Network Forensics
Network Traffic Analysis and Investigation
What is Network Forensics?
Network Forensics: The capture, recording, and analysis of network events and traffic to discover the source of security attacks or network intrusion incidents.
- Traffic Analysis: Examining network communications
- Incident Investigation: Identifying attack vectors and sources
- Evidence Collection: Preserving network-based evidence
- Real-time Monitoring: Live network surveillance
Network Forensics Objectives
Primary Goals:
- Incident Detection: Identify security breaches and anomalies
- Evidence Collection: Gather admissible network evidence
- Attack Attribution: Determine attack sources and methods
- Timeline Reconstruction: Establish sequence of network events
- Damage Assessment: Evaluate impact and scope of incidents
- Prevention: Improve security based on findings
Network Protocol Analysis
Layer 2 - Data Link
- MAC addresses
- ARP traffic
- Switch logs
- VLAN information
Layer 3 - Network
- IP addresses and routing
- ICMP messages
- Network topology
- Routing protocols
Layer 4 - Transport
- TCP/UDP connections
- Port information
- Session analysis
- Connection states
Layer 7 - Application
- HTTP/HTTPS traffic
- Email protocols
- File transfers
- Application data
Network Data Collection
Collection Approaches:
- Catch-it-as-you-can: Collect all packets passing through collection point
- Stop-look-and-listen: Real-time analysis with selective storage
- Hybrid Approach: Combination of full packet capture and real-time analysis
Packet Capture Methods
- Network taps
- Port mirroring/SPAN
- Inline sensors
- Software-based capture
Data Sources
- Full packet captures
- Flow records (NetFlow/sFlow)
- Log files
- IDS/IPS alerts
Traffic Analysis Techniques
Packet Analysis Process:
1. Packet Capture → 2. Protocol Decoding → 3. Session Reconstruction
4. Content Extraction → 5. Pattern Analysis → 6. Anomaly Detection
Analysis Methods:
- Protocol Analysis: Examine protocol compliance and anomalies
- Session Reconstruction: Rebuild communication sessions
- Flow Analysis: Study traffic patterns and volumes
- Content Analysis: Examine payload data
- Behavioral Analysis: Identify unusual communication patterns
Network Forensic Tools
Packet Capture Tools
- Wireshark: GUI packet analyzer
- tcpdump: Command-line packet capture
- tshark: Command-line Wireshark
- NetworkMiner: Forensic packet analyzer
Flow Analysis Tools
- SiLK: Traffic analysis toolkit
- Argus: Network activity auditing
- nfcapd/nfdump: NetFlow capture and analysis
- ELK Stack: Log analysis platform
Wireshark Display Filters Examples:
ip.addr == 192.168.1.1 # Specific IP address
tcp.port == 80 # HTTP traffic
http.request.method == "POST" # HTTP POST requests
dns.flags.response == 0 # DNS queries only
tcp.flags.syn == 1 # TCP SYN packets
Common Network Attack Investigation
DDoS Attacks
- Traffic volume analysis
- Source IP distribution
- Attack vector identification
- Amplification factor calculation
Malware Communication
- Command and control traffic
- Data exfiltration patterns
- DNS tunneling detection
- Beaconing behavior analysis
Network Intrusion
- Lateral movement tracking
- Privilege escalation evidence
- Data access patterns
- Persistence mechanism traffic
Man-in-the-Middle
- Certificate anomalies
- ARP spoofing indicators
- DNS hijacking evidence
- Traffic redirection patterns
Session Reconstruction
Session Reconstruction: The process of reassembling network communications to understand complete interactions between network endpoints.
Reconstruction Process:
- Packet Collection: Gather related packets
- Stream Assembly: Reassemble TCP streams
- Protocol Decoding: Parse application protocols
- Content Extraction: Extract files and data
- Timeline Creation: Order events chronologically
TCP Stream Following:
• Wireshark: Follow → TCP Stream
• Identifies complete conversations
• Reconstructs bidirectional communication
• Extracts application-layer data
• Reveals transferred files and content
Network Log Analysis
Types of Network Logs:
- Firewall Logs: Connection attempts and blocks
- Router Logs: Routing decisions and interface status
- Switch Logs: Port activities and MAC address changes
- DNS Logs: Domain name resolution queries
- DHCP Logs: IP address assignments
- Proxy Logs: Web access and URL filtering
Common Log Formats:
• Apache Common Log Format (CLF)
• W3C Extended Log Format
• Cisco IOS logging format
• Windows Event Log format
• Syslog (RFC 3164/RFC 5424)
Network Flow Analysis
Network Flows: Unidirectional sequence of packets sharing common characteristics (source/destination IP, ports, protocol, ToS) within a time window.
