Learning Network Forensics: Identify and safeguard your network against both internal and external threats, hackers, and malware attacks
Chapter 1. Becoming Network 007s

Welcome to the world of spies, glamor, high technology, and fast...

Wait a minute!

Are you sure you are reading the right book? Wasn't this book supposed to be about network forensics?

Yes, you are reading the right book!

Let me put you at ease. This is about network forensics. That said, it is also a glamorous world full of high-tech spies and fast data (no cars, unfortunately). This is a world where the villains want to own the world (or at the very least, your digital world) and, if they can't own it, they would like to destroy it.

This world needs a hero. A person who can track down spies, identify stolen secrets, beat the villains at their own game, and save the world in the bargain.

A tech-savvy, cool, and sophisticated hero! A digital 007! Come on, admit it, who doesn't fancy themselves as James Bond? Here's your chance, an opportunity to become a network 007.

Interested? Read on…

In this chapter, we will build an understanding of what we need to know in order to venture into the area of network forensics. We will cover the following topics here:

  • 007 characteristics in the network world
  • Identifying threats to the enterprise
  • Data breach surveys
  • Defining network forensics
  • Differentiating between computer forensics and network forensics
  • Strengthening our technical fundamentals
  • Understanding network security
  • Network security goals
  • Digital footprints

007 characteristics in the network world

In 007's world, everything begins with a trigger. The trigger is an event or incident that alerts the organization about unsavory activities by persons known or unknown.

This could be reactive or proactive.

As part of its defense-in-depth strategy, an organization's network is protected by a number of preventive and detective (monitoring) controls. A trigger could be considered reactive when, for instance, an organization realizes that its competitors seem to be getting hold of inside information that is limited in circulation and extremely confidential in nature.

Similarly, a proactive trigger could be the result of an organization's authorized penetration testing and vulnerability assessment exercise.

Subsequent to a trigger event, a preliminary information-gathering exercise is initiated, which culminates in a briefing to the 007 (the investigator), outlining all the currently known details of the breach/incident. Certain hypotheses are floated based on the information gathered so far. Possible cause-and-effect scenarios are explored. Likely internal and external suspects may be shortlisted for further investigation.

The investigator initiates a full-fledged information/evidence collection exercise using every sort of high-end technology available. The evidence collection may be done from network traffic, endpoint device memory, and hard drives of compromised computers or devices. Specialized tools are required to achieve this. This is done with a view to proving or disproving the hypotheses that were floated earlier. Just like a closed-circuit television (CCTV) camera or a spy cam that is used to collect information in real life, on a network, network traffic is collected using tools such as Wireshark, volatile memory data is collected by tools such as Forensic Toolkit (FTK) Imager, and media images are collected by tools such as EnCase.

The information collected is carefully and painstakingly analyzed with a view to extracting evidence relating to the incident to help answer questions, as shown in the following diagram:

[Diagram: the critical questions an investigation seeks to answer]

An attempt is made to answer the following critical questions:

  • Who is behind the incident?
  • What actually happened?
  • When did it happen?
  • Where was the impact felt? Or which resources were compromised?
  • Why was it done?
  • How was it done?

Based on the analysis result, a conclusion is drawn and certain recommendations are made. These recommendations result in an action. The action may include remediation, strengthening of defenses, employee/insider termination, prosecution of suspects, and so on based on the objectives of the investigation. The following flow diagram neatly sums up the complete process:

[Flow diagram: the investigation process from trigger to action]

Bond characteristics for getting to satisfactory completion of the case

Network forensic investigations can be very time-consuming and complex. These investigations are usually very sensitive in nature and can be extremely time-critical as well. To be an effective network forensics Bond, we need to develop the following characteristics:

  • Preparation: The preparation stage is essential to ultimately arrive at a satisfactory conclusion of a case. A calm, thought-out response with a proper evidence-collection process comes from extensive training and from knowing what to do when the most likely real-world scenarios occur. Practice leads to experience, which leads to the ability to innovate and arrive at out-of-the-box investigative insights for solving the case. A situation where the investigator is unable to identify a compromised system could lead to years of data theft, bleeding the organization and hastening its untimely demise. A scenario where an investigator is able to identify the problem but is unable to decide what action to take is equally bad. This is where preparation comes in. The key is knowing what to do in most situations.

    A clear-cut incident response plan needs to be in place. Trained personnel with the necessary tools and processes should be available to tackle any contingency. Just as organizations carry out fire drills on a regular basis, incident response drills should be institutionalized as part of the organization policy.

  • Information gathering/evidence gathering: A comprehensive system to monitor network events and activity, store logs, and back them up is essential. Different inputs are generated by different event logging tools, firewalls, intrusion prevention and detection systems, and so on. These need to be stored and/or backed up at a secure location in order to prevent incidental or intentional tampering.
  • Understanding of human nature: An understanding of human nature is critical. This helps the investigator to identify the modus operandi, attribute a motive to the attack, and anticipate and preempt the enemy's next move.
  • Instant action: Just as Bond explodes into action at the slightest hint of danger, so must an investigator. Based on the preparations done and the incident response planned, immediate action must be taken when a network compromise is suspected. Questions such as "Should the system be taken off the network?" or "Should we isolate it from the network and see what is going on?" should already have been decided upon at the planning stage. At this stage, time is of the essence and immediate action is required.
  • Use of technology: An investigator should have Bond's love of high technology. However, a thorough knowledge of the tools is a must. A number of high-tech surveillance tools play an important role in network-based investigations. Specialized tools monitor network traffic, identify and retrieve hidden and cloaked data, analyze and visualize network logs and activities, and zero in on in-memory programs and the malicious software and tools used by the bad guys.
  • Deductive reasoning: A logical thought process, the ability to reason through all the steps involved, and the desire to see the case to its rightful conclusion are the skills that need to be a part of a network 007's arsenal. Questioning all the assumptions, questioning the unquestionable, understanding cause and effect, examining the likelihood of an event occurring, and so on are the hallmarks of an evolved investigator.

The TAARA methodology for network forensics

There is a considerable overlap between incident response and network forensics in the corporate world, with information security professionals being tasked with both roles. To help simplify the understanding of the process, we have come up with the easy-to-remember TAARA framework:

  • Trigger: This is the incident that leads to the investigation.
  • Acquire: This is the process set in motion by the trigger. It is predefined as a part of the incident response plan and involves identifying, acquiring, and collecting information and evidence relating to the incident. This includes gathering information related to the trigger and the reasons for suspecting an incident, and identifying and acquiring sources of evidence for subsequent analysis.
  • Analysis: All the evidence that is collected so far is collated, correlated, and analyzed. The sequence of events is identified. Pertinent questions such as whether the incident actually occurred or not; if it did, what exactly happened; how it happened; who was involved; what is the extent of the compromise; and so on are answered. Based on the information that is gathered during this stage, it may be necessary to go back to the acquire stage in order to gather additional evidence. Analysis is then initiated on the newly acquired evidence.
  • Report: Based on the preceding analysis, a report is presented to the stakeholders in order to determine the next course of action.
  • Action: The action recommended in the report is usually implemented during this stage.

This is pictorially represented in the following image:

[Image: the TAARA methodology]

Identifying threats to the enterprise

Based on the source of the threat, attacks can be broadly classified into the following types:

  • Internal
  • External
  • Hybrid

Internal threats

Threats or attacks that originate from within the network or organization are classified as internal threats. These can be intentional or unintentional.

Typically, such threats involve an insider with a mala fide intention, insider knowledge and/or access. This insider is looking to steal, misuse, modify, corrupt, or destroy enterprise resources. Quite naturally, the insider has no intention of getting caught and hence, makes every attempt to cover their tracks. However, as we will see later in this chapter, every interaction with the crime scene leaves a trace as per Locard's exchange principle.

Weak and ill-defined rules, network policies, security systems, and so on aid and abet such insiders. Unlimited and unmonitored access to network resources and data by users is a sure recipe for disaster. Improperly implemented controls, random permissions, unsecured physical access to server rooms, and poor password hygiene contribute to serious threats to the network resources.

External threats

External threats are those that originate from outside the perimeter of the network. They could come from individuals, groups, or even governments. A spate of network attacks worldwide have been traced to state actors such as China, North Korea, and even the USA. Revelations by Snowden have opened everyone's eyes to the real threat of state-sponsored surveillance.

External threats come in all shapes and sizes. Just like internal threats, these can be intentional or unintentional. There are all sorts of people out there who want to get into your network. Some want to do it to get the information you store, some do it to shut down your network, some do it because they did not like the statement your company's CEO gave out last Wednesday, and some want to do it just because they can. Let's leave motivations aside for the moment. I say "for the moment" because part of our network forensics investigation requires answering the Why part of the equation at a later date.

Any outsider wanting access to your network has to carry out a number of concrete steps before they can gain access of any sort. It's best to be disabused of the notion that, like in the movies, a hacker sits before his computer, starts typing, and has Administrator-level access within a couple of minutes. That is unadulterated fiction.

The first step any attacker has to take is to reconnoiter the target. Just as any good or accomplished thief will case the neighborhood to identify the potential targets, locate their weak spots, plan the right time to break in, and figure out a way to get in, any criminal with the intent to get into the network has to undergo a similar process. This process is called footprinting. It consists of a number of steps, followed by scanning for open UDP and TCP ports that can be exploited. An attempt is then made to obtain a password via multiple means, such as social engineering, password lists, brute forcing, or rainbow tables. This mode of password discovery is the most difficult method of getting into the network. Another route is to exploit a weakness such as an unpatched OS and run programs that exploit vulnerable software, leading to open access, followed by privilege escalation to the administrator level.

Once in, the accomplished spy will not do anything to give away the fact that they have administrator-level access. It is only script kiddies or publicity-hungry hackers that go ahead to deface websites to earn their two minutes of fame or notoriety.

The next objective is to create a backdoor for uninterrupted access and take every precaution to cover their tracks.

It can be months and, in some cases, years before an intrusion of such sort can be discovered or detected. That is the holy grail of the attacker. Spying undetected! Forever!

However, that is exactly where you come in, Mr. 007. You have to figure out what's going on in the network. At times, this needs to be done extremely covertly. Once the data breach is detected, you need to go into your "licensed to kill" mode to identify such intrusions and gather all the evidence of the related processes!

You need to identify the perpetrator, interrogate him or the witnesses (forensic interrogation of data packets, media, and memory) to identify the what, when, where, why, and how.

The following threat examples are grouped by source (internal or external) and intention (intentional or accidental):

  • Internal, intentional:
    • Insider data theft
    • Insider sabotage
    • Information leakage
    • Assistance to outsiders
    • Sexual harassment within the enterprise
    • Tampering with sensitive data
  • Internal, accidental:
    • Accidental assistance to outsiders
    • Inadvertently letting malicious software loose on the network
    • Unintentional use of compromised software on bring your own device (BYOD)
    • Insiders social engineered to give away information such as passwords and so on
  • External, intentional:
    • Targeted phishing or spear phishing to extract confidential information
    • Network scans / OS fingerprinting / vulnerability assessments of outside-facing network components
    • Denial of Service attacks
    • State-sponsored surveillance
  • External, accidental:
    • An outsider accidentally stumbling onto sensitive data because of a flaw/vulnerability in the network
    • Accidental power outage
    • Natural disasters
    • An unsuspecting user's system can be taken over and used as part of a bot herd

Network threat examples

Data breach surveys

There are many data breach / information security / cyber crime surveys unfailingly published every year by the consulting industry.

For reference, you may want to visit a few of the surveys on the net, listed as follows:

All of them point to a single unassailable fact: data breaches are becoming increasingly expensive and will continue to be so.

Some of the points brought up by most of them are:

  • The cost of a data breach is on the rise.
  • After a breach, customers lose confidence and tend to change service providers. This is particularly common in the financial services industry.
  • For many countries, malicious or criminal attacks are at the top spot as the root cause of the data breaches.
  • In over 50% of the cases, insiders were involved in one way or the other.

What does this mean for us? It just means that we are in the right place at the right time. There will always be a very strong demand for the Sherlocks of the net. Professionals who can detect, collect, collate, analyze, and investigate will find themselves on the must-hire list of most large-scale corporations.

Let's get started with the underlying principle of forensics of any sort.

Locard's exchange principle

No study of digital investigations can be considered well begun without an understanding of the underpinning of the science. Locard's exchange principle is the foundation on which scientific investigation methodologies are built.

Dr Edmond Locard (1877-1966) was a French scientist who worked with the French Secret Service in the First World War. He was a pioneer in forensic science and criminology. He developed a methodology to identify the nature and cause of death of French soldiers and prisoners by examining the wounds, damage, stains, and other marks on the body.

He was known as the Sherlock Holmes of France.

He is often credited with saying "every contact leaves a trace!"

He speculated that anybody or anything that enters or leaves the crime scene (interaction with the crime scene) either leaves something behind or leaves with something from it (inadvertently or intentionally) and this can be used as forensic evidence. Let's consider a murder. Anybody that walks into a murder spot may leave the evidence of their presence in the form of footprints, fingerprints, and so on. Similarly, when someone leaves the crime scene, they may take specks of blood with them, local dust may adhere to their shoes, and so on.

How does this translate into the network world?

Essentially, every attempt to communicate with a device on the network leaves a trace somewhere; this could be at firewalls, intrusion detection systems, routers, event logs, and so on. Similarly, any attempt by an internal miscreant to access unauthorized resources will also leave a trace. This is depicted in the following image:

[Image: Locard's exchange principle in a digital world]

Let's take the example of a phishing attack. As we are all aware, it begins with an innocuous mail with a massively appealing subject. The phishing mail may carry a payload in the form of an attachment (for example, a Trojan) or have a link that leads to a similar result. In this case, according to Locard's exchange principle, the two entities interacting would be the affected computer and the computer sending out the phish. Some of the evidence in this case would be the e-mail itself, Trojan horse/malware/keylogger, stolen passwords, changed passwords, attempts to cover tracks, and so on. The backdoor, once discovered, could reveal a lot of details and the IP addresses of devices that control it or receive the stolen data would also count as evidence. The command and control center for the phishing operation (if identified) would also be a goldmine of evidence.

As a network 007, it is our job to figure out what is going on and draw our conclusions accordingly.

Defining network forensics

What exactly is network forensics?

As per the National Institute of Standards and Technology (NIST), "Digital forensics, also known as computer and network forensics, has many definitions. Generally, it is considered the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data."

Refer to http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf for more information.

As per WhatIs.com, network forensics is "the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents."

In most people's perception, network forensics involves the CIA process. In this case, CIA stands for the following:

  • Capture (capture packets)
  • Identify (identify packets based on certain filtering criteria, such as date and time)
  • Analyze (both known and unknown packets to understand what's going on)

The following image illustrates this:

[Image: the CIA process of capture, identify, and analyze]

Broadly speaking, network forensics is the subset of digital forensics that deals with the investigation of events and activities related to digital networks. This involves monitoring and capturing network traffic and its related data from devices on the network with the objective of gathering evidence in a manner that is acceptable in the court of law.

Differentiating between computer forensics and network forensics

Network forensics is a branch of digital forensics. That said, it is significantly different from conventional forensic investigations. It is necessary to highlight the differences so that things are a lot clearer in the network investigator's mind.

Unlike other areas of digital forensics, network forensic investigations deal with volatile and dynamic information. Disk or computer forensics primarily deals with data at rest. The simplified normal process is to identify the media that is to be investigated, create and authenticate a forensic image, identify the different artifacts to be investigated, carry out an in-depth analysis, and follow it up with a report highlighting the findings. Usually, these can include deleted, misnamed, and hidden files and artifacts; registry entries; password-protected files; e-mail communications; carved data; and so on. However, all these represent the state of the system at the time of the collection and imaging. This is what we call a post-mortem investigation (this does not include live-memory forensics, which, as the name suggests, is very much alive).

Network forensics by its very nature is dynamic. In fact, it would not be possible to conduct a network forensic investigation if prior arrangements were not made to capture and store network traffic. It is not possible to analyze what transpired in the network flow without having a copy of it. This is similar to having CCTV footage of a particular incident. In its absence, one can only surmise what happened based on other circumstantial evidence. When the actual footage is available, as long as the investigator knows what to look for, the complete incident can be reconstructed and it becomes a lot easier to identify the perpetrator.

Additionally, network forensics involves the analysis of logs. This can be a bit of art as well as science.

Usually, various network devices, applications, operating systems in use, and other programmable and intelligent devices on the network generate logs. Logs are time-sequenced. They can be quite cryptic in nature, and different devices will describe the same event in different ways. One operating system will call a login action a login, whereas another device may call it a log on, and a third may call it a user authentication event. The message content and syntax of logs are vendor-specific. They may also vary from application to application.
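The point above, that three devices describe one login in three vocabularies, is exactly what a normalization step has to absorb before logs from different sources can be laid on one timeline. The following added example (not the book's code) parses three constructed log formats into a common event schema and sorts them into a single sequence; the formats, hostnames and addresses are made up, and the capture year is assumed because syslog lines omit it.

```python
"""Normalize vendor-specific authentication logs into one time-sequenced event list.

Added example (not from the book). The three log formats below are constructed to
imitate a syslog-style SSH daemon, a Windows-style security event, and a firewall-style
key=value record; they are not real product formats. Each names the same event
differently ("Accepted/Failed password", "logged on", "user_authentication").
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Syslog lines carry no year, so the capture year is an assumption of this example.
ASSUMED_YEAR = 2024

# Constructed sample lines, deliberately out of time order and in mixed timestamp formats.
SAMPLE_LOGS = [
    "Mar 12 09:15:02 fileserver sshd[2211]: Accepted password for alice from 10.1.2.30 port 51022 ssh2",
    "2024-03-12T09:14:58Z DC01 EventID=4624 An account was successfully logged on. "
    "Account Name: bob Source Network Address: 10.1.2.31",
    "ts=1710234905 dev=fw01 action=user_authentication user=carol src=203.0.113.7 result=fail",
    "Mar 12 09:15:40 fileserver sshd[2218]: Failed password for root from 203.0.113.7 port 51100 ssh2",
]

SYSLOG_SSHD = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+) port"
)
WINDOWS_LOGON = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) EventID=(?P<eid>\d+) .*"
    r"Account Name: (?P<user>\S+) Source Network Address: (?P<src>\S+)"
)
KEY_VALUE = re.compile(r"(\w+)=(\S+)")

Event = Dict[str, object]


def _event(ts: datetime, host: str, user: str, src_ip: str, outcome: str, fmt: str) -> Event:
    # Common schema: every parser must fill exactly these fields.
    return {"ts": ts, "host": host, "user": user, "src_ip": src_ip, "outcome": outcome, "format": fmt}


def parse_syslog(line: str) -> Optional[Event]:
    m = SYSLOG_SSHD.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    outcome = "success" if m["result"] == "Accepted" else "failure"
    return _event(ts, m["host"], m["user"], m["src"], outcome, "syslog")


def parse_windows(line: str) -> Optional[Event]:
    m = WINDOWS_LOGON.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # 4624 = successful logon, 4625 = failed logon in the Windows Security log.
    outcome = {"4624": "success", "4625": "failure"}.get(m["eid"], "unknown")
    return _event(ts, m["host"], m["user"], m["src"], outcome, "windows")


def parse_keyvalue(line: str) -> Optional[Event]:
    fields = dict(KEY_VALUE.findall(line))
    if fields.get("action") != "user_authentication" or "ts" not in fields:
        return None
    ts = datetime.fromtimestamp(int(fields["ts"]), tz=timezone.utc)  # epoch seconds
    outcome = "success" if fields.get("result") == "ok" else "failure"
    return _event(ts, fields.get("dev", "?"), fields.get("user", "?"), fields.get("src", "?"), outcome, "keyvalue")


PARSERS = (parse_syslog, parse_windows, parse_keyvalue)


def normalize(lines: List[str]) -> List[Event]:
    """Parse every recognised line and return the events sorted into one timeline."""
    events: List[Event] = []
    for line in lines:
        for parser in PARSERS:
            event = parser(line)
            if event is not None:
                events.append(event)
                break
    return sorted(events, key=lambda e: e["ts"])


def failed_attempts_by_source(events: List[Event]) -> Dict[str, int]:
    """Count authentication failures per source address across all vendors' logs."""
    counts: Dict[str, int] = {}
    for event in events:
        if event["outcome"] == "failure":
            counts[event["src_ip"]] = counts.get(event["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    timeline = normalize(SAMPLE_LOGS)
    for e in timeline:
        print(e["ts"].isoformat(), e["format"], e["host"], e["user"], e["src_ip"], e["outcome"])
    print(failed_attempts_by_source(timeline))
```

Once every source is in the same schema, the two failures from 203.0.113.7 line up even though one was written by a firewall and the other by an SSH daemon.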

Disk forensics does not have these sorts of intricacies. While logs exist and do vary across applications and operating systems, the level of dependency on logs in the case of disk forensics is not as high as that of network forensics.

That said, all disk, network, and memory forensics go hand in hand. Most investigations may involve at least a few, if not all, of the disciplines of digital forensics in any case of a reasonable magnitude.

In fact, a case where disk forensics is not used in an investigation could be considered equivalent to a conventional case where CCTV evidence has been overlooked.

Strengthening our technical fundamentals

Before we develop our skills on network forensics, we need to have certain basic fundamentals in place.

A network, in general parlance, is a group of computers/devices that are connected to each other. The connection could be wired or wireless. Every device on the network has a unique network address. This can be temporary (session specific) or permanent. Addresses are numeric quantities that are easy for computers to work with; however, they are not easy for humans to remember. These are known as IP addresses, for example, 206.166.240.9. Consider the following diagram:

[Diagram: a simple network]

To make these numeric addresses easy for humans to remember, textual addresses are stored as Domain Name Server (DNS) records. DNS servers are responsible for translating textual Internet addresses into numeric Internet addresses.

While numeric IP addresses identify a specific host machine working on a network, a numeric port number is used to identify specific processes that are running on a host machine. The number of ports is not functionally limited. Some of the common ports are as follows:

Port number   Application
20            FTP
21            FTP
23            Telnet
25            SMTP (mail)
79            Finger
80            HTTP
110           POP3 (mail)
443           HTTPS

When devices are connected to each other, they can communicate. The mode of communication between devices is the exchange of data. Data is transferred using packet switching. Messages are broken into packets and transmitted over the network. Each of these packets has a specified maximum size and is split into a header and a data area. As each packet is sent from a source computer to a destination computer or device, the addresses and the information that is necessary to properly sequence the packets at the reconstruction stage are included in the header.

Communications between two connected computers on a network are governed by rules known as protocols.

Protocols define the following:

  • Addressing of messages
  • Routing of messages
  • Error detection
  • Error recovery
  • Packet sequence
  • Flow controls

Protocol design is based on a layered architecture model such as the Open Systems Interconnection (OSI) reference model.

This is also known as the seven-layer model.

The seven-layer model

As the name suggests, this model consists of seven layers. Each of these is explained as follows:

  • Layer 1: This is called the physical layer. This is the actual physical infrastructure over which the data travels. This consists of the cables, hubs, and so on. This is the electronics that ensures the physical transmission and reception of raw and unstructured bits and bytes.
  • Layer 2: This is called the data link layer. This layer is responsible for the data encapsulation in the form of packets and their interpretation at the physical layer. This will initiate and terminate a logical link between two nodes on a network. Layer 2 is responsible for error-free transfer of data over the physical layer.
  • Layer 3: This is called the network layer. This layer is in charge of a packet's transmission from a source to its destination. This layer decides the route, mapping of the logical and physical addresses, and data traffic control.
  • Layer 4: This is called the transport layer. The transport layer is in charge of the delivery of the packets from a source to a destination. This ensures that the message is delivered in a sequence without duplication or loss and is error-free.
  • Layer 5: This is called the session layer. The session layer manages the network access. It establishes sessions among the processes running on different nodes via different logical ports. Layer 5 also handles session establishment, maintenance, and termination.
  • Layer 6: This is called the presentation layer. The role of the presentation layer is to format the data transmitted to applications, covering data conversion, compression/decompression, encryption, and so on. It also gives the end user access to various Windows services, such as resource sharing, remote printing, and so on.
  • Layer 7: This is called the application layer. This is the end user layer. This layer contains the applications, such as Java, Microsoft Word, and so on, that are used by the end user.

As the data travels between layers, each layer adds or removes its header to the data unit. At the destination, each added header is removed one-by-one until the receiving application gets the data that is intended for it.
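The header-per-layer encapsulation described above, as an added example that is not from the book: a frame is built with struct (constructed MAC and IP addresses) and then decapsulated Ethernet II -> IPv4 -> TCP -> payload, verifying the IPv4 header checksum on the way and mapping the destination port against the port table given earlier in this chapter.

```python
"""Decapsulate one captured frame layer by layer: Ethernet II -> IPv4 -> TCP -> payload.

Added example, not from the book. The frame is constructed inline with struct (the MAC
and IP addresses are made up), so it runs offline; the port table is the one given in
this chapter. The TCP checksum is left at zero because only the IPv4 header checksum
is verified here.
"""
import socket
import struct
from typing import Dict

# Port-to-application mapping from the chapter's table.
COMMON_PORTS = {20: "FTP", 21: "FTP", 23: "Telnet", 25: "SMTP", 79: "Finger",
                80: "HTTP", 110: "POP3", 443: "HTTPS"}

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header's 16-bit words (checksum field zeroed by caller)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Wrap payload in TCP, IPv4 and Ethernet headers, i.e. the sender's side of encapsulation."""
    # Layer 4: 20-byte TCP header, data offset 5 words, flags PSH|ACK, checksum not computed.
    tcp_header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    # Layer 3: 20-byte IPv4 header; checksum computed over the header with the field zeroed.
    total_len = 20 + len(tcp_header) + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_header = ip_header[:10] + struct.pack("!H", ipv4_checksum(ip_header)) + ip_header[12:]
    # Layer 2: Ethernet II header with constructed, locally administered MAC addresses.
    eth_header = struct.pack("!6s6sH", bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                             ETHERTYPE_IPV4)
    return eth_header + ip_header + tcp_header + payload


def decapsulate(frame: bytes) -> Dict[str, object]:
    """Strip one header per layer (the receiver's side), returning what each layer contributed."""
    # Layer 2: the Ethernet II header is 14 bytes; its type field says what is inside.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("frame does not carry IPv4, ethertype 0x%04x" % ethertype)
    packet = frame[14:]
    # Layer 3: IPv4 header length is given in 32-bit words in the low nibble of byte 0.
    ihl = (packet[0] & 0x0F) * 4
    ip_header = packet[:ihl]
    (_, _, total_len, _, _, ttl, proto, hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_header[:20])
    # Recompute the checksum with the field zeroed; a mismatch means corruption or tampering.
    recomputed = ipv4_checksum(ip_header[:10] + b"\x00\x00" + ip_header[12:])
    segment = packet[ihl:total_len]
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP, protocol %d" % proto)
    # Layer 4: TCP ports and sequence number; the data offset tells where the payload starts.
    src_port, dst_port, seq, ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (offset_flags >> 12) * 4
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl, "ip_checksum_ok": recomputed == hdr_csum,
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "tcp_flags": offset_flags & 0x1FF,
        "service": COMMON_PORTS.get(dst_port, "unknown"),
        "payload": segment[data_offset:],
    }


if __name__ == "__main__":
    frame = build_frame("10.1.2.30", "203.0.113.10", 51022, 80, b"GET / HTTP/1.1\r\n\r\n")
    for key, value in decapsulate(frame).items():
        print(f"{key:15} {value!r}")
```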

The TCP/IP model

The TCP/IP model consists of only four layers. These are application, transport, internet, and network.

These layers are shown in the following table:

Layer name    Description
Application   Responsible for applications and processes running on the network
Transport     Provides end-to-end data delivery
Internet      Makes datagrams and handles data routing
Network       Allows access to the physical network

Let's take a look at each of these one by one, starting from the network interface layer and working our way upwards.

  • Network layer: The network layer (also known as the network interface layer) is the bedrock of the TCP/IP model. This drives the signals across the network. It transmits and receives bits over the network hardware, such as coaxial or twisted-pair copper cable. It sits over the physical layer and includes the following protocols:
    • Ethernet
    • Token-ring
    • Frame relay
    • FDDI
    • X.25
    • RS-232
    • v.35
  • Internet layer: The Internet layer is at the heart of the TCP/IP model. This packages the data into IP datagrams and performs routing for these datagrams based on the source and destination information in the header. The protocols used at this layer include the following:
    • Internet Protocol (IP)
    • Internet Control Message Protocol (ICMP)
    • Address Resolution Protocol (ARP)
    • Reverse Address Resolution Protocol (RARP)
  • Transport layer: This layer manages the communication session between the host computers. During the data transportation process, this defines the level of service and the connection status. The transport layer uses the following protocols:
    • Transmission Control Protocol (TCP)
    • User Datagram Protocol (UDP)
    • Real-time Transport Protocol (RTP)
  • Application layer: The application layer combines the functions of the OSI application, presentation, and session layers. This layer defines how the host programs interface with transport layer services as well as their related application protocols. Some of the protocols in this layer are as follows:
    • Simple Mail Transfer Protocol (SMTP)
    • HTTP
    • FTP
    • Telnet
    • Simple Network Management Protocol (SNMP)
    • DNS
    • Trivial File Transfer Protocol (TFTP)
    • X-Windows

The following image depicts both models in graphic form. It also shows their interrelation:

[Image: the OSI and TCP/IP models side by side]

Understanding the concept of interconnection between networks/Internet

In 1966, the Defense Advanced Research Projects Agency Network implemented a research network of networks. This consisted of connecting several computer networks based on different protocols.

This posed a unique problem: a common interconnection protocol had to be defined on top of the local protocols. The Internet Protocol (IP) plays this role by defining unique addresses for network devices and host machines. The following diagram depicts this interconnection of devices using IP routing:

[Diagram: interconnection of networks using IP routing]

Internet Protocol (IP)

Whenever we see a stranger that we want to speak to, it always helps if we speak the same language. In the computer world, the language of communication is called a protocol. IP is one of the languages that computers use to communicate with each other as a part of the layered architecture model.

On top of the IP, there are TCP, UDP, and some others.

There are two versions of the IP being used, as follows:

  • Internet Protocol version 4 (IPv4)
  • Internet Protocol version 6 (IPv6)

The Internet Protocol has the following two main functions:

  • Splitting the data stream into standard size packets at the source and then putting them together again in the correct order at the destination.
  • Guiding or routing a packet through a number of intermediary networks, starting from the source device IP address to the destination device IP address.

How does it work?

It splits the data to be sent into datagrams. Each datagram has a header, including the IP address and the port number of the destination. Datagrams are then sent to selected gateways, that is, IP routers. These routers are connected to the local network and to an IP service provider network at the same time. The routers start the relay process, wherein datagrams are transferred from gateway to gateway until they arrive at their final destination.

The following diagram illustrates this concept in a simple-to-understand manner:


Whenever two hosts communicate with each other using the Internet Protocol, there is no need for a continuous connection. One host sends the data to another via a data packet. Each packet header contains the source and destination addresses as well as the sequence number, and each packet is treated as an independent unit of data. TCP is responsible for reading the packet headers and putting the packets in the correct sequence so that the message is readable.

Today, the most widely used version of IP is IPv4. However, IPv6 is also beginning to be supported. IPv6 was introduced when it was realized that IPv4 addresses were running out: the exponential increase in the number of devices connected to the Internet led to the anticipation of IPv4 address exhaustion. IPv6 provides much longer addresses and therefore room for many more Internet users. IPv6 includes the capabilities of IPv4, and any server that can support IPv6 packets can also support IPv4 packets.

Structure of an IP packet

Let's take a look at the following structure of an IP packet:

  • The IP's functionality and limitations are defined by the fields at the beginning of the packet. This is called the frame header.
  • The source and destination address fields have 32 bits allocated to encode their data.
  • Additional information, such as the total packet length in bytes, is encoded in 16 bytes in the remainder of the header.

Normally, the application layer sends the data that is to be transmitted to the transport layer. The transport layer adds a header and sends it to the Internet layer. The Internet layer adds its own header to this and sends it to the network layer for physical transmission in the form of an IP datagram. The network layer adds its own frame header and footer and then physically transmits it over the network.

At the other end, when the datagram is received, this process is reversed and the different headers are stripped as the data moves from layer to layer. The following diagram represents how headers are added and removed as we move from layer to layer:


Datagram headers as we move from layer to layer
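The encapsulation and decapsulation just described, as an added example that is not the book's own code: a payload is wrapped in a UDP header (transport layer) and then in an IPv4 header (Internet layer), and the receiving side strips both in reverse, verifying the IPv4 header checksum before trusting the header fields. Addresses, ports and payload are constructed sample values.

```python
import socket
import struct

# Added example, not the book's code: encapsulate a payload in UDP and IPv4
# headers, then strip the headers again layer by layer on the receiving side.
# All addresses, ports and payloads below are constructed sample values.

IPV4_HEADER_LEN = 20   # minimal IPv4 header (no options)
UDP_HEADER_LEN = 8
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: prepend the 8-byte UDP header (checksum 0 = not used)."""
    return struct.pack("!HHHH", src_port, dst_port,
                       UDP_HEADER_LEN + len(payload), 0) + payload


def build_ipv4(src_ip: str, dst_ip: str, segment: bytes,
               ident: int = 0x1234, ttl: int = 64) -> bytes:
    """Internet layer: prepend a 20-byte IPv4 header around the transport segment.

    The source and destination addresses are 32-bit fields and the total length
    is a 16-bit field, which is why one IP datagram cannot exceed 65,535 bytes.
    """
    total_len = IPV4_HEADER_LEN + len(segment)
    if total_len > 0xFFFF:
        raise ValueError("datagram does not fit the 16-bit total length field")
    ver_ihl = (4 << 4) | (IPV4_HEADER_LEN // 4)   # version 4, IHL in 32-bit words
    fields = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, 0,
                         ttl, IPPROTO_UDP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # The header checksum is computed with the checksum field itself set to zero.
    csum = checksum(fields)
    header = fields[:10] + struct.pack("!H", csum) + fields[12:]
    return header + segment


def verify_ipv4_header(datagram: bytes) -> bool:
    """An intact header sums to zero when the checksum field is included."""
    ihl = (datagram[0] & 0x0F) * 4
    return len(datagram) >= ihl and checksum(datagram[:ihl]) == 0


def parse_ipv4(datagram: bytes) -> dict:
    """Receiving side: peel off the IPv4 header, then the UDP header."""
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:IPV4_HEADER_LEN])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    if not verify_ipv4_header(datagram):
        raise ValueError("IPv4 header checksum mismatch (corrupted or tampered)")
    ihl = (ver_ihl & 0x0F) * 4
    segment = datagram[ihl:total_len]          # strip the Internet-layer header
    result = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "ident": ident, "proto": proto, "total_length": total_len,
    }
    if proto == IPPROTO_UDP:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
        result["udp"] = {"src_port": sport, "dst_port": dport, "length": ulen}
        result["payload"] = segment[UDP_HEADER_LEN:ulen]   # strip the transport header
    else:
        result["payload"] = segment
    return result


if __name__ == "__main__":
    # Constructed sample: a small UDP message from 192.0.2.10 to 198.51.100.5 port 53
    pkt = build_ipv4("192.0.2.10", "198.51.100.5", build_udp(40000, 53, b"hello"))
    print(len(pkt), "bytes on the wire:", pkt.hex())
    print(parse_ipv4(pkt))
```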

Transmission Control Protocol (TCP)

IP packets are a basic service that does not guarantee safe delivery. TCP remedies this by adding the following elements:

  • Error detection
  • Safe data transmission
  • Assurance that data is received in the correct order

Before sending the data, TCP requires the computers that are communicating to establish a connection with each other:


TCP/IP communications

Whereas IP is limited to sending 64-kb data streams, TCP can send large data streams as one continuous stream. TCP does this by breaking up the data stream into separate data packets. Each packet is numbered and its sequence number is stored in the header. On arrival, these disparate packets are reassembled using the sequence and sequence acknowledgement numbers. TCP also specifies port numbers, which extends the capabilities of IP. Every TCP/IP machine can communicate using 65,536 different ports or sockets.

All data in a TCP packet is accompanied by a header. The header contains information related to the source port, destination port, sequence number, sequence acknowledgement number, and some miscellaneous header data.
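Sequence-number reassembly as the text describes it, as an added example rather than code from the book: segments captured out of order (with the 32-bit sequence number wrapping around mid-stream) are put back in order, missing byte ranges are reported, and a retransmission whose bytes disagree with the first copy is flagged. The segments are a constructed sample capture.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Added example, not the book's code: rebuild one direction of a TCP stream
# from captured segments using their sequence numbers. Sample data is constructed.

SEQ_MASK = 0xFFFFFFFF   # sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment from a single direction of a connection."""
    seq: int          # sequence number of the first payload byte
    payload: bytes


def reassemble(isn: int, segments: Iterable[Segment]
               ) -> Tuple[bytes, List[Tuple[int, int]], List[int]]:
    """Rebuild the byte stream from segments captured in any order.

    isn is the initial sequence number from the SYN, so the first data byte has
    sequence number isn + 1. Returns (data, missing, conflicts): data is the
    stream with never-seen bytes zero-filled, missing lists those [start, end)
    offsets, and conflicts lists offsets where a retransmission carried
    different bytes from the first copy (a sign of corruption or tampering).
    """
    first = (isn + 1) & SEQ_MASK
    placed: Dict[int, int] = {}
    conflicts: List[int] = []
    for seg in segments:
        base = (seg.seq - first) & SEQ_MASK   # modular arithmetic handles wraparound
        for i, byte in enumerate(seg.payload):
            off = base + i
            if off in placed:
                if placed[off] != byte:
                    conflicts.append(off)
            else:
                placed[off] = byte
    if not placed:
        return b"", [], conflicts
    end = max(placed) + 1
    data = bytearray(end)
    missing: List[Tuple[int, int]] = []
    gap_start = None
    for off in range(end):
        if off in placed:
            data[off] = placed[off]
            if gap_start is not None:
                missing.append((gap_start, off))
                gap_start = None
        elif gap_start is None:
            gap_start = off
    return bytes(data), missing, conflicts


# Constructed capture: the ISN sits just below 2**32 so the numbering wraps
# mid-request, and the segments are listed in the order they were captured.
ISN = 0xFFFFFFF0
CAPTURED = [
    Segment(0x00000000, b" HTTP"),
    Segment(0xFFFFFFF1, b"GET /"),
    Segment(0xFFFFFFFB, b".html"),
    Segment(0x00000005, b"/1.1\r\n"),
    Segment(0xFFFFFFF6, b"index"),
    Segment(0xFFFFFFF6, b"index"),   # harmless retransmission, identical bytes
]

if __name__ == "__main__":
    stream, missing, conflicts = reassemble(ISN, CAPTURED)
    print(stream, missing, conflicts)
```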

User Datagram Protocol (UDP)

Similar to the TCP, the UDP is also built on top of the IP. It has the same packet-size limit (64 kb) as IP; however, it allows specifying port numbers. This provides 65,536 different ports, which is the same as TCP. Therefore, every machine has two sets of 65,536 ports: one for TCP and the other for UDP.

The difference between the two is that UDP is a connection-less protocol without any error detection facility. It only provides support for data transmission from one end to the other, without any verification. As it does no further verification, UDP is very fast. This is its main feature, and it is extremely useful for sending small and repetitive data at a very high speed. Some examples of this are audio and video streaming, games, continuously streamed time information, and so on.

Internet application protocols

On top of the TCP/IP layers is the application layer. The Internet Engineering Task Force (IETF) definition document for the application layer in the Internet protocol suite is RFC 1123. The application layer's role is to support network applications by the means of application protocols.

Some of the application protocols include the following:

  • Telnet: This is a text input-based protocol that allows the user to perform a remote login on another computer
  • File Transfer Protocol (FTP): This is for file transfer
  • SMTP: This is for the transportation of electronic mail
  • DNS: This is for networking support
  • SNMP: This is for remote host management
  • Hypertext Transfer Protocol (HTTP)
  • Network News Transfer Protocol (NNTP): This allows users to create newsgroups around specific subjects

Newer applications can also spawn additional application protocols such as BitTorrent, Bitcoin, eDonkey, and so on.

Understanding network security

We live in a wired world (could be wireless too), which is increasingly interconnected. These interconnected networks are privy to most of the world's data, which is at great risk.

Today, the more interconnected we are, the more at risk we are. With attacks of increasing sophistication becoming automated, easily available, and usable by most low-grade criminals, the threat to our resources is at an all-time high. Evolved and sophisticated detection-evasion techniques help in making things even more complicated. Criminals too have learned to follow the money. Attacks are more focused and targeted with a preponderance of effort being directed towards the targets that could result in a monetary payoff.

Let's take a look at the type of threats that exist.

Types of threats

When we connect our network to the outside world (I know, I know, we have to!), we introduce the possibility of outsiders attempting to exploit our network, stealing our data, infecting our systems with viruses and Trojans, or overloading our servers, thus impacting and impeding our performance.

However, if our network were disconnected from the outside world, threats would still exist. In fact, most surveys and studies (as mentioned earlier) point to the indisputable fact that most of the threats (over 50%) are caused by intentional or unintentional activities performed by insiders.

It is rarely possible to isolate or air-gap a business network from the outside world, and even if we were to do so, there is no guarantee that this alone would ensure network security.

Based on this understanding, we must consider both internal and external threats.

Internal threats

Looking back at history, we see many notable examples of entire kingdoms being lost due to the actions of insiders. Valuable information such as hidden routes to reach behind an army (backdoors), the type, strengths, and weaknesses of the defenses (scans and vulnerabilities), and access codes and passwords (open sesame), when leaked to the enemy, can cause irreparable loss. Kingdoms and corporations can fall. Sun Tzu, the ancient Chinese strategist and general, in his martial treatise, The Art of War, strongly recommends the use of insiders to win battles. In his view, the best way to win a battle is without firing a single shot.

Threats that originate from within the network tend to be way more serious than those that originate outside.

Just as an unknown enemy within the walls of a citadel can be lethal, an insider within your network can be very damaging unless identified and contained very quickly.

Insiders usually have plenty of knowledge about the network, its available resources, and its structure. They have already been granted a certain level of access in order to be able to do their job. Network security tools such as firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS), and so on are deployed at the periphery of the network and usually face outward, so insiders stay under the radar in this context.

An insider can steal information in many low-tech ways. Simply inserting a USB drive and copying data off the network is a very common way of stealing data. Burning a DVD with the organization's intellectual property and walking off the premises with this stuck inside a laptop's DVD drive happens quite often. Some smart guys copy the data onto a USB stick and then delete it so that when checked, they can demonstrate that the USB device is empty and once they get home, they can then recover the data using free recovery tools.

A single insider can be quite dangerous; however, when there are multiple insiders working in tandem, the situation can be quite grave. These threats need to be addressed and mitigated quickly in order to prevent substantial damage.

External threats

Usually, external attackers do not have in-depth knowledge of your network. When they start out, they do not have login or access credentials to get into the network.

Once a potential target is identified, the first step is to carry out reconnaissance on the network. To do this, they perform a ping sweep. This helps in identifying the IP addresses that respond to pings and are accessible from the outside. Once these IP addresses are identified, a port scan is performed. The objective is to identify open services on these IP addresses. The operating system (OS) is fingerprinted to understand the make, model, and build deployed. This helps the attacker in identifying possible unpatched vulnerabilities. An outsider will identify and exploit a known vulnerability to compromise any one of the earlier discovered services on the host. Once the attacker has gained access to the host, the attacker will work at escalating privileges, covering tracks, and creating backdoors for future unmonitored access. They will then use this system as a platform to attack and compromise other systems in this network and the world at large.
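The reconnaissance steps above leave a characteristic pattern in flow records, which is what a defender looks for. The following is an added example, not the book's code, that flags a ping sweep and a port scan in constructed flow records; the record schema is hypothetical and the thresholds are illustrative.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Added example, not the book's code: detect the two reconnaissance steps
# described in the text (ping sweep, then port scan) from flow records.
# The Flow schema and all sample records below are constructed.


@dataclass(frozen=True)
class Flow:
    """One flow record (hypothetical schema): time, endpoints, protocol, port."""
    ts: float
    src: str
    dst: str
    proto: str      # "icmp", "tcp" or "udp"
    dport: int = 0  # 0 for ICMP echo


def detect_recon(flows: Iterable[Flow], window: float = 60.0,
                 sweep_hosts: int = 8, scan_ports: int = 15) -> List[Tuple]:
    """Flag ping sweeps and port scans inside fixed time windows.

    Within each `window`-second bucket, a source that sends ICMP echo to at least
    `sweep_hosts` distinct hosts is reported as a ping sweep, and a source that
    touches at least `scan_ports` distinct TCP/UDP ports on one host is reported
    as a port scan. Thresholds must be tuned per network; these are illustrative.
    """
    pinged: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    ports: Dict[Tuple[int, str, str], Set[int]] = defaultdict(set)
    for f in flows:
        bucket = int(f.ts // window)
        if f.proto == "icmp":
            pinged[(bucket, f.src)].add(f.dst)
        else:
            ports[(bucket, f.src, f.dst)].add(f.dport)
    alerts: List[Tuple] = []
    for (_bucket, src), hosts in pinged.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("ping_sweep", src, len(hosts)))
    for (_bucket, src, dst), dports in ports.items():
        if len(dports) >= scan_ports:
            alerts.append(("port_scan", src, dst, len(dports)))
    return sorted(alerts)


# Constructed sample records: 203.0.113.9 pings ten hosts and then probes twenty
# ports on one of them; 10.0.0.4 is an ordinary client talking to a single port.
SAMPLE_FLOWS = (
    [Flow(t, "203.0.113.9", "192.0.2.%d" % (t + 1), "icmp") for t in range(10)]
    + [Flow(30 + i, "203.0.113.9", "192.0.2.5", "tcp", p)
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                              443, 445, 993, 995, 1433, 3306, 3389, 5900, 8080, 8443])]
    + [Flow(40 + i, "10.0.0.4", "192.0.2.5", "tcp", 443) for i in range(5)]
)

if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_FLOWS):
        print(alert)
```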

Network security goals

In today's high-speed, always-on-the-go world, no man is an island. The same is the case with corporate networks. Constant communications and contact with the outside world, cloud-based applications, cloud and offsite storage of data, and BYOD lead to an increasingly connected network environment. A global economy that thrives on information, advanced technology that enables seamless transactions, and the constant human need to access information that is online are the factors leading to higher security risks.

Today, one can safely assume that most corporate networks are interconnected with other networks.

These networks run standards-based protocols.

These networks will also have a number of applications, which may have proprietary protocols. As such applications are bespoke, the focus of the developers is more on functionality and less on security. Further, there is no regular system of patching vulnerabilities in these applications.

The multitude of connected devices and diverse applications in corporate networks are quite complex and their volume is constantly increasing.

From a network security perspective, the primary goals are as follows:

  • Confidentiality
  • Integrity
  • Availability

Information security goals

Confidentiality

The data that resides on the networks is the lifeblood of any organization. The confidentiality aspect of network security involves keeping the data private.

This entails restricting physical access to the networked devices and components as well as logical access to the node data and network traffic.

To do this, network administrators set up firewalls and intrusion detection & prevention systems. Access control lists (ACL) prevent unauthorized access to the network resources. Encrypted network traffic prevents any data leakage caused by traffic interception by an attacker. Specific credentials, such as usernames and passwords, are required to access the network resources.

Snowden's revelations are an example of a breach of the confidentiality goal of network security. The recent headlines relating to the data leakage at Sony Pictures are another glaring example.

Integrity

Networks have data in motion. Should an attacker gain access to a network, they could silently modify or tamper with the traffic. At the very least, this would cause a misunderstanding between the people communicating; at the other end of the spectrum, it could cause irreparable harm to people and organizations.

Examples of network security violations that affect the integrity goal include the following:

  • Interception of communications related to electronic payments, modifying them to reflect different bank details, and diverting the payment from the unsuspecting remitter. This is a common problem that is being observed these days, especially between small-scale exporters and their buyers.
  • A government taxation entity had their website compromised. The attacker very carefully only modified the section relating to tax rates. These were substantially reduced. As a result, the government lost substantial revenues as most of the remittances were made as per the rates posted on the website.

A number of organizations deploy a data integrity solution to perform origin authentication and verify that the traffic is originating from the source that should be sending it.

Availability

Data at rest and in transit is actually performing a task for the organization. As long as this data or information is accessible to authorized and authenticated users, the task can be performed. The moment an incident interrupts the access, preventing the users from performing their tasks, the availability goal of network security is breached.

There have been a number of high-profile examples of availability compromise in the past, including the following:

  • On April 26, 2007, Estonia, a small Baltic state, experienced a wave of denial-of-service (DoS) attacks. These cyber attacks were launched as a protest against the Estonian government's removal of the Bronze Soldier monument in Tallinn, which was erected in 1947 as a Soviet World War II war monument. The effect was felt by a number of institutions, including banks, government, and universities, taking their network resources offline. The attack lasted for three weeks and shook the whole country. In fact, one of the repercussions of this attack was the formation of the US government's policy on cyber war.
  • A very popular example was demonstrated in the movie Die Hard 4 (Live Free or Die Hard), where super cop John McClane takes on an Internet-based terrorist who works at systematically attacking and shutting down the United States government, transport, and economy. This movie is widely credited with adding the term Fire Sale to the vocabulary of the common man in a cyber context.

Today, some of the most common attacks compromising the availability goal are flood attacks, logic/software attacks, mail bombing, DoS attacks, accidental DoS attacks, and distributed denial-of-service (DDoS) attacks.

How are networks exploited?

Just as all humans have weaknesses, networks too have weaknesses. These are known as vulnerabilities. A vulnerability in an information system is a weakness that an attacker leverages to gain unauthorized access to the system or its data.

The usual modus operandi for taking advantage of a network vulnerability is to write a program that does this. Such programs are called exploits. Most exploits are malicious in nature. As the name suggests, an exploit is meant to exploit the system's weakness.

Vulnerabilities can be of many types. Some examples are shown as follows:

  • Physical vulnerabilities or natural disasters (such as the tsunami in Southeast Asia)
  • Network design vulnerabilities
  • Network configuration vulnerabilities
  • Protocol vulnerabilities
  • Application vulnerabilities
  • Targeted vulnerabilities such as malicious software
  • Standard operating procedure/controls vulnerabilities
  • Physical security vulnerabilities
  • Human vulnerabilities

As we are all aware, a chain is only as strong as its weakest link. In the case of network security, the weakest link is usually human. Statistics show that insiders launch the largest share of attacks against information assets. Thus, most organizations set up controls to prevent insider abuse.

Digital footprints

For a moment, let's flash back to the Locard's exchange principle section. To reiterate, it states that every contact leaves a trace. In the digital context, this means that every interaction with a digital system or network leaves some sort of artifact or data behind as evidence of the event. These artifacts are known as digital footprints. They are of the following two types:

  • Passive
  • Active

Passive digital footprints are created by the system without the user's knowledge. For example, when a password is pasted from a file into an application, evidence or copies of it can be found in volatile memory. Cookies are another example of this.

The user creates active digital footprints deliberately, such as in the case of a Facebook post, sending an e-mail, or storing and transmitting pictures.

These will usually exist and can be recovered from the following:

  • Device memory
  • Disk space including logs
  • Network traffic capture

Summary

Our journey into the realm of network forensics has begun. We started out by identifying the characteristics that would make us 007 in the network forensics world. This was followed by learning about the TAARA methodology for investigations. We also learned about the various threats to an enterprise while strengthening our technical fundamentals. By the end of the chapter, we deepened our understanding of network security as well as network forensics.

In the next chapter, we will learn how to identify the different sources of evidence that are essential for a network forensic investigation. We will also learn how to collect and safely handle the evidence. So...let's get started!!!


Key benefits

  • Lay your hands on physical and virtual evidence to understand the sort of crime committed by capturing and analyzing network traffic
  • Connect the dots by understanding web proxies, firewalls, and routers to close in on your suspect
  • A hands-on guide to help you solve your case with malware forensic methods and network behaviors

Description

We live in a highly networked world. Every digital device (phone, tablet, or computer) is connected to the others in one way or another. In this new age of connected networks, there is network crime. Network forensics is the brave new frontier for digital investigation and information security professionals to extend their abilities to catch miscreants on the network. The book starts with an introduction to the world of network forensics and investigations. You will begin by getting an understanding of how to gather both physical and virtual evidence, intercept and analyze network data and wireless data packets, investigate intrusions, and so on. You will further explore the technology, tools, and investigating methods using malware forensics, network tunneling, and behaviors. By the end of the book, you will gain a complete understanding of how to successfully close a case.

Who is this book for?

If you are a network administrator, system administrator, information security, or forensics professional and wish to learn network forensics to track intrusions through network-based evidence, then this book is for you. Basic knowledge of Linux and networking concepts is expected.

What you will learn

  • Understand Internetworking, sources of network-based evidence and other basic technical fundamentals, including the tools that will be used throughout the book
  • Acquire evidence using traffic acquisition software and know how to manage and handle the evidence
  • Perform packet analysis by capturing and collecting data, along with content analysis
  • Locate wireless devices, as well as capturing and analyzing wireless traffic data packets
  • Implement protocol analysis and content matching; acquire evidence from NIDS/NIPS
  • Act upon the data and evidence gathered by being able to connect the dots and draw links between various events
  • Apply logging and interfaces, along with analyzing web proxies and understanding encrypted web traffic
  • Use IOCs (Indicators of Compromise) and build real-world forensic solutions, dealing with malware

Product Details

Publication date: Feb 29, 2016
Length: 274 pages
Edition: 1st
Language: English
ISBN-13: 9781785282126




Table of Contents

11 Chapters
1. Becoming Network 007s
2. Laying Hands on the Evidence
3. Capturing & Analyzing Data Packets
4. Going Wireless
5. Tracking an Intruder on the Network
6. Connecting the Dots – Event Logs
7. Proxies, Firewalls, and Routers
8. Smuggling Forbidden Protocols – Network Tunneling
9. Investigating Malware – Cyber Weapons of the Internet
10. Closing the Deal – Solving the Case
Index

Customer reviews

Average rating: 1.5 out of 5 (2 ratings)

Alejandro Castillo, Apr 03, 2016, 2 stars (Amazon verified review)

The book is extremely high level to be practical or useful. Take the tunneling chapter, for example: in the tunneling chapter, tunneling is only explained. No methods or ideas are ever brought up as to how to detect it or investigate it. Some sections do have tools, but even these sections aren't useful. The author painfully does a step-by-step process that literally just acts as filler for the book, as it fills it with screenshots. I mean, who hasn't gone through a click-click-next-next installer? If you are a manager who has just transitioned to the incident response side and want to get your hands wet to understand what your employees are doing, this book is for you! For everyone else trying to actually solve this problem on a network with more than one PC and needing a deeper understanding of the subject... this book may not be for you.

Mr. Kevin J. Ross, Mar 09, 2016, 1 star (Amazon verified review)

I have only read some of this so far in bits and I am not impressed. I got the impression from this book that this book would have good information on the latest methods of analysing complex network data to find bad guys, and if you look at the "what you will learn in this book" blurb you will be led to believe this too. However:

  • The actual content of the book is minimal. Some pages literally have 4 or 5 sentences on them, a picture, and then 1/3 to 1/2 of the page blank where the content continues on the next page.
  • Everything I have read feels like a summary that leads nowhere. It may be common to provide a short description in order to provide the groundwork for coming content, but the book feels largely structured like this. For instance, in the chapter on tunnelling there is some description of very basic "what is a VPN", what is an SSH tunnel, etc. and there is nothing really else. It could have gone on to discuss, for instance, finding DNS tunnelling through abnormal message sizes, frequencies, responses and protocol violations, but there is nothing. The IDS chapter is a similar how-to-install-Snort-on-Windows (whereas on most networks you will use a *nix OS) and how to run it.
  • There was very little I saw on actually detecting real attacker techniques. Dissecting exploits on the network, malware command and control, lateral movement etc. would have provided excellent content.

As such, save your money and avoid this even if you are just starting out and looking for an easy introduction (even though the description of the book suggests more would be covered), as you will learn very little applicable knowledge, and I have managed to quite a bit of different parts of the book very quickly, finding nothing of interest for application to real network defence against modern criminals.

Better books would be:

Network: Applied Network Security Analysis (proper design, IDS including Suricata, Snort and BRO and analysis, IOC consumption etc.), Network Security Through Data Analysis, The Practice of Network Security Monitoring (more if using Security Onion), Network Forensics: Tracking Hackers Through Cyberspace, Crafting the InfoSec Playbook (more queries and concepts; basically where this book should have gone when they started talking about Splunk instead of how to install and add data, though a read-up on the ELK stack and setting that up and you can ingest your IDS and network logs like firewall logs and Bro logs into that).

Malware & Exploit: Malware Analyst's Cookbook, Practical Malware Analysis, Gray Hat Hacking 4th edition, Android Malware and Analysis etc.