The document is an introduction to network forensics presented by Laura Chappell at the SHARKFEST '08 conference from March 31 to April 2, 2008. It discusses case studies of network intrusions including a company being locked out on Thanksgiving from a foreign country and examining unusual network traffic to identify data leaks. It also covers topics like where to find evidence of reconnaissance like port scans and OS fingerprinting, evidence of attacks like unusual connection pairs, and reviewing peculiar traffic patterns in trace files to identify infections. The document recommends resources for network forensic signatures and provides information on obtaining Laura's Lab Kit v9 with sample packet captures and
1. An Introduction to
Network Forensics
Identifying Reconnaissance and Attack
Processes on the Network
Laura Chappell
Founder | Wireshark University
SHARKFEST '08
Foothill College
March 31 - April 2, 2008
2. Case Studies
1. Company servers ‘locked down’ on Thanksgiving morning; traffic paths indicate a tunnel into the network from a foreign country
2. Network traffic to and from the compromised host revealed a back-channel and the propagator of the malicious code
3. Excessive outbound traffic alerted the staff to a possible data leak; examination of the data flow and the target confirmed the leak
4. Unique peer-to-peer data flow prompted the IT team to investigate; the investigation revealed improper network use, but no security leak
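Each of the case studies above starts from a traffic pattern that stood out: sessions coming into the network from outside (case 1), one host sending far more than it receives (case 3), and two internal hosts exchanging bulk traffic with each other (case 4). The script below is an added example, not part of the slides or of any Wireshark University material; it shows how those three patterns can be pulled out of flow records that were summarised from a trace. The flow records, the 10.1.0.0/16 internal range, the allowlist of expected internal service ports and the byte thresholds are all constructed assumptions and would be replaced by the real values from the network being examined.

```python
"""Flow-level triage for the indicators in the case studies above.

Added example, not part of Laura Chappell's slides. It runs on constructed
flow records summarised from a trace; the thresholds are assumptions and
would be tuned to the network being examined.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the internal address space of this constructed network.
INTERNAL = ip_network("10.1.0.0/16")

# Constructed sample flows: (src, dst, dst_port, bytes_out, bytes_in),
# where bytes_out is what src sent and bytes_in is what src received.
SAMPLE_FLOWS = [
    ("10.1.0.5",      "203.0.113.10",  443,  1_200,       45_000),     # ordinary browsing
    ("10.1.0.5",      "203.0.113.11",  443,  900,         30_000),
    ("10.1.0.3",      "203.0.113.50",  80,   2_000,       60_000),
    ("10.1.0.7",      "198.51.100.20", 22,   850_000_000, 12_000),     # bulk upload (case 3)
    ("10.1.0.7",      "198.51.100.20", 22,   420_000_000, 9_000),
    ("10.1.0.9",      "10.1.0.12",     6881, 5_000_000,   4_800_000),  # internal pair (case 4)
    ("10.1.0.12",     "10.1.0.9",      6881, 4_900_000,   5_100_000),
    ("198.51.100.77", "10.1.0.20",     22,   3_000,       250_000),    # inbound session (case 1)
]


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def per_host_volume(flows):
    """Sum bytes sent and received per internal source host."""
    vol = defaultdict(lambda: [0, 0])
    for src, _dst, _port, out_b, in_b in flows:
        if is_internal(src):
            vol[src][0] += out_b
            vol[src][1] += in_b
    return vol


def excessive_outbound(flows, min_bytes=100_000_000, min_ratio=10.0):
    """Case 3: internal hosts sending far more than they receive.
    Returns (host, bytes_out, out/in ratio) tuples; both thresholds are assumptions."""
    hits = []
    for host, (out_b, in_b) in per_host_volume(flows).items():
        ratio = out_b / max(in_b, 1)
        if out_b >= min_bytes and ratio >= min_ratio:
            hits.append((host, out_b, round(ratio, 1)))
    return sorted(hits)


def peer_to_peer_pairs(flows, min_bytes=1_000_000,
                       expected_ports=frozenset({53, 88, 135, 139, 389, 445, 3389})):
    """Case 4: internal-to-internal pairs moving bulk traffic on a port outside
    the services expected between workstations and servers (assumed allowlist).
    Returns ((low_ip, high_ip), total_bytes) tuples."""
    pairs = defaultdict(int)
    for src, dst, port, out_b, in_b in flows:
        if is_internal(src) and is_internal(dst) and port not in expected_ports:
            low, high = sorted((src, dst), key=ip_address)  # direction-independent key
            pairs[(low, high)] += out_b + in_b
    return sorted((pair, total) for pair, total in pairs.items() if total >= min_bytes)


def inbound_from_external(flows):
    """Case 1: sessions initiated from outside the internal space toward an
    internal host; a tunnel into the network shows up as one of these pairs."""
    return sorted({(src, dst, port) for src, dst, port, _o, _i in flows
                   if not is_internal(src) and is_internal(dst)})


def triage(flows):
    """Run all three checks and return their findings keyed by indicator name."""
    return {
        "excessive_outbound": excessive_outbound(flows),
        "peer_to_peer_pairs": peer_to_peer_pairs(flows),
        "inbound_from_external": inbound_from_external(flows),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_FLOWS).items():
        print(f"{name}: {hits}")
```

Each check only points at where to look in the trace: the host with the lopsided byte ratio, the internal pair on an unexpected port, or the externally initiated session. Confirming what the traffic actually is, as the case studies describe, still means opening those conversations in the analyzer and following the streams.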