
DNS Forensic analysis

4 Posts
2 Users
0 Likes
519 Views
(@ofaheemaus)
Posts: 3
New Member
Topic starter
 

Hello everybody,

My professor has given me an assignment which is as under:

Select a network protocol in use (preferably an application layer protocol) and conduct practical research and literature review into the protocol. Prepare a report (as an academic paper) describing how to extract evidence in relation to this protocol. You should consider all potential sources of evidence, for example applications, servers and network captures.

Now his requirement is as under. My professor says:

Ensure that you read the assignment specification carefully and complete the deliverables for all components. Part A of Assignment 2 requires two major deliverables for the application layer protocol that you select: "conduct practical research and literature review into the protocol". Please ensure that your academic paper includes both a literature review component and the results of your practical research on the protocol (in addition to the standard mandatory paper sections outlined in the Course Outline). Your practical research should be directed by your literature review findings and there should be links/flow between your practical findings and your literature review findings. These components should be presented in the style and structure common for papers published in the field of digital forensics (in line with the "Further Assessment Information" section of the course outline).

The specification also notes that you should, “[p]repare a report (as an academic paper) describing how to extract evidence in relation to this protocol”. As such, please ensure that your key findings, particularly those in your conclusion, relate to evidence extraction. Please note, that this is evidence extraction, as opposed to data extraction/collection, and as such should outline (at least) identification, preservation and (particularly) analysis processes for your protocol. If you choose to focus on one of these processes for your practical research, whilst still addressing the others (but to a lesser extent), the process you are focusing on should be made clear in your introduction.

Finally, “[y]ou should consider all potential sources of evidence, for example applications, servers and network captures”. This is an important part of the specification to note as it provides you with guidance on the types of evidence you should be searching for in your literature review and practical research. For example, if you were to select HTTP as your application layer protocol, you need a discussion of the forensic aspects of the protocol itself for network captures, you may also look at the academic literature and standards outside of forensics for HTTP network captures and draw your findings back to forensic issues. However, you also have the applications (e.g. web browsers) and servers (e.g. HTTP servers) topics to include, and there are numerous papers discussing browser and HTTP server forensic issues. These are only examples and, if you were to select HTTP as your protocol, there are other applications and servers that make use of HTTP that you should also consider. There are also evidence sources other than applications, servers and network captures you should consider.

Ensure that you have an appropriate number of reputable references from a variety of academic sources. As with Assignment 1, you should include as many references as possible to back up your arguments. You should focus your literature search on a variety of distinguished publication outlets; for example, the journal "Digital Investigation" is widely held to be one of the best digital forensic outlets, although you need to use a range of sources. Try searching the library catalogue for digital forensics and the protocol you select, and also search ScienceDirect, which should find Digital Investigation articles. You can also extend your search to Google Scholar (http://scholar.google.com.au); however, you must be cautious with the sources it returns, as not all of them are of suitable quality for this assessment. The use of RFCs as a literature source is acceptable for this submission; however, they should be used sparingly, in favour of the above academic publications.

Practical Research Limitations: Please keep in mind that you should only be conducting experiments on your own virtual machines, not internet-connected machines. There is no need to (and you should not) keep the virtual machines you use for your experiments connected to the internet. You should set up a server (or servers), several client applications and a NFAT, all in a virtual environment on a virtual (LAN) network completely disconnected from the internet, for example using VMware Workstation.

I have selected DNS as a protocol, but the biggest problem for me is the Practical Research Limitations section. I have set up the Windows Server 2012 R2 server with Active Directory and DNS Server, but how can I do forensic analysis like acquiring the data, preservation, extraction of digital evidence and then documenting each and every step of Wireshark?

I need advice from all of my experienced colleagues on how to perform the practical part. I know we have to use Wireshark to capture the packets, but how do I make a report from it? So please help.

Thanks & regards,

Osama Faheem

 
Posted : 04/05/2015 9:47 pm
(@bithead)
Posts: 1206
Noble Member
 

What research have you done on the DNS protocol? Since you are using Windows Server, Microsoft would be a good start. Or perhaps some research on the Wireshark Wiki. If you had done some research, I am sure you could have found a 100-level Wireshark lesson. Maybe you knew all that and just needed a quick little command line reference.

However the most important thing you could do is read THIS.

 
Posted : 05/05/2015 5:36 am
(@ofaheemaus)
Posts: 3
New Member
Topic starter
 

Thanks for your reply.

Well, I am using RFC 1034, a book called DNS and BIND (5th edition) and a paper from a journal (http://ojs.jdfsl.org/index.php/jdfsl/article/viewFile/117/2). So what's your advice? Is it correct?

The only problem is setting up the lab, because my professor is not allowing me to access the internet. He is saying all the extraction of digital evidence of the DNS protocol must be done on a virtual machine using VMware Workstation. I have set up VMware Workstation with a Windows Server 2012 R2 server having Active Directory and Active Directory-integrated DNS, and a Windows 7 Professional client. But how can I perform an extraction and then document all these steps? This is an issue, as reading Wireshark logs is not so easy, so please advise.

Thanks & regards,

Osama Faheem

 
Posted : 05/05/2015 6:44 am
(@bithead)
Posts: 1206
Noble Member
 

The video and command line reference show you how to filter for DNS.

Is there some other part you need help with? It is very difficult to answer such a general question as 'I need help'.

 
Posted : 06/05/2015 5:57 am
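The two steps the thread keeps circling back to are filtering a capture down to DNS traffic (the reply above) and then extracting and preserving what is in those packets in a documentable way (the original question). The script below is an added example written for this thread, not code from either poster; it works on a hand-built "capture" (a list of UDP records with constructed DNS query and response bytes for example.com, using the RFC 5737 documentation address 192.0.2.1) so it runs offline in exactly the disconnected VM setting the assignment requires. It applies a port-53 filter equivalent to Wireshark's `dns` display filter, decodes the RFC 1035 header, question and answer sections (including name compression pointers, with a hop limit so a malformed packet cannot loop the parser), and records per-packet and whole-capture SHA-256 hashes for the preservation section of the report. Field names and the record layout are this example's own choices.

```python
"""Filter, parse and hash DNS messages from a constructed capture (example code)."""
import hashlib
import struct

# Constructed sample bytes for this example: a query for example.com (A) and its
# response. They are hand-built here, not taken from a real capture.
QUERY = (
    b"\x12\x34"                          # transaction ID
    b"\x01\x00"                          # flags: standard query, RD set
    b"\x00\x01\x00\x00\x00\x00\x00\x00"  # QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    b"\x07example\x03com\x00"            # QNAME example.com
    b"\x00\x01\x00\x01"                  # QTYPE=A, QCLASS=IN
)
RESPONSE = (
    b"\x12\x34"
    b"\x81\x80"                          # flags: QR=1, RD, RA, RCODE=NOERROR
    b"\x00\x01\x00\x01\x00\x00\x00\x00"  # QDCOUNT=1, ANCOUNT=1
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c"                          # NAME: compression pointer to offset 12
    b"\x00\x01\x00\x01"                  # TYPE=A, CLASS=IN
    b"\x00\x00\x0e\x10"                  # TTL=3600
    b"\x00\x04"                          # RDLENGTH=4
    b"\xc0\x00\x02\x01"                  # RDATA 192.0.2.1 (documentation range)
)

# Constructed capture: (timestamp, src port, dst port, UDP payload).
CAPTURE = [
    (1430800000.000, 51234, 53, QUERY),
    (1430800000.002, 53, 51234, RESPONSE),
    (1430800000.500, 40000, 80, b"GET / HTTP/1.1\r\n"),  # non-DNS noise
]


def read_name(msg, offset, max_hops=10):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just after the name in the original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:          # pointer: two bytes, top two bits set
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2             # name ends after the first pointer
            offset = pointer
            continue
        if length == 0:                      # root label terminates the name
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_dns(msg):
    """Parse header, question and answer sections of one DNS message."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def dns_records(capture):
    """Keep only port-53 traffic (like Wireshark's 'dns' filter) and parse it."""
    return [(ts, sport, dport, parse_dns(payload))
            for ts, sport, dport, payload in capture if 53 in (sport, dport)]


def evidence_hashes(capture):
    """SHA-256 per packet and over the whole capture, for the preservation log."""
    whole = hashlib.sha256()
    per_packet = []
    for _ts, _sport, _dport, payload in capture:
        whole.update(payload)
        per_packet.append(hashlib.sha256(payload).hexdigest())
    return per_packet, whole.hexdigest()


if __name__ == "__main__":
    for ts, sport, dport, parsed in dns_records(CAPTURE):
        print(f"{ts:.3f} {sport}->{dport} id={parsed['id']:#06x} "
              f"response={parsed['is_response']} rcode={parsed['rcode']} "
              f"q={parsed['questions']} a={parsed['answers']}")
    per_packet, whole = evidence_hashes(CAPTURE)
    print("capture sha256:", whole)
```

In the lab described in the thread, the same structure maps onto the report sections the professor asks for: the filter step is identification, the hash table is preservation (record it before and after any analysis so the capture can be shown unchanged), and the parsed query/answer pairs, keyed by transaction ID, are the analysis output that a real `.pcap` exported from Wireshark or tshark would feed instead of the constructed list here.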