Network Forensics


Time: 17 hours 41 minutes
Difficulty: Beginner
CEU/CPE: 18
Video Transcription
>> Hi, everyone. Welcome back to the course. In the last module, we wrapped up our discussion on operating system forensics. In this module, we're going to talk about network forensics.

Just a quick pre-assessment question. Real-time analysis occurs after an attack is complete, is that true or false? That's false, so the name gives it away there. Real-time would actually be in real time.

Network forensics. Basically, as the name implies, this is related to the monitoring or analysis of network traffic. Basically, that's used to discover the source of attacks or other problems. If there's a crime committed and we feel that the information might be in different packets on the network, for example, thinking like child pornography. The bad person is going out to this child porn website, they're downloading files. We may be able to grab some good information about that communication stream inside of the network traffic.

One thing to keep in mind is that network traffic is going to be volatile. Generally, our best bet is going to be real-time analysis if we can get it. However, we could do postmortem as well. Speaking of both of those, the real-time, as I mentioned, is going to be where the event is actually still occurring. The attacker is still accessing that website, an attacker is still hacking our systems, whatever the case might be. Then postmortem, as the name implies, it's after. Nobody dies, hopefully not. But postmortem is going to be after the event.

Log files as evidence. You just want to understand how we can use log files as evidence and some of the aspects of it. With the Federal Rules of Evidence, or FRE as I have abbreviated there, it goes over the hearsay rule. Normally, things are not admissible if it's hearsay. Technically, if you think about it in that context, we'll talk about the exclusion in a moment here. But if you think about it in that context, you can't really question the log server. You can't go up and say, "Hey, were you really at the club on Friday night at 3:00 AM to witness this?" The log server is just a machine. It doesn't talk to you. In that context, they had to put an exclusion in for things like that. Thinking about it that way, the exclusion is if things are collected as part of normal business operations, if you can prove that we always collect logs, we didn't just collect it on Friday at 3:00 AM at the club. We collected it Monday, Tuesday, Wednesday, Thursday, Friday, and we've done this forever, and we have also collected it after the event as well. Basically, the way it's admissible here, again, this is not legal advice by any means. But the way it's admissible here is basically you have to prove that you've been collecting these logs before, during, and after the event and you have to be able to produce that, etc. Basically, that establishes trustworthiness as well to show that yes, we are doing it this way. These are the logs, this is the information. These are not altered. Going back to the chain of custody that we've hammered out throughout this entire course, going back to that aspect of it, of making sure that this data is the data that is actually from the logs.

Event correlation. Just a few ones that you'll want to know here. There's other ones as well. As I mentioned throughout the course, you have the free notes and everything in the supplemental resources; download those and study them. They're going to help you immensely for the CHFI exam if you decide to go take it. If you decide not to take it, they're definitely going to be helpful for you to understand different knowledge points for a career in digital forensics. Codebook-based, rule-based, automated field correlation, Bayesian, and then also time and role-based, we'll talk about each one of those at a high level.

Code-based. Here, as the name implies, you have a codebook. It just stores sets of events in code. Think of it like a master codebook or like a cheat codebook for your games. Rule-based, as the name implies, rules are used to correlate different events. Automated field correlation, basically this compares different fields of the data and determines if there's any actual correlation. Almost thinking along the lines of an AI type of thing. Bayesian, this one uses statistics and probability. You just want to make sure you memorize that aspect for your exam. If you ever see anything asked about which one uses statistics, it's going to be the Bayesian. Then time or role-based, this one just monitors a user or computer behavior for abnormal activity.

Network Time Protocol, you just want to know basically what NTP stands for, for the exam. This one essentially is synchronizing the clocks across all the network devices and synchronizing those to Coordinated Universal Time, or UTC. UTC is something you just want to memorize what that stands for. Again, it stands for Coordinated Universal Time. Just memorize that for your exam.

What devices have logs? A whole lot of them, essentially, is the answer. But your router, your firewall, your intrusion detection and prevention systems, your honeypots, DHCP, ODBC, which is Open Database Connectivity, etc. Essentially, almost all the devices on your network are going to have some type of logging, which presents an inherent challenge. If all of them are sending us logs, what do we do?

Talking about challenges here. Again, all of them are sending us logs, so we have a variety of logs. The sources of data are distributed as well. Also, the data sources change a lot. Depending on what we're plugging into our network, the data sources can change, or even with updates, a provider may actually change the way the logs are being disseminated from the machine. All those things can be very fluid. Sensitivity of data is another challenge. If we're working with classified information, but not all our systems are working with classified data, what do we do? How do we handle that? Formatting of the log data: the logs themselves can come with different formatting on the files. Also, log fatigue is a challenge. Basically, as a network admin or security engineer or analyst, you're going to be inundated, with a larger company, with possibly terabytes of data coming in daily, and it's like, okay, well, how do I look through all this? You get log fatigue in the aspect of everything starts jumbling together and looking the same. That's where AI and stuff like that is important in different scripts to try to reduce some of that on you. Retention of logs. If we're getting terabytes of data a day, where are we storing this? How long do we want to store certain log information for? When can we purge it to try to clear up some stuff and not make it cost so much?

Then also, centralized logging is one solution to all of this, excuse me, where we can just have all the logging information come to a central location. Think of a tool like Splunk, for example, where we point all our log stuff to Splunk and then Splunk gives us that wonderful dashboard where we can go in there and we can set custom scripts and then we can just get it spitting out information that we actually care about. Syslog is something else that you can use. Basically, this separates the log generation, log storage, and log analysis. It's a central repository for printers, routers, etc. It just gives that central repository for the logs.

Just one post-assessment question. Routers are the only device on a network that do not have logs. Is that true or false? That one is actually really easy. That one is obviously false because routers do have logs and basically almost every device on the network should have a log attached to it.

In this video, we just covered at a high level network forensics, some of the key points that you want to just know for your exam. In the next module, we're going to go over the investigation of web attacks.
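The lecture's points about mixed log formats, clocks that must be brought to UTC, and rule-based plus time-based correlation can be seen together in one small script. This is an added example, not code from the course or any of the tools it names; the device names, IP addresses, log line formats, the router's assumed UTC-5 local clock, the year supplied for the year-less syslog stamp, and the 60-second rule window are all constructed for illustration.

```python
"""Added example: normalise log lines from several devices to UTC, then apply one
rule-based, time-windowed correlation. All hosts, IPs, formats and offsets are
constructed for illustration; they are not from any real device or the course."""
import re
from datetime import datetime, timedelta, timezone

# Assumed: the router stamps syslog in local time (UTC-5) and omits the year,
# the firewall writes ISO 8601 with an offset, and the IDS writes epoch seconds.
ROUTER_TZ = timezone(timedelta(hours=-5))
SAMPLE_LOGS = [  # constructed sample lines
    ("router", "Mar 14 02:59:58 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7 -> 192.0.2.10(22)"),
    ("firewall", "2024-03-14T08:00:01+00:00 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=22"),
    ("ids", "1710403205 ids1 ALERT sid=1000001 msg=SSH brute force src=203.0.113.7"),
    ("firewall", "2024-03-14T09:30:00+00:00 fw1 DENY src=198.51.100.4 dst=192.0.2.10 dport=443"),
]

def parse_event(source, line, year=2024):
    """Return (utc_time, src_ip, kind) for one line, or None if it is not one we handle."""
    if source == "router":
        m = re.match(r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ .*denied \S+ (\S+) ->", line)
        if not m:
            return None
        # Syslog carries no year, so the analyst supplies it; local clock -> UTC.
        local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return local.replace(tzinfo=ROUTER_TZ).astimezone(timezone.utc), m.group(2), "deny"
    if source == "firewall":
        m = re.match(r"(\S+) \S+ DENY src=(\S+)", line)
        if not m:
            return None
        return datetime.fromisoformat(m.group(1)).astimezone(timezone.utc), m.group(2), "deny"
    if source == "ids":
        m = re.match(r"(\d+) \S+ ALERT .*src=(\S+)", line)
        if not m:
            return None
        return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc), m.group(2), "alert"
    return None

def correlate(logs, window=timedelta(seconds=60)):
    """Rule: an IDS alert preceded within `window` by at least one deny for the same
    source IP. Returns (src_ip, alert_time_utc, number_of_denies) per match."""
    events = sorted(e for e in (parse_event(s, l) for s, l in logs) if e)
    hits = []
    for when, ip, kind in events:
        if kind != "alert":
            continue
        denies = [e for e in events
                  if e[2] == "deny" and e[1] == ip and when - window <= e[0] <= when]
        if denies:
            hits.append((ip, when.isoformat(), len(denies)))
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOGS):
        print("correlated:", hit)
```

Without the UTC normalisation step the router's 02:59:58 stamp would sit five hours away from the firewall and IDS entries and the rule would never fire, which is the practical reason the lecture ties NTP and UTC to correlation.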