Network forensics Flashcards
(22 cards)
Define internet
Collection of networks
What is an internet service provider (ISP)
Provides the entry point to the internet
Issues the account credentials (username and password) used to connect
What is the function of a Domain Name Service (DNS)
Translates domain names to IP addresses (forward lookup) and IP addresses back to names (reverse lookup)
Describe IPv4
Binary address representation
32 bits long, divided into four 8-bit groups (octets), written in dotted-decimal form such as 192.168.1.1
What is the function of Network Address Translation (NAT)
Rewrites IP addresses (and usually ports) in packets crossing a boundary device, typically mapping private internal addresses to a public address
Forensically, the NAT table or log is needed to tie an externally observed address and port back to the internal host
Describe firewalls
Key device to consider during an incident
Combine a deny/allow ruleset with IDS or IPS functions and control network access to applications
Create a significant source of evidence that can be leveraged during an incident
How evidence is acquired depends on the manufacturer and model used
What is the connection log
Records source and destination IP addresses and protocols of connections between internal and external systems
Critical for determining whether any internal system has contacted an adversary-controlled system or is possibly being controlled by one
Also shows where connections were denied
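The two cards above (the 32-bit IPv4 representation and the connection log) fit one worked example. The code below is an added illustration, not part of the flashcard deck: it packs dotted-decimal addresses into 32-bit integers, tests CIDR membership with a prefix mask, and then scans constructed firewall connection-log lines to flag internal hosts that reached (or tried to reach) an adversary-controlled address and to list denied connections. The log line format, the internal ranges (RFC 1918) and the adversary IP (from a hypothetical threat-intelligence feed) are all assumptions.

```python
import re
from typing import Dict, List, Tuple

def ipv4_to_int(addr: str) -> int:
    """Pack a dotted-decimal IPv4 address into its 32-bit integer form (four 8-bit octets)."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n          # shift in one 8-bit group at a time
    return value

def in_cidr(addr: str, cidr: str) -> bool:
    """True if addr lies inside the CIDR block; both sides are masked with the prefix mask."""
    net, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return (ipv4_to_int(addr) & mask) == (ipv4_to_int(net) & mask)

# Assumptions: the internal address space is the RFC 1918 ranges, and one
# adversary-controlled address comes from a hypothetical threat-intel feed
# (203.0.113.0/24 is a documentation range, so this is not a real host).
INTERNAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ADVERSARY_IPS = {"203.0.113.45"}

def is_internal(addr: str) -> bool:
    return any(in_cidr(addr, c) for c in INTERNAL_RANGES)

# Constructed sample log in an assumed "timestamp action proto src:sport -> dst:dport" format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ALLOW TCP 10.1.2.3:51234 -> 93.184.216.34:443
2024-03-01T10:00:07Z ALLOW TCP 10.1.2.3:51240 -> 203.0.113.45:8443
2024-03-01T10:00:09Z DENY  TCP 198.51.100.7:44321 -> 10.1.2.9:3389
2024-03-01T10:00:15Z ALLOW UDP 10.1.2.9:5353 -> 10.1.2.1:53
2024-03-01T10:00:22Z DENY  TCP 10.1.2.9:40001 -> 203.0.113.45:4444
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse connection-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def analyse(records: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (adversary_contacts, denied).

    adversary_contacts: records where an internal source talked to, or tried to talk to,
    an adversary IP (a DENY here still shows a host attempting to reach C2).
    denied: every denied connection, which also reveals external scanning against us.
    """
    contacts = [r for r in records if is_internal(r["src"]) and r["dst"] in ADVERSARY_IPS]
    denied = [r for r in records if r["action"] == "DENY"]
    return contacts, denied

if __name__ == "__main__":
    contacts, denied = analyse(parse_log(SAMPLE_LOG))
    for r in contacts:
        print(f"{r['ts']} {r['src']} -> {r['dst']}:{r['dport']} [{r['action']}]  adversary contact")
    for r in denied:
        print(f"{r['ts']} {r['src']} -> {r['dst']}:{r['dport']}  denied")
```

On the sample data the allowed connection from 10.1.2.3 to the adversary address is the host to image first; the denied attempt from 10.1.2.9 to port 4444 shows a second host already trying to call out, which the "allowed only" view would miss.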
Describe remote access logs
Show which systems connected remotely and at what time they connected
Define network forensics
Systematic tracking of incoming/outgoing traffic to ascertain how an attack was carried out or how an event occurred on a network
What are the 2 main causes of abnormal traffic
Internal bug
Attackers
When are live acquisitions used
When dealing with active network intrusions/attacks
Before taking a system offline
- an attack might leave footprints only in running processes or RAM, which are lost on shutdown
What is the sequence of storage devices in the order of volatility (most volatile first)
Cache
RAM
Paging file
HDD
Logs on remote systems
Archive media
Define volatility
Describes how long data on a host system is maintained after changes such as log-offs or power-offs
What is non-volatile data
Data stored on a hard drive that usually persists after shut down
What are the steps of live acquisition
Create or download a bootable forensic CD
Keep a log of all your actions
Send the information you collect to a network drive
Copy the physical memory (RAM)
Compute a forensic hash value for all recovered files
Describe the standard procedure for network forensics
Always use a standard installation image for systems on a network
Close the attacker's way in after an attack
Attempt to retrieve all volatile data
Acquire all compromised devices
Compare forensic image files to the original installation image
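Two of the steps above (keeping a log of all actions and hashing every recovered file) and the final step of the standard procedure (comparing an acquired image to the standard installation image) can be shown together. The following is an added example, not part of the flashcard deck: it writes a timestamped examiner action log, builds a SHA-256 manifest of every file under a directory, and diffs the manifest of a constructed "compromised" tree against the manifest of a constructed "baseline" tree to report added, removed and modified files. The directory layout, file contents and log format are all constructed for the demo.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Dict

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

class ActionLog:
    """Append-only JSON-lines log of examiner actions (the 'keep a log of all your actions' step)."""
    def __init__(self, path: Path):
        self.path = Path(path)
        self.entries = []

    def record(self, action: str) -> None:
        entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "action": action}
        self.entries.append(entry)
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")

def build_manifest(root: Path, log: ActionLog) -> Dict[str, str]:
    """Hash every regular file under root; returns {relative posix path: sha256 hex}."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = sha256_file(p)
            log.record(f"hashed {rel}")
    return manifest

def compare_manifests(baseline: Dict[str, str], acquired: Dict[str, str]) -> Dict[str, list]:
    """Diff an acquired image's manifest against the standard installation image's manifest."""
    return {
        "added": sorted(set(acquired) - set(baseline)),
        "removed": sorted(set(baseline) - set(acquired)),
        "modified": sorted(k for k in baseline.keys() & acquired.keys() if baseline[k] != acquired[k]),
    }

def demo() -> Dict[str, object]:
    """Constructed scenario: a baseline image and a compromised copy with one altered binary and one dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        base, comp = Path(tmp, "baseline"), Path(tmp, "compromised")
        for root in (base, comp):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "sshd").write_bytes(b"original sshd binary")
            (root / "etc").mkdir()
            (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (comp / "bin" / "sshd").write_bytes(b"trojaned sshd binary")     # modified on the compromised host
        (comp / "tmp").mkdir()
        (comp / "tmp" / ".x").write_bytes(b"dropper")                     # file the attacker left behind
        log = ActionLog(Path(tmp, "examiner.log"))
        log.record("started comparison of compromised image against baseline")
        report = compare_manifests(build_manifest(base, log), build_manifest(comp, log))
        report["log_entries"] = len(log.entries)
        return report

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same compare function also verifies integrity later: hashing the evidence directory again and diffing it against the manifest taken at acquisition time reports any file altered since then.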
Define packet sniffers
Devices or software that capture and monitor network traffic
Most work at layer 2 (data link) or layer 3 (network) of the OSI model
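To show what "working at layer 2/3" means in practice, the following added example (not from the flashcard deck) decodes a raw Ethernet II frame down through the IPv4 header into the TCP or UDP ports, verifies the IPv4 header checksum, and reports the flags. The frame is constructed in code rather than captured, so the MAC addresses, IPs and ports are made up; the TCP checksum is left as zero because the point is the layer 2/3 decode.

```python
import socket
import struct
from typing import Dict

TCP_FLAG_BITS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
                 ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080)]

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 when a header's stored checksum is valid."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def decode_flags(bits: int) -> str:
    return "|".join(name for name, bit in TCP_FLAG_BITS if bits & bit) or "NONE"

def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet (layer 2) then IPv4 (layer 3) and, if present, TCP/UDP ports."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out: Dict[str, object] = {"dst_mac": fmt_mac(dst_mac), "src_mac": fmt_mac(src_mac),
                              "ethertype": ethertype}
    if ethertype != 0x0800:
        return out                                   # only IPv4 is decoded here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    out.update(version=4, ttl=ttl, proto=proto, src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
               ip_checksum_ok=ip_checksum(ip[:ihl]) == 0)
    payload = ip[ihl:total_len]
    if proto == 6 and len(payload) >= 20:            # TCP
        sport, dport, seq, _ack, off_flags, _win = struct.unpack("!HHIIHH", payload[:16])
        out.update(sport=sport, dport=dport, seq=seq, flags=decode_flags(off_flags & 0x1FF))
    elif proto == 17 and len(payload) >= 8:          # UDP
        sport, dport, length, _ = struct.unpack("!HHHH", payload[:8])
        out.update(sport=sport, dport=dport, udp_len=length)
    return out

def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int = 0x002) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with a valid IPv4 checksum (TCP checksum left at 0)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip_hdr + tcp

if __name__ == "__main__":
    frame = build_frame("10.1.2.3", "203.0.113.45", 51240, 8443)   # made-up SYN to a documentation-range IP
    print(parse_frame(frame))
```

Swapping `build_frame` for bytes read from a pcap or a raw socket is the only change needed to run the decoder on real traffic; the checksum check is what tells you a capture is truncated or corrupted rather than the sender misbehaving.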
What is a security operations center (SOC)
A team dedicated to securing an enterprise
Aims to detect, investigate, triage and respond to real-time and historical threats to reduce the cyber risk across the organisation
What are the 3 main components of an SOC
The people: analysts, architects, managers, engineers
The technology and tools used in day-to-day operations
The frameworks and methodologies the team puts into practice
What are the key steps of an SOC
Gather relevant evidence
Enrich with contextual knowledge
Pivot, filter and iterate
Integrate lessons learned
What are the key issues faced by SOC investigations
Advanced Threat Actors
Lack of visibility
Time-intensive analysis
Alert fatigue
Where do SOC investigations gather evidence from
Network traffic
DNS logs
Firewall logs
Proxy logs
Access (authentication) logs
Web server logs
IDS alerts
Threat intelligence