Source of Evidence
Week #2 | Network Forensics | Hengky Sanjaya
This article contains a summary of what I’ve learned in the Network Forensics class.
This article or tutorial is 100% for Education Purposes only. Any time the word “Hacking” is used on this site, it shall be regarded as Ethical Hacking. Do not attempt to violate the law with anything contained here. If you plan to use the content for illegal purposes, please leave this site immediately! We will not be responsible for any illegal actions.
Source of Network-based Evidence
There are several sources from which network-based evidence can be obtained:
On the wire
Example:
Forensic Value:
- Wire tapping can provide real-time network data.
In the Air
Forensic Value:
Most of the time we will get little value, as the information is often encrypted. However, valuable information can still be obtained:
- Management and control frames are usually not encrypted
- Access Points (APs) advertise their names, presence, and capabilities
- MAC addresses of legitimately authenticated stations
- Volume-based statistical traffic analysis
Switches
Forensic Value:
- Content Addressable Memory (CAM) table, which stores the mapping between physical ports and MAC addresses
- A platform for capturing and preserving network traffic
Routers
Forensic Value:
- Routing tables
- Can function as a packet filter
- Logging functions and flow records
DHCP Server
DHCP stands for Dynamic Host Configuration Protocol.
Forensic Value:
- IP addresses
- Records of IP address leases
Authentication Server
Example: RADIUS, TACACS+.
Forensic Value:
- Logs
• Successful and/or failed attempts
• Brute-force password attacks
• Suspicious login hours
• Unusual login locations
• Unexpected privileged logins
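As an added example (not part of the original class notes), the following Python script shows how an analyst might run the checks listed above over authentication server logs: a burst of failed attempts from one source (brute force), a successful login outside business hours, and a success that directly follows a failure burst. The log format, the hours considered "normal", and the thresholds are assumptions chosen for the example; the log lines are constructed, not real RADIUS output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified RADIUS-style format (not real log output).
SAMPLE_LOG = """\
2024-03-04 09:02:11 result=ACCEPT user=alice src=10.10.5.21
2024-03-04 09:03:40 result=REJECT user=bob src=10.10.5.30
2024-03-04 09:03:41 result=REJECT user=bob src=10.10.5.30
2024-03-04 09:03:42 result=REJECT user=bob src=10.10.5.30
2024-03-04 09:03:43 result=REJECT user=bob src=10.10.5.30
2024-03-04 09:03:44 result=REJECT user=bob src=10.10.5.30
2024-03-04 09:03:45 result=REJECT user=bob src=10.10.5.30
2024-03-04 09:03:50 result=ACCEPT user=bob src=10.10.5.30
2024-03-04 23:47:02 result=ACCEPT user=carol src=10.10.7.9
2024-03-04 14:15:00 result=REJECT user=dave src=10.10.5.40
"""

# Assumed line layout: "<date> <time> result=<ACCEPT|REJECT> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"result=(?P<result>ACCEPT|REJECT) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Turn raw log text into a time-sorted list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected layout
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return the set of (src, user) pairs with >= threshold REJECTs inside `window`."""
    rejects = defaultdict(list)
    for e in events:
        if e["result"] == "REJECT":
            rejects[(e["src"], e["user"])].append(e["ts"])
    hits = set()
    for key, times in rejects.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(key)
                break
    return hits


def find_off_hours(events, start_hour=7, end_hour=19):
    """Successful logins outside the assumed business hours [start_hour, end_hour)."""
    return [(e["user"], e["ts"]) for e in events
            if e["result"] == "ACCEPT" and not (start_hour <= e["ts"].hour < end_hour)]


def find_success_after_burst(events, bruteforce):
    """Successful logins from a (src, user) pair that was flagged for brute force."""
    return [(e["user"], e["src"], e["ts"]) for e in events
            if e["result"] == "ACCEPT" and (e["src"], e["user"]) in bruteforce]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    bf = find_bruteforce(evs)
    print("brute force:", bf)
    print("off hours:", find_off_hours(evs))
    print("success after burst:", find_success_after_burst(evs, bf))
```

The success-after-burst check is the one worth prioritising in triage: a brute-force attempt that ends in an ACCEPT means the account should be treated as compromised until proven otherwise, whereas a burst of failures on its own may only be a locked-out user.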
DNS Server
DNS is used to map IP addresses to hostnames and vice versa.
Forensic Value:
- Can be configured to log queries
- Query logs help build a timeline of a suspect's activities
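The DHCP and DNS sections above fit together in practice: a DNS query log only records the client's IP address, and the DHCP lease records say which device held that IP at that moment. The Python below is an added example (not from the class or the original post) that attributes each logged query to a device by matching the query time against lease start and end times, then produces a per-device timeline. The lease records and query lines are constructed; the DNS line layout is loosely modelled on a BIND query log but is an assumption for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed DHCP lease records: start time, duration (hours), IP, MAC, client hostname.
# Note that 10.10.5.21 is leased to two different devices during the day.
LEASES = [
    ("2024-03-04 08:00:00", 4, "10.10.5.21", "aa:bb:cc:00:00:01", "laptop-alice"),
    ("2024-03-04 12:00:00", 4, "10.10.5.21", "aa:bb:cc:00:00:02", "tablet-bob"),
    ("2024-03-04 08:30:00", 8, "10.10.5.22", "aa:bb:cc:00:00:03", "printer-01"),
]

# Constructed DNS query log lines (format assumed for this example).
DNS_LOG = """\
04-Mar-2024 09:10:02.001 client 10.10.5.21#51234: query: intranet.example.com IN A
04-Mar-2024 09:10:05.410 client 10.10.5.21#51235: query: updates.example.net IN A
04-Mar-2024 13:30:17.220 client 10.10.5.21#40211: query: suspicious-domain.test IN A
04-Mar-2024 13:31:00.000 client 10.10.5.99#40212: query: unknown-host.test IN A
04-Mar-2024 09:12:00.000 client 10.10.5.22#1234: query: printer-fw.example.com IN AAAA
"""

DNS_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def load_leases(records):
    """Convert the lease tuples into dicts with absolute start/end datetimes."""
    leases = []
    for start, hours, ip, mac, host in records:
        s = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        leases.append({"start": s, "end": s + timedelta(hours=hours),
                       "ip": ip, "mac": mac, "host": host})
    return leases


def device_for(ip, ts, leases):
    """Return the lease that covered `ip` at time `ts`, or None if no lease matches."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= ts < lease["end"]:
            return lease
    return None


def build_timeline(dns_log, leases):
    """Parse query lines, attribute each to a device via the leases, sort by time."""
    rows = []
    for line in dns_log.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        lease = device_for(m["ip"], ts, leases)
        rows.append({
            "ts": ts,
            "ip": m["ip"],
            "mac": lease["mac"] if lease else None,
            # An IP with no covering lease is itself a finding: a static or rogue host.
            "host": lease["host"] if lease else "UNKNOWN (no lease)",
            "qname": m["qname"],
            "qtype": m["qtype"],
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def queries_by_device(timeline):
    """Group queried names by the attributed device hostname, in time order."""
    grouped = {}
    for row in timeline:
        grouped.setdefault(row["host"], []).append(row["qname"])
    return grouped


if __name__ == "__main__":
    timeline = build_timeline(DNS_LOG, load_leases(LEASES))
    for row in timeline:
        print(row["ts"], row["ip"], row["host"], row["qname"], row["qtype"])
    print(queries_by_device(timeline))
```

The point of the two-device lease on the same IP is that attributing by IP alone would blame laptop-alice for the 13:30 query; only the lease times make it clear that tablet-bob held the address by then. An IP that appears in the DNS log with no covering lease is worth a second look too, since it may be a statically configured or unauthorised host.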
NIDS/NIPS
NIDS → Network Intrusion Detection System
NIPS → Network Intrusion Prevention System
Forensic Value:
- Provide timely information
- It may be possible to recover the entire contents of network packets
Firewalls
Forensic Value:
- Granular logging
- Function as both infrastructure protection and an IDS
Web Proxies
Forensic Value:
- Granular logs can be retained for an extended period of time
- Visual reports of web surfing patterns by IP address or username (from Active Directory logs)
Application server
Forensic Value:
- Application logs
- Authorization
- Data
- Client Information
- Chat Log
Centralized Log Server
Forensic Value:
- Designed to help identify and respond to network security events
- Preserves log data even if one of the originating servers is compromised
Modem
Forensic Value:
- Access log
- Authentication Information (Username/Password)
- Serial number/Type
Thanks!