1 / 14

Network forensics

Network forensics. We’ve got what it takes to take what you got!. Introduction and Course overview. What is network forensics Sources of Network Data and Evidence Forensically Sound Evidence Acquisition Techniques Packet Analysis Statistical Analysis

Download Presentation

Network forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. Network forensics We’ve got what it takes to take what you got!

  2. Introduction and Course overview • What is network forensics • Sources of Network Data and Evidence • Forensically Sound Evidence Acquisition Techniques • Packet Analysis • Statistical Analysis • Event Log Aggregation, Correlation and Analysis • Active Evidence Acquisition • Analysis of Wireless Network Traffic

  3. What is network forensics “Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.”1

  4. Dead-box vs. network forensics Dead-box Network • Data is changing constantly • Pinpointing direct location of needed evidence is problematic • Physical access to network devices can be difficult • Most network devices do not have persistent data storage • Investigators must minimize investigation impact on business network • Conflicting precedence and not yet standardized • Data is static and preserved once power is removed • Evidence is contained within the file system • Easy to make a forensically sound image • Seizing a businesses computer/s usually involves limited disruption • Legal precedence in place and is routinely admitted into court

  5. Why do we need to worry about network crime? • “The Federal Bureau of Investigation (FBI) estimates that cyber crime costs more than $100 billion per year.” 2 • Attacks can come from both inside and outside of the network. • Not just basement hackers anymore • Employees • Business competition • Professional hackers for hire • City-states

  6. Quick evidence review • Real evidence - physical objects that play a relevant role in the crime • Physical HHD or USB • Computer – box, keyboard, etc. • Best evidence - can be produced in court • Recovered file • Bit – for – bit snapshot of network transaction • Direct evidence – eye witness • Circumstantial evidence – linked with other evidence to draw conclusion • Email signature • USB serial number • Hearsay – second-hand information • Text file containing personal letter • Business records – routinely generated documentation • Contracts and employee policies • Logs • Digital evidence – electronic evidence • Emails / IM • Logs

  7. Investigative methodology • OSCAR 3 • Obtain information • Strategize • Collect evidence • Analyze • Report

  8. Obtain information3 • Incident description • Information regarding incident discovery • Known persons involved • Systems and / or data known to be involved • Actions taken by organization since discovery • Potential legal issues • Working time frame for investigation and resolution • Specific goals • Etc.

  9. The Environment3 • Working business model and enforceable policies • Potential legal issues involved with said business model and policies • Organizational structure • Network topology • Possible network evidence sources • Incident response management procedures • Central communication systems (investigator communication and evidence repository) • Available resources • Staff • Equipment • Funding • Time

  10. Strategize3 • Understand the goals and time frame for investigation • Organize and list resources • Identify and document evidence sources • Estimate value of evidence versus value of obtaining it • Prioritize based on this estimate • Plan of attack – both for acquisition and analysis • Set up schedule for regular communication between investigators • Remember that this is fluid and will most likely have to be adjusted

  11. Collect evidence3 • Document, document, document • Lawfully capture evidence • Make cryptographically verifiable copies • Setup secure storage of collected evidence • Establish chain of custody • Analyze copies only • Use legally obtained, reputable tools • Document every step

  12. Analyze3 • Show correlation with multiple sources of evidence • Establish a well documented timeline of activities • Highlight and further investigate events that are potentially more relevant to incident • Corroborate all evidence, which may require more evidence gathering • Reevaluate initial plan of attack and make needed adjustments • Make educated interpretations of evidence that lead to a thorough investigation, look for all possible explanations • Build working theories that can be backed up by the evidence (this is only to ensure a thorough investigation) • SEPARATE YOUR INTERPRETATIONS FROM THE FACTS

  13. Report3 • Every report must be: • Understandable by nontechnical people • Complete and meticulous • Defensible in every detail • Completely factual

  14. Works cited • http://en.wikipedia.org/wiki/Network_forensics#cite_ref-0 • http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=116&Itemid=49 • Davidoff, S., & Ham, J. (2012). Network Forensics Tracking Hackers Through Cyberspace. Boston: Prentice Hall.

More Related