What is forensics?
Why do we need network forensics?
Why is it so important?
Introduction
• Network – an interconnection of computers by communication channels
• Large amounts of data (packets) are transferred at every interval of time
• Attacks may be either passive or active
• Network forensics is like a camera on the network:
• it discovers the source of security attacks
• it provides useful tools for investigating cybercrimes on the Internet
Network Forensics
• Analyzing the network traffic
• Examining network devices such as routers
• The data rate is very high
• Packets need to be stored to reconstruct behaviour
• Deals with volatile and dynamic information
• Identifies all possible security violations
• Identifies malicious activity in the traffic logs, discovers its details, and assesses the damage
• The act of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems.
Systems collect data in two forms:
"Catch-it-as-you-can" –
• Packets passing through a certain traffic point are captured
• Analysis is done subsequently
• Requires large amounts of storage
"Stop, look and listen" –
• Packets are analyzed in memory
• Only certain information is saved for future analysis
Definition:
• Comprehensive data collection: anything that crosses the network, whether email, IM, VoIP, FTP, HTML, or some other application or protocol, is collected by a single system and stored in a common, searchable format
• Flexible data collection: collect all data on a network segment for future inspection, or focus on a specific user or server
Capabilities
• Catching hackers on the wire
• Attackers' fingerprints remain throughout the network: in firewall logs, IDS/IPS alerts, web proxies and traffic captures
Ethernet
-- data at this layer is collected using the network interface card (NIC) of a host.
-- it collects all the traffic that comes over the network.
TCP/IP
-- at this layer, routing tables are used to identify attackers.
-- apart from routing tables, authentication logs are also used at this layer.
The Internet
-- web server logs are used here.
-- they are used to extract user account information.
Network forensics includes
• preparation
• collection
• preservation
• examination
• analysis
• investigation
• presentation
Network Forensic Analysis Tools (NFATs)
• allow administrators to monitor networks
• gather all information about anomalous traffic
• assist in network crime investigation
A Generic Framework for Network Forensics
• Preparation and authorization
• Collection of network traces
• Preservation and protection
• Examination and analysis
• Investigation and attribution
• Presentation and review
Wireshark
• also known as Ethereal
• used at the Ethernet layer
• uses pcap to capture data
• data is captured from live traffic or read from a previously recorded capture file
• VoIP calls can be detected in the captured traffic
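As an added example (not part of the original slides), a small Python reader for the libpcap file format that Wireshark and tcpdump write, working in the "stop, look and listen" style described earlier: it walks the capture in memory, decodes the Ethernet/IPv4/TCP headers, and keeps only per-flow packet counts instead of storing every packet. The sample frames and IP addresses are constructed for the example.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4      # little-endian libpcap file, microsecond timestamps
LINKTYPE_ETHERNET = 1
def build_pcap(frames):
    """Constructed sample capture: wrap raw Ethernet frames in a libpcap file image."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)

def build_tcp_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame (zero checksums; enough for header parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                         # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def flow_summary(pcap_bytes):
    """'Stop, look and listen': walk the capture in memory, keep only per-flow packet counts."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    if struct.unpack("<I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled")
    flows, off = Counter(), 24                                # 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack("<IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                          # skip non-IPv4 frames (e.g. ARP)
        ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:
            continue                                          # TCP only, and need the port fields
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        flows[(src, dst, sport, dport)] += 1
    return flows
SAMPLE_FRAMES = [build_tcp_frame("10.0.0.5", "192.168.1.10", 51000, 22)] * 3 + [
    build_tcp_frame("10.0.0.6", "192.168.1.10", 51001, 443),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,               # an ARP frame, ignored
]

if __name__ == "__main__":
    for flow, n in flow_summary(build_pcap(SAMPLE_FRAMES)).items():
        print(f"{flow[0]}:{flow[2]} -> {flow[1]}:{flow[3]}  packets={n}")
```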
Network forensic analysis
• open source and proprietary security tools
• Wireshark
• tcpdump
• Snort
Conclusion
• Network forensics is a real-world method of initially identifying and responding to computer crimes and policy violations
• With data mining tools, network engineers have the data they need to identify and fix problems
• Security teams can reconstruct the sequence of events