We’ll get started at 19:05
network forensics
comp6445 week05
house keeping
- report feedback
- investigation
- reflections
how did you find the report
any comments?
Investigation
- TODO
reflections
avg: 75%
- quite a few people haven’t been doing these
- literally just do them?
- if write a reasonable amount you’ll get the marks
- it takes no time and it’s worth 10% overall
Mindset
- a lot of people seem to be struggling with this
- don’t just blindly investigate the image
- google to find where interesting things could be
- use your intuition for where you might find things (e.g. Documents/Downloads/Recycling Bin)
Network forensics
What is a packet?
a chunk of data, forming part of a complete message
max packet size is about 65kb, so what happens when you stream a movie
What is in a packet
All packets contain a header and a payload
Payload is all the data
Header contains any metadata (e.g. length, protocol, source, destination)
OSI What
What is a packet capture?
- Intercepting packets travelling across a network, and logging them to a file
What could be a problem with this?
Demo
wireshark
how to use it
filters
- there’s two types of filters
- display filters: match metadata about the packet (e.g. source ip, protocol)
- pattern matching: match content in the filter (e.g. packet bytes/details)
display filters
following conversation
each packet will be tied to a “conversation”
- you can follow them by
- right clicking a packet >
follow X stream - filtering for
X.stream eq N
- right clicking a packet >
Xwould beTCPorUDP
Nwould be a number
what should I be looking for
- wierd IPs being communicated with
- files being downloaded/uploaded
- you can look for communicaion made at the same as evidence you found
decrypting traffic
Some traffic will be encrypted (e.g. SSH/HTTPS), so you won’t be able to read the packets
- Edit > Preferences
- Protocols > TLS
There you can you upload the tls/ssl keys to decrypt the traffic