Network Forensics

Question 1

What is a Switched Port Analyzer (SPAN) ?

Answer 1

Allows for the copying of ingress and/or egress communications from one or more switch ports to another

Question 2

What is Packet Sniffer ?

Answer 2

A piece of hardware or software that records data from frames as they pass over network media using methods such as a mirrored port or tap device

Question 3

Complete the sentence:

A network sniffer should be placed inside / outside a firewall or close to an important server

Answer 3

inside

Question 4

What is tcpdump ?

Answer 4

A data-network packet analyzer computer program that runs under a command line interface.
It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached

Question 5

What is Wireshark?

Answer 5

A free and open-source GUI-based packet analyzer that is used for network troubleshooting, analysis, software and communications protocol development, and education

Question 6

What is Full Packet Capture (FPC) ?

Answer 6

Captures the entire packet including the header and the payload for all traffic entering and leaving a network- entering and leaving - a lot of data!

Flow analysis tools provides network traffic statistics sampled by a collector

Question 7

What is Flow Collector ?

Answer 7

A means of recording metadata and statistics about network traffic rather than recording each frame

Flow analysis tools provides network traffic statistics sampled by a collector

Question 8

What is NetFlow ?

Answer 8

A Cisco-developed means of reporting network flow information to structured database
Gathers:
● Network protocol interface
● Version and type of IP
● Source and destination IP
● Source and destination port
● IPs type of service
● NetFlow provides metadata while packet captures provide a complete record of what occurred

Question 9

What is Zeek (Bro) ?

Answer 9

a hybrid tool that passively monitors a network like a sniffer and only logs data of potential interest.
Zeek performs normalization on the data.
stores data as tab-delimited or Java Script Object. Notation (JSON) formatted text files.

Question 10

What is Multi Router Traffic Grapher (MRTG) ?

Answer 10

Is a tool used to create graphs showing traffic flows through the network interfaces of routers and
switches by polling the appliances using the Simple Network Management Protocol (SNMP)

Question 11

What are Known-bad IP Addresses ?

Answer 11

An IP address or range of addresses that appears on one or more blacklists.
Reputation-based risk intelligence is used to create IP/URL block lists
Attackers now use domain generation algorithms to overcome block lists

Question 12

What is Domain Generation Algorithm (DGA) ?

Answer 12

A method used by malware to evade block lists by dynamically generating domain names for C2 networks