Digital Evidence Sources: sFlow and IPFIX Exam 212-82 PDF
Uploaded by barrejamesteacher
Summary
This document, an excerpt from the Computer Forensics module of the Certified Cybersecurity Technician course (Exam 212-82), introduces four digital evidence sources: the sFlow and IPFIX network flow protocols, vulnerability scan output, and protocol analyzer output. It describes how each works, what it can and cannot prove, and which tools investigators use to collect and analyze it.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Computer Forensics
Digital Evidence Sources: sFlow and IPFIX

Slide summary:
- sFlow is a sampling protocol that randomly samples packets instead of flows; the packet samples are transmitted as UDP datagrams to the monitoring station, known as the collector.
- It provides visibility into individual packets, which lets investigators check whether a file carried a malicious script or was corrupted in transit.
- Internet Protocol Flow Information Export (IPFIX) serves the same purpose as NetFlow, but it is not backwardly compatible with NetFlow. It does support bi-directional flows.
- Investigators can run several metering processes using IPFIX; each creates flow records by gathering packets at an observation point and then filters and accumulates information about those packets.
- Slide diagram: sFlow Agents/sFlow-enabled Devices -> sFlow Collectors -> sFlow Analyzer (web portal displaying the metrics).

Digital Evidence Sources: sFlow
sFlow is a sampling protocol that randomly samples packets (1 in N, where N is the configured sampling rate) rather than tracking every flow; the sampled packet headers are transmitted as UDP datagrams to a monitoring station known as the collector. Because it ships the leading bytes of real packets rather than only flow summaries, it gives visibility inside individual packets, which can help an investigator decide whether a file carried a malicious script or was corrupted in transit. Two limits matter for evidence handling: only a sampled subset of packets is exported, and only the first bytes of each sampled packet (the headers and a little payload) are included, so sFlow cannot reconstruct a complete file and its traffic counts are statistical estimates. What it reliably tells the investigator is which hosts, protocols and volumes were involved, and therefore where full packet capture is needed. Alongside packet sampling, sFlow agents also poll interface counters at a configured time interval (counter sampling), so administrators tune both the packet sampling rate and the polling interval. sFlow is a vendor-neutral industry standard (sFlow version 5, published by sFlow.org) that can be implemented on almost any switch or router.

It consists of sFlow agents (embedded in a network switch or router) that take the packet samples, gather interface statistics, and forward both to the collector. Real-time sFlow data are continuously displayed at the sFlow analyzer, which provides detailed visibility over the network and facilitates monitoring and management. Investigators can use tools such as SolarWinds Real-Time NetFlow Analyzer, ManageEngine NetFlow Analyzer, and Intermapper to collect and analyze real-time NetFlow and sFlow data.

Figure 20.5: Working of sFlow (sFlow Agents/sFlow-enabled Devices -> sFlow Collectors -> sFlow Analyzer, a web portal displaying the metrics)

Module 20 Page 2239 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Digital Evidence Sources: IPFIX
Internet Protocol Flow Information Export (IPFIX) is an IETF industry standard (RFC 7011) based on NetFlow version 9. It serves the same purpose as NetFlow; however, it is not backwardly compatible with NetFlow (IPFIX messages carry version number 10, and a NetFlow v9 collector will not decode them). It supports bi-directional flow records (RFC 5103), in which one record carries the counters for both directions of a conversation. It exports information about traffic flows from a network device. In IPFIX terminology, a metering process at an observation point creates flow records by grouping the packets it observes, filtering them and accumulating per-flow information such as packet and byte counts and timestamps; an exporting process then sends those records, over SCTP, TCP or UDP, to a collector, where investigators query them. IPFIX is template-based: every data record is laid out according to a template the exporter sent earlier, so the collector must receive, and the investigator must preserve, the template records or the flow data cannot be decoded. Like all flow data, IPFIX records establish who communicated with whom, when, over which ports and with how much traffic, but not what was said; payload questions need packet capture. Investigators can use tools such as SolarWinds Real-Time NetFlow Analyzer and ManageEngine NetFlow Analyzer to analyze IPFIX, and nProbe as an IPFIX traffic probe.
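The sFlow passage above says the collector sees only 1-in-N packets, so everything it reports is an estimate. The following is an added example written for this page, not code from the course or from any of the tools it names: it parses constructed Ethernet/IPv4/TCP headers of the kind an sFlow agent ships, groups them by 5-tuple, scales the counts by the sampling rate, and attaches the sFlow.org rule-of-thumb error bound (relative error at 95 % confidence is about 196 * sqrt(1/c) percent, c being the number of samples for that flow). The sample headers, the sampling rate of 1024 and the addresses are all constructed for the example.

```python
"""Estimate per-flow traffic from sFlow-style packet samples (constructed example)."""
import math
import struct
from collections import defaultdict


def build_sample(src, dst, sport, dport, frame_len):
    """Construct a minimal Ethernet+IPv4+TCP header as an agent would sample it.
    Test input only: the MACs, sequence numbers and flags are placeholders."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, frame_len - 14, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp


def five_tuple(header):
    """Return ((src, dst, proto, sport, dport), frame_len) for an IPv4 sample, else None."""
    if header[12:14] != b"\x08\x00":          # only IPv4 is handled in this example
        return None
    ihl = (header[14] & 0x0F) * 4
    total_len = struct.unpack("!H", header[16:18])[0]
    proto = header[23]
    src = ".".join(map(str, header[26:30]))
    dst = ".".join(map(str, header[30:34]))
    l4 = 14 + ihl
    if proto in (6, 17):                      # TCP/UDP carry ports in the first 4 bytes
        sport, dport = struct.unpack("!HH", header[l4:l4 + 4])
    else:
        sport, dport = 0, 0
    return (src, dst, proto, sport, dport), total_len + 14


def estimate_flows(samples, sampling_rate):
    """Scale sampled packets to estimated totals per flow and attach the error bound."""
    flows = defaultdict(lambda: {"samples": 0, "packets": 0, "bytes": 0})
    for hdr in samples:
        parsed = five_tuple(hdr)
        if parsed is None:
            continue
        key, frame_len = parsed
        f = flows[key]
        f["samples"] += 1
        f["packets"] += sampling_rate            # each sample stands for N packets
        f["bytes"] += frame_len * sampling_rate
    for f in flows.values():
        # sFlow.org rule of thumb: %error <= 196 * sqrt(1/c) at 95 % confidence
        f["error_pct"] = round(196.0 * math.sqrt(1.0 / f["samples"]), 1)
    return {k: dict(v) for k, v in flows.items()}


# Constructed sample set: 8 samples of one HTTPS flow, 2 of an HTTP flow, 1 IPv6 frame.
SAMPLES = (
    [build_sample("10.0.0.5", "203.0.113.7", 51000, 443, 1500)] * 8
    + [build_sample("10.0.0.9", "203.0.113.7", 51001, 80, 600)] * 2
    + [b"\x00" * 12 + b"\x86\xdd" + b"\x00" * 40]
)
SAMPLING_RATE = 1024

if __name__ == "__main__":
    for key, est in estimate_flows(SAMPLES, SAMPLING_RATE).items():
        print(key, est)
```

The error column is the point for an examiner: the flow with two samples carries a bound of roughly 139 %, so its byte count is barely more than a hint, while the eight-sample flow is within about 69 %. Neither is a count that should be quoted as exact in a report.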
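To make the IPFIX points concrete (version 10 header, template-before-data, and RFC 5103 bi-directional records), here is an added example that is not part of the course material: a minimal IPFIX message parser plus a constructed export message. It handles the Template Set (set ID 2), enterprise-specific fields (the enterprise bit and PEN 29305, which RFC 5103 uses for reverse-direction counters), and fixed-length Data Sets; it does not handle Options Templates or variable-length fields. The addresses, counters and observation domain are constructed, and the small Information Element table is an assumption limited to the IEs the example uses.

```python
"""Minimal IPFIX (RFC 7011) parser with RFC 5103 reverse-direction support (constructed example)."""
import struct

# Subset of IANA IPFIX Information Elements used here (id -> name).
IANA_IE = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
           7: "sourceTransportPort", 8: "sourceIPv4Address",
           11: "destinationTransportPort", 12: "destinationIPv4Address"}
REVERSE_PEN = 29305   # RFC 5103: same IE id under this PEN = reverse direction


def ie_name(ie_id, pen):
    base = IANA_IE.get(ie_id, f"ie{ie_id}")
    if pen == REVERSE_PEN:
        return "reverse" + base[0].upper() + base[1:]
    return base if pen is None else f"pen{pen}.ie{ie_id}"


def decode_value(name, raw):
    if "IPv4Address" in name:
        return ".".join(map(str, raw))
    return int.from_bytes(raw, "big")


def parse_ipfix(message, templates=None):
    """Parse one IPFIX message; returns (records, templates).
    `templates` persists across messages, since a template may arrive earlier."""
    templates = {} if templates is None else templates
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", message[:16])
    if version != 10:
        raise ValueError("not an IPFIX message (version != 10)")
    records, offset = [], 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", message[offset:offset + 4])
        body = message[offset + 4:offset + set_len]
        if set_id == 2:                              # Template Set
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
                if count == 0:                       # zero padding at end of set
                    break
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
                    pen = None
                    if ie & 0x8000:                  # enterprise bit: PEN follows
                        ie &= 0x7FFF
                        pen = struct.unpack("!I", body[pos:pos + 4])[0]; pos += 4
                    fields.append((ie_name(ie, pen), flen))
                templates[tid] = fields
        elif set_id >= 256:                          # Data Set
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError(f"data set {set_id} arrived before its template")
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + rec_len <= len(body):
                rec = {}
                for name, flen in fields:
                    rec[name] = decode_value(name, body[pos:pos + flen]); pos += flen
                records.append(rec)
        offset += set_len
    return records, templates


def build_message():
    """Construct a test export: template 256 for a bidirectional flow, then two records."""
    specs = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8), (2, 8),
             (1 | 0x8000, 8, REVERSE_PEN), (2 | 0x8000, 8, REVERSE_PEN)]
    tmpl = struct.pack("!HH", 256, len(specs))
    for spec in specs:
        tmpl += struct.pack("!HH", spec[0], spec[1])
        if len(spec) == 3:
            tmpl += struct.pack("!I", spec[2])
    template_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, octets, pkts, r_octets, r_pkts):
        return (bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
                + struct.pack("!HHBQQQQ", sport, dport, 6, octets, pkts, r_octets, r_pkts))

    data = (rec("192.0.2.10", "198.51.100.20", 49152, 443, 5200, 40, 81000, 60)
            + rec("192.0.2.11", "198.51.100.20", 49153, 22, 1800, 12, 2400, 10))
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    body = template_set + data_set
    return struct.pack("!HHIII", 10, 16 + len(body), 1700000000, 1, 42) + body


if __name__ == "__main__":
    for r in parse_ipfix(build_message())[0]:
        print(r)
```

The `templates` dictionary is the state an investigator must keep: if the capture starts after the exporter sent its templates, every data set raises "arrived before its template", which is exactly the failure mode the passage warns about.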
Digital Evidence Sources: Vulnerability Scan Output

Slide summary:
- Vulnerability scan reports consist of detected vulnerabilities, bugs, and configuration weaknesses that could be exploited to launch cyberattacks.
- The output of a vulnerability scan acts as an important evidence source during a forensic investigation.
- It indicates how the attack might have been performed by mapping the identified vulnerabilities against an exploit database.
- Slide image: Nessus Scan Report template (https://www.tenable.com).

After vulnerability scanning, the next phase is the generation of the scan results in the form of a report. This report consists of detected vulnerabilities, bugs, and configuration weaknesses that could be exploited to launch cyberattacks. The scan results can sometimes show that a system has already been compromised, for example when a plugin detects a known backdoor or rogue service on the target, but a vulnerability scanner is not an intrusion detection tool: most findings describe exposure, not proof of exploitation. The report allows security teams to analyze the findings and perform remediation to reduce future risk by applying patches and fixing configuration issues. Depending on the size and infrastructure of the scanned organization, the report can be limited to a set of high-risk elements. Consider the following Nessus scan report; it can be generated for specific elements such as all systems, assets, IP addresses, hosts, or repositories, which could suffer damage if the vulnerabilities are present. Limiting the scope to specific elements helps forensic experts review the security-relevant concerns more easily. The output of a vulnerability scan is therefore an important evidence source during a forensic investigation: it indicates how the attack might have been performed by mapping the identified vulnerabilities against an exploit database (for example, via the exploitability and CVE fields attached to each finding). Two caveats belong in the examiner's notes: the scan timestamp relative to the incident (a scan taken before the intrusion shows what was exposed at the time, while one taken afterwards may reflect post-compromise changes), and the fact that a vulnerability being present does not by itself prove it was exploited; corroborate with host logs or network evidence.
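An examiner rarely reads the rendered report; the raw export is what gets attached to the case file. As an added example that is not from the course or from Tenable, here is a parser for the fields the report template above lists (plugin ID, name, family, severity, protocol, port, exploitability, CPE, plugin output, plus the per-host IP, NetBIOS name and scan start/end times), working on a constructed `.nessus` v2 export. It then narrows the findings to exploitable, high-severity ones, the subset worth mapping against an exploit database. The host, plugin IDs, CVE identifiers and timestamps are placeholders constructed for the example, and the element and attribute names follow the `.nessus` v2 layout as an assumption rather than a vendor specification quoted here.

```python
"""Extract forensic evidence fields from a constructed .nessus v2 export (added example)."""
import xml.etree.ElementTree as ET

# Constructed export: one host, three findings. IDs, CVEs and times are placeholders.
NESSUS_XML = """<NessusClientData_v2>
<Report name="constructed-example">
<ReportHost name="192.0.2.15">
<HostProperties>
<tag name="host-ip">192.0.2.15</tag>
<tag name="netbios-name">FILESRV01</tag>
<tag name="HOST_START">Mon May 10 19:01:00 2015</tag>
<tag name="HOST_END">Mon May 10 19:20:00 2015</tag>
</HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="100001"
 pluginName="Constructed critical SMB finding" pluginFamily="Windows">
<exploit_available>true</exploit_available>
<cve>CVE-0000-0001</cve>
<cpe>cpe:/o:example:os</cpe>
<plugin_output>Constructed output: service unpatched</plugin_output>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="100000"
 pluginName="Constructed scan information" pluginFamily="Settings">
<plugin_output>Scan duration : 1140 sec</plugin_output>
</ReportItem>
<ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="100002"
 pluginName="Constructed medium web finding" pluginFamily="Web Servers">
<exploit_available>false</exploit_available>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per host with its properties and a list of findings."""
    hosts = []
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): t.text for t in rh.iter("tag")}
        findings = []
        for item in rh.iter("ReportItem"):
            findings.append({
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "family": item.get("pluginFamily"),
                "severity": int(item.get("severity", "0")),   # 0 info .. 4 critical
                "protocol": item.get("protocol"),
                "port": int(item.get("port", "0")),
                "exploit_available": (item.findtext("exploit_available") or "false") == "true",
                "cves": [c.text for c in item.findall("cve")],
                "cpe": item.findtext("cpe"),
                "output": item.findtext("plugin_output"),
            })
        hosts.append({"name": rh.get("name"), "ip": props.get("host-ip"),
                      "netbios": props.get("netbios-name"),
                      "scan_start": props.get("HOST_START"),
                      "scan_end": props.get("HOST_END"),
                      "findings": findings})
    return hosts


def severity_summary(host):
    """Count findings per severity level, as the report's per-host summary does."""
    counts = {s: 0 for s in range(5)}
    for f in host["findings"]:
        counts[f["severity"]] += 1
    return counts


def exploitable_findings(hosts, min_severity=3):
    """Findings an attacker could plausibly have used: exploit available and severe enough."""
    out = []
    for h in hosts:
        for f in h["findings"]:
            if f["severity"] >= min_severity and f["exploit_available"]:
                out.append((h["ip"], f["port"], f["protocol"], f["plugin_id"], f["cves"]))
    return out


if __name__ == "__main__":
    hosts = parse_nessus(NESSUS_XML)
    print(severity_summary(hosts[0]))
    print(exploitable_findings(hosts))
```

The `scan_start` and `scan_end` values are the ones to compare against the incident timeline before drawing conclusions from the findings; the CVE list from `exploitable_findings` is what gets cross-referenced with exploit databases and with the artifacts found on the host.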
Nessus Scan Report template (tenable.sc, Add Report Template)
Chapters: About This Report; Executive Report; Vulnerabilities by Host.
Description: By knowing which vulnerabilities affect hosts on the network, security teams can focus their mitigation efforts more effectively. This report provides data about vulnerabilities detected on the network. Charts illustrate the ratio of vulnerability severities and list the most vulnerable hosts by vulnerability score. An iterator is used to provide detailed information on each host scanned. For each host, the IP address, DNS name, NetBIOS name, MAC address, vulnerability total, and last scanned time are listed. A severity summary of each host shows how many vulnerabilities of each severity level impact that host. Detailed information about every vulnerability detected on that host is listed, including plugin ID, plugin name, plugin family, severity, protocol, port, exploitability, host CPE, plugin text, first discovered, and last seen times. Security teams can use this extensive data in order to identify vulnerabilities in their network and tailor their mitigation efforts accordingly.
Focus: All Systems / Assets / IPs or DNS Names / Repositories. Category: Threat Detection & Vulnerability Assessments. Created: May 10, 2015 19:01. Updated: Dec 22, 2015 17:45. Requirements: nessus. Tags: getting started, vulnerability.
Figure 20.6: Screenshot of Nessus vulnerability scan report

Digital Evidence Sources: Protocol Analyzer Output

Slide summary:
- Security solutions such as SIEM capture the network traffic from every corner of the network and aggregate the packets for analysis with protocol analyzers.
- The results of protocol analyzers can be used to troubleshoot network issues, identify the behavioral patterns of an entity by reviewing the protocols it uses, and identify and restrict the protocols used by malicious IPs.
- Slide image: conversation view (Source, Destination, Application, Port, Protocol, DSCP, Traffic) from https://www.manageengine.com.

A network protocol analyzer is used to analyze the packets transmitted across an organization's network. Some organizations have a Security Operations Center (SOC) that monitors their networks using SIEM tools. They capture network traffic from every corner of the network and aggregate the packets for analysis with protocol analyzers. The output of a protocol analyzer can be used to troubleshoot network issues, identify the behavioral patterns of an entity by reviewing the protocols it uses, and identify and restrict the protocols used by malicious IPs. Network packets carrying malicious software (malware) can also be extracted from a capture for analysis, provided full packet payloads were captured; a flow or conversation summary identifies that a transfer took place but does not preserve the file.
As shown in the screenshot, ManageEngine NetFlow Analyzer presents the captured traffic as a conversation table with the source and destination IP addresses, the application, the port number, the protocol, the DSCP marking, and the traffic volume. Strictly, NetFlow Analyzer is a flow collector rather than a packet-level protocol analyzer such as Wireshark: it summarizes conversations rather than displaying the contents of each packet, so for payload-level questions the investigator still needs a packet capture.

Figure 20.7: Screenshot of ManageEngine NetFlow Analyzer output (Dashboard > Inventory > interface GigabitEthernet0/1, Conversation tab, last hour; columns: Source, Destination, Application, Port, Protocol, DSCP, Traffic, Show Graph; one constructed row per conversation, each showing the "Default" DSCP class and a traffic volume of 1,000 KB)
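The two analysis tasks the passage names, profiling an entity by the protocols it uses and working out which protocols to restrict for malicious IPs, can be done directly on a conversation table like the one in Figure 20.7. This is an added example written for this page, not ManageEngine's code or output: the conversation rows, the baseline of approved applications and the single malicious IP are all constructed, and the column layout (source, destination, application, port, protocol, bytes) is the figure's, with DSCP omitted.

```python
"""Behavioural profiling over a conversation table (constructed example)."""
from collections import defaultdict

# Constructed conversations: (source, destination, application, port, protocol, bytes).
CONVERSATIONS = [
    ("192.0.2.10", "198.51.100.5", "HTTPS", 443, "TCP", 120_000),
    ("192.0.2.10", "198.51.100.5", "HTTPS", 443, "TCP", 80_000),
    ("192.0.2.10", "203.0.113.9", "DNS", 53, "UDP", 1_200),
    ("192.0.2.11", "198.51.100.5", "SSH", 22, "TCP", 9_000),
    ("192.0.2.11", "203.0.113.9", "DNS", 53, "UDP", 900),
    ("192.0.2.12", "203.0.113.44", "GRE", 0, "GRE", 4_000_000),
    ("192.0.2.12", "203.0.113.44", "IRC", 6667, "TCP", 15_000),
    ("203.0.113.44", "192.0.2.12", "HTTP", 80, "TCP", 2_000),
]
BASELINE_APPS = {"HTTPS", "DNS", "SSH", "HTTP"}   # applications normally seen on this segment
MALICIOUS_IPS = {"203.0.113.44"}                   # constructed threat-intel hit


def protocol_profile(conversations):
    """Per-source view of which (application, protocol, port) it used and how many bytes."""
    profile = defaultdict(lambda: defaultdict(int))
    for src, _dst, app, port, proto, nbytes in conversations:
        profile[src][(app, proto, port)] += nbytes
    return {src: dict(apps) for src, apps in profile.items()}


def unusual_protocols(profile, baseline):
    """Entities whose protocol mix falls outside the baseline, with the offending applications."""
    result = {}
    for src, apps in profile.items():
        odd = sorted({app for (app, _proto, _port) in apps if app not in baseline})
        if odd:
            result[src] = odd
    return result


def malicious_ip_protocols(conversations, bad_ips):
    """Protocol/port combinations seen to or from malicious IPs: candidates for blocking."""
    rules = set()
    for src, dst, app, port, proto, _ in conversations:
        if src in bad_ips or dst in bad_ips:
            peer = dst if dst in bad_ips else src
            rules.add((peer, proto, port, app))
    return sorted(rules)


def internal_talkers_to(conversations, bad_ips):
    """Internal hosts that exchanged traffic with malicious IPs (the next hosts to examine)."""
    hosts = set()
    for src, dst, *_ in conversations:
        if dst in bad_ips:
            hosts.add(src)
        if src in bad_ips:
            hosts.add(dst)
    return sorted(hosts)


if __name__ == "__main__":
    prof = protocol_profile(CONVERSATIONS)
    print(unusual_protocols(prof, BASELINE_APPS))
    print(malicious_ip_protocols(CONVERSATIONS, MALICIOUS_IPS))
    print(internal_talkers_to(CONVERSATIONS, MALICIOUS_IPS))
```

On the constructed data the host 192.0.2.12 stands out twice, once for using GRE and IRC that nobody else on the segment uses, and once as the only internal host talking to the flagged address; that overlap is the kind of pattern the passage describes, and it is a lead to be confirmed from the host itself, not a finding in its own right.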