Weekly Blog:
Week 1:
Network forensics definition and intent. Basically, Network Forensics focuses on analyzing controlled network traffic. The aims are the detection/prevention of intrusion, collection of information, and collection of legal evidence.
Two types of techniques of inquiry. The first one is OSCAR and TAARA is the second one. OSCAR stands for acquiring records, strategizing, gathering information, evaluating and finally reporting, while TAARA stands for activating, acquiring, analyzing, reporting and acting.
Week 2:
Switches, routers, DHCP servers, DNS servers, authentication servers, and so on are the sources of network data. In both the second and third OSI layers, the switch and router are used. The proof that one can gain from the switches is the devices’ MAC addresses. The IP addresses and port numbers of origins in the case of the router and can be accessed from it as the router
A consolidated log server is a server that records a network’s traffic originating from multiple computers. Then the traffic is sent to the SIEM to be processed.
The DNS server is the center of the Internet since, by referring to its name rather than the complicated IP address, we can access websites with its presence. For humans, it is easier to recall names instead of numbers.
Week 4:
What is analyzing flows? The word “flow” itself refers to a packet series that is sent to the destination from the source. Flow analysis is then carried out to determine the trends in the packet or traffic chain, isolate irregular behavior, analyze protocols of the higher layer, and extract data.
The distinction between multicasting and broadcasting. In the context that packets are transferred to different destinations, the principles of broadcast and multicast are identical. In broadcasting, however, services are only offered to customers. For starters, First Media’s consumers can only get access to its services.
The methods used for the study of movement. The flow analysis applications used are Tshark, Tcpflow, Pcapcat, Tcpxtract, etc.
Week 5:
The aim of proof acquisition. Its aim is to collect data from the network devices in an enterprise without leaving a deep impact on the business itself. A zero footprint inquiry is, however, difficult to accomplish.
Some of the applications for traffic acquisition are Tcpdump, Wireshark, Snort, etc.
Week 7:
The CSMA/CD and CSMA/CA differences. The ethernet medium in CSMA/CD can only be used by one device at a time. If another computer (let’s say computer B) wishes to connect with a different system, the ethernet medium has to wait for it to be unoccupied. The computer that needs to connect using the occupied ethernet medium in CSMA/CA will be told that the medium is actually in operation.
The evil twin. To eavesdrop on wireless contact, the evil twin is included. It falls under the guise of a legal connection point for Wi-Fi, but it is clearly fake.
Week 8:
Week 11:
A network proxy works between us and the Internet as a portal. As it has the potential to provide anonymity, it provides a high degree of privacy. Caching, URI filtering, page filtering, and distributed caching are other notable web proxy functionalities.
There are many kinds of constant, erratic, and off-system evidence. Persistent facts can include all HTTP/https traffic history, configuration files for web proxies, etc. Volatile proof applies to cached information contained in volatile memory, such as RAM, etc. Off-system proof implies proof that comes from centralized logging and documentation.