Network Forensics


Network forensics
Sniffing, recording, acquisition and analysis of network traffic and event logs in order to investigate a network security incident.

Information obtained from network forensics:
Source of security incidents
Path of the attack
Intrusion techniques used by attackers

Network addressing schemes
MAC address: for LAN addressing
IP address: for Internet addressing

Three foundations for reconstructing a network crime in forensics
Temporal analysis: helps identify the timing of events and the related evidence
Relational analysis: helps identify which connections are related to the crime
Functional analysis: helps identify which events were caused by the crime
Reference:
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view


........................................................................................

Network Attack

Network attack
most attacks are from inside the organization

Common types of network attacks
enumeration: gathering information about the target
http://systw.net/note/af/sblog/more.php?id=165
denial of service attack
http://systw.net/note/af/sblog/more.php?id=170
packet sniffing
http://systw.net/note/af/sblog/more.php?id=169
session sniffing: commonly used against online banking to steal the victim's session and then impersonate the victim in transactions
http://systw.net/note/af/sblog/more.php?id=171
buffer overflow
http://systw.net/note/af/sblog/more.php?id=172
trojan horse
http://systw.net/note/af/sblog/more.php?id=168

...

Traffic capturing and analysis tools

Sniffer network tools
NetworkMiner
wireshark
tcpdump
windump
ettercap

Tool: NetworkMiner
Presents the raw data from a sniffer as structured information
Can read sniffer capture files or sniff directly and analyze the traffic
Functions include the following:
hosts: statistics, IP addresses, MAC addresses
files: shows which files were transferred
images: extracts images directly
messages: unencrypted email or text messages can be displayed
credentials: lists credential-related information (accounts and passwords)
parameters: lists parameters from HTML forms
keywords: lists only the packet contents matching specified keywords
cleartext: lists all cleartext content
anomalies: simple anomaly detection

ps:
tool: FWanalog (parses firewall logs)
A program that analyzes firewall logs

ps:
Elastic Packetbeat: packet analysis

 

........................................................................................

Email Crimes

About email basics
http://systw.net/note/af/sblog/more.php?id=66

Email crime categories
email attacks: phishing, spamming, etc.
email-assisted crime: email used for communication between criminals

Common email attack
email spamming
email bombing/mail storm
sending huge volumes of email to an address in an attempt to overflow the mailbox, or overwhelm the server where the email address is hosted, to cause a denial-of-service attack
phishing
The criminal act of sending an illegitimate email, falsely claiming to be from a legitimate site in an attempt to acquire the user's personal or account information
email spoofing
The forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source

...

Steps to investigate

First step in the investigation
Trace the IP address to its origin

Common information for an investigation
user account that was used to send the message
unique message identifier
contents of the e-mail message
date and time the message was sent
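An added example (not from the original note) that pulls the items listed above out of a message and walks the Received headers to trace the message back to its origin IP, the first step named in the investigation section. The message, addresses and Message-ID are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message for this example: sender, Message-ID,
# timestamps and relay names/IPs are all invented (RFC 5737 test ranges).
SAMPLE_EMAIL = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by inbox.example.org with ESMTP id abc123; Sat, 24 Oct 2015 08:01:45 +0800
Received: from relay.example.com (relay.example.com [198.51.100.7])
    by mx.example.net with ESMTP; Sat, 24 Oct 2015 08:01:40 +0800
Received: from user-pc (unknown [203.0.113.55])
    by relay.example.com with ESMTPA; Sat, 24 Oct 2015 08:01:30 +0800
From: sender@example.com
Message-ID: <20151024000130.12345@relay.example.com>
Date: Sat, 24 Oct 2015 08:01:30 +0800

Hello
"""

# Bracketed IPv4 literal as MTAs write it in Received headers.
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def extract_hops(raw):
    """Return the IPs from the Received headers in delivery order.

    Each relay prepends its own Received header, so the last one in the
    message is the earliest hop; reversing gives origin -> our server.
    Only headers added by servers you control are trustworthy; lower
    hops can be forged by the sender (email spoofing).
    """
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IPV4.search(hdr)
        hops.append(m.group(1) if m else None)
    return hops

def summarize(raw):
    """Collect the fields an investigator records for an email message."""
    msg = message_from_string(raw)
    hops = extract_hops(raw)
    return {
        "sender": msg["From"],
        "message_id": msg["Message-ID"],
        "sent": parsedate_to_datetime(msg["Date"]).isoformat(),
        "origin_ip": hops[0] if hops else None,
        "path": hops,
    }
```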

E-mail forensics
1. Examining an e-mail message
2. Copying an e-mail message
3. Printing an e-mail message
4. Viewing the e-mail address
5. Examining an e-mail header
6. Examining attachments
7. Tracing an e-mail
Reference:
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view

ps:
Microsoft Outlook email files
default path: C:\Users\%username%\AppData\Local\Microsoft\Outlook
.pst, Outlook mail data file
.ost, offline cached mail file for Outlook used with Exchange
.dbx, Outlook Express mail data file

ps:
Exchange Server message tracking log
Only available if message tracking is enabled.
The message tracking log file: C:\Program Files\Exchsrvr\servername.log

...

Email forensics tool

Email header analysis
http://mxtoolbox.com/EmailHeaders.aspx

Common email forensics tools
EnCase
FTK
FINALeMail
Sawmill-GroupWise
Audimation for Logging
R-Mail
Paraben's Email Examiner
EMailTrackerPro

Posted 2015-10-24 08:01:45, modified 2015-10-24 08:01:54
