Part I Foundation
Chapter 1 Practical Investigative Strategies
1.1 Real-World Cases
1.2 Footprints
1.3 Concepts in Digital Evidence
1.4 Challenges Relating to Network Evidence
1.5 Network Forensics Investigative Methodology (OSCAR)
1.6 Conclusion
Chapter 2 Technical Fundamentals
2.1 Sources of Network-Based Evidence
2.2 Principles of Internetworking
2.3 Internet Protocol Suite
2.4 Conclusion
Chapter 3 Evidence Acquisition
3.1 Physical Interception
3.2 Traffic Acquisition Software
3.3 Active Acquisition
3.4 Conclusion
Part II Traffic Analysis
Chapter 4 Packet Analysis
4.1 Protocol Analysis
4.2 Packet Analysis
4.3 Flow Analysis
4.4 Higher-Layer Traffic Analysis
4.5 Conclusion
4.6 Case Study: Ann's Rendezvous
Chapter 5 Statistical Flow Analysis
5.1 Process Overview
5.2 Sensors
5.3 Flow Record Export Protocols
5.4 Collection and Aggregation
5.5 Analysis
5.6 Conclusion
5.7 Case Study: The Curious Mr. X
Chapter 6 Wireless: Network Forensics Unplugged
6.1 The IEEE Layer 2 Protocol Series
6.2 Wireless Access Points (WAPs)
6.3 Wireless Traffic Capture and Analysis
6.4 Common Attacks
6.5 Locating Wireless Devices
6.6 Conclusion
6.7 Case Study: HackMe, Inc.
Chapter 7 Network Intrusion Detection and Analysis
7.1 Why Investigate NIDS/NIPS?
7.2 Typical NIDS/NIPS Functionality
7.3 Modes of Detection
7.4 Types of NIDS/NIPSs
7.5 NIDS/NIPS Evidence Acquisition
7.6 Comprehensive Packet Logging
7.7 Snort
7.8 Conclusion
7.9 Case Study: Inter0ptic Saves the Planet (Part 1 of 2)
Part III Network Devices and Servers
Chapter 8 Event Log Aggregation, Correlation, and Analysis
8.1 Sources of Logs
8.2 Network Log Architecture
8.3 Collecting and Analyzing Evidence
8.4 Conclusion
8.5 Case Study: L0ne Sh4rk's Revenge
Chapter 9 Switches, Routers, and Firewalls
9.1 Storage Media
9.2 Switches
9.3 Routers
9.4 Firewalls
9.5 Interfaces
9.6 Logging
9.7 Conclusion
9.8 Case Study: Ann's Coffee Ring
Chapter 10 Web Proxies
10.1 Why Investigate Web Proxies?
10.2 Web Proxy Functionality
10.3 Evidence
10.4 Squid
10.5 Web Proxy Analysis
10.6 Encrypted Web Traffic
10.7 Conclusion
10.8 Case Study: Inter0ptic Saves the Planet (Part 2 of 2)
Part IV Advanced Topics
Chapter 11 Network Tunneling
11.1 Tunneling for Functionality
11.2 Tunneling for Confidentiality
11.3 Covert Tunneling
11.4 Conclusion
11.5 Case Study: Ann Tunnels Underground
Chapter 12 Malware Forensics
12.1 Trends in Malware Evolution
12.2 Network Behavior of Malware
12.3 The Future of Malware and Network Forensics
12.4 Case Study: Ann's Aurora
Afterword
Index
Network Forensics: Tracking Hackers Through Cyberspace