Network forensics
sniffing, recording, acquisition and analysis of the network traffic and event logs in order to investigate a network security incident.
Information obtained from network forensics:
Source of security incidents
Path of the attack
Intrusion techniques used by attackers
Network addressing schemes
MAC address: LAN (link-layer) addressing
IP address: Internet (network-layer) addressing
Three foundations for reconstructing a network crime
temporal analysis: helps establish when things happened and which evidence belongs to that time frame
relational analysis: helps identify which connections (and hosts) are related to the crime
functional analysis: helps identify which events were caused by the crime
refer
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view
—————————————————–
Network Attack
most attacks are from inside the organization
Common type of network attacks
enumeration: gathering information about the target
https://systw.net/note/af/sblog/more.php?id=165
denial of service attack
https://systw.net/note/af/sblog/more.php?id=170
packet sniffing
https://systw.net/note/af/sblog/more.php?id=169
session sniffing (session hijacking): commonly used against online banking to steal the victim's session and then impersonate the victim in transactions
https://systw.net/note/af/sblog/more.php?id=171
buffer overflow
https://systw.net/note/af/sblog/more.php?id=172
trojan horse
https://systw.net/note/af/sblog/more.php?id=168
…
Traffic capturing and analysis tools
Sniffer / network tools
NetworkMiner
Wireshark
tcpdump
WinDump
Ettercap
Tool: NetworkMiner
presents raw sniffer data as structured information
can read sniffer capture files or sniff live and analyze directly
functions include:
hosts: statistics per host, IP address, MAC address
files: shows which files were transferred
images: extracts images directly from the traffic
messages: unencrypted email or text messages are displayed
credentials: lists information related to accounts and passwords
parameters: lists parameters of HTML forms
keywords: lists only packet contents matching the specified keywords
cleartext: lists everything sent in the clear
anomalies: simple anomaly detection
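As an added example (my own code, not NetworkMiner's and not from the original page), the script below shows what such a tool does under the hood: it decodes raw Ethernet/IPv4/TCP frames and builds the hosts, credentials, keywords and cleartext views from them. The frames, MAC and IP addresses and the logins in them are constructed for the demo; checksums are neither computed nor verified.

```python
import base64
import re
import socket
import struct
from collections import defaultdict

ETH_IPV4, PROTO_TCP = 0x0800, 6


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal Ethernet/IPv4/TCP frame so the demo needs no pcap
    file. Checksums stay zero; the decoder below does not verify them."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ETH_IPV4))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                       PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ipv4 + tcp + payload


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP into a dict; return None for other traffic."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
            "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[(tcp[12] >> 4) * 4:]}


def decode_capture(frames):
    return [p for p in map(parse_frame, frames) if p]


def host_table(packets):
    """'hosts' view: each IP with the MAC addresses seen for it and a packet count.
    Two MACs for one IP is itself worth a look (ARP spoofing, DHCP churn)."""
    hosts = defaultdict(lambda: {"macs": set(), "packets": 0})
    for p in packets:
        for ip, mac in ((p["src_ip"], p["src_mac"]), (p["dst_ip"], p["dst_mac"])):
            hosts[ip]["macs"].add(mac)
            hosts[ip]["packets"] += 1
    return dict(hosts)


BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
FTP_RE = re.compile(rb"^(USER|PASS)\s+(\S+)", re.I | re.M)


def credentials(packets):
    """'credentials' view: HTTP Basic and FTP logins sent in the clear,
    as (kind, src_ip, dst_ip, value) tuples."""
    found = []
    for p in packets:
        for m in BASIC_RE.finditer(p["payload"]):
            creds = base64.b64decode(m.group(1)).decode("latin-1")
            found.append(("http-basic", p["src_ip"], p["dst_ip"], creds))
        for cmd, value in FTP_RE.findall(p["payload"]):
            found.append(("ftp-" + cmd.decode().lower(), p["src_ip"], p["dst_ip"],
                          value.decode("latin-1")))
    return found


def keyword_hits(packets, keyword):
    """'keywords' view: only packets whose payload contains the keyword."""
    return [p for p in packets if keyword.encode() in p["payload"]]


def cleartext(packets, min_len=4):
    """'cleartext' view: printable ASCII runs, one list per packet."""
    return [re.findall(rb"[\x20-\x7e]{%d,}" % min_len, p["payload"]) for p in packets]


# Constructed sample capture (not real traffic): an HTTP Basic login, the
# server's reply, and an FTP login, all seen on one LAN segment.
SAMPLE_FRAMES = [
    build_tcp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.0.2.10", "198.51.100.5",
                    51234, 80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                    b"Authorization: Basic " + base64.b64encode(b"alice:Passw0rd!") + b"\r\n\r\n"),
    build_tcp_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", "198.51.100.5", "192.0.2.10",
                    80, 51234, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>secret report</html>"),
    build_tcp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.0.2.10", "198.51.100.7",
                    51300, 21, b"USER bob\r\nPASS hunter2\r\n"),
]

if __name__ == "__main__":
    pkts = decode_capture(SAMPLE_FRAMES)
    print("hosts:", host_table(pkts))
    print("credentials:", credentials(pkts))
    print("keyword 'secret':", len(keyword_hits(pkts, "secret")), "packet(s)")
```

To run it against a real capture you would replace SAMPLE_FRAMES with the frames read from a pcap file (for example with the `dpkt` or `scapy` readers); the decoder only handles Ethernet/IPv4/TCP and silently drops everything else, which is the first thing to extend for VLAN-tagged or IPv6 traffic.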
ps:
tool: fwanalog (parses firewall logs)
a program for analyzing firewall logs
ps:
Elastic Packetbeat: packet analysis (ships decoded network transactions into Elasticsearch)
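The three analyses listed at the top of this page (temporal, relational, functional) and the firewall-log parsing that a tool like fwanalog does are shown together in this added example. It is my own code, not fwanalog's, Packetbeat's or the page's. It parses constructed iptables-style log lines; the ACCEPT/DROP log prefixes, the suspect IP 203.0.113.45, the internal hosts and the log year are all assumptions made for the demo.

```python
import re
from datetime import datetime

# Constructed iptables-style log lines (not a real log). The firewall is
# assumed to log with --log-prefix "ACCEPT " / "DROP "; syslog lines carry
# no year, so one is assumed below.
SAMPLE_LOG = """\
Mar 12 09:05:00 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=198.51.100.200 PROTO=TCP SPT=50100 DPT=443
Mar 12 09:14:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Mar 12 09:14:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Mar 12 09:14:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=445
Mar 12 09:14:04 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=22
Mar 12 09:20:10 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=33001 DPT=443
Mar 12 09:21:00 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=192.0.2.30 PROTO=TCP SPT=33002 DPT=445
"""
LOG_YEAR = 2024  # assumption: syslog timestamps omit the year
SUSPECT = "203.0.113.45"  # assumption: the external IP under investigation

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (ACCEPT|DROP) (.*)$")


def parse_log(text):
    """Turn each firewall line into an event dict (timestamp, verdict, SRC, DST, DPT)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated kernel/syslog noise
        stamp, action, rest = m.groups()
        fields = dict(re.findall(r"(\w+)=(\S*)", rest))
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append({"time": ts, "action": action, "src": fields["SRC"],
                       "dst": fields["DST"], "dpt": int(fields.get("DPT", 0))})
    return events


def timeline(events, host):
    """Temporal analysis: everything touching `host`, in chronological order."""
    return sorted((e for e in events if host in (e["src"], e["dst"])), key=lambda e: e["time"])


def first_contacts(events, suspect):
    """Time of the first accepted connection from the suspect into each host."""
    out = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["action"] == "ACCEPT" and e["src"] == suspect:
            out.setdefault(e["dst"], e["time"])
    return out


def related_hosts(events, suspect):
    """Relational analysis: hosts the suspect got into, plus hosts those victims
    connected to afterwards (the pivot trail)."""
    victims = first_contacts(events, suspect)
    pivot = {e["dst"] for e in events
             if e["action"] == "ACCEPT" and e["src"] in victims
             and e["time"] >= victims[e["src"]] and e["dst"] != suspect}
    return {"direct": set(victims), "pivot": pivot}


def classify_events(events, suspect):
    """Functional analysis: label each event by the role it played in the
    intrusion, or 'background' when the suspect had nothing to do with it."""
    victims = first_contacts(events, suspect)
    labelled = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["src"] == suspect:
            label = "probe" if e["action"] == "DROP" else "initial-access"
        elif e["src"] in victims and e["time"] >= victims[e["src"]]:
            label = "post-compromise"
        else:
            label = "background"
        labelled.append((e, label))
    return labelled


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in timeline(evs, SUSPECT):
        print(e["time"].time(), e["action"], e["src"], "->", e["dst"], "dpt", e["dpt"])
    print("related:", related_hosts(evs, SUSPECT))
    for e, label in classify_events(evs, SUSPECT):
        print(label, e["src"], "->", e["dst"])
```

The pivot step is the part worth copying: once a host has accepted a connection from the suspect, everything that host does afterwards is treated as potentially attacker-driven, which is how the 09:20 outbound 443 connection and the 09:21 SMB connection get pulled into the incident while the earlier 192.0.2.20 traffic stays background.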
—————————————————–
Email Crimes
About email basics
https://systw.net/note/af/sblog/more.php?id=66
Email crime categories
email attacks: phishing, spamming, etc.
email-assisted crime: email used as the communication channel between criminals
Common email attack
email spamming
email bombing/mail storm
sending huge volumes of email to an address in an attempt to overflow the mailbox, or overwhelm the server where the email address is hosted, to cause a denial-of-service attack
phishing
The criminal act of sending an illegitimate email, falsely claiming to be from a legitimate site in an attempt to acquire the user’s personal or account information
email spoofing
The forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source
…
Steps to investigate
First step in the investigation
Trace the IP address to its origin
Common information for investigation
user account that was used to send the message
unique message identifier
contents of the e-mail message
date and time the message was sent
E-mail forensics
1. Examining an e-mail message
2. Copying an e-mail message
3. Printing an e-mail message
4. Viewing e-mail addresses
5. Examining an e-mail header
6. Examining attachments
7. Tracing an e-mail
refer
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view
ps:
Microsoft Outlook email files
default path: C:\Users\%username%\AppData\Local\Microsoft\Outlook
.pst: Outlook mail data file
.ost: cached mailbox file used by Outlook with Exchange
.dbx: Outlook Express mail data file
ps:
Exchange Server message tracking log
only present if message tracking is enabled.
the message tracking log location: C:\Program Files\Exchsrvr\servername.log
…
Email forensics tool
Email header analysis
http://mxtoolbox.com/EmailHeaders.aspx
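Added example (my own code, not from mxtoolbox or the original page): a Python script that pulls the fields listed above under "Common information for investigation" out of a raw message, walks the Received chain back to the originating IP (the "first step" of the investigation), and applies simple header-consistency checks that expose a spoofed From: line. The message, host names and addresses are constructed for the demo; the checks are heuristics, not a substitute for SPF/DKIM/DMARC results.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real message): a phishing mail claiming to come from
# example-bank.com but injected at 192.0.2.77 through a free webmail relay.
SAMPLE_RAW = (
    "Return-Path: <bounce@freemail.example>\n"
    "Received: from relay.freemail.example (relay.freemail.example [198.51.100.25])\n"
    "\tby mx.victim.example (Postfix) with ESMTP id 4F3A9C1B2\n"
    "\tfor <alice@victim.example>; Tue, 12 Mar 2024 09:15:42 +0000\n"
    "Received: from [192.0.2.77] (unknown [192.0.2.77])\n"
    "\tby relay.freemail.example with ESMTPA; Tue, 12 Mar 2024 09:15:38 +0000\n"
    "Message-ID: <20240312091538.abc123@freemail.example>\n"
    "Date: Tue, 12 Mar 2024 09:15:38 +0000\n"
    "From: \"Example Bank Security\" <security@example-bank.com>\n"
    "To: alice@victim.example\n"
    "Subject: Urgent: verify your account\n"
    "\n"
    "Please log in at http://example-bank.com.login.attacker.example/ to keep your account active.\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def domain_of(addr):
    """Domain part of an address header value, lower-cased ('' if absent)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def received_hops(msg):
    """Parse every Received header into (from_ip, relay, time), ordered from
    the originating hop to final delivery. Each relay prepends its own
    Received line, so the topmost header is the last hop and the bottom one
    is the first; reversing gives chronological order."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())  # unfold continuation lines
        ip, by = IP_RE.search(line), BY_RE.search(line)
        when = line.rpartition(";")[2].strip()
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None,
                     "time": parsedate_to_datetime(when) if when else None})
    return list(reversed(hops))


def spoofing_indicators(msg):
    """Cheap header-consistency checks that point at a forged From: line."""
    from_dom = domain_of(msg.get("From"))
    indicators = []
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        indicators.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    mid_dom = (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2].lower()
    if mid_dom and mid_dom != from_dom:
        indicators.append(f"Message-ID domain {mid_dom} != From domain {from_dom}")
    relays = " ".join(" ".join(r.split()) for r in msg.get_all("Received", []))
    if from_dom and from_dom not in relays:
        indicators.append(f"no Received hop mentions the From domain {from_dom}")
    return indicators


def analyze(raw):
    """Collect what an investigator records first: sender account, unique
    message identifier, send time, originating IP and the full hop chain."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    return {"from": parseaddr(msg.get("From", ""))[1],
            "message_id": msg.get("Message-ID"),
            "date": msg.get("Date"),
            "origin_ip": hops[0]["from_ip"] if hops else None,
            "hops": hops,
            "indicators": spoofing_indicators(msg)}


if __name__ == "__main__":
    report = analyze(SAMPLE_RAW)
    print("sender account:", report["from"], "| message id:", report["message_id"])
    print("originating IP:", report["origin_ip"])
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: {hop['from_ip']} -> {hop['by']} at {hop['time']}")
    for ind in report["indicators"]:
        print("indicator:", ind)
```

One caveat when tracing: only the Received header added by your own mail server is trustworthy; everything below it was written by relays you do not control, and an attacker can prepend fake Received lines to push the apparent origin elsewhere. Start from the top and stop trusting the chain at the first relay you cannot vouch for.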
Common email forensics tools
EnCase
FTK
FINALeMail
Sawmill-GroupWise
Audimation for Logging
R-Mail
Paraben’s Email Examiner
EMailTrackerPro