Network Forensics

Read more

Intensively hands-on training for real-world network forensics
 
Network Forensics provides a uniquely practical guide for IT and law enforcement professionals seeking a deeper understanding of cybersecurity. This book is hands-on all the way--by dissecting packets, you gain fundamental knowledge that only comes from experience. Real packet captures and log files demonstrate network traffic investigation, and the learn-by-doing approach relates the essential skills that traditional forensics investigators may not have. From network packet analysis to host artifacts to log analysis and beyond, this book emphasizes the critical techniques that bring evidence to light.
 
Network forensics is a growing field, and is becoming increasingly central to law enforcement as cybercrime becomes more and more sophisticated. This book provides an unprecedented level of hands-on training to give investigators the skills they need.
* Investigate packet captures to examine network communications
* Locate host-based artifacts and analyze network logs
* Understand intrusion detection systems--and let them do the legwork
* Have the right architecture and systems in place ahead of an incident
 
Network data is always changing, and is never saved in one place; an investigator must understand how to examine data over time, which involves specialized skills that go above and beyond memory, mobile, or data forensics. Whether you're preparing for a security certification or just seeking deeper training for a law enforcement or IT role, you can only learn so much from concept; to thoroughly understand something, you need to do it. Network Forensics provides intensive hands-on practice with direct translation to real-world application.

List of contents

Introduction xxi
 
1 Introduction to Network Forensics 1
 
What Is Forensics? 3
 
Handling Evidence 4
 
Cryptographic Hashes 5
 
Chain of Custody 8
 
Incident Response 8
 
The Need for Network Forensic Practitioners 10
 
Summary 11
 
References 12
 
2 Networking Basics 13
 
Protocols 14
 
Open Systems Interconnection (OSI) Model 16
 
TCP/IP Protocol Suite 18
 
Protocol Data Units 19
 
Request for Comments 20
 
Internet Registries 23
 
Internet Protocol and Addressing 25
 
Internet Protocol Addresses 28
 
Internet Control Message Protocol (ICMP) 31
 
Internet Protocol Version 6 (IPv6) 31
 
Transmission Control Protocol (TCP) 33
 
Connection-Oriented Transport 36
 
User Datagram Protocol (UDP) 38
 
Connectionless Transport 39
 
Ports 40
 
Domain Name System 42
 
Support Protocols (DHCP) 46
 
Support Protocols (ARP) 48
 
Summary 49
 
References 51
 
3 Host-Side Artifacts 53
 
Services 54
 
Connections 60
 
Tools 62
 
netstat 63
 
nbstat 66
 
ifconfi g/ipconfi g 68
 
Sysinternals 69
 
ntop 73
 
Task Manager/Resource Monitor 75
 
ARP 77
 
/proc Filesystem 78
 
Summary 79
 
4 Packet Capture and Analysis 81
 
Capturing Packets 82
 
Tcpdump/Tshark 84
 
Wireshark 89
 
Taps 91
 
Port Spanning 93
 
ARP Spoofi ng 94
 
Passive Scanning 96
 
Packet Analysis with Wireshark 98
 
Packet Decoding 98
 
Filtering 101
 
Statistics 102
 
Following Streams 105
 
Gathering Files 106
 
Network Miner 108
 
Summary 110
 
5 Attack Types 113
 
Denial of Service Attacks 114
 
SYN Floods 115
 
Malformed Packets 118
 
UDP Floods 122
 
Amplifi cation Attacks 124
 
Distributed Attacks 126
 
Backscatter 128
 
Vulnerability Exploits 130
 
Insider Threats 132
 
Evasion 134
 
Application Attacks 136
 
Summary 140
 
6 Location Awareness 143
 
Time Zones 144
 
Using whois 147
 
Traceroute 150
 
Geolocation 153
 
Location-Based Services 156
 
WiFi Positioning 157
 
Summary 158
 
7 Preparing for Attacks 159
 
NetFlow 160
 
Logging 165
 
Syslog 166
 
Windows Event Logs 171
 
Firewall Logs 173
 
Router and Switch Logs 177
 
Log Servers and Monitors 178
 
Antivirus 180
 
Incident Response Preparation 181
 
Google Rapid Response 182
 
Commercial Offerings 182
 
Security Information and Event Management 183
 
Summary 185
 
8 Intrusion Detection Systems 187
 
Detection Styles 188
 
Signature-Based 188
 
Heuristic 189
 
Host-Based versus Network-Based 190
 
Snort 191
 
Suricata and Sagan 201
 
Bro 203
 
Tripwire 205
 
OSSEC 206
 
Architecture 206
 
Alerting 207
 
Summary 208
 
9 Using Firewall and Application Logs 211
 
Syslog 212
 
Centralized Logging 216
 
Reading Log Messages 220
 
LogWatch 222
 
Event Viewer 224
 
Querying Event Logs 227
 
Clearing Event Logs 231
 
Firewall Logs 233
 
Proxy Logs 236
 

About the author

RIC MESSIER has been program director for various cyber-security and computer forensics programs at Champlain College. A veteran of the networking and computer security field since the early 1980s, he has worked at large Internet service providers and small software companies. He has been responsible for the development of numerous course materials, has served on incident response teams, and has been consulted on forensic investigations for large companies.

Summary

Intensively hands-on training for real-world network forensics Network Forensics provides a uniquely practical guide for IT and law enforcement professionals seeking a deeper understanding of cybersecurity.