Questions and Answers
What is the main focus of ACPO Principle 1?
Under ACPO Principle 2, what is required of a person accessing original data?
What should be done to ensure that evidence remains unchanged according to ACPO Principles?
What describes the responsibility of the person in charge of an investigation according to ACPO Principle 4?
Which location may contain significant digital evidence?
What should you do if the lights on the Wi-Fi Access Point are flashing quickly?
Which of the following is NOT a type of Indicator of Compromise (IoC)?
Which method is used to obtain Indicators of Compromise (IoCs) related to abnormal activity?
What do host-based IoCs typically relate to?
What action can be taken to minimize impacts on an investigation during a residential case?
Study Notes
DF347 Networks Forensics
- Course offered at Al-Balqa Applied University, Semester 1, 2024/2025
- Dates for the week covered: October 27th - 31st, 2024
ACPO Principles (I)
- Principles set by the Association of Chief Police Officers (ACPO) in the UK
- Important guidelines for digital forensic practitioners
- Principle 1: No action taken by law enforcement agencies or their agents should change data that may later be relied upon in court.
- Principle 2: Where a person finds it necessary to access original data, that person must be competent to do so and able to give evidence explaining the relevance and the implications of their actions.
ACPO Principles (II)
- Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved, so that an independent third party can examine those processes and achieve the same result.
- Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to. The principles are guidance rather than statute, but evidence gathered without following them risks being excluded.
- Principles are about data change, original data, audit trail and overall responsibility (COAR).
Digital Evidence on Media Storage
- A computer or storage device can itself be a crime scene.
- Protect the scene and avoid contaminating the evidence.
- Contaminated digital evidence may become unusable in court.
- An image is a snapshot of the data as it was at the moment of acquisition.
- Handle live data with care: merely opening or reading files can alter their modification, access and creation times (MAC times).
- Unless it is necessary, do not handle live data.
Common Digital Evidence Locations
- Undeleted files (expect some inaccurate naming)
- Deleted files
- Windows registry
- Hibernation Files
- Swap Files (often for virtual memory, also known as page files or paging files)
- Temporary Files (.tmp)
- Slack Space
- Browser Caches
- Random Access Memory (RAM)
- RAM contents are lost at power-off, and mission-critical machines cannot be turned off without severe disruption, so volatile data may have to be captured while the system is running.
Copying and Backups
- Copying files usually does not capture all the data an examination needs.
- Standard backup methods are often insufficient for the same reason.
- Operating systems index the file system structure: allocated files and directories.
- Slack, unallocated and deleted space is not indexed, so file-level copies and backups do not capture it.
- Reading and writing files during a copy or backup also updates MAC times, which can contaminate the timeline.
- Most backup methods copy only the data residing in allocated disk space.
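The timeline point above is easy to see on a single file. The following is an added example written for these notes (not code from the course): it creates a constructed file with a fixed, backdated modification time, copies it once with a plain content copy and once with a metadata-preserving copy, and reports which of the MAC times survived. The file name and the chosen timestamp are assumptions for the demonstration.

```python
import os
import shutil
import tempfile
import time

# Constructed sample: the file's modification time is set to a fixed point in
# the past so that any timestamp reset by a copy is easy to spot.
PAST_MTIME = 1_600_000_000  # 2020-09-13T12:26:40Z, chosen for the example


def mac_times(path):
    """Return the modification, access and change times in whole seconds."""
    st = os.stat(path)
    return {
        "modified": int(st.st_mtime),
        "accessed": int(st.st_atime),
        # On Linux st_ctime is the inode change time. It cannot be set by user
        # code, so every copy (and every utime() call) gets a fresh value.
        "changed": int(st.st_ctime),
    }


def compare_copies(workdir):
    """Copy one file with shutil.copy and with shutil.copy2 and report
    which timestamps carried across."""
    original = os.path.join(workdir, "evidence.docx")
    with open(original, "wb") as f:
        f.write(b"constructed document body")
    os.utime(original, (PAST_MTIME, PAST_MTIME))  # backdate atime and mtime

    plain = os.path.join(workdir, "backup_plain.docx")
    shutil.copy(original, plain)         # content only: mtime becomes "now"
    preserved = os.path.join(workdir, "backup_copy2.docx")
    shutil.copy2(original, preserved)    # copystat() carries atime/mtime across

    src, a, b = mac_times(original), mac_times(plain), mac_times(preserved)
    return {
        "plain_mtime_preserved": a["modified"] == PAST_MTIME,
        "copy2_mtime_preserved": b["modified"] == PAST_MTIME,
        # ctime records when the inode last changed; nothing can backdate it,
        # not even on the original, whose metadata we just touched.
        "ctime_backdated": any(x["changed"] == PAST_MTIME for x in (src, a, b)),
        # Reading the original to copy it may bump its atime; whether it does
        # depends on mount options (relatime/noatime), so this is reported only.
        "original_atime_changed_by_copy": src["accessed"] != PAST_MTIME,
    }


def demo():
    with tempfile.TemporaryDirectory() as d:
        return compare_copies(d)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Even the metadata-preserving copy leaves a trace (the change time) that differs from the original, and a plain copy resets the modification time outright; this is why a file-level backup cannot stand in for a forensic image when the timeline matters.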
Bitstream or Forensic Copies
- Bit-for-bit copy of the data on the source medium.
- Captures everything, including hidden and residual data, slack space, swap, unallocated and unused space, and deleted files.
- Copies every disk sector in sequence, whether or not it holds data.
- The aim is a snapshot of the drive identical to the original.
- A 1000 GB drive holding 50 GB of files still produces a 1000 GB raw image (compressed evidence formats can be smaller, but the set of sectors copied is the same).
Data Acquisition
- Static Acquisition: imaging a hard drive from a powered-off system, typically through a write blocker. This is the standard, reliable method because the source data is not altered and the acquisition can be repeated.
- Live Acquisition: copying data from a running computer (often the preferred method, and the only option when a system cannot be shut down). It cannot be repeated exactly, because the data changes while it is being copied. RAM contents are increasingly important but are volatile and carry no timestamps of their own, which makes them harder to place on an investigation timeline.
Imaging Process
- Make two images of the original media.
- One image is the working copy used for analysis.
- The other is the control/library copy, kept as a backup in case of corruption and for disclosure.
- Image to an image file rather than cloning drive to drive where possible; if drive-to-drive imaging is used, the destination medium must be forensically clean (wiped) so that no residual data from earlier use contaminates the copy.
- Verify the integrity of every image against the original (hash the source and each image and compare the values) before any analysis begins.
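As an added example for the two sections above (bitstream copies and the imaging process), and not code from the course, the following script images a constructed "drive" sector by sector, hashing the bytes as they are read, takes a working and a library copy, verifies both against the acquisition hash, and then shows that a single flipped byte in the working copy is caught. The sample drive layout, the 512-byte sector size and the file names are assumptions; a real acquisition would point `image_device` at a block device behind a write blocker.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # copy sector by sector, whether or not the sector holds live data


def image_device(src_path, dst_path, sector=SECTOR):
    """Sequential bit-for-bit copy of src_path to dst_path.

    The acquisition hash is computed over the bytes as they are read, so it
    describes the evidence at the moment of imaging. An unreadable sector is
    zero-filled and its number recorded (what dd's conv=noerror,sync does),
    so the image keeps the geometry of the original."""
    h = hashlib.sha256()
    bad_sectors = []
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        n = 0
        while True:
            try:
                chunk = src.read(sector)
            except OSError:
                bad_sectors.append(n)
                chunk = b"\x00" * sector
                src.seek((n + 1) * sector)
            if not chunk:
                break
            h.update(chunk)
            dst.write(chunk)
            n += 1
    return h.hexdigest(), bad_sectors


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, expected_sha256):
    """Re-hash the image and compare with the recorded acquisition hash."""
    return sha256_file(image_path) == expected_sha256


def acquire(src_path, out_dir):
    """Take two images (working copy and library copy) and verify each
    against the acquisition hash before any analysis starts."""
    working = os.path.join(out_dir, "working.dd")
    library = os.path.join(out_dir, "library.dd")
    acq_hash, bad = image_device(src_path, working)
    second_hash, _ = image_device(src_path, library)
    return {
        "acquisition_sha256": acq_hash,
        "bad_sectors": bad,
        "source_stable": second_hash == acq_hash,  # a live source would differ
        "working_verified": verify_image(working, acq_hash),
        "library_verified": verify_image(library, acq_hash),
    }


def build_sample_drive(path, sectors=64):
    """Constructed 32 KiB 'drive': an allocated file in sectors 0-7, a
    fragment of a deleted file left behind in sector 20, zeros elsewhere."""
    data = bytearray(sectors * SECTOR)
    data[0:8 * SECTOR] = b"A" * (8 * SECTOR)
    data[20 * SECTOR:20 * SECTOR + 16] = b"DELETED-FRAGMENT"
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


def demo():
    d = tempfile.mkdtemp()
    drive = os.path.join(d, "drive.bin")
    size = build_sample_drive(drive)
    result = acquire(drive, d)
    working = os.path.join(d, "working.dd")
    with open(working, "rb") as f:
        image = f.read()
    # The image is as large as the drive, not as large as the live files,
    # and it carries the deleted fragment that a file-level copy would miss.
    result["image_size_equals_drive"] = len(image) == size
    result["fragment_captured"] = b"DELETED-FRAGMENT" in image
    # Flip one byte in the working copy: verification must now fail.
    with open(working, "r+b") as f:
        f.seek(30 * SECTOR)
        f.write(b"x")
    result["tamper_detected"] = not verify_image(working, result["acquisition_sha256"])
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash recorded during acquisition is the reference for every later check; if the source were live and changed between the two passes, `source_stable` would be false, which is the practical meaning of "live acquisition cannot be repeated exactly".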
Computer Networks
- Wired or wireless networks are common in UK homes and businesses, often complex.
- Data relevant for investigation may be stored on various connected devices, both inside and outside the local scene and stored on the internet.
- Devices can transfer data without any human interaction, which can overwrite or alter evidence.
- An unknown third party may be controlling a device remotely and changing data the investigation needs.
- Steps are provided to reduce negative impacts to investigations in most residential cases.
Dealing With the Wi-Fi Access Point
- Locate the Wi-Fi Access Point/Router.
- Read the activity lights: static or intermittently flashing lights suggest little or no network traffic; fast-flashing lights suggest an active transfer, so ask the owner what normally runs on the network.
- In either case, disconnect the telephone/cable/fiber line on the WAN side but leave the router powered on, so that its volatile state (connection tables, DHCP leases, logs) is not lost.
- If the lights keep flashing fast after the line is pulled, a transfer is still taking place on the local network, and the router's power may also need to be disconnected.
Indicator of Compromise (IoC)
- Information that points to a security breach, used by security teams to identify and verify the presence of malicious software or activity.
- An IoC is evidence left behind by an attack.
- IoCs are obtained by observation, analysis and signatures: observing abnormal activity or behaviour in systems or devices, analysing the characteristics of suspicious activity, and matching the signatures of known malicious software.
Types of IoCs (I & II)
- Network-based: malicious IPs, domains, URLs, unusual port activity, network connections to malicious hosts, data exfiltration patterns.
- Host-based: activity on specific host (workstation, server), file names, hashes, registry keys, suspicious processes.
- File-based: malicious files (e.g. malware, scripts).
- Behavioral: unusual network/system activity, unusual logins/authentication attempts, unusual user behavior.
- Metadata: file/document metadata (author, creation date, version information).
Indicators of Attack (IoA)
- An IoA points to the likelihood that an attack is under way, inferred from a specific action or event, rather than to evidence that one has already happened.
- Similar to IoCs but not identical: an IoA signals a high probability of attack, whereas an IoC is evidence that unauthorised access (for example, a data transfer) has already occurred.
- Both are gathered with automated and manual tools that monitor and analyse evidence of cyber attacks.
- IoC procedures should be updated regularly to cover new technologies and emerging attack vectors.
Watching Attacks - Live Demo
- Web links to various cyber threat maps (Kaspersky, Fortinet, Oracle, Digital Attack Map, Checkpoint).
Security Operations Centre (SOC)
- Centralized secure function with people, processes, and technology.
- Constantly monitors, improves, prevents, detects, analyzes, and responds to cybersecurity incidents.
- Functions as a centralized command post over an organization's IT infrastructure, including networks, devices, appliances, and information stores.
- Responsible for the security of the IT infrastructure and data.
Telemetry
- Data collected from a network environment and used to monitor the health, performance, accessibility and security of the network and its components.
- Network issues can be resolved in real-time.
- Threats are identified by collecting context from multiple sources.
- The SOC serves as the correlation point for every logged event, and the SOC must decide how to manage and act upon each instance.
Network Security Monitoring (NSM)
- Collection and analysis of network traffic and endpoint events.
- Detecting and responding to intrusions, and escalating indications and warnings.
- Techniques and tools are used to implement NSM within security operations.
- Identifying suspicious activities across networks and devices using IoCs (e.g., protocol signatures, IP addresses, directory names, file names, persistence mechanisms, logins, usernames, passwords, MD5 checksums).
The NSM Process
- Collection, detection, and response.
- Collection of network traffic and endpoint events using full packet data, session data, statistical data, and alert data.
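Detection is the step where the IoC types listed earlier meet the collected data. The block below is an added example (not code from the course or from any NSM tool): it parses a constructed key=value event log, matches each event against a small constructed IoC set covering the network, host, file and behavioural types from the notes, and summarises the hits by type. The IoC values, host names, log format, the 10 MB upload threshold and the five-failures-in-60-seconds rule are all assumptions made for the demonstration; the behavioural rules are the IoA-style case, since they flag a likely attack rather than a known artefact.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed IoC set, one entry per IoC type from the notes. None of these
# values are real threat intelligence.
IOCS = {
    "network": {"ips": {"203.0.113.45"}, "domains": {"update-check.example"}},
    "host": {
        "processes": {"svch0st.exe"},
        "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    },
    "file": {"sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}},
}

# Constructed log: one workstation shows the whole chain, a second one is benign.
SAMPLE_LOG = r"""
2024-10-28T09:14:02Z auth host=ws-17 user=alice result=fail src=10.0.0.8
2024-10-28T09:14:03Z auth host=ws-17 user=alice result=fail src=10.0.0.8
2024-10-28T09:14:04Z auth host=ws-17 user=alice result=fail src=10.0.0.8
2024-10-28T09:14:05Z auth host=ws-17 user=alice result=fail src=10.0.0.8
2024-10-28T09:14:06Z auth host=ws-17 user=alice result=fail src=10.0.0.8
2024-10-28T09:14:09Z auth host=ws-17 user=alice result=success src=10.0.0.8
2024-10-28T09:15:11Z process host=ws-17 user=alice image=C:\Users\alice\AppData\Roaming\svch0st.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2024-10-28T09:15:12Z registry host=ws-17 key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
2024-10-28T09:16:40Z proxy host=ws-17 dst=203.0.113.45:443 domain=update-check.example bytes_out=52000000
2024-10-28T09:17:00Z proxy host=ws-02 dst=198.51.100.7:443 domain=intranet.example bytes_out=1200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each 'timestamp kind key=value ...' line into a dict."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "kind": m["kind"]}
        ev.update(KV_RE.findall(m["rest"]))
        events.append(ev)
    return events


def epoch(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def match_iocs(events, iocs=IOCS, fail_threshold=5, window_s=60):
    """Return (ioc_type, host, detail) for each event that matches a known
    indicator or a behavioural rule."""
    hits = []
    failures = defaultdict(list)  # (host, user) -> recent failed-login times
    for ev in events:
        host, kind = ev.get("host"), ev["kind"]
        if kind == "proxy":
            ip = ev.get("dst", "").rsplit(":", 1)[0]
            if ip in iocs["network"]["ips"]:
                hits.append(("network", host, f"connection to {ip}"))
            if ev.get("domain") in iocs["network"]["domains"]:
                hits.append(("network", host, f"lookup of {ev['domain']}"))
            if int(ev.get("bytes_out", 0)) > 10_000_000:  # exfiltration pattern
                hits.append(("behavioral", host, f"{ev['bytes_out']} bytes uploaded"))
        elif kind == "process":
            name = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in iocs["host"]["processes"]:
                hits.append(("host", host, f"process {name}"))
            if ev.get("sha256") in iocs["file"]["sha256"]:
                hits.append(("file", host, f"hash {ev['sha256'][:12]}"))
        elif kind == "registry":
            if ev.get("key") in iocs["host"]["registry"]:
                hits.append(("host", host, f"persistence key {ev['key']}"))
        elif kind == "auth" and ev.get("result") == "fail":
            t = epoch(ev["ts"])
            key = (host, ev.get("user"))
            recent = [x for x in failures[key] if t - x <= window_s] + [t]
            failures[key] = recent
            if len(recent) == fail_threshold:  # fire once, on the Nth failure
                hits.append(("behavioral", host,
                             f"{fail_threshold} failed logins for {ev['user']} in {window_s}s"))
    return hits


def summarize(hits):
    """Count hits per IoC type, the view a SOC analyst triages from."""
    return Counter(ioc_type for ioc_type, _, _ in hits)


if __name__ == "__main__":
    for ioc_type, host, detail in match_iocs(parse_log(SAMPLE_LOG)):
        print(f"{ioc_type:10} {host:6} {detail}")
```

Run as a script it lists seven hits, all on ws-17: two network, two host, one file and two behavioural. The order of the hits is itself the story (a brute-forced login, a masquerading binary, a Run-key persistence entry, then a large upload to a known-bad host), which is what correlating host and network telemetry at a single point is meant to surface.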
Network Monitoring & Forensics (by Jim Irving)
- Overview related to previous semester's content for network and host forensics.
- PCAP and flow recap.
- Logs, alerts and how to interpret them.
- SIEM tools and single-point collection within monitoring solutions.
- Introductory concepts of network and host forensics, focused on data types and on working with PCAP data.
- Capturing, interpreting and obtaining network and flow data.
Introduction
- Network forensics: Capturing, recording, and analyzing network events to identify security attacks or issues.
- Course Goal: To provide students with a comprehensive understanding of network forensic data gathering types and low-level concepts for performing network forensics.
- Post-completion, students should be able to plan and execute comprehensive network monitoring programs and use forensic data for investigations.
Benefits
- New capabilities for future projects if unfamiliar with network forensics.
- Seasoned professionals can learn from others.
- The Socratic method facilitates learning.
Disclaimer
- Information presented is strictly informative, not a recommendation, nor an official opinion.
- Use of tools/techniques described requires legal authorization.
References
- Jackson, A. R. W. and Jackson, J. M. (2017). Forensic Science, 4th edition.
- Slides by Dr. Sami Smadi and Jim Irving (CHFI) from previous semesters at BAU.