CSI Network Forensics
Overview & Analysis
Practical techniques for forensic analysis of suspicious network traffic
Course Details:
Audience: This course is designed for law enforcement personnel and network security professionals. Participants will gain real-world knowledge and skills to help them analyze network traffic from criminals' computers, investigate network-based crimes, and improve network security and reliability. Personnel who already have a working knowledge of host-based forensics should also attend this course as a means of gaining expertise in the end-to-end digital forensics process.
Course Prerequisites:
For maximum effectiveness, attendees should have some familiarity with TCP/IP networking and network infrastructure devices such as switches and routers. Attendees will also be required to bring their own laptop.
Course Description
Network Forensics Overview and Analysis combines two of ANI's popular 3-day network forensics classes into one 5-day "bootcamp" style class. This intense class encompasses the complete skill set of not only capturing suspicious data, but also discerning unusual patterns hidden within seemingly normal network traffic. This course will provide the student with a set of investigative techniques focusing on the use of vendor-neutral, open-source tools to provide insight into network-based crimes.
Real-world examples are used throughout the course in conjunction with numerous hands-on exercises to develop field-proven, practical forensics analysis skills. Attendees will receive a comprehensive set of training binders and a set of DVDs with numerous reference trace files, networking and forensics tools, and a library of network forensics analysis reference documents.
Course Objectives
As a result of successful completion of this workshop, participants will be able to:
- Explain the principles of network forensics analysis and how to apply them
- Deploy open-source tools for network forensics analysis
- Use forensics tools to recognize traffic patterns associated with suspicious network behavior such as illegal file transfers, hacking, infectious behavior, and more
- Connect into a network to identify reconnaissance processes, active attacks, and evidence of compromised systems
- Identify which computer is engaged in infecting another computer with a virus
- Research Internet Protocol addresses, names, and port numbers
- Analyze logs from web, FTP, e-mail, and DHCP servers
- Dissect forensic information from Cisco routers and switches
- Reconstruct suspicious e-mails, file transfers, web-browsing, and VoIP sessions for detailed analysis and evidentiary purposes
- Recognize potential network security infrastructure misconfigurations
Course Content
DAY 1
- Network Forensics Overview
i) Five key questions
ii) Six-step network forensics analysis methodology
iii) Network forensics definitions and tools
- Understanding Normal Network Traffic
i) Service name to port number resolution
ii) Name to Internet Protocol (IP) address resolution
iii) Local versus remote resolution
iv) Media Access Control (MAC) address resolution
v) Lab: Using open-source network analysis tools to examine normal network traffic
- Researching IP Addresses
i) Public versus private addresses
ii) Address assignment and Regional Internet Registries
iii) Geo-location of IP addresses
iv) Lab: Researching IP addresses
- Researching TCP and UDP Port Numbers
i) Understanding port numbers
ii) Using Internet Assigned Numbers Authority (IANA) documents
iii) Lab: Researching port numbers
- Researching Domain Name System Names
i) Understanding DNS
ii) Using whois, nslookup, dig, dnsstuff.com, and other DNS tools
iii) Lab: Researching DNS information
- Tracing an E-mail
i) Understanding full e-mail headers
ii) Recognizing faked headers
iii) Lab: Finding the source of a phishing scheme
- Reconstructing a Suspect's Web-Browsing Activity
i) Parsing index.dat and cookie files
ii) Lab: Using open-source tools to reconstruct web-browsing activity
DAY 2
- Capturing Network Traffic
i) Legal considerations
ii) How switches and routers affect forensics analysis
iii) Switch port mirroring
iv) Network hardware taps
v) Stealth (silent-mode) collection of data
vi) Tapping into wired versus wireless networks
vii) Lab: Using open-source network analysis tools to analyze traffic that was captured using a tap
