Explain the various types of network forensic tools?

Subject: Digital Forensics

Topic: Network Forensics

Difficulty: High

1 Answer

SYSINTERNALS: Sysinternals is a collection of free tools for examining Windows products. A few examples of the powerful Windows tools available at Sysinternals:

  1. RegMon shows all Registry data in real time.

  2. Process Explorer shows what files, Registry keys, and dynamic link libraries (DLLs) are loaded at a specific time.

  3. Handle shows what files are open and which processes are using these files.

  4. Filemon shows file system activity.

PsTools is a suite created by Sysinternals that includes the following tools:

  1. PsExec—Runs processes remotely

  2. PsGetSid—Displays the security identifier (SID) of a computer or user

  3. PsKill—Kills processes by name or process ID

  4. PsList—Lists detailed information about processes

  5. PsLoggedOn—Displays who’s logged on locally

  6. PsPasswd—Allows you to change account passwords

  7. PsService—Enables you to view and control services

  8. PsShutdown—Shuts down and optionally restarts a computer

  9. PsSuspend—Allows you to suspend processes

These tools help you monitor your network efficiently and thoroughly.

USING UNIX/LINUX TOOLS

Knoppix Security Tools Distribution

  1. Knoppix Security Tools Distribution (Knoppix-STD) is a bootable Linux CD intended for computer and network forensics.

  2. Knoppix-STD contains several forensically sound tools put together by Klaus Knopper that are maintained and updated by Knoppix users.

  3. Knoppix offers tools in a variety of categories, including authentication, encryption, forensics, firewalls, IDSs, honeypots, network utilities, password tools, packet sniffers, vulnerability assessment, and wireless tools.

A few of the Knoppix-STD tools include the following:

  1. dcfldd—The U.S. DOD computer forensics lab version of the dd command

  2. memfetch—Forces a memory dump

  3. photorec—Retrieves files from a digital camera

  4. snort—A popular IDS that performs packet capture and analysis in real time

USING PACKET SNIFFERS

  1. Packet sniffers are devices and/or software placed on a network to monitor traffic.

  2. On TCP/IP networks, sniffers examine packets, hence the term “packet sniffers.”

  3. Most packet sniffers work at Layer 2 or 3 of the OSI model.

  4. Some sniffers perform packet captures, some are used for analysis, and some handle both tasks.

  5. Most packet sniffing tools can read anything captured in Pcap (packet capture) format.

  6. In a SYN flood attack, the attacker keeps asking your server to establish a connection. To find these packets, Tcpdump, Wireshark, and Snort can be programmed to examine TCP headers to find the SYN flag.

Ngrep: It can be used to examine e-mail headers or IRC logs. It collects and hashes data for verification.
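As an added example (not part of the answer above), here is the SYN-flag check the answer describes, done in Python over constructed TCP headers rather than with Tcpdump or Wireshark: it decodes the flags field, isolates bare SYNs (SYN set, ACK clear), and flags destination ports where such SYNs pile up without matching ACK traffic. The thresholds and the sample data are assumptions chosen for illustration.

```python
"""Added example: spot SYN-flood indicators by inspecting TCP header flags."""
import struct
from collections import defaultdict

TCP_SYN = 0x02  # flag bits as laid out in the TCP header's flags field
TCP_ACK = 0x10

# The same test as a libpcap capture filter for tcpdump or Wireshark:
SYN_ONLY_FILTER = "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"


def build_tcp_header(src_port, dst_port, flags, seq=1, ack=0):
    """Constructed 20-byte TCP header (no options), used only for sample data."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words, then flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, 65535, 0, 0)


def tcp_flags(header):
    """Return the 9 flag bits found in bytes 12-13 of a TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!H", header[12:14])[0] & 0x01FF


def is_bare_syn(header):
    """True for a connection request: SYN set and ACK clear."""
    flags = tcp_flags(header)
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def syn_flood_suspects(headers, min_syns=20, ratio=5.0):
    """Per destination port, compare bare SYNs against ACK-bearing segments.

    A flooded port collects many SYNs that never progress to the ACK phase,
    so flag ports where bare SYNs reach min_syns and outnumber ACKs by ratio.
    (Thresholds are assumed values for this illustration.)
    """
    syns, acks = defaultdict(int), defaultdict(int)
    for h in headers:
        dst = struct.unpack("!H", h[2:4])[0]
        if is_bare_syn(h):
            syns[dst] += 1
        elif tcp_flags(h) & TCP_ACK:
            acks[dst] += 1
    return {port: n for port, n in syns.items()
            if n >= min_syns and n > ratio * acks[port]}


# Constructed sample: 30 bare SYNs to port 80 with no follow-up ACKs (flood
# pattern), plus a normal port-443 mix of 3 SYNs and 9 ACK-bearing segments.
SAMPLE = ([build_tcp_header(40000 + i, 80, TCP_SYN) for i in range(30)]
          + [build_tcp_header(50000 + i, 443, TCP_SYN) for i in range(3)]
          + [build_tcp_header(50000 + i % 3, 443, TCP_ACK) for i in range(9)])

if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE))  # {80: 30}
```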
