Sign In Start Free Trial

Book Overview & Buying
Table Of Contents

Hands-On Network Forensics

By : Nipun Jaswal

3.2 (6)

Hands-On Network Forensics

3.2 (6)

By: Nipun Jaswal

Overview of this book

Network forensics is a subset of digital forensics that deals with network attacks and their investigation. In the era of network attacks and malware threat, it’s now more important than ever to have skills to investigate network attacks and vulnerabilities. Hands-On Network Forensics starts with the core concepts within network forensics, including coding, networking, forensics tools, and methodologies for forensic investigations. You’ll then explore the tools used for network forensics, followed by understanding how to apply those tools to a PCAP file and write the accompanying report. In addition to this, you will understand how statistical flow analysis, network enumeration, tunneling and encryption, and malware detection can be used to investigate your network. Towards the end of this book, you will discover how network correlation works and how to bring all the information from different types of network devices together. By the end of this book, you will have gained hands-on experience of performing forensics analysis tasks.

Preface

Preface

Who this book is for

What this book covers

To get the most out of this book

Get in touch

Disclaimer

Free Chapter

Section 1: Obtaining the Evidence

Section 1: Obtaining the Evidence

Introducing Network Forensics

Introducing Network Forensics

Technical requirements

Network forensics investigation methodology

Source of network evidence

Wireshark essentials

Exercise 1 – a noob's keylogger

Exercise 2 – two too many

Summary

Questions and exercises

Further reading

Technical Concepts and Acquiring Evidence

Technical Concepts and Acquiring Evidence

Technical requirements

The inter-networking refresher

Log-based evidence

Case study – hack attempts

Summary

Questions and exercises

Further reading

Section 2: The Key Concepts

Section 2: The Key Concepts

Deep Packet Inspection

Deep Packet Inspection

Technical requirements

Protocol encapsulation

Analyzing packets on TCP

Analyzing packets on UDP

Analyzing packets on ICMP

Case study – ICMP Flood or something else

Summary

Questions and exercises

Further reading

Statistical Flow Analysis

Statistical Flow Analysis

Technical requirements

The flow record and flow-record processing systems (FRPS)

Sensor deployment types

Analyzing the flow

Summary

Questions

Further reading

Combatting Tunneling and Encryption

Combatting Tunneling and Encryption

Technical requirements

Decrypting TLS using browsers

Decoding a malicious DNS tunnel

Decrypting 802.11 packets

Decoding keyboard captures

Summary

Questions and exercises

Further reading

Section 3: Conducting Network Forensics

Section 3: Conducting Network Forensics

Investigating Good, Known, and Ugly Malware

Investigating Good, Known, and Ugly Malware

Technical requirements

Dissecting malware on the network

Intercepting malware for fun and profit

Behavior patterns and analysis

A real-world case study – investigating a banking Trojan on the network

Summary

Questions and exercises

Further reading

Investigating C2 Servers

Investigating C2 Servers

Technical requirements

Decoding the Metasploit shell

Case study – decrypting the Metasploit Reverse HTTPS Shellcode

Analyzing Empire C2

Case study – CERT.SE's major fraud and hacking criminal case, B 8322-16

Summary

Questions and exercises

Further reading

Investigating and Analyzing Logs

Investigating and Analyzing Logs

Technical requirements

Network intrusions and footprints

A case study – defaced servers

Summary

Questions and exercises

Further reading

WLAN Forensics

WLAN Forensics

Technical requirements

The 802.11 standard

Packet types and subtypes

Locating wireless devices

Identifying rogue access points

Identifying attacks

Case study – identifying the attacker

Summary

Questions

Further reading

Automated Evidence Aggregation and Analysis

Automated Evidence Aggregation and Analysis

Technical requirements

Automation using Python and Scapy

Automation through pyshark – Python's tshark

Merging and splitting PCAP data

Large-scale data capturing, collection, and indexing

Summary

Questions and exercises

Further reading

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Assessments

Assessments

Chapter 1: Introducing Network Forensics

Chapter 6: Investigating Good, Known, and Ugly Malware

Chapter 7: Investigating C2 Servers

Chapter 9: WLAN Forensics

Case study – decrypting the Metasploit Reverse HTTPS Shellcode

It is practically impossible to decrypt the HTTPS communication without using a man-in-the-middle or some sorts of SSL offloader. In the case of a Meterpreter shell, the key and certificates are dynamically generated and are then removed, making it more difficult to decrypt the encrypted sessions. However, sometimes a malicious attacker may use and impersonate SSL certificates and leave them on their system. In such cases, obtaining the private key can decrypt the HTTPS payloads for us. The following example demonstrates the SSL decryption in cases of a self-signed certificate and we are assuming that the incident responders somehow managed to grab the keys from the attackers system. Let's look at the encrypted communication given in the following screenshot:

We can see that the data is encrypted...

Visually different images

CONTINUE READING

83

Tech Concepts

36

Programming languages

73

Tech Tools

Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.

Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.

50+ new titles added per month and exclusive early access to books as they are being written.

Hands-On Network Forensics

Search

Your notes and bookmarks