Introduction to Network Forensics

How to complete Content Questions

 

Review questions are also provided at the end of the tutorial. The following is an example of the review question format. Type the answer in the grey or colored box provided.

 

  1. What is the purpose of a partitioned data set? Answer:

It’s a set of data with many members, each of which contains a different sub-set of data; it can be used to hold medical records, insurance records, or any other records used by the program that runs it.

 

Type in the answer to the question into the grey or colored box.

 

It is recommended that you use the Table of Contents at the beginning of the tutorial to review and navigate to the concept presented in each review question. Students will find that the document FIND tool or a GOOGLE search may also be valuable for researching the answer.

 

 

 

You MUST type or paste your answer in the box or table area provided, else you will receive ZERO credit.  Simply position the cursor inside box or table and type or paste your answer.

 

 

 

 

1.0 Introduction to Network Forensics

1.1 What is Network Forensics?

Network forensics is a sub-branch of digital forensics concerned with the lawful capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. Simson Garfinkel has classified two types of network forensics systems.

 

  • “Catch-it-as-you-can” systems – all packets passing through a certain traffic point are captured and written to storage, with analysis done subsequently in batch mode. This approach requires large amounts of storage, usually a RAID system.

 

  • “Stop, look and listen” systems – each packet is analyzed in a rudimentary way in memory and only certain information (for example, the addresses, ports, packet counts and byte counts of each flow) is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

 

1.2 End-to-end Forensic Investigations

 

End-to-end forensic investigations attempt to track all elements of an attack, including:

  • Who started the attack, how, and with what tools, including the source computer and operating system of the malicious origin.
  • What was the network origin, the path through intermediate network devices (e.g., switches, routers, firewalls, DHCP, DNS and IDS), and the network destination of the compromised system?
  • What network protocols were used to transmit data between the origin computer, each intermediate network link, and the attacked device?
  • What were the results or outcomes of the attack?
  • What were the data types of the malicious payload and of the data compromised? Examples include text, binary, image, voice, audio and other; encrypted or non-encrypted.
  • What security precautions were in place during the attack?

 

 

 

1.3 Data-link and physical layer (Ethernet Evidence)

 

Text Link – What is Network Forensics?

https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/digital-forensics/network-forensics-analysis-and-examination-steps/#gref

 

At this layer, evidence is gathered by eavesdropping on the bit stream at the Ethernet (data link) layer of the OSI model. This is done with monitoring tools or sniffers such as Wireshark or tcpdump, both of which capture traffic from a network interface placed in promiscuous mode. These tools let the investigator filter traffic and reconstruct files and attachments transmitted over the network. Protocols at this layer, such as the Address Resolution Protocol (ARP), can be examined, as can any higher-level protocol carried in the frames. Encryption limits this: an encrypted payload cannot be reconstructed, although the headers, endpoints, timing and volume remain visible, and an unexpected encrypted connection may itself be a reason to treat a host as suspicious, since an attacker uses encryption to keep the connection from being read. The main disadvantage of full capture is the large storage capacity it requires.

 

What type of Identity forensic evidence is provided at the Data Link Layer?   

 

  • An 802.x MAC (Media Access Control) address is a 48-bit physical network address that identifies a network interface connected to a network. This applies to all types of network interface, including Ethernet and WiFi cards. Whatever the higher-level protocol, every frame on a link must eventually be delivered to a MAC address. Note that a MAC address is only meaningful on the local link: a router strips the Ethernet header and rewrites the source and destination MAC addresses as it forwards the packet, so a capture taken beyond the first router shows the router’s MAC, not the originating host’s.

 

  • Even though the MAC address is burned into the physical network interface, it can be changed logically by the operating system, i.e., spoofed. The usual motives are bypassing a MAC address filter on a modem, router or firewall, or masking identity. Changing the MAC address can bypass such restrictions by emulating an unrestricted MAC address or by spoofing one that is already authorized.

 

  • MAC spoofing has limits. Unless the intermediate network devices cooperate with the modified address, a frame or packet may be delivered but no reply will come back to the real sender. That is sufficient if the objective is only to conduct a denial-of-service (DoS or DDoS) attack or simply to deliver malware. However, once a key-logging program has been delivered, a valid return path (TCP port number, IP address and, on the local link, MAC address) must be available for the captured data to be sent back, typically from a previously delivered configuration file stored on the victim’s computer. That configuration file is itself evidence of where the data was meant to go.

 

Change or Spoof a MAC Address in Windows or OS X – https://www.online-tech-tips.com/computer-tips/how-to-change-mac-address/

 

Does the MAC address of Data Link Layer provide the user identity who is using the MAC address?    

 

The simple answer is: not necessarily. Many different types of network, operating system and organizational logs are available for collecting forensic evidence. For example, a malicious user may claim that another user used their computer during an attack. Multiple logs recorded by different network devices can be correlated to reconstruct the attack scenario. Consider the following general forensic words of wisdom.

 

  1. No single log or other source of forensic data provides sufficient evidence for a forensic conclusion; multiple logs or data collection methods are normally required to prove a malicious event beyond a reasonable doubt.

 

  2. To use multiple sources of forensic data: a) the timestamps of the sources must be correlated for the period of the event (which assumes the sources keep synchronized clocks, e.g., via NTP, or that the offset between them is known), b) the chain of custody from the time of the event to the determination must be maintained, c) each source must be a record kept in the regular course of business, and d) the accuracy and integrity of each source must be attested by a qualified witness or another commonly accepted methodology.

 

  3. Challenges of using multiple sources of forensic data include different and proprietary evidence formats, sources with incomplete or missing evidence, and gaps in the chain of evidence.

 

It was stated above that the MAC address assigned to a suspicious user’s computer does not by itself confirm the user’s identity. However, consider the following additional sources of forensic evidence:

 

  • The expected user swiped his or her organization identity card at the security system for his or her office minutes before the user’s computer was turned on and requested that the DHCP server dynamically assign an IP address to the computer’s MAC address.

 

  • The DHCP server logged the date and time at which the physical MAC address was given its IP address. (The DHCP log records whatever MAC the client presented, so a spoofed MAC appears in the log as well; it is the correlation with the badge and logon records that ties the lease to a person.)

 

  • Minutes after the computer was assigned an IP address, the user successfully logged on to the server operating system, and the OS logon recorded the MAC and IP address together with the authentication data.
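To make the correlation concrete, here is an added Python example (it is not code from the tutorial; the log lines, names, badge numbers and addresses are all constructed for the example, and the DHCP lines only imitate the ISC dhcpd “DHCPACK” line format). It joins the three sources by IP, MAC, user and time and reports whether the badge record corroborates or contradicts the network identity; the second query shows the case where the MAC and logon look fine but the badge system says the user had already left the building.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs for the worked example (not from any real system).
# All three sources are assumed to share one NTP-synchronised clock; `skew`
# below tolerates small differences.
BADGE_LOG = """\
2019-03-04 08:02:11 badge=4471 user=rsmith door=B-214-IN result=GRANTED
2019-03-04 13:31:50 badge=4471 user=rsmith door=LOBBY-OUT result=GRANTED
"""
DHCP_LOG = """\
2019-03-04 08:05:40 DHCPACK on 10.1.5.23 to 3c:52:82:aa:bb:cc (WS-RSMITH) via eth0
2019-03-04 13:40:12 DHCPACK on 10.1.5.23 to 3c:52:82:aa:bb:cc (WS-RSMITH) via eth0
"""
LOGON_LOG = """\
2019-03-04 08:07:02 logon user=rsmith src_ip=10.1.5.23 result=SUCCESS
2019-03-04 13:41:05 logon user=rsmith src_ip=10.1.5.23 result=SUCCESS
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
BADGE_RE = re.compile(TS + r" badge=(?P<badge>\w+) user=(?P<user>\w+) door=(?P<door>[\w-]+) result=(?P<result>\w+)")
DHCP_RE = re.compile(TS + r" DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]*)\)")
LOGON_RE = re.compile(TS + r" logon user=(?P<user>\w+) src_ip=(?P<ip>[\d.]+) result=(?P<result>\w+)")


def parse(log, pattern):
    """Turn each log line into a dict with a datetime under 'ts'; skip lines that do not parse."""
    events = []
    for line in log.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def latest_before(events, when, **match):
    """Most recent event at or before `when` whose fields equal `match`."""
    hits = [e for e in events if e["ts"] <= when and all(e.get(k) == v for k, v in match.items())]
    return hits[-1] if hits else None


def attribute(ip, when, skew=timedelta(seconds=60), window=timedelta(hours=8)):
    """Build the evidence chain for activity seen from `ip` at time `when`.

    The DHCP lease gives the MAC, the OS logon gives the user, and the badge
    system says whether that user was physically present. The records must
    line up in time: lease, then logon, then the activity, all inside `window`."""
    if isinstance(when, str):
        when = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    lease = latest_before(parse(DHCP_LOG, DHCP_RE), when + skew, ip=ip)
    logon = latest_before(parse(LOGON_LOG, LOGON_RE), when + skew, ip=ip, result="SUCCESS")
    if lease is None or logon is None:
        return {"ip": ip, "mac": None, "user": None, "verdict": "insufficient evidence"}
    badge = latest_before(parse(BADGE_LOG, BADGE_RE), when + skew, user=logon["user"], result="GRANTED")
    # Present only if the last badge event is an entry, not an exit ("-OUT") door.
    present = badge is not None and not badge["door"].endswith("-OUT")
    ordered = lease["ts"] - skew <= logon["ts"] <= when + skew and when - lease["ts"] <= window
    verdict = "corroborated" if present and ordered else "contradicted"
    return {"ip": ip, "mac": lease["mac"], "host": lease["host"], "user": logon["user"],
            "badge_present": present, "verdict": verdict}


if __name__ == "__main__":
    for t in ("2019-03-04 08:10:00", "2019-03-04 13:45:00"):
        print(t, attribute("10.1.5.23", t))
```

The verdict is deliberately only “corroborated” or “contradicted”: a contradicted chain does not prove the user is innocent (the badge could have been lent, or the exit door mis-logged), it shows where the next piece of evidence has to come from.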

 

1.4 Transport and network layer (TCP/IP Evidence)

 

Forensic methods are also applied at the network layer. The network layer provides routing information, based on the routing tables present on all routers, and also provides authentication log evidence. Investigating this information helps identify compromised packets, determine the source, and reverse-trace the route the data took.

 

What type of Identity forensic evidence is provided at the IP Layer?   

 

An IP address is a logical network identity assigned to one network interface; it is either configured manually, assigned automatically by the operating system (for example a link-local address), or assigned dynamically by a DHCP server.

 

  • Domain names are symbolic names that resolve to IP addresses.
  • Within a network, an IP address may be assigned to only one device; however, a device may be assigned more than one IP address and may listen for traffic on all of them.
  • A server may be identified by one or more IP addresses by installing more than one physical or logical network interface. For example, most routers have multiple network connections, each with its own unique IP address.
  • An IP address can easily be spoofed or impersonated.
  • Private IP addresses are not routable on the public Internet; a public IP address and port number are substituted for them by NAT (Network Address Translation) or PAT (Port Address Translation).
  • The substitution of the public address by NAT or PAT can be logged by the device performing it, and that log is what links a public address and port seen outside to the internal host.

 

 

 

What type Identity forensic evidence is provided at the TCP Layer?   

 

While an IP address provides a logical network identity for a network device or computer, a TCP port number represents a logical application identity for a process on that device. IP addresses represent devices; port numbers represent applications. A TCP connection is identified by the pair of IP addresses together with the pair of port numbers.

 

Port numbers 0 through 1023 are the well-known ports. For example, the port number commonly assigned to an HTTP (web) server is 80. Assigning port 80 to a web server is NOT required, so a service found on an unusual port is a reason to examine the payload rather than trust the port number.
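As an added worked example (not code from the tutorial or from any of the tools it names), the following Python parses the layers discussed in sections 1.3 and 1.4 out of raw frame bytes, reduces the packets to per-flow records in the “stop, look and listen” style of section 1.1, and flags a source whose half-open TCP flows touch many distinct ports, which is what a SYN scan looks like in such records. The addresses and the capture are constructed inline for the example, and checksums are left at zero, which a real capture would not show.

```python
import struct
from collections import defaultdict


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Decode an Ethernet II frame down to the TCP/UDP header.

    Returns a dict of the evidence each layer carries (MACs, IPs, TTL, ports,
    flags, payload), or None if the bytes are too short to be a valid frame.
    Non-IPv4 frames (e.g. ARP, EtherType 0x0806) stop after the Ethernet header."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    rec = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:
        return rec
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    rec.update(src_ip=ip_str(s), dst_ip=ip_str(d), ttl=ttl, proto=proto)
    l4 = ip[ihl:min(total_len, len(ip))]
    if proto == 6 and len(l4) >= 20:                      # TCP
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_off = (off_flags >> 12) * 4
        rec.update(sport=sport, dport=dport, flags=off_flags & 0x1FF, payload=l4[data_off:])
    elif proto == 17 and len(l4) >= 8:                    # UDP
        sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
        rec.update(sport=sport, dport=dport, payload=l4[8:ulen])
    return rec


def flow_records(frames):
    """'Stop, look and listen' summary: one small record per 5-tuple instead of every packet."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn_only": True})
    for frame in frames:
        p = parse_frame(frame)
        if not p or "sport" not in p:
            continue
        rec = flows[(p["src_ip"], p["sport"], p["dst_ip"], p["dport"], p["proto"])]
        rec["packets"] += 1
        rec["bytes"] += len(frame)
        # A flow stays "SYN only" while every packet in it is a bare SYN (SYN set, ACK clear).
        if p["proto"] != 6 or p["flags"] & 0x12 != 0x02:
            rec["syn_only"] = False
    return dict(flows)


def scan_suspects(flows, min_ports=10):
    """Sources whose half-open TCP flows touch at least `min_ports` distinct destination ports."""
    targets = defaultdict(set)
    for (src, _sport, dst, dport, proto), rec in flows.items():
        if proto == 6 and rec["syn_only"]:
            targets[src].add((dst, dport))
    return {src for src, ports in targets.items() if len(ports) >= min_ports}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed test traffic: minimal Ethernet II / IPv4 / TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip_hdr + tcp


# Constructed sample capture (hypothetical addresses): an ARP broadcast, one normal
# web request from ALICE, and a SYN sweep of twelve ports from MALLORY.
SERVER = ("00:1c:42:00:00:01", "10.1.5.10")
ALICE = ("3c:52:82:aa:bb:cc", "10.1.5.23")
MALLORY = ("00:0c:29:de:ad:01", "10.1.5.77")
SYN, SYN_ACK, PSH_ACK = 0x02, 0x12, 0x18
ARP_FRAME = bytes.fromhex("ffffffffffff" + ALICE[0].replace(":", "") + "0806") + b"\x00" * 28
SAMPLE_CAPTURE = [
    ARP_FRAME,
    build_frame(ALICE[0], SERVER[0], ALICE[1], SERVER[1], 51514, 80, SYN),
    build_frame(SERVER[0], ALICE[0], SERVER[1], ALICE[1], 80, 51514, SYN_ACK),
    build_frame(ALICE[0], SERVER[0], ALICE[1], SERVER[1], 51514, 80, PSH_ACK,
                b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
] + [build_frame(MALLORY[0], SERVER[0], MALLORY[1], SERVER[1], 40000 + i, port, SYN)
     for i, port in enumerate((21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080))]

if __name__ == "__main__":
    for f in SAMPLE_CAPTURE[:4]:
        print(parse_frame(f))
    flows = flow_records(SAMPLE_CAPTURE)
    print(len(SAMPLE_CAPTURE), "frames ->", len(flows), "flow records; scan suspects:", scan_suspects(flows))
```

The source MAC in the flagged flows identifies MALLORY’s interface only because the sample capture is taken on her own segment; as noted in section 1.3, the same frames captured beyond a router would carry the router’s MAC, while the IP addresses and ports survive the hop.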

 

1.5 Application Layer Evidence

 

A client application, e.g., a network browser, will transmit data or information to and from a server application, e.g., a web server. The application layer provides commands instructing each application 1) what service is being requested or to be performed, and 2) information about the format or structure of data to be processed.

 

For example, assume a browser (client) requests a web page from a web server: the identity (URL path) of the page to be delivered is specified in the data portion of the request. The web server then returns the page to the client formatted as an HTML document, and the HTML document itself is stored in the data portion of the response.

 

Every network or business application requires client and server applications that agree on 1) the commands used to control the flow of data, 2) the commands that identify the format and structure of the data to be transferred, and 3) the actual data transmitted.

 

Each network or business application server normally provides a log that contains considerable network forensic information, authentication information, and application server control information. HTTP (web), SMTP (email), FTP (file transfer) and SSH (Secure Shell) servers, firewalls and IDSs each support their own customizable log.
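As an added example of what an application log adds to packet-level evidence (not code from the tutorial or from the Apache project), this Python parses web server access-log lines in the common “combined” format, which records the authenticated user name that no packet header carries, summarizes activity per client and flags a client that hits many non-existent paths in a short burst or announces a scanner user agent. The log lines and addresses are constructed for the example.

```python
import re
from datetime import datetime

# Constructed access-log lines in Apache/NGINX "combined" format (not from a real server).
ACCESS_LOG = """\
10.1.5.23 - rsmith [04/Mar/2019:08:12:01 -0500] "GET /intranet/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.1.5.23 - rsmith [04/Mar/2019:08:12:03 -0500] "GET /intranet/style.css HTTP/1.1" 200 812 "http://intranet/intranet/index.html" "Mozilla/5.0"
10.1.5.23 - rsmith [04/Mar/2019:08:15:40 -0500] "POST /intranet/timesheet HTTP/1.1" 302 0 "http://intranet/intranet/index.html" "Mozilla/5.0"
10.1.5.77 - - [04/Mar/2019:13:44:10 -0500] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
10.1.5.77 - - [04/Mar/2019:13:44:10 -0500] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
10.1.5.77 - - [04/Mar/2019:13:44:11 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
10.1.5.77 - - [04/Mar/2019:13:44:11 -0500] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
10.1.5.77 - - [04/Mar/2019:13:44:12 -0500] "GET /.git/HEAD HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
10.1.5.77 - - [04/Mar/2019:13:44:12 -0500] "GET /.env HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
10.1.5.77 - - [04/Mar/2019:13:44:13 -0500] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
10.1.5.77 - - [04/Mar/2019:13:44:18 -0500] "GET /cgi-bin/test-cgi HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
"""

# client ident user [timestamp] "method path protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def parse_line(line):
    """One log line -> dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def client_summary(log_text):
    """Per-client view: request count, 404 count, paths, users, agents, first/last time."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = summary.setdefault(rec["ip"], {"requests": 0, "not_found": 0, "paths": set(), "users": set(),
                                            "agents": set(), "first": rec["ts"], "last": rec["ts"]})
        c["requests"] += 1
        if rec["status"] == 404:
            c["not_found"] += 1
        c["paths"].add(rec["path"])
        c["agents"].add(rec["ua"])
        if rec["user"]:
            c["users"].add(rec["user"])
        c["first"] = min(c["first"], rec["ts"])
        c["last"] = max(c["last"], rec["ts"])
    return summary


def flag_scanners(summary, min_not_found=5, max_span_seconds=60):
    """Clients that burst many 404s in a short window, or that self-identify as a scanner."""
    flagged = set()
    for ip, c in summary.items():
        span = (c["last"] - c["first"]).total_seconds()
        burst = c["not_found"] >= min_not_found and span <= max_span_seconds
        known_scanner = any("nmap" in ua.lower() for ua in c["agents"])
        if burst or known_scanner:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    summary = client_summary(ACCESS_LOG)
    for ip, c in summary.items():
        print(ip, c["requests"], "requests,", c["not_found"], "x 404, users:", c["users"])
    print("scan-like clients:", flag_scanners(summary))
```

The user-agent check is the weaker of the two signals, since a scanner can send any string it likes; the 404 burst is behavioral and survives a spoofed agent, which is why the function tests both.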

 

 

 

1.6 Packet Sniffers and Protocol Analyzers

 

1.6.1 Introduction to Packet Sniffers and Protocol Analyzers

Packet sniffers, or protocol analyzers, are tools commonly used by network technicians to diagnose network-related problems. Packet sniffers can also be used by attackers for less noble purposes, such as spying on network users’ traffic and collecting passwords. Packet sniffers work by intercepting and logging the network traffic they can ‘see’ via the wired or wireless network interface that the sniffing software has access to on its host computer.

 

On a wired network, what can be captured depends on the structure of the network. A packet sniffer might be able to see traffic on an entire network or only a certain segment of it, depending on how the network switches are configured, placed, etc. On wireless networks, packet sniffers can usually only capture one channel at a time unless the host computer has multiple wireless interfaces that allow for multichannel capture.

 

Once the raw packet data is captured, packet sniffing software must analyze it and present it in human-readable form so that the person using the packet sniffing software can make sense of it.

 

There are a variety of general software-based packet sniffing and protocol analyzer tools, such as Wireshark, tshark and tcpdump. Packet sniffing and protocol analysis algorithms are also built into almost every network device, e.g., switches, routers and intrusion detection systems.

 

1.6.2 Antisniff

 

If you are a network technician or administrator and want to see whether anyone on your network is using a sniffer, look at a tool called Antisniff (originally released by L0pht Heavy Industries). Antisniff attempts to detect whether a network interface on your segment has been put into ‘promiscuous mode’, the mode required for packet capture, by observing how hosts respond to specially crafted packets. Such detection is heuristic and only works on the local segment; a passive tap or a switch SPAN port feeding a capture box cannot be detected this way.

 

1.6.3 Protecting Network Traffic from Packet Sniffers

To protect your network traffic from being sniffed, use encryption such as Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). Encryption does not prevent a packet sniffer from seeing source and destination addresses, port numbers, packet sizes and timing, but it encrypts the packet’s payload so that all the sniffer sees there is ciphertext. Any attempt to modify or inject data into the packets would fail, because TLS authenticates every record and the receiving end rejects records that do not verify.

 

 

1.6.4 Limitations of Using Packet Sniffing Forensic Evidence

 

  • Given the volume of network packet data, it is difficult to store raw packets or convert them to a log format. To be analyzed, packet data is held temporarily in a memory buffer that fills in a few seconds. Even when packet data is written to a storage device, the retention period may be hours or days, and rarely more than a week.

 

  • Sophisticated archival storage policies are required to store raw packet data; there is far less data if only the network headers are stored and not the payloads.

 

  • Given the processing demand of packet analysis, a denial-of-service attack may overwhelm the ability to process or store network packet evidence.

 

  • An intrusion detection system does not attempt to analyze every received packet in depth; it attempts to determine whether a packet contains suspicious content (a signature) or whether a sequence of packets exhibits a particular pattern of behavior. IDS analysis is maturing toward artificial intelligence and machine learning algorithms that take dynamic action to protect the system and collect detailed network forensic data.

 

1.7 Network Buffer Analysis Evidence

 

As stated previously, packet data is held temporarily in a memory buffer that fills in a few seconds. In addition to packet data, the memory buffer holds the execution state used by the protocol or intrusion detection analyzer. In simple terms, when the IDS declares an alert it dumps or stores the complete buffer, which contains all the network and analysis evidence at that critical moment, and the buffer contents show WHY the analyzer raised the alert.

 

1.8 Penetration Testing (Ethical Hacking), Network Forensics, and Cyber Security

 

Penetration Testing is NOT Network Forensics, but they are related.  Let us review a definition of a penetration test.

 

A penetration test, colloquially known as a pen test, is an authorized simulated cyber- attack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.

 

Kali Linux includes many open-source (free) penetration testing tools. Its emphasis is offensive, however: it provides comparatively few log analysis or other forensic tools.

 

Many cyber security and forensics majors have used the nmap command. Nmap, short for Network Mapper, is a free, open-source tool for network discovery and security auditing. Network administrators use Nmap to identify which devices are on their networks, discover the hosts that are available and the services they offer, find open ports and detect security risks.

 

Nmap does not provide the details of network and application protocols, and it does not analyze or report on network forensic logs or raw packet data. But an nmap scan generates an unusually large number of packets, so 1) students can review and learn from the log data an nmap scan produces, and 2) a network forensic plan can be tested to learn whether the collection and logging procedures capture sufficient network forensic data.

 

Nmap does not provide evidence sufficient to test application or business logs and procedures, but it is a great tool for generating data from which to learn network forensics.

 

 

1.9 Questions – Network Forensics

 

Chapter 1: Practical Investigation Strategies – Network Forensics: Tracking Hackers through Cyberspace

 

Blackboard – Unit 1 Network Forensics, Digital Evidence, and OSCAR 

 

Many of the following questions will be answered by Unit 1.

 

What is Network forensics? – https://en.wikipedia.org/wiki/Network_forensics

Network Forensics – http://searchsecurity.techtarget.com/definition/network-forensics

Why Use Network Forensics? – https://www.netfort.com/blog/the-three-primary-use-cases-for-network-forensics/

Video- Network Forensics – https://www.youtube.com/watch?v=9_u1eriQtSY

Video – What Is Network Forensics? – https://www.youtube.com/watch?v=UjSyHiTauQs

Tools:Network Forensics –  http://forensicswiki.org/wiki/Tools:Network_Forensics

 

 

 

  1. Define Network Forensics. Answer:

It’s a sub-branch of digital forensics that involves analyzing and monitoring network traffic on a computer with the aim of gathering information, detecting intruders into the network, and collecting legal evidence. It basically deals with dynamic and volatile information, unlike other branches of digital forensics.

 

 

 

 

 

  2. Describe several characteristics of the “Catch-it-as-you-can” network forensics system model. Answer:

 

  1. Analysis of the data is done subsequently.
  2. All data passing through a certain traffic point is captured.
  3. This model requires an enormous amount of storage.

 

 

 

 

  3. Describe several characteristics of the “Stop, look and listen” network forensics system model. Answer:

 

  1. Packets of data are analyzed in memory.
  2. Only certain information is stored for future analysis.
  3. It requires less storage but a faster processor.

 

 

  4. List and describe at least 5 forensic activities that are common to end-to-end forensic investigations. Answer:

1. The origin of the attack, that is, the computer and operating system from which the malicious activity originated.

2. The network origin of the attack, the path that the malicious traffic took, and finally its network destination.

3. The end results of the attack, or rather what came forth after the attack.

4. The types of data that were compromised by the attack, e.g., records, images, encrypted and decrypted information.

5. The security precautions that were in place when the attack took place.

 

  5. The following table lists three popular categories used for network forensic evidence. Describe each category and list three or more examples of forensic activities for each.

Category for the use of Network Forensic Evidence | Description | Examples of Forensic Activities
Security and compliance | |
Operational intelligence | |
Customer insights | |

 

 

 

 

 

 

 

  6. Hackers have compromised a targeted system, including its operating system and network logs. The operating system logs do not provide evidence of this hack. How can network forensics overcome this challenge? List a second popular tool employed in network forensic evidence. Answer:

 

 

 

 

 

  7. List three or more differences between computer forensic analysis and network forensic analysis. Answer:

 

 

 

 

 

 

 

 

1.10 Questions – Network Forensic Investigation Methodology OSCAR

 

  1. Chapter 1: Practical Investigation Strategies – Network Forensics: Tracking Hackers through Cyberspace and Blackboard provide a detailed Network Forensic Investigation Methodology using the acronym OSCAR. List five or more investigation guidelines, using the following table, for each phase of the OSCAR investigation methodology.

 

OSCAR Investigation Methodology | Investigation guidelines
Obtain Incident Information |
Obtain Environment Information |
Strategize or plan for the investigation |
Collect Evidence |
Analyze Evidence |
Forensic Report |

 

 

 

 

 

 

Chapter 1: Practical Investigation Strategies – Network Forensics: Tracking Hackers through Cyberspace provides the following three real-world cases.

 

1) The Hospital Laptop Goes Missing – Student’s Last Name starts with R through Z

2) Catching a Corporate Pirate – Student’s Last Name starts with A through K

3) Hack a Government Server – Student’s Last Name starts with L through Q

 

While all three real-world cases are excellent examples that you are highly recommended to read, you are only required to complete one of the three cases, based on the first letter of your last name, for the following two requirements. For example, if your last name is Jones, you are assigned the Catching a Corporate Pirate case.

 

  2. Carefully read your assigned case and assign each DETAILED procedure or piece of evidence presented in it to the appropriate OSCAR investigation phase. The objective of this question is to ORGANIZE the details of your assigned case and compare them to the appropriate OSCAR phase. Do not worry if the case procedures do NOT exactly match the OSCAR methodology; rather, focus on the details of the case’s network forensic procedures.

 

OSCAR Investigation Methodology Phase | Investigation Procedure or Evidence of the Case
Obtain Incident Information |
Obtain Environment Information |
Strategize or plan for the investigation |
Collect Evidence |
Analyze Evidence |

 

 

 

 

 

 

1.11 Questions – Network Forensic Report – Hospital Laptop Goes Missing Case

 

 

Consider the following Structure of a Network Forensic Report outline.

 

  1. Brief summary of background information and potential risks
  2. Tools used in the investigation process, including their purpose and any underlying assumptions associated with the tool
  3. Evidence Item #1
     a. Summary of evidence found
     b. Analysis of relevant portions
     Repetition of the above steps for other evidence items (which may include other computers, mobile devices, etc.)
  4. Findings or Results
  5. Recommendations

 

Review the Hospital Laptop goes missing case in Chapter 1 of your text. 

 

  1. Provide a summary of the security problems arising from a stolen laptop and its potential risks.

 

 

 

 

 


 

 

  2. List the five (5) important questions that a forensic investigation will need to answer.

 

 

 

 

 


 

 

  3. Describe, not just list, three sources of forensic evidence and procedures which investigators should perform to determine the time the laptop went missing.

 

 

 

 

 


 

 

 

 

  4. Describe, not just list, sources of forensic evidence and procedures which investigators should perform to determine the names of patients and their medical data which may have been compromised.

 

 

 

 

 


 

 

 

  5. Describe, not just list, sources of forensic evidence and procedures which investigators should perform to determine if the thief gained further access to other sensitive data using the doctor’s credentials after the laptop was stolen.

 

 

 

 

 


 

 

  6. Describe, not just list, the recommended security precautions that should be implemented to protect the hospital from stolen laptops in the future.

 

 

 

 

 


 

 

 

 

1.12 Questions – Network Forensic Report – Case – Hacked Government Server

 

Review the Hacked Government Server case in Chapter 1 of your text. 

 

  1. Provide a summary of the security problems of a rootkit found on a non-confidential data server and its potential risks.

 

 

 

 

 


 

 

  2. List the four (4) important questions that a forensic investigation will need to answer.

 

 

 

 

 


 

 

  3. The local authentication log had been deleted. Describe two sources of forensic evidence and procedures which investigators should perform to determine whether the server in question has been compromised and the date and time when it may have been compromised.

 

 

 

 

 


 

 

  4. Describe the sources of forensic evidence and procedures which investigators should perform to determine if other servers had been compromised.

 

 

 

 

 


 

 

  5. Describe, not just list, the recommended security precautions that should be implemented to protect the breached system from being compromised in the future.

 

 

 

 

 


 

 

 

The Use and Administration of Shared Accounts – https://www.sans.org/reading-room/whitepapers/basics/administration-shared-accounts-1271

Understanding Shared Account Password Management – https://technet.microsoft.com/en-us/library/2008.09.passwords.aspx

 

  6. The case study deleted the old administrator account, but the solution did not clearly address the problem that all servers on the local subnet had the same administrative account names and passwords. What security precautions would you recommend be implemented?

 

 

 

 

 


 

 

 

 

 

 

 

2.0 Concepts of Digital Evidence

 

Chapter 1: Practical Investigation Strategies – Network Forensics: Tracking Hackers through Cyberspace

 

Blackboard – Unit 1 Network Forensics, Digital Evidence, and OSCAR 

 

2.1 Questions – Digital Evidence Concepts

 

  1. Define or explain each digital evidence concept and provide one or more examples to apply the concept to Network Forensics using the following table.
Digital Evidence Concept | Definition or Explanation | Examples applied to Network Forensics
Digital Evidence | |
Best Evidence Rule | |
Hearsay Evidence | |
Business Records | |
Real Evidence | |
Circumstantial Evidence | |
Chain of Custody | |

 

 

 

 

 

 

 

 

 

 

2.2 Questions – Packet Sniffing and Network Surveillance

 

Computer and network surveillance – https://en.wikipedia.org/wiki/Computer_and_network_surveillance

 

What Are the Best Network Forensics and Data Capture Tools? – https://securityintelligence.com/what-are-the-best-network-forensics-and-data-capture-tools/

How network forensics analysis tools turn admins into detectives – http://searchsecurity.techtarget.com/feature/How-network-forensics-analysis-tools-turn-admins-into-detectives

 

NetworkMiner – http://www.netresec.com/?page=NetworkMiner

 

Network Monitor Freemium – Identify Emerging Threats on Your Network in Real Time – https://logrhythm.com/network-monitor-freemium/

Password Sniffer Console – http://securityxploded.com/password-sniffer-console.php

Mail Password Sniffer – http://securityxploded.com/mail-password-sniffer.php

Xplico – https://en.wikipedia.org/wiki/Xplico

Xplico – http://www.xplico.org/

Video – Network Forensic: Packets Reassembly using Xplico – https://www.youtube.com/watch?v=Pa8Me-03kIQ

Video – Network Forensic: Packets Reassembly using NetworkMiner – https://www.youtube.com/watch?v=ITpaR4vB6MY

Video – Introduction to Network Miner Tutorial – https://www.youtube.com/watch?v=7CysHUdkKeY

Video – Network Miner – Free Edition – https://www.youtube.com/watch?v=rwZTc5LXX9Y

 

  1. List and explain at least four functions of Packet Sniffing and Protocol Analysis. Answer:

 

 

 

 

 

  2. Corporate network surveillance is a very common computer forensic activity. For an organization to avoid violating the privacy of its employees, the first requirement is to establish the business purpose of monitoring network forensic data. List 5 valid business reasons why a business or other organization may monitor network forensic data. Answer:

 

 

 

 

 

 

 

  3. The second requirement for avoiding any violation of employee privacy is to 1) determine the ownership of computer technology resources, and 2) notify employees of any policies on the use of their personal computers and network devices on the company’s network. If an employee uses a personal device to access Google from the company’s network, can the organization sniff the TCP/IP packets? Answer:

 

 

 

 

 

 

  4. Each TCP/IP packet has two major components: the packet header and the packet body. What type of data is stored in a TCP/IP packet header? Answer:

 

 

 

 

 

 

 

  5. What type of data is stored in a TCP/IP packet body? Answer:

 

 

 

 

 

 

 

 

  6. Explain the concept of Admissibility of Evidence. Answer:

 

 

 

 

 

 

 

 

  7. Assume that a network forensic investigator collects TCP/IP packet headers transmitted by non-employees from outside the organization’s network into the organization’s network. Explain why a search warrant may or may not be required. Answer:

 

 

 

 

 

 

 

  8. Assume that a network forensic investigator collects TCP/IP packet bodies transmitted by non-employees from outside the organization’s network into the organization’s network. Explain why a search warrant may or may not be required. Answer:

 

 

 

 

 

 

 

  9. The reliability of TCP/IP packet header forensic data may be questioned because of spoofing attacks that may falsify the MAC or IP address. What other computer or network forensic data may be used to authenticate a MAC or IP address? Answer:

 

 

 

 

 

 

 

 

  10. List three or more popular software-based packet sniffing and protocol analysis tools. Answer:

 

 

 

 

 

 

 

  11. Explain the function of the network forensic utility called Antisniff. Answer:

 

 

 

 

 

  12. List and explain two advantages, in relation to packet sniffing, of using encryption. Answer:

 

 

 

 

 

 

 

 

  13. List and explain the disadvantages, in relation to packet sniffing, of using encryption. Answer:

 

 

 

 

 

 

 

  14. List and explain at least three limitations of collecting network packets for use as forensic evidence. Answer:

 

 

 

 

 

 

 

 

  15. Explain the difference between collecting and analyzing network packet forensic data and analyzing the contents of a network device’s buffer memory as forensic evidence. Answer:

 

 

 

 

 

 

 

  16. Explain the difference between collecting and analyzing network packet forensic data and analyzing log data as forensic evidence. Answer:

 

 

 

 

 

 

 

 

 

 

  17. Explain the difference between collecting network packets as network forensic data and analyzing the buffer memory of network devices. Answer:

 

 

 

 

 

 

 

  18. Explain the role of packet sniffing and protocol analyzers as used in network firewalls. Answer:

 

 

 

 

 

 

 

  19. Explain the role of packet sniffing and protocol analyzers as used in intrusion detection systems. Answer:

 

 

 

 

 

 

 

 

  1. Explain the function of penetration testing in cyber security or forensic analysis. Answer:

 

 

 

 

 

 

 

  1. Explain the potential role of penetration testing in relationship to collecting and analyzing network packets and network logs. Answer:

 

 

 

 

 

 

 

 

 

3.0 TCP/IP – Internet Protocol Suite

 

Detailed knowledge of the TCP/IP protocols is critical.

 

3.1 Questions – Internet Protocol Suite Layers

 

Blackboard – Unit 2a Network and Application Protocols

Chapter 2: Technical Fundamentals – Network Forensics: Tracking Hackers through Cyberspace

 

Video – The TCP/IP Suite – 5.2 (Professor Messer) – https://www.youtube.com/watch?v=JCviqx8YjTQ&list=PLG49S3nxzAnnXcPUJbwikr2xAcmKljbnQ&index=151

Video – Common TCP and UDP Ports – 5.9 (Professor Messer) – https://www.youtube.com/watch?v=wqImYxaJZ2U&list=PLG49S3nxzAnnXcPUJbwikr2xAcmKljbnQ&index=163

Video – Application Ports and Protocols – 5.10 (Professor Messer) – https://www.youtube.com/watch?v=yBB2VKG1_X4&list=PLG49S3nxzAnnXcPUJbwikr2xAcmKljbnQ&index=164

What’s The Difference between the OSI Seven-Layer Network Model and TCP/IP? – http://electronicdesign.com/what-s-difference-between/what-s-difference-between-osi-seven-layer-network-model-and-tcpip

TCP/IP Protocol Architecture – https://technet.microsoft.com/en-us/library/cc958821.aspx

TCP/IP Protocols – http://www.tcpipguide.com/free/t_TCPIPProtocols.htm

 

  1. TCP/IP is called the Internet Protocol Suite because it represents a collection of network protocols that is used to transmit data across the Internet between one application and another application, e.g., your Internet browser communicating with a web server. Complete the following table with a reasonable amount of detail.

TCP/IP Layers       | Detailed List of Functions                                           | List of Relevant Protocols | Relationship to OSI Model Layer
--------------------|----------------------------------------------------------------------|----------------------------|--------------------------------
Application Layer   | Provides an interface between applications and network communication | e.g., HTTP, SMTP, more…    |
Transport Layer     |                                                                      |                            |
Network Layer       |                                                                      |                            |
Link Layer          |                                                                      |                            |

 

 

3.1.1 Forensic evidence provided by Application, TCP, IP and MAC Headers

 

TCP Headers and UDP Headers Explained

https://www.lifewire.com/tcp-headers-and-udp-headers-explained-817970

 

Video – Asher Dallas Lecture – Intro to Port Numbers and Network Firewalls –

https://www.youtube.com/watch?v=Ru_0NMiISFI

Video – TCP Header: Networking & TCP/IP Tutorial. TCP/IP Explained –

https://www.youtube.com/watch?v=M-zX_6FuFKg

Video – Common TCP and UDP Ports – CompTIA A+ 220-901 – 2.4 (Professor Messer)

https://www.youtube.com/watch?v=MTPTow2PTfY&t=69s

Video – Common Network Protocols – CompTIA A+ 220-901 – 2.4 (Professor Messer)

https://www.youtube.com/watch?v=xh7ekN1Vn4E&t=44s

Video – Ports & IP Addressing

IP Protocol Header Fundamentals –

https://www.thegeekstuff.com/2012/03/ip-protocol-header

IP header –

 

On Teaching TCP/IP Protocol Analysis to Computer Forensics Examiners – https://pdfs.semanticscholar.org/0aa8/f83ff9f0690f0461b04d8a75a3959e866939.pdf

 

 

Ethernet frame header – http://study-ccna.com/ethernet-frame/

MAC & IP addresses – http://study-ccna.com/mac-ip-addresses/

 

 

Each TCP/IP Layer contains a header that provides valuable network forensic evidence.

Source and destination TCP port numbers are stored in the TCP header. A port number is described as an endpoint for communications. An IP address identifies a host computer. But a host computer contains an operating system, which is managing and executing various applications, servers, daemons or subsystems. Therefore, a TCP port number identifies a program that is running at that IP address. In a multitasking or multiprocessing operating system, the host at one IP address is often running many programs at once.

 

For example, your server located at IP address 101.3.4.56 is running a web server, for example Apache. Apache normally listens on port 80. Your computer may be assigned IP address 193.66.45.25, and your browser wants to communicate with the web server located at IP address 101.3.4.56. We probably know the port number of the web server, e.g., port number 80, because our instructor told us to memorize this port number. That reasoning is wrong: port 80 is a well-known port number that is assumed by default, but the web server’s port number does not have to be 80; any port number could be used. Let us assume that the destination port number of Apache is 80.

 

Dynamic port numbers (private port numbers) – http://searchnetworking.techtarget.com/definition/dynamic-port-numbers

 

Continuing with this example, what is the port number assigned to our browser? Is it port 80? Probably not. Client ports tend to be dynamically assigned by the host operating system. Assume that port number 32415 is assigned to your browser’s connection at IP address 193.66.45.25.

 

Can you open simultaneous communications with multiple web sites using one browser? If so, how will your browser distinguish the multiple web sites, or endpoints? You have probably guessed that it is not the browser itself that is assigned a dynamic port number; rather, each website connection the browser opens is assigned its own dynamic port number.

 

Since we are discussing access to a web server, we need to communicate with a network application protocol that both the web server and the browser can understand. Therefore, the port number connects the IP address to an application, and the rules of communication are determined by the network application protocol, whose control information is stored and transmitted in the application header. We should expect the HTTP application header to contain different control information than the SMTP (email) application header.

 

Netstat is an extremely powerful tool that can be used to view the network connection information on a machine. Netstat includes information such as listening/active ports and which protocols they are using. Established connections will also list the IP address (potentially an attacker’s) that the machine is connected to. Many systems also allow you to specify a switch to view not only the PID of the programs connected to those ports, but also their names. Because many hacking attacks attempt to create backdoors on the victim machine in order to establish another means of connecting back into the machine later, being able to view open ports and the programs attached to them can be very beneficial. Netstat can help you quickly identify any suspicious network behavior on the machine and help point you in the right direction to files and connections that may require additional investigation.
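To show the kind of triage the paragraph above describes, here is an added Python example (not part of the tutorial) that parses a few constructed lines laid out like Windows `netstat -ano` output and reports listeners outside an assumed expected-port list, established connections to non-internal addresses, and the PIDs that appear in both; the sample lines and the expected-port set are constructed assumptions.

```python
# Added example: triage of netstat-style output for unexpected listeners and
# outbound connections. The lines below are CONSTRUCTED to mimic the layout of
# "netstat -ano" on Windows; they are not captured from a real host.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5012
  TCP    193.66.45.25:32415     101.3.4.56:80          ESTABLISHED     2240
  TCP    193.66.45.25:32416     101.3.4.56:80          ESTABLISHED     2240
  TCP    193.66.45.25:32490     198.51.100.7:8443      ESTABLISHED     5012
  TCP    192.168.1.20:445       192.168.1.55:51002     ESTABLISHED     4
  UDP    0.0.0.0:53             *:*                                    1120
"""

# Ports this host is expected to listen on (an assumption for the example).
EXPECTED_LISTENERS = {("TCP", 80), ("UDP", 53)}

# Address ranges treated as "internal": RFC 1918, loopback, link-local, unspecified.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str          # empty for UDP rows, which carry no State column
    pid: int


def _split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """Split 'ip:port' (or '[ipv6]:port') into (ip, port); a '*' port becomes None."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (None if port in ("*", "") else int(port))


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat -ano style rows; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""   # UDP rows: no State field
        pid = int(parts[-1])                          # PID is always last
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, pid))
    return conns


def _is_external(ip: str) -> bool:
    """True when the address is routable beyond the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # '*' or an unparsable token
    return not any(addr in net for net in INTERNAL_NETS)


def triage(conns: List[Conn], expected=EXPECTED_LISTENERS) -> List[tuple]:
    """Return findings an analyst would follow up on, as labelled tuples."""
    findings = []
    for c in conns:
        listening = c.state == "LISTENING" or (c.proto == "UDP" and c.remote_ip == "*")
        if listening and (c.proto, c.local_port) not in expected:
            findings.append(("unexpected-listener", c.proto, c.local_port, c.pid))
        elif c.state == "ESTABLISHED" and _is_external(c.remote_ip):
            findings.append(("external-connection", c.remote_ip, c.remote_port, c.pid))
    return findings


def pids_to_investigate(findings: List[tuple]) -> List[int]:
    """PIDs that both hold an unexpected listener and talk to an external host."""
    listeners = {f[3] for f in findings if f[0] == "unexpected-listener"}
    external = {f[3] for f in findings if f[0] == "external-connection"}
    return sorted(listeners & external)


if __name__ == "__main__":
    found = triage(parse_netstat(SAMPLE_NETSTAT))
    for f in found:
        print(f)
    print("investigate first:", pids_to_investigate(found))
```

Note that the two connections owned by PID 2240 share the same local IP and the same remote endpoint and differ only in their dynamically assigned local ports, which is the point made in the port discussion above.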

 

3.1.2 802.x Ethernet Frame Header.

 

  1. Using a snipping tool, paste the layout of the 802.x Ethernet Frame Header. Answer =>

 

 

 

 

Spring 2019

 

 

  1. List and specifically describe the 802.x Ethernet frame header fields that would be important to Network Forensic analysis. Answer =>

 

 

 

 


 

 

  1. Describe the format of an Ethernet MAC address and provide an example. Answer =>

 

 

 


 

 

 

 

 

  1. Describe the type of identity provided by an Ethernet MAC address. Answer =>

 

 

 

 


 

 

 

  1. Describe the process of assigning an Ethernet MAC address. Answer =>

 

 

 

 


 

 

 

  1. List and explain two or more reasons why an attacker would be motivated to spoof a MAC address. Answer =>

 

 

 

 


 

 

  1. Explain an easy method that can be used to spoof a MAC address. Answer =>

 

 

 

 


 

 

  1. In conducting a key-logging attack, explain at least one method by which an attacker would overcome the limitations that spoofing a MAC address imposes on the attacker. Answer =>

 

 

 


 

 

 

 

  10. A MAC address assigned to a suspicious user’s computer does not confirm the user’s identity. List the multiple sources of computer, network and business forensics which may be used to connect a computer’s MAC address to a user’s personal identity. Answer =>

 

 

 

 

 

 

 


 

 

 

 

  1. List four or more guidelines for collecting multiple sources of forensic evidence. Answer =>

 

 

 

 

 

 

 

 


 

 

 

 

3.1.3 802.1x Wireless Ethernet Frame Header.

 

How 802.11 Wireless Works – https://technet.microsoft.com/en-us/library/cc757419(v=ws.10).aspx

 

  1. Using a snipping tool, paste the layout of the 802.1x Wireless Ethernet Frame Header. Answer =>

 

 

 

 


 

 

 

  1. List and specifically describe the 802.x Wireless Ethernet frame header fields that would be important to Network Forensic analysis. Answer =>

 

 

 

 


 

 

3.1.4 IP Header.

 

  1. Using a snipping tool, paste the layout of an IP Header. Answer =>

 

 

 

 


 

 

 

  1. List and specifically describe IP header fields that would be important to Network Forensic analysis. Answer =>

 

 

 

 


 

 

  1. Explain the relationship between a Domain name and an IP address. Answer =>

 

 

 

 


 

 

  1. Explain the type of identity forensic evidence that is provided by an IP address. Answer =>

 

 

 

 


 

 

  1. Explain how a computer may have more than one IP address. Answer =>

 

 

 

 


 

 

 

 

 

 

3.1.5 TCP/UDP Header and Port Numbers

 

  1. Using a snipping tool, paste the layout of a TCP Header. Answer =>

 

 

 

 


 

 

 

  1. List and specifically describe TCP header fields that would be important to Network Forensic analysis. Answer =>

 

 

 

 


 

 

 

  1. Describe the role of Source and Destination TCP ports in connecting an email client to an email server. Answer =>

 

 

 

 


 

 

 

  1. Describe the differences between a well-known port number and a dynamically assigned port number. Answer =>

 

 

 

 


 

 

  1. Explain the type of identity forensic evidence that is provided by a TCP port number. Answer =>

 

 

 

 


 

 

 

Video – UDP and TCP: Comparison of Transport Protocols – https://www.youtube.com/watch?v=Vdc8TCESIg8

TCP and UDP – https://www.slideshare.net/ahdkhalid/tcp-and-udp

ADVANTAGES AND DISADVANTAGES OF TCP AND UDP  –  http://smblog.iiitd.com/2010/09/advantages-and-disadvantages-of-tcp-and.html

 

 

  1. What is the difference between a TCP port and an IP Network address? Answer:

 

 

 

 

  1. List the advantages and disadvantages of the TCP transport protocol.

Advantages of TCP              | Disadvantages of TCP
-------------------------------|-------------------------------
                               |
                               |
                               |
                               |
                               |

 

 

 

  1. List the advantages and disadvantages of the UDP transport protocol.

Advantages of UDP              | Disadvantages of UDP
-------------------------------|-------------------------------
                               |
                               |
                               |
                               |
                               |

 

 

 

Common TCP Applications and Server Port Assignments – http://www.tcpipguide.com/free/t_TCPCommonApplicationsandServerPortAssignments.htm

 

  1. List at least five common applications and port numbers which will commonly use TCP transport. Answer:

 

 

 

 

  1. If you were viewing a streaming Netflix video, why would Netflix use TCP rather than UDP? Answer:

 

 

 

 

 

 

Most DNS servers use port 53, and Network Time Protocol services use port 123. While both protocols normally use UDP to improve performance, some systems may use TCP instead of UDP. When using packet sniffing to gather network forensic evidence for UDP application protocols, always search for both transport protocols.

 

 

 

3.1.6 HTTP Application Headers

 

Video – HTTP Headers – What are they – https://www.youtube.com/watch?v=rBm6eoFK28Q

Video – HTTP request and response – https://www.youtube.com/watch?v=3hTEmECsSd0

Video – Understanding HTTP Request Response Messages – https://www.youtube.com/watch?v=sxiRFwQ1RJ4


HTTP Request fields – https://www.w3.org/Protocols/HTTP/HTRQ_Headers.html

HTTP Request – https://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html

 

 

  1. List and specifically describe several HTTP header fields and type of information that would be important to Network Forensic analysis. Answer =>

 

 

 

 


 

 

  1. Describe the difference between an HTTP Request header and an HTTP Response header. Answer =>

 

 

 

 


 

 

  1. Why is every HTTP (web), SMTP (email), FTP (file transfer), SSH (Secure Shell), firewall and IDS server an important source of network forensic data? Answer =>

 

 

 

 


 

 

 

 

3.1.7 SMTP Email Application Headers

 

What is an Email Header? – https://whatismyipaddress.com/email-header

Email Forensics

https://fenix.tecnico.ulisboa.pt/downloadFile/1970943312267438/csf-13.pdf

Video – The Best Email Header Analysis 2015 -Trace the email sender ip ! email tarce

https://www.youtube.com/watch?v=dA3HpLiG6YI

Video – Email tracing: Trace any email to know actual sender –

https://www.youtube.com/watch?v=3XqJ3l4tpuU

 

  1. List and specifically describe several Email (SMTP) header fields that would be important to Network Forensic analysis.

 

 

 

 


 

 

  1. Using the email (SMTP) headers and other data, outline the process of tracing an email to an IP address and sender.

 

 

 

 


 

 

Encapsulation – http://study-ccna.com/encapsulation/

 

  3. Explain the concept of encapsulation.

 

 

 

 


 

 

 

 

 

3.2 Questions – IPv4 and IPv6

 

Video – IPv4 vs IPv6 as Fast as Possible – https://www.youtube.com/watch?v=aor29pGhlFE

Video – IPv4 vs IPv6 Tutorial – https://www.youtube.com/watch?v=ThdO9beHhpA

Video – IPv6 Tutorial – https://www.youtube.com/watch?v=iR8ve5tTWAA

IPv6 – Features – https://www.tutorialspoint.com/ipv6/ipv6_features.htm

Learn About Anycast And Some Of Its Advantages And Disadvantages – https://www.psychz.net/client/kb/en/learn-about-anycast-and-some-of-its-advantages-and-disadvantages.html

 

3.2.1 Advantages of IPv6

 

  1. IPv6 provides better end-to-end connectivity. Explain how IPv6 provides this advantage. Answer:

 

 

 

 

 

  1. IPv6 provides faster forwarding and routing. Explain how IPv6 provides this advantage. Answer:

 

 

 

 

 

  1. IPv6 provides stateless configuration. Explain how IPv6 provides this advantage. Answer:

 

 

 

 

 

  1. IPv6 provides better security. Explain how IPv6 provides this advantage. Answer:

 

 

 

 

 

 

 

3.2.1 Unicasting, Anycasting and DNS

 

  1. What is IP Unicasting? Answer:

 

 

 

 

 

  1. What is IP Anycast? Answer:

 

 

 

 

 

  1. Provide an example of the use of an Anycast DNS. Answer:

 

 

 

 

 

  1. What are the benefits of Anycast DNS? Answer:

 

 

 

 

 

 

 

3.2.2 IPv6 Address Structure

IPv6 Address Structure – https://www.tutorialspoint.com/ipv6/ipv6_address_types.htm

 

An IPv6 address is made of 128 bits divided into eight 16-bit blocks. Each block is then converted into a 4-digit hexadecimal number, and the blocks are separated by colon symbols. For example, given below is a 128-bit IPv6 address represented in binary format and divided into eight 16-bit blocks:

 

0010000000000001 0000000000000000 0011001000111000 1101111111100001 0000000001100011 0000000000000000 0000000000000000 1111111011111011

 

Each block is then converted into Hexadecimal and separated by ‘:’ symbol:

 

2001:0000:3238:DFE1:0063:0000:0000:FEFB

 

Even after converting into Hexadecimal format, IPv6 address remains long. IPv6 provides some rules to shorten the address. The rules are as follows:

 

Rule 1: Discard leading zero(es):

 

In Block 5, 0063, the leading two 0s can be omitted, such as (5th block):

 

2001:0000:3238:DFE1:63:0000:0000:FEFB

 

Rule 2: If two or more consecutive blocks contain only zeroes, omit them all and replace them with the double colon sign ::, such as (6th and 7th block):

 

2001:0000:3238:DFE1:63::FEFB

 

Consecutive blocks of zeroes can be replaced only once by :: so if there are still blocks of zeroes in the address, they can be shrunk down to a single zero, such as (2nd block):

 

2001:0:3238:DFE1:63::FEFB
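As an added example (not from this tutorial or the tutorialspoint page it cites), the following Python carries the binary-to-hexadecimal conversion and the three shortening rules above through in code, and also expands a shortened address back to its full form, which is what you need before comparing addresses that different logs or packet captures may record in different forms. The only input is the page’s own example address; the function names are my own.

```python
# Added example: IPv6 address shortening (rules 1-3 above) and the reverse
# expansion, so addresses written differently in two logs can be compared.
HEX_DIGITS = set("0123456789abcdefABCDEF")

# The page's example address, as a binary string and as eight hex blocks.
PAGE_BINARY = ("0010000000000001 0000000000000000 0011001000111000 1101111111100001 "
               "0000000001100011 0000000000000000 0000000000000000 1111111011111011")
PAGE_FULL = "2001:0000:3238:DFE1:0063:0000:0000:FEFB"


def binary_to_ipv6(bits: str) -> str:
    """Convert a 128-bit binary string (spaces allowed) into eight 4-digit hex blocks."""
    bits = bits.replace(" ", "")
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected 128 binary digits")
    blocks = [bits[i:i + 16] for i in range(0, 128, 16)]
    return ":".join(f"{int(b, 2):04X}" for b in blocks)


def _full_blocks(addr: str) -> list:
    """Validate an uncompressed address and return its eight 4-digit blocks."""
    blocks = addr.split(":")
    if len(blocks) != 8 or any(len(b) != 4 or set(b) - HEX_DIGITS for b in blocks):
        raise ValueError("expected eight 4-digit hex blocks")
    return blocks


def _longest_zero_run(blocks: list) -> tuple:
    """(start, length) of the longest run of all-zero blocks; the earliest run wins ties."""
    best = (-1, 0)
    i = 0
    while i < len(blocks):
        if int(blocks[i], 16) != 0:
            i += 1
            continue
        j = i
        while j < len(blocks) and int(blocks[j], 16) == 0:
            j += 1
        if j - i > best[1]:
            best = (i, j - i)
        i = j
    return best


def compress_ipv6(addr: str) -> str:
    """Apply the page's three rules to a full eight-block address."""
    blocks = _full_blocks(addr)
    # Rule 1: drop leading zeros in every block (an all-zero block becomes "0").
    short = [b.lstrip("0") or "0" for b in blocks]
    # Rule 2: replace the longest run of two or more zero blocks with "::", once only.
    start, length = _longest_zero_run(blocks)
    if length >= 2:
        return ":".join(short[:start]) + "::" + ":".join(short[start + length:])
    # Rule 3: any remaining zero block stays a single "0" (already done by rule 1).
    return ":".join(short)


def expand_ipv6(addr: str) -> str:
    """Undo the shortening: restore the blocks hidden by '::' and pad each to 4 digits."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        lb = left.split(":") if left else []
        rb = right.split(":") if right else []
        missing = 8 - len(lb) - len(rb)
        if missing < 1:
            raise ValueError("'::' must stand for at least one block")
        blocks = lb + ["0"] * missing + rb
    else:
        blocks = addr.split(":")
    if len(blocks) != 8 or any(not 1 <= len(b) <= 4 or set(b) - HEX_DIGITS for b in blocks):
        raise ValueError("malformed IPv6 address")
    return ":".join(b.zfill(4).upper() for b in blocks)


def same_ipv6(a: str, b: str) -> bool:
    """True when two addresses are equal regardless of how each was shortened."""
    return expand_ipv6(a) == expand_ipv6(b)


if __name__ == "__main__":
    full = binary_to_ipv6(PAGE_BINARY)
    print(full)                  # 2001:0000:3238:DFE1:0063:0000:0000:FEFB
    print(compress_ipv6(full))   # 2001:0:3238:DFE1:63::FEFB
```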

 

  1. What is an IPv6 Global unicast address and IP address routing prefix? Answer:

 

 

 

 

 

  1. What is an IPv6 Link-local unicast address and its IP address prefix? Answer:

 

 

 

 

 

  1. What is an IPv6 Unique-local unicast address and its IP address prefix? Answer:

 

 

 

 

 

 

3.2.3 IPv6 – Headers

IPv6 – Headers – https://www.tutorialspoint.com/ipv6/ipv6_headers.htm

 

  1. What information is stored in an IPv6 Fixed Header? Answer:

 

 

 

 

 

  1. What information is stored in an IPv6 Extension Header? Answer:

 

 

 

 

 

3.2.4 IPv6 – Communication

 

IPv6 – Communication – https://www.tutorialspoint.com/ipv6/ipv6_communication.htm

In IPv4, a host that wants to communicate with another host on the network needs to have an IP address acquired either by means of DHCP or by manual configuration. As soon as a host is equipped with a valid IP address, it can speak to any host on the subnet. To communicate on layer 3, a host must also know the IP address of the other host. Communication on a link is established by means of hardware-embedded MAC addresses. To learn the MAC address of a host whose IP address is known, a host sends an ARP broadcast and, in return, the intended host sends back its MAC address.

In IPv6, there are no broadcast mechanisms. It is not a must for an IPv6 enabled host to obtain an IP address from DHCP or manually configured, but it can auto-configure its own IP.

ARP (Address Resolution Protocol) has been replaced by ICMPv6 Neighbor Discovery Protocol.

 

  1. List the three steps used by the ICMPv6 Neighbor Discovery Protocol to assign an IPv6 address. Answer:

 

 

 

 


 

 

  1. List the three steps used by the ICMPv6 Neighbor Discovery Protocol to locate IPv6 routers on a network segment. Answer:

 

 

 

 


 

 

3.2.5 IPv4 to IPv6 Transition

 

Video – Transition from IPv4 to IPv6 – https://www.youtube.com/watch?v=GANKPeAuspg

 

Transition from IPv4 to IPv6 – https://www.tutorialspoint.com/ipv6/ipv6_ipv4_to_ipv6.htm

Making the Transition from IPv4 to IPv6 – https://docs.oracle.com/cd/E19683-01/817-0573/transition-10/index.html

 

  1. What is a Dual Stack Router? Answer:

 

 

 

 

  1. What is IP version tunneling? Answer:

 

 

 

 

  1. What is NAT Protocol Translation? Answer:

 

 

 

 

 

 

 

 

 

3.3 Questions – MAC and IP Address Spoofing

 

Blackboard – Unit 2a Network and Application Protocols

Chapter 2: Technical Fundamentals – Network Forensics: Tracking Hackers through Cyberspace

 

Video – How to Change or Spoof MAC Address in Windows | Mac | Android – https://www.youtube.com/watch?v=ePtCvwmNhb4

Video – What is a MAC Address? –  https://www.youtube.com/watch?v=UrG7RTWIJak

Video – What is a MAC Address? – https://www.youtube.com/watch?v=7W07vA4oHCk

What’s the Difference between a MAC Address and an IP Address? –  https://askleo.com/whats_the_difference_between_a_mac_address_and_an_ip_address/

Video – How to spoof a MAC address? – https://www.youtube.com/watch?v=Cb_TjJSTsqA&spfreload=10

Detecting and Preventing MAC Spoofing – https://infoexpress.com/content/practical/142

Detecting Wireless LAN MAC Address Spoofing – http://www.willhackforsushi.com/papers/wlan-mac-spoof.pdf

 

3.3.1 MAC Address Spoofing

 

  1. What is a MAC Address? Answer:

 

 

 

 

 

  1. What is MAC Address Spoofing? Answer:

 

 

 

 

 

  1. What is the difference between a MAC network address and an IP network address? Answer:

 

 

 

 

 

 

3.3.2 IP Address Spoofing

 

  1. What is IP address spoofing? Answer:

 

 

 

 

  1. What problems will MAC address and IP address spoofing cause for network forensic analysis? Answer:

 

 

 

 

 

 

3.4 Private Network Addresses

 

Blackboard – Unit 2a Network and Application Protocols

Chapter 2: Technical Fundamentals – Network Forensics: Tracking Hackers through Cyberspace

 

 

3.4.1 Questions – Advantages and Disadvantages of Private Network Addresses

 

  1. What is a Private Network Address? Answer:

 

 

 

 

  1. What are the security advantages of Private Network Addresses? Answer:

 

 

 

 

  1. Private addresses provide an advantage described as “Self-Containment”. Describe the concept of private address self-containment. Answer:

 

 

 

 

  1. Private addresses have a disadvantage described as “Isolation”. Describe the concept of private address isolation. Answer:

 

 

 

 

3.4.2 Questions – VPNs and Private Network Addresses

What Is A VPN? –  https://www.whatismyip.com/what-is-a-vpn/

VPNs for Beginners – What You Need to Know – https://www.bestvpn.com/blog/38176/vpns-beginners-need-know/

What Is a VPN, and Why Would I Need One? – https://www.howtogeek.com/133680/htg-explains-what-is-a-vpn/

I Am Anonymous When I Use a VPN – 10 Myths Debunked – https://www.goldenfrog.com/blog/myths-about-vpn-logging-and-anonymity

 

Video – What is a VPN? – Gary explains – https://www.youtube.com/watch?v=xGjGQ24cXAY

Video – VPN – Virtual Private Networking – https://www.youtube.com/watch?v=q4P4BjjXghQ

Video – How to set up a VPN Server on Windows Server 2012 – https://www.youtube.com/watch?v=9qbpxKRb-94&t=35s

 

  1. What is a Virtual Private Network (VPN)? Answer:

 

 

 

 

  1. How does a VPN network add security? Answer:

 

 

 

 

 

  1. What is the function of L2TP/IPsec? Answer:

 

 

 

 

  1. What is Open VPN? Answer:

 

 

 

 

  1. What is the relationship between VPN and website tracking? Answer:

 

 

 

 

Video – VPN Provider’s No-Logging Claim Tested by FBI – https://www.youtube.com/watch?v=mfOzvYoiszk

Video – Private Internet Access VPN does not log. Period. – https://www.youtube.com/watch?v=YQn3KYiy8Zs

Video – Is Private Internet Access Good? What They Don’t Tell You About PIA VPN – https://www.youtube.com/watch?v=cX9kBmEPD08

 

 

 

  1. What is the relationship between VPN logging and VPN anonymity? Answer:

 

 

 

 

 

  1. Virtual Private Networks (VPNs) provide the capability of permitting private addresses to communicate with a public network address. Describe the differences between a private network address and a VPN. Answer:

 

 

 

 

3.5 Questions – Network Address Translation

 

Blackboard – Unit 2a Network and Application Protocols

Chapter 2: Technical Fundamentals – Network Forensics: Tracking Hackers through Cyberspace

 

 

Video – Understanding Network Address Translation – 1.4 (Professor Messer) https://www.youtube.com/watch?v=EKAPejq4fC4&t=51s

NAT Advantages & Disadvantages – https://www.certificationkits.com/cisco-certification/ccna-articles/cisco-ccna-network-address-translation-nat/cisco-ccna-nat-advantages-a-disadvantages/

Disadvantages of Network Address Translation (NAT) Protocol  – http://vinciconsulting.com/blog/-/blogs/disadvantages-of-network-address-translation-nat-protocol

The Advantages & Disadvantages of Using a Private IP Address Space – http://smallbusiness.chron.com/advantages-disadvantages-using-private-ip-address-space-46424.html

 

Why NAT has nothing to do with Security!  – https://blog.webernetz.net/2013/05/21/why-nat-has-nothing-to-do-with-security/

The Myth of Network Address Translation as Security – https://f5.com/resources/white-papers/the-myth-of-network-address-translation-as-security

 

  1. What is Network Address Translation? Answer:

 

 

 

 

  1. Which layer of the TCP/IP model implements the Network Address Translation protocol? Answer:

 

 

 

 

3.5.1 Questions – Advantages and Disadvantage of NAT

 

  1. What are the advantages of Network Address Translation? Answer:

 

 

 

 

  1. What are the disadvantages of Network Address Translation? Answer:

 

 

 

 

 

 

3.5.2 Questions – SNAT and NAT

Logging network activity – https://community.jisc.ac.uk/library/janet-services-documentation/logging-network-activity

Secure Network Address Translation (SecureNA or SNAT) – https://www.techopedia.com/definition/26212/secure-network-address-translation-securena-or-snat

 

  1. How is SNAT different than NAT? Answer:

 

 

 

 

3.5.3 Questions – NAT and network security

 

  1. Explain the reasons why Network Address Translation may or may not increase network security. Answer:

 

 

 

 

 

 

 

 

 

4.0 DHCP Servers

 

4.1 Questions – DHCP, Static and Dynamic IP

 

What is DHCP?  –  http://whatismyipaddress.com/dhcp

Why Does Your IP Address Change Now and Then?  –  http://whatismyipaddress.com/keeps-changing

Dynamic IP vs Static IP – http://whatismyipaddress.com/dynamic-static

What is DHCP Lease Time & What Should I Set it To? –  http://homenetworkadmin.com/dhcp-lease-time/

What is NAT and DHCP?  – https://www.dslextreme.com/support/kb/glossary/what-is-nat-and-dhcp

DHCP Log Explanation – https://web.stanford.edu/services/lnaguide/dhcp-log-explanation.html

Analyze DHCP Server Log Files – https://technet.microsoft.com/en-us/library/dd183591(v=ws.10).aspx

Do not rely on Windows DHCP server logs as security logs – http://robert.penz.name/1010/do-not-rely-on-windows-dhcp-server-logs-as-security-logs/

 

  1. What is DHCP? Answer:

 

 

 

 

  1. What are the differences between NAT and DHCP? Answer:

 

 

 

 

  1. When using DHCP, why does your IP address constantly change? Answer:

 

 

 

 

  1. What DHCP setting determines how often a DHCP address changes? Answer:

 

 

 

 

  1. What is a Static IP address? Answer:

 

 

 

 

  1. What is a Dynamic IP Address? Answer:

 

 

 

 

 

 

 

4.1 DHCP Server Logs

 

Video – DHCP Logs in server 2012 R2 ( DHCP 4/6 ) – https://www.youtube.com/watch?v=nu4qI8frPEA

Video – How to Install and Configure DHCP Server on Windows Server 2012 – https://www.youtube.com/watch?v=fk6wUDsvxGs

Video – Basic DHCP Setup on Windows Server 2012 – https://www.youtube.com/watch?v=ZfsXh_LSkgE&t=38s

 

The following is a sample of the Windows Server DHCP Audit Log file

 

 

Many companies I know backup their DHCP log files so that they are able to put a MAC address to an IP address seen in a security incident. Sure it is possible that an attacker uses a static IP address, but more often than not it is a dynamic one – just because it is easier or he does not possess the privileges to change it. Even if you’re using a simple MAC address based network authentication solution you’ll have log files which tie the MAC address to a specific Ethernet port and so a physical location.

 

 

  1. Explain the role of routers, email servers, firewalls, and authentication servers in addressing the problems that DHCP and Network Address Translation create for the analysis of network forensic evidence. Answer:

 

 

 

 

 


 

 

4.2 Introduction to Time synchronization

 

 

Why is time accuracy and synchronization important? –  http://www.dba-oracle.com/forensics/t_forensics_accuracy.htm

5 cyber security myths, the importance of time synchronization, and more – https://www.eventtracker.com/newsletters/5-cyber-security-myths-the-importance-of-time-synchronization-and-more/

 

Time synchronization and network devices –

https://books.google.com/books?id=A4V45b2w27gC&pg=PA344&lpg=PA344&dq=time+synchronization+and+network+forensics&source=bl&ots=Su1L7MGv1r&sig=JfLuQANdEpCxzd45QKi7k0AXPbs&hl=en&sa=X&ved=0ahUKEwj965mtmcXTAhUGQSYKHS_vB4wQ6AEIYDAJ#v=onepage&q=time%20synchronization%20and%20network%20forensics&f=false

 

  1. Explain the importance of time synchronization for routers, email servers, firewalls, and authentication servers in addressing the problems that DHCP and Network Address Translation create for the analysis of network forensic evidence. Answer:

 

 

 

 

 

 

 

 

5.0 Domain Name System, Resolution and DNS Servers

 

5.1 Questions – Domain Name Space and DNS Lookups

 

Video – DNS Essentials – Understanding & Working with DNS – https://www.youtube.com/watch?v=4a3MGDAoljI

Video – Introduction to DNS (Domain Name Services (Eli the Computer) – https://www.youtube.com/watch?v=VwpP8PUzqLw

Video – The Domain Name System (DNS) Name Resolution Process – https://www.youtube.com/watch?v=S8G63sJPPj0

 

BIND- The most widely used Name Server Software – https://www.isc.org/downloads/bind/

Linux BIND DNS – Introduction to the DNS Database (BIND) – http://www.firewall.cx/linux-knowledgebase-tutorials/system-and-network-services/829-linux-bind-introduction.html

 

  1. What is purpose of DNS resolution? Answer:

 

 

 

 

 

  1. What is the Domain Name Space? Answer:

 

 

 

 

 

  1. What is Fully Qualified Domain Name (FQDN)? Answer:

 

 

 

 

 

 

  1. Applying the concept of the Domain Name Space, what is edu? Answer:

 

 

 

 

 

  1. Applying the concept of the Domain Name Space, what is infs4180? Answer:

 

 

 

 

 

 

 

  1. Applying the concept of the Domain Name Space, what is kali182? Answer:

 

 

 

 

  1. What is the local host file? Answer:

 

 

 

 

  1. What is a local DNS server? Answer:

 

 

 

 

  1. What is BIND? Answer:

 

 

 

 

 

What’s the difference between forward lookup and reverse lookup in DNS – https://www.bayt.com/en/specialties/q/24691/what-s-the-difference-between-forward-lookup-and-reverse-lookup-in-dns/

Understanding Reverse Lookup – https://technet.microsoft.com/en-us/library/cc730980(v=ws.11).aspx

How Reverse DNS works? –  https://community.spiceworks.com/how_to/934-how-reverse-dns-works

What is “reverse DNS” and do I need it?  –  http://support.simpledns.com/kb/a45/what-is-reverse-dns-and-do-i-need-it.aspx

Reverse DNS lookup – https://en.wikipedia.org/wiki/Reverse_DNS_lookup

 

  1. What is a Forward DNS Lookup? Answer:

 

 

 

 

 

  1. What is a Reverse DNS Lookup? Answer:

 

 

 

 

 

 

5.2 Questions – DNS Zones

Answers to many of the following questions may be found in the following video.

Video – The Domain Name System (DNS) Name Resolution Process – https://www.youtube.com/watch?v=S8G63sJPPj0

Understanding DNS Zones – https://technet.microsoft.com/en-us/library/cc725590(v=ws.11).aspx

DNS Zone – https://www.ntchosting.com/encyclopedia/dns/zone/

Understanding Zone Types – https://technet.microsoft.com/en-us/library/cc771898(v=ws.11).aspx

 

  1. What is a DNS zone? Answer:

 

 

 

 

  1. What are the advantages of using a DNS zone? Answer:

 

 

 

 

  1. What is a primary DNS zone database? Answer:

 

 

 

 

  1. What is a secondary DNS zone database? Answer:

 

 

 

 

  1. What is a zone transfer? Answer:

 

 

 

 

 

 

 

5.3 Questions – DNS Zone records and DNS line commands.

 

 

 

  1. Describe the types of DNS zone records using the following table.

Types of DNS Zone Records | Description
--------------------------|----------------------------------------
SOA Record                |
NS Records                |
A Records                 |
MX Records                |
CNAME Records             |

 

 

 

  1. Provide an example of a command line utility that is used to test DNS Resolution. Answer:

 

 

 

 

 

 

  1. Provide an example of a command line utility that is used to clear the local DNS cache? Answer:

 

 

 

 

 

 

 

 

 

5.4 Questions – Hacking DNS

 

Review the following videos to answer some of the following questions

Video – Hacking DNS (Eli the Computer Guy) – https://www.youtube.com/watch?v=zRysni9ND2w

Video – DNS Spoofing – https://www.youtube.com/watch?v=U0gwn9zcDns

DNS spoofing, or DNS cache poisoning   – https://en.wikipedia.org/wiki/DNS_spoofing

 

  1. Describe the process of using the local hosts file to conduct a DNS spoofing attack. Answer:

 

 

 

 

  1. Where is the Windows hosts file located? Answer:

 

 

 

 

  1. Where is the Linux hosts file located? Answer:

 

 

 

 

  1. What is Local DNS Server? Answer:

 

 

 

 

  1. Assume that you want to do a DNS spoofing attack on nku.edu using only one computer. What is the most likely method to conduct this type of DNS attack? Answer:

 

 

 

 

  1. Assume that you want to prevent users at your company from accessing Facebook.com by applying the principles of a DNS spoofing attack. Explain how. Answer:

 

 

 

 

  1. In order to compromise hosts files, what special privileges must you have? Answer:

 

 

 

  1. How does virus checker software use the hosts file? Answer:

 

 

 

 
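The hosts file questions above ask how the file is abused and how security software treats it; the defender's counterpart is a periodic check of the file's contents. The following added example (my own illustration, not code from the tutorial) parses a constructed hosts file and flags the two patterns worth investigating: a public name pointed at a routable address (the redirection the spoofing questions describe) and a public name nulled to 127.0.0.1 or 0.0.0.0, which is how an update or vendor domain gets silently blocked. The internal domain suffix, the sample file and the classification labels are assumptions made for the example.

```python
import ipaddress

# Assumed for the example: the organisation's own DNS suffix, whose hosts
# entries are expected and therefore not reported.
INTERNAL_SUFFIXES = (".example.com",)

# Names that ship in a default hosts file and are always benign.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
    "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
    "broadcasthost",
}

# Constructed sample hosts file (not copied from any real system).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
10.0.0.5        intranet.example.com intranet
203.0.113.7     www.example.org          # public name pointed at an unexpected address
0.0.0.0         updates.example.net      # public name nulled
"""


def parse_hosts(text):
    """Yield (ip, [names]) for every entry, ignoring blank and comment lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        fields = line.split()
        yield fields[0], fields[1:]


def classify(ip, name):
    """Label one (ip, name) pair: local, internal, blocked or redirected."""
    if name in LOCAL_NAMES:
        return "local"
    if "." not in name or name.endswith(INTERNAL_SUFFIXES):
        return "internal"                       # short names and our own domain
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"                        # name resolves nowhere on purpose
    return "redirected"                         # public name sent to some other host


def audit_hosts(text):
    """Return the entries an analyst should look at, in file order."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            label = classify(ip, name)
            if label in ("blocked", "redirected"):
                findings.append((ip, name, label))
    return findings


if __name__ == "__main__":
    for ip, name, label in audit_hosts(SAMPLE_HOSTS):
        print(f"{label:10s} {name:28s} -> {ip}")
```

Run against the real file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Linux) the only change is reading the file instead of the constructed string; the internal suffix list is what keeps deliberate local overrides out of the report.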

 

OpenDNS – https://www.opendns.com/home-internet-security/

OpenDNS – https://en.wikipedia.org/wiki/OpenDNS

What is OpenDNS and Why You Absolutely Need It?

 

 

  1. What is OpenDNS.com? Answer:

 

 

 

 

 

  1. How does OpenDNS.com prevent viruses from downloading more malware? Answer:

 

 

 

 

5.5 Securing DNS Servers

 

5.5.1 Common threats to DNS servers

 

Securing DNS Servers – http://www.tech-faq.com/securing-dns-servers.html

 

The common threats to DNS servers are:

 

  • Denial-of-service (DoS) attacks: DoS attacks occur when DNS servers are flooded with recursive queries in an attempt to prevent the DNS server from servicing legitimate client requests for name resolution. A successful DoS attack can result in the unavailability of DNS services, and in the eventual shutdown of the network.

 

  • Footprinting: Footprinting occurs when an intruder intercepts DNS zone information. When the intruder has this information, the intruder is able to discover DNS domain names, computer names, and IP addresses which are being used on the network. The intruder then uses this information to decide which computers he/she wants to attack.

 

  • IP Spoofing: After an intruder has obtained a valid IP address from a footprinting attack, the intruder can use the IP address to send malicious packets to the network, or access network services. The intruder can also use the valid IP address to modify data.

 

  • Redirection: A redirection attack occurs when an intruder is able to make the DNS server forward or redirect name resolution requests to the incorrect servers. In this case, the incorrect servers are under the control of the intruder. A redirection attack is achieved by an intruder corrupting the DNS cache in a DNS server that accepts unsecured dynamic updates.

 

10 things you should know about securing DNS – http://www.techrepublic.com/article/10-things-you-should-know-about-securing-dns/

 

5.5.2 General DNS security recommendations

 

  • Protect the server from cache pollution. Your DNS servers should not respond to name resolution requests from any unauthorized networks. DNS servers should respond to requests from internal interfaces only. This is called Secure Cache against pollution in Windows servers.
  • To prevent other servers from discovering DNS zone records that contain important information, zone transfers should be targeted at specific DNS servers. Anyone can issue a DNS query that will cause a DNS server configured to allow zone transfers to dump the entirety of its zone database files. Malicious users can use this information to reconnoiter the naming schema in your organization and attack key infrastructure services.
  • To protect your DNS servers from spoofing of DNS records, you should accept only secure (authenticated) dynamic update connections.
  • An Active Directory-integrated zone is a zone that stores its zone data in Active Directory. DNS zone files are not used to store data for these zones. An Active Directory-integrated zone is an authoritative primary zone. Active Directory-integrated zones enjoy the security features of Active Directory.
  • Secure the DNS Server boot process
  • A DNS forwarder is a DNS server that performs DNS queries on behalf of another DNS server. The primary reasons to use a DNS forwarder are to offload processing duties from the DNS server forwarding the query to the forwarder and to benefit from the potentially larger DNS cache on the DNS forwarder. Instead of allowing your internal DNS servers to perform recursion and contacting DNS servers itself, configure the internal DNS server to use a forwarder for all domains for which it is not authoritative.
  • Caching-only DNS servers can improve security for your organization when used as forwarders that are under your administrative control. Internal DNS servers can be configured to use the caching-only DNS server as their forwarders and the caching-only DNS server performs recursion on behalf of your internal DNS servers.
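The threats in 5.5.1 map onto a handful of server options, and most of the recommendations above are settings on those options. The following added example (my own illustration, not code from the tutorial or from BIND) audits a constructed BIND named.conf options block for the weak settings the recommendations call out: zone transfers open to anyone (footprinting), recursion offered to any network (DoS and cache pollution), unsecured dynamic updates (redirection), and recursion performed locally instead of through a forwarder. The option names are real BIND 9 options; the two configuration fragments and the finding codes are constructed for the example, and the parser is a deliberate simplification that reads only the global options block.

```python
import re

# Constructed sample named.conf fragments; neither comes from the tutorial
# or from a real server. The first has the weak settings, the second the
# corrected ones.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-transfer { any; };
    allow-update { any; };
};
"""

HARDENED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    allow-transfer { 10.0.0.2; 10.0.0.3; };
    allow-update { none; };
    forwarders { 10.0.0.53; };
    forward only;
};
"""

# One statement: `name value;` or `name { v1; v2; };`
STATEMENT = re.compile(r"([\w-]+)\s*(\{[^}]*\}|[^;{}]+);")


def parse_options(conf):
    """Return {option: [values]} for the statements inside options { ... };."""
    block = re.search(r"options\s*\{(.*?)\n\s*\};", conf, re.S)
    if block is None:
        raise ValueError("no options block found")
    options = {}
    for name, raw in STATEMENT.findall(block.group(1)):
        raw = raw.strip()
        if raw.startswith("{"):
            values = [v.strip() for v in raw[1:-1].split(";") if v.strip()]
        else:
            values = [raw]
        options[name] = values
    return options


def audit(conf):
    """Map the tutorial's DNS threats onto the options that expose them.

    Finding codes are invented for this example. Defaults assumed where an
    option is absent are a simplification of BIND's real defaults."""
    opts = parse_options(conf)
    findings = []
    # Footprinting: anyone may pull the whole zone unless transfers are restricted.
    if "any" in opts.get("allow-transfer", ["any"]):
        findings.append("OPEN_TRANSFER")
    if opts.get("recursion", ["yes"]) == ["yes"]:
        # DoS / cache pollution: a recursive server answering untrusted networks.
        # (Assumes allow-recursion falls back to allow-query when unset.)
        recursion_acl = opts.get("allow-recursion", opts.get("allow-query", ["any"]))
        if "any" in recursion_acl:
            findings.append("OPEN_RECURSION")
        # Recommendation: let a forwarder recurse instead of the internal server.
        if "forwarders" not in opts:
            findings.append("NO_FORWARDER")
    # Redirection: unsecured dynamic updates let anyone rewrite records.
    if "any" in opts.get("allow-update", ["none"]):
        findings.append("OPEN_UPDATE")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

The hardened fragment restricts transfers to the two named secondaries, recursion to internal ranges, refuses plain dynamic updates, and hands all non-authoritative lookups to a forwarder, which is the configuration the six recommendations describe.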

 

5.5.3 Securing the DNS server

 

  • Physically secure your DNS servers.
  • File system permissions should be utilized to protect zone data on the system volume, and access to the volume should be limited by both file system permissions and security policies.
  • Apply and maintain a strong virus protection solution.
  • Software patches should be kept up to date.
  • If applicable, programs should only be allowed to be installed when they have trusted sources.
  • All unnecessary services and applications not being used on DNS servers should be deleted.
  • Secure the Administrator and Guest well-known accounts.
  • Set access controls of DNS registry entries of system entries.

 

5.5.4 Securing DNS Servers Attached to the Internet

 

  • DNS servers that are attached to the Internet should be placed in a perimeter network so that internal network resources can be secured from the public Internet.
  • Use a firewall solution to configure access rules and packet filtering to filter both source and destination addresses and ports.
  • Remove all unnecessary services from these DNS servers.
  • Limit the number of DNS servers that are allowed to start a DNS zone transfer. Zone transfers should also only be allowed to specific IP addresses.
  • Consider using IPSec or other encryption method to secure zone replication traffic.
  • Consider adding a second DNS server on a different subnet to further augment protection from DoS attacks.
  • Regularly monitor your DNS servers and the DNS log files.

 

5.5.5 Questions – Securing DNS servers

  1. What is DNS Footprinting? Answer:

 

 

 

Spring 2019

 

  1. What is a DNS Denial of Service Attack? Answer:

 

 

 

 

 

  1. What is DNS cache pollution? Answer:

 

 

 

 

 

  1. Why are file permissions important to secure a DNS server? Answer:

 

 

 


 

  1. How does one prevent other servers from discovering DNS zone records which may be important to map the local Domain Name Space? Answer:

 

 

 

 

 

  1. List two important security requirements for protecting a DNS zone transfer. Answer:

 

 

 

 

 

 

 

5.5.6 Questions – DNS Network Forensics Evidence

 

The following questions may be answered by viewing the following video.

 

Video – DNS Evidence You Don’t Know What You’re Missing (Phill Hagan) – https://www.youtube.com/watch?v=mZrNLZAdTTA

 

  1. Why is baselining DNS evidence important? Answer:

 

 

 

 

 

  1. Why does the domain name facebook.com have multiple DNS A records or host IP records? Answer:

 

 

 


 

We can capture DNS traffic evidence with tools such as tcpdump, tshark and Wireshark.

We can also analyze server, proxy server or IDS logs.

 

Assume that we want to analyze a DNS forward lookup to www.reddit.com.

 

 

 

  1. Linux will store DNS network forensic evidence in the /var/log/messages file. Since Linux stores a lot of evidence, the grep command is used to filter the message log and search for www.reddit.com.

The following is a sample of one DNS forward lookup.

 

 

 

Describe and explain the network forensic evidence for each field of this entry using the following table.

DNS log entry  Description  and Explanation
 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

  1. Assume that we alter the grep command to search the /var/log/messages file for the IP address 5.79.11.202. For example:

 

 

What type of network forensic evidence can we discover about IP address 5.79.11.202 from the preceding grep example? Answer:

 

 

 

  1. Using DNS network forensics, how can you determine if an employee is inappropriately viewing Netflix on a company computer during work hours? Answer:

 

 

 

  1. Why is it important to periodically monitor and provide a baseline of the top 5000 domain names being accessed by your organization? Answer:

 

 

 
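The evidence questions above (the grep on /var/log/messages, the per-IP search, the Netflix question and the top-5000 baseline) all come down to parsing query-log lines and counting. The following added example (my own illustration, not code from the tutorial) does that over a constructed set of BIND-style query-log lines in the syslog layout /var/log/messages would carry. It reproduces the grep, builds the per-domain counts a baseline is made of, reports domains that are not in an established baseline, shows which client asked for what, and picks out zone-transfer requests as footprinting evidence. The log lines, addresses, hostnames and the baseline set are all constructed for the example; the format is the one BIND's query log uses, which the page's own sample entry does not reproduce here.

```python
import re
from collections import Counter

# Constructed query-log lines (syslog prefix + BIND query log). Hosts, ports and
# addresses are made up; 10.0.0.0/8 is private and 203.0.113.0/24 is reserved
# for documentation.
SAMPLE_LOG = """\
Mar  4 09:12:01 ns1 named[1234]: client 10.0.0.15#51234: query: www.reddit.com IN A + (10.0.0.53)
Mar  4 09:12:01 ns1 named[1234]: client 10.0.0.15#51235: query: reddit.com IN A + (10.0.0.53)
Mar  4 09:12:05 ns1 named[1234]: client 10.0.0.22#40022: query: www.reddit.com IN AAAA + (10.0.0.53)
Mar  4 09:13:10 ns1 named[1234]: client 10.0.0.22#40023: query: www.facebook.com IN A + (10.0.0.53)
Mar  4 09:14:00 ns1 named[1234]: client 10.0.0.31#33001: query: www.example.com IN A + (10.0.0.53)
Mar  4 09:14:02 ns1 named[1234]: client 10.0.0.31#33002: query: unknown-host.example.net IN A + (10.0.0.53)
Mar  4 09:15:30 ns1 named[1234]: client 203.0.113.9#55555: query: example.com IN AXFR - (10.0.0.53)
Mar  4 09:15:31 ns1 named[1234]: client 10.0.0.15#51236: query: www.reddit.com IN A + (10.0.0.53)
"""

# Constructed stand-in for the organisation's top-N domain baseline.
BASELINE = {"reddit.com", "facebook.com", "example.com"}

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Turn raw lines into dicts; lines that are not query records are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def grep(records, needle):
    """Equivalent of `grep www.reddit.com /var/log/messages` on parsed records."""
    return [r for r in records if needle in r["name"]]


def registrable(name):
    """Collapse a query name to its last two labels.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def top_domains(records, n):
    """The per-domain counts a periodic top-N baseline is built from."""
    return Counter(registrable(r["name"]) for r in records).most_common(n)


def queries_per_client(records):
    """Who is asking: one client far above the rest is the first sign of a query flood."""
    return Counter(r["ip"] for r in records)


def new_domains(records, baseline):
    """Domains seen in this log that the established baseline has never seen."""
    return sorted({registrable(r["name"]) for r in records} - set(baseline))


def zone_transfer_attempts(records):
    """AXFR/IXFR requests are footprinting evidence when they come from outside."""
    return [r for r in records if r["qtype"] in ("AXFR", "IXFR")]


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    for r in grep(recs, "www.reddit.com"):
        print(r["ts"], r["ip"], r["name"], r["qtype"])
    print("top domains:", top_domains(recs, 3))
    print("per client: ", dict(queries_per_client(recs)))
    print("not in baseline:", new_domains(recs, BASELINE))
    print("zone transfers:", [(r["ip"], r["name"]) for r in zone_transfer_attempts(recs)])
```

The same functions answer the per-IP question: filter records on `r["ip"]` instead of `r["name"]` and the result is every name that client resolved, with timestamps, which is exactly the evidence the work-hours question asks for.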

Greylisting –  https://en.wikipedia.org/wiki/Greylisting

 

 

  1. What is Grey Listing? Answer:

 

 

 

  1. What is the relationship between “grey listing” and arpa lookups? Answer:

 

 

 

 

 

 

  1. We will be studying and practicing tcpdump and capturing packets later in the course. Let's introduce tcpdump to collect DNS evidence.

 

 

 

Describe and explain each of the tcpdump parameters in the following table

TCPDUMP Parameter Description  and Explanation
 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

  1. Tshark is an optional, more powerful, packet sniffing utility that may better format the packet sniffing information to conduct a network forensic investigation.

 

 

Describe and explain each of the tshark parameters in the following table

TSHARK Parameter Description  and Explanation
 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

  1. What is the passivedns utility? Answer:

 

 

 

 

 

6.0 Switches

 

6.1 Questions – Switches and VLANS

 

Unit 2b Network and Security Devices and Applications

Router and Switch Security 2017.pdf

 

Video – Understanding Switches Video (Eli the Computer Guy) – https://www.youtube.com/watch?v=9yYqNqTNnqI

Video – Switch Interface Configuration – 2.6 (Professor Messer) – https://www.youtube.com/watch?v=EqGR1mSzM6o&list=PLG49S3nxzAnnXcPUJbwikr2xAcmKljbnQ&index=80

Video – Switch Management – 2.6 (Professor Messer)-https://www.youtube.com/watch?v=HUUqrf-05nY&list=PLG49S3nxzAnnXcPUJbwikr2xAcmKljbnQ&index=82

 

  1. At which layer of the OSI model do switches function? Answer:

 

 

 

 

  1. List five or more advantages of a network switch. Answer:

 

 

 

 

  1. What is a VLAN (Virtual Local Area Network)? Answer:

 

 

 

 

  1. List four operational advantages of using switch VLANs. Answer:

 

 

 

 

  1. Describe the network security advantage of using a VLAN. Answer:

 

 

 

 

 

 

  1. A router, similar to a VLAN, can subdivide a large network into smaller sections. However, a VLAN offers more advantages. Describe the advantages of using VLANs as compared to IP-subnetted networks. Answer:

 

 

 

 

  1. Which switch protocol can be used to logically connect multiple switch ports of multiple physical switches to the same VLAN? Answer:

 

 

 

 

 

Private VLAN (PVLAN) – http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=3

Private VLAN – https://en.wikipedia.org/wiki/Private_VLAN

Private VLAN Concepts – https://www.pluralsight.com/blog/it-ops/private-vlan-concepts

 

  1. What is the difference between a VLAN and PVLAN? Answer:

 

 

 

 

 

 

 

 

 

6.2 Questions – Switch Security

 

Difference between console port and dedicated management port –  https://supportforums.cisco.com/discussion/12467571/difference-between-console-port-and-dedicated-management-port

 

Video – VLAN Hopping – 3.2 (Professor Messer) – https://www.youtube.com/watch?v=hmJvHHv5d68&index=98&list=PLG49S3nxzAnnXcPUJbwikr2xAcmKljbnQ

 

  1. What is the difference between a switch's console port and a management port? Answer:

 

 

 

 

 

  1. Describe the security advantage of the following switch port security concepts.
Switch Port Security Concept Security Advantage
MAC Locking  

 

 

MAC Locking  

 

 

 

MAC Learning  

 

 

Port Access Control List ( PACL)  

 

 

Router Access Control List (RACL)  

 

 

VLAN Access Control Lists (VACL)  

 

 

 

  1. Explain the concept of AAA as applied to switch security. Answer:

 

 

 


 

 

ARP Spoofing or ARP Poisoning Attacks – https://www.veracode.com/security/arp-spoofing

Address Resolution Protocol Poisoning (ARP Poisoning) – https://www.techopedia.com/definition/27471/address-resolution-protocol-poisoning-arp-poisoning

Dynamic ARP Inspection (DAI)

http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=8

 

6.3 Questions – DAI and ARP Poisoning attacks

Since IPv6 does not rely on ARP, the ARP poisoning attack is limited to IPv4.

 

  1. What is an “ARP Poisoning” attack? Answer:

 

 

 

  1. How can Dynamic ARP Inspection (DAI) prevent ARP Poisoning attacks? Answer:

 

 

 

Protecting against MAC flooding attack – http://www.ciscozine.com/protecting-against-mac-flooding-attack/

 

What is MAC Flooding? How to prevent it?  –  https://www.interserver.net/tips/kb/mac-flooding-prevent/

 

There are three types of secure MAC addresses:

 

  • Static secure MAC addresses: These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
  • Dynamic secure MAC addresses: These are dynamically learned, stored only in the address table, and removed when the switch restarts.
  • Sticky secure MAC addresses: These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts.
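The three secure-MAC types above are easiest to understand as rules on what a port is allowed to add to the switch's address table, and the MAC-flooding questions that follow are about what happens when there is no such rule. The following added example (my own illustration, not code from the tutorial or from any switch vendor) is a small model of a CAM table fed by access ports with port security: static, dynamic and sticky addresses behave as the list describes, a port that exceeds its maximum goes into the shutdown violation state, and a restart keeps static and sticky entries while dropping dynamic ones. It then sends the same burst of frames with distinct source addresses (the traffic pattern a MAC flood produces) into an unprotected and a protected port and compares the address table afterwards. Port names, the table size and the MAC addresses are constructed for the example.

```python
from collections import Counter


class SecurePort:
    """One access port with port security, modelling the three secure-MAC
    types: static (configured), dynamic (learned, lost on restart) and
    sticky (learned, kept in the running configuration)."""

    def __init__(self, name, maximum=1, static=(), sticky=False):
        self.name = name
        self.maximum = maximum          # switchport port-security maximum <n>
        self.static = set(static)       # switchport port-security mac-address <mac>
        self.dynamic = set()
        self.sticky = sticky            # switchport port-security mac-address sticky
        self.sticky_learned = set()
        self.shutdown = False           # violation mode shutdown -> port err-disabled
        self.violations = 0

    def secure_addresses(self):
        return self.static | self.dynamic | self.sticky_learned

    def learn(self, mac):
        """Return True if a frame from `mac` may be forwarded on this port."""
        if self.shutdown:
            return False
        if mac in self.secure_addresses():
            return True
        if len(self.secure_addresses()) >= self.maximum:
            self.violations += 1        # one more source than the port allows
            self.shutdown = True
            return False
        (self.sticky_learned if self.sticky else self.dynamic).add(mac)
        return True

    def restart(self):
        """Dynamic secure addresses do not survive a reload; static and saved
        sticky addresses do."""
        self.dynamic.clear()


class Switch:
    """A CAM table of fixed size fed by secure ports."""

    def __init__(self, cam_capacity=8):
        self.capacity = cam_capacity
        self.cam = {}                   # mac -> port name
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port

    def receive(self, port_name, src_mac):
        port = self.ports[port_name]
        if not port.learn(src_mac):
            return "dropped"            # port security stopped the frame
        if src_mac not in self.cam and len(self.cam) >= self.capacity:
            return "cam-full"           # a real switch now floods unknown unicast
        self.cam[src_mac] = port_name
        return "learned"


def simulate(protected, frames=20, cam_capacity=8):
    """Feed `frames` frames, each with a different constructed source MAC,
    into a single access port and report the state of the table afterwards."""
    sw = Switch(cam_capacity)
    # Unprotected: effectively no maximum. Protected: two sticky addresses at most.
    port = SecurePort("Gi0/1", maximum=2 if protected else 10_000, sticky=protected)
    sw.add_port(port)
    results = Counter()
    for i in range(frames):
        results[sw.receive("Gi0/1", f"02:00:00:00:00:{i:02x}")] += 1
    return {
        "cam_entries": len(sw.cam),
        "port_shutdown": port.shutdown,
        "violations": port.violations,
        "results": dict(results),
    }


if __name__ == "__main__":
    print("unprotected:", simulate(protected=False))
    print("protected:  ", simulate(protected=True))
```

On the unprotected port the eight-entry table is full after eight frames and every later frame is reported as cam-full, the condition under which a real switch starts flooding unknown unicast out of all ports. On the protected port the third distinct address is a violation, the port is err-disabled, and the table holds only the two sticky entries the port was allowed to learn.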

 

  1. What is a MAC Flooding attack? Answer:

 

 

 

  1. How can one prevent a MAC flooding attack against a switch? Answer:

 

 

 

 

 

6.4 Layer 2 Security Best Practices

 

  • Manage the switches in a secure manner. For example, use SSH, authentication mechanisms and access lists, and set privilege levels.
  • Restrict management access to the switch so that untrusted networks are not able to exploit management interfaces and protocols such as SNMP.
  • Always use a dedicated VLAN ID for all trunk ports.
  • Be skeptical; avoid using VLAN 1 for anything.
  • Disable DTP on all non-trunking access ports.
  • Deploy the Port Security feature to prevent unauthorized access from switching ports.
  • Use the Private VLAN feature where applicable to segregate network traffic at Layer 2.
  • Use MD5 authentication where applicable.
  • Disable CDP where possible.
  • Prevent denial-of-service attacks and other exploitation by disabling unused services and protocols.
  • Shut down or disable all unused ports on the switch, and put them in a VLAN that is not used for normal operations.
  • Use port security mechanisms to provide protection against a MAC flooding attack.
  • Use port-level security features such as DHCP Snooping, IP Source Guard, and ARP security where applicable.
  • Enable Spanning Tree Protocol features (for example, BPDU Guard, Loopguard, and Root Guard).
  • Use Switch IOS ACLs and Wire-speed ACLs to filter undesirable traffic (IP and non-IP).

 

 

 

6.3 Questions – Switch Network Forensic Evidence

 

Spanning ports are the traditional solution. A Switched Port Analyzer (SPAN) port is used to monitor network traffic on a switch. The switch is given instructions to send copies of network traffic from a port or ports to a designated SPAN port, to which the IDS is attached. The advantages are obvious: this is easy to install (it costs only a port on the switch), and is inexpensive because it has no additional hardware or management requirements. If desired, the IDS can send traffic to the source and destination of an alert (in particular, to terminate a session). There are disadvantages to spanning ports, however. Only one spanning port per switch is allowed. It is possible to span traffic from more than one port on some switches, but there is no guarantee of reliability: the spanning port is easily overloaded by copying traffic from more than one port to it. If the IDS has no other network connection besides the spanning port, any traffic generated by the IDS (in response to an alert, perhaps) causes additional problems with port overloading. Spanning ports may also be unable to mirror certain types of errors, such as oversized and undersized packets.

 

Taps, or Ethernet taps, are special purpose hardware devices that split the signal, sending one branch to the original destination, and the other to the IDS. Taps are designed to fail open so that the connection being tapped will remain open even if the tap loses power or fails. Taps possess several advantages. They do not affect or degrade traffic flow. Changes in IDS infrastructure won't affect the larger network. Typically in a tap, the IDS link is deployed so the IDS can receive the traffic, but cannot transmit. This makes the IDS unassailable by most attacks, since it cannot open a session with an attacker through the tap, but it also eliminates the IDS's ability to terminate a session (without extra expense and trouble). Other disadvantages of using taps include the expense and overhead of deploying and maintaining a new class of devices in the data center, and difficulties in monitoring traffic in both directions.

 

  1. What is a switch’s CAM table? Answer:

 

 

 


 

 

  2. How can a switch CAM table be used to collect network forensic evidence? Answer:

 

 

 

  3. How can port mirroring be used to collect network forensic evidence? Answer:

 

 

 

  4. What is a TAP (Test Access Port)? Answer:

 

 

 

  5. What is a SPAN port mirror? Answer:

 

 

 


 

 

 

  6. What are the forensic advantages of using TAP ports? Answer:

 

 

 

  7. List three limitations of using switches for collecting Network Forensic Evidence. Answer:

 

 

 

 

 

 

 

 

 

 

 

Review Questions.

 

  1. What are the only client platforms from which you can use Putty to access your INFS4180 Kali Linux server? Where can you use Windows to access your assigned INFS4180 Kali Linux Server?

 

 

 

 


 

 

  1. What is the difference between a static IP address and a dynamic IP address?

 

 

 

 

 

 

  1. How are dynamic, private IP addresses assigned when using VMware Horizon View?

 

 

 

 


 

  1. What is the difference between a public IP address or network and a Private IP address or network that is used by VMware Horizon client?

 

 

 

 


 

  1. Which Linux commands may you use to find the current private IP address assigned to your host?

 

 

 

 

 

 

  1. Assume that you have been assigned ec2-54-235-229-171.compute-1.amazonaws.com as your AWS host name. When you ping or use Putty to ec2-54-235-229-171.compute-1.amazonaws.com, which network protocol is used to convert a host name into a private IP address?

 

 

 

 

 

 

 

 

  1. If your private IP changes, explain why this change will not affect the integrity of the network forensic evidence.

 

 

 

 

 

 

  1. What is the function of the Linux dhclient command?

 

 

 

 

 

 

  1. Explain how the Linux dhclient command can be used to provide the current MAC address of your network interface device?

 

 

 

 

 

 

  1. Which Windows line command is most similar to the Linux dhclient command?

 

 

 

 


 

  1. List at least two advantages of using SSH Public Key authentication.

 

 

 

 

 

 

  1. List at least two disadvantages of using SSH Public Key authentication.

 

 

 

 

 

 

 

 

  1. What is the function or purpose of Putty Keep Alives?

 

 

 

 

 

 

  1. What are the advantages of using a Putty Stored Session?

 

 

 

 

 

  1. Public Key authentication is based on two SSH keys, i.e., the Public SSH key and Private SSH Key. Which key should be stored in Putty, or any SSH client?

 

 

 

 


 

  1. List several reasons why you may get a Putty Network error: Connection timed out error.

 

 

 

 


 

  1. List several reasons why you may get a Server unexpectedly closed the network connection error.

 

 

 


 

 

  1. Why does your instructor want you to follow the directions to improve your Putty screen?