Module 6 - Network-Forensics

The document discusses network forensics and covers topics such as networking fundamentals, network security tools, network attacks, incident response, and network evidence investigation. It describes concepts like TCP/IP, client-server and peer-to-peer networks, different network types, IP addresses, common network security tools, types of network attacks, the NIST incident response process, and challenges with network investigation.


Module 6.

Network Forensics
(part 3)
Topics

• Networking Fundamentals
• Types of Networks
• Network Security Tools
• Network Attacks
• Incident Response
• Network Evidence & Investigation
Networking Fundamentals
Network Concepts

• TCP/IP (Transmission Control Protocol / Internet Protocol)
– The common language of the Internet: IP routes packets between hosts, TCP provides reliable, ordered delivery on top of it
• Client/Server Network
– Each computer has one of two roles: client (requests a service) or server (provides it)
– Modern computers mix the roles
• Peer-to-peer Network
– Every member has the same role, acting as both client and server
– The model behind BitTorrent file sharing, which is often (though not only) used to share copyrighted files without permission
Network Types

• LAN (Local Area Network)
– Within a single building or a few nearby buildings
• WAN (Wide Area Network)
– Larger area: spans cities or countries, usually over leased lines or the Internet
• Internet
– Largest WAN, the whole world
• MAN (Metropolitan Area Network)
– City-sized, between a LAN and a WAN
• PAN (Personal Area Network)
– Bluetooth: about 10 meters for the common Class 2 devices
• CAN (Campus Area Network)
– Several LANs joined across one campus or site
IP Addresses

• IPv4: 32 bits, in four octets
– Each octet written as a decimal number 0-255
– Ex: 192.168.1.101
– Only about 4.3 billion (2^32) addresses in total
– They have run out: IANA allocated its last free blocks in 2011, and most regional registries have since exhausted theirs
• IPv6: 128 bits, in eight 16-bit fields
– Each field a 4-character hexadecimal value
– Range 0000 – FFFF
– Ex: 2001:0db8:0000:0000:1111:2222:3333:4444
– Leading zeros in a field may be dropped and one run of all-zero fields written as "::", so the same address also appears as 2001:db8::1111:2222:3333:4444
– Many addresses: about 3.4 × 10^38 (340 billion billion billion billion)
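Because the same IPv6 address can be written several ways (full, zero-compressed, upper or lower case, IPv4-mapped, bracketed with a port), an investigator who matches addresses across logs by plain string comparison will miss hits. The following is an added example, not part of the original slides, that normalizes both IPv4 and IPv6 addresses with Python's standard ipaddress module and groups a constructed set of logged strings by host; the sample addresses and the "raw address:port" handling are assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: two hosts whose addresses appear in several textual
# forms across different logs (web server, syslog, dual-stack sockets).
LOGGED_ADDRESSES = [
    "192.168.1.101",
    "192.168.1.101:8080",                    # IPv4 with a port, as some proxy logs write it
    "2001:0db8:0000:0000:1111:2222:3333:4444",
    "2001:db8::1111:2222:3333:4444",
    "2001:DB8:0:0:1111:2222:3333:4444",
    "[2001:db8::1111:2222:3333:4444]:443",   # bracketed with a port, as many web server logs write it
    "::ffff:192.168.1.101",                  # IPv4-mapped IPv6 form from a dual-stack socket
]


def normalize(addr: str) -> str:
    """Return the canonical text form of an IPv4/IPv6 address.

    Strips a trailing port, lower-cases hex digits, compresses the longest
    run of zero fields, and maps ::ffff:a.b.c.d back to a.b.c.d so that the
    same host compares equal however a log happened to print it.
    """
    s = addr.strip()
    if s.startswith("["):                    # "[v6]:port"
        s = s[1 : s.index("]")]
    elif s.count(":") == 1:                  # "v4:port" (a bare IPv6 address has at least two colons)
        s = s.split(":", 1)[0]
    ip = ipaddress.ip_address(s)             # raises ValueError on anything malformed
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


def group_by_host(addresses):
    """Map each canonical address to the raw strings that refer to it."""
    groups = defaultdict(list)
    for raw in addresses:
        groups[normalize(raw)].append(raw)
    return dict(groups)


def address_space(version: int) -> int:
    """Number of addresses in the whole IPv4 (2**32) or IPv6 (2**128) space."""
    whole = {4: "0.0.0.0/0", 6: "::/0"}[version]
    return ipaddress.ip_network(whole).num_addresses


if __name__ == "__main__":
    for host, raws in group_by_host(LOGGED_ADDRESSES).items():
        print(host, "<-", raws)
    print("IPv4 addresses:", address_space(4))
    print("IPv6 addresses:", f"{address_space(6):.2e}")
```

Normalize every address before it goes into an indicator list or a log search; otherwise a filter for 2001:db8::1111:2222:3333:4444 silently misses the fully expanded form a different device logged.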
Network Security Tools
Firewalls, IDS, and Sniffers

• Firewall
– Filters inbound and, optionally, outbound traffic
– Simple (packet-filtering) firewalls decide on packet headers alone
• IP addresses, protocol, port numbers
– Layer 7 (application-layer) firewall
• Looks inside the payload to discriminate more finely
• Can detect Facebook, TeamViewer, BitTorrent even when they run over ports such as 80 or 443
• Intrusion Detection System (IDS)
– Detects and alerts on malicious traffic matching a set of signatures; only an inline IPS also blocks it
– Ex: Snort
• Sniffer
– Captures packets for analysis
– Ex: Wireshark
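To make the difference between the three tools concrete, here is an added example (not from the original slides) in Python: a first-match packet filter evaluated once with header-only rules and once with a layer-7 content rule in front, and a signature-based IDS that only reports. The packets, rules and signatures are constructed for the demonstration; the only real constant is the fixed prefix of a BitTorrent peer handshake.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""  # what a layer-7 device inspects and a header filter ignores


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    src: Optional[str] = None        # CIDR; None matches any source
    dport: Optional[int] = None      # None matches any destination port
    content: Optional[bytes] = None  # layer-7 condition: bytes that must appear in the payload

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


def firewall_decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation with an implicit default, the way packet filters work."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def ids_inspect(signatures: List[Tuple[str, bytes]], packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Signature-based IDS: return (signature, src, dst) for every hit; nothing is blocked."""
    alerts = []
    for pkt in packets:
        for name, pattern in signatures:
            if pattern in pkt.payload:
                alerts.append((name, pkt.src, pkt.dst))
    return alerts


# Header-only policy: web traffic in, everything else dropped by the default.
HEADER_RULES = [
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", proto="tcp", dport=443),
]

# The same policy with one layer-7 rule evaluated first.
BT_HANDSHAKE = b"\x13BitTorrent protocol"  # fixed prefix of a BitTorrent peer handshake
L7_RULES = [Rule("deny", content=BT_HANDSHAKE)] + HEADER_RULES

# Constructed sample packets (addresses from the RFC 5737 documentation ranges).
HTTP_GET = Packet("203.0.113.7", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")
BT_ON_80 = Packet("203.0.113.7", "192.0.2.10", "tcp", 80, BT_HANDSHAKE + bytes(8) + bytes(20) + bytes(20))
SSH_IN = Packet("203.0.113.7", "192.0.2.10", "tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n")
TRAVERSAL = Packet("198.51.100.9", "192.0.2.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n")

SIGNATURES = [
    ("BitTorrent handshake", BT_HANDSHAKE),
    ("HTTP path traversal", b"/../"),
]

if __name__ == "__main__":
    for pkt in (HTTP_GET, BT_ON_80, SSH_IN):
        print(f"dport {pkt.dport}: header-only={firewall_decide(HEADER_RULES, pkt)} "
              f"layer7={firewall_decide(L7_RULES, pkt)}")
    for alert in ids_inspect(SIGNATURES, [HTTP_GET, BT_ON_80, SSH_IN, TRAVERSAL]):
        print("ALERT", alert)
```

The BitTorrent handshake sent to port 80 passes the header-only policy because it looks like web traffic at the header level; the content rule catches it, and the IDS raises an alert for it and for the traversal request without stopping either. One caveat the slide does not mention: once the payload is inside TLS the content rule has nothing to match, so a layer-7 firewall either terminates TLS itself or falls back to metadata such as the SNI hostname.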
Network Attacks
Network Attacks

• DDoS (Distributed Denial of Service)
– Many bots (a botnet) flood a server or link so legitimate users cannot get through
• IP Spoofing
– False source IP address in packets
– Can make attacks appear to come from trusted sources, and hides the true origin of a DDoS flood
– Limited by ingress filtering (BCP 38): the ISP drops packets whose source address could not legitimately come from that customer link
• Man-in-the-Middle
– Intercept traffic between two parties
– Attacker can examine or alter data
– Can impersonate either party
– Defense: TLS (formerly SSL) with proper certificate validation, so an interceptor cannot impersonate the server without a valid certificate
Social Engineering

• Tricking people into security violations
Most Common Hacking Methods

• Backdoor
– Malware that gives the attacker remote control of the infected host
• Footprinting
– Gathering public information about a target
• Fingerprinting
– Scanning a target for open ports, operating system and service versions, and other information
• Based on a 2011 Verizon study
Insider Threat

• Often the most damaging threat
• Insiders already have legitimate access and know where the valuable data is, so a single incident can do more harm than an external attack
• Difficult to detect or prevent, because their activity looks like normal use
Incident Response
NIST Process

• Preparation
– Planning for security incidents
– Proactive defenses, such as
• Hardening systems
• Patching
• Perimeter defense
• User awareness training
• Policies, procedures, and guidelines
• Detection and Analysis
– Decide whether an event is actually an incident, and how far it reaches
– IDS alerts include false positives, so each one must be verified against other evidence
– Network traffic is noisy and irregular, which makes "abnormal" hard to define
NIST Process

• Containment
– Limit the damage (isolate hosts, block addresses) while preserving evidence
• Eradication
– Remove the cause: malware, attacker accounts, the exploited vulnerability
• Recovery
– Restore systems to normal operation and monitor for recurrence
• Post-incident activity (lessons learned)
– Root-cause analysis
– Plan how to prevent future incidents
– Revise policies and procedures
Network Evidence & Investigation
Where is the Evidence?

• All devices along the route may contain log files
– Servers
– Routers
– Firewalls
• Evidence may be volatile
– Memory, ARP caches and connection tables are lost on reboot, so capture them before anything else
Log Files

• Authentication log
– Which account logged in, from which IP address, and when; failed attempts matter as much as successes
• Application log
– Timestamps showing when the application was used and by whom
• Operating system log
– Tracks reboots, file access, clients served, and much more
• Device logs
– On routers and firewalls: connections, NAT translations, dropped packets
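The authentication log is where account and source address meet, so it is the natural place to look for password guessing and for a login that follows it. The following added example (not from the original slides) parses constructed sshd lines in Linux auth.log format, builds the account-to-IP mapping, and flags a source that produced at least five failures inside sixty seconds, plus any successful login from such a source. The threshold, the window, the assumed year and the log lines themselves are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Linux auth.log / sshd format. Syslog timestamps carry
# no year, so one is assumed below; in practice take it from the file's mtime.
AUTH_LOG = """\
Mar  4 10:15:22 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  4 10:15:24 web01 sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Mar  4 10:15:27 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  4 10:15:29 web01 sshd[2237]: Failed password for bob from 203.0.113.7 port 51240 ssh2
Mar  4 10:15:31 web01 sshd[2239]: Failed password for bob from 203.0.113.7 port 51242 ssh2
Mar  4 10:15:34 web01 sshd[2241]: Failed password for bob from 203.0.113.7 port 51244 ssh2
Mar  4 10:15:40 web01 sshd[2243]: Accepted password for bob from 203.0.113.7 port 51246 ssh2
Mar  4 10:15:40 web01 sshd[2243]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  4 10:20:01 web01 sshd[2301]: Failed password for bob from 198.51.100.9 port 40102 ssh2
Mar  4 10:20:09 web01 sshd[2303]: Accepted publickey for alice from 198.51.100.9 port 40104 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ASSUMED_YEAR = 2024


def parse(text):
    """Return (timestamp, result, user, ip) tuples in time order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # session/pam lines and anything else this parser does not model
        ts = datetime.strptime(f"{ASSUMED_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def analyze(text, threshold=5, window=timedelta(seconds=60)):
    events = parse(text)
    failures = defaultdict(list)   # ip -> failure timestamps in order
    logins = defaultdict(set)      # user -> source IPs that logged in (account + IP)
    suspicious_logins = []         # successes from an IP that had already failed `threshold` times
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
        else:
            logins[user].add(ip)
            if len(failures[ip]) >= threshold:
                suspicious_logins.append((ts, user, ip, len(failures[ip])))
    # Sliding window: the largest number of failures from one IP inside any `window`.
    brute_force = {}
    for ip, times in failures.items():
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            brute_force[ip] = best
    return {"brute_force": brute_force, "suspicious_logins": suspicious_logins, "logins": dict(logins)}


if __name__ == "__main__":
    report = analyze(AUTH_LOG)
    print("brute force sources:", report["brute_force"])
    print("logins after failures:", report["suspicious_logins"])
    print("account -> IPs:", report["logins"])
```

On the sample, 203.0.113.7 is reported with six failures in one window and bob's login from it is flagged; alice's login from 198.51.100.9 after a single typo is not. The parser deliberately ignores lines it does not recognise rather than failing, since a real auth.log mixes sshd, sudo and PAM entries.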
Network Investigative Tools

• Wireshark
– Sniffer and protocol analyzer for captured packets
• NetIntercept
– Hardware appliance to record network traffic
• NetWitness Investigator
– Can capture and analyze network traffic
• Snort
– IDS
NetIntercept (product screenshot)
Network Investigation Challenges

• IP addresses can be spoofed or hidden
– Bounced through proxies
– Or through compromised systems
– Or through the Tor anonymity network
– NAT puts many users behind one public address
• Logs are often incomplete or absent
– Logs are rotated or deleted after a retention period
– Attackers can erase or alter logs, so copy logs to a separate collector as they are written
• Jurisdiction
– Attacks can cross state or national boundaries, so obtaining evidence may need foreign cooperation
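Forwarding logs off the host stops an attacker from silently erasing them, but the investigator still needs a way to prove that what the collector holds is complete and unmodified. One established approach, shown here as an added example that is not part of the original slides, is an HMAC chain: each entry's tag commits to the previous tag, its sequence number and its text, under a key held only by the collector. Deleting, reordering or editing an entry breaks every later tag, and keeping the latest tag ("head") on the collector also exposes truncation of the tail. The key, the log lines and the dictionary layout are assumptions for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

GENESIS = b"\x00" * 32  # tag "before" the first entry; verification starts from it too

# Constructed sample firewall log lines.
SAMPLE_LINES = [
    "2024-03-04T10:15:20Z fw01 ACCEPT tcp 203.0.113.7:51234 -> 192.0.2.10:22",
    "2024-03-04T10:15:22Z fw01 ACCEPT tcp 203.0.113.7:51236 -> 192.0.2.10:22",
    "2024-03-04T10:15:40Z fw01 ACCEPT tcp 203.0.113.7:51246 -> 192.0.2.10:22",
    "2024-03-04T10:16:03Z fw01 ACCEPT tcp 192.0.2.10:44102 -> 198.51.100.200:443",
    "2024-03-04T10:16:05Z fw01 DROP  tcp 192.0.2.10:44104 -> 198.51.100.200:6667",
]


def _tag(key: bytes, prev_tag: bytes, seq: int, msg: str) -> bytes:
    # Each tag binds the previous tag, the sequence number and the message,
    # so changing any earlier entry changes every later tag.
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(prev_tag)
    h.update(seq.to_bytes(8, "big"))
    h.update(msg.encode("utf-8"))
    return h.digest()


def append(chain: List[Dict], key: bytes, msg: str) -> Dict:
    """Append one log line to the chain and return the stored entry."""
    seq = len(chain) + 1
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"seq": seq, "msg": msg, "tag": _tag(key, prev, seq, msg)}
    chain.append(entry)
    return entry


def verify(chain: List[Dict], key: bytes, head: Optional[bytes] = None) -> Tuple[bool, int]:
    """Return (True, len(chain)) if intact, otherwise (False, index of the first bad entry).

    If `head` (the last tag the collector saw) is given, a chain that checks out
    but stops short of it is reported as bad at the position where entries are missing.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(key, prev, i + 1, entry["msg"])
        if entry["seq"] != i + 1 or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    if head is not None and not hmac.compare_digest(prev, head):
        return False, len(chain)
    return True, len(chain)


def build_sample_chain(key: bytes) -> List[Dict]:
    chain: List[Dict] = []
    for line in SAMPLE_LINES:
        append(chain, key, line)
    return chain


if __name__ == "__main__":
    key = b"collector-secret-demo"   # constructed; in practice generated and kept on the collector only
    chain = build_sample_chain(key)
    head = chain[-1]["tag"]
    print("intact:", verify(chain, key, head))
    print("entry 3 deleted:", verify(chain[:2] + chain[3:], key, head))
    print("last entry truncated:", verify(chain[:-1], key, head))
```

Plain SHA-256 chaining without a key would not help here: an attacker with root on the host could simply rebuild the chain after editing it. The HMAC key, like the forwarded copy of the log, has to live somewhere the attacker cannot reach, which is why the collector, not the logging host, holds it.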
• Q&A

http://fpt.edu.vn 06/04/24 28
