PURDUE UNIVERSITY

TECSUP
NETWORK
FORENSICS

AN INTRODUCTION 7.11.2013
Jake Kambic
M.S. Student CNIT Cyber Forensics / Network Security
PREFACE
THE BASICS AND BACKGROUND
WHO AM I?
AND WHY SHOULD YOU LISTEN TO ME?





OVERVIEW
PURPOSE

Today’s lessons are intended to give you an introduction to elementary and intermediate
techniques in network forensics.
We are only scratching the surface, but it should be rewarding.

Please stop me at any time to ask questions, or ask me to slow down!
OVERVIEW (CONT’D)
TOPICS
What is DFIR?
What is Network Forensics?
Digital Forensics vs. Incident Response
The Forensic Process (Abridged)
Quick Review: General Forensics
Quick Review: Fundamental Computing
Quick Review: Networking
Where does potential evidence exist?
What evidence are we looking for?
Environment Factors
Anti-Network Forensics
Acquisition
Wireshark Basics
Analysis
  • Exercise 1: Capturing browser traffic
  • Exercise 2: Ann and the Apple TV
  • Exercise 3: 10 Minutes of Internet
  • Exercise 4: Bad Actors and Bad Habits
WHAT IS DFIR?
Digital Forensics – More accurately Forensic Cybernetics

Forensic – “pertaining to or suitable for courts of law”
Cybernetics – “The field of study concerned with communication and control systems
in living organisms and machines.”
Cyber Forensics is then the investigation of the man-machine interface to a degree of
integrity and certainty that is suitable for a court of law.
Incident Response – the preparation and response to an emergency / emergent threat
DIGITAL FORENSICS VS. INCIDENT RESPONSE
Cyber Forensics                                   | Incident Response
--------------------------------------------------|---------------------------------------------------
Sub-discipline of law                             | Sub-discipline of disaster recovery
“Post-mortem”                                     | Post or concurrent to incident
Typically independent analysis                    | Working closely with IT to control situation
Must adhere to rules of evidence                  | Must only be as reliable as necessary to
[federal, Daubert, etc.]                          | determine a course of action
End Goal: determine sequence of events, attest.   | End Goal: determine threat extent, mitigate threat
DF V. IR (CONT’D)
WHY HIGHLIGHT THESE DISTINCTIONS?

We are going to speak today about techniques from the
perspective of a Forensic Investigator.

However, the transient nature of network forensics means
that, many times, it is not possible to perform an acquisition
of evidence that adheres to current standards of evidence.
In this capacity, we will also look at things relevant to IR.
THE FORENSIC PROCESS (ABRIDGED)
THE QUICK AND DIRTY RUNDOWN

Remember the 3 A’s: Acquire, Analyze, Attest.
Today we will be discussing acquisition and analysis techniques for network forensics.

Acquire
• Document All Steps
• Establish Chain of Custody
• Authenticate Acquisition

Analyze
• Document All Steps
• Follow a repeatable, explainable process
• Seek independence/exculpatory evidence

Attest
• Report Documented Findings
• Back Assertions with Evidence
• Inter-subjective conclusions
QUICK REVIEW: GENERAL FORENSICS
LIGHTNING TALKS

Locard’s Principle of Exchange – “the perpetrator of a crime will bring
something into the crime scene and leave with something from it.”
This holds true in cyber forensics as well.

The change, or what is left, may be lower than we typically look
(disturbing of electrons) and may be temporal, but in the majority of
incidents if you have been called in as an investigator, then there is
already suspicion of malign activity that careful yet rapid acquisition will
reveal.
QUICK REVIEW: GENERAL FORENSICS (CONT’D)
LIGHTNING TALKS

Rules of Evidence – standards (such as the Daubert criteria) set
guidelines for admissibility. These “standards” vary across all levels of
government, and many disparate standards exist. Situational awareness
of this is paramount.
Importantly, these standards typically dictate a scientific, repeatable,
method of acquisition against the same data set. In the case of
networking, volatile memory, and certain flash storage, this can be
practically impossible.
QUICK REVIEW: GENERAL FORENSICS (CONT’D)
LIGHTNING TALKS

Our Mission as a forensic investigator – To understand and describe
an event, collection of events, or system in the most accurate and
detailed manner possible given all of the available information.
To maintain the integrity of the evidence and scene to ensure that
accuracy.
Sometimes, we must admit that there isn’t a conclusion that can be
accurately drawn based on the evidence.

Our mission is not to convict someone, nor to inject/assert conjecture as
fact.
QUICK REVIEW: FUNDAMENTAL COMPUTING
LIGHTNING TALKS
Computing
• Processing, Storage, and Transmission [I/O]
• Systems of Systems
Information
• Has both Content and Context that we are interested in
  • Content – things the user/entity/protocol directly creates, accesses, or modifies
  • Context – metadata that frames the content, providing a point of reference & relativity
Cyber
• The man-machine interface – adding people to the mix
QUICK REVIEW: NETWORKING
Networking – “To link together to allow the sharing of data, interactive operation, and
efficient utilization of resources”

EXAMPLES OF NETWORK ARCHITECTURES (organized by protocol/suite)
• TCP/IP
• Control System – SCADA/ICS: ModBus, DNP3
• CAN – CanBus, MilCAN
• USB/Firewire protocols
• Bluetooth
• PCI/PCIe Bus
Many more, including technologies like Ethernet and the 802.11 suite.

IMPORTANT TAKE-AWAYS
• Systems must use transmission to acquire/share information.
• If it is in the browser, it came over the network, and can be reconstructed*
• All malware that was not built into a system or physically added via hardware alteration must have traversed a network to infect that system.
QUICK REVIEW: NETWORKING (CONT’D)
TCP/IP NETWORKING AND THE OSI MODEL
For today’s exercises, we are only looking at Ethernet/TCP/IP
Several different models exist for defining these networking layers logically – we are going
to focus on the Open Systems Interconnection (OSI) model (slightly modified)

Why does this matter?

Logically grasping a unified model of internetworking fundamentally shapes your process for searching, identifying, acquiring, and understanding evidence, and your interactions with the tools used to acquire and analyze that evidence.
QUICK REVIEW: NETWORKING (CONT’D)
The OSI Model of networking for the Internet

[Layer 8] – Human
Layer 7 – Application
Layer 6 – Presentation
Layer 5 – Session
Layer 4 – Transportation
Layer 3 – Network
Layer 2 – Data-link
Layer 1 – Physical
[Layer 0] – Media
(encapsulation proceeds downward: each layer from 7 to 2 is wrapped by the layer below it)

The OSI Model is typically composed of 7 layers, with each upper layer being encapsulated in the subsequent layer below it (or the next lowest layer to it).
We’ve modified the OSI model to meet our needs by adding 2 layers. “Layer 8” is a concept out of Social Engineering, but also applies to forensic investigations. “Layer 0” is the physical media and can hold traditional forensic evidence like latent fingerprints, but can also tell us about unique constraints.
QUICK REVIEW: NETWORKING (CONT’D)
The OSI Model of networking for the Internet and common protocols at each level

[Layer 8] – Human
Layer 7 – Application: HTTP, DHCP, DNS, SMB, OSPF… lots more
Layer 6 – Presentation: MIME
Layer 5 – Session: SSL/TLS, NetBIOS, SAP, PPTP, RTP
Layer 4 – Transportation: TCP, UDP
Layer 3 – Network: IP, ICMP, IPSec, IGMP, IPX
Layer 2 – Data-link: ARP, PPP, L2TP, Frame Relay
Layer 1 – Physical: Ethernet, USB, FireWire, RS-232, 802.11
[Layer 0] – Media: RJ45 ethernet cables, 2.4–5 GHz spectrum
(Layers 7 through 2 are encapsulated top-down, as on the previous slide.)
QUICK REVIEW: NETWORKING (CONT’D)
The OSI Model of networking for the Internet – where content lives

[Layer diagram repeated: Layers 8 through 0, as above]

Content can be found mainly at the application and transport layers, although technically it could exist anywhere via obscure/custom protocols (such as the use of covert channels).
QUICK REVIEW: NETWORKING (CONT’D)
The OSI Model of networking for the Internet – where context lives

[Layer diagram repeated: Layers 8 through 0, as above]

Context can be found at every level of the OSI model; however, the most useful context is typically:
Layer 2 – MAC addresses to ID devices
Layer 3 – IP addresses, ICMP response flags (OS fingerprinting)
Layer 4 – Timing/sizing information (OS fingerprinting)
Layer 7 – Metadata provided by HTTP, NBNS, and routing protocols
Layer 8 – Naming conventions and other indicative habits/patterns
WHERE DOES POTENTIAL EVIDENCE EXIST?

What sources are we trying to acquire?

It is paramount to understand that this is not a discrete question – these are SYSTEMS of systems that are interdependent. A pcap alone is not the extent of network forensics.
WHERE DOES POTENTIAL EVIDENCE EXIST?
EVIDENCE PROVIDERS FOR A SINGLE SYSTEM OF A SERVER/CLIENT DEVICE

• Network Transmissions
• Volatile [Main] Memory
• Persistent [Secondary] Memory
WHERE DOES POTENTIAL EVIDENCE EXIST?

For Your Situational Awareness:
• Be aware that modern malware can do interesting things like network through high-frequency sounds and hide in firmware/BIOS
• Understand that your investigation is limited by what evidence providers you collect from, and document such limitations in your analysis
WHAT POTENTIAL EVIDENCE EXISTS?
EXAMPLE NETWORK ARTIFACTS IN STORAGE MEDIA [NON-EXHAUSTIVE]
Volatile (Primary/Main) Memory (this includes buffers on NICs)
• open/prior connections, paired with processes that initiated them
• recently used/downloaded programs and temporary files
• recently run command output (ping/tracert/etc.)
• DNS cache
• routing/ARP table information
• packets (buffered in memory)

Persistent (Secondary) Memory
• recently run network programs (prefetch on Windows >= XP for instance)
• logs/event records
• recently visited URLs
• IP addresses in email headers, configuration files, etc.
• network captures (did the person have packet captures on their machine?)
WHAT POTENTIAL EVIDENCE EXISTS?
EVIDENCE PROVIDERS FOR ENTERPRISE SYSTEM NETWORK FORENSICS

There is overlap between these media. This is good: convergent sources of evidence mean more support for that evidence, which can be critical in court.
The more ways to verify an event, the better.
Remember: network communications are a conversation. Evidence on one side of this conversation means evidence may exist on the other side as well (and anywhere in between, too).
WHAT ARE WE INTERESTED IN?
“IT DEPENDS”
What evidence are we looking for?
It depends on:
• Scope
• Threat source (human intelligence vs. malware)
• A multitude of other factors
Content:
• Exists largely at the Application/Transportation Layer
• Could be executables, documents, conversations, media (images/video/audio)
• Proof of transactions (CCNs, web URLs, etc.)
Context:
• Timeline & statistics (sessions/hosts/ports/protocols/sizes)
• Network topology/connected devices
• Historical data (baselines/anomalies, previously connected-to networks/keys, etc.)
THE ENVIRONMENT
“NO REALLY, IT DEPENDS”
Whether doing Cyber Forensics or Incident Response, network transmissions are
temporal.
It may not be possible to personally collect the data that will be analyzed in a timely, cost-effective manner. This may necessitate instructing others in this process. You can only hope that there is an IDS/NSM solution.

It is difficult to be long-range tech support and guarantee a forensically sound collection process, or that the desired evidence is even collected (chain of custody can also be an issue).
Be cognizant of this possibility and be able to define and explain your steps to others.
ANTI-NETWORK FORENSICS
THE 60,000 FT. VIEW
Largely these can be grouped into active/passive, or exploitation vs. obfuscation.
Obfuscation:
• Spoofing (IP/MAC, or IP stack/User-Agent strings to hide OS/browser type)
• Encryption (including TLS, Tor, custom)
• Packing/compression of executables/files (Metasploit Stage 2 encoding)
• Steganography :(
• Covert channels (IP in DNS is a popular derivative, also the Telex project)
• Fragmentation/order fuzzing (tools like SniffJoke)
Exploitation:
• Attacks against investigator/IDS tools (a la CVE-2011-1591)
• Active detection of network monitoring (e.g. detecting promiscuous mode by setting the MAC to an illegal value and sending a TCP SYN packet)
APPLIED KNOWLEDGE
TAKING THEORY AND PUTTING IT TO PRACTICE
ACQUISITION
THE RIGHT TOOL FOR THE JOB
For our lab purposes we will be looking at relatively small data sets.
Enterprise networks have voluminous throughput -- possibly terabytes/petabytes a day at
multiple gigabits per second depending on the size of the organization.
The tools we use today, such as Wireshark, are often not capable of capturing this amount
of data without dropping packets/other degradation. Even command line tools like tshark
may have issues (they are also hardware/topology constrained).
There are open-source tools such as argus and ntop which can capture this kind of data,
but these are outside the scope of this lecture.

We will be manually analyzing packet data, but an automated solution may be required in
order to be successful and efficient within the time and resource constraints that are
present in “big data” situations.
ACQUISITION (CONT’D)
THE RIGHT TOOL FOR THE JOB
Today we will use and discuss:
• Wireshark/tshark for network acquisition
  (argus/nfcapd will be discussed for flow acquisition)
• foremost (compiled for Windows) for carving data out of TCP streams in the pcap
  (winpmem/LiME will be discussed for volatile memory acquisition)
  (dd will be discussed for persistent memory acquisition)

And for analysis we will be using:
• Wireshark (network capture analysis)
  (chaosreader/SiLK will be discussed for automated packet capture extraction/analysis)
• Volatility/NAFT (volatile memory analysis)
  (Bulk Extractor will be discussed for persistent memory analysis)
WIRESHARK BASICS
FRAMES, STREAMS, AND FILTERS OH MY!
Open Wireshark, and follow along with me:
• Notice the OSI structure of the packet dissectors
• Color represents the level of the OSI model/unique protocols
• Display filters (including auto-generation of filters)
• Following TCP streams (okay, so it’s still a display filter)

Resource for display filters: http://www.firstdigest.com/2009/05/wiresharks-most-usefuldisplay-filters/
EXERCISE 1
CAPTURING BROWSER TRAFFIC
JOINT ACTIVITY: 10 MINUTES
Summary: Start a network capture with Wireshark, note the initial traffic, open a web
browser, note the traffic generated by this action, browse to a webpage, stop the
capture, and use Wireshark to extract file artifacts from the HTTP/TCP streams.
CASE STUDY: ANN AND THE APPLE TV
This is a challenge provided by the network forensic puzzle contest. The pcap and
questions can be downloaded from
http://forensicscontest.com/2009/12/28/anns-appletv

It’s included to highlight the fact that over the past decade, unique sources of evidence in the form of embedded devices and appliances have crept into the consumer world, offering additional, potentially useful, information about a suspect’s habits, anomalous activities, and whereabouts.
EXERCISE 2
ANN AND THE APPLE TV
JOINT ACTIVITY: 20 MINUTES
Summary: Given a pcap of an individual’s interactions with an AppleTV, answer the
associated questions.
Questions:
1. What is the MAC address of Ann’s AppleTV?
2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
4. What was the title of the first movie Ann clicked on?
5. What was the full URL to the movie trailer (defined by “preview-url”)?
6. What was the title of the second movie Ann clicked on?
7. What was the price to buy it (defined by “price-display”)?
8. What was the last full term Ann searched for?
SOLUTIONS: ANN AND THE APPLE TV
WIRESHARK FILTERS TO FIND SOLUTIONS
1) What is the MAC address of Ann’s AppleTV?
   Filter: eth.addr == 00:25:00:fe:07:c4
2) What User-Agent string did Ann’s AppleTV use in HTTP requests?
   Filter: http.user_agent == "AppleTV/2.4"
3) What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
   Filter: http.request.uri contains "/MZSearch.woa/wa/incrementalSearch"
4) What was the title of the first movie Ann clicked on?
   Filter: http.request.uri contains "viewMovie?"
5) What was the full URL to the movie trailer (defined by “preview-url”)?
   Filter: http.request.uri contains "viewMovie?"
6) What was the title of the second movie Ann clicked on?
   Filter: http.request.uri contains "viewMovie?"
7) What was the price to buy it (defined by “price-display”)?
   Filter: http.request.uri contains "viewMovie?"
8) What was the last full term Ann searched for?
   Filter: http.request.uri contains "/MZSearch.woa/wa/incrementalSearch"
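The same display filters can be applied in code, which is how you would script the triage once the capture is too large for clicking through. The script below is an added example, not part of the slides or the contest: it reads the classic libpcap format directly, pulls every HTTP request out of single-frame TCP payloads, and answers the MAC / User-Agent / search-term / viewMovie questions. The two-packet capture is constructed here; the `term` query parameter name, the Host values and the movie id are assumptions, not values from the contest pcap.

```python
"""Added example: a minimal libpcap reader that applies the Ann-and-the-AppleTV
display filters in code. Only IPv4/TCP over Ethernet is parsed and no stream
reassembly is done, so each request must fit in one frame."""
import struct
from urllib.parse import urlsplit, parse_qs

APPLETV_MAC = bytes.fromhex("002500fe07c4")  # MAC from the slide's answer key
GATEWAY_MAC = bytes.fromhex("001122334455")  # constructed

def build_http_frame(src_mac: bytes, dst_mac: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame around an HTTP request (checksums left at 0)."""
    eth = dst_mac + src_mac + b"\x08\x00"                      # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 10]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    """Wrap frames in the classic libpcap format (little-endian, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1388000000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_http_requests(pcap: bytes):
    """Yield (src_mac, request_line, headers) for each TCP payload that starts like an HTTP request."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24                                                   # skip the global header
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                                           # not IPv4 over Ethernet
        src_mac = ":".join(f"{b:02x}" for b in frame[6:12])    # eth.src
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                                           # not TCP
        tcp = 14 + ihl
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
        if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            continue
        head = payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield src_mac, head[0], headers

def summarize(pcap: bytes) -> dict:
    """Code equivalent of the eth.addr / http.user_agent / http.request.uri filters."""
    macs, agents, terms, movies = set(), set(), [], []
    for src_mac, request_line, headers in iter_http_requests(pcap):
        uri = request_line.split(" ")[1]
        macs.add(src_mac)
        if "user-agent" in headers:
            agents.add(headers["user-agent"])
        if "/MZSearch.woa/wa/incrementalSearch" in uri:
            # 'term' is an assumed parameter name for the constructed sample
            terms.append(parse_qs(urlsplit(uri).query).get("term", [""])[0])
        if "viewMovie?" in uri:
            movies.append(uri)
    return {"macs": sorted(macs), "user_agents": sorted(agents),
            "search_terms": terms, "movie_requests": movies}

# Constructed sample requests (not from the contest capture).
REQ_SEARCH = (b"GET /WebObjects/MZSearch.woa/wa/incrementalSearch?term=ha HTTP/1.1\r\n"
              b"Host: search.example\r\nUser-Agent: AppleTV/2.4\r\n\r\n")
REQ_MOVIE = (b"GET /WebObjects/MZStore.woa/wa/viewMovie?id=000000 HTTP/1.1\r\n"
             b"Host: store.example\r\nUser-Agent: AppleTV/2.4\r\n\r\n")
SAMPLE_PCAP = build_pcap([build_http_frame(APPLETV_MAC, GATEWAY_MAC, REQ_SEARCH),
                          build_http_frame(APPLETV_MAC, GATEWAY_MAC, REQ_MOVIE)])

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PCAP).items():
        print(f"{key}: {value}")
```

On a real capture, requests split across segments or carried over TLS will not be seen by this reader; that is exactly where Wireshark's stream reassembly (or tshark) earns its place.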
INTERMISSION
TIME FOR LUNCH!
INDIVIDUAL OR JOINT ACTIVITY
Summary: om nom nom.
PRACTICE MAKES NEAR-PERFECT
MOOOOOOOOOAR WIRESHARK

Now that you’ve been exposed to display filters, content extractors, and
the dissectors within Wireshark, we are going to take a deeper dive.
The next exercise will familiarize you with some of Wireshark’s other
features
EXERCISE 3
10 MINUTES OF INTERNET
INDIVIDUAL ACTIVITY: 30 MINUTES
Summary: You’ve been provided with a slice of an enterprise network capture. You are
charged with identifying different network segments, and extracting data from different
protocols within the capture using Wireshark. There is not a right/wrong answer: this is
exploratory.
Hint: Follow the TCP streams, and remember that not everything worth extracting is a file.
VOLATILE MEMORY ANALYSIS
FOR NETWORK ARTIFACTS
We are going to use Volatility, an open source volatile memory analysis tool originally
developed here at Purdue by Aaron Walters. A special thanks to Aaron and his team!

Specifically, we are going to walk through the following network forensic steps on volatile
memory:
 identifying network connections that were active at the time of the memory capture
 scanning processes which have had active connections for evidence of malware
 extracting a malicious DLL that was injected over the network, and comparing it to one
carved from a packet capture that triggered on the same attack
 extracting packets from volatile memory and analyzing them for further evidence
VOLATILE MEMORY ANALYSIS
FOR NETWORK ARTIFACTS
Basic Usage
Volatility -f <filename> <plugin>
e.g. Volatility -f xp_infected.vmem pslist

Offset(V)  Name              PID  PPID  Thds  Hnds   Sess  Wow64  Start                Exit
---------- ---------------- ----- ----- ----- ----- ------ ------ -------------------- ----
0x865c6830 System               4     0    58   283 ------      0
0x8647b020 smss.exe           544     4     3    19 ------      0  2013-02-24 06:40:30
0x864db020 csrss.exe          616   544    12   371      0      0  2013-02-24 06:40:33
0x863adda0 winlogon.exe       640   544    18   514      0      0  2013-02-24 06:40:33
0x85fc1c90 services.exe       684   640    16   271      0      0  2013-02-24 06:40:33
0x86044ae0 lsass.exe          696   640    20   350      0      0  2013-02-24 06:40:33
0x860064f8 vmacthlp.exe       852   684     1    25      0      0  2013-02-24 06:40:33
0x862772c0 svchost.exe        868   684    20   198      0      0  2013-02-24 06:40:33
0x86098760 svchost.exe        952   684     9   268      0      0  2013-02-24 06:40:34

See: https://code.google.com/p/volatility/wiki/CommandReference23#Networking
See also: https://blogs.sans.org/computer-forensics/files/2012/04/Memory-ForensicsCheat-Sheet-v1_2.pdf
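The first two steps listed above (find the connections that were live, then look at the processes that owned them) are a join on PID between two plugin outputs. The script below is an added example, not from the slides or the Volatility project: it parses text in the format of Volatility 2's `pslist` and `connscan` output, names the owning process and its parent for each connection, flags peers outside RFC 1918 space, and flags PIDs that connscan found but pslist does not list. The pslist rows are the ones shown on the slide; the connscan rows and every address in them are constructed for the demo.

```python
"""Added example: correlate Volatility 2 pslist and connscan text output by PID."""
import ipaddress

# pslist rows as shown on the slide (xp_infected.vmem).
PSLIST_TEXT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x865c6830 System                    4      0     58      283 ------      0
0x8647b020 smss.exe                544      4      3       19 ------      0 2013-02-24 06:40:30
0x864db020 csrss.exe               616    544     12      371      0      0 2013-02-24 06:40:33
0x863adda0 winlogon.exe            640    544     18      514      0      0 2013-02-24 06:40:33
0x85fc1c90 services.exe            684    640     16      271      0      0 2013-02-24 06:40:33
0x86044ae0 lsass.exe               696    640     20      350      0      0 2013-02-24 06:40:33
0x860064f8 vmacthlp.exe            852    684      1       25      0      0 2013-02-24 06:40:33
0x862772c0 svchost.exe             868    684     20      198      0      0 2013-02-24 06:40:33
0x86098760 svchost.exe             952    684      9      268      0      0 2013-02-24 06:40:34
"""

# Constructed connscan output (columns: Offset(P), Local Address, Remote Address, Pid).
# 203.0.113.0/24 is documentation space; PID 1337 is deliberately absent from pslist.
CONNSCAN_TEXT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 192.168.1.105:1053        203.0.113.5:4444          868
0x020b1a40 192.168.1.105:1041        192.168.1.1:139           952
0x020c55e0 192.168.1.105:1099        203.0.113.5:4444          1337
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pslist(text: str) -> dict:
    """Map PID -> {name, ppid, start}; tolerates the missing Start on the System row."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 8)          # name cannot contain spaces in this output
        if len(parts) < 8 or not parts[0].startswith("0x"):
            continue                          # header / separator lines
        procs[int(parts[2])] = {"name": parts[1], "ppid": int(parts[3]),
                                "start": parts[8].strip() if len(parts) > 8 else ""}
    return procs

def parse_connscan(text: str) -> list:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].startswith("0x"):
            rows.append({"local": parts[1], "remote": parts[2], "pid": int(parts[3])})
    return rows

def is_internal(host: str) -> bool:
    """RFC 1918 or loopback; done by hand so documentation ranges count as external."""
    addr = ipaddress.ip_address(host)
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)

def correlate(pslist_text: str, connscan_text: str) -> list:
    """One row per connection: owning process, its parent, and whether the peer is off-net.
    connscan carves _TCPT_OBJECT structures out of physical memory, so it can also return
    connections whose process is no longer in the active process list; those are flagged."""
    procs = parse_pslist(pslist_text)
    report = []
    for conn in parse_connscan(connscan_text):
        proc = procs.get(conn["pid"])
        parent = procs.get(proc["ppid"]) if proc else None
        host, _, port = conn["remote"].rpartition(":")
        report.append({
            "pid": conn["pid"],
            "process": proc["name"] if proc else "<not in pslist>",
            "parent": parent["name"] if parent else "?",
            "remote": conn["remote"],
            "remote_port": int(port),
            "external": not is_internal(host),
        })
    return report

if __name__ == "__main__":
    for row in correlate(PSLIST_TEXT, CONNSCAN_TEXT):
        flag = "EXTERNAL" if row["external"] else "internal"
        print(f"pid {row['pid']:>5} {row['process']:<18} parent={row['parent']:<14} "
              f"-> {row['remote']:<22} {flag}")
```

A svchost.exe talking to an off-net address on a non-service port, or a connection whose PID no longer exists, is the kind of row that tells you where to point the malware scan and the DLL extraction in the next two steps.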
EXERCISE 4
BAD ACTORS AND BAD HABITS
INDIVIDUAL/JOINT ACTIVITY
Summary: You’ve been provided with a pcap and a volatile memory capture that
contain evidence of a network exploitation. Determine where the exploit occurred in the
pcap, and extract the malicious executable. Then find network artifacts in the memory
capture which correlate to the pcap and compare.
Hint: https://code.google.com/p/volatility/wiki/CommandReference23#Networking
Bonus Hint: The executable is also in memory :D do they match?
SUMMARY
• Network forensics can present problems with repeatability and rules of evidence when it comes to acquisition of the evidence because it is transient.
• The network forensic process is largely the same as that of a traditional digital forensic investigation.
• Network forensics is more than just packets on the wire.
• Network forensics spans transmission, volatile memory, and persistent memory.
• Use the right tools for the job – small packet captures can successfully be analyzed with Wireshark; large-scale captures may need to be automatically parsed before narrowing down sections which can be further analyzed.
Hopefully, you walk away with a little more hands-on experience
PARTING THOUGHTS
• You still have a lot to learn (I still have a lot to learn)
• Technology is constantly evolving; you need to stay current
• As they say, practice makes perfect (well… nobody’s perfect :D)
• If this topic interests you, speak to me later or research:
  • Structured Traffic Analysis
  • Network Security Monitoring (Richard Bejtlich just released a new book)
  • Intrusion Detection Systems
  • https://tools.netsa.cert.org
  • https://www.enisa.europa.eu/activities/cert/support/exercise
COMMENTS AND WRAP-UP

Thank you!
Questions?
ADDENDUM
IN CASE OF EXTRA TIME, BREAK EXERCISE
Summary: Exercise05 involves using bulk_extractor to extract network “features”

0 presentacion de introduccion
 
communication-protocols
 communication-protocols communication-protocols
communication-protocols
 
Dynamic Semantics for Semantics for Dynamic IoT Environments
Dynamic Semantics for Semantics for Dynamic IoT EnvironmentsDynamic Semantics for Semantics for Dynamic IoT Environments
Dynamic Semantics for Semantics for Dynamic IoT Environments
 
Isys20261 lecture 06
Isys20261 lecture 06Isys20261 lecture 06
Isys20261 lecture 06
 
Automated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data AcquisitionAutomated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data Acquisition
 
Networking fundamentals
Networking  fundamentalsNetworking  fundamentals
Networking fundamentals
 
ppt_dcn.pdf
ppt_dcn.pdfppt_dcn.pdf
ppt_dcn.pdf
 
3G Wireless Access, Abstract
3G Wireless Access, Abstract3G Wireless Access, Abstract
3G Wireless Access, Abstract
 
Lesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptxLesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptx
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your Network
 
Distributed Systems
Distributed SystemsDistributed Systems
Distributed Systems
 
FIOT_Uni4.pptx
FIOT_Uni4.pptxFIOT_Uni4.pptx
FIOT_Uni4.pptx
 
Lumeta IPsonar Aligned to ITIL v3
Lumeta IPsonar Aligned to ITIL v3Lumeta IPsonar Aligned to ITIL v3
Lumeta IPsonar Aligned to ITIL v3
 
Networks - Lecture E
Networks - Lecture ENetworks - Lecture E
Networks - Lecture E
 
DATA COMMUNICATION PPT
DATA COMMUNICATION PPTDATA COMMUNICATION PPT
DATA COMMUNICATION PPT
 

Recently uploaded

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Recently uploaded (20)

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 

Network Forensics Intro

  • 1. PURDUE UNIVERSITY TECSUP NETWORK FORENSICS AN INTRODUCTION 7.11.2013 Jake Kambic M.S. Student CNIT Cyber Forensics / Network Security
  • 3. WHO AM I? AND WHY SHOULD YOU LISTEN TO ME?
  • 4. OVERVIEW PURPOSE Today’s lessons are intended to give you an introduction to elementary and intermediate techniques in network forensics. We are only scratching the surface, but it should be rewarding. Please stop me at anytime to ask questions, or ask me to slow down!
  • 5. OVERVIEW (CONT’D) TOPICS
    - What is DFIR?
    - What is Network Forensics?
    - Digital Forensics vs. Incident Response
    - The Forensic Process (Abridged)
    - Quick Review: General Forensics
    - Quick Review: Fundamental Computing
    - Quick Review: Networking
    - Where does potential evidence exist?
    - What evidence are we looking for?
    - Environment Factors
    - Anti-Network Forensics
    - Acquisition
    - Wireshark Basics
    - Analysis: Exercise 1: Capturing browser traffic; Exercise 2: Ann and the Apple TV; Exercise 3: 10 Minutes of Internet; Exercise 4: Bad Actors and Bad Habits
  • 6. WHAT IS DFIR? Digital Forensics – More accurately Forensic Cybernetics Forensic – "pertaining to or suitable for courts of law” Cybernetics – “The field of study concerned with communication and control systems in living organisms and machines.” Cyber Forensics is then the investigation of the man-machine interface to a degree of integrity and certainty that is suitable for a court of law. Incident Response – the preparation and response to an emergency / emergent threat
  • 7. DIGITAL FORENSICS VS. INCIDENT RESPONSE Cyber Forensics Incident Response Sub-discipline of law Sub-discipline of disaster recovery “Post-mortem” Post or concurrent to incident Typically independent analysis Working closely with IT to control situation Must adhere to rules of evidence [federal, daubert, etc.] Must only be as reliable as necessary to determine a course of action End Goal: Determine sequence of events, attest. End Goal: determine threat extent, mitigate threat
  • 8. DF V. IR (CONT’D) WHY HIGHLIGHT THESE DISTINCTIONS? We are going to speak today about techniques from the perspective of a Forensic Investigator. However, the transient nature of network forensics means that, many times, it is not possible to perform an acquisition of evidence that adheres to current standards of evidence. In this capacity, we will also look at things relevant to IR.
  • 9. THE FORENSIC PROCESS (ABRIDGED) THE QUICK AND DIRTY RUNDOWN Remember the 3 A’s: Acquire, Analyze, Attest. Today we will be discussing acquisition and analysis techniques for network forensics.
    - Acquire: Document All Steps; Establish Chain of Custody; Authenticate Acquisition
    - Analyze: Document All Steps; Follow a repeatable, explainable process; Seek independent/exculpatory evidence
    - Attest: Report Documented Findings; Back Assertions with Evidence; Inter-subjective conclusions
  • 10. QUICK REVIEW: GENERAL FORENSICS LIGHTNING TALKS Locard’s Principle of Exchange – “the perpetrator of a crime will bring something into the crime scene and leave with something from it.” This holds true in cyber forensics as well. The change, or what is left, may be lower than we typically look (disturbing of electrons) and may be temporal, but in the majority of incidents if you have been called in as an investigator, then there is already suspicion of malign activity that careful yet rapid acquisition will reveal.
  • 11. QUICK REVIEW: GENERAL FORENSICS (CONT’D) LIGHTNING TALKS Rules of Evidence – standards (such as the Daubert criteria) set guidelines for admissibility. These “standards” vary across all levels of government, and many disparate standards exist. Situational awareness of this is paramount. Importantly, these standards typically dictate a scientific, repeatable, method of acquisition against the same data set. In the case of networking, volatile memory, and certain flash storage, this can be practically impossible.
  • 12. QUICK REVIEW: GENERAL FORENSICS (CONT’D) LIGHTNING TALKS Our Mission as a forensic investigator – To understand and describe an event, collection of events, or system in the most accurate and detailed manner possible given all of the available information. To maintain the integrity of the evidence and scene to ensure that accuracy. Sometimes, we must admit that there isn’t a conclusion that can be accurately drawn based on the evidence. Our mission is not to convict someone, nor to inject/assert conjecture as fact.
  • 13. QUICK REVIEW: FUNDAMENTAL COMPUTING LIGHTNING TALKS Computing: Processing, Storage, and Transmission [I/O]; Systems of Systems. Information has both Content and Context that we are interested in:
    - Content – things the user/entity/protocol directly creates, accesses, or modifies
    - Context – metadata that frames the content, providing a point of reference & relativity
    Cyber: The man-machine interface – adding people to the mix
  • 14. QUICK REVIEW: NETWORKING Networking – “To link together to allow the sharing of data, interactive operation, and efficient utilization of resources”
    EXAMPLES OF NETWORK ARCHITECTURES (organized by protocol/suite):
    - TCP/IP
    - Control System: SCADA/ICS, ModBus, DNP3
    - CAN: CanBus, MilCAN
    - USB/Firewire protocols
    - Bluetooth
    - PCI/PCIe Bus
    - Many more, including technologies like Ethernet and the 802.11 suite
    IMPORTANT TAKE-AWAYS:
    - Systems must use transmission to acquire/share information.
    - If it is in the browser, it came over the network, and can be reconstructed*
    - All malware that was not built into a system or physically added via hardware alteration must have traversed a network to infect that system.
  • 15. QUICK REVIEW: NETWORKING (CONT’D) TCP/IP NETWORKING AND THE OSI MODEL For today’s exercises, we are only looking at Ethernet/TCP/IP Several different models exist for defining these networking layers logically – we are going to focus on the Open Systems Interconnection (OSI) model (slightly modified) Why does this matter? [ Logically grasping a unified model of internetworking fundamentally shapes your process for searching, identifying, acquiring, and understanding evidence, and your interactions with the tools used to acquire and analyze that evidence. ]
  • 16. QUICK REVIEW: NETWORKING (CONT’D) The OSI Model of networking for the Internet (each layer is encapsulated by the layer below it): [Layer 8] – Human; Layer 7 – Application; Layer 6 – Presentation; Layer 5 – Session; Layer 4 – Transportation; Layer 3 – Network; Layer 2 – Data-link; Layer 1 – Physical; [Layer 0] – Media. The OSI Model is typically composed of 7 layers, with each upper layer being encapsulated in the subsequent layer below it (or the next lowest layer to it). We’ve modified the OSI model to meet our needs by adding 2 layers. “Layer 8” is a concept out of Social Engineering, but also applies to Forensic investigations. “Layer 0” is the physical media and can hold traditional forensic evidence like latent fingerprints, but can also tell us about unique constraints.
  • 17. QUICK REVIEW: NETWORKING (CONT’D) The OSI Model of networking for the Internet and common protocols at each level (Protocol Highlights):
    - [Layer 8] – Human
    - Layer 7 – Application: HTTP, DHCP, DNS, SMB, OSPF…lots more
    - Layer 6 – Presentation: MIME
    - Layer 5 – Session: SSL/TLS, NetBIOS, SAP, PPTP, RTP
    - Layer 4 – Transportation: TCP, UDP
    - Layer 3 – Network: IP, ICMP, IPSec, IGMP, IPX
    - Layer 2 – Data-link: ARP, PPP, L2TP, Frame Relay
    - Layer 1 – Physical: Ethernet, USB, FireWire, RS-232, 802.11
    - Layer 0 – Media: RJ45 ethernet cables, 2.4-5Ghz spectrum
  • 18. QUICK REVIEW: NETWORKING (CONT’D) The OSI Model of networking for the Internet ([Layer 8] – Human; Layer 7 – Application; Layer 6 – Presentation; Layer 5 – Session; Layer 4 – Transportation; Layer 3 – Network; Layer 2 – Data-link; Layer 1 – Physical; [Layer 0] – Media). Content can be found mainly at the application and transport layers, although technically it could exist anywhere via obscure/custom protocols (such as the use of covert channels).
  • 19. QUICK REVIEW: NETWORKING (CONT’D) The OSI Model of networking for the Internet ([Layer 8] – Human; Layer 7 – Application; Layer 6 – Presentation; Layer 5 – Session; Layer 4 – Transportation; Layer 3 – Network; Layer 2 – Data-link; Layer 1 – Physical; [Layer 0] – Media). Context can be found at every level of the OSI model; however, the most useful context is typically:
    - Layer 2 – MAC addresses to ID devices
    - Layer 3 – IP Addresses, ICMP response flags (OS Finger Printing)
    - Layer 4 – Timing/sizing information (OS Finger Printing)
    - Layer 7 – Meta data provided by HTTP, NBNS, and Routing protocols
    - Layer 8 – naming conventions and other indicative habits/patterns
  • 20. WHERE DOES POTENTIAL EVIDENCE EXIST? What sources are we trying to acquire?
  • 21. WHERE DOES POTENTIAL EVIDENCE EXIST? What sources are we trying to acquire? [ It is paramount to understand that this is not a discrete question – these are SYSTEMS of systems that are interdependent. A pcap alone is not the extent of network forensics. ]
  • 22. WHERE DOES POTENTIAL EVIDENCE EXIST? EVIDENCE PROVIDERS FOR A SINGLE SYSTEM OF A SERVER/CLIENT DEVICE Network Transmissions Volatile [Main] Memory Persistent [Secondary] Memory
  • 23. WHERE DOES POTENTIAL EVIDENCE EXIST? For Your Situational Awareness: Be aware that modern malware can do interesting things like network through high-frequency sounds and hide in firmware/BIOS Understand that your investigation is limited by what evidence providers you collect from, and document such limitations in your analysis
  • 24. WHAT POTENTIAL EVIDENCE EXISTS? EXAMPLE NETWORK ARTIFACTS IN STORAGE MEDIA [NON-EXHAUSTIVE]
    Volatile (Primary/Main) Memory (this includes buffers on NICs):
    - open/prior connections, paired with processes that initiated them
    - recently used/downloaded programs and temporary files
    - recently run command output (ping/tracert/etc)
    - DNS cache
    - routing/arp table information
    - packets (buffered in memory)
    Persistent (Secondary) Memory:
    - recently run network programs (prefetch on Windows >= XP for instance)
    - logs/event records
    - recently visited URLs
    - IP addresses in email headers, configuration files, etc
    - Network captures (did the person have packet captures on their machine?)
  • 25. WHAT POTENTIAL EVIDENCE EXISTS? EVIDENCE PROVIDERS FOR ENTERPRISE SYSTEM NETWORK FORENSICS There is overlap between these mediums. This is good: Convergent sources of evidence means more support for that evidence, which can be critical in court. The more ways to verify an event, the better. Remember: Network communications are a conversation. Evidence on one side of this conversation means evidence may exist on the other side as well. (and anywhere in between too)
  • 26. WHAT ARE WE INTERESTED IN? “IT DEPENDS” What Evidence are we looking for? It depends on: Scope; Threat source (human intelligence vs. malware); A multitude of other factors.
    Content:
    - Exists largely at the Application/Transportation Layer
    - Could be executables, documents, conversations, media (images/video/audio)
    - proof of transactions (CCNs, web URLs, etc.)
    Context:
    - Timeline & Statistics (Sessions/Hosts/Ports/Protocols/Sizes)
    - Network Topology/Connected Devices
    - Historical Data (baselines/anomalies, previously connected to networks/keys, etc.)
  • 27. THE ENVIRONMENT “NO REALLY, IT DEPENDS” Whether doing Cyber Forensics or Incident Response, network transmissions are temporal. It may not be possible to personally collect the data that will be analyzed in a timely, cost effective manner. This may necessitate instructing others in this process. You can only hope that there is an IDS/NSM solution. It’s difficult to be long range tech support and guarantee a forensically sound collection process, or that the desired evidence is even collected (chain of custody can also be an issue). Be cognizant of this possibility and be able to define and explain your steps to others.
  • 28. ANTI-NETWORK FORENSICS THE 60,000 FT. VIEW Largely these can be grouped into active/passive or exploitation vs. obfuscation.
    Obfuscation:
    - Spoofing (IP/MAC or IP Stack/User Agent strings to hide OS/Browser type)
    - Encryption (including TLS, Tor, custom)
    - Packing/compression of executables/files (Metasploit Stage 2 encoding)
    - Steganography : (
    - Covert channels (IP in DNS is a popular derivative, also Telex project)
    - Fragmentation/Order fuzzing (tools like SniffJoke)
    Exploitation:
    - Attacks against investigator/IDS tools (a la CVE-2011-1591)
    - Active detection of network monitoring (e.g. detecting promiscuous mode by setting the MAC to illegal value and sending TCP SYN packet)
  • 29. APPLIED KNOWLEDGE TAKING THEORY AND PUTTING IT TO PRACTICE
  • 30. ACQUISITION THE RIGHT TOOL FOR THE JOB For our lab purposes we will be looking at relatively small data sets. Enterprise networks have voluminous throughput -- possibly terabytes/petabytes a day at multiple gigabits per second depending on the size of the organization. The tools we use today, such as Wireshark, are often not capable of capturing this amount of data without dropping packets/other degradation. Even command line tools like tshark may have issues (they are also hardware/topology constrained). There are open-source tools such as argus and ntop which can capture this kind of data, but these are outside the scope of this lecture. We will be manually analyzing packet data, but an automated solution may be required in order to be successful and efficient within the time and resource constraints that are present in “big data” situations.
  • 31. ACQUISITION (CONT’D) THE RIGHT TOOL FOR THE JOB Today we will use and discuss:
    - Wireshark/tshark for network acquisition (argus/nfcapd will be discussed for flow acquisition)
    - foremost (compiled for Windows) for carving data out of TCP streams in the pcap
    - (winpmem/LiME will be discussed for volatile memory acquisition)
    - (dd will be discussed for persistent memory acquisition)
    And for analysis we will be using:
    - Wireshark (network capture analysis)
    - (chaosreader/SiLK will be discussed for automated packet capture extraction/analysis)
    - Volatility/NAFT (volatile memory analysis)
    - (Bulk Extractor will be discussed for persistent memory analysis)
  • 32. WIRESHARK BASICS FRAMES, STREAMS, AND FILTERS OH MY! Open Wireshark, and follow along with me:
    - Notice OSI structure for packet dissectors
    - Color represents level of OSI model/unique protocols
    - Display filters (including auto-generation of filter)
    - Following TCP streams (okay, so it’s still a display filter)
    Resource for Display filters: http://www.firstdigest.com/2009/05/wiresharks-most-usefuldisplay-filters/
  • 33. EXERCISE 1 CAPTURING BROWSER TRAFFIC JOINT ACTIVITY:10 MINUTES Summary: Start a network capture with Wireshark, note the initial traffic, open a web browser, note the traffic generated by this action, browse to a webpage, stop the capture, and use Wireshark to extract file artifacts from the HTTP/TCP streams.
  • 34. CASE STUDY: ANN AND THE APPLE TV This is a challenge provided by the network forensic puzzle contest. The pcap and questions can be downloaded from http://forensicscontest.com/2009/12/28/anns-appletv It’s included to highlight the fact that over the past decade, unique sources of evidence in the form of embedded devices and appliances have crept into the consumer world, offering additional, potentially useful, information about a suspect’s habits, anomalous activities, and whereabouts.
  • 35. EXERCISE 2 ANN AND THE APPLE TV JOINT ACTIVITY: 20MIN Summary: Given a pcap of an individual’s interactions with an AppleTV, answer the associated questions. Questions: 1. What is the MAC address of Ann’s AppleTV? 2. What User-Agent string did Ann’s AppleTV use in HTTP requests? 3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)? 4. What was the title of the first movie Ann clicked on? 5. What was the full URL to the movie trailer (defined by “preview-url”)? 6. What was the title of the second movie Ann clicked on? 7. What was the price to buy it (defined by “price-display”)? 8. What was the last full term Ann searched for?
  • 36. SOLUTIONS: ANN AND THE APPLE TV WIRESHARK FILTERS TO FIND SOLUTIONS
    1) What is the MAC address of Ann’s AppleTV? Filter: eth.addr == 00:25:00:fe:07:c4
    2) What User-Agent string did Ann’s AppleTV use in HTTP requests? Filter: http.user_agent == "AppleTV/2.4"
    3) What were Ann’s first four search terms on the AppleTV (all incremental searches count)? Filter: http.request.uri contains "/MZSearch.woa/wa/incrementalSearch"
    4) What was the title of the first movie Ann clicked on? Filter: http.request.uri contains "viewMovie?"
    5) What was the full URL to the movie trailer (defined by “preview-url”)? Filter: http.request.uri contains "viewMovie?"
    6) What was the title of the second movie Ann clicked on? Filter: http.request.uri contains "viewMovie?"
    7) What was the price to buy it (defined by “price-display”)? Filter: http.request.uri contains "viewMovie?"
    8) What was the last full term Ann searched for? Filter: http.request.uri contains "/MZSearch.woa/wa/incrementalSearch"
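Slide 19 lists the context worth pulling from each layer and slide 36 gives the Wireshark display filters that answer the Apple TV questions; the following Python is an added example, not code from the slides or the contest, that parses a constructed pcap with only the standard library, records the Layer 2/3/4/7 context of every frame, and applies the equivalent of eth.addr, http.user_agent and http.request.uri contains to answer the first three questions. The packets, hosts, IP addresses and the q= query parameter are assumptions; only the MAC address, the User-Agent and the URI fragments come from the slide.

```python
# Added example (not the slides' own code): the per-layer context the slides list, pulled out
# of a pcap the way the Wireshark filters eth.addr / http.user_agent / http.request.uri do.
# Standard library only. Every packet, host, IP and search term below is constructed.
import struct
from urllib.parse import parse_qs, urlparse

mac_str = lambda raw: ":".join(f"{b:02x}" for b in raw)   # Layer 2 address as Wireshark shows it
ip_str = lambda raw: ".".join(str(b) for b in raw)          # Layer 3 dotted quad

def eth(src_mac, dst_mac, ethertype, payload):   # Ethernet II: dst MAC, src MAC, EtherType
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)

def ipv4_tcp(src_ip, dst_ip, sport, dport, payload):   # IPv4 + TCP, no options, checksums 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ip + tcp + payload

def http_get(uri, host, user_agent):   # Layer 7: minimal HTTP/1.1 request
    return f"GET {uri} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {user_agent}\r\n\r\n".encode()

def build_pcap(frames):   # pcap image: 24-byte global header (link type 1 = Ethernet) + records
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):   # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1262000000 + i, 0, len(frame), len(frame)) + frame
    return out

APPLETV_MAC = "00:25:00:fe:07:c4"  # the address the slide's eth.addr filter names
LAPTOP_MAC = "00:1c:42:00:00:01"   # constructed second host on the same segment
ROUTER_MAC = "00:1d:7e:00:00:02"   # constructed default gateway
SEARCH = "/MZSearch.woa/wa/incrementalSearch?q="  # the 'q' parameter name is an assumption
TV, LAPTOP = ("192.168.1.10", APPLETV_MAC), ("192.168.1.20", LAPTOP_MAC)

def get_from(host, sport, uri, user_agent):   # one GET from (ip, mac) via the gateway to a server
    return eth(host[1], ROUTER_MAC, 0x0800,
               ipv4_tcp(host[0], "203.0.113.5", sport, 80, http_get(uri, "search.example", user_agent)))

SAMPLE_PCAP = build_pcap([
    eth(APPLETV_MAC, "ff:ff:ff:ff:ff:ff", 0x0806,   # ARP request: no IPv4, the dissector skips it
        b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
    get_from(TV, 49152, SEARCH + "h", "AppleTV/2.4"),
    get_from(TV, 49153, SEARCH + "ha", "AppleTV/2.4"),
    get_from(LAPTOP, 50000, SEARCH + "zzz", "Mozilla/5.0"),   # someone else's search, other eth.addr
    eth(LAPTOP_MAC, ROUTER_MAC, 0x0800,   # TLS record bytes on 443: TCP, but no HTTP request line
        ipv4_tcp(LAPTOP[0], "203.0.113.9", 50001, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03")),
    get_from(TV, 49154, SEARCH + "hac", "AppleTV/2.4"),
    get_from(TV, 49155, "/MZStore.woa/wa/viewMovie?id=1", "AppleTV/2.4"),
])

def dissect(frame):   # per-layer context of one Ethernet/IPv4/TCP frame, None for anything else
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    ip = frame[14:14 + ihl]
    if ip[9] != 6:                                        # protocol 6 = TCP
        return None
    tcp = frame[14 + ihl:]
    payload = tcp[(tcp[12] >> 4) * 4:]                    # data offset skips the TCP header
    sport, dport = struct.unpack_from("!HH", tcp)                                   # Layer 4
    rec = {"src_mac": mac_str(frame[6:12]), "dst_mac": mac_str(frame[:6]),          # Layer 2
           "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),                 # Layer 3
           "sport": sport, "dport": dport, "method": None, "uri": None, "user_agent": None}
    head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):   # an HTTP request line (Layer 7)
        rec["method"], rec["uri"] = parts[0].decode(), parts[1].decode()
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"user-agent":
                rec["user_agent"] = value.strip().decode()
    return rec

def parse_pcap(data):   # walk the pcap records (either byte order) and dissect every frame
    order = "<" if struct.unpack_from("<I", data)[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    pos, records = 24, []
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(order + "IIII", data, pos)[2]
        records.append(dissect(data[pos + 16:pos + 16 + incl_len]))
        pos += 16 + incl_len
    return [r for r in records if r is not None]

def frames_with_mac(records, mac):   # eth.addr == mac
    return [r for r in records if mac in (r["src_mac"], r["dst_mac"])]

def user_agents(records, mac):   # http.user_agent, narrowed to one device's frames
    return sorted({r["user_agent"] for r in frames_with_mac(records, mac) if r["user_agent"]})

def incremental_searches(records, mac):   # http.request.uri contains "/MZSearch.woa/wa/incrementalSearch"
    terms = []
    for r in frames_with_mac(records, mac):
        if r["uri"] and "/MZSearch.woa/wa/incrementalSearch" in r["uri"]:
            terms.append(parse_qs(urlparse(r["uri"]).query).get("q", [""])[0])
    return terms
```

Narrowing every filter to the device's MAC first is what keeps another host's searches on the same segment (the laptop frame above) out of Ann's answer; on a real capture the same functions run over the bytes of the contest pcap instead of SAMPLE_PCAP.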
  • 37. INTERMISSION TIME FOR LUNCH! INDIVIDUAL OR JOINT ACTIVITY Summary: om nom nom.
  • 38. PRACTICE MAKES NEAR-PERFECT MOOOOOOOOOAR WIRESHARK Now that you’ve been exposed to display filters, content extractors, and the dissectors within Wireshark, we are going to take a deeper dive. The next exercise will familiarize you with some of Wireshark’s other features.
  • 39. EXERCISE 3 10 MINUTES OF INTERNET INDIVIDUAL ACTIVITY: 30 MINUTES Summary: You’ve been provided with a slice of an enterprise network capture. You are charged with identifying different network segments, and extracting data from different protocols within the capture using Wireshark. There is not a right/wrong answer: this is exploratory. Hint: Follow the TCP streams, and remember that not everything worth extracting is a file.
  • 40. VOLATILE MEMORY ANALYSIS FOR NETWORK ARTIFACTS We are going to use Volatility, an open source volatile memory analysis tool originally developed here at Purdue by Aaron Walters. A special thanks to Aaron and his team! Specifically, we are going to walk through the following network forensic steps on volatile memory:
    - identifying network connections that were active at the time of the memory capture
    - scanning processes which have had active connections for evidence of malware
    - extracting a malicious DLL that was injected over the network, and comparing it to one carved from a packet capture that triggered on the same attack
    - extracting packets from volatile memory and analyzing them for further evidence
  • 41. VOLATILE MEMORY ANALYSIS FOR NETWORK ARTIFACTS Basic Usage: Volatility -f <filename> <plugin> e.g. Volatility -f xp_infected.vmem pslist
    Offset(V)  Name          PID  PPID  Thds  Hnds  Sess   Wow64  Start                Exit
    ---------- ------------- ---- ----- ----- ----- ------ ------ -------------------- ----
    0x865c6830 System           4     0    58   283 ------      0
    0x8647b020 smss.exe       544     4     3    19 ------      0 2013-02-24 06:40:30
    0x864db020 csrss.exe      616   544    12   371      0      0 2013-02-24 06:40:33
    0x863adda0 winlogon.exe   640   544    18   514      0      0 2013-02-24 06:40:33
    0x85fc1c90 services.exe   684   640    16   271      0      0 2013-02-24 06:40:33
    0x86044ae0 lsass.exe      696   640    20   350      0      0 2013-02-24 06:40:33
    0x860064f8 vmacthlp.exe   852   684     1    25      0      0 2013-02-24 06:40:33
    0x862772c0 svchost.exe    868   684    20   198      0      0 2013-02-24 06:40:33
    0x86098760 svchost.exe    952   684     9   268      0      0 2013-02-24 06:40:34
    See: https://code.google.com/p/volatility/wiki/CommandReference23#Networking
    See also: https://blogs.sans.org/computer-forensics/files/2012/04/Memory-ForensicsCheat-Sheet-v1_2.pdf
  • 42. EXERCISE 4 BAD ACTORS AND BAD HABITS INDIVIDUAL/JOINT ACTIVITY Summary: You’ve been provided with a pcap and a volatile memory capture that contain evidence of a network exploitation. Determine where the exploit occurred in the pcap, and extract the malicious executable. Then find network artifacts in the memory capture which correlate to the pcap and compare. Hint: https://code.google.com/p/volatility/wiki/CommandReference23#Networking Bonus Hint: The executable is also in memory :D do they match?
  • 43. SUMMARY
    - Network forensics can present problems with repeatability and rules of evidence when it comes to acquisition of the evidence because it is transient.
    - The network forensic process is largely the same as that of a traditional digital forensic investigation.
    - Network forensics is more than just packets on the wire.
    - Network forensics spans transmission, volatile memory, and persistent memory.
    - Use the right tools for the job – small packet captures can successfully be analyzed with Wireshark; large scale captures may need to be automatically parsed before narrowing down sections which can be further analyzed.
    Hopefully, you walk away with a little more hands-on experience.
  • 44. PARTING THOUGHTS
    - You still have a lot to learn (I still have a lot to learn)
    - Technology is constantly evolving; you need to stay current
    - As they say, practice makes perfect (well….nobody’s perfect :D)
    - If this topic interests you, speak to me later or research: Structured Traffic Analysis; Network Security Monitoring (Richard Bejtlich just released a new book); Intrusion Detection Systems; https://tools.netsa.cert.org; https://www.enisa.europa.eu/activities/cert/support/exercise
  • 45. COMMENTS AND WRAP-UP Thank you! Questions?
  • 46. ADDENDUM IN CASE OF EXTRA TIME, BREAK EXERCISE Summary: Exercise05 involves using bulk_extractor to extract network “features”