Passive DNS Logs: The Pulse of the Network

  • Monday, 07 Mar 2016 9:00PM EST (08 Mar 2016 02:00 UTC)
  • Speaker: Philip Hagen

Although some network protocols are more commonly seen than others, the staggering reality is that there are thousands of protocols an analyst may encounter during the course of an investigation, incident response, or threat hunting program. Therefore, network forensic analysts will recognize great efficiencies by reviewing those which provide insight to many other protocols. A prime example is the Domain Name System, or DNS. By logging all DNS queries and their responses, it's possible to characterize the nature of nearly every other protocol - even many undocumented, custom, and proprietary ones. This webcast will review several different methods one can use to log DNS activity or extract it from existing evidence, as well as analytic cases where it can provide decisive value by itself or as clarifying evidence in support of NetFlow and logs.
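As an added illustration of the "clarifying evidence in support of NetFlow" idea described above (example code written for this page, not material from the webcast or its speaker), the script below indexes a passive DNS log by client and answered address, then labels each flow record with the name that client resolved shortly before connecting; the log format, field order and all sample values are constructed assumptions. Flows with no preceding lookup come back as `None`, which is itself worth a look since legitimate clients rarely connect to a bare IP they never resolved.

```python
"""Annotate NetFlow-style records with the passive DNS answer that preceded them.
Added example, not from the webcast; log format and sample values are constructed."""
from collections import defaultdict

# Constructed passive DNS log: epoch seconds, client IP, qname, rtype, rdata.
PDNS_LOG = """\
1457400000 10.0.0.5 www.example.com A 93.184.216.34
1457400001 10.0.0.5 cdn.example.net A 203.0.113.10
1457400030 10.0.0.7 update.example.org A 198.51.100.20
1457400100 10.0.0.5 www.example.com A 93.184.216.34
"""

# Constructed NetFlow-style records: epoch seconds, src IP, dst IP, dst port.
FLOWS = [
    (1457400002, "10.0.0.5", "93.184.216.34", 443),
    (1457400003, "10.0.0.5", "203.0.113.10", 80),
    (1457400031, "10.0.0.7", "198.51.100.20", 8443),
    (1457400040, "10.0.0.9", "192.0.2.99", 4444),    # no lookup preceded it
    (1457400900, "10.0.0.5", "93.184.216.34", 443),  # lookup too old for window
]

def build_answer_index(log):
    """Map (client, answered IP) -> time-sorted [(ts, qname)] from A answers."""
    index = defaultdict(list)
    for line in log.splitlines():
        ts, client, qname, rtype, rdata = line.split()
        if rtype == "A":  # only address records name an IP a flow can reach
            index[(client, rdata)].append((int(ts), qname))
    for answers in index.values():
        answers.sort()
    return index

def resolve_flow(index, ts, src, dst, window=300):
    """Return the name src resolved to dst most recently within `window` seconds."""
    best = None
    for ans_ts, qname in index.get((src, dst), []):
        if ans_ts <= ts <= ans_ts + window:
            best = qname  # list is sorted, so the last hit is the newest answer
    return best

def annotate_flows(log, flows, window=300):
    """Attach a qname (or None) to each flow; None marks direct-to-IP traffic."""
    index = build_answer_index(log)
    return [(ts, src, dst, port, resolve_flow(index, ts, src, dst, window))
            for ts, src, dst, port in flows]

if __name__ == "__main__":
    for row in annotate_flows(PDNS_LOG, FLOWS):
        print(row)
```

The same index works against a real sensor export once the five-field parse in `build_answer_index` is adapted to that sensor's column layout; the window should be tuned to the TTLs seen in the environment.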