Tools
- NetworkMiner_2-0
- Wireshark-win32-2.6.1
- Windows 7 forensic workstation
Evidence Collection.
In order to conduct a proper examination of log files and other network data such as packet
captures, they often have to be moved from the log source and examined offline. As with
any source of evidence, the log files or packet captures have to be handled with due care to
ensure that they are not corrupted or modified during the transfer. One simple solution is to
transfer the evidence immediately to a USB drive or similar removable medium. From
there, a hash can be created for the evidence prior to any examination, and recomputed at
each later hand-off to show that the file has not changed.
Wireshark can be used for capturing packets.
Figure: packet captures
The log entry captures the necessary information:
- File Name: Each log file or packet capture should have its own unique name. The
procedures in use by the IR team should include a naming convention for the different
types of evidence files.
- Description: A brief description of the file. Much detail is not needed unless the file is
unusual and a detailed description is called for.
- Location: The location is important. In this case, the packet capture was obtained on
the switch located at 192.168.245.141.
Note: Prior to an incident, it is important to decide which time zone will be used. From
an evidentiary standpoint, the time zone itself does not matter as long as it is applied
consistently across the entire incident investigation.
- Collected by: Initials are sufficient for the log file.
- MD5 hash:
Figure: packet capture "CF-Image01.pcap"
Source
- Machine name: ForensicEx01
- Hardware: Intel(R) Core(TM) i7-4702MQ CPU @ 2.20GHz (with SSE4.2)
- OS: 32-bit Windows 7 Service Pack 1, build 7601
- Application: Dumpcap (Wireshark) 2.6.1 (v2.6.1-0-g860a78b3)
- IP: 192.168.245.141
- MAC address: 00-0C-29-58-F1-EA
Time
- First packet: 2012-10-27 03:19:42
- Last packet: 2012-10-27 03:24:02
- Elapsed: 00:04:20
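As an added example (not code from this page or from Johansen's book), the following Python script does what the section above describes: it hashes the capture file before any analysis tool opens it, reads the classic pcap record headers to fill in the first packet, last packet and elapsed fields, assembles the evidence-log entry, and re-verifies the hashes after a simulated one-byte change in transit. The sample capture it writes is constructed in memory using the timestamps and MAC address quoted above; the description, location string and initials are placeholders; SHA-256 is recorded alongside the page's MD5 because MD5 collisions are practical. Only classic pcap is parsed; a pcapng file is rejected rather than misread.

```python
"""Hash a packet capture before examination and record the evidence-log fields."""
import hashlib
import os
import struct
import tempfile
from datetime import datetime, timezone

# Classic pcap magic, read as little-endian uint32: value -> (byte order, timestamp divisor)
PCAP_MAGIC = {
    0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),   # microsecond timestamps
    0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9),   # nanosecond timestamps
}

def hash_file(path, chunk_size=1 << 20):
    """Stream the file once; MD5 matches the page's template, SHA-256 is added
    because MD5 collisions are practical and a second digest costs nothing."""
    hashers = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def pcap_time_span(path):
    """Walk classic pcap record headers (pcapng is rejected) and return
    (packet_count, first_packet_utc, last_packet_utc, elapsed_seconds)."""
    with open(path, "rb") as f:
        header = f.read(24)
        if len(header) < 24:
            raise ValueError("file too short to be a pcap")
        magic = struct.unpack("<I", header[:4])[0]
        if magic not in PCAP_MAGIC:
            raise ValueError(f"not a classic pcap file (magic {magic:#010x})")
        endian, divisor = PCAP_MAGIC[magic]
        count, first, last = 0, None, None
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break  # end of file, or a truncated record header
            ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            if len(f.read(incl_len)) < incl_len:
                break  # truncated capture: stop at the last complete record
            last = ts_sec * divisor + ts_frac  # integer arithmetic, no float drift
            first = last if first is None else first
            count += 1
    if count == 0:
        return 0, None, None, 0
    to_dt = lambda s: datetime.fromtimestamp(s // divisor, tz=timezone.utc)
    return count, to_dt(first), to_dt(last), (last - first) // divisor

def make_log_entry(path, description, location, collected_by):
    """Assemble the page's evidence-log fields; hashes are taken here, before
    any analysis tool opens the file."""
    digests = hash_file(path)
    count, first, last, elapsed = pcap_time_span(path)
    fmt = "%Y-%m-%d %H:%M:%S"
    return {
        "file_name": os.path.basename(path), "description": description,
        "location": location, "collected_by": collected_by,
        "time_zone": "UTC",  # one zone for the whole investigation, as the page advises
        "packet_count": count,
        "first_packet": first.strftime(fmt) if first else None,
        "last_packet": last.strftime(fmt) if last else None,
        "elapsed": "%02d:%02d:%02d" % (elapsed // 3600, elapsed % 3600 // 60, elapsed % 60),
        "md5": digests["md5"], "sha256": digests["sha256"],
    }

def verify_evidence(path, entry):
    """Recompute both digests and compare them with the logged values."""
    digests = hash_file(path)
    return digests["md5"] == entry["md5"] and digests["sha256"] == entry["sha256"]

def build_sample_pcap(path):
    """Constructed pcap (little-endian, microseconds) with the page's first/last times."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    base = int(datetime(2012, 10, 27, 3, 19, 42, tzinfo=timezone.utc).timestamp())
    # Broadcast dst, the page's MAC as src, EtherType IPv4, then dummy payload.
    frame = b"\xff" * 6 + b"\x00\x0c\x29\x58\xf1\xea" + b"\x08\x00" + b"\x00" * 20
    records = b"".join(
        struct.pack("<IIII", base + offset, 0, len(frame), len(frame)) + frame
        for offset in (0, 125, 260))  # seconds after the first packet; 260 s = 00:04:20
    with open(path, "wb") as f:
        f.write(global_header + records)

def demo():
    """Log the constructed capture, verify it, then flip one byte and verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        pcap = os.path.join(workdir, "CF-Image01.pcap")
        build_sample_pcap(pcap)
        entry = make_log_entry(pcap, "Packet capture from switch (constructed sample)",
                               "switch at 192.168.245.141", "AB")  # placeholders
        intact = verify_evidence(pcap, entry)
        with open(pcap, "r+b") as f:  # simulate a one-bit change in transit
            f.seek(-1, os.SEEK_END)
            last_byte = f.read(1)[0]
            f.seek(-1, os.SEEK_END)
            f.write(bytes([last_byte ^ 0x01]))
        tampered = verify_evidence(pcap, entry)
    return entry, intact, tampered
```

Call demo() from a Python prompt, or point make_log_entry and verify_evidence at a real .pcap. The integrity check returns True before the single-byte change and False after it, which is exactly the comparison to repeat each time the capture changes hands.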
Import CF-Image01.pcap into NetworkMiner.
Figure: NetworkMiner
Summary
Packet captures provide detail on the exact nature of network traffic. Finally, analysts
have to be prepared to acquire these sources of evidence in a forensically sound manner.
The next chapter will take the analyst off the network into acquiring volatile data from
host-based systems.
How to Install Network Miner Packet Analysis Tool
Ref:
- Digital Forensics and Incident Response, Gerard Johansen
- https://www.netresec.com/
Note: The content on this website is provided for informational and educational purposes only.
* If any of the information is in error, we apologize. Please notify the Admin so that it can be corrected.
Thank you.
#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud