Network Forensics

Week 1

Categories of evidence that an examination may produce include real evidence (a physical object such as a computer or hard drive), best evidence (the most authentic available copy, for example a recovered file), direct evidence (an eyewitness account), circumstantial evidence (for example an e-mail signature), hearsay (for example a personal letter stored as a file), business records (contracts and logs), and digital evidence in general (e-mails and logs).

Established investigative methodologies exist. One example is OSCAR, an acronym for Obtain information, Strategize, Collect evidence, Analyze, Report. Another is TAARA, an acronym for Trigger, Acquire, Analyze, Report, Act.

Week 2

Internetworking principles. Connecting two or more networks and enabling communication between them, with attention to the heterogeneity of network types. The Internet Protocol suite. Forensic investigators need a thorough working understanding of TCP/IP, including the main protocols and their header fields.

Week 4

Evidence acquisition goals. The ideal outcome is evidence of absolute fidelity, zero impact on network conditions, and preservation of the evidence. In practice these standards are almost impossible to meet: a zero-footprint investigation cannot be achieved, so best practices are used to minimise the footprint.

In addition, cryptographic checksums (for example MD5 or SHA-256 hashes) are used to verify the integrity of evidence: a hash recorded at acquisition time and recomputed later shows whether the evidence has changed since it was collected.
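As an added example (not from the original notes), the following Python records MD5 and SHA-256 digests of an evidence file at acquisition time and verifies them later, showing that a single modified byte is detected. The file contents are constructed for the example and the function names are hypothetical.

```python
import hashlib
import io
import os
import tempfile


def hash_stream(fileobj, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a stream in chunks so multi-gigabyte captures are not read into memory at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_file(path, manifest):
    """Re-hash the file and compare against the digests recorded at acquisition time.

    Returns {algorithm: True/False}; any False means the evidence no longer matches."""
    current = hash_file(path, tuple(manifest))
    return {name: current[name] == digest for name, digest in manifest.items()}


def demo():
    """Record a manifest, verify it, then change one byte and verify again."""
    # Constructed stand-in for a captured pcap (pcap magic, version fields, padding, fake payload).
    original = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16 + b"constructed packet bytes"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "capture.pcap")
        with open(path, "wb") as f:
            f.write(original)
        manifest = hash_file(path)          # record this, with who/when, in the chain-of-custody notes
        intact = verify_file(path, manifest)
        with open(path, "r+b") as f:        # overwrite the last byte to simulate tampering or corruption
            f.seek(len(original) - 1)
            f.write(b"X")
        tampered = verify_file(path, manifest)
    return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("intact:", before)
    print("after modification:", after)
```

Keep the manifest separate from the evidence (ideally signed or written into the custody log), since a hash stored next to the file can be regenerated by whoever modifies the file.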

Physical interception: packets can be captured (sniffed) from the medium they travel over, since the data are usually sent over a cable. Available instruments include inline network taps, fiber-optic taps, induction coils and "vampire" taps. Radio (wireless) traffic can be captured over the air, and traffic on hubs and switches can also be tapped (on a switch, typically through a mirror or SPAN port).

Week 5

The objective of collecting data. The aim is to gather evidence from an enterprise's network equipment without having a significant effect on the business itself. A zero-footprint investigation, however, is impossible to achieve.

Week 7

The differences between CSMA/CD and CSMA/CA. In both, a station listens to (senses) the medium before transmitting. In CSMA/CD (wired Ethernet), only one device can use the medium at a time; if another device (say computer B) wants to talk to a third device, it must wait for the Ethernet medium to become idle. Because a wired station can detect a collision while it is transmitting, colliding stations stop, wait a random back-off period and retry. In CSMA/CA (wireless, 802.11), a station cannot detect collisions while it is sending, so it tries to avoid them: it waits for the medium to be idle plus a random back-off before transmitting, and can use RTS/CTS so that other stations are told the medium is reserved and currently in use.

Week 8

IDS functionality. An IDS raises alerts and is typically rule-based: it is designed to catch suspicious sequences of packets or events. It sniffs packets, then reassembles and decodes protocols so that it can inspect traffic at different layers. Some normalization of packet content (for example decoding percent-encoded URLs) may be required before rules are matched.

Forms of IDS. Commercial products include Check Point IPS Software Blade, Extreme NIPS, TippingPoint IPS and next-generation intrusion prevention systems. Open-source NIDS include Snort, Bro (now Zeek), Suricata and Sagan; open-source HIDS include OSSEC, Fail2ban, AIDE and Samhain. Evidence acquisition: the forms of evidence an IDS yields include its configuration, alert data, packet header (and payload) data, and correlation across multiple sensors.
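To make the rule-based inspection and normalization described above concrete, here is an added Python example (not from the notes or from any of the products listed) that runs two kinds of IDS rule over constructed packet summaries: a content signature matched after percent-decoding the payload, and a threshold rule that flags one source sending SYNs to many distinct ports within a time window. The packet tuples, signatures and thresholds are all invented for the example.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed packet summaries: (timestamp, src_ip, dst_ip, dst_port, tcp_flags, payload).
# A real sensor would decode these from captured frames; here they are hand-written.
PACKETS = [
    (100.0, "10.0.0.5", "10.0.0.20", 80, "PA", b"GET /index.html HTTP/1.1"),
    (100.5, "10.0.0.5", "10.0.0.20", 80, "PA", b"GET /cgi-bin/view?f=..%2F..%2Fetc%2Fpasswd HTTP/1.1"),
    (100.9, "10.0.0.5", "10.0.0.20", 80, "PA", b"GET /cgi-bin/view?f=..%252F..%252Fetc%252Fpasswd HTTP/1.1"),
    (101.0, "10.0.0.7", "10.0.0.20", 443, "S", b""),
] + [
    # One source probing 30 ports on one host within a second: a port scan.
    (102.0 + i * 0.01, "10.0.0.9", "10.0.0.20", port, "S", b"")
    for i, port in enumerate(range(1, 31))
]

# Content signatures, matched against the normalized payload (example rules only).
SIGNATURES = [
    ("directory traversal to /etc/passwd", b"/etc/passwd"),
    ("command injection marker", b"|/bin/sh"),
]
SCAN_PORTS = 20      # distinct destination ports from one source to one host ...
SCAN_WINDOW = 5.0    # ... seen within this many seconds


def normalize(payload):
    """Undo percent-encoding twice (to catch double encoding) so signatures see the real path."""
    text = payload.decode("latin-1")
    for _ in range(2):
        text = unquote(text)
    return text.encode("latin-1", "replace")


def content_alerts(packets):
    """Signature rule: alert when a known pattern appears in the normalized payload."""
    alerts = []
    for ts, src, dst, dport, _flags, payload in packets:
        norm = normalize(payload)
        for rule, pattern in SIGNATURES:
            if pattern in norm:
                alerts.append({"ts": ts, "src": src, "dst": dst, "dport": dport, "rule": rule})
    return alerts


def scan_alerts(packets):
    """Threshold rule: SYNs to SCAN_PORTS distinct ports on one host from one source within SCAN_WINDOW."""
    alerts, fired = [], set()
    recent = defaultdict(list)            # (src, dst) -> [(ts, port), ...] still inside the window
    for ts, src, dst, dport, flags, _payload in sorted(packets, key=lambda p: p[0]):
        if flags != "S":
            continue
        key = (src, dst)
        recent[key] = [(t, p) for t, p in recent[key] if ts - t <= SCAN_WINDOW] + [(ts, dport)]
        ports = {p for _, p in recent[key]}
        if len(ports) >= SCAN_PORTS and key not in fired:   # alert once per source/destination pair
            fired.add(key)
            alerts.append({"ts": ts, "first_ts": recent[key][0][0], "src": src, "dst": dst,
                           "ports": len(ports), "rule": "port scan"})
    return alerts


def run_ids(packets=PACKETS):
    """All alerts in time order; this is the alert data an investigator would later collect."""
    return sorted(content_alerts(packets) + scan_alerts(packets), key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_ids():
        print(alert)
```

The double-encoded request in the sample is caught only because the payload is normalized first; without that step the second traversal attempt slips past the signature. The same threshold logic that detects the scan will also fire on legitimate scanners or monitoring tools, so the alert is a lead to be confirmed against the packet data, not a conclusion.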

Week 10

Switch storage media include ROM, NVRAM, DRAM, CAM and, on some devices, hard drives. This is where stored data can be found: ROM holds the boot firmware, NVRAM the startup configuration, DRAM the running configuration and operating tables, and CAM the MAC-address-to-port table.

Switches map MAC addresses to switch ports: each machine's MAC address is associated with the port it is attached to, so the table reveals the physical location of a MAC address.

CAM (content-addressable memory) tables are very fast memory that map MAC addresses to physical ports. The switch builds the table from the source MAC addresses of frames arriving on each port; when a frame needs to be forwarded, it looks up the destination MAC address in the table and writes the frame to the correct port. Because an intruder who is sniffing nearby traffic has a MAC address that is recorded on the port where it was seen, the CAM table can show where the intruder was plugged in. The CAM table is highly volatile, however: entries age out within minutes and are lost on reboot, so it should be captured early.

ARP tables hold IP-to-MAC address mappings for resolving IP addresses to MAC addresses. A table entry records the interface on which the mapping was learned, the IP address, the MAC address, and the age of the entry (the time elapsed since the mapping was learned, shown in seconds or minutes depending on the platform).
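The CAM and ARP material above comes together in one routine forensic step: resolve an IP address to a MAC address with the ARP table, then find the switch port with the CAM table. The following Python is an added example, not part of the notes, that parses constructed output in the style of Cisco IOS "show ip arp" and "show mac address-table", flags a MAC address claimed by more than one IP (a common ARP-spoofing indicator) and locates the port it was seen on. The tables, addresses and function names are invented for the example.

```python
import re
from collections import defaultdict

# Constructed output in the style of Cisco IOS "show ip arp" and "show mac address-table".
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             3   0011.2233.4455  ARPA   Vlan1
Internet  192.168.1.10            4   00aa.bbcc.dd01  ARPA   Vlan1
Internet  192.168.1.11            2   00aa.bbcc.dd02  ARPA   Vlan1
Internet  192.168.1.30            0   00aa.bbcc.dd01  ARPA   Vlan1
Internet  192.168.1.254           -   0022.3344.5566  ARPA   Vlan1
"""

CAM_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi0/24
   1    00aa.bbcc.dd01    DYNAMIC     Gi0/3
   1    00aa.bbcc.dd02    DYNAMIC     Gi0/7
"""

ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-fA-F.]{14})\s+ARPA\s+(\S+)")
CAM_RE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+(STATIC|DYNAMIC)\s+(\S+)")


def normalize_mac(mac):
    """Turn 0011.2233.4455 (or any separator style) into 00:11:22:33:44:55 for comparisons."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """ARP entries as dicts; age '-' means the address belongs to the device itself."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            entries.append({"ip": ip, "mac": normalize_mac(mac),
                            "age_min": None if age == "-" else int(age), "interface": iface})
    return entries


def parse_cam(text):
    """Return {mac: set(ports)}; a MAC on several ports is itself worth noting (flapping or spoofing)."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = CAM_RE.match(line)
        if m:
            _vlan, mac, _entry_type, port = m.groups()
            table[normalize_mac(mac)].add(port)
    return dict(table)


def shared_macs(arp_entries):
    """MACs claimed by more than one IP address: a lead for ARP spoofing, to be confirmed."""
    by_mac = defaultdict(list)
    for e in arp_entries:
        by_mac[e["mac"]].append(e["ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def locate_ip(ip, arp_entries, cam):
    """IP -> MAC via the ARP table, MAC -> switch port(s) via the CAM table; empty if either lookup fails."""
    ports = set()
    for e in arp_entries:
        if e["ip"] == ip:
            ports |= cam.get(e["mac"], set())
    return ports


if __name__ == "__main__":
    arp, cam = parse_arp(ARP_TABLE), parse_cam(CAM_TABLE)
    for mac, ips in shared_macs(arp).items():
        print(f"{mac} claims {ips}; seen on ports {cam.get(mac, set())}")
```

One MAC answering for several IP addresses is not proof of spoofing on its own (routers with secondary addresses and clustered services do this legitimately), and both tables are volatile, so the investigator records the raw command output with a timestamp before drawing conclusions.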

Week 11

A web proxy acts as a gateway between the user and the Internet. It can offer a high degree of privacy because it has the potential to provide anonymity. Other notable web proxy functions are caching, URI filtering, page (content) filtering and distributed caching. Proxies yield several forms of evidence: persistent, volatile and off-system.

Persistent evidence includes the HTTP/HTTPS traffic history (access logs) and the proxy's configuration files. Volatile evidence is content held in volatile memory, such as cached objects in RAM. Off-system evidence is evidence that comes from centralized logging and reporting systems.
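The access log is the persistent evidence a proxy most often contributes, so as an added example (not from the notes) here is Python that parses constructed lines in Squid's native access.log format and summarises, per client, what was requested, what was served from cache, and what the URI filter denied. The log lines, addresses and helper names are invented for the example; the field layout follows Squid's default native format.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed lines in Squid's native access.log layout:
# time.ms elapsed client result/status bytes method URL user hierarchy/peer content-type
SAMPLE_LOG = """\
1588000000.123    412 10.0.0.15 TCP_MISS/200 5320 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1588000001.456      2 10.0.0.15 TCP_HIT/200 5320 GET http://www.example.com/index.html - HIER_NONE/- text/html
1588000003.789    120 10.0.0.22 TCP_DENIED/403 3500 GET http://blocked.example.net/update.exe - HIER_NONE/- text/html
1588000005.000    980 10.0.0.22 TCP_TUNNEL/200 81234 CONNECT mail.example.org:443 - HIER_DIRECT/203.0.113.7 -
garbage line that should be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def host_of(method, url):
    """CONNECT entries carry host:port rather than a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname


def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # record unparsable lines in the worklog rather than abort
        d = m.groupdict()
        entries.append({
            "time": datetime.fromtimestamp(float(d["ts"]), tz=timezone.utc),
            "client": d["client"],
            "code": d["code"],
            "status": int(d["status"]),
            "bytes": int(d["bytes"]),
            "method": d["method"],
            "url": d["url"],
            "host": host_of(d["method"], d["url"]),
        })
    return entries


def per_client(entries):
    """Requests, bytes, cache hits, filter denials and contacted hosts per client address."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "hits": 0, "denied": 0, "hosts": set()})
    for e in entries:
        s = stats[e["client"]]
        s["requests"] += 1
        s["bytes"] += e["bytes"]
        s["hosts"].add(e["host"])
        if e["code"].endswith("_HIT"):     # served from the proxy cache, origin never saw it
            s["hits"] += 1
        if e["code"] == "TCP_DENIED":      # blocked by the URI/content filter, but the attempt is logged
            s["denied"] += 1
    return dict(stats)


def denied_requests(entries):
    return [(e["time"].isoformat(), e["client"], e["url"]) for e in entries if e["code"] == "TCP_DENIED"]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for client, s in per_client(log).items():
        print(client, s)
    print("denied:", denied_requests(log))
```

Two points the summary makes visible: a TCP_HIT line proves a client requested an object even though the origin server has no record of it, and a TCP_DENIED line preserves the attempt that the filter stopped. For a CONNECT tunnel only the host and port survive in the log, not the URL inside the TLS session.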
