Cyber Forensics

Unit – 1
Network Forensics

Prof. Ashwini Solegaonkar


Department of Information Technology and Computer Science
D. G. Ruparel College of Arts, Science and Commerce, Mumbai-16
Network Forensics
• “Network forensics is a sub-branch of digital forensics relating to the monitoring
and analysis of computer network traffic for the purposes of information
gathering, legal evidence, or intrusion detection.”

Computer Forensics vs Network Forensics

Computer Forensics:
• Data is static and preserved once power is removed
• Evidence is contained within the file system
• Easy to make a forensically sound image
• Seizing a business's computer/s usually involves limited disruption
• Legal precedent is in place and evidence is routinely admitted into court

Network Forensics:
• Data is changing constantly
• Pinpointing the direct location of needed evidence is problematic
• Physical access to network devices can be difficult
• Most network devices do not have persistent data storage
• Investigators must minimize investigation impact on the business network
• Conflicting precedent and not yet standardized

Network Forensics
Unlike computer forensics, which retrieves information from a computer's disks,
network forensics additionally retrieves information on which network ports were
used to access the network.
• Several differences separate the two, including the following:
• In computer forensics the investigator and the person being investigated (in many
cases the criminal) are on two different levels, with the investigator supposedly
having a higher level of knowledge of the system; in network forensics the
investigator and the adversary are at the same skill level.
• In many cases, the investigator and the adversary use the same tools: one to cause the
incident, the other to investigate it. In fact, many of the network security tools on
the market today, including NetScanTools Pro, Traceroute, and Port Probe, which are
used to gain information on network configurations, can be used by both the
investigator and the criminal.
• Computer forensics deals with extraction, preservation, identification, documentation,
and analysis, and follows well-defined procedures springing from law enforcement for
acquiring evidence, providing chain of custody, authenticating, and interpreting it.
Network forensics, on the other hand, has nothing to investigate unless measures (such
as packet filters, firewalls, and intrusion detection systems) were in place prior to
the incident.

Different definitions of Network Forensics
• Network forensics is the capturing, recording, and analysis of network events in
order to discover the source of security attacks.

• The capture, recording, and analysis of network events in order to discover the
source of security attacks or other problem incidents.

• Network traffic is transmitted and then lost, leaving no clues behind.

• An investigator needs to back up these recorded data to free up recording media
and to preserve the data for future analysis.

• Network forensics allows us to find the details of network events after they have
happened.

The Network Security Process
Looking For Evidence
• Vulnerabilities:
• An attacker identifies potential weaknesses in a system, network, and
elements of the network and then tries to take advantage of those
vulnerabilities.
• The intruder can find known vulnerabilities using various scanners.
• Viruses: Viruses are a major cause of shutdown of network
components. A virus is a software program written to change the
behaviour of a computer or other device on a network, without the
permission or knowledge of the user.
• Trojans: Trojan horses are programs that contain or install malicious
programs on targeted systems. These programs serve as back doors
and are often used to steal information from systems.
• E-mail infection: The use of e-mail to attack a network is increasing.
An attacker can use e-mail spamming and other means to flood a
network and cause a denial-of-service attack.
• Router attacks: Routers are the main gateways into a network,
through which all traffic passes. A router attack can bring down a
whole network.
• Password cracking: Password cracking is a last resort for any kind of
attack.
Looking For Evidence
• An investigator can find evidence from the following:

• From the attack computer and intermediate computers:
This evidence is in the form of logs, files, ambient data, and tools.

• From firewalls:
An investigator can look at a firewall's logs. If the firewall itself was the
victim, the investigator treats the firewall like any other device when
obtaining evidence.

• From internetworking devices:
Evidence exists in logs and buffers as available.

• From the victim computer:
An investigator can find evidence in logs, files, ambient data, altered
configuration files, remnants of Trojaned files, files that do not match
hash sets, tools, Trojans and viruses, stored stolen files, Web
defacement remnants, and unknown file extensions.
Intrusion Detection
• Intrusion detection is the process of tracking unauthorized activity using
techniques such as inspecting user actions, security logs, or audit data.

• There are various types of intrusions, including unauthorized access to files
and systems, worms, Trojans, computer viruses, buffer overflow attacks,
application redirection, and identity and data spoofing.

• Intrusion attacks can also appear in the form of denial of service, and DNS,
e-mail, content, or data corruption.

• Intrusions can result in a change of user and file security rights, installation
of Trojan files, and improper data access.

• Administrators use many different intrusion detection techniques, including
evaluation of system logs and settings, and deploying firewalls, antivirus
software, and specialized intrusion detection systems.

• Administrators should investigate any unauthorized or malicious entry into a
network or host.
Investigative Methodology
• Obtain information
• Strategize
• Collect evidence
• Analyse
• Report
Obtain Information
• Incident description
• Information regarding incident discovery
• Known persons involved
• Systems and/or data known to be involved
• Actions taken by organization since discovery
• Potential legal issues
• Working time frame for investigation and resolution
• Specific goals
Strategize
• Understand the goals and time frame for investigation
• Organize and list resources
• Identify and document evidence sources
• Estimate value of evidence versus value of obtaining it
• Prioritize based on this estimate
• Plan of attack – both for acquisition and analysis
• Set up schedule for regular communication between investigators
Collect Evidence
• Document, document, document
• Lawfully capture evidence
• Make cryptographically verifiable copies
• Set up secure storage of collected evidence
• Establish chain of custody
• Analyse copies only
• Use legally obtained, reputable tools
• Document every step
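The "cryptographically verifiable copies" and "chain of custody" steps above, worked through in code. This is an added example, not material from the slides or from any tool the course uses: it hashes a capture file before copying, checks that the copy hashes identically, records the acquisition in a JSON-lines custody log, and later re-verifies the working copy. The file names, the handler name, the custody log layout and the fake capture bytes are all constructed for the demonstration.

```python
"""Added example: verifiable evidence copy plus a chain-of-custody record.

Assumptions (all hypothetical, not from the slides): the evidence is a single
file, the custody log is a JSON-lines file in the evidence store, and the
handler name is supplied by the caller. The "capture" written in demo() is
constructed filler, not a real pcap.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large capture never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def append_custody_entry(log_path, entry):
    """Append one custody event (who, when, what, which hash) as a JSON line."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")


def acquire_copy(src, dst_dir, handler, log_path):
    """Hash the original, copy it, hash the copy, and log both.

    Raises if the copy does not match the source, so a bad copy is never
    silently recorded as evidence. Returns the custody entry.
    """
    original_hash = sha256_file(src)
    dst = os.path.join(dst_dir, os.path.basename(src))
    shutil.copy2(src, dst)  # copy2 keeps timestamps as well as content
    copy_hash = sha256_file(dst)
    if copy_hash != original_hash:
        raise RuntimeError("copy does not match original; acquisition failed")
    entry = {
        "action": "acquire",
        "handler": handler,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "source": src,
        "copy": dst,
        "sha256": original_hash,
    }
    append_custody_entry(log_path, entry)
    return entry


def verify_copy(entry):
    """Re-hash the working copy and compare with the hash logged at acquisition."""
    return os.path.exists(entry["copy"]) and sha256_file(entry["copy"]) == entry["sha256"]


def demo():
    """Constructed walk-through: acquire a fake capture, verify it, then tamper with it."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    src = os.path.join(workdir, "capture.pcap")
    with open(src, "wb") as f:
        # constructed content: pcap magic number followed by filler bytes
        f.write(b"\xd4\xc3\xb2\xa1" + b"constructed capture bytes" * 100)
    store = os.path.join(workdir, "store")
    os.makedirs(store)
    log_path = os.path.join(store, "custody.jsonl")

    entry = acquire_copy(src, store, "analyst-1", log_path)
    intact = verify_copy(entry)
    with open(entry["copy"], "ab") as f:
        f.write(b"X")  # simulate an unlogged modification of the working copy
    tampered = verify_copy(entry)
    return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("copy verified before tampering:", before)
    print("copy verified after tampering:", after)
```

The custody log is append-only by construction; anyone re-running verify_copy against an entry can tell whether the copy handed to them is the one that was acquired. Analysis should then be done on further copies made the same way, never on the original.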
Analyse
• Show correlation with multiple sources of evidence
• Establish a well documented timeline of activities
• Highlight and further investigate events that are potentially more relevant
to the incident
• Corroborate all evidence, which may require more evidence gathering
• Re-evaluate the initial plan of attack and make needed adjustments
• Make educated interpretations of evidence that lead to a thorough
investigation; look for all possible explanations
• Build working theories that can be backed up by the evidence (this is only
to ensure a thorough investigation)
• SEPARATE YOUR INTERPRETATIONS FROM THE FACTS
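An added example (not from the slides) of the first two analysis steps, and of the evidence sources listed under "Looking For Evidence": a firewall log, an IDS alert file and the victim host's authentication log are parsed into one chronological timeline, and source addresses that appear in more than one evidence source within a short window are reported as corroborated. The three log formats, the addresses (RFC 5737 documentation ranges), the alert text and the assumed year for the year-less syslog lines are all constructed for the demonstration. The function reports only which sightings corroborate each other; deciding which of them is hostile is the investigator's interpretation.

```python
"""Added example: merge several constructed evidence sources into one timeline
and report source addresses seen in more than one of them."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

ASSUMED_SYSLOG_YEAR = 2024  # assumption: syslog-style timestamps carry no year

# Constructed sample evidence, resembling (but not copied from) common formats.
FIREWALL_LOG = """\
2024-03-05T10:01:02Z ACCEPT SRC=198.51.100.7 DST=192.0.2.10 DPT=443
2024-03-05T10:01:04Z DROP SRC=203.0.113.5 DST=192.0.2.10 DPT=23
2024-03-05T10:01:09Z ACCEPT SRC=203.0.113.5 DST=192.0.2.10 DPT=22
"""
IDS_ALERTS = """\
03/05-10:01:06.000000 [1:1000001:1] CONSTRUCTED SSH scan 203.0.113.5:41000 -> 192.0.2.10:22
"""
HOST_AUTH_LOG = """\
Mar  5 10:01:11 victim sshd[2201]: Failed password for root from 203.0.113.5 port 41002 ssh2
Mar  5 10:01:13 victim sshd[2202]: Accepted password for admin from 198.51.100.7 port 50000 ssh2
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    source: str   # which evidence source produced the event
    src_ip: str
    dst: str
    detail: str


def parse_firewall(text):
    pat = re.compile(r"^(\S+) (\w+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield Event(ts, "firewall", m.group(3), m.group(4), f"{m.group(2)} to port {m.group(5)}")


def parse_ids(text):
    pat = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[[^\]]+\] (.*?) (\S+):\d+ -> (\S+):\d+$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            stamp = f"{ASSUMED_SYSLOG_YEAR}-{m.group(1)}-{m.group(2)} {m.group(3)}"
            ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            yield Event(ts, "ids", m.group(5), m.group(6), m.group(4))


def parse_host_auth(text):
    pat = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(\w+ password) for (\S+) from (\S+) port")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            stamp = f"{ASSUMED_SYSLOG_YEAR} {m.group(1)} {m.group(2)} {m.group(3)}"
            ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
            yield Event(ts, "host", m.group(7), m.group(4), f"{m.group(5)} for {m.group(6)}")


def build_timeline(*event_iters):
    """Merge events from every source into one chronologically ordered list."""
    return sorted((e for it in event_iters for e in it), key=lambda e: e.time)


def corroborated_sources(timeline, window_seconds=60):
    """Map each source address seen in at least two different evidence sources
    within the window to the sorted list of those sources. Single-source
    sightings are omitted: they are facts, but not yet corroborated ones."""
    by_ip = defaultdict(list)
    for e in timeline:          # timeline is already sorted, so lists stay in order
        by_ip[e.src_ip].append(e)
    result = {}
    for ip, events in by_ip.items():
        span = (events[-1].time - events[0].time).total_seconds()
        sources = {e.source for e in events}
        if len(sources) >= 2 and span <= window_seconds:
            result[ip] = sorted(sources)
    return result


def analyse():
    timeline = build_timeline(parse_firewall(FIREWALL_LOG), parse_ids(IDS_ALERTS),
                              parse_host_auth(HOST_AUTH_LOG))
    return timeline, corroborated_sources(timeline)


if __name__ == "__main__":
    tl, hits = analyse()
    for e in tl:
        print(e.time.isoformat(), e.source.ljust(8), e.src_ip.ljust(14), "->", e.dst, e.detail)
    print("corroborated across sources:", hits)
```

Note that 198.51.100.7 is reported as corroborated too: it appears in the firewall log and the host log, but both entries describe a successful, ordinary login. Corroboration establishes that two sources agree an event happened; whether it matters is a separate, documented interpretation.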
Report
• Every report must be:
• Understandable by nontechnical people
• Complete and meticulous
• Defensible in every detail
• Completely factual
Network forensics challenges

1. High speed data transmission

• The high data rate of network traffic creates difficulties for network forensics in
capturing and preserving all network packets. Millions of packets are transmitted
over the network in no time, passing through thousands of interconnected
network devices.

2. Data storage on the network devices

• A huge amount of data is transmitted over the network, which is captured and
analysed for investigation. However, this volume complicates the retrieval of
evidence from the network. For instance, the captured data needs to be stored on
devices with large storage capacity, whereas the storage capacity of the network
interconnectivity devices is limited.

3. Data integrity

• Data integrity plays a vital role in the process of network forensics and has to
be tackled. Data integrity in the network is the ability to keep accurate, complete,
and consistent data in the network.

4. Data privacy

• Data privacy is an important factor in the investigation process of network
forensics. A forensic attribution solution is proposed to solve the aforementioned
problem related to user privacy. A forensic investigator can view the data of
interest by verifying the packet signature to enforce forensic attribution in the
network.

5. Access to IP addresses

• Access to the source IP address of an intruder is an important step in network
forensics. The source IP address indicates the origin of the attack, which assists in
identifying the intruder and stopping the attacks.

6. Data extraction location
• The distributed nature and virtualized characteristics of networks complicate network
forensics in identifying the appropriate location and device for extracting the data. In a
network with thousands of devices connected to each other through high speed data
links transmitting millions of packets per second, it is difficult to handle every link
and device.

7. Intelligent network forensic tools

• Current network forensic analysis tools capture and record network traffic by
targeting complete packets.
• Such tools have problems storing huge volumes of data and introduce long
time delays.
• An intelligent and smart network forensic tool is required to capture network traffic
of choice depending on the investigational situation.
• For instance, capturing specific session data with a domain of interest, which further
records, analyses, and visualizes the data. This will reduce the problem of storage,
computational resources for investigation, bandwidth utilization, and time delays, and
result in quick incident response in real-time situations.
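An added example (not from the slides or from any existing tool) of the "capture traffic of choice" idea in challenge 7, which also puts a number on the storage problem of challenges 1 and 2. Instead of storing every packet, a selective capture filter keeps whole sessions that involve a domain of interest. Packets are assumed to be simple records with a 5-tuple, a size and an optional host hint standing in for what a DNS question, HTTP Host header or TLS SNI would reveal in a real capture; the traffic, addresses and domain names are constructed. Packets of a flow are buffered until the flow is classified, so the handshake packets that arrive before the domain is visible are kept as well.

```python
"""Added example: selective session capture keyed on a domain of interest.

Assumptions (hypothetical): packets are pre-parsed records; the "host" field
is the domain a real capture would extract from DNS, HTTP or TLS; flows are
identified by a direction-independent 5-tuple.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    size: int
    host: Optional[str] = None  # domain revealed by this packet, if any


def flow_key(p):
    """Direction-independent 5-tuple so both halves of a conversation share a flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return ("tcp",) + (a + b if a <= b else b + a)


class SelectiveCapture:
    """Keep whole sessions that mention a domain of interest; drop the rest.

    Packets are buffered per flow until a packet reveals a domain. A domain of
    interest keeps the flow (including the buffered packets); any other domain
    drops it. A flow that exceeds `undecided_limit` bytes without revealing a
    domain is dropped so the buffer cannot grow without bound.
    """

    def __init__(self, domains_of_interest, undecided_limit=4096):
        self.domains = {d.lower() for d in domains_of_interest}
        self.undecided_limit = undecided_limit
        self.pending = defaultdict(list)  # flow -> packets awaiting a decision
        self.decision = {}                # flow -> True (keep) / False (drop)
        self.kept = []
        self.seen_bytes = 0
        self.kept_bytes = 0

    def _interesting(self, host):
        h = host.lower()
        return any(h == d or h.endswith("." + d) for d in self.domains)

    def _keep(self, p):
        self.kept.append(p)
        self.kept_bytes += p.size

    def feed(self, p):
        self.seen_bytes += p.size
        k = flow_key(p)
        if k in self.decision:
            if self.decision[k]:
                self._keep(p)
            return
        self.pending[k].append(p)
        if p.host is not None:
            self.decision[k] = self._interesting(p.host)
            buffered = self.pending.pop(k)
            if self.decision[k]:
                for q in buffered:
                    self._keep(q)
        elif sum(q.size for q in self.pending[k]) > self.undecided_limit:
            self.decision[k] = False
            self.pending.pop(k)

    def flush(self):
        """At end of capture, flows that never revealed a domain are dropped."""
        self.pending.clear()

    def reduction(self):
        """Fraction of captured bytes that did not have to be stored."""
        return 1 - self.kept_bytes / self.seen_bytes if self.seen_bytes else 0.0


def demo():
    """Constructed traffic: one session to the domain of interest, one to an
    unrelated domain, and one (plain SSH) that never reveals a domain."""
    a = ("10.0.0.5", 40000, "198.51.100.20", 443)
    b = ("10.0.0.6", 40001, "203.0.113.30", 443)
    c = ("10.0.0.7", 40002, "203.0.113.40", 22)
    packets = [
        Packet(1.0, *a, 60), Packet(1.1, *b, 60), Packet(1.2, *c, 60),  # handshakes
        Packet(1.3, *a, 200, host="evil.example"),       # hint: domain of interest
        Packet(1.4, *b, 200, host="cdn.example.org"),    # hint: unrelated domain
        Packet(1.5, *a, 1500), Packet(1.6, *c, 1500), Packet(1.7, *b, 1500),
        Packet(1.8, "198.51.100.20", 443, "10.0.0.5", 40000, 1200),  # reply direction
        Packet(1.9, *c, 1500), Packet(2.0, *b, 1500), Packet(2.1, *a, 1500),
        Packet(2.2, *c, 1500), Packet(2.3, *b, 1500),
    ]
    cap = SelectiveCapture({"evil.example"})
    for p in packets:
        cap.feed(p)
    cap.flush()
    return cap


if __name__ == "__main__":
    cap = demo()
    print(f"kept {len(cap.kept)} packets, {cap.kept_bytes} of {cap.seen_bytes} bytes,"
          f" reduction {cap.reduction():.1%}")
```

The trade-off is visible in the undecided limit: a flow whose domain hint never arrives is discarded, so a real tool would need a second, cheaper record (flow summaries, for instance) so that dropped sessions at least leave a trace in the timeline.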
