Network Forensics

Author: Anchit Bijalwan

Publisher: Taylor & Francis

Format: ePub

Print ISBN 9780367493615

Edition 1

Year of publication 2022

8.190 kr.

Table of Contents

  • Cover
  • Half Title
  • Title Page
  • Copyright Page
  • Table of Contents
  • Preface
  • Organization of This Book
  • Author
  • Acknowledgments
  • Part A Network Forensics Concepts
  • 1. Introduction to Network Forensics
  • 1.1 Introduction
  • 1.2 Network Security
  • 1.2.1 Evolution of Network Security
  • 1.2.2 Importance of Network Security
  • 1.2.3 Basic Terminology for Understanding Network Security
  • 1.2.4 Features of Network Security Services
  • 1.3 Types of Network Security Attacks
  • 1.3.1 Active Attack
  • 1.3.1.1 Modification
  • 1.3.1.2 Fabrication
  • 1.3.1.3 Interruption and Denial of Service
  • 1.3.1.4 Replay Attack
  • 1.3.1.5 Masquerade Attack
  • 1.3.2 Passive Attack
  • 1.3.2.1 Traffic Analysis
  • 1.3.2.2 Message Transmission
  • 1.4 Network Security Tools
  • 1.4.1 Intrusion Detection System
  • 1.4.1.1 Knowledge- or Signature-Based IDS
  • 1.4.1.2 Behavior- or Anomaly-Based IDS
  • 1.4.2 Firewall
  • 1.4.2.1 Network-Level Firewall
  • 1.4.2.2 Application-Level Firewall
  • 1.4.2.3 Proxy Firewall
  • 1.4.3 Antivirus
  • 1.5 Security Issues
  • 1.5.1 Network Access Control
  • 1.5.2 Application Security
  • 1.5.2.1 Application Security Process
  • 1.5.3 Email Security
  • 1.5.3.1 Antivirus Application on System
  • 1.5.3.2 Spam Filters
  • 1.5.3.3 Antispam Applications
  • 1.5.3.4 Strong Passwords
  • 1.5.3.5 Password Rotation
  • 1.5.4 Wireless Security
  • 1.5.5 Firewall
  • 1.6 Digital Forensics
  • 1.6.1 Digital Forensics Evolution
  • 1.6.2 Digital Forensic Types
  • 1.7 Computer Forensics
  • 1.7.1 Computer Forensics Process
  • 1.8 Network Forensics
  • 1.8.1 Definition
  • 1.8.2 Taxonomy of Network Forensics Tools
  • 1.8.3 Network Forensics Mechanism
  • 1.8.4 Network Forensics Process
  • 1.8.4.1 Authorization
  • 1.8.4.2 Collection of Evidences
  • 1.8.4.3 Identification of Evidences
  • 1.8.4.4 Detection of Crime
  • 1.8.4.5 Investigation
  • 1.8.4.6 Presentation
  • 1.8.4.7 Incident Response
  • 1.9 Computer Forensics vs Network Forensics
  • 1.9.1 Computer Forensics
  • 1.9.2 Network Forensics
  • 1.10 Network Security vs Network Forensics
  • 1.10.1 Network Security
  • 1.10.2 Network Forensics
  • Questions
  • Bibliography
  • 2. Cyber Crime
  • 2.1 Introduction
  • 2.2 Attack Intentions
  • 2.2.1 Warfare Sponsored by the Country
  • 2.2.2 Terrorist Attack
  • 2.2.3 Commercially Motivated Attack
  • 2.2.4 Financially Driven Criminal Attack
  • 2.2.5 Hacking
  • 2.2.6 Cyberstalking
  • 2.2.7 Child Pornography
  • 2.2.8 Web Jacking
  • 2.2.9 Data Diddling
  • 2.2.10 Counterfeiting
  • 2.2.11 Phishing
  • 2.3 Malware
  • 2.3.1 Definition
  • 2.3.2 History of Malware
  • 2.3.3 Classification of Malware
  • 2.3.3.1 Virus
  • 2.3.3.2 Worm
  • 2.3.3.3 Logic Bomb
  • 2.3.3.4 Trojan Horse
  • 2.3.3.5 Backdoor
  • 2.3.3.6 Mobile Code
  • 2.3.3.7 Exploits
  • 2.3.3.8 Downloaders
