Module 6.
Network Forensics
(part 3)
Topics
• Networking Fundamentals
• Types of Networks
• Network Security Tools
• Network Attacks
• Incident Response
• Network Evidence & Investigation
Networking Fundamentals
Network Concepts
• TCP/IP (Transmission Control Protocol / Internet Protocol)
– The common language for the Internet
• Client/Server Network
– Each computer has one of the roles: client or server
– Modern computers mix the roles
• Peer-to-peer Network
– Every member has same role, as both client and server
– Commonly used with bittorrent to share files illegally
Network Types
• LAN (Local Area Network)
– Within a single building or a few nearby buildings
• WAN (Wide Area Network)
– Larger area
• Internet
– Largest WAN, the whole world
• MAN (Metropolitan Area Network)
• PAN (Personal Area Network)
– Bluetooth: max. range 10 meters
• CAN (Campus Area Network)
IP Addresses
• IPv4: 32 bits, in four octets
– Each octet written as a decimal number 0-255
– Ex: 192.168.1.101
– Only four billion total addresses
– They are running out
• IPv6: 128 bit in eight 16-bit fields
– Each field a 4-character hexadecimal value
– Range 0000 – FFFF
– Ex: 2001:0db8:0000:0000:1111:2222:3333:4444
– Many addresses: 300 billion billion billion billion
Network Security Tools
Firewalls, IDS, and Sniffers
• Filters inbound and, optionally, outbound traffic
• Simple firewalls filter based on packet headers
– IP address, port number
• Layer 7 firewall
– Looks inside packet to discriminate more
– Can detect Facebook, TeamViewer, BitTorrent
• Intrusion Detection System
– Blocks malicious traffic based on a set of definitions
– Ex: Snort
• Sniffer
– Captures packets for analysis
– Ex: Wireshark
Network Attacks
Network Attacks
• DDoS (Distributed Denial of Service)
– Many bots attack a server
• IP Spoofing
– False Source IP in packets
– Can make attacks appear to come from trusted sources
• Man-in-the-Middle
– Intercept traffic
– Attacker can examine or alter data
– Can impersonate user
– Defense is SSL
Social Engineering
• Tricking people into security violations
Most Common Hacking Methods
• Backdoor
– From a malware infection allowing remote control
• Footprinting
– Gathering public information about a target
• Fingerprinting
– Scanning a target for open ports and other information
• Based on a 2011 Verizon study
Insider Threat
• The biggest threat
• Does more harm than external attacks
• Difficult to detect or prevent
Incident Response
NIST Process
• Preparation
– Planning for security incidents
– Proactive defenses, such as
• Hardening systems
• Patching
• Perimeter defense
• User awareness training
• Policies, procedures, and guidelines
• Detection and Analysis
– IDS produce false positives
– Network traffic is erratic
NIST Process
• Containment
• Eradication
• Recovery
• Postincident Review
– Root-cause analysis
– Plan how to prevent future incidents
– Revise policies and procedures
Network Evidence & Investigation
Where is the Evidence?
• All devices along the route may contain log files
– Servers
– Routers
– Firewalls
– Evidence may be volatile
Log Files
• Authentication log
– Account and IP address of users
• Application log
– Timestamps shown when application was used and by whom
• Operating system log
– Track reboots, file access, clients served, and much more
• Device logs
– On routers and firewalls
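As an added example (not from the slides), the following Python script shows the kind of log work these two slides describe: it pulls account and source IP out of constructed sshd-style authentication lines, flags a source that fails repeatedly and then succeeds, and corroborates that source against a constructed firewall log from another device on the route. The log formats and IP addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a Linux sshd authentication log.
AUTH_LOG = """\
Mar  4 10:01:12 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  4 10:01:15 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  4 10:01:20 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  4 10:02:02 web1 sshd[2210]: Accepted password for alice from 198.51.100.23 port 40010 ssh2
Mar  4 10:05:44 web1 sshd[2230]: Accepted password for root from 203.0.113.7 port 51190 ssh2
"""

# Constructed firewall log for the same window (assumed key=value format).
FW_LOG = """\
2024-03-04T10:01:10Z action=ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-04T10:02:00Z action=ACCEPT src=198.51.100.23 dst=10.0.0.5 dport=22
2024-03-04T10:05:40Z action=ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
"""

# Outcome, account name and source IP from an sshd password-auth line.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) password for (?:invalid user )?(\S+) from (\S+) port"
)

def parse_auth(log):
    """Return a list of (outcome, account, ip) tuples, one per matching line."""
    events = []
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groups())
    return events

def suspicious_sources(events, threshold=3):
    """Map source IP -> account for sources with >= threshold failures
    followed by a success (a simple brute-force-then-login signature)."""
    failures = defaultdict(int)
    flagged = {}
    for outcome, account, ip in events:
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            flagged[ip] = account
    return flagged

def corroborate(ip, fw_log):
    """Count firewall records from the same source IP; an independent
    device's log supports (or contradicts) what the host log claims."""
    return sum(1 for line in fw_log.splitlines() if f"src={ip} " in line)
```

Because the syslog lines carry no year and the firewall uses ISO timestamps, a real investigation also has to normalise clocks before merging the two sources into one timeline.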
Network Investigative Tools
• Wireshark
– Sniffer
• NetIntercept
– Hardware appliance to record network traffic
• NetWitness Investigator
– Can gather and analyze network traffic
• Snort
– IDS
NetIntercept
Network Investigation Challenges
• IP addresses can be spoofed
– Bounced through proxies
– Or through compromised systems
– Or through the Tor anonymity network
• Logs are often incomplete or absent
– Logs are erased after some time
– Attackers can erase logs
• Jurisdiction
– Attacks can cross state or national boundaries
• Q&A
http://fpt.edu.vn 06/04/24 28