What is FORENSICS? Why do we need Network Forensics? Why is it so important?

Introduction

  • Network: an interconnection of computers by communication channels
  • Large amounts of data (packets) are transferred in each interval of time
  • Attacks may be either passive or active
  • Network forensics is like a camera on the network:
      • it discovers the source of security attacks
      • it provides useful tools for investigating cybercrimes on the Internet

Network Forensics

  • Analyzing the network traffic
  • Examining network devices such as routers
  • The data rate is very fast
  • Packets need to be stored to find the behavior
  • Deals with volatile and dynamic information
  • Identify all possible security violations
  • Identify malicious activities from the traffic logs, discover their details, and assess the damage

Definition

  • The act of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems.
  • Systems collect data in two forms:
      • "Catch-it-as-you-can": packets passing through a certain traffic point are captured; analysis is done subsequently; requires large amounts of storage.
      • "Stop, look and listen": each packet is analyzed in memory; only certain information is saved for future analysis.
  • Comprehensive data collection: anything that crosses the network, whether email, IM, VoIP, FTP, HTML, or some other application or protocol, collected by a single system and stored in a common, searchable format.
  • Flexible data collection: collect all data on a network segment for future inspection, or focus on a specific user or server.

Capabilities

  • Catching hackers on the wire
  • Attackers' fingerprints remain throughout the network: in firewall logs, IDS/IPS, web proxies, and traffic captures

Ethernet

  • data on this layer is collected using the network interface card (NIC) of a host
  • it collects all the traffic that comes over the network

TCP/IP

  • in this layer, routing tables are used to identify attackers
  • apart from routing tables, authentication logs are also used in this layer

The Internet

  • web server logs are used here
  • they are used to extract user account information

Network forensics includes

  • preparation
  • collection
  • preservation
  • examination
  • analysis
  • investigation
  • presentation

Network Forensic Analysis Tools (NFATs)

  • allow administrators to monitor networks
  • gather all information about anomalous traffic
  • assist in network crime investigation

A Generic Framework for Network Forensics

  • Preparation and authorization
  • Collection of network traces
  • Preservation and protection
  • Examination and analysis
  • Investigation and attribution
  • Presentation and review

Wireshark

  • formerly known as Ethereal
  • used at the Ethernet layer
  • uses pcap to capture data
  • data is captured from live traffic or read from a file that was recorded earlier
  • VoIP calls can be detected in the captured traffic

Network forensic analysis

  • open source and proprietary security tools: Wireshark, tcpdump, Snort

Conclusion

  • A real-world method of initially identifying and responding to computer crimes and policy violations
  • With data mining tools, network engineers have the data they need to identify and fix problems
  • Security teams can reconstruct the sequence of events
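The two collection modes from the Definition slide ("catch-it-as-you-can" versus "stop, look and listen") and the pcap format that Wireshark and tcpdump write, shown as an added Python example that is not part of the presentation. It reads a classic pcap byte stream, decodes Ethernet/IPv4/TCP headers, and then applies each mode to the same capture: one retains every decoded packet for later analysis, the other keeps only per-flow counters, which is enough to spot a host whose traffic consists of nothing but SYNs to many ports. The capture, addresses and ports are constructed inside the file (no real traffic), and the scan heuristic and its threshold are illustrative assumptions, not a rule from the slides.

```python
"""Minimal libpcap reader with the two collection modes named in the slides.
Added example, not code from the presentation. All addresses, ports and the
pcap bytes below are constructed so that the file runs offline."""
import socket
import struct
from collections import defaultdict

TCP_FLAG_NAMES = {0x02: "SYN", 0x10: "ACK", 0x04: "RST", 0x01: "FIN", 0x08: "PSH"}


def iter_packets(data):
    """Yield (timestamp, frame) from classic pcap bytes: 24-byte global header, then records."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # header written little-endian
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # header written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                         # truncated final record: stop rather than mis-parse
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode(frame):
    """Decode Ethernet/IPv4 plus the TCP or UDP header; return None for other frame types."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    l4 = frame[14 + (vihl & 0x0F) * 4:14 + total_len]
    rec = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
           "ttl": ttl, "sport": None, "dport": None, "flags": "", "payload_len": len(l4)}
    if proto == 6 and len(l4) >= 20:
        sport, dport, _seq, _ack, off_res, flags = struct.unpack("!HHIIBB", l4[:14])
        rec.update(sport=sport, dport=dport, payload_len=len(l4) - (off_res >> 4) * 4,
                   flags="|".join(n for bit, n in TCP_FLAG_NAMES.items() if flags & bit))
    elif proto == 17 and len(l4) >= 8:
        sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
        rec.update(sport=sport, dport=dport, payload_len=ulen - 8)
    return rec


def catch_it_as_you_can(pcap_bytes):
    """'Catch-it-as-you-can': keep every packet, analyse later. Storage grows with traffic."""
    return [(ts, decode(frame)) for ts, frame in iter_packets(pcap_bytes)]


def stop_look_and_listen(pcap_bytes):
    """'Stop, look and listen': analyse each packet in memory, retain only flow counters."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "bare_syn": 0})
    for _ts, frame in iter_packets(pcap_bytes):
        rec = decode(frame)
        if rec is None:
            continue
        stats = flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])]
        stats["packets"] += 1
        stats["bytes"] += rec["payload_len"]
        stats["bare_syn"] += int(rec["flags"] == "SYN")
    return dict(flows)


def suspicious_scanners(flows, min_ports=3):
    """Sources whose TCP flows are nothing but SYNs to several distinct ports (assumed heuristic)."""
    targets = defaultdict(set)
    for (src, _sp, dst, dport, proto), stats in flows.items():
        if proto == 6 and stats["packets"] == stats["bare_syn"]:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


# ---- constructed sample capture (not real traffic) ----
def _tcp_frame(src, dst, sport, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LE header, Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap(
    [_tcp_frame("192.168.1.10", "10.0.0.5", 40000, 80, 0x02),   # SYN
     _tcp_frame("10.0.0.5", "192.168.1.10", 80, 40000, 0x12),   # SYN|ACK
     _tcp_frame("192.168.1.10", "10.0.0.5", 40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")]
    + [_tcp_frame("203.0.113.7", "10.0.0.5", 55555, p, 0x02) for p in (22, 23, 445, 3389)])

if __name__ == "__main__":
    flows = stop_look_and_listen(SAMPLE_PCAP)
    for key, stats in flows.items():
        print(key, stats)
    print("scan-like sources:", suspicious_scanners(flows))
```

The difference between the two modes is what survives after the loop: `catch_it_as_you_can` returns every decoded packet, so any later question can be answered but storage scales with the capture, while `stop_look_and_listen` discards each frame after updating its flow's counters, so it runs in bounded memory but can only answer questions the counters were designed for.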