Downloaded 279 times
Uploaded byManjushree Mashal
Network forensic
The document discusses network forensics as a branch of digital forensics that involves monitoring and analyzing network traffic to gather evidence and detect intrusions. It outlines the steps in network forensic examination, including identification, preservation, collection, examination, analysis, presentation, and incident response, as well as methods applicable across various network protocols. It also highlights the functions and advantages of network forensic analysis tools while noting challenges in developing intelligent tools for specific traffic analysis.
More Related Content
Network forensic
- 1. NETWORK FORENSIC New paradigmin Network Analysis
- 2. CONTENTS Introduction NetworkForensic Examination Steps Network Forensic Methods Network Forensic with Network Protocol Network Forensic Analysis Tools
- 3. INTRODUCTION Network forensicsis categorized as a single branch of digital forensics; it includes the areas of monitoring and analyzing computer network traffic and allows individuals to gather information, compile evidence, and/or detect intrusions.
- 4. CIA Process forNetwork Forensic
- 5. Network Forensic ExaminationSteps Identification: recognizing and determining an incident based on network indicators. This step is significant since it has an impact in the following steps. Preservation: securing and isolating the state of physical and logical evidences from being altered, such as, for example, protection from electromagnetic damage or interference. Collection: Recording the physical scene and duplicating digital evidence using standardized methods and procedures. Examination: in-depth systematic search of evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis. Analysis: determine significance, reconstruct packets of network traffic data and draw conclusions based on evidence found. Presentation: summarize and provide explanation of drawn conclusions. Incident Response: The response to attack or intrusion detected is initiated based on the information gathered to validate and assess the incident.
- 6. Network Forensic Methods Catch-it–as-you-can Stop, look and listen
- 7. Network Forensic withNetwork Protocol Network Forensic methods can be applied within the different network protocols or layers. ETHERNET TCP/IP INTERNET WIRELESS
- 8. ETHERNET Methods areachieved with eavesdropping bit streams (on the Ethernet layer). Uses monitoring tools or sniffers (Wireshark ,Tcpdump) Protocols can be consulted for filter traffic and reconstruct attachment transmitted, such as the Address Resolution Protocol (ARP) Network Interface Card (NIC), but can be averted with encryption Disadvantage is large storage Capacity.
- 9. TCP/IP Methods areachieved with router information investigations (on the Network layer). Each router includes routing tables to pass along packets. These are some of the best information sources for data tracking . Follow compromised packets, reverse route, ID the source Network layer also provides authentication log evidence
- 10. INTERNET Methods areachieved by identifying server logs (on the Internet). Includes web-browsing, email, chat, and other types of traffic & communication Server logs collect information Email accounts have useful information except when email headers are faked
- 11. Wireless Forensic Methodsare achieved by collecting & analyzing wireless traffic (Wireless Networks). Mobile Phones A sub-discipline of the field To get that which is considered “valid digital evidence” This can be normal data OR voice communications via VoIP Analysis is similar to wired network situations, with different security issues
- 12. Network Forensic AnalysisTools Functions of a Network Forensic Analysis Tool: Network traffic capturing and analysis Evaluation of network performance Detection of anomalies and misuse of resources Determination of network protocols in use Aggregating data from multiple sources Security investigations and incident response Protection of intellectual property
- 13. Network Forensic Tools dumpcap, pcapdump and netsniff-ng –Packet Sniffer tcpdump, wireshark/tshark and tstat - Protocol Analyzers
- 14. Advantages of Networkforensic Network Performance Benchmarking Network Troubleshooting Transactional Analysis Security Attack Analysis
- 15.
- 16. Conclusion The developmentof intelligent network forensic tools to focus on specific type of network traffic analysis is a challenge in terms of future perspective. This will reduce time delays, less computational resources requirement; minimize attacks, providing reliable and secured evidences, and efficient investigation with minimum efforts
Editor's Notes
- #5 Capture (capture packets) • Identify (identify packets based on certain filtering criterion, such as date and time) • Analyze (both known and unknown packets to understand what's going on
- #6 Investigation Stages: 1) acquisition/imaging of exhibits (write-blocking device), *) --examination (National Instit of Standards and Tech.) 2) analysis (systematic search for differences), and 3) reporting (documented findings and conclusions)
- #7 “Catch-it-as-you-can”: All packets are sent through a traffic point where they are stored in a database. After that, analysis is performed on stored data. Analysis data is also stored in the database. The saved data can be saved for future analysis. It should be noted, though, that this type of system requires a large storage capacity The “stop, look and listen” system is different from the “Catch-it-as-you-can” system, since only data required for analysis is saved into database. The incoming traffic is filtered and analyzed in real-time in memory, which means this system requires less storage but a much faster processor. "Catch-it-as-you-can“ • All packets are captured • Large storage needed • Analysis in batch mode • Usually @ packet level • For later analysis "Stop, look and listen" • Requires faster processor for incoming traffic • Each analyzed in memory • Certain ones are stored • Usually @ packet level • Real-time filtering
- #9 ETHERNET Methods are achieved with eavesdropping bit streams on the Ethernet layer of the OSI model. This can be done using monitoring tools or sniffers such as Wireshark or Tcpdump, both of which capture traffic data from a network card interface configured in promiscuous mode. Those tools allow investigator to filter traffic and reconstruct attachments transmitted over the network. In addition, protocols can be consulted and analyzed, such as the Address Resolution Protocol (ARP) or any higher level protocols. However, this can be averted with encryption. Encryption might indicate that the host is suspicious since the attacker uses encryption to secure his connection and bypass eavesdropping. The disadvantage of this method is that it requires a large storage capacity.
