Chapter 1:  Customization of the Wireshark Interface

Chapter Goal: - Learn how to edit the columns of the Wireshark user interface. Explore important items to include in the interface for performing intrusion and malware analysis

No of pages - 18        

Sub -Topics

1.      Identifying columns to delete from the default displays

2.      Adding the source and destination ports for easy traffic analysis

3.      Specialty column customization for malware analysis

Chapter Goal: Setup a network capture in Wireshark

No of pages: - 24

Sub - Topics  

1.      Prerequisites for capturing live network data

2.       Working with Network Interfaces

3.      Exploring the network capture options

4.      Filtering While Capturing

Chapter Goal: A deep understanding of the network protocols at the packet level

No of pages : 30

Sub - Topics: 

1.      Investigating IP, the workhorse of the network

3.      Dissection of TCP traffic

4.      Reassembly of packets

5.      Interpreting Name Resolution

Chapter Goal: Understand the hacking mindset and leverage that to identify attacks

No of pages: 30

Sub - Topics:

1. Introducing a Hacking Methodology

2. Examination of reconnaissance network traffic artifacts

3. Leveraging the statistical properties of the capture file

4. Identifying SMB based attacks

5. Uncovering HTTP/HTTPS based attack traffic

Chapter Goal: Use of the complex filtering capability of Wireshark to extract attack data

No of pages: 35

Sub - Topics:

2.      Investigating the conversations

4.      Building Filter Expressions

Chapter Goal: A fundamental review and understanding of the advanced features of Wireshark

No of pages: 35

Sub – Topics:

1.      Working with cryptographic information in a packet

2.      Exploring the protocol dissectors of Wireshark

4.      Capturing traffic from remote computers

6.      Creating Firewall ACL rules

Chapter Goal: Using scripts to extract and isolate data of interest from network capture files

No of pages: 30

Sub – Topics:

1.       Lua scripting

2.       Interaction with Pandas

3.      Leveraging PyShark

Chapter Goal: Develop an understanding of the different stages of a malware infection

No of pages: 36

Sub – Topics:

1.       Customization of the interface for malware analysis

3.       Recognizing URL/Domains of an infected site

4.       Determining the connections as part of the infected machine

5.       Scavenging the infected machine meta data

6.       Exporting the data objects

Chapter Goal: Identify the encoding or obfuscated method in network traffic

No of pages: 40

Sub – Topics:

1.       Investigation of njRAT

2.       Analysis of Wanna Cry

3.       Exploring Cryptolocker

4.       Dissecting TRITON

6.       Understanding exploit kits

Chapter Goal: Review and understand malware network activity as it happens

No of pages: 40

Sub – Topics:

2.       Monitoring malware communications and connections at run time and beyond

3.       Detecting network evasion attempts

4.       Investigating Cobalt Strike Beacons

5.       Exploring C2 backdoor methods

Chapter Goal: Learn different methods of extracting different types of case related and potential forensics evidence

No of pages: 30

Sub – Topics:

1.       Interception of telephony data

2.       Discovering DOS/DDoS

3.       Analysis of HTTP/HTTPS Tunneling over DNS

Chapter 11: Network Traffic Forensics

Chapter Goal: An understanding of extraction of potential forensics data

No of pages: 30

Sub – Topics:

1.       Isolation of conversations

2.       Detection of Spoofing, port scanning and SSH attacks

3.       Reconstruction of timeline network attack data

Chapter Goal: Review and summary of covered content

No of pages: 10

Kevin Cardwell is an Instructor, Curriculum Developer, Technical Editor and Author of Computer Forensics, and Hacking courses. He is the author of the EC Council Certified Penetration Testing Professional, Ethical Hacking Core Skills, Advanced Penetration Testing and ICS/SCADA Security courses. He has presented at the Blackhat USA, Hacker Halted, ISSA and TakeDownCon conferences as well as many others. He has chaired the Cybercrime and Cyberdefense Summit in Oman and was Executive Chairman of the Oil and Gas Cyberdefense Summit. He is the author of Defense and Deception: Confuse and Frustrate the Hackers, Building Virtual Pentesting Labs for Advanced Penetration Testing 1st and 2nd edition, and Backtrack: Testing Wireless Network Security. He holds a BS in Computer Science from National University in California and an MS in Software Engineering from the Southern Methodist University (SMU) in Texas.

Take a systematic approach at identifying intrusions that range from the most basic to the most sophisticated, using Wireshark, an open source protocol analyzer. This book will show you how to effectively manipulate and monitor different conversations and perform statistical analysis of these conversations to identify the IP and TCP information of interest.

Next, you'll be walked through a review of the different methods malware uses, from inception through the spread across and compromise of a network of machines. The process from the initial “click” through intrusion, the characteristics of Command and Control (C2), and the different types of lateral movement will be detailed at the packet level.

In the final part of the book, you'll explore the network capture file and identification of data for a potential forensics extraction, including inherent capabilities for the extraction of objects such as file data and other corresponding components in support of a forensics investigation.