Network Forensics

Wiley (publisher)
  • published 14 July 2017
  • 360 pages
E-book | ePUB with Adobe DRM | system requirements below
978-1-119-32918-3 (ISBN)
Intensively hands-on training for real-world network forensics
Network Forensics provides a uniquely practical guide for IT and law enforcement professionals seeking a deeper understanding of cybersecurity. This book is hands-on all the way--by dissecting packets, you gain fundamental knowledge that only comes from experience. Real packet captures and log files demonstrate network traffic investigation, and the learn-by-doing approach relates the essential skills that traditional forensics investigators may not have. From network packet analysis to host artifacts to log analysis and beyond, this book emphasizes the critical techniques that bring evidence to light.
Network forensics is a growing field, and is becoming increasingly central to law enforcement as cybercrime becomes more and more sophisticated. This book provides an unprecedented level of hands-on training to give investigators the skills they need.
* Investigate packet captures to examine network communications
* Locate host-based artifacts and analyze network logs
* Understand intrusion detection systems--and let them do the legwork
* Have the right architecture and systems in place ahead of an incident
Network data is always changing, and is never saved in one place; an investigator must understand how to examine data over time, which involves specialized skills that go above and beyond memory, mobile, or data forensics. Whether you're preparing for a security certification or just seeking deeper training for a law enforcement or IT role, you can only learn so much from concept; to thoroughly understand something, you need to do it. Network Forensics provides intensive hands-on practice with direct translation to real-world application.
1st edition
  • English
  • New York, USA
John Wiley & Sons
  • 21.24 MB
978-1-119-32918-3 (9781119329183)
RIC MESSIER has been program director for various cyber-security and computer forensics programs at Champlain College. A veteran of the networking and computer security field since the early 1980s, he has worked at large Internet service providers and small software companies. He has been responsible for the development of numerous course materials, has served on incident response teams, and has been consulted on forensic investigations for large companies.
  • Cover
  • Title Page
  • Copyright
  • About the Author
  • About the Technical Editor
  • Credits
  • Contents
  • Introduction
  • What This Book Covers
  • How to Use This Book
  • How This Book Is Organized
  • Chapter 1: Introduction to Network Forensics
  • What Is Forensics?
  • Handling Evidence
  • Cryptographic Hashes
  • Chain of Custody
  • Incident Response
  • The Need for Network Forensic Practitioners
  • Summary
  • References
  • Chapter 2: Networking Basics
  • Protocols
  • Open Systems Interconnection (OSI) Model
  • TCP/IP Protocol Suite
  • Protocol Data Units
  • Request for Comments
  • Internet Registries
  • Internet Protocol and Addressing
  • Internet Protocol Addresses
  • Internet Control Message Protocol (ICMP)
  • Internet Protocol Version 6 (IPv6)
  • Transmission Control Protocol (TCP)
  • Connection-Oriented Transport
  • User Datagram Protocol (UDP)
  • Connectionless Transport
  • Ports
  • Domain Name System
  • Support Protocols (DHCP)
  • Support Protocols (ARP)
  • Summary
  • References
  • Chapter 3: Host-Side Artifacts
  • Services
  • Connections
  • Tools
  • netstat
  • nbstat
  • ifconfig/ipconfig
  • Sysinternals
  • ntop
  • Task Manager/Resource Monitor
  • ARP
  • /proc Filesystem
  • Summary
  • Chapter 4: Packet Capture and Analysis
  • Capturing Packets
  • Tcpdump/Tshark
  • Wireshark
  • Taps
  • Port Spanning
  • ARP Spoofing
  • Passive Scanning
  • Packet Analysis with Wireshark
  • Packet Decoding
  • Filtering
  • Statistics
  • Following Streams
  • Gathering Files
  • Network Miner
  • Summary
  • Chapter 5: Attack Types
  • Denial of Service Attacks
  • SYN Floods
  • Malformed Packets
  • UDP Floods
  • Amplification Attacks
  • Distributed Attacks
  • Backscatter
  • Vulnerability Exploits
  • Insider Threats
  • Evasion
  • Application Attacks
  • Summary
  • Chapter 6: Location Awareness
  • Time Zones
  • Using whois
  • Traceroute
  • Geolocation
  • Location-Based Services
  • WiFi Positioning
  • Summary
  • Chapter 7: Preparing for Attacks
  • NetFlow
  • Logging
  • Syslog
  • Windows Event Logs
  • Firewall Logs
  • Router and Switch Logs
  • Log Servers and Monitors
  • Antivirus
  • Incident Response Preparation
  • Google Rapid Response
  • Commercial Offerings
  • Security Information and Event Management
  • Summary
  • Chapter 8: Intrusion Detection Systems
  • Detection Styles
  • Signature-Based
  • Heuristic
  • Host-Based versus Network-Based
  • Snort
  • Suricata and Sagan
  • Bro
  • Tripwire
  • Architecture
  • Alerting
  • Summary
  • Chapter 9: Using Firewall and Application Logs
  • Syslog
  • Centralized Logging
  • Reading Log Messages
  • LogWatch
  • Event Viewer
  • Querying Event Logs
  • Clearing Event Logs
  • Firewall Logs
  • Proxy Logs
  • Web Application Firewall Logs
  • Common Log Format
  • Summary
  • Chapter 10: Correlating Attacks
  • Time Synchronization
  • Time Zones
  • Network Time Protocol
  • Packet Capture Times
  • Log Aggregation and Management
  • Windows Event Forwarding
  • Syslog
  • Log Management Offerings
  • Timelines
  • Plaso
  • PacketTotal
  • Wireshark
  • Security Information and Event Management
  • Summary
  • Chapter 11: Network Scanning
  • Port Scanning
  • Operating System Analysis
  • Scripts
  • Banner Grabbing
  • Ping Sweeps
  • Vulnerability Scanning
  • Port Knocking
  • Tunneling
  • Passive Data Gathering
  • Summary
  • Chapter 12: Final Considerations
  • Encryption
  • Keys
  • Symmetric
  • Asymmetric
  • Hybrid
  • Cloud Computing
  • Infrastructure as a Service
  • Storage as a Service
  • Software as a Service
  • Other Factors
  • The Onion Router (TOR)
  • Summary
  • Index
  • EULA

One of the best things about the different technology fields, should you have the stomach for it--and many don't--is the near-constant change. Over the decades I have been involved in technology-based work, I've either had to or managed to reinvent myself and my career every handful of years or less. The world keeps changing and in order to maintain pace, we have to change too. In one of my incarnations that ended not many months ago now, I ran graduate and undergraduate programs at Champlain College in its online division. One of my responsibilities within that role was overseeing development of course materials. Essentially, either I or someone I hired developed the course and then I hired people who could teach it, often the people who did the development, though not always.

In the process of developing a course on network forensics, I discovered that there wasn't a lot of material around that covered it. At the time, I was able to find a single book but it wasn't one that we could make use of at the college because of policies focused on limiting costs to students. As a result, when I was asked what my next book would be, a book on network forensics that would explore in more detail the ideas I think are really important to anyone who is doing network investigations made the most sense to me.

What This Book Covers

I like to understand the why and how of things. I find it serves me better. When I understand the why and how, I don't get stuck in a dinosaur graveyard because at its core, technology continues to cycle around a number of central ideas. This has always been true. When you understand what underpins the technology, you'll see it's a variation on something you've seen before, if you stick around long enough. As a result, what is covered in this book is a lot of "how and why" and less of "these are the latest trendy tools" because once you understand the how and why, once you get to what's underneath, the programs can change and you'll still understand what it is you are looking at, rather than expecting the tools to do the work for you.

This is the reason why this book, while offering up some ideas about investigations, is really more about the technologies that network investigations are looking at. If you understand how networks work, you'll know better where to look for the information you need. You'll also be able to navigate changes. While we've moved from coax to twisted pair to optical to wireless, ultimately the protocols have remained the same for decades. As an example, Ethernet was developed in the 1970s and your wireless network connection, whether it's at home or at your favorite coffee shop down the street, still uses Ethernet. We're changing the delivery mechanism without changing what is being delivered. Had you learned how Ethernet worked in the early 1980s, you could look at a frame of Ethernet traffic today and still understand exactly what is happening.

The same is true of so-called cloud computing. In reality, it's just the latest term for outsourcing or even the service bureaus that were big deals in the '70s and '80s. We outsource our computing needs to companies so we don't have to deal with any of the hassle of the equipment and we can focus on the needs of the business. Cloud computing makes life much easier because delivery of these services has settled down to a small handful of well-known protocols. We know how they all work so there is no deciphering necessary.

At the risk of over-generalizing, for many years now there has been a significant emphasis on digital forensics, seen particularly through the lens of any number of TV shows that glorify the work of a forensic investigator and, in the process, get huge chunks of the work and the processes completely wrong. So-called dead-box forensics has been in use for decades now, where the investigator gets a disk or a disk image and culls through all the files, and maybe even the memory image for artifacts. The way people use computers and computing devices is changing. On top of that, as more and more businesses are affected by incidents that have significant financial impact, they have entirely different needs.

The traditional law enforcement approach to forensics is transitioning, I believe, to more of a consulting approach or an incident response at the corporate level. In short, there will continue to be a growing need for people who can perform network investigations as time goes on. With so many attackers in the business of attacking--their attacks, thefts, scams, and so on are how they make their living--the need for skilled investigators is unlikely to lessen any time in the near future. As long as there is money to be made, you can be sure the criminal incidents will continue.

As you read through this book, you will find that the "what's underneath" is at the heart of everything. We'll talk about a lot of technologies, protocols, and products, but much of it is with the intention of demonstrating that the more things change, the more they stay the same.

How to Use This Book

I've always been a big believer in a hands-on approach to learning. Rather than just talking about theories, you'll look at how the tools work in the field. However, this is not a substitute for actually using them yourself. All of the tools you look at in this book are either open source or have community editions, which means you can spend time using the tools yourself by following along with the different features and capabilities described in each chapter. It's best to see how they all behave in your own environment, especially since some of the examples provided here may look and behave differently on your systems because you'll have different network traffic and configurations. Working along with the text, you'll not only get hands-on experience with the tools, but you will see how everything on your own systems and networks behaves.

How This Book Is Organized

This book is organized so that chapter topics more or less flow from one to the next.

Chapter 1 provides a foundational understanding of forensics. It also looks at what it means to perform forensic investigations as well as what an incident response might look like and why they are important. You may or may not choose to skim or skip this chapter, depending on how well-versed you are with some of the basic legal underpinnings and concepts of what forensics and incident response are.

Chapter 2 provides the foundation of what you should know about networking and protocols, because the rest of the book will be looking at network traffic in a lot of detail. If you are unfamiliar with networking and the protocols we use to communicate across a network, you should spend a fair amount of time here, getting used to how everything is put together.

Chapter 3 covers host-side artifacts. After all, not everything happens over the bare wire. Communication originates and terminates from end devices like computers, tablets, phones, and a variety of other devices. When communication happens between two devices, there are traces on those devices. We'll cover what those artifacts might be and how you might recover them.

Chapter 4 explains how you would go about capturing network traffic and then analyzing it.

Chapter 5 talks about the different types of attacks you may see on the network. Looking at these attacks relies on the material covered in Chapter 4, because we are going to look at packet captures and analyze them to look at the attack traffic.

Chapter 6 is about how a computer knows where it is and how you can determine where a computer is based on information that you have acquired over the network. You can track this down in a number of ways to varying levels of granularity without engaging Internet service providers.

Chapter 7 covers how you can prepare yourself for a network investigation. Once an incident happens, the network artifacts are gone because they are entirely ephemeral on the wire. If you are employed by or have a relationship with a business that you perform investigations for, you should think about what you need in place so that when an incident happens, you have something to look at. Otherwise you will be blind, deaf, and dumb.

Chapter 8 continues the idea of getting prepared by talking about intrusion detection systems and their role in a potential investigation.

Along the same lines, Chapter 9 is about firewalls and other applications that may be used for collecting network-related information.

Chapter 10 covers how to correlate all of that information once you have it in order to obtain something that you can use. This includes the importance of timelines so you can see what happened and in what order.

Chapter 11 is about performing network scans so you can see what the attacker might see. Network scanning can also tell you things that looking at your different hosts may not tell you.

Finally, Chapter 12 is about other considerations. This includes cryptography and cloud computing and how they can impact a network forensic investigation.

Once you have a better understanding of all of the different types of network communications and all of the supporting information, I hope you will come away with a much better understanding of the importance of making use of the network for investigations. I hope you will find that your skills as a network investigator...
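The introduction's claim that an Ethernet frame still decodes today the way it did in the early 1980s can be checked directly. The following Python decoder is an added example for this listing, not code from the book or from the author: it walks a frame from the Ethernet II header (with an optional 802.1Q VLAN tag) through the IPv4 header to the TCP ports and flags, verifies the IPv4 header checksum as a basic sanity check an investigator would want, and builds its own sample frame inline. The MAC and IP addresses, ports and sequence number in `build_sample_frame` are constructed for the example and do not come from any real capture.

```python
"""Decode an Ethernet II frame down to the TCP header using only struct.

Added example (not code from the book): the frame is constructed inline,
with a valid IPv4 header checksum, so the decoder can be run offline.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag inserted after the source MAC
IPPROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid header (checksum included) it is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(frame: bytes) -> dict:
    """Ethernet II: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType, then payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:          # tagged frame: TCI + real EtherType follow
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype,
            "vlan": vlan, "payload": frame[offset:]}


def parse_ipv4(pkt: bytes) -> dict:
    """IPv4 header: version/IHL, total length, protocol, addresses; verify the checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4               # header length in bytes (options included)
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("inconsistent IPv4 lengths")
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "protocol": pkt[9], "ttl": pkt[8], "total_length": total_len,
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:total_len]}


def parse_tcp(seg: bytes) -> dict:
    """TCP header: ports, sequence numbers, data offset and the nine flag bits."""
    if len(seg) < 20:
        raise ValueError("TCP segment shorter than 20 bytes")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    data_offset = (off_flags >> 12) * 4
    flags = [name for bit, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << bit)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": seg[data_offset:]}


def decode_frame(frame: bytes) -> dict:
    """Walk the layers: Ethernet -> (IPv4 -> (TCP)); stop at the first unknown type."""
    eth = parse_ethernet(frame)
    layers = {"ethernet": eth}
    if eth["ethertype"] == ETHERTYPE_IPV4:
        ip = parse_ipv4(eth["payload"])
        layers["ipv4"] = ip
        if ip["protocol"] == IPPROTO_TCP:
            layers["tcp"] = parse_tcp(ip["payload"])
    return layers


def build_sample_frame(vlan_id=None) -> bytes:
    """Constructed sample: a TCP SYN 192.168.1.10:49152 -> 10.0.0.5:80 (addresses made up)."""
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1000, 0, 0x5002, 65535, 0, 0)  # offset 5, SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the checksum
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    tag = b"" if vlan_id is None else struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


if __name__ == "__main__":
    for layer, fields in decode_frame(build_sample_frame(vlan_id=100)).items():
        print(layer, {k: v for k, v in fields.items() if k != "payload"})
```

The decoder deliberately stops at the first EtherType or IP protocol it does not know rather than guessing, and it reports a checksum failure instead of raising, since a corrupted or deliberately malformed header is itself evidence worth keeping in a capture.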

File format: ePUB
Copy protection: Adobe DRM (Digital Rights Management)


Computer (Windows; macOS; Linux): install the free Adobe Digital Editions software before downloading (see the e-book help).

Tablet/smartphone (Android; iOS): install the free Adobe Digital Editions app before downloading (see the e-book help).

E-book readers: Bookeen, Kobo, Pocketbook, Sony, Tolino and many others (not Kindle)

The ePUB format is well suited to novels and non-fiction, that is, to "flowing" text without complex layout. On e-readers and smartphones the line and page breaks adapt automatically to the small display. Adobe DRM is a "hard" copy protection: if the necessary prerequisites are not met, the e-book cannot be opened, so prepare your reading hardware before downloading.

Note on the Adobe Digital Editions reading software: we strongly recommend authorizing it with your personal Adobe ID immediately after installation.

Download (available immediately)

38.99 €
incl. 7% VAT
Download / single-user licence
ePUB with Adobe DRM
see system requirements