Network Forensics

Network Traffic Analysis and Investigation

Network Forensics Process

What is Network Forensics?

Network Forensics: The capture, recording, and analysis of network events and traffic to discover the source of security attacks or network intrusion incidents.
  • Traffic Analysis: Examining network communications
  • Incident Investigation: Identifying attack vectors and sources
  • Evidence Collection: Preserving network-based evidence
  • Real-time Monitoring: Live network surveillance

Network Forensics Objectives

Primary Goals:

  1. Incident Detection: Identify security breaches and anomalies
  2. Evidence Collection: Gather admissible network evidence
  3. Attack Attribution: Determine attack sources and methods
  4. Timeline Reconstruction: Establish sequence of network events
  5. Damage Assessment: Evaluate impact and scope of incidents
  6. Prevention: Improve security based on findings

Network Protocol Analysis

Layer 2 - Data Link

  • MAC addresses
  • ARP traffic
  • Switch logs
  • VLAN information

Layer 3 - Network

  • IP addresses and routing
  • ICMP messages
  • Network topology
  • Routing protocols

Layer 4 - Transport

  • TCP/UDP connections
  • Port information
  • Session analysis
  • Connection states

Layer 7 - Application

  • HTTP/HTTPS traffic
  • Email protocols
  • File transfers
  • Application data

Network Data Collection

Collection Approaches:

  • Catch-it-as-you-can: Collect all packets passing through collection point
  • Stop-look-and-listen: Real-time analysis with selective storage
  • Hybrid Approach: Combination of full packet capture and real-time analysis

Packet Capture Methods

  • Network taps
  • Port mirroring/SPAN
  • Inline sensors
  • Software-based capture

Data Sources

  • Full packet captures
  • Flow records (NetFlow/sFlow)
  • Log files
  • IDS/IPS alerts

Traffic Analysis Techniques

Packet Analysis Process: 1. Packet Capture → 2. Protocol Decoding → 3. Session Reconstruction 4. Content Extraction → 5. Pattern Analysis → 6. Anomaly Detection

Analysis Methods:

  • Protocol Analysis: Examine protocol compliance and anomalies
  • Session Reconstruction: Rebuild communication sessions
  • Flow Analysis: Study traffic patterns and volumes
  • Content Analysis: Examine payload data
  • Behavioral Analysis: Identify unusual communication patterns

Network Forensic Tools

Packet Capture Tools

  • Wireshark: GUI packet analyzer
  • tcpdump: Command-line packet capture
  • tshark: Command-line Wireshark
  • NetworkMiner: Forensic packet analyzer

Flow Analysis Tools

  • SiLK: Traffic analysis toolkit
  • Argus: Network activity auditing
  • nfcapd/nfdump: NetFlow capture and analysis
  • ELK Stack: Log analysis platform
Wireshark Display Filters Examples: ip.addr == 192.168.1.1 # Specific IP address tcp.port == 80 # HTTP traffic http.request.method == "POST" # HTTP POST requests dns.flags.response == 0 # DNS queries only tcp.flags.syn == 1 # TCP SYN packets

Common Network Attack Investigation

DDoS Attacks

  • Traffic volume analysis
  • Source IP distribution
  • Attack vector identification
  • Amplification factor calculation

Malware Communication

  • Command and control traffic
  • Data exfiltration patterns
  • DNS tunneling detection
  • Beaconing behavior analysis

Network Intrusion

  • Lateral movement tracking
  • Privilege escalation evidence
  • Data access patterns
  • Persistence mechanism traffic

Man-in-the-Middle

  • Certificate anomalies
  • ARP spoofing indicators
  • DNS hijacking evidence
  • Traffic redirection patterns

Session Reconstruction

Session Reconstruction: The process of reassembling network communications to understand complete interactions between network endpoints.

Reconstruction Process:

  1. Packet Collection: Gather related packets
  2. Stream Assembly: Reassemble TCP streams
  3. Protocol Decoding: Parse application protocols
  4. Content Extraction: Extract files and data
  5. Timeline Creation: Order events chronologically
TCP Stream Following: • Wireshark: Follow → TCP Stream • Identifies complete conversations • Reconstructs bidirectional communication • Extracts application-layer data • Reveals transferred files and content

Network Log Analysis

Types of Network Logs:

  • Firewall Logs: Connection attempts and blocks
  • Router Logs: Routing decisions and interface status
  • Switch Logs: Port activities and MAC address changes
  • DNS Logs: Domain name resolution queries
  • DHCP Logs: IP address assignments
  • Proxy Logs: Web access and URL filtering
Common Log Formats: • Apache Common Log Format (CLF) • W3C Extended Log Format • Cisco IOS logging format • Windows Event Log format • Syslog (RFC 3164/RFC 5424)

Network Flow Analysis

Network Flows: Unidirectional sequence of packets sharing common characteristics (source/destination IP, ports, protocol, ToS) within a time window.

