Response to discussions - DF

Topic: Since information extracted from router or switch interfaces does not provide specific evidence of a particular crime in most cases, what use is the information collected from these devices?

Read and respond to at least two other students' discussions (5-6 lines would be sufficient).

#1.Posted by Srikanth

Routers and switches provide availability, both inside the demilitarized zone (DMZ) environment and to the different areas of the network to which the DMZ is connected. This makes routers and switches prime targets for hackers to exploit, to gather data about the network, or simply to use as springboards to other devices. This section presents information on how to configure some significant router and switch security features that enable them to run safely and protect the devices that they connect. Routers direct traffic throughout the enterprise network and are normally the first line of defense when the network is connected to the Internet. Hackers try to infiltrate routers to gather data or use them as launching pads for further attacks. This is the reason it is critical to secure switches' management interfaces and services, to make them difficult for an intruder to hack. As with routers, switches have an expanding role in network security. The switch provides many features, including port security. VLANs and PVLANs provide the tools to keep the devices on the DMZ secure. It is also important to secure the switch's management interfaces and services so that hackers cannot break into the switch to change VLAN configurations, change port settings, or use the switch to connect to other parts of the network.

Network forensics is the capture, recording and analysis of network packets in order to determine the source of network security attacks. The major goal of network forensics is to collect evidence. It tries to analyze network traffic data, which is collected from different sites and different network equipment, such as firewalls and IDS. In addition, it monitors the network to detect attacks and analyze the nature of attackers. Network forensics is also the process of detecting intrusion patterns, focusing on attacker activity.

Computer documents, emails, text and instant messages, transactions, images and Internet histories are examples of information that can be gathered from electronic devices and used very effectively as evidence. For example, mobile devices use online backup systems, also known as the "cloud", that provide forensic investigators with access to text messages and pictures taken from a particular phone. These systems keep an average of 1,000-1,500 or more of the last text messages sent to and received from that phone. In addition, many mobile devices store information about the locations where the device traveled and when it was there. To gain this knowledge, investigators can access an average of the last 200 cell locations accessed by a mobile device. Satellite navigation systems and satellite radios in cars can provide similar information. Even photos posted to social media such as Facebook may contain location information. Photos taken with a Global Positioning System (GPS)-enabled device contain file data that shows when and exactly where a photo was taken. By gaining a subpoena for a particular mobile device account, investigators can collect a great deal of history related to a device and the person using it.
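The post above argues that securing the management interfaces and services of routers and switches (SSH rather than telnet, encrypted passwords, port security on access ports, SNMP that is not left at defaults) is what keeps these devices from becoming springboards. The following script is an added example, not part of the student's post or of any vendor tool: it audits an IOS-style configuration for exactly those weaknesses and shows a weak configuration beside a hardened one. Both configurations are constructed for this example; the command syntax follows Cisco IOS conventions, but the checks are illustrative rather than a complete hardening baseline, and the `enable secret` value is a placeholder.

```python
"""Audit an IOS-style switch/router configuration for management-plane and
port-security weaknesses.  Configurations below are constructed samples; the
check list is illustrative, not an exhaustive hardening baseline."""
import re

# Constructed sample: a DMZ switch with several common weaknesses.
WEAK_CONFIG = """\
hostname dmz-sw1
enable password cisco123
snmp-server community public RO
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode trunk
!
line vty 0 4
 transport input telnet
 login local
"""

# Constructed sample: the same switch with the weaknesses corrected.
# (A real running-config shows a hash for 'enable secret', not this placeholder.)
HARDENED_CONFIG = """\
hostname dmz-sw1
service password-encryption
enable secret S3cureEnable-placeholder
logging host 10.0.0.5
snmp-server community s3cr3tRO RO 10
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface GigabitEthernet0/2
 switchport mode trunk
!
line vty 0 4
 transport input ssh
 login local
"""


def parse_blocks(config):
    """Split config text into (header, [indented sub-commands]) blocks.

    Top-level commands become headers with an empty sub-command list, so the
    list of headers doubles as the list of global commands."""
    blocks = [("", [])]
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def audit_config(config):
    """Return a list of (scope, finding) tuples; an empty list means no findings."""
    findings = []
    blocks = parse_blocks(config)
    top = [hdr for hdr, _ in blocks]

    # Management-plane and logging checks (global commands).
    if not any(h.startswith("enable secret") for h in top):
        findings.append(("global", "no 'enable secret' (only a plaintext/type-7 enable password, or none)"))
    if "service password-encryption" not in top:
        findings.append(("global", "'service password-encryption' not set"))
    if not any(h.startswith("logging host") for h in top):
        findings.append(("global", "no syslog destination: device events are not preserved off-box"))
    for h in top:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", h)
        if m:
            if m.group(1).lower() in ("public", "private"):
                findings.append(("global", f"default SNMP community '{m.group(1)}'"))
            if m.group(3) is None:
                findings.append(("global", f"SNMP community '{m.group(1)}' has no access-list restriction"))

    # Per-line and per-interface checks.
    for header, lines in blocks:
        if header.startswith("line vty"):
            for l in lines:
                if l.startswith("transport input") and "telnet" in l:
                    findings.append((header, "telnet permitted on management lines"))
        elif header.startswith("interface") and "switchport mode access" in lines:
            if "switchport port-security" not in lines:
                findings.append((header, "access port without port-security"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for scope, msg in audit_config(cfg):
            print(f"  [{scope}] {msg}")
```

Run against the weak sample it reports seven findings (no `enable secret`, no `service password-encryption`, no syslog host, the default `public` community twice over, telnet on the vty lines, and an access port without port security); the hardened sample reports none. The same loop can be pointed at a saved `show running-config` to check that the evidence-preserving settings the post mentions, above all the syslog destination, were in place before an incident.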

#2.Posted by Naresh

Digital forensics is a special branch of forensic science and plays a vital role in reducing cyber-crime, including the identification, recovery, investigation, validation, and presentation of facts regarding digital evidence found on computers, network devices and storage media devices that deal with digital data. In solving cyber-crimes, evidence collected from network devices like routers and switches is used as a second source of event corroboration, which is extremely useful in determining the root cause of an incident. The ability to obtain network-based evidence is mainly dependent on the preparations that are undertaken by the business organization prior to an incident. Without some critical components of a proper infrastructure security program, key pieces of evidence will not be available to incident responders in a timely manner; the critical components of this preparation include appropriate network documentation, up-to-date configurations of network devices, and the deployment and maintenance of a central syslog server.


Coming to the network device as evidence in an investigation, it is necessary to mention what kind of evidence can be extracted from these devices. A range of companies provide these network devices, and in the evidence collection process the specialist should become familiar with how to access these devices and obtain the necessary evidence. Switches are the backbone of local area networks, where they handle the traffic for individual segments. Switches have two key points of evidence. The first is the Content Addressable Memory (CAM) table. This CAM table maps the physical ports on the switch to the Network Interface Card (NIC) on each device connected to the switch. This can aid in the identification of possible rogue devices. The second way switches can aid in an incident investigation is by facilitating network traffic capture. The second type of network device is the router, which allows organizations to connect multiple LANs into either Metropolitan Area Networks or Wide Area Networks and handles an extensive amount of traffic. The key piece of evidentiary information that routers contain is the routing table. This table holds the information for the specific physical ports that map to the networks.

To identify potential sources of evidence, incident responders need to have a solid understanding of evidence from a wide range of sources. Different types of logs are the key thing when it comes to evidence collection, including logging as close to the event as possible, documenting failures, and logs from compromised systems. Data collected by Discovery on network routers and switches is identified by a table field corresponding to the source or destination, for example "IP address cmdb_ci_network_adapter, sourced from SNMP, IP MIB". In router forensics, some CLI commands ("show access-list", "show clock", "show ip route" and "show startup") produce relevant evidence that can be used as secondary evidence in most cyber-crime investigations.
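The post above names the two artifacts an investigator pulls from these devices, the switch CAM table and the router routing table, and describes them as a second source of corroboration rather than direct evidence of a crime. The script below is an added example, not part of the student's post: it parses constructed `show mac address-table`, `show ip arp` and `show ip route` output in Cisco IOS format and uses it the way the post describes, by mapping a suspect IP from an alert to the switch port it was behind, listing learned MAC addresses that are absent from an asset inventory (candidate rogue devices), and finding the longest-prefix route that would have carried traffic to a destination. All command output, IP addresses, MAC addresses and the inventory are constructed for this example; the route parser only handles single-token route codes such as `C`, `S*` and `O`.

```python
"""Turn switch/router show-command output into corroborating evidence:
suspect IP -> MAC -> switch port, learned MACs not in inventory, and the
route that carried traffic to a destination.  All output below is
constructed in Cisco IOS format for this example, not from a real device."""
import ipaddress
import re

CAM_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56a1.0001    DYNAMIC     Gi0/1
  10    0050.56a1.0002    DYNAMIC     Gi0/2
  20    d4be.d9aa.0003    DYNAMIC     Gi0/3
"""

ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.0.11              5   0050.56a1.0001  ARPA   Vlan10
Internet  10.20.0.7               1   d4be.d9aa.0003  ARPA   Vlan20
"""

ROUTE_OUTPUT = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 203.0.113.1
C     10.10.0.0/24 is directly connected, Vlan10
C     10.20.0.0/24 is directly connected, Vlan20
O     10.30.0.0/24 [110/20] via 10.20.0.254, 02:11:05, Vlan20
"""

# IOS prints MACs as three dotted groups of four hex digits.
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"


def parse_cam(text):
    """mac -> (vlan, port) from 'show mac address-table' output."""
    table = {}
    for m in re.finditer(r"^\s*(\d+)\s+" + MAC + r"\s+\w+\s+(\S+)", text, re.M):
        table[m.group(2)] = (m.group(1), m.group(3))
    return table


def parse_arp(text):
    """ip -> mac from 'show ip arp' output (ARPA entries)."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"^Internet\s+(\S+)\s+\S+\s+" + MAC + r"\s+ARPA", text, re.M)}


def parse_routes(text):
    """[(network, next-hop IP or connected interface)] from 'show ip route'.

    Only single-token route codes (C, S*, O, ...) are handled; the
    'Gateway of last resort' line and blanks are skipped by the regex."""
    routes = []
    for m in re.finditer(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(.*)$", text, re.M):
        rest = m.group(3)
        via = re.search(r"via ([\d.]+)", rest)
        conn = re.search(r"directly connected, (\S+)", rest)
        hop = via.group(1) if via else (conn.group(1) if conn else rest)
        routes.append((ipaddress.ip_network(m.group(2)), hop))
    return routes


def locate_host(ip, arp, cam):
    """Map a suspect IP from an alert or syslog line to the MAC and switch port behind it.

    Returns None when the IP was not in the ARP cache or its MAC was not learned."""
    mac = arp.get(ip)
    if mac is None or mac not in cam:
        return None
    vlan, port = cam[mac]
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port}


def find_rogue_macs(cam, inventory):
    """Learned MACs absent from the asset inventory: candidates for rogue devices."""
    return sorted(set(cam) - set(inventory))


def route_for(ip, routes):
    """Longest-prefix match: the route a packet to `ip` would have taken, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None
    net, hop = max(matches, key=lambda r: r[0].prefixlen)
    return (str(net), hop)


if __name__ == "__main__":
    cam, arp, routes = parse_cam(CAM_OUTPUT), parse_arp(ARP_OUTPUT), parse_routes(ROUTE_OUTPUT)
    inventory = {"0050.56a1.0001", "0050.56a1.0002"}   # constructed asset list
    print(locate_host("10.10.0.11", arp, cam))
    print(find_rogue_macs(cam, inventory))
    print(route_for("10.30.0.5", routes))
```

Note the caveat that motivates the discussion topic: a CAM table entry ages out within minutes and the ARP cache is equally volatile, so `locate_host` only corroborates an alert if the tables were captured (or logged to the central syslog server the post mentions) close to the time of the event, and a port-to-MAC mapping identifies a device, not the person using it.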