I'm new to this site and have been looking around it for any discussions about network forensics, but have been unable to find any.
By the term network forensics, I do mean the capture, analysis and presentation of packet traffic directly 'off the wire', all in a forensically sound manner.
Is this a topic of interest to this board?
> Is this a topic of interest to this board?
Most certainly, and welcome to Forensic Focus.
Hey I am also new here and I was looking for information on e-evidence collection within the dynamic scene (network infrastructures), as I am currently working on a similar research topic.
I hope a new topic will start here, and I am looking forward to seeing opinions about areas of interest (for collecting evidence) and especially the differences between Windows and UNIX platforms.
Shall I pose a question like: which platform do you consider to be more 'rich' in providing solid evidence, and why?
Finally, does anyone know of any good, credible site with relevant information?
Network Forensics is about capturing and analyzing packet traffic directly from a network. The kinds of traffic are many and varied. There will be a good amount of broadcast traffic from switches talking to each other as well as regular network activity in terms of 'sessions' comprising such things as HTTP, SMTP, TELNET, FTP to name but a few. Full blown network forensics involves the capture and reconstruction of all these types of traffic and to that end, it makes little difference as to whether the network comprises Unix, Windows or both.
When it comes to proprietary protocols, such as Microsoft's (NetBIOS, SMB, etc.), there is a difference in that these protocols are indecipherable without the proprietary Microsoft decodes.
Good network forensics should give the ability to understand who was talking to whom, in terms of IP to IP, which protocol they were using and the full content of the 'conversation'.
In terms of where to look for information about this, I suggest you Google 'Carnivore', now renamed DCS1000, which is the FBI's tool for capturing network traffic. Also, Google SilentRunner, now renamed eTrust Network Forensics. I believe there are also ads on this site for Sandstorm (NetIntercept?).
Network Forensics is complementary to 'traditional' forensics in that evidence may be captured/seen on the network which can pin-point machines on a network which need to be imaged and examined.
Network Forensics also gives a huge insight into network activity which has gone completely unnoticed by the network admins. Recently there has been considerable activity on networks where it is believed that ARP cache poisoning may be taking place in order to mount man-in-the-middle attacks, etc. The issue here is that ARP (Layer 2 on the IP stack) goes completely undetected by IDS (Intrusion Detection Systems).
There have also been large-scale outbreaks of 'malware' where the kernels of 'infected' machines have been compromised. These machines, although appearing 'healthy' to the administrators, are in fact undertaking large-scale probing inside corporate networks. It is usually only through undertaking network analysis/forensics that this type of activity is detected.
I hope this helps 🙂
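The post above describes the core output of network forensics: who talked to whom (IP to IP), over which protocol, and the full content of the conversation. The following is an added example, not code from the original post or from any of the products it names. It parses raw Ethernet/IPv4/TCP frames with nothing but `struct`, groups both directions of a session under one direction-independent key, labels the session by its well-known server port, and concatenates each side's payload. The addresses, ports and payloads in `sample_frames()` are constructed for the example; the port-to-protocol map is a small assumption, not a full IANA table.

```python
"""Reassemble captured Ethernet/IPv4/TCP frames into per-conversation byte streams.

Added example (not code from the original post or from any product named in it):
parses frames with struct only, groups them by the 5-tuple regardless of direction,
and labels each conversation by its well-known server port. The sample frames below
are constructed inline; the addresses, ports and payloads are invented.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# Small port-to-protocol map used only for labelling (an assumption, not a full IANA table).
WELL_KNOWN = {21: "FTP", 23: "TELNET", 25: "SMTP", 80: "HTTP"}


def ipv4_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_tcp_frame(frame: bytes):
    """Return (src_ip, sport, dst_ip, dport, payload) or None if the frame is not IPv4/TCP."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or total_len > len(ip) or ihl + 20 > total_len:
        return None
    tcp = ip[ihl:total_len]           # trims any Ethernet padding after the IP datagram
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4  # skips TCP options if present
    return ipv4_to_str(ip[12:16]), sport, ipv4_to_str(ip[16:20]), dport, tcp[data_offset:]


def conversation_key(src_ip, sport, dst_ip, dport):
    """Direction-independent key so both halves of a session land in one bucket."""
    a, b = (src_ip, sport), (dst_ip, dport)
    return (a, b) if a <= b else (b, a)


def reconstruct(frames):
    """Group frames into conversations; payload bytes are concatenated in capture order.

    Limitation (deliberate, to keep the example short): no sequence-number reassembly,
    so retransmitted or reordered segments would be appended exactly as seen.
    """
    convs = {}
    for frame in frames:
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        src_ip, sport, dst_ip, dport, payload = parsed
        key = conversation_key(src_ip, sport, dst_ip, dport)
        if key not in convs:
            # The first frame seen is taken as client -> server, which holds when the
            # capture includes the opening SYN; a mid-stream capture would need the flags.
            convs[key] = {"client": (src_ip, sport), "server": (dst_ip, dport),
                          "protocol": WELL_KNOWN.get(dport, f"tcp/{dport}"),
                          "c2s": b"", "s2c": b""}
        conv = convs[key]
        if (src_ip, sport) == conv["client"]:
            conv["c2s"] += payload
        else:
            conv["s2c"] += payload
    return list(convs.values())


def build_frame(src_ip, dst_ip, sport, dport, payload=b"", flags=0x18):
    """Construct a sample Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split("."))) + tcp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def sample_frames():
    """Constructed capture: one HTTP and one SMTP session interleaved on the wire."""
    return [
        build_frame("10.0.0.5", "10.0.0.80", 49152, 80, flags=0x02),                  # SYN
        build_frame("10.0.0.80", "10.0.0.5", 80, 49152, flags=0x12),                  # SYN/ACK
        build_frame("10.0.0.5", "10.0.0.25", 49153, 25, flags=0x02),                  # SYN
        build_frame("10.0.0.5", "10.0.0.80", 49152, 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_frame("10.0.0.25", "10.0.0.5", 25, 49153, b"220 mail ready\r\n"),
        build_frame("10.0.0.80", "10.0.0.5", 80, 49152, b"HTTP/1.0 200 OK\r\n\r\nhello"),
        build_frame("10.0.0.5", "10.0.0.25", 49153, 25, b"HELO client.example\r\n"),
    ]


if __name__ == "__main__":
    for conv in reconstruct(sample_frames()):
        print(f"{conv['client'][0]}:{conv['client'][1]} -> "
              f"{conv['server'][0]}:{conv['server'][1]} [{conv['protocol']}]")
        print("  client:", conv["c2s"])
        print("  server:", conv["s2c"])
```

Running the module prints the two conversations with their reassembled client and server streams. Real captures need sequence-number reassembly and handling of the proprietary decodes the post mentions; the grouping logic, though, is the same whether the hosts involved run Unix or Windows.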
The easiest way to get started with network forensics is to download a copy of Ethereal for your platform, and start playing with it.
Googling "Carnivore" isn't going to do you a lot of good, because all you'll get to do is read about it. The strength of the "Silent Runner" product (originally from Raytheon) isn't its network forensics capabilities, but more its presentation capabilities…by 'sniffing' emails, for example, you can do N-gram extraction and group emails by content, thereby detecting "conversations" that appear out of the ordinary (an example would be two guys doing insider trading at a brokerage firm).
> It is usually only through undertaking network analysis/forensics that this type of activity is detected.
This is true in some cases…but largely because the admins don't have daily access to the console. This sort of thing is picked up by the IDS or found in the firewall logs.
> Googling "Carnivore" isn't going to do you a lot of good, because all you'll get to do is read about it.
Reading about any of these technologies is a fundamental part of research, particularly when it comes down to the law pertaining to sniffing traffic at an ISP as opposed to sniffing traffic on a corporate network.
> The strength of the "Silent Runner" product (originally from Raytheon) isn't its network forensics capabilities, but more its presentation capabilities.
SilentRunner can collect every single packet from a network, date/time stamped down to the millisecond. From a forensics point of view good presentation is essential in order to assist the analyst in his/her investigation. It doesn't matter how much data one collects if it cannot be analysed. The presentation of data in an understandable form is an essential part of network forensics, and it is this which actually makes SilentRunner an incredibly powerful tool for network forensics.
> ...by 'sniffing' emails, for example, you can do N-gram extraction
It is actually called n-gram analysis, capable of analyzing any type of electronic file. It is language independent and can differentiate subtle differences in files down at the byte level, as well as having the capability to group files by similarity of content. These files may be textual, pictorial or audio.
> This is true in some cases…but largely because the admins don't have daily access to the console. This sort of thing is picked up by the IDS or found in the firewall logs.
Suspect traffic, ARP for example, is not detected by IDS, nor is it going to be 'detected' by firewalls. This type of activity is purely internal to a network. Just as an aside, SilentRunner can also read any regularly delimited file into the analyzer component and is often used for firewall/IDS/PBX log analysis and cross-correlation, once again using its awesome presentation capabilities to depict these logged events in an understandable form.
Firewall/IDS log analysis rarely happens precisely because of the complexity of making any sense of the logged events. This is due, in no small part, to the volume of such events. SilentRunner is capable of depicting and replaying thousands of events on a single screen.
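The n-gram analysis described in the reply above (language-independent, byte-level, able to group files of any type by similarity of content) can be shown with a small worked example. What follows is an added example and not SilentRunner's algorithm or code: it builds a byte n-gram profile for each item, scores pairs with cosine similarity, and puts items into one group when their score clears a threshold. The "mails" and binary blobs are constructed for the example; the threshold of 0.5 is an assumption chosen for these samples.

```python
"""Byte-level n-gram profiling and grouping of files by content similarity.

Added example, not SilentRunner's algorithm or code: builds a byte n-gram profile
for each item, scores pairs with cosine similarity, and groups items whose score
clears a threshold. Works on any bytes, so text, images and audio are all handled
the same way. The sample "mails" and binaries below are constructed.
"""
import math
from collections import Counter, defaultdict


def ngram_profile(data: bytes, n: int = 3) -> Counter:
    """Count every overlapping n-byte window; language- and format-independent."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def cosine_similarity(p: Counter, q: Counter) -> float:
    """1.0 for identical profiles, 0.0 for profiles sharing no n-gram."""
    dot = sum(count * q[gram] for gram, count in p.items())
    norm_p = math.sqrt(sum(c * c for c in p.values()))
    norm_q = math.sqrt(sum(c * c for c in q.values()))
    return dot / (norm_p * norm_q) if norm_p and norm_q else 0.0


def group_by_similarity(items: dict, n: int = 3, threshold: float = 0.5):
    """Single-linkage clustering: items join a group when any pair scores >= threshold.

    Returns a sorted list of groups, each a list of item names in input order.
    """
    names = list(items)
    profiles = {name: ngram_profile(data, n) for name, data in items.items()}
    parent = {name: name for name in names}       # union-find over item names

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if cosine_similarity(profiles[a], profiles[b]) >= threshold:
                parent[find(a)] = find(b)

    groups = defaultdict(list)
    for name in names:
        groups[find(name)].append(name)
    return sorted(groups.values())


# Constructed samples: two near-duplicate mails about a trade, two about lunch,
# and a binary blob beside a copy with a single byte flipped.
BIN_V1 = bytes(range(64)) * 4
_bin_v2 = bytearray(BIN_V1)
_bin_v2[100] ^= 0xFF
SAMPLES = {
    "mail1": b"Re: ACME earnings. Buy before the announcement on Thursday. Keep this between us.",
    "mail2": b"Re: ACME earnings. Sell after the announcement on Thursday. Keep this between us.",
    "mail3": b"Lunch at noon? The cafeteria has tacos today. Let me know.",
    "mail4": b"Lunch at noon? The cafeteria has pizza today. Let me know.",
    "bin_v1": BIN_V1,
    "bin_v2": bytes(_bin_v2),
}

if __name__ == "__main__":
    for group in group_by_similarity(SAMPLES):
        print(group)
    p1, p2 = ngram_profile(SAMPLES["bin_v1"]), ngram_profile(SAMPLES["bin_v2"])
    print("bin_v1 vs bin_v2 (one byte differs):", round(cosine_similarity(p1, p2), 4))
```

The two trade mails group together even though the instruction in them is opposite, which is the point of content grouping: it surfaces the conversation, and the analyst reads it. Trigrams over bytes are a convenient choice for short text; larger n or a different distance measure is a tuning decision, and the cost grows with the square of the number of items, which is the processing-power concern raised later in the thread.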
Craiginusa and Keydet89, thanks both for your advice.
I've already done research on the topic and already played with quite a few sniffers and honeypots just to learn their abilities. Though I haven't properly read about 'Silent Runner' and its functions. It sounds powerful IF it can detect ARP calls and present data (evidence):
> using its awesome presentation capabilities to depict these logged events in an understandable form.
I agree with the opinion that the presentation of data (evidence) associations is more important; otherwise a case could never be legally supported in a court, it would remain an indication of a mal-activity.
My research is generally on the 'dynamic world' and not precisely on networks in the sense of local structures. I am trying to identify which areas can provide hard evidence apart from log files (either from IDS, honeypots, syslogs, etc.) and how long this evidence remains in the system or in interconnected systems (like in the ISP servers).
N-gram analysis and pattern recognition by applying data mining techniques appear costly in time and processing power. The point is identifying which evidence is more important to analyse in the first stage, so that a general limit to how much data should be kept, and for how long, can be established.
As for my question regarding the UNIX, windows platform thanks 'craiginusa' for clarifying, in a way, that in network forensics the focus is in lower layers than the application layer. It sure helps!
> The issue here is that ARP (Layer 2 on the IP stack) goes completely undetected by IDS (Intrusion Detection Systems).
That's not quite true: Snort has an ARP detection plugin and ISS RealSecure will detect duplicate IP addresses. None of these really do pick up ARP poisoning tools such as Cain & Abel ( http://www.oxid.it/cain.html ) in a simple way - it's more to do with the analyst's view of what they have seen. On an aside, once you've played with Cain & Abel you'll never log in anywhere that you haven't secured yourself ever again.
You would really want to run something like arpwatch ( http://linuxcommand.org/man_pages/arpwatch8.html ) though; that gets it every time.
> Firewall/IDS log analysis rarely happens precisely because of the complexity of making any sense of the logged events. This is due, in no small part, to the volume of such events.
Really? I do it every day for a living. I'm not a forensics investigator though, just a wannabe. The volume of events is the product of bad tuning of the sensors. Get an application flow done, then tune to that, then add a few signatures to capture anomalies and you're fine.
If anyone has questions on NIDS/HIDS/LFA I can give it a shot, that's my bag, but I believe the people here have much more exciting work lives, which is why I read the forums 😉
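The reply above points at arpwatch as the tool that catches ARP poisoning, and notes that what an IDS shows is "more to do with the analyst's view of what they have seen". The following is an added example of that arpwatch-style check; it is not arpwatch's code, nor Cain & Abel's. It parses raw Ethernet/ARP frames, keeps the IP-to-MAC table the segment has advertised, raises an alert whenever a binding changes, and reports any MAC that ends up claiming several IPs, which is the shape an attacker sitting between a host and its gateway leaves behind. The capture in `sample_capture()` is constructed; all MACs, IPs and timestamps are invented.

```python
"""arpwatch-style detection of IP-to-MAC binding changes from raw ARP frames.

Added example, not arpwatch's code or Cain & Abel's: keeps the IP -> MAC table a
LAN segment has advertised, flags any binding that changes, and reports MACs that
end up claiming several IPs. The frames below are constructed; addresses are invented.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 ARP only
        return None
    return op, fmt_mac(frame[22:28]), fmt_ip(frame[28:32]), fmt_ip(frame[38:42])


class ArpWatcher:
    """Learn sender bindings from every ARP frame (requests and replies both carry one)."""

    def __init__(self):
        self.table = {}    # ip -> mac as most recently advertised on the wire
        self.alerts = []   # binding changes, in capture order

    def observe(self, frame: bytes, ts: float):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, mac, ip, _target_ip = parsed
        if ip == "0.0.0.0":          # ARP probe (RFC 5227) carries no binding
            return None
        prev = self.table.get(ip)
        self.table[ip] = mac
        if prev is None or prev == mac:
            return None
        # A changed binding is what arpwatch reports as a changed ethernet address.
        # It is evidence, not proof: a DHCP lease moving to a new host looks the same,
        # so old/new pair and timestamp are kept for the analyst to judge.
        alert = {"ts": ts, "ip": ip, "old_mac": prev, "new_mac": mac,
                 "via": "reply" if op == ARP_REPLY else "request"}
        self.alerts.append(alert)
        return alert

    def ips_per_mac(self):
        """Invert the table; one MAC holding several IPs after changes is the MITM signature."""
        inverted = {}
        for ip, mac in self.table.items():
            inverted.setdefault(mac, []).append(ip)
        return inverted


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a sample Ethernet/ARP frame; requests go to broadcast, replies to the target."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))

    def ip(s):
        return bytes(int(x) for x in s.split("."))

    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac(eth_dst) + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


GATEWAY, VICTIM, ATTACKER = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"


def sample_capture():
    """Constructed: a normal ARP exchange, then unsolicited replies of the kind a poisoner sends."""
    return [
        (1.0, build_arp_frame(ARP_REQUEST, VICTIM, "10.0.0.7", "00:00:00:00:00:00", "10.0.0.1")),
        (1.1, build_arp_frame(ARP_REPLY, GATEWAY, "10.0.0.1", VICTIM, "10.0.0.7")),
        (30.0, build_arp_frame(ARP_REPLY, ATTACKER, "10.0.0.1", VICTIM, "10.0.0.7")),   # poisons victim
        (30.1, build_arp_frame(ARP_REPLY, ATTACKER, "10.0.0.7", GATEWAY, "10.0.0.1")),  # poisons gateway
    ]


def run(capture):
    watcher = ArpWatcher()
    for ts, frame in capture:
        watcher.observe(frame, ts)
    return watcher


if __name__ == "__main__":
    w = run(sample_capture())
    for a in w.alerts:
        print(f"t={a['ts']}: {a['ip']} moved {a['old_mac']} -> {a['new_mac']} (via {a['via']})")
    for mac_addr, ips in w.ips_per_mac().items():
        if len(ips) > 1:
            print(f"{mac_addr} now claims {sorted(ips)}")
```

Both poisoned bindings produce a change alert and the attacker's MAC ends up holding the gateway's and the victim's addresses. The two alerts alone could be a lease change; the same MAC claiming both ends of a host-gateway pair within a tenth of a second is what makes the pattern worth escalating, which is the analyst's call the reply describes.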