week 11

This week’s topic is switches, routers, and firewalls. In a corporation there are core routers connected to many different servers, while for personal use there is a home router. After the router comes a switch, after that a firewall, and then the network.

There are different types of storage media:
– ROM: read-only memory; contains things that cannot be changed (e.g. the OS, the factory configuration).
– NVRAM: RAM is volatile memory that needs electrical power to keep its contents, whereas NVRAM is non-volatile: the data stays stored even when there is no power.
– DRAM: the common memory used in computers.
– CAM: content addressable memory, used in applications that need fast, frequent lookups.
– hard disk

Switches are at OSI layer 2; they work with the physical address (MAC address), written in hexadecimal. That code matters: just a few characters of it (the vendor prefix) can help identify which device is being used in the network; however, people can fake their MAC address. With ARP a MAC address can be matched to an IP address; the device requests an IP address from the DHCP server, which grants it only for a limited time. Knowing the lease time helps identify which device was used in an attack on the network (e.g. which device held the address during that lease). Switches use CAM to keep track of the countless flows of traffic in the network.

Routers are at OSI layer 3; the main difference between routers and switches is that routers can perform routing while switches cannot. Routing makes connections between different networks, while a switch is only used inside a single network.

Firewalls record information such as successful/failed connection attempts, the protocols used in the network, and the applications used in the network. Firewalls have several capabilities:
– NAT, DHCP, VPN tunneling
– load balancing
– fragmentation reassembly
– stateful filtering, performance monitoring
– HW upgrades

week 8

This week’s topic is network intrusion detection and analysis. There are 4 types of system that help with detection and prevention:
– NIDS (network-based intrusion detection system): detects whether there is any suspicious activity by analyzing the traffic flow in the network, so that the activity can then be prevented;
– NIPS (network-based intrusion prevention system): prevents the attacks recognized by the system. If there is an attack, the system isolates the server under attack;
– HIDS (host-based intrusion detection system)
– HIPS (host-based intrusion prevention system)

HIDS and NIDS are both based on rules that have been researched by people (e.g. patterns of attack); when research finds a new type of pattern, the researcher adds it to the rules. They are made to capture all suspicious packets in the network.

There are 2 types of IDS:
Commercial:
– Check Point IPS Software Blade
– Next-Generation Intrusion Prevention System (NGIPS)
– Extreme NIPS
– TippingPoint IPS
Open source:
– Snort
– Bro
– Suricata
– Sagan
HIDS:
– OSSEC
– Fail2ban
– AIDE
– Samhain

week 10

This week’s topic is event log correlation and analysis. There are many types of logs on a computer, for example event logs and security logs. These logs can be obtained from many sources: server, mainframe, or workstation.

Logs from the OS usually store records at system level, like login/logout or system crashes. Logs from Windows usually count in the thousands or even millions since there are more activities going on; in a case where the system is attacked, finding the relevant data is like finding a needle in a haystack. To view the event logs in Windows 10, simply search for ‘Event Viewer’. There are also other types of logs available:

  • IE browsing history
  • Setup
  • Firewall
  • Recycle bin
  • Shortcut files

Regarding the collection of the log data, the party involved needs to be considered. They are not to disclose anything about the investigation; thus, employees of the involved party must not know, and may be given a break so that the IT staff can do their work properly. Collection is usually a passive acquisition followed by an active search through the logs.

There are several analysis tools that can be used to analyze the logs:
Commercial:

  • Splunk
  • Retrace
  • Logentries
  • Logmatic

Open source:

  • Graylog
  • Logstash

By connecting all servers in a company to Graylog, Graylog can analyze all the logs. If there is an attack on one of the systems, it can be investigated using the data analyzed in Graylog. Graylog provides the time/date, source, and event of each log entry. It can be used to analyze whether someone tried to brute-force a password on the system. With Graylog, data can be searched by protocol or service, which aids the investigation.
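As an added example (not part of the original notes and not Graylog's own code), this is the kind of correlation Graylog does for the brute-force question above: auth log lines are normalized into time/source/event fields, then failed logins per source are counted in a sliding window and a success right after the failures is flagged. The log lines are constructed, not from a real system.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH-style auth log lines (not taken from any real system)
LOG_LINES = """\
2024-03-01T10:00:01 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:03 srv1 sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:04 srv1 sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:06 srv1 sshd[1207]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:09 srv1 sshd[1209]: Accepted password for root from 203.0.113.7 port 51005 ssh2
2024-03-01T10:05:00 srv1 sshd[1301]: Failed password for alice from 192.0.2.10 port 40001 ssh2
2024-03-01T10:20:00 srv1 sshd[1302]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<src>\S+)")

def parse_auth_events(lines):
    """Normalize raw lines into events with time, host, service, result, user and source."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        a = AUTH_RE.match(m["msg"]) if m else None
        if not a:
            continue                          # not an authentication message; skip it
        events.append({"time": datetime.fromisoformat(m["ts"]), "host": m["host"], "service": m["svc"],
                       "result": a["result"], "user": a["user"], "src": a["src"]})
    return events

def brute_force_sources(events, threshold=3, window_seconds=60):
    """Return {src: (max failures inside one window, success after the last failure)} for every
    source whose failed logins reach `threshold` within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        fails = sorted(e["time"] for e in evs if e["result"] == "Failed")
        best, start = 0, 0
        for end in range(len(fails)):         # sliding window over the failure timestamps
            while fails[end] - fails[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            success_after = any(e["result"] == "Accepted" and e["time"] > fails[-1] for e in evs)
            hits[src] = (best, success_after)
    return hits

def events_for_service(events, service):
    """Filter by service, the way a Graylog search by service (e.g. service:sshd) would."""
    return [e for e in events if e["service"] == service]
```

A source flagged with `True` in the second field (failures followed by an accepted login) is the case worth investigating first.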

week 7

This week is about wireless in network forensics. There are many wireless devices, such as:
– Bluetooth earphones
– Wi-Fi
– infrared devices, e.g. television remotes
– cell phones
– AM/FM radio
There are many cases involving wireless networks: a stolen device such as a laptop or phone can be easily tracked and recovered once it connects to a wireless network. Moreover, a network attack carried out over a wireless network can be investigated and tracked.

The IEEE layer 2 protocols, especially the 802 series, consist of several versions:
1. 802.3 -> Ethernet
2. 802.1q -> trunking
3. 802.1x -> LAN-based authentication
4. 802.11 -> Wi-Fi, with 3 different frequencies. There are 3 different frame types in this version: management frames, control frames and data frames.
Management frames control communication between stations, not including flow control. They are type 0 and coordinate communication; the MAC addresses, SSID, BSSIDs, etc. they carry are their forensic benefit.
Control frames support flow control over the available medium, such as RF. They are type 1 and control the traffic flow.
Data frames encapsulate the layer 3+ data that moves between stations actively engaged in communication over the wireless network. They are type 2 and contain the actual data.
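As an added example (not from the original notes), the following decoder reads the type and subtype out of the 802.11 Frame Control field, assigns the address fields their roles (DA, SA, BSSID) from the ToDS/FromDS flags, and pulls the SSID element out of a beacon, which is exactly the forensic information listed above. The beacon and data frames at the bottom are constructed by hand, not taken from a capture.

```python
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPES = {(0, 0x8): "beacon", (0, 0x4): "probe request", (0, 0x5): "probe response",
            (0, 0xB): "authentication", (0, 0xC): "deauthentication",
            (1, 0xB): "RTS", (1, 0xC): "CTS", (1, 0xD): "ACK",
            (2, 0x0): "data", (2, 0x8): "QoS data"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_80211(frame):
    """Decode the Frame Control field and the address fields of a raw 802.11 MAC frame."""
    fc0, flags = frame[0], frame[1]          # Frame Control: version(2) | type(2) | subtype(4), then flags
    ftype, subtype = (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    info = {"version": fc0 & 0x03, "type": FRAME_TYPES.get(ftype, "reserved"),
            "subtype": SUBTYPES.get((ftype, subtype), f"subtype {subtype}")}
    if ftype == 1:                           # control frames carry only a receiver address (plus TA for RTS)
        info["ra"] = mac_str(frame[4:10])
        return info
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    a1, a2, a3 = (mac_str(frame[i:i + 6]) for i in (4, 10, 16))
    # The role of each address field depends on the ToDS/FromDS flags
    if not to_ds and not from_ds:
        info.update(da=a1, sa=a2, bssid=a3)  # management frames / IBSS: BSSID in address 3
    elif to_ds and not from_ds:
        info.update(bssid=a1, sa=a2, da=a3)  # station -> AP
    elif from_ds and not to_ds:
        info.update(da=a1, bssid=a2, sa=a3)  # AP -> station
    else:
        info.update(ra=a1, ta=a2, da=a3, sa=mac_str(frame[24:30]))  # WDS: four addresses
    if ftype == 0 and subtype in (0x8, 0x5):  # beacon / probe response: SSID element in the body
        body = frame[24 + 12:]                # skip timestamp(8), beacon interval(2), capability(2)
        while len(body) >= 2:
            tag, length = body[0], body[1]
            if tag == 0:                      # element ID 0 = SSID
                info["ssid"] = body[2:2 + length].decode("utf-8", errors="replace")
                break
            body = body[2 + length:]
    return info

# Constructed frames (not from a real capture). Beacon from AP 02:00:00:00:00:01 advertising "LabNet":
AP = bytes.fromhex("020000000001")
BEACON = (bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6 + AP + AP + b"\x00\x00"        # 24-byte header
          + b"\x00" * 8 + b"\x64\x00" + b"\x11\x00" + bytes([0, 6]) + b"LabNet")         # fixed fields + SSID
# Data frame from station 02:00:00:00:00:02 sent to the AP (ToDS=1) for 02:00:00:00:00:03
DATA = (bytes([0x08, 0x01, 0x00, 0x00]) + AP + bytes.fromhex("020000000002")
        + bytes.fromhex("020000000003") + b"\x00\x00")
```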

week 5

The best possible outcome during evidence acquisition is when no footprint is left behind during the acquisition, and the evidence acquired is verified by cryptographic means such as MD5, SHA-512, etc.

Physical interception is capturing packets on the wire where the packets are normally transmitted. There are several tools available for this:
– inline network tap. When a computer connected to an access point (AP) is connected with other devices trying to connect to the same AP, the packets from those devices naturally go through the computer.
– vampire tap. It is used to tap directly into the wire and read the data from it.
– induction coil. This is not available to the public.
– fiber optic glass. This works similarly to an inline tap.
Radio frequency, hubs and switches can also be used to capture packet traffic from the devices connected to them.

There are several software tools that can help with capturing and sniffing packet traffic:
– Wireshark
– tcpdump
– ngrep
– nmap
tcpdump is a Unix tool that works similarly to Wireshark. It is used to capture network traffic over a period of time. Common tcpdump commands:
tcpdump -D lists all available network interfaces
tcpdump -i interface lists all packets captured from the specified network interface
tcpdump -i interface -w filename.pcap saves the captured packets into a pcap file
Wireshark is the GUI version of tcpdump, as it works similarly to tcpdump.

Common interfaces for active acquisition:
– console
– SSH
– telnet
– SNMP
– etc

week 4

In network forensics, it is important to find the appropriate tools necessary to sample, seal, and dissect the acquired evidence. Evidence can be acquired through means such as a pcap file.
Flow analysis is used to identify patterns in the traffic or activity, or to find data in the operating system. One example is the command netstat -an in the command prompt, which shows the list of active connections from the local address.

Wireshark is one of the tools used for flow analysis. It is available for both Windows and Kali Linux; both operating systems can use it to read the packet traffic on the system. With Wireshark, we can clearly see both the source and destination addresses, as well as the payload information; every detail of each captured packet can be seen. Tshark is a similar tool to Wireshark; the only difference is that Wireshark uses a GUI while tshark uses the CLI to capture the traffic.
There are also other tools available for flow analysis:
– tcpflow
– pcapcat (discontinued)
– tcpxtract
Several flow analysis techniques are:
– list conversations and flows
– export a flow
– file and data carving

In file carving, knowing the file extension is important: every file, whether it is a PNG or a GIF, contains data that can be deciphered from its hexadecimal representation.
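As an added example (not from the original notes), this is a small carver for the two formats named above: it scans a raw blob for the PNG and GIF signatures in hex, walks the PNG chunk structure to IEND (checking each chunk CRC, so a stray signature in random data is rejected) and cuts a GIF from its header to its trailer byte. The test blob with a header-only PNG and GIF buried in junk is constructed here.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"              # 89 50 4E 47 0D 0A 1A 0A
GIF_MAGICS = (b"GIF87a", b"GIF89a")

def png_length(data, start):
    """Walk PNG chunks from the signature to IEND; return the file length, or None if malformed."""
    pos = start + len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4            # length(4) + type(4) + data + CRC(4)
        if end > len(data):
            return None
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            return None                       # CRC mismatch: the signature hit was not a real PNG
        pos = end
        if ctype == b"IEND":
            return pos - start
    return None

def carve(data):
    """Return [(offset, kind, bytes)] for every PNG and GIF found in a raw blob."""
    found, i = [], 0
    while i < len(data):
        if data.startswith(PNG_MAGIC, i):
            n = png_length(data, i)
            if n:
                found.append((i, "png", data[i:i + n]))
                i += n
                continue
        elif data.startswith(GIF_MAGICS, i):
            end = data.find(b"\x3b", i + 6)   # GIF trailer; naive, 0x3B can also occur inside image data
            if end != -1:
                found.append((i, "gif", data[i:end + 1]))
                i = end + 1
                continue
        i += 1
    return found

def png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

# Constructed test blob: a header-only 1x1 PNG and a header+trailer GIF buried between junk bytes
TINY_PNG = PNG_MAGIC + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) + png_chunk(b"IEND", b"")
TINY_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"\x3b"
BLOB = b"\x00junk\x00" + TINY_PNG + b"filler" + TINY_GIF + b"tail"
```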
DHCP is a protocol that provides the IP address that connects you to the network. The IP address provided comes with expiration information: the lease expires several hours or minutes after the device stops using it. The expiration time differs from network to network; some use hours, some minutes after the device is turned off. This information is important for proving whether or not the user is a suspect, by checking whether an attack happened within the time they were using that IP address.
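As an added example (not from the original notes), this serves both the lease-time point above and the one in the week 11 notes: it parses lease records written in the style of an ISC dhcpd.leases file and answers "which MAC held this IP at the time of the incident?", including the case where the same IP was leased to two devices on the same day and the case where no lease covers the time at all. The lease file is constructed, not a real server's.

```python
import re
from datetime import datetime

# Constructed sample in the style of an ISC dhcpd.leases file (timestamps in UTC); not from a real server
LEASES_TEXT = """
lease 192.168.1.50 {
  starts 5 2024/03/01 09:00:00;
  ends 5 2024/03/01 10:00:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-a";
}
lease 192.168.1.50 {
  starts 5 2024/03/01 10:30:00;
  ends 5 2024/03/01 11:30:00;
  hardware ethernet 66:77:88:99:AA:BB;
  client-hostname "phone-b";
}
lease 192.168.1.51 {
  starts 5 2024/03/01 09:45:00;
  ends 5 2024/03/01 10:45:00;
  hardware ethernet 00:11:22:33:44:55;
}
"""

LEASE_RE = re.compile(r"lease (?P<ip>\S+) \{(?P<body>.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(starts|ends|hardware ethernet|client-hostname) (.*);", re.M)

def parse_leases(text):
    """Parse lease blocks into dicts with ip, mac, hostname, starts and ends (datetime)."""
    leases = []
    for m in LEASE_RE.finditer(text):
        rec = {"ip": m["ip"], "mac": None, "hostname": None}
        for key, val in FIELD_RE.findall(m["body"]):
            if key in ("starts", "ends"):     # "<weekday> YYYY/MM/DD HH:MM:SS"; drop the weekday number
                rec[key] = datetime.strptime(val.split(" ", 1)[1], "%Y/%m/%d %H:%M:%S")
            elif key == "hardware ethernet":
                rec["mac"] = val.lower()      # normalize case so MACs compare reliably
            else:
                rec["hostname"] = val.strip('"')
        leases.append(rec)
    return leases

def holder_of(leases, ip, at_iso):
    """Who held `ip` at the incident time (ISO string)? Returns [(mac, hostname)]; empty if no lease covers it."""
    at = datetime.fromisoformat(at_iso)
    return [(l["mac"], l["hostname"]) for l in leases
            if l["ip"] == ip and l["starts"] <= at <= l["ends"]]

def addresses_of(leases, mac, at_iso):
    """All IPs a MAC held at the incident time (one device can hold several leases at once)."""
    at = datetime.fromisoformat(at_iso)
    return sorted(l["ip"] for l in leases if l["mac"] == mac.lower() and l["starts"] <= at <= l["ends"])
```

An empty result from holder_of means the lease log cannot place any device on that address at that time, which is itself a finding (clock skew or a statically configured address are the usual reasons).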

Some tools to analyze the higher layers:
– oftcat
– smtpdump
– findsmtpinfo.py
– NetworkMiner

week 2

This week’s topic: we discussed all the possible sources of evidence in the network, which are:
On the wire – inside a network cable (e.g. fibre optic); it can provide real-time network data.
In the air – through radio frequency, for data such as access points (AP) and MAC addresses
Switches – can capture data traffic using packet sniffing
Routers – connect traffic between networks and can act as a packet sniffer
DHCP server – provides data such as the IP address and MAC address of the host device requesting an address
DNS server – can be used to create timelines of the network activity
Authentication server – shows the logs of account attacks, such as failed attempts to brute-force a password
NIDS/NIPS – used to monitor the network traffic in real time
Firewalls – used for packet inspection (forward / backward)
and many more…

Internetworking is about the connection and communication between many networks (2 or more). For internetworking, a link between the networks must be established, routing is needed for the delivery of data packets, accounting keeps track of the status information of the network, and the service must be provided without modification of the network architecture.

For the internet protocol suite, it is necessary to know the concept of the TCP/IP model and to understand the flow of flow record analysis, packet analysis, and web proxy discretion.

week 1

Network forensics is the legal search for evidence in network traffic. As with ‘forensics’ in the medical sense, where the victim / party involved is dissected to search for involvement in a crime, the term is used for finding evidence, information, and detection.

We need network forensics for incident response. When there is a network attack, several questions need to be answered, such as why, how, what, when, and where, to find the root cause and to better prevent future attacks.

There are many sources of evidence from the network that can be taken into account, such as:
– Email
– CCTV
– ISP logs
– Wi-Fi usage history
– etc.

There are 2 investigation methods, OSCAR and TAARA.
– Obtain information: gather information about the incident and the environment where it occurred.
– Strategize: plan from the information obtained and list the priorities.
– Collect evidence: a legally obtained copy of the evidence, according to the law.
– Analyze: using the information and evidence available, list possible explanations and theories.
– Report: write down detailed explanations and facts so that people are able to understand.

– Trigger: the incident that triggered the investigation
– Acquire: identifying and collecting the evidence
– Analysis: produce an explanation of the evidence obtained
– Report: made for the higher-ups to make a plan and take measures based on the facts given
– Action: the actions recommended