Network Forensic Weekly Report

Week 11

This week, we learned about storage media, switches, CAM tables, ARP tables, routers, and firewalls. We also had a quiz.

Storage media discussed:

  • ROM
  • NVRAM
  • DRAM
  • CAM
  • Hard Drive

The differences between switches and routers in terms of forensic value:

Switches contain a “content addressable memory” (CAM) table. The table maps MAC addresses to physical ports. Using a MAC address, the investigator can identify the switch and the corresponding port to which a device is connected. The table also provides VLAN information for capturing traffic from the mirroring port with a packet sniffer. Routers, by contrast, contain a routing table. The table maps ports on the router to the networks that they connect. With the table, the forensic investigator can trace the path that network traffic takes to traverse multiple networks.
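The MAC-to-port lookup described above can be scripted once the CAM table has been exported as text. The following is an added example, not part of the original report; it assumes Cisco IOS-style `show mac address-table` output (the report names no vendor), and the sample table and function names are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample in the style of Cisco IOS `show mac address-table` output
# (assumption: the report does not name a switch vendor).
SAMPLE_CAM = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    0011.2233.4466    DYNAMIC     Gi0/2
  20    00aa.bbcc.dd01    DYNAMIC     Gi0/24
  20    00aa.bbcc.dd02    DYNAMIC     Gi0/24
  10    00aa.bbcc.dd04    STATIC      Gi0/24
"""

# vlan, MAC (dotted, colon or hyphen notation), entry type, port
ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:\-]{12,17})\s+(\w+)\s+(\S+)\s*$")

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_cam(text):
    """Return a list of {vlan, mac, type, port} dicts, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append({"vlan": int(vlan), "mac": normalize_mac(mac),
                            "type": kind.upper(), "port": port})
    return entries

def locate(entries, mac):
    """Find the (vlan, port) pairs where a MAC of interest was learned."""
    wanted = normalize_mac(mac)
    return [(e["vlan"], e["port"]) for e in entries if e["mac"] == wanted]

def likely_uplinks(entries, threshold=3):
    """Ports with many MACs usually lead to another switch, not to one host."""
    per_port = defaultdict(set)
    for e in entries:
        per_port[e["port"]].add(e["mac"])
    return sorted(p for p, macs in per_port.items() if len(macs) >= threshold)

if __name__ == "__main__":
    cam = parse_cam(SAMPLE_CAM)
    print(locate(cam, "00:11:22:33:44:66"), likely_uplinks(cam))
```

A port flagged by `likely_uplinks` means the lookup has to be repeated on the next switch downstream. Dynamic CAM entries age out, so the table should be collected early in an investigation.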

Port mirroring, also known as switched port analyzer (SPAN), remote switched port analyzer (RSPAN), and roving analysis port (RAP), is a method of monitoring network traffic, identifying network abnormalities, and troubleshooting them. Port mirroring is configured at the network switch by network administrators or by a network monitoring/security application. It allows administrators to keep track of network performance and be alerted if problems occur. Port mirroring can mirror inbound traffic, outbound traffic, or both, on a single interface or on multiple interfaces. With port mirroring enabled, the network switch sends a copy of the network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port, where the packets can be analyzed. The port mirroring process is hidden from the source and from other nodes on the network.

Network appliances that use port mirroring include intrusion detection systems, passive probes, and real user monitoring (RUM) technology, which supports application performance management (APM).
