Module 16 Network Forensics, Investigating Logs and Investigating Network Traffic.pptx

efrizalzaida 12 views 118 slides Jun 06, 2024


Slide Content

Module 16

CHFI: Computer Hacking Forensic Investigator

SECURITY NEWS

28 Jul 2011

Reported widely in the general media, wholesale ISP and international IP capacity
provider Platform Networks has played a critical part in the arrest of a 25-year-old
Cowra man on 49 hacking charges by the Australian Federal Police (AFP), providing
the AFP High Tech Crimes unit with access to network traffic, resources and logs
over a period of 6 months.

In a letter to customers, David Hooton, Platform Networks' managing director,
assured his customers that they were not at risk.

"The activity in question was far reaching, involved a large number of networks
both in and outside of Australia, and was not focused on either Platform
Networks or any of its customers specifically." Talking to searchSecurity.com.au
on Wednesday morning, Mr Hooton made it clear that Platform Networks had the
network monitoring and intelligence in place to identify issues on the network as
part of routine systems checks and "real-time" security monitoring.

http://searchsecurity.techtarget.com.au

Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Jessica was missing from her home for a week. She left a note
for her father mentioning that she was going to meet her school
friend. A few weeks later Jessica’s dead body was found near a
dumping yard.

Investigators were called in to investigate Jessica’s death. A
preliminary investigation of Jessica’s computer and logs revealed
some facts that helped the cops trace the killer.


Module Objectives

- Network Forensics Analysis Mechanism
- Intrusion Detection Systems (IDS)
- Firewall
- Honeypot
- Types of Network Attacks
- New Line Injection Attack
- Timestamp Injection Attack
- Where to Look for Evidence?
- Handling Logs as Evidence
- Condensing Log Files
- Why Investigate Network Traffic?
- Acquiring Traffic Using DNS Poisoning Techniques
- Evidence Gathering from ARP Table
- Traffic Capturing and Analysis Tools

Module Flow

- Network Forensics
- Network Attacks
- Log Injection Attacks
- Investigating and Analyzing Logs
- Investigating Network Traffic
- Traffic Capturing and Analysis Tools

Network Attack Statistics

(Chart: number of vulnerabilities by category. Source: Kaspersky Lab, http://www.securelist.com)

Network Forensics

Network forensics is the process of identifying criminal activity and the
people behind it

Network forensics can be defined as the sniffing, recording, acquisition
and analysis of the network traffic and event logs in order to investigate a
network security incident

It allows investigators to inspect network traffic and logs to identify and
locate the attack system

Network forensics can reveal:
- Source of security incidents and network attacks
- Path of the attack
- Intrusion techniques used by attackers

Network Forensics Analysis Mechanism

(Diagram: the analysis interface draws on an asset knowledge base and an attack reasoning component.)

Network Addressing Schemes

There are two types of network addressing schemes:

LAN Addressing
- Each node in a LAN has a MAC address that is factory-programmed into its NIC
- Data packets are addressed to either one of the nodes or all of the nodes

Internet Addressing
- The Internet is a collection of LANs and/or other networks that are connected with routers
- Each network has a unique address and each node on the network has a unique address, so an Internet address is a combination of network and node addresses
- IP is responsible for network layer addressing in the TCP/IP protocol

Overview of Network Protocols

Layer         Data unit   Function                                          Protocols
Host layers
Application               Network process to application                    HTTP, SMTP, NNTP, TELNET, FTP, SNMP, TFTP
Presentation              Data representation and encryption
Session                   Interhost communication
Transport     Segments    End-to-end connections and reliability            UDP, TCP
Media layers
Network       Packets     Path determination and logical addressing (IP)    ARP, RARP, ICMP, IGMP, IP
Data Link                 Physical addressing (MAC and LLC)                 PPP, SLIP
Physical                  Media, signal and binary transmission

Overview of Physical and Data-Link Layer of the OSI Model

Physical Layer
- It helps in transmitting data bits over a physical channel
- It has a set of predefined rules that physical devices and interfaces on a network have to follow for data transmission to take place

Data-Link Layer
- It controls error in transmission by adding a trailer to the end of the data frame

Overview of Network and Transport Layer of the OSI Model

Network Layer
- It is responsible for sending information from the source to a destination address across various links
- It adds logical addresses of the sender and receiver to the header of the data packet

Transport Layer
- The transport layer ensures the integrity and order of the message sent by the source to its destination
- It also controls the error and flow control in the transmission

Protocol Stack

(Diagram: application protocols such as FTP and HTTP sit at the application, presentation and session layers; the lower layers use protocols defined by the underlying networks.)

Intrusion Detection Systems (IDS)

(Diagram: IDS sensors placed at the Internet router, in the DMZ and on the user intranet.)

- An intrusion detection system (IDS) gathers and analyzes information from within a computer or a network to identify the possible violations of security policy, including unauthorized access, as well as misuse
- An IDS is also referred to as a "packet-sniffer," which intercepts packets traveling along various communication mediums and protocols, usually TCP/IP
- The packets are analyzed after they are captured
- An IDS evaluates a suspected intrusion once it has taken place and signals an alarm

How IDS Works

(Diagram: packets from the Internet are checked against a signature file database; on a match, an alarm notifies the admin through the log server, the packet is dropped and connections from that IP source are cut down.)

Types of Intrusion Detection Systems

Network-Based Intrusion Detection
- These mechanisms typically consist of a black box that is placed on the network in promiscuous mode, listening for patterns indicative of an intrusion

Host-Based Intrusion Detection
- These mechanisms usually include auditing for events that occur on a specific host
- These are not as common, due to the overhead they incur by having to monitor each system event

File Integrity Checking (heading not legible on the slide)
- These mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there, for example, Tripwire

Log File Monitoring
- These mechanisms are typically programs that parse log files after an event has already occurred, such as failed login attempts

General Indications of Intrusions

File System Intrusions
- The presence of new, unfamiliar files
- Unexplained changes in the file's size
- Rogue files on the system that do not correspond to your master list of signed files
- Unfamiliar file names in directories
- Missing files

Network Intrusions
- Repeated probes of the available services on your machines
- Connections from unusual locations
- Repeated login attempts from remote hosts
- Arbitrary data in log files, indicating an attempt at creating either a Denial of Service, or a crash service

Firewall

- A firewall is hardware, software, or a combination of both designed to prevent unauthorized access to or from a private network
- It is placed at the junction point, or gateway, between two networks, which is usually a private network and a public network such as the Internet
- A firewall examines all messages entering or leaving the intranet and blocks those that do not meet the specified security criteria
- Firewalls may be concerned with the type of traffic or with the source or destination addresses and ports

(Diagram: the firewall sits between the secure private local area network and the public network/Internet; specified traffic is allowed, restricted unknown traffic is blocked.)

Honeypot

- A honeypot is an information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network
- It has no authorized activity, does not have any production value and is susceptible to a probe, attack, or compromise
- A honeypot can be used to log access attempts to those ports, including the attacker's keystrokes; this could send early warnings of a more concerted attack

(Diagram: the honeypot is placed in the DMZ; a firewall/packet filter separates the internal network from the Internet and the attacker.)


Network Vulnerabilities

(Slide text not legible beyond the heading.)

Types of Network Attacks

(Diagram: IP address spoofing, packet sniffing, port scanning, man-in-the-middle attack, Trojan horse, enumeration, viruses and worms, session and modification attacks, infection attacks.)

IP Address Spoofing

- IP spoofing refers to a process in which an attacker changes his or her IP address so that he or she appears to be someone else
- When the victim replies to the address, it goes back to the spoofed address and not to the attacker's real address

(Diagram: the attacker sends a packet with the spoofed address 7.7.7.7 to the victim; the reply goes to the spoofed address rather than the attacker's real address.)

IP spoofing using Hping2:

Hping2 www.juggyboy.com -a 7.7.7.7

You will not be able to complete the three-way handshake and open a successful TCP connection by spoofing an IP address

Man-in-the-Middle Attack

Attackers use different techniques and split
the TCP connection into two connections

1. Client-to-attacker connection
2. Attacker-to-server connection

After the successful interception of a TCP
connection, an attacker can read, modify,
and insert fraudulent data into the
intercepted communication

In the case of an HTTP transaction, the TCP
connection between the client and the
server becomes the target

Packet Sniffing

- By placing a packet sniffer on a network in promiscuous mode, an attacker can capture and analyze all of the network traffic
- An attacker can steal sensitive information by sniffing the network
- Many enterprises' switch ports are open; usually any laptop can plug in to the network and gain access to the network
- A packet sniffer can only capture packet information within a [text cut off on the slide]

(Diagram: traffic exposed to a sniffer includes Telnet passwords, email traffic, syslog traffic, web traffic, DNS traffic, chat sessions, router configuration and FTP passwords.)

How a Sniffer Works

- A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment
- A sniffer can constantly read all information entering the computer through the NIC by decoding the information encapsulated in the data packet

(Diagram: NIC card in promiscuous mode feeding the sniffer.)

Enumeration

- Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system
- Enumeration techniques are conducted in an intranet environment

(Diagram: targets of enumeration are users and groups, network resources and shares, applications and banners, and auditing settings.)

Denial of Service Attack

- Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources
- In a DoS attack, attackers flood a victim system with non-legitimate service requests or traffic to overload its resources, which prevents it from performing intended tasks
- Malicious traffic takes control over all the available bandwidth

(Diagram: attack traffic from the Internet crowds out regular traffic to the victim.)

Session Sniffing

- The attacker uses a sniffer to capture a valid session token called a "Session ID"
- The attacker then uses the valid session token to gain unauthorized access to the web server

(Diagram: the attacker sniffs a legitimate session between the victim and the web server.)

Buffer Overflow

- A buffer overflow occurs when a buffer has been overrun in the stack space
- The attacker injects malicious code on the stack and overflows it to overwrite the return pointer so that the flow of control switches to the malicious code

(Diagram, three stack layouts: a normal stack with a 4-byte return address above n bytes of data on the stack segment, ending at the end of stack (SP); the stack when the attacker calls a function, with n bytes plus new data; and the stack when the function smashes the stack, where some data may be overwritten, the return address is replaced by a new return address, and the overwritten data on the stack segment holds malicious code, e.g. execve(/bin/sh).)

Trojan Horse

- It is a program in which the malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on your hard disk
- With the help of a Trojan, an attacker gets access to the stored passwords in the Trojaned computer and would be able to read personal documents, delete files and display pictures, and/or show messages on the screen

(Diagram: the attacker sends commands to Trojan-infected victims in Chicago, London and Paris, which return credit card details, Facebook login and profile information, and e-banking login information.)


New Line Injection Attack

- In this attack, the attacker injects plaintext into the log files
- The attacker tries to divert the attention of the investigator towards another person
- The log file application relates the user to the action performed
- The attacker changes the log file source code by inserting [LINEBREAK] and changing the user name "Tester01" to say "Manager01"

(Code Fragment 1a: the log file before the attack; Code Fragment 1b: the log file after the attack. Neither fragment is legible on the slide.)

Defending New Line Injection Attacks

- Remove all the new line characters such as carriage return (0x0D) and line feed (0x0A) characters
- The resulting log file would be as shown in Code Fragment 1c (not legible on the slide)

Separator Injection Attack

- In this attack, the attacker injects a single pipe character or multiple pipe characters into the log files
- Some systems contain log files that have several data columns; these log files contain single lines of text and data fields separated by a pipe character
- When the attacker injects single or multiple pipe characters, the previous values are replaced and shifted from one column to the next

Separator Injection Attack (Cont'd)

- Consider the example where the value in the value field is replaced with "9.99 | WRITE": the values are shifted from one column to the next (Code Fragment 2a: sample log file; Code Fragment 2b: replaced value field; neither is legible on the slide)
- Shifting log columns causes inconsistency in a log file

Defending Separator Injection Attacks

- Sanitize the inputs by morphing incoming data to a different representation
- URL encoding and slash ("\") encoding techniques can be used to sanitize the inputs
- In the URL encoding technique, the pipe character is encoded to a percentage sign followed by the hexadecimal representation of its ASCII value

(Code Fragment 2c: log file after implementing URL encoding; not legible on the slide.)

Timestamp Injection Attack

- This attack uses a combination of the [text cut off on the slide]
- Consider a stock trading system that stores all trade information in a log file (Trades.dat) as shown in Code Fragment 3a (not legible on the slide)

Timestamp Injection Attack (Cont'd)

- The log output for new line input injection may look like: "1-05-2010 : 1002 : Trader1 has ..." (only fragments are legible on the slide)

Timestamp Injection Attack

- The attacker must know the date and time of the logging component
- The entries cannot be injected in a chronological order
- The timestamp should lie between the surrounding timestamps
- It is easy to determine a region of uncertainty if a limited number of lines are injected
- These scenarios create doubts in a legal case

Defending Timestamp Injection Attacks

- Use sequence numbering; it is similar to time stamping and helps in overcoming the predictable entry creation problems (Code Fragment 3c; not legible on the slide)

Word Wrap Abuse Attack

- In a word wrap abuse attack, unusual log entries are created by using [text cut off on the slide]
- The line may [text cut off] and cause an attack similar to a new line injection attack
- Instead of the new line removal technique, the attacker may use the following input: [not legible on the slide]
- The log file looks like: | ... | Fail ... files for Manager01. (Code Fragment 4a; only partly legible)

Defending Word Wrap Abuse Attacks

- The solution for this type of attack is entry splitting
- The log is split into multiple lines after a specific length
- Insert a marker to indicate that splitting has occurred
- This technique provides generalized protection from forms of injection, as they depend on long inputs being undetectable
- The log file entry after splitting: here [CR] indicates that the logging software has inserted a carriage return
- The disadvantage of this method is that it may compromise the integrity of entries
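The three defences above (new line removal, URL encoding of the pipe separator, and entry splitting with a [CR] marker) as one added Python example; this is not code from the slides, and the 60-character split width, the four-column layout and the sample inputs are assumptions made for the demo.

```python
"""Log-entry sanitizer for new line, separator and word wrap abuse attacks (added example)."""

SEPARATOR = "|"
SPLIT_WIDTH = 60  # assumed fixed length after which a long entry is split


def strip_newlines(value: str) -> str:
    """New line injection defence: drop carriage return (0x0D) and line feed (0x0A)
    from user-controlled input so it can never start a second log line."""
    return value.replace("\r", "").replace("\n", "")


def encode_separator(value: str) -> str:
    """Separator injection defence: URL-encode the pipe character (ASCII 0x7C) so an
    injected pipe cannot shift the remaining columns. '%' is encoded as well so the
    transformation stays reversible."""
    return value.replace("%", "%25").replace(SEPARATOR, "%7C")


def format_entry(timestamp: str, user: str, action: str, value: str) -> str:
    """Build one pipe-delimited entry from untrusted field values."""
    fields = (timestamp, user, action, value)
    return " | ".join(encode_separator(strip_newlines(f)) for f in fields)


def parse_entry(line: str) -> list[str]:
    """Split a stored entry back into its columns (the investigator's view)."""
    return [field.strip() for field in line.split(SEPARATOR)]


def split_entry(entry: str, width: int = SPLIT_WIDTH) -> list[str]:
    """Word wrap abuse defence (entry splitting): cut an over-long entry after a fixed
    length and append a [CR] marker to every piece that was cut, so a break inserted
    by the logger is distinguishable from one an attacker supplied."""
    if len(entry) <= width:
        return [entry]
    pieces = [entry[i:i + width] for i in range(0, len(entry), width)]
    return [p + "[CR]" for p in pieces[:-1]] + [pieces[-1]]


def join_split_entry(lines: list[str]) -> str:
    """Reverse of split_entry: remove the logger's own [CR] markers."""
    return "".join(line.removesuffix("[CR]") for line in lines)


if __name__ == "__main__":
    # Constructed attacker inputs modelled on the slides: a user name carrying a
    # line break plus a fake "Manager01" record, and the value field "9.99 | WRITE".
    tricky_user = "Tester01\r\n1-05-2010 | Manager01 | DELETE | files"
    entry = format_entry("1-05-2010", tricky_user, "WRITE", "9.99 | WRITE")
    print(entry)                 # still a single line with four columns
    print(parse_entry(entry))
    for line in split_entry(entry):
        print(line)
```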

HTML Injection Attack

- In this attack, the attacker injects [text cut off on the slide] into a log
- This will control the display of the subsequent entries
- Consider an HTML log file that is potentially not secure
- The browser under normal conditions displays a list of all the [text cut off] along with a timestamp
- Line 7 in the example shows the potentially malicious [text cut off] which is under the attacker's control
- The attacker can disable logging to perform other attacks by changing the Session ID (the injected value is not legible on the slide)
- The table's current row is closed effectively and a new table is started with the background color the same as before
- Due to this, the session IDs will be logged in white font color, which makes it difficult to identify them against the background color

(Figures: the HTML log file, and the log file after the change; not legible on the slide.)

Defending HTML Injection Attacks

- Token removal is the solution for this kind of attack
- Identify the inputs given by the attacker
- Remove '<' and '>' characters wherever you find that a malicious input is given

Terminal Injection Attack

- It is an attack on the log viewing interface
- In this attack, terminal emulation is used to interpret a character sequence as special action directives to the terminal
- Terminal injection can be used on an FTP client log file on a Linux system
- As an example, a bash shell command is used as a backdoor by an attacker to display all the users' passwords
- Finally, the FTP client leaves the log file with passwords
- If the attacker knows that the administrator of the system inspects the log file via a cat command that displays its output in a terminal window, he can abuse its use of ANSI terminal sequences to clear the screen and make the log file appear empty

(Code Fragment 6a: FTP client log dated 2004.05.26 with entries for /home/jenny/.../test, .../backup and .../hackedbash; only fragments are legible on the slide.)

Defending Terminal Injection Attacks

- These attacks can be defended against using a raw viewer such as a hex editor
- Using a hex editor, the file contents can be viewed without any interpretation
- It provides a hexadecimal output, which is difficult to identify as shown

(Figure: hex output of a terminal injection attack; the dump is not legible on the slide.)


Postmortem and Real-Time Analysis

Forensic examination of logs is divided into two categories:

- Postmortem: postmortem analysis of logs is done for the investigation of something that has already happened
- Real-Time: real-time analysis is done for the ongoing process

Note: Practically, IDS is the real-time analysis, whereas the forensic examination is postmortem

Where to Look for Evidence

Capture log files of various devices and applications. Log files from the following devices and applications can be used as evidence for network security incidents:

- Routers
- Switches
- Servers, desktops, and mainframes
- Business applications
- Intrusion detection systems
- Intrusion prevention systems

Log Capturing Tool: ManageEngine EventLog Analyzer

- EventLog Analyzer is a web-based, real-time log monitoring and management software
- It collects, analyzes, reports, and archives:
  - event logs from distributed Windows hosts
  - syslogs from distributed Unix hosts, routers, switches, and other syslog devices
  - logs from IIS web servers

Log Capturing Tool: ManageEngine Firewall Analyzer

- ManageEngine Firewall Analyzer is a firewall log analysis tool for security event management that collects, analyzes, and archives logs from network perimeter security devices and generates reports

http://www.manageengine.com

Log Capturing Tool: GFI EventsManager

- GFI EventsManager automatically processes and archives logs, collecting the information you need to know about the most important events occurring in your network
- It supports a wide range of event types such as W3C, Windows events, Syslog, SQL Server and Oracle audit logs and SNMP traps generated by devices such as firewalls, routers and sensors

Features:
- Real-time alerts, SNMPv2 traps alerting included
- Centralized event logging
- Detection of Windows events that refer to administrators
- Collect events data distributed over a WAN into one central database
- Event log scanning profiles
- Report scheduling and automated distribution via email

(Screenshot of GFI EventsManager; not reproduced.)

http://www.gfi.com

Log Capturing Tool: Kiwi Syslog Server

- Kiwi Syslog Server is a syslog server for Windows that receives, logs, displays and forwards syslog messages from hosts such as routers, switches, Unix hosts and other syslog-enabled devices
- View syslog data from anywhere on the network via web access
- Log to any database with ODBC logging
- Automatically perform actions based on alerts such as sending email, forwarding messages, triggering audible alarms, etc.
- Filter messages and create advanced alerts with Advanced Script Processing
- View syslog messages in multiple windows simultaneously
- Produce trend analysis graphs and email syslog traffic statistics

Kiwi Syslog Server Screenshot

(Screenshot not reproduced.)

Handling Logs as Evidence

Avoid Missing Logs
- When no log files exist, there is no way of knowing if the server got no hits (say it was offline for a day) or if the log file was actually deleted
- Determine whether the server was running and online during the time for which log entries are not available by monitoring the server uptime records

Log File Authenticity

- An investigator can prove the authenticity of log files if they are unaltered from the time they were originally recorded
- If the server is compromised, the investigator should move the logs off the compromised server
- Move the logs to a master server and then to secondary storage media such as a DVD or disk

Use Signatures and Checksums

- To ensure that the log file is not modified, sign it by using the public-key encryption scheme
- Store the signature and checksum with the log
- Store a secure copy in a separate location
- Use a hashing tool to generate the hash code
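An added Python example, not code from the slides, that combines the sequence-numbering defence against timestamp injection with a per-entry checksum: each entry carries a sequence number, a SHA-256 digest chained to the previous entry, and an HMAC. HMAC with a shared key stands in here for the public-key signature the slide mentions; the key, the ISO-8601 timestamps and the Trades.dat-style records are assumptions for the demo.

```python
"""Tamper-evident log entries: sequence numbers, SHA-256 hash chain, HMAC (added example)."""
import hashlib
import hmac

GENESIS = "0" * 64      # chain value before the first entry
FIELD_SEP = "|"


def _chain_digest(prev: str, seq: int, ts: str, msg: str) -> str:
    """Digest of this entry, bound to the digest of the previous one."""
    return hashlib.sha256(f"{prev}|{seq}|{ts}|{msg}".encode()).hexdigest()


def _mac(key: bytes, digest: str) -> str:
    """Keyed checksum; without the key a forged entry cannot carry a valid MAC."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def append_entry(log: list[str], key: bytes, ts: str, msg: str) -> str:
    """Append 'seq|timestamp|message|digest|mac'. The message is sanitized first so
    a stray separator or newline cannot split the record."""
    msg = msg.replace("%", "%25").replace(FIELD_SEP, "%7C").replace("\n", "")
    seq = len(log) + 1
    prev = log[-1].split(FIELD_SEP)[3] if log else GENESIS
    digest = _chain_digest(prev, seq, ts, msg)
    line = FIELD_SEP.join([str(seq), ts, msg, digest, _mac(key, digest)])
    log.append(line)
    return line


def verify_log(log: list[str], key: bytes) -> int:
    """Return -1 if every entry is intact, else the index of the first entry that
    fails: wrong field count, sequence gap, timestamp going backwards, broken
    hash chain, or a MAC not produced with the key."""
    prev, last_ts = GENESIS, ""
    for i, line in enumerate(log):
        parts = line.split(FIELD_SEP)
        if len(parts) != 5:
            return i
        seq, ts, msg, digest, mac = parts
        if not seq.isdigit() or int(seq) != i + 1:
            return i        # an injected or deleted entry shifts the numbering
        if ts < last_ts:
            return i        # ISO-8601 timestamps: string order is time order
        if digest != _chain_digest(prev, i + 1, ts, msg):
            return i
        if not hmac.compare_digest(mac, _mac(key, digest)):
            return i
        prev, last_ts = digest, ts
    return -1


def build_sample_log(key: bytes) -> list[str]:
    """Constructed trade log in the spirit of the Trades.dat example."""
    log: list[str] = []
    append_entry(log, key, "2010-05-01T10:00:00", "Trader1 BUY 100 ACME 9.99")
    append_entry(log, key, "2010-05-01T10:02:00", "Trader1 SELL 100 ACME 10.10")
    append_entry(log, key, "2010-05-01T10:05:00", "Trader2 BUY 50 ACME 10.05")
    return log


def inject_unsigned_entry(log: list[str], index: int, ts: str, msg: str) -> None:
    """Demo only: an entry with a plausible timestamp and sequence number but a MAC
    computed without the real key, i.e. what a timestamp injection would look like."""
    prev = log[index - 1].split(FIELD_SEP)[3] if index else GENESIS
    digest = _chain_digest(prev, index + 1, ts, msg)
    log.insert(index, FIELD_SEP.join([str(index + 1), ts, msg, digest, _mac(b"wrong-key", digest)]))


if __name__ == "__main__":
    key = b"constructed-demo-key"   # in practice kept off the logging host
    log = build_sample_log(key)
    print("intact, first bad index:", verify_log(log, key))       # -1
    inject_unsigned_entry(log, 1, "2010-05-01T10:01:00", "Trader1 BUY 1000 ACME 0.01")
    print("after injection, first bad index:", verify_log(log, key))  # 1
```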

Work with Copies

- Do not use original log files for analysis; always work on copies
- The original logs are never touched, to preserve the authenticity of the original log files
- As court evidence, you must preserve log files in their original form

Ensure System's Integrity

- Always stay up-to-date on service packs and hotfixes to assure that the system's files are valid
- Audit all changes to binary files
- If an intruder modifies the system files that record log files, then the log files are not valid as evidence

Access Control

- Once a log file is created, it is important to prevent the file from being accessed and to audit any authorized and unauthorized access
- If you properly secure and audit a log file using NTFS permissions, you will have documented evidence to establish its credibility

(Diagram: NTFS permissions allow the authorized person and block the unauthorized person.)

Chain of Custody

- As you move log files from the server and later to an offline device, you should keep track of where the file goes
- This can be done either through technical or non-technical methods such as MD5 authentication

(Diagram: server, offline computer, chain of custody document.)

Condensing Log Files

- Log files can be sorted by using a syslog, but the output of the syslog contains a large log file
- It is difficult for the forensic team to look for the important log entry
- Log entries need to be filtered as per the requirement
- Tools that can be used:
  - Swatch (http://swatch.sourceforge.net)
  - Logcheck (http://logcheck.org)
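An added Python example of the condensing step (not Swatch or Logcheck code): it parses BSD-format syslog lines and reduces them to the repeated remote login failures per source host, one of the intrusion indicators listed earlier. The syslog sample, the sshd message format and the threshold of 3 are assumptions for the demo.

```python
"""Condense a syslog stream to repeated failed logins per remote host (added example)."""
import re
from collections import Counter
from typing import Optional

# Constructed syslog lines (BSD format, sshd/cron messages assumed for the demo).
SAMPLE_SYSLOG = """\
May  1 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
May  1 10:00:03 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
May  1 10:00:04 host1 cron[311]: (root) CMD (run-parts /etc/cron.hourly)
May  1 10:00:06 host1 sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
May  1 10:00:09 host1 sshd[2004]: Accepted password for jenny from 192.0.2.10 port 50123 ssh2
May  1 10:00:12 host1 sshd[2005]: Failed password for jenny from 198.51.100.7 port 41000 ssh2
May  1 10:00:15 host1 sshd[2006]: Failed password for root from 203.0.113.5 port 40004 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_syslog(line: str) -> Optional[dict]:
    """Split one syslog line into timestamp, host, program, pid and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def failed_logins(lines):
    """Yield (timestamp, source ip, user) for every sshd failed-login entry."""
    for line in lines:
        rec = parse_syslog(line)
        if not rec or rec["prog"] != "sshd":
            continue
        f = FAILED_RE.search(rec["msg"])
        if f:
            yield rec["ts"], f["ip"], f["user"]


def condense(lines, threshold: int = 3) -> dict:
    """Count failed logins per source and keep only hosts at or above the threshold."""
    counts = Counter(ip for _, ip, _ in failed_logins(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def summary(lines, threshold: int = 3) -> list:
    """One line per offending host with first/last seen time and the users tried."""
    events = list(failed_logins(lines))
    out = []
    for ip, n in sorted(condense(lines, threshold).items()):
        ev = [e for e in events if e[1] == ip]
        users = ",".join(sorted({u for _, _, u in ev}))
        out.append(f"{ip}: {n} failed logins {ev[0][0]} .. {ev[-1][0]} users={users}")
    return out


if __name__ == "__main__":
    for line in summary(SAMPLE_SYSLOG.splitlines()):
        print(line)
```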


Why Investigate Network Traffic?

To know who is generating the troublesome traffic, and where the traffic is being transmitted or received

To locate suspicious network traffic

To identify network problems

Evidence Gathering via Sniffing

A sniffer is computer software or hardware that can intercept and log traffic passing over a digital network or part of a network

Sniffers collect traffic from the network and transport layers other than the physical and data-link layer

Investigators should configure sniffers for the size of frames

Spanned ports and hardware taps help sniffing in a switched network

Sniffers, which put NICs in promiscuous mode, are used to collect digital evidence at the physical layer

Capturing Live Data Packets Using Wireshark

Wireshark is a traffic capturing and sniffing tool

Wireshark uses WinPcap to capture packets, so it can only capture packets on the networks supported by WinPcap

Captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks

Captured files can be programmatically edited via the command line

A set of filters for customized data display can be refined using a display filter

[Figure: Investigator -> Wireshark Tool -> Network]

Wireshark Screenshot

[Screenshot: Wireshark main window with the Filter Expression dialog]

http://www.wireshark.org

Display Filters in Wireshark
Display filters are used to change the view of packets in the captured files

Example: type the protocol in the filter box: arp, http, tcp, udp, dns

tcp.port==23

ip.addr==192.168.1.100

ip.addr==192.168.1.100 && tcp.port==23

ip.dst==10.0.1.50 && frame.pkt_len > 400

ip.addr==10.0.1.12 && icmp && frame.number > 15 && frame.number < 30

Filtering by IP address:

ip.src==205.153.63.30 or ip.dst==205.153.63.30

ip.addr==10.0.0.4
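The filters above are easy to misread, in particular the fact that `ip.addr` and `tcp.port` match either end of the packet. The following added example (not from the original slides or from Wireshark) replays each filter's matching rule in Python over a handful of constructed packet summaries, so the semantics can be checked without a capture file. It also goes one step beyond the slide to show why `ip.addr != X` does not exclude a host.

```python
"""How Wireshark display-filter fields match, replayed in Python.

Added example, not from the original slides or the Wireshark project. The
packets below are constructed records carrying only the fields the slide's
filters use; each function mirrors one field's matching rule.
"""

# Constructed packet summaries: frame.number, frame length, protocol, addresses, ports
PACKETS = [
    dict(number=1,  length=74,  proto="tcp",  src="192.168.1.100", dst="10.0.1.50",     sport=51000, dport=23),
    dict(number=2,  length=60,  proto="tcp",  src="10.0.1.50",     dst="192.168.1.100", sport=23,    dport=51000),
    dict(number=3,  length=512, proto="tcp",  src="192.168.1.7",   dst="10.0.1.50",     sport=40000, dport=80),
    dict(number=16, length=98,  proto="icmp", src="10.0.1.12",     dst="205.153.63.30", sport=None,  dport=None),
    dict(number=31, length=98,  proto="icmp", src="10.0.1.12",     dst="205.153.63.30", sport=None,  dport=None),
    dict(number=40, length=66,  proto="udp",  src="10.0.0.4",      dst="205.153.63.30", sport=5353,  dport=53),
]


# --- field semantics ---------------------------------------------------------
def ip_addr(pkt, addr):
    """ip.addr == X is true when X is the source OR the destination."""
    return pkt["src"] == addr or pkt["dst"] == addr


def ip_src(pkt, addr):
    return pkt["src"] == addr


def ip_dst(pkt, addr):
    return pkt["dst"] == addr


def tcp_port(pkt, port):
    """tcp.port == N is true when N is the source OR the destination port of a TCP packet."""
    return pkt["proto"] == "tcp" and port in (pkt["sport"], pkt["dport"])


def proto_is(pkt, name):
    """A bare protocol name (icmp, tcp, udp, ...) is true when that layer is present."""
    return pkt["proto"] == name


# --- the slide's filters as predicates -----------------------------------------
FILTERS = {
    "tcp.port==23":
        lambda p: tcp_port(p, 23),
    "ip.addr==192.168.1.100 && tcp.port==23":
        lambda p: ip_addr(p, "192.168.1.100") and tcp_port(p, 23),
    # frame.pkt_len is the field name on the slide; current Wireshark calls it frame.len
    "ip.dst==10.0.1.50 && frame.pkt_len > 400":
        lambda p: ip_dst(p, "10.0.1.50") and p["length"] > 400,
    "ip.addr==10.0.1.12 && icmp && frame.number > 15 && frame.number < 30":
        lambda p: ip_addr(p, "10.0.1.12") and proto_is(p, "icmp") and 15 < p["number"] < 30,
    "ip.src==205.153.63.30 or ip.dst==205.153.63.30":
        lambda p: ip_src(p, "205.153.63.30") or ip_dst(p, "205.153.63.30"),
    # Pitfall: "ip.addr != X" is true whenever EITHER address differs from X,
    # so it keeps nearly everything. To exclude a host, negate the equality.
    "ip.addr != 192.168.1.100 (pitfall)":
        lambda p: p["src"] != "192.168.1.100" or p["dst"] != "192.168.1.100",
    "!(ip.addr == 192.168.1.100)":
        lambda p: not ip_addr(p, "192.168.1.100"),
}


def apply_filter(name, packets=PACKETS):
    """Return the frame numbers the named display filter would show."""
    return [p["number"] for p in packets if FILTERS[name](p)]


if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:70} -> frames {apply_filter(name)}")
```

Frames 1 and 2 are the two directions of one Telnet connection; `tcp.port==23` shows both, which is what you want when reconstructing a session. The pitfall filter keeps every frame in the sample, whereas the negated equality drops frames 1 and 2 as intended.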

Additional Filters

tcp contains traffic: displays all TCP packets that contain the word "traffic"

Acquiring Traffic Using DNS
Poisoning Techniques

1. DNS poisoning is a technique that tricks a DNS server into believing that it has received authentic information when, in reality, it has not

2. It results in the substitution of a false Internet provider address at the domain name service level, where web addresses are converted into numeric Internet provider addresses

3. Perform DNS poisoning by setting up a fake website

[Figure: Intranet DNS Spoofing (Local Network); Internet DNS Spoofing (Remote Network); Proxy Server DNS Poisoning; DNS Attack Scripts]

Intranet DNS Spoofing (Local Network)

For this technique, you must be connected to the local area network (LAN) and be able to sniff packets

It works well against switches when the router is ARP-poisoned

[Figure: Router (IP 10.0.0.254); DNS request for www.xsecurity.com (IP 200.0.0.45); the investigator poisons the router and redirects DNS requests to his machine, sniffs the credential, and redirects the request to the real website; the fake website is located at 10.0.0.5; the attacker runs arpspoof/dnsspoof]

Internet DNS Spoofing (Remote Network)

In this example of Internet DNS spoofing, the investigator infects Rebecca's machine with a Trojan and changes her DNS IP address to that of the investigator

[Figure: Rebecca (IP 10.0.0.5) asks "What is the IP of www.xsecurity.com?"; her browser connects to 65.0.0.2; the investigator sniffs the credential and redirects the request to the real website www.xsecurity.com; the attacker runs a DNS server in Russia (IP 200.0.0.2)]

Proxy Server DNS Poisoning

In this example, the investigator sends a Trojan to Rebecca's machine and changes her proxy server settings in Internet Explorer to those of the investigator

[Figure: Rebecca (IP: 10.0.0.5); Internet Explorer LAN proxy settings dialog; the attacker runs a proxy server in Russia (IP: 200.0.0.2); the investigator's fake website (IP: 65.0.0.2) sniffs the credential and redirects the request to the real website www.xsecurity.com (IP: 200.0.0.45)]

DNS Cache Poisoning

DNS cache poisoning involves changing or adding records in the resolver cache of a DNS server so that a DNS query for a domain returns the IP address of a fake website set up by the investigator

If the server cannot validate that DNS responses have come from an authoritative source, it will cache the incorrect entries locally and serve them to users who make the same request

[Figure: the user asks the internal DNS "What is the IP address of www.xsecurity.com?"; the attacker's rogue DNS answers instead of the authoritative server for xsecurity.com; the DNS cache at the user is updated with the IP of the fake website and the user is redirected to it]
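The second bullet is the crux: a resolver is poisoned when it accepts a response it cannot tie to a query it actually sent. The following added example (not from the original slides) shows the resolver-side checks that make this hard: a response must carry the transaction ID and destination port of an outstanding query, its question must match, and every record it carries must be "in bailiwick" (inside the zone the queried server is authoritative for). Responses are constructed dictionaries rather than parsed wire packets, and the addresses and names are documentation values.

```python
"""Resolver-side checks that blunt DNS cache poisoning.

Added example (not from the original slides): a cache accepts a response
only if it answers an outstanding query (matching transaction ID, port and
question) and only if every record it carries is in bailiwick. Responses
and records are constructed dictionaries, not parsed DNS packets.
"""


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a subdomain of it (case-insensitive)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


class ValidatingCache:
    def __init__(self):
        self.pending = {}   # (txid, local port) -> {"qname": ..., "zone": ...}
        self.records = {}   # name -> ip

    def send_query(self, txid, src_port, qname, zone):
        """Remember what we asked so unsolicited answers can be recognized.

        In a real resolver txid and src_port are both randomized, which is
        what makes blind guessing of this pair expensive.
        """
        self.pending[(txid, src_port)] = {"qname": qname, "zone": zone}

    def receive(self, resp):
        """Validate a response; return the reasons it was rejected (empty list if accepted)."""
        key = (resp["txid"], resp["dst_port"])
        query = self.pending.get(key)
        if query is None:
            return ["no outstanding query with this transaction ID and port"]
        reasons = []
        if resp["qname"].lower() != query["qname"].lower():
            reasons.append("question section does not match the query")
        for rec in resp["answers"] + resp["additional"]:
            if not in_bailiwick(rec["name"], query["zone"]):
                reasons.append(f"record for {rec['name']} is outside zone {query['zone']}")
        if reasons:
            return reasons
        for rec in resp["answers"] + resp["additional"]:
            self.records[rec["name"].lower()] = rec["ip"]
        del self.pending[key]
        return []


def demo():
    """Constructed exchange: two forged responses followed by the genuine one."""
    cache = ValidatingCache()
    cache.send_query(txid=0x1A2B, src_port=40123, qname="www.example.com", zone="example.com")

    # Forged response 1: the sender guessed the transaction ID wrong.
    forged_txid = dict(txid=0x0001, dst_port=40123, qname="www.example.com",
                       answers=[dict(name="www.example.com", ip="203.0.113.66")], additional=[])
    # Forged response 2: right ID, but smuggles a record for an unrelated domain.
    forged_glue = dict(txid=0x1A2B, dst_port=40123, qname="www.example.com",
                       answers=[dict(name="www.example.com", ip="203.0.113.66")],
                       additional=[dict(name="bank.example.org", ip="203.0.113.66")])
    # Genuine response from the authoritative server.
    genuine = dict(txid=0x1A2B, dst_port=40123, qname="www.example.com",
                   answers=[dict(name="www.example.com", ip="192.0.2.10")], additional=[])

    r1 = cache.receive(forged_txid)
    r2 = cache.receive(forged_glue)
    r3 = cache.receive(genuine)
    return r1, r2, r3, dict(cache.records)


if __name__ == "__main__":
    for label, result in zip(["forged txid", "forged glue", "genuine", "cache"], demo()):
        print(f"{label}: {result}")
```

Only the genuine answer reaches the cache. A production resolver usually discards just the out-of-bailiwick records and keeps the rest of the response; this example rejects the whole response to keep the logic short. The same idea underlies the slide's remark about validating that responses "have come from an authoritative source": without a stronger mechanism such as DNSSEC signatures, these checks are what stands between a guessable response and a poisoned cache.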

Evidence Gathering from

MAC address: a part of the data-link layer that is associated with the system

The DHCP database determines the MAC addresses associated with the computer in custody

The DHCP server maintains a list of recent queries along with the MAC address and IP address

Documentation of the ARP table is done by:
> Photographing the computer screen
> Taking a screenshot of the table and saving it on a disk
> Using the HyperTerminal logging facility

Gathering Evidence by IDS

An IDS can be configured to capture the network traffic and generate alerts

Output from networking devices such as routers and firewalls can be recorded through a serial cable using the Windows HyperTerminal program or a UNIX script

If the amount of information to be captured is huge, then record the on-screen events using a video camera or a related software program


NetworkMiner

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that is used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports, etc.

It extracts files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network

http://www.netresec.com

Tcpdump/Windump

Tcpdump is a very powerful command line packet sniffer that runs on Linux and Windows

Tcpdump: runs on Linux and UNIX systems
WinDump: runs on Windows systems
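Tcpdump and WinDump write captures in the libpcap file format, which is also what NetworkMiner and Wireshark read when they parse a PCAP file. The following added example (not code from tcpdump, WinDump or any tool on this page) builds a one-packet capture by hand and parses it back, so the on-disk layout that every one of these tools shares can be seen field by field. The Ethernet/IPv4/TCP frame and its addresses are constructed for the demonstration.

```python
"""Minimal libpcap file writer and reader in pure Python.

Added example (not tcpdump's or WinDump's code): tcpdump -w and WinDump -w
write this file format, and most analysis tools read it. The packet below is
constructed by hand (Ethernet + IPv4 + TCP headers, no payload).
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4     # microsecond-resolution pcap, written little-endian below
LINKTYPE_ETHERNET = 1


def ip_checksum(header):
    """Standard one's-complement sum over the IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_packet():
    """Constructed Ethernet/IPv4/TCP SYN from 192.0.2.10:40000 to 198.51.100.5:23."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"  # dst MAC, src MAC, IPv4
    src_ip, dst_ip = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5])
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol (6 = TCP), checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0, src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return eth + ip_hdr + tcp


def write_pcap(packets, ts_sec=1717668000):
    """Return the bytes of a pcap file holding `packets` (a list of raw frames)."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(packets):
        # record header: ts_sec, ts_usec, included length, original length
        out.append(struct.pack("<IIII", ts_sec, i * 1000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def summarize_frame(ts, frame):
    """Pull addresses and ports out of an Ethernet/IPv4 frame; other frames stay unparsed."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != 0x0800:
        return (ts, None, None, "ethertype 0x%04x" % ethertype, None, None)
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    src = ".".join(map(str, frame[14 + 12: 14 + 16]))
    dst = ".".join(map(str, frame[14 + 16: 14 + 20]))
    l4 = 14 + ihl
    sport = dport = None
    if proto in (6, 17):                     # TCP or UDP: ports are the first four bytes
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return (ts, src, dst, {6: "tcp", 17: "udp", 1: "icmp"}.get(proto, str(proto)), sport, dport)


def read_pcap(data):
    """Parse pcap bytes into a list of (timestamp, src_ip, dst_ip, proto, sport, dport)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported or byte-swapped pcap magic: %#x" % magic)
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset, records = 24, []
    while offset < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        frame = data[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        records.append(summarize_frame(ts_sec + ts_usec / 1e6, frame))
    return records


if __name__ == "__main__":
    for rec in read_pcap(write_pcap([build_sample_packet()])):
        print(rec)
```

The reader deliberately refuses files whose magic it does not recognize (big-endian or nanosecond variants, pcapng) instead of guessing, which is the behaviour you want from anything that feeds evidence into a report. The hash-and-copy discipline from the earlier slides applies to the capture file just as it does to logs.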

Intrusion Detection Tool: Snort

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks

It can perform protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts

It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture

Snort can be used as:
> A straight packet sniffer like tcpdump
> A packet logger (useful for network traffic debugging, etc.)
> A network intrusion prevention system

[Screenshot: Snort console output]

http://www.snort.org

How Snort Works

[Figure: NIC in promiscuous mode sniffing network traffic -> Snort Engine (Primary NIC), consulting the Rule Set -> Output Plugins -> Reporting and Alerting Engine (ACID) -> Administrator]

> Rules Files: These are plain text files that contain a list of rules with a known syntax

> Decoder: Saves the captured packets into the heap, identifies link-level protocols, and decodes IP

> Detection Engine: It matches packets against rules previously loaded into memory at Snort initialization

> Output Plug-ins: These modules format the notifications for the user to access them in different ways (console, external files, databases, etc.)
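The pipeline above (rules file -> rules loaded into memory -> detection engine -> output plug-in) can be followed end to end in the following added example. It is not Snort code and implements only a small subset of the rule language: the action, protocol, CIDR addresses and ports of the rule header, plus the msg, content and sid options. The rules file and the packets are constructed for the demonstration, and the sid values are local ones above the range Snort reserves for its own rules.

```python
"""How a Snort rules file drives the detection engine, in miniature.

Added example; it is not Snort code and covers only a small subset of the
rule language (action, protocol, addresses with CIDR, ports, and the msg,
content and sid options). Rules and packets are constructed.
"""
import ipaddress
import re

# Constructed rules file in Snort syntax (local sids, above the reserved range).
RULES_FILE = """\
# telnet into the server network is not expected at all
alert tcp any any -> 10.0.0.0/8 23 (msg:"Telnet connection to internal host"; sid:1000001;)
alert tcp any any -> any 80 (msg:"Possible directory traversal"; content:"../"; sid:1000002;)
alert icmp any any -> 10.0.0.0/8 any (msg:"ICMP to internal network"; sid:1000003;)
"""

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rules(text):
    """Load rules into memory, as Snort does from its rules files at initialization."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        rule = m.groupdict()
        opts = {}
        for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
            key, _, value = opt.partition(":")
            opts[key.strip()] = value.strip().strip('"')
        rule["opts"] = opts
        rule["src_net"] = None if rule["src"] == "any" else ipaddress.ip_network(rule["src"], strict=False)
        rule["dst_net"] = None if rule["dst"] == "any" else ipaddress.ip_network(rule["dst"], strict=False)
        rules.append(rule)
    return rules


def _port_ok(spec, port):
    return spec == "any" or (port is not None and int(spec) == port)


def _addr_ok(net, addr):
    return net is None or ipaddress.ip_address(addr) in net


def match(rule, pkt):
    """Detection engine: does the packet satisfy the rule header and its content option?"""
    return (rule["proto"] == pkt["proto"]
            and _addr_ok(rule["src_net"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst_net"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])
            and rule["opts"].get("content", "").encode() in pkt["payload"])


def run_engine(rules, packets):
    """Output stage: one alert line per (rule, packet) hit, in the style of Snort's fast alert."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and match(rule, pkt):
                alerts.append("[1:%s:0] %s {%s} %s:%s -> %s:%s" % (
                    rule["opts"]["sid"], rule["opts"]["msg"], pkt["proto"].upper(),
                    pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    return alerts


# Constructed packet summaries standing in for what the decoder would hand over.
PACKETS = [
    dict(proto="tcp", src="192.0.2.7", sport=50000, dst="10.1.2.3", dport=23, payload=b""),
    dict(proto="tcp", src="192.0.2.7", sport=50001, dst="10.1.2.3", dport=80,
         payload=b"GET /images/../../secret.txt HTTP/1.0\r\n"),
    dict(proto="tcp", src="192.0.2.7", sport=50002, dst="10.1.2.3", dport=80,
         payload=b"GET /index.html HTTP/1.0\r\n"),
    dict(proto="icmp", src="203.0.113.1", sport=None, dst="10.9.9.9", dport=None, payload=b""),
]

if __name__ == "__main__":
    for line in run_engine(parse_rules(RULES_FILE), PACKETS):
        print(line)
```

Three of the four packets raise an alert; the plain `GET /index.html` does not, because rule 1000002 requires the `../` content as well as port 80. Real Snort adds a great deal on top of this (stream reassembly, preprocessors, fast pattern matching, thresholds), but the relationship between the rules file and what the administrator eventually sees is the same.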

IDS Policy Manager has been the for managing Snort rules on Windows

[Screenshot: IDS Policy Manager main window]

http://activeworx.org

MaaTec Network Analyzer

MaaTec Network Analyzer is a tool that allows you to capture, save, and analyze network traffic on a LAN or a DSL Internet connection

It is used for network troubleshooting, to analyze an existing network infrastructure, or for long-term network monitoring

http://www.maatec.com

Iris Network Traffic Analyzer

Iris Network Traffic Analyzer is a vulnerability forensics solution used for network traffic analysis and reporting

[Screenshot: Iris packet decode view showing the MAC header and IP header]

http://www.eeye.com

NetWitness Investigator

NetWitness Investigator can locally capture live traffic and process packet files from virtually any existing network collection device for quick and easy analysis

[Screenshot: Analyze Layer 7 Traffic Analytics and Summary View]

Colasoft Capsa Network Analyzer

Capsa Network Analyzer captures all data transmitted over the network and provides a wide range of analysis statistics in an intuitive and graphic way

It identifies and analyzes more than 300 network protocols, as well as network applications based on those protocols

[Screenshot: Capsa dashboard with protocol and endpoint statistics]

http://www.colasoft.com

Sniff-O-Matic

Sniff-O-Matic is a network protocol analyzer and packet sniffer that captures the network traffic and enables you to analyze the data

Features:
> Capture IP packets on a LAN without packet loss
> Monitor network activity in real time
> Real-time checksum calculation
> Auto-start capturing and continuous capture
> Traffic charts with filter info

http://www.kwakkelflap.com

NetResident

NetResident is a network content monitoring program that captures, stores, analyzes, and reconstructs network events such as email messages, web pages, downloaded files, instant messages, and VoIP conversations

Network Probe

Network Probe identifies what is causing the problem in network traffic

It shows who is generating the troublesome traffic, and where the traffic is being transmitted or received

NetFlow Analyzer

NetFlow Analyzer is a web-based bandwidth monitoring, network forensics, and network traffic analysis tool

It generates instant reports on network traffic and users using NetFlow from Cisco devices

http://www.manageengine.com

OmniPeek Network Analyzer

The OmniPeek sniffer displays a Google Map in the OmniPeek capture window showing the locations of all the public IP addresses of captured packets

This feature is a great way to monitor the network in real time and show from where in the world traffic is coming

http://www.wildpackets.com

Firewall Evasion Tool: Traffic IQ Professional

Traffic IQ Professional enables security professionals to audit and validate the behavior of security devices by generating standard application traffic or attack traffic between two virtual machines

Traffic IQ Professional can be used to assess, audit, and test the behavioral characteristics of any non-proxy packet-filtering device, including:
> Application layer firewalls
> Intrusion detection systems
> Intrusion prevention systems
> Routers and switches

http://www.blade-software.com

NetworkView

NetworkView is a network discovery and management tool for Windows

It discovers TCP/IP nodes and routes using DNS, SNMP, ports, NetBIOS, and WMI

http://www.networkview.com

CommView

CommView is a network monitor and analyzer that captures every packet on the wire to display vital information such as a list of packets and network connections, vital statistics, protocol distribution charts, etc.

[Screenshot: CommView packet list and statistics window]

http://www.tamos.com

Observer

Observer provides a comprehensive drill-down into network traffic and provides back-in-time analysis, reporting, trending, alarms, application tools, and route monitoring capabilities

http://www.netinst.com

SoftPerfect Network Protocol Analyzer

SoftPerfect Network Protocol Analyzer is a tool for analyzing, debugging, maintaining, and monitoring local networks and Internet connections

It captures the data passing through a dial-up connection or network Ethernet card, analyzes this data, and then represents it in an easily readable form

[Screenshot: SoftPerfect packet list with hex/ASCII decode]

http://www.softperfect.com

EffeTech HTTP Sniffer

EffeTech HTTP Sniffer is an HTTP packet sniffer, protocol analyzer, and file reassembly software based on the Windows platform

It captures IP packets containing the HTTP protocol, rebuilds the HTTP sessions, and reassembles files sent through the HTTP protocol

Features:
> Real-time packet analyzer
> Powerful HTTP file rebuilder
> Supports various file types
> Powerful packet-capturing filter
> Exact timestamp

[Screenshot: EffeTech HTTP Sniffer showing an HTTP request header and response header]

http://www.effetech.com

Big-Mother

Big-Mother is an eavesdropping program that uses a switch sniffer to monitor traffic over a home network

It monitors URL visits, email, chats, games, FTP, and data flows, and also takes webpage snapshots, duplicates email and FTP copies, records MSN Messenger content, and gives statistical reports

http://www.tupsoft.com

EtherDetect Packet Sniffer

EtherDetect Packet Sniffer enables you to capture full packets, organized by TCP connection or UDP thread

It passively monitors the network, with no need to install a program on target PCs

Features:
> Organize captured packets in a connection-oriented view
> Capture IP packets on a LAN without losing nearly any packets
> Smart real-time analyzer enables on-the-fly content viewing while capturing and analyzing
> Parse and decode a variety of network protocols
> Support saving captured packets for reopening afterward

Ntop

Ntop is a network traffic probe that shows network usage on the user terminal

It is based on libpcap and has been written in a portable way

[Screenshot: Ntop web interface, Network Traffic [TCP/IP]: All Hosts - Data Sent+Received]

http://www.ntop.org

EtherApe

It supports Ethernet, FDDI, Token Ring, ISDN, PPP, SLIP and WLAN devices, plus several encapsulation formats

> Node and link color shows the most used protocol
> Data display can be refined using a network filter in pcap syntax
> Display averaging and node persistence times are fully configurable

http://etherape.sourceforge.net

AnalogX Packetmon

AnalogX PacketMon allows you to capture IP packets that pass through the network interface, whether they originate from the machine on which PacketMon is installed or from a completely different machine on the network

http://www.analogx.com

IEInspector HTTP Analyzer

IEInspector HTTP Analyzer allows you to monitor, trace, debug, and analyze HTTP/HTTPS traffic in real time

> Integrates with Internet Explorer and Firefox
> Supports HTTPS/SSL connections
> Real-time page and request level time chart
> Native support for Flash Remoting

http://www.ieinspector.com

SmartSniff

SmartSniff is a TCP/IP packet capture program that allows you to inspect the network traffic that passes through the network adapter

[Screenshot: SmartSniff TCP conversation list with an HTTP request and response]

Distinct Network Monitor

Distinct Network Monitor displays live network traffic statistics for up to the

The statistics analysis module allows you to get a very good picture of any given network segment monitored. It displays the following:

> The IP addresses that are active on the network segment, showing the total number of bytes received at each IP address
> A list of protocols, showing how many bytes were sent and received for each protocol
> The list of and the total number of bytes and packets transmitted for each one
> A packet size distribution showing the number of packets transmitted in various size ranges
> The list of that are active on the network segment

http://v5.network-monitor.com

Give Me Too

Give Me Too is a packet sniffer, network analyzer, and network sniffer that plugs in to computer networks and monitors any Internet and email activity that occurs in them

It captures all data transferred through the network via the HTTP, FTP, SMTP, IMAP, POP3, and IRC protocols

http://www.givemetoo.com

EtherSnoop

EtherSnoop is a network sniffer designed for capturing and analyzing the packets going through the network

It captures the data passing through your dial-up connection or network Ethernet card, analyzes the data, and represents it in a readable form

http://www.arechisoft.com

[Screenshot: packet statistics window listing source address, destination address, protocol, traffic, speed, and average speed]

http://www.demosten.com

Argus

Argus allows investigators to monitor network connectivity (ping test), TCP/UDP ports, the output or exit code of a program, the content of a web page, the authoritativeness of a name server, the results of SQL queries, etc.

[Screenshot: Argus status pages for Top Routers, showing up/down transitions and elapsed time]

http://argus.tcp4me.com

Documenting the Evidence
Gathered on a Network

If the network logs are small, you can take a print-out and attest


Module Summary

Network forensics is the process of identifying criminal activity and the people behind it

An intrusion detection system (IDS) gathers and analyzes information from within a computer or a network to identify possible violations of security policy, including unauthorized access as well as misuse

A honeypot is an information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network

The man-in-the-middle attack is used to intrude into an existing connection between systems and to intercept messages being exchanged

Log files from various devices and applications can be used as evidence for network security incidents

To ensure that the log file is not modified, encrypt the log by using a public-key encryption scheme

A sniffer is computer software or hardware that can intercept and log traffic passing over a digital network or part of a network

DNS poisoning is a technique that tricks a DNS server into believing that it has received authentic information when, in reality, it has not

“Network is down.”


© 2000 Randy Glasbergen.
wwwglasbergen.com

"We rarely back up our data. We'd rather not
keep a permanent record of everything
that goes wrong around here!"
