book

Learning Network Forensics

Name: Learning Network Forensics
Author: Samir Datt
ISBN: 9781782174905

by Samir Datt

February 2016

Beginner

274 pages

6h 6m

English

Packt Publishing

Read now

Unlock full access

Learning Network Forensics
Table of Contents
Learning Network Forensics
Credits
About the Author
About the Reviewers
www.PacktPub.com
eBooks, discount offers, and moreWhy subscribe?
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
Downloading the color images of this bookErrataPiracyQuestions
1. Becoming Network 007s
007 characteristics in the network worldBond characteristics for getting to satisfactory completion of the caseThe TAARA methodology for network forensics
Identifying threats to the enterprise
Internal threatsExternal threats
Data breach surveys
Locard's exchange principle
Defining network forensics
Differentiating between computer forensics and network forensics
Strengthening our technical fundamentals
The seven-layer modelThe TCP/IP modelUnderstanding the concept of interconnection between networks/InternetInternet Protocol (IP)Structure of an IP packetTransmission Control Protocol (TCP)User Datagram Protocol (UDP)Internet application protocols
Understanding network security
Types of threatsInternal threatsExternal threats
Network security goals
ConfidentialityIntegrityAvailabilityHow are networks exploited?
Digital footprints
Summary
2. Laying Hands on the Evidence
Identifying sources of evidenceEvidence obtainable from within the networkEvidence from outside the network
Learning to handle the evidence
Rules for the collection of digital evidenceRule 1: never mishandle the evidenceRule 2: never work on the original evidence or systemRule 3: document everything
Collecting network traffic using tcpdump
Installing tcpdumpUnderstanding tcpdump command parametersCapturing network traffic using tcpdump
Collecting network traffic using Wireshark
Using Wireshark
Collecting network logs
Acquiring memory using FTK Imager
Summary
3. Capturing & Analyzing Data Packets
Tapping into network trafficPassive and active sniffing on networks
Packet sniffing and analysis using Wireshark
Packet sniffing and analysis using NetworkMiner
Case study – tracking down an insider
Summary
4. Going Wireless
Laying the foundation – IEEE 802.11
Understanding wireless protection and security
Wired equivalent privacyWi-Fi protected accessWi-Fi Protected Access IISecuring your Wi-Fi network
Discussing common attacks on Wi-Fi networks
Incidental connectionMalicious connectionAd hoc connectionNon-traditional connectionsSpoofed connectionsMan-in-the-middle (MITM) connectionsThe denial-of-service (DoS) attack
Capturing and analyzing wireless traffic
Sniffing challenges in a Wi-Fi worldConfiguring our network cardSniffing packets with WiresharkAnalyzing wireless packet capture
Summary
5. Tracking an Intruder on the Network
Understanding Network Intrusion Detection Systems
Understanding Network Intrusion Prevention Systems
Modes of detection
Pattern matchingAnomaly detection
Differentiating between NIDS and NIPS
Using SNORT for network intrusion detection and prevention
The sniffer modeThe packet logger modeThe network intrusion detection/prevention mode
Summary
6. Connecting the Dots – Event Logs
Understanding log formats
Use case
Discovering the connection between logs and forensics
Security logsSystem logsApplication logs
Practicing sensible log management
Log management infrastructureLog management planning and policies
Analyzing network logs using Splunk
Summary
7. Proxies, Firewalls, and Routers
Getting proxies to confessRoles proxies playTypes of proxiesUnderstanding proxiesExcavating the evidence
Making firewalls talk
Different types of firewallsPacket filter firewallsStateful inspection firewallsApplication layer firewallsInterpreting firewall logs
Tales routers tell
Summary
8. Smuggling Forbidden Protocols – Network Tunneling
Understanding VPNsTypes of VPNsRemote access VPNsPoint-to-point VPNsThe AAA of VPNs
How does tunneling work?
SSH tunneling
Types of tunneling protocols
The Point-to-Point Tunneling ProtocolLayer 2 Tunneling ProtocolSecure Socket Tunneling Protocol
Various VPN vulnerabilities & logging
Summary
9. Investigating Malware – Cyber Weapons of the Internet
Knowing malwareMalware objectivesMalware origins
Trends in the evolution of malware
Malware types and their impact
AdwareSpywareVirusWormsTrojansRootkitsBackdoorsKeyloggersRansomwareBrowser hijackersBotnets
Understanding malware payload behavior
DestructiveIdentity theftEspionageFinancial fraudTheft of dataMisuse of resources
Malware attack architecture
Indicators of Compromise
Performing malware forensics
Malware insight – Gameover Zeus Trojan
Summary
10. Closing the Deal – Solving the Case
Revisiting the TAARA investigation methodology
Triggering the case
Trigger of the case
Acquiring the information and evidence
Important handling guidelinesGathering information and acquiring the evidence
Analyzing the collected data – digging deep
Reporting the case
Action for the future
Future of network forensics
Summary
Index

Content preview from Learning Network Forensics

Differentiating between NIDS and NIPS

At first sight, both the solutions seem quite similar; however, there is a clear difference in that one is a passive monitoring and detection system that limits itself to raising an alarm at an anomaly or signature match, and the other is an active prevention system that takes proactive action when detecting a malicious packet by dropping it.

Usually, a NIPS is inline (between the firewall and rest of the network) and takes proactive action based on the set of rules provided to it. In the case of a NIDS, the device/computer is usually not inline but may get mirrored traffic from a network tap or mirrored port.

The network overhead in the case of a NIPS is more than that of a NIDS.

Another issue with a NIDS is ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781782174905

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Learning Network Forensics

by Samir Datt

Differentiating between NIDS and NIPS

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.