1 / 9

Wireshark is divine!

www.tinyurl.com/kwvs4n. Wireshark is divine!. Network Forensics: Wireshark as Evidence Collector Laura Chappell Founder, Wireshark University http://www.wiresharktraining.com | laura@wiresharktraining.com Presenter, Wireshark Jumpstart Series

bethany
Télécharger la présentation

Wireshark is divine!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. www.tinyurl.com/kwvs4n Wireshark is divine! Network Forensics: Wireshark as Evidence Collector Laura Chappell Founder, Wireshark University http://www.wiresharktraining.com | laura@wiresharktraining.com Presenter, Wireshark Jumpstart Series http://www.chappellseminars.com | laura@chappellseminars.com SHARKFEST'09 Stanford University June 15th, 2009 10:45-12:15

  2. The OHHDL Case Planting the Seed of Social Malware

  3. Another Case of Interest Here’s your sense of false security… Enjoy your stay. Thank goodness they have WEP on this WLAN!

  4. In this Session • Network Forensics 101 • Evidence of Reconnaissance • Evidence of Breaches • LIVE ANALYSIS

  5. Evidence of Reconnaissance TCP scans (excessive RSTs) • UDP scans (excessive ICMP Type 3/Code 3) • IP scans (excessive ICMP Type 3/Code 2) OS fingerprinting (ICMP type 13, 15 and 17) Address scans (‘dark IP’ or ‘dark MAC’ hits) • Application scans (unusual responses)

  6. Evidence of Breaches Unusual communication pairs Unusual protocols and ports Excessive failed connections Unusual inbound connections Check out… Statistics > Protocol Hierarchies Statistics > Conversations Filter on DNS Filter on ICMP Unusual outbound connections Peer-to-peer traffic paths

  7. Now… Enough of this slide stuff…

  8. Links High Technology Crime Investigation Association http://www.htcia.org Snooping Dragon Report http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf Hacked Hosts: Network Forensics http://www.chappellseminars.com/s-hackedhosts.html Yes – I tweet – “laurachappell” Yes – I blog - feeds2.feedburner.com/InsideLaurasLab Yes – I Facebook – “laurachappell”

  9. Thank You! Check out Laura’s live seminars at chappellseminars.com. Help us spread the word! Thanks!

More Related