- #10 Transport and network layer Examined (TCP/IP) Apply forensics methods on the network layer. The network layer provides router information based on the routing table present on all routers and also provides authentication log evidence. Investigating this information helps determine compromised packets, identifying source, and reverse routing and tracking data. Network device logs provide detailed information about network activities. Multiple logs recorded from different network devices can be correlated together to reconstruct the attack scenario. Network devices have a limited storage capacity. Network administrators configure the devices to send logs to a server and store them for a period of time
- #11 Traffic examined based on the use case (Internet) The internet provides numerous services such as WWW, email, chat, file transfer, etc. which makes it rich with digital evidence. This is achieved by identifying the logs of servers deployed on the internet. Servers include web servers, email servers, internet relay chat (IRC), and other types of traffic and communication. These servers collect useful log information, such as browsing history, email accounts (except when email headers are faked), user account information, etc.
- #12 Wireless This is achieved by collecting and analyzing traffic from wireless networks and devices, such as mobile phones. This extends normal traffic data to include voice communications. Phone location can be also determined. The Analysis methods of wireless traffic are similar to wired network traffic but different security issues should be taken into consideration.
- #13 What are some popular network forensics tools & resources? Network Forensic Analysis Tools (aka NFATs) allow network investigators and network administrators to monitor networks and gather all information about anomalous or malicious traffic. These tools synergize with network systems and network devices, such as firewalls and IDS, to make preserving long-term record of network traffic possible. NFATs allow a quick analysis of patterns identified by network security equipments.
- #14 Network forensics tools can be classified based on many criteria, for example host based or network-wide-based forensics tools. In this article, we classify those tools as either general purpose tools, specific tasks tools, or libraries/framework. General purpose tools This category include Packet collectors (sniffers), protocol analyzers and Network Forensic Analyzers dumpcap, pcapdump and netsniff-ng are example of packet sniffers, which record packets from the network and store them on files. tcpdump, wireshark/tshark and tstat are popular protocol analyzers. These tools are used to inspect recorded traffic. They can be either packet-centric or session-centric. Xplico and NetworkMiner are Network Forensic Analysis (NFAT) tools. These tools are data-centric which analyze the traffic content. Specific Tasks Tools These are often small programs written to do just one thing. Intrusion detection (snort, suricata, bro) Match regular expressions (ngrep) Extract files (nfex) or pictures (driftnet) Sniff passwords or HTTP sessions (dsniff, firesheep, ettercap, creds) Extract emails (mailsnarf, smtpcat) Print network/packet statistics (ntop, tcpstat, tstat) Extract SSL information (ssldump) Reconstruct TCP flows (tcpflow, tcpick) Fingerprinting (p0f, prads) Libraries and Frameworks Python libraries(Libpcap, Scapy) Bro
- #15 IT organizations can use network forensics for: • Network performance benchmarking for detailed reporting on network performance, business activities, resource allocation, and other purposes. • Network troubleshooting for resolving any type of network problem, especially those that happen intermittently. • Transactional analysis for providing the “ultimate audit trail” for all kinds of transactions, including ecommerce and banking transactions. When server logs and other server-based evidence does not provide sufficient data for characterizing a transaction, network forensics enables IT organizations to locate and examine the exact content and execution of an online transaction. • Security attack analysis for enabling security officers and IT staff to characterize and mitigate an attack that slipped past network defenses. Network forensics enables investigators to find proof of an attack and to trace its effects on IT resources
- #16 High data rate of network traffic creates difficulties for network forensics in capturing and preserving all network packets . Millions of packets are transmitted over the network in no time, which passes through thousands of interconnected network devices To overcome the aforementioned problems, three different solution are proposed including hardware based ,software based and distributive based solution. A huge amount of data is transmitted over the network which is captured and analyzed for investigation. However, such data complicates the situation for network forensics to retrieve evidence from the network. For instance, the captured data needs to be stored on devices with large storage capacity; whereas the storage capacity of the network interconnectivity devices is limited Data integrity plays a vital role in the process of network forensics which has to be tackled. Data integrity in the network is an ability to keep accurate, complete, and consistent data in the network. Data privacy is an important factor in the investigation process of network forensics. A forensic attribution solution is proposed to solve the aforementioned problem related to user privacy . A forensic investigator can view the data of interest by verifying the packet signature to enforce forensic attribution in the network. The access of source IP address of an intruder is an important step in network forensics. Source IP address indicates origin of the attack that assists in the identification of the intruder and stopping the attacks. Distributive nature and virtualized characteristics of networks complicate network forensics in identifying appropriate location and device for extracting the data. A network with thousands of devices connected with each other through high speed data links, which transmit millions of packets per second is difficult to be handled for its each link and device.