Network Forensics. CSF: Forensics Cyber-Security. Section II. Basic Forensic Techniques and Tools. MSIDC, Spring 2017 Nuno Santos


Summary
- Network addresses
- Network infrastructure

Recall from last class
- Ultimately, in a forensic examination, we're investigating the actions of a person
- Almost every event or action on a system is the result of a user either doing something (or not doing something)
- Many events change the state of the operating system (OS)
- OS forensics helps understand how system changes correlate to events resulting from the actions of somebody in the real world
- Diagram: 1) action -> 2) OS state change -> 3) OS forensics

Analyzing evidence from computer networks
- Traffic analysis techniques
- Involves knowing: where to look for data, how to retrieve it, and how to analyze it

Let's start with a practical example
- Consider that we access a website from our browser over the Internet
- Can we analyze the communication going on?

Yes: using a packet analysis tool
1. Launch Wireshark
2. Access the URL: http://www.publico.pt
3. Save the collected network trace to a local file, e.g., trace.pcapng

How to interpret a network trace?
- A network trace is a linearized bit-copy of the data collected as it was exchanged over the network (diagram: computer network -> 010101101011110000 -> network trace file)
- Need to understand some basic networking concepts

Key elements in communication: an analogy
- Diagram: a sender (with an address) sends the message "Hello Bob!" over a communication channel to a receiver (with an address); both must share a common language

Send a web page request
- Diagram: the sender (IP address) issues "HTTP GET index.htm"; the request travels as packets through the Internet (network infrastructure) to the receiver (IP address); the protocols involved are HTTP and TCP/IP

Receive the web page
- Diagram: the receiver (IP address) returns index.htm as packets through the Internet back to the sender (IP address), again using HTTP over TCP/IP

Key concepts to interpret a network trace
- Addresses
- Networking infrastructure
- Packets
- Protocols

Addresses and networking infrastructure

IP addresses
- Two computers connected to the Internet can only communicate if each has an IP address
- Diagram: two hosts, 146.193.41.201 and 195.23.42.21, connected through the Internet

Determining IP addresses
- Determining the local IP address: ifconfig tool
- Determining the IP address of a remote service based on its DNS name: nslookup tool (e.g., www.publico.pt -> IP address)

Connected across multiple networks
- Computers are not wired directly but linked through interconnected networks (IP = Internet Protocol)
- Diagram: 146.193.41.201 on Network 1, connected via a switch and routers across Network 2 to 195.23.42.21 on Network 3

Can we determine the path between endpoints?
- Yes! Use the tool: traceroute

IP addresses have a structure
- An IP address comprises a network number and a host number
- Found abundantly in digital evidence, e.g., in network traces, logs, configuration files, etc.

Public IP addresses are assigned geographically
- Internet Assigned Numbers Authority (IANA): IP addresses are distributed hierarchically, with IANA at the top
- Regional Internet Registries (RIRs): manage blocks of addresses assigned by IANA
- Internet Service Providers (ISPs): get blocks of addresses from RIRs and assign addresses to other ISPs and end users

Private IP addresses
- Private IP addresses can't be routed through the Internet
- Example: mail header

A few issues about IP addresses
- Dynamic addresses: IP assignment is transient
- NATs: one IP hides multiple devices

Within a network, computers use MAC addresses
- Media Access Control address (MAC address): unique identifier assigned to network interfaces for communications at the data link layer of a network segment
- Used as network addresses for Ethernet and WiFi
- Can be used to track the traffic source within a network
- Packets sent to the Internet do not contain MAC addresses
- Can be used to classify the type of machine, due to its internal structure: http://www.macvendorlookup.com/
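As an added example (not from the lecture), the three address properties just covered, the network/host split of an IP address, the private ranges that cannot be routed on the Internet, and the structure of a MAC address (vendor OUI plus flag bits), worked in Python; the sample addresses are constructed and the /24 prefix is an assumption.

```python
import ipaddress

# Constructed sample addresses (hypothetical, modelled on the lecture's figures; not from a real trace)
SAMPLE_IPS = ["146.193.41.201", "195.23.42.21", "192.168.1.10", "127.0.0.1"]
SAMPLE_MACS = ["00:1b:21:3a:4f:5e", "02:42:ac:11:00:02", "01:00:5e:00:00:fb", "ff:ff:ff:ff:ff:ff"]
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_ip(addr, prefix_len):
    """Split an IPv4 address into (network number, host number) for a given prefix length."""
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    host = int(ipaddress.ip_address(addr)) - int(net.network_address)
    return str(net.network_address), host

def classify_ip(addr):
    """'private' for RFC 1918 space (not routable on the Internet), 'special' for loopback,
    link-local and multicast, 'public' otherwise (globally routable, hence geographically assigned)."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return "special"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def describe_mac(mac):
    """Decode the structure of a MAC address: vendor OUI plus the two flag bits of the first octet."""
    octets = [int(b, 16) for b in mac.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"malformed MAC: {mac}")
    first = octets[0]
    return {
        "oui": "-".join(f"{o:02X}" for o in octets[:3]),      # first 3 octets: vendor prefix for lookup
        "multicast": bool(first & 0x01),                        # bit 0 of first octet: group address
        "locally_administered": bool(first & 0x02),             # bit 1: not vendor-assigned (VMs, randomized)
        "broadcast": all(o == 0xFF for o in octets),
    }

def summarize(ips=SAMPLE_IPS, macs=SAMPLE_MACS, prefix_len=24):
    """Annotate every address the way an examiner would when first reading a trace."""
    return {
        "ips": {a: (classify_ip(a), *split_ip(a, prefix_len)) for a in ips},
        "macs": {m: describe_mac(m) for m in macs},
    }

if __name__ == "__main__":
    result = summarize()
    for addr, info in result["ips"].items():
        print(addr, info)
    for mac, info in result["macs"].items():
        print(mac, info)
```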

Coming back to our network trace
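To make the "linearized bit-copy" concrete, an added example (not the lecture's code) that decodes a constructed classic pcap record into the fields discussed so far: the MAC addresses of the Ethernet header and the IP addresses and protocol number of the IPv4 header. The addresses are hypothetical; note that Wireshark saves pcapng by default, a block-based format this small parser deliberately rejects.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800

def build_sample_pcap():
    """Construct a minimal classic (little-endian) pcap holding one Ethernet/IPv4 frame.
    Addresses are hypothetical, modelled on the lecture's figures."""
    eth = bytes.fromhex("001b213a4f5e") + bytes.fromhex("0242ac110002") + struct.pack("!H", ETHERTYPE_IPV4)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 6, 0,   # IHL=5, TTL 64, proto 6 = TCP
                      ipaddress.ip_address("146.193.41.201").packed,
                      ipaddress.ip_address("195.23.42.21").packed)
    frame = eth + ip4
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    record_hdr = struct.pack("<IIII", 1490000000, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl, orig
    return global_hdr + record_hdr + frame

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(ts_sec, frame):
    """Decode the Ethernet header and, for IPv4, the addresses and protocol behind it."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    rec = {"ts": ts_sec, "dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]), "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        rec["src_ip"] = str(ipaddress.ip_address(frame[26:30]))
        rec["dst_ip"] = str(ipaddress.ip_address(frame[30:34]))
        rec["proto"] = frame[23]   # 6 = TCP, 17 = UDP, 1 = ICMP
    return rec

def parse_pcap(data):
    """Walk the record list of a classic pcap; pcapng (Wireshark's default) is a different format."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng needs a block-based parser)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record")  # capture was cut off mid-packet
        records.append(parse_frame(ts_sec, data[off:off + incl_len]))
        off += incl_len
    return records

if __name__ == "__main__":
    for rec in parse_pcap(build_sample_pcap()):
        print(rec)
```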

Conclusions
- Network forensics cares about tracking the exchange of messages in a networked system
- There are four key concepts we need to understand: addresses, network infrastructure, packets, and protocols
- IP addresses convey important information about the topology of the network and the path of messages

References
- Primary bibliography: [Casey11], Chapter 21, 23.2.2

Next class
- Network Forensics II