Unit – 1
Network Forensics
• In many cases, the investigator and the adversary use the same tools: one to cause the incident, the other to investigate it. Many of the network security tools on the market today, including NetScanTools Pro, Traceroute, and Port Probe, which are used to gain information on network configurations, can be used by both the investigator and the criminal.
• Computer forensics deals with extraction, preservation, identification, documentation, and analysis, and follows well-defined procedures that grew out of law enforcement practice for acquiring evidence, maintaining chain of custody, authenticating it, and interpreting it. Network forensics, on the other hand, has nothing to investigate unless measures such as packet filters, firewalls, and intrusion detection systems were in place before the incident.
ashwini.solegaonkar@gmail.com
Different definitions of Network Forensics
• Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks.
• The capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
• Network forensics allows us to find the details of network events after they have happened.
The Network Security Process
Looking For Evidence
• Vulnerabilities:
• An attacker identifies potential weaknesses in a system, a network, and the elements of the network, and then tries to take advantage of those vulnerabilities.
• The intruder can find known vulnerabilities using various scanners.
• Viruses: Viruses are a major cause of shutdown of network components. A virus is a software program written to change the behaviour of a computer or other device on a network without the permission or knowledge of the user.
Looking For Evidence
• An investigator can find evidence from the following:
• From firewalls: An investigator can look at a firewall’s logs. If the firewall itself was the victim, the investigator treats the firewall like any other device when obtaining evidence.
Intrusion Detection
• Intrusion detection is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data.
• Intrusion attacks can also appear in the form of denial of service, and DNS,
• Intrusions can result in a change of user and file security rights, installation of Trojan files, and improper data access.
Investigative Methodology
• Obtain information
• Strategize
• Collect evidence
• Analyse
• Report
Obtain Information
• Incident description
• Information regarding incident discovery
• Known persons involved
Strategize
• Understand the goals and time frame for investigation
• Organize and list resources
• Identify and document evidence sources
• Estimate value of evidence versus value of obtaining it
Collect Evidence
• Document, document, document
• Lawfully capture evidence
• Make cryptographically verifiable copies
• Set up secure storage of collected evidence
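As an added example (not part of the original slides), the following Python shows one way to make the evidence copies cryptographically verifiable, which is the "Make cryptographically verifiable copies" step above and also the data integrity challenge discussed later in this unit: every collected file is hashed with SHA-256 at acquisition time, the digests together with the collector and case details are written to a manifest, and the copy is re-verified against that manifest later so any modification or loss is detected. The file names, case id, collector name and file contents are constructed for the demo.

```python
"""Cryptographically verifiable evidence copies (added example).

Hash each collected file on acquisition, record the digests in a manifest,
and re-verify the copy against the manifest later. All file names and
contents below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large pcap never has to fit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record who collected which files, when, and each file's size and SHA-256."""
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest, directory):
    """Return {file name: 'ok' | 'modified' | 'missing'} for the evidence copy in `directory`."""
    results = {}
    for item in manifest["items"]:
        p = os.path.join(directory, item["path"])
        if not os.path.exists(p):
            results[item["path"]] = "missing"
        elif os.path.getsize(p) == item["size"] and sha256_file(p) == item["sha256"]:
            results[item["path"]] = "ok"
        else:
            results[item["path"]] = "modified"
    return results


def demo():
    """Constructed scenario: two evidence files are collected, then one copy is altered."""
    with tempfile.TemporaryDirectory() as d:
        fw_log = os.path.join(d, "firewall.log")
        capture = os.path.join(d, "capture.pcap")
        with open(fw_log, "wb") as f:
            f.write(b"2024-01-01T10:00:00Z DENY tcp 203.0.113.5 -> 192.0.2.10:22\n")
        with open(capture, "wb") as f:
            f.write(b"\xd4\xc3\xb2\xa1" + bytes(60))  # pcap magic plus padding, constructed

        manifest = build_manifest([fw_log, capture], collector="analyst-1", case_id="CASE-0001")
        before = verify_manifest(manifest, d)

        with open(fw_log, "ab") as f:  # an unauthorised edit to the working copy
            f.write(b"tampered\n")
        after = verify_manifest(manifest, d)
        return before, after, manifest


if __name__ == "__main__":
    before, after, manifest = demo()
    print(json.dumps(manifest, indent=2))
    print("before:", before)
    print("after: ", after)
```

The manifest itself should be stored separately from the evidence (and ideally signed or hashed in turn), so that whoever alters a copy cannot also rewrite the digest it is checked against.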
Analyse
• Show correlation with multiple sources of evidence
• Establish a well documented timeline of activities
• Highlight and further investigate events that are potentially more relevant to the incident
• Corroborate all evidence, which may require more evidence gathering
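The first two analysis points, correlating multiple evidence sources and building a timeline, are illustrated by the added Python below (example code, not part of the original slides). It parses two constructed evidence sources, a firewall log stamped in local time with a UTC offset and an IDS alert log stamped in UTC epoch seconds, normalises both to UTC, merges them into one ordered timeline, and reports which source addresses appear in more than one source and therefore corroborate each other. The log formats, addresses and signature ids are made up for the demo.

```python
"""Multi-source timeline correlation (added example).

Two constructed evidence sources with different timestamp conventions are
normalised to UTC, merged into a single timeline, and checked for hosts
that appear in both. Log formats and values are made up for the demo.
"""
import re
from datetime import datetime, timezone

# Constructed firewall log: local timestamp with UTC offset, action, proto, src -> dst:port
FIREWALL_LOG = """\
2024-03-04 08:59:58 +0530 DENY tcp 203.0.113.5 -> 192.0.2.10:22
2024-03-04 09:00:03 +0530 ALLOW tcp 198.51.100.7 -> 192.0.2.10:443
2024-03-04 09:00:07 +0530 ALLOW tcp 203.0.113.5 -> 192.0.2.10:443
"""

# Constructed IDS alerts: epoch seconds (UTC), signature id, source ip, message
IDS_LOG = """\
1709523000 2001219 203.0.113.5 ET SCAN Potential SSH Scan
1709523005 2010935 203.0.113.5 ET POLICY Suspicious inbound to web server
"""

FW_RE = re.compile(r"^(\S+ \S+) ([+-]\d{4}) (\w+) (\w+) (\S+) -> (\S+):(\d+)$")
IDS_RE = re.compile(r"^(\d+) (\d+) (\S+) (.+)$")


def parse_firewall(text):
    """Firewall lines carry a local time plus offset; convert each to an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        stamp, offset, action, proto, src, dst, port = m.groups()
        local = datetime.strptime(f"{stamp} {offset}", "%Y-%m-%d %H:%M:%S %z")
        events.append({
            "ts": local.astimezone(timezone.utc),
            "source": "firewall",
            "src": src,
            "detail": f"{action} {proto} -> {dst}:{port}",
        })
    return events


def parse_ids(text):
    """IDS lines carry epoch seconds, which are already UTC."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        epoch, sid, src, msg = m.groups()
        events.append({
            "ts": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
            "source": "ids",
            "src": src,
            "detail": f"sid {sid}: {msg}",
        })
    return events


def build_timeline(*sources):
    """Merge event lists from any number of sources into one list ordered by UTC time."""
    return sorted((e for events in sources for e in events), key=lambda e: e["ts"])


def corroborated_hosts(timeline):
    """Source IPs seen in more than one evidence source (independent corroboration)."""
    seen = {}
    for e in timeline:
        seen.setdefault(e["src"], set()).add(e["source"])
    return sorted(ip for ip, sources in seen.items() if len(sources) > 1)


def render(timeline):
    """One documented line per event, all in UTC so the order is unambiguous."""
    return [
        f"{e['ts'].strftime('%Y-%m-%dT%H:%M:%SZ')} [{e['source']:8}] {e['src']} {e['detail']}"
        for e in timeline
    ]


def demo():
    timeline = build_timeline(parse_firewall(FIREWALL_LOG), parse_ids(IDS_LOG))
    return render(timeline), corroborated_hosts(timeline)


if __name__ == "__main__":
    lines, hosts = demo()
    print("\n".join(lines))
    print("corroborated by more than one source:", hosts)
```

Normalising every source to UTC before sorting is the step most often skipped; with the constructed data above, the firewall's 09:00 local entries interleave with IDS alerts stamped around 03:30 UTC only once the +0530 offset has been applied.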
Report
• Every report must be:
• Understandable by nontechnical people
• Complete and meticulous
• Defensible in every detail
• Completely factual
Network forensics challenges
1. High speed data transmission
• The high data rate of network traffic makes it difficult for network forensics to capture and preserve all network packets. Millions of packets are transmitted over the network in no time, passing through thousands of interconnected network devices.
• A huge amount of data is transmitted over the network, and it must be captured and analysed for investigation. This volume complicates the retrieval of evidence from the network. For instance, the captured data needs to be stored on devices with large storage capacity, whereas the storage capacity of network interconnectivity devices is limited.
3. Data integrity
• Data integrity plays a vital role in network forensics and has to be addressed. Data integrity in the network is the ability to keep accurate, complete, and consistent data in the network.
4. Data privacy
5. Access to IP addresses
6. Data extraction location
• The distributed nature and virtualized characteristics of networks complicate network forensics in identifying the appropriate location and device for extracting the data. A network with thousands of devices connected through high-speed data links transmitting millions of packets per second is difficult to handle at each of its links and devices.
• Current network forensic analysis tools capture and record network traffic by targeting complete packets.
• Such tools have problems storing the huge volume of data and introduce additional time delays.
• An intelligent network forensic tool is required to capture network traffic of choice depending on the investigational situation.
• For instance, capturing only the session data for a domain of interest, and then recording, analysing, and visualizing that data, reduces the storage and computational resources needed for the investigation, bandwidth utilization, and time delays, and results in quick incident response in real-time situations.
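The idea of capturing traffic of choice rather than every packet is shown by the added Python below (example code, not part of the original slides). It learns which IP addresses belong to a domain of interest from DNS answers seen on the wire, keeps only the packets of sessions to or from those addresses, and summarises them as bidirectional flow records instead of storing full packets, then reports how many bytes that saved relative to full-packet capture. The "wire" is a constructed list of packet tuples and all addresses and domain names are made up; a live tool would apply the same selection as packets arrive, and the offline two-pass form here is only so the demo is self-contained.

```python
"""Targeted session capture with flow summarisation (added example).

Instead of recording every packet, resolve a domain of interest to the IPs
seen in DNS answers, keep only sessions touching those IPs, and aggregate
them into flow records. Packets below are constructed for the demo.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src sport dst dport length dns_answer")

# Constructed traffic: one host fetches from two domains after resolving them.
# dns_answer is (name, ip) on DNS responses, else None.
PACKETS = [
    Packet(1.000, "udp", "192.0.2.10", 53001, "192.0.2.53", 53, 70, None),
    Packet(1.010, "udp", "192.0.2.53", 53, "192.0.2.10", 53001, 86, ("update.example.net", "198.51.100.20")),
    Packet(1.020, "tcp", "192.0.2.10", 40001, "198.51.100.20", 443, 74, None),
    Packet(1.030, "tcp", "198.51.100.20", 443, "192.0.2.10", 40001, 1514, None),
    Packet(1.031, "tcp", "198.51.100.20", 443, "192.0.2.10", 40001, 1514, None),
    Packet(1.040, "tcp", "192.0.2.10", 40002, "203.0.113.9", 80, 74, None),
    Packet(1.050, "tcp", "203.0.113.9", 80, "192.0.2.10", 40002, 1514, None),
    Packet(1.060, "udp", "192.0.2.11", 53002, "192.0.2.53", 53, 70, None),
    Packet(1.070, "udp", "192.0.2.53", 53, "192.0.2.11", 53002, 90, ("cdn.example.org", "203.0.113.9")),
]


def learn_resolutions(packets, domains):
    """Map each IP returned in a DNS answer for a watched domain back to that domain.

    Offline, this is a first pass over the capture; a live tool would update
    the map as DNS responses arrive, ahead of the sessions that use them.
    """
    ip_to_domain = {}
    for p in packets:
        if p.dns_answer and p.dns_answer[0] in domains:
            ip_to_domain[p.dns_answer[1]] = p.dns_answer[0]
    return ip_to_domain


def flow_key(p):
    """Direction-independent 5-tuple so both halves of a session share one record."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def summarise(packets, ip_to_domain):
    """Keep only packets to/from watched IPs and aggregate them into flow records.

    Returns (flows, bytes kept, bytes on the wire) so the saving is visible.
    """
    flows = {}
    kept_bytes = total_bytes = 0
    for p in packets:
        total_bytes += p.length
        domain = ip_to_domain.get(p.src) or ip_to_domain.get(p.dst)
        if domain is None:
            continue  # not a session of interest: not stored at all
        kept_bytes += p.length
        rec = flows.setdefault(flow_key(p), {"domain": domain, "first": p.ts, "last": p.ts, "packets": 0, "bytes": 0})
        rec["last"] = p.ts
        rec["packets"] += 1
        rec["bytes"] += p.length
    return flows, kept_bytes, total_bytes


def demo(domains=("update.example.net",)):
    """Select sessions for the given domains from the constructed traffic."""
    ip_map = learn_resolutions(PACKETS, set(domains))
    return summarise(PACKETS, ip_map)


if __name__ == "__main__":
    flows, kept, total = demo()
    for key, rec in flows.items():
        print(key, rec)
    print(f"stored {kept} of {total} bytes ({100 * kept / total:.0f}%) as {len(flows)} flow record(s)")
```

With only `update.example.net` watched, the three packets of that TLS session are kept as a single flow record and the rest of the constructed traffic is dropped; widening the watch list to both domains keeps two flows. The DNS traffic itself is not retained here, which is a design choice an investigator may want to revisit, since the resolution is the evidence that ties the IP to the domain.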