Network Forensics: Tracking Hackers through Cyberspace

Book Description

“This is a must-have work for anybody in information security, digital forensics, or involved with incident handling. As we move away from traditional disk-based analysis into the interconnectivity of the cloud, Sherri and Jonathan have created a framework and roadmap that will act as a seminal work in this developing field.”

– Dr. Craig S. Wright (GSE), Asia Pacific Director at Global Institute for Cyber Security + Research.

“It’s like a symphony meeting an encyclopedia meeting a spy novel.”

– Michael Ford, Corero Network Security

On the Internet, every action leaves a mark–in routers, firewalls, web proxies, and within network traffic itself. When a hacker breaks into a bank, or an insider smuggles secrets to a competitor, evidence of the crime is always left behind.

Learn to recognize hackers’ tracks and uncover network-based evidence in Network Forensics: Tracking Hackers through Cyberspace. Carve suspicious email attachments from packet captures. Use flow records to track an intruder as he pivots through the network. Analyze a real-world wireless encryption-cracking attack (and then crack the key yourself). Reconstruct a suspect’s web surfing history–and cached web pages, too–from a web proxy. Uncover DNS-tunneled traffic. Dissect the Operation Aurora exploit, caught on the wire.

Throughout the text, step-by-step case studies guide you through the analysis of network-based evidence. You can download the evidence files from the authors’ web site (lmgsecurity.com), and follow along to gain hands-on experience.

Hackers leave footprints all across the Internet. Can you find their tracks and solve the case? Pick up Network Forensics and find out.

Table of Contents

  1. Title Page
  2. Copyright Page
  3. Dedication Page
  4. Contents
  5. Foreword
  6. Preface
    1. 0.1 The Changing Landscape
    2. 0.2 Organization
    3. 0.3 Tools
    4. 0.4 Case Studies
    5. 0.5 Errata
    6. 0.6 Final Notes
  7. Acknowledgments
  8. About the Authors
  9. Part I. Foundation
    1. Chapter 1. Practical Investigative Strategies
      1. 1.1 Real-World Cases
      2. 1.2 Footprints
      3. 1.3 Concepts in Digital Evidence
      4. 1.4 Challenges Relating to Network Evidence
      5. 1.5 Network Forensics Investigative Methodology (OSCAR)
      6. 1.6 Conclusion
    2. Chapter 2. Technical Fundamentals
      1. 2.1 Sources of Network-Based Evidence
      2. 2.2 Principles of Internetworking
      3. 2.3 Internet Protocol Suite
      4. 2.4 Conclusion
    3. Chapter 3. Evidence Acquisition
      1. 3.1 Physical Interception
      2. 3.2 Traffic Acquisition Software
      3. 3.3 Active Acquisition
      4. 3.4 Conclusion
  10. Part II. Traffic Analysis
    1. Chapter 4. Packet Analysis
      1. 4.1 Protocol Analysis
      2. 4.2 Packet Analysis
      3. 4.3 Flow Analysis
      4. 4.4 Higher-Layer Traffic Analysis
      5. 4.5 Conclusion
      6. 4.6 Case Study: Ann’s Rendezvous
    2. Chapter 5. Statistical Flow Analysis
      1. 5.1 Process Overview
      2. 5.2 Sensors
      3. 5.3 Flow Record Export Protocols
      4. 5.4 Collection and Aggregation
      5. 5.5 Analysis
      6. 5.6 Conclusion
      7. 5.7 Case Study: The Curious Mr. X
    3. Chapter 6. Wireless: Network Forensics Unplugged
      1. 6.1 The IEEE Layer 2 Protocol Series
      2. 6.2 Wireless Access Points (WAPs)
      3. 6.3 Wireless Traffic Capture and Analysis
      4. 6.4 Common Attacks
      5. 6.5 Locating Wireless Devices
      6. 6.6 Conclusion
      7. 6.7 Case Study: HackMe, Inc.
    4. Chapter 7. Network Intrusion Detection and Analysis
      1. 7.1 Why Investigate NIDS/NIPS?
      2. 7.2 Typical NIDS/NIPS Functionality
      3. 7.3 Modes of Detection
      4. 7.4 Types of NIDS/NIPSs
      5. 7.5 NIDS/NIPS Evidence Acquisition
      6. 7.6 Comprehensive Packet Logging
      7. 7.7 Snort
      8. 7.8 Conclusion
      9. 7.9 Case Study: InterOptic Saves the Planet (Part 1 of 2)
  11. Part III. Network Devices and Servers
    1. Chapter 8. Event Log Aggregation, Correlation, and Analysis
      1. 8.1 Sources of Logs
      2. 8.2 Network Log Architecture
      3. 8.3 Collecting and Analyzing Evidence
      4. 8.4 Conclusion
      5. 8.5 Case Study: L0ne Sh4rk’s Revenge
    2. Chapter 9. Switches, Routers, and Firewalls
      1. 9.1 Storage Media
      2. 9.2 Switches
      3. 9.3 Routers
      4. 9.4 Firewalls
      5. 9.5 Interfaces
      6. 9.6 Logging
      7. 9.7 Conclusion
      8. 9.8 Case Study: Ann’s Coffee Ring
    3. Chapter 10. Web Proxies
      1. 10.1 Why Investigate Web Proxies?
      2. 10.2 Web Proxy Functionality
      3. 10.3 Evidence
      4. 10.4 Squid
      5. 10.5 Web Proxy Analysis
      6. 10.6 Encrypted Web Traffic
      7. 10.7 Conclusion
      8. 10.8 Case Study: InterOptic Saves the Planet (Part 2 of 2)
  12. Part IV. Advanced Topics
    1. Chapter 11. Network Tunneling
      1. 11.1 Tunneling for Functionality
      2. 11.2 Tunneling for Confidentiality
      3. 11.3 Covert Tunneling
      4. 11.4 Conclusion
      5. 11.5 Case Study: Ann Tunnels Underground
    2. Chapter 12. Malware Forensics
      1. 12.1 Trends in Malware Evolution
      2. 12.2 Network Behavior of Malware
      3. 12.3 The Future of Malware and Network Forensics
      4. 12.4 Case Study: Ann’s Aurora
  13. Afterword
  14. Index