Flow Technologies
- NetFlow: Cisco's flow monitoring
- sFlow: Sampled flow monitoring
- IPFIX: IP Flow Information Export
- J-Flow: Juniper's implementation
Flow Analysis Benefits
- Scalable monitoring
- Long-term storage
- Trend analysis
- Bandwidth utilization
Flow Record Information:
- Source and destination IP addresses
- Source and destination port numbers
- Protocol type
- Type of Service (ToS)
- Start and end timestamps
- Packet and byte counts
Wireless Network Forensics
Wireless-Specific Challenges:
- Signal Interception: Requires proximity to access point
- Encryption: WPA/WPA2/WPA3 protection
- Channel Hopping: Multiple frequency monitoring
- Device Mobility: Changing association patterns
- Physical Layer: RF signal analysis
Wireless Analysis Tools:
- Kismet: Wireless network detector
- Aircrack-ng: Wireless security auditing
- InSSIDer: WiFi network scanner
- CommView for WiFi: Wireless packet capture
- Wireshark: With wireless adapters
Encrypted Traffic Analysis
Challenge: Analyzing encrypted communications without breaking encryption by examining metadata and traffic patterns.
Analysis Techniques:
- Traffic Flow Analysis: Connection patterns and timing
- Packet Size Analysis: Size patterns reveal application types
- Certificate Analysis: TLS certificate information
- DNS Analysis: Domain name resolutions
- JA3 Fingerprinting: TLS client identification
Encrypted Traffic Indicators:
• Regular beaconing patterns (malware C2)
• Unusual data volumes during off-hours
• Connections to suspicious IP addresses
• Certificate anomalies or changes
• Domain generation algorithm patterns
Network Timeline Analysis
Timeline Creation Process:
- Data Collection: Gather timestamped network events
- Time Synchronization: Normalize timestamps across sources
- Event Correlation: Link related network activities
- Pattern Recognition: Identify attack sequences
- Visualization: Create comprehensive timeline views
Correlation Techniques:
- IP address correlation across time
- Session ID tracking
- User agent string analysis
- Geolocation correlation
- Attack signature matching
Network Evidence Preservation
Chain of Custody: Maintaining integrity and authenticity of network evidence from collection through analysis and presentation.
Preservation Requirements
- Accurate time synchronization
- Hash verification of packet captures
- Proper storage and handling
- Access logging and control
- Documentation of procedures
Storage Considerations
- High-speed storage for captures
- Redundant storage systems
- Compression for long-term retention
- Secure access controls
- Regular integrity checks
Network Forensics Challenges
Technical Challenges:
- Volume: High-speed networks generate massive data
- Encryption: Widespread use limits content analysis
- Switched Networks: Traffic segmentation challenges
- Cloud Computing: Limited visibility in virtual environments
- Mobile Devices: Wireless and cellular network complexity
Legal and Privacy Challenges:
- Privacy regulations and compliance
- Cross-border data collection
- Warrant requirements
- Data retention policies
- Employee monitoring ethics
Network Forensics in Incident Response
IR Integration Points:
- Detection: Network monitoring alerts to incidents
- Analysis: Forensic examination of network evidence
- Containment: Network-based isolation and blocking
- Eradication: Remove network-based threats
- Recovery: Restore normal network operations
- Lessons Learned: Improve monitoring and detection
Real-time Response Actions:
• Block malicious IP addresses
• Quarantine infected systems
• Capture additional evidence
• Preserve volatile network state
• Document ongoing activities
Network Forensics Best Practices
Collection Best Practices
- Continuous monitoring deployment
- Strategic sensor placement
- Comprehensive logging configuration
- Time synchronization across systems
- Regular storage capacity monitoring
Analysis Best Practices
- Systematic investigation methodology
- Multiple analysis perspectives
- Automated analysis tool usage
- Cross-correlation with other evidence
- Detailed documentation practices
Future Trends
Emerging Technologies:
- AI/ML Integration: Automated threat detection and analysis
- 5G Networks: New protocols and security challenges
- IoT Forensics: Massive device ecosystem analysis
- SD-WAN Analysis: Software-defined networking challenges
- Edge Computing: Distributed processing forensics
Tool Evolution:
- Cloud-native forensic platforms
- Real-time analysis capabilities
- Enhanced encrypted traffic analysis
- Cross-platform correlation tools
- Automated report generation
Key Takeaways
Critical Points:
- Comprehensive Monitoring: Strategic placement and continuous capture
- Multi-layered Analysis: Examine all network protocol layers
- Tool Proficiency: Master various analysis tools and techniques
- Evidence Integrity: Maintain chain of custody and documentation
- Continuous Learning: Adapt to evolving network technologies
Network Forensics Success: Combine comprehensive monitoring, systematic analysis, and proper evidence handling to effectively investigate network-based security incidents and cyber crimes.