[Bill's Home] The Advanced Security and Network Forensics teaching pack is at [Notes][Labs]:

Unit 1: Fundamentals

• Lecture.
• Install ProfSIMs. Register with your Napier email address.
• Tutorial. [Use the tutorial in Networksims]
• Lab 1: [Investigate Linux Services and start developing the Toolkit] [Connect to cluster]
  • Accessing services on Windows 2003 (using stand-alone VM image). This gives an overview of accessing important services, such as Telnet, FTP, SMTP, and so on, from Linux.
  • Accessing services on Windows 2003 (using the cluster). [Demo on the cluster]
  • Toolkit 1 demo. This provides an overview of Toolkit 1 lab for Lab 1. Source code [here].
• Associated software:
• Toolkit. This is a program which can be used to investigate client/server applications [demo]. Run client.exe and it should have the client and server program in it. Also it contains a packet capture tab, where you can see the network connections.

Unit 2 Vulnerabilities and Threats

• Lecture. [Standalone version]
• Tutorial.
• Lab 2: [Investigate Unix Services, SQL Injection and further Toolkit]
  • Demo of Linux services. This gives an overview of accessing important services, such as Telnet, FTP, SMTP, and so on, from Linux (Lab 2).
  • Toolkit 2 demo. This provides an overview of Toolkit 2 lab for Lab 2 (Page 187). Source code [here].
• Demos:
  • Demo of Nessus. Nessus is an excellent vulnerability scanner.
  • Cross scripting example. This shows an example of an SQL injection attack, which is an example of a cross-scripting threat.
  • SQL examples. This shows some examples of basic SQL.
  • IDS detecting ping and port scan. This shows a simple example of using IDS for detecting a ping on a host, and' also in using the sfportscan preprocessor to detect a port scan.
  • Snort example using ProfSIMS.
  • Hydra vulnerability scanning. The Hydra program allow administrators to scan their servers, such as for FTP and Telnet, for vulnerabilities. This example shows a practical scan for a range of user names and passwords.
  • Hping vulnerability scanning. The hping program can be used to craft data packet which can be used for vulnerability testing.
  • Lab Demo: Part 1, Part 2, Part 3, Part 4.

Unit 3: Network Forensics

• Lecture. [Standalone version]
• Example traces: Ping, Telnet, DNS Lookup, FTP, NMAP, Tracrt, Web page, SSL, Spoof Address, IPSec, GoogleWeb, IP Packet (Windows). IP Packet (Ubuntu).
• Hydra traces: hydra_ftp, hydra_telnet
• Hping traces: hping_fin, hping_ping_scan, hping_port80, hping_port80_fin, hping_syn, hping_udp_scan, hydra_ftp, hydra_telnet.
• Tutorial:
  • Run TCP Dump. TCP dump analysis. [TCP Dump Tutorial].
  • Network Forensics. This shows an example of analysing simple network traces.
  • Tripwire. This shows an example of configuring Tripwire in Linux.

Unit 4: Obfuscation and Data Hiding

• Lecture. [Standalone version]
• Tutorial:
  • Encryption/Hashing/etc. This shows examples from the encryption/hashing part of the Toolkit. Run TCP Dump.
  • RSA Public key. This shows examples from the RSA encryption part of the Toolkit. Run TCP Dump.
  • Brute force. This shows an example of brute force on encrypted content.
  • Brute force on a hash. This shows an example of brute force on hashed content.
  • Digital Certificates. This shows the importing of digital certificates.
  • Encoding. This shows an example of converting from ASCII, Base-64, Hex, and Binary, into the other formats.
  • Ex-OR encoding. This shows an example of Ex-OR encoding.
  • Frequency analysis. This shows an example of frequency encoding.

Test 1

• [My study guide]. New: [Study methods]
• Sample test. [Alt].
• Get Toolkit 1.12 [Here]. Recently added: Network Interface details (Network tab), SQL query analysis, and more analysis of HTTP response (HTTP). [SQL demo]
• Podcast:
  • iPod/iPhone Web brower [http://buchananweb.co.uk/asnf.html]
  • Podcast (iPhone): http://itunes.apple.com/podcast/advanced-security-network/id357401454
  • Podcast (Desktop): http://buchananweb.co.uk/asnf_full.xml
• Sample network forensic logs [DNS] [FTP] [Hping_FIN] [Hping_Ping_Scan] [Hping_Port80] [Hping_Port80_SYN][Hping_SYN][Hydra_FTP][Hydra_Telnet][NMAP][Ping][Spoof Address] [Telnet] [Trace route] [Web page]
• Spreadsheet checker for inferred marks [Here].

Unit 5: Web Infrastructure

• Notes [Unit 5].
• Lab.
• Lecture.
• Tutorial.

Unit 6: Cloud

• Notes [Unit 6].
• Lab [Network Forensics Trace] [Toolkit].
• Lecture. [PPT - with additional slides].
  • Demo of S3CMD for Amazon S3.
  • EC2 tools
  • Real-life demo of instance creation.
  • Creating multiple instances from a user-generated AMI.
  • Creating Linux image demo (Lab 10). [Lab 10]

Coursework

A company (MyComp) has had a security breach where it is alleged that there has been illegal file sharing on the corporate server. The company has managed to get a virtual image of the computer, which contains traces of evidence that could be used for the investigation. It is thus your objective to investigate the virtual image, and produce a fair and unbiased report on the finds. You will be provided with a DVD of the image. The trace is in virtual image, but can also be downloaded from:

http://www.soc.napier.ac.uk/~bill/cw_capture.rar

Submission date: TBC