Digital Forensics and Incident Response by Johansen Gerard
Author:Johansen, Gerard [Johansen, Gerard]
Language: eng
Format: azw3
Tags: COM043050 - COMPUTERS / Security / Networking, COM053000 - COMPUTERS / Security / General, COM015000 - COMPUTERS / Security / Viruses and Malware
Publisher: Packt Publishing
Published: 2017-07-24T04:00:00+00:00
Command-line tools
There are several command-line tools that can be utilized during the analysis of network packet captures. During more in-depth or lengthy incident response engagements, analysts may gather several packet captures files. It may be beneficial to combine these multiple packet captures into one single file to make analysis easier. The application mergecap does just that by combining several packet capture files. Mergecap is made as part of the CAINE OS and can be executed utilizing the following command:
caine@caine:~$ mergecap -w mergedpacketcapture.pcap packetcapture1.pcap packetcapture2.pcap
Another command-line tool that is useful in analyzing packet captures is the tool editcap. Editcap allows analysts to manipulate the packet capture files into smaller segments for easier review. For example, an analyst may only want to look at captures that are broken up into 50,000 packet segments. This would be helpful if an analysts has a large packet capture and dividing makes searching easier. To do this, the analyst would type the following into the command line:
caine@caine:~$ editcap -F pcap -c evidence.pcap split.pcap
In the preceding command, editcap took the evidence file evidence.pcap and divided it out into 50,000 packet segments. Another technique that editcap can be leveraged for is to divide a larger packet capture into time segments. For example, if analysts want to divide a packet capture into 10-minute segments, they type in the following:
caine@caine:~$ editcap -F pcap-t+600 evidence.pcap split.pcap
Analysts may also find that, in some circumstances, they may want to isolate Domain Name Registration traffic. This is due in large to a variety of C2 traffic, data exfiltration, and the possible redirection to compromised websites, often leveraging vulnerabilities in the DNS system. The application DNS top parses packet capture files and ascertains the sources and count of DNS queries from internal hosts. For example, if an incident response analyst wants to determine whether any IP addresses were sending outbound DNS queries of the packet capture taken from http://www.malware-traffic-analysis.net/2017/02/21/index.html. The command entered would be:
forensics@ubuntu:~/Documents/Packet Captures$ dnstop -l 3 2017-02-21-Hancitor-malspam-traffic.pcap
The preceding command produces the following output:
Download
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.
Future Crimes by Marc Goodman(2997)
Mastering Python for Networking and Security by José Manuel Ortega(2937)
Blockchain Basics by Daniel Drescher(2884)
Mastering Bitcoin: Programming the Open Blockchain by Andreas M. Antonopoulos(2505)
From CIA to APT: An Introduction to Cyber Security by Edward G. Amoroso & Matthew E. Amoroso(2478)
The Art Of Deception by Kevin Mitnick(2294)
Practical Threat Detection Engineering by Megan Roddie & Jason Deyalsingh & Gary J. Katz(2274)
The Code Book by Simon Singh(2202)
Effective Threat Investigation for SOC Analysts by Yahia Mostafa;(2148)
DarkMarket by Misha Glenny(1844)
Wireless Hacking 101 by Karina Astudillo(1843)
Applied Network Security by Arthur Salmon & Michael McLafferty & Warun Levesque(1838)
Hands-On AWS Penetration Testing with Kali Linux by Benjamin Caudill & Karl Gilbert(1829)
Machine Learning Security Principles by John Paul Mueller(1828)
Practical Memory Forensics by Svetlana Ostrovskaya & Oleg Skulkin(1828)
Mobile Forensics Cookbook by Igor Mikhaylov(1811)
Serious Cryptography: A Practical Introduction to Modern Encryption by Aumasson Jean-Philippe(1802)
Solidity Programming Essentials by Ritesh Modi(1760)
Bulletproof Android: Practical Advice for Building Secure Apps (Developer's Library) by Godfrey Nolan(1667)