Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
TOO BIG TO COVER
• Difficult to cover every aspect of
Network Forensic
• So many aspects, features and
possibilities
• Highly addictive
TOO LONG TO COVER
• A million things can go wrong with a computer
network - from a simple spyware infection to a
complex router configuration error.
• Packet level is the most basic level where
nothing is hidden.
• Understand the network, who is on a network,
whom your computer is talking to, What is the
network usage, any suspicious
communication (DOS , botnet, Intrusion
attempt etc.)
• Find unsecured and bloated applications –
FTP sends clear text authentication data
• One phase of computer forensic - could reveal
data otherwise hidden somewhere in a 150
GB HDD.
WHY PACKET ANALYSIS?
IN DEPTH ANALYSIS
3 PHASES
TOOLS
•Wireshark!
•Tcpdump
•Networkminer etc.
Sniffer
•Xplico etc.
Analyzer
PRE-REQUISITE
• Patience…
PRE-REQUISITE
• An inquisitive mind and
sometimes weirder is
better
THERE ALWAYS BE A PROBLEM TO SOLVE
• Being a bit
organized helps in
long run
NOW WHAT?
Think it like you are solving a mystery
• Where do we start?
• What questions to ask?
• What tools do we need?
• Once you have the traces - what then?
Capture•Where, How, What, How long
Transfer•Hash, split, distribute
Analyze
• IP, Protocol, Time, Delay, Duration, pattern, graphs, charts, blah…
HOW DO WE DO IT?
CAPTURE
• Capture Methods
• Wired
• Mirror/Monitor/SPAN
• Taps
• Hubs
• ARP poisoning???
• Promiscuous mode
• WinPCAP/LibPCAP
• Wireless
• Rfmon/monitor mode
• AirPCap
WHICH INTERFACE TO CAPTURE
ALWAYS START WITH THE NETWORK DETAILS
MORE QUESTIONS BETTER ANALYSIS
• Are the servers in the same locations or different
• Same subnet, different subnet
• Any suspicion - IP Address, Application
• When did it start
• How and when did it get identified
• Why you were there – lack of resource, time, expertise
WHAT NOT TO DO
• Do not scroll up and down and try manually reading packets
one by one.
• Do not capture any and every traffic just for the sake of
capturing.
• Do not ASSUME. You can have thoughts, suspicions.
THEN WHAT DO WE DO?
STILL NEED REASONS!
• Capture Filters
• Display Filters
• Auto-complete
• Red – error, Green – good
• Recent usage history
FILTERS
• Create Filter from
Packet/field
• Multiple filter conditioning
using “and”, “or”, “not”
etc.
• Protocol Filtering
FOLLOW THE STREAMS
• TCP
• UDP
• APP layer
• FTP
•HTTP
• TELNET
RECONSTRUCT THE CRIME SCENE
• Understand the flow
• Reconstruct the files
• Identify the attacker
and victim
STATISTICS – PROTOCOL HIERARCHY
STATISTICS – END POINTS
STATISTICS – CONVERSATIONS
STATISTICS – COLORING RULES
REFERENCE
• Wireshark University by Laura Chappell and Gerald Combs
• Sharkfest talks - Betty DuBois on Network Mysteries
• Securitytube.net by Vivek Ramchandran
• Picture courtesy Google. Not my property.
32
THANK YOU
Related Documents
