Network Forensics

Network Forensics - 10/7/2011 Network Forensics Wm. Arthur...

Slide 1: Network Forensics
Wm. Arthur Conklin, PhD
Assistant Professor, Department of Information & Logistics Technology, College of Technology
10/7/2011

Slide 2: Agenda
o Network Flow Analysis
o Network Forensics

2011 Wm. Arthur Conklin, PhD
Slide 3: NetFlow Overview
o Developed by Cisco Systems in 1996
o The value of the information in the cache was a secondary discovery
  » Initially designed as a switching path
o NetFlow is now the primary network accounting technology in the industry
o Answers questions regarding IP traffic: who, what, where, when, and how
o NetFlow version 9 is an IETF standard

Slide 4: NetFlow Versions
Slide 5: NetFlow
o Version 9 is designed for export
o Analysis by separate tools
o Sampling vs. billing

What is a flow?
Defined by seven unique keys:
1. Source IP address
2. Destination IP address
3. Source port
4. Destination port
5. Layer 3 protocol
6. TOS byte (DSCP)
7. Input interface (ifIndex)
Exported data
A flow is unidirectional!
Slide 7
A sending to B is one flow entry on every NetFlow-capable router/switch in the path.
B acknowledging A is a 2nd flow.

Slide 8: Flow data
o Things to keep in mind
  » This is easy data to get, so make sure you do.
  » Better used to figure out where to look than to figure out exactly what happened.
  » Even when you’re not on an investigation, you should collect flow data to do baselining.
  » Visualization helps a lot.
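As an added example (not part of the slides), here is a small Python flow-cache builder that keys packets on the seven fields listed above and then ranks the resulting flows by bytes, which is the "where to look" use of flow data the slide describes. It shows why A's traffic to B and B's acknowledgements back to A end up as two separate flow entries; the packet records, addresses, interface numbers and helper names are all constructed for the illustration.

```python
from collections import namedtuple, defaultdict
from dataclasses import dataclass

# The seven NetFlow key fields from the slides; every packet with the same
# key is accounted to the same unidirectional flow.
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto tos if_index")


@dataclass
class FlowRecord:
    packets: int = 0
    octets: int = 0


def flow_key(pkt):
    """Build the seven-tuple key. Direction is baked into the key (src/dst are
    ordered), so reply traffic never merges with the request traffic."""
    return FlowKey(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                   pkt["proto"], pkt["tos"], pkt["ifindex"])


def build_flow_cache(packets):
    """Aggregate packet records into flow records the way a router's cache would."""
    cache = defaultdict(FlowRecord)
    for pkt in packets:
        rec = cache[flow_key(pkt)]
        rec.packets += 1
        rec.octets += pkt["len"]
    return dict(cache)


def top_talkers(cache, n=3):
    """Rank flows by bytes: flow data tells you where to look, not what happened."""
    return sorted(cache.items(), key=lambda kv: kv[1].octets, reverse=True)[:n]


# Constructed sample (not real traffic): host A fetches a page from server B.
# B's replies enter the router on a different interface than A's requests.
A, B = "10.0.0.5", "192.0.2.10"
SAMPLE_PACKETS = [
    dict(src=A, dst=B, sport=51000, dport=80, proto=6, tos=0, ifindex=1, len=74),
    dict(src=B, dst=A, sport=80, dport=51000, proto=6, tos=0, ifindex=2, len=74),
    dict(src=A, dst=B, sport=51000, dport=80, proto=6, tos=0, ifindex=1, len=66),
    dict(src=A, dst=B, sport=51000, dport=80, proto=6, tos=0, ifindex=1, len=512),
    dict(src=B, dst=A, sport=80, dport=51000, proto=6, tos=0, ifindex=2, len=1500),
    dict(src=B, dst=A, sport=80, dport=51000, proto=6, tos=0, ifindex=2, len=1500),
    dict(src=A, dst="192.0.2.53", sport=40000, dport=53, proto=17, tos=0, ifindex=1, len=70),
]

if __name__ == "__main__":
    for key, rec in top_talkers(build_flow_cache(SAMPLE_PACKETS)):
        print(f"{key.src_ip}:{key.src_port} -> {key.dst_ip}:{key.dst_port} "
              f"proto={key.proto} pkts={rec.packets} octets={rec.octets}")
```

Running it yields three flows from seven packets: A to B, B to A, and a separate DNS flow, with the B to A direction carrying the most bytes.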
Slide 9: Flow data visualization
o http://www.networkuptime.com/tools/netflow/
o ects
o TONS more
Source: plixer.com, vizworld.com, networkuptime.com

Slide 10: Network Forensics
Slide 11: Definition
o Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
o (The term, attributed to firewall expert Marcus Ranum, is borrowed from the legal and criminology fields, where forensics pertains to the investigation of crimes.)

Slide 12: Paths
o All data leaves a trail.
o The search for data leaves a trail.
o The erasure of data leaves a trail.
o The absence of data, under the right circumstances, can leave the clearest trail of all.
Slide 13: Basic Principles
o Principle 1
  » Preserve the evidence in an unchanged state
o Principle 2
  » Document the investigative process thoroughly and completely
Investigate as if LE will be called in and the attackers will be prosecuted.

Slide 14: Who to Call
o If there is even the slightest chance that you may prosecute an individual or organization based on evidence obtained during your forensic investigation, I highly recommend that you obtain assistance from qualified forensic analysts and/or technology-minded law enforcement officers.