Sec C DF
Section C
Analyzing Network Evidence
• Network Evidence Overview
• Analyzing Firewall and Proxy Logs
• NetFlow
• Packet captures
Analyzing Evidence
• Analyzing Network Evidence
• Analyzing System Memory
• Analyzing System Storage
• Analyzing Log Files
Analyze Network Evidence
• Analyzing packet capture
• Analyzing Firewall and proxy logs
– Manual Log Review
– Filtered Log review
– Log file searching
– Log file correlation
– Log file data mining
Analyzing System Memory
• It contains the following:
• Running Processes
• Loaded device drivers
• Open registry keys
• Network connections
• Command history
SANS six-part methodology
• Identify rogue processes
• Analyze process DLLs and handles
• Review network artifacts
• Look for evidence of code injection
• Check for signs of a rootkit
• Dump suspicious processes and drivers
Network Connection Methodology
• Suspicious Network connection
• Process name
• Parent process ID
• Associated entities
Analyzing System Storage
https://www.ultimatewindowssecurity.com/
Analyzing Windows Event Logs
• It is a detailed process.
• One issue encountered by responders is the sheer number of logs that they may have to analyze during an incident.
• With multiple systems, the responder may have to deal with millions of separate event log entries.
• Analysis starts with acquisition, moves into triage, and then focuses on analyzing the key event logs.
Acquisition
• Ideally, log files should be sent to a SIEM to allow the responder to search log entries across the enterprise.
• Storage costs are an issue with both commercial and open-source SIEMs.
• A simple technique is to copy the log files from the local system to a removable disk.
• Acquisition of log files can also be scripted through a simple bash script.
• These scripts can be run from a USB device or through remote sessions to reduce interaction with the system.
Triage
• A PowerShell script developed by Eric Conrad can be used for triage.
• It can detect suspicious Windows event log entries.
• It can detect service creation and account creation.
• It can detect a high number of logon failures.
• It can detect malicious PowerShell usage.
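The following is an added triage example (not the script from the slides, nor Eric Conrad's code) that implements the four checks above in PowerShell over constructed events so it runs offline on any PowerShell host; the event IDs are the standard Windows ones (7045 service installed, 4720 account created, 4625 logon failure, 4104 script block logging), while the failure threshold and the keyword list are assumptions to tune per environment.

```powershell
# Event IDs are the standard Windows ones; the threshold and keyword list are assumptions.
function Invoke-EventLogTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $FailedLogonThreshold = 10    # assumption: tune per environment
    )
    $findings = @()
    # Assumed indicator strings for script-block (4104) content; extend as needed
    $keywords = 'downloadstring', 'frombase64string', 'invoke-expression', 'iex', '-enc', 'bypass'

    foreach ($e in $Events) {
        switch ($e.Id) {
            7045 { $findings += [pscustomobject]@{ Type = 'Service creation'; Detail = $e.Message } }  # System log
            4720 { $findings += [pscustomobject]@{ Type = 'Account creation'; Detail = $e.Message } }  # Security log
            4104 {                                                                                    # PowerShell script block logging
                $hits = @($keywords | Where-Object { $e.Message -match [regex]::Escape($_) })
                if ($hits.Count -gt 0) {
                    $findings += [pscustomobject]@{ Type = 'Suspicious PowerShell'; Detail = "matched: $($hits -join ', ')" }
                }
            }
        }
    }
    # 4625 logon failures are counted per target account and flagged only above the threshold,
    # so isolated mistyped passwords do not drown the report
    foreach ($g in ($Events | Where-Object { $_.Id -eq 4625 } | Group-Object TargetUser)) {
        if ($g.Count -ge $FailedLogonThreshold) {
            $findings += [pscustomobject]@{ Type = 'High logon failures'; Detail = "$($g.Name): $($g.Count) failures" }
        }
    }
    return $findings
}

# Constructed sample events (not real log data); on a live system feed in Get-WinEvent output instead
$sample = @(
    [pscustomobject]@{ Id = 7045; TargetUser = $null;     Message = 'A service was installed in the system. Service Name: updater, Service File Name: C:\Users\Public\u.exe' }
    [pscustomobject]@{ Id = 4720; TargetUser = 'support'; Message = 'A user account was created. New Account Name: support' }
    [pscustomobject]@{ Id = 4104; TargetUser = $null;     Message = 'Creating Scriptblock text: IEX (New-Object Net.WebClient).DownloadString(...)' }
)
foreach ($i in 1..12) {
    $sample += [pscustomobject]@{ Id = 4625; TargetUser = 'administrator'; Message = 'An account failed to log on.' }
}

Invoke-EventLogTriage -Events $sample | Format-Table -AutoSize
```

Against a live host, replace `$sample` with `Get-WinEvent -FilterHashtable @{LogName='Security','System','Microsoft-Windows-PowerShell/Operational'}` and map `TargetUserName` from the event XML onto the `TargetUser` field the function groups by.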
Analysis
• Once the event logs are available, analysis will require the use of specialized
tools to dig deeper into the data that they provide.