登录查看更多内容

How can you use network evidence to solve cyber crimes?

由人工智能和领英社区提供技术支持

Network evidence is any data that can be collected from a network or a device connected to a network, such as packets, logs, files, or metadata. Network evidence can help solve cyber crimes by providing clues about the source, nature, and impact of an attack, as well as the identity and motive of the attacker. However, network evidence can also be volatile, fragile, and complex, so it requires careful handling and analysis. In this article, you will learn how to use network evidence to solve cyber crimes, and what tools and techniques you can apply to collect, preserve, examine, and present network evidence.

此文章中的业界达人

由社区从 2 条内容中精选。了解更多

Katherine B

MSc in Cyber Security

1 Network Evidence Collection

The first step in using network evidence to solve cyber crimes is to collect it from the relevant sources. Depending on the type and scope of the attack, you may need to collect network evidence from different layers of the network stack, such as physical, data link, network, transport, or application layer. Additionally, evidence can be gathered from various devices, including routers, switches, firewalls, servers, or clients. Common types of network evidence include network packets which contain source and destination addresses, protocols, ports and payload. Wireshark, tcpdump or nmap are tools used to capture and analyze these packets. Network logs are records of events that occur on the network or devices with information such as date and time, source and destination, action and outcome, user and process. Syslog, Splunk or ELK are tools used to collect and analyze these logs. Network files are stored on the network or devices with content, name size type and hash. FTK Imager, EnCase or Autopsy are tools used to collect and analyze these files. Network metadata is data that describes characteristics or context of other data such as IP address MAC address DNS name or geolocation. Whois nslookup or traceroute are tools used to collect and analyze this type of evidence. Collecting this network evidence is essential for communicating the status findings and actions of the incident response team to relevant stakeholders.

添加您的观点

2 Network Evidence Preservation

The second step in using network evidence to solve cyber crimes is to preserve it from any alteration, damage, or loss. Network evidence can be easily modified, deleted, or corrupted, so it is essential to maintain its integrity and authenticity. To do this, you should isolate the network or device from any external influence, such as the internet or other devices. Additionally, creating a copy or an image of the network or device that contains network evidence can help you work on the copy instead of the original. Furthermore, verifying the identity and validity of the network or device that contains network evidence can involve checking labels and serial numbers. Lastly, documenting the process and details of the network evidence collection and preservation is important for recording information such as date, time, location, personnel, tools, and methods.

添加您的观点

Katherine B

MSc in Cyber Security
举报内容
An essential aspect of any data collection is to only work on the copy, never the original. This is to prevent the data' integrity from being called into question for any legal or official inquiry efforts. By preserving the source, you are ensuring that the work you do on they copy can be legitimized by any other efforts that you do to present the data as needed.

已翻译

赞

3 Network Evidence Examination

The third step in using network evidence to solve cyber crimes is to examine it for any relevant information, patterns, or anomalies. Network evidence can be analyzed through static analysis, which involves viewing the header, content, or metadata of a network packet, log, or file. Dynamic analysis is another method in which network evidence is examined by executing or altering it. Correlation analysis is the process of comparing or combining network evidence with other network evidence or external sources, such as cross-referencing a network packet, log, or file with a database, a timeline, or a map. All of these methods can help uncover valuable insights that can be used to solve cyber crimes.

添加您的观点

4 Network Evidence Presentation

The fourth step in using network evidence to solve cyber crimes is to present it to the relevant audience, such as the management, law enforcement, or the court. Network evidence can be presented in various formats, like reports that summarize the findings and conclusions of the examination and provide evidence and reasoning behind them. Reports can contain text, tables, charts, graphs, or diagrams to illustrate the network evidence. Visualizations are graphical representations that display relationships and trends of the network evidence and emphasize key points. Visualizations can include maps, timelines, networks, or dashboards. Testimonies are oral statements that explain and defend the network evidence examination and address any questions or challenges from the audience. Testimonies may involve verbal, non-verbal, or technical skills to communicate the network evidence.

添加您的观点

Katherine B

MSc in Cyber Security
举报内容
The presentation of findings is a significant milestone in an investigation. The information that is presented is central to any investigation and it is critical that it is presented factually, without personal bias or interpretation. The evidence should support itself with the help of previous documentation of process, effective references to standardized practices, and well-framed results. The format for presentation should follow a simple as-is approach, ensuring the ease of understanding for those who may not have professional experience in the field of computer forensics.

已翻译

赞

5 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

Network Security

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

How can you use network evidence to solve cyber crimes?

1

2

3

4

5

1 Network Evidence Collection

2 Network Evidence Preservation

3 Network Evidence Examination

4 Network Evidence Presentation

5 Here’s what else to consider

Network Security

给文章评分

感谢您的反馈

更多Network Security相关文章

更多相关阅读内容

How can you use network evidence to solve cyber crimes?

1

2

3

4

5

1 Network Evidence Collection

2 Network Evidence Preservation

3 Network Evidence Examination

4 Network Evidence Presentation

5 Here’s what else to consider

Network Security

给文章评分

感谢您的反馈

查看其他技能