  • 2.3.3.9 Auto Rooter
  • 2.3.3.10 Kit (Virus Generator)
  • 2.3.3.11 Spammer
  • 2.3.3.12 Flooders
  • 2.3.3.13 Keyloggers
  • 2.3.3.14 Rootkit
  • 2.3.3.15 Zombie or Bot
  • 2.3.3.16 Spyware
  • 2.3.3.17 Adware
  • 2.3.3.18 Ransomware
  • 2.3.3.19 Hacker’s Useful Components and Other Harmful Programs
  • 2.4 Terminology for the Cyber Attackers
  • 2.5 Types of Attacks
  • 2.5.1 Distributed Denial of Service Attack
  • 2.5.2 Spam
  • 2.5.3 Personal Information Thieving
  • 2.5.4 Click Fraud
  • 2.5.5 Identity Theft
  • Questions
  • Bibliography
  • 3. Network Forensics Process Model
  • 3.1 Introduction
  • 3.2 Recent Trend in Network Forensics
  • 3.2.1 Malware Forensics
  • 3.2.2 Botnet Forensics
  • 3.2.3 Cloud Forensics
  • 3.2.4 Grid Forensics
  • 3.3 Life Cycle of Network Forensics
  • 3.4 Network Forensics Process Model
  • 3.4.1 Authorization
  • 3.4.2 Collection of Evidence
  • 3.4.3 Identification of Evidence
  • 3.4.4 Detection of Crime
  • 3.4.5 Investigation
  • 3.4.6 Presentation
  • 3.4.7 Incident Response
  • 3.5 Detection and Investigative Network Forensics Frameworks
  • 3.5.1 Detection-Based Framework
  • 3.5.2 BOT GAD-Based Framework
  • 3.5.3 System Architecture-Based Framework
  • 3.5.4 Fast Flux-Based Framework
  • 3.5.5 Mac OS-Based Framework
  • 3.5.6 Open Flow-Based or AAFID Framework
  • 3.5.7 P2P-Based Framework
  • 3.5.8 Distributed Device-Based Frameworks
  • 3.5.9 Soft Computing-Based Frameworks
  • 3.5.10 Honeypot-Based Frameworks
  • 3.5.11 Attack Graph-Based Frameworks
  • 3.5.12 Formal Method-Based Frameworks
  • 3.5.13 Formal Method-Based Frameworks
  • 3.5.14 Network Monitoring Framework
  • Questions
  • References
  • 4. Classification of Network Forensics
  • 4.1 Introduction
  • 4.1.1 Signature-Based or Misuse Detection
  • 4.1.1.1 Monitoring
  • 4.1.1.2 Capturing (Avoidance of Packets Drop)
  • 4.1.1.3 Notification
  • 4.1.1.4 Software Initiation
  • 4.1.1.5 Multiperspective Environment
  • 4.1.2 Anomaly-Based or Hybrid Detection
  • 4.1.3 Comparative Difference between Signature- and Anomaly-Based Detection
  • 4.2 Detection and Prevention System
  • 4.2.1 Detection System
  • 4.2.2 Prevention System
  • 4.3 Types of Network Forensics Classification
  • 4.3.1 Payload-Based Identification
  • 4.3.1.1 Deep Packet Inspection
  • 4.3.2 Statistical-Based Identification
  • 4.3.2.1 Heuristic Analysis
  • 4.4 Network Forensics Analysis Classification
  • 4.4.1 Signature-Based Classification
  • 4.4.2 Decision Tree-Based Classification
  • 4.4.3 Ensemble-Based Classification
  • 4.4.3.1 Voting
  • 4.4.3.2 Adaptive Boosting
  • 4.4.3.3 Bagging
  • 4.5 Implementation and Results
  • Questions
  • References
  • Part B Network Forensics Acquisition
  • 5. Network Forensics Tools
  • 5.1 Introduction
  • 5.2 Visual Tracing Tools
  • 5.2.1 NeoTracePro
  • 5.2.2 VisualRoute
  • 5.2.3 Sam Spade
  • 5.2.4 eMailTrackerPro
  • 5.3 Traceroute Tools
  • 5.3.1 Text-Based Traceroute
  • 5.3.2 3D-Based Traceroute
  • 5.3.3 Visual Traceroute
  • 5.4 Monitoring Tools
