Network forensics
Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.
Network forensics generally has two uses. The first, relating to security, involves monitoring a network for anomalous traffic and identifying intrusions. An attacker might be able to erase all log files on a compromised host; network-based evidence might therefore be the only evidence available for forensic analysis. The second form of network forensics relates to law enforcement. In this case, analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions.
Two systems are commonly used to collect network data: a brute-force "catch it as you can" method and a more intelligent "stop, look and listen" method.
Overview
Network forensics is a comparatively new field of forensic science. The growing popularity of the Internet in homes means that computing has become network-centric and data is now available outside of disk-based digital evidence. Network forensics can be performed as a standalone investigation or alongside a computer forensics analysis (where it is often used to reveal links between digital devices or reconstruct how a crime was committed).
Marcus Ranum is credited with defining network forensics as "the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents."
Compared to computer forensics, where evidence is usually preserved on disk, network data is more volatile and unpredictable. Investigators often only have material to examine if packet filters, firewalls, and intrusion detection systems were set up to anticipate breaches of security.
Systems used to collect network data for forensic use usually come in two forms:
- "Catch-it-as-you-can" - This is where all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage.
- "Stop, look and listen" - This is where each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires a faster processor to keep up with incoming traffic.
Ethernet
Applying forensic methods on the Ethernet layer is done by eavesdropping on bit streams with tools called monitoring tools or sniffers. The most common tool on this layer is Wireshark (formerly known as Ethereal). It collects all data on this layer and allows the user to filter for different events. With these tools, websites, email attachments and more that have been transmitted over the network can be reconstructed. An advantage of collecting this data is that it is directly connected to a host. If, for example, the IP address or the MAC address of a host at a certain time is known, all data to or from this IP or MAC address can be filtered.
To establish the connection between IP and MAC address, it is useful to take a closer look at auxiliary network protocols. The Address Resolution Protocol (ARP) tables list the MAC addresses with the corresponding IP addresses.
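As an added illustration (not part of the original article), the following Python builds the ARP-derived IP-to-MAC table from a small capture and then filters frames by host, as described above. The frames, addresses and the helper functions are constructed here for the example; a real investigation would read them from a capture file instead.

```python
import struct

ETH_TYPE_IP, ETH_TYPE_ARP, ARP_OP_REPLY = 0x0800, 0x0806, 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)
def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Decode an Ethernet II frame; extract ARP sender fields or IPv4 addresses."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    rec = {"dst": mac_str(dst), "src": mac_str(src), "type": etype}
    payload = frame[14:]
    if etype == ETH_TYPE_ARP and len(payload) >= 28:
        op, sha, spa = struct.unpack("!6xH6s4s", payload[:18])  # skip htype/ptype/hlen/plen
        rec.update(op=op, sender_mac=mac_str(sha), sender_ip=ip_str(spa))
    elif etype == ETH_TYPE_IP and len(payload) >= 20:
        rec.update(src_ip=ip_str(payload[12:16]), dst_ip=ip_str(payload[16:20]))
    return rec

def arp_table(frames):
    """IP -> set of MACs seen in ARP replies; two MACs for one IP deserves a closer look."""
    table = {}
    for rec in map(parse_frame, frames):
        if rec["type"] == ETH_TYPE_ARP and rec.get("op") == ARP_OP_REPLY:
            table.setdefault(rec["sender_ip"], set()).add(rec["sender_mac"])
    return table

def frames_for_host(frames, ip=None, mac=None):
    """Every frame to or from a host, identified by its MAC or by an IP resolved via ARP."""
    macs = {mac} if mac else arp_table(frames).get(ip, set())
    return [r for r in map(parse_frame, frames) if r["src"] in macs or r["dst"] in macs]

# Constructed sample capture with hypothetical addresses: frames are built by hand.
def build_arp_reply(sha, spa, tha, tpa):
    return tha + sha + struct.pack("!HHHBBH6s4s6s4s", ETH_TYPE_ARP, 1, 0x0800, 6, 4,
                                   ARP_OP_REPLY, sha, spa, tha, tpa)

def build_ipv4(smac, dmac, sip, dip):
    hdr = bytes([0x45, 0]) + struct.pack("!HHHBBH4s4s", 20, 0, 0, 64, 6, 0, sip, dip)
    return dmac + smac + struct.pack("!H", ETH_TYPE_IP) + hdr
MAC_A, IP_A = bytes.fromhex("aabbccddee01"), bytes([10, 0, 0, 5])
MAC_B, IP_B = bytes.fromhex("aabbccddee02"), bytes([10, 0, 0, 9])
MAC_GW, IP_GW = bytes.fromhex("001122334455"), bytes([10, 0, 0, 1])
SAMPLE_FRAMES = [
    build_arp_reply(MAC_A, IP_A, MAC_GW, IP_GW),             # A answers the gateway's ARP request
    build_ipv4(MAC_A, MAC_GW, IP_A, bytes([192, 0, 2, 7])),  # A sends out via the gateway
    build_ipv4(MAC_B, MAC_GW, IP_B, bytes([192, 0, 2, 7])),  # B does the same
]
```

Calling `frames_for_host(SAMPLE_FRAMES, ip="10.0.0.5")` resolves the IP to host A's MAC through the ARP reply and returns only A's two frames, while filtering on the gateway's MAC returns all three.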
To collect data on this layer, the network interface card (NIC) of a host can be put into "promiscuous mode". In this mode it collects all traffic that passes over the network segment, not only the traffic addressed to this particular host.
However, if an intruder or attacker is aware that the connection might be eavesdropped on, they might use encryption to secure it. It is almost impossible to break modern encryption, but the fact that a suspect's connection to another host is encrypted all the time might indicate that the other host is an accomplice of the suspect.
TCP/IP
On the network layer the Internet Protocol (IP) is responsible for directing the packets generated by TCP through the network (e.g., the Internet) by adding source and destination information which can be interpreted by routers all over the network. Cellular digital packet networks, like GPRS, use protocols similar to IP, so the methods described for IP work with them as well.
For the correct routing, every intermediate router must have a routing table to know where to send the packet next.
These routing tables are one of the best sources of information when investigating a digital crime and trying to track down an attacker. To do this, it is necessary to follow the attacker's packets, reverse the sending route and find the computer the packets came from (i.e., the attacker).
Another source of evidence on this layer is authentication logs. They show which account and which user was associated with an activity and may reveal who the attacker was, or at least narrow down the set of people who could have been the attacker.
The Internet
The internet can be a rich source of digital evidence including web browsing, email, newsgroup, synchronous chat and peer-to-peer traffic. For example, web server logs can be used to show when (or if) a suspect accessed information related to criminal activity. Email accounts can often contain useful evidence; but email headers are easily faked, and so network forensics may be used to prove the exact origin of incriminating material. Network forensics can also be used to find out who is using a particular computer by extracting user account information from the network traffic.
Wireless forensics is a sub-discipline of network forensics. The main goal of wireless forensics is to provide the methodology and tools required to collect and analyze (wireless) network traffic that can be presented as valid digital evidence in a court of law. The evidence collected can correspond to plain data or, with the broad usage of Voice-over-IP (VoIP) technologies, especially over wireless, can include voice conversations.
Analysis of wireless network traffic is similar to that on wired networks; however, there may be the added consideration of wireless security measures.