2
Networking Basics
In this chapter, you will learn about:
What protocols are and how they work
The basics of TCP/IP
The difference between the OSI model and the TCP/IP architecture
Sitting at his desk, he was looking for his next target. A couple of quick Google searches and digging through various job sites gave him some ideas but he needed to know more. He was in need of addresses and hostnames and he knew of several places he would be able to locate that information. With just a few commands in his open terminal window he had a number of network addresses that he could start poking at. That gave him a starting point, and a few DNS queries later he had not only network addresses but some hostnames that went along with them. He was also able to get some contact information that could be useful later on.
Once he had his hostnames and addresses, he could figure out what programs may be listening on the ports that were open at those addresses. He knew that the application layer was where the money was – all of the problems lower down in the stack had long since been corrected, so the best way into a system was going to be through any program that was sitting behind one of those open ports. Once he knew what applications he needed to target, he would be golden and he could make his move. There was so much that he might be able to do with a poorly implemented web application environment, for example. He could just see his bank account growing with all of the credit cards and other information he may be able to steal.
I wouldn't be doing much of a job of talking about network forensics without going over the basics of networking protocols and where all of the important information about the Internet, and all of the networks attached to it, is stored. The people who are attacking networks know at least enough to make their way around the Internet and local networks, so forensics investigators need to know at least as much as the adversaries do in order to determine what they are doing. Even if the adversary is a piece of malware or someone internal to the company, you'll need to understand how it got to the system and interacted with the applications there.
We're going to start by talking about what a protocol is. In the course of going deeper into analysis, we'll be talking about protocols a lot, so it's important to have a foundation on which to build those later conversations. When we are talking about networking, the different protocols are sometimes best thought about in layers, and that's actually how you will see them represented. There are two conceptual models for thinking about the layers of network protocols. One of them is the Open Systems Interconnection (OSI) model, which describes seven layers in its stack. The other is the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, which has only four layers and evolved into a model after its implementation had finally stabilized.
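To make the layering concrete, here is an added example (not code from the book) that walks a constructed Ethernet/IPv4/TCP frame one header at a time, the way a receiving stack or a packet analyzer does. The frame bytes and every address and port in it are made up for illustration.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP,
# a client SYN to port 80. All addresses and ports are made-up values.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455")          # destination MAC
    + bytes.fromhex("66778899aabb")        # source MAC
    + bytes.fromhex("0800")                # EtherType: IPv4
    + bytes.fromhex("4500002800010000"     # IPv4: ver/IHL, TOS, total len 40, id, flags/frag
                    "40060000c0a80105"     # TTL 64, proto 6 (TCP), checksum 0, src 192.168.1.5
                    "5db8d822")            # dst 93.184.216.34
    + bytes.fromhex("c3500050"             # TCP: src port 50000, dst port 80
                    "0000000100000000"     # seq 1, ack 0
                    "5002ffff00000000")    # data offset 5, flags SYN, window, checksum, urgent
)

TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def flag_names(bits: int) -> list:
    """Translate the TCP flag bits into the names an analyst expects to see."""
    return [name for name, mask in TCP_FLAGS if bits & mask]


def decode_frame(frame: bytes) -> dict:
    """Peel the frame layer by layer: link, internet, transport, application."""
    layers = {}
    # Link layer (OSI layer 2): Ethernet II header is a fixed 14 bytes
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["link"] = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return layers  # not IPv4; this decoder stops here
    # Internet layer (OSI layer 3): IPv4 header length comes from IHL (32-bit words)
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["internet"] = {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
                          "src": ".".join(map(str, s)), "dst": ".".join(map(str, d))}
    if proto != 6:
        return layers  # only TCP is decoded beyond this point
    # Transport layer (OSI layer 4): TCP header length comes from the data offset
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    layers["transport"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                           "flags": flag_names(off_flags & 0x01FF), "window": window}
    # Application layer: whatever bytes remain above the transport header
    layers["application"] = {"payload": tcp[data_off:]}
    return layers
```

Each key in the returned dictionary corresponds to one layer of the TCP/IP model, so the output shows directly which header fields belong to which layer.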
The Internet protocols associated with the Advanced Research Projects Agency (ARPA) and later the Internet Engineering Task Force (IETF) have, almost since the very beginning, been created in an open, collaborative manner. As such, they start as documents that are called requests for comments (RFCs). Understanding these documents can be very useful. If there is ever a question about what you are looking at in practice, you can refer back to the original documentation to look up details about the protocols and standards, and see what the traffic is expected to look like.
The Internet is collaborative because it's a global entity, and as a result a number of interested parties want a say in how it's managed. As a global network, information related to networks and domains is stored in a number of places. Knowing where the information is stored and how you can look it up will provide essential information during the course of an investigation. Once we are done here, you will have a better understanding of how all of the information is stored and where you can get at it.