Use network forensic techniques to gather and analyze evidence on a network attack and provide recommendations to improve network security for an organization
Networks can have a variety of security and defense strategies. Network forensics refers to the capture, recording, and analysis of events that occur on a network in an effort to identify the source of attacks or other incidents. Some organizations have established a robust approach that limits potential exposures, while other organizations may employ a strategy that is open to exploitation. Exploitation can occur within an organization and from outside the organization, with network architecture a significant influence in how dramatically an exploitation manifests.
An investigator may know that reviewing the firewall logs is important, but not know what to look for. Different situations call for looking for different things. There are tools that produce reports from firewall logs and help pinpoint activity of interest. It is possible to make a system attack appear to be nothing more than a simple port scan, which can make detection difficult. A tool such as netstat can provide a picture of the state of network connections on a single system.
As part of an investigation, an examiner may also need to review the various types of protocols allowed on a network. This review can include internal traffic as well as protocols leading out of the network. By narrowing down the list of potential protocols, an examiner may be able also to narrow down the options available to a potential attacker. This can also suggest a potential attacker’s modus operandi, which can provide insight into what needs to be modified from a security perspective.
In this project, you will use network forensic techniques to gather and analyze evidence on a network attack and provide recommendations to improve network security for an organization. The project will be completed in five steps. Steps 1–4 consist of exploring network forensics, analyzing incident response, conducting a network analysis using Wireshark, and examining Wireshark results. As you go through each step, you will document your research and findings about network forensics and a network attack. In the final step, you will compile your research and findings to complete a comprehensive incident response report. This report will summarize the field of network forensics, including attack techniques, attack vectors, and digital forensic tools and procedures for analyzing network traffic to understand how a network attack can occur. This final deliverable will conclude with a comprehensive recommendation for network administrators to follow to harden their network infrastructure.
You will be assessed on your final incident report in which you demonstrate your ability to collect network evidence and evaluate data storage, enterprise architecture, information systems, and network security.
Now that you have an idea of the task ahead, review the scenario to get started.
When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.
3.1: Identify numerical or mathematical information that is relevant in a problem or situation.
3.3: Analyze mathematical or statistical information, or the results of quantitative inquiry and manipulation of data.
6.10: Collect network evidence.
9.1: Examine Data Storage and Transport Technologies.
9.2: Evaluate Enterprise Architecture.
9.6: Evaluate Information Systems/Network Security.
9.7: Evaluate Embedded Computers.
Step 1: Explore Network Forensics
In this case, you have received your assignment from Yvonne, the response team leader. Now it’s time to plan out the steps you will take to
- investigate the existing network protocols
- analyze the network attack
- gather forensic data about the attack
- prepare the incident report, identifying
  - the attacker
  - compromised server and service
  - exploited vulnerability
  - data breached
  - your recommendations to strengthen the organization’s network infrastructure
Begin by looking into how the network attack could have occurred by researching techniques attackers use to infiltrate a network such as denial of service, backdoor, botnet, and brute force. The next step is to examine the latest Network Forensic Analysis Tools (NFAT). Then, you’ll summarize the information you gathered from your research and include it in the first section of the incident report. This summary will provide the leaders in your organization with an understanding of how network attacks happen and how your organization’s security operations team analyzes the network for vulnerabilities.
After you’ve completed your research on network attacks and tools for network analysis, you’re ready to go to the next step: analyzing the organization’s incident response.
Step 2: Analyze the Organization’s Incident Response
Having conducted research on network attacks and network forensic analysis tools, you’re ready to prepare for the investigation on this particular network intrusion. To do this, you’ll learn how to gather network evidence from log files, network/server configuration, user accounts, and network infrastructure.
Once you have gathered the network evidence in this case, you’ll incorporate it into the second section of your final incident report. As with the first section of your report, the audience for this section are the leaders in your organization who’ll need an overview of how the organization’s security team gathers network evidence.
Step 3: Conduct Network Traffic Analysis
Now that your network forensic research and preparations are complete, you’re ready to analyze the compromised network and conduct a network analysis. Based on the tools research you completed in the earlier step, you decide to use the Wireshark tool to analyze the network packet capture. You will conduct packet sniffing with Wireshark to gather information about the attacker, determine the resources that may have been compromised during the attack, and learn how the attacker compromised the resources.
Go to the virtual lab to use Wireshark to analyze network packets and generate a written report. You will need to include screenshots and answers to forensic analysis questions.
Here are some resources that will help you complete the lab:
Accessing the Virtual Lab Environment: Navigating the Workspace and the Lab Setup.
Review the Workspace and Lab Machine Environment Tutorial
Lab Instructions: Conducting Network Traffic Analysis
Self-Help Guide: Workspace: Getting Started and Troubleshooting
Getting Help: To obtain lab assistance, email GraduateCyber@umuc.edu and include:
- Your full name
- Your user ID
- Preferred email
- Your course and section number
- Detailed description of the issue that you are experiencing
- Machine type (PC, tablet, mobile device)
- OS type and version
- Browser type and version
Provide any information related to the issue that you are experiencing and attach any screenshot that you may be able to produce related to the issue.
Additional Lab Support Information:
More lab-related self-help information is available if you register for CLAB 699, our free online graduate Cyber Computing Lab Assistance hub.
Registering for Cyber Computing Lab Assistance
You will incorporate this written report into the third section of your incident report. This section—geared to the leaders, network administrators, and the security operations team in your organization—will provide them with detailed information about the network attack and vulnerabilities the organization needs to address.
Once you have answered the forensic analysis questions in the written report, you are ready to go to the next step: examination of your Wireshark lab results.
Step 4: Examine Wireshark Lab Results
You’ve conducted the network analysis using Wireshark and answered the forensic analysis questions in the written report. Now, you’ll complete a forensic investigation report to document the results of the Wireshark analysis. Your report will include screenshots and analysis of
- packets
- server images
- log review
- user account and privilege escalation
- account weaknesses
You’ll include this forensic investigation report as a part of your final incident report, which you will create in the next step.
Step 5: Prepare and Submit Your Final Incident Report
You are confident that you’ve conducted a comprehensive network investigation and gathered the necessary information about the network attack and how to mitigate future attacks. You combine the results of Steps 1–4 to prepare a final incident report on the compromised network for your organization’s leaders, network administrators, and security operations team.
Your report should include
- a summary of the field of network forensics, including attack techniques, attack vectors, and digital forensic tools and procedures for analyzing network traffic to understand how a network attack can occur (or could have occurred)
- your written report from the Wireshark virtual lab
- your forensic investigation report
- recommendations for network administrators to follow to harden their network infrastructure
When you are finished, submit this final incident report to your organization’s security operations manager (your instructor) using the dropbox below.
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work.
3.1: Identify numerical or mathematical information that is relevant in a problem or situation.
3.3: Analyze mathematical or statistical information, or the results of quantitative inquiry and manipulation of data.
6.10: Collect network evidence.
9.1: Examine Data Storage and Transport Technologies.
9.2: Evaluate Enterprise Architecture.
9.6: Evaluate Information Systems/Network Security.
9.7: Evaluate Embedded Computers.
Please use Google Chrome.
In TCP/IP and UDP networks, a port is an endpoint to a logical connection. The port number indicates what the port is used for. For example, port 80 is used for HTTP traffic. If you run a command such as netstat -n on Microsoft Windows or Linux, you see a listing of the local addresses (and ports) and the foreign addresses (and ports) to which they are connected.
The three categories of TCP and UDP ports are
- Well-known ports: When IP was first being implemented, services that needed specific ports were assigned them gradually, starting from the lowest port numbers and working upward. Ports 0–1023 are considered well-known ports because they were used by many of the core services on Unix servers, and most required privileged permissions on the server to implement. Telnet (23) and Simple Mail Transfer Protocol (SMTP) (25) are two examples of these services.
- Registered ports: The Internet Assigned Numbers Authority (IANA) keeps the list of all services that run on both the well-known ports and on all registered ports. The registration process puts a permanent association in place between the port number and the service. These services are all long-running services and are assigned to ports between 1,024 and 49,151. The Microsoft Remote Desktop Protocol (RDP) (3389) and Network File System (NFS) (2049) are two examples of registered ports.
- Dynamic and/or private ports: All other ports, from 49,152 to 65,535, are referred to as dynamic, or private, ports. These ports are not permanently associated with any service. If you write your own service, you can configure it to use any dynamic port that you want, but someone else may write their own service and use the same port. This will not cause any issue until you install both services on the same IP host, because both are going to want to use the same port, and that is just not possible. It would be like two people having their phones hooked up to the same plug and receptacle at the operator’s office; it is not possible. This problem should not happen, though, if you have a registered port to work with, because the other developer cannot register the same port.
For Wireshark, make sure you access all of the materials:
http://www.eecs.yorku.ca/
https://www.wireshark.org/
I am getting some questions on the scanning tool nmap and what you are looking for in the network trace you are analyzing.
Here is a URL which will help explain some common nmap scans – focus on the TCP connection scans.
Attached are Wireshark tutorials that should help you get through the lab.
If you have a question – ask me. Just be specific – there is not a lot I can do with “I don’t understand Wireshark.” You have to tell me what part of it you do not understand so I can help.
If you have any questions about the coursework or if you are having difficulties in class or outside of class, please make sure you communicate with me. If you do not tell me I have no idea if you are having issues.
I am including several files that may help you understand Registry Forensics and how to locate the data you are being asked to find.
As always, please contact me with your issues.
detecting-security-incidents-
forensic-analysis-windows-
SANS-Digital-Forensics-and-
windows-registry-quick-
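The instructor's note above asks what a TCP connection scan looks like in the trace being analyzed. The following is an added example, not part of the course materials or the attached tutorials, that runs defender-side detection logic over a constructed packet summary: a connect scan completes the three-way handshake (SYN, SYN/ACK, ACK) or receives RST/ACK on each probed port, so in a capture one source touches many destination ports on one host in a short window. The packet records, their field names, and the threshold and window values are all assumptions made for the example; nothing here is Wireshark's own format.

```python
"""Detect a TCP connect scan in a packet summary (added example).

Each packet is a dict with t (seconds), src, sport, dst, dport and a
flags string using Wireshark-style letters: "S" = SYN, "SA" = SYN/ACK,
"A" = ACK, "R" = RST, "RA" = RST/ACK. All records below are constructed.
"""
from collections import defaultdict


def pkt(t, src, sport, dst, dport, flags):
    """Build one constructed packet record."""
    return {"t": t, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": flags}


def make_sample_packets():
    """Constructed capture: 10.0.0.5 probes 15 ports on 10.0.0.20 (22, 80
    and 443 answer SYN/ACK, the rest RST/ACK), followed by one ordinary
    HTTPS connection from a different client."""
    scanner, target = "10.0.0.5", "10.0.0.20"
    open_ports = {22, 80, 443}
    probed = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
              443, 445, 993, 995, 3389]
    packets, t = [], 0.0
    for i, port in enumerate(probed):
        sport = 40000 + i
        packets.append(pkt(t, scanner, sport, target, port, "S"))
        reply = "SA" if port in open_ports else "RA"
        packets.append(pkt(t + 0.001, target, port, scanner, sport, reply))
        if port in open_ports:
            # a connect scan finishes the handshake, then tears it down
            packets.append(pkt(t + 0.002, scanner, sport, target, port, "A"))
            packets.append(pkt(t + 0.003, scanner, sport, target, port, "R"))
        t += 0.05
    # benign client: single connection to the web server
    packets.append(pkt(3.0, "10.0.0.7", 51000, target, 443, "S"))
    packets.append(pkt(3.001, target, 443, "10.0.0.7", 51000, "SA"))
    packets.append(pkt(3.002, "10.0.0.7", 51000, target, 443, "A"))
    return packets


def detect_connect_scans(packets, threshold=10, window=5.0):
    """Return {(scanner, target): finding} for every source that sent SYNs to
    at least `threshold` distinct ports on one host within `window` seconds.
    Threshold and window are assumed tuning values, not a standard."""
    syns = defaultdict(list)      # (src, dst) -> [(t, dport)]
    replies = defaultdict(dict)   # (scanner, target) -> {probed port: flags}
    for p in packets:
        if p["flags"] == "S":
            syns[(p["src"], p["dst"])].append((p["t"], p["dport"]))
        elif p["flags"] in ("SA", "RA"):
            # reply travels target -> scanner; its source port is the probed port
            replies[(p["dst"], p["src"])][p["sport"]] = p["flags"]

    findings = {}
    for key, events in syns.items():
        events.sort()
        best, start = 0, 0
        # sliding window over SYN times: largest burst of distinct ports
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({port for _, port in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            ports = sorted({port for _, port in events})
            resp = replies.get(key, {})
            findings[key] = {
                "ports_probed": ports,
                "open": [p for p in ports if resp.get(p) == "SA"],
                "closed": [p for p in ports if resp.get(p) == "RA"],
                "burst": best,
            }
    return findings


if __name__ == "__main__":
    for (src, dst), f in detect_connect_scans(make_sample_packets()).items():
        print(f"{src} -> {dst}: {len(f['ports_probed'])} ports probed, "
              f"open={f['open']}, closed={len(f['closed'])}")
```

Reading the result the way the lab questions ask: the key is the scanning host, the target is the host whose services were enumerated, and the "open" list is what the scanner learned; the benign client never reaches the threshold because it contacts a single port.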
You may have noticed that the Lab Assistance Call Out Box in Projects 1, 2, 3, 4 contains a reference to CLAB 699.
We are working to have that 699 reference removed and the following substituted:
For easy reference, I have listed the location of the affected Call Out Boxes:
DFC 640 Call Out Boxes
- Project 1, Step 3:
- Project 2, Step 1:
- Project 2, Step 3:
- Project 3, Step 1:
- Project 3, Step 3:
- Project 3, Step 4:
- Project 3, Step 5:
An IP address is the address of the layer-3 IP protocol. The IP address is a logical 32-bit address which is used to determine the destination of a data packet (datagram). The IP address identifies the source and destination networks, which allows the datagram to flow accordingly along the specified route.
Version 4 of the Internet Protocol (IPv4) defines an IP address as a 32-bit number. However, because of the growth of the Internet and the depletion of available IPv4 addresses, a new version of IP (IPv6), using 128 bits for the IP address, was developed in 1995 and standardized as RFC 2460 in 1998.
Ports are represented by 16-bit numbers. Hence ports range from 0–65,535. The port numbers from 0–1023 are restricted because they are reserved for the use of well-known protocol services such as HTTP and FTP. In a network, the endpoints through which two hosts communicate with each other are identified as ports.
Both the IP address and the port number have an essential role to play in the networking and application domain. The differences between the two are listed in the table below.
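As an added example, not part of the course materials, the following code ties together the netstat -n and port-category passage earlier on the page and the IP address and port passage just above: it parses constructed netstat -n output (Windows-style and Linux-style rows, IPv4 and bracketed IPv6 endpoints, wildcard foreign addresses), splits each endpoint into its IP address and 16-bit port, and classifies each port into the well-known, registered, or dynamic range. The inbound/outbound guess from port categories is a heuristic of this example, not a rule from the page, and the sample output is constructed.

```python
"""Parse netstat -n rows and classify ports by IANA range (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Union

# Constructed netstat -n output: Windows-style rows (Proto/Local/Foreign/State)
# followed by Linux-style rows (Proto/Recv-Q/Send-Q/Local/Foreign/State).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:51000         93.184.216.34:443      ESTABLISHED
  TCP    10.0.0.5:3389          10.0.0.77:52211        ESTABLISHED
  TCP    10.0.0.5:50234         10.0.0.99:55555        ESTABLISHED
  TCP    [::1]:445              [::1]:49812            TIME_WAIT
  UDP    0.0.0.0:123            *:*
tcp        0      0 10.0.0.5:22             10.0.0.77:52212         ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
"""

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
PROTOS = {"tcp", "udp", "tcp6", "udp6"}


def port_category(port: int) -> str:
    """IANA ranges as described on the page: 0-1023 well-known,
    1024-49151 registered, 49152-65535 dynamic/private."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of 16-bit range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def split_endpoint(endpoint: str):
    """'10.0.0.5:51000', '[fe80::1%12]:443', ':::80' or '*:*' -> (ip, port).
    A wildcard host or port yields None for that half."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    host = host.split("%", 1)[0]          # drop IPv6 zone index
    ip = None if host == "*" else ipaddress.ip_address(host)
    return ip, (int(port) if port.isdigit() else None)


@dataclass
class Connection:
    proto: str
    local_ip: Optional[IPAddr]
    local_port: Optional[int]
    foreign_ip: Optional[IPAddr]
    foreign_port: Optional[int]
    state: str

    def direction(self) -> str:
        """Heuristic (assumption of this example): the side using a dynamic
        port is the client, the side on a well-known/registered port the server."""
        if self.local_port is None or self.foreign_port is None:
            return "n/a"
        lc, fc = port_category(self.local_port), port_category(self.foreign_port)
        if lc != "dynamic" and fc == "dynamic":
            return "inbound"
        if lc == "dynamic" and fc != "dynamic":
            return "outbound"
        return "ambiguous"


def parse_netstat(text: str):
    """Accept both Windows and Linux netstat -n row layouts; skip headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() not in PROTOS:
            continue
        if len(parts) >= 5 and parts[1].isdigit() and parts[2].isdigit():
            local, foreign, rest = parts[3], parts[4], parts[5:]   # Linux: Recv-Q Send-Q
        else:
            local, foreign, rest = parts[1], parts[2], parts[3:]   # Windows
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        rows.append(Connection(parts[0].lower(), lip, lport, fip, fport,
                               rest[0] if rest else ""))
    return rows


def established_by_direction(rows):
    """Count ESTABLISHED connections by the heuristic direction."""
    return Counter(c.direction() for c in rows if c.state == "ESTABLISHED")


if __name__ == "__main__":
    for c in parse_netstat(SAMPLE_NETSTAT):
        fcat = port_category(c.foreign_port) if c.foreign_port is not None else "-"
        print(f"{c.proto:5} {c.local_ip}:{c.local_port} -> {c.foreign_ip}:{c.foreign_port}"
              f" [{fcat}] {c.state or '-'} {c.direction()}")
    print(established_by_direction(parse_netstat(SAMPLE_NETSTAT)))
```

The row where both sides sit in the dynamic range is reported as ambiguous rather than guessed, which is the case an examiner reviewing netstat output for a system under investigation would want to look at by hand.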