  • Discover and interpret encrypted traffic
  • Learn about various protocols
  • Understand the malware language over wire
  • Gain insights into the most widely used malware
  • Correlate data collected from attacks
  • Develop tools and custom scripts for network forensics automation

Network forensics is a subset of digital forensics that deals with network attacks and their investigation. In the era of network attacks and malware threat, it’s now more important than ever to have skills to investigate network attacks and vulnerabilities.

Hands-On Network Forensics starts with the core concepts within network forensics, including coding, networking, forensics tools, and methodologies for forensic investigations. You’ll then explore the tools used for network forensics, followed by understanding how to apply those tools to a PCAP file and write the accompanying report. In addition to this, you will understand how statistical flow analysis, network enumeration, tunneling and encryption, and malware detection can be used to investigate your network. Towards the end of this book, you will discover how network correlation works and how to bring all the information from different types of network devices together. By the end of this book, you will have gained hands-on experience of performing forensics analysis tasks.

  • Investigate network threats with ease
  • Practice forensics tasks such as intrusion detection, network analysis, and scanning
  • Learn forensics investigation at the network level

Table of contents

1 Introducing Network Forensics
  • Technical requirements
  • Network forensics investigation methodology
  • Source of network evidence
  • Wireshark essentials
  • Exercise 1 – a noob's keylogger
  • Exercise 2 – two too many
  • Summary
  • Questions and exercises
  • Further reading

2 Technical Concepts and Acquiring Evidence
  • Technical requirements
  • The inter-networking refresher
  • Log-based evidence
  • Case study – hack attempts
  • Summary
  • Questions and exercises
  • Further reading

3 Deep Packet Inspection
  • Technical requirements
  • Protocol encapsulation
  • Analyzing packets on TCP
  • Analyzing packets on UDP
  • Analyzing packets on ICMP
  • Case study – ICMP Flood or something else
  • Summary
  • Questions and exercises
  • Further reading

4 Statistical Flow Analysis
  • Technical requirements
  • The flow record and flow-record processing systems (FRPS)
  • Sensor deployment types
  • Analyzing the flow
  • Summary
  • Questions
  • Further reading

5 Combatting Tunneling and Encryption
  • Technical requirements
  • Decrypting TLS using browsers
  • Decoding a malicious DNS tunnel
  • Decrypting 802.11 packets
  • Decoding keyboard captures
  • Summary
  • Questions and exercises
  • Further reading

6 Investigating Good, Known, and Ugly Malware
  • Technical requirements
  • Dissecting malware on the network
  • Intercepting malware for fun and profit
  • Behavior patterns and analysis
  • A real-world case study – investigating a banking Trojan on the network
  • Summary
  • Questions and exercises
  • Further reading

7 Investigating C2 Servers
  • Technical requirements
  • Decoding the Metasploit shell
  • Case study – decrypting the Metasploit Reverse HTTPS Shellcode
  • Analyzing Empire C2
  • Case study – CERT.SE's major fraud and hacking criminal case, B 8322-16
  • Summary
  • Questions and exercises
  • Further reading

8 Investigating and Analyzing Logs
  • Technical requirements
  • Network intrusions and footprints
  • A case study – defaced servers
  • Summary
  • Questions and exercises
  • Further reading

9 WLAN Forensics
  • Technical requirements
  • The 802.11 standard
  • Packet types and subtypes
  • Locating wireless devices
  • Identifying rogue access points
  • Identifying attacks
  • Case study – identifying the attacker
  • Summary
  • Questions
  • Further reading

10 Automated Evidence Aggregation and Analysis
  • Technical requirements
  • Automation using Python and Scapy
  • Automation through pyshark – Python's tshark
  • Merging and splitting PCAP data
  • Large-scale data capturing, collection, and indexing
  • Summary
  • Questions and exercises
  • Further reading
