Book Image

Hands-On Network Forensics

By : Nipun Jaswal
2 (2)
Book Image

Hands-On Network Forensics

2 (2)
By: Nipun Jaswal

Overview of this book

Network forensics is a subset of digital forensics that deals with network attacks and their investigation. In the era of network attacks and malware threat, it’s now more important than ever to have skills to investigate network attacks and vulnerabilities. Hands-On Network Forensics starts with the core concepts within network forensics, including coding, networking, forensics tools, and methodologies for forensic investigations. You’ll then explore the tools used for network forensics, followed by understanding how to apply those tools to a PCAP file and write the accompanying report. In addition to this, you will understand how statistical flow analysis, network enumeration, tunneling and encryption, and malware detection can be used to investigate your network. Towards the end of this book, you will discover how network correlation works and how to bring all the information from different types of network devices together. By the end of this book, you will have gained hands-on experience of performing forensics analysis tasks.

Related Content you might be interested in

Current Title:

Small book image
Hands-On Network Forensics
Nipun Jaswal
Mar, 2019 | 358 pages
Small book image
Mastering Linux Administration
Alexandru Calcatinge | Julian Balog
Mar, 2024 | 764 pages
Small book image
Linux for System Administrators
Viorel Rudareanu | Daniil Baturin
Sep, 2023 | 294 pages
Small book image
Mastering Linux Administration
Alexandru Calcatinge | Julian Balog
Jun, 2021 | 772 pages
Table of Contents (16 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Disclaimer
Free Chapter
1
Section 1: Obtaining the Evidence
Section 1: Obtaining the Evidence
2
Introducing Network Forensics
Introducing Network Forensics
Technical requirements
Network forensics investigation methodology
Source of network evidence
Wireshark essentials
Exercise 1 – a noob's keylogger
Exercise 2 – two too many
Summary
Questions and exercises
Further reading
3
Technical Concepts and Acquiring Evidence
Technical Concepts and Acquiring Evidence
Technical requirements
The inter-networking refresher
Log-based evidence
Case study – hack attempts
Summary
Questions and exercises
Further reading
4
Section 2: The Key Concepts
Section 2: The Key Concepts
5
Deep Packet Inspection
Deep Packet Inspection
Technical requirements
Protocol encapsulation
Analyzing packets on TCP
Analyzing packets on UDP
Analyzing packets on ICMP
Case study – ICMP Flood or something else
Summary
Questions and exercises
Further reading
6
Statistical Flow Analysis
Statistical Flow Analysis
Technical requirements
The flow record and flow-record processing systems (FRPS) 
Sensor deployment types
Analyzing the flow
Summary
Questions
 Further reading
7
Combatting Tunneling and Encryption
Combatting Tunneling and Encryption
Technical requirements
Decrypting TLS using browsers
Decoding a malicious DNS tunnel
Decrypting 802.11 packets
Decoding keyboard captures
Summary
Questions and exercises
Further reading
8
Section 3: Conducting Network Forensics
Section 3: Conducting Network Forensics
9
Investigating Good, Known, and Ugly Malware
Investigating Good, Known, and Ugly Malware
Technical requirements
Dissecting malware on the network
Intercepting malware for fun and profit
Behavior patterns and analysis
A real-world case study – investigating a banking Trojan on the network
Summary
Questions and exercises
Further reading
10
Investigating C2 Servers
Investigating C2 Servers
Technical requirements
Decoding the Metasploit shell
Case study – decrypting the Metasploit Reverse HTTPS Shellcode
Analyzing Empire C2
Case study – CERT.SE's major fraud and hacking criminal case, B 8322-16
Summary
Questions and exercises
Further reading
11
Investigating and Analyzing Logs
Investigating and Analyzing Logs
Technical requirements
Network intrusions and footprints
A case study – defaced servers
Summary
Questions and exercises
Further reading
12
WLAN Forensics
WLAN Forensics
Technical requirements
The 802.11 standard
Packet types and subtypes
Locating wireless devices
Identifying rogue access points
Identifying attacks
Case study – identifying the attacker
Summary
Questions
Further reading
13
Automated Evidence Aggregation and Analysis
Automated Evidence Aggregation and Analysis
Technical requirements
Automation using Python and Scapy
Automation through pyshark – Python's tshark
Merging and splitting PCAP data
Large-scale data capturing, collection, and indexing
Summary
 Questions and exercises
Further reading
14
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
15
Assessments
Assessments
Chapter 1: Introducing Network Forensics
Chapter 6: Investigating Good, Known, and Ugly Malware
Chapter 7: Investigating C2 Servers
Chapter 9: WLAN Forensics

Exercise 2 – two too many

Let's analyze another capture file from https://github.com/nipunjaswal/networkforensics/blob/master/Ch1/Two%20to%20Many/twotomany.pcap, that we currently don't know any details about and try reconstructing the chain of events.

We will open the PCAP in Wireshark, as follows:

From the preceding screenshot, we can see that numerous SYN packets are being sent out to the 64.13.134.52 IP address. However, looking closely, we can see that most of the packets are being sent every so often from a single port, which is 36050 and 36051to almost every port on 64.13.134.52. Yes, you guessed right: this looks like a port scan. Initially the SYN packet is sent out, and on receiving a SYN/ACK, the port is considered open.

We know that the originating IP address, 172.16.0.8is an internal one and the server being contracted...

Previous Section
End of Section 7
Next Section