Week 2.1 - Network Forensics
- tcpdump
  - -D (lists interfaces)
  - -h (help)
- Wireshark
- mergecap - Combines pcap files
- editcap - Manipulates packet capture files
- dnstop - isolates only DNS traffic
- Switches - CAM table, direct traffic capture
- Routers - Routing table, Logs
- Firewalls - Vast logs
- Network intrusion detection systems
- Web Proxy servers
- Authentication Servers
- Application Servers
- Manual log review
  - Manually going through the log files looking for interesting information
- Filtered log review
  - Filtering the log files to make it easier to find information in them
- Searching
  - Searching through the log files
- Correlation
  - Correlating the logs against known data
- Data mining
Scripts can be used to automate log analysis and review
- Allows you to focus on specific areas
- Automates the log analysis tasks
A common script uses regular expressions to filter log files: it pulls IP addresses and hostnames out of the logs and then compares them with another directory to find common items.
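As an added example (not the course's script), a small Python version of that kind of tool: it extracts IPv4 addresses and hostnames from log lines with regular expressions and correlates them against a set of known indicators, reporting which lines matched. The log lines and the indicator set are constructed for the example.

```python
import re

# Constructed sample log lines (syslog-like), not taken from any real system.
LOG_LINES = [
    "Jan 10 03:12:44 fw1 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jan 10 03:12:45 proxy1 squid: 192.0.2.33 GET http://updates.example.net/update",
    "Jan 10 03:13:01 dns1 named: client 192.0.2.33 query: mail.example.org IN A",
    "Jan 10 03:13:07 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443",
    "Jan 10 03:14:20 proxy1 squid: 192.0.2.58 GET http://cdn.example.com/lib",
]

# Constructed "known data" to correlate against, e.g. indicators pulled from another set of logs.
KNOWN_INDICATORS = {"203.0.113.45", "UPDATES.example.net", "10.0.0.99", "bad.example.invalid"}

# Dotted-quad IPv4 with each octet limited to 0-255.
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Dotted hostname ending in an alphabetic label, so bare IP addresses are not double-counted.
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_indicators(lines):
    """Map every IPv4 address and hostname found to the set of 1-based line numbers it appears on."""
    seen = {}
    for n, line in enumerate(lines, 1):
        for match in IPV4_RE.findall(line) + HOSTNAME_RE.findall(line):
            seen.setdefault(match.lower(), set()).add(n)
    return seen


def correlate(lines, known):
    """Return {indicator: [line numbers]} for indicators present in both the logs and the known set."""
    found = extract_indicators(lines)
    common = found.keys() & {k.lower() for k in known}  # case-insensitive intersection
    return {ind: sorted(found[ind]) for ind in common}


if __name__ == "__main__":
    for indicator, line_numbers in sorted(correlate(LOG_LINES, KNOWN_INDICATORS).items()):
        print(f"{indicator}: lines {line_numbers}")
```

Regex extraction is deliberately loose (any dotted name with an alphabetic last label counts as a hostname), so on real logs expect some noise such as file names; the correlation step is what narrows the output to items worth a closer look.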
- Fire department analogy
  - Take notes, record actions, document decisions and individual contributions
  - Sift through the evidence
  - Same workflow in forensic investigations
- Root cause analysis
- After-action review
  - Who?
  - When?
  - Where?
  - What?
  - Why?
  - How?
- Ticketing Systems
- Written reports
  - Executive summary
  - Incident report
  - Forensic report