Tactical Wireshark: A Deep Dive Into Intrusion Analysis, Malware Incidents, and Extraction of Forensic Evidence

Cardwell, Kevin

  • Publisher: Apress
  • Publication date: 2023-04-13
  • List price: $1,925
  • Sale price: $1,829 (9.5 折, i.e. 95% of list)
  • VIP price: $1,733 (9.0 折, i.e. 90% of list)
  • Language: English
  • Pages: 462
  • Binding: Quality Paper - also called trade paper
  • ISBN: 1484292901
  • ISBN-13: 9781484292907
  • Related category: Wireshark
  • Ships immediately (stock = 1)

Product Description

Take a systematic approach to identifying intrusions that range from the most basic to the most sophisticated, using Wireshark, an open source protocol analyzer. This book will show you how to effectively manipulate and monitor different conversations and perform statistical analysis of these conversations to identify the IP and TCP information of interest.

Next, you'll be walked through a review of the different methods malware uses, from inception through the spread across and compromise of a network of machines. The process from the initial "click" through intrusion, the characteristics of Command and Control (C2), and the different types of lateral movement will be detailed at the packet level.

In the final part of the book, you'll explore the network capture file and identification of data for a potential forensics extraction, including inherent capabilities for the extraction of objects such as file data and other corresponding components in support of a forensics investigation.

After completing this book, you will have a complete understanding of the process of carving files from raw PCAP data within the Wireshark tool.

What You Will Learn

  • Use Wireshark to identify intrusions into a network
  • Exercise methods to uncover network data even when it is in encrypted form
  • Analyze malware Command and Control (C2) communications and identify IOCs
  • Extract data in a forensically sound manner to support investigations
  • Leverage capture file statistics to reconstruct network events

Who This Book Is For

Network analysts, Wireshark analysts, and digital forensic analysts.

About the Author

Kevin Cardwell is an instructor, curriculum developer, technical editor, and author of computer forensics and hacking courses. He is the author of the EC-Council Certified Penetration Testing Professional, Ethical Hacking Core Skills, Advanced Penetration Testing, and ICS/SCADA Security courses. He has presented at the Black Hat USA, Hacker Halted, ISSA, and TakeDownCon conferences, as well as many others. He has chaired the Cybercrime and Cyberdefense Summit in Oman and was Executive Chairman of the Oil and Gas Cyberdefense Summit. He is the author of Defense and Deception: Confuse and Frustrate the Hackers; Building Virtual Pentesting Labs for Advanced Penetration Testing, 1st and 2nd editions; and Backtrack: Testing Wireless Network Security. He holds a BS in Computer Science from National University in California and an MS in Software Engineering from Southern Methodist University (SMU) in Texas.
