Day 5
Day 5
• Packet Capture: Collects real-time network traffic or retrieves stored packet data
for in-depth examination. This feature allows users to capture all traffic moving
through a network interface or a targeted segment of the network.
• Protocol Analysis: Decodes a wide range of protocols such as HTTP, TCP, DNS,
SSL, and others, giving insights into the specifics of each network conversation and
enabling better understanding and problem-solving.
• Traffic Analysis: Provides patterns and trends by analyzing data flow. It identifies
"normal" behavior in network traffic and makes it easier to spot unusual or
suspicious anomalies, which can be a red flag for potential security issues.
• Data Export: Offers options for exporting captured data in various formats
(e.g., .pcap, .txt), making it easy to archive data for long-term storage or conduct
further analysis in other specialized tools.
•
• Network Protocol Analyzers in Security
• Network protocol analyzers play a crucial role in network security and forensic
analysis:
• Intrusion Detection: Detects abnormal or suspicious network behavior, such as
unusual port scanning or unexpected IP address communications, which might
indicate ongoing attacks or reconnaissance activities.
• Data Breach Detection: Identifies potential unauthorized attempts to exfiltrate
sensitive data by recognizing unusual data flows and traffic patterns.
• Traffic Monitoring: Allows continuous monitoring to detect unauthorized
communication channels, unauthorized protocol usage, or malicious domains,
helping to prevent breaches or isolate infected systems.
•
• Below are some of the most commonly used network protocol analyzers that cater
to various security and network analysis needs:
• Wireshark: A widely used, open-source protocol analyzer known for its extensive
protocol support and robust packet analysis capabilities.
• Tcpdump: A command-line tool that provides basic packet capture and analysis,
popular among professionals who prefer lightweight, fast network analysis.
• NetFlow: Primarily used for traffic analysis and monitoring. It helps detect
anomalies and generates reports on network usage trends.
• Nmap: Known primarily as a network scanner, Nmap also offers packet capture
capabilities and is especially useful for network discovery and security auditing.
• NetworkMiner: A network forensic tool that focuses on reconstructing sessions
and extracting files from packet captures, making it a valuable tool for forensic
analysis.
•
b. Hands-on Examples
Scope: Computer forensics encompasses a wide array of digital devices and sources,
including hard drives, USB devices, mobile devices, network logs, emails, memory dumps,
cloud storage, and much more.
1. Volatile Evidence: Data that is lost when a device is powered off, such as RAM
contents, running processes, and open network connections.
2. Non-Volatile Evidence: Persistent data stored on physical media, including
documents, emails, and system logs on hard drives or external storage.
3. Network Evidence: Logs from network devices like routers, firewalls, and network
appliances, which can reveal traffic patterns and suspicious connections.
4. Cloud Evidence: Data stored on third-party cloud platforms, including user files,
system logs, and account activities.
5. Mobile Evidence: Information extracted from mobile devices, including call
records, SMS, app data, and geolocation data.
• Disk Imaging: Tools like dd, FTK Imager, and EnCase create exact copies (images)
of storage media to preserve the original data.
• File Recovery: Autopsy, Recuva, and R-Studio are used to retrieve deleted files,
especially those removed without standard deletion practices.
• Log Analysis: Tools like Log Parser and Splunk allow detailed examination of logs to
identify abnormal or suspicious activity patterns.
• Memory Forensics: Volatility and Rekall analyze memory (RAM) dumps to extract
valuable insights on live processes, network connections, and potential malware.
1. Primary Data: The core evidence consisting of raw files, documents, emails,
images, and other user-generated content that may contain traces of activity or
incriminating data.
2. Metadata: Often hidden, metadata includes detailed information about files, such
as creation and modification dates, geolocation tags in images, and application-
specific attributes, offering insights into file history and usage.
3. Registry Data: On Windows systems, the registry stores configuration settings,
system preferences, and user activity, such as connected USB devices and recently
accessed files, making it valuable for user activity reconstruction.
4. System Artifacts: Transient data like log files, temporary files, cache, and browser
history. These artifacts often reveal application usage patterns, internet browsing
history, and interaction timelines, providing context to user activities.
Handling digital evidence demands careful security practices to maintain data integrity
and confidentiality:
Forensic investigations often involve analyzing evidence to trace the path and impact of
specific attacks:
• Ransomware Analysis:
o Attack Vector: Ransomware encrypts files on the victim’s system and
demands a ransom payment for the decryption key.
o Forensic Steps: Identify the ransomware variant, trace the initial infection
vector (e.g., email, exploit, or remote desktop), and attempt decryption if
feasible. Examination may also reveal shadow copies or alternative recovery
options.
• Phishing Attack Investigation:
o Attack Vector: Phishing emails are crafted to impersonate trusted entities,
often aiming to steal user credentials or install malware.
o Forensic Steps: Analyze email headers to identify sender IPs, extract any
embedded links or attachments, and cross-reference with known phishing
domains. Correlate with affected users’ login history to identify potential
data compromise.
• APT Detection and Investigation:
o Attack Vector: Advanced Persistent Threats (APTs) are sophisticated,
prolonged attacks often targeting sensitive data in specific organizations or
industries.
o Forensic Steps: Utilize threat intelligence to identify known indicators of
compromise (IOCs), monitor C2 (Command and Control) traffic, collect
malware samples, and conduct behavior analysis to understand attacker
motives and techniques.
Evidence Collection Tools
Different forensic tools are specialized for capturing and analyzing specific types of digital
evidence:
• Forensic Images: FTK Imager and dd are popular tools for creating exact forensic
copies (images) of disks, preserving the original data for analysis.
• Memory Analysis: Volatility is used to examine RAM dumps, revealing processes,
active connections, and possible malware.
• Network Evidence: Tcpdump and Wireshark capture live network traffic, enabling
forensic analysis of network data, including packet inspection for signs of
infiltration or data exfiltration.
1. Data Carving:
a. Purpose: Recover data from unallocated or deleted space where traditional
file recovery methods may fail.
b. Tools: PhotoRec and Foremost can extract specific file types, like JPEGs,
from partially overwritten or fragmented files.
c. Example: Carving out partially deleted images from a memory dump to
recover visual evidence.
2. Timeline Analysis:
a. Purpose: Establish the sequence of events related to a security incident or
user activity.
b. Tools: Plaso and Autopsy enable the creation of detailed timelines, showing
the order and timestamps of events.
c. Example: Correlating file modification timestamps with user logins to
determine if unauthorized access occurred during a breach.
3. Keyword Searching:
a. Purpose: Quickly locate relevant terms or patterns within large datasets,
facilitating targeted investigation.
b. Tools: Sleuth Kit supports advanced keyword searches for sensitive terms
like "confidential" or specific user IDs.
c. Example: Searching for "confidential" in an employee’s emails to investigate
possible data leaks.
4. Registry Analysis:
a. Purpose: Examine the Windows registry to reveal user activity and system
changes, such as installed applications and user activity logs.
b. Tools: Registry Explorer and RegRipper are used to parse and analyze registry
data.
c. Example: Identifying recently accessed files or recently installed software on
a suspect's system.
Reporting