
Network Forensics

6 Posts
5 Users
0 Reactions
470 Views
 nemo
(@nemo)
Active Member
Joined: 16 years ago
Posts: 12
Topic starter  

What type of network forensic experiments can be carried out on a network?
I have a list of the following:
Email
Web Server
Instant Messenger
IDS-Intrusion Detection
Database
Print Server

If possible, can you list any more ideas please?


(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
 

Can you explain what you're asking better because I don't see how what you listed are network forensic experiments.


binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

"What type of network forensic experiments can be carried out on a network"

What kind of network are you interested in?
From your list it would appear to be Domain/WAN networks. These are of limited interest to me because I deal with law enforcement scenarios which mostly means a few machines behind a router.
My interpretation of network forensics would mean any interaction with the wider Internet as well as the internal LAN communications.
In this context (and just as a taster) you could include(on the Internet Side)
Torrents
P2P (Gnutella, etc)
Email
Instant messaging
Usenet
Web
IRC
On the local side typically it might include (amongst others)
Printing
File sharing
Syncing with devices

Essentially your question encompasses any communication between two computational devices (Turing machines). In this context it can mean virtually anything sent and received by a computer. You might want to monitor all input and output ports on a machine and then you'll truly get an idea of the scale of your question.

Would you now like to narrow your definition and explain what you really need?
It would help if you gave us some context too so that we can tailor any answers to what you require (i.e. why do you need to know?).

Paul


 nemo
(@nemo)
Active Member
Joined: 16 years ago
Posts: 12
Topic starter  

What I intend on doing is to create a small virtual network environment and create steps (investigation procedures) for different aspects of a network. Has anyone got any other areas I could also test, to help create these procedures? I also want to look at free open-source network forensic tools which are available, to determine usability and specific requirements.


(@corey_h)
Eminent Member
Joined: 15 years ago
Posts: 43
 

I would suggest that you start out with different types of scenarios to investigate which involve a network. For example, your first list mentioned a web server or email server but what is the purpose of investigating these servers. Did the email server get infected with a virus? Did the web server get hacked? Is the email server being examined to locate an exchange of emails? Are the web server logs being reviewed for policy violations? Did person X upload files to the file server?

The list of different scenarios could go on, but the purpose of the investigation would steer the procedure being used. I would pick a scenario on a topic of interest or a type of investigation you might encounter. The small virtual network could then be set up to support the scenario you picked. For example, if the scenario is to determine if person X accessed certain folders on a file server, then the network could include a client and a file server. If this is a Windows environment then the network could be branched out to include a Windows domain with a domain controller. The test could involve you accessing some files on the server, then investigating it to locate the artifacts of this occurring.

Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Small caveat, virtual networks don't necessarily behave the same way as real ones, in much the same way as virtual machines aren't quite the same.

Other areas of network interest to me would also include DHCP and DNS.

Wireshark is good, and open source. If you have the inclination, you could configure Snort to capture the traffic you are interested in too, again, open source. See Jonathan's post on open source tools.


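As an added example (not code from any of the posters above), here is the kind of small, reproducible procedure the thread is circling around: take a capture of the DHCP and DNS traffic azrael mentions, as Wireshark or tcpdump would save it, and reduce it to the two questions an investigator usually starts with, which host asked for an address (and what it called itself) and which names each host looked up. The script uses only the standard library and builds its own two-packet pcap inline (constructed sample data, not a real capture) so it runs offline. Assumptions: classic little-endian pcap with an Ethernet link type, no VLAN tags, DHCP clients with a 6-byte hardware address, and plain (uncompressed) question names, which is what DNS queries carry.

```python
"""Summarise DHCP client identities and DNS queries from a pcap.

Added example for the thread; not from any poster. Standard library only.
Assumes: little-endian classic pcap, Ethernet frames, no VLAN tags,
DHCP hlen == 6, and uncompressed DNS question names.
"""
import struct
from dataclasses import dataclass, field

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


@dataclass
class CaptureSummary:
    dns_queries: list = field(default_factory=list)   # (src_ip, qname)
    dhcp_clients: list = field(default_factory=list)  # (mac, msg_type, hostname)


def _ip(b):
    return ".".join(str(x) for x in b)


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _dns_qname(payload):
    """Decode the first question name; queries carry plain labels, no compression."""
    labels, pos = [], 12                      # 12-byte DNS header
    while payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def _dhcp_fields(payload):
    """Return (client MAC, message type, hostname option 12) from a DHCP message."""
    mac = _mac(payload[28:34])                # chaddr, hlen assumed to be 6
    msg_type, hostname, pos = None, None, 240  # options follow the magic cookie
    while pos < len(payload) and payload[pos] != 255:
        opt = payload[pos]
        if opt == 0:                           # pad
            pos += 1
            continue
        ln = payload[pos + 1]
        val = payload[pos + 2:pos + 2 + ln]
        if opt == 53:
            msg_type = DHCP_MSG_TYPES.get(val[0], str(val[0]))
        elif opt == 12:
            hostname = val.decode("ascii", "replace")
        pos += 2 + ln
    return mac, msg_type, hostname


def summarize_pcap(data):
    """Walk pcap records, keep IPv4/UDP, and pull out DNS queries and DHCP clients."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    if struct.unpack("<I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    summary, pos = CaptureSummary(), 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack("<IIII", data[pos:pos + 16])
        pkt = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                           # not IPv4
        ihl = (pkt[14] & 0x0F) * 4
        ip = pkt[14:14 + ihl]
        if ip[9] != 17:
            continue                           # not UDP
        udp = pkt[14 + ihl:]
        _sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        payload = udp[8:ulen]
        if dport == 53:
            summary.dns_queries.append((_ip(ip[12:16]), _dns_qname(payload)))
        elif dport == 67 and len(payload) >= 240:
            summary.dhcp_clients.append(_dhcp_fields(payload))
    return summary


def _frame(src_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; parser ignores them)."""
    ip4 = lambda s: bytes(int(x) for x in s.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     ip4(src_ip), ip4(dst_ip)) + udp
    return b"\xff" * 6 + bytes(src_mac) + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed two-packet capture: a DHCP Discover, then a DNS A query."""
    mac = [0x00, 0x11, 0x22, 0x33, 0x44, 0x55]
    dhcp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0xDEADBEEF, 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    dhcp += bytes(mac) + b"\0" * 10 + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    dhcp += b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\x0c\x08WS-ALPHA" + b"\xff"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    dns += b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    frames = [_frame(mac, "0.0.0.0", "255.255.255.255", 68, 67, dhcp),
              _frame(mac, "192.168.1.20", "192.168.1.1", 51000, 53, dns)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    s = summarize_pcap(build_sample_pcap())
    for mac, kind, host in s.dhcp_clients:
        print(f"DHCP {kind} from {mac} hostname={host}")
    for src, name in s.dns_queries:
        print(f"DNS  {src} asked for {name}")
```

To turn this into one of nemo's procedures: replace build_sample_pcap() with open("capture.pcap", "rb").read() taken from the virtual lab, run the scenario (boot a client, browse to a site), and check that the MAC/hostname pair and the looked-up names match what you expect; the DHCP hostname option is also a useful cross-reference when tying a MAC address back to a particular machine. Note the VM caveat azrael raises still applies: a virtual switch may not show you broadcast traffic the same way a physical one does, so verify with a capture from a real span port before relying on the procedure.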