Module 6 - Network-Forensics

The document discusses network forensics and covers topics such as networking fundamentals, network security tools, network attacks, incident response, and network evidence investigation. It describes concepts like TCP/IP, client-server and peer-to-peer networks, different network types, IP addresses, common network security tools, types of network attacks, the NIST incident response process, and challenges with network investigation.

Uploaded by

dungnthe172688
Copyright © All Rights Reserved
Module 6.

Network Forensics
(part 3)
Topics

• Networking Fundamentals
• Types of Networks
• Network Security Tools
• Network Attacks
• Incident Response
• Network Evidence & Investigation
Networking Fundamentals
Network Concepts

• TCP/IP (Transmission Control Protocol / Internet Protocol)
– The common language for the Internet
• Client/Server Network
– Each computer has one of the roles: client or server
– Modern computers mix the roles
• Peer-to-peer Network
– Every member has the same role, acting as both client and server
– Commonly used with BitTorrent to share files illegally
Network Types

• LAN (Local Area Network)
– Within a single building or a few nearby buildings
• WAN (Wide Area Network)
– Larger area
• Internet
– Largest WAN, the whole world
• MAN (Metropolitan Area Network)
• PAN (Personal Area Network)
– Bluetooth: max. range 10 meters
• CAN (Campus Area Network)
IP Addresses

• IPv4: 32 bits, in four octets
– Each octet written as a decimal number 0-255
– Ex: 192.168.1.101
– Only four billion total addresses
– They are running out
• IPv6: 128 bits in eight 16-bit fields
– Each field a 4-character hexadecimal value
– Range 0000 – FFFF
– Ex: 2001:0db8:0000:0000:1111:2222:3333:4444
– Many addresses: 300 billion billion billion billion
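As an added example (not from the slides), the two address formats above parsed by hand: IPv4 as four decimal octets into a 32-bit integer, IPv6 expanded to its eight 4-digit hex fields, including the `::` shorthand that compresses a run of zero fields, plus a classifier useful when pulling addresses out of log files. Function names are my own.

```python
import re
from typing import Optional


def parse_ipv4(text: str) -> int:
    """Dotted-decimal IPv4 (four octets, each 0-255) -> 32-bit integer."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"IPv4 needs four octets: {text!r}")
    value = 0
    for octet in octets:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"octet must be 0-255: {octet!r}")
        value = (value << 8) | int(octet)
    return value


def expand_ipv6(text: str) -> str:
    """Expand IPv6 to eight 4-digit hex fields (0000-ffff), resolving the
    '::' shorthand that stands for one run of all-zero fields."""
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError("'::' must replace at least one field")
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = text.split(":")
    if len(fields) != 8:
        raise ValueError(f"IPv6 needs eight fields: {text!r}")
    if not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", f) for f in fields):
        raise ValueError(f"fields must be 1-4 hex digits: {text!r}")
    return ":".join(f"{int(f, 16):04x}" for f in fields)


def classify_address(text: str) -> Optional[str]:
    """Label a string taken from a log as 'IPv4', 'IPv6', or None if neither."""
    try:
        parse_ipv4(text)
        return "IPv4"
    except ValueError:
        pass
    try:
        expand_ipv6(text)
        return "IPv6"
    except ValueError:
        return None
```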
Network Security Tools
Firewalls, IDS, and Sniffers

• Firewall
– Filters inbound and, optionally, outbound traffic
• Simple firewalls filter based on packet headers
– IP address, port number
• Layer 7 firewall
– Looks inside packet to discriminate more
– Can detect Facebook, TeamViewer, BitTorrent
• Intrusion Detection System
– Blocks malicious traffic based on a set of definitions
– Ex: Snort
• Sniffer
– Captures packets for analysis
– Ex: Wireshark
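An added example (my own code, not from the slides) contrasting the two firewall types above: a header-only filter that decides on protocol and port, and a layer-7 stage that inspects the payload of flows the header rules let through. The policy and packets are constructed; the BitTorrent handshake prefix is the real one, while the Facebook signature assumes cleartext HTTP.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""


# Constructed header-only policy, evaluated top to bottom like a simple
# layer 3/4 firewall: allow web and DNS, deny everything else.
HEADER_RULES = [
    ("allow", {"proto": "tcp", "dst_port": 443}),
    ("allow", {"proto": "tcp", "dst_port": 80}),
    ("allow", {"proto": "udp", "dst_port": 53}),
    ("deny", {}),   # catch-all
]


def header_filter(pkt: Packet) -> str:
    """Decide on protocol/port fields only; the payload is never read."""
    for action, match in HEADER_RULES:
        if all(getattr(pkt, key) == val for key, val in match.items()):
            return action
    return "deny"


# Constructed layer-7 signatures matched against payload bytes. The first is the
# real BitTorrent handshake prefix (length byte 0x13 + protocol name); the
# second assumes cleartext HTTP, since over TLS the Host header is encrypted
# and a content-aware firewall would have to rely on the TLS SNI instead.
L7_SIGNATURES = {
    "bittorrent": b"\x13BitTorrent protocol",
    "facebook-http": b"Host: www.facebook.com",
}


def layer7_classify(pkt: Packet) -> Optional[str]:
    for app, signature in L7_SIGNATURES.items():
        if signature in pkt.payload:
            return app
    return None


def layer7_filter(pkt: Packet, blocked=("bittorrent",)) -> Tuple[str, Optional[str]]:
    """Header rules first, then payload inspection for flows that were allowed."""
    verdict = header_filter(pkt)
    if verdict != "allow":
        return verdict, None
    app = layer7_classify(pkt)
    if app in blocked:
        return "deny", app
    return "allow", app
```

A BitTorrent handshake sent to port 443 passes the header filter but is caught by the layer-7 stage, which is the discrimination the slide refers to.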
Network Attacks
Network Attacks

• DDoS (Distributed Denial of Service)
– Many bots attack a server
• IP Spoofing
– False Source IP in packets
– Can make attacks appear to come from trusted sources
• Man-in-the-Middle
– Intercept traffic
– Attacker can examine or alter data
– Can impersonate user
– Defense is SSL
Social Engineering

• Tricking people into security violations
Most Common Hacking Methods

• Backdoor
– From a malware infection allowing remote control
• Footprinting
– Gathering public information about a target
• Fingerprinting
– Scanning a target for open ports and other information
• Based on a 2011 Verizon study
Insider Threat

• The biggest threat
• Does more harm than external attacks
• Difficult to detect or prevent
Incident Response
NIST Process

• Preparation
– Planning for security incidents
– Proactive defenses, such as
• Hardening systems
• Patching
• Perimeter defense
• User awareness training
• Policies, procedures, and guidelines
• Detection and Analysis
– An IDS produces false positives
– Network traffic is erratic
NIST Process

• Containment
• Eradication
• Recovery
• Postincident Review
– Root-cause analysis
– Plan how to prevent future incidents
– Revise policies and procedures
Network Evidence & Investigation
Where is the Evidence?

• All devices along the route may contain log files
– Servers
– Routers
– Firewalls
– Evidence may be volatile
Log Files

• Authentication log
– Account and IP address of users
• Application log
– Timestamps shown when application was used and by whom
• Operating system log
– Track reboots, file access, clients served, and much more
• Device logs
– On routers and firewalls
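The authentication-log entry above says such logs record the account and IP address of users; as an added example (not from the slides), here is a parser for sshd-style syslog lines that extracts those fields, summarizes activity per source IP, and flags the pattern an investigator looks for first: a successful login from an address that had just failed repeatedly. The log lines are constructed and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in sshd/syslog style; not taken from any real host.
AUTH_LOG = """\
Mar  3 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  3 09:12:04 web01 sshd[2211]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  3 09:12:09 web01 sshd[2215]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  3 09:12:15 web01 sshd[2219]: Accepted password for root from 198.51.100.23 port 51041 ssh2
Mar  3 09:20:40 web01 sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_auth_log(text: str) -> list:
    """Turn matching lines into dicts with ts, host, result, method, user, ip, port."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_ip(events: list) -> dict:
    """Map each source IP to the accounts it touched and its fail/success counts."""
    summary = defaultdict(lambda: {"users": set(), "failed": 0, "accepted": 0})
    for e in events:
        entry = summary[e["ip"]]
        entry["users"].add(e["user"])
        entry[e["result"].lower()] += 1
    return dict(summary)


def flag_success_after_failures(events: list, threshold: int = 3) -> list:
    """Return (ip, user, ts) for accepted logins preceded by >= threshold
    failures from the same IP: the guessing-then-success pattern worth a case."""
    failures = defaultdict(int)
    flagged = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold:
            flagged.append((e["ip"], e["user"], e["ts"]))
    return flagged
```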
Network Investigative Tools

• Wireshark
– Sniffer
• NetIntercept
– Hardware appliance to record network traffic
• NetWitness Investigator
– Can gather and analyze network traffic
• Snort
– IDS
NetIntercept
Network Investigation Challenges

• IP addresses can be spoofed
– Bounced through proxies
– Or through compromised systems
– Or through the Tor anonymity network
• Logs are often incomplete or absent
– Logs are erased after some time
– Attackers can erase logs
• Jurisdiction
– Attacks can cross state or national boundaries
• Q&A

http://fpt.edu.vn 06/04/24 28
