Network Forensics: Tracking Hackers through Cyberspace / Edition 1

Hardcover (Print)
Rent from
(Save 67%)
Est. Return Date: 07/24/2015
Used and New from Other Sellers
Used and New from Other Sellers
from $41.45
Usually ships in 1-2 business days
(Save 44%)
Other sellers (Hardcover)
  • All (15) from $41.45   
  • New (10) from $45.17   
  • Used (5) from $41.41   


“This is a must-have work for anybody in information security, digital forensics, or involved with incident handling. As we move away from traditional disk-based analysis into the interconnectivity of the cloud, Sherri and Jonathan have created a framework and roadmap that will act as a seminal work in this developing field.”

– Dr. Craig S. Wright (GSE), Asia Pacific Director at Global Institute for Cyber Security + Research.

“It’s like a symphony meeting an encyclopedia meeting a spy novel.”

–Michael Ford, Corero Network Security

On the Internet, every action leaves a mark–in routers, firewalls, web proxies, and within network traffic itself. When a hacker breaks into a bank, or an insider smuggles secrets to a competitor, evidence of the crime is always left behind.

Learn to recognize hackers’ tracks and uncover network-based evidence in Network Forensics: Tracking Hackers through Cyberspace. Carve suspicious email attachments from packet captures. Use flow records to track an intruder as he pivots through the network. Analyze a real-world wireless encryption-cracking attack (and then crack the key yourself). Reconstruct a suspect’s web surfing history–and cached web pages, too–from a web proxy. Uncover DNS-tunneled traffic. Dissect the Operation Aurora exploit, caught on the wire.

Throughout the text, step-by-step case studies guide you through the analysis of network-based evidence. You can download the evidence files from the authors’ web site (, and follow along to gain hands-on experience.

Hackers leave footprints all across the Internet. Can you find their tracks and solve the case? Pick up Network Forensics and find out.

Read More Show Less

Product Details

  • ISBN-13: 9780132564717
  • Publisher: Prentice Hall
  • Publication date: 7/6/2012
  • Edition description: New Edition
  • Edition number: 1
  • Pages: 576
  • Sales rank: 314,460
  • Product dimensions: 6.90 (w) x 9.20 (h) x 1.40 (d)

Meet the Author

Sherri Davidoff is a founder of LMG Security, an information security consulting and research firm. Her specialties include network penetration testing, digital forensics, social engineering testing, and web application assessments. She holds her S.B. in Computer Science and Electrical Engineering from MIT.

Jonathan Ham has been commissioned to teach NCIS investigators how to use Snort, performed packet analysis from a facility more than two thousand feet underground, taught intrusion analysis to the NSA, and chartered and trained the CIRT for one of the largest U.S. civilian federal agencies. He is a founder of LMG Security. His favorite field is ip[6:2].

Read More Show Less

Table of Contents

Foreword xvii

Preface xix

Acknowledgments xxv

About the Authors xxvii

Part I: Foundation 1

Chapter 1: Practical Investigative Strategies 3

1.1 Real-World Cases 3

1.2 Footprints 8

1.3 Concepts in Digital Evidence 9

1.4 Challenges Relating to Network Evidence 16

1.5 Network Forensics Investigative Methodology (OSCAR) 17

1.6 Conclusion 22

Chapter 2: Technical Fundamentals 23

2.1 Sources of Network-Based Evidence 23

2.2 Principles of Internetworking 30

2.3 Internet Protocol Suite 35

2.4 Conclusion 44

Chapter 3: Evidence Acquisition 45

3.1 Physical Interception 46

3.2 Traffic Acquisition Software 54

3.3 Active Acquisition 65

3.4 Conclusion 72

Part II: Traffic Analysis 73

Chapter 4: Packet Analysis 75

4.1 Protocol Analysis 76

4.2 Packet Analysis 95

4.3 Flow Analysis 103

4.4 Higher-Layer Traffic Analysis 120

4.5 Conclusion 133

4.6 Case Study: Ann’s Rendezvous 135

Chapter 5: Statistical Flow Analysis 159

5.1 Process Overview 160

5.2 Sensors 161

5.3 Flow Record Export Protocols 166

5.4 Collection and Aggregation 168

5.5 Analysis 172

5.6 Conclusion 183

5.7 Case Study: The Curious Mr. X 184

Chapter 6: Wireless: Network Forensics Unplugged 199

6.1 The IEEE Layer 2 Protocol Series 201

6.2 Wireless Access Points (WAPs) 214

6.3 Wireless Traffic Capture and Analysis 219

6.4 Common Attacks 224

6.5 Locating Wireless Devices 229

6.6 Conclusion 235

6.7 Case Study: HackMe, Inc. 236

Chapter 7: Network Intrusion Detection and Analysis 257

7.1 Why Investigate NIDS/NIPS? 258

7.2 Typical NIDS/NIPS Functionality 258

7.3 Modes of Detection 261

7.4 Types of NIDS/NIPSs 262

7.5 NIDS/NIPS Evidence Acquisition 264

7.6 Comprehensive Packet Logging 267

7.7 Snort 268

7.8 Conclusion 275

7.9 Case Study: Inter0ptic Saves the Planet (Part 1 of 2) 276

Part III: Network Devices and Servers 289

Chapter 8: Event Log Aggregation, Correlation, and Analysis 291

8.1 Sources of Logs 292

8.2 Network Log Architecture 306

8.3 Collecting and Analyzing Evidence 311

8.4 Conclusion 317

8.5 Case Study: L0ne Sh4rk’s Revenge 318

Chapter 9: Switches, Routers, and Firewalls 335

9.1 Storage Media 336

9.2 Switches 336

9.3 Routers 340

9.4 Firewalls 344

9.5 Interfaces 348

9.6 Logging 352

9.7 Conclusion 355

9.8 Case Study: Ann’s Coffee Ring 356

Chapter 10: Web Proxies 369

10.1 Why Investigate Web Proxies? 369

10.2 Web Proxy Functionality 371

10.3 Evidence 375

10.4 Squid 377

10.5 Web Proxy Analysis 381

10.6 Encrypted Web Traffic 392

10.7 Conclusion 401

10.8 Case Study: Inter0ptic Saves the Planet (Part 2 of 2) 402

Part IV: Advanced Topics 421

Chapter 11: Network Tunneling 423

11.1 Tunneling for Functionality 423

11.2 Tunneling for Confidentiality 427

11.3 Covert Tunneling 430

11.4 Conclusion 439

11.5 Case Study: Ann Tunnels Underground 441

Chapter 12: Malware Forensics 461

12.1 Trends in Malware Evolution 462

12.2 Network Behavior of Malware 484

12.3 The Future of Malware and Network Forensics 491

12.4 Case Study: Ann’s Aurora 492

Afterword 519

Index 521

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)