Network Forensics: Tracking Hackers through Cyberspace

“This is a must-have work for anybody in information security, digital forensics, or involved with incident handling. As we move away from traditional disk-based analysis into the interconnectivity of the cloud, Sherri and Jonathan have created a framework and roadmap that will act as a seminal work in this developing field.”

– Dr. Craig S. Wright (GSE), Asia Pacific Director at Global Institute for Cyber Security + Research.

“It’s like a symphony meeting an encyclopedia meeting a spy novel.”

–Michael Ford, Corero Network Security

On the Internet, every action leaves a mark–in routers, firewalls, web proxies, and within network traffic itself. When a hacker breaks into a bank, or an insider smuggles secrets to a competitor, evidence of the crime is always left behind.

Learn to recognize hackers’ tracks and uncover network-based evidence in Network Forensics: Tracking Hackers through Cyberspace. Carve suspicious email attachments from packet captures. Use flow records to track an intruder as he pivots through the network. Analyze a real-world wireless encryption-cracking attack (and then crack the key yourself). Reconstruct a suspect’s web surfing history–and cached web pages, too–from a web proxy. Uncover DNS-tunneled traffic. Dissect the Operation Aurora exploit, caught on the wire.

Throughout the text, step-by-step case studies guide you through the analysis of network-based evidence. You can download the evidence files from the authors’ web site (lmgsecurity.com), and follow along to gain hands-on experience.

Hackers leave footprints all across the Internet. Can you find their tracks and solve the case? Pick up Network Forensics and find out.

User Comments:

  • Ok, this is a great scholarly text. If you’ve never used Wireshark or an Ethernet tap then you will be in for a treat and a lot of tools you haven’t ever used before. Otherwise, this work is like most college texts, where the first few chapters are a “history of” and then it sort of goes to an explanation of the tools you need. I found several things I didn’t know, and a few tips on actually hiding your traffic and obfuscating your internet mixed in the text. It’s not Harry Potter, and sadly it didn’t make me a wizard, but it’s a great book for anyone interested in network forensics. For those who are hacker minded, this is basically a book of “this is how you can / will be caught” so, read it, know it, reverse it… and then see how much you can derive from your own traffic. The exercises seem to be aimed at a school / network which isn’t really in existence, aka most of the “tests” are more… ok, look at the traffic patterns in the book, and figure out what you are looking for, instead of go to your computers and run this simulation. Overall, I’d give this book a 4 out of 5 stars, because they teach you how to watch the traffic and dissect it, yet give very little information on how to obfuscate your tracks. Then again, if they taught you how to do that, they’d be out of a job. 😀
  • This book is a survey of the basics. An introduction would not be fair because no topic is covered in depth.
    What I was expecting to be the core of the book, Packet Analysis and Statistical Flow Analysis, were very fundamental concepts and had little technical depth.
    The techniques in Packet Analysis had little insight, only a description of a series of non-integrated tools to describe a broken process. A single tshark command could have summarized much of the discussed content in this chapter.
    Statistical Flow Analysis was similar in technical merit. The chapter covered a series of tools and had little value. The concept of flow, triggered flow or the trade secrets for flow analysis were not even discussed.
    The most disappointing chapter was the Wireless, Chapter 6. If you have ever looked at the 802.11 protocol, this chapter is pointless. There are no new ideas or techniques described. Further, fundamental information about the specifics within the protocol is missing.
    However, there were some redeeming chapters. The legal section covered at the beginning was very well done. Further, Chapter 7, IDS, was not horrible. However, if this was your first exposure to IDS, you will just be confused and find nothing useful. Chapter 12 was good.
    If more of the book covered topics discussed in Chapter 12, it would have better met my expectations. This book is not for someone that understands network security, but instead for those with little understanding of Network Security/Forensics that wish to get a list of topics for independent research.
  • With a title like Network Forensics: Tracking Hackers through Cyberspace, the book at first sounds like a cheesy novel. But by page 25, you will quickly see this is the real thing. By the time you hit the last page, you will have read the collective wisdom of two of the smartest minds in the space.
    Authors Jonathan Ham and Sherri Davidoff are both SANS Institute instructors, and bring significant real-world experience to every chapter. Martin McKeay has an interview (albeit dated) with the authors on his web site here about their SANS course on network forensics.
    In 12 densely written chapters at just over 500 pages, the book covers nearly every aspect within network and digital forensics.
    While the book Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet provides a comprehensive overview of the topic, Network Forensics: Tracking Hackers through Cyberspace focuses at the packet level.
    Part 2, which is about a third of the book, is spent on traffic analysis, with all-embracing coverage of concepts and topics such as statistical flow analysis, wireless traffic capture and analysis, NIDS detection and analysis, packet logging and more.
    Readers should be very comfortable with Wireshark packet capture output, which the book extensively references. Those not quite comfortable with packet capture analysis will likely find this book way over their head.
    Part 3 focuses on network devices and logging for all types of network devices. Detailed logging aspects for switches, routers and firewalls are dealt with.
    The last 2 chapters deal with advanced topics such as network tunneling and malware forensics.
    The book also includes 9 case studies which go into extreme detail on the topic covered. While the notion of a case study in many books is a 2-3 page overview, these case studies are 10-20 pages in length and provide an across-the-board analysis of the topic. Evidence files for each case study are available at the authors’ web site here.
    Network Forensics: Tracking Hackers through Cyberspace is an extremely detailed and comprehensive guide on the topic. It is made for the advanced user who is comfortable with forensic tools such as NetworkMiner and Snort.
    For those that are up to the task, Network Forensics: Tracking Hackers through Cyberspace is an invaluable reference that will make the reader a master of the topic.
