Network Forensics
Table of Contents
Messier Ric. Network Forensics
Introduction
What This Book Covers
How This Book Is Organized
1. Introduction to Network Forensics
What Is Forensics?
Incident Response
The Need for Network Forensic Practitioners
Summary
References
2. Networking Basics
Protocols
Request for Comments
Internet Registries
Internet Protocol and Addressing
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Ports
Domain Name System
Support Protocols (DHCP)
Support Protocols (ARP)
Summary
References
3. Host-Side Artifacts
Services
Connections
Tools
Summary
4. Packet Capture and Analysis
Capturing Packets
Packet Analysis with Wireshark
Network Miner
Summary
5. Attack Types
Denial of Service Attacks
Vulnerability Exploits
Insider Threats
Evasion
Application Attacks
Summary
6. Location Awareness
Time Zones
Using whois
Traceroute
Geolocation
Location-Based Services
WiFi Positioning
Summary
7. Preparing for Attacks
NetFlow
Logging
Antivirus
Incident Response Preparation
Security Information and Event Management
Summary
8. Intrusion Detection Systems
Detection Styles
Host-Based versus Network-Based
Architecture
Alerting
Summary
9. Using Firewall and Application Logs
Syslog
Event Viewer
Firewall Logs
Common Log Format
Summary
10. Correlating Attacks
Time Synchronization
Packet Capture Times
Log Aggregation and Management
Timelines
Security Information and Event Management
Summary
11. Network Scanning
Port Scanning
Vulnerability Scanning
Port Knocking
Tunneling
Passive Data Gathering
Summary
12. Final Considerations
Encryption
Cloud Computing
The Onion Router (TOR)
Summary
About the Author
About the Technical Editor
Credits
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
One of the best things about the different technology fields, should you have the stomach for it – and many don't – is the near-constant change. Over the decades I have been involved in technology-based work, I've either had to or managed to reinvent myself and my career every handful of years or less. The world keeps changing, and in order to maintain pace, we have to change too. In one of my incarnations that ended not many months ago now, I ran graduate and undergraduate programs at Champlain College in its online division. One of my responsibilities within that role was overseeing development of course materials. Essentially, either I or someone I hired developed the course, and then I hired people who could teach it, often the people who did the development, though not always.
In the process of developing a course on network forensics, I discovered that there wasn't a lot of material around that covered it. At the time, I was able to find a single book, but it wasn't one that we could make use of at the college because of policies focused on limiting costs to students. As a result, when I was asked what my next book would be, a book on network forensics that would explore in more detail the ideas I think are really important to anyone who is doing network investigations made the most sense to me.
.....
The MD5 hash value for that file is 2583a3fab8faaba111a567b1e44c2fa4. No matter how many times I run the MD5 hash utility against that file, I will get the same value back. The MD5 hash algorithm is non-linear, however: a change of a single bit in the file yields an entirely different result, not a result that is one bit different from the original hash. Every bit in the file contributes to the calculation. If you have an extra space or an end of line where there wasn't one in the original input, the value will be different. To demonstrate this, changing the first letter of the text file from an H to a G is a single-bit difference in how it is stored on the computer, since the value for H is 72 and the value for G is 71 on the ASCII table. The hash value resulting from this altered file is 2a9739d833abe855112dc86f53780908. This is a substantive change, demonstrating the complexity of the hashing function.
One of the problems with the MD5 algorithm, though, is that its output is only 128 bits. This isn't an especially large space in which to be generating values, leaving it vulnerable to collisions. As a result, for many purposes the MD5 hash has been superseded by the Secure Hash Algorithm 1 (SHA-1) hash. The SHA-1 hash generates a 160-bit value, which can be rendered using 40 hexadecimal digits. Even this isn't always considered large enough. As a result, the SHA-2 standard for cryptographic hashing has several alternatives that generate longer values. One that you may run into, particularly in the encryption space, is SHA-256, which generates a 256-bit value. Where the 128-bit MD5 hash algorithm has the potential to generate roughly 3.4 × 10^38 unique values, the SHA-256 hash algorithm can yield 1.15 × 10^77 unique values. It boggles the mind to think about how large those numbers are, frankly. Generating a SHA-1 hash against our original text file gives us a value of 286f55360324d42bcb1231ef5706a9774ed0969e. The SHA-256 hash value of our original file is 3ebcc1766a03b456517d10e315623b88bf41541595b5e9f60f8bd48e06bcb7ba. These are all different values that were generated against the same input file.
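The behaviour described in the two paragraphs above can be checked directly. The following is an added example written for this page, not code from the book or its author; it uses Python's standard hashlib. Because the book's text file is not reproduced here, the input is a constructed string and its digests will not match the values quoted in the excerpt. The altered copy changes the first letter from H (0x48) to I (0x49), which differs in exactly one bit; note that H to G (0x48 to 0x47) differs in four bit positions, though either change is enough to produce an unrelated digest. The example also counts how many output bits change for MD5, SHA-1 and SHA-256, computes the 2^128 and 2^256 value spaces the excerpt quotes, and shows the forensic use of a digest: recomputing it over evidence and comparing it to a previously recorded value.

```python
import hashlib
import hmac

# Constructed sample input (not the book's file). ALTERED differs from
# ORIGINAL in exactly one bit: 'H' is 0x48 = 0100 1000, 'I' is 0x49 = 0100 1001.
ORIGINAL = b"Hello, network forensics.\n"
ALTERED = b"Iello, network forensics.\n"

ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """Hex digest of data under each algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def input_bit_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def digest_bit_distance(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def compare(original: bytes, altered: bytes) -> dict:
    """For each algorithm: digest size (hex digits and bits) and how many
    output bits differ between the digests of the two inputs. For a sound
    hash, roughly half of the output bits flip regardless of input change."""
    d0, d1 = digests(original), digests(altered)
    return {
        name: {
            "hex_len": len(d0[name]),
            "bits": len(d0[name]) * 4,
            "changed_bits": digest_bit_distance(d0[name], d1[name]),
        }
        for name in ALGORITHMS
    }


def value_space(bits: int) -> int:
    """Number of distinct digests an n-bit hash can produce (2**n)."""
    return 2 ** bits


def verify_integrity(data: bytes, recorded_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest of acquired evidence and compare it to the value
    recorded at acquisition time. A mismatch means the data is not the data
    that was hashed, whether through corruption or tampering."""
    current = hashlib.new(algorithm, data).hexdigest()
    # compare_digest avoids leaking where the first differing digit is.
    return hmac.compare_digest(current, recorded_hex.strip().lower())


if __name__ == "__main__":
    print("input bits changed:", input_bit_distance(ORIGINAL, ALTERED))
    for name, info in compare(ORIGINAL, ALTERED).items():
        print(f"{name:7s} {info['bits']:3d}-bit digest, "
              f"{info['changed_bits']} of {info['bits']} output bits changed")
    print("MD5 value space:    %.3e" % value_space(128))
    print("SHA-256 value space: %.3e" % value_space(256))
    recorded = digests(ORIGINAL)["sha256"]
    print("original verifies:", verify_integrity(ORIGINAL, recorded))
    print("altered verifies: ", verify_integrity(ALTERED, recorded))
```

Run as a script it prints one line per algorithm. The digest lengths (32, 40 and 64 hex digits) match the 128-, 160- and 256-bit sizes given in the excerpt, and the count of changed output bits sits near half the digest length even though only one input bit moved. The standard test vectors for the three algorithms over the input "abc" can also be checked against the `digests` function.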
.....