Home Upgrade Search Memberlist Extras Hacker Tools Award Goals Help Wiki Contact
Hack Forums Blog Introduction to Network Forensics

HF Rulez the UniverseHF Rulez the Universe
BiNBo
The Church Of Stanley
Networking CCNA Network Forensics Forensics Network Monitoring Network Analysis Packet Analysis

Introduction to Network Forensics

Posted Oct 11, 2023 10:35 PM
Introduction to Network Forensics
Network Forensics is a specific subdomain of Forensics. It focuses on network traffic analysis and investigations. The discipline of network forensics is the work that takes place to access information transmitted by listening and investigating live and recorded traffic, gathering artefacts and evidence, and understanding any potential problems. In short it's the action of recording packets of live network traffic and creating investigable sources while establishing a root cause analysis of an event. The ultimate goal of this is to provide enough information to detect malicious activities, security breaches, policy compliance, system health, and user behavior.

Industry guidelines outline that the investigation process is in place to identify communicated hosts in terms of time, frequency, protocols, applications, and other specific data and information. This can be broken down simply into the 5 W's:

  1. Who - Source IP and Port
  2. What - Payload and or Data
  3. Where -Destination IP and Port
  4. When - Time and date
  5. Why - How and what happened.


Keep in mind that the network evidence capture and investigation process must be systematic in its performance. Having enough data and the proper timeline capture for a network forensics investigation is pivotal.

Primary Purposes of Network Forensics
We'll cover some of the more detailed use cases below, however there are two primary reasons in network forensics investigations:
  1. Security Operations - Regular security monitoring activities to track system performance, system health, user behavior, and security issues.
  2. Incident Handling, Response, and Threat Hunting - Both during and post-incident investigation activities on understanding the reason for the incident, the detection of malicious and or suspicious activity, and investigating the content of data flows.

Network Forensics Use Cases
Network forensics is a powerful tool that can be used to protect organizations from a wide range of cyber threats. By understanding the different use cases for network forensics, organizations can develop a more effective security posture. The most common use cases for network forensics are:
  • Network Discovery - The discovery of network topology, connected devices, rogue hosts, and network load.

  • Packet Reassembly - The reassembly of packets to investigate the traffic flow. This use case in particular is helpful when analyzing unencrypted traffic flows.

  • Data Loss Prevention (DLP) and Detection - The review of packet transfer rates for each host and destination address to look for discrepancies that could point towards data exfiltration.

  • Anomalous and Malicious Activity Detection - The review of overall network load by focusing on used ports, resources, source an destination addresses, and data to help detect possible malicious activities along with vulnerabilities. This use case covers the correlation of indicators and hypotheses as well.

  • Policy and Regulation Compliance Control - The review of overall network behavior helps in detecting policy and regulation compliance and non-compliance.

Advantages of Network Forensics
Network forensics can also help organizations improve their overall security posture by providing a deeper understanding of their network traffic and how it is being used. This information can be used to develop more effective security policies and procedures. Some of these advantages include:
  • Availability of network-based evidence - Evidence collection is as easy as capturing network traffic. Making evidence collection easier and more simplified.

  • Ease of silent data/evidence collection - Capturing and analyzing network traffic is much easier than investigating unfiltered events by EDRs, EPPs, SIEMs, etc. Sniffing doesn't create as much noise, logs, or alerts. Network traffic also carries a level of non-repudiation since the traffic isn't destructible like logs and alerts generated by security systems such as IDS/IPS.

  • Non-repudiation and evidence control - Because the evidence is the traffic itself, it is impossible to do anything without creating network noise. Nonetheless, it is still possible to hide the artefacts by encrypting, tunneling and manipulating the packets. So there are challenges to this advantage.

  • Log Source Availability - The information provided by logs is incredibly valuable. This information can help to correlate the chain of events and support the investigations claims. The majority of EDRs, EPPs, and network devices create logs by default. If these logs can be secured and aggregated. However, it's important to keep in mind that an attacker or threat could erase, modify, or destroy them if not properly secured.

  • Ability to gather evidence for memory and non-residential activities - Malware, attackers, and other threats might reside in memory in order to avoid being detected. However, the series of commands necessary for this reside in the network layers. So, it is possible to detect these types of threats with network forensics.

Challenges of Network Forensics
Network forensics is a critical tool for investigating cybersecurity incidents. However, it is a complex and challenging task, due to the volatile and dynamic nature of network traffic, the volume of data generated, and the complexity of network protocols. Additionally, network forensics can be invasive and disruptive, and investigators must be careful not to violate the privacy of network users. Generally, the challenges of network forensics can be summed up into a few categories:
  • Decision Making - One of the most difficult aspects of network forensics is deciding how to handle your findings. In some instances you will have a clearly defined chain to follow, such as providing your findings to the appropriate personnel within a security operations center (SOC). Network forensics can be used to support incident handling and incident response (IH/IR) and threat hunting. In other cases it can serve the needs of observation, entrapping, capturing, or preventing malicious or anomalous activity.

  • Data/evidence collection - While a major advantage of network forensics is the ease of evidence collection. The span of this can quickly pose challenges. There are several points to consider before beginning any data or evidence collection.

  • Short data captures - One major challenge in evidence collection is that capturing all network activity is not always applicable or possible. In turn, it is difficult to ensure that any captures cover events before, during, and afterwards.

  • Encrypted Traffic - Encrypted data poses even further challenges to network forensics. Discovering the contents of encrypted data is not always possible. However, the encrypted data itself can still provide valuable information to support investigators hypotheses such as source and destination addresses alongside used services.

  • Non-standard port usage - One popular approach to network forensics is grabbing at the, "low hanging fruits." In the first steps of an investigation. Looking for commonly used patterns in ports and services is often an easy way to catch suspicious activities. For example, metasploit (an open-source penetration testing framework) very often uses port 4444 when creating reverse shells. However, tools such as this and more complicated tools, are by no means limited to using just this port. There may also be legitimate services running through these ports.

  • GDPR and Privacy Concerns - Traffic capture essentially records everything taking place within its scope. In turn, you may find yourself limited by regulation and compliance as you attempt to operating within specific frameworks (GDPR, HIPPA, PCI DSS, FISMA, CMMC, etc.) In turn, you need to ensure that any captures must meet applicable regulations regarding privacy and compliance.

There are many more challenges we could cover, but these should give you an idea of the complexities faced when performing network forensics. The guidelines you fall under could vary vastly depending on the organization(s) you are working for or under.

Sources of Network Forensics Evidence
In order to properly capture network traffic you'll need to have specific knowledge and tools. In many cases you will find that you only have one opportunity at gathering live traffic as evidence. In turn there are multiple resources that can be used to gather network and forensics data. The following can be used but are not the only possible sources:
  • Logs (IDS/IPS, Application, OS, Device, etc.)
  • Central Log Servers (SIEMs)
  • Web Proxies
  • Firewalls
  • Web Proxies
  • Routers/switches/Hubs
  • DHCP Servers
  • Name Servers
  • Authentication Servers
  • TAPS
  • InLine Devices
  • SPAN Ports


Conclusion on Network Forensics
Network forensics is a complex and challenging field, but it is essential for investigating and responding to cybersecurity incidents. By understanding the basics of network forensics, you can better protect yourself or your organization from cyberattacks.
RECENT ARTICLES
HF Rulez the Universe