Flow Technologies

  • NetFlow: Cisco's flow monitoring
  • sFlow: Sampled flow monitoring
  • IPFIX: IP Flow Information Export
  • J-Flow: Juniper's implementation

Flow Analysis Benefits

  • Scalable monitoring
  • Long-term storage
  • Trend analysis
  • Bandwidth utilization

Flow Record Information:

  • Source and destination IP addresses
  • Source and destination port numbers
  • Protocol type
  • Type of Service (ToS)
  • Start and end timestamps
  • Packet and byte counts

Wireless Network Forensics

Wireless-Specific Challenges:

  • Signal Interception: Requires proximity to access point
  • Encryption: WPA/WPA2/WPA3 protection
  • Channel Hopping: Multiple frequency monitoring
  • Device Mobility: Changing association patterns
  • Physical Layer: RF signal analysis

Wireless Analysis Tools:

  • Kismet: Wireless network detector
  • Aircrack-ng: Wireless security auditing
  • InSSIDer: WiFi network scanner
  • CommView for WiFi: Wireless packet capture
  • Wireshark: With wireless adapters

Encrypted Traffic Analysis

Challenge: Analyzing encrypted communications without breaking encryption by examining metadata and traffic patterns.

Analysis Techniques:

  • Traffic Flow Analysis: Connection patterns and timing
  • Packet Size Analysis: Size patterns reveal application types
  • Certificate Analysis: TLS certificate information
  • DNS Analysis: Domain name resolutions
  • JA3 Fingerprinting: TLS client identification
Encrypted Traffic Indicators: • Regular beaconing patterns (malware C2) • Unusual data volumes during off-hours • Connections to suspicious IP addresses • Certificate anomalies or changes • Domain generation algorithm patterns

Network Timeline Analysis

Timeline Creation Process:

  1. Data Collection: Gather timestamped network events
  2. Time Synchronization: Normalize timestamps across sources
  3. Event Correlation: Link related network activities
  4. Pattern Recognition: Identify attack sequences
  5. Visualization: Create comprehensive timeline views

Correlation Techniques:

  • IP address correlation across time
  • Session ID tracking
  • User agent string analysis
  • Geolocation correlation
  • Attack signature matching

Network Evidence Preservation

Chain of Custody: Maintaining integrity and authenticity of network evidence from collection through analysis and presentation.

Preservation Requirements

  • Accurate time synchronization
  • Hash verification of packet captures
  • Proper storage and handling
  • Access logging and control
  • Documentation of procedures

Storage Considerations

  • High-speed storage for captures
  • Redundant storage systems
  • Compression for long-term retention
  • Secure access controls
  • Regular integrity checks

Network Forensics Challenges

Technical Challenges:

  • Volume: High-speed networks generate massive data
  • Encryption: Widespread use limits content analysis
  • Switched Networks: Traffic segmentation challenges
  • Cloud Computing: Limited visibility in virtual environments
  • Mobile Devices: Wireless and cellular network complexity

Legal and Privacy Challenges:

  • Privacy regulations and compliance
  • Cross-border data collection
  • Warrant requirements
  • Data retention policies
  • Employee monitoring ethics

Network Forensics in Incident Response

IR Integration Points:

  1. Detection: Network monitoring alerts to incidents
  2. Analysis: Forensic examination of network evidence
  3. Containment: Network-based isolation and blocking
  4. Eradication: Remove network-based threats
  5. Recovery: Restore normal network operations
  6. Lessons Learned: Improve monitoring and detection
Real-time Response Actions: • Block malicious IP addresses • Quarantine infected systems • Capture additional evidence • Preserve volatile network state • Document ongoing activities

Network Forensics Best Practices

Collection Best Practices

  • Continuous monitoring deployment
  • Strategic sensor placement
  • Comprehensive logging configuration
  • Time synchronization across systems
  • Regular storage capacity monitoring

Analysis Best Practices

  • Systematic investigation methodology
  • Multiple analysis perspectives
  • Automated analysis tool usage
  • Cross-correlation with other evidence
  • Detailed documentation practices

Future Trends

Emerging Technologies:

  • AI/ML Integration: Automated threat detection and analysis
  • 5G Networks: New protocols and security challenges
  • IoT Forensics: Massive device ecosystem analysis
  • SD-WAN Analysis: Software-defined networking challenges
  • Edge Computing: Distributed processing forensics

Tool Evolution:

  • Cloud-native forensic platforms
  • Real-time analysis capabilities
  • Enhanced encrypted traffic analysis
  • Cross-platform correlation tools
  • Automated report generation

Key Takeaways

Critical Points:

  • Comprehensive Monitoring: Strategic placement and continuous capture
  • Multi-layered Analysis: Examine all network protocol layers
  • Tool Proficiency: Master various analysis tools and techniques
  • Evidence Integrity: Maintain chain of custody and documentation
  • Continuous Learning: Adapt to evolving network technologies
Network Forensics Success: Combine comprehensive monitoring, systematic analysis, and proper evidence handling to effectively investigate network-based security incidents and cyber crimes.