ANI Advanced Network Information


Course Details

Duration: 3 days
Time: 0900 - 1800
Fee: $1,950 USD
Class Size: 12 – 20


CSI Network Forensics Overview

Practical Tools for Investigating and Preventing Computer Network Crimes

Audience: Law Enforcement Computer Forensics Investigators and Corporate Security Personnel

Course Description

This 3-day hands-on workshop is targeted for law enforcement computer forensics investigators and corporate security personnel with a basic understanding of computer forensics. Participants will gain real-world knowledge and skills to analyze network traffic from criminals’ computers, improve network security and reliability, and protect networks from malicious and criminal attacks. You will receive a training binder including Wireshark trace files and a DVD with networking and forensics tools.

Registration

To register for this class please go to the registration page.

Learning Objectives

As a result of successful completion of this workshop, participants will be able to:

Facilitator: Priscilla Oppenheimer

Priscilla Oppenheimer has more than 25 years of experience in the networking field and has trained network engineers and forensics specialists around the world. In 2006 and 2007 she helped conduct a Counter Terrorism Crime Scene Investigation exercise where students analyzed a realistic crime scene involving computer evidence, explosives, and a plot to blow up critical infrastructure. Participants included the Jackson County Oregon Sheriff’s Department, the Central Point Oregon Police Department, the U.S. Drug Enforcement Agency, and the U.S. Fish and Wildlife Service National Forensics Lab. Priscilla teaches Cisco, Wireshark, and forensics classes, and is the author or co-author of five books on computer networking.

“Her classroom presentations are well organized and easy to follow, making complex analysis easy to understand. I have great confidence she can provide law enforcement organizations with a quality learning experience.”
– R. Brian Horne, Forensics Scientist – Computers, National Forensics Lab, U.S. Fish & Wildlife Service

Course Content

1) Day 1

  1. Network forensics overview and definitions
  2. Network forensics tools
  3. Understanding normal network traffic
    1. Service name to port number resolution
    2. Name to Internet Protocol (IP) address resolution
    3. Local versus remote resolution
    4. Media Access Control (MAC) address resolution
    5. Building a packet
    6. Lab: Use the open-source Wireshark protocol analyzer to examine normal network traffic
  4. Researching IP addresses
    1. Public versus private addresses
    2. Address assignment and Regional Internet Registries
    3. Geo-location of IP addresses
    4. Lab: Research IP addresses
  5. Researching TCP and UDP port numbers
    1. Understanding port numbers
    2. Using Internet Assigned Numbers Authority (IANA) documents
    3. Lab: Research port numbers
  6. Researching Domain Name System names
    1. Understanding DNS
    2. Using whois, nslookup, dig, dnsstuff.com, and other DNS tools
    3. Lab: Research DNS information
  7. Tracing an e-mail
    1. Understanding email full headers
    2. Recognizing faked headers
    3. Lab: Find the source of a phishing scheme
  8. Reconstructing a suspect's Web-browsing activity
    1. Parsing index.dat and cookie files
    2. Lab: Use open-source tools to reconstruct web-browsing activity

2) Day 2

  1. Capturing network traffic
    1. Legal considerations
    2. Capturing full content data versus session data
    3. Network hardware taps
    4. Switch port mirroring
    5. Tapping into wired versus wireless networks
    6. Lab: Use Wireshark to analyze traffic that was captured using a tap
  2. Reconnaissance missions
    1. Port scans
    2. TCP flags scans
    3. IP scans
    4. OS fingerprinting
    5. Application mapping scans
    6. Lab: Use Wireshark to analyze a reconnaissance mission
  3. Security breaches
    1. Spoofed MAC addresses
    2. Spoofed IP addresses
    3. Botnet infections
    4. Unauthorized applications
    5. Lab: Use Wireshark to analyze a security breach
  4. Active attacks
    1. Viruses and worms
    2. Cracking passwords
    3. Denial of service attacks
    4. Poisoning DNS caches
    5. Poisoning ARP caches
    6. Lab: Use Wireshark to watch a suspected criminal in the process of attacking
  5. Reconnaissance and attack signatures
    1. Looking into packets for signatures
    2. Pattern signatures
    3. Header signatures
    4. Payload signatures
    5. Lab: Use Wireshark to find signatures of attacks

3) Day 3

  1. Introduction to server logs
    1. Web versus email, DHCP, and DNS servers
    2. Introduction to syslog
    3. Introduction to Windows event logs
    4. Tools for log analysis
    5. Lab: Analyze an Apache web server log
  2. Introduction to router and switch forensics
    1. Cisco router and switch architecture
    2. Cisco logging (console versus buffer, terminal, and syslog)
    3. Attacks on routers
    4. Attacks on switches
    5. Router and switch attack incident response
    6. Cisco "show" commands
    7. Lab: Analyze output from Cisco show commands
  3. Putting it all together
    1. Comparing normal traffic to suspect traffic
    2. Comparing tools and their applications
    3. Lab: Use Wireshark to analyze an attack on a Cisco router

© 2007 Advanced Network Information, Inc. All rights reserved.