To perform the exercises covered in this chapter, you will require the following:

• A laptop/desktop computer with an i5/i7 processor or any other equivalent AMD processor with at least 8 GB RAM and around 100 GB of free space.
• VMware Player/VirtualBox installation with Kali OS installed. You can download it from https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/.
• Installing Wireshark on Windows: https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallWinInstall.html.
• Netcat From Kali Linux (already installed).
• Download NetworkMiner from https://www.netresec.com/?page=Networkminer.
• The PCAP files for this chapter, downloaded from https://github.com/nipunjaswal/networkforensics/tree/master/Ch1.

Every investigation requires a precise methodology. We will discuss the popular network forensics methodology used...

To assure accurate and meaningful results at the end of a network forensic exercise, you, as a forensic investigator, must follow a rigid path through a methodological framework. This path is shown in the following diagram:

Obtain, Strategize, Collect, Analyze, and Report (OSCAR) is one such framework that ensures appropriate and constant results. Let's look at each phase from a network forensics point of view:

• Obtain information: Obtaining information about the incident and the environment is one of the first things to do in a network forensics exercise. The goal of this phase is to familiarize a forensic investigator with the type of incident. The timestamps and timeline of the event, the people, systems, and endpoints involved in the incident—all of these facts are crucial in building up a detailed...

Network evidence can be collected from a variety of sources and we will discuss these sources in the next section. The sources that we will be discussing are:

• Tapping the wire and the air
• CAM table on a network switch
• Routing tables on routers
• Dynamic Host Configuration Protocol logs
• DNS server logs
• Domain controller/ authentication servers/ system logs
• IDS/IPS logs
• Firewall logs
• Proxy Server logs

One of the purest and most raw forms of information capture is to put taps on network and optical fiber cables to snoop on traffic.

 Many commercial vendors provide network taps and SPAN ports on their devices for snooping...

Readers who are familiar with the basics of Wireshark can skip this section and proceed with the case studies; however, readers who are unfamiliar with the basics or who need to brush up on Wireshark essentials, can feel free to continue through this section. Let's look at some of the most basic features of Wireshark. Look at the following screenshot:

Once we execute Wireshark, we are presented with a screen similar to the preceding picture. On the left-hand side, we have a list of the available interfaces to capture packets from. In the middle, we have recent packet capture files and on the right- hand side, we have online help and user guides. To start a new packet-capture, you can select an interface, such as Ethernet, if you are connected over the wire, or Wi-Fi, if you are connected on a wireless network. Similarly...

Consider a scenario where an attacker has planted a keylogger on one of the systems in the network. Your job as an investigator is to find the following pieces of information:

• Find the infected system
• Trace the data to the server
• Find the frequency of the data that is being sent
• Find what other information is carried besides the keystrokes
• Try to uncover the attacker
• Extract and reconstruct the files that have been sent to the attacker

Additionally, in this exercise, you need to assume that the packet capture (PCAP) file is not available and that you have to do the sniffing-out part as well. Let's say that you are connected to a mirror port on the network where you can see all the data traveling to and from the network.

Let's analyze another capture file from https://github.com/nipunjaswal/networkforensics/blob/master/Ch1/Two%20to%20Many/twotomany.pcap, that we currently don't know any details about and try reconstructing the chain of events.

We will open the PCAP in Wireshark, as follows:

From the preceding screenshot, we can see that numerous SYN packets are being sent out to the 64.13.134.52 IP address. However, looking closely, we can see that most of the packets are being sent every so often from a single port, which is 36050 and 36051, to almost every port on 64.13.134.52. Yes, you guessed right: this looks like a port scan. Initially the SYN packet is sent out, and on receiving a SYN/ACK, the port is considered open.

We know that the originating IP address, 172.16.0.8, is an internal one and the server being contracted...

Over the course of this chapter, we learned about the basics of network forensics. We used Wireshark to analyze a keylogger and packets from a port scan. We discovered various types of network evidence sources and also learned the basics methodology that we should follow when performing network forensics.

In the next chapter, we will look at the basics of protocols and other technical concepts and strategies that are used to acquire evidence, and we will perform hands-on exercises related to them.

To improve your confidence in your network forensics skills, try answering the following questions:

1. What is the difference between the ftp and ftp-data display filter in Wireshark?
2. Can you build an http filter for webpages with specific keywords?
3. We saved files from the PCAP using NetworkMiner. Can you do this using Wireshark? (Yes/No)
4. Try repeating these exercises with Tshark.

For further information on Wireshark, refer to https://www.packtpub.com/networking-and-servers/mastering-wireshark