Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Hands-On Network Forensics
  • Table Of Contents Toc
  • Feedback & Rating feedback
Hands-On Network Forensics

Hands-On Network Forensics

By : Nipun Jaswal
3.2 (6)
Buy this Book
close
close
Hands-On Network Forensics

Hands-On Network Forensics

3.2 (6)
By: Nipun Jaswal
Buy this Book

Overview of this book

Network forensics is a subset of digital forensics that deals with network attacks and their investigation. In the era of network attacks and malware threat, it’s now more important than ever to have skills to investigate network attacks and vulnerabilities. Hands-On Network Forensics starts with the core concepts within network forensics, including coding, networking, forensics tools, and methodologies for forensic investigations. You’ll then explore the tools used for network forensics, followed by understanding how to apply those tools to a PCAP file and write the accompanying report. In addition to this, you will understand how statistical flow analysis, network enumeration, tunneling and encryption, and malware detection can be used to investigate your network. Towards the end of this book, you will discover how network correlation works and how to bring all the information from different types of network devices together. By the end of this book, you will have gained hands-on experience of performing forensics analysis tasks.
Table of Contents (16 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Get in touch
Icon
Disclaimer
Free Chapter
1
Section 1: Obtaining the Evidence
Icon
Section 1: Obtaining the Evidence
2
Introducing Network Forensics
chevron up
Icon
Introducing Network Forensics
Icon
Technical requirements
Icon
Network forensics investigation methodology
Icon
Source of network evidence
Icon
Wireshark essentials
Icon
Exercise 1 – a noob's keylogger
Icon
Exercise 2 – two too many
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
3
Technical Concepts and Acquiring Evidence
Icon
Technical Concepts and Acquiring Evidence
Icon
Technical requirements
Icon
The inter-networking refresher
Icon
Log-based evidence
Icon
Case study – hack attempts
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
4
Section 2: The Key Concepts
Icon
Section 2: The Key Concepts
5
Deep Packet Inspection
Icon
Deep Packet Inspection
Icon
Technical requirements
Icon
Protocol encapsulation
Icon
Analyzing packets on TCP
Icon
Analyzing packets on UDP
Icon
Analyzing packets on ICMP
Icon
Case study – ICMP Flood or something else
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
6
Statistical Flow Analysis
Icon
Statistical Flow Analysis
Icon
Technical requirements
Icon
The flow record and flow-record processing systems (FRPS) 
Icon
Sensor deployment types
Icon
Analyzing the flow
Icon
Summary
Icon
Questions
Icon
 Further reading
7
Combatting Tunneling and Encryption
Icon
Combatting Tunneling and Encryption
Icon
Technical requirements
Icon
Decrypting TLS using browsers
Icon
Decoding a malicious DNS tunnel
Icon
Decrypting 802.11 packets
Icon
Decoding keyboard captures
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
8
Section 3: Conducting Network Forensics
Icon
Section 3: Conducting Network Forensics
9
Investigating Good, Known, and Ugly Malware
Icon
Investigating Good, Known, and Ugly Malware
Icon
Technical requirements
Icon
Dissecting malware on the network
Icon
Intercepting malware for fun and profit
Icon
Behavior patterns and analysis
Icon
A real-world case study – investigating a banking Trojan on the network
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
10
Investigating C2 Servers
Icon
Investigating C2 Servers
Icon
Technical requirements
Icon
Decoding the Metasploit shell
Icon
Case study – decrypting the Metasploit Reverse HTTPS Shellcode
Icon
Analyzing Empire C2
Icon
Case study – CERT.SE's major fraud and hacking criminal case, B 8322-16
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
11
Investigating and Analyzing Logs
Icon
Investigating and Analyzing Logs
Icon
Technical requirements
Icon
Network intrusions and footprints
Icon
A case study – defaced servers
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
12
WLAN Forensics
Icon
WLAN Forensics
Icon
Technical requirements
Icon
The 802.11 standard
Icon
Packet types and subtypes
Icon
Locating wireless devices
Icon
Identifying rogue access points
Icon
Identifying attacks
Icon
Case study – identifying the attacker
Icon
Summary
Icon
Questions
Icon
Further reading
13
Automated Evidence Aggregation and Analysis
Icon
Automated Evidence Aggregation and Analysis
Icon
Technical requirements
Icon
Automation using Python and Scapy
Icon
Automation through pyshark – Python's tshark
Icon
Merging and splitting PCAP data
Icon
Large-scale data capturing, collection, and indexing
Icon
Summary
Icon
 Questions and exercises
Icon
Further reading
14
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Leave a review - let other readers know what you think
15
Assessments
Icon
Assessments
Icon
Chapter 1: Introducing Network Forensics
Icon
Chapter 6: Investigating Good, Known, and Ugly Malware
Icon
Chapter 7: Investigating C2 Servers
Icon
Chapter 9: WLAN Forensics

Exercise 1 – a noob's keylogger

Consider a scenario where an attacker has planted a keylogger on one of the systems in the network. Your job as an investigator is to find the following pieces of information:

  • Find the infected system
  • Trace the data to the server
  • Find the frequency of the data that is being sent
  • Find what other information is carried besides the keystrokes
  • Try to uncover the attacker
  • Extract and reconstruct the files that have been sent to the attacker

Additionally, in this exercise, you need to assume that the packet capture (PCAP) file is not available and that you have to do the sniffing-out part as well. Let's say that you are connected to a mirror port on the network where you can see all the data traveling to and from the network.

The capture file for this network capture is available at https://github.com/nipunjaswal...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 6
Next Section

Create a Note

Modal Close icon
You need to login to use this feature.
notes
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Delete Note

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Edit Note

Modal Close icon
Write a note (max 255 characters)
Cancel
Update Note

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY