Why don't commercial companies have similar forensic capabilities as their physical property/buildings?

Posted by Gary Woods on October 5, 2006, 1:57 pm
I'm trying to evangelize a point about the need for Forensics evidence on the network. Any comments?

Most of us watch or have seen a TV program called CSI.

The first thing a CSI asks when arriving at the crime scene is "do you have any video cameras".

Why is that? Well, it's the best way to tell who has been in the building, exited the building (and what they took), around the building and who's been knocking on the door/windows etc. It makes EXCELLENT Forensics evidence.

The question is why don't we capture packets in the same location on our network as they do with video cameras? By this I am talking about packet capture at the Ingress and egress of the network...the ISP link!

Think about it. It is no longer expensive to store several weeks of traffic versus not knowing what is actually leaving your network and by whom.

Gary

Posted by BobS on October 5, 2006, 3:20 pm
Gary,

Good observation and I'm certainly no expert in this but it just so happens - I am presently involved with a small project where I'm doing exactly that, with very limited tools.

Most (I say that cautiously) routers have logging capability but it's minimal - at best on the lower cost ($300 - $600 range) routers/access points. I'm looking for some software that I can feed in a .csv or text file that has the IPs I'm interested in so the process of doing a trace and whois can be automated and again logged with the findings. Right now, one IP address at a time.

There's more than I care to learn about doing an "accurate" reverse trace but I can see a need for such tools that you're talking about. There are plenty of packet sniffers and geo tracers available and a good firewall will give you most of the info you need to get started - but then you need a lot of time (and knowledge) to find out everything you can. Corporations and gov't can justify this cost - small businesses gain very little from the effort most of the time and elect to just block the attacks and not worry about tracking them down since they cannot do much even if they can gather all the info.

So we're stuck using the low cost software and occasionally get lucky with an ISP that does act on abuse reports but not many do.....

Bob S.
Posted by Karl Levinson on October 5, 2006, 3:31 pm

Those sites can't put cameras everywhere. And those cameras don't always
record absolutely every second. Decisions are made, based on cost and risk.
If your company or your ISP isn't recording that stuff, there's probably a
reason.

Some companies do record everything. Others more typically only capture a
little bit of the data, for example the "netflow" data or snapshots of just
the packet headers without all the data. Other companies [like many ISPs]
have inspection devices that can be turned on upon request from, say, law
enforcement. It can be very difficult to capture absolutely all traffic,
depending on how much traffic there is. And even if you did capture
everything, it takes talent and luck to find what you're looking for in all
that data.

Data can easily be encrypted via, say, HTTPS so that your recording of that
data might not tell you much if anything.

If you're saying that ISPs should record all data, that is expensive and there has to be something to make it worth their while. Even then, you're not likely going to get access to that data, not unless you can get a law enforcement officer to obtain a subpoena.

If you're saying that all computers should record all network data, your computer does have that ability, just install Ethereal / Wireshark from www.ethereal.com. Your only limit is hard drive space. Most people just use their firewall logs and hope that captures most of the data that they need.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info
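
The two cheaper retention options Karl mentions (keeping only packet headers, or only NetFlow-style per-flow counts) can be shown in code. This is an added example, not code from any poster on the thread; the frames are constructed inline with struct (no real capture, checksums left at zero), and the function names are my own.

```python
import struct
from collections import defaultdict

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the example; checksums are zero on purpose."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # zero MACs, EtherType 0x0800 (IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def parse_headers(frame):
    """Return (src, dst, proto, sport, dport, header_end) for an IPv4 frame, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = 14 + ihl
    if proto == 6:                                       # TCP: data offset gives header length
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        return (src, dst, proto, sport, dport, l4 + (frame[l4 + 12] >> 4) * 4)
    if proto == 17:                                      # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        return (src, dst, proto, sport, dport, l4 + 8)
    return (src, dst, proto, 0, 0, l4)

def strip_payload(frame):
    """Header-only retention: keep Ethernet/IP/transport headers, drop application data."""
    h = parse_headers(frame)
    return frame if h is None else frame[:h[5]]

def flow_summary(frames):
    """NetFlow-style accounting: packets and bytes per (src, dst, proto, sport, dport)."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in frames:
        h = parse_headers(f)
        if h is None:
            continue
        flows[h[:5]]["packets"] += 1
        flows[h[:5]]["bytes"] += len(f)
    return dict(flows)

# Constructed sample traffic: a TLS-looking session (payload useless to a reviewer anyway)
# and one plaintext HTTP request.
SAMPLE = [
    build_frame("192.0.2.10", "203.0.113.5", 51000, 443, b"\x16\x03\x01" + b"A" * 40),
    build_frame("192.0.2.10", "203.0.113.5", 51000, 443, b"B" * 100),
    build_frame("192.0.2.11", "198.51.100.7", 51001, 80, b"GET / HTTP/1.1\r\n\r\n"),
]
```

Both reduced forms still answer Gary's "what left the network, to where, and from which host" question at a fraction of full-capture storage, which matters most where the payload is HTTPS and would not have been readable anyway.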


Posted by Roger Abell [MVP] on October 6, 2006, 12:27 am
I will add one other aspect.

After the cost of capture and storage, and the effort to extract what may still be stored and "of interest", what one may often end up with is an IP for the penetration (or whatever it was of interest). However, that IP turns out to be one hop in a long sequence of bounces about the internet, and you find that those responsible for that IP are not able to assist you in following the trail to the next hop. This is not a minor factor in the cost/benefit analysis.

Roger


Posted by imhotep on October 12, 2006, 12:39 am

Speak for yourself "we" do...


Imhotep
