TABLE OF CONTENTS by Michael Gregg
This chapter examines router and network forensics. This chapter is important as many attacks will require the analyst to look for information in the router or require network forensics. This requires you to have an understanding of routers and their architecture. It is important to understand where they reside within the OSI model and what role they play within network communications.
Anytime you work with forensic evidence it is critical that the concept of chain of custody be understood. How evidence is handled, stored, accessed, and transported is critical, because if basic control measures are not observed the evidence may be ruled inadmissible in court.
Network forensics can best be defined as the sniffing, recording, and analysis of network traffic and events. Network forensics are performed in order to discover the source of security incidents and attacks or other potential problems. One key role of the forensic expert is to differentiate repetitive problems from malicious attacks.
The hacking process follows a fixed methodology. The steps a hacker follows can be broadly divided into six phases:
Reconnaissance
Scanning and enumeration
Gaining access
Escalation of privilege
Maintaining access
Covering tracks and placing backdoors
Reconnaissance is considered the first preattack phase. The hacker seeks to find out as much information as possible about the victim. The second preattack phase is scanning and enumeration. At this step in the methodology, the hacker is moving from passive...
