Foreword         xvii Preface        xix
Acknowledgments         xxv
About the Authors        xxvii
Â
Part I: Foundation         1
Chapter 1: Practical Investigative Strategies         3
1.1 Real-World Cases  3
1.2 Footprints  8
1.3 Concepts in Digital Evidence  9
1.4 Challenges Relating to Network Evidence  16
1.5 Network Forensics Investigative Methodology (OSCAR)Â Â 17
1.6 Conclusion  22
Â
Chapter 2: Technical Fundamentals           23
2.1 Sources of Network-Based Evidence  23
2.2 Principles of Internetworking  30
2.3 Internet Protocol Suite  35
2.4 Conclusion  44
Â
Chapter 3: Evidence Acquisition        45
3.1 Physical Interception  46
3.2 Traffic Acquisition Software  54
3.3 Active Acquisition  65
3.4 Conclusion 72
Â
Part II: Traffic Analysis          73
Chapter 4: Packet Analysis         75
4.1 Protocol Analysis  76
4.2 Packet Analysis  95
4.3 Flow Analysis  103
4.4 Higher-Layer Traffic Analysis  120
4.5 Conclusion  133
4.6 Case Study: Ann’s Rendezvous  135
Â
Chapter 5: Statistical Flow Analysis         159
5.1 Process Overview  160
5.2 Sensors  161
5.3 Flow Record Export Protocols  166
5.4 Collection and Aggregation  168
5.5 Analysis  172
5.6 Conclusion  183
5.7 Case Study: The Curious Mr. XÂ Â 184
Â
Chapter 6: Wireless: Network Forensics Unplugged          199
6.1 The IEEE Layer 2 Protocol Series  201
6.2 Wireless Access Points (WAPs)Â Â 214
6.3 Wireless Traffic Capture and Analysis  219
6.4 Common Attacks  224
6.5 Locating Wireless Devices  229
6.6 Conclusion  235
6.7 Case Study: HackMe, Inc.  236
Â
Chapter 7: Network Intrusion Detection and Analysis         257
7.1 Why Investigate NIDS/NIPS?  258
7.2 Typical NIDS/NIPS Functionality  258
7.3 Modes of Detection  261
7.4 Types of NIDS/NIPSs  262
7.5 NIDS/NIPS Evidence Acquisition  264
7.6 Comprehensive Packet Logging  267
7.7 Snort  268
7.8 Conclusion  275
7.9 Case Study: Inter0ptic Saves the Planet (Part 1 of 2)Â Â 276
Â
Part III: Network Devices and Servers          289
Chapter 8: Event Log Aggregation, Correlation, and Analysis  291
8.1 Sources of Logs  292
8.2 Network Log Architecture  306
8.3 Collecting and Analyzing Evidence  311
8.4 Conclusion  317
8.5 Case Study: L0ne Sh4rk’s Revenge  318
Â
Chapter 9: Switches, Routers, and Firewalls          335
9.1 Storage Media  336
9.2 Switches  336
9.3 Routers  340
9.4 Firewalls  344
9.5 Interfaces  348
9.6 Logging  352
9.7 Conclusion  355
9.8 Case Study: Ann’s Coffee Ring  356
Â
Chapter 10: Web Proxies        369
10.1 Why Investigate Web Proxies?  369
10.2 Web Proxy Functionality  371
10.3 Evidence  375
10.4 Squid  377
10.5 Web Proxy Analysis  381
10.6 Encrypted Web Traffic  392
10.7 Conclusion  401
10.8 Case Study: Inter0ptic Saves the Planet (Part 2 of 2)Â Â 402
Â
Part IV: Advanced Topics         421
Chapter 11: Network Tunneling         423
11.1 Tunneling for Functionality  423
11.2 Tunneling for Confidentiality  427
11.3 Covert Tunneling  430
11.4 Conclusion  439
11.5 Case Study: Ann Tunnels Underground  441
Â
Chapter 12: Malware Forensics        461
12.1 Trends in Malware Evolution  462
12.2 Network Behavior of Malware  484
12.3 The Future of Malware and Network Forensics  491
12.4 Case Study: Ann’s Aurora  492
Â
Afterword        519
Â
Index         521
Â