Hands-On Network Forensics

Book description

Gain basic skills in network forensics and learn how to apply them effectively

Key Features

  • Investigate network threats with ease
  • Practice forensics tasks such as intrusion detection, network analysis, and scanning
  • Learn forensics investigation at the network level

Book Description

Network forensics is a subset of digital forensics that deals with network attacks and their investigation. In the era of network attacks and malware threat, it's now more important than ever to have skills to investigate network attacks and vulnerabilities.

Hands-On Network Forensics starts with the core concepts within network forensics, including coding, networking, forensics tools, and methodologies for forensic investigations. You'll then explore the tools used for network forensics, followed by understanding how to apply those tools to a PCAP file and write the accompanying report. In addition to this, you will understand how statistical flow analysis, network enumeration, tunneling and encryption, and malware detection can be used to investigate your network. Towards the end of this book, you will discover how network correlation works and how to bring all the information from different types of network devices together.

By the end of this book, you will have gained hands-on experience of performing forensics analysis tasks.

What you will learn

  • Discover and interpret encrypted traffic
  • Learn about various protocols
  • Understand the malware language over wire
  • Gain insights into the most widely used malware
  • Correlate data collected from attacks
  • Develop tools and custom scripts for network forensics automation

Who this book is for

The book targets incident responders, network engineers, analysts, forensic engineers and network administrators who want to extend their knowledge from the surface to the deep levels of understanding the science behind network protocols, critical indicators in an incident and conducting a forensic search over the wire.

Publisher resources

View/Submit Errata

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Hands-On Network Forensics
  3. Dedication
  4. About Packt
    1. Why subscribe?
    2. Packt.com
  5. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
    5. Disclaimer
  7. Section 1: Obtaining the Evidence
  8. Introducing Network Forensics
    1. Technical requirements
    2. Network forensics investigation methodology
    3. Source of network evidence
      1. Tapping the wire and the air
      2. CAM table on a network switch
      3. Routing tables on routers
      4. Dynamic Host Configuration Protocol logs
      5. DNS servers logs
      6. Domain controller/authentication servers/ system logs
      7. IDS/IPS logs
      8. Firewall logs
      9. Proxy server logs
    4. Wireshark essentials
      1. Identifying conversations and endpoints
      2. Identifying the IP endpoints
      3. Basic filters
    5. Exercise 1 – a noob's keylogger
    6. Exercise 2 – two too many
    7. Summary
    8. Questions and exercises
    9. Further reading
  9. Technical Concepts and Acquiring Evidence
    1. Technical requirements
    2. The inter-networking refresher
    3. Log-based evidence
      1. Application server logs
      2. Database logs
      3. Firewall logs
      4. Proxy logs
      5. IDS logs
    4. Case study – hack attempts
    5. Summary
    6. Questions and exercises
    7. Further reading
  10. Section 2: The Key Concepts
  11. Deep Packet Inspection
    1. Technical requirements
    2. Protocol encapsulation
      1. The Internet Protocol header
      2. The Transmission Control Protocol header
      3. The HTTP packet
    3. Analyzing packets on TCP
    4. Analyzing packets on UDP
    5. Analyzing packets on ICMP
    6. Case study – ICMP Flood or something else
    7. Summary
    8. Questions and exercises
    9. Further reading
  12. Statistical Flow Analysis
    1. Technical requirements
    2. The flow record and flow-record processing systems (FRPS) 
      1. Understanding flow-record processing systems
      2. Exploring Netflow
      3. Uniflow and bitflow
    3. Sensor deployment types
    4. Analyzing the flow
      1. Converting PCAP to the IPFIX format
      2. Viewing the IPFIX data
      3. Flow analysis using SiLK
        1. Viewing flow records as text
    5. Summary
    6. Questions
    7.  Further reading
  13. Combatting Tunneling and Encryption
    1. Technical requirements
    2. Decrypting TLS using browsers
    3. Decoding a malicious DNS tunnel
      1. Using Scapy to extract packet data
    4. Decrypting 802.11 packets
      1. Decrypting using Aircrack-ng
    5. Decoding keyboard captures
    6. Summary
    7. Questions and exercises
    8. Further reading
  14. Section 3: Conducting Network Forensics
  15. Investigating Good, Known, and Ugly Malware
    1. Technical requirements
    2. Dissecting malware on the network
      1. Finding network patterns
    3. Intercepting malware for fun and profit
      1. PyLocky ransomware decryption using PCAP data
      2. Decrypting hidden tear ransomware
    4. Behavior patterns and analysis
    5. A real-world case study – investigating a banking Trojan on the network
    6. Summary
    7. Questions and exercises
    8. Further reading
  16. Investigating C2 Servers
    1. Technical requirements
    2. Decoding the Metasploit shell
      1. Working with PowerShell obfuscation
      2. Decoding and decompressing with Python
    3. Case study – decrypting the Metasploit Reverse HTTPS Shellcode
    4. Analyzing Empire C2
    5. Case study – CERT.SE's major fraud and hacking criminal case, B 8322-16
    6. Summary
    7. Questions and exercises
    8. Further reading
  17. Investigating and Analyzing Logs
    1. Technical requirements
    2. Network intrusions and footprints
      1. Investigating SSH logs
      2. Investigating web proxy logs
      3. Investigating firewall logs
    3. A case study – defaced servers
    4. Summary
    5. Questions and exercises
    6. Further reading
  18. WLAN Forensics
    1. Technical requirements
    2. The 802.11 standard
      1. Wireless evidence types
      2. Using airodump-ng to tap the air
    3. Packet types and subtypes
    4. Locating wireless devices
    5. Identifying rogue access points
      1. Obvious changes in the MAC address
      2. The tagged perimeters
      3. The time delta analysis
    6. Identifying attacks
      1. Rogue AP attacks
      2. Peer-to-peer attacks
      3. Eavesdropping
      4. Cracking encryption
      5. Authentication attacks
      6. Denial of service
      7. Investigating deauthentication packets
    7. Case study – identifying the attacker
    8. Summary
    9. Questions
    10. Further reading
  19. Automated Evidence Aggregation and Analysis
    1. Technical requirements
    2. Automation using Python and Scapy
    3. Automation through pyshark – Python's tshark
    4. Merging and splitting PCAP data
      1. Splitting PCAP data on parameters
      2. Splitting PCAP data in streams
    5. Large-scale data capturing, collection, and indexing
    6. Summary
    7.  Questions and exercises
    8. Further reading
  20. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think
  21. Assessments
    1. Chapter 1: Introducing Network Forensics
    2. Chapter 6: Investigating Good, Known, and Ugly Malware
    3. Chapter 7: Investigating C2 Servers
    4. Chapter 9: WLAN Forensics

Product information

  • Title: Hands-On Network Forensics
  • Author(s): Nipun Jaswal
  • Release date: March 2019
  • Publisher(s): Packt Publishing
  • ISBN: 9781789344523