This week is the last forum-based learning week. In this week, we were assigned an assignment regarding malwares. Malware, or Malicious Software refers to any software that is designed to be used to gain access to unauthorized sensitive information or cause disruptions in the system.
In this session we learned about switches, routers, and firewalls.
Switches contains MAC address in hexa code where the MAC address identifies the device that is being used because it is unique. ARP allows users to convert MAC address into IP address, which is why MAC address can be faked.
Routers can make a connection between different network unlike switches. Firewalls contains details on successful or failed connection attempts, protocols, and applications in the network.
In this session we learned about event log correlation and analysis, which are related to last week’s forum-based assignment.
Log Sources:
Windows Logs:
Is usually used in the early detection system and provides data for an investigation
Analysis Tools:
Graylog is able to analyse all the logs when all the companies servers are connected to it. Hence, when one system is attacked, the attack can be investigated through the data of the attack where graylog also provides the time and source of each log. Because of that, it is easier to identify if someone attempts to brute force into the system.
This week is forum-based, hence we were assigned an assignment regarding log correlation. The assignment involves the usage of 2 VMs and set up a graylog server.
In this session we learned about network intrusion detection and analysis.
NIDS: Network-Based Intrusion Detection System used to detect if there are anomalies or suspicious behavior in our personal network.
HIDS: Host-Based Intrusion Detection System
NIPS: Network-Based Intrusion Prevention System used to prevent any attack that is recognized by the system (e.g. ransomware).
Types of IDS:
In this session we learned about wireless devices that are used in network forensics, and how we can extract wireless data for use. The wireless devices include:
The use of wireless data can be used for cases like tracking a stolen laptop when it connects to a wireless network, or investigate malicious or suspicious activities occurring via a wireless network.
This session is also a forum-based week. This week we were assigned an assignment regarding statistical flow analysis where we were supposed to find anomalies in the flow of packet traffic.
In this session we learned about evidence acquisition. In evidence acquisition, it is required that we minimize our investigative footprint as much as possible.
Physical interception is a passive packet acquisition as it is being transmitted through a wire in order to capture or sniff packets. This is done by using inline network tap, induction coils, vampire taps, and fiber optic taps. On the other hand, software used to capture and sniff packets are wireshark, tcpdump, ngrep, and nmap.
In this session we also learned about tcpdump and some of its commands that can be used for analysis which are:
In this session we were informed of the tools that can be used to analyze files in order to find sample, seal, and dissect the evidence obtained, where in this case the file is a pcap file. The tools that were used in this session were tshark and wireshark.
In this session we also learned about flow analysis where it is used to locate data in the operating system or to identify patterns in traffic. There are various tools that can be used for flow analysis, but wireshark is typically used due to its ability to provide many different analysis methods and an easy to use GUI.
The third week is a forum-based week but there was no assignment given.