Book Image

Learning Network Forensics

By : Samir Datt
Book Image

Learning Network Forensics

By: Samir Datt

Overview of this book

We live in a highly networked world. Every digital device—phone, tablet, or computer is connected to each other, in one way or another. In this new age of connected networks, there is network crime. Network forensics is the brave new frontier of digital investigation and information security professionals to extend their abilities to catch miscreants on the network. The book starts with an introduction to the world of network forensics and investigations. You will begin by getting an understanding of how to gather both physical and virtual evidence, intercepting and analyzing network data, wireless data packets, investigating intrusions, and so on. You will further explore the technology, tools, and investigating methods using malware forensics, network tunneling, and behaviors. By the end of the book, you will gain a complete understanding of how to successfully close a case.
Table of Contents (17 chapters)
Learning Network Forensics
About the Author
About the Reviewers


Just like the motto of the Olympic Games—Faster, Higher, Stronger—networks today are faster, wider, and greater. For widespread high-speed networks, carrying greater volumes of data has become a norm rather than the exception. All of these characteristics come with great exposure to a huge variety of threats to the data carried by the networks. The current threat landscape necessitates an increased understanding of the data on our networks, the way we secure it and the tell-tale signs left behind after an incident. This book aims at introducing the subject of network forensics to further help in understanding how data flows across the networks as well as introduce the ability to investigate forensic artifacts or clues to gather more information related to an incident.

What this book covers

Chapter 1, Becoming Network 007s, introduces the exciting world of network forensics. This chapter introduces the concepts and readies the reader to jump right into network forensics.

Chapter 2, Laying Hands on the Evidence, explains how to acquire both physical and virtual evidence in order to understand the type of incident involved.

Chapter 3, Capturing & Analyzing Data Packets, takes the user further into the world of network investigation by focusing on network traffic capture and analysis.

Chapter 4, Going Wireless, explains how to investigate wireless networks with additional considerations for wireless protection and security.

Chapter 5, Tracking an Intruder on the Network, investigates intrusions using a Network Intrusion Detection System (NIDS) and a Network Intrusion Prevention System (NIPS).

Chapter 6, Connecting the Dots – Event Logs, explains how to collect event logs and then correlate and connect the links, followed by the analysis.

Chapter 7, Proxies, Firewalls, and Routers, helps us to understand web proxies, firewalls, and routers and the reasons to investigate them.

Chapter 8, Smuggling Forbidden Protocols – Network Tunneling, shows advanced concepts of letting a network send its data via the connection of another network.

Chapter 9, Investigating Malware – Cyber Weapons of the Internet, covers advanced topics about the trends in malware evolution and the investigation of forensic artifacts caused by the malware.

Chapter 10, Closing the Deal – Solving the Case, enables the user with full-fledged skills in tackling cases to give the finishing touches and close the deal.

What you need for this book

Readers must be aware of the basics of operating systems such as Linux and Windows as well as networking concepts such as TCP/IP and routers.

The book uses the following software:

  • Tcpdump with the libpcap library

  • Wireshark

  • FTK Imager (AccessData)

  • NetworkMiner for passive network sniffing

  • SNORT for evidence acquisition in the NIDS/NIPS mode

  • Splunk to collect and analyze log files

  • Squid as an open-source proxy

  • YARA to help identify malware

Who this book is for

This book is intended for network administrators, system administrators, information security & forensics professionals, as well as the curious who wish to learn about network forensics and want to be able to identify, collect, examine, and analyze evidence that exists on the networks.

This could be from the perspective of internal threats, external intrusions, or a blend of both.

Further, this book will act as a great foundation for those interested in enhancing their skills and fast-tracking their career from both a personal and organizational growth perspective.


In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "Tcpdump also provides the option to save the captured network traffic (packets) to a .pcap format file for future analysis."

Any command-line input or output is written as follows:

$ apt -get install tcpdump

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "The Application log stores events logged by the applications or programs."


Warnings or important notes appear in a box like this.


Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail , and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from


Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to and enter the name of the book in the search field. The required information will appear under the Errata section.


Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.


If you have a problem with any aspect of this book, you can contact us at , and we will do our best to address the problem.