Our journey, so far, has been an interesting one. As we traversed this ocean of network forensics, we stopped at numerous stops and islands on the way to enhance our understanding of the environment. These stops have helped us understand the various tools, technologies, and techniques that are required to conduct a network forensic investigation. We have seen the use of memory forensics that allow us to create images of RAM contents, how packet sniffers allow us to grab network data, and also how various intrusion detection and prevention servers play a role in the defense of the network. An analysis of the logs generated by proxies, firewalls, and intrusion detection and prevention systems have helped us gain an insight into networks, their behavior, and the various forensic artifacts left behind for us to find as evidence of malicious activity. We have also studied about malicious software and its various kinds and how malware affects our systems and the various steps involved in its investigations. As our travel across the ocean comes to an end, we need to stitch our knowledge together to form a map of our journey through network forensics and see how we can put all this knowledge to good use in an integrated manner.

In this final chapter, we will cover the finer aspects and provide the finishing touches to successfully take up, handle, investigate, and close a network forensics case.

Now it's time for all the Network 007s to take this final journey together through our network to learn the end game. That's what really counts!

We will solve our case according to the following steps:

Revisiting the TAARA investigation methodology

Let's do a quick review of the TAARA network forensics and incident response methodology.

As we learned in Chapter 1, Becoming Network 007s, TAARA stands for the following:

• Trigger: This is the event that leads to an investigation.
• Acquire: This is the process that is set in motion by the trigger; this is predefined as part of the incident response plan and involves identifying, acquiring, and collecting information and evidence relating to the incident. This includes getting information related to the triggers, reasons for suspecting an incident, and identifying and acquiring sources of evidence for subsequent analysis.
• Analysis: All the evidence that is collected is now collated, correlated, and analyzed. The sequence of events is identified. The pertinent questions relating to whether the incident actually occurred or not; if it did, what exactly happened, how it happened, who was involved, what is the extent of the compromise, and so on are answered.
• Report: Based on the preceding analysis, a report is produced before the stakeholders to determine the next course of action.
• Action: The action recommended in the report is usually implemented during this stage.

The following image gives us an overview of the network forensics investigative methodology, TAARA: