3. INTRODUCTION
Network forensics is a branch of digital forensics; it covers monitoring and analyzing computer network traffic and allows investigators to gather information, compile evidence, and/or detect intrusions.
5. Network Forensic Examination Steps
Identification: recognizing and determining an incident based on network indicators. This step is significant since it affects all the following steps.
Preservation: securing and isolating the state of physical and logical evidence so that it cannot be altered, for example by protecting it from electromagnetic damage or interference.
Collection: recording the physical scene and duplicating digital evidence using standardized methods and procedures.
Examination: an in-depth, systematic search for evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis.
Analysis: determining significance, reconstructing packets of network traffic data and drawing conclusions based on the evidence found.
Presentation: summarizing and explaining the conclusions drawn.
Incident Response: the response to the detected attack or intrusion is initiated based on the information gathered to validate and assess the incident.
7. Network Forensic with Network Protocol
Network forensic methods can be applied at the different network protocols or layers:
ETHERNET
TCP/IP
INTERNET
WIRELESS
8. ETHERNET
Methods are achieved by eavesdropping on bit streams (at the Ethernet layer).
Uses monitoring tools or sniffers (Wireshark, Tcpdump).
Protocols such as the Address Resolution Protocol (ARP) can be consulted to filter traffic and reconstruct transmitted attachments.
Traffic is captured from the Network Interface Card (NIC), but eavesdropping can be averted with encryption.
Disadvantage: a large storage capacity is required.
9. TCP/IP
Methods are achieved with router information investigations (at the network layer).
Each router includes routing tables used to pass along packets.
These are some of the best information sources for data tracking.
Follow compromised packets, reverse the route, and identify the source.
The network layer also provides authentication log evidence.
10. INTERNET
Methods are achieved by identifying server logs (on the Internet).
Includes web browsing, email, chat, and other types of traffic and communication.
Server logs collect information.
Email accounts have useful information, except when email headers are faked.
11. Wireless Forensic
Methods are achieved by collecting and analyzing wireless traffic (wireless networks and mobile phones).
A sub-discipline of the field.
The goal is to obtain what is considered “valid digital evidence”.
This can be normal data or voice communications via VoIP.
Analysis is similar to wired network situations, but with different security issues.
12. Network Forensic Analysis Tools
Functions of a Network Forensic Analysis Tool:
Network traffic capturing and analysis
Evaluation of network performance
Detection of anomalies and misuse of resources
Determination of network protocols in use
Aggregating data from multiple sources
Security investigations and incident response
Protection of intellectual property
13. Network Forensic Tools
dumpcap, pcapdump and netsniff-ng - Packet Sniffers
tcpdump, wireshark/tshark and tstat - Protocol Analyzers
16. Conclusion
The development of intelligent network forensic tools that focus on specific types of network traffic analysis is a challenge for the future.
Such tools would reduce time delays and computational resource requirements, help minimize attacks, provide reliable and secure evidence, and make investigations efficient with minimal effort.
Editor's Notes
• Capture (capture packets)
• Identify (identify packets based on certain filtering criteria, such as date and time)
• Analyze (both known and unknown packets, to understand what is going on)
Investigation Stages:
1) acquisition/imaging of exhibits (using a write-blocking device), followed by examination (per the National Institute of Standards and Technology),
2) analysis (systematic search for differences), and
3) reporting (documented findings and conclusions)
“Catch-it-as-you-can”: All packets are sent through a traffic point where they are stored in a database. After that, analysis is performed on the stored data. Analysis results are also stored in the database. The saved data can be retained for future analysis. It should be noted, though, that this type of system requires a large storage capacity.
The “stop, look and listen” system is different from the “Catch-it-as-you-can” system, since only the data required for analysis is saved into the database. The incoming traffic is filtered and analyzed in real time in memory, which means this system requires less storage but a much faster processor.
"Catch-it-as-you-can"
• All packets are captured
• Large storage needed
• Analysis in batch mode
• Usually at packet level
• For later analysis
"Stop, look and listen"
• Requires a faster processor for incoming traffic
• Each packet analyzed in memory
• Only certain ones are stored
• Usually at packet level
• Real-time filtering
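The two capture models from the notes above, as an added illustration that is not part of the original slides: a small simulation of a catch-it-as-you-can store beside a stop-look-and-listen filter over constructed packet records, showing the storage cost of each and that only the full store can answer a question chosen after capture. The Packet record and the sample traffic are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds
    src: str
    dst: str
    proto: str
    length: int   # bytes on the wire

# Constructed sample traffic (documentation address ranges), not a real capture.
SAMPLE = [
    Packet(0.00, "10.0.0.5", "10.0.0.53", "DNS", 74),
    Packet(0.01, "10.0.0.53", "10.0.0.5", "DNS", 90),
    Packet(0.10, "10.0.0.5", "198.51.100.8", "HTTP", 1400),
    Packet(0.11, "198.51.100.8", "10.0.0.5", "HTTP", 1500),
    Packet(0.50, "10.0.0.9", "10.0.0.5", "SSH", 120),
    Packet(0.51, "10.0.0.5", "10.0.0.9", "SSH", 160),
]

Filter = Callable[[Packet], bool]

def catch_it_as_you_can(stream: Iterable[Packet]) -> List[Packet]:
    """Store every packet at the capture point; analysis happens later, in batch."""
    return list(stream)

def analyze_batch(store: List[Packet], predicate: Filter) -> List[Packet]:
    """Batch analysis over the stored capture; the question can be chosen after the fact."""
    return [p for p in store if predicate(p)]

def stop_look_and_listen(stream: Iterable[Packet], predicate: Filter) -> List[Packet]:
    """Inspect each packet in memory as it arrives; only what the filter selects is stored."""
    kept: List[Packet] = []
    for pkt in stream:          # real-time path: must keep up with the line rate
        if predicate(pkt):
            kept.append(pkt)
    return kept

def stored_bytes(store: List[Packet]) -> int:
    return sum(p.length for p in store)

def compare(stream: List[Packet], capture_filter: Filter, later_question: Filter) -> Dict[str, int]:
    """Storage cost of both designs, and whether a question asked only after capture
    can still be answered from what each design kept."""
    full = catch_it_as_you_can(stream)
    partial = stop_look_and_listen(stream, capture_filter)
    return {
        "catch_all_bytes": stored_bytes(full),
        "stop_look_bytes": stored_bytes(partial),
        "later_hits_catch_all": len(analyze_batch(full, later_question)),
        "later_hits_stop_look": len(analyze_batch(partial, later_question)),
    }
```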
ETHERNET
Methods are achieved by eavesdropping on bit streams at the Ethernet layer of the OSI model.
This can be done using monitoring tools or sniffers such as Wireshark or Tcpdump, both of which capture traffic from a network interface card configured in promiscuous mode.
These tools allow the investigator to filter traffic and reconstruct attachments transmitted over the network. In addition, protocols can be consulted and analyzed, such as the Address Resolution Protocol (ARP) or any higher-level protocol. However, this can be averted with encryption. Encryption might itself indicate that a host is suspicious, since an attacker uses encryption to secure the connection and bypass eavesdropping. The disadvantage of this method is that it requires a large storage capacity.
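As an added example that is not from the original slides, a minimal Ethernet II and ARP parser over constructed frames, in the spirit of consulting ARP from a sniffer capture: it builds the IP-to-MAC mappings an examiner would check and flags any address announced by more than one MAC. The frame builder and the sample addresses are constructed for this example.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
ip_str = lambda b: ".".join(str(x) for x in b)

def parse_ethernet(frame: bytes) -> dict:
    # Ethernet II header: dst MAC (6), src MAC (6), EtherType (2), then payload
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype, "payload": frame[14:]}

def parse_arp(payload: bytes) -> dict:
    # IPv4-over-Ethernet ARP (RFC 826): 28 bytes after the Ethernet header
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": {1: "request", 2: "reply"}.get(oper, str(oper)),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def arp_mappings(frames) -> dict:
    # IP -> sorted list of MACs that announced it, built from every ARP frame seen
    table = defaultdict(set)
    for frame in frames:
        eth = parse_ethernet(frame)
        if eth["type"] != ETHERTYPE_ARP:
            continue  # not ARP; other protocols need their own parser
        arp = parse_arp(eth["payload"])
        table[arp["sender_ip"]].add(arp["sender_mac"])
    return {ip: sorted(macs) for ip, macs in table.items()}

def inconsistent_ips(table: dict) -> list:
    # an IP announced by more than one MAC deserves a closer look during examination
    return sorted(ip for ip, macs in table.items() if len(macs) > 1)

def _frame(dst, src, op, sha, spa, tha, tpa) -> bytes:
    # builds the constructed sample frames below; these are not captured traffic
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return (struct.pack("!6s6sH", mac(dst), mac(src), ETHERTYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa)))

SAMPLE_FRAMES = [  # a request for 10.0.0.1, its reply, then a second host answering for the same IP
    _frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:00:00:02", 1, "aa:bb:cc:00:00:02", "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),
    _frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", 2, "aa:bb:cc:00:00:01", "10.0.0.1", "aa:bb:cc:00:00:02", "10.0.0.2"),
    _frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:99", 2, "aa:bb:cc:00:00:99", "10.0.0.1", "aa:bb:cc:00:00:02", "10.0.0.2"),
]
```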
Transport and network layer Examined (TCP/IP)
Apply forensic methods at the network layer. The network layer provides router information based on the routing table present on every router, and also provides authentication log evidence. Investigating this information helps identify compromised packets, identify their source, and reverse-route and track data. Network device logs provide detailed information about network activities. Multiple logs recorded from different network devices can be correlated to reconstruct the attack scenario. Network devices have limited storage capacity, so network administrators configure them to send logs to a server, where they are stored for a period of time.
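As an added example that is not part of the original notes, log correlation across the device types mentioned above: constructed firewall, router and server log lines are normalized to one record format, merged by time, and the chain of events involving one host is rebuilt together with the source addresses in order of first appearance. The line format and the addresses are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines from a firewall, a router and a server; the
# addresses are documentation ranges, not real hosts.
LOGS = [
    "2024-03-01T10:00:01Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.20 dport=22",
    "2024-03-01T10:00:01Z rtr01 FORWARD src=203.0.113.7 dst=10.0.0.20 dport=22",
    "2024-03-01T10:00:03Z srv20 sshd: Accepted password for admin src=203.0.113.7 dst=10.0.0.20",
    "2024-03-01T10:00:40Z rtr01 FORWARD src=10.0.0.20 dst=10.0.0.31 dport=445",
    "2024-03-01T11:30:00Z fw01 ACCEPT src=198.51.100.4 dst=10.0.0.20 dport=443",
]

# One line format for all three devices (an assumption for this example):
# "<ISO-8601 UTC> <device> <message> src=<ip> dst=<ip> [dport=<n>]"
LINE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<msg>.*?) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
                  r"(?: dport=(?P<dport>\d+))?$")

def parse_line(line: str):
    """Normalize one device log line into a common event record; None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev

def correlate(lines, host: str, window_s: int) -> list:
    """Merge every device's log by time and return the chain of events that involve
    `host`, starting at its first appearance and running for `window_s` seconds."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    chain, deadline = [], None
    for ev in events:
        if host not in (ev["src"], ev["dst"]):
            continue
        if deadline is None:
            deadline = ev["ts"] + timedelta(seconds=window_s)
        if ev["ts"] > deadline:
            break                     # later, unrelated activity against the same host
        chain.append(ev)
    return chain

def sources_in_order(chain) -> list:
    """Distinct source addresses in order of first appearance; the first one is the
    origin as first recorded by the outermost device."""
    seen = []
    for ev in chain:
        if ev["src"] not in seen:
            seen.append(ev["src"])
    return seen
```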
Traffic examined based on the use case (Internet)
The Internet provides numerous services such as WWW, email, chat, file transfer, etc., which makes it rich in digital evidence. Forensics here is achieved by identifying the logs of servers deployed on the Internet: web servers, email servers, Internet Relay Chat (IRC) servers, and servers for other types of traffic and communication. These servers collect useful log information, such as browsing history, email accounts (except when email headers are faked), user account information, etc.
Wireless
This is achieved by collecting and analyzing traffic from wireless networks and devices such as mobile phones. This extends normal traffic data to include voice communications. Phone location can also be determined. The analysis methods for wireless traffic are similar to those for wired network traffic, but different security issues must be taken into consideration.
What are some popular network forensics tools & resources?
Network Forensic Analysis Tools (NFATs) allow network investigators and network administrators to monitor networks and gather all information about anomalous or malicious traffic. These tools work together with network systems and devices, such as firewalls and IDS, to make preserving a long-term record of network traffic possible. NFATs allow quick analysis of the patterns identified by network security equipment.
Network forensics tools can be classified by many criteria, for example as host-based or network-wide tools. In this article, we classify them as general-purpose tools, specific-task tools, or libraries/frameworks.
General purpose tools
This category includes packet collectors (sniffers), protocol analyzers and network forensic analyzers.
dumpcap, pcapdump and netsniff-ng are examples of packet sniffers, which record packets from the network and store them in files.
tcpdump, wireshark/tshark and tstat are popular protocol analyzers. These tools are used to inspect recorded traffic. They can be either packet-centric or session-centric.
Xplico and NetworkMiner are Network Forensic Analysis Tools (NFATs). These tools are data-centric: they analyze the traffic content.
Specific Tasks Tools
These are often small programs written to do just one thing.
Intrusion detection (snort, suricata, bro)
Match regular expressions (ngrep)
Extract files (nfex) or pictures (driftnet)
Sniff passwords or HTTP sessions (dsniff, firesheep, ettercap, creds)
Extract emails (mailsnarf, smtpcat)
Print network/packet statistics (ntop, tcpstat, tstat)
Extract SSL information (ssldump)
Reconstruct TCP flows (tcpflow, tcpick)
Fingerprinting (p0f, prads)
Libraries and Frameworks
Python libraries (Libpcap, Scapy)
Bro
IT organizations can use network forensics for:
• Network performance benchmarking for detailed reporting on network performance, business activities, resource allocation, and other purposes.
• Network troubleshooting for resolving any type of network problem, especially those that happen intermittently.
• Transactional analysis for providing the “ultimate audit trail” for all kinds of transactions, including ecommerce and banking transactions. When server logs and other server-based evidence do not provide sufficient data for characterizing a transaction, network forensics enables IT organizations to locate and examine the exact content and execution of an online transaction.
• Security attack analysis for enabling security officers and IT staff to characterize and mitigate an attack that slipped past network defenses. Network forensics enables investigators to find proof of an attack and to trace its effects on IT resources.
The high data rate of network traffic makes it difficult for network forensics to capture and preserve all network packets. Millions of packets are transmitted over the network in almost no time, passing through thousands of interconnected network devices. To overcome these problems, three different kinds of solution have been proposed: hardware-based, software-based and distributed solutions.
A huge amount of data is transmitted over the network and must be captured and analyzed for investigation. Such volumes complicate the retrieval of evidence from the network. For instance, the captured data needs to be stored on devices with large storage capacity, whereas the storage capacity of network interconnection devices is limited.
Data integrity plays a vital role in the network forensic process and has to be addressed. Data integrity in the network is the ability to keep data accurate, complete, and consistent.
Data privacy is an important factor in the network forensic investigation process. A forensic attribution solution has been proposed to address this user-privacy problem: a forensic investigator can view the data of interest by verifying the packet signature that enforces forensic attribution in the network.
Obtaining the source IP address of an intruder is an important step in network forensics. The source IP address indicates the origin of the attack, which assists in identifying the intruder and stopping the attack.
The distributed nature and virtualized characteristics of networks complicate network forensics in identifying the appropriate location and device for extracting data. In a network with thousands of devices connected through high-speed links transmitting millions of packets per second, every link and device is difficult to handle.