- Recognizing Network Traffic Associated with Reconnaissance Missions
i) Port scans
ii) TCP flag scans
iii) IP scans
iv) OS fingerprinting
v) Application mapping scans
vi) Lab: Using open-source network analysis tools to analyze a reconnaissance mission
- Recognizing Network Traffic Associated with Security Breaches
i) Spoofed MAC addresses
ii) Spoofed IP addresses
iii) Botnet infections
iv) Unauthorized applications
v) Lab: Using open-source network analysis tools to analyze a security breach
- Recognizing Network Traffic Associated with Active Attacks
i) Viruses and worms
ii) Cracking passwords
iii) Denial of service attacks
iv) Poisoning DNS caches
v) Poisoning ARP caches
vi) Lab: Using open-source network analysis tools to watch a suspected criminal in the process of attacking
- Reconnaissance and Attack Signatures
i) Looking into packets for signatures
ii) Pattern signatures
iii) Header signatures
iv) Payload signatures
v) Lab: Using open-source network analysis tools to find signatures of attacks
DAY 3
- Introduction to Server Logs
i) Web versus email, DHCP, and DNS servers
ii) Introduction to syslog
iii) Introduction to Windows event logs
iv) Tools for log analysis
v) Lab: Analyzing an Apache web server log
- Introduction to Router and Switch Forensics
i) Cisco router and switch architecture
ii) Cisco logging (console versus buffer, terminal, syslog)
iii) Attacks on routers
iv) Attacks on switches
v) Router and switch attack incident response
vi) Cisco "show" commands
vii) Lab: Analyzing output from Cisco show commands
- Forensics Analysis in Wired vs. WLAN Environments
i) IEEE 802.3 Ethernet vs. IEEE 802.11 frame formats
ii) WLAN device analysis
- Forensic Assessment and Evaluation of Protocol Statistics
i) Assessment of key network and forensics statistics
ii) Lab: Analyzing node and protocol statistics for suspicious activities
iii) Lab: Statistical assessment of the network
DAY 4
- Forensics Analysis Using Expert Systems
i) Using expert systems to determine suspicious activity
ii) Determining which conversations have problems – analyzing latency and throughput
iii) Lab: A tale of two networks
- Protocol and Conversation Forensic Analysis
i) Analyzing the three different network communication architectures
ii) Analyzing suspicious conversations and activities
iii) Interpreting protocol decodes and packet file navigation tips
iv) Lab: Protocol and conversation forensic analysis
- Forensic Filtering Techniques
i) Constructing and applying specialty forensics filters
ii) Importing and exporting filters
iii) Case Study: Locating key text strings and identifying information
iv) Lab: Advanced filtering for forensic analysis
- Tracking and Reconstructing Packet Flows
i) Diagramming and interpreting a conversation
ii) Packet flow reconstruction and analysis
iii) Deep-level forensic analysis of packet contents
iv) Case Study: Reconstructing suspicious multiple segment conversations
v) Lab: Diagramming a conversation – packets never lie
- Forensics Analysis of Network Applications and User Traffic
i) Forensics analysis of IP
ii) Structure and analysis of IPv4 vs. IPv6
iii) IP fragmentation, IP header checksums, and forensic analysis of IPv4 option fields
iv) Common IP exploits and examples of intrusion signatures
v) Lab: Evaluating IP security
DAY 5
- Internet Control Message Protocol (ICMP) and Network Forensics
i) Structure and analysis of ICMP
ii) Analyzing ICMP messages and suspicious ICMP traffic analysis
iii) Lab: Forensic analysis of ICMP
iv) Case Study: Who is knocking on the door – identifying a network mapping intrusion
- Forensics Analysis of TCP
i) Structure and analysis of TCP
ii) TCP header checksums and forensic analysis of TCP option fields
iii) Common TCP exploits and examples of intrusion signatures
iv) Case Study: Determining the source of a TCP SYN flood attack
- Forensic Analysis of User Traffic and Common User Protocol Exploits
i) Email applications using SMTP, POP, and IMAP
ii) Web-based applications using HTTP
iii) VoIP applications
iv) Lab: Forensic analysis of user traffic
v) Lab: VoIP call interception and playback
vi) Case Study: Application reconstruction – e-mail, web, instant messenger, file transfers
- Challenge Labs
i) Lab: What is happening to my e-mail server?
ii) Lab: Who is scanning the network?
iii) Lab: What a mess! – multiple threats and simultaneous attacks