Introduction xxi

1 Introduction to Network Forensics 1

What Is Forensics? 3

Handling Evidence 4

Cryptographic Hashes 5

Chain of Custody 8

Incident Response 8

The Need for Network Forensic Practitioners 10

Summary 11

References 12

2 Networking Basics 13

Protocols 14

Open Systems Interconnection (OSI) Model 16

TCP/IP Protocol Suite 18

Protocol Data Units 19

Request for Comments 20

Internet Registries 23

Internet Protocol and Addressing 25

Internet Protocol Addresses 28

Internet Control Message Protocol (ICMP) 31

Internet Protocol Version 6 (IPv6) 31

Transmission Control Protocol (TCP) 33

Connection–Oriented Transport 36

User Datagram Protocol (UDP) 38

Connectionless Transport 39

Ports 40

Domain Name System 42

Support Protocols (DHCP) 46

Support Protocols (ARP) 48

Summary 49

References 51

3 Host–Side Artifacts 53

Services 54

Connections 60

Tools 62

netstat 63

nbstat 66

ifconfi g/ipconfi g 68

Sysinternals 69

ntop 73

Task Manager/Resource Monitor 75

ARP 77

/proc Filesystem 78

Summary 79

4 Packet Capture and Analysis 81

Capturing Packets 82

Tcpdump/Tshark 84

Wireshark 89

Taps 91

Port Spanning 93

ARP Spoofi ng 94

Passive Scanning 96

Packet Analysis with Wireshark 98

Packet Decoding 98

Filtering 101

Statistics 102

Following Streams 105

Gathering Files 106

Network Miner 108

Summary 110

5 Attack Types 113

Denial of Service Attacks 114

SYN Floods 115

Malformed Packets 118

UDP Floods 122

Amplifi cation Attacks 124

Distributed Attacks 126

Backscatter 128

Vulnerability Exploits 130

Insider Threats 132

Evasion 134

Application Attacks 136

Summary 140

6 Location Awareness 143

Time Zones 144

Using whois 147

Traceroute 150

Geolocation 153

Location–Based Services 156

WiFi Positioning 157

Summary 158

7 Preparing for Attacks 159

NetFlow 160

Logging 165

Syslog 166

Windows Event Logs 171

Firewall Logs 173

Router and Switch Logs 177

Log Servers and Monitors 178

Antivirus 180

Incident Response Preparation 181

Google Rapid Response 182

Commercial Offerings 182

Security Information and Event Management 183

Summary 185

8 Intrusion Detection Systems 187

Detection Styles 188

Signature–Based 188

Heuristic 189

Host–Based versus Network–Based 190

Snort 191

Suricata and Sagan 201

Bro 203

Tripwire 205

OSSEC 206

Architecture 206

Alerting 207

Summary 208

9 Using Firewall and Application Logs 211

Syslog 212

Centralized Logging 216

Reading Log Messages 220

LogWatch 222

Event Viewer 224

Querying Event Logs 227

Clearing Event Logs 231

Firewall Logs 233

Proxy Logs 236

Web Application Firewall Logs 238

Common Log Format 240

Summary 243

10 Correlating Attacks 245

Time Synchronization 246

Time Zones 246

Network Time Protocol 247

Packet Capture Times 249

Log Aggregation and Management 251

Windows Event Forwarding 251

Syslog 252

Log Management Offerings 254

Timelines 257

Plaso 258

PacketTotal 259

Wireshark 261

Security Information and Event Management 262

Summary 263

11 Network Scanning 265

Port Scanning 266

Operating System Analysis 271

Scripts 273

Banner Grabbing 275

Ping Sweeps 278

Vulnerability Scanning 280

Port Knocking 285

Tunneling 286

Passive Data Gathering 287

Summary 289

12 Final Considerations 291

Encryption 292

Keys 293

Symmetric 294

Asymmetric 295

Hybrid 296

SSL/TLS 297

Cloud Computing 306

Infrastructure as a Service 306

Storage as a Service 309

Software as a Service 310

Other Factors 311

The Onion Router (TOR) 314

Summary 317

Index 319

RIC MESSIER has been program director for various cyber–security and computer forensics programs at Champlain College. A veteran of the networking and computer security field since the early 1980s, he has worked at large Internet service providers and small software companies. He has been responsible for the development of numerous course materials, has served on incident response teams, and has been consulted on forensic investigations for large companies.

The hands–on training you need to develop vital network forensics skills

As cybercrime grows ever more sophisticated, IT and law enforcement professionals have a constantly expanding need for up–to–the–minute skills in identifying, verifying, and preventing network attacks. Network forensics is a dynamic field, and practitioners need to stay on top of ever–evolving threats. To do this effectively, you need hands–on experience.

Network Forensics not only teaches the concepts involved, but also lets you practice actually taking the necessary steps to expose vital evidence. Because network data is always changing and never saved in one place, the network forensic specialist must understand how to examine data over time. Network forensics expert Ric Messier provides what you need to know through the use of dissecting packets, using real packet captures and log files to demonstrate performing a forensic investigation on network traffic. You′ll learn both the "why" and the "how," enabling you to quickly and easily apply your knowledge to actual situations on the job.

Because Network Forensics lets you roll up your sleeves and really practice essential steps, you′ll learn to:

• Investigate packet captures to identify network communications involved in an attack or crime
• Locate host–based artifacts left by network communications
• Use logs left behind by network services to correlate with packet captures
• Understand intrusion detection systems and use them for investigative work
• Prepare for an incident by having the right network architecture and systems in place