
Network Evidence Analysis – Analyzing Packet Captures

Presented by Subhana S
NETWORK EVIDENCE COLLECTION AND ANALYSIS

• Network forensics is the process of identifying, collecting, examining and analyzing
digital evidence extracted from network traffic and from the logs of network security
devices.

• Collecting this evidence is critical during an incident in which an external threat actor
is in the process of exfiltrating data from the network.

• Network-based evidence is also useful when examining host evidence, as it provides a
second, independent source of event validation, which is extremely useful in determining
the root cause of an incident.

• Network evidence analysis concerns the gathering, monitoring and analysis of network
activity to uncover the source of attacks, malware, intrusions or security breaches that
occur on a network or in network traffic: by analyzing captured traffic data, the analyst
identifies where an attack came from and which hosts it reached.

• Some experts believe that Target likely had two primary sources of such evidence
available to analyze during its breach: log data and packet captures.
Analyzing Packet Captures

• Packet capture is the networking term for intercepting data packets as they cross a
specific point in a network.

• Once a packet is captured in real time, it is stored for a period of time so that it can
be analyzed, and then either downloaded, archived or discarded.

• Packet captures contain a great deal of information that is potentially valuable to
incident response analysts: source and destination IP addresses, domains and ports, and
the content of the communications between hosts.

• Entire packets or specific portions of a packet (for example, only the headers) can be
captured.

• A full packet consists of two parts: a header and a payload. The header carries
metadata, including the packet's source and destination addresses, while the payload is
the actual content the packet transports.

• In some instances, incident response analysts are able to reconstruct actual files,
such as text documents and images, from the payloads in these packet captures.
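The header/payload split and the file reconstruction described above, shown in working code. This is an added example, not code from the original slides or from Wireshark: it builds a small libpcap file in memory (constructed client 10.0.0.5, server 203.0.113.10, MAC addresses and the "quarterly-report" text are all made up), decodes the record, Ethernet, IPv4 and TCP headers into metadata, formats the capture timestamp in UTC, applies a display-filter style selection, and reassembles the server's two out-of-order TCP segments back into the transferred text document. It handles only Ethernet/IPv4/TCP in libpcap format; pcapng, IPv6 and sequence-number wraparound are outside its scope.

```python
"""Read a libpcap file from raw bytes: split each frame into header metadata and
payload, extract the 5-tuple and a UTC timestamp, apply a display-filter style
selection, and reassemble one direction of a TCP conversation into the transferred
object. Added example over a capture constructed in memory; not Wireshark code."""
import struct
from datetime import datetime, timezone

LINKTYPE_ETHERNET = 1

def _ipv4_hdr(src, dst, payload_len, proto=6):
    # Constructed IPv4 header: version 4, IHL 5, checksum left zero (not verified here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0x4000, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def _tcp_hdr(sport, dport, seq):
    # 20-byte TCP header (data offset 5), flags PSH|ACK, checksum left zero.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)

def _frame(src, dst, sport, dport, seq, payload):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # made-up MACs
    tcp = _tcp_hdr(sport, dport, seq)
    return eth + _ipv4_hdr(src, dst, len(tcp) + len(payload)) + tcp + payload

def pcap_file(records):
    """Wrap (ts_sec, ts_usec, frame) tuples in a little-endian libpcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                 b"quarterly-report: CONFIDENTIAL\n")   # constructed transferred file

def build_sample_pcap():
    """Constructed capture: one HTTP request, then a two-segment response whose
    segments were captured out of order (the second segment arrives first)."""
    client, server = "10.0.0.5", "203.0.113.10"
    req = b"GET /report.txt HTTP/1.1\r\nHost: files.example\r\n\r\n"
    seg1, seg2 = HTTP_RESPONSE[:40], HTTP_RESPONSE[40:]
    return pcap_file([
        (1700000000, 100000, _frame(client, server, 51000, 80, 1000, req)),
        (1700000000, 250000, _frame(server, client, 80, 51000, 5000 + len(seg1), seg2)),
        (1700000000, 260000, _frame(server, client, 80, 51000, 5000, seg1)),
    ])

def parse_pcap(data):
    """Decode the global header, each record header and the Ethernet/IPv4/TCP headers.
    Everything up to the TCP data offset is header metadata; the rest is payload."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a libpcap file (pcapng is not handled by this example)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":          # only IPv4 over Ethernet here
            continue
        ip = frame[14:]
        ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
        pkt = {"time_utc": datetime.fromtimestamp(ts_sec, tz=timezone.utc)
                               .replace(microsecond=ts_usec).isoformat(),
               "ip.src": ".".join(map(str, ip[12:16])), "ip.dst": ".".join(map(str, ip[16:20])),
               "ip.proto": proto, "payload": b""}
        if proto == 6:
            tcp = ip[ihl:total_len]
            sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
            pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                        "payload": tcp[(tcp[12] >> 4) * 4:]})
        packets.append(pkt)
    return packets

def display_filter(packets, fields):
    """Rough analogue of a Wireshark filter such as  ip.src == 10.0.0.5 && tcp.dstport == 80."""
    return [p for p in packets if all(p.get(k) == v for k, v in fields.items())]

def reassemble_stream(packets, src, sport, dst, dport):
    """Order one direction of a TCP conversation by sequence number and join the payloads,
    dropping bytes already seen (retransmissions). Sequence wraparound is not handled."""
    segs = display_filter(packets, {"ip.src": src, "tcp.srcport": sport,
                                    "ip.dst": dst, "tcp.dstport": dport})
    out, next_seq = b"", None
    for s in sorted((s for s in segs if s["payload"]), key=lambda s: s["tcp.seq"]):
        skip = 0 if next_seq is None else max(0, next_seq - s["tcp.seq"])
        out += s["payload"][skip:]
        next_seq = max(next_seq or 0, s["tcp.seq"] + len(s["payload"]))
    return out

if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    for p in pkts:
        print(p["time_utc"], p["ip.src"], p["tcp.srcport"], "->", p["ip.dst"], p["tcp.dstport"],
              len(p["payload"]), "payload bytes")
    stream = reassemble_stream(pkts, "203.0.113.10", 80, "10.0.0.5", 51000)
    print(stream.partition(b"\r\n\r\n")[2].decode())   # the reconstructed text document
```

The point of the out-of-order segments is that the on-the-wire order is not the file order; reassembly by sequence number, not capture order, is what Wireshark's "Follow TCP Stream" and its export-objects feature do for you.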
COMMAND-LINE TOOLS

• A range of tools and techniques is available to examine the evidence acquired, and
several command-line tools can be used during the analysis of network packet captures.

• During more in-depth or lengthy incident response engagements, analysts may gather
several packet capture files from different sensors and time windows.

• mergecap: merging multiple capture files into one

mergecap combines multiple saved capture files into a single output file, specified by
the -w argument.

• There is no need to tell mergecap what type of file it is reading; it determines the file
type by itself.

• By default, mergecap writes all of the packets in the input capture files to a pcapng
file; the -F flag selects a different output format (for example, -F pcap).

• Packets from the input files are merged in chronological order based on each frame's
timestamp, unless the -a flag is specified.

• When -a is specified, the files are concatenated instead: all packets from the first
input file are copied to the output, then all packets from the second, and so on,
regardless of their timestamps.

• Simple example of using mergecap:

$ mergecap -w outfile.pcapng dhcp-capture.pcapng imap-1.pcapng

• editcap: edit capture files

editcap is a general-purpose utility for modifying capture files. Its main function is to
remove packets from capture files, but it can also be used to convert files from one
format to another.

• This is helpful if an analyst has a large packet capture and dividing it makes searching
easier; for example, editcap -c 100000 big.pcapng chunk.pcapng writes a series of files
holding 100,000 packets each.
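To make the two mergecap behaviours and the editcap split concrete, here is an added example (not Wireshark's code) that reproduces them on two captures constructed in memory: a chronological merge, the -a style concatenation, and splitting the merged result into fixed-size chunks the way editcap -c does. It only handles little-endian libpcap files; the real tools also read pcapng and other formats. The "frames" inside the constructed captures are labelled byte strings rather than real packets, since only the record timestamps matter here.

```python
"""Emulate mergecap (chronological merge vs. -a concatenation) and editcap -c
(split into N-packet files) on libpcap data held in memory.
Added example on constructed input; not Wireshark's implementation."""
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap, microsecond timestamps

def records(data):
    """Yield (ts_sec, ts_usec, raw_record) for each record in a libpcap file."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian libpcap is handled; mergecap also reads pcapng")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        yield ts_sec, ts_usec, data[off: off + 16 + incl_len]
        off += 16 + incl_len

def pcap(recs):
    """Write a libpcap file (Ethernet link type) around already-encoded records."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(raw for _, _, raw in recs)

def merge(files, append=False):
    """mergecap default: order by timestamp. mergecap -a: copy file after file.
    mergecap assumes each input is already time-ordered and does a k-way merge;
    a stable global sort gives the same result for time-ordered inputs."""
    recs = [r for f in files for r in records(f)]
    if not append:
        recs.sort(key=lambda r: (r[0], r[1]))   # stable: ties keep input-file order
    return pcap(recs)

def split(data, per_file):
    """editcap -c N: successive output files holding N packets each."""
    recs = list(records(data))
    return [pcap(recs[i:i + per_file]) for i in range(0, len(recs), per_file)]

def labels(data):
    """The 'frame' bytes of each record; in this example they are just labels."""
    return [raw[16:] for _, _, raw in records(data)]

def timestamps(data):
    return [(s, u) for s, u, _ in records(data)]

def make_capture(entries):
    """Constructed capture from (ts_sec, ts_usec, label) tuples."""
    return pcap([(s, u, struct.pack("<IIII", s, u, len(p), len(p)) + p) for s, u, p in entries])

# Constructed inputs whose packets interleave in time, like the dhcp/imap files above.
DHCP_CAP = make_capture([(100, 0, b"dhcp-discover"), (100, 500000, b"dhcp-offer"), (103, 0, b"dhcp-ack")])
IMAP_CAP = make_capture([(101, 0, b"imap-login"), (102, 0, b"imap-select"), (104, 0, b"imap-fetch")])

if __name__ == "__main__":
    print("chronological:", labels(merge([DHCP_CAP, IMAP_CAP])))
    print("-a (append)  :", labels(merge([DHCP_CAP, IMAP_CAP], append=True)))
    for i, chunk in enumerate(split(merge([DHCP_CAP, IMAP_CAP]), 4)):
        print("chunk", i, labels(chunk))
```

The practical difference: with -a, a packet from the second file can appear before an earlier-timestamped packet from the first, so any time-based analysis of the merged file (or of a chunk produced from it) has to be aware of which mode produced it.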
WIRESHARK

• Wireshark is one of the most popular packet capture analysis tools available to incident
response analysts, and it ships with an array of command-line tools (tshark, mergecap,
editcap and others) that are helpful for packet analysis.

• In the past, such tools were either very expensive, proprietary, or both. With the advent
of Wireshark, that has changed: it is free, open source, and one of the best packet
analyzers available today.

• Wireshark, formerly known as Ethereal, captures packets in real time and displays them
in a human-readable format.

• Wireshark includes display filters, color coding and other features that let the analyst
dig deep into network traffic and inspect individual packets.

• A few settings changes better assist the incident response analyst in performing packet
capture analysis as part of an incident investigation:

• Time:
i. The time setting in Wireshark allows for several options.
ii. One option that is useful in an incident investigation is showing the date and time at
which each individual packet was captured, rather than seconds since the start of the
capture.
iii. To enable this, navigate to View, then Time Display Format, and choose one of the
options such as Date and Time of Day or Time of Day.
iv. Also consider the UTC variants of these options: captures from sensors and hosts in
different time zones are far easier to correlate when every timestamp is shown in UTC.

• Name resolution:
i. The name resolution setting lets analysts toggle between seeing the IP addresses of
source and destination hosts and their resolved hostnames.
ii. For example, when a packet capture is first opened, the packet list shows the IP
addresses.
iii. Navigate to View, then Name Resolution, and click Resolve Network Addresses. Wireshark
will then resolve the IP addresses to hostnames.
iv. Caveat: by default this sends live DNS queries from the analyst's workstation, which
can disclose the investigation to whoever controls the attacker's DNS; prefer resolving
from names already present in the captured DNS traffic or from a local hosts file on an
isolated analysis machine.

• Colorize packet list:
i. This feature lets analysts toggle between a blank background in the packet list and
having Wireshark color-code the packets by protocol, which makes anomalies easier to spot.
Features In Wireshark That Provide Key Pieces Of Information From The
Packet Capture:

a) Display filters:
• One of the most important features is the ability to filter packet captures on a wide
range of protocols, addresses and ports.
• To filter traffic on a source IP address, right-click the address in the packet details
pane and navigate to Apply as Filter, then Selected. Wireshark builds the filter
expression (for example, ip.src == 192.168.1.10) and applies it to the packet list; the
same expression can also be typed directly into the display filter bar.
b) Host identification:
• Another key aspect of analyzing a packet capture is identifying the local host, if
applicable.
• In this example, the first packet in the capture is a DHCP packet originating from a
Cisco device and addressed to the compromised machine.
• Double-clicking the individual packet opens its details, where a great deal of
information about the host is found.
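What that DHCP packet gives the analyst, in code: the BOOTP fixed header carries the client's hardware address (chaddr) and the address being assigned (yiaddr), and the DHCP options carry the message type and the identity of the server that issued it. This is an added example, not part of the original slides or of any DHCP implementation; the DHCPACK it parses is constructed here, and the addresses (server 192.168.10.1, client 192.168.10.57, DNS 192.0.2.53) and the client MAC 00:11:22:aa:bb:cc are made up.

```python
"""Identify the local host from a DHCP server reply: decode the BOOTP fixed header
and the DHCP option TLVs (RFC 2131/2132 layout) to recover the client's MAC, the
address it was given and the server that gave it. Added example; constructed input."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}

def ip4(b):
    return ".".join(str(x) for x in b)

def mac(b):
    return ":".join("%02x" % x for x in b)

def parse_dhcp(payload):
    """Decode the 236-byte BOOTP header, then the magic cookie and option TLVs."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (magic cookie missing)")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack_from("!BBBBIHH", payload, 0)
    ciaddr, yiaddr, siaddr, giaddr = (payload[i:i + 4] for i in (12, 16, 20, 24))
    msg = {"op": "BOOTREPLY" if op == 2 else "BOOTREQUEST", "xid": xid,
           "ciaddr": ip4(ciaddr), "yiaddr": ip4(yiaddr), "siaddr": ip4(siaddr),
           "giaddr": ip4(giaddr), "chaddr": mac(payload[28:28 + hlen]), "options": {}}
    off = 240
    while off < len(payload):
        code = payload[off]
        if code == 255:                      # END option
            break
        if code == 0:                        # PAD option has no length byte
            off += 1
            continue
        length = payload[off + 1]
        value = payload[off + 2: off + 2 + length]
        off += 2 + length
        opts = msg["options"]
        if code == 53:
            opts["message_type"] = MESSAGE_TYPES.get(value[0], str(value[0]))
        elif code == 54:
            opts["server_id"] = ip4(value)
        elif code == 51:
            opts["lease_time"] = int.from_bytes(value, "big")
        elif code == 1:
            opts["subnet_mask"] = ip4(value)
        elif code == 3:
            opts["router"] = ip4(value[:4])
        elif code == 6:
            opts["dns"] = [ip4(value[i:i + 4]) for i in range(0, len(value), 4)]
        elif code == 12:
            opts["hostname"] = value.decode(errors="replace")
        else:
            opts[code] = value                # keep unknown options raw
    return msg

def identify_local_host(msg):
    """For an OFFER/ACK from the server, the host being configured is chaddr/yiaddr and
    the issuing server is option 54 (falling back to siaddr). Other messages yield None."""
    if msg["op"] != "BOOTREPLY" or msg["options"].get("message_type") not in ("OFFER", "ACK"):
        return None
    return {"mac": msg["chaddr"], "ip": msg["yiaddr"],
            "dhcp_server": msg["options"].get("server_id", msg["siaddr"]),
            "lease_time": msg["options"].get("lease_time")}

def _opt(code, value):
    return bytes([code, len(value)]) + value

def build_sample_ack():
    """Constructed DHCPACK: server 192.168.10.1 assigns 192.168.10.57 to 00:11:22:aa:bb:cc."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)            # op=BOOTREPLY, Ethernet
    hdr += bytes(4) + bytes([192, 168, 10, 57]) + bytes([192, 168, 10, 1]) + bytes(4)
    hdr += bytes.fromhex("001122aabbcc") + bytes(10)                         # chaddr padded to 16
    hdr += bytes(64) + bytes(128)                                            # sname, file
    opts = (_opt(53, b"\x05") + _opt(54, bytes([192, 168, 10, 1])) + _opt(51, (86400).to_bytes(4, "big"))
            + _opt(1, bytes([255, 255, 255, 0])) + _opt(3, bytes([192, 168, 10, 1]))
            + _opt(6, bytes([192, 168, 10, 1]) + bytes([192, 0, 2, 53])) + b"\x00" + b"\xff")
    return hdr + MAGIC_COOKIE + opts

if __name__ == "__main__":
    msg = parse_dhcp(build_sample_ack())
    print(msg["options"]["message_type"], "from", msg["options"]["server_id"])
    print(identify_local_host(msg))
```

Note the check on message type: a DISCOVER or REQUEST coming from the client carries the MAC in chaddr too, but yiaddr is zero there, so only the server's OFFER/ACK tells you which address the compromised machine actually ended up with.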


Xplico And CapAnalysis

• When conducting a detailed examination of a packet capture, especially a large one,
working through it packet by packet in Wireshark may not fit the needs of the incident.

• If an analyst wishes to isolate specific traffic, such as HTTP or DNS, there are tools
built for that purpose.

• Two such tools are Xplico and CapAnalysis.

• Both tools run on Linux and provide a platform for incident response analysts to review
a capture by protocol and conversation rather than by individual packet.


Xplico

• Xplico is a Network Forensic Analysis Tool (NFAT).

• The goal of Xplico is to extract from an internet traffic capture the application data
it contains.

• Xplico is able to extract information carried within common protocols such as HTTP, SIP,
IMAP, POP, SMTP and TCP.

• For example, from a pcap file Xplico extracts each email (POP, IMAP and SMTP) and all
HTTP contents.

• Xplico is installed by default in major digital forensics and penetration testing
distributions:
   • BackBox
   • CERT Linux Forensics Tools Repository
   • Kali Linux
   • BackTrack, etc.
Distribution contents change between releases, so check the current package list before
relying on it being present.
CapAnalysis

• CapAnalysis is a web-based network traffic analysis tool for information security
specialists, system administrators and others who need to analyze large volumes of
captured network traffic.

• CapAnalysis indexes the data set of the PCAP files and presents their contents in a
variety of forms, from a list of TCP, UDP or ESP streams to a geographic map that
connects the endpoints of those streams to their locations.


• Tools such as Xplico and CapAnalysis allow the incident response analyst to gain insight
into the wealth of data contained within a packet capture in a more user-friendly way.

• The way the data is presented in these solutions further allows the analyst to triage
potential incidents: by quickly reviewing the extracted data, the analyst can determine
whether there is in fact an incident that requires more detailed investigation.


THANK YOU
