It is small for portability, but large enough that only an insane person would begin digging through it starting at frame 1. The PCAP provided for this analysis is from the ‘edge sensor’ located on the victim network. These small slices of PCAP typically do not tell the complete story. For example, if the system suspects a particular exchange of packets is malicious shell code it will flag the event and save that exchange of packets ( example investigation).
Many Intrusion Detection Systems and Firewalls offer the ability to download the PCAP of a falgged event. An enterprise grade installation is the same general idea but a very different discussion beyond the scope of this post. For an idea of how sensors are placed to gather network traffic check out my article, “Building a SIEM at Home”. Packet Capture (PCAP) files are tremendous resources for investigations when they are available.
To Memory Analysis: Malicious IP Addresses, Malicious Filenames.From Memory Analysis: Malicious IP Addresses, Malicious Filenames.To Disk Analysis: Malicious IP Addresses, Malicious Filenames.From Disk Analysis: Malicious IP Addresses, Malicious Filenames.A great piece of software to take Screen Shots is Greenshot.A great note keeping App that teams can use to coordinate is OneNote.The reader should quickly understand what they’re looking at Examples: Highlights, Boxes, Arrows Text.Notes should be accompanied by screenshots that tell a story.Understand your own thinking later… or after sleep.This is for team mates to understand your thinking.Keep solid notes on your thinking around evidence and data that you find.SANS Course: “ FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response“.SANS Course: “ SEC503: Intrusion Detection In-Depth“.Book: “ The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference“.Book: “ Practical Packet Analysis, 3E: Using Wireshark to Solve Real-World Network Problems“.Book: “ Mastering TShark Network Forensics: Moving From Zero to Hero“.Basic Wireshark Skills ( Brad’s MTA Wireshark Tutorials).How data reduction aids in investigations.How to pivot into and away from PCAP Analysis (how to use findings for quicker analysis).Understand the advantages and goals of PCAP Analysis.This post assumes you have a DFIR Analyst Station ready to analyze the PCAPs from The Case of the Stolen Szechuan Sauce. Make sure you understand the basic rundown of forensic artifacts. Have you built your DFIR Fort Kickass, yet? How to build a DFIR Analyst Workstation found here. Reading Time: 28 minutes Case 001 PCAP Analysis
0 kommentar(er)
