
Network forensics investigations

Overview of network forensics


Network forensics is a sub-branch of digital forensics concerned with the monitoring, capturing,
recording and analysis of computer network traffic for the purposes of information gathering,
legal evidence, or intrusion detection. Unlike other areas of digital forensics, network
investigations deal with volatile and dynamic information. Network traffic is transmitted and
then lost, so network forensics is often either a proactive investigation or an after-the-fact
investigation of historical log files. It deals with data found across a network connection,
mostly ingress and egress traffic. Network forensics attempts to analyze traffic data logged by
firewalls, IDS, or network devices such as routers and switches, and covers the process of
finding out how an attack was launched, from which system, and by what methodology.

Network forensics generally has two methods of information gathering. These are:
1. Relating to security: involves monitoring a network for anomalous traffic and
identifying intrusions. An attacker might be able to erase all log files on a
compromised host; network-based evidence might therefore be the only evidence
available for forensic analysis.
2. Relating to law enforcement: in this case analysis of captured network traffic can
include tasks such as reassembling transferred files, searching for keywords, and
parsing human communication such as emails, browsing history, successful/failed
logins, downloaded files, web and application usage, passwords and usernames, or chat
sessions.
Advantages of network forensic investigations:
• Network performance benchmarking
• Network troubleshooting
• Transactional analysis
• Security attack analysis

The following lists some of the questions that network forensics may help answer in
establishing the facts of a case. For each of the WH questions, a network forensic
investigation tries to answer the following:

• WHO
  - Who are the people involved?
  - Who are the IT personnel of the premises?
  - Who are the top management of the company?
• WHAT
  - What type of crime is it? (Network, computer or mobile forensics, cyber terrorism, ...)
  - What are the resources needed? (People, equipment, budget and network devices)
  - What are the needed documents?
  - What are the IP addresses, MAC addresses and devices involved?
  - Who owns the IP address/devices?
• WHERE
  - Where is the location of the crime? In Ethiopia or cross-border?
  - Where is the database server?
• HOW
  - How did the crime happen?
• WHEN
  - When did the crime happen?
  - When did the investigating team first detect the crime?

TYPES OF NETWORK ATTACKS

A network attack can be defined as any method, process, or means used to maliciously attempt
to compromise network security.

Types of network attack

1. ACTIVE ATTACK

An active attack tries to change system resources or affect their operation. It always causes
damage to the system.
2. PASSIVE ATTACK

A passive attack tries to read or make use of information from the system but does not influence
system resources.

The following are the main categories of attacks launched against networks:

• IP spoofing
• Router attacks
• Eavesdropping
• Denial of service
• Man-in-the-middle attack
• Sniffing
• Data modification
• etc.

When should you apply network forensics?

Forensics can be applied to many situations to solve performance, security and policy
problems on today's high-speed networks. These include:

• Finding proof of a security attack
• Troubleshooting intermittent performance issues
• Monitoring user activity for compliance with IT and HR policies
• Identifying the source of data leaks
• Monitoring business transactions
• Troubleshooting VoIP and video over IP

How do you collect network-based evidence?

• Watch traffic to and from a specific host.
• Monitor traffic to and from a specific network.
• Monitor a specific person's actions.
• Verify intrusion attempts.
• Look for specific attack signatures.
• Focus on a specific protocol.
• Inspect log files and cookies on network devices, hosts and browsers.

What is evidence? We can define it as:
1. Information or signs indicating whether a belief or proposition is true or valid.
2. Information used to establish facts in a legal investigation or admissible as
testimony in a law court.

Within this system there are a few categories of evidence that have very specific meanings:
• Real evidence: physical objects that play a relevant role in the crime (computer box,
  keyboard, USB, etc.)
• Best evidence: can be produced in court (recovered file, bit-for-bit snapshot of a
  network transaction)
• Direct evidence: eyewitness
• Circumstantial evidence: linked with other evidence to draw a conclusion (email
  signature, USB serial number)
• Hearsay: second-hand information (text file containing a personal letter)
• Business records: routinely generated documentation (contracts and employee
  policies, logs)
• Digital evidence: electronic evidence (emails, logs)
Network Forensics Investigative Methodology (OSCAR)

Forensic investigators should perform their work using a sound forensic methodological
framework to ensure a useful outcome. The following methodological framework is
recommended.

1. Obtain information
Whatever kind of forensic investigator you are, you will always need to do two things at the
beginning of an investigation: obtain information about the incident itself, and obtain
information about the environment.

A. Incident description
Usually you will want to know the following things about the incident:
• Information regarding incident discovery
• Known persons involved
• Systems and/or data known to be involved
• Actions taken by the organization since discovery
• Potential legal issues
• Working time frame for investigation and resolution
• Specific goals, etc.

This list is simply a starting point, and you will need to customize it for each incident.

B. The environment
The information you gather about the environment will depend on your level of familiarity
with it. Remember that every environment is constantly changing, and complex social and
political dynamics occur during an incident. Even if you are very familiar with an
organization, you should always take the time to understand how the organization is
responding to this particular incident, and clearly establish who needs to be kept in the loop.
Usually you will want to know the following things about the environment:
• Working business model and enforceable policies
• Potential legal issues involved with said business model and policies
• Organizational structure
• Network topology
• Possible network evidence sources
• Incident response management procedures
• Central communication systems (investigator communication and evidence
  repository)
• Available resources:
  - Staff
  - Equipment
  - Funding
  - Time

2. Strategize
• Understand the goals and time frame for the investigation
• Organize and list resources
• Identify and document evidence sources
• Estimate the value of evidence versus the cost of obtaining it
• Prioritize based on this estimate
• Plan of attack, both for acquisition and analysis
• Set up a schedule for regular communication between investigators
• Remember that this is fluid and will most likely have to be adjusted
3. Collect evidence
In the previous step, "Strategize," we prioritized our sources of evidence and came up with an
acquisition plan. Based on this plan, we then collect evidence from each source. There are
several components you must address every time you acquire evidence:
• Document everything
• Lawfully capture evidence
• Make cryptographically verifiable copies
• Set up secure storage of collected evidence
• Establish chain of custody
• Analyze copies only
• Use legally obtained, reputable tools
• Document every step
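As an added example (not part of the lecture notes), the following Python script carries out the "verifiable copies", "chain of custody" and "analyze copies only" steps on a constructed evidence file: it hashes the original, verifies the working copy against it, and keeps a custody log in which each entry also hashes the previous one, so a later edit to the copy or to the log is detected. The file names, actor names and the log layout are assumptions.

```python
"""Verifiable evidence copies and a hash-chained chain-of-custody log (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large captures do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

class CustodyLog:
    """Append-only record: every entry carries the SHA-256 of the entry before it."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, action, actor, evidence_sha256, note=""):
        prev = self._digest(self.entries[-1]) if self.entries else "0" * 64
        entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
                 "actor": actor, "evidence_sha256": evidence_sha256, "note": note,
                 "prev": prev}
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every entry's prev field matches the digest of its predecessor."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            prev = self._digest(entry)
        return True

def acquire(original, working_copy, log, actor):
    """Hash the original, copy it, verify the copy, and log both steps. Returns the digest."""
    original_hash = sha256_file(original)
    log.record("hash-original", actor, original_hash, original)
    shutil.copy2(original, working_copy)
    copy_hash = sha256_file(working_copy)
    if copy_hash != original_hash:
        raise RuntimeError("working copy does not match the original")
    log.record("verified-copy", actor, copy_hash, working_copy)
    return copy_hash

def demo():
    """Run the procedure on a constructed file; returns (copy_ok, log_ok, tamper_detected)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "capture.pcap")            # assumed names, constructed content
    dst = os.path.join(workdir, "capture-working-copy.pcap")
    with open(src, "wb") as handle:
        handle.write(b"constructed evidence bytes, not a real capture")
    log = CustodyLog()
    digest = acquire(src, dst, log, "analyst-1")
    copy_ok = sha256_file(dst) == digest and log.verify()
    with open(dst, "ab") as handle:                        # any change to the copy now shows
        handle.write(b"!")
    tamper_detected = sha256_file(dst) != digest
    log.entries[0]["actor"] = "someone-else"               # a back-dated edit breaks the chain
    log_ok = log.verify()
    shutil.rmtree(workdir)
    return copy_ok, log_ok, tamper_detected
```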
4. Analyze
Of course the analysis process is normally nonlinear, but certain elements should be
considered essential:
• Show correlation between multiple sources of evidence
• Establish a well-documented timeline of activities
• Highlight and further investigate events that are potentially more relevant to the incident
• Corroborate all evidence, which may require more evidence gathering
• Reevaluate the initial plan of attack and make needed adjustments
• Make educated interpretations of evidence that lead to a thorough investigation; look for
  all possible explanations
• Build working theories that can be backed up by the evidence (this is only to ensure a
  thorough investigation)
• SEPARATE YOUR INTERPRETATIONS FROM THE FACTS

5. Report
Nothing you have done to this point, from acquisition through analysis, matters unless you can
convey the results of the investigation to the client(s) or the court; this step deals with that.
Every report you produce must be:
• Understandable by nontechnical people
• Complete and meticulous
• Defensible in every detail
• Completely factual

Classification of Network Forensic Systems

Network forensic systems are classified into different types based on various
characteristics, among them:

• Purpose
• Platform
• Time of analysis
• Data source
• Packet capture

In practice, the purpose, platform and time of analysis may be constrained by the problem or
attack under investigation; here we look at the forensic value of different network devices
and the data sources available on each.

Sources of network Evidence

The basic sources of evidence are:

• Users
• Systems, including backups
• Networking devices / communication

Users:

• First-hand observations

Systems, including backups:

• Existing files
• Deleted files
• Logs
• Special system files (registry keys)
• Print spooler and system memory
• Chat archives
• Backup files and archive files
• Encrypted or password-protected files
• Hidden files
• Internet history
• Email archives
• Storage devices

Sources of Network-Based Evidence and forensic value

Every environment is unique. Large financial institutions have very different equipment,
staff, and network topologies than local government agencies or small health care offices.
Even so, if you walk into any organization you will find similarities in network equipment
and common design strategies for network infrastructure.
I. On the wire
• Investigators can tap into physical cabling to copy and preserve network traffic as it
  is transmitted across the line.
• Taps range from devices that puncture the insulation and make contact with the copper
  wires (e.g. the "vampire tap") to surreptitious fibre taps, which bend the cable and cut
  the sheathing to reveal the light signals as they traverse the glass.

II. In the air

An increasingly popular way to transmit station-to-station signals is via "wireless"
networking, which uses radio frequency (RF) and (less commonly) infrared (IR) waves. The
information that can be captured from the air commonly includes:
• Broadcast SSIDs (and sometimes even non-broadcast ones)
• WAP MAC addresses
• Supported encryption/authentication algorithms
• Associated client MAC addresses
• In many cases, the full Layer 3+ packet contents

III. Switches
• Switches contain a "content addressable memory" (CAM) table, which stores
  mappings between physical ports and each network card's MAC address.
• Using a MAC address, an investigator can determine which switch and port a device was
  connected to.
• A switch can also mirror the traffic of a port or VLAN to a monitoring port, where it can
  be captured with a packet sniffer.
IV. Routers
• Where switches have CAM tables, routers have routing tables.
• Routing tables map ports on the router to the networks that they connect.
• This allows a forensic investigator to trace the path that network traffic takes to
  traverse multiple networks.
V. DHCP servers
• When DHCP servers assign (or "lease") IP addresses, they typically create a log of
  the event which includes the assigned IP address, the MAC address of the device
  receiving the IP address, and the time the lease was provided or renewed.
• DHCP logs can show an investigator exactly which physical network card was
  assigned the IP address in question during the specified time frame.
VI. Name servers
• DNS servers can be configured to log queries for IP address and hostname
  resolutions.
• DNS servers can log not only queries, but also the corresponding times. Therefore,
  forensic investigators can leverage DNS logs to build a timeline of a suspect's
  activities.
• The DNS server may contain logs that reveal connection attempts from internal to
  external systems, including web sites, SSH servers, external email servers, and more.
VII. Authentication servers
• Authentication servers typically log successful and/or failed login attempts and other
  related events.
• Investigators can analyse authentication logs to identify brute-force password-guessing
  attacks, account logins at suspicious hours or from unusual locations, or unexpected
  privileged logins, which may indicate questionable activities.

VIII. Network intrusion detection/prevention systems

• Designed to provide timely data about adverse events on the network.
• Forensic investigators can request that network staff tune the NIDS to gather more
  granular data (source and destination IP addresses, the TCP/UDP ports, and the time
  the event occurred) for specific events of interest or specific sources and destinations.

IX. Firewalls
• Firewalls were designed to implement security policies and prevent violations.
• They were not initially designed to alert security personnel when security violations
  were taking place.
• Firewalls can nevertheless be configured to produce alerts and to log allowed or denied
  traffic, system configuration changes, errors, and a variety of other events.
X. Web proxies
• Web proxies are commonly used within enterprises for two purposes:
  A. to improve performance by locally caching web pages, and
  B. to log, inspect, and filter web surfing traffic.
• Web proxies can be a gold mine for forensic investigators, especially when they are
  configured to retain granular logs for an extended period of time.
• An enterprise web proxy can literally store the web surfing logs for an entire
  organization.
XI. Application servers
• Common types of application servers include database servers, web servers, email
  servers, chat servers, and VoIP/voicemail servers.
• There are far too many kinds of application servers to review every one in depth
  (there have been dozens if not hundreds of books published on each type of
  application server).
XII. Central log servers
• Central log servers aggregate event logs from a wide variety of sources, such as
  authentication servers, web proxies, firewalls, and more.
• Much like intrusion detection systems, central log servers are designed to help
  security professionals identify and respond to network security incidents.
• Devices such as routers, which typically have very limited storage space, may retain
  logs for very short periods of time, but the same logs may be sent in real time to a
  central log server and preserved for months or years.

In this case and others, a network forensic investigation can obtain its sources of evidence
in the following three forms:
• Online/internet investigations and analysis (OSINT)
• Log file investigations from networking devices
• Network configuration for forensic investigations
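The DHCP, DNS and authentication log correlation described in sections V to VII above, as an added Python example that is not from the notes: it resolves an IP address to the network card that held the DHCP lease at each event's own time, builds a per-card timeline from DNS and login events, and counts the failed logins that preceded a success. The three log line formats are constructed for illustration; real servers each log in their own format, so the small parsers would need adapting.

```python
"""Attribute DNS and login events to a physical network card via DHCP leases (added example)."""
from datetime import datetime, timedelta

# Constructed DHCP lease log: time, message, leased IP, client MAC, "lease", seconds.
# The same IP is leased to two different cards on the same morning.
DHCP_LOG = """\
2024-03-01T08:55:10 DHCPACK 10.0.0.25 aa:bb:cc:dd:ee:01 lease 1800
2024-03-01T09:40:00 DHCPACK 10.0.0.25 aa:bb:cc:dd:ee:02 lease 3600
"""
# Constructed DNS query log: time, "client", client IP, "query", record type, name.
DNS_LOG = """\
2024-03-01T09:02:13 client 10.0.0.25 query A files.example.test
2024-03-01T09:03:44 client 10.0.0.25 query A ssh-gateway.example.test
2024-03-01T09:45:30 client 10.0.0.25 query A mail.example.test
"""
# Constructed authentication log: time, client IP, user, result.
AUTH_LOG = """\
2024-03-01T09:01:50 10.0.0.25 user=alice result=FAILED
2024-03-01T09:01:55 10.0.0.25 user=alice result=FAILED
2024-03-01T09:02:01 10.0.0.25 user=alice result=SUCCESS
"""

def _dt(value):
    """Accept either a datetime or an ISO 8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)

def parse_dhcp(text):
    """Leases as (start, end, ip, mac); end = start + lease duration."""
    leases = []
    for line in text.splitlines():
        ts, _, ip, mac, _, seconds = line.split()
        start = _dt(ts)
        leases.append((start, start + timedelta(seconds=int(seconds)), ip, mac))
    return leases

def mac_for_ip(leases, ip, at):
    """MAC that held `ip` at time `at`, or None when no lease covers that moment."""
    at = _dt(at)
    for start, end, lease_ip, mac in leases:
        if lease_ip == ip and start <= at < end:
            return mac
    return None

def parse_dns(text):
    """Events as (time, client_ip, 'dns', 'TYPE name')."""
    events = []
    for line in text.splitlines():
        ts, _, ip, _, qtype, name = line.split()
        events.append((_dt(ts), ip, "dns", f"{qtype} {name}"))
    return events

def parse_auth(text):
    """Events as (time, client_ip, 'auth', 'user=... result=...')."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((_dt(ts), ip, "auth", f"{user} {result}"))
    return events

def timeline_for_mac(mac, leases, events):
    """Sorted (iso_time, kind, detail) for the events attributable to `mac`.
    The IP is resolved to a MAC at each event's own time, so activity of the card that
    held the lease earlier is not blamed on the card that holds it now."""
    return sorted((ts.isoformat(), kind, detail)
                  for ts, ip, kind, detail in events
                  if mac_for_ip(leases, ip, ts) == mac)

def failures_before_success(events, window=timedelta(minutes=5)):
    """For each SUCCESS login: (iso_time, ip, user, failed attempts from that IP in the window)."""
    auth = sorted(e for e in events if e[2] == "auth")
    hits = []
    for ts, ip, _, detail in auth:
        if detail.endswith("SUCCESS"):
            failed = sum(1 for t2, ip2, _, d2 in auth
                         if ip2 == ip and d2.endswith("FAILED") and ts - window <= t2 < ts)
            hits.append((ts.isoformat(), ip, detail.split()[0], failed))
    return hits
```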

Internet Cookies
A cookie (also called an Internet or Web cookie) is a type of message that a web server gives
to a web browser, which then saves it. The main purpose of a cookie is to identify users and
possibly prepare customized Web pages, or to save site login information for you.

When you enter a website that uses cookies, you may be asked to fill out a form providing
personal information such as your name, password, username, email address, and interests.
This information is packaged into a cookie and sent to your Web browser, which then stores
the information for later use. The next time you go to the same Web site, your browser will
send the cookie to the Web server; the cookie is sent back to the server each time the browser
requests a page from it.

A web server keeps no memory of previous requests, so the website you are visiting transfers
a cookie file to the browser on your computer's hard disk so that the site can remember who
you are and your preferences. This exchange allows the Web server to use the stored
information to present you with customized Web pages. So, for example, instead of seeing
just a generic welcome page you might see a welcome page with your name on it.

TYPES OF COOKIES

I. Single-session cookies
Also called a transient cookie: a cookie that is erased when you close the Web browser. The
session cookie is stored in temporary memory and is not retained after the browser is closed.
Session cookies do not collect information from your computer. They typically store
information in the form of a session identifier that does not personally identify the user.
II. Persistent/multi-session cookies
Also called a permanent cookie or a stored cookie: a cookie that is stored on your hard drive
until it expires (persistent cookies are set with expiration dates) or until you delete it.
Persistent cookies are used to collect identifying information about the user, such as Web
surfing behavior or user preferences for a specific Web site.

Uses

• Collect information about the pages you view and your activities on the site
• Enable the site to recognize you, for example by:
  - remembering your user ID
  - offering an online shopping cart
  - keeping track of your preferences if you visit the website again
• Customize your browsing experience
• Deliver ads targeted to you
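As an added example (not from the notes), this Python snippet shows how the session/persistent distinction above is visible in the Set-Cookie header a server sends: a cookie with neither an Expires nor a Max-Age attribute is a session cookie, any other is persistent, and a persistent cookie whose expiry is already in the past is an instruction to delete it (rules per RFC 6265, where Max-Age takes precedence over Expires). The sample headers are constructed.

```python
"""Classify Set-Cookie headers as session or persistent cookies (added example)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers, one cookie each.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",                      # no expiry: session
    "prefs=lang%3Den; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Path=/",  # persistent
    "tracker=xyz; Max-Age=2592000; Domain=ads.example.test",           # persistent, 30 days
    "old=1; Max-Age=0; Path=/",                                        # tells browser to delete
]

def parse_set_cookie(header, now=None):
    """Return a dict describing one Set-Cookie header value.

    `now` must be a timezone-aware datetime (defaults to the current UTC time); it is
    needed to turn Max-Age into an absolute expiry and to decide whether a cookie is
    already expired.
    """
    now = datetime.now(timezone.utc) if now is None else now
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None,
              "path": None, "secure": False, "httponly": False}
    max_age = expires = None
    for attribute in parts[1:]:
        key, _, val = attribute.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            max_age = int(val)                       # seconds from now; may be 0 or negative
        elif key == "expires":
            expires = parsedate_to_datetime(val)     # RFC 1123 date, timezone-aware
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key in ("domain", "path"):
            cookie[key] = val
    if max_age is not None:                          # Max-Age wins when both are present
        cookie["expires"] = now + timedelta(seconds=max_age)
    else:
        cookie["expires"] = expires                  # None when the server sent neither
    cookie["type"] = "session" if cookie["expires"] is None else "persistent"
    cookie["deleted"] = cookie["expires"] is not None and cookie["expires"] <= now
    return cookie

def summarize(headers, now_iso=None):
    """(name, type, deleted) per header; now_iso (e.g. '2024-03-01T00:00:00+00:00')
    pins 'now' so results are reproducible."""
    now = datetime.fromisoformat(now_iso) if now_iso else None
    return [(c["name"], c["type"], c["deleted"])
            for c in (parse_set_cookie(h, now) for h in headers)]
```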
Network forensic tools
Network forensic tools allow us to monitor networks, gather information about the traffic,
and assist in network crime investigation. Forensic tools help in analysing insider theft and
misuse of resources, predicting attack targets, performing risk assessment, evaluating network
performance, and protecting intellectual property. Forensic tools can capture the entire network
traffic, allow users to analyse network traffic according to their needs, and discover significant
features about the traffic. Forensic tools synergize with intrusion detection systems and
firewalls and make long-term preservation of network traffic records for quick analysis.
These tools are called network forensic analysis tools (NFAT).

Commonly used network forensic tools, by category:

• Vulnerability assessment tools: Metasploit, Nessus, Nikto, Yersinia, Wikto
• Network scanning tools: Nmap, Angry IP Scanner, Wireless Network Watcher, IPTraf,
  Visual Route
• Network monitoring tools: ntop, Tcpstat, Activity Monitor
• Host-side artifacts: netstat, nbtstat, ifconfig/ipconfig, SysInternals, ntop, ARP
• Website analyzers: Analog, Deep Log Analyzer, AWStats, Paros, HP WebInspect,
  Scrawlr, KeepNI
• Locating IP addresses: nslookup, traceroute, WHOIS, Hide Real IP, IP Detective Suite

Online Analysis of Network Traffic

Network traffic also enables an investigator to extract information that is difficult to obtain
from host-based evidence, such as IP addresses, other identity information a user relies on,
and passwords.

• Specialized knowledge and tools are required to process network traffic as a source of
  evidence.
• In general, there is only one chance to capture real-time network data from a network.

Sniffing

• The goal is generally to obtain information: account usernames, passwords, source
  code, business-critical information.
• A sniffer is usually a program that places an Ethernet adapter into promiscuous mode and
  saves the captured information for retrieval later.
• Hosts running the sniffer program are compromised using host attack methods.

Online Monitoring
If you need online analysis of a network, you need to capture packets. Network traffic
analysis requires online capturing and analysis of packets in real time.

I. TAPs / Test Access Ports

• Devices specially built for accessing traffic between network devices
• Usually pre-installed at important traffic points
• Physical devices able to capture traffic at the physical layer

II. SPAN port - Switched Port Analyzer (port mirroring)

• Provided on good switches
• A switch can be configured to copy one or more switch ports to a dedicated port.
• A capture device connected to the SPAN port sees traffic flowing through the specified
  switch ports.
• A SPAN port only copies valid network packets. Error packets may be ignored and
  not copied.

If we really want to know what is happening on our network, we will need to capture traffic.
III. Network packet capture (PCAP)
• The process of intercepting and logging traffic as it crosses a point in the network.
• Real-time (online) collection of data as it travels over the network.
• Capture is the process carried out by a packet analyzer, also known as a protocol
  analyzer or network analyzer.
Systematic capture and analysis of network events and traffic, in order to trace and prove a
network incident, comes in two forms:
• Online capture and analysis
• Offline analysis
It is the online capture of user activity that can be useful in network forensics, such as:
• Visited websites
• Time spent browsing them
• Successful and unsuccessful login attempts
• Illegal file downloads, intellectual property abuse, etc.

Packet files not only contain a wealth of information, but data can be retrieved from them
in various groupings, such as individual frames, client-server conversations, packet
streams, flows, and sessions.

How can we capture packets?

• A network tap is a system that monitors events on a local network in order to aid
  administrators (or attackers) in analyzing the network.
• Configure a SPAN or mirror port.
• Use the built-in packet capture features of firewalls or routers.
• Use an application like Wireshark (a packet capturing tool).

In network forensics, packets are captured and examined to help diagnose and solve
network problems such as:
• Enforcing network security policies and identifying security threats
• Identifying who is communicating with whom and what data is sent and received over
  the network
• Investigating high bandwidth usage
• Identifying network congestion
• Identifying data/packet loss
• Detecting malicious network traffic and behavior
• Forensic network analysis
Packet capture can be performed in-line or using a copy of the traffic that is sent by network
switching devices to a packet capture device.

Method of packet capturing

Systems used to collect network data for forensic use usually come in two forms:
1. "Catch it as you can" method:
  • Full packet capture.
  • It guarantees that there is no omission of important network events.
  • This process is time-consuming and needs a large storage volume.
2. "Stop, look and listen" method:
  • Packet capture analysis.
  • Administrators watch each data packet that flows across the network but capture
    only what is considered suspicious and deserving of an in-depth analysis.
  • It does not consume much space, but it may require significant processing power.
  • It requires significant technical skills, and is often performed with tools such as
    Wireshark.

Packet Capture Considerations

To successfully perform a packet capture, there are a few things to consider, including:
1. What to capture
  • What packets do you intend to capture?
  • Do you want packets only from/to the particular device on which the packet capture
    tool is running?
  • Traffic on the device's interface may include multicast and broadcast.
  • To capture packets other than the device's own, the interface must run in
    "promiscuous" mode (or "monitor" mode in the case of wireless).
  • It is important to note that some interfaces do not support promiscuous mode, and
    even if they do, some operating systems do not support it.
2. When to capture
  • Packet capture is the most powerful technique.
  • When you need to see what client and server are actually saying to each other.
  • When you need to analyze the types of traffic on the network.
  • It requires an understanding of network protocols to use effectively.
3. Where to capture (capture point)
  • A capture point is a traffic transit point where a packet is captured. Capture points
    need to define the following:
    - IPv4 or IPv6
    - Interface, e.g. Fast Ethernet
    - Direction of traffic at the interface: in (ingress), out (egress) or both
  • Note: different vendors use different terminology for this feature, including port
    mirroring, Switched Port Analyzer (SPAN), etc.
4. Storage concerns (capture buffer)
  • The last factor to consider is where to store the captured packets.
  • A capture buffer is an area in memory for holding packet data.
  • There are two types of capture buffer: linear and circular.
    - Linear capture buffer: when the capture buffer is full, it stops capturing data.
    - Circular capture buffer: when the capture buffer is full, it continues capturing
      data by overwriting older data.

Network Packet Capture & Analysis

Packet capture is a networking term for intercepting a data packet that is crossing a specific
point in a data network. Once a packet is captured in real time, it is stored for a period of time
so that it can be analyzed, and then either downloaded, archived or discarded. Packets are
captured and examined to help diagnose and solve network problems such as:

• Identifying security threats
• Troubleshooting undesirable network behaviors
• Identifying network congestion
• Identifying data/packet loss
• Forensic network analysis


Creating capture packet data formats

• Network analyzers such as Wireshark create .pcap files to collect and record packet data
  from a network.
• There are several PCAP file formats, including:
  - Libpcap: packet sniffing tools like tcpdump use the libpcap format.
  - WinPcap: tools like Wireshark, Nmap, and Snort use WinPcap to monitor devices.
  - PCAPng:
    - pcapng adds extended timestamp precision, user comments, and capture statistics
      to provide the user with additional information.
    - Tools like Wireshark use PCAPng because it can record more information than PCAP.
  - Npcap:
    - The library is faster and more secure than WinPcap.
    - Npcap is also supported by Wireshark.
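As an added example (not from the notes, and not code from libpcap, tcpdump or Wireshark), this Python code writes and parses the classic libpcap .pcap layout those tools read, and tells a pcap file with microsecond or nanosecond timestamps apart from a pcapng file by its magic number. The Ethernet frame is constructed, not captured; the layout follows the public libpcap file format (24-byte global header, then a 16-byte record header plus captured bytes per packet).

```python
"""Write and read the classic libpcap (.pcap) file layout; recognise pcapng (added example)."""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # classic pcap, nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A    # pcapng Section Header Block type (same in either byte order)
LINKTYPE_ETHERNET = 1

# Constructed Ethernet II frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), dummy payload.
SAMPLE_FRAME = (bytes.fromhex("aabbccddee02") + bytes.fromhex("aabbccddee01")
                + b"\x08\x00" + bytes(20))

def write_pcap(packets, snaplen=65535, nanoseconds=False):
    """packets: iterable of (timestamp_seconds: float, frame: bytes). Returns file bytes."""
    magic = PCAP_MAGIC_NS if nanoseconds else PCAP_MAGIC_US
    # global header: magic, version 2.4, timezone offset, sigfigs, snaplen, link type
    out = bytearray(struct.pack("<IHHiIII", magic, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        secs = int(ts)
        frac = round((ts - secs) * (1_000_000_000 if nanoseconds else 1_000_000))
        data = frame[:snaplen]               # caplen may be shorter than the original length
        out += struct.pack("<IIII", secs, frac, len(data), len(frame))
        out += data
    return bytes(out)

def identify(data):
    """('pcap', '<' or '>', 'us' or 'ns') for classic pcap, ('pcapng', None, None) for pcapng."""
    if len(data) < 4:
        raise ValueError("too short to be a capture file")
    for endian in ("<", ">"):                # a pcap file may be written in either byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic == PCAPNG_MAGIC:
            return "pcapng", None, None
        if magic == PCAP_MAGIC_US:
            return "pcap", endian, "us"
        if magic == PCAP_MAGIC_NS:
            return "pcap", endian, "ns"
    raise ValueError("not a pcap or pcapng file")

def read_pcap(data):
    """Parse a classic pcap file into its header fields and a list of packet records."""
    kind, endian, resolution = identify(data)
    if kind != "pcap":
        raise ValueError("pcapng is block-based and needs a different reader")
    _, vmajor, vminor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, offset = [], 24
    while offset + 16 <= len(data):
        secs, frac, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + caplen]
        if len(frame) != caplen:             # file cut off mid-packet (e.g. capture crashed)
            raise ValueError("truncated record")
        offset += caplen
        packets.append({"secs": secs, "frac": frac, "resolution": resolution,
                        "caplen": caplen, "len": origlen, "frame": frame})
    return {"version": (vmajor, vminor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}

def ethernet_addrs(frame):
    """(dst MAC, src MAC, EtherType) from an Ethernet II frame header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return fmt(frame[:6]), fmt(frame[6:12]), struct.unpack("!H", frame[12:14])[0]
```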

Packet Capture Tools

• We have to decide what we want:
  - To perform a packet capture, the first thing we need to do is decide what our goal is.
    Are we only interested in capturing packets, or do we also want to analyze the
    captured packets?
  - How do you go about it?
• Network packet capture tools are available for the following functions:
  - Packet capture (sniffer)
  - Packet analysis
  - Protocol analysis, and sometimes even
  - Traffic monitoring
• Popular packet capture and network analyzer tools include:
  - Wireshark
  - NetworkMiner
  - Fiddler
  - SolarWinds
  - PRTG Network Monitor
  - Splunk
  - EtherApe
  - etc.

Analysis of packet capture data typically requires significant technical skills, and is often
performed with tools such as Wireshark and the others listed above.
