DFTT week14 DB

mary29
Chapter12.pptx

Chapter 12

Searching the Network

Purpose of Investigation

Internal investigations

Misuse of company resources

Penetration analysis

Intrusion detection

Scope of the Investigation

Local area networks

Application Service Providers (ASP)

Cloud computing

Initial Response

Identify the actual problem

Decide on an action

Should the connections be broken or back-traced?

Is conviction worth the risk of data loss?

Lock down a time frame

Isolate the source of the nefarious activity

Identify the potential suspect(s)

Point of a Response Plan

Have a list of IT personnel available

Have tools in place for analyzing network activity

Prepare secure lines of communication that can’t be tapped

Create and test a plan of action for returning systems to normal

Have a good review process in place

When to do Proactive Collection

Current and ongoing intrusions

Ongoing theft of data

Misuse of company resources

Suspicion of data export

Internal systems may have been compromised

When ascertaining whether malicious software has been embedded in the system

To determine how the intrusion was accomplished

Proactive Methods

Keyloggers

Can be hardware or software based

May be subject to legal challenge

System auditing

Know what to audit and how

Collect audit logs before they are automatically deleted

Network Capture

Determining authenticity

Proxy servers alter IP addresses

Onion routing encapsulates original packets

IP spoofing rewrites the originating IP address

Identifying traffic

Narrow the range of targeted traffic

Identify a specific acquisition window

Performing a Network Capture

Put network interface into promiscuous mode

Configure utility (such as Wireshark) to collect packets

Identify and configure a storage pool for captured traffic

Analyzing the Capture

Protocol identification

IP address inventory

Message sessionizing

A to B

B to A

A or B to any

Collecting Live Connection Data

A small batch file can collect:

Time/date information

NetBIOS connections

User statistics

File shares open

Open sessions

Collect information only as it currently exists
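A live-response batch file of the kind the slide describes, added here as an example (it is not part of the original slides); the evidence path E:\evidence is an assumed placeholder and should point at removable or remote storage, never at the suspect host's own disk.

```batch
@echo off
REM Live-response collector (added example, not from the original slides).
REM Run from an elevated prompt on the suspect host; write output to removable
REM or remote evidence storage so nothing on the local disk is overwritten.
REM E:\evidence is an assumed placeholder path.
setlocal
set "OUT=E:\evidence\%COMPUTERNAME%_live.txt"

echo ===== Live collection on %COMPUTERNAME% ===== > "%OUT%"
REM Record time/date stamps first so every later item is anchored in time.
echo [Collection start] >> "%OUT%"
date /t >> "%OUT%" 2>&1
time /t >> "%OUT%" 2>&1

REM NetBIOS connections: local name table and the current session table
REM (remote IP addresses of hosts with NetBIOS sessions to or from this machine).
echo [NetBIOS connections] >> "%OUT%"
nbtstat -n >> "%OUT%" 2>&1
nbtstat -S >> "%OUT%" 2>&1

REM User statistics: local accounts and workstation service counters since boot.
echo [User statistics] >> "%OUT%"
net user >> "%OUT%" 2>&1
net statistics workstation >> "%OUT%" 2>&1

REM File shares open: shares exported by this host and files currently opened
REM over the network by remote users.
echo [File shares open] >> "%OUT%"
net share >> "%OUT%" 2>&1
net file >> "%OUT%" 2>&1

REM Open sessions: remote SMB sessions to this host.
echo [Open sessions] >> "%OUT%"
net session >> "%OUT%" 2>&1

echo [Collection end] >> "%OUT%"
time /t >> "%OUT%" 2>&1

REM Hash the evidence file so later modification can be detected.
certutil -hashfile "%OUT%" SHA256 > "%OUT%.sha256"
endlocal
```

net session and net file report an access error when the prompt is not elevated; the 2>&1 redirection keeps that failure in the log instead of silently leaving the section empty.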

Post Incident Collection

Event logs

Application log

Security log

System log

Application logs (not Windows)

Router and Switch Forensics

Don’t analyze the device over the network

Enable logging before connecting to the device

Record all volatile information first

Record time-date stamps

Router Data to Collect

Router OS

Router logs

Startup and running configurations

Routing tables

Access lists

NAT translation tables

List of interfaces