Digital Forensics Lecture 7. Network Analysis

This Week's Presentations
- Johnathan Ammons: Web Analysis
- Kelcey Tietjen: Wireless Network Traffic
- David Burton: Collection and Analysis of Network Traffic
- David Burton: Network Devices: Routers, Switches, (EC)

Week after Next Presentations
- Maggie Castillo: Cell Phones
- Jim Curry: PDAs
- Ryan Ware: Investigation of Non-traditional Equipment: Autos, Washers,
- Nicholas Gallegos: MP3 Players
- Barry Gavrich: Flash Media (EC)
- Ron Prine: Digital Cameras

Next Week: Midterm Exam

Lecture Overview
- Legal/Policy
- Preparation
- Collection
- Analysis
- Findings/Evidence
- Reporting/Action
- Investigative Goals
- Investigation Centric Analysis
- Data Centric Analysis
- General Tools and Methods

Module 1 First Steps

Goals
- Collect evidence
- Identify:
  - Scope of activity
  - Other parties involved
- Support or refute allegation
- Timeline
- Ensure compliance

Types of Network-Based Evidence
- Full content data: every bit, every sound, lots of disk space
- Session data: addresses, phone numbers, trap & trace
- Alert data: triggered, keywords, addresses, services, event
- Statistical data: whole picture, causal, patterns

Characteristics of Network Data
- Ephemeral
- Many locations
  - Computer systems
  - Network components
- Can be large in size
- Might be encrypted
- Could be fragmented

Tying it Together
- Role is a key factor in all decisions
- Goals determine type of collection
- Type of collection determines tools

Module 2 Setup

Consider a network diagram to show:
- Route diversity
- Switched networks
- Convergence
- Wireless (hidden node problem)

Difficulties resulting from this:
- Incomplete observation
- Difficulty in collecting on a network that's not well prepped
- Well trained investigators
- Large data

System Tools
- Used for after-incident collection
- Volatile data on running system
- Placed prior to need
- How do you trust the data collected?

Network Tools
- Part of infrastructure
  - Routers, switches, hubs, access points
  - Packet capture, SNMP, other
- Additional taps
  - Workstations, sniffers
  - Packet capture, IDSs, other

Module 3 Investigation Centric Analysis

Roles
- User: owner of personal system
- Corporation or organization
  - Company
  - Service Provider
- Local investigators
- Federal investigators
- International investigators

Role-Based Motivation
- Private owner
  - Maintain system security (i.e., Title 18)
- Corporation
  - Maintain system security, ensure operational continuity
  - Investigate system misuse
  - Identify and manage compromise
- Various investigative authorities
  - Investigate computer-related criminal activity: fraud, theft, damage, use of IT in other crimes, etc.
  - Investigate other criminal activity: murder, kidnap, fraud, etc.
  - Counter-terrorism

Approach
- Identify communicating parties
- Geo-locate the source/destination
- Help provide individual attribution
- Determine intent/nature of suspected communications
- Capture and provide evidence of crime
- Identify social networks
- Others?

Processes
- Store and post-analyze vs. real time analysis
- Implement a corporate framework
- Court order to wire tap
- Others?

Analysis Techniques
- Log analysis
  - Network device
  - Computer network logs
- Statistics
  - Protocol
  - Conversations
  - Time of day
  - Flow size
  - Number of connections
- Signatures
  - Well known crime

Module 4 Data Centric Analysis

Tools for Collection
- Packet capture and interpretation
  - ethereal
  - tcpdump
  - windump
- Limitations
  - For example, stream reassembly
- Statistical tools

Tools for Analysis
- tcptrace: identify sessions
- snort: event scanner
- tcpflow: reassembling sessions
- ethereal: jack of all trades
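The distinction drawn above between full content, session and statistical data, the statistics listed under Analysis Techniques (protocol, conversations, time of day, flow size, number of connections), and the session identification that tools such as tcptrace and tcpflow perform, as an added Python example that is not part of the lecture: the packet records are constructed, and the byte threshold that marks a large flow is an assumed value.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample packet records (not a real capture):
# (epoch_time, src, sport, dst, dport, proto, bytes) as a tool like tcpdump would report them.
PACKETS = [
    (1700000000.0, "10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 517),
    (1700000000.2, "203.0.113.10", 443, "10.0.0.5", 51000, "tcp", 1460),
    (1700000000.4, "10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 80),
    (1700000005.0, "10.0.0.7", 40000, "198.51.100.2", 53, "udp", 64),
    (1700000005.1, "198.51.100.2", 53, "10.0.0.7", 40000, "udp", 120),
    (1700003600.0, "10.0.0.5", 51010, "203.0.113.10", 443, "tcp", 500),
    (1700003600.5, "10.0.0.5", 51010, "203.0.113.10", 443, "tcp", 900000),
]

def conversation_key(src, sport, dst, dport, proto):
    """Order the two endpoints so both directions of a flow map to one session."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def build_sessions(packets):
    """Collapse full content records into session data: who talked to whom, when, how much."""
    sessions = {}
    for ts, src, sport, dst, dport, proto, size in packets:
        key = conversation_key(src, sport, dst, dport, proto)
        s = sessions.setdefault(key, {"proto": proto, "start": ts, "end": ts,
                                      "packets": 0, "bytes": 0, "initiator": src})
        s["start"] = min(s["start"], ts)   # first packet seen for this conversation
        s["end"] = max(s["end"], ts)       # last packet seen for this conversation
        s["packets"] += 1
        s["bytes"] += size
    return sessions

def summarize(sessions, large_flow_bytes=500_000):
    """Derive statistical data: protocol mix, time of day, connections per host, large flows.
    large_flow_bytes is an assumed threshold, not a value from the lecture."""
    by_proto = Counter(s["proto"] for s in sessions.values())
    by_hour = Counter(datetime.fromtimestamp(s["start"], timezone.utc).hour
                      for s in sessions.values())
    connections_per_host = Counter(s["initiator"] for s in sessions.values())
    large_flows = [k for k, s in sessions.items() if s["bytes"] >= large_flow_bytes]
    return {"by_proto": dict(by_proto), "by_hour": dict(by_hour),
            "connections_per_host": dict(connections_per_host), "large_flows": large_flows}

if __name__ == "__main__":
    print(summarize(build_sessions(PACKETS)))
```

Session records of this kind are what an investigator retains when full content is too large or too sensitive to keep; the statistics then point at which conversations deserve a look at the reassembled stream.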

Network Equipment
- Routers
- Switches
- SNMP enabled devices
- Firewalls
- DHCP servers
- IDS sensors
- Proxy servers

Routers/Switches
- Caches (live analysis)
  - ARP
  - Route tables
- Logs
- Previously set up for capture

Network Computer Information
- Similar to network device commands
- From computer point-of-view
- Corresponding connections to network devices

Module 5 Future Needs

Gaps
What are the features that each role would enjoy having?
- Home user
- Parent
- Corporate IT investigator
- Criminal investigator
- Counter terrorism authority

More Gaps
What are the difficult problems? E.g., observation, interpretation, large data analysis, etc.

More Gaps
- Balancing privacy with security
- Data collection on switched or multi-path networks
- Volume of data to be collected
- Analysis techniques

Questions? After all, you are an investigator.