Updated: 2021-06-24 16:04:54
Cover page
Title Page
Copyright and Credits
Hands-On Network Forensics
Dedication
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Section 1: Obtaining the Evidence
Introducing Network Forensics
Technical requirements
Network forensics investigation methodology
Source of network evidence
Tapping the wire and the air
CAM table on a network switch
Routing tables on routers
Dynamic Host Configuration Protocol logs
DNS servers logs
Domain controller/authentication servers/system logs
IDS/IPS logs
Firewall logs
Proxy server logs
Wireshark essentials
Identifying conversations and endpoints
Identifying the IP endpoints
Basic filters
Exercise 1 – a noob's keylogger
Exercise 2 – two too many
Summary
Questions and exercises
Further reading
Technical Concepts and Acquiring Evidence
The inter-networking refresher
Log-based evidence
Application server logs
Database logs
Proxy logs
IDS logs
Case study – hack attempts
Section 2: The Key Concepts
Deep Packet Inspection
Protocol encapsulation
The Internet Protocol header
The Transmission Control Protocol header
The HTTP packet
Analyzing packets on TCP
Analyzing packets on UDP
Analyzing packets on ICMP
Case study – ICMP Flood or something else
Statistical Flow Analysis
The flow record and flow-record processing systems (FRPS)
Understanding flow-record processing systems
Exploring Netflow
Uniflow and bitflow
Sensor deployment types
Analyzing the flow
Converting PCAP to the IPFIX format
Viewing the IPFIX data
Flow analysis using SiLK
Viewing flow records as text
Questions
Combatting Tunneling and Encryption
Decrypting TLS using browsers
Decoding a malicious DNS tunnel
Using Scapy to extract packet data
Decrypting 802.11 packets
Decrypting using Aircrack-ng
Decoding keyboard captures
Section 3: Conducting Network Forensics
Investigating Good Known and Ugly Malware