Network Forensic

Uploaded by Omkar Kamtekar

NETWORK FORENSICS

Introduction to Network Forensics and Tracking Network Traffic

● Network Forensics: The process of collecting and analyzing raw network data to
systematically track network traffic and determine how an attack or event occurred on a
network.
● Importance: With the increasing frequency of network attacks, network forensics is
crucial for identifying whether attacks are intentional or unintentional and for
understanding the methods used by attackers.

Types of Network Attacks

● Unintentional Attacks: Often occur due to lack of knowledge and do not involve
malicious intent.
● DoS Attacks: Denial of Service attacks overload network resources, making the network
unavailable to genuine users without gaining access to any computer on the network.
○ Characteristics: DoS attackers should not be referred to as intruders since no
direct intrusion happens. Not all intruders are attackers, but those who gain access
and then destroy information or plant viruses can be called both intruders and
attackers.

Tracking Network Traffic

● Intrusion Traces: Intruders leave traces when they attack a network. Detecting these
traces involves identifying variations in network traffic.
● Normal Traffic Patterns: Understanding typical network patterns (e.g., peak internet
usage hours) helps in identifying unusual activities.
○ Example: Peak hours in a city might be between 6 a.m. and 6 p.m. Any
suspicious activity at night would prompt an investigation by the network
administrator.

Standard Procedures in Network Forensics

● Response to Attacks: Network administrators aim to find compromised machines, take
them offline, and restore them quickly to reduce downtime.
● Importance of Procedures: Following standard procedures ensures all compromised
systems are tracked and attack methods are identified to prevent future incidents.
● Compromised System Handling: Thorough investigation and adherence to procedures
help in understanding the full scope of an attack and securing the network.

Securing a Network

● Network Forensics Role: Used to identify security breaches due to attacks, viruses, and
other incidents.
● Hardening: Involves tasks like applying the latest patches and using a layered network
defense strategy to protect valuable data.
○ Defense in Depth (DiD): Developed by the National Security Agency (NSA), this
strategy includes three modes of protection: People, Technology, and Operations.

Defense in Depth (DiD) Strategy

1. People:
○ Qualified Personnel: Hiring well-qualified individuals and treating them well to
prevent revenge motives.
○ Training: Adequate training in security procedures and policies.
○ Security Measures: Includes physical and personnel security measures.
2. Technology:
○ Network Architecture: Selecting strong network architecture.
○ Tools: Using tools like firewalls and Intrusion Detection Systems (IDSs).
○ Penetration Testing and Risk Assessment: Regular testing and assessment to
enhance network security.
○ Investigation Tools: Tools that allow for quick and thorough examination during
a security breach.
3. Operations:
○ Daily Activities: Updating antivirus software, security patches, and operating
systems.
○ Evaluation and Monitoring: Regular evaluation and monitoring methods.
○ Disaster Recovery Plans: Having plans in place for disaster recovery.

Reviewing Network Logs

● Network Logs: Records of incoming and outgoing traffic on a network, created by
servers, firewalls, routers, and other devices.
● Purpose: They track activities and events, helping to monitor network health, identify
issues, and investigate security incidents.

Tools for Reviewing Network Logs

● Tcpdump: A common program used to capture and analyze network traffic. It generates
extensive records that detail network activities.

Example of Tcpdump Output

● Format: The log entries typically include the date, time, protocol, interface, packet size,
and source/destination addresses.

TCP log from 2010-12-16:15:06:33 to 2010-12-16:15:06:34

Wed Dec 15 15:06:33 2010; TCP; eth0; 1296 bytes; from 204.146.114.10:1916 to 156.26.62.201:126
Wed Dec 15 15:06:33 2010; TCP; eth0; 625 bytes; from 192.168.114.30:289 to 188.226.173.122:13
Wed Dec 15 15:06:33 2010; TCP; eth0; 2401 bytes; from 192.168.5.41:529 to 188.226.173.122:31
Wed Dec 15 15:06:33 2010; TCP; eth0; 1296 bytes; from 206.199.79.28:1280 to 10.253.170.210:168; first packet
END

○ Header: The first line shows the log's timeframe.
○ Entries: Subsequent lines follow the format time; protocol; interface; size; source
and destination addresses.

Analyzing the Logs

● Understanding Entries: For example, the second line shows:
○ Date and Time: December 15, 2010, at 15:06:33
○ Protocol: TCP
○ Interface: Ethernet 0 (eth0)
○ Size: 1296 bytes
○ Source: IP address 204.146.114.10 with port 1916
○ Destination: IP address 156.26.62.201 with port 126

Key Points for Investigation

● Port Information: Ports above 1024 can be suspicious and warrant further investigation.
Check port assignments on the Internet Assigned Numbers Authority (IANA) website.
● Frequent IP Addresses: Repeated occurrences of specific IP addresses can indicate
potential issues or malicious activity.

Using Ethereal for Further Analysis

● Top Websites: Ethereal (now known as Wireshark) can generate a list of the top 10
websites visited by users, showing bytes transferred and IP addresses.
● Top Internal Users: It can also list the top 10 internal users by tracking IP addresses and
the amount of data they transfer.
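The checks these notes describe (parsing the log entries, flagging ports above 1024, counting repeated addresses, spotting activity outside the 6 a.m. to 6 p.m. window, and building Ethereal-style top-10 lists by bytes transferred) as one added Python example. This is not code from the page or from tcpdump or Ethereal: the entry format follows the log shown above, the four page entries plus two constructed night-time entries are embedded as sample input, and the hour window, the 1024 threshold and the private-address test used to pick out "internal users" are assumptions.

```python
"""Parse tcpdump-style log entries and apply the investigation checks from the
notes: ports above 1024, repeated addresses, off-hours activity and top talkers.
Added example; the entry format follows the log shown on the page."""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample: the four entries from the page plus two invented
# night-time entries (02:14) so the off-hours check has something to flag.
SAMPLE_LOG = """\
TCP log from 2010-12-16:15:06:33 to 2010-12-16:15:06:34
Wed Dec 15 15:06:33 2010; TCP; eth0; 1296 bytes; from 204.146.114.10:1916 to 156.26.62.201:126
Wed Dec 15 15:06:33 2010; TCP; eth0; 625 bytes; from 192.168.114.30:289 to 188.226.173.122:13
Wed Dec 15 15:06:33 2010; TCP; eth0; 2401 bytes; from 192.168.5.41:529 to 188.226.173.122:31
Wed Dec 15 15:06:33 2010; TCP; eth0; 1296 bytes; from 206.199.79.28:1280 to 10.253.170.210:168; first packet
Wed Dec 15 02:14:07 2010; TCP; eth0; 88 bytes; from 192.168.5.41:4100 to 188.226.173.122:31
Wed Dec 15 02:14:09 2010; TCP; eth0; 90 bytes; from 192.168.5.41:4101 to 188.226.173.122:31
END
"""

# One entry: time; protocol; interface; size; from src:port to dst:port[; note]
ENTRY_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}); (?P<proto>\w+); "
    r"(?P<iface>\w+); (?P<size>\d+) bytes; from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)(?:; (?P<note>.*))?$"
)


def parse_log(text):
    """Return (header, entries); each entry is a dict with typed fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0] if lines and lines[0].startswith("TCP log") else None
    entries = []
    for ln in lines[1 if header else 0:]:
        if ln == "END":
            break
        m = ENTRY_RE.match(ln)
        if not m:
            raise ValueError(f"unparsable entry: {ln!r}")
        d = m.groupdict()
        entries.append({
            "when": datetime.strptime(d["when"], "%a %b %d %H:%M:%S %Y"),
            "proto": d["proto"], "iface": d["iface"], "size": int(d["size"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "note": d["note"],
        })
    return header, entries


def high_port_entries(entries, threshold=1024):
    """Entries where either port is above the threshold (the notes' 1024 rule)."""
    return [e for e in entries if e["sport"] > threshold or e["dport"] > threshold]


def off_hours_entries(entries, start_hour=6, end_hour=18):
    """Entries outside the normal window (the notes' 6 a.m. to 6 p.m. example)."""
    return [e for e in entries if not (start_hour <= e["when"].hour < end_hour)]


def address_frequency(entries):
    """How often each address appears, as source or as destination."""
    counts = Counter()
    for e in entries:
        counts[e["src"]] += 1
        counts[e["dst"]] += 1
    return counts


def top_talkers(entries, key="dst", n=10):
    """Top-n addresses by bytes transferred, like the Ethereal top-10 lists."""
    totals = defaultdict(int)
    for e in entries:
        totals[e[key]] += e["size"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_internal_users(entries, n=10):
    """Top-n private (RFC 1918) source addresses by bytes sent; assumption:
    'internal user' means a private source address."""
    internal = [e for e in entries if ipaddress.ip_address(e["src"]).is_private]
    return top_talkers(internal, key="src", n=n)


if __name__ == "__main__":
    header, ents = parse_log(SAMPLE_LOG)
    print(header)
    for e in high_port_entries(ents):
        print("high port:", e["src"], e["sport"], "->", e["dst"], e["dport"])
    for e in off_hours_entries(ents):
        print("off hours:", e["when"], e["src"], "->", e["dst"])
    print("frequent:", address_frequency(ents).most_common(3))
    print("top destinations:", top_talkers(ents, key="dst"))
    print("top internal users:", top_internal_users(ents))
```

Client source ports are normally ephemeral and therefore above 1024, so in practice the destination port is the more telling of the two; the function flags either side, as the notes state, and takes the threshold as a parameter so the rule can be tightened to destination ports only.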

Patterns in Network Logs

● Behavioral Patterns: Logs can reveal patterns like an employee frequently accessing
certain sites during work hours, potentially indicating misuse of company resources.
● Investigating Suspicious Activity: If suspicious behavior is detected, investigate while
preserving evidence. Findings might reveal broader issues affecting other companies.

Handling Findings

● Confidentiality: Do not reveal findings about other companies without their consent.
● Contacting Companies: Notify affected companies to collaborate on tracking down
intruders.
● Reporting to Authorities: Consider reporting significant incidents to federal authorities
for further action.

Network Forensic Tools

Windows Operating System Network Tools

● Sysinternals Suite: A collection of free tools for examining Windows products, created
by Mark Russinovich and Bryce Cogswell, now owned by Microsoft. These tools help in
monitoring network traffic and managing devices and processes. Here are some of the
key tools:

○ RegMon: Displays all registry data in real-time.

○ Process Explorer: Shows files, registry keys, and DLLs loaded at a specific time.

○ Handle: Shows open files and the processes using them.

○ Filemon: Shows file system activity.

○ PsExec: Runs processes remotely.

○ PsGetSid: Displays the security identifier (SID) of a computer or user.

○ PsKill: Kills processes by name or process ID.

○ PsList: Lists detailed information about processes.

○ PsLoggedOn: Displays who is logged on locally.

○ PsPasswd: Allows you to change account passwords.

○ PsService: Enables you to view and control services.

○ PsShutdown: Shuts down and optionally restarts a computer.

○ PsSuspend: Allows you to suspend processes.


UNIX/Linux Operating System Network Tools

● Knoppix Security Tools Distribution: A bootable Linux CD designed for computer and
network forensics, created by Klaus Knopper. It offers a variety of tools for
authentication, firewalls, password management, wireless tools, encryption, intrusion
detection systems (IDS), honeynets, forensics, packet sniffers, vulnerability assessment,
and more. Here are some important tools:

○ dcfldd: A U.S. Department of Defense computer forensics lab version of the dd
command.

○ memfetch: Forces a memory dump.

○ photorec: Retrieves files from a digital camera.

○ snort: A popular IDS that captures and analyzes packets in real-time.

○ oinkmaster: Manages snort rules, specifying regular traffic and alarms.

○ john: The latest version of John the Ripper, a password cracker.

○ chntpw: Resets passwords on a Windows computer, including the administrator
password.

○ tcpdump and ethereal (Wireshark): Packet sniffers for capturing and analyzing
network traffic.

Packet Sniffers

● Packet Sniffers: Devices or software used to monitor network traffic. They can enhance
security and track network bottlenecks but can also be used maliciously to capture
sensitive information.

○ Functionality: Examine packets on TCP/IP networks, working at Layer 2 or
Layer 3 of the OSI model.

○ Common Tools: Tcpdump, Tethereal, and SNORT can capture packets, including
those with specific flags like SYN for detecting SYN flood attacks.
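What "capturing packets with the SYN flag to detect a SYN flood" amounts to at the byte level, as an added Python example rather than code from the page or from tcpdump or Snort: it decodes the flag byte of raw IPv4/TCP packets and applies a simple heuristic, many bare SYNs (SYN set, ACK clear) to one destination port with few follow-up ACKs and many distinct sources. The packets are constructed inline (no checksums, no sending); the thresholds and the completion-ratio rule are assumptions chosen for the demonstration.

```python
"""Decode TCP flags from raw IPv4/TCP packets and flag ports that receive many
bare SYNs with few completed handshakes. Added example; packets are constructed."""
import struct
from collections import Counter

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed minimal IPv4 + TCP packet; checksums left zero, enough for flag parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload


def parse_tcp(packet):
    """Return (src, dst, sport, dport, flags) or None if not an IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:   # protocol 6 = TCP
        return None
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]               # flag byte sits at TCP offset 13
    return src, dst, sport, dport, flags


def syn_flood_suspects(packets, syn_threshold=5, max_completion=0.5):
    """Per (destination, port): count bare SYNs and the ACK-only packets that would
    complete handshakes; flag ports with many SYNs and a low completion ratio.
    Coarse heuristic (assumption), not a replacement for a real IDS rule."""
    syns, acks, sources = Counter(), Counter(), {}
    for pkt in packets:
        parsed = parse_tcp(pkt)
        if parsed is None:
            continue
        src, dst, _sport, dport, flags = parsed
        key = (dst, dport)
        if flags & TCP_SYN and not flags & TCP_ACK:
            syns[key] += 1
            sources.setdefault(key, set()).add(src)
        elif flags & TCP_ACK and not flags & TCP_SYN:
            acks[key] += 1
    suspects = []
    for key, n in syns.items():
        if n >= syn_threshold and acks[key] / n < max_completion:
            suspects.append({"target": key, "syns": n, "acks": acks[key],
                             "distinct_sources": len(sources[key])})
    return suspects


def sample_capture():
    """Constructed capture: one normal handshake to port 443 and a burst of
    bare SYNs from eight sources to port 80 (the flood signature)."""
    client, server = "192.168.1.20", "10.0.0.5"
    pkts = [
        build_packet(client, server, 51000, 443, TCP_SYN),
        build_packet(server, client, 443, 51000, TCP_SYN | TCP_ACK),
        build_packet(client, server, 51000, 443, TCP_ACK),
        build_packet(client, server, 51000, 443, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n"),
    ]
    for i in range(8):
        pkts.append(build_packet(f"203.0.113.{i + 1}", server, 40000 + i, 80, TCP_SYN))
    return pkts


if __name__ == "__main__":
    for s in syn_flood_suspects(sample_capture()):
        print("possible SYN flood against", s)
```

On a real capture the packet bytes come from a pcap reader or a raw socket instead of `sample_capture()`; the parser only needs the IPv4 header onward, so link-layer framing must be stripped first.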

Example Packet Sniffer Tools

● Tcpslice: Extracts information from large Libpcap files based on a specified timeframe
and can combine files.

● Tcpreplay: Replays network traffic recorded in Libpcap format to test network devices.

● Ngrep: Examines email headers or IRC logs, collects, and hashes data for verification.

● Ethereal (Wireshark): A graphical tool for viewing network traffic and rebuilding
sessions.

● Netdude: A GUI tool for inspecting and analyzing large Tcpdump files.

● Argus: A session data probe, collector, and analysis tool.


Examining the Honeynet Project

● Honeynet Project: Aims to thwart internet and network attackers by creating awareness,
providing information, and offering tools and methods. It involves worldwide
participation.

○ Steps:

■ Awareness: Informing people and organizations about existing threats.

■ Information: Providing details on how to protect against threats and
understanding attacker tactics.

■ Research: Offering tools and methods for individuals to conduct their
own research.

● Threats Addressed:

○ Distributed Denial-of-Service (DDoS) Attacks: Involving hundreds or
thousands of "zombie" machines.

○ Zero-Day Attacks: Exploiting network and OS vulnerabilities before patches are
available.

● Honeypots and Honeywalls:

○ Honeypot: A decoy computer set up to lure attackers, containing no valuable
information.

○ Honeywall: Monitors honeypots and records attacker activities.

○ Process: Deploying a honeypot, taking it offline if compromised, comparing pre-
and post-attack images to analyze the attack methods and changes made.

Performing Live Acquisitions

Live acquisitions are crucial for capturing volatile data when dealing with active network attacks
or unauthorized access by employees. These acquisitions are performed while the system is still
running because certain evidence, such as running processes and data in RAM, can be lost if the
system is shut down or restarted.

Here is a simplified breakdown of the process:

1. Prepare Forensic Tools:
○ Create or download a bootable forensic CD.
○ Test the CD on a non-suspect drive.
○ If the suspect system is on the network, ensure you have the appropriate forensic
tools on your computer.
○ Insert the bootable forensic CD into the suspect system if necessary.

2. Log Actions:
○ Keep a detailed log of all actions taken during the live acquisition process.
○ Document the reasons for each action.

3. Set Up Data Storage:
○ Use a network drive to store gathered data if available.
○ If a network drive is not available, use a USB thumb drive.
○ Note the use of the USB drive in your log.

4. Copy Physical Memory (RAM):
○ Capture the entire contents of RAM.

5. Investigate Specific Issues:
○ Depending on the incident, decide whether to:
■ Shut down the system for a static acquisition later.
■ Use tools like RootKit Revealer to check for rootkits.
■ Access firmware to check for changes.

6. Validate Data Integrity:
○ Ensure you obtain a forensically sound digital hash value of all recovered files to
confirm they haven't been altered.

Performing a Live Acquisition in Windows

Various tools can capture RAM during a live acquisition in Windows. Here are some of the tools:

● Win32dd: A command-line tool for performing memory dumps on Windows.

● BackTrack 3: Combines tools from the White Hat Hackers CD and The Auditor CD,
popular among penetration testers.

● ManTech Memory DD: Acquires up to 4 GB of RAM in standard DD format.

● Winen.exe from Guidance Software: A standalone RAM acquisition tool.

Command-Line vs. GUI Tools:

● Command-Line Tools: Offer more control and are generally preferred for live
acquisitions.
● GUI Tools: Require more system resources and can sometimes give false
readings, especially on Windows OSs.

Live acquisitions are essential for preserving volatile data during an ongoing network attack or
suspected unauthorized access. Following a systematic procedure and using reliable tools ensures
that the captured data remains forensically sound.

Order of Volatility (OOV)

The Order of Volatility (OOV) refers to the lifespan of data on a system, which is critical for
investigators to understand when collecting evidence during a network forensics investigation.
Data varies in how long it remains accessible and useful:

1. Registers, Cache: Lasts only for milliseconds.

2. Routing Table, ARP Cache, Process Table, Kernel Statistics: Short-lived and volatile.

3. Memory (RAM): Volatile, lost when the system is powered off.

4. Established Network Connections: Lasts until the connection is terminated.

5. Running Processes: Exists until the process is terminated or the system is shut down.

6. Temporary File Systems: Can be deleted or overwritten quickly.

7. Media in Use: Disk: Persistent until manually deleted or overwritten.

8. Remote Logging and Monitoring Data: Exists on other systems, potentially
longer-lived.

9. Backup Media: Tapes, Disks Not in Use: Very persistent, often stored for long periods.

10. Archival Media: Long-term storage, such as tapes or disks.

11. WORM: CD-ROMs, DVDs: Very long-term, write-once-read-many storage.

After digital evidence is gathered, physical evidence such as configuration, network topology,
paper documents, fingerprints, and DNA can be collected.

Standard Procedures for Network Forensics

Network forensics involves a systematic approach to ensure accurate and reliable evidence
collection. The standard procedure includes the following steps:

1. Standard Installation Image:
○ Use a standard installation image for all systems on the network.
○ This image includes all standard applications and OS files.
○ Maintain MD5 and SHA-1 hash values for all applications and OS files to ensure
integrity.

2. Fix Vulnerabilities:
○ If an intrusion incident occurs, ensure the vulnerability is patched to prevent
further attacks.

3. Live Acquisition:
○ Recover all volatile data, such as RAM and running processes, before the system
is turned off.

4. Forensic Imaging:
○ Create a forensic image of the compromised drive to preserve the state of the data
at the time of the incident.

5. File Comparison:
○ Compare the files on the forensic image with the original installation image.
○ Use hash values to verify the integrity of common files (e.g., Win.exe, standard
DLLs) and detect any alterations.

By following these standard procedures, investigators can systematically collect and analyze
evidence, ensuring the reliability and integrity of their findings.
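The hash-based parts of this procedure and of the live-acquisition steps above (keep a log of every action with its reason, hash recovered files, keep digests of the installation image, compare the forensic image against it) as one added Python example. It is not the page's or any forensic product's code: the file layout and contents are constructed, the baseline is hashed with MD5 and SHA-1 as the notes say plus SHA-256 (an addition, since the first two are collision-broken), and the JSON-lines log format is an assumption.

```python
"""Build a hash manifest of a known-good installation image, compare a forensic
image against it, and record every step in an action log. Added example."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")   # page lists MD5/SHA-1; SHA-256 added


def hash_file(path, algorithms=ALGORITHMS, chunk=1 << 16):
    """Digest one file with every algorithm in one pass over its bytes."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def build_manifest(root, algorithms=ALGORITHMS):
    """Map each path relative to root to its digests."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full, algorithms)
    return manifest


def compare_manifests(baseline, image):
    """Files whose digests changed, files gone from the image, files not in the baseline."""
    altered = sorted(p for p in baseline if p in image and baseline[p] != image[p])
    missing = sorted(p for p in baseline if p not in image)
    added = sorted(p for p in image if p not in baseline)
    return {"altered": altered, "missing": missing, "added": added}


class ActionLog:
    """Append-only JSON-lines log: when, what, why, and the digest of any artifact produced."""

    def __init__(self, path):
        self.path = path

    def record(self, action, reason, artifact=None):
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 "action": action, "reason": reason}
        if artifact:
            entry["artifact"] = artifact
            entry["artifact_sha256"] = hash_file(artifact, ("sha256",))["sha256"]
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        return entry


def demo():
    """Constructed scenario: baseline of three files; the image has one file
    altered, one missing and one added. Returns (report, log entries)."""
    with tempfile.TemporaryDirectory() as work:
        base, image = os.path.join(work, "baseline"), os.path.join(work, "image")
        log = ActionLog(os.path.join(work, "actions.log"))
        baseline_files = {"system/Win.exe": b"known-good binary",
                          "system/core.dll": b"known-good library",
                          "config.ini": b"setting=1"}
        image_files = {"system/Win.exe": b"known-good binary",
                       "system/core.dll": b"modified library",
                       "system/extra.dll": b"dropped file"}
        for root, files in ((base, baseline_files), (image, image_files)):
            for rel, data in files.items():
                full = os.path.join(root, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "wb") as fh:
                    fh.write(data)
        log.record("hash baseline", "standard installation image manifest")
        baseline = build_manifest(base)
        manifest_path = os.path.join(work, "baseline.json")
        with open(manifest_path, "w", encoding="utf-8") as fh:
            json.dump(baseline, fh)
        log.record("write manifest", "preserve baseline digests", artifact=manifest_path)
        log.record("hash image", "forensic image of the compromised drive")
        report = compare_manifests(baseline, build_manifest(image))
        log.record("compare", "find altered, missing and added files")
        with open(log.path, encoding="utf-8") as fh:
            entries = [json.loads(ln) for ln in fh]
        return report, entries


if __name__ == "__main__":
    print(demo())
```

The manifest is written before the image is touched and its own digest goes into the log, so a reviewer can show that the baseline the comparison relied on was not changed afterwards; in real use the image is mounted read-only and the log file lives on the investigator's storage, not on the suspect system.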
