
Digital Forensics

Lecture 7

Network Analysis
This Week’s Presentations

• Johnathan Ammons: Web Analysis
• Kelcey Tietjen: Wireless Network Traffic
• David Burton: Collection and Analysis of Network Traffic
• David Burton: Network Devices: Routers, Switches, … (EC)
Week after Next Presentations

• Maggie Castillo: Cell Phones
• Jim Curry: PDAs
• Ryan Ware: Investigation of Non-traditional Equipment: Autos, Washers, …
• Nicholas Gallegos: MP3 Players
• Barry Gavrich: Flash Media (EC)
• Ron Prine: Digital Cameras

Next Week: Midterm Exam


Lecture Overview
Process flow (under Legal/Policy): Preparation → Collection → Analysis → Findings/Evidence → Reporting/Action

• Investigative Goals
• Investigation Centric Analysis
• Data Centric Analysis
• General Tools and Methods
Module 1
First Steps
Goals
• Collect evidence
• Identify:
– Scope of activity
– Other parties involved
• Support or refute allegation
• Timeline
• Ensure compliance
Types of Network-Based Evidence
• Full content data
– Every bit, every sound, lots of disk space
• Session data
– Addresses, phone numbers, trap&trace
• Alert data
– Triggered, keywords, addresses, services, event
• Statistical data
– Whole picture, causal, patterns
Characteristics of Network Data
• Ephemeral
• Many locations
– Computer systems
– Network components
• Can be large in size
• Might be encrypted
• Could be fragmented
Tying it Together
• Role is a key factor in all decisions
• Goals determine the type of collection
• The type of collection determines the tools
Module 2
Setup
• Consider a network diagram to show
– Route diversity
– Switched networks
– Convergence
– Wireless (hidden node problem)
• Difficulties resulting from this
– Incomplete observation
– Difficulty in collecting on a network that’s not well prepped
– Well trained investigators
– Large data
System Tools
• Used for after-incident collection
– Volatile data on a running system
• Placed prior to need
– How do you trust the data collected?
Network Tools
• Part of infrastructure
– Routers, switches, hubs, access points
– Packet capture, SNMP, other
• Additional taps
– Workstations, “sniffers”
– Packet capture, IDS’s, other
Module 3
Investigation Centric Analysis


Roles
• User
• Owner of personal system
• Corporation or organization
– Company
– Service Provider
• Local investigators
• Federal investigators
• International investigators
Role-Based Motivation
• Private owner
– Maintain system security (i.e., Title 18)
• Corporation
– Maintain system security, ensure operational continuity
– Investigate system misuse
– Identify and manage compromise
• Various investigative authorities
– Investigate computer-related criminal activity
• Fraud, theft, damage, use of IT in other crimes, etc.
– Investigate other criminal activity
• Murder, kidnap, fraud, etc.
– Counter-terrorism
Approach
• Identify communicating parties
• Geo-locate the source/destination
• Help provide individual attribution
• Determine intent/nature of suspected communications
• Capture and provide evidence of crime
• Identify social networks
• Others?
Processes
• Store and post-analyze vs. real time analysis
• Implement a corporate framework
• Court order to wire tap
• Others?
Analysis Techniques
• Log analysis
– Network device
– Computer network logs
• Statistics
– Protocol
– Conversations
– Time of day
– Flow size
– Number of connections
• Signatures
– Well known crime
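The "Statistics" bullets above (protocol, conversations, time of day, flow size, number of connections) worked through on constructed session summaries, as an added example that is not part of the lecture; the record format, the hosts and the off-hours threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed session summaries (one line per session: start time, proto,
# src:port, dst:port, bytes). Sample data made up for this example.
SESSIONS = """\
2024-03-01T02:14:05 tcp 10.0.0.5:51123 203.0.113.9:22 48210
2024-03-01T02:15:41 tcp 10.0.0.5:51124 203.0.113.9:22 51822
2024-03-01T02:17:09 tcp 10.0.0.5:51125 203.0.113.9:22 49990
2024-03-01T02:20:00 tcp 10.0.0.5:51126 203.0.113.9:22 50311
2024-03-01T09:02:33 tcp 10.0.0.7:43001 198.51.100.4:443 6120
2024-03-01T09:05:10 udp 10.0.0.7:53211 10.0.0.1:53 312
2024-03-01T14:30:00 tcp 10.0.0.12:40000 198.51.100.4:80 2048
"""

def parse_sessions(text):
    """Turn session lines into dicts; a conversation is (src, dst, dport)."""
    records = []
    for line in text.strip().splitlines():
        ts, proto, src, dst, nbytes = line.split()
        sip, _ = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        records.append({"time": datetime.fromisoformat(ts), "proto": proto,
                        "src": sip, "dst": dip, "dport": int(dport),
                        "bytes": int(nbytes)})
    return records

def session_stats(records):
    """The statistics the lecture lists: protocol mix, conversations,
    time of day, flow size and number of connections per source host."""
    size = defaultdict(int)
    for r in records:
        size[(r["src"], r["dst"], r["dport"])] += r["bytes"]
    return {
        "protocol": Counter(r["proto"] for r in records),
        "conversations": Counter((r["src"], r["dst"], r["dport"]) for r in records),
        "hour_of_day": Counter(r["time"].hour for r in records),
        "flow_bytes": dict(size),
        "connections_per_src": Counter(r["src"] for r in records),
    }

def off_hours_heavy_flows(records, start_hour=0, end_hour=6, min_bytes=100_000):
    """Pattern-based finding (not a signature): conversations that run in
    the off-hours window and move at least min_bytes in total."""
    hits = defaultdict(int)
    for r in records:
        if start_hour <= r["time"].hour < end_hour:
            hits[(r["src"], r["dst"], r["dport"])] += r["bytes"]
    return sorted(k for k, v in hits.items() if v >= min_bytes)
```

The whole-picture view is what distinguishes this from alert data: no single session here is suspicious on its own, only the repeated off-hours pattern to one destination is.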
Module 4
Data Centric Analysis


Tools for Collection
• Packet capture and interpretation
– ethereal
– tcpdump
– windump
– Limitations
• For example, stream reassembly
• Statistical tools
Tools for Analysis
• tcptrace – identify sessions
• snort – event scanner
• tcpflow – reassembling sessions
• ethereal – jack of all trades
Network Equipment
• Routers
• Switches
• SNMP enabled devices
• Firewalls
• DHCP servers
• IDS sensors
• Proxy servers
Routers/Switches
• Caches (Live analysis)
– ARP
– Route tables
• Logs
– Previously setup for capture
Network Computer Information
• Similar to network device commands
• From the computer’s point of view
• Corresponding connections to network devices
Module 5
Future Needs
Gaps
• What are the features that each role would enjoy having?
– Home user
– Parent
– Corporate IT investigator
– Criminal investigator
– Counter terrorism authority
More Gaps
• What are the difficult problems?
– E.g., observation, interpretation, large data analysis, etc.
More Gaps
• Balancing privacy with security
• Data collection on switched or multi-path networks
• Volume of data to be collected
• Analysis techniques
Questions?
After all, you are an investigator