Uploaded byPriyanka Aash
Network Forensic Tools & Techniques Workshop
The document is a professional profile of Tamaghna Basu, a senior security engineer and developer specializing in web app security and network penetration testing. It outlines his qualifications, including various certifications, and experience in network forensics, mentioning tools like Wireshark and TCP Dump for packet analysis. The text emphasizes the intricate nature of network forensics and the importance of methodical analysis to uncover hidden data and suspicious activities.
More Related Content
Similar to Network Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques Workshop
- 1.
- 2. $WHOAMI • Senior SecurityEngineer • Developer turned Security Researcher - Web app security and network pen-testing, exploit development and network forensic • OSCP, GCIH, RHCE, CEH, ECSA, Cyber Crime Investigator • Speaker at OWASP, NULLCON, C0C0N, CLUBHACK, ISACA conferences • Winner of NULLCON 2010 “Battle Underground” hacking competition
- 3. • SANS Mentorfor Sec 504: Hacker Techniques, Exploits & Incident handling course, SANS Institute, USA. • Core Member of NULL community – www.null.co.in . Facilitates NULL Bangalore Chapter • Member of - NASSCOM-DSCI, HONEYNET, CLUBHACK, OWASP etc. $WHOAMI
- 4.
- 6. TOO BIG TOCOVER • Difficult to cover every aspect of Network Forensic • So many aspects, features and possibilities • Highly addictive
- 7. TOO LONG TOCOVER
- 8. • A millionthings can go wrong with a computer network - from a simple spyware infection to a complex router configuration error. • Packet level is the most basic level where nothing is hidden. • Understand the network, who is on a network, whom your computer is talking to, What is the network usage, any suspicious communication (DOS , botnet, Intrusion attempt etc.) • Find unsecured and bloated applications – FTP sends clear text authentication data • One phase of computer forensic - could reveal data otherwise hidden somewhere in a 150 GB HDD. WHY PACKET ANALYSIS?
- 9.
- 10.
- 11.
- 12.
- 14. PRE-REQUISITE • An inquisitivemind and sometimes weirder is better
- 15. THERE ALWAYS BEA PROBLEM TO SOLVE
- 16. • Being abit organized helps in long run
- 17. NOW WHAT? Think itlike you are solving a mystery • Where do we start? • What questions to ask? • What tools do we need? • Once you have the traces - what then?
- 18. Capture •Where, How, What,How long Transfer •Hash, split, distribute Analyze •IP, Protocol, Time, Delay, Duration, pattern, graphs, charts, blah… HOW DO WE DO IT?
- 19. CAPTURE • Capture Methods •Wired • Mirror/Monitor/SPAN • Taps • Hubs • ARP poisoning??? • Promiscuous mode • WinPCAP/LibPCAP • Wireless • Rfmon/monitor mode • AirPCap
- 20. WHICH INTERFACE TOCAPTURE
- 21. ALWAYS START WITHTHE NETWORK DETAILS
- 22. MORE QUESTIONS BETTERANALYSIS • Are the servers in the same locations or different • Same subnet, different subnet • Any suspicion - IP Address, Application • When did it start • How and when did it get identified • Why you were there – lack of resource, time, expertise
- 23. WHAT NOT TODO • Do not scroll up and down and try manually reading packets one by one. • Do not capture any and every traffic just for the sake of capturing. • Do not ASSUME. You can have thoughts, suspicions.
- 24. THEN WHAT DOWE DO?
- 25.
- 26.
- 27. STILL NEED REASONS! •Capture Filters • Display Filters • Auto-complete • Red – error, Green – good • Recent usage history
- 28. FILTERS • Create Filterfrom Packet/field • Multiple filter conditioning using “and”, “or”, “not” etc. • Protocol Filtering
- 29. FOLLOW THE STREAMS •TCP • UDP • APP layer • FTP • HTTP • TELNET
- 31. RECONSTRUCT THE CRIMESCENE • Understand the flow • Reconstruct the files • Identify the attacker and victim
- 32. STATISTICS – PROTOCOLHIERARCHY
- 33. STATISTICS – ENDPOINTS
- 34.
- 35.
- 37. REFERENCE • Wireshark Universityby Laura Chappell and Gerald Combs • Sharkfest talks - Betty DuBois on Network Mysteries • Securitytube.net by Vivek Ramchandran • Picture courtesy Google. Not my property.
- 38.