Title Page
Copyright and Credits
Hands-On Network Forensics
Dedication
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer

Section 1: Obtaining the Evidence

Introducing Network Forensics
    Technical requirements
    Network forensics investigation methodology
    Source of network evidence
    Tapping the wire and the air
    CAM table on a network switch
    Routing tables on routers
    Dynamic Host Configuration Protocol logs
    DNS servers logs
    Domain controller/authentication servers/system logs
    IDS/IPS logs
    Firewall logs
    Proxy server logs
    Wireshark essentials
    Identifying conversations and endpoints
    Identifying the IP endpoints
    Basic filters
    Exercise 1 – a noob's keylogger
    Exercise 2 – two too many
    Summary
    Questions and exercises
    Further reading

Technical Concepts and Acquiring Evidence
    Technical requirements
    The inter-networking refresher
    Log-based evidence
    Application server logs
    Database logs
    Firewall logs
    Proxy logs
    IDS logs
    Case study – hack attempts
    Summary
    Questions and exercises
    Further reading

Section 2: The Key Concepts

Deep Packet Inspection
    Technical requirements
    Protocol encapsulation
    The Internet Protocol header
    The Transmission Control Protocol header
    The HTTP packet
    Analyzing packets on TCP
    Analyzing packets on UDP
    Analyzing packets on ICMP
    Case study – ICMP Flood or something else
    Summary
    Questions and exercises
    Further reading

Statistical Flow Analysis
    Technical requirements
    The flow record and flow-record processing systems (FRPS)
    Understanding flow-record processing systems
    Exploring Netflow
    Uniflow and bitflow
    Sensor deployment types
    Analyzing the flow
    Converting PCAP to the IPFIX format
    Viewing the IPFIX data
    Flow analysis using SiLK
    Viewing flow records as text
    Summary
    Questions
    Further reading

Combatting Tunneling and Encryption
    Technical requirements
    Decrypting TLS using browsers
    Decoding a malicious DNS tunnel
    Using Scapy to extract packet data
    Decrypting 802.11 packets
    Decrypting using Aircrack-ng
    Decoding keyboard captures
    Summary
    Questions and exercises
    Further reading

Section 3: Conducting Network Forensics

Investigating Good, Known, and Ugly Malware
    Technical requirements
    Dissecting malware on the network
    Finding network patterns
    Intercepting malware for fun and profit
    PyLocky ransomware decryption using PCAP data
    Decrypting hidden tear ransomware
    Behavior patterns and analysis
    A real-world case study – investigating a banking Trojan on the network
    Summary
    Questions and exercises
    Further reading

Investigating C2 Servers
    Technical requirements
    Decoding the Metasploit shell
    Working with PowerShell obfuscation
    Decoding and decompressing with Python
    Case study – decrypting the Metasploit Reverse HTTPS Shellcode
    Analyzing Empire C2
    Case study – CERT.SE's major fraud and hacking criminal case, B 8322-16
    Summary
    Questions and exercises
    Further reading

Investigating and Analyzing Logs
    Technical requirements
    Network intrusions and footprints
    Investigating SSH logs
    Investigating web proxy logs
    Investigating firewall logs
    A case study – defaced servers
    Summary
    Questions and exercises
    Further reading

WLAN Forensics
    Technical requirements
    The 802.11 standard
    Wireless evidence types
    Using airodump-ng to tap the air
    Packet types and subtypes
    Locating wireless devices
    Identifying rogue access points
    Obvious changes in the MAC address
    The tagged perimeters
    The time delta analysis
    Identifying attacks
    Rogue AP attacks
    Peer-to-peer attacks
    Eavesdropping
    Cracking encryption
    Authentication attacks
    Denial of service
    Investigating deauthentication packets
    Case study – identifying the attacker
    Summary
    Questions
    Further reading

Automated Evidence Aggregation and Analysis
    Technical requirements
    Automation using Python and Scapy
    Automation through pyshark – Python's tshark
    Merging and splitting PCAP data
    Splitting PCAP data on parameters
    Splitting PCAP data in streams
    Large-scale data capturing, collection, and indexing
    Summary
    Questions and exercises
    Further reading

Other Books You May Enjoy
    Leave a review - let other readers know what you think

Assessments
    Chapter 1: Introducing Network Forensics
    Chapter 6: Investigating Good, Known, and Ugly Malware
    Chapter 7: Investigating C2 Servers
    Chapter 9: WLAN Forensics