Book Image

Hands-On Network Forensics

By : Nipun Jaswal
2 (2)
Book Image

Hands-On Network Forensics

2 (2)
By: Nipun Jaswal

Overview of this book

Network forensics is a subset of digital forensics that deals with network attacks and their investigation. In the era of network attacks and malware threat, it’s now more important than ever to have skills to investigate network attacks and vulnerabilities. Hands-On Network Forensics starts with the core concepts within network forensics, including coding, networking, forensics tools, and methodologies for forensic investigations. You’ll then explore the tools used for network forensics, followed by understanding how to apply those tools to a PCAP file and write the accompanying report. In addition to this, you will understand how statistical flow analysis, network enumeration, tunneling and encryption, and malware detection can be used to investigate your network. Towards the end of this book, you will discover how network correlation works and how to bring all the information from different types of network devices together. By the end of this book, you will have gained hands-on experience of performing forensics analysis tasks.
Table of Contents (16 chapters)
Free Chapter
1
Section 1: Obtaining the Evidence
4
Section 2: The Key Concepts
8
Section 3: Conducting Network Forensics

Case study – identifying the attacker

In this example, we have received two capture files for analysis. We start investigating the first file as follows:

We can see that the Link type is 802.11, which means that we are investigating a WLAN. Let's see the endpoints on this network:

From the preceding statistics, we can see that we have plenty of deauthenticated packets that have been directed to the broadcast address. We can also see that two stations, 54:99:63:82:64:f5 and 2c:33:61:77:23:efwere both involved in deauthentication, which means that they might have received the deauthentication packets as well. Let's check this in Wireshark, as shown in the following screenshot:

We can see that the first deauthentication packet was broadcast at frame 4,175. Most of the time, the deauthentication packet will contain the reason code: the Class 3...