Understand the Importance of Network Forensics
Understand the Importance of Network Forensics in this this article Network Forensics is the implementation of sniffing, recording, acquisition, and analysis of network traffic and event logs to investigate a network security incident. Capturing network traffic over a network is simple in theory, but relatively complex in practice due to many inherent reasons such as the large amount of data flow and complex nature of Internet protocols. Recording network traffic involves a lot of resources. It is often not possible to record all the data flowing through the network due to the large volume. Again, these recorded data need to be backed up to free recording media and for future analysis.
The analysis of recorded data is the most critical and time-consuming task. There are many automated analysis tools for forensic purposes, but they are insufficient, as there is no foolproof method to recognize bogus traffic generated by an attacker from a pool of genuine traffic. Human judgment is also critical because with automated traffic analysis tools, there is always a chance of false positives.
Network forensics is necessary in order to determine the type of attack over a network and to trace the culprit. A proper investigation process is required to produce the evidence recovered during the investigation in the court of law.
Related Product : Computer Hacking Forensic Investigator | CHFI
Postmortem and Real-Time Analysis
Forensic examination of logs has two categories:
Postmortem
Investigators perform postmortem of logs to detect something that has already occurred in a network/device and determine what it is.
Here, an investigator can go through the log files a number of times to examine and check the flow of previous runs. When compared to real-time analysis, it is an exhaustive process, since the investigators need to examine the attack in detail and give a final report.
Real-Time Analysis
Real-time analysis is an ongoing process, which returns results simultaneously, so that the system or operators can respond to the attacks immediately.
Real-time analysis is an analysis done for the ongoing process. This analysis will be more effective if the investigators/administrators detect the attack quickly. In this analysis, the investigator can go through the log files only once to evaluate the attack, unlike postmortem analysis.
Network Vulnerabilities
The massive technological advances in networking have also led to a rapid increase in the complexity and vulnerabilities of networks. The only thing that a user can do is minimize these vulnerabilities, since the complete removal of the vulnerabilities is not possible. There are various internal and external factors that make a network vulnerable.
Internal network vulnerabilities
Internal network vulnerabilities occur due to the overextension of bandwidth and bottlenecks.
- Overextension of bandwidth: Overextension of bandwidth occurs when user need exceeds total resources.
- Bottlenecks: Bottlenecks usually occur when user need exceeds resources in particular network sectors.
The network management systems direct these problems and software to the log or other management solutions. System administrators examine these systems and identify the location of network slowdowns. Using this information, they reroute the traffic within the network architecture to increase the speed and functionality of the network.
External network vulnerabilities
External network vulnerabilities occur due to threats such as DoS/DDoS attacks and network data interception. DoS and DDoS attacks result from one or numerous attacks. These attacks are responsible for slowing down or disabling the network and are considered as one of the most serious threats that a network faces. To minimize this attack, use network performance monitoring tools that alert the user or the administrator about an attack.
Data interception is a common vulnerability among LANs and WLANs. In this type of attack, an attacker infiltrates a secure session and thus monitors or edits the network data to access or edit the network operation. In order to minimize these attacks, the user or administrator needs to apply user authentication systems and firewalls to restrict unauthorized users from accessing the network.
Also Read : Mac Forensics
Network Attacks
Most common attacks against networks:
1. Eavesdropping
Eavesdropping is a technique used in intercepting the unsecured connections in order to steal personal information, which is illegal.
2. Data Modification
Once the intruder gets access to sensitive information, his or her first step is to alter the data. This problem is referred to as a data modification attack.
3. IP Address Spoofing
IP spoofing is a technique used to gain unauthorized access to a computer. Here, the attacker sends messages to the computer with an IP address that indicates the messages are coming from a trusted host.
4. Denial of Service (DoS)
In a DoS attack, the attacker floods the target with huge amount of invalid traffic, thereby leading to exhaustion of the resources available on the target. The target then stops responding to further incoming requests, thereby leading to denial of service to the legitimate users.
5. Man-in-the-Middle Attack
In man-in-the-middle attacks, the attacker makes independent connections with the users/victims and relays messages between them, making them believe that their conversation is direct.
6. Packet Sniffing
Sniffing refers to the process of capturing traffic flowing through a network, with the aim of gaining sensitive information such as usernames and passwords and using them for illegitimate purposes. In the computer network, packet sniffer captures the network packets. Software tools known as Cain&Able are used to server this purpose.
7. Enumeration
Enumeration is the process of gathering information about a network that may help in an attacking the network. Attackers usually perform enumeration over the Internet. During enumeration, the following information is collected:
- Topology of the network
- List of live hosts
- Architecture and the kind of traffic (for example, TCP, UDP, IPX)
- Potential vulnerabilities in host systems
8. Session Hijacking
A session hijacking attack refers to the exploitation of a session-token generation mechanism or token security controls, such that the attacker can establish an unauthorized connection with a target server.
9. Buffer Overflow
Buffers have data storage capacity. If the data count exceeds the original capacity of a buffer, then buffer overflow occurs. To maintain finite data, it is necessary to develop buffers that can direct additional information when they need. The extra information may overflow into neighboring buffers, destroying or overwriting the legal data.
10. Email Infection
This attack uses emails as a means to attack a network. Email spamming and other means are used to flood a network and cause a DoS attack.
11. Malware Attacks
Malware is a kind of malicious code or software designed to damage the system. Attackers try to install the malware on the targeted system; once the user installs it, it damages the system.
12. Password-based attacks
Password-based attack is a process where the attacker performs numerous login attempts on a system or an application to duplicate the valid login and gain access to it.
13. Router attacks
It is the process of an attacker attempting to compromise the router and gaining access to it.
Read More : https://info-savvy.com/understand-the-importance-of-network-forensics/
---------------------------------------------------------------------------------------------------------------
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
Really nice and informative..I found this blog very useful.for any ISO related queryiso-22000-2018-lead-auditor-training
ReplyDeleteReally nice and informative..I found this blog very useful.for any ISO related queryiso-22301-lead-auditor-training
ReplyDeleteThanks you for sharing this unique useful information content with us. Really awesome work... ISO 45001 Certification Qatar
ReplyDeleteWow, so amazing reasons that you have shared here & this will be must helpful for all. CE Certification
ReplyDeleteWow, so amazing reasons that you have shared here & this will be must helpful for all. ISO 22301 Certification
ReplyDeleteThank you for providing me with such valuable information. ISO 22301 Lead Auditor Training
ReplyDelete