynet Project’s principles To create a usable database for students to examine compromised honeypots Honeynet Challenges –You can try to ascertain what an attacker did and then post your results online

Download ppt "Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain."

Similar presentations

Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
Guide to Computer Forensics and Investigations Fourth Edition Chapter 11 Virtual Machines, Network Forensics, and Live Acquisitions.

Guide to Computer Forensics and Investigations Fourth Edition Chapter 11 Virtual Machines, Network Forensics, and Live Acquisitions.
Guide to Computer Forensics and Investigations Fourth Edition Chapter 11 Virtual Machines, Network Forensics, and Live Acquisitions.

Guide to Computer Forensics and Investigations Fourth Edition Chapter 11 Virtual Machines, Network Forensics, and Live Acquisitions.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.

Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Honeypots Margaret Asami. What are honeypots ? an intrusion detection mechanism entices intruders to attack and eventually take over the system, while.

Honeypots Margaret Asami. What are honeypots ? an intrusion detection mechanism entices intruders to attack and eventually take over the system, while.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.

Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.

Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.
COS 413 Day 20. Agenda Assignment 6 is posted –Due Nov 7 (Chap 11 & 12) LAB 7 write-up due tomorrow Lab 8 in OMS tomorrow –Hands-on project 11-1 through.

COS 413 Day 20. Agenda Assignment 6 is posted –Due Nov 7 (Chap 11 & 12) LAB 7 write-up due tomorrow Lab 8 in OMS tomorrow –Hands-on project 11-1 through.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Recovering and Examining Computer Forensic Evidence Noblett, Pollit, & Presley Forensic Science Communications October 2000 (Cited by 13 according to Google.

Recovering and Examining Computer Forensic Evidence Noblett, Pollit, & Presley Forensic Science Communications October 2000 (Cited by 13 according to Google.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager

Similar presentations

Ads by Google