  • 5.4.1 Packet Sniffer Tool
  • 5.4.1.1 Wireshark
  • 5.4.1.2 Argus
  • 5.4.1.3 TCP Dump
  • 5.4.1.4 OmniPeek
  • 5.4.2 Intrusion Detection System (IDS)
  • 5.4.2.1 Zeek
  • 5.4.2.2 SNORT
  • 5.4.3 Finger
  • 5.4.3.1 Nmap
  • 5.4.3.2 POF
  • 5.4.4 Pattern-Based Monitoring Tool
  • 5.4.4.1 NGREP
  • 5.4.4.2 TCPXTRACT
  • 5.4.5 Statistics-Based Monitoring System
  • 5.4.5.1 NetFlow
  • 5.4.5.2 TCPstat
  • 5.5 Analysis Tools
  • 5.5.1 Open-Source Tool
  • 5.5.1.1 NetworkMiner
  • 5.5.1.2 PyFlag
  • 5.5.2 Proprietary Tools
  • 5.5.2.1 NetIntercept
  • 5.5.2.2 SilentRunner
  • Questions
  • References
  • 6. Network Forensics Techniques
  • 6.1 Introduction
  • 6.1.1 Conventional Network Forensics Technique
  • 6.1.2 Advanced Network Forensics Technique
  • 6.2 Conventional Network Forensics Technique
  • 6.2.1 IP Traceback Technique
  • 6.2.1.1 Link State Testing
  • 6.2.1.2 Input Debugging
  • 6.2.1.3 Controlled Flooding
  • 6.2.1.4 ICMP Traceback
  • 6.2.1.5 Packet Marking Techniques
  • 6.2.1.6 Source Path Isolation Engine
  • 6.2.1.5 Payload Attribution
  • 6.2.2 Intrusion Detection System
  • 6.2.2.1 Knowledge- or Signature-Based IDS
  • 6.2.2.2 Behavior- or Anomaly-Based IDS
  • 6.2.3 Firewalls
  • 6.2.3.1 Network-Level Firewall
  • 6.2.3.2 Application-Level Firewall
  • 6.2.3.3 Proxy Firewall
  • 6.3 Advanced Network Forensics Techniques
  • 6.3.1 Vulnerability Detection Techniques
  • 6.3.1.1 Data Fusion, Alert Generation, and Correlation
  • 6.3.1.2 Black-Box Testing
  • 6.3.1.3 White-Box Testing
  • 6.3.1.4 Double-Guard Detecting Techniques
  • 6.3.1.5 Hidden Markov Models
  • 6.3.2 Honeypots and Honeynet
  • 6.3.2.1 Honeypot
  • 6.3.2.2 Honeynet
  • 6.3.2.3 Classification of Honeypots
  • 6.3.2.4 Honeywall
  • 6.3.2.5 Architecture Types of Honeynet
  • 6.3.3 Highly Efficient Techniques for Network Forensics
  • 6.3.3.1 Bloom Filters
  • 6.3.3.2 Rabin Fingerprinting
  • 6.3.3.3 Winnowing
  • 6.3.3.4 Attribution Systems
  • 6.3.4 UDP Flooding Technique
  • Questions
  • References
  • 7. Detection of Vulnerabilities
  • 7.1 Introduction
  • 7.2 Network Forensics Acquisition
  • 7.2.1 SIFT
  • 7.2.2 CAINE
  • 7.2.3 Autopsy
  • 7.2.3.1 Extensible
  • 7.2.3.2 Comfortable
  • 7.2.3.3 Centralized
  • 7.2.3.4 Multiple Users
  • 7.2.4 Forensics Acquisition Website
  • 7.2.5 Oxygen Forensic Suit
  • 7.2.6 Paladin Forensic Suit
  • 7.2.7 ExifTool
  • 7.2.8 CrowdResponse Tool
  • 7.2.9 BulkExtractor
  • 7.2.10 Xplico
  • 7.3 Identification of Network Attacks
  • 7.3.1 UDP Flooding
  • 7.3.2 Random-UDP Flooding
  • 7.3.2.1 Normal Flow of UDP Datagrams
  • 7.3.2.2 Random-UDP Flooding Attack
  • 7.3.2.3 Identification of Random-UDP Flooding Attack
  • Questions
  • References
  • Part C Network Forensics Attribution
  • 8. Network Forensics Analysis
  • 8.1 Introduction
  • 8.2 Network Forensic Standard Process Model
  • 8.2.1 Authorization
  • 8.2.2 Preservation
  • 8.2.3 Initial Assessment
  • 8.2.4 Strategy Planning
  • 8.2.5 Evidence Collection
  • 8.2.6 Documentation
  • 8.2.7 Analysis
  • 8.2.8 Investigation
