Guide to Computer Forensics and Investigations, Second Edition




Chapter 12: Network Forensics

Objectives
- Understand Internet fundamentals
- Understand network basics
- Acquire data on a Linux computer
- Understand network forensics
- Understand the use of network tools
- Understand the goals of the Honeynet Project

Understanding Internet Fundamentals
- Internet = a collection of networks
- Internet protocols for message exchange (e-mail and others)
- Internet Service Provider (ISP): the Internet entry point, accessed with a username and password
- Common software: Web browsers and e-mail clients

Internet Protocols
- Standards and rules; every computer must observe a protocol
- TCP/IP: the default Internet protocol suite
  - TCP: connection-oriented
  - UDP: connectionless
- Addressing (IPv4): 32 bits long, divided into four groups of 8 bits (binary representation)
  - Dotted quad notation (205.55.29.170)
  - Several address classes (A, B, C, D and E)
- Domain Name System (DNS): translates named addresses to IP addresses, or vice versa

Understanding Network Basics
- Hardening networks: applying the latest patches; layered network defense strategies
- Protocols: TCP/IP, IPX/SPX
- Network Address Translation (NAT): translates IP addresses
- DHCP: dynamically assigns IP addresses to hosts
- Attacks: internal and external; in the early and mid-1990s roughly 70% were internal and 30% external

Acquiring Data on Linux Computers
- dd command
  - Disk-to-disk copy
  - Disk-to-image file
  - Block-to-block copy
  - Block-to-file copy
- File systems handled: Ext2fs, Ext3fs, NTFS, FAT, HFS, HPFS
- gzip command to compress image files

Acquiring Data on Linux Computers
- Linux boot disks: Knoppix, MandrakeMove, Fedora Rescue, Gentoo Live, F.I.R.E., Penguin Sleuth Kit, Tom's Root Boot Kit

Acquiring Data on Linux Computers
- Steps for using dd
  1. Boot the PC in Linux
  2. Create disk mounting points
  3. Mount all disks needed
  4. Create the copies
- For multiple volumes: determine the number of bytes per volume and calculate the number of segments you need to create
- Linux dd script file: input source, output destination, block size, number of blocks to save
- Hash check against the original media: Linux md5sum command, Linux sha1sum command

Acquiring Data on Linux Computers
- Image creation script example (script not reproduced in this transcription)
- Image restore script example (script not reproduced in this transcription)

Understanding Network Forensics
- Systematic tracking of incoming and outgoing traffic
- Need to know normal traffic behavior
- Intruders leave traces behind; experienced intruders are harder to trace
- Determine the cause of the abnormal traffic: an internal bug or attackers

Approach to Network Forensics
- Long, tedious process
- Standard procedure:
  - Use a standard image for machines on the network
  - Close any way in after an attack
  - Acquire all compromised drives
  - Make a bit-stream image of the drives
  - Compare the images to the original images
  - Optionally, store images on a server
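The dd steps above (segment calculation, block-size dd copy, md5sum/sha1sum check of the original media) and the "make a bit-stream image, then compare" step of the Approach to Network Forensics slide, as an added shell example. It is not the textbook's script (the slide's own script images are not present in this transcription). It assumes GNU coreutils, a 512-byte dd block size, segment sizes that are a multiple of 512, and a constructed 10 KiB file standing in for the evidence drive.

```shell
#!/bin/sh
# Segmented dd acquisition with md5sum/sha1sum verification.
# Added example, not the textbook's script. Assumes GNU coreutils (dd,
# md5sum, sha1sum, wc, mktemp). SRC is a regular file here; on a real
# acquisition it is the raw device node (e.g. /dev/sdb) read behind a
# write blocker, never a path inside a mounted filesystem.
set -eu

BS=512   # dd block size; segment sizes must be a multiple of this

# Segments needed to hold $1 bytes at $2 bytes per segment, rounded up
# (the "calculate the number of segments" step of the slide).
calc_segments() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# Copy SRC into PREFIX.000, PREFIX.001, ... of at most SEG_BYTES each.
# conv=noerror,sync keeps dd going past unreadable blocks and zero-pads
# them, so the image stays block-aligned with the original media.
# dd's record counts go to PREFIX.dd.log (keep it with the evidence).
# Prints the number of segments written.
acquire_image() {
    src=$1; prefix=$2; seg_bytes=$3
    total=$(wc -c < "$src" | tr -d ' ')   # for a device use: blockdev --getsize64
    per_seg=$(( seg_bytes / BS ))
    segs=$(calc_segments "$total" "$seg_bytes")
    i=0
    while [ "$i" -lt "$segs" ]; do
        dd if="$src" of="$(printf '%s.%03d' "$prefix" "$i")" bs="$BS" \
           count="$per_seg" skip=$(( i * per_seg )) conv=noerror,sync \
           2>>"$prefix.dd.log"
        i=$(( i + 1 ))
    done
    echo "$segs"
}

# Hash the original media and the reassembled segments with both md5sum
# and sha1sum; print "OK <sha1>" on a match, "MISMATCH" (exit 1) otherwise.
verify_image() {
    src=$1; prefix=$2
    src_md5=$(md5sum < "$src" | cut -d' ' -f1)
    img_md5=$(cat "$prefix".[0-9][0-9][0-9] | md5sum | cut -d' ' -f1)
    src_sha=$(sha1sum < "$src" | cut -d' ' -f1)
    img_sha=$(cat "$prefix".[0-9][0-9][0-9] | sha1sum | cut -d' ' -f1)
    if [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]; then
        echo "OK $src_sha"
    else
        echo "MISMATCH"
        return 1
    fi
}

# Demo on a constructed 10 KiB stand-in for the evidence drive (20 blocks).
WORK=$(mktemp -d)
SAMPLE="$WORK/evidence.dsk"
yes 'constructed evidence block' | head -c 10240 > "$SAMPLE"
SEGS=$(acquire_image "$SAMPLE" "$WORK/evidence.img" 4096)   # 4096 + 4096 + 2048 bytes
echo "wrote $SEGS segments under $WORK"
verify_image "$SAMPLE" "$WORK/evidence.img"
```

Hash the source before and after the copy as well as the image: a drive that is failing can hash differently on two reads, and that difference belongs in the notes rather than being discovered in court. The restore direction (the slide's "image restore script") is the same dd call with the segment files concatenated as input and the target device as output.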

Approach to Network Forensics
- Computer forensics: work from the image to find what has changed
- Network forensics: restore the drives to understand the attack
- Work on an isolated system; this prevents malware from affecting other systems

Network Logs
- Record incoming and outgoing traffic: network servers, routers, firewalls
- Tcpdump: tool for examining network traffic
- Build top-10 lists and look for a pattern
- Attacks might include other companies: Distributed Denial of Service (DDoS)

Using Network Tools
- PsTools suite and related Sysinternals tools
  - RegMon: shows Registry activity in real time
  - Process Explorer: shows what is loaded
  - Handle: shows open files and the processes using them
  - PsExec: runs processes remotely
  - PsGetSid: displays a SID
  - PsKill: kills a process by name or ID
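The log-analysis idea of the Network Logs slide (tcpdump output, top-10 lists, looking for a pattern such as many bare SYNs aimed at one host) as an added shell example that is not from the textbook. It assumes tcpdump's default one-line text output with name resolution disabled (-nn); the capture lines embedded below are constructed for the example, not a real capture.

```shell
#!/bin/sh
# Top-N lists from tcpdump's one-line text output (tcpdump -nn ...).
# Added example, not from the textbook. Assumes awk, sort, head.
set -eu

# Shared tail: sort "count key" lines most frequent first, ties by key
# (LC_ALL=C keeps the ordering deterministic), then keep the top N.
rank() { LC_ALL=C sort -k1,1nr -k2,2 | head -n "$1"; }

# Top-N source hosts. In "IP a.b.c.d.port > ..." the source is field 3;
# its last dotted component is the port, so strip it. ARP/IP6 lines are
# skipped because field 2 is not "IP".
top_talkers() {
    awk '$2 == "IP" { src = $3; sub(/\.[^.]*$/, "", src); c[src]++ }
         END { for (k in c) print c[k], k }' | rank "${1:-10}"
}

# Top-N destination hosts: field 5 is "a.b.c.d.port:"; drop the colon and
# the port. One destination drawing traffic from many sources is the
# DDoS shape the slide mentions.
top_targets() {
    awk '$2 == "IP" { dst = $5; sub(/:$/, "", dst); sub(/\.[^.]*$/, "", dst); c[dst]++ }
         END { for (k in c) print c[k], k }' | rank "${1:-10}"
}

# Sources sending bare SYNs ("Flags [S],", not the "[S.]" of a SYN-ACK):
# many SYNs from one source across ports is a scan, many from many
# sources at one port is a SYN flood; either is abnormal traffic.
syn_sources() {
    awk '$2 == "IP" && /Flags \[S\],/ { src = $3; sub(/\.[^.]*$/, "", src); c[src]++ }
         END { for (k in c) print c[k], k }' | rank "${1:-10}"
}

# Constructed sample in tcpdump -nn format (not a real capture).
SAMPLE='10:00:01.000001 IP 10.0.0.5.44321 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000200 IP 192.168.1.10.80 > 10.0.0.5.44321: Flags [S.], seq 100, ack 2, win 65535, length 0
10:00:01.000400 IP 10.0.0.5.44321 > 192.168.1.10.80: Flags [.], ack 101, win 64240, length 0
10:00:02.000001 IP 203.0.113.7.51000 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
10:00:02.000002 IP 203.0.113.7.51001 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
10:00:02.000003 IP 203.0.113.7.51002 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
10:00:02.000004 IP 198.51.100.9.40000 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
10:00:03.000001 IP 10.0.0.5.44322 > 192.168.1.20.53: UDP, length 40
10:00:03.000002 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28'

echo "top talkers:";   printf '%s\n' "$SAMPLE" | top_talkers 3
echo "top targets:";   printf '%s\n' "$SAMPLE" | top_targets 3
echo "bare-SYN sources:"; printf '%s\n' "$SAMPLE" | syn_sources 3
```

Against a saved capture the same functions run as `tcpdump -nn -r capture.pcap | top_talkers 10`; the -nn matters, because resolved hostnames would break the "strip the last dotted component" parse. Compare the lists against a baseline taken on a normal day, as the Understanding Network Forensics slide says: a top talker is only suspicious relative to what the network usually looks like.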

Using Network Tools
- PsTools suite (continued)
  - PsList: lists details about a process
  - PsLoggedOn: shows who's logged on locally
  - PsPasswd: changes account passwords
  - PsService: controls and views services
  - PsShutdown: shuts down and restarts PCs
  - PsSuspend: suspends processes

UNIX/Linux Tools
- Knoppix-STD tools
  - dcfldd: the U.S. DoD version of dd
  - Memfetch: forces a memory dump
  - PhotoRec: grabs files from a digital camera
  - Snort: intrusion detection system
  - Oinkmaster: helps manage your Snort rules
  - John the Ripper: password cracker
  - chntpw: resets passwords on a Windows PC

UNIX/Linux Tools
- Knoppix-STD tools (continued)
  - Tcpdump: a packet sniffer
  - Ethereal: another packet sniffer
- Packet sniffer: a device or software that monitors network traffic; most work at layer 2 or 3 of the OSI model
- The Auditor
  - Based on Knoppix
  - Contains more than 300 tools: 20 for scanning, 10 for network scanning, brute-force attack, Bluetooth and wireless
  - Autopsy and Sleuth Kit
  - Word lists with more than 64 million entries

Network Sniffers
- Operate at layer 2 or 3 of the OSI model
- Most tools follow the PCAP format
- Tools: Tcpdump, Tethereal, Snort, Tcpslice, Tcpreplay, Tcpdstat, Ngrep, EtherApe, Netdude, Argus, Ethereal, The Auditor

The Honeynet Project
- An attempt to thwart Internet and network hackers
- Provides information about attack methods
- Honeypots: normal-looking computers that lure attackers to them
- Honeywalls: monitor outbound connections; Snort-inline intrusion prevention system
- Its legality has been questioned: cannot be used in court, but can be used to learn about attacks
- Scan of the Month: monthly challenge contest; good as a learning experience

Summary
- Network forensics tracks down internal and external network intrusions
- Most networks today use TCP/IP
- Networks must be hardened by using good architecture
- Each network operating system (NOS) has its own way of handling security, and you must become familiar with how yours operates
- Tools such as PsTools, Knoppix-STD, and others can be used to monitor what's happening on your network
- The Honeynet Project is designed to help people learn the latest intrusion techniques that hackers are using