FOR572: Advanced Network Forensics and Analysis

Syllabus

  • Web Proxy Server Examination
    • Role of a web proxy
    • Proxy solutions - commercial and open source
    • Squid proxy server
      • Configuration
      • Logging
      • Automated analysis
      • Cache extraction
  • Foundational Network Forensics Tools: tcpdump and Wireshark
    • tcpdump re-introduction
      • pcap file format
      • Berkeley Packet Filter (BPF)
      • Data reduction
      • Useful command-line flags
    • Wireshark re-introduction
      • User interface
      • Display filters
      • Useful features for network forensic analysis
  • Network Evidence Acquisition
    • Three core types: full-packet, logs, NetFlow
    • Capture devices: switches, taps, Layer 7 sources, NetFlow
    • Planning to capture: strategies; commercial and home-built platforms
  • Network Architectural Challenges and Opportunities
    • Challenges provided by a network environment
    • Future trends that will affect network forensics
  • Hypertext Transfer Protocol (HTTP): Protocol and Logs
    • Forensic value
    • Request/response dissection
    • Useful HTTP fields
    • Artifact extraction
    • Log formats
    • Analysis methods
  • Domain Name Service (DNS): Protocol and Logs
    • Architecture and core functionality
    • Tunneling
    • Fast flux and domain name generation algorithms (DGAs)
    • Logging methods
    • Amplification attacks
  • Firewall, Intrusion Detection System, and Network Security Monitoring Logs
    • Firewalls
      • Families of firewall solutions
      • Additional features
      • Syntax and log formats
    • Intrusion Detection Systems
      • Rules and signatures
      • Families of IDS and NSM solutions
      • Bro NSM
        • Basics and use cases
        • Logging
  • Logging Protocol and Aggregation
    • Syslog
      • Dual role: server and protocol
      • Source and collection platforms
      • Event dissection
      • rsyslog configuration
    • Microsoft Eventing
      • History and capabilities
      • Eventing 6.0
        • Architecture
        • Analysis mode
    • Log Data Collection, Aggregation, and Analysis
      • Benefits of aggregation: scale, scope, independent validation, efficiency
      • Known weaknesses and mitigations
      • Evaluating a comprehensive log aggregation platform
  • ELK Stack and the SOF-ELK Platform
    • Basics and pros/cons of the ELK stack
    • SOF-ELK
      • Inputs
      • Log-centric dashboards
  • NetFlow Collection and Analysis
    • Origins and evolution
    • NetFlow v5 and v9 protocols
    • Architectural components
    • NetFlow artifacts useful for examining encrypted traffic
  • Open-Source Flow Tools
    • Using open-source tool sets to examine NetFlow data
      • SiLK
      • nfcapd, nfpcapd, and nfdump
      • SOF-ELK: NetFlow ingestion and dashboards
  • File Transfer Protocol (FTP)
    • History and current use
    • Shortcomings in today's networks
    • Capture and analysis
  • Microsoft Protocols
    • Architecture and capture positioning
    • Exchange/Outlook
    • SMB v1, v2, and v3
    • SharePoint and internal web sites
  • Simple Mail Transfer Protocol (SMTP)
    • Lifecycle of an email message
    • Adaptations and extensions
  • Commercial Network Forensics
    • Trade-offs between commercial and open-source solutions
    • Common commercial platforms that you may encounter
    • Using existing platforms and tools in a client environment
  • Wireless Network Forensics
    • Translating analysis of wired networks to the wireless domain
    • Device modes of operation
    • Capture methodologies: hardware and software
    • Useful protocol fields
    • Inherent weaknesses
    • Typical attack methodologies based on protection mechanisms
  • Automated Tools and Libraries
    • Common tools that can facilitate large-scale analysis and repeatable workflows
    • Libraries that can be linked to custom tools and solutions
    • Chaining tools together effectively
  • Full-Packet Hunting with Moloch
    • Moloch basics and architecture
    • Limitations in practical use
    • Session awareness, filtering, typical forensic use cases
  • Encoding, Encryption, and SSL
    • Encoding algorithms
    • Encryption algorithms
      • Symmetric
      • Asymmetric
    • Profiling SSL connections with useful negotiation fields
    • Analytic mitigation
    • Perfect forward secrecy
  • Man-in-the-Middle
    • Methods to accomplish
    • Benevolent uses
    • Common MITM tools
  • Network Protocol Reverse Engineering
    • Using known protocol fields to dissect unknown underlying protocols
    • Pattern recognition for common encoding algorithms
    • Addressing undocumented binary protocols
    • What to do after breaking the protocol
  • Investigation OPSEC and Threat Intel
    • Operational Security
      • Basic analysis can tip off attackers
      • How to mitigate risk without compromising quality
    • Intelligence
      • Plan to share smartly
      • Protect intelligence to mitigate risks
  • Network Forensic Case
    • Analysis using only network-based evidence
      • Determine the original source of an advanced attacker's compromise
      • Identify the attacker's actions while in the victim's environment
      • Confirm what data the attacker stole from the victim
    • Reporting
      • Present executive-level summaries of your findings at the end of the day-long lab
      • Document and provide low-level technical backup for findings
      • Establish and present a timeline of the attacker's activities
      • Time permitting, provide recommendations on how the victim can prevent, detect, or mitigate a repeat compromise by the same or another similarly advanced attacker