Scribd
Upload
15 views11 pages

DF Unit2

Network forensics is a critical component of digital forensics that involves examining network traffic and data to investigate cybercrimes and security incidents. The process includes steps such as identification, preservation, collection, examination, analysis, presentation, and incident response, utilizing various tools for data collection. Additionally, live data acquisition focuses on capturing volatile information from systems in real-time to preserve evidence for legal proceedings.

Uploaded by

utkarshkumarvaish
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
15 views11 pages

DF Unit2

Network forensics is a critical component of digital forensics that involves examining network traffic and data to investigate cybercrimes and security incidents. The process includes steps such as identification, preservation, collection, examination, analysis, presentation, and incident response, utilizing various tools for data collection. Additionally, live data acquisition focuses on capturing volatile information from systems in real-time to preserve evidence for legal proceedings.

Uploaded by

utkarshkumarvaish
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 11

Network Forensics

• Network forensics has become an essential aspect of digital


forensics in recent years
• The examination of a network can provide critical information about
how a company functions and the activities that have taken place on
its systems.
• To conduct a successful network forensic examination, following the
correct steps and using the appropriate tools is essential.
What is Network Forensics?

• Network forensics investigates network traffic patterns and data acquired


while in transit in a networked environment.
• It involves examining traffic data, logs, and other data that can be used to
investigate cybercrime, network security incidents, and data breaches.
• A network forensic examination aims to identify and preserve digital
evidence that can be used in a court of law.
• By analyzing records of network events provided by network forensics, law
enforcement agencies and cybercrime investigators can piece together
communications and timelines to better understand what happened during
a crime or other mysterious event
• Analysts check for evidence of human communication, file tampering, and
keyword usage, among other indicators
Network Forensics Examination Steps

• Identification
• determine what data needs to be collected and which tools will be required.
• Preservation
• Collection
• manually or through automated tools
• Examination
• analyzing the data to look for patterns or anomalies indicative of a security incident
• Analysis
• Investigators use the data they find in packets of network traffic to determine what
happened and why it’s important.
• Presentation
• report or presentation
• Incident Response
Types of Tools Available

• These tools collect data from various sources, including routers,


switches, and servers
• Packet capture tools
• Full-packet capture tools
• Log analysis tools
• NetFlow analysis tools
• SIEM tools
• Digital forensics platforms
• Intrusion detection system tools
Live data acquisition
• Live Data Acquisition is the process of extracting volatile
information present in the
• Registers
• Cache
• RAM
• The volatile information is dynamic in nature and changes with
time; therefore, the investigators should collect the data in real-
time
• Types of Volatile data
• System Information
• current configuration
• running state of the suspicious computer
• system profile
• login activity, current system date and time,
• command history, current system uptime,
• running processes, open files, startup files,
• clipboard data, logged on users,
• shared libraries
• slack spaces of hard disk drive
• Network Information
• open connections and ports,
• routing information and configuration,
• ARP cache, shared files, services accessed, etc.
• Order of Volatility
• Registers, cache
• Routing table, process table, kernel statistics, and memory
• Temporary file systems
• Disk or other storage media
• Remote logging and monitoring data related to the target system
• Physical configuration, network topology
• Archival media
• Step-by-step procedure of the volatile data collection
methodology
• Step 1: Incident Response Preparation
• A first responder toolkit (responsive disk)
• An incident response team (IRT) or designated first responder
• Forensic-related policies that allow forensic data collection
• Step 2: Incident Documentation
• Ensure to store the logs and profiles in organized and readable format
• Document all the information about the security incident needs and maintain a
logbook to record all actions during the forensic collection
• Step 3: Policy Verification
• Ensure that the actions planned do not violate the existing network and computer
usage policies
• Step 4: Volatile Data Collection Strategy
• Security incidents are not similar
• Devise a strategy based on considerations such as the type of volatile data, the
source of the data, type of media used, type of connection, etc
• Step 5: Volatile Data Collection Setup
• Establish a trusted command shell
• Establish the transmission and storage method
• Ensure the integrity of forensic tool output:
• Step 6: Volatile Data Collection Process
• Record the time, date, and command history of the system
• To establish an audit trail generate dates and times while executing each
forensic tool or command
• Start a command history to document all the forensic collection activities.
Collect all possible volatile information from the system and network
• Do not shut down or restart a system under investigation until all relevant
volatile data has been recorded
• Maintain a log of all actions conducted on a running machine
• Photograph the screen of the running system to document its state
• identify the operating system (OS) running on the suspect machine
• Note system date, time and command history, if shown on screen, and record
with the current actual time
• Check the system for the use of whole disk or file encryption
• As each forensic tool or command is executed, generate the date and time to
establish an audit trail
• Dump the RAM from the system to a forensically sterile removable storage
device
• Collect other volatile OS data and save to a removable storage device

• Complete a full report documenting all steps and actions taken


• Case study: Network intrusion investigation – lessons in forensic
preparation

You might also like