Chapter 7: Network Forensics

1. Introduction
2. Generic Cyber Incident Response
3. Network Forensics Architecture
4. Network Forensics Data
5. Analysis Techniques

Introduction
• Network forensics: allows analyzing network-related data with the objective to identify malicious activities, discover their details, and assess the damage.
• Issues with network forensics analysis:
  • Encryption, and activity that happens on the victim host itself.
  • Cannot rely on network forensics when an attacker runs a local exploit to replace good system binaries with Trojan binaries or changes the system configuration.

Introduction (cont.)
• Analysis of network data can reveal a detailed portrait of network activity.
• In network forensic investigations, statistical analysis of network data can serve a variety of purposes, including:
  • Identifying Compromised Hosts
    • Often, compromised hosts send out more traffic than normal, transmit or receive traffic on unusual ports, or communicate with other systems that are known to be malicious.

Introduction (cont.)
  • Confirming or Disproving Data Leakage
    • Network investigators often receive flow records with requests to determine whether an unknown attacker exported sensitive information across the network perimeter. If the time frame is bounded, and flow records are comprehensive, it is possible to analyze the volume of exported data and determine whether a leak may have occurred.
  • Individual Profiling
    • Network data can provide a surprisingly rich picture of an individual’s activity. Network data from a user’s workstation can reveal normal working hours, periods of inactivity, lunch times, break times, sources of entertainment, inappropriate activity, and more.

Generic Cyber Incident Response
• Network forensics (along with memory/disk forensics) is a core aspect of cyber incident response.
• A commonly accepted Incident Response (IR) process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned
  (Diagram of the six phases, with an analyze/iterate loop.)

Generic Cyber Incident Response (cont.)
NIST SP 800-61rev2 incident handling workflow
In the incident response workflow (ISO 27035, NIST 800-61), detection is the part where incident handling begins. The first part of the workflow deals with preparation for incidents, while the later ones are about recovery and post-incident activity.

Network Forensics Architecture
(Diagram only.)

Network Forensics Data
Acquisition Modes
- Two types of acquisition approaches:
  - Passive acquisition: happens when data is gathered without emitting data at OSI Layer 2 (data link layer) or above.
    - E.g., sniffing falls into this category.
  - Active acquisition: happens when evidence is gathered by interacting with systems on the network.
    - E.g., by sending queries to them, or by having systems log to a log host, SIEM or management station. This may even include scanning the network.
- Acquisition should preserve data integrity:
  - do not change the packets, send out additional packets or alter the network configuration.

Network Forensics Data
• Many data sources:
  • Firewall logs, which provide:
    • Source IP address of the suspect
    • Destination IP address
    • Protocol being used in the suspicious activity
    • Source port of the suspect
    • Destination port targeted by the suspect
  • Network binary logs
    • Consist of the payload of the network binary.
    • ASCII SESSION logs broken out to a separate file for easier analysis.
  • Intrusion detection alerts
  • System logs, which answer:
    • How did the suspect/attacker get in?
    • Where did the suspect/attacker come from?
    • What is the system activity?
  • Keystroke logs
    • Counter encrypted communications channels (e.g. based on SSH or SSL) used by the attacker.
  • File System
• Forensics analysis consists of pulling valuable information from each of these data sources so we can track attacker activity.
  • Primary objective: replay the attack, and learn the motives, tools, and tactics of the attacker.

Network Forensics Data (cont.)
Network Packets
It is completely reasonable to capture all the packets.
■ Disks have gotten bigger faster than network connections have gotten faster.
■ This is an engineering problem.
■ Once implemented, it can also be a privacy problem.
Systems can capture the entire packet or just the packet header.

Network Forensics Data (cont.)
Network Packets
With just headers, you can only get source, destination, size, timestamps, ports, etc.

Network Forensics Data (cont.)
Network Packets
With the full packets, you can get all the content. Some vendors call this “deep packet inspection” or “deep packet analysis.”
Primary use is to discover inappropriate data transfer or service use:
■ Use of outside chat or web mail services.
■ Leaking protected health information.
■ Restricted information.
Also good for finding privacy violations.

Network Forensics Data (cont.)
Session Data
- Consists of aggregated traffic metadata and usually refers to the conversation between two network entities, grouped together into "flows" and/or groups of network packets related to one another. E.g.:
  44 packets seen; 44 TCP packets traced
  elapsed wallclock time: 0:00:00.025033, 1757 pkts/sec analysed
  trace file elapsed time: 0:00:00.435121
  TCP connection info:
    1: host1.net:63807 - prefetch.biz:www (a2b) 7> 6<
    2: host1.net:62941 - prefetch.biz:www (c2d) 6> 4<
    3: host1.net:57312 - prefetch.biz:www (e2f) 6> 5<
    4: host1.net:55792 - prefetch.biz:www (g2h) 6> 4<
- Informs the investigator about questions such as who talked to whom, when, for how long, etc. without looking at any contents of the conversation(s) at all.

Network Forensics Data (cont.)
Network Flows
A flow is a sequence of packets from a source to a destination, “an artificial logical equivalent to a call or connection”.
Packet headers can be used to reconstruct “flows”.

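As an added example (not from these slides), the following Python reconstructs flow records from packet headers alone, in the spirit of the tcptrace-style session summary on the previous slide: a direction-independent key on protocol and the two address/port pairs, the first-seen sender treated as the client, and per-direction packet and byte counts, start time and duration. The packet header records, addresses and ports are constructed for the example; no payload is needed or kept.

```python
from dataclasses import dataclass, field

# Constructed packet-header records (not from the slides):
# (timestamp_s, src, sport, dst, dport, proto, frame_bytes, tcp_flags)
PACKETS = [
    (0.000, "10.0.0.5", 63807, "203.0.113.10", 80, "tcp", 60, "S"),
    (0.010, "203.0.113.10", 80, "10.0.0.5", 63807, "tcp", 60, "SA"),
    (0.011, "10.0.0.5", 63807, "203.0.113.10", 80, "tcp", 52, "A"),
    (0.012, "10.0.0.5", 63807, "203.0.113.10", 80, "tcp", 420, "PA"),
    (0.050, "203.0.113.10", 80, "10.0.0.5", 63807, "tcp", 1500, "PA"),
    (0.051, "203.0.113.10", 80, "10.0.0.5", 63807, "tcp", 1500, "PA"),
    (0.060, "10.0.0.5", 63807, "203.0.113.10", 80, "tcp", 52, "A"),
    (0.400, "10.0.0.5", 63807, "203.0.113.10", 80, "tcp", 52, "FA"),
    (0.410, "203.0.113.10", 80, "10.0.0.5", 63807, "tcp", 52, "FA"),
    (1.200, "10.0.0.5", 51000, "10.0.0.53", 53, "udp", 70, ""),
    (1.230, "10.0.0.53", 53, "10.0.0.5", 51000, "udp", 150, ""),
]


@dataclass
class Flow:
    """Aggregated metadata for one conversation; no payload is kept."""
    client: str          # side that sent the first packet we saw
    cport: int
    server: str
    sport: int
    proto: str
    first: float         # time of first packet
    last: float          # time of last packet
    pkts_out: int = 0    # client -> server
    pkts_in: int = 0     # server -> client
    bytes_out: int = 0
    bytes_in: int = 0
    flags: set = field(default_factory=set)

    @property
    def duration(self):
        return self.last - self.first


def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key so both halves of a conversation map to one flow."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def reconstruct_flows(packets):
    """Group packet headers into flows, counting packets and bytes per direction."""
    flows = {}
    for ts, src, sport, dst, dport, proto, size, flags in sorted(packets):
        key = flow_key(src, sport, dst, dport, proto)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(src, sport, dst, dport, proto, ts, ts)
        f.last = max(f.last, ts)
        f.flags.update(flags)
        if (src, sport) == (f.client, f.cport):
            f.pkts_out += 1
            f.bytes_out += size
        else:
            f.pkts_in += 1
            f.bytes_in += size
    return list(flows.values())


def summarize(flow):
    """One-line session record: who talked to whom, when, for how long, how much."""
    return (f"{flow.proto} {flow.client}:{flow.cport} -> {flow.server}:{flow.sport} "
            f"start={flow.first:.3f}s dur={flow.duration:.3f}s "
            f"{flow.pkts_out}> {flow.pkts_in}< bytes {flow.bytes_out}/{flow.bytes_in} "
            f"flags={''.join(sorted(flow.flags))}")


if __name__ == "__main__":
    for flow in reconstruct_flows(PACKETS):
        print(summarize(flow))
```

The same grouping applied to a real header-only capture (tcpdump with a small snaplen, or Argus records) answers the session-data questions on the slide without touching content: the two sample conversations collapse into one TCP flow of 5 packets out and 4 in, and one DNS exchange.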
Network Forensics Data (cont.)
Network Flows - Example
Employees of Winterfell were the target of a suspected phishing attack.
(Figure: flow capture #1.) What does flow capture #1 say?

Network Forensics Data (cont.)
Network Flows – Example (cont.)
Employees of Winterfell were the target of a suspected phishing attack.
(Figure: flow capture #2, taken every 5 seconds.) What does flow capture #2 say?

Network Forensics Data (cont.)
Network Flows – Example (cont.)
(Figure: flow capture #3.) What does flow capture #3 say?

Network Forensics Data (cont.)
Network Capture Tools
Tools for working with network data: command line & GUI
Command-line tools are effective when:
■ Working with a small amount of data (<100GB)
■ Looking for a novel attack (something the GUIs don't recognize)
■ With a skilled operator
■ Mostly open-source freeware
GUI tools:
■ Better for exploring large data sets
■ Mostly proprietary

Network Forensics Data (cont.)
Network Capture Tools
Packet capturing tools: tcpdump, dumpcap
- Similar in their usage, as the command-line options of dumpcap are largely modelled after those of tcpdump.
- E.g., the following command captures packets on interface eth0 and stores output in file dump.pcap:
  tcpdump -i eth0 -w dump.pcap
- E.g., the following command allows capturing only HTTP coming from the given IP address:
  tcpdump src 192.168.2.3 and tcp port 80

Network Forensics Data (cont.)
Network Capture Tools
Wireshark is mostly a GUI built on top of tcpdump. It captures packets and displays them in more detail.
Advantages:
■ Free
■ Packet decoders for hundreds of packet types
■ Decompresses compressed data on the fly
■ Decrypts many protocols:
  — IPsec, ISAKMP, Kerberos, SNMPv3,
  — SSL/TLS, WEP and WPA/WPA2
Disadvantages:
■ Designed for packet analysis, not correlation.
■ Only analyzes 1 TCP connection at a time.
■ Flow reconstruction packet-by-packet is very time consuming.
Network Forensics Data (cont.)
Network Capture Tools
A flow capture & analysis tool: Argus
- One of the first implementations of a network flow monitoring system; it used to be an acronym for Audit Record Generation and Utilization.
- To install argus on Kali:
  sudo apt-get install argus-server
- Consists of 2 packages:
  - Argus monitor: captures packets (using libpcap) from the network (or from a file) and aggregates them into flow records. E.g.:
    argus -i eth0 -w log.argus                      to generate flow records from a network interface
    argus -r dump.pcap -w dump.argus                to create flow records from a packet capture file
    argus -i eth0 -w log.argus net 172.28.2.0/22    to capture from a subnet
  - Argus-clients package: contains numerous clients to analyze the flow records.

Analysis Techniques
• Flow record analysis is typically an iterative process.
• Important highlights include:
  • Goals and Resources
    • As always, the goals of your investigation and available resources shape your analysis. Are you trying to identify compromised systems? Evaluate whether a data breach occurred? Investigate an HR violation?
  • Starting Indicators or triggering event
    • Starting indicators may include:
      • IP address of a compromised or malicious system
      • Time frame in which malicious activity is suspected
      • Known ports on which a worm was suspected to be active
      • Specific flow records that indicate abnormal or unexplained activity
    • You may be given the IP address of a compromised system, or the domain name of a suspicious web site, or a description of malware behavior to search for in flow record data.
    • Each of these “starting indicators” is useful for different analysis techniques. The volume and type of data you begin with will shape your investigation.

Analysis Techniques (cont.)
Filtering
• Consists of narrowing down a large pool of evidence to a subset (or groups of subsets) that are of interest.
• Involves removing extraneous details and identifying events, hosts, ports, and activities of interest.
  • For example, if your starting indicator was a specific IP address, you might start by isolating all activity relating to that IP address and picking out subsets of flows for analysis until you have gathered the evidence you need and built your case.
  • Alternatively, you might filter for flows that match particular patterns of activity indicative of worm behavior, data exfiltration, port scanning, or other suspicious behavior, depending on your investigative goals.

Analysis Techniques (cont.)
Baselining
• Network traffic analysts can build, maintain, and reference a baseline of traffic and identify trends and patterns of activity that are considered “normal” for the environment.
• Forensic investigators can reference these baselines in order to analyze suspicious activity.
  • Network baselines: By looking at general trends over time for monitored segments, the traffic seen can be understood even if specific source and destination IP addresses must be abstracted or generalized.
  • Host baselines: Likewise, when a particular host becomes of interest, investigators can build or refer to a historical baseline of a specific host’s activities in order to identify or investigate anomalous behavior.

Analysis Techniques (cont.)
“Dirty Values”
• Common technique used in digital forensics analysis.
• Consists of compiling a list of “dirty values” and searching network data to pick out relevant entries.
• In network forensics, “dirty values” are more likely to be suspicious IP addresses, ports, dates, and times.
• As you conduct your analysis, you will often find that it is helpful to maintain an updated list of suspicious values that you collect as you move forward.

Analysis Techniques (cont.)
Activity Pattern Matching
• Every activity leaves a fingerprint on the network.
• Simple patterns, such as large unidirectional volumes of traffic flow, can indicate specific activities that may be suspicious given the context.
• More complex patterns may match the behaviors of known worms or viruses.
• A trained investigator can pick out suspicious activity that manifests as complex and subtle variations in flow record evidence.

Analysis Techniques (cont.)
Activity Pattern Matching - Flow Elements
• IP address
  • The source and destination IP addresses are great clues that reveal a lot about the cause and purpose of a flow.
• Ports
  • Often correspond with assigned or well-known ports linked to specific applications or services.
  • Can also indicate whether a system is port scanning or being scanned and help you identify malicious activity.
• Protocol and Flags
  • Layer 3 and 4 protocols can indicate whether connections were completed and help you tell the difference between connection attempts that were denied by firewalls, successful port scans, successful data transfers, and more.

Analysis Techniques (cont.)
Activity Pattern Matching - Flow Elements
• Directionality
  • Can indicate whether proprietary data has been leaked or a malicious program was downloaded.
• Volume of data transferred
  • Can help indicate the type of activity and whether or not higher-layer data transfer attempts were successful.
  • E.g., many small TCP packets may be indicative of port scanning, whereas larger packets can indicate file exportation.
  • E.g., a large volume of data transferred in a very short period of time is usually caused by something different than the same amount of data transferred over a very long period of time.

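An added Python example, not from the slides, that applies the techniques of the last few slides to flow records: filtering with a dirty-value list, a host baseline, and activity pattern matching on the flow elements just listed (ports, flags, directionality and volume over time). The flow records, the dirty-value list, the 10.0.0.0/8 internal range and the per-host daily history are all constructed for the example; the thresholds (10 distinct ports, 100 MB, a 50:1 out/in ratio, mean + 3 standard deviations) are illustrative choices to be tuned to the environment's own baseline, not values from the slides.

```python
import ipaddress
import statistics

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range for this example


def rec(ts, src, dst, dport, proto, pkts, out, inn, flags, dur):
    """One flow record; src is the side that opened the flow (constructed data)."""
    return dict(ts=ts, src=src, dst=dst, dport=dport, proto=proto, pkts=pkts,
                bytes_out=out, bytes_in=inn, flags=set(flags), dur=dur)


FLOWS = [
    rec(32400, "10.0.0.5", "203.0.113.10", 443, "tcp", 24, 2_100, 31_000, "SPAF", 2.1),  # browsing
    rec(32405, "10.0.0.5", "10.0.0.53", 53, "udp", 2, 70, 150, "", 0.03),                  # DNS
    rec(32600, "10.0.0.7", "198.51.100.66", 8080, "tcp", 3, 180, 0, "S", 9.0),             # unanswered SYNs
    rec(33000, "10.0.0.7", "198.51.100.66", 443, "tcp", 650_000, 900_000_000, 20_000, "SPA", 600.0),
] + [rec(34000 + i, "10.0.0.9", "10.0.0.20", p, "tcp", 1, 60, 0, "S", 0.0)               # one SYN per port
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]

# "Dirty values" collected earlier in the investigation (constructed).
DIRTY_IPS = {"198.51.100.66"}
DIRTY_PORTS = {8080}


def filter_dirty(flows, dirty_ips=DIRTY_IPS, dirty_ports=DIRTY_PORTS):
    """Filtering: keep only flows that touch a suspicious address or port."""
    return [f for f in flows
            if f["src"] in dirty_ips or f["dst"] in dirty_ips or f["dport"] in dirty_ports]


def find_port_scans(flows, min_ports=10):
    """Pattern on ports + flags: one source probing many ports with SYNs that get nothing back."""
    ports = {}
    for f in flows:
        if f["proto"] == "tcp" and f["flags"] == {"S"} and f["bytes_in"] == 0:
            ports.setdefault((f["src"], f["dst"]), set()).add(f["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def find_outbound_bulk(flows, min_bytes=100_000_000, min_ratio=50):
    """Pattern on directionality + volume: large, mostly one-way transfers leaving the network.
    Returns (src, dst, dport, bytes_out, bytes_per_second) so rate can be judged too."""
    hits = []
    for f in flows:
        leaves_network = (ipaddress.ip_address(f["src"]) in INTERNAL
                          and ipaddress.ip_address(f["dst"]) not in INTERNAL)
        ratio = f["bytes_out"] / max(f["bytes_in"], 1)
        if leaves_network and f["bytes_out"] >= min_bytes and ratio >= min_ratio:
            rate = round(f["bytes_out"] / max(f["dur"], 1e-9))
            hits.append((f["src"], f["dst"], f["dport"], f["bytes_out"], rate))
    return hits


# Constructed host baseline: bytes sent per day over the previous five days.
HISTORY = {
    "10.0.0.5": [30_000_000, 28_000_000, 33_000_000, 31_000_000, 29_000_000],
    "10.0.0.7": [12_000_000, 15_000_000, 11_000_000, 14_000_000, 13_000_000],
}


def baseline_anomalies(flows, history=HISTORY, k=3.0):
    """Host baselining: hosts whose bytes sent today exceed mean + k*stdev of their history.
    Returns {host: (bytes_today, threshold)}."""
    today = {}
    for f in flows:
        today[f["src"]] = today.get(f["src"], 0) + f["bytes_out"]
    out = {}
    for host, past in history.items():
        threshold = statistics.mean(past) + k * statistics.stdev(past)
        if today.get(host, 0) > threshold:
            out[host] = (today[host], round(threshold))
    return out


if __name__ == "__main__":
    print("dirty:", [(f["src"], f["dst"], f["dport"]) for f in filter_dirty(FLOWS)])
    print("scans:", find_port_scans(FLOWS))
    print("bulk out:", find_outbound_bulk(FLOWS))
    print("above baseline:", baseline_anomalies(FLOWS))
```

Each function answers one of the slide's questions on its own, but the value comes from iterating: the dirty-value filter surfaces 10.0.0.7, the directionality and volume check shows the 443 flow from that host is 900 MB out against 20 KB in over ten minutes, and the host baseline confirms that is far outside what 10.0.0.7 normally sends in a whole day.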
Analysis Techniques (cont.)
Activity Pattern Matching – Multistage Attack Patterns
• Hackers usually attack their victims indirectly through proxies or a series of compromised machines -> this involves various patterns with different scenarios, which confuse investigators.
• Analysis techniques: event correlation, aggregation, and scenario reconstruction.
  - Partially automated, but largely manual; rely heavily on human expertise.
(Figure: three example patterns)
  - Two independent hackers use the same intermediary node to attack a victim.
  - Connection chain: a hacker recursively logs into a host, then from there logs into another host.
  - One hacker uses two intermediary nodes to attack the same victim.

Analysis Techniques (cont.)
Activity Pattern Matching – Example
Which activity pattern does packet capture #1 cover?
time sender receiver protocol
12:03:36.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:03:46.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:04:37.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:04:47.006502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:05:38.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:05:48.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:06:39.006502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:06:49.006502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:07:40.006502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:07:50.006502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:08:41.006502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:08:51.006502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:09:42.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:09:52.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:10:43.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:10:53.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
12:11:44.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)

Analysis Techniques (cont.)
Activity Pattern Matching – Example (cont.)
Which activity pattern does packet capture #2 cover?
time sender.port receiver.port SYN bit Seq/SeqAck win (window size)
16:03:40.763603 foo.example.com.39344 -> watson.80: S 523285584:523285584(0) win 8760 (DF)
16:03:41.919170 foo.example.com.39345 -> watson.80: S 523517577:523517577(0) win 8760 (DF)
16:03:42.348706 foo.example.com.39358 -> watson.80: S 526418601:526418601(0) win 8760 (DF)
16:03:42.491895 foo.example.com.39359 -> watson.80: S 526509044:526509044(0) win 8760 (DF)

Analysis Techniques (cont.)
Activity Pattern Matching – Example (cont.)
Which activity pattern does packet capture #3 cover?
time sender receiver protocol
01:14:10.016000 foo.example.com > watson: icmp: echo request (frag 56980:1480@0+)
01:14:10.018000 foo.example.com > watson: icmp: echo request (frag 56980:1480@1480+)
01:14:10.026000 foo.example.com > watson: icmp: echo request (frag 56980:1480@2960+)
01:14:10.032000 foo.example.com > watson: icmp: echo request (frag 56980:1480@4440+)
01:14:10.038000 foo.example.com > watson: icmp: echo request (frag 56980:1480@5920+)
:
:
01:14:11.056000 foo.example.com > watson: icmp: echo request (frag 56980:1480@59200+)
01:14:11.062000 foo.example.com > watson: icmp: echo request (frag 56980:1480@60680+)
01:14:11.070000 foo.example.com > watson: icmp: echo request (frag 56980:1480@62160+)
01:14:11.072000 foo.example.com > watson: icmp: echo request (frag 56980:1480@63640+)
01:14:11.080000 foo.example.com > watson: icmp: echo request (frag 56980:1480@65120)

Analysis Techniques (cont.)
Activity Pattern Matching – Example (cont.)
Which activity pattern does packet capture #4 cover?
time sender.port receiver.port protocol
09:42:27.826000 foo.example.com.137 > watson.137: udp 28 (frag 242:36@0+)
09:42:27.828000 foo.example.com > watson: (frag 242:4@24)

Analysis Techniques (cont.)
Activity Pattern Matching – Example (cont.)
Which activity pattern does packet capture #5 cover?
time sender.port receiver.port SYN Seq/SeqAck win (window size)
10:08:23.472378 state.example.net.1739 > watson.22: S 72549644:72549644(0) win 8192 (DF)
10:08:25.009256 state.example.net.1739 > watson.22: S 72549644:72549644(0) win 8192 (DF)
10:08:26.504518 state.example.net.1739 > watson.22: S 72549644:72549644(0) win 8192 (DF)
10:08:28.006168 state.example.net.1739 > watson.22: S 72549644:72549644(0) win 8192 (DF)
17:14:18.726864 foo.example.com.62555 > watson.22: S 20583734:20583734(0) win 8192 <mss 1380> (DF)
17:14:21.781140 foo.example.com.62555 > watson.22: S 20583734:20583734(0) win 8192 <mss 1380>(DF)
17:14:27.776662 foo.example.com.62555 > watson.22: S 20583734:20583734(0) win 8192 <mss 1380>(DF)
17:14:39.775929 foo.example.com.62555 > watson.22: S 20583734:20583734(0) win 8192 <mss 1380>(DF)
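As an added example (not part of the slides), the following Python parses tcpdump lines in the format of captures #1 to #5 above and extracts the flow elements an investigator inspects when matching activity patterns: which ICMP message kinds appear and at what intervals, whether SYNs repeat with the same sequence number (retransmissions that got no answer) or arrive from new source ports, and for fragmented datagrams the reassembled length, overlap between fragments and whether the final fragment was seen. The sample lines are abbreviated from the captures above; the CAPTURE_n names, the record layout and the 65535-byte IPv4 datagram limit are the only things assumed beyond the slides, and the functions report features rather than naming any attack.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Abbreviated lines from the captures on the slides (variable names are ours).
CAPTURE_1 = [
    "12:03:36.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)",
    "12:03:46.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)",
    "12:04:37.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)",
    "12:04:47.006502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)",
]
CAPTURE_2 = [
    "16:03:40.763603 foo.example.com.39344 -> watson.80: S 523285584:523285584(0) win 8760 (DF)",
    "16:03:41.919170 foo.example.com.39345 -> watson.80: S 523517577:523517577(0) win 8760 (DF)",
    "16:03:42.348706 foo.example.com.39358 -> watson.80: S 526418601:526418601(0) win 8760 (DF)",
    "16:03:42.491895 foo.example.com.39359 -> watson.80: S 526509044:526509044(0) win 8760 (DF)",
]
CAPTURE_3 = [
    "01:14:10.016000 foo.example.com > watson: icmp: echo request (frag 56980:1480@0+)",
    "01:14:10.018000 foo.example.com > watson: icmp: echo request (frag 56980:1480@1480+)",
    "01:14:11.080000 foo.example.com > watson: icmp: echo request (frag 56980:1480@65120)",
]
CAPTURE_4 = [
    "09:42:27.826000 foo.example.com.137 > watson.137: udp 28 (frag 242:36@0+)",
    "09:42:27.828000 foo.example.com > watson: (frag 242:4@24)",
]
CAPTURE_5 = [
    "10:08:23.472378 state.example.net.1739 > watson.22: S 72549644:72549644(0) win 8192 (DF)",
    "10:08:25.009256 state.example.net.1739 > watson.22: S 72549644:72549644(0) win 8192 (DF)",
    "10:08:26.504518 state.example.net.1739 > watson.22: S 72549644:72549644(0) win 8192 (DF)",
    "17:14:18.726864 foo.example.com.62555 > watson.22: S 20583734:20583734(0) win 8192 <mss 1380> (DF)",
    "17:14:21.781140 foo.example.com.62555 > watson.22: S 20583734:20583734(0) win 8192 <mss 1380>(DF)",
]

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+) (\S+) -?> (\S+): (.*)$")
SYN = re.compile(r"^S (\d+):\d+\(\d+\) win \d+")
FRAG = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")  # frag id:size@byte_offset, '+' = more fragments
MAX_DATAGRAM = 65535  # largest total length an IPv4 datagram may have


def split_host_port(tok):
    """'watson.80' -> ('watson', 80); '192.0.2.7' and 'watson' carry no port."""
    try:
        ipaddress.ip_address(tok)
        return tok, None
    except ValueError:
        host, _, last = tok.rpartition(".")
        return (host, int(last)) if host and last.isdigit() else (tok, None)


def parse(lines):
    """Turn tcpdump text lines into records of the fields used below."""
    recs = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        h, mi, s, frac, src, dst, rest = m.groups()
        r = {"t": int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)}
        r["src"], r["sport"] = split_host_port(src)
        r["dst"], r["dport"] = split_host_port(dst)
        syn, frag = SYN.match(rest), FRAG.search(rest)
        r["seq"] = int(syn.group(1)) if syn else None
        r["frag"] = tuple(int(g) for g in frag.groups()[:3]) + (frag.group(4) == "+",) if frag else None
        r["icmp"] = rest.split("icmp: ")[1].split(" (")[0] if "icmp: " in rest else None
        recs.append(r)
    return recs


def icmp_profile(recs):
    """Which ICMP kinds were seen (replies without requests stand out) and the rhythm of replies."""
    kinds = Counter(r["icmp"] for r in recs if r["icmp"])
    times = sorted(r["t"] for r in recs if r["icmp"] == "echo reply")
    gaps = sorted({round(b - a) for a, b in zip(times, times[1:])})
    return {"kinds": dict(kinds), "gaps_s": gaps}


def syn_profile(recs):
    """SYNs by (src, sport, dst, dport, seq): the same seq repeated is a retransmission that
    got no SYN/ACK; distinct source ports are separate connection attempts."""
    groups = Counter((r["src"], r["sport"], r["dst"], r["dport"], r["seq"])
                     for r in recs if r["seq"] is not None)
    retrans = {k: n for k, n in groups.items() if n > 1}
    return {"attempts": len({(k[0], k[1], k[3]) for k in groups}), "retransmitted": retrans}


def fragment_profile(recs):
    """Per IP id: reassembled length, whether it exceeds the datagram limit, whether fragments
    overlap, and whether the last fragment (no '+') was seen."""
    by_id = defaultdict(list)
    for r in recs:
        if r["frag"]:
            fid, size, off, more = r["frag"]
            by_id[fid].append((off, size, more))
    out = {}
    for fid, frags in by_id.items():
        frags.sort()
        total = max(off + size for off, size, _ in frags)
        overlap = any(frags[i][0] < frags[i - 1][0] + frags[i - 1][1] for i in range(1, len(frags)))
        out[fid] = {"total": total, "oversized": total > MAX_DATAGRAM, "overlap": overlap,
                    "complete": any(not more for _, _, more in frags)}
    return out
```

Run over a full capture rather than these excerpts, the same three profiles give the numbers to reason about each slide's question: message kinds and their spacing for #1, new source ports versus repeated sequence numbers for #2 and #5, and fragment bookkeeping for #3 and #4.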