Rio's musings

This is a forum based learning class where we learned about malware.

Malware is short for Malicious Software. It refers to any software that is specifically designed and used in order to either gain access to unauthorized sensitive information or cause disruptions in the system it is attacking. The definition specifically states that malware is characterised by its intent hence software that unintentionally causes disruptions are not classified as Malware. Examples of malware include trojans, viruses and worms

There are a number of approaches that network forensics can use to detect malware. An example would be SIEM which stands for Security information and event management. This method attempts to log and monitor multiple traffic and activities to see anomalies which could be attributed to malware. Key features that it has includes Monitoring of traffic parameters deviation, Behavioral analysis,Operating system audit log monitoring of unauthorized software setup and Operating system audit log monitoring of a soaring number of endemic modifications in the file system.

C&C refers to command and control. Which is the server or workstation where cybercriminals receive and send commands to systems that is compromised by malware

For the last week of lecture based class we learned about routers, switches and firewalls.

Switches

• mas MAC addresses to switch ports
• locate physical location of MAC
• contains ARP tables
  • MAC address to IP address resolution
  • location for the ARP request
  • IP address
  • Mac address
  • age from initial ARP request
• contains CAM tables
  • very fast memory
  • maps mac addresses to physical switch ports
  • very volatile

Routers

• Network topology
• traffic throguh the router
• logged data
• may be compromised

Firewalls

• vast logs
  • Connection attempts
  • protocols used
  • application
• configurable to collect more data

in week 10 we learned deeper regarding event log analysis and correlation.

log sources

• OS logs
  • windoews – event logs
  • linux -syslog
• Application Logs
  • SMTP logs
  • Web Server logs
  • Access logs
• Physical device
  • Camera logs
  • UPS logs
• Network Equipment logs
  • Router logs
  • Switch logs

Windows logs

• immensely important as it usually is the early detection system
• provides data and trigger for an investigation
• Snort finds the key points in the mass amount of data that windows logs has
• has event logs
• setup logs
• firewalls
• browsing history
• short cuts

we used a forum based learning method.

This lesson we learn loosely about log correlation. where investigators collect logs from multiple sources and make a correlation between those logs to find anomalies, incident response in the network. the task this week is to create 2 vms and set up a graylog server for use in the following week. gray log is a tool that investigators to performs log correlation as it collects the log and gather them in one secure location with a gui that helps set up rules

This is the lesson where we learned about network intrusion detection and analysis

• HIDS= host-based intrusion detection systems
• NIDS = network intrusion detection systems
• Modes of detection
  • signature based analysis
  • protocol analysis
  • behavioral analysis
• Types oF IDSes
  • Commercial
    • Check point I{S software blade
    • NGIPS
    • Extreme NIPS
    • Tipping point IPS
  • Open source
    • NIDS
      • Snort
      • Bro
      • Suricata
      • Sagan
    • HIDS
      • OSSEC
      • Fail2Ban
      • AIDE
      • Samhain

This week’s focus is on wireless data and how we can extract that data for use in forensics.

common wireless devices includes:

• AM/FM radios
• cell phones
• bluetooth headsets
• Wi-Fi (802.11)
• WiMax

802 series includes internet , trunking and lan based authentication

can come in a number of cases such as recovery of a stolen laptop by tracking on a wireless network or capture traffic in transit through Wi-Fi for flow analysis

Thhis week sia n online class and hence we learned it through forum based learning.

the main topic of this class is statistical flow analysis. statistical flow analysis is the method where we find anomalies in the flow of packet traffic by looking at the statistics of the data. This can include a sudden spike of data transport among other anomalies. we are also tasked with implementing this technique with the traffic we had in our last class. This technique was used to find a ssh tunnel.

The fifth week there was a focus on evidence acquisition. the important topics included here are

• Goal
• Physical interception
• Acquisition software
• Active acquisition
• Strategy

Goal

• best fidelity possible
• minimize the impact on netwrok environment
• verify the evidence authenticity
• two kinds
  • passive – without emitting to layer 2 and above
  • active – directly interacting with workstations

Physical interception

this is the passive packet acquistion as it’s being transmitted through a wire. ways to do so include:

• inline network tap – between wires
• vampire taps – physically touch the wire
• induction coils
• fiber optic taps

The last thing we learned this lesson is TCPDUMp and some of its commands which includes

• tcpdump -D – possible network interface
• tdpdump -i – capture packets

Week 4 is amore practical lecture as compared to the other lectures. in this lecture we learn about the tools we can use to analyze files more specifically pcap files. These type of files we learn to use tools such as tshark and the more commonly used wireshark.

Additionally we also learned about traffic flow analysis. traffic flow analysis is the packet traffic between endpoints is copied, recorded, and analysed by specific tools in order to find discrepancies or unusual behaviour. Commonly, we use wireshark as the main tool of flow analysis because it allows for many different analysis methods while keeping it easy to use with the GUI. The use includes the sorting between source and destination IPs, package source, port source and destination, as well as object extraction.

Week three was an online class however there was no classes being setup at this time hence there is no lessons being learned during this week