Description

Network forensics is an evolution of typical digital forensics, in which evidence is gathered from network traffic in near real time. This book will help security and forensics professionals as well as network administrators build a solid foundation of processes and controls to identify incidents and gather evidence from the network. Forensic scientists and investigators are some of the fastest growing jobs in the United States with over 70,000  individuals employed in 2008. Specifically in the area of cybercrime and digital forensics, the federal government is conducting a talent search for 10,000 qualified specialists. Almost every technology company has developed or is developing a cloud computing strategy.  To cut costs, many companies are moving toward network-based applications like SalesForce.com, PeopleSoft, and HR Direct. Every day, we are moving companies’ proprietary data into a cloud, which can be hosted anywhere in the world. These companies need to understand how to identify where their data is going and what they are sending.

Key Features

  • Key network forensics skills and tools are discussed—for example, capturing network traffic, using Snort for network-based forensics, using NetWitness Investigator for network traffic analysis, and deciphering TCP/IP.
  • The current and future states of network forensics analysis tools are addressed.
  • The admissibility of network-based traffic is covered as well as the typical life cycle of a network forensics investigation.

Readership

Forensic Investigators (corporate and law enforcement) and Incident Response Professionals, IT Security and System Administrator professionals.

Table of Contents

PART I INTRODUCTION

CHAPTER 1 What Is Network Forensics?
Introduction to Cloud Computing
Introduction to the Incident Response Process
Investigative and Forensics Methodologies
Where Network Forensics Fits In

PART II GATHERING EVIDENCE

CHAPTER 2 Capturing Network Traffic
The Importance of DHCP Logs
Using tcpdump/WinDump
Limitations of tcpdump
tcpdump Command Line
Troubleshooting tcpdump
Using Wireshark
Wireshark GUI
Limitations of Wireshark
Limitations of Using Libpcap and Derivatives
Wireshark Utilities
TShark
Rawshark
Dumpcap
Mergecap
Editcap
Text2pcap
Using SPAN Ports or TAPS
SPAN Port Issues
Network Tap
Using Fiddler
Firewalls
Placement of Sensors
Summary

CHAPTER 3 Other Network Evidence
Overview of Botnets and Other Network-Aware Malware
The Botnet Life Cycle
Temporal, Relational, and Functional Analyses and Victimology
First Responder Evidence Sources of Network-Related Evidence
Dynamic Evidence Capture
Malware Analysis: Using Sandbox Technology
Summary

PART III ANALYZING EVIDENCE WITH OPEN SOURCE SOFTWARE

CHAPTER 4 Deciphering a TCP Header
OSI and TCP Reference Models
TCP Header
Source Port Number
Destination Port Number
Sequence Number
Acknowledgment Number
Data Offset
Reserved
TCP Flags
Windows Size
TCP Checksum
Urgent Pointer
TCP Options
Padding
Decipherment of a TCP Segment
TCP Signature Analysis
Summary

CHAPTER 5 Using Snort for Network-Based Forensics
IDS Overview
Snort Architecture
Real-Time Network Traffi c Capturing
Playback Binary Network Traffic (pcap Format)
Snort Preprocessor Component
Snort Detection Engine Component
Network Forensics Evidence Generated with Snort
Summary

PART IV COMMER

Details

No. of pages:
368
Language:
English
Copyright:
© 2010
Published:
Imprint:
Syngress
Print ISBN:
9781597495370

About the author

Terrence Lillard

Terrence V. Lillard (Linux+, CISSP) is an IT Security architect and cybercrime and cyberforensics expert. He is actively involved in computer, intrusion, network, and steganography cybercrime and cyberforensics cases, including investigations, security audits, and assessments both nationally and internationally. Terrence has testified in U.S. District Court as a Computer Forensics/Security Expert Witness. He has designed and implemented security architectures for various government, military, and multi-national corporations. Terrence's background includes positions as principal consultant at Microsoft, the IT Security Operations manager for the District of Columbia's government IT Security Team, and instructor at the Defense Cyber Crime Center's (DC3) Computer Investigation Training Academy Program. He has taught IT security and cybercrime/cyberforensics at the undergraduate and graduate level. He holds a B.S. in Electrical Engineering, Master of Business Administration (MBA), and is currently pursuing a Ph.D. in Information Security.

Affiliations and Expertise

(Linux+, CISSP)

Reviews

"Syngress [is] by far the best publisher of digital forensics and general security books…I would strongly recommend that you read Digital Forensics for Network, Internet and Cloud Computing…as this book really does cover a plethora of issues that we’ll all have to face, maybe sooner than we think." –Tony Campbell, Publisher, Digital Forensics Magazine