Network forensics overview | Infosec Resources

Most attacks move through the network before hitting the target and they leave some trace. According to Locard’s exchange principle, “every contact leaves a trace,” even in cyberspace.

Network forensics is a science that centers on the discovery and retrieval of information surrounding a cybercrime within a networked environment. Common forensic activities include the capture, recording and analysis of events that occurred on a network in order to establish the source of cyberattacks.

Network forensics can be particularly useful in cases of network leakage, data theft or suspicious network traffic. It focuses predominantly on the investigation and analysis of traffic in a network that is suspected to be compromised by cybercriminals (e.g., DDoS attacks or cyber exploitation).

Accessing internet networks to perform a thorough investigation may be difficult. Most internet networks are owned and operated outside of the network that has been attacked. Investigation is particularly difficult when the trace leads to a network in a foreign country. 

Data enters the network en masse but is broken up into smaller pieces called packets before traveling through the network. In order to understand network forensics, one must first understand internet fundamentals like common software for communication and search, which includes emails, VOIP services and browsers. One must also know what ISP, IP addresses and MAC addresses are. 

Identification of attack patterns requires investigators to understand application and network protocols. Applications and protocols include:

  • Web protocols (e.g., http and https)

  • File transfer protocols (e.g., Server Message Block/SMB and Network File System/NFS)

  • Email protocols, (e.g., Simple Mail Transfer Protocol/SMTP)

  • Network protocols (e.g., Ethernet, Wi-Fi and TCP/IP)

Investigators more easily spot traffic anomalies when a cyberattack starts because the activity deviates from the norm. 

Methods

There are two methods of network forensics:

  • “Catch it as you can” method: All network traffic is captured. It guarantees that there is no omission of important network events. This process is time-consuming and reduces storage efficiency as storage volume grows

  • “Stop, look and listen” method: Administrators watch each data packet that flows across the network but they capture only what is considered suspicious and deserving of an in-depth analysis. While this method does not consume much space, it may require significant processing power

Primary sources

Investigators focus on two primary sources:

  • Full-packet data capture: This is the direct result of the “Catch it as you can” method. Large enterprises usually have large networks and it can be counterproductive for them to keep full-packet capture for prolonged periods of time anyway

  • Log files: These files reside on web servers, proxy servers, Active Directory servers, firewalls, Intrusion Detection Systems (IDS), DNS and Dynamic Host Control Protocols (DHCP). Unlike full-packet capture, logs do not take up so much space

Log files provide useful information about activities that occur on the network, like IP addresses, TCP ports and Domain Name Service (DNS). Log files also show site names which can help forensic experts see suspicious source and destination pairs, like if the server is sending and receiving data from an unauthorized server somewhere in North Korea. In addition, suspicious application activities — like a browser using ports other than port 80, 443 or 8080 for communication — are also found on the log files. Log analysis sometimes requires both scientific and creative processes to tell the story of the incident. 

Network forensics is also dependent on event logs which show time-sequencing. Investigators determine timelines using information and communications recorded by network control systems. Analysis of network events often reveals the source of the attack.

Tools

Free software tools are available for network forensics. Some are equipped with a graphical user interface (GUI). Most though, only have a command-line interface and many only work on Linux systems.

Here are some tools used in network forensics:

  • EMailTrackerPro shows the location of the device from which the email is sent

  • Web Historian provides information about the upload/download of files on visited websites

  • Wireshark can capture and analyze network traffic between devices

According to “Computer Forensics: Network Forensics Analysis and Examination Steps,” other important tools include NetDetector, NetIntercept, OmniPeek, PyFlag and Xplico. The same tools used for network analysis can be used for network forensics.

It is interesting to note that network monitoring devices are hard to manipulate. For that reason, they provide a more accurate image of an organization’s integrity through the recording of their activities.

Legal considerations

Privacy and data protection laws may pose some restrictions on active observation and analysis of network traffic. Without explicit permission, using network forensics tools must be in line with the legislation of a particular jurisdiction. Permission can be granted by a Computer Security Incident Response Team (CSIRT) but a warrant is often required. 

Conclusion: How does network forensics compare to computer forensics?

Network forensics is a subset of digital forensics. Compared to digital forensics, network forensics is difficult because of volatile data which is lost once transmitted across the network. Network forensics focuses on dynamic information and computer/disk forensics works with data at rest.

Similarly to Closed-Circuit Television (CCTV) footage, a copy of the network flow is needed to properly analyze the situation. Due to the dynamic nature of network data, prior arrangements are required to record and store network traffic. The deliberate recording of network traffic differs from conventional digital forensics where information resides on stable storage media. Also, logs are far more important in the context of network forensics than in computer/disk forensics.

As part of the entire digital forensic investigation, network forensics helps assemble missing pieces to show the investigator the whole picture. It can support root-cause analysis by showing initial method and manner of compromise.

Sources