Network Forensics

Introduction to Network Forensics

  • Forensics Definition: Application of scientific knowledge to legal issues.

  • Digital Forensics: Scientific analysis of digital evidence.

  • Network Forensics: Study of network-based evidence related to incidents or legal questions.

Network Evidence Collection

Data Types

  • IDS Alert: Intrusion Detection System alerts related to network events.

  • Traffic & Log Files: Records of activity on networked systems.

  • IP Address & DHCP: Unique identifiers for devices on a network.

  • Physical Port & Switch: Hardware facilitating device connectivity.

  • MAC Address: Unique identifier for network interfaces.

Significance

  • Scraped data from networks (e.g., Parler) includes posts and images that may contain geolocation, which is critical for investigations.

  • Deleted posts still stored may provide valuable evidence despite attempts at removal by users.

  • Attribution of data breaches highlights engineering and testing failures.

Network-Based Digital Evidence

  • Definition: Evidence generated from communications within a network.

  • Examples:

    • Emails and Instant Messaging

    • Browsing Activity

    • Operating System Logs

    • Packet Logs

  • Considerations:

    • Acquisition Difficulty: Specific evidence may be hard to locate due to network complexity.

    • Content Storage: Many network devices keep only coarse-grained records (summaries, counters, recent entries) rather than full content, so the detail an investigator needs may never have been stored.

    • Privacy Concerns: Legal issues surrounding network data can arise.

    • Seizure Challenges: Disruption to network services can result from seizing devices.

    • Admissibility: Varying legal precedents for network evidence acceptance.

Incident Investigation Process

Key Steps

  • Obtain Information: Details of the incident, timeline, and involved parties.

  • Strategize: Understand investigation goals, resources, and evidence prioritization.

  • Collect Evidence:

    • Maintain logs and documentation of all actions taken and systems accessed.

    • Ensure evidence is captured accurately and securely stored.

  • Analyze:

    • Correlate multiple evidence sources.

    • Construct a timeline and identify significant events.

    • Develop interpretations of the case based on findings.

  • Report:

    • Ensure comprehensibility for non-technical audiences.

    • Maintain factual integrity, allowing for a defensible stance in legal or managerial settings.
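The "Collect Evidence" step above calls for documenting every action and storing captured evidence securely. The following Python example, added here and not part of the original notes, shows one way to do that: each acquired artifact is hashed with SHA-256 and written to an append-only custody manifest (who collected it, from where, when, and its digest), and the manifest is re-verified later so any post-acquisition change is detected. File names, the manifest layout and the sample contents are constructed for the example.

```python
"""Evidence-collection helper: hash acquired artifacts, record a custody
manifest, and later verify that nothing changed.

Added example, not from the original notes. File names, the JSON-lines
manifest layout and the sample evidence contents are assumptions."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large captures never load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(manifest_path, evidence_path, examiner, source, note=""):
    """Append one custody entry: what was collected, from where, by whom, when, and its hash."""
    entry = {
        "file": os.path.basename(evidence_path),
        "size": os.path.getsize(evidence_path),
        "sha256": sha256_file(evidence_path),
        "source": source,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    with open(manifest_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_manifest(manifest_path, evidence_dir):
    """Re-hash every file listed in the manifest.

    Returns {file_name: "ok" | "MODIFIED" | "MISSING"}."""
    results = {}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            entry = json.loads(line)
            path = os.path.join(evidence_dir, entry["file"])
            if not os.path.exists(path):
                results[entry["file"]] = "MISSING"
            elif sha256_file(path) != entry["sha256"]:
                results[entry["file"]] = "MODIFIED"
            else:
                results[entry["file"]] = "ok"
    return results


def demo():
    """Constructed scenario: acquire two artifacts, then alter one copy and re-verify.

    Returns (results_before_change, results_after_change)."""
    workdir = tempfile.mkdtemp()
    manifest = os.path.join(workdir, "custody.jsonl")
    # Constructed stand-ins for a real packet capture and a firewall syslog export.
    pcap = os.path.join(workdir, "edge-router.pcap")
    log = os.path.join(workdir, "fw-syslog.txt")
    with open(pcap, "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 60)  # pcap magic number plus padding
    with open(log, "w", encoding="utf-8") as f:
        f.write("Jan 14 09:12:07 fw01 kernel: DENY IN=eth1 SRC=10.0.5.23\n")
    record_acquisition(manifest, pcap, "analyst A", "SPAN port on core switch")
    record_acquisition(manifest, log, "analyst A", "syslog export from fw01")
    before = verify_manifest(manifest, workdir)
    # Simulate an edit to the working copy after acquisition.
    with open(log, "a", encoding="utf-8") as f:
        f.write("Jan 14 09:13:00 fw01 kernel: ALLOW IN=eth1 SRC=10.0.5.23\n")
    after = verify_manifest(manifest, workdir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The manifest is plain JSON lines so it can be read without any tooling in court or in a review; in practice the manifest itself should be stored on write-once or separately hashed media, since a tampered manifest would otherwise pass its own check.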

Network Hardware and Data Sources

Hubs & Switches

  • Hubs: Layer 1 devices that repeat every frame to all ports. This makes them useful for capturing traffic, at the cost of putting more traffic on every port.

  • Switches:

    • Connect devices intelligently and learn device MAC addresses on ports.

    • Utilize Content Addressable Memory (CAM) for address storage.

    • Forward traffic specifically to devices rather than broadcasting.

Routers

  • Forward packets between different networks at Layer 3.

  • Use routing tables and ACLs for network traffic management and filtering.

  • Log denied traffic and may keep statistics on allowed traffic.

Other Network Devices

  • DHCP Server: Logs IP addresses assigned to devices and lease information.

  • DNS Server: Logs queries for IP address and hostname resolutions, including timestamps.

  • Authentication Servers: Log login attempts and authentication events across devices.

  • Intrusion Detection/Prevention Systems (NIDS/NIPS): Provide data on network attacks and misconfigurations, logging critical event details.

Firewalls and Proxies

  • Firewalls: Feature granular logging and can alert on network activity.

  • Web Proxies: Maintain extensive logs, aiding in content retrieval for analysis (e.g., malware investigation).

Centralized Systems

  • Central Log Server: Aggregates event logs from many network devices for easier access and long-term storage.

  • Server Types: Database, web, email, chat, and VoIP servers also generate logs critical for investigations.
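The device logs listed above (DHCP leases, DNS queries, router or firewall decisions) rarely name a machine directly; an IP address in a firewall log must be tied back to the MAC address that held the DHCP lease at that instant, and the "Analyze" step earlier calls for correlating such sources into a timeline. The following Python example, added here and not part of the original notes, does exactly that over constructed log lines whose formats approximate ISC dhcpd, BIND query logging and iptables syslog output. Hostnames, addresses, the assumed year for syslog timestamps and every log line are constructed for the example.

```python
"""Correlate DHCP, DNS and firewall logs into one timeline and attribute each
event's IP address to the MAC that held its lease at that moment.

Added example, not from the original notes. The log lines are constructed;
their formats approximate ISC dhcpd, BIND query logging and iptables syslog."""
import re
from datetime import datetime

YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample logs (not real data).
DHCP_LOG = """\
Jan 14 08:55:01 dhcp01 dhcpd: DHCPACK on 10.0.5.23 to 3c:52:82:aa:bb:01 (LAPTOP-7) via eth1
Jan 14 09:30:44 dhcp01 dhcpd: DHCPACK on 10.0.5.23 to 3c:52:82:cc:dd:02 (PRINTER-2) via eth1
"""
DNS_LOG = """\
14-Jan-2024 09:11:52.103 client 10.0.5.23#51522: query: cdn.example-updates.test IN A +
14-Jan-2024 09:36:10.512 client 10.0.5.23#40011: query: print.example.test IN A +
"""
FW_LOG = """\
Jan 14 09:12:07 fw01 kernel: DENY IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 PROTO=TCP SPT=51523 DPT=8080
Jan 14 09:36:11 fw01 kernel: ALLOW IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=192.0.2.44 PROTO=TCP SPT=40012 DPT=443
"""

SYSLOG = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
DHCPACK = re.compile(r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<name>[^)]*)\))?")
FW = re.compile(r"(?P<action>DENY|ALLOW) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?DPT=(?P<dpt>\d+)")
DNS = re.compile(r"^(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def _syslog_ts(m):
    """Build a datetime from a syslog match, supplying the year syslog omits."""
    return datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def parse_dhcp(text):
    """Return a list of (timestamp, ip, mac, hostname) for each DHCPACK line."""
    leases = []
    for line in text.splitlines():
        s = SYSLOG.match(line)
        d = DHCPACK.search(s["msg"]) if s else None
        if d:
            leases.append((_syslog_ts(s), d["ip"], d["mac"], d["name"] or "?"))
    return leases


def parse_events(dns_text, fw_text):
    """Turn DNS queries and firewall decisions into sorted (timestamp, source, ip, description) events."""
    events = []
    for line in dns_text.splitlines():
        m = DNS.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            events.append((ts, "dns", m["ip"], f"query {m['qname']} {m['qtype']}"))
    for line in fw_text.splitlines():
        s = SYSLOG.match(line)
        f = FW.search(s["msg"]) if s else None
        if f:
            events.append((_syslog_ts(s), "firewall", f["src"], f"{f['action']} to {f['dst']}:{f['dpt']}"))
    return sorted(events)


def lease_holder(leases, ip, at):
    """Return (mac, hostname) holding `ip` at time `at`: the latest DHCPACK for that IP not after `at`."""
    best = None
    for ts, lease_ip, mac, name in leases:
        if lease_ip == ip and ts <= at and (best is None or ts > best[0]):
            best = (ts, mac, name)
    return (best[1], best[2]) if best else (None, None)


def build_timeline(dhcp_text, dns_text, fw_text):
    """Attribute every DNS and firewall event to the MAC behind its IP at that instant."""
    leases = parse_dhcp(dhcp_text)
    rows = []
    for ts, source, ip, desc in parse_events(dns_text, fw_text):
        mac, name = lease_holder(leases, ip, ts)
        rows.append({"time": ts.isoformat(), "source": source, "ip": ip,
                     "mac": mac, "host": name, "event": desc})
    return rows


if __name__ == "__main__":
    for row in build_timeline(DHCP_LOG, DNS_LOG, FW_LOG):
        print(row)
```

Note that the same IP address is attributed to two different machines within an hour: the lease changed hands at 09:30:44, so the earlier denied connection and the later allowed one belong to different devices. Clock skew between the DHCP server, the DNS server and the firewall would shift that boundary, which is why the "Obtain Information" step should include each source's clock offset before correlation begins.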