What is FORENSICS? Why do we need Network Forensics? Why it is so important?

Page 2

Introduction

Network – interconnection of computers by communication channels

Large amounts of data (packets) are transferred in each interval of time

Attacks may be either passive or active

Network Forensics is like a camera on the network

discovers the source of security attacks

provides useful tools for investigating cybercrimes on the Internet

Page 3

Network Forensics

• Analyzing the network traffic

• Examining the network devices like Routers

• Data rate is very fast

• Need to store the packets to find the behavior

• Deal with volatile and dynamic information

• Identify all possible security violations

• Identify malicious activities from the traffic logs and discover their details, and to assess the damage

Page 4

Definition:

• Act of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems.

Systems collect data in two forms:

"Catch-it-as-you-can" –

• Packets passing through a certain traffic point are captured
• Analysis is done subsequently
• Requires large amounts of storage

"Stop, look and listen" –

• Each packet is analyzed in memory
• Only certain information is saved for future analysis

Page 5

Capabilities

• Comprehensive data collection: anything that crosses the network, whether email, IM, VoIP, FTP, HTML, or some other application or protocol, is collected by a single system and stored in a common, searchable format.

• Flexible data collection: collect all data on a network segment for future inspection, or focus on a specific user or server.

Page 6

• Catching hackers on the wire

• Attackers' fingerprints remain throughout the network: in firewall logs, IDS/IPS, web proxies, and traffic captures

Page 7

Ethernet

-- data on this layer is collected using the network interface card (NIC) of a host.

-- it collects all the traffic that comes over the network.

TCP/IP

-- in this layer, routing tables are used to identify attackers.

-- apart from routing tables, authentication logs are also used in this layer.

The Internet

-- web server logs are used here.

-- they are used to extract user account information.

Page 8

Network forensics includes

• preparation
• collection
• preservation
• examination
• analysis
• investigation
• presentation

Network Forensic Analysis Tools (NFATs)

• allow administrators to monitor networks
• gather all information about anomalous traffic
• assist in network crime investigation

Page 9

A Generic Framework for Network Forensics

• Preparation and authorization
• Collection of network traces
• Preservation and protection
• Examination and analysis
• Investigation and attribution
• Presentation and review

Page 10

Wireshark

• also known as Ethereal

• used at the Ethernet layer

• uses pcap to capture data

• data is captured from live traffic or read from a previously recorded file

• VoIP calls can be detected in the captured traffic

Network forensic analysis

• open source and proprietary security tools
• Wireshark
• tcpdump
• Snort
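The two collection models from page 4 and Wireshark's pcap file input from page 10, as an added example that is not part of the original slides: a minimal reader for the classic pcap file format that parses each Ethernet/IPv4/TCP record, followed by a "stop, look and listen" style pass that keeps only a per-host count of distinct ports hit by bare SYNs rather than storing the packets. The pcap bytes, addresses and ports are constructed inline; only the Python standard library is used.

```python
import struct

# Constructed pcap global header: little-endian magic, version 2.4, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def record(ts, src_ip, dst_ip, sport, dport, flags):
    """Constructed pcap record holding an Ethernet/IPv4/TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    frame = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + tcp
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

# Constructed sample: three bare SYNs from one host to three ports, then one SYN-ACK reply.
SAMPLE_PCAP = PCAP_GLOBAL + b"".join(
    record(1700000000 + i, "10.0.0.5", "10.0.0.9", 40000 + i, port, 0x02)
    for i, port in enumerate((22, 80, 443))
) + record(1700000003, "10.0.0.9", "10.0.0.5", 80, 40001, 0x12)

def parse_pcap(data):
    """Yield (ts_sec, src, dst, sport, dport, tcp_flags) for every IPv4/TCP record in a pcap file."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # byte order of record headers
    off = 24                                                     # skip the global header
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":        # EtherType: keep IPv4 only
            continue
        ip = frame[14:]
        if ip[9] != 6:                         # IP protocol field: keep TCP only
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]          # IHL gives the IP header length in 32-bit words
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield ts_sec, src, dst, sport, dport, tcp[13]

def syn_summary(data):
    """'Stop, look and listen': retain only a per-(src, dst) count of distinct ports hit by bare
    SYNs, not the packets; one source touching many ports is the classic scan indicator."""
    ports = {}
    for _, src, dst, _, dport, flags in parse_pcap(data):
        if flags & 0x12 == 0x02:               # SYN set, ACK clear = new connection attempt
            ports.setdefault((src, dst), set()).add(dport)
    return {pair: len(p) for pair, p in ports.items()}
```

For a real capture, read the file in binary mode and pass its bytes to syn_summary; the "catch-it-as-you-can" model corresponds to keeping the whole file on disk for later queries.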

Page 13

Conclusion

• Network forensics is a real-world method of initially identifying and responding to computer crimes and policy violations.

• With data mining tools, network engineers have the data they need to identify and fix problems.

• Security teams can reconstruct the sequence of events.