  • 8.2.9 Decision and Reporting
  • 8.2.10 Review
  • 8.3 Network Forensic Framework for the Analysis
  • 8.3.1 Network Traffic Collector
  • 8.3.2 Reduction and Feature Extraction
  • 8.3.3 Analysis and Pattern Matching
  • 8.3.4 Reconstruction
  • 8.3.5 Replay
  • 8.4 Network Traffic Analysis
  • 8.4.1 Case Analysis
  • 8.4.2 Dataset: KDD Cup 99 Case Study-I
  • 8.4.3 Methodology
  • 8.4.4 Case Study-I: Experimental Setup
  • 8.4.5 Data Selection
  • 8.4.6 Analysis of the Case
  • 8.5 Network Forensics Analysis with Case Study-2
  • 8.5.1 Analysis Methodology
  • 8.5.2 Network Behavior
  • 8.5.2.1 Domain Name System
  • 8.5.2.2 Internet Control Message Protocol
  • 8.5.3 Bot Analysis Using Classification
  • Questions
  • References
  • 9. Evidence and Incident Response
  • 9.1 Introduction
  • 9.2 Evidence and Its Sources
  • 9.2.1 Sources of Evidence within Network
  • 9.2.2 Sources of Evidence in Remote Network
  • 9.3 Evidence Handling
  • 9.3.1 Recovery as Fast as Possible
  • 9.3.2 Monitoring and Collecting Evidence
  • 9.4 Evidence-Handling Procedure
  • 9.4.1 Identification of Evidence
  • 9.4.2 Collection for the Evidence
  • 9.4.3 Acquisition and Analysis of Evidence
  • 9.4.3.1 Physical Extraction
  • 9.4.3.2 Logical Extraction
  • 9.4.4 Preservation and Reporting of Evidence
  • 9.5 Incident Response and Its Methodology
  • 9.5.1 Process of Incident Response
  • 9.5.1.1 Preparation
  • 9.5.1.2 Identification
  • 9.5.1.3 Detection
  • 9.5.1.4 Analysis
  • 9.5.1.5 Containment
  • 9.5.1.6 Eradication and Recovery
  • 9.5.1.7 Post Incidence
  • 9.5.2 Incident Classification
  • 9.5.2.1 High-Level Incident
  • 9.5.2.2 Middle- or Moderate-Level Incident
  • 9.5.2.3 Low-Level Incident
  • 9.5.3 Role of CSIRT
  • Questions
  • References
  • 10. Introduction to Botnet
  • 10.1 Introduction
  • 10.1.1 Spartan Dominition Robot (SD Bot)
  • 10.1.2 AgoBot (aka Gaobot or Phatbot)
  • 10.1.3 Spybot
  • 10.1.4 Mytob
  • 10.1.5 Hybot
  • 10.2 Evolution of Botnet
  • 10.3 Botnet Lifecycle
  • 10.4 Botnet Structure
  • 10.4.1 Propagation and Compromise
  • 10.4.2 Command and Control
  • 10.4.2.1 Centralized
  • 10.4.2.2 P2P
  • 10.4.2.3 Hybrid
  • 10.4.3 Attacks and Theft
  • 10.5 Botnet Security Attacks
  • 10.5.1 Warfare Sponsored by the Country
  • 10.5.2 Terrorist Attack
  • 10.5.3 Commercially Motivated Attack
  • 10.5.4 Financially Driven Criminal Attack
  • 10.5.5 Hacking
  • 10.6 Traditional Botnet Attacks
  • 10.6.1 Distributed Denial of Service Attack
  • 10.6.2 Spam
  • 10.6.3 Personal Information Theft
  • 10.6.4 Click Fraud
  • 10.6.5 Identity Theft
  • 10.7 Recent Botnet Attacks
  • 10.7.1 StealRat Botnet
  • 10.7.2 Citadel Botnet
  • 10.7.3 Andromeda Botnet
  • 10.7.4 Attacks on WordPress Targeting “Admin” Password
  • 10.7.5 Android Master Key Vulnerability
  • Questions
  • References
  • 11. Botnet Forensics
  • 11.1 Introduction
  • 11.2 Methodology Used in Botnet Forensics
  • 11.2.1 Collection of Malwares
  • 11.2.2 Malware Analysis
  • 11.3 Nature of Botnet Forensics
  • 11.3.1 Continuous
