Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Hands-On Network Forensics
  • Table Of Contents Toc
  • Feedback & Rating feedback
Hands-On Network Forensics

Hands-On Network Forensics

By : Nipun Jaswal
3.2 (6)
Buy this Book
close
close
Hands-On Network Forensics

Hands-On Network Forensics

3.2 (6)
By: Nipun Jaswal
Buy this Book

Overview of this book

Network forensics is a subset of digital forensics that deals with network attacks and their investigation. In the era of network attacks and malware threat, it’s now more important than ever to have skills to investigate network attacks and vulnerabilities. Hands-On Network Forensics starts with the core concepts within network forensics, including coding, networking, forensics tools, and methodologies for forensic investigations. You’ll then explore the tools used for network forensics, followed by understanding how to apply those tools to a PCAP file and write the accompanying report. In addition to this, you will understand how statistical flow analysis, network enumeration, tunneling and encryption, and malware detection can be used to investigate your network. Towards the end of this book, you will discover how network correlation works and how to bring all the information from different types of network devices together. By the end of this book, you will have gained hands-on experience of performing forensics analysis tasks.
Table of Contents (16 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Get in touch
Icon
Disclaimer
Free Chapter
1
Section 1: Obtaining the Evidence
Icon
Section 1: Obtaining the Evidence
2
Introducing Network Forensics
Icon
Introducing Network Forensics
Icon
Technical requirements
Icon
Network forensics investigation methodology
Icon
Source of network evidence
Icon
Wireshark essentials
Icon
Exercise 1 – a noob's keylogger
Icon
Exercise 2 – two too many
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
3
Technical Concepts and Acquiring Evidence
Icon
Technical Concepts and Acquiring Evidence
Icon
Technical requirements
Icon
The inter-networking refresher
Icon
Log-based evidence
Icon
Case study – hack attempts
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
4
Section 2: The Key Concepts
Icon
Section 2: The Key Concepts
5
Deep Packet Inspection
chevron up
Icon
Deep Packet Inspection
Icon
Technical requirements
Icon
Protocol encapsulation
Icon
Analyzing packets on TCP
Icon
Analyzing packets on UDP
Icon
Analyzing packets on ICMP
Icon
Case study – ICMP Flood or something else
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
6
Statistical Flow Analysis
Icon
Statistical Flow Analysis
Icon
Technical requirements
Icon
The flow record and flow-record processing systems (FRPS) 
Icon
Sensor deployment types
Icon
Analyzing the flow
Icon
Summary
Icon
Questions
Icon
 Further reading
7
Combatting Tunneling and Encryption
Icon
Combatting Tunneling and Encryption
Icon
Technical requirements
Icon
Decrypting TLS using browsers
Icon
Decoding a malicious DNS tunnel
Icon
Decrypting 802.11 packets
Icon
Decoding keyboard captures
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
8
Section 3: Conducting Network Forensics
Icon
Section 3: Conducting Network Forensics
9
Investigating Good, Known, and Ugly Malware
Icon
Investigating Good, Known, and Ugly Malware
Icon
Technical requirements
Icon
Dissecting malware on the network
Icon
Intercepting malware for fun and profit
Icon
Behavior patterns and analysis
Icon
A real-world case study – investigating a banking Trojan on the network
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
10
Investigating C2 Servers
Icon
Investigating C2 Servers
Icon
Technical requirements
Icon
Decoding the Metasploit shell
Icon
Case study – decrypting the Metasploit Reverse HTTPS Shellcode
Icon
Analyzing Empire C2
Icon
Case study – CERT.SE's major fraud and hacking criminal case, B 8322-16
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
11
Investigating and Analyzing Logs
Icon
Investigating and Analyzing Logs
Icon
Technical requirements
Icon
Network intrusions and footprints
Icon
A case study – defaced servers
Icon
Summary
Icon
Questions and exercises
Icon
Further reading
12
WLAN Forensics
Icon
WLAN Forensics
Icon
Technical requirements
Icon
The 802.11 standard
Icon
Packet types and subtypes
Icon
Locating wireless devices
Icon
Identifying rogue access points
Icon
Identifying attacks
Icon
Case study – identifying the attacker
Icon
Summary
Icon
Questions
Icon
Further reading
13
Automated Evidence Aggregation and Analysis
Icon
Automated Evidence Aggregation and Analysis
Icon
Technical requirements
Icon
Automation using Python and Scapy
Icon
Automation through pyshark – Python's tshark
Icon
Merging and splitting PCAP data
Icon
Large-scale data capturing, collection, and indexing
Icon
Summary
Icon
 Questions and exercises
Icon
Further reading
14
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Leave a review - let other readers know what you think
15
Assessments
Icon
Assessments
Icon
Chapter 1: Introducing Network Forensics
Icon
Chapter 6: Investigating Good, Known, and Ugly Malware
Icon
Chapter 7: Investigating C2 Servers
Icon
Chapter 9: WLAN Forensics

Analyzing packets on ICMP

Let's take a look at the Internet Control Message Protocol (ICMP). It is one of the most popular protocols, and is better known for being used in ping commands, which is where an ICMP echo request is sent to an IP address with some random data, and it then denotes whether the system is alive. A typical ICMP packet would look like this:

The ICMP has many messages, which are identified by the Type of Message field. The Code field indicates the type of message. The Identifier and Sequence Number can be used by the client to match the reply with the request that caused the reply.

The Data field may contain a random string or a timestamp to compute the round-trip time in a stateless manner. Let's ping https://www.google.com/ and analyze it in Wireshark:

We can see that we have four Echo request and four Echo reply packets. Let...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 6
Next Section

Create a Note

Modal Close icon
You need to login to use this feature.
notes
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Delete Note

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Edit Note

Modal Close icon
Write a note (max 255 characters)
Cancel
Update Note

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY