issa digital forensics
IPv4
Internet Protocol version 4 - 32-bit address written as octets, each between 0 and 255. Three network classes (A, B, C); subnetting; CIDR
IPv6
Internet Protocol version 6 - 128-bit address written in hexadecimal
OSI Model
Open Systems Interconnection model:
application
presentation
session
transport
network
data link
physical
HTTP messages
hypertext transfer protocol messages:
GET - request to read
HEAD - request to read the head section
PUT - request to write
POST - request to append
DELETE - remove
LINK - connect two existing resources
UNLINK - opposite of link
network packet
data sent across the network divided into header, payload, and footer
packet headers
headers put on by every layer of OSI model
packet payload
body or information content of a packet - may be padded with zeros if fixed length is needed
packet trailer/footer
contains error checking data - part of the ethernet, Point to point protocol(PPP), or other layer 2 protocol
ports
channel in which communication can occur - 65635 possible ports
DOS
Denial of service - attacker floods network with malicious packets to prevent legitimate network traffic
ping of death
Attacker sends an Internet Control Message Protocol (ICMP) echo packet of a larger size than the target machine can accept
ping flood
send a lot of ICMP packets to the target to overwhelm
teardrop attack
attacker sends fragments of packets with bad values
SYN Flood
sends unlimited SYN requests and never responds
land attack
sends a fake TCP SYN packet with the same source as the destination
smurf attack
uses a single request to generate a large number of ICMP echo requests as an amplifier, causing a traffic jam (similar to fraggle)
DHCP starvation
DOS attack that exhausts the DHCP server so it has no address space left
HTTP Post attack
attacker sends a POST request with the content-length and then sends the actual message at a slow rate, causing the server to hang
PDOS
permanent denial of service also called phlashing
login DOS
overload the login process by continuously sending requests
packet mistreating
compromised router mishandling packets
Sniffer
intercepts and logs network traffic, e.g. WinDump and TcpDump
wireshark
sniffer and protocol analyzer
Nmap
maps which ports are open and running (CLI); the GUI interface is Zenmap
types of logs
authentication, application, operating system event, network device, security event
WEP
Wired Equivalent Privacy - secures data with the RC4 stream cipher - no longer recommended
WPA
Wi-Fi Protected Access uses Temporal Key Integrity Protocol (TKIP) with a 128-bit packet key. Successors: WPA2 and WPA3. In WPA3, open networks are encrypted
network card
enables computer to connect to a network
Hub
connects computers on a LAN and sends every packet out all ports
Switch
uses MAC addresses to direct traffic
Router
connects different logical networks and allows traffic to pass between them
packet filter
permits/denies packets based on rules “screened firewall”
stateful packet inspection
examines all packets and considers previous packets when deciding whether to permit
well known ports
0 to 1023
registered ports
1024 to 49151
dynamic ports
49152 to 65535