ofaheem Posted May 6, 2015 Share Posted May 6, 2015 Hi, I am studying a postgraduate degree of digital forensic computing and my professor have asked me to do a network forensic analysis of DNS protocol. He have asked us the following: Asked us to setup Virtual server using VMware workstation and virtual client. It should not be connected to internet and do DNS forensic analysis by extracting the digital evidence in relation to DNS protocol Now I have already setup a virtual server of Windows Server 2012 R2 having Active Directory and Active Directory integrated DNS Server and a virtual client of Windows 7 Professional which is joined to this domain. I have also installed Wireshark on this client computer but the problem is for me how to perform steps of extracting digital evidence and how to explain the wireshark logs in words If anybody can provide me help in this regard I shall be grateful Thanks & regard, Osama Quote Link to comment Share on other sites More sharing options...
cooper Posted May 6, 2015 Share Posted May 6, 2015 I doubt the point of getting a degree is learning to ask others how to do it... Quote Link to comment Share on other sites More sharing options...
digip Posted May 6, 2015 Share Posted May 6, 2015 (edited) If we give you an answer that turns out to be wrong and you go with it without verifying the info, this will count as part of your grade, and as such, may not help you in the long run. Maybe try some things, explain what you're doing and ask for pointers about stuff you have you want better explained, which honestly, (and it's a cliche but still important), google for what you are doing and the info you want to dissect. I have a feeling you will not only get a better understanding of what it is you are asking, but you probably already know most of it since you are in a networking class that should have some fundamentals of how the protocols work, OSI layers, etc. Good luck. Edited May 6, 2015 by digip Quote Link to comment Share on other sites More sharing options...
fugu Posted May 8, 2015 Share Posted May 8, 2015 what evidence are you trying to extract? Quote Link to comment Share on other sites More sharing options...
Isolot Posted May 8, 2015 Share Posted May 8, 2015 (edited) I have not studied digital forensics but if it were me i would teach myself by capturing a pcap of multiple different scenarios: - client requests private ip name resolution - client requests public ip reverse look up - client requests public host name resolution - client requests resolution of an ip that the dns server contains a record for - client requests resolution of an ip that the server does not have a record for - client requests requests different types of records ie mx records. now open up each of the captures and strip them down to just the dns request..(add dns specific filters eg. udp). Now ask yourself, If i were a detective, what information might be important to me? - time of the request - time of the response - time between the request and response - source ip of the request - destination ip of the request - type of request - size of the request - what was the data in the request? where was the user trying to go (right click follow udp stream) - what what was the servers response - what was the mac address in the request? (this can give you the last hop and give an idea of the network route taken) - source and destination port used. google searching will provide the how to's on where to find the answer to the above questions in the packets. you could also now go a step further - what third party tools can you hand the pcaps to in order to provide automated reports? xplico? etc - was there a tcp handshake after the dns request completed to say the user actually went ahead with the connection? Edited May 8, 2015 by Isolot Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.