Rough Cuts are manuscripts that are developed but not yet published, available through Safari. Rough Cuts provide you access to the very latest information on a given topic and offer you the opportunity to interact with the author to influence the final publication.
This is the Rough Cut version of the printed book.
“This is a must-have work for anybody in information security, digital forensics, or involved with incident handling. As we move away from traditional disk-based analysis into the interconnectivity of the cloud, Sherri and Jonathan have created a framework and roadmap that will act as a seminal work in this developing field.”
– Dr. Craig S. Wright (GSE), Asia Pacific Director at Global Institute for Cyber Security + Research
“It’s like a symphony meeting an encyclopedia meeting a spy novel.”
–Michael Ford, Corero Network Security
On the Internet, every action leaves a mark–in routers, firewalls, web proxies, and within network traffic itself. When a hacker breaks into a bank, or an insider smuggles secrets to a competitor, evidence of the crime is always left behind.
Learn to recognize hackers’ tracks and uncover network-based evidence in Network Forensics: Tracking Hackers through Cyberspace. Carve suspicious email attachments from packet captures. Use flow records to track an intruder as he pivots through the network. Analyze a real-world wireless encryption-cracking attack (and then crack the key yourself). Reconstruct a suspect’s web surfing history–and cached web pages, too–from a web proxy. Uncover DNS-tunneled traffic. Dissect the Operation Aurora exploit, caught on the wire.
Throughout the text, step-by-step case studies guide you through the analysis of network-based evidence. You can download the evidence files from the authors’ web site (lmgsecurity.com), and follow along to gain hands-on experience.
Hackers leave footprints all across the Internet. Can you find their tracks and solve the case? Pick up Network Forensics and find out.
Foreword xvii
Preface xix
Acknowledgments xxv
About the Authors xxvii
Part I: Foundation 1
Chapter 1: Practical Investigative Strategies 3
1.1 Real-World Cases 3
1.2 Footprints 8
1.3 Concepts in Digital Evidence 9
1.4 Challenges Relating to Network Evidence 16
1.5 Network Forensics Investigative Methodology (OSCAR) 17
1.6 Conclusion 22
Chapter 2: Technical Fundamentals 23
2.1 Sources of Network-Based Evidence 23
2.2 Principles of Internetworking 30
2.3 Internet Protocol Suite 35
2.4 Conclusion 44
Chapter 3: Evidence Acquisition 45
3.1 Physical Interception 46
3.2 Traffic Acquisition Software 54
3.3 Active Acquisition 65
3.4 Conclusion 72
Part II: Traffic Analysis 73
Chapter 4: Packet Analysis 75
4.1 Protocol Analysis 76
4.2 Packet Analysis 95
4.3 Flow Analysis 103
4.4 Higher-Layer Traffic Analysis 120
4.5 Conclusion 133
4.6 Case Study: Ann’s Rendezvous 135
Chapter 5: Statistical Flow Analysis 159
5.1 Process Overview 160
5.2 Sensors 161
5.3 Flow Record Export Protocols 166
5.4 Collection and Aggregation 168
5.5 Analysis 172
5.6 Conclusion 183
5.7 Case Study: The Curious Mr. X 184
Chapter 6: Wireless: Network Forensics Unplugged 199
6.1 The IEEE Layer 2 Protocol Series 201
6.2 Wireless Access Points (WAPs) 214
6.3 Wireless Traffic Capture and Analysis 219
6.4 Common Attacks 224
6.5 Locating Wireless Devices