Hi everyone,
I'm getting more and more interested in network investigations. So far I've just made investigations on dead systems, but I really believe the most interesting field of investigation would be the live network analysis.
For monitoring purposes I have just used Ethereal and Tcpdump, but I'm sure you guys can advise me a complete architecture/environment/software bundle for network monitoring (and a possible network investigation making use of that architecture). Any suggestions?
P.S. Please… no EnCase Enterprise suggestion. Too expensive!!
Thanks.
iruiper,
I guess it really depends on the network and incident but some of the more obvious things I've done….
Installed a snort IDS at the network perimeter.
Installed a netoptics teeny tap.
Used Ettercap to man in the middle a box on a switched network.
Used Argus to capture network flow data.
The backtrack live CD can come in handy during network investigations.
I'd also read the books by Richard Bejtlich for network based investigations. The Tao of Network Security Monitoring and Extrusion Detection are probably the best books around on this topic.
With the existence of tools like Ettercap, Nemesis and the dsniff suite, how do you go about verifying that the information you capture with Ethereal or tcpdump is really coming from the system/network you think it is?
Then there is the issue of encryption, do you try to break it all? What if the data you capture off the network is on the small end of a proxy, and all the traffic from IP 192.168.2.3 is really from 250 different computers and 250 different people?
I think that when it's all said and done, you still go back to the "dead" system and image the HD and etc etc….
Now, for network security… a big ol X2 for this one
Tao of network security monitoring and Extrusion Detection are probably the best books around on this topic.
Very interesting topic,
Skip
Has anyone ever used
Currently, in my work, we have never focused on detecting network security vulnerabilities, but I'm beginning to believe that it could be an interesting field of study (and hence, more work to do!) to do a kind of Security Audit (a "light" one) before a proper Forensic Investigation (acquisition, investigation and reporting).
And that is why I'd like to know how many of you make wide use of these kinds of tools in your jobs. Also some advice on lectures about this subject will be welcome!
Skip makes a good point about how you know if the source is actually the source that you are looking at. For me, in any network based investigation, I will try to get as close to the source as possible… meaning on the same switch with a spanned / tapped port. Other options are to tie the MAC address to the switch port and also to the DHCP server. Yes, MAC addresses are trivial to forge. Tools like Back Track and Auditor do come in handy for pen testing also. If you're going to rely on capturing data, you should do it with a sniffer or some sort of network based forensic tool, IDS/IPS, Firewall, where the data cannot be altered. Snort is a great tool, and not just for the fact that it's free, but the fact that it offers a lot of flexible rule creation, and is easily portable and exportable.
Chris
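One way to act on Chris's advice about tying IP addresses to MAC addresses, as an added example that is not from any poster in this thread: a small Python script that parses a pcap with only the standard library, collects which MAC announces each IP in ARP replies, and flags IPs announced by more than one MAC (the symptom a switched-segment man-in-the-middle leaves on the wire). The inline capture, MACs and IPs are constructed for the demonstration.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap magic as read with "<I"

def arp_reply_frame(sender_mac, sender_ip):
    """Ethernet frame carrying an ARP 'is-at' reply (constructed test data)."""
    eth = b"\xff" * 6 + sender_mac + b"\x08\x06"          # dst, src, ethertype ARP
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)       # Ethernet/IPv4, opcode 2 = reply
    return eth + hdr + sender_mac + bytes(sender_ip) + b"\x00" * 6 + bytes((192, 168, 2, 1))

def pcap_bytes(frames):
    """Minimal little-endian libpcap file, link type 1 = Ethernet (constructed)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

def arp_claims(data):
    """Map each IPv4 address to the set of MACs that announced it in ARP replies."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("expected a little-endian libpcap file")
    claims, pos = defaultdict(set), 24
    while pos + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        # ARP over Ethernet is 42 bytes; skip anything else (IPv4, VLAN, truncated)
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            continue
        if struct.unpack("!H", frame[20:22])[0] != 2:   # only 'is-at' replies
            continue
        claims[".".join(str(b) for b in frame[28:32])].add(frame[22:28].hex(":"))
    return claims

def conflicting_ips(claims):
    """IPs announced by more than one MAC: check switch port / DHCP lease before trusting the capture."""
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

# Constructed capture: host .3 answers from its real MAC, then a second MAC claims the same IP.
SAMPLE_PCAP = pcap_bytes([
    arp_reply_frame(bytes.fromhex("001122334455"), (192, 168, 2, 3)),
    arp_reply_frame(bytes.fromhex("0a0b0c0d0e0f"), (192, 168, 2, 10)),
    b"\x00" * 12 + b"\x08\x00" + b"\x00" * 28,          # an IPv4 frame, ignored
    arp_reply_frame(bytes.fromhex("66778899aabb"), (192, 168, 2, 3)),
])

if __name__ == "__main__":
    for ip, macs in conflicting_ips(arp_claims(SAMPLE_PCAP)).items():
        print(f"{ip} announced by {len(macs)} MACs: {', '.join(macs)}")
```

Point `arp_claims` at a real tcpdump/Ethereal capture (written with the little-endian pcap format) to get the same report; a conflict is a reason to go back to the switch's MAC table and DHCP logs, not proof by itself.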
Not sure how much information you're looking at tracking but check out
iruiper,
Regarding Auditor, its latest incarnation is Backtrack. I can't see much of a traditional forensic use for it. It does have uses in computer security courses to teach penetration testing. YMMV.
Back|Track does have forensic tools…but you are right I think that the distro is more for testing security controls.
Now, in terms of the network…if there was a breach then perhaps discovering weaknesses in the existing security controls would give you some forensic information about the network…or perhaps information on where to look for evidence (not just info).
Skip
While you're experimenting with tcpdump and Ethereal (Wireshark) I recommend you try out
Honeysnap is designed to be a command-line tool for parsing single or multiple pcap data files and producing a 'first-cut' analysis report that identifies significant events within the processed data. This presents security analysts with a pre-prepared menu of high value network activity, aimed at focusing manual forensic analysis and saving significant incident investigation time.
I don't know about the Unix version, but in order to get the Windows version installed I had to install
I also recommend the previous books mentioned, authored by