  • 11.3.2 Comprise
  • 11.3.3 Concrete
  • 11.3.4 Convenient
  • 11.4 Background
  • 11.5 Botnet Forensics Classification
  • 11.5.1 Payload Classification
  • 11.5.2 Signature-Based Classification
  • 11.5.3 Decision Tree-Based Classification
  • 11.5.4 Ensemble-Based Classification
  • 11.6 Botnet Forensic Framework
  • 11.6.1 Botnet Forensic Identification
  • 11.7 Botnet Forensic Analysis
  • 11.7.1 Botnet Inquisition Model
  • 11.7.1.1 Data Sources
  • 11.7.1.2 Traffic Agents
  • 11.7.1.3 Traffic Sensors
  • 11.7.1.4 Network Traffic Filtration
  • 11.7.1.5 Whitelist
  • 11.7.1.6 Blacklist
  • 11.7.1.7 Detecting Malicious Traffic Content
  • 11.7.1.8 Attack Intention
  • 11.7.1.9 Data Traffic Extraction/Visualization
  • 11.7.2 Botnet Analysis Using Ensemble of Classifier
  • 11.7.3 Results and Discussion
  • 11.7.3.1 Single Classifier
  • 11.7.3.2 Ensemble of Classifier
  • 11.7.3.3 Discussion
  • 11.8 Challenges
  • 11.8.1 Collection
  • 11.8.2 Preservation
  • 11.8.3 Identification
  • 11.8.4 Traffic Analysis
  • 11.8.5 Investigation
  • 11.9 Summary
  • Questions
  • References
  • 12. System Investigation and Ethical Issues
  • 12.1 Introduction
  • 12.1.1 Postmortem Analysis
  • 12.1.2 Examination of Computer
  • 12.2 Crimes
  • 12.2.1 Computer Crime
  • 12.2.1.1 Intelligence Attacks
  • 12.2.1.2 Financial Attacks
  • 12.2.1.3 Business Attacks
  • 12.2.1.4 Terrorist Attacks
  • 12.2.1.5 Fun Attack
  • 12.2.1.6 Grudge Attack
  • 12.2.1.7 Thrill Attacks
  • 12.2.2 Challenges on Deterring Crime
  • 12.2.2.1 Inadequate Laws
  • 12.2.2.2 Lack of Understanding
  • 12.2.2.3 Lack of Evidence
  • 12.2.2.4 Rules of Evidence
  • 12.2.2.5 Casual Approach
  • 12.2.2.6 Lack of Knowledge
  • 12.2.2.7 Lack of Tangible Assets
  • 12.2.2.8 Loss of Data
  • 12.2.2.9 Multiple Roles
  • 12.3 Computer Law
  • 12.3.1 Privacy
  • 12.3.2 Intellectual Property
  • 12.3.2.1 Patent Law
  • 12.3.2.2 Copyright
  • 12.3.2.3 Trademark
  • 12.3.2.4 Trade Secret
  • 12.3.2.5 Comparison of Patent Law, Copyright, Trademark, and Trade Secret
  • 12.3.3 Contract
  • 12.3.4 Telecommunication Law
  • 12.3.5 Computer Crime
  • 12.4 Live System
  • 12.4.1 System Activities
  • 12.4.1.1 Permanent Files
  • 12.4.1.2 Temporary Files
  • 12.4.1.3 Random-Access Memory
  • 12.4.1.4 Unallocated Space
  • 12.4.1.5 Cache
  • 12.4.1.6 CPU Registers
  • 12.4.2 Methodology for Live System Analysis
  • 12.4.2.1 Implicit or Hidden System Monitoring
  • 12.4.2.2 Explicit System Acquisition
  • 12.4.3 Key Elements of Successful Live Analysis
  • 12.5 Live Computer Analysis
  • 12.5.1 Windows-Based Forensic Analysis
  • 12.5.1.1 Tools to Recover Data on Windows
  • 12.5.2 Unix-Based Forensic Analysis
  • 12.5.2.1 Unix Notations
  • 12.5.2.2 Live Forensics through Built-Up Tools on Unix
  • 12.5.2.3 Phases Involved in Live Forensics on Unix
  • 12.5.2.4 Acquisition Tools
  • 12.6 Ethical Issues
  • 12.6.1 Piracy
  • 12.6.2 Plagiarism
  • 12.6.3 Privacy
  • 12.6.4 Ergonomics
  • 12.6.5 Work Pressure
  • Questions
  • References
  • Index
