Hands-On Network Forensics
eBook - ePub

Hands-On Network Forensics

Investigate network attacks and find evidence using common network forensic tools

  1. 358 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Gain basic skills in network forensics and learn how to apply them effectively

Key Features

  • Investigate network threats with ease
  • Practice forensics tasks such as intrusion detection, network analysis, and scanning
  • Learn forensics investigation at the network level

Book Description

Network forensics is a subset of digital forensics that deals with network attacks and their investigation. In an era of constant network attacks and malware, the skills needed to investigate network attacks and vulnerabilities are more important than ever.

Hands-On Network Forensics starts with the core concepts within network forensics, including coding, networking, forensics tools, and methodologies for forensic investigations. You'll then explore the tools used for network forensics, followed by understanding how to apply those tools to a PCAP file and write the accompanying report. In addition to this, you will understand how statistical flow analysis, network enumeration, tunneling and encryption, and malware detection can be used to investigate your network. Towards the end of this book, you will discover how network correlation works and how to bring all the information from different types of network devices together.

By the end of this book, you will have gained hands-on experience of performing forensics analysis tasks.

What you will learn

  • Discover and interpret encrypted traffic
  • Learn about various protocols
  • Understand how malware communicates over the wire
  • Gain insights into the most widely used malware
  • Correlate data collected from attacks
  • Develop tools and custom scripts for network forensics automation

Who this book is for

The book targets incident responders, network engineers, analysts, forensic engineers, and network administrators who want to move beyond surface knowledge to a deep understanding of the science behind network protocols, the critical indicators in an incident, and how to conduct a forensic search over the wire.

Hands-On Network Forensics is by Nipun Jaswal and is catalogued under Computer Science & Computer Networking.


Section 1: Obtaining the Evidence

This section focuses on the basics of network forensics while covering essential concepts, tools, and techniques involved in executing a network forensic investigation.
The following chapters will be covered in this section:
  • Chapter 1, Introducing Network Forensics
  • Chapter 2, Technical Concepts and Acquiring Evidence

Introducing Network Forensics

Network forensics is a sub-branch of digital forensics in which the data being analyzed is the network traffic going to and from the system under observation. The purposes of this kind of observation include collecting information, obtaining legal evidence, establishing the root cause of an event, and analyzing malware behavior. Professionals familiar with digital forensics and incident response (DFIR) know that even the most careful suspects leave traces and artifacts behind. Traditional forensics, however, generally centers on imaging the memory and hard drives of systems for later analysis. So, how does network forensics come into the picture, and why do we need to perform it at all? The answer is relatively simple.
Let's consider a scenario where you are hunting for some unknown attackers in a massive corporate infrastructure containing thousands of systems. In such a case, it would be practically impossible to image and analyze every system. The following two scenarios would also be problematic:
  • Instances where the disk drives may not be available
  • Cases where the attack is in progress, and you may not want to tip off the attackers
Whenever an intrusion or a digital crime happens over the wire, whether it was successful or not, the artifacts left behind can help us understand and recreate not only the intent of the attack, but also the actions performed by the attackers.
If the attack was successful, what did the attackers do on the system, and what happened next? Most severe attacks, such as advanced persistent threats (APTs), ransomware, and espionage campaigns, begin with a single unauthorized entry into a network and then evolve into a long-term operation that continues until the attackers' goals are met. Throughout that period, the information flowing in and out of the network passes through many different devices, such as routers, firewalls, hubs, switches, and web proxies, each of which can retain artifacts. Our goal is to identify and analyze all of these artifacts. Throughout this chapter, we will discuss the following:
  • Network forensics methodology
  • Sources of evidence
  • A few necessary case studies demonstrating hands-on network forensics

Technical requirements

To perform the exercises covered in this chapter, you will require the following:
  • A laptop/desktop computer with an i5/i7 processor or any other equivalent AMD processor with at least 8 GB RAM and around 100 GB of free space.
  • VMware Player/VirtualBox installation with Kali OS installed. You can download it from https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/.
  • Installing Wireshark on Windows: https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallWinInstall.html.
  • Netcat From Kali Linux (already installed).
  • Download NetworkMiner from https://www.netresec.com/?page=Networkminer.
  • The PCAP files for this chapter, downloaded from https://github.com/nipunjaswal/networkforensics/tree/master/Ch1.
Every investigation requires a precise methodology. We will discuss the popular network forensics methodology used widely across the industry in the next section.
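The exercises in this chapter apply Wireshark and NetworkMiner to the PCAP files listed above. As an added example (not the book's code), the following Python script shows what those tools do underneath: it reads a classic libpcap file using only the standard library, dissects the Ethernet, IPv4, TCP and UDP headers, groups packets into bidirectional flows, and orders them into the first-seen timeline an investigator builds at the start of a case, marking which side opened each TCP session. The capture it parses is constructed inside the script (addresses from RFC 1918 and the TEST-NET-3 documentation range, zero-filled payloads), so it runs offline; the function and variable names (parse_pcap, summarize_flows, SAMPLE_PCAP, and so on) are the example's own.

```python
# Added example (not the book's code): read a classic .pcap (not pcapng) with the
# standard library alone and turn its IPv4 TCP/UDP packets into a per-flow timeline.
import struct

PCAP_MAGICS = {  # magic bytes -> (struct byte order, divisor for the timestamp fraction)
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000), b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000), b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}
LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for every record in a pcap byte string."""
    if data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (bad magic)")
    endian, ts_div = PCAP_MAGICS[data[:4]]
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record: keep what parsed cleanly
        off += 16 + incl_len
        yield ts_sec + ts_frac / ts_div, frame

def dissect(frame):
    """Return (proto, src, sport, dst, dport, tcp_flags, payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None  # ARP, IPv6, VLAN-tagged frames, etc. are out of scope here
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:total_len]  # slicing to total_len drops any Ethernet trailer padding
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        return "TCP", src, sport, dst, dport, l4[13], l4[(l4[12] >> 4) * 4:]
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return "UDP", src, sport, dst, dport, None, l4[8:]
    return None

def summarize_flows(data):
    """Aggregate packets into bidirectional flows keyed by (proto, endpoint_a, endpoint_b)."""
    flows = {}
    for ts, frame in parse_pcap(data):
        d = dissect(frame)
        if d is None:
            continue
        proto, src, sport, dst, dport, flags, payload = d
        a, b = (src, sport), (dst, dport)
        f = flows.setdefault((proto,) + tuple(sorted((a, b))), {"first": ts, "last": ts,
                             "packets": 0, "bytes": 0, "syn": False, "initiator": a})
        f["last"], f["packets"], f["bytes"] = ts, f["packets"] + 1, f["bytes"] + len(payload)
        if proto == "TCP" and (flags & 0x12) == 0x02:  # SYN without ACK identifies the client
            f["syn"], f["initiator"] = True, a
    return flows

def timeline(flows):
    """One line per flow, ordered by first-seen time: who talked to whom, when, and how much."""
    rows = []
    for (proto, ep_a, ep_b), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        init = f["initiator"]
        peer = ep_b if init == ep_a else ep_a
        rows.append(f"{f['first']:.6f} {proto} {init[0]}:{init[1]} -> {peer[0]}:{peer[1]} "
                    f"pkts={f['packets']} bytes={f['bytes']} dur={f['last'] - f['first']:.3f}s"
                    + (" syn" if f["syn"] else ""))
    return rows

# --- constructed sample capture, not real traffic ---------------------------------
def make_frame(proto, src, sport, dst, dport, payload=b"", tcp_flags=0x18):
    """Build an Ethernet/IPv4/{TCP,UDP} frame; checksums stay zero (dissect() ignores them)."""
    ip4 = lambda s: bytes(int(x) for x in s.split("."))
    if proto == "TCP":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64,
                     6 if proto == "TCP" else 17, 0, ip4(src), ip4(dst))
    return bytes(12) + b"\x08\x00" + ip + l4  # zeroed MAC addresses, ethertype IPv4

def build_pcap(records):
    """Serialize (timestamp, frame) pairs as a little-endian, microsecond-resolution pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

CLIENT, RESOLVER, SERVER = "10.0.0.5", "10.0.0.1", "203.0.113.10"  # RFC 1918 and TEST-NET-3
SAMPLE_PCAP = build_pcap([  # a DNS exchange, then a TCP/443 session opened by the client
    (1600000000.000100, make_frame("UDP", CLIENT, 51000, RESOLVER, 53, bytes(12))),
    (1600000000.004000, make_frame("UDP", RESOLVER, 53, CLIENT, 51000, bytes(24))),
    (1600000000.010000, make_frame("TCP", CLIENT, 40001, SERVER, 443, tcp_flags=0x02)),
    (1600000000.050000, make_frame("TCP", SERVER, 443, CLIENT, 40001, tcp_flags=0x12)),
    (1600000000.051000, make_frame("TCP", CLIENT, 40001, SERVER, 443, bytes(64))),
    (1600000002.500000, make_frame("TCP", SERVER, 443, CLIENT, 40001, bytes(16))),
])

if __name__ == "__main__":
    for row in timeline(summarize_flows(SAMPLE_PCAP)):
        print(row)
```

To run it against one of the chapter's captures, pass the file's bytes to summarize_flows() instead of SAMPLE_PCAP. Two caveats matter in practice: recent Wireshark versions save in pcapng by default, which this reader deliberately rejects (convert with Wireshark's Save As or editcap -F pcap first), and the SYN-without-ACK rule only identifies the client when the capture includes the handshake; for a session already in progress when capture started, the first packet seen is taken as the initiator, which may be wrong.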

Network forensics investigation methodology

To ensure accurate and meaningful results at the end of a network forensic exercise, you, as a forensic investigator, must follow a disciplined path through a methodological framework. This path is shown in the following diagram:
Obtain, Strategize, Collect, Analyze, and Report (OSCAR) is one such framework; following it produces appropriate and consistent results. Let's look at each phase from a network forensics point of view:
  • Obtain information: Obtaining information about the incident and the environment is one of the first things to do in a network forensics exercise. The goal of this phase is to familiarize a forensic investigator with the type of incident. The timestamps and timeline of the event, the people, systems, and endpoints involved in the incident—all of these facts are crucial in building up a detailed picture of the event.
  • Strategize: Planning the investigation is one of the most critical phases in a network forensics scenario, because evidence sources differ widely in nature and volatility; for example, a host's ARP cache is far more volatile than log entries on a firewall, so it must be captured first or not at all. A good strategy shapes the overall outcome of the investigation. Therefore, keep the following points in mind while strategizing the entire forensic investigation process:
    • Define clear goals and timelines
    • Find the sources of evidence
    • Analyze the cost and value of the sources
    • Prioritize acquisition
    • Plan timely upd...

Table of contents

  1. Title Page
  2. Copyright and Credits
  3. Dedication
  4. About Packt
  5. Contributors
  6. Preface
  7. Section 1: Obtaining the Evidence
  8. Introducing Network Forensics
  9. Technical Concepts and Acquiring Evidence
  10. Section 2: The Key Concepts
  11. Deep Packet Inspection
  12. Statistical Flow Analysis
  13. Combatting Tunneling and Encryption
  14. Section 3: Conducting Network Forensics
  15. Investigating Good, Known, and Ugly Malware
  16. Investigating C2 Servers
  17. Investigating and Analyzing Logs
  18. WLAN Forensics
  19. Automated Evidence Aggregation and Analysis
  20. Other Books You May Enjoy
  21. Assessments