Network Forensics Concepts
This article outlines various Network Forensics Concepts that can come handy for beginners. We will begin by understanding what various network security threats are and how attacks happen. We will then discuss what are the various network forensics concepts that can come handy during investigations.
How do attacks happen?
Network forensics to many people is capturing the network traffic and analyzing it for the presence of possible intrusions. Solving the puzzle of real world attacks can consist of much more than that. Attackers often use intelligent tactics and techniques when conducting attacks. Following are different types of network security threats a network forensic investigator should be aware of to better understand the investigation procedure.
Learn Network Forensics
Network Security Threats
There are two main forms of Network Security Threats depending on where the attack originates. They are External Threats and Internal Threats.
External Threats originate from outside of the perimeter of the organization. These attacks typically include a spear phishing attack or exploiting an externally exposed vulnerability. Once the attacker is inside the network, the immediate goal is to get persistence on the target’s computer so access will not be lost even in the cases where the victim reboots the laptop. Once persistence is achieved, the next goal is to elevate the privileges to obtain higher level privileges such as an administrator. After Administrative privileges are obtained, opportunities to laterally move through the network will arise. Depending on the goal of the attacker further attacks may be carried out within the network.
Internal threats originate from within the organization. Most of the internal attacks happen with the insider knowledge the attacker has about the assets and loopholes. These attacks are harder to detect and respond as the traces left by these types of attacks are harder to trace if not impossible.
Network Forensics concepts
When it comes to investigating network attacks, there are several different areas an investigator may need to look into as the sources of evidence can be lying around in different places across the network. We will discuss more details about various sources of evidence in a future article. However, the following section should give a brief introduction to it.
Packet capturing tools and techniques
A network investigation often involves network packet capturing and analysis of captured packets. This gives a reasonable understanding of what’s going on in the network. Tcpdump is a commonly used tool to capture network packets and the captured packets can be analyzed using a tool like Wireshark. It should be noted that Wireshark can be used both for packet capture and analysis. However, there can be situations where a command line tool must be used for packet capturing instead of a tool with GUI. Linux server environments often do not contain GUI. In such cases, tcpdump is useful for packet capturing and the analysis can be done on a different machine using Wireshark.
Network Data exfiltration
A compromised system often makes communications to a Command and Control (C2) Server either to receive commands or to exfiltrate data from the compromised system. An investigator should spend time on the C2 server the victim computers are talking to, how commands are being received and how data is being exfiltrated from the compromised machines. It should be noted that most of the traffic often gets encrypted, so it may not be easy to know what is being sent just by looking at the network traffic.
Logs from Firewalls, WAF, IDS, IPS, Web Proxies and Servers
Network traffic analysis often relies on analyzing logs stored in various places in the network. Depending on the attack we may or (may not) need to investigate logs from all these devices. The primary purpose of a Network based Firewall is to block or allow traffic from various sources from outside the network. Many modern firewalls come with Intrusion Detection and Prevention capabilities and thus these devices may contain logs specific to an attack type. Web proxies on the other hand are used to decide weather traffic should pass through. They are also used for caching to conserve bandwidth. So, any traffic that's going through the proxy to an attacker’s server should be logged in the proxy.
Basic Reverse Engineering
Many attacks often originate through targeted phishing attacks, which contain emails with malicious attachments. Attackers design and develop these emails and attachments in such a way that they bypass protections at the email gateway and the Anti Virus. The attachments also often bypass Endpoint Detection and Response tools available on the work stations. During an investigation, it is required to be able to reverse engineer these attachments and understand it functions.
Active Directory footprints
In an enterprise environment, attacks often make use of the Active Directory to mine data and launch further attacks as AD is a goldmine of data for intruders. Attacks such as Kerberoasting give privileged access to the Domain Controller with less efforts. For the very reason, logs related to AD often help during investigations.
Learn Network Forensics
Conclusion
As discussed in this article, network forensic investigations constitute knowledge in several tools and techniques in addition to analyzing the logs from various sources. Investigators often need good knowledge of networking fundamentals aside to the knowledge on various network related attacks.
Sources
- Network Forensics by Ric Messier - https://www.amazon.com/Network-Forensics-Ric-Messier/dp/1119328284
- Internet Forensics by R Jones - https://www.amazon.com/Internet-Forensics-Digital-Evidence-Computer/dp/059610006X
- Network Forensics by Sheriff Davidoff, Jonathan Ham - https://www.amazon.com/Network-Forensics-Tracking-Hackers-Cyberspace/dp/0132564718
Learn Digital Forensics
Build your digital forensics skills with hands-on training in Infosec Skills. What you'll learn- Forensics concepts
- Computer forensics
- Mobile forensics
- Network forensics
- And more
In this Series
- Network Forensics Concepts
- Digital forensics and cybersecurity: Setting up a home lab
- Top 7 tools for intelligence-gathering purposes
- iOS forensics
- Kali Linux: Top 5 tools for digital forensics
- Snort demo: Finding SolarWinds Sunburst indicators of compromise
- Memory forensics demo: SolarWinds breach and Sunburst malware
- Digital forensics careers: Public vs private sector?
- Email forensics: desktop-based clients
- What is a Honey Pot? [updated 2021]
- Email forensics: Web-based clients
- Email analysis
- Investigating wireless attacks
- Wireless networking fundamentals for forensics
- Protocol analysis using Wireshark
- Wireless analysis
- Log analysis
- Network security tools (and their role in forensic investigations)
- Sources of network forensic evidence
- Network Security Technologies
- Network Forensics Tools
- The need for Network Forensics
- Networking Fundamentals for Forensic Analysts
- Popular computer forensics top 19 tools [updated 2021]
- 7 best computer forensics tools [updated 2021]
- Spoofing and Anonymization (Hiding Network Activity)
- Browser Forensics: Safari
- Browser Forensics: IE 11
- Browser Forensics: Firefox
- Browser forensics: Google chrome
- Webinar summary: Digital forensics and incident response — Is it the career for you?
- Web Traffic Analysis
- Network forensics overview
- Eyesight to the Blind – SSL Decryption for Network Monitoring [Updated 2019]
- Gentoo Hardening: Part 4: PaX, RBAC and ClamAV [Updated 2019]
- Computer forensics: FTK forensic toolkit overview [updated 2019]
- The mobile forensics process: steps and types
- Free & open source computer forensics tools
- An Introduction to Computer Forensics
- Common mobile forensics tools and techniques
- Computer forensics: Chain of custody [updated 2019]
- Computer forensics: Network forensics analysis and examination steps [updated 2019]
- Computer Forensics: Overview of Malware Forensics [Updated 2019]
- Incident Response and Computer Forensics
- Computer Forensics: Memory Forensics
- Comparison of popular computer forensics tools [updated 2019]
- Computer Forensics: Forensic Analysis and Examination Planning
- Computer forensics: Operating system forensics [updated 2019]
- Computer Forensics: Mobile Forensics [Updated 2019]
- Computer Forensics: Digital Evidence [Updated 2019]
- Computer Forensics: Mobile Device Hardware and Operating System Forensics
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Digital forensics
Digital forensics
Digital forensics
Digital forensics