File000140
Published in: Technology

Transcript

  • 1. Module XXVII – Investigating Network Traffic
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
    News: Internet Traffic Begins to Bypass the U.S. (Source: http://www.nytimes.com/)
  • 3. News: TCP Flooder Program Released for Free (Source: http://www.mxlogic.com/)
  • 4. Scenario
    Jessica had been missing from her home for a week. She had left a note for her father saying that she was going to meet a school friend. A few weeks later, Jessica's body was found near a dumping yard. Investigators were called in to solve the mystery surrounding her death. A preliminary investigation of Jessica's computer and its logs revealed facts that helped the police trace the killer.
  • 5. Module Objective
    This module will familiarize you with:
    • Overview of Network Protocols
    • Overview of the Physical and Data-Link Layers of the OSI Model
    • Overview of the Network and Transport Layers of the OSI Model
    • Types of Network Attacks
    • Why Investigate Network Traffic?
    • Evidence Gathering via Sniffing
    • Tools
    • Documenting the Evidence Gathered on a Network
    • Evidence Reconstruction for Investigation
  • 6. Module Flow
    Overview of Network Protocols -> Overview of the Physical and Data-Link Layers of the OSI Model -> Overview of the Network and Transport Layers of the OSI Model -> Types of Network Attacks -> Why Investigate Network Traffic? -> Evidence Gathering via Sniffing -> Tools -> Documenting the Evidence Gathered on a Network -> Evidence Reconstruction for Investigation
  • 7. Network Addressing Schemes
    There are two types of network addressing schemes:
    LAN Addressing
    • Each node in a LAN has a MAC address that is factory-programmed into its NIC
    • Data packets are addressed either to one of the nodes or to all of the nodes
    Internet Addressing
    • The Internet is a collection of LANs and/or other networks that are connected with routers
    • Each network has a unique address and each node on the network has a unique address, so an Internet address is a combination of the network and node addresses
    • IP is responsible for network-layer addressing in the TCP/IP protocol suite
  • 8. OSI Reference Model (diagram)
  • 9. Overview of Network Protocols
    Data Unit   Layer          Function                                          Protocols
    Host layers
    Data        Application    Network process to application                    HTTP, SMTP, NNTP, TELNET, FTP, NMP, TFTP
    Data        Presentation   Data representation and encryption
    Data        Session        Interhost communication
    Segments    Transport      End-to-end connections and reliability            UDP, TCP
    Media layers
    Packets     Network        Path determination and logical addressing (IP)    ARP, RARP, ICMP, IGMP, IP
    Frames      Data Link      Physical addressing (MAC & LLC)                   PPP, SLIP
    Bits        Physical       Media, signal and binary transmission
  • 10. TCP/IP Protocol (diagram)
  • 11. Overview of the Physical and Data-Link Layers of the OSI Model
    Physical layer:
    • It transmits data bits over a physical channel
    • It defines a set of rules that physical devices and interfaces on a network must follow for data transmission to take place
    Data-link layer:
    • It controls transmission errors by adding a trailer to the end of the data frame
  • 12. Overview of the Network and Transport Layers of the OSI Model
    Network layer:
    • It is responsible for sending information from the source to a destination address across various links
    • It adds the logical addresses of the sender and receiver to the header of the data packet
    Transport layer:
    • It ensures the integrity and order of the message sent by the source to its destination
    • It also handles error control and flow control in the transmission
  • 13. Types of Network Attacks
    • IP Spoofing
    • Router attacks
    • Eavesdropping
    • Denial of service
    • Man-in-the-Middle Attack
    • Sniffer Attack
    • Data Modification
  • 14. Why Investigate Network Traffic
    • To locate suspicious network traffic
    • To know who is generating the troublesome traffic, and where the traffic is being transmitted to or received from
    • To identify network problems
  • 15. Evidence Gathering via Sniffing
    A sniffer is computer software or hardware that can intercept and log traffic passing over a digital network or part of a network
    Sniffers, which put NICs in promiscuous mode, are used to collect digital evidence at the physical layer
    SPANned ports and hardware taps help with sniffing in a switched network
    Sniffers collect traffic from the network and transport layers as well as from the physical and data-link layers
    Investigators should configure sniffers for the size of frames to be captured
  • 16. Acquiring Traffic Using DNS Poisoning Techniques
    DNS poisoning is a technique that tricks a DNS server into believing it has received authentic information when, in reality, it has not
    It is the substitution of a false Internet provider address at the domain name service level (i.e., where web addresses are converted into numeric Internet provider addresses)
    Types of DNS Poisoning:
    • Intranet DNS Spoofing (Local network)
    • Internet DNS Spoofing (Remote network)
    • Proxy Server DNS Poisoning
    • DNS Cache Poisoning
  • 17. Intranet DNS Spoofing (Local Network)
    For this technique, you must be connected to the local area network (LAN) and be able to sniff packets
    Works well against switches with ARP poisoning of the router
    Diagram: Router, IP 10.0.0.254; Rebecca's machine, IP 10.0.0.3; Hacker's machine, IP 10.0.0.5; real website www.xsecurity.com, IP 200.0.0.45
    • Rebecca types www.xsecurity.com in her web browser
    • DNS request: What is the IP address of www.xsecurity.com?
    • Hacker runs arpspoof/dnsspoof for www.xsecurity.com and sets up a fake website www.xsecurity.com
    • Hacker poisons the router and all the router traffic is forwarded to his machine
    • Hacker's fake website sniffs the credentials and redirects the request to the real website
  • 18. Internet DNS Spoofing (Remote Network)
    Send a Trojan to Rebecca's machine and change her DNS IP address to that of the attacker
    Works across networks. Easy to set up and implement
    Diagram: Hacker runs a DNS server in Russia, IP 200.0.0.2; fake website, IP 65.0.0.2; real website www.xsecurity.com, IP 200.0.0.45
    • Hacker infects Rebecca's computer by changing her DNS IP address to 200.0.0.2
    • Rebecca types www.xsecurity.com in her web browser
    • Hacker's fake website sniffs the credentials and redirects the request to the real website
  • 19. Internet DNS Spoofing
    Steps to redirect all the DNS request traffic from a host machine to you:
    1. Set up a fake website on your computer
    2. Install treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk will make you the DNS server
    3. Modify the file dns-spoofing.bat and replace the IP address with your IP address
    4. Trojanize the dns-spoofing.bat file and send it to Jessica (ex: chess.exe)
    5. When the host clicks the trojaned file, it will replace Jessica's DNS entry in her TCP/IP properties with that of your machine
    6. You will become the DNS server for Jessica and her DNS requests will go through you
    7. When Jessica connects to XSECURITY.com, she resolves to the fake XSECURITY website; you sniff the password and send her to the real website
  • 20. Proxy Server DNS Poisoning
    Send a Trojan to Rebecca's machine and change her proxy server settings in Internet Explorer to that of the attacker
    Works across networks. Easy to set up and implement
    Diagram: Hacker runs a proxy server in Russia, IP 200.0.0.2; fake website, IP 65.0.0.2; real website www.xsecurity.com, IP 200.0.0.45
    • Hacker infects Rebecca's computer by changing her IE proxy address to 200.0.0.2
    • Rebecca types www.xsecurity.com in her web browser
    • Hacker sends Rebecca's request to the fake website
    • Hacker's fake website sniffs the credentials and redirects the request to the real website
  • 21. DNS Cache Poisoning
    To perform a cache poisoning attack, the attacker exploits a flaw in the DNS server software that makes it accept incorrect information
    If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, it will end up caching the incorrect entries locally and serving them to users that make the same request
    • For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls
    • He then creates fake entries for files on the server he controls with names matching those on the target server
  • 22. Evidence Gathering from the ARP Table
    The MAC address, part of the data-link layer, is associated with the system hardware
    The ARP table of a router comes in handy for investigating network attacks, as the table contains the IP addresses associated with the respective MAC addresses
    The ARP table can be displayed with the arp -a command at the Windows command prompt (C:\> arp -a)
  • 23. Evidence Gathering at the Data-Link Layer: DHCP Database
    The DHCP database determines the MAC addresses associated with the computer in custody
    The DHCP server maintains a list of recent queries along with the MAC address and IP address
    Documentation of the ARP table is done by:
    • Photographing the computer screen
    • Taking a screenshot of the table and saving it on disk
    • Using the HyperTerminal logging facility
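As an added example, not part of the EC-Council module, the following Python parses a constructed Windows arp -a listing, flags a unicast MAC that answers for more than one IP (the condition to look for when ARP poisoning of the router, as described on slide 17, is suspected), compares the gateway entry against a documented MAC, and produces the who/where/integrity-hash record that the documentation slides call for. All addresses, the collector name and the host name are constructed.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of Windows "arp -a" output (not captured from a real host).
# 192.168.1.1 (the gateway) and 192.168.1.20 share one physical address, which
# is the pattern this analysis flags for follow-up.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.30          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

_IFACE_RE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)")
_ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(dynamic|static)\s*$"
)


@dataclass(frozen=True)
class ArpEntry:
    interface: str   # local interface the entry was learned on
    ip: str
    mac: str         # normalised to lower case, dash-separated
    kind: str        # "dynamic" or "static"


def parse_arp_table(text: str) -> List[ArpEntry]:
    """Parse the text of "arp -a" into entries, tracking the current interface."""
    entries: List[ArpEntry] = []
    iface = "unknown"
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(ArpEntry(iface, m.group(1), m.group(2).lower(), m.group(3)))
    return entries


def is_group_mac(mac: str) -> bool:
    """Broadcast/multicast MACs have the I/G bit (low bit of the first octet) set;
    they legitimately map to many IPs and are excluded from the check."""
    return int(mac[:2], 16) & 1 == 1


def find_shared_macs(entries: List[ArpEntry]) -> Dict[str, List[str]]:
    """Return unicast MACs that several IPs map to. One host answering for the
    gateway's IP as well as its own is consistent with ARP poisoning of the
    router and is worth documenting and checking against a baseline."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if not is_group_mac(e.mac):
            by_mac[e.mac].append(e.ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(entries: List[ArpEntry], gateway_ip: str,
                  expected_mac: str) -> Tuple[bool, bool]:
    """(present, matches): whether the gateway IP is in the table and whether its
    MAC equals the one recorded in the network documentation."""
    for e in entries:
        if e.ip == gateway_ip:
            return True, e.mac == expected_mac.lower()
    return False, False


def evidence_record(raw_text: str, collector: str, source_host: str) -> dict:
    """Documentation stub for the captured table: who collected it, from where,
    how many entries, and a SHA-256 over the raw text for later integrity checks."""
    return {
        "collector": collector,
        "source_host": source_host,
        "entries": len(parse_arp_table(raw_text)),
        "sha256": hashlib.sha256(raw_text.encode("utf-8")).hexdigest(),
    }
```

A shared MAC is a lead, not proof: proxy-ARP routers and some clustering setups also answer for several IPs, so the finding should be compared with the DHCP log and the documented gateway MAC before conclusions are drawn.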
  • 24. Screenshot: DHCP Log
  • 25. Gathering Evidence by IDS
    An IDS can be configured to capture the network traffic and generate alerts
    Output of networking devices such as routers and firewalls can be recorded through a serial cable using the Windows HyperTerminal program or a UNIX script
    If the amount of information to be captured is huge, record the on-screen events using a video camera or a comparable software program
  • 26. Traffic Capturing and Analysis Tools
  • 27. Tool: Tcpdump
    http://www.tcpdump.org/
    Tcpdump is a powerful tool that allows you to sniff network packets and perform statistical analysis of these dumps
    It operates by putting the network card into promiscuous mode
    It may be used to measure response time and packet loss percentages, and to view TCP/UDP connection establishment and termination
    A Tcpdump report consists of:
    • Captured packet count
    • Received packet count
    • "dropped by kernel" packet count
    It supports the following platforms:
    • SunOS 3.x or 4.x, Solaris, HP-UX, IRIX, Linux, Ultrix and Digital UNIX, BSD
  • 28. Screenshot: Tcpdump
  • 29. Tool: Windump
    http://www.winpcap.org/
    WinDump is a version of tcpdump for the Windows platform
    Commands for saving the captured data packets using WinDump as a sniffer:
    • C:\> windump -w filename.dmp
      The packets are stored on the C drive under the given filename. The packets can be analyzed by using a notepad
    • C:\> windump -w filename.dmp -s 65535
      The above command specifies the size of the Ethernet packet to be captured (-s sets the snapshot length in bytes)
  • 30. Tool: Windump (cont'd)
    http://www.winpcap.org/
    Sample output of WinDump:
    20:50:00.037087 IP (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 > 64.12.24.42.5190: P [tcp sum ok] 157351:157357(6) ack 2475757024 win 8767 (DF)
    The above entry can be deciphered as:
    • timestamp: 20:50:00.037087
    • IP [protocol header]: tos 0x0, ttl 128, id 2572, len 46
    • source IP.port: 192.168.2.24.1036
    • destination IP.port: 64.12.24.42.5190
    • P [push flag], [tcp sum ok] (TCP checksum verified)
    • 157351:157357 [sequence numbers], (6) [bytes of data]
    • ack 2475757024 [acknowledgement number]
    • win 8767 [window size], (DF) [don't fragment set]
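As an added example, not from the module or from the tcpdump/WinDump projects, this Python parser splits summary lines in the older format shown above into the fields just listed, then groups lines by connection so that establishment (S), data transfer and termination (F) can be read off per flow, which is the use slide 27 describes. The surrounding session lines are constructed around the slide's own line; the regex targets that specific text format, not the binary files windump -w writes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Regex for the older tcpdump/WinDump TCP summary format shown on the slide
# (timestamp, IP header fields, endpoints, flags, seq range, ack, win, DF).
# Written for this example; tcpdump's output has changed across versions.
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"\(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<len>\d+)\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)"
    r"(?: \[tcp sum (?P<cksum>ok|bad)\])?"
    r"(?: (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<nbytes>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
    r"(?: <[^>]*>)?"          # TCP options such as <mss 1460,...> are skipped
    r"(?: \((?P<df>DF)\))?"
)


@dataclass
class TcpSummary:
    timestamp: str
    tos: int
    ttl: int
    ip_id: int
    ip_len: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                    # tcpdump flag letters: S, F, P, R, or "." for none
    checksum_ok: Optional[bool]   # None when "[tcp sum ...]" is absent from the line
    seq_start: Optional[int]
    seq_end: Optional[int]
    payload_bytes: int
    ack: Optional[int]
    window: Optional[int]
    dont_fragment: bool


def parse_line(line: str) -> TcpSummary:
    """Split one summary line into the fields the slide walks through."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    g = m.groupdict()

    def opt_int(key: str) -> Optional[int]:
        return int(g[key]) if g[key] is not None else None

    return TcpSummary(
        timestamp=g["ts"], tos=int(g["tos"], 16), ttl=int(g["ttl"]),
        ip_id=int(g["id"]), ip_len=int(g["len"]),
        src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        flags=g["flags"],
        checksum_ok=None if g["cksum"] is None else g["cksum"] == "ok",
        seq_start=opt_int("seq_start"), seq_end=opt_int("seq_end"),
        payload_bytes=opt_int("nbytes") or 0,
        ack=opt_int("ack"), window=opt_int("win"),
        dont_fragment=g["df"] is not None,
    )


# Constructed sample session around the slide's own line (third entry):
# client SYN, server SYN/ACK, client data push, server reply, client FIN.
SAMPLE_LINES = [
    "20:49:59.901234 IP (tos 0x0, ttl 128, id 2570, len 48) 192.168.2.24.1036 > 64.12.24.42.5190: "
    "S [tcp sum ok] 157350:157350(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    "20:49:59.980001 IP (tos 0x0, ttl 52, id 9001, len 44) 64.12.24.42.5190 > 192.168.2.24.1036: "
    "S [tcp sum ok] 2475757023:2475757023(0) ack 157351 win 16384 <mss 1460>",
    "20:50:00.037087 IP (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 > 64.12.24.42.5190: "
    "P [tcp sum ok] 157351:157357(6) ack 2475757024 win 8767 (DF)",
    "20:50:00.120000 IP (tos 0x0, ttl 52, id 9002, len 60) 64.12.24.42.5190 > 192.168.2.24.1036: "
    "P [tcp sum ok] 2475757024:2475757044(20) ack 157357 win 16384",
    "20:50:05.000000 IP (tos 0x0, ttl 128, id 2580, len 40) 192.168.2.24.1036 > 64.12.24.42.5190: "
    "F [tcp sum ok] 157357:157357(0) ack 2475757044 win 8747 (DF)",
]


def summarize_connections(lines: List[str]) -> Dict[tuple, dict]:
    """Group lines by connection regardless of direction and tally payload bytes,
    first/last timestamps and the flags seen, so establishment (S) and
    termination (F or R) can be read off per connection."""
    conns: Dict[tuple, dict] = {}
    for line in lines:
        if not line.strip():
            continue
        p = parse_line(line)
        key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        c = conns.setdefault(key, {"first": p.timestamp, "last": p.timestamp,
                                   "bytes": 0, "flags": set()})
        c["last"] = p.timestamp
        c["bytes"] += p.payload_bytes
        c["flags"].update(p.flags.replace(".", ""))  # "." means no flags set
    return conns
```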
  • 31. Screenshot: Windump
  • 32. Tool: NetIntercept
    http://www.sandstorm.net
    NetIntercept captures and archives network traffic, so you can analyze problems as soon as they are detected
    It correlates user sessions and reconstructs files transmitted or received over the network, giving you immediate evidence of misbehavior
    Using NetIntercept, you can discover security breaches, points of regulatory non-compliance, and network problems, and shift your focus from finding problems to fixing them
  • 33. Screenshot: NetIntercept
  • 34. Tool: Wireshark
    http://www.wireshark.org/
    Wireshark is a network protocol analyzer for UNIX and Windows
    It allows users to examine data from a live network or from a capture file stored on disk
    The user can interactively browse the captured data, viewing summary and detailed information for each captured packet
  • 35. Screenshot: Wireshark
  • 36. Traffic Capturing and Analysis Tools
    • CommView monitors network activity and is capable of capturing and analyzing packets on any Ethernet network
    • SoftPerfect Network Sniffer is a network protocol analyzer or sniffer
  • 37. Traffic Capturing and Analysis Tools (cont'd)
    • HttpDetect (EffeTech HTTP Sniffer) is an HTTP sniffer, packet analyzer, content rebuilder and HTTP traffic monitor
    • EtherDetect Packet Sniffer is a connection-oriented packet sniffer and protocol analyzer
  • 38. Traffic Capturing and Analysis Tools (cont'd)
    • OmniPeek Workgroup is a full-featured, stand-alone network forensic analysis tool
    • Iris Network Traffic Analyzer is a vulnerability forensics solution used for network traffic analysis and reporting
  • 39. Traffic Capturing and Analysis Tools (cont'd)
    • SmartSniff is a TCP/IP packet capture program that allows you to inspect the network traffic that passes through the network adapter
    • NetSetMan allows you to quickly switch between pre-configured network settings
  • 40. Traffic Capturing and Analysis Tools (cont'd)
    • Distinct Network Monitor displays live network traffic statistics
    • MaaTec Network Analyzer is a tool used for capturing, saving, and analyzing network traffic
  • 41. Traffic Capturing and Analysis Tools (cont'd)
    • Ntop is a network traffic probe that shows network usage on the user's terminal
    • EtherApe displays network activity graphically, featuring link layer, IP, and TCP modes
  • 42. Traffic Capturing and Analysis Tools (cont'd)
    • Colasoft Capsa Network Analyzer is a TCP/IP network sniffer and analyzer that offers real-time monitoring and analysis of network traffic
    • Colasoft EtherLook efficiently monitors real-time network traffic flowing around the local network and to/from the Internet
  • 43. Traffic Capturing and Analysis Tools (cont'd)
    • AnalogX PacketMon allows you to capture IP packets that pass through the network interface, whether they originate from the machine on which PacketMon is installed or from a completely different machine on the network
    • BillSniff is a network protocol analyzer (sniffer) that provides detailed information about the current traffic, as well as overall protocol statistics
  • 44. Traffic Capturing and Analysis Tools (cont'd)
    • IE HTTP Analyzer is an add-in for Internet Explorer that allows you to capture HTTP/HTTPS traffic in real time
    • EtherDetect Packet Sniffer captures and groups all network traffic and allows you to view real-time details for each packet, as well as its content
  • 45. Traffic Capturing and Analysis Tools (cont'd)
    • EtherScan Analyzer captures and analyzes packets on the local network
    • Sniphere is a WinPcap-based network sniffer that supports most of the common protocols
  • 46. Traffic Capturing and Analysis Tools (cont'd)
    • IP Sniffer is a protocol analyzer that supports filtering rules, adapter selection, packet decoding, advanced protocol description, etc.
    • Atelier Web Ports Traffic Analyzer is a network traffic sniffer and logger that allows you to monitor all Internet and network traffic on your PC and view the actual content of the packets
  • 47. Traffic Capturing and Analysis Tools (cont'd)
    • IPgrab is a verbose packet sniffer for UNIX hosts
    • Nagios is a host and service monitor designed to run under the Linux operating system
  • 48. Traffic Capturing and Analysis Tools (cont'd)
    • Give Me Too is an affordable packet sniffer, network analyzer, and network sniffer that plugs into computer networks and monitors any Internet and e-mail activity that occurs in them
    • Sniff-O-Matic is a network protocol analyzer and packet sniffer that captures network traffic and enables you to analyze the data
  • 49. EtherSnoop
    http://www.arechisoft.com/
    EtherSnoop is a network sniffer designed for capturing and analyzing the packets going through the network
    It captures the data passing through your dial-up connection or Ethernet network card, analyzes the data, and presents it in a readable form
  • 50. GPRS Network Sniffer: Nokia LIG
    The Nokia LIG sniffs GPRS traffic
    It provides a precise solution for constructing a GPRS interception system
    It is sold only to law enforcement agencies
    The architecture of the implementation comprises:
    • Lawful Interception Controller (LIC)
    • Lawful Interception Browser (LIB)
    • Lawful Interception Extension (LIE)
  • 51. GPRS Network Sniffer: Nokia LIG (cont'd)
  • 52. Siemens Monitoring Center
    http://networks.siemens.com/
    When it comes to fighting crime and thwarting terrorist attacks, law enforcement and government security agencies need the right tools to get results and fulfill their mandate
    Therefore, state-of-the-art monitoring center solutions are a must for lawful interception (LI)
    The Siemens Monitoring Center (MC) has been specifically developed to fulfill the complex needs of law enforcement agencies worldwide
    More than 90 Monitoring Center solutions have been installed by Siemens Voice and Data Recording (VDR) in over 60 countries
    The VDR system intercepts voice, data, GPRS traffic, cell, e-mail messages, and encrypted data
    It is sold only to law enforcement agencies
  • 53. Siemens Monitoring Center (cont'd)
    Universal Monitoring Center concept for all monitoring requirements within telecommunication networks:
    • Fixed networks: PSTN (local and international exchanges)
    • Mobile networks: GSM, GPRS, and UMTS
    • Next Generation Networks (NGN)
    • IP networks (local loop, ISP, and Internet backbone)
    • Automatic correlation of content of communication to IRI
  • 54. Siemens Monitoring Center (cont'd)
    • Mono and stereo, optionally compressed, voice recording
    • Full duplex/no compression recording for data demodulation (fax, Internet, e-mails, etc.)
    • Customized add-on applications
    • Centralized or distributed Monitoring Center (Monitoring Center-to-go)
    • Scalable and adaptable to customer requirements
    • Joint roadmap for upcoming telecommunications technology Monitoring Center (UMTS, NGN, ETSI-Internet)
  • 55. Screenshot: Siemens Monitoring Center
  • 56. NetWitness® Investigator
    http://www.netwitness.com/
    It provides security operations staff, auditors, and fraud and forensics investigators the power to perform free-form contextual analysis of raw network data
    Features:
    • SSL decryption (with server certificate)
    • Interactive time charts and summary view
    • Interactive packet view and decode
    • Hash pcap on export
    • Enhanced content views
    • Real-time analytics
    • Extensive network and application layer filtering (e.g. MAC, IP, user, keywords, etc.)
    • IPv6 support
    • Captures live from any wired or wireless interface
    • Full content search, with regex support
    • Exports data in .pcap format
    • Imports packets from any open-source, home-grown and commercial packet capture system (e.g. .pcap file import)
    • Bookmarking and history tracking
    • Integrated GeoIP for resolving IP addresses to city/country, supporting Google Earth visualization
  • 57. Screenshot: NetWitness® Investigator
  • 58. NetWitness® Informer
    http://www.netwitness.com/
    NetWitness® Informer provides detailed reporting, charting and alerting on network performance, insider threats, data leakage, compliance monitoring, IT asset misuse, hacker activities, and a host of other threats
    Features:
    • Predefined report rules, categories and templates
    • Flexible, WYSIWYG drag-and-drop report builder and scheduling engine
    • Fully customizable, XML-based rules and report library for infinite report and alert combinations
    • Live charting for a real-time dashboard of activity
    • Full role-based access controls
    • Supports CEF, SNMP, syslog, SMTP data push
    Report examples:
    • Security: profile and alert on zero-day, botnet, DYN, DNS and intrusion activity with complete content
    • Compliance: audit network-based components of policies and regulations such as FISMA, HIPAA, ISO 1779, SOX, GLB, and PCI standards
    • IT Operations: report and chart across application and network layer metrics
    • Business Intelligence: profile sensitive data flow in real time with total access to all events and content surrounding suspect activity
    • Insider Threat: monitor and profile computer, user, and resource activity across every application and device
    • Legal: support e-Discovery, criminal investigations, or liability audits through network entity profiling and analysis
  • 59. Screenshot: NetWitness® Informer
  • 60. NetResident
    http://www.tamos.com/
    NetResident is a network content monitoring program that captures, stores, analyzes, and reconstructs network events such as e-mail messages, web pages, downloaded files, instant messages, and VoIP conversations
  • 61. nGenius InfiniStream
    http://www.netscout.com/
    InfiniStream, combined with NetScout analysis and reporting solutions, provides the critical KPI-to-flow-to-packet top-down workflow needed to quickly and efficiently detect, diagnose and verify the resolution of elusive and intermittent IT service problems
    NetScout's real-time analysis and packet recording minimizes mean time to resolution by:
    • Eliminating the need to sift through numerous packet trace files to find specific network or link behavior
    • Alleviating the need to wait for an issue to reoccur, by utilizing continuous packet capture and playback to view the packets associated with an issue
    • Mining the recorded data in an efficient, flexible and logical methodology to reveal issues much faster and meet the challenges of the modern IP network
    • Delivering the post-event forensic analysis necessary to diagnose problems quickly and minimize the impact on the end user
  • 62. Screenshot: InfiniStream Console
  • 63. eTrust Network Forensics
    http://www3.ca.com/
    eTrust Network Forensics captures raw network data and uses advanced forensics analysis to identify how business assets are affected by network exploits, internal data theft, and security or HR policy violations
    Its patented technology allows IT and security staff to visualize the network's activity, uncover anomalous traffic, and investigate breaches with a single, convenient solution
    • Powerful forensic analysis: links network data with security alerts
    • Holistic view of network element dependencies through a knowledge base
    • Quickly discovers network anomalies or trouble spots
    • Effectively visualizes communications in interactive 2D graphs
    • Enhances existing security investments with graphical reports
  • 64. Screenshot: eTrust Network Forensics
  • 65. ProDiscover Investigator
    http://www.techpathways.com/
    ProDiscover Investigator investigates disk content throughout the network
    It checks for illegal activity or for compliance with company policy, and gathers evidence for potential use in legal proceedings
  • 66. P2 Enterprise Shuttle (P2EES)
    http://www.paraben-enterprise.com/
    P2EES is an enterprise investigation tool that views, acquires, and searches client data wherever it resides in an enterprise
    It checks the main communications which pass through the system, as well as the routers and firewalls
    It acts as the central repository for all forensic images collected and is integrated with MySQL
  • 67. Screenshot: P2 Enterprise Shuttle
  • 68. Show Traffic
    http://demosten.com/
    Show Traffic monitors network traffic on the chosen network interface and displays it continuously
    It locates suspicious network traffic or evaluates the current utilization of the network interface
  • 69. Network Probe
    http://objectplanet.com/
    Network Probe identifies the cause of problems in the network traffic
    It shows who is generating the troublesome traffic, and where the traffic is being transmitted to or received from
  • 70. Snort Intrusion Detection System
    http://snort.org/
    Snort is a versatile, lightweight, and useful intrusion detection system
    Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format, to log directories that are named based on the IP address of the foreign host
    Plug-ins allow the detection and reporting subsystems to be extended
    Available plug-ins include database logging, small fragment detection, portscan detection, and HTTP URI normalization
  • 71. Snort IDS Placement (diagram showing the sensor's position relative to the firewall)
  • 72. IDS Policy Manager
    http://www.activeworx.org
    IDS Policy Manager has been the de facto standard for managing Snort rules on Windows. You can create Snort rules graphically
  • 73. Documenting the Evidence Gathered on a Network
    If the network logs are small, you can take a print-out and attest it
    Document the evidence gathering process by recording:
    • The name of the person who collected the evidence, and from where it was collected
    • The procedure used to collect the evidence and the reason for collecting it
    The process of documenting digital evidence on a network becomes more complex when the evidence is gathered from systems at remote locations
  • 74. Evidence Reconstruction for Investigation
    Gathering evidence trails on a network is cumbersome for the following reasons:
    • Evidence is not static and is not concentrated at a single point on the network
    • The variety of hardware and software found on the network makes the evidence gathering process more difficult
    Three fundamentals of reconstruction for investigating crime are:
    • Temporal analysis: helps to identify the time and sequence of events
    • Relational analysis: helps to identify the link between the suspect and the victim with respect to the crime
    • Functional analysis: helps to identify the events that triggered the crime
  • 75. Summary
    • There are two types of network addressing schemes: LAN addressing and internetwork addressing
    • A sniffer is computer software or hardware that can intercept and log traffic passing over a digital network or part of a network
    • The ARP table of a router comes in handy for investigating network attacks, as the table contains the IP addresses associated with the respective MAC addresses
    • The DHCP server maintains a list of recent queries along with the MAC address and IP address
    • An IDS can be configured to capture network traffic when an alert is generated