1. THE ENEMY INSIDE THE GATES – A GUIDE TO USING OPEN SOURCE TOOLS FOR NETWORK FORENSICS ANALYSIS
by Phill Shade, Certified instructor for Wireshark University, Expert and Speaker at SHARKFEST’13, internationally recognized Network Security and Forensics Expert
The goal of this brief tutorial is to introduce the concepts and techniques of Network Forensics Analysis including:
- Understanding the principles of Network Forensics Analysis and situations in which to apply them to evidence analysis
- Selecting and configuring Wireshark for Network Forensics Analysis to capture and recognize traffic patterns associated with suspicious network behavior
- Specialized Network Forensics Analysis techniques, including reconstruction and viewing of suspicious data traffic such as web-browsing sessions, emails or file transfer activities, for detailed analysis and evidentiary purposes
- Network security principles, including encryption technologies, defensive configurations of network infrastructure devices, and understanding and recognizing potential network security infrastructure misconfigurations
2. USING WIRESHARK TO ANALYZE SSL CONFIGURATIONS AND CERTIFICATES
by Larry Greenblatt, WCNA, CISM, CISSP, CEH, SHARKFEST speaker, security specialist with three decades of information security, computer networking and protocol analysis experience. Founder of InterNetwork Defense, a consulting and training organization.
With all the talk these days of internet spying and theft, people are becoming increasingly concerned with protecting their information. As Laura Chappell, the founder of Wireshark University, might say, you can have opinions from people on security, but packets don’t lie. In this article I will show you how to use some simple Wireshark display filters and settings to view SSL/TLS capabilities in browsers, the negotiated cipher suite (the asymmetric, symmetric and hashing algorithms in use for the current session) and the information stored in the certificate.
3. TWO REAL NETWORK FORENSICS ANALYSES: CASE STUDIES OF THE ATTACKS ON PHP.NET AND THE BOSTON BOMBS MALWARE
by Javier Nieto Arévalo, FCNSA, FCNSP, author of http://www.behindthefirewalls.com and our regular contributor
We could say that we live in an era where signature-based antivirus makes less sense if we want to fight against hackers who create customized malware only for their targets. Also, there are many zero-day attacks which are being used to infect millions of computers just by visiting a website. These zero-day attacks take advantage of unknown vulnerabilities, for example in Adobe or Flash Player plugins installed in the web browser, to download and install malware which has not been recognized yet. Also, the majority of them make connections to Command and Control servers to get instructions from the hackers. Sometimes it is easier to detect infected hosts by looking at their behavior on our network, if we analyze the network traffic, than by using an antivirus running on the host.
4. WIRESHARK FILTERS FOR NETWORK ANALYSIS
by Amandeep Kaur, CISC, CPH, CPFA, lecturer in Information Technology
Network Analysis is the process of listening to and analyzing network traffic. It offers an insight into network communication to identify performance problems, analyze application behavior, locate security breaches, and perform capacity planning. IT professionals use these processes to validate network performance and security.
5. CAPTURING E-MAILS AND GOOGLE IMAGE SEARCHES FROM YOUR NETWORK
by Jessica Riccio, computer forensics technician, your favourite expert and our regular contributor
Imagine that you are the manager of a company and receive a tip from an employee that another employee is using his computer to view images that violate the company’s computer use policy. After hearing this information, you want to decide if the allegations made against your employee are true. All you need to do is launch Wireshark and follow Jessica’s guide!
6. SNOOPING ON CALLS USING WIRESHARK
by Milind Bhargava, CEH, ECSA, ethical hacker performing vulnerability assessment and penetration testing services
VoIP, Voice over Internet Protocol (VoIP, n.d.), is the new fashion in the market. Everyone is moving towards it. Not that I feel there is anything wrong with it. It is not really that secure. Irrespective of whether you are a forensic expert or a malicious user, using a tool as simple as Wireshark can help you listen to the calls made on a network.
