UTD CS 4398 - Lecture 17 Network Forensics

Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #17: Network Forensics
October 19, 2008

Slide titles in the full deck: Outline; Meeting on October 21st; Network Attacks; Securing a Network; Network Security Mechanisms; Network Forensics; What is Network Forensics?; Network Analysis; Network Forensics Analysis Tools (NFAT): Relationships between IDS, Firewalls and NFAT; NFAT Tasks; Network Forensics: NetworkMiner; Honeynets/Honeypots; Honeynet project; Policies: Computer Attack Taxonomy; Policies to enhance forensics; Example Prototype System: Iowa State University; Example Prototype System: Modules; Network Tools; Some Popular Tools; Network Forensics: Open Source Tools; Network Forensics: Commercial Tools; Performing Live Acquisitions; Performing Live Acquisitions: Windows; Standard procedures; Network Logs; Packet Sniffers; Summary; Links; Reference Books for Digital Forensics; Special Presentation; Social Network Analysis of 9/11 Terrorists (www.orgnet.com); Social Network Analysis of Steroid Usage in Baseball (www.orgnet.com); Applying to Network Forensics; Readings for October 26 and October 28.

Outline
- Plans for October 21
- Network Forensics
  - Network Attacks
  - Security Measures
  - Network Forensics and Tools
  - Types of Networks
  - Other info
- Summary/Conclusion and Links
- Special presentation on network forensics: http://www.infragard.net/library/congress_05/computer_forensics/network_primer.pdf
- Appendix: Social Network Forensics
- Readings for October 26 and 28

Meeting on October 21st
Tour of North Texas FBI Lab at 2pm
301 N. Market Street, Suite 500 (5th floor), Dallas, Texas. www.ntrcfl.org
Michael S. Morris, Lab Director, NTRCFL, (972) 559-5800
MorrisLab DirectorNTRCFL(972) 559-5800Network Attacks Denial of service Denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program. These may be performed at the network layer by sending carefully crafted and malicious datagrams that cause network connections to fail. They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning. Preventing suspicious network traffic from reaching hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack. It is useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.Network Attacks Spoofing This type of attack causes a host or application to mimic the actions of another. Typically the attacker pretends to be an innocent host by following IP addresses in network packets. For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers. To protect against this type of attack, verify the authenticity of datagrams and commands. Prevent datagram routing with invalid source addresses. Introduce unpredictablility into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.Network Attacks Eavesdropping This is the simplest type of attack. A host is configured to "listen" to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections. Broadcast networks like Ethernet are especially vulnerable to this type of attack. 
To protect against this type of threat, avoid use of broadcast network technologies and enforce the use of data encryption.IP firewalling is very useful in preventing or reducing unauthorized access, network layer denial of service, and IP spoofing attacks. It not very useful in avoiding exploitation of weaknesses in network services or programs and eavesdropping.Securing a NetworkNeed measures to secure a network and prevent breachesApply patches; User a layered network defense strategyNSA (National Security Agency) ahs developed DiD Defense in Depth) and has three models of protection-People, Technology, Operations-People: Employees are trained well-Technology: Strong network architecture and testing tools-Operations: applying security patches, anti-virus software, etc.Network Security MechanismsNetwork security starts from authenticating any user, most likely a username and a password. Once authenticated, a stateful firewall enforces access policies such as what services are allowed to be accessed by the network usersThough effective to prevent unauthorized access, this component fails to check potentially harmful contents such as computer worms being transmitted over the network. An intrusion prevention system (IPS) helps detect and prevent such malware. IPS also monitors for suspicious network traffic for contents, volume and anomalies to protect the network from attacks such as denial of service. Communication between two hosts using the network could be encrypted to maintain privacy. Individual events occurring on the network could be tracked for audit purposes and for a later high level analysis.Network Security MechanismsHoneypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools. Techniques used by the attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. 
Such analysis could be used to further tighten security of the actual network being protected by the honeypotSome tools: Firewall, Antivirus software and Internet Security Software. For authentication, use strong passwords and change it on a bi-weekly/monthly basis. When using a wireless connection, use a robust password. Network analyzer to monitor and analyze the network.Network ForensicsWhat is Network Forensics?-http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.htmlNetwork Forensics AnalysisRelationship to Honeynets/HoneypotsPolicies for Networks ForensicsExample Prototype SystemSome Popular Networks Forensics Analysis Tools (NFAT)What is Network ForensicsNetwork forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. -Network
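The spoofing slide's last countermeasure, unpredictable TCP sequence numbers, is easy to state and easy to get wrong. The following is an added example, not part of the lecture, that replays the rlogin-style blind spoof against two initial sequence number (ISN) generators: a global counter stepped by a fixed increment, which is the legacy behaviour the attack relied on, and a keyed per-connection offset in the style of RFC 6528. The addresses are documentation ranges and the choice of HMAC-SHA256 as the keyed function is an assumption of this example (RFC 6528 itself suggests MD5).

```python
"""Added example (not from the lecture): why TCP initial sequence numbers
must be unpredictable.

Replays the rlogin-style spoof from the slide against two ISN generators:
a global counter stepped by a fixed increment (the legacy BSD behaviour the
attack relied on) and a keyed per-connection offset in the style of RFC 6528.
Addresses are documentation ranges; HMAC-SHA256 as the keyed function F is an
assumption of this example (RFC 6528 itself suggests MD5)."""
import hashlib
import hmac
import ipaddress
import struct

SEQ_INCREMENT = 64_000   # per-connection step of the legacy scheme
CLOCK_UNIT_US = 4        # RFC 6528: the clock component M ticks every 4 microseconds


class LegacyIsnGenerator:
    """Every new connection receives the previous ISN plus a fixed increment."""

    def __init__(self, start=0):
        self.counter = start

    def isn(self, local_ip, local_port, remote_ip, remote_port, now_us):
        self.counter = (self.counter + SEQ_INCREMENT) & 0xFFFFFFFF
        return self.counter


class KeyedIsnGenerator:
    """ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret) mod 2^32.

    M is the 4-microsecond clock, so the sequence space of one connection still
    advances over time; F is a keyed hash, so the ISNs of different 4-tuples are
    unrelated to anyone who does not hold the secret."""

    def __init__(self, secret):
        self.secret = secret

    def isn(self, local_ip, local_port, remote_ip, remote_port, now_us):
        m = (now_us // CLOCK_UNIT_US) & 0xFFFFFFFF
        tuple4 = (ipaddress.IPv4Address(local_ip).packed + struct.pack("!H", local_port)
                  + ipaddress.IPv4Address(remote_ip).packed + struct.pack("!H", remote_port))
        f = int.from_bytes(hmac.new(self.secret, tuple4, hashlib.sha256).digest()[:4], "big")
        return (m + f) & 0xFFFFFFFF


def blind_spoof_succeeds(generator, now_us=1_000_000):
    """Simulate the attacker's blind three-way handshake.

    1. The attacker opens a real connection to the victim's rlogin port and
       reads the ISN in the SYN/ACK it receives.
    2. It then sends a SYN whose source address is the host the victim trusts.
       The SYN/ACK for that connection goes to the trusted host, not to the
       attacker, so the attacker's final ACK must carry a guessed server ISN.
    3. The guess follows the legacy rule: observed ISN + SEQ_INCREMENT.
    Returns True when the guess matches the ISN the server actually chose."""
    server, attacker, trusted = "192.0.2.1", "203.0.113.7", "192.0.2.2"
    observed = generator.isn(server, 513, attacker, 1023, now_us)
    guess = (observed + SEQ_INCREMENT) & 0xFFFFFFFF
    # The spoofed SYN arrives one clock tick after the probe connection.
    actual = generator.isn(server, 513, trusted, 1023, now_us + CLOCK_UNIT_US)
    return guess == actual


if __name__ == "__main__":
    print("legacy counter ISN, spoof succeeds:", blind_spoof_succeeds(LegacyIsnGenerator()))
    print("keyed RFC 6528 ISN, spoof succeeds:", blind_spoof_succeeds(KeyedIsnGenerator(b"per-boot secret")))
```

The keyed scheme keeps the property the protocol needs (for one 4-tuple the ISN still advances with the clock, so a reused connection does not collide with old segments) while denying the attacker the property the attack needs (the ISN of one connection says nothing about the ISN of another). The same reasoning applies to the slide's other item, dynamic port allocation: a predictable ephemeral port is one fewer thing an off-path attacker has to guess.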
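"Capturing information that moves over a network and trying to make sense of it" is abstract until you do it. The following is an added example, not from the lecture or any of the tools it names, of the smallest useful network forensics triage pass: decode raw Ethernet/IPv4/TCP frames with only the standard library, then flag the three attack classes from the earlier slides (a forged source address, a SYN flood, and a login sent in cleartext). The capture is constructed inline; the protected prefix, addresses, ports and the half-open threshold are assumptions of the example.

```python
"""Added example (not from the lecture): a minimal network forensics triage
pass of the kind an NFAT performs, using only the standard library.

Decodes Ethernet II / IPv4 / TCP headers from raw frames, builds per-service
state and flags three attack classes from the slides: a forged (spoofed)
source address, a SYN flood, and a login sent in cleartext. The capture is
constructed inline; the protected prefix, addresses, ports and the SYN
threshold are assumptions of the example."""
import ipaddress
import struct
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed protected network
SYN, ACK, PSH = 0x02, 0x10, 0x08
# Services whose login exchange is readable by an eavesdropper (FTP, POP3).
CLEARTEXT_LOGIN_MARKERS = {21: (b"USER ", b"PASS "), 110: (b"USER ", b"PASS ")}


def parse_frame(frame):
    """Decode one Ethernet II frame carrying IPv4/TCP; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (off_flags >> 12) * 4
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "sport": sport, "dport": dport,
        "syn": bool(off_flags & SYN), "ack": bool(off_flags & ACK),
        "payload": tcp[data_offset:],
    }


def triage(frames, syn_threshold=5):
    """Return a list of findings; the first element of each tuple names the class."""
    pkts = [p for p in map(parse_frame, frames) if p]
    findings = []

    # 1. Spoofing. The capture point is assumed to sit outside the border router,
    #    so a packet claiming an internal source *and* an internal destination can
    #    only have been forged (the same check BCP 38 ingress filtering makes).
    for p in pkts:
        if (ipaddress.ip_address(p["src"]) in INTERNAL_NET
                and ipaddress.ip_address(p["dst"]) in INTERNAL_NET):
            findings.append(("spoofed_source", p["src"], p["dst"], p["dport"]))

    # 2. Denial of service. Sources that sent a bare SYN to a service and never
    #    followed with an ACK leave half-open handshakes; many of them = SYN flood.
    syn_sources, ack_sources = defaultdict(set), defaultdict(set)
    for p in pkts:
        service = (p["dst"], p["dport"])
        if p["syn"] and not p["ack"]:
            syn_sources[service].add(p["src"])
        elif p["ack"]:
            ack_sources[service].add(p["src"])
    for service, sources in syn_sources.items():
        half_open = sources - ack_sources[service]
        if len(half_open) >= syn_threshold:
            findings.append(("syn_flood", service, len(half_open)))

    # 3. Eavesdropping exposure. Credentials anyone on the segment could read.
    for p in pkts:
        for marker in CLEARTEXT_LOGIN_MARKERS.get(p["dport"], ()):
            if p["payload"].startswith(marker):
                line = p["payload"].decode("ascii", "replace").strip()
                findings.append(("cleartext_credential", p["src"], p["dst"], p["dport"], line))
    return findings


# --- constructed capture (not a real trace) ---------------------------------
def _ip_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. The IP header checksum is computed; the
    TCP checksum is left at zero, which is enough for header parsing."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", _ip_checksum(header)) + header[12:]
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + header + tcp


SERVER = "10.0.0.5"
CAPTURE = (
    [build_frame("192.0.2.10", SERVER, 40001, 22, SYN),      # legitimate handshake to SSH
     build_frame("192.0.2.10", SERVER, 40001, 22, ACK),
     build_frame("10.0.0.9", SERVER, 1023, 513, SYN)]        # internal source seen from outside: forged rlogin SYN
    + [build_frame("198.51.100.%d" % i, SERVER, 50000 + i, 80, SYN) for i in range(1, 7)]  # six half-open SYNs
    + [build_frame("192.0.2.10", SERVER, 40002, 21, PSH | ACK, b"USER alice\r\n"),   # FTP login in the clear
       build_frame("192.0.2.10", SERVER, 40002, 21, PSH | ACK, b"PASS hunter2\r\n")]
)

if __name__ == "__main__":
    for finding in triage(CAPTURE):
        print(finding)
```

Run it and the three findings come out in the order the slides discussed them. Each check is the data-plane counterpart of a countermeasure on the slides: the spoof check is what an ingress filter enforces at the border, the half-open count is what an IPS watches to spot a SYN flood, and the cleartext-login check is why the eavesdropping slide ends with "enforce the use of data encryption". Feeding the same functions a real trace means replacing CAPTURE with frames read from a pcap file; the decoder does not depend on how the frames were obtained.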