priyanka-aash
TOO BIG TO COVER
• Difficult to cover every aspect of Network Forensics
• So many aspects, features and possibilities
• Highly addictive
WHY PACKET ANALYSIS?
• A million things can go wrong with a computer network - from a simple spyware infection to a complex router configuration error.
• The packet level is the most basic level, where nothing is hidden.
• Understand the network: who is on the network, whom your computer is talking to, what the network usage is, and any suspicious communication (DoS, botnet, intrusion attempt etc.)
• Find unsecured and bloated applications – FTP sends clear-text authentication data
• One phase of computer forensics - could reveal data otherwise hidden somewhere in a 150 GB HDD.
NOW WHAT?
Think of it as solving a mystery
• Where do we start?
• What questions to ask?
• What tools do we need?
• Once you have the traces - what then?
HOW DO WE DO IT?
• Capture – Where, How, What, How long
• Transfer – Hash, split, distribute
• Analyze – IP, Protocol, Time, Delay, Duration, pattern, graphs, charts, blah…
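The "Transfer" step above (hash, split, distribute) as an added example in Python, not code from the original deck: it builds a small constructed pcap, hashes the whole file, splits it on packet-record boundaries so that every part is itself a valid pcap, writes a manifest of per-part SHA-256 digests, and verifies the parts on the receiving side. The file names, the manifest layout and the placeholder packet payloads are assumptions made for the demo.

```python
import hashlib
import json
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_USER0 = 147         # reserved for private use; the demo payloads are not real frames

def pcap_global_header(linktype=LINKTYPE_USER0, snaplen=65535):
    # magic, major, minor, thiszone, sigfigs, snaplen, network
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(ts_sec, ts_usec, payload):
    # ts_sec, ts_usec, incl_len, orig_len, then the captured bytes
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload

def build_pcap(packets):
    """packets: iterable of (ts_sec, ts_usec, payload_bytes)."""
    return pcap_global_header() + b"".join(pcap_record(s, u, p) for s, u, p in packets)

def iter_records(data):
    """Yield each packet record (16-byte header + bytes) of a pcap, refusing truncated files."""
    off = 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        end = off + 16 + incl_len
        if end > len(data):
            raise ValueError("truncated record at offset %d" % off)
        yield data[off:end]
        off = end

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def split_pcap(data, packets_per_chunk):
    """Split on record boundaries; every chunk carries the global header, so it opens on its own."""
    header, chunks, current = data[:24], [], []
    for rec in iter_records(data):
        current.append(rec)
        if len(current) == packets_per_chunk:
            chunks.append(header + b"".join(current))
            current = []
    if current:
        chunks.append(header + b"".join(current))
    return chunks

def write_chunks_with_manifest(data, packets_per_chunk, out_dir):
    """Sender side: hash the whole capture first, then each part, and record both in a manifest."""
    manifest = {"original_sha256": sha256_bytes(data), "chunks": []}
    for i, chunk in enumerate(split_pcap(data, packets_per_chunk)):
        path = os.path.join(out_dir, "capture.part%03d.pcap" % i)   # assumed naming scheme
        with open(path, "wb") as f:
            f.write(chunk)
        manifest["chunks"].append({"path": path, "sha256": sha256_bytes(chunk),
                                   "packets": sum(1 for _ in iter_records(chunk))})
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_manifest(manifest):
    """Receiver side: every part must hash as recorded, and the parts joined back
    together must hash to the original; otherwise the evidence is not what was sent."""
    header, records = None, []
    for entry in manifest["chunks"]:
        with open(entry["path"], "rb") as f:
            chunk = f.read()
        if sha256_bytes(chunk) != entry["sha256"]:
            return False
        header = header or chunk[:24]
        records.extend(iter_records(chunk))
    return header is not None and sha256_bytes(header + b"".join(records)) == manifest["original_sha256"]

def demo(packets_per_chunk=2):
    """Constructed run: five placeholder packets, split, verified, then one part corrupted."""
    packets = [(1700000000 + i, 0, bytes([i]) * 40) for i in range(5)]
    data = build_pcap(packets)
    with tempfile.TemporaryDirectory() as out_dir:
        manifest = write_chunks_with_manifest(data, packets_per_chunk, out_dir)
        ok_before = verify_manifest(manifest)
        last = manifest["chunks"][-1]["path"]
        with open(last, "r+b") as f:              # flip one byte in the last part's first record header
            f.seek(24); byte = f.read(1); f.seek(24); f.write(bytes([byte[0] ^ 0xFF]))
        ok_after = verify_manifest(manifest)
    return len(manifest["chunks"]), ok_before, ok_after

if __name__ == "__main__":
    print(demo())   # (3, True, False)
```

Splitting on record boundaries matters: a byte-level split (for example with `split -b`) produces parts that no analysis tool can open, and it forces the recipient to rejoin everything before checking anything. Hashing the whole capture before it leaves the capture host, and re-checking after reassembly, is what lets the recipient show that the packets analysed are the packets collected.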
CAPTURE
• Capture Methods
  • Wired
    • Mirror/Monitor/SPAN
    • Taps
    • Hubs
    • ARP poisoning???
    • Promiscuous mode
    • WinPcap/libpcap
  • Wireless
    • Rfmon/monitor mode
    • AirPcap
MORE QUESTIONS, BETTER ANALYSIS
• Are the servers in the same location or in different ones?
• Same subnet or different subnets?
• Any suspicion - IP address, application?
• When did it start?
• How and when did it get identified?
• Why were you called in – lack of resources, time, expertise?
WHAT NOT TO DO
• Do not scroll up and down trying to read packets manually, one by one.
• Do not capture any and all traffic just for the sake of capturing.
• Do not ASSUME. You can have thoughts and suspicions, but you STILL NEED REASONS!
FILTERS
• Capture Filters
• Display Filters
• Auto-complete
• Red – error, Green – good
• Recent usage history
• Create a filter from a packet/field
• Combine multiple filter conditions using “and”, “or”, “not” etc.
• Protocol Filtering
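The filter slide above as an added example, not code from the original deck or from Wireshark itself: a small evaluator for Wireshark-style display filters (`ip.addr == x`, `tcp.port == n`, `and`/`or`/`not`, parentheses, bare protocol names) run over constructed raw IPv4 packets that the block builds with `struct`. The field names mirror Wireshark's; the addresses, ports and the `ftp`/`dns` shortcuts (matched by well-known port only) are assumptions made for the demo.

```python
import socket
import struct

# Constructed raw IPv4 packets (no link-layer header) so the parser has real bytes to work on.
def ipv4_packet(src, dst, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4

def tcp_segment(sport, dport, payload=b""):
    # seq, ack, data offset 5 words, flags PSH|ACK, window, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

def udp_datagram(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

PACKETS = [   # constructed sample traffic; addresses and ports are made up
    ipv4_packet("10.0.0.5", "192.0.2.10", 6, tcp_segment(51000, 21, b"USER alice\r\n")),
    ipv4_packet("192.0.2.10", "10.0.0.5", 6, tcp_segment(21, 51000, b"331 Password required\r\n")),
    ipv4_packet("10.0.0.5", "192.0.2.20", 6, tcp_segment(51001, 80, b"GET / HTTP/1.1\r\n")),
    ipv4_packet("10.0.0.7", "192.0.2.53", 17, udp_datagram(40000, 53, b"\x00\x01")),
    ipv4_packet("10.0.0.9", "192.0.2.10", 6, tcp_segment(51002, 21, b"PASS hunter2\r\n")),
]

def parse(pkt):
    """Dissect IPv4 and the TCP/UDP ports into Wireshark-style field names (values as strings)."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    fields = {"ip.src": socket.inet_ntoa(pkt[12:16]), "ip.dst": socket.inet_ntoa(pkt[16:20]),
              "ip.proto": str(proto)}
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        layer = "tcp" if proto == 6 else "udp"
        fields[layer + ".srcport"], fields[layer + ".dstport"] = str(sport), str(dport)
    return fields

# "ip.addr" matches either endpoint, "tcp.port" either port; protocol names are true when the layer is present.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}
PROTOCOLS = {
    "ip": lambda f: "ip.src" in f,
    "tcp": lambda f: "tcp.srcport" in f,
    "udp": lambda f: "udp.srcport" in f,
    "ftp": lambda f: "21" in (f.get("tcp.srcport"), f.get("tcp.dstport")),   # port heuristic, assumed
    "dns": lambda f: "53" in (f.get("udp.srcport"), f.get("udp.dstport")),   # port heuristic, assumed
}

def compile_filter(expr):
    """Recursive-descent parser: or-expr := and-expr ('or' and-expr)*, and-expr := not-expr ('and' not-expr)*,
    not-expr := 'not' not-expr | atom, atom := '(' or-expr ')' | field (==|!=) value | protocol."""
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = [0]
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None
    def take():
        if pos[0] >= len(tokens):
            raise ValueError("unexpected end of filter")
        pos[0] += 1
        return tokens[pos[0] - 1]
    def parse_or():
        node = parse_and()
        while peek() in ("or", "||"):
            take(); lhs, rhs = node, parse_and()
            node = lambda f, l=lhs, r=rhs: l(f) or r(f)
        return node
    def parse_and():
        node = parse_not()
        while peek() in ("and", "&&"):
            take(); lhs, rhs = node, parse_not()
            node = lambda f, l=lhs, r=rhs: l(f) and r(f)
        return node
    def parse_not():
        if peek() in ("not", "!"):
            take(); inner = parse_not()
            return lambda f, i=inner: not i(f)
        return parse_atom()
    def parse_atom():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing )")
            return node
        if peek() in ("==", "!="):
            op, value = take(), take()
            names = ALIASES.get(tok, (tok,))
            match = lambda f, n=names, v=value: any(f.get(x) == v for x in n)
            return match if op == "==" else (lambda f, m=match: not m(f))
        if tok in PROTOCOLS:
            return PROTOCOLS[tok]
        raise ValueError("unknown token %r" % tok)
    node = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens after %r" % tokens[pos[0] - 1])
    return node

def apply_filter(packets, expr):
    """Return the 1-based frame numbers that match, like Wireshark's frame column."""
    pred = compile_filter(expr)
    return [i for i, p in enumerate(packets, 1) if pred(parse(p))]

if __name__ == "__main__":
    for expr in ("ftp", "ip.addr == 10.0.0.5 and not tcp.port == 80", "(ftp or dns) and ip.src == 10.0.0.9"):
        print(expr, "->", apply_filter(PACKETS, expr))
```

One caveat the demo hides: here `!=` means `!(field == value)`, which is how current Wireshark releases treat it; older releases read `ip.addr != x` as "any of the field's values differs", which on a two-valued field like `ip.addr` matched almost every packet. When a filter returns more than expected, that is the first thing to check.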
RECONSTRUCT THE CRIME SCENE
• Understand the flow
• Reconstruct the files
• Identify the attacker and victim
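"Understand the flow" and "Reconstruct the files" as an added example, not part of the original deck: one direction of a TCP conversation is put back together from constructed segments that arrive out of order and include a retransmission, then the HTTP body is carved out and checked against `Content-Length`. The sequence numbers, payloads and the padding of uncaptured ranges with zero bytes are assumptions made for the demo.

```python
ISN = 1000     # constructed initial sequence number of the server-to-client direction

# One direction of a TCP stream as (seq, payload), in capture order: out of order,
# with one retransmission. Constructed sample, not taken from a real capture.
SEGMENTS = [
    (ISN + 0,  b"HTTP/1.1 200 OK\r\n"),
    (ISN + 46, b"\r\nhello, world\n"),        # the body arrives before the last header line
    (ISN + 17, b"Content-Length: 13\r\n"),
    (ISN + 17, b"Content-Length: 13\r\n"),    # retransmission: identical bytes, same seq
    (ISN + 37, b"X-Id: 7\r\n"),
]

def reassemble(segments, isn):
    """Put segments back in sequence order, drop bytes already seen (retransmissions,
    partial overlaps) and report holes instead of silently stitching across them."""
    data, holes = bytearray(), []
    expected = isn                        # next sequence number we still need
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:
            continue                      # nothing new in this segment
        if seq > expected:
            holes.append((expected, seq))             # bytes never captured
            data.extend(b"\x00" * (seq - expected))   # pad so later offsets stay right
            expected = seq
        data.extend(payload[expected - seq:])         # skip the overlapping prefix
        expected = end
    return bytes(data), holes

def carve_http_body(stream):
    """Split a reassembled HTTP response into headers and body and check the body
    against Content-Length, so a truncated capture is reported rather than trusted."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None, False
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    expected_len = int(headers.get(b"content-length", len(body)))
    return body[:expected_len], len(body) >= expected_len

def reconstruct(segments, isn):
    """Full pipeline: reassemble, carve, and say whether the file is trustworthy as evidence."""
    stream, holes = reassemble(segments, isn)
    body, complete = carve_http_body(stream)
    return {"stream": stream, "holes": holes, "body": body, "complete": complete and not holes}

if __name__ == "__main__":
    result = reconstruct(SEGMENTS, ISN)
    print(result["body"], result["holes"], result["complete"])
```

The `holes` list is the part worth keeping in a report: a reconstructed file with a gap is still useful for understanding the flow, but only a gap-free stream whose length matches the declared `Content-Length` should be presented as the file that actually crossed the wire.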
REFERENCES
• Wireshark University by Laura Chappell and Gerald Combs
• Sharkfest talks - Betty DuBois on Network Mysteries
• Securitytube.net by Vivek Ramachandran
• Picture courtesy Google. Not my property.