7. CARVING BINARY DATA FROM PACKET CAPTURES
by Kelly Doyle, CISSP, GAWN, GPEN, GCIH, GCFA, ECSA, C|EH, CPT, successful participant at Cyberlympics and Hacker Halted 2013
Imagine you are an incident responder and are notified that your company’s network has been compromised for the last several weeks. Your boss tasks you with identifying what information was exfiltrated from the network. Where do you start? This article will introduce you to some of the basic concepts for finding and carving out forensic artifacts off the wire.
8. NETWORK BASED FILE CARVING
by Gavin Stroy, CompTIA A+, Net+, Security+, CCNA, CCNP, independent security researcher with a passion for network attack and defense
File carving is the name of the technique of pulling files out of a stream of bytes without the use of a particular file system; much like finding a word in a word search puzzle. Network based file carving is used to extract files from saved network traffic data that has been collected from tools such as Wireshark or TCPdump. This is useful for extracting viruses to be analyzed, identifying exfiltration, and forensic investigations.
9. CATCHING GHOSTS OF THE AIR – INVESTIGATING TRADITIONAL WEP ATTACKS
by Nipun Jaswal, CISE, C|EH, OSWP, M.tech, web application penetration tester and IT security trainer
Wireless attacks are so common these days, and if a hacker finds a WEP-enabled network, there is no bigger jackpot for them. People have become smart and tend to use a WPA/WPA2-enabled network these days, but vulnerabilities in the wireless architecture still seem unsolved. In this article we will look at those traditional WEP attacks and try to investigate who actually tried to break into the network and what activities they performed. Basically, we will reconstruct the entire crime scene that happened over the wireless network.
10. SYN-FLOOD ATTACK – ANATOMY AND COUNTERMEASURES
by Mubarak Altheeb, technology enthusiast, MSc Network Security
The SYN-flood attack is a serious threat to web servers and has been used to launch attacks against websites all around the globe. Attackers can launch the attack with a spoofed source IP address to avoid being detected. If you have a website for your business, your server can be targeted by a SYN-flood at any time.
11. NETWORK FORENSIC WITH WIRESHARK – DISCOVERING AND ISOLATING DOS/DDOS ATTACKS
by Yoram Orzach, author of “Network Analysis Using Wireshark Cookbook” and various technical articles, experienced in design, implementation, and troubleshooting, along with training for R&D, engineering, and IT groups.
Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks are attempts to make a computing or network resource unavailable to its users. There are various types of DoS/DDoS attacks: some load the network to the point where it is blocked for application traffic, some load servers to that point, and some are more sophisticated and try to “confuse” the application servers with bad data. Although there are various tools for detection and prevention of these types of attacks, good old Wireshark can also be used for this purpose. In this article we will see some important features of Wireshark, where to place it for capturing data, and how to use it to identify attack patterns.
12. SNEAKY DNS: FORENSIC ANALYSIS ON HTTP TUNNELLING OVER DNS
by Andrius Januta, Teaching Assistant at the Cyber Systems Security Lab at Stockholm University, author of “Information Security Audit Under Performance ISO/IEC 27000 Family Standard Requirements” in Journal of Young Scientist 2011
This article describes how one of the Internet’s core protocols is usually overlooked in an organization’s network security. This protocol is DNS, which in recent years has been used more and more in various cyber attacks. This paper unravels how DNS tunnelling is used for malicious communications or for data exfiltration.
13. AUTOMATED INSPECTION OF X-RAY CARGO IMAGES USING WIRESHARK, IMAGE STEGANOGRAPHY, AND MACHINE LEARNING
by Wilbert A. McClay, PhD, Research Scientist on digital forensics, machine learning and signal processing; and Akshay Nayak
We have seen numerous movies in which smugglers and mobsters smuggle drugs or even weapons through a port until they are interrupted by a rogue cop or a vigilante who catches them red-handed and gives them the beating of their lives. What if there was a more subtle way to do this? This article involves a real-life scenario in which something similar occurs. Here, we show how a good network administrator or forensic investigator can catch a corrupt port official involved with a syndicate. This official is supposedly sending the bad guys inside information regarding the containers, such as container number, weapon contained and location of drop. Wireshark is used to sniff network packets, and a host of other tools (i.e., machine learning algorithms and steganography tools) are used to uncover the information.