Conferencia FIST, January/Madrid 2008

Sponsored by:

Network Forensics and Lessons Learnt from the July 07 London Attacks

Geoff Harris
Alderbridge Consulting Ltd
geoff.harris@alderbridge.com
www.alderbridge.com
0044 1423 321900
About the Author

Background in Military Communications Design
CEO Alderbridge Consulting, formed 1997
ISSA-UK President
UK Government CLAS Consultant
CISSP, ITPC, BSc, DipEE, C.Eng
Early Firewall Adoption
DMZs & De-Perimeterisation
An early Intrusion Prevention System – Is IDS dead?
Forensics – fingerprints & DNA

Edward Henry, appointed Assistant Commissioner of Police at New Scotland Yard, began to introduce his fingerprint system. The first British court conviction by fingerprints was in 1902.
11 March 2004 – Madrid Train Bombings

10 explosions on 4 commuter trains (cercanías), killing 191 people and wounding 1,755
7 July 2005 – London

3 tube explosions and 1 bus explosion

Entire London Underground system shut down
Post 7 July 2005 – London Investigations

12 July 2005: Identified three suspects from CCTV footage, a missing person's report and documents found in the debris at each bomb site. Luton railway station is closed as police investigate a car parked there and believed to be associated with the suspects caught on CCTV cameras.
The Dummy Run

“Police trawl through 80,000 CCTV tapes”

“Ten weeks after the attacks, CCTV footage was released of three of the bombers setting out on a "practice run".

Mohammad Sidique Khan, Germaine Lindsay and Shehzad Tanweer - but not Hasib Hussain - met at Luton station at around 0810 BST on June 28.
The Dummy Run

Video cameras showed them buying tickets before they boarded a train to King's Cross, where they arrived at 0855 and made their way to the Underground network. Police said they were seen at Baker Street at midday before they returned to King's Cross at 1250, arriving back in Luton 50 minutes later.”
Detecting The IT Network Attack

• Firewall logs
• System logs
• IDS – host IDS & network IDS
• Correlation of events – SEM tools

Management overhead – MSS
Hiding In The Noise

• The slow scan
• Random ports – random port hopping
• Trojan/covert channels over well-used ports
• The outgoing IRC, HTTP, HTTPS threat
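The slow scan and random port hopping listed under "Hiding In The Noise" defeat a per-minute rate rule, and the event correlation the deck attributes to SEM tools is what surfaces them. The following is an added example, not code from the presentation or from Alderbridge Consulting: it parses a constructed, simplified firewall deny-log format and flags any source that touches many distinct ports on one destination, first over a one-minute window and then over a 24-hour window. The log format, the function names and the sample addresses are assumptions of the example.

```python
"""Long-window correlation of firewall DENY events to surface a slow scan.

Added example, not from the original deck. The log line format is a
constructed simplification:  <ISO timestamp> DENY <src> -> <dst>:<dport>/<proto>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+)/(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed DENY line, or None so junk lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def scanning_sources(events, window, min_ports):
    """Flag sources touching >= min_ports distinct ports on one destination
    within any sliding window of length `window` (events need not be sorted)."""
    flagged = set()
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dport) inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[(ev["src"], ev["dst"])]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:  # evict events older than the window
            q.popleft()
        if len({port for _, port in q}) >= min_ports:
            flagged.add(ev["src"])
    return flagged


def burst_scan_sources(events):
    """Classic short-window rule: 10 distinct ports within one minute."""
    return scanning_sources(events, timedelta(minutes=1), 10)


def slow_scan_sources(events):
    """Long-window rule: the same count, but over 24 hours."""
    return scanning_sources(events, timedelta(hours=24), 10)


def build_sample_log():
    """Constructed sample: background denies, one burst scan, one slow port-hopping scan."""
    base = datetime(2008, 1, 15, 0, 0, 0)
    lines = []
    for i, (src, port) in enumerate([("10.1.1.5", 445), ("10.1.1.5", 139), ("10.2.0.9", 23)]):
        lines.append(f"{(base + timedelta(hours=i)).isoformat()} DENY {src} -> 192.0.2.10:{port}/tcp")
    # burst scan: 12 ports within 22 seconds from one source
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        ts = base + timedelta(hours=3, seconds=2 * i)
        lines.append(f"{ts.isoformat()} DENY 198.51.100.4 -> 192.0.2.10:{port}/tcp")
    # slow scan: 12 random-looking ports, one probe every 37 minutes (about 7 hours in total)
    for i, port in enumerate([8080, 1433, 5900, 22, 3306, 161, 6667, 443, 2049, 1521, 8443, 23]):
        ts = base + timedelta(hours=4, minutes=37 * i)
        lines.append(f"{ts.isoformat()} DENY 203.0.113.7 -> 192.0.2.10:{port}/tcp")
    lines.append("unparsable line that the correlator must skip")
    return lines


def analyse(lines):
    """Run both rules over raw log lines; returns {'burst': set, 'slow': set}."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {"burst": burst_scan_sources(events), "slow": slow_scan_sources(events)}


if __name__ == "__main__":
    result = analyse(build_sample_log())
    print("1-minute rule flags :", sorted(result["burst"]))  # only the burst scanner
    print("24-hour rule flags  :", sorted(result["slow"]))   # burst and slow scanner
```

The same long-window count is also what catches port hopping, because it keys on distinct ports rather than on repeated hits to one port.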
“Network CCTV” as a Forensic Tool

[Diagram: Site A and Site B connected over a WAN, with points of interception for passive network sniffing marked on the links.]

Commonly used existing sniffing products:
• Microsoft Net Mon
• NAI Sniffer
• Ethereal

Problem – the ability to capture the moment of attack at the right time and understand what led up to the attack
“Network CCTV” as a Forensic Tool

For the IDS & Network CCTV – NIKSUN NetDetector
Other products such as NetIntercept
“Network CCTV” as a Forensic Tool

[Diagram: proposed deployment across Manchester, Leeds and London HQ, linked by a WAN and to the Internet through FW1 firewalls. London HQ hosts a Web Server, Mail Server and VPN Gateway; a Stealth Monitoring LAN (RESTRICTED) with a Central Security Server on a Security LAN (RESTRICTED); and Trusted LAN (UNCLASSIFIED) and Trusted LAN (RESTRICTED) segments with their servers. Legend: Network IDS Sensor; Proposed Network Recorder.]
Hiding In The Noise
Network Packet Decode
Summary

• CCTV in the UK has been highly successful
• Social issues – invasion of privacy
• “Network CCTV” is very powerful as a forensic tool
• Employee and citizen rights here too
• Threat to corporate and government networks due to terrorism and espionage continues to grow
Creative Commons Attribution-ShareAlike 2.0

You are free:
• to copy, distribute, display, and perform this work
• to make commercial use of this work

Under the following conditions:

Attribution. You must give the original author credit.

Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.

For any reuse or distribution, you must make clear to others the license terms of this work.

Any of these conditions can be waived if you get permission from the author.

Your fair use and other rights are in no way affected by the above.

This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
www.fistconference.org – with the sponsorship of:


Editor's Notes

1. For most organisations, assets are divided into critical and non-critical.