Summary: Network Forensics

Week 1

Computer vs Network Forensics

Computer Forensics

• Data does not change much during daily usage
• Evidence is contained within the file system
• Easy to perform a forensically sound acquisition
• Seizing one or several computers would not have a deep impact on the business

Network Forensics

• Data changes constantly
• Evidence sometimes exists only in RAM
• Most network devices do not have non-volatile storage
• Taking network devices would be problematic

Week 2

Source of Network-based Evidence

•On the wire
•In the Air
•Switches
•Routers
•DHCP Server
•DNS Server
•Authentication Server
•NIDS/NIPS
•Firewalls
•Web Proxies
•Application Server
•Centralized Log Server
•Modem

Week 3

Goal of Evidence Acquisition

Best possible outcome:

• Perfect-fidelity evidence
• Zero impact on the network environment
• Preserve the evidence (evidence custody)

The outcome above is impossible to achieve in a real environment. Reality:

• Not possible to achieve a zero-footprint investigation
• Must use best practices to minimize the investigative footprint
• Verify evidence authenticity with cryptographic checksums

Physical Interception:

Capturing or sniffing packets: passive packet acquisition as data is transmitted normally over the wire

Inline Network Tapping

• Layer 1 device
• Inserted between two physically connected devices
• Minor data disruption while installing the network tap
• Potential point of failure
• Physically replicates copies of the traffic to a separate port or ports
• Common to have four ports
• Two connected inline to allow normal traffic to pass
• Two sniffing ports that mirror traffic (one for each direction of data flow)
• High-end taps have load-balancing for intrusion detection

Week 4

NIDS/NIPS vs HIDS/HIPS

• Intrusion detection, prevention and analysis
  • HID(P)S – host-based intrusion detection (prevention) systems
  • NID(P)S – network-based intrusion detection (prevention) systems
• Functionality
• Modes of detection
• Types of NIDS/NIPS
• Evidence acquisition
  • Packet logging
• Systems – Snort
• Modes of Detection
  • Signature-based analysis
  • Protocol analysis
  • Behavioral analysis

Week 5

Log Sources

• OS Logs
  • Windows – Event Logs
  • Linux – Syslog
• Application Logs
  • SMTP logs
  • Web server logs
  • Access logs
• Physical device logs
  • Camera logs
  • UPS logs
• Network Equipment Logs
  • Router logs
  • Switch logs

Week 6

Enable Centralized Logging on the Server (1/2)

• Log in to the log server as root
• Edit the file /etc/rsyslog.conf
• Find the lines below:

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

• Uncomment those lines so they become:

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

imudp stands for input module UDP

imtcp stands for input module TCP

Enabling these modules opens port 514/udp and 514/tcp for incoming log data from other machines.

Save /etc/rsyslog.conf and then restart the rsyslog service by typing: service rsyslog restart
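The Week 6 change as a script, added here as an example that is not part of the original notes: it uncomments the four imudp/imtcp lines in whatever rsyslog.conf path it is given and counts the active reception lines, so the edit can be tried on a constructed copy before touching the real file. It assumes the stock Debian/Ubuntu comment layout shown above.

```shell
#!/bin/sh
# Added example (not from the original notes): apply and verify the
# rsyslog reception change on a copy of rsyslog.conf.

# Write a constructed sample of the stock commented-out reception block.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/rsyslog.conf, not a real server's file
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
EOF
}

# Uncomment the imudp/imtcp module and input lines in the given file.
# Only the four exact lines from the notes are touched; other comments stay.
enable_syslog_reception() {
    conf="$1"
    sed -e 's/^#\(module(load="imudp")\)/\1/' \
        -e 's/^#\(input(type="imudp" port="514")\)/\1/' \
        -e 's/^#\(module(load="imtcp")\)/\1/' \
        -e 's/^#\(input(type="imtcp" port="514")\)/\1/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Count active (uncommented) reception lines: 0 before the change, 4 after.
count_active_inputs() {
    grep -c -E '^(module\(load="im(udp|tcp)"\)|input\(type="im(udp|tcp)" port="514"\))' "$1" || true
}

# Stand-alone run on a temporary copy (never touches the real config).
sample=$(mktemp)
make_sample_conf "$sample"
enable_syslog_reception "$sample"
echo "active reception lines: $(count_active_inputs "$sample")"
rm -f "$sample"
```

On the real server, run enable_syslog_reception against /etc/rsyslog.conf, restart with service rsyslog restart, and confirm with ss -lnu and ss -lnt that port 514 is now listening; since anything that can reach that port can inject log lines, the listener should be reachable only from the hosts expected to send logs.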

Week 7

Trends in Malware Evolution

• Botnets

• Encryption and Obfuscation

• Distributed Command-and-Control Systems

• Automatic Self-Updates

• Metamorphic Network Behavior

• Blending Network Activity

• Fast-Flux DNS

• Advanced Persistent Threat (APT)
