Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Forensics: When conventional forensic analysis is not enough

Published byLaura Baker Modified over 6 years ago

Similar presentations

Presentation on theme: "Network Forensics: When conventional forensic analysis is not enough"— Presentation transcript:

1 Network Forensics: When conventional forensic analysis is not enough
Manuel Humberto Santander Peláez GIAC GCFA Gold, GNET Silver, GCIA Gold

2 Network Security Perimeter
Firewalls NIDS/NIPS VPN Concentrator NAC (Switches) Antivirus Antispyware Content Filtering

3 Network Security Perimeter
VPN Concentrator Firewall Switch (NAC) NIDS Security Event Correlator

4 Network Forensics Capture, recording and analysis of network events
Need to discover source and type of network attacks Big amount of logs and traffic Network Security Perimeter devices gives lots of interesting info

5 Network Forensics Network traffic gives evidence of attacks like:
Exploit attacks Virus breach attempts MITM Valuable if possible to correlate to computer breaches. Can find the missing information on a computer attack (“missing puzzle”)

6 Billing Information Change using a network attack
Colombia Utility Company is the biggest utility company in all Colombia Massive change of billing amount on installations, about 40% less on each invoice Once invoice is delivered, no change can be made (Law 142 of 1994 Colombian Congress) Where was the breach? How can this be prevented?

7 Billing Information Change using a network attack
Billing process is a daily batch process 98% of invoices were altered Billing Calculations are done by stored procedures on the database First evidence gathered was report of users executing the offending transactions on the application (August 25/2007)

8 Billing Information Change using a network attack

9 Billing Information Change using a network attack
Same result obtained on every computer analyzed from the obtained table

10 Billing Information Change using a network attack
IDS alerts showed ARP address change for main router several times, No firewall or NAC alert Found 4970 alerts for August 25/2007 Investigation showed a local desktop machine claimed to be the router for the whole network segment All billing department people in that segment logged on the application

11 Billing Information Change using a network attack

12 Billing Information Change using a network attack
Oexplore access time matches the first access at the database. Passwords found cracked by Cain.

13 Billing Information Change using a network attack

14 Billing Information Change using a network attack

15 Lessons Learned Network Forensics completes computer forensic evidence when evidence found inside computers doesn’t give enough clues. Network Forensics evidence must be correlated with the evidence found in computers to be valuable. Security Perimeter devices gives valuable information if well configured.

Download ppt "Network Forensics: When conventional forensic analysis is not enough"

Similar presentations

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.

1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Section 3.2: Operating Systems Security

Section 3.2: Operating Systems Security
Access Control Chapter 3 Part 5 Pages 248 to 252.

Access Control Chapter 3 Part 5 Pages 248 to 252.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.

Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 5 Network Defenses.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 5 Network Defenses.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

Similar presentations

Ads by Google