Learning Network Forensics
Identify and safeguard your network against both internal and external threats, hackers, and malware attacks

Author: Samir Datt
Publisher: Packt
Published: Feb 2016
Product type: Paperback
Edition: 1st Edition
Length: 274 pages
ISBN-13: 9781782174905

Table of Contents (12 chapters)

Preface
1. Becoming Network 007s (free chapter)
2. Laying Hands on the Evidence
3. Capturing & Analyzing Data Packets
4. Going Wireless
5. Tracking an Intruder on the Network
6. Connecting the Dots – Event Logs
7. Proxies, Firewalls, and Routers
8. Smuggling Forbidden Protocols – Network Tunneling
9. Investigating Malware – Cyber Weapons of the Internet
10. Closing the Deal – Solving the Case
Index

Data breach surveys

There are many data breach, information security, and cyber crime surveys published, without fail, every year by the consulting industry.

For reference, a few of these survey reports available on the net are listed as follows:

All of them point to the same conclusion: data breaches are becoming more expensive, and there is no sign of that trend reversing.

Some of the points brought up by most of them are:

  • The cost of a data breach is on the rise.
  • After a breach, customers lose confidence and tend to change service providers. This is particularly common in the financial services industry.
  • For many countries, malicious or criminal attacks are the top root cause of data breaches.
  • In over 50% of the cases, insiders were involved in one way or another.

What does this mean for us? It means that we are in the right place at the right time. There will always be strong demand for the Sherlocks of the net: professionals who can detect, collect, collate, analyze, and investigate will find themselves on the must-hire list of most large corporations.

Let's get started with the underlying principle of forensics of any sort.

Locard's exchange principle

No study of digital investigations can be considered well begun without an understanding of the underpinning of the science. Locard's exchange principle is the foundation on which scientific investigation methodologies are built.

Dr Edmond Locard (1877-1966) was a French scientist who worked with the French Secret Service in the First World War. He was a pioneer in forensic science and criminology. He developed a methodology to identify the nature and cause of death of French soldiers and prisoners by examining the wounds, damage, stains, and other marks on the body.

He was known as the Sherlock Holmes of France.

He is often credited with saying every contact leaves a trace!

He postulated that anybody or anything that enters or leaves a crime scene (that is, interacts with it) either leaves something behind or takes something away (inadvertently or intentionally), and that this exchange can be used as forensic evidence. Let's consider a murder. Anyone who walks into the murder scene may leave evidence of their presence in the form of footprints, fingerprints, and so on. Similarly, when someone leaves the crime scene, they may take specks of blood with them, local dust may adhere to their shoes, and so on.

How does this translate into the network world?

Essentially, every attempt to communicate with a device on the network leaves a trace somewhere; this could be at firewalls, intrusion detection systems, routers, event logs, and so on. Similarly, any attempt by an internal miscreant to access unauthorized resources will also leave a trace. This is depicted in the following image:

Figure: Locard's exchange principle in a digital world

Let's take the example of a phishing attack. It begins with an innocuous-looking mail carrying an appealing subject line. The phishing mail may carry a payload in the form of an attachment (for example, a Trojan) or a link that leads to the same result. In this case, according to Locard's exchange principle, the two entities interacting are the affected computer and the computer sending out the phish. Some of the evidence in this case would be the e-mail itself, the Trojan horse/malware/keylogger, stolen passwords, changed passwords, attempts to cover tracks, and so on. The backdoor, once discovered, could reveal a lot of detail, and the IP addresses of the devices that control it or receive the stolen data would also count as evidence. The command and control center for the phishing operation (if identified) would be a goldmine of evidence.
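The following is an added example, not code from the book or from the author: it applies the exchange principle to the phishing scenario above, and to the earlier observation that every contact leaves a trace at firewalls, proxies, DNS resolvers, and host event logs. It starts from the traces the lure mail itself carries (the relaying IP in the Received header, the sender address, the hostname of the lure URL), then searches constructed DNS, proxy, and workstation logs for those indicators, pivoting on any new address or machine name a matching line reveals, and orders everything it found into one timeline. All evidence strings, hostnames, addresses, and the key=value log layout are assumptions constructed for the example.

```python
import re
from datetime import datetime
from email import message_from_string

# Constructed sample evidence (not real data). Each source kept its own trace
# of the same contact: the lure mail, the victim's DNS lookup, the proxy
# requests to the lure site, and the victim workstation's own event log.
PHISH_EMAIL = """\
Received: from mail.example-bank.test (unknown [203.0.113.45])
\tby mx.victim.test with ESMTP id 4ZkQ; Mon, 15 Feb 2016 09:02:11 +0000
From: "Account Services" <alerts@example-bank.test>
To: jdoe@victim.test
Subject: Urgent: verify your account today
Content-Type: text/plain

Your account will be suspended. Confirm at http://secure-login.example-bank.test/verify
"""

LOGS = {
    "dns": """\
2016-02-15T09:05:39Z client=10.1.2.33 query=secure-login.example-bank.test answer=198.51.100.7
2016-02-15T09:06:01Z client=10.1.2.34 query=www.example.com answer=93.184.216.34
""",
    "proxy": """\
2016-02-15T09:05:40Z src=10.1.2.33 dst=198.51.100.7 host=secure-login.example-bank.test method=GET action=ALLOW
2016-02-15T09:05:41Z src=10.1.2.33 dst=198.51.100.7 host=secure-login.example-bank.test method=POST action=ALLOW
2016-02-15T09:06:02Z src=10.1.2.34 dst=93.184.216.34 host=www.example.com method=GET action=ALLOW
2016-02-15T09:31:17Z src=10.1.2.33 dst=198.51.100.7 host=secure-login.example-bank.test method=POST action=BLOCK
""",
    "host": """\
2016-02-15T09:05:38Z computer=WS-033 user=jdoe event=BrowserStart url=http://secure-login.example-bank.test/verify
2016-02-15T09:27:50Z computer=WS-033 user=jdoe event=ProcessCreate image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe
""",
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # [203.0.113.45] inside a Received: header
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)\S*")    # hostname part of a lure URL
KV_RE = re.compile(r"(\w+)=(\S+)")                          # key=value fields in the assumed log layout
# Fields whose values identify another party to the contact and are therefore worth pivoting on.
PIVOT_KEYS = {"src", "dst", "client", "answer", "computer"}


def extract_indicators(raw_email):
    """What the phishing mail itself leaves behind: relaying IP, sender address, lure host."""
    msg = message_from_string(raw_email)
    indicators = set()
    for received in msg.get_all("Received", []):
        indicators.update(IP_RE.findall(received))
    sender = re.search(r"<([^>]+)>", msg.get("From", ""))
    if sender:
        indicators.add(sender.group(1))
    for match in URL_HOST_RE.finditer(msg.get_payload()):
        indicators.add(match.group(1))
    return indicators


def parse_line(source, line):
    """Split 'YYYY-MM-DDTHH:MM:SSZ rest...' into a timeline event."""
    stamp, _, detail = line.partition(" ")
    return {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source, "detail": detail}


def build_timeline(indicators, logs):
    """Collect every log line that mentions a known indicator, pivot on the
    addresses and machine names those lines reveal, and repeat until no new
    indicator turns up. Returns (events sorted by time, all indicators found)."""
    known = set(indicators)
    events = {}                      # (source, line) -> event; identical lines collapse to one
    grew = True
    while grew:
        grew = False
        for source, text in logs.items():
            for line in text.splitlines():
                if (source, line) in events or not any(i in line for i in known):
                    continue
                events[(source, line)] = parse_line(source, line)
                for key, value in KV_RE.findall(line):
                    if key in PIVOT_KEYS and value not in known:
                        known.add(value)
                        grew = True
    return sorted(events.values(), key=lambda e: e["time"]), known


def investigate(raw_email, logs):
    """Start from the mail, then follow its traces through every other source."""
    return build_timeline(extract_indicators(raw_email), logs)


if __name__ == "__main__":
    timeline, known = investigate(PHISH_EMAIL, LOGS)
    print("indicators:", ", ".join(sorted(known)))
    for event in timeline:
        print(event["time"].isoformat(), event["source"].ljust(5), event["detail"])
```

Run as written, the mail yields three indicators; pivoting through the logs adds the victim workstation's address and name and the lure site's resolved IP, and the timeline ties the browser launch, the DNS lookup, the GET and credential POST, a later suspicious process on the same machine, and a blocked follow-up POST to one chain of contact. Nothing here touches the workstation 10.1.2.34, whose traffic to an unrelated site shares the logs but none of the indicators.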

As a network 007, it is our job to figure out what is going on and draw our conclusions accordingly.
