NETS1032

Analyzing Captured Data from a network

Introduction

This module provides some conceptual and practical information on processes, tools, and considerations for analyzing captures of network traffic.

For your lab work, ensure you have access to both a Linux desktop environment with root, and a Windows desktop with Administrator. You will be showing your work to the professor throughout the semester, so you will need to be able to share your lab system screen, and the lab system you use will need to be clearly identified as your own (you should use your own name for the login, or at least something unique to you). No marks will be given for showing work on a lab system which is not your own.

Learning Objectives

At the end of this module, students will:

• Become familiar with specific tools for viewing and extracting information from network traffic capture files
• Demonstrate using network traffic capture analysis tools to identify and extract specific network transactions and protocols
• Demonstrate using captured network traffic to find credentials and other user-level information in a network capture file

These objectives are in support of all Learning Outcomes in the Course Outline.

To do List

• Read through the presentation
• Watch the recorded video of the presentation found in the general chat of the Microsoft Team for this course if you did not attend the class when it was presented
• Review the lesson materials linked below
• Perform the learning activities as described below
• Do the quiz found under Tests on Blackboard for this topic

Lesson Material

• Network Capture Analysis Presentation
• See Blackboard for any available prerecorded video of this presentation under Weekly Learning
• Links from the presentation
  • Network Forensics using Kali Linux andor SANS Sift Josh Brunty video from Hack3rcon 2016
  • Network Forensics and Network Security Monitoring

Learning Activity

Watch the videos from the presentation, as well as the videos listed under additional resources. Briefly review the materials available at the other websites listed under Additional Resources. Do the Network Capture Analysis Project - this is your semester project.

Additional Resources

Videos

• Introduction to Network Analysis from DFIR.Science showing how to use GUI tools to work with low-volume traffic
• Complete wireshark course starting from scratch, watching the entire series and reading the information with links in the video descriptions is strongly recommended Intro to Wireshark Tutorial // Lesson 1 // Wireshark Setup Free Tutorial
• Wireshark Tcpdump Remote Capturing video on youtube
• Efficiently Summarizing Web Browsing Activity - SANS DFIR Summit 2018
• Advanced Network Forensics video from 2014, but still 100% applicable

Software Tools for live forensic analysis

• wireshark
• ngrep
• splitcap
• tcpstat
• Network Miner

General resources

• ngrep examples
• Using tcpstat and ipstat

Graded Activity

The lab instructions tell you what parts of the lab activity are graded, and when you need to be capturing screenshots during the lab.

Quiz

The quiz is found on Blackboard under Assignments and Tests.

Test

There is no separate test for this topic. The quiz will count for your testing mark in this topic.

Summary

In this module, we worked with capturted network data to identify and extract artifacts of interest to a forensic investigation. You should have:

• Become familiar with specific tools for viewing and extracting information from network traffic capture files
• Demonstrated using network traffic capture analysis tools to identify and extract specific network transactions and protocols
• Demonstrated using captured network traffic to find credentials and other user-level information in a network capture file
• Completed your semester project

Completing the quiz will provide you with a measure of your knowledge in these areas. For the next class you should have your computing environment available with access to both Linux and Windows.