
network forensic aims

(@sirex)
Active Member
Joined: 18 years ago
Posts: 8
Topic starter  

Hello, further to http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1938

Perhaps a quick mail here might prove valuable in providing some further info from those that know the area best (that's you guys!).

With regards to network forensics, and specifically looking at the analysis of pcap files (thinking along the lines of Ethereal-type applications here): how might the forensic examiner employ such a tool (and if they wouldn't, why)?

I'm going to try and include some functionality to give information on abnormal network traffic (DoS attacks, possible port scanning etc.) in my tool to analyse pcap files, as well as timelining connection streams in the file, but I'm wondering if there's any other information which a forensic examiner looks for in network traffic which might prove useful.

I might look into reconstructing files passed over the session, but it depends on the framework I'm using to open the pcap files; I don't know if there's enough session information available, including packet contents, to do that, so for now it's just on the drawing board.


   
Quote
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Not a firm answer, but you might do well to approach this from a different angle.

Have a look at what an IDS looks for in their rule sets. This will give you a good idea of the sort of thing that you should be looking for with regard to network security.

Probably the best place to start looking is http//www.snort.org

Azrael.


   
ReplyQuote
(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
 

I highly recommend you read anything by Richard Bejtlich. The Tao of Network Security Monitoring, Extrusion Detection, and Real Digital Forensics, all cover detecting anomalies and intrusions by analyzing network based evidence (NBE).


   
ReplyQuote
(@sirex)
Active Member
Joined: 18 years ago
Posts: 8
Topic starter  

Coming at it from the IDS viewpoint is a pretty good idea; I'll look into that.

I guess I just wasn't sure what information a forensically minded person might obtain from a network traffic capture file, or which information from the file they might rely upon or use to draw conclusions about the significance of the information they're viewing.

I'm aware that network capture files can be huge, so hopefully some of the tedious tasks such as looking at timestamps can be streamlined.

P.S. I have the "Real Digital Forensics" book. Very good so far, only half way into it at the moment. In a similar vein, "File System Forensic Analysis" by B. Carrier is a great read too, also published by A&W.


   
ReplyQuote
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Sirex,

If you go down the IDS-type route, you can run previously captured logfiles through Snort with the rules loaded. This would then allow you to highlight areas of interest, rather than poring over them by hand! It is even possible to do anomaly detection with Snort, provided that you have sufficient data to set the baseline to detect from …

PM or e-mail me if you want any help down the Snort route …

azrael at open-forensics dot com


   
ReplyQuote
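As an added, stand-alone illustration of the two ideas in this thread so far (Sirex's pcap tool that timelines connection streams and flags scans, and Azrael's suggestion of replaying a capture against IDS-style rules), and not code from any poster or from Snort: the Python below parses a libpcap file with the standard library alone, builds a per-flow timeline, applies a SYN-scan threshold, and checks every payload against two Snort-like content rules. The capture it analyses is constructed in memory with synthetic 10.0.0.0/8 addresses; the rule format, the thresholds (10 ports within 2 s) and all function names are assumptions made for this example, not Snort's syntax or anyone's published tool.

```python
import struct
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08

def parse_pcap(data):
    """Yield (ts, src, dst, sport, dport, tcp_flags, payload) for every IPv4/TCP frame in a libpcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a microsecond libpcap file, magic %#x" % magic)
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # record headers use the writer's byte order
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # only IPv4-over-Ethernet frames carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl:14 + ip_len]  # bounded by IP total length, so Ethernet padding is dropped
        if len(tcp) < 20:
            continue  # TCP header truncated by the snaplen
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        yield (sec + usec / 1e6, src, dst, sport, dport, tcp[13], tcp[doff:])

def timeline(records):
    """Group packets into unidirectional 4-tuple flows; return [(flow, stats)] ordered by first-seen time."""
    flows = {}
    for ts, src, dst, sport, dport, _flags, payload in records:
        f = flows.setdefault((src, sport, dst, dport), {"first": ts, "last": ts, "packets": 0, "bytes": 0})
        f["last"], f["packets"], f["bytes"] = max(f["last"], ts), f["packets"] + 1, f["bytes"] + len(payload)
    return sorted(flows.items(), key=lambda kv: kv[1]["first"])

def detect_port_scans(records, min_ports=10, window=2.0):
    """Return (src, dst, n_ports) when a source sends bare SYNs to >= min_ports distinct ports within `window` s."""
    syns = defaultdict(list)
    for ts, src, dst, _sport, dport, flags, _payload in records:
        if flags & SYN and not flags & ACK:
            syns[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append((src, dst, len(ports)))
                break
    return alerts

# Snort-style rules reduced to optional port constraints plus a byte-string match (toy syntax, not Snort's).
RULES = [
    {"sid": 1, "msg": "HTTP request for /etc/passwd", "dport": 80, "content": b"/etc/passwd"},
    {"sid": 2, "msg": "id(1) output on a shell port", "sport": 4444, "content": b"uid="},
]

def match_rules(records, rules=RULES):
    """Return (sid, ts, src, dst) for every packet whose ports and payload satisfy a rule."""
    hits = []
    for ts, src, dst, sport, dport, _flags, payload in records:
        for r in rules:
            if r.get("dport", dport) == dport and r.get("sport", sport) == sport and r["content"] in payload:
                hits.append((r["sid"], ts, src, dst))
    return hits

def _tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero; the parser ignores them)."""
    ip4 = lambda a: bytes(map(int, a.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(packets):
    """[(timestamp, raw_frame)] -> little-endian libpcap bytes with LINKTYPE_ETHERNET."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, raw in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(raw), len(raw)) + raw
    return out

def sample_capture():
    """Constructed traffic (synthetic addresses): one normal HTTP exchange, then a 20-port SYN scan and a traversal request."""
    t = 1000.0
    pk = [(t, _tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, SYN)),
          (t + 0.01, _tcp_frame("10.0.0.80", "10.0.0.5", 80, 40000, SYN | ACK)),
          (t + 0.02, _tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, ACK | PSH, b"GET / HTTP/1.0\r\n\r\n"))]
    pk += [(t + 5 + i * 0.05, _tcp_frame("10.0.0.66", "10.0.0.80", 50000 + i, 1 + i, SYN)) for i in range(20)]
    pk.append((t + 7, _tcp_frame("10.0.0.66", "10.0.0.80", 50100, 80, ACK | PSH, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n")))
    return build_pcap(pk)

def analyse(pcap_bytes):
    records = list(parse_pcap(pcap_bytes))
    return {"flows": timeline(records), "scans": detect_port_scans(records), "hits": match_rules(records)}

if __name__ == "__main__":
    r = analyse(sample_capture())
    print(len(r["flows"]), "flows; scans:", r["scans"], "; signature hits:", r["hits"])
```

Two things worth noting for a tool meant for examiners. First, the scan check and the content rules are different kinds of test: a content rule needs someone to have written a signature for the specific attack beforehand, whereas the SYN threshold describes behaviour and fires on any scanner, at the price of a threshold that has to be tuned against the baseline traffic of the network being examined. Second, the parser deliberately handles only classic microsecond-resolution libpcap files with Ethernet framing and IPv4/TCP; pcapng, nanosecond-timestamp captures, VLAN tags, IPv6 and UDP are all rejected or skipped silently, and checksums are never verified, so a real tool should log what it skipped rather than leave the examiner to assume the capture was read in full.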
(@sirex)
Active Member
Joined: 18 years ago
Posts: 8
Topic starter  

Yeah, the problem is this is an academic project, so to some degree I can't pull in too much functionality from elsewhere; I can replicate the effects of Snort though and state where the idea came from.


   
ReplyQuote
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

:-)

Fair enough - at least you can read the source code to see how it's done !

😉

Enjoy !


   
ReplyQuote
keanaz
(@keanaz)
Active Member
Joined: 18 years ago
Posts: 9
 

We use CA NF (formerly eTrust Network Forensics).

It satisfies all aims.

TIA


   
ReplyQuote
(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
 

> Sirex,
>
> If you go down the IDS-type route, you can run previously captured logfiles through Snort with the rules loaded. This would then allow you to highlight areas of interest, rather than poring over them by hand! It is even possible to do anomaly detection with Snort, provided that you have sufficient data to set the baseline to detect from …
>
> PM or e-mail me if you want any help down the Snort route …
>
> azrael at open-forensics dot com

How can Snort do anomaly detection? I've read a few books on Snort, and don't think I've ever read anything about that.


   
ReplyQuote
 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

Only if there's a rule written for the anomaly; it's a signature-based program.


   
ReplyQuote
Page 1 / 2
Share: