Guide to Computer Forensics and Investigations, Second Edition Chapter 12 Network Forensics.

Presentation on theme: "Guide to Computer Forensics and Investigations, Second Edition Chapter 12 Network Forensics."— Presentation transcript:

1 Guide to Computer Forensics and Investigations, Second Edition Chapter 12 Network Forensics

2 Objectives
Understand Internet fundamentals
Understand network basics
Acquire data on a Linux computer

3 Objectives (continued)
Understand network forensics
Understand the use of network tools
Understand the goals of the Honeynet Project

4 Understanding Internet Fundamentals
Internet = collection of networks
Internet protocols for message exchange
 – E-mail
Internet Service Provider (ISP)
 – Internet entry point
 – Username and password
Common software
 – Web browsers and e-mail clients

5 Internet Protocols
Standards and rules
Every computer must observe a protocol
TCP/IP is the default Internet protocol suite
 – TCP: connection-oriented
 – UDP: connectionless
Addressing (IPv4)
 – 32 bits long, divided into four groups of 8 bits (octets)
 – Binary representation

6 Internet Protocols (continued)
Addressing (continued)
 – Dotted quad (205.55.29.170)
 – Several classes (A, B, C, D and E)
Domain Name System (DNS)
 – Translates host names to IP addresses (forward lookup) or IP addresses to names (reverse lookup)

7 Understanding Network Basics
Hardening networks
 – Applying the latest patches
 – Layered network defense strategies (defense in depth)
Protocols
 – TCP/IP
 – IPX/SPX
Network Address Translation (NAT)
 – Translates internal (private) IP addresses to external ones, so the address seen by an outside party is not the host's own

8 Understanding Network Basics (continued)
DHCP
 – Dynamically assigns IP addresses to hosts (an address in a log must be matched to the DHCP lease in effect at that time to identify the host)
Attacks
 – Internal
 – External
 – Early and mid-1990s: roughly 70% internal / 30% external

9 Acquiring Data on Linux Computers
dd command
 – Disk-to-disk copy
 – Disk-to-image file
 – Block-to-block copy
 – Block-to-file copy
 – Copies raw blocks, so the file system does not matter: Ext2fs, Ext3fs, NTFS, FAT, HFS, HPFS
gzip command to compress image files

10 Acquiring Data on Linux Computers (continued)
Linux boot disks
 – Knoppix
 – MandrakeMove
 – Fedora Rescue
 – Gentoo Live
 – F.I.R.E.
 – Penguin Sleuth Kit
 – Tom's Root Boot Kit

11 Acquiring Data on Linux Computers (continued) [figure-only slide; no transcript text]

12 Acquiring Data on Linux Computers (continued) [figure-only slide; no transcript text]

13 Acquiring Data on Linux Computers (continued)
Steps for using dd
 – Boot the PC in Linux
 – Create disk mounting points
 – Mount all disks needed (mount evidence read-only with -o ro; dd itself reads the raw device)
 – Create copies
For multiple volumes (segmented images)
 – Determine the number of bytes per volume
 – Calculate the number of segments you need to create

14 Acquiring Data on Linux Computers (continued) [figure-only slide; no transcript text]

15 Acquiring Data on Linux Computers (continued)
Linux dd script file
 – Input source (if=)
 – Output destination (of=)
 – Block size (bs=)
 – Number of blocks to save (count=)
Hash check the original media before imaging, then compare with the image
 – Linux md5sum command
 – Linux sha1sum command

16 Acquiring Data on Linux Computers (continued)
Image creation script example:
Image restore script example:
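The scripts themselves did not survive the transcript. The following is an added example, not the textbook's own script, that carries the procedure from slides 13 to 16 through end to end: it computes the number of segments from the byte count, images the source with dd into numbered segments, records md5sum and sha1sum of the original media, and verifies and restores the image. The function names (segments_needed, acquire_image, verify_image, restore_image), the evidence file naming, and the constructed 5000-byte source file are assumptions for this example; on real evidence the source would be a write-blocked device such as /dev/sdb.

```shell
#!/bin/bash
# Added example, not from the textbook: image a source with dd in fixed-size
# segments, record md5sum/sha1sum of the original media, then verify and
# restore. Function names, file naming and the demo input are assumptions.
set -eu

# Segments needed for BYTES bytes at BS bytes per block and BLOCKS blocks
# per segment: ceil(BYTES / (BS * BLOCKS)).
segments_needed() {
    bytes=$1; bs=$2; blocks=$3
    seg=$((bs * blocks))
    echo $(( (bytes + seg - 1) / seg ))
}

# acquire_image SRC PREFIX BS BLOCKS
# Writes PREFIX.000, PREFIX.001, ... plus PREFIX.md5 and PREFIX.sha1, which
# hold the hashes of the ORIGINAL media taken before imaging. Prints the
# number of segments written.
acquire_image() {
    src=$1; prefix=$2; bs=$3; blocks=$4
    if [ -b "$src" ]; then
        bytes=$(blockdev --getsize64 "$src")   # real device, e.g. /dev/sdb
    else
        bytes=$(wc -c < "$src")                # regular file (constructed test media)
    fi
    n=$(segments_needed "$bytes" "$bs" "$blocks")
    md5sum  "$src" | cut -d' ' -f1 > "$prefix.md5"
    sha1sum "$src" | cut -d' ' -f1 > "$prefix.sha1"
    i=0
    while [ "$i" -lt "$n" ]; do
        seg=$(printf '%s.%03d' "$prefix" "$i")
        # skip= counts input blocks, so segment i starts at block i*BLOCKS.
        # No conv=noerror,sync here on purpose: padding unreadable blocks
        # changes the image and its hash; for failing media use dcfldd or ddrescue.
        dd if="$src" of="$seg" bs="$bs" count="$blocks" skip=$((i * blocks)) 2>/dev/null
        i=$((i + 1))
    done
    echo "$n"
}

# verify_image PREFIX: succeeds only if the concatenated segments reproduce
# both stored hashes of the original media.
verify_image() {
    prefix=$1
    md5=$(cat "$prefix".[0-9][0-9][0-9] | md5sum | cut -d' ' -f1)
    sha1=$(cat "$prefix".[0-9][0-9][0-9] | sha1sum | cut -d' ' -f1)
    [ "$md5" = "$(cat "$prefix.md5")" ] && [ "$sha1" = "$(cat "$prefix.sha1")" ]
}

# restore_image PREFIX OUT: reassembles the segments, in order, into OUT
# (a file, or a target device when restoring a drive for analysis).
restore_image() {
    cat "$1".[0-9][0-9][0-9] > "$2"
}

# Stand-alone run: ./acquire.sh demo images a constructed 5000-byte file.
demo() {
    work=$(mktemp -d)
    head -c 5000 /dev/urandom > "$work/source.img"       # constructed media
    n=$(acquire_image "$work/source.img" "$work/evidence" 512 4)
    echo "segments written: $n"
    verify_image "$work/evidence" && echo "image hashes match original media"
    restore_image "$work/evidence" "$work/restored.img"
    cmp -s "$work/source.img" "$work/restored.img" && echo "restored image identical"
    rm -rf "$work"
}
case "${1:-}" in demo) demo ;; esac
```

With a 512-byte block size and 4 blocks per segment, the 5000-byte demo source needs three segments (2048 + 2048 + 904 bytes); the third segment is short because dd stops at end of input. Hashing the original before imaging, and again over the reassembled segments, is what lets the image stand in for the media later.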

17 Understanding Network Forensics
Systematic tracking of incoming and outgoing traffic
 – Need to know normal traffic behavior (a baseline) before abnormal traffic can be recognized
Intruders leave traces behind
 – Experienced intruders are harder to trace
Determine the cause of the abnormal traffic
 – Internal bug
 – Attackers

18 Approach to Network Forensics
Long, tedious process
Standard procedure
 – Use a standard image for machines on the network
 – Close any way in after an attack
 – Acquire all compromised drives
 – Make a bit-stream image of the drives
 – Compare the images to the original (known-good) images
 – Optionally, store the images on a server

19 Approach to Network Forensics (continued)
Computer forensics
 – Work from the image to find what has changed
Network forensics
 – Restore drives to understand the attack
Work on an isolated system
 – Prevents malware from affecting other systems

20 Network Logs
Record incoming and outgoing traffic
 – Network servers
 – Routers
 – Firewalls
Tcpdump tool for examining network traffic
 – Top 10 lists (for example, the most active hosts or ports)
 – Patterns (such as one host probing many ports)
Attacks might involve other companies
 – Distributed Denial of Service (DDoS)
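The "top 10 lists" and "patterns" on the slide are what you build once you have tcpdump output in hand. The following is an added example, not part of the textbook, that does both over constructed sample lines in the text form tcpdump prints with -n (the same form `tcpdump -n -r capture.pcap` produces from a saved capture). The function names top_talkers and syn_scanners, the threshold, and the sample traffic are assumptions for this example.

```shell
#!/bin/bash
# Added example, not from the textbook: build a top-N talkers list and flag a
# port-scan pattern from tcpdump -n text output. Sample lines are constructed;
# function names and the threshold are assumptions.
set -eu

# Constructed sample of tcpdump -n output: one host probing five ports on
# 192.168.1.10, one normal HTTP handshake, and one DNS query.
sample_log() {
cat <<'EOF'
12:00:00.000001 IP 10.0.0.5.40001 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 10.0.0.5.40002 > 192.168.1.10.23: Flags [S], seq 2, win 64240, length 0
12:00:00.000003 IP 10.0.0.5.40003 > 192.168.1.10.80: Flags [S], seq 3, win 64240, length 0
12:00:00.000004 IP 10.0.0.5.40004 > 192.168.1.10.443: Flags [S], seq 4, win 64240, length 0
12:00:00.000005 IP 10.0.0.5.40005 > 192.168.1.10.3389: Flags [S], seq 5, win 64240, length 0
12:00:01.000001 IP 192.168.1.20.51000 > 192.168.1.10.80: Flags [S], seq 10, win 64240, length 0
12:00:01.000002 IP 192.168.1.10.80 > 192.168.1.20.51000: Flags [S.], seq 20, ack 11, win 65160, length 0
12:00:01.000003 IP 192.168.1.20.51000 > 192.168.1.10.80: Flags [.], ack 21, win 502, length 0
12:00:01.000004 IP 192.168.1.20.51000 > 192.168.1.10.80: Flags [P.], seq 11:80, ack 21, win 502, length 69: HTTP: GET / HTTP/1.1
12:00:02.000001 IP 192.168.1.30.53222 > 192.168.1.1.53: 12345+ A? example.com. (29)
EOF
}

# top_talkers LOGFILE [N]: packets per source IPv4 address, busiest first.
# In tcpdump -n output field 3 is "src.ip.addr.port"; the first four
# dot-separated parts are the address.
top_talkers() {
    awk '/ IP / {
            split($3, a, ".")
            c[a[1] "." a[2] "." a[3] "." a[4]]++
         }
         END { for (ip in c) print c[ip], ip }' "$1" \
      | sort -rn | head -n "${2:-10}"
}

# syn_scanners LOGFILE THRESHOLD: sources that sent bare SYNs (Flags [S],
# no ACK bit) to at least THRESHOLD distinct destination ports, the
# signature of a port scan. SYN-ACKs print as [S.] and do not match.
syn_scanners() {
    awk -v thr="$2" '/ IP / && /Flags \[S\],/ {
            split($3, a, ".")
            src = a[1] "." a[2] "." a[3] "." a[4]
            d = $5; sub(/:$/, "", d)          # "dst.ip.addr.port:" -> strip colon
            n = split(d, b, "."); port = b[n] # last dotted part is the port
            if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
         }
         END { for (s in ports) if (ports[s] >= thr) print ports[s], s }' "$1" \
      | sort -rn
}

# Stand-alone run: ./netlog.sh demo
demo() {
    f=$(mktemp)
    sample_log > "$f"
    echo "top talkers:"; top_talkers "$f" 10
    echo "SYN scanners (>= 4 distinct ports):"; syn_scanners "$f" 4
    rm -f "$f"
}
case "${1:-}" in demo) demo ;; esac
```

On the sample, 10.0.0.5 tops the talkers list with five packets and is the only source reported by syn_scanners at a threshold of four ports; the host completing a normal three-way handshake to port 80 is not flagged, because one destination port is not a scan. The baseline from slide 17 decides the threshold: a monitoring host that legitimately touches many ports needs a higher one.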

21 Using Network Tools
Sysinternals PsTools suite and companion utilities
 – RegMon shows Registry activity in real time
 – Process Explorer shows what is loaded
 – Handle shows open files and the processes using them
 – PsExec runs processes remotely
 – PsGetSid displays SIDs
 – PsKill kills processes by name or ID

22 Using Network Tools (continued)
PsTools suite (continued)
 – PsList lists details about processes
 – PsLoggedOn shows who is logged on locally and via resource shares
 – PsPasswd changes account passwords
 – PsService controls and views services
 – PsShutdown shuts down and restarts PCs
 – PsSuspend suspends processes

23 Using Network Tools (continued) [figure-only slide; no transcript text]

24 UNIX/Linux Tools
Knoppix-STD tools
 – dcfldd, the dd variant from the U.S. DoD's Defense Computer Forensics Lab (DCFL), adds hashing of the data as it is copied
 – memfetch dumps a running process's memory
 – PhotoRec recovers (carves) deleted files, originally from digital camera media
 – Snort intrusion detection system
 – Oinkmaster helps manage your Snort rules
 – John the Ripper password cracker
 – chntpw resets account passwords on a Windows PC

25 UNIX/Linux Tools (continued)
Knoppix-STD tools (continued)
 – Tcpdump is a packet sniffer
 – Ethereal (since renamed Wireshark) is another packet sniffer
Packet sniffer
 – Device or software that monitors network traffic
 – Most work at layer 2 or 3 of the OSI model

26 UNIX/Linux Tools (continued) [figure-only slide; no transcript text]

27 UNIX/Linux Tools (continued)
The Auditor
 – Based on Knoppix
 – Contains more than 300 tools
   20 for scanning
   10 for network scanning
   Brute-force attack tools
   Bluetooth and wireless tools
   Autopsy and Sleuth Kit
   Word lists with more than 64 million entries

28 Network Sniffers
Operate at layers 2 or 3 of the OSI model
Most tools read and write the PCAP format (libpcap capture files), so a capture from one tool can be analyzed with another
Tools:
 – Tcpdump
 – Tethereal
 – Snort
 – Tcpslice
 – Tcpreplay

29 Network Sniffers (continued)
Tools (continued):
 – Tcpdstat
 – Ngrep
 – Etherape
 – Netdude
 – Argus
 – Ethereal
 – The Auditor (a bootable distribution that bundles these tools, not a sniffer itself)

30 Network Sniffers (continued) [figure-only slide; no transcript text]

31 The Honeynet Project
Attempt to thwart Internet and network hackers
 – Provides information about attack methods
Honeypots
 – Normal-looking computers that lure attackers
Honeywalls
 – Monitor and limit outbound connections, so a compromised honeypot cannot be used to attack other systems
 – Snort-inline intrusion prevention system

32 The Honeynet Project (continued) [figure-only slide; no transcript text]

33 The Honeynet Project (continued)
Its legality has been questioned
 – Data gathered this way cannot be used in court
 – Can be used to learn about attacks
Scan of the Month
 – Monthly challenge contest
 – Good as a learning experience

34 The Honeynet Project (continued) [figure-only slide; no transcript text]

35 Summary
Network forensics tracks down internal and external network intrusions
Most networks today use TCP/IP
Networks must be hardened by using good architecture
Each NOS has its own way of handling security, and you must become familiar with how yours operates

36 Summary (continued)
Tools such as PsTools, Knoppix-STD, and others can be used to monitor what is happening on your network
The Honeynet Project is designed to help people learn the latest intrusion techniques that hackers are using
