Network Forensics
Network forensics generally has two methods of information gathering:
1. Relating to security: this involves monitoring a network for anomalous traffic and
identifying intrusions. An attacker might be able to erase all log files on a
compromised host; network-based evidence might therefore be the only evidence
available for forensic analysis.
2. Relating to law enforcement: in this case, analysis of captured network traffic can
include tasks such as reassembling transferred files, searching for keywords and
parsing human communication such as emails, browsing history, successful/failed
logins, downloaded files, web and application usage, passwords and usernames, or chat
sessions.
Advantages of network forensic investigations:
• WHO
• WHAT: What are the resources needed? (People, equipment, budget and network
devices)
• WHERE
• HOW
• WHEN
A network attack can be defined as any method, process, or means used to maliciously attempt
to compromise network security.
1. ACTIVE ATTACK
An active attack tries to change system resources or affect their operation, and always causes
damage to the system.
2. PASSIVE ATTACK
A passive attack tries to read or make use of information from the system but does not influence
system resources.
The following are the main categories of attacks launched against networks:
IP spoofing
Router attacks
Eavesdropping
Denial of service
Man-in-the-middle attack
Sniffing
Data modification
etc.
Forensics can be applied to many situations to solve performance, security and policy
problems on today's high-speed networks. The evidence it produces includes:
Best evidence: can be produced in court (a recovered file, a bit-for-bit snapshot of a
network transaction)
Direct evidence: an eyewitness
Forensic investigators should perform their work using a sound forensic methodological
framework to ensure a useful outcome. The following methodological framework is
recommended.
1. Obtain information
Whatever kind of forensic investigator you are, you will always need to do two things at the
beginning of an investigation: obtain information about the incident itself, and obtain
information about the environment.
A. Incident description
Usually you will want to know the following things about the incident:
Information regarding incident discovery
Known persons involved
Systems and / or data known to be involved
Actions taken by organization since discovery
Potential legal issues
Working time frame for investigation and resolution
Specific goals, Etc.
This list is simply a starting point, and you will need to customize it for each incident.
B. The Environment
The information you gather about the environment will depend on your level of familiarity
with it. Remember that every environment is constantly changing, and complex social and
political dynamics occur during an incident. Even if you are very familiar with an
organization, you should always take the time to understand how the organization is
responding to this particular incident, and clearly establish who needs to be kept in the loop.
Usually you will want to know the following things about the environment:
Working business model and enforceable policies
Potential legal issues involved with said business model and policies
Organizational structure
Network topology
Possible network evidence sources
Incident response management procedures
Central communication systems (investigator communication and evidence
repository)
Available resources
Staff
Equipment
Funding
Time
2. Strategize
Understand the goals and time frame for investigation
Organize and list resources
Identify and document evidence sources
Estimate value of evidence versus value of obtaining it
Prioritize based on this estimate
Plan of attack – both for acquisition and analysis
Set up schedule for regular communication between investigators
Remember that this is fluid and will most likely have to be adjusted
3. Collect evidence
In the previous step, “Strategize,” we prioritized our sources of evidence and came up with an
acquisition plan. Based on this plan, we then collect evidence from each source. There are
different components you must address every time you acquire evidence:
Document
Lawfully capture evidence
Make cryptographically verifiable copies
Set up secure storage of collected evidence
Establish chain of custody
Analyze copies only
Use legally obtained, reputable tools
Document every step
4. Analyze
Of course the analysis process is normally nonlinear, but certain elements should be
considered essential:
Show correlation with multiple sources of evidence
Establish a well-documented timeline of activities
Highlight and further investigate events that are potentially more relevant to incident
Corroborate all evidence, which may require more evidence gathering
Reevaluate initial plan of attack and make needed adjustments
Make educated interpretations of evidence that lead to a thorough investigation, look for
all possible explanations
Build working theories that can be backed up by the evidence (this is only to ensure a
thorough investigation)
• SEPARATE YOUR INTERPRETATIONS FROM THE FACTS
5. Report
Everything you have done to this point, from acquisition through analysis, leads to this step,
which deals with conveying the results of the investigation to the client(s) or courts.
Every report must cover:
Purpose
Platform
Time of Analysis
Data Source
Packet Capture
In network forensics, the purpose, platform and time of analysis depend on the problem or
attack under investigation. We now look at the forensic value of different network devices
and the data sources available on each device.
Users
Systems including backups
Networking devices / communication
Users:
Existing files
Deleted files
Logs
Special System files (Registry keys)
Print spooler and system memory
Chat Archive
Backup files and Archive files
Encrypted or password protected files
Hidden files
Internet History
Email archive
Storage devices
III. Switches
Switches contain a "content addressable memory" (CAM) table, which stores
mappings between physical ports and each network card's MAC address.
Using a MAC address, an investigator can determine the switch and the corresponding port
a device was connected to.
A switch can also be configured with a VLAN or a mirroring port so that traffic can be
captured from the mirror port with a packet sniffer.
IV. Routers
Where switches have CAM tables, routers have routing tables.
These tables map ports on the router to the networks that they connect.
This allows a forensic investigator to trace the path that network traffic takes to
traverse multiple networks.
V. DHCP Servers
When DHCP servers assign (or “lease”) IP addresses, they typically create a log of
the event which includes the assigned IP address, the MAC address of the device
receiving the IP address, and the time the lease was provided or renewed.
DHCP logs can show an investigator exactly which physical network card was
assigned the IP address in question during the specified time frame.
VI. Name Servers
DNS servers can be configured to log queries for IP address and hostname
resolutions.
DNS servers can log not only queries, but also the corresponding times. Therefore,
forensic investigators can leverage DNS logs to build a timeline of a suspect's
activities.
The DNS server may contain logs that reveal connection attempts from internal to
external systems, including web sites, SSH servers, external email servers, and more.
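As an added example (not code from the notes), the following Python joins the two log sources just described: DHCP leases say which MAC address held an IP at a given time, and DNS query logs say what that IP looked up, so each query can be attributed to a physical network card. The log wording, addresses and times are constructed, and lease expiry is deliberately not modelled.

```python
# Added example, not from the lecture notes: attribute DNS queries to a physical
# network card by joining constructed DHCP lease and DNS query logs on (IP, time).
import re
from datetime import datetime

# Constructed sample lines (dhcpd/BIND-like wording; addresses and times made up).
DHCP_LOG = """\
2024-03-01T09:00:00 DHCPACK on 10.0.0.25 to aa:bb:cc:dd:ee:01 via eth0
2024-03-01T09:30:00 DHCPACK on 10.0.0.25 to aa:bb:cc:dd:ee:02 via eth0
2024-03-01T10:00:00 DHCPACK on 10.0.0.40 to aa:bb:cc:dd:ee:03 via eth0
"""
DNS_LOG = """\
2024-03-01T09:05:12 client 10.0.0.25 query: intranet.example.test IN A
2024-03-01T09:45:30 client 10.0.0.25 query: files.example.test IN A
2024-03-01T10:02:00 client 10.0.0.40 query: mail.example.test IN A
2024-03-01T08:59:00 client 10.0.0.25 query: early.example.test IN A
"""
DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to ([0-9a-f:]{17})")
DNS_RE = re.compile(r"^(\S+) client (\S+) query: (\S+) IN (\S+)")

def parse_leases(text):
    """Return [(time, ip, mac)] in time order; each DHCPACK starts a new lease."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append((datetime.fromisoformat(m[1]), m[2], m[3]))
    return sorted(leases)

def mac_for(leases, ip, when):
    """MAC that held `ip` at `when`: the latest DHCPACK for that IP at or before `when`.
    Returns None if no lease existed yet, rather than guessing an owner."""
    owner = None
    for t, lease_ip, mac in leases:
        if lease_ip == ip and t <= when:
            owner = mac
    return owner

def attribute_dns(dhcp_text, dns_text):
    """Time-ordered list of (iso_time, mac_or_None, ip, qname) for every query."""
    leases = parse_leases(dhcp_text)
    rows = []
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            when = datetime.fromisoformat(m[1])
            rows.append((when.isoformat(), mac_for(leases, m[2], when), m[2], m[3]))
    return sorted(rows, key=lambda r: r[0])
```

Note that the 09:45 query is attributed to the second MAC even though the IP did not change, and the 08:59 query stays unattributed because no lease had been issued yet.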
VII. Authentication Servers
Authentication servers typically log successful and/or failed login attempts and other
related events.
Investigators can analyse authentication logs to identify brute-force password-
guessing attacks, account logins at suspicious hours or unusual locations, or
unexpected privileged logins, which may indicate questionable activities.
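As an added example (not code from the notes), the following Python applies the brute-force indicator described above to constructed sshd-style authentication log lines: it counts failures per source inside a sliding time window and records whether a successful login from that source followed the burst. The log format, hosts and account names are constructed.

```python
# Added example, not from the lecture notes: flag password-guessing in constructed
# authentication-server log lines (many failures from one source within a short
# window), and record whether a success from that source followed the burst.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in sshd-style wording; hosts and account names made up.
AUTH_LOG = """\
2024-03-01T02:00:01 sshd: Failed password for admin from 203.0.113.9
2024-03-01T02:00:03 sshd: Failed password for admin from 203.0.113.9
2024-03-01T02:00:04 sshd: Failed password for root from 203.0.113.9
2024-03-01T02:00:06 sshd: Failed password for admin from 203.0.113.9
2024-03-01T02:00:07 sshd: Failed password for admin from 203.0.113.9
2024-03-01T02:00:09 sshd: Accepted password for admin from 203.0.113.9
2024-03-01T08:15:00 sshd: Failed password for alice from 10.0.0.7
2024-03-01T08:15:20 sshd: Accepted password for alice from 10.0.0.7
"""
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)")

def parse_auth(text):
    """Yield (time, outcome, user, source) for each recognised line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def find_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {source: {"failures": n, "success_after": user_or_None}} for each
    source with at least `threshold` failures inside one sliding `window`."""
    hits = {}
    recent = defaultdict(list)  # source -> timestamps of failures still in window
    for when, outcome, user, src in sorted(parse_auth(text)):
        if outcome == "Failed":
            recent[src] = [t for t in recent[src] if when - t <= window] + [when]
            if len(recent[src]) >= threshold:
                hit = hits.setdefault(src, {"failures": 0, "success_after": None})
                hit["failures"] = max(hit["failures"], len(recent[src]))
        elif src in hits and recent[src] and when - recent[src][-1] <= window:
            hits[src]["success_after"] = user  # a success right after the burst
    return hits
```

A single mistyped password (alice) does not reach the threshold, while the burst from 203.0.113.9 is flagged together with the account that was then logged into.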
IX. Firewalls
Firewalls were designed to enforce security policies and prevent violations.
They were not initially designed to alert security personnel when security
violations were taking place.
Firewalls can, however, be configured to produce alerts and log allowed or denied traffic,
system configuration changes, errors, and a variety of other events.
X. Web Proxies
Web proxies are commonly used within enterprises for two purposes:
Internet Cookies
A cookie (also called an Internet or Web cookie) is a small message that a web server gives
to a web browser, which saves it. The main purpose of a cookie is to identify users and
possibly prepare customized Web pages or to save site login information for you.
When you enter a website that uses cookies, you may be asked to fill out a form providing
personal information, like your name, password, username, email address, and interests. This
information is packaged into a cookie and sent to your Web browser, which then stores the
information for later use. The next time you go to the same Web site, your browser will send
the cookie to the Web server, and it is sent back to the server each time the browser
requests a page from the server.
A web server has no memory of earlier requests, so the website you are visiting stores a
cookie file through the browser on your computer's hard disk so that the site can remember
who you are and your preferences. This message exchange allows the Web server to use this
information to present you with customized Web pages. So, for example, instead of seeing just
a generic welcome page you might see a welcome page with your name on it.
TYPES OF COOKIES
I. Single-Session cookies
Also called a transient cookie: a cookie that is erased when you close the Web browser. The
session cookie is stored in temporary memory and is not retained after the browser is closed.
Session cookies do not collect information from your computer. They typically will store
information in the form of a session identification that does not personally identify the user.
II. Persistent/Multi-Session cookies
Also called a permanent cookie or a stored cookie: a cookie that is stored on your hard drive
until it expires (persistent cookies are set with expiration dates) or until you delete the cookie.
Persistent cookies are used to collect identifying information about the user, such as Web
surfing behavior or user preferences for a specific Web site.
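As an added example (not code from the notes), the following Python classifies Set-Cookie headers by the two types just described: a cookie with neither Expires nor Max-Age lasts only for the browser session, while either attribute makes it persistent until that moment. The sample headers, names and the fixed "now" are constructed.

```python
# Added example, not from the lecture notes: classify Set-Cookie headers by the two
# types described above. No Expires/Max-Age means a session cookie; either attribute
# makes it persistent until that moment (Max-Age takes precedence, per RFC 6265).
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (names and values are made up) and a fixed "now".
SET_COOKIE_HEADERS = [
    "SESSIONID=8f3a2c; Path=/; HttpOnly",
    "prefs=lang%3Den; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "cart=42; Max-Age=2592000; Path=/shop",
    "tracker=abc; Max-Age=0",
]
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

def classify_cookie(header, now=NOW):
    """Return (name, kind, expires): kind is 'session', 'persistent' or 'expired'
    (a persistent cookie whose expiry is already past, e.g. Max-Age=0 deletes it)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value
    if "max-age" in attrs:
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
    else:
        return name, "session", None
    return name, "expired" if expires <= now else "persistent", expires

def classify_all(headers=SET_COOKIE_HEADERS, now=NOW):
    """Classify every header in the list against the same reference time."""
    return [classify_cookie(h, now) for h in headers]
```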
Uses:
• collect information about the pages you view and your activities on the site
• enable the site to recognize you, for example by:
  - remembering your user ID
  - offering an online shopping cart
  - keeping track of your preferences if you visit the website again
• customize your browsing experience
• deliver ads targeted to you
Network forensic tools
Network forensic tools allow us to monitor networks, gather information about the traffic,
and assist in network crime investigation. Forensic tools help in analysing insider theft and
misuse of resources, predicting attack targets, performing risk assessment, evaluating network
performance, and protecting intellectual property. Forensic tools can capture the entire network
traffic, allow users to analyse network traffic according to their needs and discover significant
features about the traffic. Forensic tools synergize with intrusion detection systems and
firewalls and allow long-term preservation of network traffic records for quick analysis.
These tools are called network forensic analysis tools (NFAT).
Specialized knowledge and tools are required to process network traffic as a source of
evidence.
In general, there is only one chance to capture real-time network data from a network.
Sniffing
Online Monitoring
Online analysis of a network requires capturing packets. Network traffic analysis requires
online capturing and analysis of packets in real time.
If we really want to know what is happening on our network, we will need to capture traffic.
III. Network packet capture (PCAP)
Packet capture is the process of intercepting and logging traffic as it crosses a network.
It is the real-time (online) collection of data as it travels over networks.
Capture is the process carried out by a packet analyzer, also known as a protocol
analyzer or network analyzer.
It is the systematic capture and analysis of network events and traffic in order to trace and
prove a network incident.
Online capture and analysis
Offline analysis
Online capture of user activity can be useful in network forensics, for example:
• Visited websites
• Time spent on browsing them,
• Successful and unsuccessful login attempts,
• Illegal file downloads, intellectual property abuse, etc.
Packet files not only contain a wealth of information, but data can be retrieved from them
in various groupings, such as individual frames, client-server conversations, packet
streams, flows, and sessions.
In network forensics, packets are captured and examined to help diagnose and solve
network problems such as:
• Enforcing network security policies (identifying security threats)
• Help in identifying who is communicating with whom and what data is sent
and received over the network.
• Trying to investigate high bandwidth usage
• Identifying network congestion
• Identifying data/packet loss
• To detect malicious network traffic and behavior.
• Forensic network analysis
Packet capture can be performed in-line or using a copy of the traffic that is sent by network
switching devices to a packet capture device.
There are many different PCAP file formats and capture libraries, including:
Libpcap: packet sniffing tools like tcpdump use the Libpcap format.
WinPcap: tools like Wireshark, Nmap, and Snort use WinPcap to monitor devices.
PCAPng
Npcap
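As an added example (not code from the notes or from any of the tools named), a minimal Python reader for the classic Libpcap file format that tcpdump writes: it checks the magic number, byte order and record lengths so that a truncated or non-pcap file is rejected rather than silently parsed in part. The sample capture is constructed inside the block.

```python
# Added example, not from the lecture notes: a minimal reader for the classic
# libpcap file format that tcpdump writes: a 24-byte global header followed by
# 16-byte per-packet record headers, each with its captured bytes.
import struct

# Magic number (read little-endian) -> (byte order of the file, timestamp ticks/s).
MAGICS = {0xA1B2C3D4: ("<", 10**6), 0xA1B23C4D: ("<", 10**9),
          0xD4C3B2A1: (">", 10**6), 0x4D3CB2A1: (">", 10**9)}

def read_pcap(blob):
    """Parse a libpcap byte string into header fields plus a list of packet records.
    Raises ValueError on a wrong magic or a truncated record, so a damaged copy of
    evidence is reported instead of silently yielding fewer packets."""
    if len(blob) < 24:
        raise ValueError("too short for a libpcap global header")
    (magic,) = struct.unpack("<I", blob[:4])
    if magic not in MAGICS:
        raise ValueError("not a libpcap file: magic 0x%08x" % magic)
    order, ticks = MAGICS[magic]
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(order + "IHHiIII", blob[:24])
    packets, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, incl, orig = struct.unpack(order + "IIII", blob[off:off + 16])
        off += 16
        if incl > snaplen or off + incl > len(blob):
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append({"ts": sec + frac / ticks, "incl_len": incl,
                        "orig_len": orig, "data": blob[off:off + incl]})
        off += incl
    return {"version": (vmaj, vmin), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}

def build_pcap(frames, linktype=1, snaplen=65535):
    """Write a little-endian, microsecond libpcap blob; used only to build sample input."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for sec, usec, data in frames:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

# Constructed sample capture: two tiny frames with arbitrary payload bytes.
SAMPLE = build_pcap([(1709283600, 250000, b"\x00" * 14 + b"first"),
                     (1709283601, 0, b"\x00" * 14 + b"second")])
```

PCAPng files begin with a different block structure and are not handled here; the magic check makes the reader refuse them rather than misread them.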
The first thing we need to do is decide what our goal is. Are we only interested
in capturing packets, or do we also want to analyze the captured packets?
Packet analyzer
Traffic monitoring
Wireshark
NetworkMiner
Fiddler
SolarWinds
Splunk
EtherApe
Etc.
Analysis of packet capture data typically requires significant technical skills, and is often
performed with tools such as Wireshark and the others listed above.