Network Forensics – Week 12

This week, we learned about Malware.

Malware, or malicious software, is software specifically created to damage, disrupt, or gain unauthorized access to a computer system. One way to identify malware with a network forensics methodology is through Security Information and Event Management (SIEM). A SIEM collects the log and event data generated by an organization’s applications, security devices and host systems, brings it together in a single centralized platform, and uses it to detect threats and raise security alerts.

Example of Malware:

  1. Worms: spread via phishing or software vulnerabilities. Once a worm has installed itself in your computer’s memory, it self-replicates and infects the whole machine and potentially the whole network. Worms can modify or delete files, steal data, install backdoors, and inject further malware onto computers. You can identify and remove worms using anti-virus tools and dedicated removal tools.
  2. Trojan Horse: a malicious program disguised to look like a legitimate file so that users will download it. Trojans are a doorway and need a host to work. Trojan horses can delete, modify, and capture data, spy on your device, gain access to your network, and harvest your device as part of a botnet. They can be identified and removed using anti-malware software.
Posted in Network Forensics | Leave a comment

Network Forensics – Week 11

This week, we learned about routers, switches, and firewalls.

Switches map MAC addresses to switch ports, which also makes it possible to find the physical location of a device from its MAC address. ARP (Address Resolution Protocol) tables hold the mapping between IP addresses and MAC addresses, letting an investigator relate one to the other.
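As an added example (not part of the original notes), the following Python follows the chain the paragraph describes: from an IP address, through the host’s ARP table to a MAC address, and then through the switch’s MAC address table to the port that learned it. The `ip neigh` and `show mac address-table` text it parses is constructed sample output, not data from a real network.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the style of Linux `ip neigh` output (not captured from a real host).
ARP_TABLE = """\
10.0.5.12 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
10.0.5.40 dev eth0 lladdr 00:1a:2b:3c:4d:99 STALE
10.0.5.1 dev eth0 lladdr 00:50:56:aa:bb:cc REACHABLE
"""
# Constructed sample in the style of Cisco `show mac address-table` output (not real data).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/7
  10    001a.2b3c.4d99    DYNAMIC     Gi1/0/12
  10    0050.56aa.bbcc    DYNAMIC     Gi1/0/48
"""

def normalize_mac(mac: str) -> str:
    """Reduce 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp_table(text: str) -> Dict[str, str]:
    """IP -> normalized MAC, from `ip neigh` style lines; other lines are ignored."""
    pairs = re.findall(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)", text, re.M)
    return {ip: normalize_mac(mac) for ip, mac in pairs}

def parse_mac_table(text: str) -> Dict[str, Tuple[str, str]]:
    """normalized MAC -> (vlan, port), from switch MAC table rows; the header line is skipped."""
    rows = re.findall(r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(\S+)", text, re.M)
    return {normalize_mac(mac): (vlan, port) for vlan, mac, port in rows}

def locate_ip(ip: str, arp_text: str, mac_text: str) -> Optional[Tuple[str, str, str]]:
    """Follow IP -> MAC (ARP table) -> (vlan, port) (switch table); None if either hop is missing."""
    mac = parse_arp_table(arp_text).get(ip)
    if mac is None:
        return None
    hit = parse_mac_table(mac_text).get(mac)
    return None if hit is None else (mac, hit[0], hit[1])
```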

Routers connect multiple devices to the Internet and to each other, and can be used to create local networks of devices. Unlike switches, routers can route connections between different networks. Routers can be classified as enterprise, consumer, or custom.

Firewalls are systems created to prevent unauthorized access to or from a private network. Firewall logs contain information on successful and failed connection attempts, the protocols used, and the applications involved.


Network Forensics – Week 10

This week, we learned about log correlation and analysis. There are various sources of logs, including OS logs (event logs, syslog), application logs (SMTP logs, server logs), physical device logs (camera logs, UPS logs), and network equipment logs.

Windows logs are usually the trigger that starts the investigation; in Windows 10 you can access them through Event Viewer. Windows logs include event logs, firewall logs, setup logs, browsing history, and shortcuts.

Log analysis is the review of computer-generated records called logs; it can be done with Splunk (splunk.com), which is free for under 500 MB of data a day and runs on many platforms.
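The kind of correlation rule a SIEM such as Splunk applies to these logs (the Week 12 notes describe a SIEM turning collected logs into alerts), written out in plain Python as an added example that is not part of the original posts: it parses sshd-style syslog lines and raises an alert when at least five failed logins from one source address within a minute are followed by a successful login from the same address. The log lines, host name and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed syslog-style auth lines (not from a real system): ISO time, host, sshd message.
AUTH_LOG = """\
2024-03-01T09:00:01 srv1 sshd[812]: Failed password for admin from 203.0.113.7 port 51120 ssh2
2024-03-01T09:00:03 srv1 sshd[812]: Failed password for admin from 203.0.113.7 port 51121 ssh2
2024-03-01T09:00:04 srv1 sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2
2024-03-01T09:00:06 srv1 sshd[812]: Failed password for admin from 203.0.113.7 port 51123 ssh2
2024-03-01T09:00:09 srv1 sshd[812]: Failed password for admin from 203.0.113.7 port 51124 ssh2
2024-03-01T09:00:15 srv1 sshd[812]: Accepted password for admin from 203.0.113.7 port 51125 ssh2
2024-03-01T09:05:00 srv1 sshd[813]: Failed password for bob from 198.51.100.9 port 40000 ssh2
2024-03-01T09:05:30 srv1 sshd[813]: Accepted password for bob from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port"
)

def parse_auth_log(text: str) -> List[dict]:
    """Turn raw lines into event dicts with a real datetime; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "ok": outcome == "Accepted", "user": user, "src": src})
    return events

def brute_force_alerts(events: List[dict], threshold: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> List[Dict[str, str]]:
    """Correlation rule: >= threshold failures from one source within `window`,
    then a success from the same source, raises one alert per (host, source)."""
    failures = defaultdict(list)          # (host, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]   # drop stale failures
        if not ev["ok"]:
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"host": ev["host"], "src": ev["src"], "user": ev["user"],
                           "failures": str(len(recent)), "at": ev["ts"].isoformat()})
            recent = []                   # alert once per burst, then start counting again
        failures[key] = recent
    return alerts
```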


Network Forensics – Week 8

This week, we learned about Network Intrusion Detection and Analysis.

NIDS (Network Intrusion Detection System) is a system that detects malicious traffic on a network. A NIDS requires promiscuous network access to analyze traffic such as unicast traffic. A NIDS does not interfere with the traffic it monitors, so it can be considered a passive device.

NIPS (Network Intrusion Prevention System) is a network threat prevention technology that examines network traffic flows to detect and prevent exploits of existing vulnerabilities. It works by actively scanning forwarded network traffic for malicious activity.

HIDS (Host Intrusion Detection System)


Network Forensics – Week 7

This week, we learned about network forensics in wireless networks. Cases involving wireless networks include recovering stolen gadgets by tracking them on the wireless network, investigating malicious or suspicious activity in a wireless network, and investigating attacks on a wireless network, including DDoS, encryption cracking, and authentication bypass attacks.

Common wireless devices involved are AM/FM radios, smartphones, Bluetooth headsets, infrared devices, Wi-Fi equipment, etc.


Network Forensics – Week 5

This week, we learned about the techniques and tools that can be used for evidence acquisition by capturing or sniffing packets. Physical interception refers to the passive acquisition of packets as the data is transmitted over the wire. Hardware that can be used for packet sniffing includes inline network taps, vampire taps, induction coils, and fiber-optic taps.

Evidence acquisition using software can be done with tools such as Wireshark, tcpdump, nmap, ssh, etc.

tcpdump -D lists the network interfaces available for capture.

tcpdump -i <interface> captures and prints the packets seen on the given interface (lowercase -i; the uppercase -I flag instead puts a wireless interface into monitor mode).


Network Forensics – Week 4

This week, we learned about the tools required to acquire evidence and to analyze it. A pcap file can be used as evidence alongside many other sources.

Flow analysis is a technique of monitoring network activity to identify anomalies such as security or operational issues. It involves collecting a real-time and historical record of network activity, and it can also reveal malware activity such as ransomware. Wireshark is one of the most popular and reliable tools for flow analysis.
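As an added example that is not part of the original notes, the following Python builds a small pcap file in memory (so it runs without a live capture) and then performs the flow analysis the paragraph describes: it walks the pcap records, decodes the Ethernet/IPv4/TCP headers, and aggregates packets into 5-tuple flows with packet and byte counts, the per-flow view that Wireshark’s Conversations statistics give. The frame builder, addresses and payloads are constructed for the example.

```python
import struct
from collections import defaultdict
from typing import Dict, List

def _ipv4_tcp_frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP bytes with zeroed checksums: enough for a parser, not for sending."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames: List[bytes]) -> bytes:
    """Classic libpcap container: 24-byte global header, then 16-byte record header + frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

# Constructed evidence file: a client sending three requests to a web server, which replies once.
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame("192.168.1.20", 51000, "198.51.100.10", 80, b"GET / HTTP/1.1\r\n\r\n"),
    _ipv4_tcp_frame("198.51.100.10", 80, "192.168.1.20", 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    _ipv4_tcp_frame("192.168.1.20", 51000, "198.51.100.10", 80, b"GET /a HTTP/1.1\r\n\r\n"),
    _ipv4_tcp_frame("192.168.1.20", 51000, "198.51.100.10", 80, b"GET /b HTTP/1.1\r\n\r\n"),
])

def flows_from_pcap(data: bytes) -> Dict[tuple, Dict[str, int]]:
    """Aggregate packets into unidirectional flows keyed by (src, sport, dst, dport, proto)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"      # pcap headers use the writer's byte order
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("example only handles Ethernet (linktype 1) captures")
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        pkt = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                    # only IPv4 over Ethernet is counted
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        src, dst = ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34]))
        ports = (0, 0)
        if proto in (6, 17) and len(pkt) >= 18 + ihl:   # TCP/UDP ports follow the IP header
            ports = struct.unpack_from("!HH", pkt, 14 + ihl)
        f = flows[(src, ports[0], dst, ports[1], proto)]
        f["packets"] += 1
        f["bytes"] += len(pkt)
    return dict(flows)
```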


Network Forensic – Week 2

This week, we learned about the sources of network-based evidence such as:

  • On the wire: the physical cabling that carries data over the network; can provide real-time network data through wire tapping.
  • In the air: wireless signals between stations (radio frequency, infrared); can reveal access points and MAC addresses.
  • Switches: physically connect network segments; can capture and preserve network traffic.
  • Routers: connect traffic between networks or subnets; can function as a packet sniffer or intrusion detection point.
  • DHCP Server: assigns IP addresses automatically to LAN stations; can provide the IP address and MAC address of the requesting device.
  • DNS Server: maps between host names and IP addresses; can help create a timeline of suspect activity.
  • NIDS/NIPS: monitor real-time network traffic; provide timely information.
  • Centralized Log Server: combines event logs from various sources; can help identify and respond to network security events, and preserves the data if one server is compromised, etc.

Internetworking is the process of connecting different networks using devices such as routers, so that networks owned and operated by different entities can communicate using the Internet routing protocols and common data communication standards.

The Internet protocol suite that forensic investigators must know is the TCP/IP model, which consists of 4 layers: Application, Transport, Internet, and Network Access. They must also have a clear understanding of flow record analysis, packet analysis, and web proxy dissection.


Network Forensics – Week 1

Network forensics is a sub-branch of digital forensics concerning the capture, recording, and analysis of network events, with the purpose of discovering the source of security attacks, gathering information, and finding legal evidence.

There are many resources that can be used as evidence, such as CCTV, emails, logs, browser history, cache files, ISP logs, etc. This evidence can be categorized as real, best, direct, circumstantial, hearsay, and business records.

There are two investigation methods in network forensics:

OSCAR:

  • Obtain Information
  • Strategize: identify possible source of evidence and estimate cost to obtain it
  • Collect evidence
  • Analyze
  • Report

TAARA:

  • Trigger: incident that leads to investigation
  • Acquire: collect evidence
  • Analysis
  • Report
  • Action

Ethical Hacking- Burp Suite

This tutorial is 100% for educational purposes only. Any time the word “Hacking” is used on this site, it shall be regarded as Ethical Hacking. Do not attempt to violate the law with anything contained here. If you plan to use the content for illegal purposes, then please leave this site immediately! We will not be responsible for any illegal actions.

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Usage Example:

Attempting to open google.com

Go to Proxy > Intercept:

You can see that the request is intercepted by Burp Suite.

Posted in Ethical Hacking | Leave a comment