{"id":339,"date":"2015-10-24T19:04:53","date_gmt":"2015-10-24T11:04:53","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=339"},"modified":"2023-10-30T19:30:05","modified_gmt":"2023-10-30T11:30:05","slug":"network-forensics","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/339","title":{"rendered":"Network forensics"},"content":{"rendered":"\n

Network forensics<\/strong>
sniffing, recording, acquisition and analysis of the network traffic and event logs in order to investigate a network security incident.<\/p>\n\n\n\n

Infomation from Network forensics :<\/strong>
Source of security incidents
Path of the attack
Intrusion techniques used by attackers<\/p>\n\n\n\n

Network addressing schemes<\/strong>
Mac address: for LAN
IP: for internet addressing<\/p>\n\n\n\n

\u91cd\u5efa\u7db2\u8def\u72af\u7f6a\u9451\u8b58\u7684\u4e09\u5927\u57fa\u790e<\/strong>
temporal analysis : \u5354\u52a9\u8fa8\u8a8d\u6642\u9593\u8207\u76f8\u95dc\u8b49\u64da
Relational analysis : \u5354\u52a9\u8fa8\u8a8d\u54ea\u4e9b\u9023\u7dda\u8ddf\u72af\u7f6a\u6709\u95dc
Functional analysis : \u5354\u52a9\u8fa8\u8a8d\u54ea\u4e9b\u662f\u72af\u7f6a\u9020\u6210\u7684event
refer
http:\/\/wenku.baidu.com\/view\/da7fbcd0360cba1aa811da11.html?re=view<\/p>\n\n\n\n

—————————————————–<\/p>\n\n\n\n

Network Attack<\/strong><\/h2>\n\n\n\n

Network attack<\/strong>
most attacks are from inside the organization<\/p>\n\n\n\n

Common type of network attacks<\/strong>
enumeration<\/strong>: \u6536\u96c6\u76ee\u6a19\u8cc7\u8a0a
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=165<\/a>
denial of service attack<\/strong>
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=170<\/a>
packet sniffing<\/strong>
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=169<\/a>
session sniffing<\/strong>: \u5e38\u7528\u5728\u7db2\u9280\u5077victim\u7684session\u7528\u4ee5\u5047\u5192victm\u4ea4\u6613
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=171<\/a>
buffer overflow<\/strong>
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=172<\/a>
trojan horse<\/strong>
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=168<\/a><\/p>\n\n\n\n

…<\/p>\n\n\n\n

Traffic capturing and analysis tools<\/strong><\/h3>\n\n\n\n

Sniffer network tool \u3000<\/strong>
network miner
wireshark
tcpdump
windump
ettercap<\/p>\n\n\n\n

Tool: network miner<\/strong>
\u53ef\u5c07sniffer\u7684raw data\u4ee5\u8cc7\u8a0a\u65b9\u5f0f\u5448\u73fe
\u53ef\u8b80sniffier\u6a94\u6848\u548c\u76f4\u63a5sniffer\u505a\u5206\u6790
funcation include below
host: \u7d71\u8a08\u8cc7\u8a0a,IP,\u5361\u865f
files: \u986f\u793a\u4ec0\u9ebc\u6a94\u6848\u88ab\u50b3\u8f38
img:\u76f4\u63a5\u6293\u5716
messages: \u4e0d\u52a0\u5bc6\u7684email\u6216\u6587\u5b57\u8a0a\u606f\u53ef\u4ee5\u88ab\u986f\u793a\u51fa\u4f86
credentials; \u5217\u51fa\u8207\u5e33\u5bc6\u6709\u95dc\u7684\u8cc7\u8a0a
parameters: \u5217\u51fahtml\u8868\u55ae\u76f8\u95dc\u53c3\u6578
keywords: \u53ea\u5217\u51fa\u6709\u6307\u5b9a\u95dc\u9375\u5b57\u76f8\u95dc\u7684packet\u5167\u5bb9
cleartext: \u5217\u51fa\u6240\u6709\u660e\u78bc
anomalies: \u7c21\u55ae\u7570\u5e38\u5075\u6e2c<\/p>\n\n\n\n

ps:
tool: Fwanalog(FWanalog parse firewall log)
\u5206\u6790firewall log\u7684\u7a0b\u5f0f<\/p>\n\n\n\n

ps:
elastic packetbeat: \u5206\u6790packet<\/p>\n\n\n\n

—————————————————–<\/p>\n\n\n\n

Email Crimes<\/strong><\/h2>\n\n\n\n

About Email basic
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=66<\/a><\/p>\n\n\n\n

Email crime category<\/strong>
email attack: phishing, spamming,…etc
email\u8f14\u52a9\u72af\u7f6a: \u7f6a\u72af\u901a\u8a0a\u9593\u7684email<\/p>\n\n\n\n

Common email attack
email spamming<\/strong>
email bombing\/mail storm<\/strong>
sending huge volumes of email to an address in an attempt to overflow the mailbox, or overwhelm the server where the email address is hosted, to cause a denial-of-service attack
phishing<\/strong>
The criminal act of sending an illegitimate email, falsely claiming to be from a legitimate site in an attempt to acquire the user’s personal or account information
email spoofing<\/strong>
The forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source<\/p>\n\n\n\n

…<\/p>\n\n\n\n

Steps to investigate<\/p>\n\n\n\n

First step in the investigation<\/strong>
Trace the IP address to its origin<\/p>\n\n\n\n

Common information for investigation<\/strong>
user account that was used to send the account
unique message identifier
contents of the e-mail message
date and time the message was sent<\/p>\n\n\n\n

E-mail\u9451\u8b58<\/strong>
1.Examining an e-mail message
2.Copying an e-mail message
3.Printing an e-mail message
4.Viewing e-mail address
5.Examining an e-mail header
6.Emamining attachments
7.tracing and E-mail
refer
http:\/\/wenku.baidu.com\/view\/da7fbcd0360cba1aa811da11.html?re=view<\/p>\n\n\n\n

ps:
microsoft outlook email file<\/strong>
default path:\u3000C:Users%username%AppDataLocalMicrosoftOutlook
.pst, Outlook\u90f5\u4ef6\u8cc7\u6599\u6a94
.ost, \u4f7f\u7528exchange\u7684outlook\u5feb\u53d6\u90f5\u4ef6\u6a94
.dbx, outlook express \u90f5\u4ef6\u8cc7\u6599\u6a94

ps:
Exchange server tracking log<\/strong>
if message tracking enabled.
the message tracking log file: C:Program FilesExchsrvrservername.log<\/p>\n\n\n\n

…<\/p>\n\n\n\n

Email forensics tool<\/p>\n\n\n\n

Email header analysis<\/strong>
http:\/\/mxtoolbox.com\/EmailHeaders.aspx<\/p>\n\n\n\n

Common email forensics tool<\/strong>
EnCase
FTK
FINALeMail
Sawmill-GroupWise
Audimation for Logging
R-Mail
Paraben’s Email Examiner
EMailTrackerPro<\/p>\n","protected":false},"excerpt":{"rendered":"

Network forensicssniffing, rec …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[11],"tags":[],"class_list":["post-339","post","type-post","status-publish","format-standard","hentry","category-forensics"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/339","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=339"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/339\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=339"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}