As stated by Precise Cyber Forensics
, “Computer Forensics is the use of specialized techniques for recovery, authentication, and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis.”
In general terms, a forensic is a post event analysis done in order to find the root cause.
Done on residual data or logs from different resources…
To analyze the packet captures, various tools are available starting from simplistic: TCPDUMP, wireshark, ethreal, netmon and many others……
Forensic experts and hackers analyze the logic and write parsers to extract specific stream of data from big big network traces…automating their work.
For example Dsniff is a tool which extracts HTTP, SMTP, FTP, and Telnet passwords.
Cain also uses similar features to extract passwords from real streams.
Analyzing packet captures can be at times overwhelming with a lot of data if you have a lot of hosts or traces taken for longer intervals.Coming to Wireshark…
If you don’t already have Wireshark, you will need to download it
There is a lot of help available through videos on YouTube
, and there’s different compilations atSecurityTube.net
and others, but I am only giving you a brief introduction.
We can filer the capture files to minimize the amount of data we have to see and analyze.
1. tcp.port==21 filters all the traffic on basis of port (source and destination has port 21)
2. ip.src==a.b.c.d Filters all traffic on basis of source IP address in packet. (the IP address is a.b.c.d)
3. ip.dst==a.b.c.d Filters all traffic on basis of destination IP address. (the IP address is a.b.c.d)
4. ip.addr==a.b.c.d Filters all traffic on basis of where source or destination IP address is a.b.c.d.
Hope this helps… 🙂