C.S. Projects

Hello

Posts Tagged ‘Network Forensic’

Network Forensics — Week 11

December 12th, 2020 Posted 5:21 pm

Week 11

This session we learned about switches and routers, as well as firewalls.

Switches operate at OSI Layer 2 and forward frames by MAC address, written as six bytes in hexadecimal. A MAC address is meant to identify a device uniquely, but it is set in software and can be faked easily, so on its own it is not proof of which device was on the network. ARP (Address Resolution Protocol) is how a host finds the MAC address that currently answers for a given IP address on the local network; a forged ARP reply is therefore enough to redirect a neighbour's traffic.

Routers, on the other hand, operate at OSI Layer 3. Unlike switches, routers perform routing: they forward packets between different networks based on IP addresses, which a switch cannot do.

Firewalls hold the details of successful and failed connection attempts, and of the protocols and applications seen on the network, which makes their logs one of the first things to collect in an investigation.
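Since a forged ARP reply is the usual way a MAC address is "faked" in practice, here is an added Python example (not code from the original post) that decodes Ethernet/ARP frames and flags the signs of ARP cache poisoning: a reply whose Ethernet source differs from its ARP sender, an IP whose MAC suddenly changes, and one MAC answering for several IPs. The frames, MACs and IPs are constructed inside the script.

```python
"""Detect ARP spoofing from Ethernet/ARP frames.

Added example, not from the original post. ARP answers the question "which
MAC address currently holds this IP?", and because a MAC address is set in
software, an attacker can answer for an IP that is not theirs. The frames
below are constructed; the MACs and IPs are invented.
"""
import struct
from collections import defaultdict

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet + ARP frame (requests are broadcast, replies unicast)."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac_bytes(sender_mac),
                      ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def decode_arp(frame):
    """Return the ARP fields as a dict, or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_ARP:
        return None
    _htype, _ptype, _hlen, _plen, op, sha, spa, tha, tpa = struct.unpack_from(
        "!HHBBH6s4s6s4s", frame, 14)
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa),
            "eth_src": fmt_mac(frame[6:12])}


def detect_arp_spoofing(frames):
    """Three checks over ARP replies: Ethernet source vs ARP sender MAC, an IP whose
    MAC changes, and a MAC that claims more than one IP (alerted once per MAC)."""
    ip_to_mac, mac_to_ips, flagged_macs, alerts = {}, defaultdict(set), set(), []
    for frame in frames:
        a = decode_arp(frame)
        if a is None or a["op"] != ARP_REPLY:
            continue
        if a["eth_src"] != a["sender_mac"]:
            alerts.append(("ethernet/arp sender mismatch", a["sender_ip"], a["eth_src"], a["sender_mac"]))
        previous = ip_to_mac.get(a["sender_ip"])
        if previous is not None and previous != a["sender_mac"]:
            alerts.append(("ip changed mac", a["sender_ip"], previous, a["sender_mac"]))
        ip_to_mac[a["sender_ip"]] = a["sender_mac"]
        mac_to_ips[a["sender_mac"]].add(a["sender_ip"])
        if len(mac_to_ips[a["sender_mac"]]) > 1 and a["sender_mac"] not in flagged_macs:
            flagged_macs.add(a["sender_mac"])
            alerts.append(("mac claims multiple ips", a["sender_mac"], sorted(mac_to_ips[a["sender_mac"]])))
    return alerts


# Constructed frames: a normal request/reply for the gateway, a reply whose Ethernet
# source does not match its ARP sender, the attacker's own legitimate reply, and
# finally the attacker answering for the gateway's IP (cache poisoning).
GW_MAC, GW_IP = "02:00:00:00:00:01", "10.0.0.1"
VICTIM_MAC, VICTIM_IP = "02:00:00:00:00:14", "10.0.0.20"
ATTACKER_MAC, ATTACKER_IP = "02:00:00:00:00:66", "10.0.0.66"
_legit_reply = build_arp(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP)
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP),
    _legit_reply,
    _legit_reply[:6] + mac_bytes(ATTACKER_MAC) + _legit_reply[12:],   # Ethernet src rewritten
    build_arp(ARP_REPLY, ATTACKER_MAC, ATTACKER_IP, GW_MAC, GW_IP),
    build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_FRAMES):
        print(alert)
```

Run stand-alone it prints three alerts, the last two for the poisoned mapping of 10.0.0.1. On a real capture the same checks apply to frames read off an interface or out of a pcap; a legitimate failover or DHCP reassignment will also trip the "ip changed mac" rule, so the alert is a lead to confirm, not a verdict.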

Network Forensics — Week 10

December 7th, 2020 Posted 10:30 am

Week 10

This session we learned about event log correlation and analysis. A computer holds different types of logs, such as the application and system event logs and the security log.

To open the event logs in Windows 10, search for ‘Event Viewer’. Other host artefacts that are examined alongside the event logs include:
Firewall logs
Recycle Bin
IE browsing history
Shortcut (.lnk) files

There are also several analysis tools that can be used to analyse these logs:
Commercial tools:
Retrace
Splunk
Logmatic
Logentries

Open source tools:
Logstash
Graylog

Graylog can analyse all the logs once every server in the company forwards to it. If one system is attacked, the attack can be investigated from the data it left behind. Because Graylog records the time and the source of each log entry, it becomes easy to see, for example, whether someone is trying to brute-force their way into a system: many failures from one source in a short time stand out.
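As an added example, not from the original post and independent of Graylog, the following Python script shows the correlation a log platform does when it surfaces a brute-force attempt: it parses the time and source out of sshd lines, raises an alert when one source accumulates too many failures in a short window, and raises a second alert if that same source then logs in successfully. The log lines are constructed here to look like Linux auth.log entries; the threshold of 5 failures within 60 seconds is an assumption.

```python
"""Brute-force detection over sshd authentication log lines.

Added example, not part of the original post. The log lines are constructed
to resemble Linux auth.log entries (hostnames, PIDs, users and addresses are
invented); the 5-failures-in-60-seconds threshold is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: syslog-style auth.log lines (no year, as in real auth.log).
SAMPLE_LOG = """\
Dec  7 10:30:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Dec  7 10:30:03 web01 sshd[2212]: Failed password for root from 203.0.113.9 port 51024 ssh2
Dec  7 10:30:04 web01 sshd[2214]: Failed password for root from 203.0.113.9 port 51026 ssh2
Dec  7 10:30:06 web01 sshd[2216]: Failed password for invalid user test from 203.0.113.9 port 51028 ssh2
Dec  7 10:30:07 web01 sshd[2218]: Failed password for root from 203.0.113.9 port 51030 ssh2
Dec  7 10:30:09 web01 sshd[2220]: Accepted password for root from 203.0.113.9 port 51032 ssh2
Dec  7 10:31:15 web01 sshd[2230]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Dec  7 10:45:15 web01 sshd[2240]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Dec  7 10:45:20 web01 sshd[2242]: Accepted publickey for alice from 198.51.100.4 port 40004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2020):
    """Extract time, outcome, user and source IP; auth.log omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window count of failures per source IP.

    Emits one 'bruteforce' alert the first time a source reaches `threshold`
    failures inside `window_s` seconds, and a 'success_after_bruteforce' alert
    for every accepted login from a source that has already been flagged."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        if ev["result"] == "Failed":
            recent.append(ev["time"])
            while recent and (ev["time"] - recent[0]).total_seconds() > window_s:
                recent.popleft()
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"kind": "bruteforce", "src": ev["src"],
                               "time": ev["time"], "failures": len(recent)})
        elif ev["result"] == "Accepted" and ev["src"] in flagged:
            alerts.append({"kind": "success_after_bruteforce", "src": ev["src"],
                           "time": ev["time"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second source (198.51.100.4) fails twice fourteen minutes apart and is correctly ignored, while 203.0.113.9 trips the threshold at 10:30:07 and its later successful root login is the event worth escalating. The same logic is what a Graylog or Splunk alert rule expresses declaratively over the `source` and timestamp fields.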

Network Forensics — Week 8

November 21st, 2020 Posted 2:19 pm

Week 8

This session we learned about network intrusion detection and analysis.

NIDS -> Network-based Intrusion Detection System. These tools watch the traffic flowing through the network for anomalies or suspicious behaviour, such as a known attack pattern or an unexpected change in traffic volume. A NIDS does not prevent anything; it only detects. It works like an early warning system that informs the user that someone is trying to attack the network.

NIPS -> Network-based Intrusion Prevention System. These tools sit inline and prevent any attack the system recognises; for example, if ransomware is spreading in the network, the system would try to isolate the server that is about to be impacted. It is one step beyond a NIDS.

HIDS -> Host-based Intrusion Detection System
HIPS -> Host-based Intrusion Prevention System

Functionality

Both HIDS and NIDS are rule based and issue alerts. The rules are based on the research of other people: when a new attack pattern appears, researchers add new rules to detect it, and the sensor is configured to match suspicious packet sequences against them. In a NIPS processing time is critical, because each packet is held until the rules have been evaluated; a NIDS only detects, working on a copy of the traffic, so its processing time is not a problem.
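To make the detection-versus-prevention distinction concrete, here is an added example in Python (not from the original post, and not real Snort or Suricata rule syntax, though the `sid`/`msg` names are borrowed from them). A handful of rules are matched against constructed, already-decoded packets; in "ids" mode every packet is forwarded and matches only produce alerts, while in "ips" mode matching packets are dropped, which is exactly why rule evaluation sits on the latency path for a NIPS. The rules, addresses and payloads are invented.

```python
"""A minimal signature-based IDS/IPS rule engine.

Added example, not from the original post and not Snort/Suricata rule
syntax (only the 'sid' and 'msg' names are borrowed from them). Packets
are constructed dicts in the shape a protocol decoder would hand to the
detection engine; the rules and payloads are invented for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    sid: int                          # rule identifier
    msg: str                          # alert text
    proto: str                        # "tcp" or "udp"
    dst_port: Optional[int] = None    # None matches any port
    content: Optional[bytes] = None   # byte pattern that must appear in the payload
    flags: Optional[str] = None       # TCP flags that must all be set, e.g. "S"


def matches(rule, pkt):
    """True when every constraint the rule sets is satisfied by the packet."""
    if pkt["proto"] != rule.proto:
        return False
    if rule.dst_port is not None and pkt["dst_port"] != rule.dst_port:
        return False
    if rule.flags is not None and not set(rule.flags) <= set(pkt.get("flags", "")):
        return False
    if rule.content is not None and rule.content not in pkt.get("payload", b""):
        return False
    return True


RULES = [
    Rule(1000001, "libssh client banner on SSH port", "tcp", 22, b"SSH-2.0-libssh"),
    Rule(1000002, "HTTP request containing /etc/passwd", "tcp", 80, b"/etc/passwd"),
    Rule(1000003, "Inbound TELNET connection attempt", "tcp", 23, flags="S"),
]


def inspect(packets, rules=RULES, mode="ids"):
    """Run packets through the rule set.

    mode="ids": passive sensor, every packet is forwarded, matches only raise alerts.
    mode="ips": inline device, packets that match any rule are dropped. Because the
    IPS holds each packet until the verdict is known, its rule evaluation is on the
    latency path; the IDS works on a copy of the traffic and is not.
    Returns (alerts, forwarded_packets)."""
    alerts, forwarded = [], []
    for pkt in packets:
        hits = [r for r in rules if matches(r, pkt)]
        alerts.extend((r.sid, r.msg, pkt["src"], pkt["dst"], pkt["dst_port"]) for r in hits)
        if mode == "ids" or not hits:
            forwarded.append(pkt)
    return alerts, forwarded


# Constructed traffic, already decoded to the fields the engine needs.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5", "dst_port": 22, "flags": "PA",
     "payload": b"SSH-2.0-libssh_0.9.3\r\n"},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.8", "dst_port": 80, "flags": "PA",
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.8", "dst_port": 80, "flags": "PA",
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5", "dst_port": 23, "flags": "S",
     "payload": b""},
    {"proto": "udp", "src": "10.0.0.20", "dst": "10.0.0.1", "dst_port": 53,
     "payload": b"\x12\x34\x01\x00"},
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, forwarded = inspect(SAMPLE_PACKETS, mode=mode)
        print(f"{mode}: {len(alerts)} alerts, {len(forwarded)}/{len(SAMPLE_PACKETS)} packets forwarded")
        for sid, msg, src, dst, port in alerts:
            print(f"  [{sid}] {msg}: {src} -> {dst}:{port}")
```

Both modes raise the same three alerts; the difference is that "ips" forwards only the two benign packets. Real engines also reassemble streams and normalise HTTP before matching, which is what lets a rule like the `/etc/passwd` one survive the `/../../` traversal prefix being split across packets.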

Types of IDS

IDS/IPS products fall into two groups:

The first type is Commercial:

-> Check Point IPS Software Blade

-> Next-Generation Intrusion Prevention System (NGIPS)

-> Extreme NIPS

-> Tipping Point IPS

The second type is Open-Source:

For NIDS:

-> Snort

-> Bro (now called Zeek)

-> Suricata

-> Sagan

For HIDS:

-> OSSEC

-> Fail2Ban

-> AIDE

-> Samhain

Network Forensics — Week 7

October 31st, 2020 Posted 2:03 pm

Week 7

This session we learned about the wireless technologies that a network forensic investigation may encounter. There are many, such as:

Bluetooth earphones
Wi-Fi
infrared devices such as TV remotes
wireless doorbells
Zigbee devices
cell phones
WiMAX
AM/FM radio

Cases involving wireless include, but are not limited to:
1. Tracking a stolen laptop when it connects to a wireless network
2. Identifying rogue wireless access points installed by insiders in order to bypass security
3. Investigating malicious or suspicious activity occurring via a wireless network
4. Investigating attacks on the wireless network itself (denial of service, encryption cracking, etc.)

Network Forensics — Week 5

October 17th, 2020 Posted 4:56 pm

Week 5

This session we learned about evidence acquisition. The ideal would be perfect-fidelity evidence with zero impact on the network environment. A zero-footprint investigation is not achievable, however, so maximum effort must be made to minimise the investigative footprint.

Physical interception means capturing or sniffing packets from the medium itself. The hardware available for this includes:
* Inline network taps
* Induction coils (not commercially available)
* Fibre-optic taps (similar to inline taps)

Well-known software used to capture and sniff packets:
* Wireshark
* tcpdump
* ngrep
* nmap (strictly a network and port scanner rather than a sniffer, but part of the same toolkit)

tcpdump has several options that are useful for acquisition and analysis, such as:
tcpdump -D, which lists all the network interfaces it can capture on
tcpdump -i <interface>, which prints every packet captured from that interface (lowercase -i; the uppercase -I option instead puts a wireless interface into monitor mode)

Network Forensics — Week 4

October 13th, 2020 Posted 6:41 pm

Week 4

This session we learned about the tools needed to find, sample, seal and dissect the evidence obtained. This is an extremely important part of network forensics. The evidence to be investigated can come in many forms, such as a pcap file.

We also learned about flow analysis. Flow analysis groups the captured packets into the conversations they belong to, in order to locate data of interest and to identify patterns in the traffic. Several tools can be used for it: Wireshark, tcpflow, pcapcat and tcpxtract.

Wireshark is available on Windows and on Kali Linux. It is used to read captured packet traffic, showing the source and destination addresses and the details of each packet caught.

There are also different flow analysis techniques:
* list conversations and flows
* export a flow
* file and data carving
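As an added example (not code from the original post or from Wireshark, tcpflow or the other tools named above), the following Python script does by hand what Wireshark's conversation list and "Follow TCP Stream" do: it reads a classic pcap file of the kind `tcpdump -w` writes, decodes the Ethernet/IPv4/TCP headers, lists the bidirectional conversations with packet and byte counts, and exports one direction of a chosen flow by putting its segments back in sequence-number order. The capture is constructed inside the script (MACs, IPs, ports and the HTTP request are invented, and IP/TCP checksums are left at zero because the parser never verifies them), so it runs offline.

```python
"""Flow analysis on a classic pcap file with only the standard library.

Added example, not from the original post or from Wireshark/tcpflow.
The capture below is constructed here: MACs, IPs, ports and the HTTP
request are invented, and IP/TCP checksums are left as zero since the
parser never verifies them.
"""
import socket
import struct
from collections import defaultdict


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, flags, payload):
    """Ethernet + IPv4 + TCP frame (checksums zero), used only to construct the sample."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, then (16-byte record header, frame)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_records(pcap):
    """Yield (timestamp, frame) for each record, honouring the file's byte order."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src_ip, sport, dst_ip, dport, seq, flags, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]                      # drops Ethernet padding past the IP length
    sport, dport, seq, _ack, doff, flags = struct.unpack_from("!HHIIBB", tcp, 0)
    return (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport,
            seq, flags, tcp[(doff >> 4) * 4:])


def conversations(pcap):
    """Bidirectional TCP conversations keyed by the sorted (ip, port) endpoint pair."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, frame in iter_records(pcap):
        d = decode_tcp(frame)
        if d is None:
            continue
        src, sport, dst, dport, _seq, _flags, payload = d
        c = convs[tuple(sorted([(src, sport), (dst, dport)]))]
        c["packets"] += 1
        c["bytes"] += len(payload)
        c["first"] = ts if c["first"] is None else c["first"]
        c["last"] = ts
    return dict(convs)


def export_flow(pcap, src, sport, dst, dport):
    """Payload of one direction of a flow, reordered by sequence number; exact
    retransmissions (same seq) are kept once, overlapping segments are not handled."""
    segments = {}
    for _ts, frame in iter_records(pcap):
        d = decode_tcp(frame)
        if d and d[:4] == (src, sport, dst, dport) and d[6]:
            segments.setdefault(d[4], d[6])
    return b"".join(segments[s] for s in sorted(segments))


# Constructed capture: a two-segment HTTP request captured out of order plus a
# retransmit, the server's reply, and an unrelated SYN to another host.
MAC_A, MAC_B, MAC_C = "02:00:00:00:00:14", "02:00:00:00:00:08", "02:00:00:00:00:01"
REQ = b"GET /secret.txt HTTP/1.1\r\nHost: intranet\r\n\r\n"
SYN, SYN_ACK, PSH_ACK = 0x02, 0x12, 0x18
SAMPLE_PCAP = build_pcap([
    (1602600000, build_tcp_frame(MAC_A, MAC_B, "10.0.0.20", "10.0.0.8", 51000, 80, 1000, SYN, b"")),
    (1602600000, build_tcp_frame(MAC_B, MAC_A, "10.0.0.8", "10.0.0.20", 80, 51000, 5000, SYN_ACK, b"")),
    (1602600001, build_tcp_frame(MAC_A, MAC_B, "10.0.0.20", "10.0.0.8", 51000, 80, 1021, PSH_ACK, REQ[20:])),
    (1602600001, build_tcp_frame(MAC_A, MAC_B, "10.0.0.20", "10.0.0.8", 51000, 80, 1001, PSH_ACK, REQ[:20])),
    (1602600001, build_tcp_frame(MAC_A, MAC_B, "10.0.0.20", "10.0.0.8", 51000, 80, 1001, PSH_ACK, REQ[:20])),
    (1602600002, build_tcp_frame(MAC_B, MAC_A, "10.0.0.8", "10.0.0.20", 80, 51000, 5001, PSH_ACK,
                                 b"HTTP/1.1 200 OK\r\n\r\nsecret\n")),
    (1602600005, build_tcp_frame(MAC_A, MAC_C, "10.0.0.20", "10.0.0.1", 51001, 22, 7000, SYN, b"")),
])

if __name__ == "__main__":
    for (a, b), c in conversations(SAMPLE_PCAP).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  packets={c['packets']} bytes={c['bytes']}")
    print(export_flow(SAMPLE_PCAP, "10.0.0.20", 51000, "10.0.0.8", 80).decode())
```

The exported client flow comes back as the complete request even though its first segment was captured after its second and then repeated, which is the step "export a flow" relies on before anything can be carved out of the stream. To use it on a real capture, replace `SAMPLE_PCAP` with the bytes of a file written by `tcpdump -w`; pcapng files (Wireshark's default) need a different reader.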


Network Forensic — Week 2

September 26th, 2020 Posted 8:12 am

Week 2

This session we learned about sources of network-based evidence and the principles of internetworking.

There are different kinds of network-based evidence, such as on the wire, in the air, and routers. On the wire refers to the physical cabling that carries data over the network. Tapping a wire can provide real-time network data. There are different tap types:
  • Vampire tap: punctures the insulation and touches the conductors
  • Surreptitious fibre tap: bends the cable and cuts the sheath, which exposes the light signal
  • Infrastructure tap: plugs into the connectors and replicates the signal

In the air refers to wireless station-to-station signals. It may not be as useful as the other sources, since the information carried is usually encrypted, but there is still information that can be obtained, such as:

  • Management and control frames
  • Access points
  • Station probes for APs
  • MAC addresses of legitimately authenticated stations
  • Volume-based statistical traffic analysis


Routers connect traffic on different subnets or networks, allowing different addressing schemes to communicate. Routers make MANs, WANs and GANs possible. They are useful sources for numerous reasons, such as:

  • Routing tables
    • Map ports on the router to networks they connect
    • Allows path tracing
  • Function as packet filters
  • Logging functions and flow records
  • Deployed intrusion detection



Internetworking, on the other hand, is the connection and communication between many networks. To establish it, three things are needed: a link between the networks, routing for the delivery of data packets, and accounting to keep track of status information.

Network Forensic — Week 1

September 18th, 2020 Posted 2:36 pm

Week 1

Network forensics can be defined as a branch of digital forensics. Its main objective centres on monitoring and analysing network traffic, with the intention of:

  • Intrusion Detection/Prevention
  • Information Gathering
  • Legal Evidence


Network forensics is often confused with computer forensics. However, the two are very different, as shown in the table below.

Computer Forensics                                              | Network Forensics
Data changes little through daily usage                         | Data changes constantly
Evidence is contained within the file system                    | Evidence sometimes exists only in RAM
Easy to perform a forensically sound acquisition                | Most network devices have no non-volatile storage
Seizing one or several computers has little impact on the business | Taking network devices offline would be problematic


Network forensics is needed to determine how an incident occurred and how long it lasted. Furthermore, it helps identify what data was taken and which systems were affected. Fundamentally it is used to collect evidence so that the perpetrator can be prosecuted, and it yields several different kinds of evidence that are useful in identifying the culprit.