Скачать книгу

addition to an understanding of common forensic procedure and evidence handling, you also need a solid understanding of networking. This includes the TCP/IP suite of protocols as well as a number of application protocols. It also includes an understanding of some of the security technology that is commonly in place in enterprise networks like firewalls and intrusion detection systems.

      Because there is currently no end in sight when it comes to computers being compromised by attackers around the world, there is no end in sight for the need for skilled forensics professionals. For forensic investigators without a foundation in network protocols and security technologies, this book intends to address that gap.

      Summary

      Businesses, government agencies, educational institutions, and non-profits are all subject to attack by skilled adversaries. These adversaries are, more and more, well-funded professional organizations. They may be some form of organized crime or they may be nation-states. The objectives of these two types of organizations may be significantly different but the end result is the same – they obtain some sort of unauthorized access to systems and once they are in place, they can be difficult to detect or extricate. This is where forensics professionals come in.

      Forensics is a wide and varied field that has its basis in the legal world. Forensics, in a general sense, is anything to do with court proceedings. For our purposes, while the practice of digital forensics may have some foundation in law enforcement professionals performing investigations as part of criminal proceedings, the skills necessary to perform those investigations cross over to other areas. When it comes to investigations performed within an enterprise rather than by a law enforcement agency, the skills and techniques are the same but there may be differences in how artifacts and evidence are handled. That isn't always the case, of course, because even if you are just looking for the root cause, there is a possibility of what you find being necessary as part of a court case.

      Because there is a possibility that artifacts and evidence may be used in court, it's generally a good idea to make use of cryptographic hashes as well as keeping a chain-of-custody document. These two activities will help you maintain accountability and a historical record of how the evidence and artifacts were handled. This is helpful if you have to refer to the events later on.

      When it comes to working in an organization that isn't law enforcement, you may be asked to perform forensic investigations as part of an incident response. Incident response teams are becoming common practice at all sizes of organization. It's just how any organization has to operate to ensure that they can get back on their feet quickly and efficiently when an attack happens – whether it's someone who has infiltrated the network by sending an infected e-mail or whether it's an attacker who has broken into the web server through a commonly known vulnerability.

      Given the number of organizations around the world that have suffered these attacks, including several highly publicized attacks at Sony, Target, Home Depot, TJ Maxx, and countless others, there is a real need for forensics practitioners who can work with network data. This is because companies are using intrusion detection systems that will generate packet captures surrounding an incident and some organizations will actually perform a wire recording on a continuous basis simply in case an incident takes place. The network is the best place to capture what really happened because the network – the actual wire – can't lie.

      References

      Morgan, Steve. “Help Wanted: 1,00 °Cybersecurity Jobs At OPM, Post-Hack Hiring Approved By DHS.” (Forbes, January 13, 2016.) Retrieved June 22, 2016, from http://www.forbes.com/sites/stevemorgan/2016/01/31/help-wanted-1000-cybersecurity-jobs-at-opm-post-hack-hiring-approved-by-dhs/#3f10bfe12cd2.

      Umberg, Tommy and Cherrie Warden. “Digital Evidence and Investigatory Protocols.” Digital Evidence and Electronic Signature Law Review, 11 (2014). DEESLR, 11(0). doi:10.14296/deeslr.v11i0.2131.

2

      Networking Basics

      In this chapter, you will learn about:

      

What protocols are and how they work

      

The basics of TCP/IP

      

The difference between the OSI model and the TCP/IP architecture

      Sitting at his desk, he was looking for his next target. A couple of quick Google searches and digging through various job sites gave him some ideas but he needed to know more. He was in need of addresses and hostnames and he knew of several places he would be able to locate that information. With just a few commands in his open terminal window he had a number of network addresses that he could start poking at. That gave him a starting point, and a few DNS queries later he had not only network addresses but some hostnames that went along with them. He was also able to get some contact information that could be useful later on.

      Once he had his hostnames and addresses, he could figure out what programs may be listening on the ports that were open at those addresses. He knew that the application layer was where the money was – all of the problems lower down in the stack had long since been corrected, so the best way into a system was going to be through any program that was sitting behind one of those open ports. Once he knew what applications he needed to target, he would be golden and he could make his move. There was so much that he might be able to do with a poorly implemented web application environment, for example. He could just see his bank account growing with all of the credit cards and other information he may be able to steal.

      I wouldn't be doing much of a job of talking about network forensics without going over the basics of networking protocols and where all of the important information about the Internet and all of the networks attached to it is stored. The people who are attacking networks know at least enough to make their way around the Internet and local networks so forensics investigators need to know at least as much as the adversaries do in order to determine what they are doing. Even if the adversary is a piece of malware or someone internal to the company, you'll need to understand how it got to the system and interacted with the applications there.

      We're going to start by talking about what a protocol is. In the course of going deeper into analysis, we'll be talking about protocols a lot so it's important to have a foundation on which to build those later conversations. When we are talking about networking, the different protocols are sometimes best thought about in layers, and that's actually how you will see them represented. There are two conceptual ideas for thinking about the layers of network protocols. One of them is the Open Systems Interconnect (OSI) model, which describes seven layers in its stack. The other is the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, which has only four layers and evolved into a model after it had finally stabilized in its implementation.

      The Internet protocols associated with the Advanced Research Projects Agency (ARPA) and later the Internet Engineering Task Force (IETF) have, almost since the very beginning, been created in an open, collaborative manner. As such, they start as documents that are called requests for comments (RFCs). Understanding these documents can be very useful. If there is ever a question about what you are looking at in practice, you can refer back to the original documentation to look up details about the protocols and standards to see what it is expected to look like.

      The Internet is collaborative because it's a global entity, and as a result a number of interested parties want a say in how it's managed. As a global network, information related to networks and domains is stored a number of places. Knowing where the information is stored and how you can look up that information will provide essential information during the course of an investigation. Once we are done here, you will have a better understanding of how all of the information is stored and where you can get at it.

      Protocols

      To explain what a protocol is, we're going to step out of the world of networking and technology altogether. I can't help but think of the Goldie Hawn movie Protocol when thinking about this topic,

Скачать книгу