Monday, March 16, 2020

DIGITAL FORENSICS:Network Evidence Collection.


Tools
- NetworkMiner_2-0
- Wireshark-win32-2.6.1
- Windows 7 forensic workstation

Evidence Collection.


In order to conduct a proper examination of log files and other network data such as packet captures, they often have to be moved from the log source and examined offline. As with any source of evidence, the log files or packet captures have to be handled with due care to ensure that they are not corrupted or modified during the transfer. One simple solution is to transfer the evidence immediately to a USB drive or similar removable medium. From there, a hash can be created for the evidence prior to any examination.

Wireshark can be used for capturing packets.

The log entry captures the necessary information:

- File Name: Each log file or packet capture should have its own unique name. The procedures in use by the IR team should include a naming convention for the different types of evidence files.
- Description: A brief description of the file. There does not need to be too much detail unless it is a unique file and a detailed description is called for.
- Location: The location is important. In this case, the packet capture was obtained on the switch located at 192.168.245.141.
- Date and time: Record the date and time the file was transferred to the medium. Note: prior to an incident, it is important to identify what time zone will be in use. From an evidentiary standpoint, the time zone does not really matter as long as it is consistent across the entire incident investigation.
- Collected by: Initials are sufficient for the log file.
- MD5 hash:
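The two passages above (hash the evidence before examining it, then record the log-entry fields) can be done in one small script. This is an added example, not code from the page or from Johansen's book: it hashes a file in chunks, writes the entry with the fields listed above, and re-checks the file later. The file name and location come from the page; the sample file content, the transfer time and the initials "AB" are constructed placeholders. SHA-256 is recorded next to the MD5 the page asks for, since MD5 alone no longer proves integrity against a deliberate collision.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for the bytes of the evidence file; a real capture
# would be copied from the log source to the removable medium first.
SAMPLE_CONTENT = b"abc"


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large captures never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_log_entry(path, description, location, collected_by, when=None):
    """Build the evidence-log record for one file: the fields from the text plus the digests."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamps must carry a time zone so the log stays consistent")
    digests = hash_file(path)
    return {
        "file_name": Path(path).name,
        "description": description,
        "location": location,
        "date_time": when.isoformat(),  # ISO 8601 with offset, so the zone is never ambiguous
        "collected_by": collected_by,
        "md5": digests["md5"],          # the digest the page's log entry records
        "sha256": digests["sha256"],    # kept alongside MD5 (collision-resistant)
    }


def verify_entry(path, entry):
    """Re-hash the file and report whether it still matches what was logged."""
    digests = hash_file(path)
    return digests["md5"] == entry["md5"] and digests["sha256"] == entry["sha256"]


def demo(directory=None):
    """Write the constructed sample file and log it; returns (path, entry)."""
    directory = directory or tempfile.mkdtemp()
    path = Path(directory) / "CF-Image01.pcap"  # file name taken from the page
    path.write_bytes(SAMPLE_CONTENT)
    entry = make_log_entry(
        path,
        description="Packet capture from the switch",
        location="switch at 192.168.245.141",  # location as recorded on the page
        collected_by="AB",  # hypothetical initials
        when=datetime(2012, 10, 27, 3, 30, tzinfo=timezone.utc),  # constructed transfer time
    )
    return path, entry


if __name__ == "__main__":
    p, e = demo()
    for k, v in e.items():
        print(f"{k}: {v}")
    print("verified:", verify_entry(p, e))
```

Run `verify_entry` again before each examination session; any change to the file, even a single appended byte, makes it return False, which is exactly the corruption or modification during transfer the text warns about.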


Packet capture "CF-Image01.pcap"

Source
Machine name: ForensicEx01
Hardware: Intel(R) Core(TM) i7-4702MQ CPU @ 2.20GHz (with SSE4.2)
OS: 32-bit Windows 7 Service Pack 1, build 7601
Application: Dumpcap (Wireshark) 2.6.1 (v2.6.1-0-g860a78b3)
IP: 192.168.245.141
MAC address: 00-0C-29-58-F1-EA

Time
First packet: 2012-10-27 03:19:42
Last packet: 2012-10-27 03:24:02
Elapsed: 00:04:20
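The first-packet, last-packet and elapsed values above come from Wireshark's capture file properties. As an added example (not from the page or the book), the following reads those values straight out of the pcap record headers, so an analyst can confirm the times without opening the capture in a GUI, and it refuses a file whose records are truncated. The sample pcap is constructed in memory from timestamps matching the ones shown above, treated as UTC; Wireshark shows stored timestamps in the workstation's local zone, so the displayed hour may differ from the stored one.

```python
import struct
from datetime import datetime, timedelta, timezone

# pcap file-header magic numbers as read with little-endian byte order:
# value -> (byte order of the writer, fraction field is nanoseconds)
_MAGICS = {
    0xA1B2C3D4: ("<", False), 0xD4C3B2A1: (">", False),
    0xA1B23C4D: ("<", True),  0x4D3CB2A1: (">", True),
}

# Constructed timestamps matching the first/last packet times shown above (as UTC).
SAMPLE_TIMES = [
    datetime(2012, 10, 27, 3, 19, 42, tzinfo=timezone.utc),
    datetime(2012, 10, 27, 3, 21, 0, 500000, tzinfo=timezone.utc),
    datetime(2012, 10, 27, 3, 24, 2, tzinfo=timezone.utc),
]


def build_sample_pcap(times):
    """Construct a minimal little-endian, microsecond pcap (link type 1 = Ethernet)
    holding one zero-filled 14-byte frame per timestamp. Sample data only."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = bytearray()
    for ts in times:
        frame = b"\x00" * 14
        records += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond,
                               len(frame), len(frame))
        records += frame
    return header + bytes(records)


def iter_packet_times(data):
    """Yield each record's timestamp as an aware UTC datetime; raise on a truncated file."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in _MAGICS:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    endian, nanos = _MAGICS[magic]
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError(f"truncated record header at offset {offset}")
        secs, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {offset}")
        micros = frac / 1000 if nanos else frac
        yield datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=micros)
        offset += incl_len


def capture_summary(data):
    """Packet count, first/last packet time and elapsed time formatted as HH:MM:SS."""
    times = list(iter_packet_times(data))
    if not times:
        return {"packets": 0, "first": None, "last": None, "elapsed": "00:00:00"}
    first, last = min(times), max(times)  # records are not guaranteed to be in order
    total = int((last - first).total_seconds())
    h, rem = divmod(total, 3600)
    m, s = divmod(rem, 60)
    return {"packets": len(times), "first": first, "last": last,
            "elapsed": f"{h:02d}:{m:02d}:{s:02d}"}


def is_well_formed(data):
    """True when every record header and payload fits inside the file."""
    try:
        list(iter_packet_times(data))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = build_sample_pcap(SAMPLE_TIMES)
    print(capture_summary(sample))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `capture_summary`; a capture cut short during transfer fails `is_well_formed`, which is one more reason to hash the file immediately after copying it.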


NetworkMiner: import CF-Image01.pcap and extract the image file.


Summary
Packet captures provide details of the exact nature of network traffic. Finally, analysts have to be prepared to acquire these sources of evidence in a forensically sound manner. The next chapter will take the analyst off the network into acquiring the volatile data from host-based systems.


How to Install Network Miner Packet Analysis Tool



Ref:

Digital Forensics and Incident Response, Gerard Johansen

https://www.netresec.com/

Note: the content on this website is provided for informational and educational purposes only.

* If any information here is incorrect, we apologize; please notify the Admin so it can be corrected.
Thank you.

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud
