Presentation Transcript

  • Network Forensics Primer, Richard Bejtlich [email_address]
    Look sharp, troops. It's time to learn network forensics.
    • Introduction
    • What is Network Forensics?
    • Collecting Network Traffic as Evidence
    • Protecting and Preserving Network-Based Evidence
    • Analyzing Network-Based Evidence
    • Presenting and Defending Conclusions
    • Conclusion
  • Overview
    • Introduction
      • Speaker biography
      • Purpose of course
      • Why network forensics
      • Course outline
    What better way to relate to a law enforcement audience than to turn to the finest crime fighter of the 80s -- TJ Hooker?
  • Introduction
    • Bejtlich ("bate-lik") biography
      • TaoSecurity LLC (05-present)
      • ManTech (04-05)
      • Foundstone (02-04)
      • Ball Aerospace (01-02)
      • Captain at US Air Force CERT (98-01)
      • Lt at Air Intelligence Agency (96-98)
      • Author
        • Tao of Network Security Monitoring: Beyond Intrusion Detection (solo, Addison-Wesley, Jul 04)
        • Extrusion Detection: Security Monitoring for Internal Intrusions (solo, Addison-Wesley, Dec 05 - Jan 06)
        • Real Digital Forensics (co-author, Addison-Wesley, Sep 05)
        • Contributed to Incident Response, 2nd Ed and Hacking Exposed, 4th Ed
  • Introduction
    • Purpose of course
      • Introduce ways to collect, protect, analyze, and present network-based evidence
      • Host-based forensics is not addressed
        • For more coverage of host-based forensics, I recommend Incident Response, 2nd Ed by Mandia, Prosise, and Pepe
      • Share experiences conducting real network forensics
      • Encourage attendees to plan to perform network forensics prior to an incident, not during an incident
      • This course is an introduction to material I present for an entire day elsewhere
        • Network Security Operations (
        • Network Forensics at USENIX LISA (
        • Items in blue are not expanded upon in this hour-long talk
  • Introduction
    • Why network-based evidence?
      • Host-centric forensics is an established discipline, but many investigators ignore or do not understand network traffic
      • Network-based evidence can be found everywhere
      • Network-based evidence can be easy to collect -- without anyone's notice
    • Network forensics should always be performed!
    I'm sold. Let's talk network forensics! Rookies...
  • Introduction
    [Diagram: The Security Process (Plan, Protect, Detect, Respond) and where its pieces fit: Defensible Network Architecture, Network Security Monitoring, Pervasive Network Awareness, Network Incident Response, Network Forensics, Traffic Threat Assessment, Preparation for Incident Response]
  • Overview
    • What is Network Forensics?
      • Definitions
      • Evidence guidelines
      • Daubert
      • Kumho
    To Serve and to Protect Packets
    You can't carry enough weaponry when performing network forensics. Phasers on stun.
  • What is Network Forensics?
    • The "network" in "network forensics" != "computer"
      • Network here means "relating to packets" or "network traffic"
    • Definition of forensics (
      • Relating to, used in, or appropriate for courts of law or for public discussion or argumentation.
      • Of, relating to, or used in debate or argument; rhetorical.
      • Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law: a forensic laboratory.
    • Many claim to perform network forensics, but most of these practitioners are probably just capturing packets
      • These guidelines will elevate your game to forensic levels
    • Forensics helps with "patch and proceed" or "pursue and prosecute"
  • What is Network Forensics?
    • Evidence Guidelines: three broad sources
      • Federal Rules of Evidence
      • Daubert v. Merrell Dow Pharmaceuticals, Inc., 113 S. Ct. 2786 (1993)
      • Kumho Tire Company, Ltd. v. Patrick Carmichael, 119 S. Ct. 1167 (March 23, 1999)
    Good grief Spock, what happened to your ears? Let it go, Bill.
  • What is Network Forensics?
    • Daubert criteria
      • “[W]hether it [a scientific theory or technique] can be (and has been) tested”
      • “[W]hether the theory or technique has been subjected to peer review and publication”
      • “[C]onsider the known or potential rate of error... and the existence and maintenance of standards controlling the technique's operation”
      • “The technique is ‘generally accepted’ as reliable in the relevant scientific community”
    • The better your network forensic methodology meets these criteria, the more success you will have in the board room or court room
  • What is Network Forensics?
    • Kumho findings
      • Required the Court “to decide how Daubert applies to the testimony of engineers and other experts who are not scientists.”
      • “Daubert's general holding -- setting forth the trial judge's general ‘gatekeeping’ obligation -- applies not only to testimony based on ‘scientific’ knowledge, but also to testimony based on ‘technical’ and ‘other specialized’ knowledge.”
      • “[A] trial court may consider one or more of the more specific factors that Daubert mentioned when doing so will help determine that testimony's reliability.”
      • Introduced a level of “flexibility” and discretion into the process of accepting expert witness testimony.
      • “Daubert's list of specific factors neither necessarily nor exclusively applies to all experts or in every case. Rather, the law grants a district court the same broad latitude when it decides how to determine reliability as it enjoys in respect to its ultimate reliability determination.”
  • Collecting Network Traffic as Evidence
    • Secure the sensor
    • Limit access to the sensor
    • Position the sensor properly
    • Verify the sensor collects traffic as expected
    • Determine sensor failure modes
    • Recognize and compensate for collection weaknesses
    • Use trusted tools and techniques
    • Document and automate the collection process
    Nice bandana and "workout gloves", Adrian.
  • Collecting Network Traffic as Evidence
    • Position the sensor properly
    • Consider perimeter monitoring scenario at right
      • Perimeter is easiest place to monitor
      • However, sensor as shown may not be able to see all the traffic an analyst needs to understand the scope of an intrusion
    • Alternative deployments shown on following slides
  • Collecting Network Traffic as Evidence
    • At left we monitor perimeter (via tap) and DMZ (via switch SPAN)
    • At right we add a filtering bridge/sensor to watch and/or control a high value target
  • Collecting Network Traffic as Evidence
    • Don't forget to accommodate address translation issues
    • Here we add a second interface behind the gateway
  • Collecting Network Traffic as Evidence
    • This network shows a variety of instrumentation options
  • Collecting Network Traffic as Evidence
    • My preferred platform for serious monitoring at a reasonable cost is configured as follows
      • Appliance : Dell PowerEdge 750 1U rackmount server
      • 512 MB RAM
      • Intel PIV 2.8 GHz CPU
      • 2 x 250 GB SATA drives in RAID 0 configuration
      • Dual onboard NICs plus extra dual NICs
      • Approximately $2,000 without discounts
      • OS : FreeBSD 5.4 RELEASE (sample dmesg output at
      • Network access : Net Optics tap (
  • Collecting Network Traffic as Evidence
    • Consider using Network Security Monitoring principles to guide your data collection strategies
      • Alert data (Snort, other IDSs)
        • Traditional IDS alerts or judgments (“RPC call!”)
        • Context-sensitive, either by signature or anomaly
      • Full content data (Tcpdump)
        • All packet details, including application layer
        • Expensive to save, but always most granular analysis
      • Session data (Argus, SANCP, NetFlow)
        • Summaries of conversations between systems
        • Content-neutral, compact; encryption no problem
      • Statistical data (Capinfos, Tcpdstat)
        • Descriptive, high-level view of aggregated events
    • Sguil ( is an interface to much of this in a single open source suite
  • Collecting Network Traffic as Evidence
    • Collect network traffic using NSM principles
  • Collecting Network Traffic as Evidence
    • Verify the sensor collects traffic as expected
  • Protecting and Preserving Network-Based Evidence
    • Hash traces after collection and store hashes elsewhere
    • Understand forms of evidence
    • Copy evidence to read-only media when possible
    • Create derivative evidence
    • Follow chains of evidence
    Beam me up, Scotty. Bill's lost it.
  • Protecting and Preserving Network-Based Evidence
    • Understand forms of evidence
    • Best evidence: original form of network-based evidence available to the investigator
      • If the NBE is given to the investigator as an attachment in an email, that email and its attachment are the investigator’s best evidence.
      • It is much preferred from a forensic standpoint to obtain the original file containing traffic as it was written to a hard drive.
    • Best evidence should, to the extent practically possible, never be analyzed directly.
      • Rather, investigators should make working copies of the best evidence, and analyze those duplications.
      • Network traffic saved on a sensor is the best evidence available.
      • Copies of that traffic transferred to a central location become working copies.
  • Protecting and Preserving Network-Based Evidence
    • Create derivative evidence
      • Ensure you have a SHA256 hash of the original file stored in a safe location.
      • After verifying the hashes match, use the desired Tcpdump filter to extract packets of interest to a new file and directory.
        elise@bourque$ tcpdump -n -r  -w /home/analyst/  port 80
        reading from file , link-type EN10MB (Ethernet)
      • Hash the resulting file locally and remotely.
      • Copy the remote file to the local workstation.
      • Make multiple copies of the new local evidence file, and analyze them at will.
      • Document these steps on both platforms.
  • Analyzing Network-Based Evidence
    • Validate results with more than one system
    • Beware of malicious traffic
    • Document not just what you find, but how you found it
    • Follow a methodology
    You know the ladies used to call me "Jim Kirk." You wouldn't happen to be a green alien...?
  • Analyzing Network-Based Evidence
    • Validate results with more than one system
      • Use different tools. Example: Tcpdump, Snort, Ethereal
      • Use different operating systems. Example: Unix (BSD, Linux, Solaris), Windows
      • Use different architectures. Example: x86, SPARC
      • Use different libraries. Example: Libpcap, Data Link Provider Interface (DLPI on Solaris,
    I'm quite an expert with the police baton, aka the "tonfa" to you martial arts types.
  • Analyzing Network-Based Evidence
    • Follow a methodology
      • Make a new directory on the analysis platform to contain data provided by the client or collected by yourself.
      • Copy the evidence provided by the client into the analysis directory.
      • Change the permissions of the copy to ensure the analyst user cannot accidentally modify the file.
      • Hash the file and copy the hash elsewhere.
      • Use the Capinfos program packaged with Ethereal to gain initial statistics on the capture file.
      • Run Dave Dittrich’s Tcpdstat to obtain basic statistics on the trace.
      • Extract sessions from the trace using Argus.
      • Gain some high-level idea of the contents of the Argus file with Racount.
  • Analyzing Network-Based Evidence
    • Follow a methodology (continued)
      • Use the Rahosts program to create an ordered list of all of the IP addresses seen in the Argus data.
      • (optional) Confirm the number of Argus records.
      • (optional) Enumerate source IP, dest IP, dest port combos.
      • Perform traffic threat assessment.
      • (optional) Process trace with Snort to find obviously malicious events, or build custom signatures.
    When hitting suspects, it's important to keep your eyes closed! Tonfa-chop!
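    The derivative-evidence steps (verify the stored hash, extract with a filter, hash the result, document) and the analysis methodology above (Capinfos/Tcpdstat statistics, Argus sessions, Rahosts host list) are shown below in one runnable script. This is an added example, not code from Bejtlich's slides or from the tools they name: it carries a minimal libpcap reader/writer so it runs without Tcpdump, Argus or Ethereal installed, and the traffic it processes is constructed sample data written to a temporary directory. The function names (capinfos_like, sessions, make_derivative, demo), the custody-log format and the addresses are all assumptions of this example.

```python
import hashlib, json, socket, struct, tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Classic libpcap layout: 24-byte global header, then per packet a 16-byte record
# header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame bytes.
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
PROTO_NAME = {6: "tcp", 17: "udp"}

def build_frame(src, dst, proto, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame (sample data, not captured traffic)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == 6:  # TCP: ports, seq, ack, data offset 5 words, ACK flag, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x10, 8192, 0, 0)
    else:           # UDP: ports, length, checksum (zero is permitted for UDP over IPv4)
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4 + payload

def write_pcap(path, packets):
    """Write (timestamp, frame) pairs as a little-endian classic pcap file."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, frame in packets:
            f.write(struct.pack("<IIII", int(ts), round((ts - int(ts)) * 1e6), len(frame), len(frame)) + frame)

def read_pcap(path):
    """Yield (timestamp, frame) from a little-endian classic pcap file."""
    data = Path(path).read_bytes()
    if data[:4] != struct.pack("<I", PCAP_MAGIC):
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        yield sec + usec / 1e6, data[off + 16:off + 16 + incl]
        off += 16 + incl

def decode(frame):
    """Return (src, dst, proto, sport, dport) for IPv4 TCP/UDP frames, else None."""
    l4 = 14 + (frame[14] & 0x0F) * 4 if len(frame) > 14 else len(frame)  # IHL-aware offset
    if len(frame) < l4 + 4 or frame[12:14] != b"\x08\x00" or frame[23] not in PROTO_NAME:
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    return (src, dst, frame[23]) + struct.unpack("!HH", frame[l4:l4 + 4])

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def capinfos_like(path):
    """Statistical data (Capinfos/Tcpdstat style) plus a Rahosts-style ordered host list."""
    pkts = list(read_pcap(path))
    protos, hosts = Counter(), set()
    for _, f in pkts:
        d = decode(f)
        protos[PROTO_NAME[d[2]] if d else "other"] += 1
        hosts.update(d[:2] if d else ())
    return {"packets": len(pkts), "bytes": sum(len(f) for _, f in pkts),
            "duration": round(pkts[-1][0] - pkts[0][0], 6) if pkts else 0.0,
            "protocols": dict(protos),
            "hosts": sorted(hosts, key=lambda ip: tuple(int(o) for o in ip.split(".")))}

def sessions(path):
    """Argus-style session data: one content-neutral record per conversation, both directions."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _, f in read_pcap(path):
        if d := decode(f):
            a, b = sorted([(d[0], d[3]), (d[1], d[4])])  # same key whichever side sent
            key = f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} {PROTO_NAME[d[2]]}"
            flows[key]["packets"] += 1
            flows[key]["bytes"] += len(f)
    return dict(flows)

def make_derivative(original, derived, port, expected_sha256, custody_log, analyst):
    """Check best evidence against its stored hash, extract one port to a new file (what
    tcpdump -n -r IN -w OUT port N does), hash the result and append both to a custody log."""
    actual = sha256_file(original)
    if actual != expected_sha256:
        raise ValueError("hash of best evidence does not match the stored hash; stop here")
    kept = [(ts, f) for ts, f in read_pcap(original) if (d := decode(f)) and port in d[3:]]
    write_pcap(derived, kept)
    record = {"analyst": analyst, "source": str(original), "source_sha256": actual,
              "filter": f"port {port}", "derived": str(derived),
              "derived_sha256": sha256_file(derived), "packets": len(kept)}
    with open(custody_log, "a") as f:  # keep a copy of this log off the analysis box too
        f.write(json.dumps(record) + "\n")
    return record

def demo(workdir=None):
    """Run the whole procedure on constructed sample traffic and return every result."""
    work = Path(workdir or tempfile.mkdtemp())
    best = work / "sensor_trace.pcap"  # stands in for the trace as written on the sensor
    write_pcap(best, [
        (1000.0, build_frame("10.1.1.5", "192.0.2.10", 6, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")),
        (1000.1, build_frame("192.0.2.10", "10.1.1.5", 6, 80, 40000, b"HTTP/1.0 200 OK\r\n")),
        (1001.0, build_frame("10.1.1.5", "192.0.2.20", 6, 40001, 22, b"SSH-2.0-x")),
        (1002.5, build_frame("10.1.1.5", "10.1.1.1", 17, 53001, 53, b"\x00" * 12)),
    ])
    stored = sha256_file(best)  # in practice recorded at collection time and kept off the sensor
    record = make_derivative(best, work / "http_only.pcap", 80, stored, work / "custody.log", "analyst")
    return {"stats": capinfos_like(best), "sessions": sessions(best), "derivative": record}
```

    Calling demo() writes the sample trace, refuses to proceed if the trace no longer matches the hash recorded for it, writes the port 80 packets to a second file, and returns the statistics, the three sessions and the custody record. The session keys sort the two endpoints so request and reply land on one record; Argus itself keeps direction, which this example deliberately does not.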
  • Presenting and Defending Conclusions
    • Forget the OSI model
    • Obtain relevant certifications
    • Consider how you would attack the evidence
    Up front, Officer Locklear. We'll take cover behind that mane of yours.
  • Presenting and Defending Conclusions
    • Forget the OSI Model
  • Presenting and Defending Conclusions
    • Forget the OSI model
      • TCP/IP is like the postal service. It gets messages across the globe or country.
      • TCP packets are like messages sent via certified mail.
      • UDP packets are like normal, best-effort mail delivery. Nothing is guaranteed but drops are not that common.
      • An IP address is like the street address on an envelope.
      • A hostname is like a well-known name for a specific location. If an IP address is like 1600 Pennsylvania Avenue, Washington DC, a hostname is like “The White House.”
      • A TCP or UDP port is like the name of a person. Multiple people can reside at any address. Names help sort out the recipient of the letter.
  • Presenting and Defending Conclusions
    • Obtain relevant certifications
      • Certified Information Systems Security Professional : CISSP is the must-have certification for security professionals; while its technical merits are lacking, I find its Code of Ethics valuable.
      • Certified Information Forensics Investigator : CIFI is a vendor-neutral forensics certification sponsored by the International Information Systems Forensics Association; will help demonstrate your knowledge of core forensic investigation principles.
      • Cisco Certified Network Associate : CCNA is Cisco’s entry-level networking certification; shows a basic level of comprehension of networking and device configuration.
  • Conclusion
    • This presentation introduced key points on network forensics
    • For more information, attend my next day-long class and/or read my books
    • Contact me at
    Never shoot from the gut when doing network forensics. Warp speed, Mr. Sulu!
  • References
    • Tools
      • Snort:
      • Tcpdump:
      • Ethereal, Tethereal, Capinfos:
      • Argus:
      • SANCP:
      • Tcpdstat:
      • NetFlow format:
    • Certifications
      • CISSP:
      • CISSP code of ethics:
      • CIFI:
      • CCNA: