Add to collection(s) Add to saved
  1. Social Science
  2. Psychology
  3. Forensic Psychology

Network forensics

advertisement 
NETWORK FORENSICS
We’ve got what it takes to take what you got!
INTRODUCTION AND COURSE OVERVIEW
•
What is network forensics
•
Sources of Network Data and Evidence
•
Forensically Sound Evidence Acquisition Techniques
•
Packet Analysis
•
Statistical Analysis
•
Event Log Aggregation, Correlation and Analysis
•
Active Evidence Acquisition
•
Analysis of Wireless Network Traffic
WHAT IS NETWORK FORENSICS
“Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis
of computer network traffic for the purposes of information gathering, legal evidence, or
intrusion detection.”1
DEAD-BOX vs. NETWORK FORENSICS
Dead-box
•
•
•
•
•
Data is static and preserved once
power is removed
Network
•
Data is changing constantly
•
Evidence is contained within the file
system
Pinpointing direct location of needed
evidence is problematic
•
Easy to make a forensically sound
image
Physical access to network devices can
be difficult
•
Seizing a businesses computer/s
usually involves limited disruption
Most network devices do not have
persistent data storage
•
Legal precedence in place and is
routinely admitted into court
Investigators must minimize investigation
impact on business network
•
Conflicting precedence and not yet
standardized
WHY DO WE NEED TO WORRY ABOUT
NETWORK CRIME?
•
“The Federal Bureau of Investigation (FBI) estimates that cyber crime costs more than
$100 billion per year.” 2
•
Attacks can come from both inside and outside of the network.
•
Not just basement hackers anymore
• Employees
• Business competition
• Professional hackers for hire
• City-states
QUICK EVIDENCE REVIEW
•
•
Real evidence - physical objects that play a relevant role in the crime
•
Physical HHD or USB
•
Computer – box, keyboard, etc.
Best evidence - can be produced in court
•
Recovered file
•
Bit – for – bit snapshot of network transaction
•
Direct evidence – eye witness
•
Circumstantial evidence – linked with other evidence to draw conclusion
•
•
Email signature
•
USB serial number
Hearsay – second-hand information
•
•
•
Text file containing personal letter
Business records – routinely generated documentation
•
Contracts and employee policies
•
Logs
Digital evidence – electronic evidence
•
Emails / IM
•
Logs
INVESTIGATIVE METHODOLOGY
•
OSCAR 3
• Obtain information
• Strategize
• Collect evidence
• Analyze
• Report
OBTAIN INFORMATION
•
Incident description
•
Information regarding incident discovery
•
Known persons involved
•
Systems and / or data known to be involved
•
Actions taken by organization since discovery
•
Potential legal issues
•
Working time frame for investigation and resolution
•
Specific goals
•
Etc.
3
THE ENVIRONMENT
3
•
Working business model and enforceable policies
•
Potential legal issues involved with said business model and policies
•
Organizational structure
•
Network topology
•
Possible network evidence sources
•
Incident response management procedures
•
Central communication systems (investigator communication and evidence repository)
•
Available resources
•
Staff
•
Equipment
•
Funding
•
Time
STRATEGIZE
3
•
Understand the goals and time frame for investigation
•
Organize and list resources
•
Identify and document evidence sources
•
Estimate value of evidence versus value of obtaining it
•
Prioritize based on this estimate
•
Plan of attack – both for acquisition and analysis
•
Set up schedule for regular communication between investigators
•
Remember that this is fluid and will most likely have to be adjusted
COLLECT EVIDENCE
•
Document, document, document
•
Lawfully capture evidence
•
Make cryptographically verifiable copies
•
Setup secure storage of collected evidence
•
Establish chain of custody
•
Analyze copies only
•
Use legally obtained, reputable tools
•
Document every step
3
ANALYZE
3
•
Show correlation with multiple sources of evidence
•
Establish a well documented timeline of activities
•
Highlight and further investigate events that are potentially more relevant to incident
•
Corroborate all evidence, which may require more evidence gathering
•
Reevaluate initial plan of attack and make needed adjustments
•
Make educated interpretations of evidence that lead to a thorough investigation, look for
all possible explanations
•
Build working theories that can be backed up by the evidence (this is only to ensure a
thorough investigation)
•
SEPARATE YOUR INTERPRETATIONS FROM THE FACTS
REPORT
•
Every report must be:
• Understandable by nontechnical people
• Complete and meticulous
• Defensible in every detail
• Completely factual
3
WORKS CITED
1. http://en.wikipedia.org/wiki/Network_forensics#cite_ref-0
2. http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=116&It
emid=49
3. Davidoff, S., & Ham, J. (2012). Network Forensics Tracking Hackers Through
Cyberspace. Boston: Prentice Hall.
Related documents
Forensics – Chapters 1-3 Study Guide Helpers
Forensics – Chapters 1-3 Study Guide Helpers
Pertemuan 26 Contingency Planning Matakuliah :A0334/Pengendalian Lingkungan Online
Pertemuan 26 Contingency Planning Matakuliah :A0334/Pengendalian Lingkungan Online
15. Legal, Regulations, Compliance, and Investigations
15. Legal, Regulations, Compliance, and Investigations
PowerPoint slides
PowerPoint slides
review3
review3
chapter1
chapter1
Lecture 7 - The University of Texas at Dallas
Lecture 7 - The University of Texas at Dallas
Evidence - WordPress.com
Evidence - WordPress.com
Network Forensics
Network Forensics
Basics of IT Security
Basics of IT Security
Chapter 1
Chapter 1
3-introduction
3-introduction
Download
advertisement