This week we studied all the different types of sources of evidence to be searched for in forensics.
- On the wire
- In the Air
- Switches
- Routers
- DHCP Server
- DNS Server
- Authentication Server
- NIDS/NIPS
- Firewalls
- Web Proxies
- Application Server
- Centralized Log Server
- Modem
On the wire refers to the physical cabling, which can provide real-time network data. There are three tap types: vampire, surreptitious fiber, and infrastructure.
In the air consists of checking radio frequency and infrared; from these we can obtain management and control frames, access point names and capabilities, MAC addresses, and traffic for analysis.
Switches are the physical connection between network segments. From them we can obtain the content addressable memory (CAM) table, which stores the mapping between ports and MAC addresses. Switches can also be used to capture and preserve network traffic, and to mirror traffic from one port to another.
Routers connect traffic between subnets. They can be used to check routing tables and can function as packet filters that inspect incoming and outgoing traffic. Basic intrusion detection is usually placed here.
DHCP servers provide automatic assignment of IP addresses, so they are the place to look for IP addresses and the logs related to them, such as the MAC address, lease time, and host name.
DNS servers map IP addresses to host names. Their logs can be used to create a timeline of a suspect's activities, and the servers can be configured to log queries.
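The DHCP and DNS points above come together when building a timeline: a DNS query log only records the client IP, so the DHCP lease log is needed to say which MAC address and host name held that IP at query time. The example below is added here and is not part of the original post; the log lines are constructed, their field layout is assumed rather than any particular server's native format, and a query that falls between two leases is deliberately left unattributed rather than pinned on the previous holder of the address.

```python
from datetime import datetime

# Constructed DHCP lease events (assumed layout): timestamp action ip mac hostname
DHCP_LOG = """\
2024-03-04T08:00:00 DHCPACK 10.0.0.25 aa:bb:cc:dd:ee:01 laptop-alice
2024-03-04T09:30:00 DHCPRELEASE 10.0.0.25 aa:bb:cc:dd:ee:01 laptop-alice
2024-03-04T09:45:00 DHCPACK 10.0.0.25 aa:bb:cc:dd:ee:02 guest-phone
"""

# Constructed DNS query log (assumed layout): timestamp client_ip queried_name
DNS_LOG = """\
2024-03-04T08:15:00 10.0.0.25 intranet.example.test
2024-03-04T09:50:00 10.0.0.25 login-example.test
2024-03-04T09:40:00 10.0.0.25 orphan.example.test
"""

def build_leases(log):
    """Turn ACK/RELEASE events into (start, end, ip, mac, host) intervals.
    end is None while the lease is still open."""
    leases, open_leases = [], {}
    for line in log.splitlines():
        ts, action, ip, mac, host = line.split()
        t = datetime.fromisoformat(ts)
        if action == "DHCPACK":
            rec = [t, None, ip, mac, host]
            open_leases[(ip, mac)] = rec
            leases.append(rec)
        elif action == "DHCPRELEASE" and (ip, mac) in open_leases:
            open_leases.pop((ip, mac))[1] = t   # close the interval
    return [tuple(r) for r in leases]

def lease_at(leases, ip, t):
    """Return (mac, host) holding ip at time t, or None if no lease covers t."""
    for start, end, lip, mac, host in leases:
        if lip == ip and start <= t and (end is None or t < end):
            return mac, host
    return None

def attribute_queries(dhcp_log, dns_log):
    """Sorted timeline of (time, ip, name, host, mac); host is
    'UNATTRIBUTED' when the IP was not leased at query time."""
    leases = build_leases(dhcp_log)
    timeline = []
    for line in dns_log.splitlines():
        ts, ip, name = line.split()
        t = datetime.fromisoformat(ts)
        hit = lease_at(leases, ip, t)
        timeline.append((t, ip, name, hit[1] if hit else "UNATTRIBUTED", hit[0] if hit else None))
    return sorted(timeline)

if __name__ == "__main__":
    for t, ip, name, host, mac in attribute_queries(DHCP_LOG, DNS_LOG):
        print(f"{t.isoformat()} {ip} {name:24} -> {host} ({mac})")
```

The 09:40 query lands in the fifteen-minute gap between the release of one lease and the grant of the next, so it must stay unattributed rather than being blamed on laptop-alice.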
Authentication servers provision accounts and audit them. They give logs of anything to do with accounts, such as logins from an unusual location, unexpected logins, and brute-force password attempts.
NIDS and NIPS were specifically designed for forensic purposes. They give information regarding in-progress attacks and traffic, and can be configured to store entire network packets.
Firewalls mainly provide protection and packet inspection. They can provide detailed logs of packets and also provide infrastructure protection.
Web proxies cache web pages and inspect web surfing. From them we can obtain web surfing patterns, phishing email successes, and end-user content in the cache.
Application servers come in many shapes and sizes, so what we can get from them depends on which application is being used.
A centralized log server is a combination of logs from the different TCP/IP layers. It is an optional part of the infrastructure and so varies by organization. It can be designed to respond to network security events, save data, and retain logs.
Modems convert analog to digital. They provide authentication information and access logs.
We also studied some basics of internetworking, which is the connection between multiple networks that work independently yet together form part of a greater whole.
Lastly, we studied TCP to learn its header fields and why it is important to network forensics. We also compared TCP with UDP to understand their differences.