Forensic and Investigative Accounting
Chapter 14
Internet Forensics Analysis: Profiling the Cybercriminal
Chapter 14 Forensic and Investigative Accounting 2
Protocols
Internet protocols are those rules allowing different operating systems and machines to communicate with one another over the Internet.
The Internet
Transmission Control Protocol (TCP) divides electronic messages into “packets” of information and then reassembles these packets at the end.
Internet Protocol (IP) assigns a unique address to each computer on the Internet.
Transmission Control Protocol (TCP) and Internet Protocol (IP)
TCP/IP protocols are the communication guidelines used and widely supported over the Internet.
Almost every packet of information sent over the Internet uses the datagrams contained within a TCP/IP envelope. The datagrams consist of layers of information needed to verify the packet and get the information from the sender’s to the receiver’s location following traffic control guidelines.
OSI Model

| Group | Data unit | Layer | Function |
|---|---|---|---|
| Host layers | Data | Application | Network process to application |
| Host layers | Data | Presentation | Data representation and encryption |
| Host layers | Data | Session | Interhost communication |
| Host layers | Segments | Transport | End-to-end connections and reliability (TCP) |
| Media layers | Packets | Network | Path determination and logical addressing (IP) |
| Media layers | Frames | Data link | Physical addressing (MAC & LLC) |
| Media layers | Bits | Physical | Media, signal and binary transmission |
IP Address Defined
An IP address is a 32-bit number (four bytes) that identifies the sending and receiving hosts of a packet of information on the Internet.
The 32-bit IP address is written in dotted decimal notation: four octets separated by periods. The minimum value for an octet is 0, and the maximum value for an octet is 255. The slide illustrates the basic format of an IP address.
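The slides describe the IP address as a 32-bit number written as four octets and the datagram as layers of information used to verify the packet. The following Python is an added example (not from the textbook or the slides) that builds a minimal IPv4 header, converts between dotted decimal and the 32-bit value with the 0..255 octet check, and verifies the RFC 791 header checksum so that a damaged or altered header can be spotted. The addresses are documentation-range values chosen for the example.

```python
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def dotted_to_u32(text: str) -> int:
    """Dotted-decimal string -> 32-bit integer; enforces four octets, each 0..255."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets, got {len(parts)}: {text!r}")
    value = 0
    for octet in parts:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"octet out of range 0..255: {octet!r}")
        value = (value << 8) | int(octet)
    return value


def u32_to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words.
    Computed over a header whose checksum field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64, proto: int = 6) -> bytes:
    """Constructed minimal 20-byte IPv4 header (no options) with a correct checksum."""
    ver_ihl = (4 << 4) | 5                  # version 4, IHL = 5 words = 20 bytes
    total_len = 20 + payload_len
    ident, flags_frag = 0x1234, 0           # arbitrary identification, no fragmentation
    fields = struct.pack("!BBHHHBBHII", ver_ihl, 0, total_len, ident, flags_frag,
                         ttl, proto, 0, dotted_to_u32(src), dotted_to_u32(dst))
    checksum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", checksum) + fields[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed part of an IPv4 header and verify its checksum."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     _checksum, src, dst) = struct.unpack("!BBHHHBBHII", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not an IPv4 header (version field = {version})")
    if ihl < 20 or ihl > len(packet):
        raise ValueError(f"bad header length {ihl}")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "src": u32_to_dotted(src),
        "dst": u32_to_dotted(dst),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


if __name__ == "__main__":
    header = build_ipv4_header("192.0.2.10", "198.51.100.7", payload_len=8, ttl=57)
    print(parse_ipv4_header(header + b"ABCDEFGH"))
    damaged = bytearray(header)
    damaged[12] ^= 0x01                     # flip one bit in the source address
    print("after tampering, checksum_ok =", parse_ipv4_header(bytes(damaged))["checksum_ok"])
```

The checksum only detects accidental corruption; it is not an integrity control, since anyone who rewrites a header can recompute it. For evidence purposes the value of a decoded header is the source and destination addresses, TTL and protocol, which is what a sniffer such as TCPDUMP prints.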
TCP/IP Connections
A three-way handshake synchronizes both ends of a connection by allowing both sides to agree upon initial sequence numbers. This mechanism also guarantees that both sides are ready to transmit data and know that the other side is ready to transmit as well.
Diagram: SYN, SYN/ACK, ACK (connection setup); FIN (connection teardown)
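As an added example (not from the textbook or the slides), the following Python replays a constructed list of packet records through a small state machine that applies the handshake rule from the slide: the SYN/ACK must acknowledge the client's initial sequence number plus one, and the final ACK must acknowledge the server's initial sequence number plus one. It also reports connections that never completed the third step, which is the kind of summary an investigator looks for when reviewing a capture. The packet tuples, the `SERVER` address and the flag strings are all constructed for the example.

```python
from collections import Counter

# Constructed packet records (not from the page): (time_s, src, sport, dst, dport, flags, seq, ack).
# Addresses are from the RFC 5737 documentation ranges.
SERVER = "198.51.100.7"
PACKETS = [
    (0.00, "192.0.2.10", 51000, SERVER, 443, "S", 1000, 0),      # client SYN, ISN 1000
    (0.01, SERVER, 443, "192.0.2.10", 51000, "SA", 5000, 1001),  # server SYN/ACK, ISN 5000
    (0.02, "192.0.2.10", 51000, SERVER, 443, "A", 1001, 5001),   # client ACK: handshake complete
    (1.00, "203.0.113.9", 40001, SERVER, 443, "S", 777, 0),      # SYN that is never completed ...
    (1.01, SERVER, 443, "203.0.113.9", 40001, "SA", 9000, 778),
    (1.50, "203.0.113.9", 40002, SERVER, 443, "S", 778, 0),      # ... and another from the same host
    (1.51, SERVER, 443, "203.0.113.9", 40002, "SA", 9100, 779),
    (2.00, "192.0.2.10", 51000, SERVER, 443, "FA", 1200, 5300),  # client begins to close
    (2.01, SERVER, 443, "192.0.2.10", 51000, "A", 5300, 1201),
    (3.00, "192.0.2.33", 52000, SERVER, 443, "S", 4242, 0),
    (3.01, SERVER, 443, "192.0.2.33", 52000, "SA", 100, 9999),   # SYN/ACK that does not acknowledge ISN + 1
]


def connection_key(src, sport, dst, dport):
    """Direction-independent identifier for a TCP connection (the two endpoints, sorted)."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def reconstruct(packets):
    """Replay packets in time order through a handshake state machine; returns state per connection."""
    conns = {}
    for _t, src, sport, dst, dport, flags, seq, ack in sorted(packets):
        key = connection_key(src, sport, dst, dport)
        c = conns.setdefault(key, {"state": "NEW", "client": None, "client_isn": None, "server_isn": None})
        if flags == "S" and c["state"] == "NEW":
            c.update(state="SYN_SENT", client=(src, sport), client_isn=seq)
        elif flags == "SA" and c["state"] == "SYN_SENT":
            # The server must acknowledge exactly client_isn + 1; anything else is not a valid reply.
            if ack != c["client_isn"] + 1:
                c["state"] = "BAD_SYNACK"
            else:
                c.update(state="SYN_RECEIVED", server_isn=seq)
        elif flags == "A" and c["state"] == "SYN_RECEIVED":
            # Only the original client, acknowledging server_isn + 1, completes the handshake.
            if (src, sport) == c["client"] and ack == c["server_isn"] + 1:
                c["state"] = "ESTABLISHED"
        elif "F" in flags and c["state"] == "ESTABLISHED":
            c["state"] = "CLOSING"
    return conns


def half_open_by_client(conns):
    """Count connections stuck before the third handshake packet, keyed by the initiating host."""
    counts = Counter()
    for c in conns.values():
        if c["state"] in ("SYN_SENT", "SYN_RECEIVED"):
            counts[c["client"][0]] += 1
    return dict(counts)


if __name__ == "__main__":
    states = reconstruct(PACKETS)
    for key, c in states.items():
        print(key, c["state"])
    print("half-open connections per client:", half_open_by_client(states))
```

A real capture carries retransmissions, resets and reused ports, so a production tool keeps timers and handles RST; the point here is that sequence-number agreement is what distinguishes a genuine connection from stray or spoofed packets in a log.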
Popular Protocols
• DNS: The Domain Name System
• Finger: Used to determine the status of other hosts and/or users
• FTP: The File Transfer Protocol allows a user to transfer files between local and remote host computers
• HTTP: The Hypertext Transfer Protocol is the basis for exchange of information over the World Wide Web
Popular Protocols
• IMAP: The Internet Mail Access Protocol defines an alternative to POP as the interface between a user's mail client software and an e-mail server, used to download mail from the server to the client
• Ping: A utility that allows a user at one system to determine the status of other hosts and the latency in getting a message
• POP: The Post Office Protocol defines a simple interface between a user's mail client software and an e-mail server
Popular Protocols
• SSH: The Secure Shell is a protocol that allows remote logon to a host across the Internet
• SMTP: The Simple Mail Transfer Protocol is the standard protocol for the exchange of electronic mail over the Internet
• SNMP: The Simple Network Management Protocol defines procedures and management information databases for managing TCP/IP-based network devices
• Telnet: Short for Telecommunication Network, a virtual terminal protocol allowing a user logged on to one TCP/IP host to access other hosts
Web Log Entries
One important method for finding the web trail of an attacker is in examining web logs.
Recorded network logs provide information needed to trace all website usage.
Web Log = Blog. Also check transaction logs and server logs.
Web Log Entries
Information provided in a log includes the visitor’s IP address, geographical location, the actions the visitor performs on the site, browser type, time on page, and the site the visitor used before arriving.
Logs should be stored on a separate computer from the web server hosting the site so they cannot be easily altered.
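The two slides above list what a web log records about a visitor and say that logs belong on a machine other than the web server. As an added example (not from the textbook or the slides), the following Python parses entries in the Apache/NGINX "combined" log format, groups them into a per-visitor trail (IP address, ordered actions, browser type, the referring site and time on the site), counts denied requests, and computes a SHA-256 digest of the log as collected so that a copy taken off the web server can later be shown to be unaltered. The log lines, the `site_host` value and the field names are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed entries in Apache/NGINX "combined" log format (not from the page).
# Client addresses come from the RFC 5737 documentation ranges; the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:14:02:11 +0000] "GET /login HTTP/1.1" 200 1043 "https://search.example/?q=acme+portal" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/98.0"
203.0.113.5 - - [10/Mar/2022:14:02:19 +0000] "POST /login HTTP/1.1" 302 0 "https://portal.example/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/98.0"
198.51.100.23 - - [10/Mar/2022:14:03:02 +0000] "GET /reports/q4.xlsx HTTP/1.1" 200 58211 "-" "curl/7.81.0"
203.0.113.5 - - [10/Mar/2022:14:05:44 +0000] "GET /accounts/export?all=1 HTTP/1.1" 403 0 "https://portal.example/accounts" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/98.0"
this line is not a valid log entry
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """One combined-format line -> dict, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def visitor_trails(log_text, site_host):
    """Group entries per client IP: ordered actions, browsers seen, external referrers, denied requests."""
    trails = defaultdict(lambda: {"actions": [], "agents": set(), "referrers": set(), "denied": 0})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue                      # skip lines that are not log entries
        t = trails[e["ip"]]
        t["actions"].append((e["time"], e["method"], e["path"], e["status"]))
        t["agents"].add(e["agent"])
        ref = e["referrer"]
        # A referrer on another host is "the site the visitor used before arriving".
        if ref != "-" and not ref.startswith(("https://" + site_host + "/", "http://" + site_host + "/")):
            t["referrers"].add(ref)
        if e["status"] in (401, 403):
            t["denied"] += 1
    return dict(trails)


def seconds_on_site(trail):
    """Time between a visitor's first and last logged request."""
    times = [action[0] for action in trail["actions"]]
    return int((max(times) - min(times)).total_seconds())


def log_digest(log_text):
    """SHA-256 of the log text as collected; record it when copying logs off the web server."""
    return hashlib.sha256(log_text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("digest:", log_digest(SAMPLE_LOG))
    for ip, trail in visitor_trails(SAMPLE_LOG, site_host="portal.example").items():
        print(ip, "requests:", len(trail["actions"]), "denied:", trail["denied"],
              "seconds on site:", seconds_on_site(trail), "came from:", sorted(trail["referrers"]))
```

The digest is only meaningful if it is recorded at collection time and kept apart from the log itself, which is the practical form of the slide's advice to store logs away from the web server. Note that the client IP, referrer and browser string are all supplied by the client and can be falsified; they narrow a search rather than prove identity.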
TCPDUMP
TCPDUMP is a form of network sniffer that can disclose most of the information contained in a TCP/IP packet.
Windows uses WinDUMP.
A sniffer is a program used to secretly capture datagrams moving across a network and disclose the information contained in the datagram’s network protocols.
Decoding Simple Mail Transfer Protocol (SMTP)
SMTP is the protocol used to send e-mail over the Internet.
SMTP server logs can be used to check the path of the e-mail from the sending host to the receiving host.
Decoding Simple Mail Transfer Protocol (SMTP)
Most of the important information about the origin of an e-mail message is in the long form of the header. The most important data for tracing purposes are the IP addresses and the message ID.
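The slides say that the IP addresses and message ID in the full header trace an e-mail from sending host to receiving host. As an added example (not from the textbook or the slides), the following Python parses a constructed message with the standard library, walks the `Received:` chain from the bottom (the hop nearest the sender) to the top (the final recipient's server), pulls out each relay's IP address, and checks that the relay timestamps run forward. The message, its hosts, addresses and IDs are all constructed for the example.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed message (not from the page). Hosts are example names and addresses are from the
# RFC 5737 documentation ranges. Relays append their Received: header at the top, so the
# bottom-most header is the first hop.
RAW_MESSAGE = """\
Received: from mx.example.com (mx.example.com [198.51.100.2])
    by inbox.example.org with ESMTPS id X123;
    Thu, 10 Mar 2022 14:07:03 +0000
Received: from relay.isp.example (relay.isp.example [203.0.113.8])
    by mx.example.com with ESMTP id Y456;
    Thu, 10 Mar 2022 14:07:01 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.isp.example with ESMTPA id Z789;
    Thu, 10 Mar 2022 14:06:58 +0000
Message-ID: <20220310140658.1a2b3c@relay.isp.example>
From: "Accounts Payable" <ap@vendor.example>
To: cfo@example.org
Subject: Invoice 4471
Date: Thu, 10 Mar 2022 14:06:55 +0000

Please find invoice 4471 attached.
"""

# "from <host> ... [<ip>] ... by <host>"; re.S lets the match span folded header lines.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)", re.S)


def trace_received(raw):
    """Walk the Received: chain from origin (bottom header) to final recipient (top header)."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_RE.search(hdr)
        if m is None:
            continue                                    # hop in an unexpected format: skip it
        stamp = hdr.rsplit(";", 1)[1].strip() if ";" in hdr else None
        hops.append({"from": m["from"], "ip": m["ip"], "by": m["by"],
                     "time": parsedate_to_datetime(stamp) if stamp else None})
    times = [h["time"] for h in hops if h["time"] is not None]
    return {
        "message_id": msg["Message-ID"],
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        # Each relay should stamp a time no earlier than the previous hop; a reversal suggests
        # a header that was written by the sender rather than by a relay.
        "timestamps_consistent": all(a <= b for a, b in zip(times, times[1:])),
    }


if __name__ == "__main__":
    result = trace_received(RAW_MESSAGE)
    print("Message-ID:", result["message_id"])
    for n, hop in enumerate(result["hops"], start=1):
        print(f"hop {n}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    print("origin IP:", result["origin_ip"], "| timestamps consistent:", result["timestamps_consistent"])
```

The only headers that can be relied on are the ones added by servers under the investigator's control or by relays whose logs can be obtained; anything below those in the chain was supplied by the sender and may be fabricated, which is why the slide pairs the header with the SMTP server logs of each hop.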
Tracing and Decoding IP Addresses
• Traceroute
• Whois
• Ping
• Finger searches
URL Directory of Tools
• Tracks Eraser Pro http://www.acesoft.net/
• IP Lookup http://cqcounter.com/whois/
• IP Lookup http://ip-lookup.net/
• IP Visual Trace http://visualiptrace.visualware.com/
• Best Software Downloads http://www.bestsoftware4download.com/
• Melissa Data Lookups http://www.melissadata.com/lookups/
ipconfig /all
Narrowing the Search
• Preliminary Incident Response Form
• John Doe subpoena
Informational Searches
• Internet databases
• General searches
• Name, telephone number, and e-mail address search engines
• Internet relay chat (IRC), FTP, and Listserv searches
• Usenet postings search
• Legal records
• Instant messaging (IM)
• Web page searches
• Government data searches
• Miscellaneous searches
End Crumbley Ch. 14