Understand the Importance of Network Forensics

 

Understand the Importance of Network Forensics in this this article Network Forensics is the implementation of sniffing, recording, acquisition, and analysis of network traffic and event logs to investigate a network security incident. Capturing network traffic over a network is simple in theory, but relatively complex in practice due to many inherent reasons such as the large amount of data flow and complex nature of Internet protocols. Recording network traffic involves a lot of resources. It is often not possible to record all the data flowing through the network due to the large volume. Again, these recorded data need to be backed up to free recording media and for future analysis.

The analysis of recorded data is the most critical and time-consuming task. There are many automated analysis tools for forensic purposes, but they are insufficient, as there is no foolproof method to recognize bogus traffic generated by an attacker from a pool of genuine traffic. Human judgment is also critical because with automated traffic analysis tools, there is always a chance of false positives.

Network forensics is necessary in order to determine the type of attack over a network and to trace the culprit. A proper investigation process is required to produce the evidence recovered during the investigation in the court of law.

Related Product : Computer Hacking Forensic Investigator | CHFI

Postmortem and Real-Time Analysis

Forensic examination of logs has two categories:

Postmortem

Investigators perform postmortem of logs to detect something that has already occurred in a network/device and determine what it is.

Here, an investigator can go through the log files a number of times to examine and check the flow of previous runs. When compared to real-time analysis, it is an exhaustive process, since the investigators need to examine the attack in detail and give a final report.

Real-Time Analysis

Real-time analysis is an ongoing process, which returns results simultaneously, so that the system or operators can respond to the attacks immediately.

Real-time analysis is an analysis done for the ongoing process. This analysis will be more effective if the investigators/administrators detect the attack quickly. In this analysis, the investigator can go through the log files only once to evaluate the attack, unlike postmortem analysis.

Network Vulnerabilities

The massive technological advances in networking have also led to a rapid increase in the complexity and vulnerabilities of networks. The only thing that a user can do is minimize these vulnerabilities, since the complete removal of the vulnerabilities is not possible. There are various internal and external factors that make a network vulnerable.

Internal network vulnerabilities

Internal network vulnerabilities occur due to the overextension of bandwidth and bottlenecks.

• Overextension of bandwidth: Overextension of bandwidth occurs when user need exceeds total resources.
• Bottlenecks: Bottlenecks usually occur when user need exceeds resources in particular network sectors.

The network management systems direct these problems and software to the log or other management solutions. System administrators examine these systems and identify the location of network slowdowns. Using this information, they reroute the traffic within the network architecture to increase the speed and functionality of the network.

External network vulnerabilities

External network vulnerabilities occur due to threats such as DoS/DDoS attacks and network data interception. DoS and DDoS attacks result from one or numerous attacks. These attacks are responsible for slowing down or disabling the network and are considered as one of the most serious threats that a network faces. To minimize this attack, use network performance monitoring tools that alert the user or the administrator about an attack.

Data interception is a common vulnerability among LANs and WLANs. In this type of attack, an attacker infiltrates a secure session and thus monitors or edits the network data to access or edit the network operation. In order to minimize these attacks, the user or administrator needs to apply user authentication systems and firewalls to restrict unauthorized users from accessing the network.

Also Read : Mac Forensics

Network Attacks

Most common attacks against networks:

1. Eavesdropping

Eavesdropping is a technique used in intercepting the unsecured connections in order to steal personal information, which is illegal.

2. Data Modification

Once the intruder gets access to sensitive information, his or her first step is to alter the data. This problem is referred to as a data modification attack.

3. IP Address Spoofing

IP spoofing is a technique used to gain unauthorized access to a computer. Here, the attacker sends messages to the computer with an IP address that indicates the messages are coming from a trusted host.

4. Denial of Service (DoS)

In a DoS attack, the attacker floods the target with huge amount of invalid traffic, thereby leading to exhaustion of the resources available on the target. The target then stops responding to further incoming requests, thereby leading to denial of service to the legitimate users.

5. Man-in-the-Middle Attack

In man-in-the-middle attacks, the attacker makes independent connections with the users/victims and relays messages between them, making them believe that their conversation is direct.

6. Packet Sniffing

Sniffing refers to the process of capturing traffic flowing through a network, with the aim of gaining sensitive information such as usernames and passwords and using them for illegitimate purposes. In the computer network, packet sniffer captures the network packets. Software tools known as Cain&Able are used to server this purpose.

7. Enumeration

Enumeration is the process of gathering information about a network that may help in an attacking the network. Attackers usually perform enumeration over the Internet. During enumeration, the following information is collected:

• Topology of the network
• List of live hosts
• Architecture and the kind of traffic (for example, TCP, UDP, IPX)
• Potential vulnerabilities in host systems

8. Session Hijacking

A session hijacking attack refers to the exploitation of a session-token generation mechanism or token security controls, such that the attacker can establish an unauthorized connection with a target server.

9. Buffer Overflow

Buffers have data storage capacity. If the data count exceeds the original capacity of a buffer, then buffer overflow occurs. To maintain finite data, it is necessary to develop buffers that can direct additional information when they need. The extra information may overflow into neighboring buffers, destroying or overwriting the legal data.

10. Email Infection

This attack uses emails as a means to attack a network. Email spamming and other means are used to flood a network and cause a DoS attack.

11. Malware Attacks

Malware is a kind of malicious code or software designed to damage the system. Attackers try to install the malware on the targeted system; once the user installs it, it damages the system.

12. Password-based attacks

Password-based attack is a process where the attacker performs numerous login attempts on a system or an application to duplicate the valid login and gain access to it.

13. Router attacks

It is the process of an attacker attempting to compromise the router and gaining access to it.

Read More : https://info-savvy.com/understand-the-importance-of-network-forensics/

---------------------------------------------------------------------------------------------------------------

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