Computer Forensics Module 8

The document provides an overview of network forensics, emphasizing its importance in detecting and analyzing security incidents through the examination of network traffic. It discusses various types of network attacks, indicators of compromise (IoCs), and the significance of log files in forensic investigations, including their admissibility in court. Additionally, it covers event correlation techniques and the analysis of firewall logs to enhance network security and incident response.

Introduction to Linux Forensics
Network forensics involves capturing and analyzing network traffic to identify security
incidents and potential attackers, aiding in the identification of attack vectors and
sources of breaches.

It plays a crucial role in detecting malicious activities, tracing attackers, and preventing
future incidents by helping investigators understand attack methods and vulnerabilities
exploited.

The complexity of network traffic and the need for detailed analysis make network
forensics a resource-intensive and challenging task, requiring significant time, tools, and
expertise for accurate results.
Network forensics can reveal the following information:
 Source of security incidents
 Intrusion techniques used by attackers
 Path of intrusion
 Traces and evidence of the attack

We Secure your tomorrow, today! (www.quickheal.com)

Postmortem and Real-Time Analysis
Forensic examination of logs can be divided into two categories:

Postmortem
 Postmortem analysis involves investigating past network incidents to determine their origin, sequence, and cause, often resulting in detailed reports and actionable insights for preventing similar future events.
 This type of analysis is thorough and can be revisited multiple times, allowing investigators to exhaustively examine the attack's details and create corrective measures, but it is time-consuming compared to real-time analysis.

Real-Time Analysis
 Real-time analysis focuses on detecting and responding to ongoing attacks, providing immediate results to counteract the attack and protect network resources.
 This analysis requires swift action, with investigators needing to quickly assess log files and network traffic to identify and mitigate malicious activities, often under tight time constraints.

Network Attacks

Most Common Attacks on Networks
 Eavesdropping
 Data Modification
 IP Address Spoofing
 Denial-of-Service Attack
 Man-in-the-Middle Attack
 Packet Sniffing
 Enumeration
 Session Hijacking
 Buffer Overflow
 Email Infection
 Malware attack
 Password-based attack
 Router Attacks

Attacks Specific to Wireless Networks
 Rogue Access Point Attack
 Client Misassociation
 Misconfigured Access Point Attack
 Unauthorized Association
 Ad Hoc Connection Attack
 Honeypot Access Point Attack
 Key Reinstallation Attack (KRACK)
 AP MAC Spoofing
 Jamming Attack

Indicators of Compromise (IoCs)
Indicators of Compromise (IoCs) are critical evidence used by forensic investigators to detect, analyze, and respond to security breaches by identifying unusual system behavior and suspicious activities on a network or host.

Examples of IoCs
 Unusual outbound network traffic
 User-agent strings
 Increased requests for the same file
 Unknown connections
 File modification
 Unexpected system/server reboot
 Logins from unknown locations
 Uniform Resource Locators (URLs)
 Login anomalies
 Network traffic on unusual ports
 Protocol violations
 Increased bandwidth consumption
 Service unavailability
 Unknown configuration changes
Where to Look for Evidence
To effectively trace security events and breaches, investigators must analyze logs generated at different layers of the network, which are categorized by the TCP/IP and OSI models. Each layer, from the Network Access Layer to the Application Layer, produces logs that can provide crucial evidence regarding data flow, security incidents, and network behavior.

Layers of the TCP/IP model, their functions, protocols, and the network devices and applications whose logs are relevant:

Application layer
Functions: Handles high-level protocols, issues of representation, encoding, and dialog control
Protocols: File Transfer (TFTP, FTP, NFS), Email (SMTP), Network Management (SNMP), Name Management (DNS)
Devices and application logs: Servers/Desktops, Anti-virus, Business Applications, Databases

Transport layer
Functions: Provides a logical connection between the endpoints and provides transport
Protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
Devices and application logs: Firewall, IDS/IPS

Internet layer
Functions: Selects the best path through the network for data flow
Protocols: Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP)
Devices and application logs: Firewall, IDS/IPS, VPN

Network Access layer
Functions: Defines how to transmit an IP datagram to the other devices
Protocols: Ethernet, Fast Ethernet, SLIP, PPP, FDDI, ATM, Frame Relay, SMDS, ARP, Proxy ARP, RARP
Devices and application logs: Routers and Switches

Types of Network-based Evidence

1. Full Content Data
 Complete Packet Capture: Captures all packets flowing through a network without filtration, offering detailed information for in-depth analysis and event reconstruction. Tools like Wireshark and tcpdump are commonly used to analyze subsets of this data.
 Supports Postmortem Analysis: Facilitates a granular and flexible approach to recreate events, making it valuable for understanding the sequence of a security incident.

2. Session Data
 Traffic Metadata Overview: Summarizes conversations between devices, including information like source/destination IPs and ports, session start time, and exchanged data, providing a concise view of interactions.
 Efficient for Initial Analysis: While less detailed than full content data, it helps investigators quickly identify suspicious sessions or patterns in network activity.

3. Alert Data
 Security Event Warnings: Generated by tools like Snort IDS and Suricata, it flags potential security events based on traffic inspection, assisting investigators in identifying threats.
 False Positives Management: Requires careful validation since signature-based detection can lead to false positives, necessitating cross-verification with other evidence sources.

4. Statistical Data
 Network Behavior Profiling: Provides a summary of network traffic, including timestamps, protocols, packet sizes, and rates, offering a high-level understanding of network activity.
 Trend Analysis: Helps in identifying abnormal patterns and detecting potential security incidents by analyzing averages and trends in traffic statistics.
Event Correlation
Event correlation identifies key events from large datasets, assigning new meaning to related events occurring within a specific timeframe. This helps to focus on the most relevant occurrences for quicker analysis and decision-making.
New events can replace older ones in the event stream, ensuring relevance and real-time updates during the correlation process. This dynamic adjustment allows investigators to respond to emerging issues effectively.
Event correlator tools gather data from monitoring systems, process significant events, and discard irrelevant ones to streamline analysis. These tools also help prioritize events based on severity and impact to reduce noise in event logs.
Event correlation is commonly implemented on log management platforms, aiding investigators in efficient system monitoring and troubleshooting. The platform integrates event data from various sources to provide a comprehensive view of system health and incidents.

Steps in event correlation:
1. Event aggregation
2. Event masking
3. Event filtering
4. Root cause analysis

Types of Event Correlation

Same-Platform Correlation
 This method is used when all devices in the network operate on the same OS, allowing for straightforward event analysis across the entire network.
 Example: An organization running Microsoft Windows on all servers can collect event logs and perform trend analysis on system behaviors using a single OS platform.

Cross-Platform Correlation
 This method is applied when different operating systems and hardware platforms are used within an organization's network, requiring integration of diverse event data.
 Example: An organization with Windows-based client systems, Linux-based firewalls, and a Linux-based email gateway must correlate events from all these different platforms to detect issues across the network.

Prerequisites of Event Correlation

Data Collection and Aggregation
 Event data must be gathered from multiple sources, such as security devices, servers, and network elements, and then aggregated into a centralized system for easier analysis.
 The collection process should be automated to ensure real-time or near-real-time data transfer, helping in prompt identification of events and incidents.
 Example: To ensure secure data transmission, organizations may use TLS encryption when transferring log data from a firewall, intrusion detection system (IDS), or other devices to a centralized log management system, minimizing the risk of exposure during transit.

Normalization
 After gathering event data, logs from different sources may be in varying formats, requiring conversion into a common, standardized format for consistent analysis.
 Normalization makes it easier to compare events across systems, as data from different platforms will be represented in the same structure.
 Example: Logs from Windows servers, Linux firewalls, and network routers are normalized into a uniform log format (such as JSON or syslog) to facilitate the correlation process, enabling seamless analysis by correlation tools.

Data Reduction
 To ensure that event correlation remains efficient, duplicate or irrelevant data must be removed, reducing the volume of information processed.
 Data reduction methods such as event de-duplication and compression help eliminate noise and focus on important, actionable data.
 Example: Event correlation tools may use compression to remove repeated log entries or combine similar events into a single report, such as aggregating multiple failed login attempts from a single user into one event to improve processing efficiency.
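The three prerequisites above (collection from several sources, normalization into one structure, and data reduction by de-duplication) and the "aggregation" step of the earlier Event Correlation slide can be shown end to end in a few dozen lines. The following is an added example, not code from the slides or from any product they mention: it normalizes a Windows-style failed-logon record and Linux sshd syslog lines into one event structure, then collapses repeated failures from the same user and source IP into a single counted event. The sample lines, the Windows line layout, the field names and the 60-second window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not from the slides): one Windows-style audit record and
# four Linux sshd syslog lines, all describing failed logins.
WINDOWS_LINES = [
    "2024-03-15 08:01:12 EventID=4625 Account=jdoe SourceIP=203.0.113.7 Status=Failure",
]
SYSLOG_LINES = [
    "Mar 15 08:01:20 fw01 sshd[2211]: Failed password for jdoe from 203.0.113.7 port 50211 ssh2",
    "Mar 15 08:01:24 fw01 sshd[2213]: Failed password for jdoe from 203.0.113.7 port 50214 ssh2",
    "Mar 15 08:01:31 fw01 sshd[2215]: Failed password for jdoe from 203.0.113.7 port 50219 ssh2",
    "Mar 15 09:45:02 fw01 sshd[2290]: Failed password for alice from 198.51.100.9 port 41000 ssh2",
]

# The Windows line layout is a simplified stand-in for an exported 4625 audit event (assumption).
WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EventID=4625 Account=(?P<user>\S+) SourceIP=(?P<src>\S+)"
)
SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def normalize_windows(line):
    """Map a Windows-style failed-logon record onto the common event structure."""
    m = WIN_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "source": "windows",
            "event": "auth_failure", "user": m["user"], "src_ip": m["src"]}


def normalize_syslog(line, year=2024):
    """Map an sshd 'Failed password' syslog line onto the same structure.
    Syslog lines carry no year, so the caller supplies it (assumed 2024 here)."""
    m = SSH_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), "source": "syslog",
            "event": "auth_failure", "user": m["user"], "src_ip": m["src"]}


def aggregate(events, window=timedelta(seconds=60)):
    """Data reduction: collapse events with the same (type, user, source IP) that fall
    within `window` of the first occurrence into one event carrying a count."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        groups[(ev["event"], ev["user"], ev["src_ip"])].append(ev)
    reduced = []
    for (event, user, src_ip), evs in groups.items():
        current = None
        for ev in evs:
            if current is None or ev["ts"] - current["first_seen"] > window:
                current = {"event": event, "user": user, "src_ip": src_ip,
                           "first_seen": ev["ts"], "last_seen": ev["ts"],
                           "count": 1, "sources": {ev["source"]}}
                reduced.append(current)
            else:
                current["last_seen"] = ev["ts"]
                current["count"] += 1
                current["sources"].add(ev["source"])
    return reduced


def correlate_sample():
    """Collect from both sources, normalize, then reduce."""
    events = [normalize_windows(l) for l in WINDOWS_LINES]
    events += [normalize_syslog(l) for l in SYSLOG_LINES]
    return aggregate([e for e in events if e is not None])


if __name__ == "__main__":
    for ev in correlate_sample():
        print(f'{ev["first_seen"]} .. {ev["last_seen"]} {ev["event"]} user={ev["user"]} '
              f'src={ev["src_ip"]} count={ev["count"]} sources={sorted(ev["sources"])}')
```

Run as-is, the four jdoe failures from 203.0.113.7 (one seen by Windows, three by sshd) become a single event with count 4 and both sources recorded, while the unrelated alice failure stays separate; the original timestamps survive as first_seen/last_seen so the reduction loses no evidentiary detail an investigator would need.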

Event Correlation Approaches
Graph-Based Approach: Identifies dependencies between system components, such as network devices and services, and uses a graph to trace possible root causes when faults or failures occur, aiding in the detection of issues based on component interrelationships.
Neural Network-Based Approach: Leverages machine learning through neural networks to automatically detect anomalies in event streams, identify root causes of failures, and correlate related events, making it effective in real-time event monitoring and fault detection.
Codebook-Based Approach: Uses a pre-constructed codebook to store sets of events and correlate them efficiently, providing a faster correlation process than rule-based systems by reducing the number of comparisons needed for each event.
Rule-Based Approach: Correlates events by following a set of predefined rules (condition → action), where an event is processed based on matching conditions, and the corresponding actions are triggered based on event combinations.
Field-Based Approach: Focuses on comparing specific events with single or multiple fields in normalized data, making it a basic but effective way to identify correlations between event parameters in simpler event structures.

Event Correlation Approaches (Cont’d)
Packet Parameter/Payload Correlation for Network Management: Correlates network packets with attack signatures to detect new threats, helping network administrators identify attack patterns and potentially malicious activities by comparing packet parameters.
Profile/Fingerprint-Based Approach: Helps in identifying compromised systems by comparing forensic event data, such as OS fingerprints and network activity, with known attacker profiles to detect repeat attacks or identify systems serving as attack relays.
Open-Port-Based Correlation: Correlates the list of open ports on a host with those under attack, determining the likelihood of a successful attack based on exposed services and potential vulnerabilities.
Bayesian Correlation: Uses statistical probabilities and prior knowledge of conditions to predict the next possible actions of an attacker after a breach, enabling the detection of potential future attack steps based on historical attack data.
Time or Role-Based Approach: Leverages behavioral data of users and systems to trigger alerts when anomalies are found, focusing on unusual actions based on time or the user’s role within the organization, helping to detect unauthorized activities.

Event Correlation Approaches (Cont’d)
Route Correlation: Extracts information about the path taken by an attacker during a cyberattack and correlates this data to identify further malicious actions, helping investigators understand the full scope and progression of the attack.
Topology-Based Event Correlation: Analyzes events in the context of the network or system topology, helping to understand how network structures and relationships between devices influence the occurrence of certain events, and identifying complex patterns.
Cross-Domain Event Correlation: Correlates events from multiple domains or data sources, such as network, application, and security logs, to identify patterns and causal relationships that may not be visible when analyzing each domain in isolation.
Multivariate Correlation: Simultaneously analyzes multiple variables or events to identify interrelationships, enabling a deeper understanding of complex scenarios where the correlation between multiple factors can reveal hidden threats.
Contextual Correlation: Considers the context of events, such as user identity, location, or device type, to establish correlations that are more meaningful and accurate, enhancing the ability to detect suspicious or unauthorized behavior based on contextual information.

Log Files as Evidence
Valuable Information for Investigators: Log files provide crucial details about system activities, helping investigators track intrusions by identifying and relating events from different network sources, including operating systems, applications, IDSs, and firewalls.
Challenges with Log Integrity: Log files are susceptible to tampering, as attackers can insert false entries to mislead investigators, making it critical to ensure their authenticity during an investigation.
Admissibility of Logs in Court: For log files to be accepted as evidence in legal proceedings, they must meet specific criteria, including maintaining their integrity and being handled according to legal standards, which may require expert testimony.
Compliance with Legal Standards: Log files must adhere to applicable laws and regulations to be considered valid in court. Ensuring that they are accurate, reliable, and intact is essential for their use as credible evidence in forensic investigations.

Analyzing Firewall Logs

1. Firewall's Role in Network Security
 Firewalls monitor and control incoming and outgoing network traffic, blocking or allowing data based on predefined security rules to protect the system from potential threats, including hackers and malware.

2. Firewall Log Files
 Firewall logs record critical network traffic details such as source and destination IP addresses, ports used, timestamps, and priority. These logs help investigators identify suspicious activity and track abnormal behavior across the network.

3. Insights for Malicious Activity
 While firewalls alone may not provide a complete picture of an attack, their logs offer valuable insights into the nature of suspicious events, helping investigators correlate activities with other data sources to pinpoint the origin and impact of an incident.

4. Log Analysis for Detection
 Investigators analyze firewall logs by examining specific areas such as suspicious IP addresses, application-generated requests, DNS queries, and URLs. Timing and patterns in the logs can help detect malicious activities.

5. Log File Management and Storage
 Firewall logs are stored as plain-text files and can be viewed using text editors. However, due to storage limitations, older logs are overwritten when the file storage limit is reached. Therefore, regular log file collection and storage are necessary for future analysis.

6. Value in Security Incidents
 During a security incident, firewall logs serve as crucial evidence, allowing investigators to trace the timeline of events, correlate with other suspicious files, and identify the attack's source and potential targets.
Analyzing Firewall Logs: Cisco
Cisco ASA Firewall logs are critical in network forensic investigations, with mnemonics serving as identifiers to represent event severities. Investigators
can leverage these log details to trace activities, identify threats, and analyze patterns by focusing on the most relevant logs initially and expanding their
scope as needed.
Mnemonic Severity Description
4000nn 4 IPS alert triggered by a number string, indicating a security event from one IP address to another over a specified interface.
106001 2 Denies inbound TCP connections from a source IP/port to a destination IP/port based on specified TCP flags over the named interface.
106002 2 Outbound connection denied based on ACL rules (acl_ID) for traffic from an internal source to an external destination.
106006 2 UDP traffic from an external source and port to an internal destination and port is denied on a named interface.
106007 2 Inbound UDP traffic is denied due to DNS issues, such as malformed queries or responses.
106010 3 Blocks inbound protocol traffic from the source to the destination on a specific interface.
106012 3 Denies IP packets with specific options or headers that do not conform to protocol standards.
106013 3 Drops echo requests sent from a source to a PAT-translated (Port Address Translation) IP address.
106014 6 ICMP packets denied due to protocol rules or configurations, including details of the type and code fields.
106015 2 Denies TCP traffic without an established connection based on TCP flags and connection state over a specific interface.
106016 2 Blocks IP spoofing attempts where the source address appears illegitimate or fabricated.
106017 2 Prevents Land Attacks (source and destination IP are identical) which can cause denial-of-service or other disruptions.
106018 1 Denies ICMP packets of a specific type or code based on outbound ACL rules.
106020 1 Blocks fragmented packets such as teardrop fragments, which exploit buffer overflows with irregular fragment sizes or offsets.
106021 4 Reverse path forwarding checks fail for traffic from a source to a destination, indicating potential route misconfigurations or spoofing.
106022 3 Connection spoofing detected for protocol traffic between specified source and destination IPs on a named interface.
106023 4 Protocol traffic from a source to a destination is denied based on an access group ACL, with details about port, service type, and associated flags or codes.
106100 4 Logs details of permitted or denied traffic as per ACL (acl_ID), including protocol, interface, source, destination, and hit counts over time intervals.
710003 3 Blocks traffic based on an access list, showing source IP/port, destination interface, and target service information for denied packets.
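The slide's advice to start with the most relevant messages and widen the scope later maps directly onto the %ASA-severity-msgid header that every ASA syslog line carries. The following added example (not from the slides or from Cisco) parses that header, labels each message with the severity and a short description taken from the table above, pulls the source and destination addresses out of the message text, and summarizes denies per source after filtering on severity. The sample lines are constructed to follow the documented ASA message layouts; the description strings, the IP-ordering heuristic and the severity cut-off are assumptions. Message IDs not in the table are reported as "unknown" rather than guessed.

```python
import re
from collections import Counter

# Severities and short descriptions from the ASA mnemonic table above (abbreviated).
MNEMONICS = {
    "106001": (2, "Inbound TCP connection denied"),
    "106015": (2, "TCP denied, no established connection"),
    "106016": (2, "IP spoofing attempt denied"),
    "106017": (2, "Land attack denied"),
    "106021": (4, "Reverse path forwarding check failed"),
    "106023": (4, "Denied by access-group ACL"),
    "106100": (4, "ACL permit/deny with hit counts"),
    "106014": (6, "ICMP denied"),
}

# Constructed sample lines in ASA syslog layout (not captured from a real device).
SAMPLE_LINES = [
    "Mar 15 08:01:12 asa01 %ASA-2-106001: Inbound TCP connection denied from 203.0.113.7/4321 to 192.0.2.10/80 flags SYN on interface outside",
    'Mar 15 08:01:13 asa01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4322 dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "Mar 15 08:01:14 asa01 %ASA-2-106016: Deny IP spoof from (192.0.2.10) to 192.0.2.20 on interface outside",
    "Mar 15 08:01:20 asa01 %ASA-6-106014: Deny inbound icmp src outside:198.51.100.9 dst inside:192.0.2.10 (type 8, code 0)",
    "Mar 15 08:02:00 asa01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.20/51000 (198.51.100.20/51000) to inside:192.0.2.10/443 (192.0.2.10/443)",
]

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) %ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line):
    """Split the syslog prefix, severity, message ID and text; extract src/dst IPs."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ips = IPV4_RE.findall(m["msg"])
    # Heuristic (assumption): ASA messages name the source before the destination.
    src = ips[0] if ips else None
    dst = next((ip for ip in ips[1:] if ip != src), None)
    table_sev, desc = MNEMONICS.get(m["id"], (None, "unknown"))
    return {"ts": m["ts"], "host": m["host"], "severity": int(m["sev"]), "msg_id": m["id"],
            "description": desc, "table_severity": table_sev, "src": src, "dst": dst,
            "msg": m["msg"]}


def summarize(lines, max_severity=4):
    """Keep messages at or above the chosen severity (lower number = more severe)
    and count them by source address and message ID."""
    events = [e for e in map(parse_line, lines) if e and e["severity"] <= max_severity]
    return {"events": events,
            "by_src": Counter(e["src"] for e in events if e["src"]),
            "by_msg_id": Counter(e["msg_id"] for e in events)}


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for e in s["events"]:
        print(f'{e["ts"]} sev={e["severity"]} {e["msg_id"]} {e["description"]}: {e["src"]} -> {e["dst"]}')
    print("denies per source:", dict(s["by_src"]))
```

With max_severity=4 the two informational lines (106014 and the 302013 connection build) drop out and the summary shows 203.0.113.7 behind two of the three remaining denies; raising the cut-off to 6 brings the lower-severity context back, which is the "expand the scope as needed" step the slide describes.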
Analyzing Firewall Logs: Check Point
 Log Viewer Tool: The Check Point Log Viewer uses color-coded event logs and icons to provide a visual representation of log activities, aiding investigators in identifying security events.
 Event Log Color Coding:
1. Red: Blocks connections per the security policy.
2. Orange: Marks suspicious but accepted traffic.
3. Blue: Represents accepted traffic.
 Icons for Actions: The log viewer employs various icons to represent actions like accepted connections, blocked URLs, detected viruses, and more, offering quick identification of events.
 Detailed Log Features: Check Point logs provide fields such as predefined and custom queries, time-based search capabilities, log statistics, and detailed result panes to streamline investigation.
 Real-Time Analysis: The log viewer helps investigators correlate activities like dropped connections or detected malware with potential threats for actionable insights.

Action Icons and Descriptions
Connection Accepted: The firewall accepted a connection.
Connection Decrypted: The firewall decrypted a connection.
Connection Dropped: The firewall dropped a connection.
Connection Encrypted: The firewall encrypted a connection.
Connection Rejected: The firewall rejected a connection.
Connection Monitored: A security event was monitored but not blocked due to the current configuration.
URL Allowed: The firewall allowed a URL.
URL Filtered: The firewall blocked a URL.
Virus Detected: A virus was detected in an email.
Potential Spam Stamped: An email was marked as potential spam.
Potential Spam Detected: An email was rejected as potential spam.
Mail Allowed: A non-spam email was logged.
Blocked by VStream AV: VStream Antivirus blocked a connection.

Analyzing IDS Logs
 Functions of IDS Logs: Intrusion Detection Systems (IDS) logs record, notify, and produce reports about events to identify suspicious or malicious activities. These logs help in detecting probes, generating attack signatures, and measuring attack statistics.
 Integration and Alerts: IDS systems integrate with centralized logging servers and SIEM solutions while alerting administrators through multiple channels such as emails, SNMP traps, and system log messages to provide timely responses to intrusions.

General Indicators of Intrusion
 A sudden increase in bandwidth consumption.
 Repeated probes of the available services on your machines.
 Repeated login attempts from remote hosts.
 Failure to comply with protocols and syntaxes.
 Requests targeting known vulnerabilities.
 Repeated unusual network activity.
 Connection requests from IPs outside the network range, suggesting an unauthenticated intruder.
 A sudden influx of log data, potentially indicating DoS or DDoS attacks.
 Unexpected elements such as unusual date, time, or system resource usage.
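Three of the indicators listed above (connection requests from addresses outside the expected range, repeated probes of many services from one source, and a sudden influx of log data) can be checked mechanically over a connection log. The block below is an added example, not from the slides or from any IDS product: it parses a simple constructed connection-log format, flags sources outside an allowed network list with the standard-library ipaddress module, reports sources that touched many distinct ports, and flags minutes whose event count is far above the median. The log format, the allowed range, the port threshold and the burst factor are all assumptions chosen for the sample.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed connection-log lines (not from the slides): two ordinary internal connections,
# one external host touching eight different services within seconds, and a one-minute
# burst of 40 requests from another external host.
LINES = [
    "2024-03-15T08:00:01 src=10.0.0.5 dst=10.0.0.20 dport=443",
    "2024-03-15T08:00:07 src=10.0.0.6 dst=10.0.0.20 dport=22",
]
LINES += [f"2024-03-15T08:01:{i:02d} src=203.0.113.7 dst=10.0.0.20 dport={p}"
          for i, p in enumerate([21, 22, 23, 25, 80, 443, 445, 3389])]
LINES += [f"2024-03-15T08:05:{i:02d} src=198.51.100.9 dst=10.0.0.20 dport=80" for i in range(40)]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]), "dport": int(m["dport"])}


def outside_range(events, allowed_nets):
    """Sources that belong to none of the allowed networks."""
    return sorted({str(e["src"]) for e in events
                   if not any(e["src"] in net for net in allowed_nets)})


def probing_sources(events, min_ports=5):
    """Sources that contacted at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        ports[str(e["src"])].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def log_bursts(events, factor=4):
    """Minutes whose event count exceeds `factor` times the median per-minute count."""
    per_minute = Counter(e["ts"].strftime("%Y-%m-%dT%H:%M") for e in events)
    baseline = statistics.median(per_minute.values())
    return sorted(minute for minute, n in per_minute.items() if n > factor * baseline)


def analyze(lines, allowed_nets=(ip_network("10.0.0.0/8"),)):
    events = [e for e in map(parse, lines) if e]
    return {"outside_range": outside_range(events, allowed_nets),
            "probing": probing_sources(events),
            "bursts": log_bursts(events)}


if __name__ == "__main__":
    for key, value in analyze(LINES).items():
        print(f"{key}: {value}")
```

The median baseline matters for the burst check: a mean would be dragged up by the burst itself, so a single noisy minute could hide its own anomaly. Each of the three findings is a lead to verify against other evidence (a vulnerability scanner or a backup job can produce the same shapes), which is the cross-verification the slides call for.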

Analyzing IDS Logs: OSSEC
 Log Analysis in Real Time: OSSEC employs the logcollector and analysisd processes to perform real-time log-based intrusion detection, which includes decoding, filtering, and classifying logs from internal sources, Windows event logs, and remote syslogs.
 Key Investigation Insights: OSSEC logs provide vital information, such as failed login attempts, to help investigators identify indicators of compromise (IoCs) and trace policy violations or malicious activities.

OSSEC Log Details
1. Date and Time
2. Host Name
3. Program Name
4. Log Message
5. Username
6. Source IP Address
7. Port Number

Analyzing IDS Logs: Check Point
 Integrated IDS/IPS Management: The Check Point intrusion protection system (IPS) combines IDS and IPS
functionalities, providing investigators with built-in software for efficient log analysis and evidence collection.
 Log Viewing with SmartView Tracker: Investigators can access IDS/IPS logs through the SmartDashboard
by selecting SmartConsole and navigating to SmartView Tracker, which displays event details such as data,
protections, and actions taken.
 Log Analysis for Risk Evaluation: Check Point logs provide comprehensive information on network traffic,
supporting business risk valuation and bandwidth adjustment. Investigators can filter and export logs via the
SmartView Tracker Audit Logs feature for deeper analysis.

Source:https://www.checkpoint.com

Analyzing Honeypot Logs
 Purpose of Honeypots: Honeypots are dummy systems designed to lure attackers, enabling organizations to understand attack strategies, identify risks, and strengthen their defenses.
 Kippo Honeypot for Analysis: Kippo is a popular honeypot tool used to deceive attackers, track their methodologies, and extract valuable insights for minimizing real attack risks.
 Relevance of Log Analysis: Analyzing honeypot logs provides investigators with critical information such as attack patterns, sources, and techniques, aiding further investigation and evidence collection.

Kippo Honeypot Log Details
1. Timestamp
2. Type of session
3. Session ID and Source IP address
4. Message with other details

Analyzing Router Logs
Purpose of Router Logs: Routers store essential network activity details such as date, time, source and destination IPs, and ports used, which are critical for verifying attack timestamps and tracing unauthorized access.
Log Storage and Analysis: Due to limited memory on network devices, logs are periodically collected and stored externally. Investigators analyze these logs manually or with tools, applying filters to remove irrelevant data.
Redirecting Logs to Syslog Server: For proper collection and analysis, router logs can be redirected to a syslog server using commands like:
 # config terminal
 # logging <Syslog Server IP Address>
 # exit
Investigation Insights from Logs: Logs from compromised devices, including routers, switches, databases, and application servers, help investigators correlate events, identify suspicious activities, and save critical data for forensic examination.

The incoming log details are as follows:
1. Date and time
2. Source IP address
3. Source port
4. Destination IP address
5. Destination port

Analyzing Router Logs (Cont’d)
The incoming log details are as follows

1. Date
2. Time
3. Source IP address
4. Source-port
5. URL accessed
6. URL IP address
7. Port Used

Analyzing Router Logs (Cont’d)
Gathering Evidence from an ARP Table
 Role of ARP Table: The ARP table maps IP addresses to corresponding MAC addresses, offering vital information about recent network communications during a network forensic investigation.
 Command for Viewing ARP Table: Investigators can access the ARP table on a router by issuing the command:
 show arp
 Importance in Evidence Collection: The ARP table aids in identifying hosts involved in a potential attack, providing critical data that links IP and MAC addresses for deeper analysis.
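The output of show arp is usually captured as text and later cross-referenced with DHCP leases and host logs, so it is worth parsing it into a structure once. The following added example (not from the slides or from Cisco) reads a constructed show arp capture in Cisco IOS column layout, normalizes the dotted MAC notation to the colon form that DHCP and host logs use, and reports two things an investigator checks first: MAC addresses that currently answer for more than one IP, and entries the router could not resolve. The sample table and its addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed 'show arp' output in Cisco IOS layout (not from a real router).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  192.168.1.10            5   aabb.ccdd.eeff  ARPA   GigabitEthernet0/0
Internet  192.168.1.11            2   aabb.ccdd.eeff  ARPA   GigabitEthernet0/0
Internet  192.168.1.20           12   0050.5600.0101  ARPA   GigabitEthernet0/1
Internet  192.168.1.21            0   Incomplete      ARPA
"""

ROW_RE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+(?P<mac>\S+)\s+(?P<type>\S+)(?:\s+(?P<iface>\S+))?\s*$"
)


def cisco_mac_to_colon(mac):
    """'aabb.ccdd.eeff' -> 'aa:bb:cc:dd:ee:ff' for matching against DHCP or host logs."""
    hexdigits = mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_show_arp(text):
    """Return one dict per ARP entry; the header line and anything unrecognized is skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        incomplete = m["mac"].lower() == "incomplete"
        entries.append({
            "ip": m["ip"],
            "age_min": None if m["age"] == "-" else int(m["age"]),   # '-' marks the router's own address
            "mac": None if incomplete else cisco_mac_to_colon(m["mac"]),
            "incomplete": incomplete,
            "interface": m["iface"],
        })
    return entries


def macs_with_multiple_ips(entries):
    """MAC addresses bound to more than one IP in the table."""
    by_mac = defaultdict(list)
    for e in entries:
        if e["mac"]:
            by_mac[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def incomplete_ips(entries):
    """IPs the router tried to resolve without getting a reply."""
    return [e["ip"] for e in entries if e["incomplete"]]


if __name__ == "__main__":
    arp = parse_show_arp(SHOW_ARP)
    print("entries:", len(arp))
    print("one MAC, several IPs:", macs_with_multiple_ips(arp))
    print("incomplete:", incomplete_ips(arp))
```

A MAC that answers for several IPs is a lead, not a conclusion: routers with secondary addresses, virtualization hosts and some load balancers do this legitimately, so the next step is to compare the IP-to-MAC pairs against the DHCP lease log for the same time window before drawing any inference about the hosts involved.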

Analyzing Router Logs: Cisco
Cisco Router Log Analysis: Cisco IOS and ASA logs classify events by severity (0-7) and mnemonics to provide administrators with critical insights into network activity, aiding in incident investigation, identifying communication relationships, and understanding attackers’ motives and tools.

Severity Levels
Severity Value/Code Description
Emergency 0 System unusable messages
Alert 1 Immediate action required messages
Critical 2 Critical condition messages
Error 3 Error condition messages
Warning 4 Warning condition messages
Notice 5 Normal but significant messages
Informational 6 Informational messages
Debug 7 Debugging messages

Mnemonics Used by Cisco Router
Mnemonic Severity Description
%SEC-6-IPACCESSLOGDP 6 A packet matching the log criteria for the given access list has been detected.
%SEC-6-IPACCESSLOGNP 6 A packet matching the log criteria for the given access list has been detected.
%SEC-6-IPACCESSLOGP 6 A packet matching the log criteria for the given access list has been detected (TCP or UDP).
%SEC-6-IPACCESSLOGRL 6 Some packet-matching logs were missed because the access list log messages were rate-limited, or no access list log buffers were available.
%SEC-6-IPACCESSLOGRP 6 A packet matching the log criteria for the given access list has been detected.
%SEC-6-IPACCESSLOGS 6 A packet matching the log criteria for the given access list was detected.
%SEC-4-TOOMANY 4 The system could not process the packet due to insufficient room for all desired IP header options. The packet has been discarded.
%IPV6-6-ACCESSLOGP 6 A packet matching the log criteria for the given access list was detected.
%IPV6-6-ACCESSLOGDP 6 A packet matching the log criteria for the given access list was detected.
%IPV6-6-ACCESSLOGNP 6 A packet matching the log criteria for the given access list was detected.

Analyzing Router Logs: Cisco (Cont’d)
The following details are found in a Cisco router log:
1. Event ID
2. Date
3. Time
4. Identifier
5. Protocols supplied
6. Source IP address
7. Destination IP address

Analyzing Router Logs: Juniper
 System Logging and Tracing: Juniper's Junos OS supports system logging to capture critical events like logins, login failures, and shutdowns, and tracing to log routing protocol operations and packet exchanges.
 Log Storage and Default Location: Juniper router logs are stored in a file named “messages”, located at /var/log/ for M, MX, and T series routers.
 Log Analysis for Security: Key details such as date, time, router name, status, and messages can be retrieved for investigation using the command:
 user@my-device> show log messages

Details Found in Juniper Router Logs
1. Date and time
2. Router name and ID
3. Status
4. Message

Analyzing DHCP Logs
 Role of DHCP Logs in Forensics: DHCP logs provide critical information about IP addresses assigned to systems in the network, aiding investigators in correlating devices to specific network activities during forensic analysis.
 Log Storage and File Formats: On Windows Server 2022, DHCP logs are stored in C:\Windows\System32\dhcp, with IPv4 logs named DhcpSrvLog-<DAY>.log and IPv6 logs named DhcpV6SrvLog-<DAY>.log.

DHCP IPv4 Logs Format (Field: Description)
ID: Log entry identifier
Date: Date of the log entry
Time: Time of the log entry
Description: Details about the logged event
IP Address: Assigned IPv4 address
Host Name: Host name of the client
MAC Address: MAC address of the client
User Name: User associated with the session
TransactionID: Transaction identifier for DHCP operation
QResult: Query result
Probationtime: Lease probation time
CorrelationID: Identifier for correlating events
Dhcid: DHCP client identifier
VendorClass (Hex): Vendor-specific options (Hex)
VendorClass (ASCII): Vendor-specific options (ASCII)
UserClass (Hex): User class information (Hex)
UserClass (ASCII): User class information (ASCII)
RelayAgentInformation: Information provided by relay agents
DnsRegError: DNS registration error code

DHCP IPv6 Logs Format (Field: Description)
ID: Log entry identifier
Date: Date of the log entry
Time: Time of the log entry
Description: Details about the logged event
IPv6 Address: Assigned IPv6 address
Host Name: Host name of the client
Error Code: Error code for failed actions
Duid Length: Length of the DHCP unique identifier
Duid Bytes (Hex): DHCP unique identifier (Hexadecimal)
User Name: User associated with the session
Dhcid: DHCP client identifier
Subnet Prefix: Subnet prefix for assigned IPv6 address
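The correlation the slide describes (which device held an IP address at a given moment) can be scripted directly from the IPv4 log columns listed above. This is an added example, not code from the original material; the sample lines are constructed to follow the DhcpSrvLog-<DAY>.log column order, and the hosts, MAC addresses and times are invented.

```python
"""Correlate Windows DHCP server audit log entries with devices (added example).

Assumptions: the log is comma separated in the column order listed above, the
Date column is MM/DD/YY, and the Description values Assign/Renew/Release are
used as in the constructed sample below.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# IPv4 log columns, in the order listed on the slide.
IPV4_COLUMNS = [
    "ID", "Date", "Time", "Description", "IP Address", "Host Name",
    "MAC Address", "User Name", "TransactionID", "QResult", "Probationtime",
    "CorrelationID", "Dhcid", "VendorClass (Hex)", "VendorClass (ASCII)",
    "UserClass (Hex)", "UserClass (ASCII)", "RelayAgentInformation",
    "DnsRegError",
]

# Constructed sample: 192.168.1.50 is leased to one device, released, then
# leased to a different device a few minutes later.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,11/12/23,08:55:10,Assign,192.168.1.50,lab-ws01.corp.example,0050561A2B3C
11,11/12/23,10:30:45,Renew,192.168.1.50,lab-ws01.corp.example,0050561A2B3C
12,11/12/23,12:02:00,Release,192.168.1.50,lab-ws01.corp.example,0050561A2B3C
10,11/12/23,12:05:30,Assign,192.168.1.50,unknown-android,A4B1C2D3E4F5
10,11/12/23,12:06:00,Assign,192.168.1.51,lab-ws02.corp.example,0050561A2B99
"""


def parse_dhcp_log(text):
    """Parse log text into records. Header lines (a real file starts with
    explanatory text and a column-name row) are skipped because their first
    field is not a numeric event ID; short rows are padded with empty fields."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip().isdigit():
            continue
        row = [field.strip() for field in row]
        row += [""] * (len(IPV4_COLUMNS) - len(row))
        rec = dict(zip(IPV4_COLUMNS, row))
        rec["when"] = datetime.strptime(f"{rec['Date']} {rec['Time']}",
                                        "%m/%d/%y %H:%M:%S")
        records.append(rec)
    return records


def lease_timeline(records):
    """Per IP address, the intervals [start, end) during which each
    (host, MAC) held it. Assign/Renew open or extend a lease, Release closes
    it, and an Assign to a different MAC closes the previous lease."""
    timeline = defaultdict(list)      # ip -> [[start, end|None, host, mac], ...]
    for rec in sorted(records, key=lambda r: r["when"]):
        ip, mac, host = rec["IP Address"], rec["MAC Address"], rec["Host Name"]
        leases = timeline[ip]
        open_lease = leases[-1] if leases and leases[-1][1] is None else None
        if rec["Description"] in ("Assign", "Renew"):
            if open_lease and open_lease[3] == mac:
                continue                          # same device keeps the lease
            if open_lease:
                open_lease[1] = rec["when"]       # another device took the IP
            leases.append([rec["when"], None, host, mac])
        elif rec["Description"] == "Release" and open_lease:
            open_lease[1] = rec["when"]
    return timeline


def who_had_ip(records, ip, at):
    """(host, MAC) that held `ip` at time `at` (datetime or 'YYYY-MM-DD HH:MM:SS'),
    or None if the address was not leased at that moment."""
    if isinstance(at, str):
        at = datetime.strptime(at, "%Y-%m-%d %H:%M:%S")
    for start, end, host, mac in lease_timeline(records).get(ip, []):
        if start <= at and (end is None or at < end):
            return host, mac
    return None


if __name__ == "__main__":
    recs = parse_dhcp_log(SAMPLE_LOG)
    print(who_had_ip(recs, "192.168.1.50", "2023-11-12 11:00:00"))
    print(who_had_ip(recs, "192.168.1.50", "2023-11-12 12:10:00"))
```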
Analyzing Cisco Switch Logs
 Role of Cisco Switch Logs in Investigations: Cisco switch logs help forensic investigators analyze network traffic, monitor connections, and identify user activities and security events to gather evidence for legal proceedings.
 Comprehensive Syslog Analysis: EventLog Analyzer processes syslogs from various devices like switches, routers, and intrusion detection systems, offering a visualized overview of network activity and extensive insights into security incidents.

Commands to Examine Cisco Switch Logs
Enabling Logging: Use logging console [severity-level] to enable logging with a specific severity level, and logging logfile logfile-name severity-level [size bytes] to log messages to a file with a set severity and size limit.
Viewing Logs: Commands such as show logging console, show logging last number, and show logging logfile allow investigators to view log configurations, recent log entries, and timestamped logs for specified time ranges.
Remote Syslog Configuration: The logging server command can configure a remote syslog server to capture switch logs for centralized analysis, enhancing monitoring capabilities.

Analyzing VPN Logs
 Role of VPN Logs in Investigations: VPN logs provide critical information such as timestamps,
user IP addresses, connection durations, and accessed websites, enabling investigators to
uncover evidence and trace suspect activities.
 Elastic Stack for VPN Log Analysis: Elastic Stack (ELK Stack) offers robust tools like
Elasticsearch, Kibana, and Logstash to securely analyze, visualize, and search VPN logs for
forensic investigations.
Key Information and Options Available in the Discover Tab of Elastic Stack

1. Logs
2. Fields Pane
3. Index Pattern
4. Search Bar
5. Time Filter
6. Time Interval
7. TOP Bar

Analyzing SSH Logs
 Significance of SSH Logs: SSH logs assist forensic investigators in reconstructing system events, detecting intrusions, and analyzing disruptions in normal operations. They provide key insights into the nature and timing of incidents.
 Relevant Commands:
 To analyze SSH logs for specific events: grep "keyword" /var/log/auth.log
 To list all SSH-related activity in real time: journalctl -fu ssh
 Commands for Failed Login Attempts: Investigators can extract details of failed SSH login attempts, including IP addresses, timestamps, and additional information.
 Commands:
 List all failed login attempts: grep "Failed password" /var/log/auth.log
 Extract and count IP addresses with failed attempts (the list must be sorted before uniq -c, which only merges adjacent duplicates): grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr
 View additional details of failed attempts: egrep "Failed|Failure" /var/log/auth.log
 Commands for Analyzing SSH Logs via Journalctl: The journalctl command provides options to analyze SSH logs over specific time periods, view them in real time, and extract specific details.
 Commands:
 View SSH logs from yesterday: journalctl -u ssh --since yesterday
 View logs for a specific time range: journalctl -u ssh --since "2023-11-12 07:00:00" --until "2023-11-12 19:00:00"
 View recently logged-in users: lastlog
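The awk column in the command above breaks on "invalid user" lines, where two extra words shift the address from $11 to $13, so a scripted parser should match the message rather than a column. The following is an added example, not part of the original material; the auth.log lines are constructed and the hosts, users and addresses are invented.

```python
"""Failed SSH login analysis over /var/log/auth.log lines (added example).

Assumptions: syslog-style lines as written by OpenSSH's sshd, with both the
"Failed password for <user> from <ip>" and the
"Failed password for invalid user <user> from <ip>" variants present.
"""
import re
from collections import Counter

# Constructed sample lines (not taken from any real system).
SAMPLE_AUTH_LOG = """\
Nov 12 07:01:02 bastion sshd[2101]: Failed password for root from 203.0.113.9 port 51234 ssh2
Nov 12 07:01:04 bastion sshd[2101]: Failed password for root from 203.0.113.9 port 51236 ssh2
Nov 12 07:01:07 bastion sshd[2105]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Nov 12 07:02:15 bastion sshd[2110]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Nov 12 07:05:30 bastion sshd[2120]: Accepted publickey for alice from 192.0.2.20 port 53000 ssh2
Nov 12 07:06:00 bastion sshd[2130]: Failed password for alice from 192.0.2.20 port 53002 ssh2
Nov 12 07:06:05 bastion sshd[2130]: Accepted password for alice from 192.0.2.20 port 53002 ssh2
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(
    SYSLOG_PREFIX
    + r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    + r"from (?P<ip>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    SYSLOG_PREFIX
    + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failed_logins(text):
    """One dict per failed password attempt, with the source address taken
    from the message itself so the 'invalid user' variant parses correctly."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"],
                           "port": int(m["port"]),
                           "invalid_user": m["invalid"] is not None})
    return events


def failures_by_source(text):
    """Scripted equivalent of grep | awk | sort | uniq -c | sort -nr:
    [(ip, count), ...] with the most frequent source first."""
    return Counter(e["ip"] for e in parse_failed_logins(text)).most_common()


def success_after_failures(text, min_failures=1):
    """Sources that were eventually accepted after at least min_failures
    earlier failed attempts, with user and authentication method. A success
    following a run of failures is the event to triage first."""
    seen_failed = Counter()
    hits = []
    for line in text.splitlines():
        f = FAILED_RE.match(line)
        if f:
            seen_failed[f["ip"]] += 1
            continue
        a = ACCEPTED_RE.match(line)
        if a and seen_failed[a["ip"]] >= min_failures:
            hits.append((a["ip"], a["user"], a["method"]))
    return hits


if __name__ == "__main__":
    for ip, count in failures_by_source(SAMPLE_AUTH_LOG):
        print(f"{count:5d} {ip}")
    print("success after failures:", success_after_failures(SAMPLE_AUTH_LOG))
```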
Analyzing DNS Server Logs
 Role of DNS Logs in Investigations: DNS logs are essential for identifying malicious activities like
DNS tunneling, cache poisoning, and phishing. They provide insights into network traffic, including DNS
queries, response codes, and user behavior, aiding in threat detection.
 DNS Log Analysis Tools: Tools like Splunk, ELK Stack, and Graylog help investigators filter and
visualize DNS logs to detect anomalies, NXDOMAIN errors, empty DNS queries, and DNS zone transfer
requests.
 Key DNS Log Details: DNS logs contain vital information such as query types (A, AAAA, MX), sender
and receiver IP addresses, query content, and protocols used, enabling investigators to trace network
events and uncover potential security threats.
DNS logs include the following details:
1. Date and time
2. Connection ID
3. Sender IP address
4. Sender port number
5. Receiver IP address
6. Receiver port number
7. Protocol used
8. Requested query
9. Query type

Network Log Analysis Tools
 Security Onion: Security Onion provides a comprehensive platform for network visibility and log management, allowing investigators to view alerts, analyze protocol metadata, and log network traffic during forensic investigations.
 Logz.io: Logz.io enables rapid analysis of various log types, filtering unused log data, and offering insights with advanced integrations, log data processing, and monitoring dashboards for effective incident investigation.

Additional Tools:
Suricata: https://suricata.io
Wazuh: https://wazuh.com
Splunk: https://www.splunk.com
Nagios: https://www.nagios.org
Why Investigate Network Traffic?
 Importance of Network Traffic Analysis: Investigating network traffic helps detect suspicious
activities, ongoing attacks, and misuse by examining conversations between devices, revealing
crucial details like attacker IPs, targeted devices, and malicious activities.
 Benefits in Forensics: Network traffic analysis supports identifying various attack aspects, such as
DoS attacks, malware activities, scanning attempts, and unauthorized logins, providing evidence for
legal proceedings.
Objectives of Network Forensics Investigation

 Detect and examine an ongoing attack
 Identify how an attack was carried out
 Trace packets related to a security intrusion
 Identify hosts/networks involved in the incident
 Discover unauthorized access in network security
 Assess the extent of compromise

Gathering Evidence via Sniffers
Definition and Functionality: Packet sniffers intercept and log network traffic by putting the Network Interface Card (NIC) in promiscuous mode, allowing them to capture all data passing through the network.

Switched Network Sniffing: Sniffers utilize spanned ports and hardware taps to facilitate traffic capture in switched networks, enabling comprehensive analysis of data flows.

Traffic Layer Focus: Packet sniffers primarily collect data from the network and transport layers, excluding the physical and data link layers, to focus on relevant evidence.

Applications in Network Forensics: Sniffers are valuable for detecting intrusions, supervising network devices, troubleshooting network issues, and controlling traffic flow during forensic investigations.

Behavior Analysis: Forensic investigators use sniffers to monitor and analyze the behavior of suspicious applications or devices, aiding in identifying anomalies or malicious activities.

Gathering Evidence via Sniffers
tcpdump: tcpdump is a command-line network packet analyzer that allows investigators to capture, filter, and save network packets for analysis, supporting options like -w to write packets to a file and -r to read from a saved packet file.

Wireshark: Wireshark is a GUI-based network protocol analyzer offering deep inspection of hundreds of protocols, live traffic capture, offline analysis, and advanced filtering capabilities with support for compressed and multi-format files.

Display Filters in Wireshark
Filtering by Protocol: Display filters in Wireshark allow investigators to filter captured packets by protocol by typing protocol names like arp, http, tcp, udp, or dns in the Filter box.

Monitoring Specific Ports: Filters can isolate traffic for specific ports or IP addresses, such as tcp.port==23, ip.addr==192.168.1.100, or combinations like ip.addr==192.168.1.100 && tcp.port==23.

Filtering by Multiple IP Addresses: Wireshark enables filtering by multiple IP addresses using logical operators, e.g., ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5.

Filtering by IP Address: Investigators can focus on specific IP addresses using filters like ip.addr == 10.0.0.4.

Other Filters: Advanced filters provide flexibility for specific scenarios, such as ip.dst == 10.0.1.50 && frame.pkt_len > 400 or ip.src==205.153.63.30 or ip.dst==205.153.63.30.

Additional Wireshark Filters
Filter for TCP Resets: Use tcp.flags.reset==1 to display all TCP packets where the reset flag is set.

Filter by TCP Port: The filter tcp.port == 4000 displays all TCP packets where port 4000 is the source or destination.

Filter for HTTP GET Requests: The filter http.request isolates all HTTP GET requests from captured traffic.

Filter for TCP Retransmissions: Use tcp.analysis.retransmission to display all retransmitted packets in the trace.

Filter for Specific Text in TCP Packets: Apply tcp contains traffic to display all TCP packets that contain the word "traffic" in the payload.

Exclude Specific Protocols: Use !(arp or icmp or dns) to hide ARP, ICMP, and DNS traffic, focusing only on the desired traffic.

Filter by Hexadecimal Values: Apply udp contains 33:27:58 to filter UDP packets containing the specific hex sequence 0x33 0x27 0x58 at any offset.

Filter for SMTP and ICMP Traffic: Use tcp.port eq 25 or icmp to isolate packets for SMTP (port 25) or ICMP traffic.

Filter for LAN Traffic Only: Apply ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 to view traffic strictly within the LAN (192.168.x.x).

Filter by Protocol and Exclude Specific IPs: Use ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip to filter for SIP traffic while excluding unwanted IP addresses.

Analyze Traffic for TCP SYN Flood DoS Attack
 Definition of TCP SYN Flood DoS
Attack: A SYN flood attack involves sending
numerous SYN packets with spoofed IP
addresses to overwhelm the target server's
resources, preventing legitimate access.
 Indicators of a SYN Flood in Wireshark:
Signs include a high volume of TCP SYN
packets of identical length (e.g., 120 bytes)
originating from multiple IP addresses and
targeting a single destination.
 Target Information: In the example, the
attack is directed at the IP address
192.168.0.145 on HTTP port 80.
 Using Wireshark Statistics for
Confirmation: Navigate to Statistics →
Protocol Hierarchy to analyze the proportion
of TCP traffic. An unusually high percentage
of TCP packets can indicate a SYN flood.
 Impact of a SYN Flood Attack: The
attack exhausts the server's CPU and RAM
by leaving incomplete TCP handshakes,
ultimately leading to a Denial of Service
(DoS).
Analyze Traffic for SYN-FIN Flood DoS Attack
 Definition of SYN-FIN Flood DoS Attack:
This attack involves flooding the network
with packets that have both the SYN and FIN
flags set simultaneously, an abnormal
behavior in typical TCP communication.
 Detection of SYN-FIN Packets in
Wireshark: Use the filter tcp.flags==0x003
to identify packets with both SYN and FIN
flags set.
 Traffic Characteristics: In the example,
numerous SYN-FIN packets are sent from a
single source IP 10.0.0.2 to the destination
IP 10.128.0.2 on HTTP port 80.
 Analyzing Traffic Statistics: Navigate to
Statistics → Capture File Properties to
evaluate the packet capture window. The
example shows 118 packets per second at
51Kbps over a 14-second window, indicating
a SYN-FIN flood attack.
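The two indicators described on the SYN flood slide and here (many same-length SYNs from many sources to one target, and any packet carrying SYN and FIN together) can be computed from exported packet records rather than eyeballed in the packet list. This is an added example, not code from the original material; the records are constructed in the shape a capture tool exports, using the addresses from the two scenarios above.

```python
"""SYN-flood and SYN-FIN-flood indicators from packet records (added example).

Assumptions: each record carries time, source, destination, destination port,
the tcp.flags bitmask as Wireshark displays it, and the frame length. The
thresholds are illustrative defaults, not values from the original material.
"""
from collections import Counter, defaultdict

FIN, SYN, ACK = 0x001, 0x002, 0x010      # tcp.flags bits


def is_syn_only(flags):
    """A connection request: SYN set, ACK and FIN clear."""
    return (flags & (SYN | ACK | FIN)) == SYN


def is_syn_fin(flags):
    """Equivalent of the display filter tcp.flags==0x003."""
    return (flags & (SYN | FIN)) == (SYN | FIN)


def build_capture():
    pkts = []
    # 1) one normal handshake against the web server (constructed)
    pkts += [dict(t=0.00, src="10.0.0.5", dst="192.168.0.145", dport=80, flags=SYN, length=74),
             dict(t=0.01, src="192.168.0.145", dst="10.0.0.5", dport=50000, flags=SYN | ACK, length=74),
             dict(t=0.02, src="10.0.0.5", dst="192.168.0.145", dport=80, flags=ACK, length=66)]
    # 2) SYN flood: 200 identical 120-byte SYNs from 200 spoofed sources in one second
    for i in range(200):
        pkts.append(dict(t=10.0 + i * 0.005, src=f"172.16.0.{i + 1}", dst="192.168.0.145",
                         dport=80, flags=SYN, length=120))
    # 3) SYN-FIN flood: 150 packets from a single source
    for i in range(150):
        pkts.append(dict(t=20.0 + i * 0.01, src="10.0.0.2", dst="10.128.0.2",
                         dport=80, flags=SYN | FIN, length=60))
    return pkts


def detect_syn_flood(pkts, window=2.0, threshold=100):
    """Per (destination, port), slide a time window over SYN-only packets and
    alert on the first window holding >= threshold of them, reporting how many
    distinct sources were involved and whether every SYN had the same length."""
    by_target = defaultdict(list)
    for p in pkts:
        if is_syn_only(p["flags"]):
            by_target[(p["dst"], p["dport"])].append(p)
    alerts = {}
    for target, syns in by_target.items():
        syns.sort(key=lambda p: p["t"])
        start = 0
        for end in range(len(syns)):
            while syns[end]["t"] - syns[start]["t"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = syns[start:end + 1]
                span = (burst[-1]["t"] - burst[0]["t"]) or 1e-9
                alerts[target] = {
                    "syn_count": len(burst),
                    "distinct_sources": len({p["src"] for p in burst}),
                    "uniform_length": len({p["length"] for p in burst}) == 1,
                    "syn_per_second": round(len(burst) / span, 1),
                }
                break
    return alerts


def detect_syn_fin(pkts):
    """SYN+FIN never occurs in a legitimate handshake, so every such packet
    is reported, counted per (source, destination)."""
    return Counter((p["src"], p["dst"]) for p in pkts if is_syn_fin(p["flags"]))


if __name__ == "__main__":
    cap = build_capture()
    print("SYN flood:", detect_syn_flood(cap))
    print("SYN-FIN:", dict(detect_syn_fin(cap)))
```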

Analyze Traffic for ICMP Flood Attack

 ICMP Ping Flood Attack: This type of DDoS attack targets a server by sending a high volume of ICMP Echo Request (ping) packets, which forces the server to use excessive bandwidth and processing power, leading to system overload and a denial-of-service condition.
 Detecting with Wireshark: To identify an ICMP flood attack, use the filter icmp.type == 8 in Wireshark to display only ICMP Echo Request packets. A sudden surge in these packets indicates a potential flood attack, overwhelming the targeted server's resources.

Analyze Traffic for UDP Flood Attack
 UDP Flood Attack: A UDP flood attack sends a high volume of spoofed UDP packets to the target server, causing it to generate ICMP destination unreachable responses, which overwhelms the server and its firewall, leading to denial-of-service conditions for legitimate traffic.
 Wireshark Detection: To identify a UDP flood attack, use the filter (ip.proto==17)&&(udp.dstport==80) in Wireshark. If the captured packets show a large number of 500-byte UDP packets with nonsensical data sent to port 80, it indicates a UDP flood attack.

Analyze Traffic for HTTP Flood Attack
 HTTP Flood Attack: An HTTP flood attack targets layer 7 by making the server handle
numerous HTTP GET, POST, or combined requests, causing the server to become overwhelmed
and unable to respond to legitimate traffic, leading to a denial-of-service condition.
 Wireshark Detection: Use the filter tcp.stream eq 1 to detect TCP connections established with
the targeted server. Then apply the http filter to analyze GET and POST requests to identify
suspicious traffic patterns indicating an HTTP flood.
 Response Analysis: Investigate the server's responses (e.g., HTTP/1.1 200 OK or HTTP/1.1 403
FORBIDDEN) to requests sent from the attacker’s IP. Repeated responses, especially for multiple
URLs, suggest an HTTP flood attack.

Analyze Traffic for FTP Password Cracking Attempts
 FTP Password Cracking: FTP
password cracking involves an attacker
using brute-force or dictionary attacks
to guess a user’s password by making
repeated login attempts to an FTP
server.
 Detecting with Wireshark: Use the
filter ftp.request to monitor all FTP
requests on the network, helping
investigators track login attempts and
identify potential password cracking
activities.
 Monitoring Unsuccessful Logins:
Apply the filter ftp.response.code ==
530 to identify unsuccessful login
attempts. A high number of failed
attempts is indicative of a brute-force
password cracking attack.
 Successful Login Detection: Use
ftp.response.code == 230 to track
successful logins, which may indicate
the attacker has successfully guessed
the password and gained unauthorized
access to the FTP server.
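The three filters above (ftp.request, 530 replies, 230 replies) combine into one per-client summary: failures counted, usernames tried, and any 230 that follows a run of 530s. This is an added example, not code from the original material; the session is constructed from the kind of rows those filters show, and the same counting applies to the SMB case on the next slide with STATUS_LOGON_FAILURE in the role of the 530 reply.

```python
"""Brute-force login detection on an FTP control channel (added example).

Assumptions: each event is (time, client, server, direction, line), with
direction "C" for a client request and "S" for a server response; the
addresses match the SMB example on the next slide and the session is invented.
"""
from collections import defaultdict

ATTACKER, VICTIM, LEGIT = "10.10.1.11", "10.10.1.13", "10.10.1.20"


def build_session():
    events, t = [], 0.0
    # twenty failed guesses across four usernames, then a hit on "backup"
    for user in ("admin", "root", "ftp", "backup"):
        for _ in range(5):
            t += 0.2
            events += [(t, ATTACKER, VICTIM, "C", f"USER {user}"),
                       (t + 0.05, ATTACKER, VICTIM, "C", "PASS ****"),
                       (t + 0.10, ATTACKER, VICTIM, "S", "530 Login incorrect.")]
    t += 0.2
    events += [(t, ATTACKER, VICTIM, "C", "USER backup"),
               (t + 0.05, ATTACKER, VICTIM, "C", "PASS ****"),
               (t + 0.10, ATTACKER, VICTIM, "S", "230 Login successful.")]
    # an ordinary user who logs in at the first try
    events += [(50.0, LEGIT, VICTIM, "C", "USER carol"),
               (50.05, LEGIT, VICTIM, "C", "PASS ****"),
               (50.10, LEGIT, VICTIM, "S", "230 Login successful.")]
    return events


def login_summary(events):
    """Per client: number of 530 and 230 replies, usernames tried, and the
    (username, time) of every success that came after earlier failures."""
    stats = defaultdict(lambda: {"failed": 0, "success": 0, "users": set(), "cracked": []})
    last_user = {}
    for t, client, _server, direction, line in sorted(events, key=lambda e: e[0]):
        s = stats[client]
        if direction == "C" and line.startswith("USER "):
            last_user[client] = line[5:]
            s["users"].add(line[5:])
        elif direction == "S" and line.startswith("530"):
            s["failed"] += 1
        elif direction == "S" and line.startswith("230"):
            s["success"] += 1
            if s["failed"]:
                s["cracked"].append((last_user.get(client), t))
    return stats


def flag_bruteforce(events, min_failures=10):
    """Clients whose failed-login count reaches min_failures."""
    return {c: s for c, s in login_summary(events).items() if s["failed"] >= min_failures}


if __name__ == "__main__":
    for client, s in flag_bruteforce(build_session()).items():
        print(client, s["failed"], "failures,", sorted(s["users"]), "cracked:", s["cracked"])
```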
Analyze Traffic for SMB Password Cracking Attempts
 SMB Password Cracking: SMB
password cracking attempts involve
attackers making multiple login
attempts using different usernames over
the SMB protocol to guess valid
credentials.
 Detecting with Wireshark: Wireshark
can reveal multiple login attempts from
the source IP (10.10.1.11) to the target
IP (10.10.1.13) with the error message
“STATUS_LOGON_FAILURE,” indicating a
brute-force attack.
 Identifying Targeted Usernames:
Investigators should analyze the
usernames in the captured traffic to see
if any match those of authorized users,
signaling a successful password
cracking attempt.
 Additional Information Gathering:
Review other details in the Transmission
Control Protocol section, such as source
and destination ports and packet byte
count, to further investigate the nature
of the attack.
Analyze Traffic for Sniffing Attempts
 Sniffing and Man-in-the-Middle Attacks: Sniffing and MiTM attacks involve attackers
intercepting network traffic to capture sensitive data, often by positioning themselves between a
client and server.

 Active Sniffing: Active sniffing occurs over a switched network where attackers inject packets
to manipulate the switch’s ARP cache (CAM) and gain unauthorized access to network traffic.

 Passive Sniffing: Passive sniffing is performed on a hub where the attacker captures all
broadcasted packets within the same collision domain without injecting any traffic.

 Techniques Used: Common sniffing techniques include MAC flooding and ARP poisoning, which
allow attackers to intercept and analyze network traffic.

 Detection with Wireshark: Investigators can use Wireshark to detect signs of sniffing
attempts, including unusual ARP requests or MAC address anomalies, which may indicate MAC
flooding or ARP poisoning.

Analyze Traffic for MAC Flooding Attempt
 MAC Flooding Overview: MAC flooding,
also known as CAM flooding, involves
sending fake Ethernet frames with various
MAC addresses to flood a switch's CAM
table, causing network disruptions.
 Detection in Wireshark: Investigators can
identify MAC flooding attempts in Wireshark
by analyzing source and destination MAC
addresses and the Time to Live (TTL) values
in the packets.
 Malformed Packets: MAC flooded packets
often appear as malformed in Wireshark,
though malformed packets can also be
generated by other network issues, not just
flooding attacks.
 Expert Information Tab: To detect a MAC
flooding attempt, investigators should
navigate to the Analyze → Expert
Information tab in Wireshark and examine
any malformed packets for signs of flooding.
 Packet Consistency: A strong indication of a MAC flooding attack is when packets from different IP addresses are destined for the same IP address and contain identical TTL values, signaling manipulation of the switch’s ARP table.
Analyze Traffic for ARP Poisoning Attempt
 ARP Poisoning Overview: ARP
poisoning involves an attacker spoofing
their MAC address to redirect network
traffic intended for a legitimate target,
enabling the attacker to intercept or
manipulate the data flow.
 Wireshark Detection: Investigators can
detect ARP poisoning by looking for
duplicate IP addresses in the ARP protocol.
Wireshark displays a warning message,
"duplicate use of <IP address> detected,"
indicating potential poisoning.
 Display Filter: Using the filter
arp.duplicate-address-detected after
capturing packets can help pinpoint ARP
poisoning attempts by identifying IP-MAC
address mismatches.
 MAC Address Duplication: In the case
of an ARP poisoning attack, Wireshark will
show an IP address associated with
multiple MAC addresses, as seen in the
example where IP address 192.168.1.1 is
linked to two different MAC addresses.
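Both the MAC flooding slide above (a burst of frames with many different source MACs) and the duplicate-address condition described here can be checked from a list of frame records. This is an added example, not code from the original material; the frames are constructed, the gateway address 192.168.1.1 is the one named above, and the thresholds are illustrative.

```python
"""ARP poisoning and MAC flooding indicators from frame records (added example).

Assumptions: each record is (time, src_mac, kind, sender_ip) where kind is
"arp_reply" (sender_ip is the IP the reply claims) or "data" (sender_ip None).
"""
from collections import defaultdict


def build_frames():
    frames = []
    # normal ARP replies: the gateway and two hosts announce their own MACs
    frames += [(0.0, "00:11:22:33:44:01", "arp_reply", "192.168.1.1"),
               (0.5, "00:11:22:33:44:10", "arp_reply", "192.168.1.10"),
               (0.7, "00:11:22:33:44:20", "arp_reply", "192.168.1.20")]
    # poisoning: a third MAC claims both the gateway and host .10
    for i in range(5):
        frames += [(2.0 + i, "de:ad:be:ef:00:01", "arp_reply", "192.168.1.1"),
                   (2.5 + i, "de:ad:be:ef:00:01", "arp_reply", "192.168.1.10")]
    # CAM-table flood: 600 frames with distinct source MACs inside one second
    for i in range(600):
        frames.append((10.0 + i / 600, f"02:00:00:{i // 256:02x}:{i % 256:02x}:aa", "data", None))
    # background data from a known host
    frames += [(12.0 + i, "00:11:22:33:44:20", "data", None) for i in range(5)]
    return frames


def arp_conflicts(frames):
    """IP addresses claimed by more than one MAC (what Wireshark reports as
    'duplicate use of <IP> detected'), and MACs that claim several IPs, the
    pattern of one host impersonating both ends of a conversation."""
    ip_to_macs = defaultdict(set)
    for _t, mac, kind, ip in frames:
        if kind == "arp_reply":
            ip_to_macs[ip].add(mac)
    duplicates = {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}
    mac_to_ips = defaultdict(set)
    for ip, macs in ip_to_macs.items():
        for mac in macs:
            mac_to_ips[mac].add(ip)
    multi_ip_macs = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return duplicates, multi_ip_macs


def mac_flood_windows(frames, window=1.0, threshold=200):
    """First time window in which the number of distinct source MACs reaches
    the threshold, as (window_start, window_end, distinct_macs); empty list
    if it never does. A small segment cannot legitimately show hundreds of
    new source addresses per second."""
    frames = sorted(frames, key=lambda f: f[0])
    hits, start = [], 0
    for end in range(len(frames)):
        while frames[end][0] - frames[start][0] > window:
            start += 1
        distinct = len({f[1] for f in frames[start:end + 1]})
        if distinct >= threshold:
            hits.append((frames[start][0], frames[end][0], distinct))
            break
    return hits


if __name__ == "__main__":
    dup, multi = arp_conflicts(build_frames())
    print("IPs with several MACs:", dup)
    print("MACs claiming several IPs:", multi)
    print("MAC flood windows:", mac_flood_windows(build_frames()))
```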
Analyze Traffic for SMTP HELO Flood Attack
 SMTP HELO Flood Detection: Investigators can identify SMTP HELO flood attacks by filtering
server traffic using the tcp.stream eq 2 display filter in Wireshark, which highlights the repeated
creation and termination of SMTP sessions.
 Session Analysis: The presence of multiple SMTP HELO requests followed by quick QUIT
commands indicates a high volume of created and closed sessions, causing server resource
exhaustion and preventing legitimate client access.

Analyze Traffic to Detect Malware Activity
 Detecting Suspicious
Connections: Investigators can
detect malware activity by analyzing
traffic patterns in Wireshark, such as
unusual IP address connections or
suspicious ports being used, like the
connection attempt to IP 10.10.10.16
on port 5552.
 Online Database Check: Once
suspicious ports or IP addresses are
identified, investigators should cross-
reference them with online
databases, such as https://any.run, to
determine if they are associated with
known malware, such as njRAT trojan
on port 5552.
 Traffic Anomalies Post-Malware
Execution: After malware execution,
the infected system may attempt to
contact a C2 server (e.g., port 5552),
signaling potential data exfiltration or
further instructions, which can be
flagged during network traffic
analysis.
Analyze Network Traffic through NetFlow
 NetFlow Overview: NetFlow provides a comprehensive way to analyze network traffic by
collecting data on unidirectional packet flows, using criteria such as source/destination IP, ports,
and protocol version to generate flow records, reducing the need for packet-level analysis.
 Flow Monitoring and Analysis: NetFlow-enabled devices (e.g., routers) generate flow
statistics that aid investigators in monitoring bandwidth usage, detecting threats, aggregating
data, and performing forensic analysis of network traffic.

[Figure: Creating a flow record. Traffic flows through a NetFlow-enabled device, which inspects each packet's flow information (Source/Destination IP addresses, IP version, Source/Destination port numbers, Source Interface, Packets or bytes) and updates the NetFlow cache, holding one entry per flow (address, ports, and packet/byte counters, shown as 11003 and 1435 in the figure) followed by the next entry.]
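The cache update pictured above (match the packet to an existing flow entry or start a new one, then add to its counters) is short enough to write out. This is an added example, not code from the original material or from any NetFlow vendor; the packets are constructed, and the inactive timeout is an illustrative value.

```python
"""Aggregate packets into unidirectional flow records (added example).

Assumptions: the flow key is the 5-tuple plus input interface index, an
inactive timeout expires idle entries, and packets carry t, src, dst, sport,
dport, proto, ifindex and length; all sample values are constructed.
"""
from collections import defaultdict

FLOW_KEY = ("src", "dst", "sport", "dport", "proto", "ifindex")


def build_packets():
    pkts = []
    # HTTP: client -> server request flow and the server's reply flow
    for i in range(10):
        pkts.append(dict(t=1.0 + i * 0.1, src="10.0.0.5", dst="192.168.0.145", sport=50000,
                         dport=80, proto=6, ifindex=1, length=120 if i else 74))
        pkts.append(dict(t=1.05 + i * 0.1, src="192.168.0.145", dst="10.0.0.5", sport=80,
                         dport=50000, proto=6, ifindex=2, length=1400))
    # DNS query and response
    pkts.append(dict(t=0.5, src="10.0.0.5", dst="10.0.0.53", sport=41000, dport=53,
                     proto=17, ifindex=1, length=80))
    pkts.append(dict(t=0.52, src="10.0.0.53", dst="10.0.0.5", sport=53, dport=41000,
                     proto=17, ifindex=2, length=160))
    # same 5-tuple long after the first query: a new flow once the old one timed out
    pkts.append(dict(t=100.0, src="10.0.0.5", dst="10.0.0.53", sport=41000, dport=53,
                     proto=17, ifindex=1, length=80))
    return pkts


def build_flows(pkts, inactive_timeout=15.0):
    """Return flow records sorted by first-seen time. A packet joins the open
    entry with its key unless that entry has been idle longer than
    inactive_timeout, in which case the old entry is exported and a new one
    is created; remaining entries are flushed at the end of the capture."""
    cache, exported = {}, []
    for p in sorted(pkts, key=lambda p: p["t"]):
        key = tuple(p[field] for field in FLOW_KEY)
        flow = cache.get(key)
        if flow and p["t"] - flow["last"] > inactive_timeout:
            exported.append(cache.pop(key))
            flow = None
        if flow is None:
            flow = dict(zip(FLOW_KEY, key), first=p["t"], last=p["t"], packets=0, bytes=0)
            cache[key] = flow
        flow["packets"] += 1
        flow["bytes"] += p["length"]
        flow["last"] = p["t"]
    exported.extend(cache.values())
    return sorted(exported, key=lambda f: f["first"])


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first: the bandwidth question
    flow records answer without any packet payload."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


if __name__ == "__main__":
    flows = build_flows(build_packets())
    for f in flows:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"proto={f['proto']} packets={f['packets']} bytes={f['bytes']}")
    print(top_talkers(flows))
```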
Analyze Network Traffic through NetFlow (Cont’d)
NetFlow Analyzer: NetFlow Analyzer provides real-time visibility into network bandwidth usage, helping investigators track internal and external threats, detect anomalies, and identify potential zero-day intrusions by analyzing flow data.

Other NetFlow tools:
PRTG Network Monitor: https://www.paessler.com
NetFlow Traffic Analyzer: https://www.solarwinds.com
Nagios Network Analyzer: https://www.nagios.com
ntopng: https://www.ntop.org
Auvik: https://www.auvik.com
Network Forensic Analysis Using Dshell
 Dshell Framework Overview: Dshell is a Python-based forensic network analysis tool designed to dissect network traffic (PCAP files) and extract valuable data, providing flexibility for various forensic analysis tasks in network investigations.
 Usage and Setup: Investigators must set up Dshell by cloning the GitHub repository and installing dependencies. Once set up, they can use various decoders to analyze network traffic, extract specific data, and uncover insights during the investigation.

Dshell Commands For Analyzing a Network
 DNS Lookups Analysis: To analyze DNS queries in network traffic, use the decode -p dns command to display DNS lookups and sort the results for easy review: Dshell> decode -p dns ~/pcap/dns.cap | sort
 Stream Reassembly: Investigators can reassemble and follow a network traffic stream (e.g., HTTP) using the decode -p followstream command to gain insights into the flow of data: Dshell> decode -p followstream ~/pcap/v6-http.cap
 Country-Specific Flow Data: To view network flow data specific to a country code (e.g., Japan), investigators can chain plugins such as country+netflow: Dshell> decode -p country+netflow --country_code=JP ~/pcap/SkypeIRC.cap

Tools for Investigating Network Traffic
Artifact Extraction and Analysis: NetworkMiner is a powerful open-source network forensics tool that allows investigators to extract and analyze various artifacts (e.g., files, emails, credentials) from PCAP files. It provides detailed insights into network traffic and allows searching through sniffed data for specific keywords, making it a valuable tool for network investigations.

Other tools:
Arkime: https://arkime.com
Capsa Portable Network Analyzer: https://www.colasoft.com
Free Network Analyzer: https://freenetworkanalyzer.com
Vehere Network Forensics: https://vehere.com
CapLoader: https://www.netresec.com
Centralized Logging Using SIEM Solutions
Comprehensive Security View: SIEM solutions provide a centralized platform for collecting and analyzing log data from internal and external sources, offering a unified view of an organization's security landscape.
Real-Time Threat Detection: Through real-time monitoring and event correlation, SIEM can identify threats that may go unnoticed by traditional security methods, such as signature-based detection.
Incident Response and Action: SIEM systems can trigger actions, such as reconfiguring firewalls and intrusion prevention systems, based on detected threats to help mitigate potential security risks.
Forensic Evidence and Timeline Creation: The logs stored and analyzed by SIEM tools serve as crucial evidence in investigating security incidents, helping to trace the source and reconstruct the sequence of events during an attack.

[Figure: SIEM as the combination of Security Analytics and Log Management]
SIEM Solutions
 Splunk Enterprise Security: Splunk ES offers a data-driven approach to security, providing full visibility into security posture, enabling fast and accurate decision-making, and improving threat detection and risk mitigation across large-scale environments.
 IBM Security QRadar SIEM: IBM QRadar SIEM integrates advanced AI, security event correlation, and asset-based vulnerability assessments to provide proactive threat detection, situational awareness, and compliance support, helping security teams maximize their effectiveness in identifying and addressing security risks.

Other SIEM Tools:
Datadog Cloud SIEM: https://www.datadoghq.com
Elastic: https://www.elastic.co
LogRhythm: https://logrhythm.com
Graylog
Examine Brute-force Attack
 SIEM Configuration: Configure SIEM to log and track security events like multiple logins from the same IP address, failed login attempts, and system file changes to detect potential brute-force attacks.
 Event IDs for Windows Logs: Windows Event Viewer records failed logins with Event ID 4625 and successful logins with Event ID 4624, which can be used to track login activity and identify brute-force attempts.
 Search Queries in SIEM: Use search queries in SIEM to detect unusual login patterns by filtering failed login events (Event ID 4625) and identifying accounts with multiple failed login attempts.
 Splunk Alerts: Tools like Splunk can trigger alerts when a significant number of failed login attempts are detected, such as 15 or more failed attempts, signaling a possible brute-force attack.
 Event Investigation: After detecting a brute-force attack, examine event details such as the host name, source IP, account name, and time stamps to gather more context and identify the nature of the attack.

Examine DoS Attack
 TCP Dump Analysis: Capture network traffic using Wireshark and analyze the conversations
between client IP and server IP to detect abnormal traffic patterns, such as a spike in packets
within a short timeframe, indicating a potential DoS attack.
 Packet Count Review: Look for significant increases in the number of packets captured, as
seen in the example where 23,890 packets were captured in one minute, which could signal a
DoS attack.

 Examine IP Addresses and Ports: Investigate the specific IP addresses and ports involved in the attack by examining the pcap file in Wireshark, and identify unusual traffic, such as high volume traffic from a single client IP to a server IP on non-standard ports.
 Search Queries for Further Investigation: Use search queries in SIEM tools to further analyze the traffic and pinpoint the attack source, such as detecting abnormal traffic patterns between specific IP addresses and ports, as seen with the client IP 10.10.10.10 sending traffic to port 63657 on the server IP.

Examine Malware Activity
Monitor Network Traffic for Suspicious
Connections: Use SIEM tools to monitor
network traffic for any unusual connections,
such as malware attempting to establish
communication with a C2 server. In the
example, client IP 10.10.10.10 connects to
server IP 10.10.10.12 on port 1177, which is
associated with njRAT malware.
Tcpdump Analysis: Perform Tcpdump
analysis through Splunk or other tools to
detect suspicious traffic patterns, such as
unexpected ports being used for
communication, which may indicate the
presence of malware.
Examine Event Logs for Malicious Files:
Investigate event logs on the suspect
machine for evidence of malicious activity. In
this case, Kibana was used to find logs
indicating the presence of the malicious
njrat.exe file in the system directory.
Correlate Traffic and Event Logs: Correlate network traffic analysis with system event logs to pinpoint the origin and nature of the malware. The network activity involving suspicious ports and the presence of malicious files in the system directory help to confirm the malware’s presence.
Examine Data Exfiltration Attempts over FTP
 Monitor for Unusual FTP Connections: Use
SIEM tools to track FTP connections and detect
any unusual activity. Look for data transfers from
unauthorized IP addresses or unusual amounts of
data being transferred, which may signal data
exfiltration attempts.
 Inspect FTP Traffic: Review network traffic
through SIEM for connections involving FTP (port
21) to ensure that any unauthorized data
transfers are identified. In the example, an FTP
connection from IP 10.10.10.10 to server IP
10.10.10.12 over port 21 should raise suspicion.
 Check Firewall Rules: Ensure that the network
firewall is configured to restrict outbound FTP
connections, especially to unauthorized external
servers. If FTP connections are detected outside
allowed IP addresses or without valid
authorization, it should be flagged as a potential
security breach.
 Investigate the Source and Destination of FTP Connections: Examine the source and destination IP addresses involved in FTP transfers. If a connection is detected from an unauthorized source (like IP 10.10.10.10) to a server IP that should not allow FTP traffic, further investigation into potential data exfiltration is warranted.
Examine Network Scanning Attempts
 Monitor Network Traffic Patterns: Look for
unusual traffic patterns in the network, such as a
series of incomplete TCP handshakes or unusual flags
like FIN, XMAS, or SYN, which are commonly used in
network scanning tools like Nmap. These can indicate
reconnaissance activities by attackers.
 Use IDS/IPS Systems for Detection: Utilize
Intrusion Detection Systems (IDS) like Snort, which
provide rules to detect common scanning techniques
(e.g., FIN, SYN, XMAS). These tools can help identify
potential network scans based on specific traffic
signatures and behaviors.
 Integrate Security Logs into SIEM: Pull logs from
various network security devices (e.g., firewalls, IDS)
into your SIEM platform to aggregate and analyze
scanning attempts. By using search queries to filter
for specific scanning patterns (e.g., FIN or SYN flags),
you can easily detect unauthorized network scanning.
 Examine Source IP for Suspicious Activity: Investigate the source IP address (e.g., 10.10.10.2) involved in suspicious scanning attempts. If this IP is seen repeatedly performing scanning activities, for example with Nmap, it could be an early sign of the reconnaissance phase of an attack, requiring further investigation and possible mitigation.
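The scan signatures described above can be checked with a short pass over packet summaries, which is what an IDS rule or a SIEM search does behind the scenes. This is an added example, not code from the deck or from Snort; the packet lines are constructed, and the ten-port threshold for calling a burst of half-open connections a SYN scan is an assumption.

```python
from collections import defaultdict

# Constructed packet summaries (not from the deck). Fields:
# timestamp src_ip dst_ip dst_port tcp_flags   ("-" means no flags set)
SAMPLE_PACKETS = """\
2024-05-01T10:00:00.100Z 10.10.10.5 10.10.10.12 443 S
2024-05-01T10:00:00.101Z 10.10.10.5 10.10.10.12 443 A
2024-05-01T10:00:00.150Z 10.10.10.5 10.10.10.12 443 PA
""" + "\n".join(
    # 10.10.10.2 sends a bare SYN to fifteen ports and never completes a handshake
    f"2024-05-01T10:00:01.{i:03d}Z 10.10.10.2 10.10.10.12 {port} S"
    for i, port in enumerate(range(21, 36))
) + """
2024-05-01T10:00:02.000Z 10.10.10.2 10.10.10.12 22 F
2024-05-01T10:00:02.010Z 10.10.10.2 10.10.10.12 23 -
2024-05-01T10:00:02.020Z 10.10.10.2 10.10.10.12 80 FPU
"""

# Flag sets that never occur in a normal TCP session and that Nmap uses for
# its stealth scans (-sF, -sN, -sX).
SIGNATURE_SCANS = {
    frozenset("F"): "FIN scan",
    frozenset(): "NULL scan",
    frozenset("FPU"): "XMAS scan",
}
SYN_SCAN_MIN_PORTS = 10   # assumed threshold: half-open (dst, port) pairs per source


def parse_packets(text):
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        pkts.append({
            "ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "flags": frozenset() if flags == "-" else frozenset(flags),
        })
    return pkts


def detect_scans(pkts):
    """Map each scanning source IP to the sorted list of scan types observed."""
    findings = defaultdict(set)
    syn_targets = defaultdict(set)   # src -> {(dst, port)} that received a bare SYN
    acked = set()                    # (src, dst, port) where src later sent an ACK
    for p in pkts:
        fl = p["flags"]
        if fl == frozenset("S"):
            syn_targets[p["src"]].add((p["dst"], p["dport"]))
        elif "A" in fl:
            acked.add((p["src"], p["dst"], p["dport"]))
        if fl in SIGNATURE_SCANS:
            findings[p["src"]].add(SIGNATURE_SCANS[fl])
    # A SYN scan leaves many half-open connections: SYN sent, no ACK ever follows.
    for src, targets in syn_targets.items():
        half_open = {t for t in targets if (src,) + t not in acked}
        if len(half_open) >= SYN_SCAN_MIN_PORTS:
            findings[src].add("SYN scan")
    return {src: sorted(types) for src, types in findings.items()}


if __name__ == "__main__":
    print(detect_scans(parse_packets(SAMPLE_PACKETS)))
```

The legitimate client 10.10.10.5 sends a SYN and then an ACK on the same connection, so it is not reported; 10.10.10.2 is reported for all four scan types. The flag sets are compared as sets rather than strings so that "FPU" and "UPF" match the same signature.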
Examine Ransomware Attack
Data Source: System Monitor (Sysmon) data, file activity monitoring
Anomaly/Signatures:
 Detect attempts to create a large number of files in a short span of time
 Look for known ransomware file extensions
 Detect an increase in file rename attempts on network file shares
Typical Extensions of Ransomware Files: (figure not reproduced in this export)
Examine Ransomware Attack (Cont’d)
 Monitor Known Ransomware File Extensions: Regularly check for suspicious file extensions
associated with ransomware, such as .crypt, .locky, and .encrypted, to detect potential
ransomware attacks early. This list is constantly evolving, so it's important to stay updated with
new extensions.
 Watch for Unusual File Renaming Activity: Ransomware renames files as it encrypts them, typically appending a new extension to each one. A significant increase in file renaming activity across network file shares is therefore a strong indicator of a ransomware attack in progress, requiring immediate investigation.
Examine Ransomware Attack (Cont’d)
 Deploy a Sacrificial Network Share: Set up a sacrificial (decoy) network share with files that no legitimate user or process should touch, to act as an early warning system for ransomware attacks. If ransomware accesses or encrypts these files, the event triggers an alert so that response can start before the encryption spreads further.
 Utilize Sysmon and Splunk for Ransomware Detection: Leverage tools like Sysmon to
monitor system activities such as file creation and process changes. Using Splunk, you can query
events like file creation and track the creation of multiple files in a short period, a common
behavior in ransomware attacks.
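The three signals on the last two slides (a burst of file creates, known extensions, a rename spike on shares) plus the decoy share can be combined into one detector over file-activity events. This is an added example, not code from the deck and not a Splunk search; the events are constructed, the decoy share path is hypothetical, and the burst thresholds and ten-second window are assumptions. The extensions are the three the slide names.

```python
from collections import defaultdict

# Extensions named on the slide; a real deployment keeps this list current.
RANSOMWARE_EXTENSIONS = {".crypt", ".locky", ".encrypted"}
CANARY_SHARE_PREFIX = "\\\\fs01\\canary\\"   # assumed decoy share path
CREATE_BURST_COUNT = 20       # assumed: this many file creates ...
RENAME_BURST_COUNT = 15       # ... or share renames ...
BURST_WINDOW_S = 10.0         # ... inside a ten-second window on one host


def constructed_events():
    """Constructed file-activity records (ts_seconds, host, action, path), not real telemetry.

    On Windows hosts the 'create' rows would come from Sysmon Event ID 11
    (FileCreate); share renames would come from the file server's audit log.
    """
    events = []
    for i in range(30):   # WS01 writes 30 encrypted files in six seconds
        events.append((1000.0 + i * 0.2, "WS01", "create",
                       f"C:\\Users\\bob\\Documents\\report{i}.docx.locky"))
    for i in range(25):   # ...and renames 25 files on a network share
        events.append((1010.0 + i * 0.3, "WS01", "rename",
                       f"\\\\fs01\\finance\\q1_{i}.xlsx.encrypted"))
    events.append((1012.5, "WS01", "rename",      # the decoy share is touched
                   "\\\\fs01\\canary\\invoice.docx.crypt"))
    for i in range(3):    # WS02: three ordinary saves a minute apart
        events.append((1000.0 + i * 60, "WS02", "create",
                       f"C:\\Users\\alice\\notes{i}.txt"))
    return sorted(events)


def has_ransomware_extension(path):
    return any(path.lower().endswith(ext) for ext in RANSOMWARE_EXTENSIONS)


def is_network_share(path):
    return path.startswith("\\\\")


def bursts(events, action, min_count, window_s, path_filter=lambda path: True):
    """Hosts with at least min_count `action` events in any window_s-second window.

    Returns {host: peak_count}, using a sliding window over sorted timestamps.
    """
    per_host = defaultdict(list)
    for ts, host, act, path in events:
        if act == action and path_filter(path):
            per_host[host].append(ts)
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_count:
            hits[host] = peak
    return hits


def analyze(events):
    """Run all four ransomware checks and return their results keyed by check."""
    return {
        "known_extension": sorted({(h, p) for _, h, _, p in events
                                   if has_ransomware_extension(p)}),
        "create_burst": bursts(events, "create", CREATE_BURST_COUNT, BURST_WINDOW_S),
        "share_rename_burst": bursts(events, "rename", RENAME_BURST_COUNT,
                                     BURST_WINDOW_S, is_network_share),
        "canary_touched": sorted({h for _, h, _, p in events
                                  if p.startswith(CANARY_SHARE_PREFIX)}),
    }


if __name__ == "__main__":
    for check, result in analyze(constructed_events()).items():
        print(check, result)
```

WS01 trips every check (30 creates in six seconds, 26 share renames in one window, 56 paths with a known extension, and the decoy share); WS02's three saves a minute apart never exceed one event per window. The extension check alone produces false negatives for families that keep the original name, which is why the rate-based checks and the decoy share matter.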
Detect Rogue DNS Server (DNS Hijacking / DNS
Spoofing)
 Monitor DNS Server Activity: Continuously monitor DNS server logs on your network for any unusual DNS
names or IP addresses that don't match the internal list of legitimate DNS names. This can help identify
potential rogue DNS servers attempting to redirect traffic.
 Cross-Check DNS Names with Known Internal List: Use the SIEM tool to compare the DNS names
detected on the network with a pre-established list of trusted internal DNS names. Any DNS names that do not
appear on this list could be signs of DNS hijacking or spoofing.
 Detect Unusual Traffic on TCP/UDP Port 53: DNS runs on port 53, so a client that sends port 53 traffic to any server other than the organization's approved resolvers is either misconfigured or has had its resolver settings changed. Search for port 53 traffic to unapproved destinations to identify attempts to redirect DNS requests to a rogue server.
 Investigate Anomalies with SIEM Tools: Leverage tools like Splunk to detect and analyze anomalous DNS
queries or responses. Any deviation from normal DNS traffic patterns, such as large numbers of DNS requests to
unfamiliar servers, should be flagged for further investigation.
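The checks above (DNS to an unapproved resolver, an internal name resolving to the wrong address, and a server that answers many unrelated names with the same address) can be expressed over a resolved-query log such as the one a DNS server or Zeek produces. This is an added example, not code from the deck or a Splunk query; the log lines, the trusted resolver address and the internal zone map are constructed for illustration, and the three-name threshold for the redirect check is an assumption.

```python
from collections import defaultdict
from ipaddress import ip_address

# Assumed (hypothetical) trust data: the corporate resolvers every client should
# use, and the addresses internal names are expected to resolve to.
TRUSTED_RESOLVERS = {ip_address("10.10.10.53")}
INTERNAL_ZONE = {
    "intranet.corp.example": {ip_address("10.10.20.5")},
    "mail.corp.example": {ip_address("10.10.20.25")},
}

# Constructed DNS log (not from the deck), one resolved query per line:
# timestamp client_ip server_ip proto qname qtype answer
SAMPLE_DNS_LOG = """\
2024-05-01T11:00:00Z 10.10.10.7 10.10.10.53 UDP intranet.corp.example A 10.10.20.5
2024-05-01T11:00:05Z 10.10.10.7 10.10.10.53 UDP mail.corp.example A 10.10.20.25
2024-05-01T11:01:00Z 10.10.10.9 10.10.10.77 UDP intranet.corp.example A 198.51.100.23
2024-05-01T11:01:02Z 10.10.10.9 10.10.10.77 UDP www.example.org A 198.51.100.23
2024-05-01T11:01:10Z 10.10.10.9 10.10.10.77 TCP mail.corp.example A 198.51.100.23
2024-05-01T11:02:00Z 10.10.10.7 10.10.10.53 UDP www.example.org A 93.184.216.34
"""


def parse_dns_log(text):
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, proto, qname, qtype, answer = line.split()
        recs.append({
            "ts": ts, "client": ip_address(client), "server": ip_address(server),
            "proto": proto, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "answer": ip_address(answer),
        })
    return recs


def detect_rogue_dns(recs, min_names_same_answer=3):
    """Three checks: untrusted resolver in use, wrong answer for an internal
    name, and one server handing out the same address for many unrelated names."""
    untrusted = set()
    spoofed = []
    names_by_server_answer = defaultdict(set)
    for r in recs:
        if r["server"] not in TRUSTED_RESOLVERS:
            untrusted.add((str(r["client"]), str(r["server"])))
        expected = INTERNAL_ZONE.get(r["qname"])
        if expected is not None and r["answer"] not in expected:
            spoofed.append((r["qname"], str(r["server"]), str(r["answer"])))
        names_by_server_answer[(r["server"], r["answer"])].add(r["qname"])
    redirecting = sorted(
        (str(server), str(answer), len(names))
        for (server, answer), names in names_by_server_answer.items()
        if len(names) >= min_names_same_answer
    )
    return {
        "untrusted_resolver": sorted(untrusted),
        "spoofed_internal_answer": spoofed,
        "redirecting_server": redirecting,
    }


if __name__ == "__main__":
    for check, result in detect_rogue_dns(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(check, result)
```

In the sample, client 10.10.10.9 is using 10.10.10.77, which is not a trusted resolver, and that server returns 198.51.100.23 for the intranet, mail and an external name alike: the first finding shows a hijacked resolver setting, the other two show what it is doing with the queries. The third check is the one that catches a rogue server even for names that are not in the internal zone map.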
Wireless Network Forensics
 Collection and Preservation of Wireless Evidence: Wireless network forensics involves gathering evidence such as encrypted or plain data transfers, IP and MAC addresses, SSIDs, and device geolocations, while ensuring the integrity of the evidence for use in legal proceedings.
 Specialized Tools and Techniques: Investigators must utilize specialized tools to capture and analyze wireless network traffic, taking into account wireless security protocols and addressing the unique challenges posed by wireless networks compared to wired networks.
 Documentation and Chain of Custody: Maintaining an accurate and detailed chain of custody is critical in wireless network forensics to ensure the admissibility of evidence in court and to preserve the integrity of the investigation process.
 Identifying and Analyzing Malicious Activity: Wireless network forensics helps detect anomalies and suspicious activities such as unauthorized access or malicious attacks, providing insights into the source, method, and impact of the attack, including tracing the attacker's location and network behavior.
Wireless Network Forensics Challenges and Risks
 Limited Traffic Capture: Forensic tools may only capture traffic from one wireless channel, limiting evidence collection from multiple access points.
 Tracking Roaming Events: Tools may fail to track devices roaming between access points, hindering geolocation and activity monitoring.
 Signal Degradation: Increased hops between devices and the workstation reduce signal quality, complicating data collection.
 Impersonation Attacks: Spoofed MAC addresses make it difficult to identify attackers and gather reliable evidence.
 Rogue Network Detection Risks: Investigators risk detection while collecting evidence from cybercriminal-controlled rogue networks.
 Ad-Hoc Network Topology: Dynamic ad-hoc networks complicate determining the network state during a security breach.
 Unreliable Channels: High packet loss due to unreliable wireless channels hinders effective forensic evidence collection.
 Inaccurate Tool Results: Wireless forensic tools can generate false positives or negatives, affecting evidence reliability.
Types of Wireless Evidence
Type of Wireless Evidence / Description
 Wi-Fi Network Information: Data from Wi-Fi routers/access points including connected devices, timestamps, MAC/IP addresses, and data transfer logs.
 Wireless Device Data: Information about wireless networks accessed by devices (e.g., laptops) stored in system logs.
 Bluetooth Interactions: Records of paired devices and data exchanged via Bluetooth, including peripheral devices and beacons.
 Wireless Network Traffic: Captured network traffic revealing data on network activities, transmitted data, protocols, and encrypted traffic patterns.
 Location and Tracking Data: Data from GPS devices and cell tower records for triangulating device locations.
 SSID Broadcasts and Network Lists: Information on networks stored on a device and their SSIDs, helping identify the wireless networks it has connected to.
 RFID and NFC Transactions: Data from RFID systems and NFC transactions that can reveal user or device interactions.
 Wireless Spectrum: Information about wireless signal strength and quality, used to identify unauthorized or rogue access points.
Wireless Network Forensics Process
 Discover Wireless Access Points: Identify wireless devices in the network using passive scanning (listening for beacon frames) or active scanning (sending probe requests and recording the probe responses), providing insight into the network's structure.
 Detect Rogue/Malicious Access Points: Use tools like inSSIDer to detect rogue access points by examining their MAC address, SSID, vendor, and channel, ensuring the integrity of the network and its security measures.
 Identify Active Connections: Identify active connections and collect details such as IP addresses, MAC addresses, SSIDs, and signal levels using tools like Wi-Fi Scanner, enabling investigators to map network traffic.
 Measure Signal Strength: Determine the signal strength of access points using tools like NetSpot to map the network infrastructure and pinpoint access point locations, assisting in visualizing the network layout.
 Connect to the Suspected Wireless Network: Connect the forensic workstation to the compromised network after determining signal strength to begin capturing network traffic. Joining the network generates traffic of its own and changes the network's state, so record the time, adapter and MAC address used, and where possible capture with a second adapter in monitor mode instead of associating.
 Sniff and Analyze Packets: Use tools like Wireshark to capture and analyze network packets, extracting relevant artifacts like source/destination IPs, ports, protocols, and timestamps, crucial for identifying suspicious activities.
Detect Rogue Access Points
Detect Rogue Access Points: Rogue access points are unauthorized devices installed within a network, potentially enabling attacks such as data theft or DoS. Detecting them requires active wireless discovery, comparison with network inventories, and location tracking.
Steps to Detect a Rogue Access Point
Wireless Network Discovery
 Use Wi-Fi discovery tools like inSSIDer and NetSurveyor to actively scan the wireless network for any unauthorized or hidden access points that could be malicious.
 This step helps detect rogue APs in the vicinity, which are not visible on the wired network and could pose a significant security risk.
Comparison
 Compare detected access points with the authorized device inventory to identify any unlisted devices, which could be potential rogue access points.
 Check the SSID and MAC address of the detected access points. If the SSID is not in the permitted list, or the MAC address does not match the ARP table, it suggests an unauthorized device. Note that an AP's BSSID (the MAC address seen over the air) is often not the same as the MAC address of its wired interface, so the inventory should record both.
Location Tracking
 After identifying a rogue access point, use tools like AirCheck G2 Wi-Fi Tester to determine the physical location of the rogue AP based on its signal strength.
 Accurate location tracking helps investigators trace the rogue AP to its source and assess the scope of the security threat within the physical premises.
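The comparison step, written out as code over the fields a discovery tool exports per beacon (BSSID, SSID, channel, RSSI). This is an added example, not code from the deck or from inSSIDer/NetSurveyor; the inventory and the scan results are constructed, and the three labels (unknown AP, evil twin, inventory mismatch) are this example's own.

```python
# Assumed (hypothetical) authorized AP inventory: BSSID -> (SSID, channel).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpWiFi", 1),
    "00:11:22:33:44:02": ("CorpWiFi", 6),
    "00:11:22:33:44:03": ("CorpGuest", 11),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}

# Constructed scan output (not from the deck): (bssid, ssid, channel, rssi_dbm),
# the fields a discovery tool reports for each beacon it hears.
SCAN_RESULTS = [
    ("00:11:22:33:44:01", "CorpWiFi", 1, -45),
    ("00:11:22:33:44:02", "CorpWiFi", 6, -60),
    ("00:11:22:33:44:03", "CorpGuest", 11, -52),
    ("A4:5E:60:AA:BB:CC", "CorpWiFi", 6, -38),   # corporate SSID, BSSID not in inventory
    ("DE:AD:BE:EF:00:01", "Free_WiFi", 3, -70),  # network nobody registered
    ("00:11:22:33:44:03", "CorpGuest", 1, -53),  # known BSSID, unexpected channel
]


def classify_access_points(scan, inventory=AUTHORIZED_APS):
    """Label each heard AP; rogue candidates come first, strongest signal first."""
    findings = []
    for bssid, ssid, channel, rssi in scan:
        bssid = bssid.lower()          # inventories and tools disagree on case
        if bssid in inventory:
            inv_ssid, inv_channel = inventory[bssid]
            if (ssid, channel) != (inv_ssid, inv_channel):
                findings.append(("inventory-mismatch", bssid, ssid, channel, rssi))
            else:
                findings.append(("authorized", bssid, ssid, channel, rssi))
        elif ssid in CORPORATE_SSIDS:
            # The corporate network name from hardware we do not own
            findings.append(("evil-twin", bssid, ssid, channel, rssi))
        else:
            findings.append(("unknown-ap", bssid, ssid, channel, rssi))
    # Rogues first; among rogues the highest RSSI is usually the closest device,
    # which is where the physical search with a signal tracker should start.
    return sorted(findings, key=lambda f: (f[0] == "authorized", -f[4]))


def rogue_candidates(scan, inventory=AUTHORIZED_APS):
    return [f for f in classify_access_points(scan, inventory) if f[0] != "authorized"]


if __name__ == "__main__":
    for finding in rogue_candidates(SCAN_RESULTS):
        print(*finding)
```

The evil twin at -38 dBm is listed first because it is the strongest, and therefore most likely the nearest, rogue. An inventory mismatch on channel alone can be a legitimate controller-driven channel change, so it should be confirmed against the WLAN controller's logs before anyone goes looking for hardware.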
Wi-Fi Discovery Tools
 inSSIDer: A Wi-Fi optimization and troubleshooting tool that helps users visualize signal strengths, channels, and other relevant details about nearby wireless networks. Investigators can use inSSIDer to discover and analyze Wi-Fi access points in their vicinity.
 NetSurveyor: A network discovery tool that provides real-time information on nearby wireless APs, with the ability to display data in various diagnostic views and charts. Investigators can use NetSurveyor to identify rogue APs, assess signal strengths, and generate detailed reports.
Other Wi-Fi Discovery Tools:
 Wi-Fi Scanner (https://lizardsystems.com)
 Acrylic WiFi Analyzer (https://www.acrylicwifi.com)
 WirelessMon (https://www.passmark.com)
 Ekahau Wi-Fi Heatmaps (https://www.ekahau.com)
Detect Access Point MAC Address Spoofing
Attempts
Methods to Detect MAC Address Spoofing
Sequence Number-based Detection
1. Involves analyzing the sequence number (SN) field in MAC-layer frame headers, where the SN increments by one for each sent data or management frame (a retransmission repeats the previous SN, and the 12-bit counter wraps from 4095 back to 0).
2. Detects unexpected SN gaps, or a counter that moves backwards, which could indicate MAC address spoofing by an attacker.
3. Assumes that the sequence number counters of the attacker and the legitimate device will differ, helping to identify discrepancies.
4. Provides a method for detecting spoofing in real-time network traffic by examining the consistency of sequence numbers. Frame loss and the separate per-traffic-class counters used by QoS data frames also produce gaps, so SN anomalies are best confirmed with the signal strength method.
Signal Strength-based Detection
1. Relies on monitoring received signal strength (RSS) values, which can fluctuate due to factors like transmission power and distance.
2. Detects spoofing by analyzing sudden changes in RSS from a MAC address, as legitimate devices typically maintain stable RSS values.
3. More effective when the victim device is far from the attacker, as the difference in RSS becomes more noticeable with distance.
4. Helps identify MAC address spoofing attacks by highlighting anomalies in signal strength patterns during wireless communication.
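Both methods above applied to a stream of frame records, as an added example that is not code from the deck. The frames are constructed (one AP whose MAC an attacker starts using from farther away, and a second station whose counter wraps at 4095); the gap threshold of 50 frames, the 15 dB RSS jump and the eight-frame averaging window are assumptions.

```python
from collections import defaultdict, deque

SEQ_MODULO = 4096        # the 802.11 sequence number is a 12-bit counter
MAX_FORWARD_GAP = 50     # assumed: more missed frames than this in a row is suspicious
RSS_JUMP_DB = 15         # assumed: a change this large from the running mean is abnormal
RSS_WINDOW = 8           # running mean over the last eight frames per MAC

# Constructed frame records (not from the deck): (time_s, transmitter MAC, seq, rssi_dbm)
FRAMES = [
    # Legitimate AP: stable signal, counter advancing by one (a retry repeats the SN)
    (0.00, "aa:bb:cc:dd:ee:01", 100, -48),
    (0.10, "aa:bb:cc:dd:ee:01", 101, -49),
    (0.20, "aa:bb:cc:dd:ee:01", 102, -50),
    (0.30, "aa:bb:cc:dd:ee:01", 102, -49),   # retransmission: delta 0
    (0.40, "aa:bb:cc:dd:ee:01", 103, -50),
    # Attacker starts transmitting with the AP's MAC from farther away
    (0.45, "aa:bb:cc:dd:ee:01", 700, -72),
    (0.50, "aa:bb:cc:dd:ee:01", 104, -49),   # the real AP continues
    (0.55, "aa:bb:cc:dd:ee:01", 701, -73),
    # An unrelated station whose counter wraps from 4095 to 0
    (1.00, "aa:bb:cc:dd:ee:02", 4094, -60),
    (1.10, "aa:bb:cc:dd:ee:02", 4095, -61),
    (1.20, "aa:bb:cc:dd:ee:02", 0, -60),
    (1.30, "aa:bb:cc:dd:ee:02", 1, -61),
]


def seq_delta(prev, cur):
    """Signed distance from prev to cur on the 12-bit counter, in (-2048, 2048]."""
    d = (cur - prev) % SEQ_MODULO
    return d - SEQ_MODULO if d > SEQ_MODULO // 2 else d


def detect_spoofing(frames):
    """Return (time, mac, kind, value) alerts from sequence-number and RSS analysis."""
    last_seq = {}
    rss_history = defaultdict(lambda: deque(maxlen=RSS_WINDOW))
    alerts = []
    for ts, mac, seq, rssi in frames:
        mac = mac.lower()
        if mac in last_seq:
            d = seq_delta(last_seq[mac], seq)
            if d < 0:                    # counter moved backwards: a second transmitter
                alerts.append((ts, mac, "seq-went-backwards", d))
            elif d > MAX_FORWARD_GAP:    # far ahead: another counter, or a long outage
                alerts.append((ts, mac, "seq-gap", d))
            # d == 0 is a retransmission; a small positive d is ordinary frame loss
        last_seq[mac] = seq
        hist = rss_history[mac]
        if len(hist) >= 3:               # need a baseline before judging a jump
            mean = sum(hist) / len(hist)
            if abs(rssi - mean) > RSS_JUMP_DB:
                alerts.append((ts, mac, "rss-jump", round(rssi - mean, 1)))
        hist.append(rssi)
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(FRAMES):
        print(*alert)
```

The spoofed MAC produces five alerts: the attacker's first frame jumps the counter ahead and arrives 23 dB weaker, the real AP's next frame makes the counter go backwards, and the attacker's second frame repeats both signs. The wrapping station produces none, because the delta is computed modulo 4096. Each alert also records both transmitters' signal levels indirectly, which is the evidence that two radios are sharing one address.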
Module Summary: Network Forensics
Key Points
Network forensics captures and analyzes network traffic to identify security incidents, trace attackers, and understand attack methods and the vulnerabilities they exploited.
Correlating firewall, IDS and endpoint logs in a SIEM detects attacks such as FTP data exfiltration, network scanning, ransomware activity and rogue DNS servers.
Wireless network forensics collects evidence such as SSIDs, MAC and IP addresses and captured traffic, while dealing with single-channel capture limits, roaming, spoofed MAC addresses and unreliable tool output.
Rogue access points are found by scanning with Wi-Fi discovery tools, comparing the results against the authorized inventory and locating the device by signal strength; MAC address spoofing is detected from sequence number anomalies and signal strength changes.
THANK YOU
Quick Heal Academy
Cyber Education and Services
www.quickheal.co.in Email: [email protected]
www.quickheal.com