Network Forensics: Tracking Hackers Through Cyberspace

Tuesday, September 04, 2012

Jayson Wylie


There are very few books that I have come across that approach the topic of network forensics to help with actual efforts to investigate possible incidents.

I would not consider it a starter book, and there are other books that can teach some of the basics of security in the network domain.

At a bare minimum, one would have to have a good familiarity with all the components that make up complex network systems, and with the investigative tools.

This is a fairly new release and has up-to-date approaches to documenting the chain of custody, reporting findings, and recording the actions taken during an investigation. This is very important for presentation in court or litigation.

The book does a very good job of identifying points of interest, areas where evidence can be found, and the order in which to collect it: the most volatile areas, such as the contents of a device's memory buffers, come first, and collection then works down the line on the principle that the evidence that will disappear fastest is addressed first.

Each chapter deals either with certain incidents, both internal and external, or technology components for potential areas of evidence collection.

The investigative aspects detail tools, methods and approaches to address network forensics. There are numerous examples of using the tools to isolate and identify suspected activities.

Skills that would be good to have are sniffers, packet flow analysis, packet structure, and distinguishing normal from suspicious traffic for common network activities.

Understanding the Berkeley Packet Filter (BPF) syntax is essential for tasks like parsing large traffic captures with tshark, as well as for writing capture filters (and, in Wireshark's own syntax, display filters). Familiarity with grep and awk on *nix, and with regular expressions, helps as well.
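As an added illustration of the kind of tshark, awk and regular-expression work the review refers to (this is not code from the book or from the reviewer), the script below summarises per-flow connection counts and flags traffic to unexpected destination ports. The input is a constructed sample in the layout that `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport` produces; the addresses, the capture file name and the "expected ports" list are assumptions for the example, not values from the page.

```shell
#!/bin/sh
# Constructed sample of tshark field output (src, dst, dst port), one flow record per line.
# A real run would look like:
#   tshark -r capture.pcap -f "tcp" \
#          -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e ip.src -e ip.dst -e tcp.dstport
# (-f takes a BPF capture filter, -Y a Wireshark display filter.)
# The addresses below are made up for this example.
sample_flows() {
  printf '%s\t%s\t%s\n' \
    10.0.0.5 10.0.0.20   80 \
    10.0.0.5 10.0.0.20  443 \
    10.0.0.7 203.0.113.9 4444 \
    10.0.0.5 10.0.0.20   80 \
    10.0.0.7 203.0.113.9 4444 \
    10.0.0.5 10.0.0.20   80 \
    10.0.0.9 10.0.0.20   22
}

# Count records per (src -> dst:port) and list them, most frequent first.
# awk's default field splitting handles tshark's tab-separated fields.
top_flows() {
  sample_flows |
    awk '{ count[$1 " -> " $2 ":" $3]++ }
         END { for (k in count) print count[k], k }' |
    sort -rn
}

# Print the distinct (src, dst, port) triples whose destination port is not
# in the expected set. The expected set (80, 443, 22) is an assumption here;
# an analyst would derive it from the environment's baseline.
unexpected_ports() {
  sample_flows |
    awk '$3 !~ /^(80|443|22)$/ { print $1, $2, $3 }' |
    sort -u
}

# Run stand-alone: show both summaries.
if [ "${1:-}" = "run" ]; then
  echo "Top flows:";        top_flows
  echo "Unexpected ports:"; unexpected_ports
fi
```

Invoke with `sh flows.sh run` to print both tables; the same two functions work unchanged on live tshark output once `sample_flows` is replaced by the real command.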

Case studies are used to lay out a sound approach to a variety of scenarios: applying the tools, checking for specific facts, and along the way identifying the process trail and the places where evidence or information can be collected.

I highly recommend this book for seasoned network security professionals and those responsible for forensics to help set a foundation of proper approach, reporting and evidence collection for identifying an incident and being able to show proof and record.
