Detection network forensic investigation
I've been struggling with this topic for a while now and I decided to join the forum and ask for help.
Actually, my aim is to find under which conditions an attacker can guess that the network (LAN) is monitored and avoid detection. My setup should be simple; I have a computer in the LAN which the attacker will try to gain access to. The computer is behind LAN equipment (switches). The attacker may come from the same LAN or from outside, behind a firewall.
What are the indicators of a monitored environment? (delay? jitter? packet loss?)
Which environments allow for easy detection by the attacker (SPAN, sniffing, TAPs)?
How does the attacker exfiltrate that information from the LAN (covert channel)?
I'd appreciate it if you could help with documentation that further explains the process.
Depends on the knowledge of the attacker. Are you gonna use a VM and/or existing monitoring, or a honeypot?