Rights Contact Login For More Details
- Wiley
More About This Title Network Forensics
English
Network Forensics provides a uniquely practical guide for IT and law enforcement professionals seeking a deeper understanding of cybersecurity. This book is hands-on all the way—by dissecting packets, you gain fundamental knowledge that only comes from experience. Real packet captures and log files demonstrate network traffic investigation, and the learn-by-doing approach relates the essential skills that traditional forensics investigators may not have. From network packet analysis to host artifacts to log analysis and beyond, this book emphasizes the critical techniques that bring evidence to light.
Network forensics is a growing field, and is becoming increasingly central to law enforcement as cybercrime becomes more and more sophisticated. This book provides an unprecedented level of hands-on training to give investigators the skills they need.
- Investigate packet captures to examine network communications
- Locate host-based artifacts and analyze network logs
- Understand intrusion detection systems—and let them do the legwork
- Have the right architecture and systems in place ahead of an incident
Network data is always changing, and is never saved in one place; an investigator must understand how to examine data over time, which involves specialized skills that go above and beyond memory, mobile, or data forensics. Whether you're preparing for a security certification or just seeking deeper training for a law enforcement or IT role, you can only learn so much from concept; to thoroughly understand something, you need to do it. Network Forensics provides intensive hands-on practice with direct translation to real-world application.
English
RIC MESSIER has been program director for various cyber-security and computer forensics programs at Champlain College. A veteran of the networking and computer security field since the early 1980s, he has worked at large Internet service providers and small software companies. He has been responsible for the development of numerous course materials, has served on incident response teams, and has been consulted on forensic investigations for large companies.
English
Introduction xxi
1 Introduction to Network Forensics 1
What Is Forensics? 3
Handling Evidence 4
Cryptographic Hashes 5
Chain of Custody 8
Incident Response 8
The Need for Network Forensic Practitioners 10
Summary 11
References 12
2 Networking Basics 13
Protocols 14
Open Systems Interconnection (OSI) Model 16
TCP/IP Protocol Suite 18
Protocol Data Units 19
Request for Comments 20
Internet Registries 23
Internet Protocol and Addressing 25
Internet Protocol Addresses 28
Internet Control Message Protocol (ICMP) 31
Internet Protocol Version 6 (IPv6) 31
Transmission Control Protocol (TCP) 33
Connection-Oriented Transport 36
User Datagram Protocol (UDP) 38
Connectionless Transport 39
Ports 40
Domain Name System 42
Support Protocols (DHCP) 46
Support Protocols (ARP) 48
Summary 49
References 51
3 Host-Side Artifacts 53
Services 54
Connections 60
Tools 62
netstat 63
nbstat 66
ifconfi g/ipconfi g 68
Sysinternals 69
ntop 73
Task Manager/Resource Monitor 75
ARP 77
/proc Filesystem 78
Summary 79
4 Packet Capture and Analysis 81
Capturing Packets 82
Tcpdump/Tshark 84
Wireshark 89
Taps 91
Port Spanning 93
ARP Spoofi ng 94
Passive Scanning 96
Packet Analysis with Wireshark 98
Packet Decoding 98
Filtering 101
Statistics 102
Following Streams 105
Gathering Files 106
Network Miner 108
Summary 110
5 Attack Types 113
Denial of Service Attacks 114
SYN Floods 115
Malformed Packets 118
UDP Floods 122
Amplifi cation Attacks 124
Distributed Attacks 126
Backscatter 128
Vulnerability Exploits 130
Insider Threats 132
Evasion 134
Application Attacks 136
Summary 140
6 Location Awareness 143
Time Zones 144
Using whois 147
Traceroute 150
Geolocation 153
Location-Based Services 156
WiFi Positioning 157
Summary 158
7 Preparing for Attacks 159
NetFlow 160
Logging 165
Syslog 166
Windows Event Logs 171
Firewall Logs 173
Router and Switch Logs 177
Log Servers and Monitors 178
Antivirus 180
Incident Response Preparation 181
Google Rapid Response 182
Commercial Offerings 182
Security Information and Event Management 183
Summary 185
8 Intrusion Detection Systems 187
Detection Styles 188
Signature-Based 188
Heuristic 189
Host-Based versus Network-Based 190
Snort 191
Suricata and Sagan 201
Bro 203
Tripwire 205
OSSEC 206
Architecture 206
Alerting 207
Summary 208
9 Using Firewall and Application Logs 211
Syslog 212
Centralized Logging 216
Reading Log Messages 220
LogWatch 222
Event Viewer 224
Querying Event Logs 227
Clearing Event Logs 231
Firewall Logs 233
Proxy Logs 236
Web Application Firewall Logs 238
Common Log Format 240
Summary 243
10 Correlating Attacks 245
Time Synchronization 246
Time Zones 246
Network Time Protocol 247
Packet Capture Times 249
Log Aggregation and Management 251
Windows Event Forwarding 251
Syslog 252
Log Management Offerings 254
Timelines 257
Plaso 258
PacketTotal 259
Wireshark 261
Security Information and Event Management 262
Summary 263
11 Network Scanning 265
Port Scanning 266
Operating System Analysis 271
Scripts 273
Banner Grabbing 275
Ping Sweeps 278
Vulnerability Scanning 280
Port Knocking 285
Tunneling 286
Passive Data Gathering 287
Summary 289
12 Final Considerations 291
Encryption 292
Keys 293
Symmetric 294
Asymmetric 295
Hybrid 296
SSL/TLS 297
Cloud Computing 306
Infrastructure as a Service 306
Storage as a Service 309
Software as a Service 310
Other Factors 311
The Onion Router (TOR) 314
Summary 317
Index 319
