Monday, September 25, 2017

LET’S TALK ABOUT - NETWORK FORENSICS


BASIC CONCEPT

Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.




Network forensics generally has two uses. The first, relating to security, involves monitoring a network for anomalous traffic and identifying intrusions. An attacker might be able to erase all log files on a compromised host; network-based evidence might therefore be the only evidence available for forensic analysis. The second form relates to law enforcement. In this case analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions.



Two systems are commonly used to collect network data:

- the brute-force method, "catch it as you can", and

- the intelligent method, "stop, look, listen".



GENERAL ASPECTS

Network forensics is a comparatively new field of forensic science. The growing popularity of the Internet in homes means that computing has become network-centric and data is now available outside of disk-based digital evidence. Network forensics can be performed as a standalone investigation or alongside a computer forensics analysis (where it is often used to reveal links between digital devices or reconstruct how a crime was committed).



Another definition: network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.



Compared to computer forensics, where evidence is usually preserved on disk, network data is more volatile and unpredictable. Investigators often only have material to examine if packet filters, firewalls, and intrusion detection systems were set up to anticipate breaches of security.



Systems used to collect network data for forensic use usually come in two forms:

1. "Catch-it-as-you-can" – all packets passing through a certain traffic point are captured and written to storage, with analysis done subsequently in batch mode. This approach requires large amounts of storage.

2. "Stop, look and listen" – each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires a faster processor to keep up with incoming traffic.







TYPES OF NETWORK FORENSICS




ETHERNET

Applying forensic methods on the Ethernet layer is done by eavesdropping on bit streams with tools called monitoring tools or sniffers. The most common tools on this layer are Wireshark (formerly known as Ethereal) and tcpdump; tcpdump works mostly on Unix-like operating systems. These tools collect all data on this layer and allow the user to filter for different events. With these tools, website pages, email attachments, and other network traffic can be reconstructed only if they are transmitted or received unencrypted. An advantage of collecting this data is that it is directly connected to a host. If, for example, the IP address or the MAC address of a host at a certain time is known, all data sent to or from this IP or MAC address can be filtered.



To establish the connection between IP and MAC address, it is useful to take a closer look at auxiliary network protocols. The Address Resolution Protocol (ARP) tables list the MAC addresses with the corresponding IP addresses.



To collect data on this layer, the network interface card (NIC) of a host can be put into "promiscuous mode". In so doing, all traffic will be passed to the CPU, not only the traffic meant for the host.
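As an added illustration of the Ethernet-layer steps above (this is not code from the original post), the following Python script decodes a few constructed Ethernet frames, builds the IP-to-MAC table from the ARP traffic in them, and filters the capture for a given MAC or IP address. The frames, addresses and helper names are assumptions made for the example; a real capture would be read from a pcap file taken with the NIC in promiscuous mode. The table keeps every MAC that announced an IP, so an IP claimed by two MACs stands out immediately.

```python
import struct
from ipaddress import IPv4Address
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet header plus the addresses in an ARP or IPv4 payload."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "type": etype}
    body = frame[14:]
    if etype == ETH_ARP:  # skip htype/ptype/hlen/plen (6 bytes), then read oper and the addresses
        oper, sha, spa, _tha, tpa = struct.unpack("!6xH6s4s6s4s", body[:28])
        info.update(arp_op=oper, sender_mac=mac_str(sha),
                    sender_ip=str(IPv4Address(spa)), target_ip=str(IPv4Address(tpa)))
    elif etype == ETH_IPV4:  # source and destination IP sit at header offsets 12 and 16
        info.update(src_ip=str(IPv4Address(body[12:16])), dst_ip=str(IPv4Address(body[16:20])))
    return info

def arp_table(frames: list) -> dict:
    """IP -> set of MACs that announced it; an IP claimed by two MACs deserves a closer look."""
    table = {}
    for f in map(parse_frame, frames):
        if f["type"] == ETH_ARP:
            table.setdefault(f["sender_ip"], set()).add(f["sender_mac"])
    return table

def frames_for_host(frames: list, mac: str = None, ip: str = None) -> list:
    """Keep only frames to or from the given MAC and/or IP (an ARP sender counts as 'from')."""
    keep = []
    for f in map(parse_frame, frames):
        by_mac = mac is not None and mac in (f["src_mac"], f["dst_mac"])
        by_ip = ip is not None and ip in (f.get("src_ip"), f.get("dst_ip"), f.get("sender_ip"))
        if by_mac or by_ip:
            keep.append(f)
    return keep

# Builders for the constructed sample capture below (assumed values, not a real trace).
def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return IPv4Address(s).packed
def eth(dst, src, etype, payload): return struct.pack("!6s6sH", _mac(dst), _mac(src), etype) + payload
def arp_reply(sha, spa, tha, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 2, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))
def ipv4(src, dst):  # minimal 20-byte IPv4 header, no options, no payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, _ip(src), _ip(dst))
A, B, C = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01"
CAPTURE = [
    eth(B, A, ETH_ARP, arp_reply(A, "10.0.0.5", B, "10.0.0.1")),
    eth(B, A, ETH_IPV4, ipv4("10.0.0.5", "10.0.0.1")),
    eth(B, C, ETH_IPV4, ipv4("10.0.0.7", "10.0.0.1")),
    eth(B, C, ETH_ARP, arp_reply(C, "10.0.0.5", B, "10.0.0.1")),  # C also claims 10.0.0.5
]
```

Running `arp_table(CAPTURE)` shows 10.0.0.5 announced by two different MACs, and `frames_for_host(CAPTURE, mac=A)` returns just the two frames host A sent.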



However, if an intruder or attacker is aware that his connection might be eavesdropped on, he might use encryption to secure his connection. It is almost impossible nowadays to break encryption, but the fact that a suspect's connection to another host is encrypted all the time might indicate that the other host is an accomplice of the suspect.



TCP/IP

On the network layer the Internet Protocol (IP) is responsible for directing the packets generated by TCP through the network by adding source and destination information which can be interpreted by routers all over the network (for example at a firewall on a local LAN; on Linux, tcpdump can be used to capture this traffic). Cellular digital packet networks, like GPRS, use protocols similar to IP, so the methods described for IP work with them as well.



For correct routing, every intermediate router must have a routing table to know where to send the packet next. These routing tables are one of the best sources of information when investigating a digital crime and trying to track down an attacker. To do this, it is necessary to follow the packets of the attacker, reverse the sending route and find the computer the packets came from (i.e., the attacker).
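The route reversal described above, as an added example that is not part of the original post: a small Python model with three routers and constructed routing tables (the topology, router names and addresses are assumptions), a longest-prefix-match lookup, the forward path an attacker's packet takes, and the investigator's walk from the victim's router back to the segment the attacker's address is attached to.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables for a three-router topology (an assumption for the example).
# Entry: (prefix, next hop); "local" means the prefix is directly attached to that router.
ROUTERS = {
    "R1": [("10.1.0.0/16", "local"), ("10.2.0.0/16", "R2"), ("0.0.0.0/0", "R2")],
    "R2": [("10.2.0.0/16", "local"), ("10.1.0.0/16", "R1"), ("10.3.0.0/16", "R3"), ("0.0.0.0/0", "R3")],
    "R3": [("10.3.7.0/24", "local"), ("10.3.0.0/16", "R2"), ("0.0.0.0/0", "R2")],
}

def lookup(router: str, dst: str):
    """Longest-prefix match: the most specific matching route decides the next hop."""
    addr, best = ip_address(dst), None
    for prefix, hop in ROUTERS[router]:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def attached_router(ip: str):
    """Router that has the host's prefix directly attached, or None if no router does."""
    for router, routes in ROUTERS.items():
        if any(hop == "local" and ip_address(ip) in ip_network(p) for p, hop in routes):
            return router
    return None

def forward_path(src: str, dst: str) -> list:
    """Routers a packet from src crosses on its way to dst, in sending order."""
    path = [attached_router(src)]
    if path[0] is None:
        raise ValueError(f"{src} is not on any known segment")
    while (hop := lookup(path[-1], dst)) != "local":
        if hop is None or hop in path:
            raise ValueError(f"no route or routing loop at {path[-1]}")
        path.append(hop)
    return path

def trace_back(victim: str, attacker: str) -> list:
    """Investigator's walk: start at the victim's router and, at each step, ask which neighbour
    forwards victim-bound traffic to the current router, until the attacker's prefix is local.
    Real networks may have several upstreams or asymmetric routes; that is treated as ambiguous."""
    here = attached_router(victim)
    path = [here]
    while lookup(here, attacker) != "local":
        upstream = [r for r in ROUTERS if r != here and lookup(r, victim) == here]
        if len(upstream) != 1:
            raise ValueError(f"ambiguous or missing upstream at {here}: {upstream}")
        here = upstream[0]
        path.append(here)
    return path
```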



THE INTERNET

The internet can be a rich source of digital evidence, including web browsing, email, newsgroup, synchronous chat and peer-to-peer traffic. For example, web server logs can be used to show when (or if) a suspect accessed information related to criminal activity. Email accounts can often contain useful evidence, but email headers are easily faked, so network forensics may be used to prove the exact origin of incriminating material. Network forensics can also be used to find out who is using a particular computer by extracting user account information from the network traffic.




WIRELESS FORENSICS

Wireless forensics is a sub-discipline of network forensics. The main goal of wireless forensics is to provide the methodology and tools required to collect and analyze (wireless) network traffic that can be presented as valid digital evidence in a court of law. The evidence collected can correspond to plain data or, with the broad usage of Voice-over-IP (VoIP) technologies, especially over wireless, can include voice conversations.



Analysis of wireless network traffic is similar to that on wired networks; however, there may be the added consideration of wireless security measures.





LET ME KNOW YOUR COMMENTS

Tuesday, September 19, 2017

LET’S TALK ABOUT – I HAVE BEEN HACKED!



WHAT TO DO AFTER YOU'VE BEEN HACKED
Evernote became the latest member of the "we’ve been hacked" club. And the thing is, what was once a pretty exclusive club now lets just about everyone in these days.

It's hard to know what to do, or where to begin, immediately afterward.

Whether you were hacked, phished, had malware installed or just don't know what the heck happened but there's somebody all up in your e-mail, here are a few good first steps to take following an incident. This is by no means comprehensive, but it’s a good start.


ASK YOURSELF WHY
While you are fixing things, it's a good time to take a step back, and ask yourself a more basic question: What was the reason for the breach? If it was your bank account, the answer may be obvious. In other cases, such as e-mail, it can be for a host of reasons – from using it to send spam, to requesting money from your contacts, to getting password resets on other services. An attacker may even be trying to gain access to your business. Knowing why you were targeted can also sometimes help you understand how you were breached.


RESET YOUR PASSWORDS
Immediately change the password on the affected service, and any others that use the same or similar password. And, really, don't reuse passwords. You should be changing your passwords periodically anyway as a part of routine maintenance. But if you've just been hacked, it's now more urgent. This is especially true if you reuse passwords, or use schemes that result in similar passwords (like 123Facebook, 123Linkedin, 123Google).

"Password reuse is one of the great evils and it's very hard to prevent," says PayPal's principal scientist for consumer security Markus Jakobsson. Sites can set up password requirements – for example a character length or that a password include symbols and numbers – but they cannot force people into not reusing the same or similar passwords. "It's very common for people to use similar or the same password but it's very rare for people to realize that it creates a liability for them to do it and that they need to change their password after they've been hacked."


UPDATE AND SCAN
There's a possibility that the attacker got in via your machine. Almost all malware is installed by victims themselves, if unknowingly. And if something nasty is on your computer, you need to get it off before you start a recovery process. Make sure you are running the most recent version of your operating system. Download a solid anti-virus product and run a scan for malware and viruses that may have been the source of the attack. This is the most basic thing you can do, so do it now. And moreover, use a brand-name commercial program that you pay for.

"Malware antivirus software isn't perfect – they have a hit ratio of 50 to 75 percent and can miss almost as much as they find, but it's better than nothing," explains Jakobsson. And why should you pay for it? "Most people who search for 'free antivirus' end up installing malware."


TAKE BACK YOUR ACCOUNT
Most of the major online services have tools in place to help you get your account back after it has been taken over by someone else. Here’s how to do that on Apple, Facebook, Google, Microsoft, Twitter and Yahoo. Typically, you’re going to need to be able to answer some questions about your account. Facebook has a novel method that relies on friend verification. Are you using a service not listed here? Typically you can find your way back in by searching for its name plus "account recovery."


CHECK FOR BACKDOORS
Smart hackers won’t just get into your account, they’ll also set up tools to make sure they can get back in once you’ve gotten them out. Once you have your accounts back, you should immediately make sure there isn't a back door somewhere designed to let an attacker back in. Check your e-mail rules and filters to make sure nothing is getting forwarded to another account without your knowledge. See if the answers to your security questions were changed, or if those questions themselves have changed.


FOLLOW THE MONEY
If there is an element of commerce involved in the affected account, thoroughly review any activity on that account. Verify that no new shipping addresses have been set up on your account, no new payment methods have been added, or new accounts linked. This is especially true of sites that let you make one-click purchases, or issue payment cards.

"Attackers do things for a reason," says Jakobsson. "If we are talking about attacking your Bank of America account or PayPal the reason is obvious: They want your money. What criminals will often want to do is hook up a debit card to your account. If they add an address and then request a financial instrument, that is a way for them to monetize."


PERFORM A SECURITY AUDIT ON ALL YOUR AFFECTED ACCOUNTS
Often, one account is simply used as a gateway to another. Your Dropbox account may only be a means to get at something stored there. Your e-mail might only be a path to your online banking. Not only do you need to secure the account you know was hacked, but you need to check all the others it touches as well. Reset your passwords on those services, and treat them as if they have been compromised.


DE-AUTHORIZE ALL THOSE APPS
This is one of those non-obvious but important steps. One of the first things you should probably do if you’ve had an account compromise is de-authorize all the associated apps that use that account for login or for its social graph. For example, Google, Twitter, Facebook, Dropbox and many others support OAuth, which enables third-party apps to use account APIs without having to give them the account login information. But if a hacker has used it to authorize another device or service, and remains logged in there, simply changing your password won't get them out. There could be a rogue client out there that you remain unaware of even after regaining access to your account. The best bet is to pull the plug on everything you've given access to. Here they are on Google, Facebook and Twitter. It may be a pain to go back through and re-authorize them, but it’s less so than leaving a malicious individual lurking in your account. And in any case, doing so periodically is just good hygiene.

LOCK DOWN YOUR CREDIT
It's bad enough you had your email hacked, but you really don't want your identity stolen as a result. Services like LifeLock will do this for you for a fee, but you can also do it yourself by contacting the three major credit reporting agencies directly. Depending on the state you live in, locking down your credit might be free, provided you've filed a police report.



SPEAK OUT
"Say that your Facebook account gets hacked," says Jakobsson, "there's a good chance you won't lose any money, but your friends might." The mugged-in-London scam works by hijacking your identity to contact friends to request money. It's also true, though less commonly so, on AIM and Google Talk and other services. There may also be data that you need to let others know has been accessed, from financial matters to sensitive personal information.

But there's another reason to do this too, and it's the same reason for this very article, which is to raise awareness. The best tactic of all is to do everything in your power to not be hacked: to run up to date software, use good password hygiene, and make backups of everything in your system.

"This is an amazing opportunity to educate people," says Jakobsson. "When you say, 'wow, it could happen to him; it could happen to me,' that's when you change."


LET ME KNOW YOUR COMMENTS
