CVF 2203 - Network Forensics, Analysis and Incident Handling Credits: 3 Hours/Week: Lecture 2 Lab 2 Course Description: Network forensics involves the identification, preservation, and analysis of evidence of attacks in order to identify the attackers and document their activity with sufficient reliability to justify appropriate technological, business, and legal responses. This course focuses on the technological components of the topic with emphasis on the network traffic analysis aspect. The technical aspect addresses analysis of intruder types and the intrusion process, review of network traffic logs and profiles and their types, identification of attack signatures and fingerprints, application of data mining techniques, study of various traceback methods, and the extraction of information acquired through the use of network analysis tools and techniques. MnTC Goals None
Prerequisite(s): CVF 1085 with a grade of C or higher OR instructor consent. Corequisite(s): None Recommendation: None
Major Content 1 . Part I. Foundation a. Practical Investigative Strategies
1.1 Real-World Cases
1.2 Footprints
1.3 Concepts in Digital Evidence
1.4 Challenges Relating to Network Evidence
1.5 Network Forensics Investigative Methodology (OSCAR)
1.6 Conclusion
2. Statistical Flow Analsis
5.1 Process Overview
5.2 Sensors
5.3 Flow Record Export Protocols
5.4 Collection and Aggregation
5.5 Analysis
5.6 Conclusion
5.7 Case Study: The Curious Mr. X
3. Wireless: Network Forensics Unplugged
6.1 The IEEE Layer 2 Protocol Series
6.2 Wireless Access Points (WAPs)
6.3 Wireless Traffic Capture and Analysis
6.4 Common Attacks
6.5 Locating Wireless Devices
6.6 Conclusion
6.7 Case Study: HackMe, Inc.
4. Network Intrusion Detection and Analysis
7.1 Why Investigate NIDS/NIPS?
7.2 Typical NIDS/NIPS Functionality
7.3 Modes of Detection
7.4 Types of NIDS/NIPSs
7.5 NIDS/NIPS Evidence Acquisition
7.6 Comprehensive Packet Logging
7.7 Snort
7.8 Conclusion
7.9 Case Study: Inter0ptic Saves the Planet (Part 1 of 2)
5. Network Devices and Servers
8. Event Log Aggregation, Correlation, and Analysis
8.1 Sources of Logs
8.2 Network Log Architecture
8.3 Collecting and Analyzing Evidence
8.4 Conclusion
8.5 Case Study: L0ne Sh4rk’s Revenge
6. Switches, Routers, and Firewalls
9.1 Storage Media
9.2 Switches
9.3 Routers
9.4 Firewalls
9.5 Interfaces
9.6 Logging
9.7 Conclusion
9.8 Case Study: Ann’s Coffee Ring
7. Web Proxies
10.1 Why Investigate Web Proxies?
10.2 Web Proxy Functionality
10.3 Evidence
10.4 Squid
10.5 Web Proxy Analysis
10.6 Encrypted Web Traffic
10.7 Conclusion
10.8 Case Study: Inter0ptic Saves the Planet (Part 2 of 2)
8. Network Tunneling
11.1 Tunneling for Functionality
11.2 Tunneling for Confidentiality 1
1.3 Covert Tunneling
11.4 Conclusion
11.5 Case Study: Ann Tunnels Underground
9. Malware Forensics
12.1 Trends in Malware Evolution
12.2 Network Behavior of Malware
12.3 The Future of Malware and Network Forensics
12.4 Case Study: Ann’s Aurora
10. Technical Fundamentals
2.1 Sources of Network-Based Evidence
2.2 Principles of Internetworking
2.3 Internet Protocol Suite
2.4 Conclusion
11. Evidence Acquisition
3.1 Physical Interception
3.2 Traffic Acquisition Software
3.3 Active Acquisition
3.4 Conclusion
12. Traffic Analysis
4.1 Protocol Analysis
4.2 Packet Analysis
4.3 Flow Analysis
4.4 Higher-Layer Traffic Analysis
4.5 Conclusion
4.6 Case Study: Ann’s Rendezvous Learning Outcomes At the end of this course students will be able to:
1 . deploy a structured lifecycle approach to data analytics problems.
2 . distinguish between PCAP and NetFlow data.
3 . explain the basics of packet capture and traffic analysis.
4 . demonstrate at least two ways to visualize network data.
5 . explain at least one approach to network data anonymization.
6 . explain coarse vs. fine data representation.
7 . explain what a traffic matrix is.
8 . demonstrate how to extract some embedded as well as some hidden network data.
9 . distinguish between at least two types of malicious traffic from network data and categorize them.
10. configure a connection between host-based events and network-based events.
11. apply appropriate analytic techniques and tools to analyze big data.
12. use open source tools such as R, Hadoop, and Postgres. Competency 1 (1-6) None Competency 2 (7-10) None Courses and Registration
Add to Portfolio (opens a new window)
|