Network Forensics Flashcards
(12 cards)
What is a Switched Port Analyzer (SPAN)?
Allows for the copying of ingress and/or egress communications from one or more switch ports to another
What is a Packet Sniffer?
A piece of hardware or software that records data from frames as they pass over network media using methods such as a mirrored port or tap device
Complete the sentence:
A network sniffer should be placed inside / outside a firewall or close to an important server
inside
What is tcpdump?
A data-network packet analyzer computer program that runs under a command line interface.
It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached
What is Wireshark?
A free and open-source GUI-based packet analyzer that is used for network troubleshooting, analysis, software and communications protocol development, and education
What is Full Packet Capture (FPC)?
Captures the entire packet, including the header and the payload, for all traffic entering and leaving a network - a lot of data!
What is a Flow Collector?
A means of recording metadata and statistics about network traffic rather than recording each frame
Flow analysis tools provide network traffic statistics sampled by a collector.
What is NetFlow?
A Cisco-developed means of reporting network flow information to a structured database.
Gathers:
● Network protocol interface
● Version and type of IP
● Source and destination IP
● Source and destination port
● IP type of service
NetFlow provides metadata, while packet captures provide a complete record of what occurred.
What is Zeek (Bro)?
A hybrid tool that passively monitors a network like a sniffer and only logs data of potential interest.
Zeek performs normalization on the data.
It stores data as tab-delimited or JavaScript Object Notation (JSON) formatted text files.
What is Multi Router Traffic Grapher (MRTG)?
A tool used to create graphs showing traffic flows through the network interfaces of routers and switches by polling the appliances using the Simple Network Management Protocol (SNMP).
What are Known-bad IP Addresses?
An IP address or range of addresses that appears on one or more blacklists.
Reputation-based risk intelligence is used to create IP/URL block lists.
Attackers now use domain generation algorithms to overcome block lists.
What is a Domain Generation Algorithm (DGA)?
A method used by malware to evade block lists by dynamically generating domain names for C2 networks.