<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CISSP Fix &#187; forensic</title>
	<atom:link href="http://cisspfix.com/tag/forensic/feed" rel="self" type="application/rss+xml" />
	<link>http://cisspfix.com</link>
	<description>Here you can find every bit of information in an interactive way. Enjoy while learning, this will bring best out of you.</description>
	<lastBuildDate>Sat, 10 Dec 2011 05:07:12 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Wireshark&#8211;come shallow</title>
		<link>http://cisspfix.com/wireshark-come-shallow.html</link>
		<comments>http://cisspfix.com/wireshark-come-shallow.html#comments</comments>
		<pubDate>Thu, 12 Nov 2009 04:23:05 +0000</pubDate>
		<dc:creator>cisspfix</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[forensic]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[packet analyzer]]></category>

		<guid isPermaLink="false">http://cisspfix.com/?p=89</guid>
		<description><![CDATA[Wireshark is an open source protocol analyzer that can capture traffic in real time. Wireshark is a free packet sniffer computer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar &#8230; <a href="http://cisspfix.com/wireshark-come-shallow.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>Wireshark is a free, open source protocol analyzer that captures traffic in real time. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but it has a graphical front-end and many more options for sorting and filtering the decoded information. It puts the network interface into promiscuous mode so that the user can see every frame that reaches that interface (usually on an Ethernet network, but support for other link types is being added). Note that on a switched network promiscuous mode alone only shows the traffic addressed to your own port plus broadcasts; to see other hosts' traffic you need a SPAN/mirror port, a network tap, or to capture on the host in question.</p>
<p>Wireshark uses pcap (libpcap on Unix-like systems, WinPcap on Windows) to capture packets, so it can only capture on the network types that pcap supports. It has the following features:</p>
<ul>
<li>Data can be captured &#8220;from the wire&#8221; from a live network connection or read from a file that records the already-captured packets. </li>
<li>Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback. </li>
<li>Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark. </li>
<li>Captured files can be programmatically edited or converted via command-line switches to the &#8220;editcap&#8221; program. </li>
<li>Data display can be refined using a display filter. </li>
<li>Plugins can be created for dissecting new protocols.</li>
</ul>]]></content:encoded>
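<![CDATA[
<p>The following is an added example, not code from the original post or from the Wireshark project: a minimal reader for the libpcap file format that Wireshark and tshark consume, followed by a tiny subset of Wireshark's display filter syntax ("field == value") applied to the dissected Ethernet/IPv4/TCP/UDP fields. The capture itself is constructed in memory (three frames with RFC 5737 documentation addresses, zero checksums), so it runs offline; the field names mirror Wireshark's (ip.src, tcp.port, udp.port) but the filter grammar here is deliberately reduced to equality tests.</p>

```python
"""Added example (not from the original post): a minimal reader for the libpcap
file format that Wireshark/tshark use, plus a tiny subset of Wireshark's display
filter syntax. The capture is constructed in memory, so it runs offline."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def ipv4_frame(src, dst, proto, payload):
    """Constructed Ethernet+IPv4 frame (checksums left zero: this is test data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload

def tcp_segment(sport, dport, data):
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window 8192, checksum/urg 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data

def udp_datagram(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    """Wrap raw frames in a little-endian pcap global header and per-record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_257_999_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def read_pcap(blob):
    """Yield records; the byte order is taken from the magic number, as Wireshark does."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", blob, 0)
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(blob):
            raise ValueError("corrupt or truncated record at offset %d" % (off - 16))
        yield {"ts": ts_sec + ts_usec / 1e6, "orig_len": orig_len,
               "linktype": linktype, "frame": blob[off:off + incl_len]}
        off += incl_len

def dissect(rec):
    """Ethernet -> IPv4 -> TCP/UDP; returns a dict of Wireshark-style field names."""
    f, fields = rec["frame"], {}
    if rec["linktype"] != LINKTYPE_ETHERNET or len(f) < 14:
        return fields
    fields["eth.type"] = struct.unpack_from("!H", f, 12)[0]
    if fields["eth.type"] != 0x0800:
        return fields
    ihl = (f[14] & 0x0F) * 4
    if len(f) < 14 + ihl:
        return fields
    fields["ip.src"] = ".".join(map(str, f[26:30]))
    fields["ip.dst"] = ".".join(map(str, f[30:34]))
    fields["ip.proto"] = proto = f[23]
    l4 = 14 + ihl
    if proto == 6 and len(f) >= l4 + 20:
        sport, dport = struct.unpack_from("!HH", f, l4)
        doff = (f[l4 + 12] >> 4) * 4
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport,
                       "tcp.port": {sport, dport}, "tcp.payload": f[l4 + doff:]})
    elif proto == 17 and len(f) >= l4 + 8:
        sport, dport = struct.unpack_from("!HH", f, l4)
        fields.update({"udp.srcport": sport, "udp.dstport": dport,
                       "udp.port": {sport, dport}, "udp.payload": f[l4 + 8:]})
    return fields

def apply_filter(records, expr):
    """Reduced display filter: '<field> == <value>'; set-valued fields match either side."""
    field, value = [p.strip() for p in expr.split("==")]
    value = int(value) if value.isdigit() else value
    for rec in records:
        fields = dissect(rec)
        if field not in fields:
            continue
        have = fields[field]
        if (value in have) if isinstance(have, set) else (have == value):
            yield rec, fields

SAMPLE_PCAP = build_pcap([   # constructed traffic: an HTTP request, a DNS query, an SSH banner
    ipv4_frame("192.0.2.10", "198.51.100.7", 6,
               tcp_segment(40000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    ipv4_frame("192.0.2.10", "192.0.2.1", 17,
               udp_datagram(50000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")),
    ipv4_frame("192.0.2.10", "192.0.2.9", 6, tcp_segment(40001, 22, b"SSH-2.0-OpenSSH_5.3\r\n")),
])

def matching_payloads(expr, blob=SAMPLE_PCAP):
    """Transport payloads of the records that match a display filter."""
    return [f.get("tcp.payload", f.get("udp.payload"))
            for _, f in apply_filter(read_pcap(blob), expr)]

if __name__ == "__main__":
    for rec, f in apply_filter(read_pcap(SAMPLE_PCAP), "ip.src == 192.0.2.10"):
        print("%.6f %s -> %s proto=%d" % (rec["ts"], f["ip.src"], f["ip.dst"], f["ip.proto"]))
```

<p>The corrupt-record check matters in practice: a capture whose record length exceeds the snaplen or the remaining file is either truncated (the capturing process died) or tampered with, and a reader that silently skips it hides exactly the evidence an investigator wants to notice.</p>
]]>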
			<wfw:commentRss>http://cisspfix.com/wireshark-come-shallow.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Computer Investigation Process&#8230;</title>
		<link>http://cisspfix.com/computer-investigation-process.html</link>
		<comments>http://cisspfix.com/computer-investigation-process.html#comments</comments>
		<pubDate>Fri, 18 Sep 2009 04:34:04 +0000</pubDate>
		<dc:creator>cisspfix</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[computer]]></category>
		<category><![CDATA[forensic]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[investigation]]></category>

		<guid isPermaLink="false">http://cisspfix.com/?p=50</guid>
		<description><![CDATA[&#8220;Necessity is the Mother of all Inventions&#8221;, sophistication of digital environment lead to the discovery of Computer Forensics. Computer Forensics is an investigative process of collecting and examining of electronic evidence to form a structured report which can be produced &#8230; <a href="http://cisspfix.com/computer-investigation-process.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>&#8220;Necessity is the mother of all inventions&#8221;: the growing sophistication of digital environments led to the development of computer forensics. Computer forensics is the investigative process of collecting and examining electronic evidence to form a structured report that can be produced in court as evidence. It is called for when a crime is committed using a computer, against a computer, or against a network itself, and it also deals with matters such as privacy, copyright infringement, and software ownership. Electronic evidence must be collected by following pre-established procedures and steps, which preserve the integrity of the evidence and document its chain of custody so that it remains admissible. Following such a methodology lets a computer crime investigation be done effectively and efficiently.</p>
<p><strong>Investigating Computer Crimes</strong></p>
<p>If a forensic investigation involves a computer in one way or another, it is termed a computer forensic investigation. Technology has developed so rapidly over the last two decades that it has become much easier for criminals to hide information about their crimes. One advantage enjoyed by investigators is that almost any type of computer crime leaves some kind of clue or evidence stored on a computer. Cyber crimes that commonly require a computer forensic investigation include:</p>
<ul>
<li>Unauthorized access</li>
<li>Property Theft (misuse of information) </li>
<li>Forgery</li>
<li>Privacy breach </li>
<li>Computer fraud.</li>
<li>Child pornography</li>
</ul>
<p><strong>Methodology of Forensic Investigation </strong><br />
The first step of the investigation process is a complaint. An investigation never begins if the crime goes unnoticed: unless the appropriate authorities become aware that a crime has been committed, the criminal gets away with it. Once a complaint has been made, the investigation proceeds through the following fundamental steps.</p>
<p><strong>Preparation (of the investigator, not the data)</strong></p>
<p>Computer forensic investigators must be prepared with the tools and procedures used during an investigation. These tools include hardware (such as write blockers and wiped, sterile storage media to hold images) as well as software used to secure evidence and data, and they should be tested and documented before they are needed.</p>
<p><strong>Collection (the data) </strong></p>
<p>The next step is to collect the data as completely as possible, including data that is damaged or hidden: deleted files, formatted hard disks, deleted partitions, and any other electronic storage medium such as compact discs or USB drives. Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data to its original state) unless other measures, such as hashing the original at the time of seizure, have been taken.</p>
<p><strong>Analysis </strong></p>
<p>This step involves the proper examination and evaluation of the gathered information. During analysis it is very important that the collected data is not modified in any way; otherwise the properties of the data change and its evidential value is lost. It is therefore necessary to use tools that do not modify the data (write blockers, read-only mounts) and to work on a verified copy rather than on the original. Forensic analysis chiefly consists of manual review of the material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.</p>
<p><strong>Reporting </strong></p>
<p>After the analysis is complete, a detailed report is generated listing all the evidence found and the information it yields, together with the steps taken to obtain it, so that another examiner could reproduce them. This report is produced as legal evidence before the court whenever required.</p>
<p><strong>The Role of Evidence </strong></p>
<p>Collecting evidence is the sole reason behind a forensic investigation, so evidence plays the central role in a computer forensic investigation. Digital evidence must be properly identified, preserved, studied, and presented; it is presented in court during the legal process and is subject to questioning there. Collection of evidence is done in several steps: first the identification of evidence, then its recovery, which is accomplished by viewing log files and recovering data with forensic tools. One more point to keep in mind throughout the investigation is the security of the data: digital evidence must be protected from alteration, and its custody (who handled it, when, and why) documented from seizure until it is presented.</p>
<p><strong>Volatile Evidence </strong></p>
<p>Data held in temporary storage media (random access memory (RAM), cache memory, and the onboard memory of peripherals such as graphics and video cards) is termed volatile because it depends on electrical power for its existence: as soon as the system is powered off, the stored data is gone for good. It is therefore very important to collect such data first, before the rest of the evidence, working from the most volatile source (registers and cache, then RAM, running processes and network state) towards the least volatile (disks and removable media), a sequence known as the order of volatility (RFC 3227).</p>
<p><strong>Acquiring Evidence </strong></p>
<p>This is the next step in processing evidence. Acquisition means making an exact copy of the digital evidence, and it is very important that the original data is not altered, damaged, or destroyed in the process. A cryptographic hash of the original and of the copy, computed at acquisition time and recorded, is what later proves that the copy is exact and that neither has changed since.</p>
<p><strong>Disk Imaging</strong></p>
<p>This technique is used to preserve the original evidence as it was seized. Disk imaging differs from a backup of a disk: a backup copies only the active files of a system, whereas disk imaging produces an exact, bit-for-bit replica of the original disk, including unallocated space, file slack, and deleted partitions, which is where deleted or hidden data is found. All subsequent analysis is then performed on the image (or on a working copy of it) and never on the original.</p>
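<p>The following is an added example, not code from the original post or from any forensic tool, covering the Collection, Analysis, Acquiring Evidence and Disk Imaging steps above in one piece of working code. It constructs a tiny sample medium (a directory block plus data blocks, with one file marked deleted but its bytes never wiped) and shows why a logical backup and a bit-for-bit image are not the same thing: the backup misses the deleted file, the image still holds it, a keyword search over the whole image finds it in unallocated space, and SHA-256 hashes taken at acquisition prove the image is exact and unchanged after analysis. The on-disk layout, file names and contents are all made up for the example.</p>

```python
"""Added example (not from the original post): logical backup vs. bit-for-bit image,
hash verification at acquisition, and keyword search over unallocated space.
The medium, its directory format and the files are constructed for the example."""
import hashlib
import struct

BLOCK = 64                      # bytes per block of the toy medium
NBLOCKS = 8                     # 512-byte "disk": block 0 = directory, 1.. = data
ENTRY = struct.Struct("!8sBHB4x")   # name, start block, byte length, flags, pad
ALLOCATED = 0x01

def make_sample_disk():
    """Constructed sample: 'plan' was deleted (flag cleared) but its data block is intact."""
    disk = bytearray(BLOCK * NBLOCKS)
    files = [(b"notes", 1, b"meeting with supplier at noon", ALLOCATED),
             (b"plan", 2, b"transfer funds to offshore acct", 0),
             (b"readme", 3, b"nothing to see here", ALLOCATED)]
    for i, (name, blk, data, flags) in enumerate(files):
        disk[i * ENTRY.size:(i + 1) * ENTRY.size] = ENTRY.pack(name, blk, len(data), flags)
        disk[blk * BLOCK:blk * BLOCK + len(data)] = data
    return bytes(disk)

def directory(medium):
    """Walk the directory block; an entry starting at block 0 is an empty slot."""
    for off in range(0, BLOCK, ENTRY.size):
        name, blk, length, flags = ENTRY.unpack_from(medium, off)
        if blk == 0:
            break
        yield name.rstrip(b"\0").decode(), blk, length, flags

def logical_backup(medium):
    """What an ordinary backup copies: only files the file system still lists as allocated."""
    return {name: medium[blk * BLOCK:blk * BLOCK + length]
            for name, blk, length, flags in directory(medium) if flags & ALLOCATED}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def acquire_image(medium):
    """Bit-for-bit acquisition; the hash is computed and recorded at acquisition time."""
    image = bytes(medium)       # immutable: analysis below cannot alter it by accident
    return image, sha256(image)

def verify_image(image, expected_hash):
    """Re-hash before and after analysis; any mismatch means the evidence was changed."""
    return sha256(image) == expected_hash

def recover_deleted(image):
    """Directory entries whose allocated flag is clear but whose data blocks are still there."""
    return {name: image[blk * BLOCK:blk * BLOCK + length]
            for name, blk, length, flags in directory(image) if not flags & ALLOCATED}

def keyword_search(image, keywords):
    """Search the entire image, allocated or not; report (keyword, offset, block)."""
    hits = []
    for kw in keywords:
        start = 0
        while (pos := image.find(kw, start)) != -1:
            hits.append((kw.decode(), pos, pos // BLOCK))
            start = pos + 1
    return hits

if __name__ == "__main__":
    original = make_sample_disk()
    print("backup sees:", sorted(logical_backup(original)))
    image, acquisition_hash = acquire_image(original)
    print("image hash :", acquisition_hash)
    print("deleted    :", recover_deleted(image))
    print("keyword    :", keyword_search(image, [b"offshore"]))
    print("unchanged  :", verify_image(image, acquisition_hash))
```

<p>Real file systems mark deletion differently (FAT overwrites the first byte of the name, NTFS clears a flag in the MFT record) and real tools hash with both MD5 and SHA-256 for compatibility with older reports, but the principle is the same: the hash recorded at acquisition is the anchor that every later finding is tied to.</p>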
<p><strong>Retaining Data and Timestamp:</strong> </p>
<p>Retaining the date and time of the creation and modification of data is a vital factor in criminal matters. The timestamps on a file are very important evidence, but they are only as good as the system clock that set them, and how they are displayed depends on the time zone configured on that system. The investigator should always establish which time zone was configured, record the system clock against a trusted time source at the moment of seizure, and apply the resulting offset, since a criminal may deliberately change the clock or the time zone so that the data does not correlate with real time. Note also that some file systems (NTFS, ext3/4) store timestamps in UTC, while others (FAT) store local wall-clock time with no zone information at all, so the configured zone is needed even to interpret the raw value.</p>
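<p>The following is an added example, not code from the original post, of the timestamp handling described above. The suspect system's clock and a trusted clock read at seizure, the configured time zone and the two file modification times are all constructed sample values. It computes the clock offset, corrects each stored timestamp into UTC, shows how the suspect's own desktop would have displayed it, converts a FAT-style local timestamp using the configured zone, and flags any file whose corrected time falls after the seizure itself, which can only happen if the clock or the stamp was manipulated.</p>

```python
"""Added example (not from the original post): normalising file timestamps from a
seized system against a trusted clock and the system's configured time zone.
Every clock, zone and file below is a constructed sample value."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Recorded by the examiner at seizure: the suspect machine's own clock and a
# trusted (NTP-synchronised) clock read at the same moment. Here the suspect
# clock runs 27 minutes slow.
SEIZURE_SYSTEM_CLOCK = datetime(2009, 9, 18, 4, 34, 4, tzinfo=UTC)
SEIZURE_TRUSTED_CLOCK = datetime(2009, 9, 18, 5, 1, 4, tzinfo=UTC)
CONFIGURED_ZONE = timezone(timedelta(hours=-8), "suspect-local")   # zone set on the suspect system

# Modification times as a UTC-based file system (NTFS, ext3/4) stores them: epoch seconds.
FILE_MTIMES = {"report.doc": 1253240000, "cleanup.sh": 1253250000}

def clock_offset(system_clock, trusted_clock):
    """Skew of the seized system's clock; add it to every timestamp that clock produced."""
    return trusted_clock - system_clock

def normalize(epoch_seconds, offset, display_zone):
    """Stored value -> corrected UTC, plus how the suspect's own desktop would have shown it."""
    corrected = datetime.fromtimestamp(epoch_seconds, tz=UTC) + offset
    return corrected, corrected.astimezone(display_zone)

def fat_local_to_utc(naive_local, configured_zone):
    """FAT stores local wall-clock time with no zone; interpret it with the configured zone."""
    return naive_local.replace(tzinfo=configured_zone).astimezone(UTC)

def audit_timestamps(mtimes, system_clock, trusted_clock, display_zone):
    """Correct every timestamp and flag any that lands after the seizure itself."""
    offset = clock_offset(system_clock, trusted_clock)
    rows = []
    for name, epoch in sorted(mtimes.items()):
        corrected, shown = normalize(epoch, offset, display_zone)
        flags = []
        if corrected > trusted_clock:
            flags.append("later than the clock reading at seizure: clock or stamp manipulated")
        rows.append({"file": name, "corrected_utc": corrected.isoformat(),
                     "shown_on_system": shown.isoformat(), "flags": flags})
    return offset, rows

if __name__ == "__main__":
    offset, rows = audit_timestamps(FILE_MTIMES, SEIZURE_SYSTEM_CLOCK,
                                    SEIZURE_TRUSTED_CLOCK, CONFIGURED_ZONE)
    print("clock offset applied:", offset)
    for row in rows:
        print(row)
    print("FAT local 2009-09-17 18:40:20 ->",
          fat_local_to_utc(datetime(2009, 9, 17, 18, 40, 20), CONFIGURED_ZONE))
```

<p>The offset is applied to the timestamps, not to the trusted clock, so the report states every event in corrected UTC alongside the value the suspect would have seen on screen; both are needed when a witness describes what they saw "at six in the evening".</p>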
<p><strong>Investigating Company Policy Violations</strong> </p>
<p>The investigation process in a company is quite different from other types of investigation. When a cyber crime occurs on a home computer, the police are normally called in to investigate. In the corporate world a team of specially skilled people, known as an incident response team, is formed instead. This team is responsible for determining what type of cyber crime has occurred and, depending on its type and on what is found, eventually contacts the police for further investigation. The incident response team also deals with the company&#8217;s internal matters, such as a security breach by an employee or unauthorized access to the company&#8217;s computers. It is not always necessary to involve the police when policies are violated; sometimes the matter is dealt with by the company itself through disciplinary action against the accused employee. Even then, following forensic procedures is important, because they produce a tighter case that leaves no room to dispute the facts, and because a matter that starts as a policy violation may later turn out to be a crime.</p>
]]></content:encoded>
			<wfw:commentRss>http://cisspfix.com/computer-investigation-process.html/feed</wfw:commentRss>
		<slash:comments>30</slash:comments>
		</item>
	</channel>
</rss>

