i have been trying to get information from this below

(@omajiman)
Posts: 12
Active Member
Topic starter
 

If there is an identity theft attack or a phishing attack, what information can I gather about this attack using network forensics?

 
Posted : 04/09/2014 9:57 am
Jamie
(@jamie)
Posts: 1288
Moderator
 

Please keep in mind our guidelines when starting a new forum topic, i.e.

1. Provide as much information as possible. Explain why you're asking the question, describe any software or hardware in detail (including version numbers), include details about your own background or experience (if relevant).

2. Describe what you have already done to answer the question or solve the problem. Have you searched these forums? Have you Googled? What did you find?

Thank you.

 
Posted : 04/09/2014 11:05 am
(@omajiman)
Posts: 12
Active Member
Topic starter
 

I have searched the search engine (Google) but could not get any vital information. I am doing my internship program with COMSATS Institute of Information and Technology and I have to give a report about my findings using any network forensics tool (likely Wireshark).
Being a novice in this field I humbly request the forum to assist me in the area of network forensics.
Thanks so much!

 
Posted : 04/09/2014 2:01 pm
(@athulin)
Posts: 1156
Noble Member
 

If there is an identity theft attack or a phishing attack, what information can I gather about this attack using network forensics?

Anything you can. Or anything you can apply in the given situation. Your question is very wide, so there's no way of saying. In particular, there is not one single 'identity theft attack' or 'phishing attack'. One phishing attack is the well known Nigeria letters, but so are rogue WiFi APs, and web and DNS forgeries. Spearphishing attacks are unexpected and convincing, so they are unlikely to follow a set rule … It's a bit like asking about structure, contents, and other relevant data about jazz solos. Bill Watrous (trombone) is likely to do different things than … say, Oscar Peterson (piano) … for any reason from the differences in instruments to the differences in music style and personality.

Can you focus your question on a more specific subarea? That may help give you better replies.

If not, what I think you need to do is

1. List the various ways in which either of the two attack types you mention can be performed over a network (WAN, LAN, … whatever). Well, at least some of them. If you're only interested in some network types, restrict your work accordingly.

If you don't know how that may happen, you probably need to start by examining known and documented attacks, and boil them down to essentials.

2. Assuming that you have a wide knowledge of networks, itemize each way that the attack scenarios may or will leave traces in the network equipment or logs or what-have-you.

If you don't have that knowledge … you may need to get it. If your question is general, there's little left to say. If your question is specific for a company, go to whoever knows the network architecture of that company, and ask for information.

3. Now, combine the results.

(4. For extra credits, invent your own attacks, then repeat the steps above.)

It also matters if your work is proactive (i.e. you want to prevent these attacks from happening or being successful), if it is intended to detect or trace attacks as they happen, or if you're called in after the fact to investigate an attack that took place some time in the past. It may help you restrict your investigations to artifacts of a certain life span. For example, if you're called in for an investigation of something that happened a week ago, you're looking for traces that remain in the system for at least that time.

 
Posted : 06/09/2014 11:51 am
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

If the identity theft attack was conducted over a network and you were able to capture all that network traffic - then the information you can get about that attack is in your packet capture.

If the phishing attack was conducted over a network and you were able to capture all that network traffic - then the information you can get about that attack is in your packet capture.

Consider a full packet capture of that attack as if you had a full image of a hard drive. You have the data you need in front of you - the skill of the forensicator is in understanding what that data means/how to reconstruct the event of interest.

 
Posted : 06/09/2014 8:49 pm
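As an added example (not code from any poster in this thread): pbobby's point is that a full packet capture holds the evidence, and athulin's step 2 is itemising the traces an attack leaves. The script below builds a small pcap of its own (host names under the reserved .example TLD and addresses from the documentation ranges, so nothing in it is real), parses it back with only the Python standard library, and flags two traces a credential-phishing campaign commonly leaves in network traffic: DNS look-ups for look-alike domains of the brand being imitated, and HTTP POSTs carrying a password field to a host outside the trusted domain. The brand "bank", the trusted domain "bank.example", the port-based protocol guesses and the look-alike heuristics are assumptions chosen for the illustration, not a standard.

```python
# Added example: pull phishing-relevant artefacts out of a libpcap file with
# only the standard library. The capture itself is constructed below.
import struct

PCAP_MAGIC, ETH_IPV4, PROTO_TCP, PROTO_UDP = 0xA1B2C3D4, 0x0800, 6, 17


def _packet(src, dst, proto, payload):
    """Ethernet II (zero MACs) + IPv4 header. Checksum left zero: never sent."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ip + payload


def dns_query(src, resolver, name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\0\1\0\1"  # A, IN
    return _packet(src, resolver, PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns)


def http_request(src, dst, method, host, path, body=""):
    req = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nContent-Length: {len(body)}\r\n\r\n{body}"
    # 20-byte TCP header (data offset 5, flags PSH|ACK); whole request in one segment
    tcp = struct.pack("!HHIIBBHHH", 40001, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return _packet(src, dst, PROTO_TCP, tcp + req.encode())


def build_pcap(frames, first_ts=1410000000):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """One dict per DNS query or HTTP request; everything else is skipped."""
    if struct.unpack_from("<I", data)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off, records = 24, []
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        rec = _decode(frame)
        if rec:
            records.append(dict(rec, ts=ts))
    return records


def _decode(frame):
    if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    l4 = ip[(ip[0] & 0x0F) * 4:]
    dport = struct.unpack_from("!HH", l4)[1]
    if ip[9] == PROTO_UDP and dport == 53:
        p, labels, i = l4[8:], [], 12              # 12-byte DNS header, then QNAME
        while p[i]:
            labels.append(p[i + 1:i + 1 + p[i]].decode())
            i += 1 + p[i]
        return {"kind": "dns", "src": src, "dst": dst, "qname": ".".join(labels)}
    if ip[9] == PROTO_TCP and dport == 80:
        payload = l4[(l4[12] >> 4) * 4:]
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode(errors="replace").split("\r\n")
        if len(lines[0].split(" ")) != 3:           # not the start of a request
            return None
        hdrs = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        return {"kind": "http", "src": src, "dst": dst, "method": lines[0].split(" ")[0],
                "host": hdrs.get("Host", "").lower(), "body": body.decode(errors="replace")}
    return None


def _edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, brand, trusted_domain):
    """Hosts that imitate `brand` (brand embedded in a label, or one edit away)
    without being `trusted_domain` or one of its subdomains. Heuristic, assumed."""
    if host == trusted_domain or host.endswith("." + trusted_domain):
        return False
    return any(brand in lbl or _edit_distance(lbl, brand) <= 1 for lbl in host.split("."))


def analyze(records, brand="bank", trusted_domain="bank.example"):
    findings = []
    for r in records:
        host = r["qname"] if r["kind"] == "dns" else r["host"]
        if is_lookalike(host, brand, trusted_domain):
            findings.append((r["ts"], r["src"], f"{r['kind']}: look-alike host {host}"))
        if r["kind"] == "http" and r["method"] == "POST" and any(
                k in r["body"].lower() for k in ("password=", "passwd=", "pwd=")):
            findings.append((r["ts"], r["src"], f"credential POST to {host}"))
    return findings


SAMPLE_PCAP = build_pcap([                       # constructed traffic, reserved names only
    dns_query("10.0.0.5", "10.0.0.1", "www.bank.example"),     # legitimate
    dns_query("10.0.0.5", "10.0.0.1", "bank-secure.example"),  # brand plus a tacked-on word
    dns_query("10.0.0.5", "10.0.0.1", "b4nk.example"),         # one-character substitution
    http_request("10.0.0.5", "198.51.100.7", "POST", "bank-secure.example",
                 "/login", "user=alice&password=hunter2"),
    http_request("10.0.0.5", "203.0.113.9", "GET", "www.bank.example", "/"),
])

if __name__ == "__main__":
    for ts, src, what in analyze(parse_pcap(SAMPLE_PCAP)):
        print(ts, src, what)
```

Run stand-alone it prints four findings: the two look-alike DNS queries, the look-alike HTTP host, and the password POST to that host, each with the timestamp and client address an investigator would chase next. Two caveats for real captures: most web traffic today is HTTPS, so the POST body is not readable and the DNS query name (and the TLS SNI) carries most of the weight; and the look-alike test is deliberately crude, so it will flag innocent names that merely contain the brand string. To see the same records in Wireshark, open the pcap and filter on dns.qry.name or http.request.method == "POST".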
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If I may, being particularly picky, IMHO there exist neither "phishing attacks" nor "identity theft attacks" 😯 (strictly speaking).

Phishing gets its name from fishing: you basically put a fishhook at the end of a fishing line with some bait on it and wait until (if) something bites the bait and gets hooked.
Or you place a net and as well wait until (if) some fish gets trapped in it.

An attack is something IMHO targeted, like - say - fishing whales with harpoons, or hunting with a gun, but it doesn't apply to "our" phishing.

Once you have your phish hooked, you may use the information gathered for several things:

  • if you managed to get the network login: an intrusion attack (though, since you actually have the right credential, it is not really really an intrusion attack, but rather an "unauthorized access")
  • if you managed to get the identity data: identity theft
  • if you more plainly managed to get just a credit card number and related details: "only" getting the phish's money

As well, the "identity theft attack" is IMHO mainly an "intrusion" attack, and again, it may be a more simple "unauthorized access" leading to gathering the identity data.

I hope the above makes sense.

jaclaz

 
Posted : 06/09/2014 10:08 pm
(@kbertens)
Posts: 88
Trusted Member
 

Still not sure what you're looking for.
What is the goal, is it to prevent these attacks or did these attacks happen and are you looking for evidence?
Is the packet capture based on the victim or suspect side?
Please provide some more information and of course I'm willing to help.

 
Posted : 07/09/2014 12:37 pm
(@omajiman)
Posts: 12
Active Member
Topic starter
 

Hello Dears!
I really appreciate all your comments toward my recently placed post. However, my goal is to gather evidence about an identity theft attack in my network.
I was asked to get this evidence using network forensics.

 
Posted : 07/09/2014 12:51 pm
(@bithead)
Posts: 1206
Noble Member
 

Our goal is to help you. However you must provide specific information about the attack.

- Who do you believe attacked you? External adversary? Insider threat?
- What was attacked? A server? A database? Some other device?
- What was stolen? User account info? Database info? Some sort of PII?

Do you see a pattern of "W"s emerging here? https://en.wikipedia.org/wiki/Five_Ws

Without this most basic information being provided how do you expect anyone to help?

 
Posted : 07/09/2014 4:16 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Do you see a pattern of "W"s emerging here? https://en.wikipedia.org/wiki/Five_Ws

And add to it a C 😯
for cui bono or cui prodest
http://en.wikipedia.org/wiki/Cui_bono

jaclaz

 
Posted : 07/09/2014 4:33 pm