Network forensics
Network forensics is a specific subdomain of the forensics domain that focuses on network traffic investigation. The discipline covers the work done to access transmitted information by listening to and investigating live and recorded traffic, gathering evidence/artefacts and understanding potential problems.
In other words, it is the act of recording network packets, creating investigable sources and establishing a root-cause analysis of an event. The ultimate goal is to provide sufficient information to detect malicious activities and security breaches, and to assess policy/regulation compliance, system health and user behaviour.
The investigation process identifies the communicating hosts in terms of time, frequency, protocol, application and data. An investigation tries to answer the 5Ws:
Who (Source IP and port)
What (Data/payload)
Where (Destination IP and port)
When (Time and date)
Why (How/What happened)
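To make the 5Ws concrete, here is an added example (not part of the original notes) that walks a pcap file record by record and pulls out who (source IP/port), where (destination IP/port), when (timestamp) and what (TCP payload); the "why" is the analyst's conclusion and cannot be read from a packet. The capture is constructed in memory with struct so the script runs offline; addresses, ports and the HTTP payloads are made-up sample values, and checksums are left at zero because the parser never validates them.

```python
import struct
import ipaddress
from datetime import datetime, timezone


def build_packet(ts, src, sport, dst, dport, payload):
    # Constructed Ethernet/IPv4/TCP frame plus its pcap record header (zeroed MACs and checksums).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip  # 12 bytes of MAC addresses, EtherType 0x0800 (IPv4)
    sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


# Little-endian pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet).
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

# Constructed sample capture: one HTTP request and its reply half a second later.
SAMPLE_PCAP = (
    PCAP_GLOBAL_HEADER
    + build_packet(1700000000.25, "10.0.0.5", 51234, "203.0.113.9", 80, b"GET /index.html HTTP/1.1\r\n")
    + build_packet(1700000000.75, "203.0.113.9", 80, "10.0.0.5", 51234, b"HTTP/1.1 200 OK\r\n")
)


def five_w(pcap):
    # Returns one who/where/when/what record per IPv4/TCP packet in a little-endian pcap.
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off, answers = 24, []
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4, skip
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        ip = frame[14:14 + ihl]
        if ip[9] != 6:
            continue  # not TCP, skip
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4  # TCP header length in bytes
        answers.append({
            "who": (str(ipaddress.IPv4Address(ip[12:16])), sport),
            "where": (str(ipaddress.IPv4Address(ip[16:20])), dport),
            "when": datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc).isoformat(),
            "what": tcp[data_off:],  # the payload: what a flow summary would not retain
        })
    return answers
```

Pointing five_w at the bytes of a real capture file works the same way, as long as the file uses the classic little-endian pcap format rather than pcapng.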
Note that the network evidence capture and investigation process is meant to be systematic. Having enough data and the right timeline capture for a successful network forensics investigation is crucial.
Primary purposes of network forensics
Security Operations (SOC): Daily security monitoring activities on system performance and health, user behaviour, and security issues.
Incident Handling/Response and Threat Hunting: During/Post-incident investigation activities on understanding the reason for the incident, detecting malicious and suspicious activity, and investigating the data flow content.
Traffic investigation actions fall under network forensics, and also under network traffic analysis (NTA). For example, NetworkMiner, used in both network forensics and NTA, is capable of processing and handling packet captures and live traffic. Both live and captured traffic data sources are valuable for forensic investigations, but the main purpose of using NetworkMiner is to investigate the overall flow/condition of a limited amount of traffic, not a long, in-depth live traffic investigation.
Network forensics use cases
Network discovery: Discovering the network to overview connected devices, rogue hosts and network load.
Packets reassembling: Reassembling the packets to investigate the traffic flow. This use case is helpful in unencrypted traffic flows.
Data leakage detection: Reviewing packet transfer rates for each host and destination address helps detect possible data leakage.
Anomaly and malicious activity detection: Reviewing overall network load by focusing on used ports, source and destination addresses, and data helps detect possible malicious activities along with vulnerabilities. This use case covers the correlation of indicators and hypotheses as well.
Policy/Regulation compliance control: Reviewing overall network behaviour helps detect policy/regulation compliance.
Advantages of network forensics
Availability of network-based evidence in the wild: Capturing network traffic is itself collecting evidence, so it is easier than other types of evidence collection such as logs and IOCs.
Ease of data/evidence collection without creating noise: Capturing and working with network traffic is easier than investigating unfiltered events from EDRs, EPPs and log systems. Usually, sniffing doesn't create much noise, logs or alerts. Network traffic is also not destructible in the way that logs and alerts generated by security systems are.
It is hard to destroy the network evidence, as it is the transferred data: Since the evidence is the traffic itself, it is impossible to do anything without creating network noise. Still, it is possible to hide the artefacts by encrypting, tunnelling and manipulating the packets, so this second fact is the challenge that comes with this advantage.
Availability of log sources: Logs provide valuable information which helps to correlate the chain of events and support the investigation hypothesis. The majority of EDRs, EPPs and network devices create logs by default. Log files are readily available if the attacker/threat/malware didn't erase/destroy them.
It is possible to gather evidence for memory-resident and non-resident malicious activities: The malware/threat might reside only in memory to avoid detection. However, the series of commands and connections lives in the network, so it is possible to detect non-resident threats with network forensics tools and tactics.
Challenges of network forensics
Deciding what to do: One of the most difficult challenges of network forensics is deciding what to do. There are several purposes for carving through network data: SOC, IH/IR and threat hunting. Observing, trapping, catching or stopping an anomalous activity is also possible.
Sufficient data/evidence collection on the network: One of the advantages of network forensics is the ease of collecting evidence. However, the breadth of this concept poses a challenge, and there are multiple points to consider in data/evidence collection.
Short data capture: One of the challenges in data/evidence collection. Capturing all network activity is neither practical nor operable, so it is hard to always have packet captures that cover the pre-, during- and post-event periods.
The unavailability of full-packet capture on suspicious events: Continuously capturing, storing and processing full packets costs time and resources. The inability to keep full-packet captures for a long time creates time gaps between captures, resulting in missing a significant part of an event of interest. Sometimes NetFlow captures are used instead of full-packet captures to reduce the cost of full-packet capture and increase the capture time. Note that full-packet captures provide full packet details and give the opportunity of event reconstruction, while NetFlow provides a high-level summary but not data/payload details.
Encrypted traffic: Encrypted data is another challenge of network forensics. In most cases, discovering the contents of the encrypted data is not possible. However, the encrypted data can still provide valuable information for the hypothesis, like source and destination addresses and the services used.
GDPR and privacy concerns in traffic recording: Capturing the traffic is the same as "recording everything on the wire"; therefore, this act should comply with GDPR and business-specific regulations (e.g. HIPAA, PCI DSS and FISMA).
Nonstandard port usage: One of the popular approaches in network forensics investigations is grabbing the low-hanging fruit in the first investigation step. Looking for commonly used patterns (like known ports and services used in enumeration and exploitation) is known as grabbing the low-hanging fruit. However, attackers/threats sometimes use nonstandard ports and services to avoid detection and bypass security mechanisms. Therefore, this sometimes ends up as a challenge of network forensics.
Time zone issues: Using a common time zone is important for large-scale event investigation. Especially when working with multiple sources across different time zones, the use of different time zones creates difficulties in event correlation.
Lack of logs: Network forensics is not limited to investigating the network traffic data. Network devices and event logs are crucial in event correlation and investigation hypotheses. This fact is known by attackers/threats as well; therefore, these logs are often erased to make the investigation more difficult.
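The "data leakage detection" use case above (per-host transfer rates) and the "nonstandard port usage" challenge both come down to simple checks over connection summaries. The following is an added example, not part of the original notes, that runs two such checks over constructed connection records: it fingerprints the first client bytes (TLS, HTTP or SSH) and flags services that do not match their port, and it flags upload-heavy connections whose outbound volume is far above inbound. The records, the expected-port table and the volume thresholds are all assumptions chosen for this illustration.

```python
# Constructed connection records: (src, dst, dport, bytes_out, bytes_in, first client payload bytes).
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", "203.0.113.9", 443, 4_000, 120_000, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    ("10.0.0.5", "198.51.100.7", 22, 9_000, 30_000, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.8", "198.51.100.23", 8443, 850_000_000, 2_000, b"GET / HTTP/1.1\r\nHost: x\r\n"),
    ("10.0.0.8", "203.0.113.44", 53, 70_000, 65_000, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"),
    ("10.0.0.9", "203.0.113.50", 80, 600, 900, b"SSH-2.0-dropbear\r\n"),
]

# Assumed "expected" ports per protocol; tune to the environment being investigated.
EXPECTED_PORTS = {"tls": {443, 8443, 993, 995}, "http": {80, 8080}, "ssh": {22}}

# Assumed leakage thresholds: at least this many bytes out, and this many times more out than in.
LEAK_MIN_BYTES = 100_000_000
UPLOAD_RATIO = 10


def fingerprint(payload):
    # Identify the application protocol from the first client bytes, independent of the port.
    if payload[:2] == b"\x16\x03":          # TLS record type 22 (handshake), major version 3
        return "tls"
    if payload.startswith(b"SSH-"):           # SSH identification string
        return "ssh"
    if payload.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT"}:  # plain HTTP request line
        return "http"
    return None


def find_port_mismatches(connections):
    # Connections whose fingerprinted protocol is running on a port where it is not expected.
    hits = []
    for src, dst, dport, _out, _in, payload in connections:
        proto = fingerprint(payload)
        if proto is not None and dport not in EXPECTED_PORTS[proto]:
            hits.append((src, dst, dport, proto))
    return hits


def find_upload_heavy(connections):
    # Connections that push far more data out than they receive: a possible exfiltration channel.
    return [(src, dst, out) for src, dst, _p, out, inb, _pl in connections
            if out >= LEAK_MIN_BYTES and out >= UPLOAD_RATIO * max(inb, 1)]
```

Both checks are starting points for a hypothesis, not verdicts: a large outbound transfer may be a legitimate backup, and a TLS session on port 53 may simply be DNS over TLS, so each hit still needs correlation with logs and context.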
Investigated data types in network forensics
Live Traffic
Traffic Captures (full packet captures and network flows)
Log Files
Sources of evidence
Capturing proper network traffic requires knowledge and tools. Usually, there is only a single chance of gathering the live traffic as evidence. There are multiple evidence sources from which to gather network forensics data:
TAPs
Inline Devices
SPAN Ports
Hubs
Switches
Routers
DHCP Servers
Name Servers
Authentication Servers
Firewalls
Web Proxies
Central Log Servers
Logs (IDS/IPS, Application, OS, Device)