Network Digital Forensics

Network forensics is the process of looking at network artifacts to determine whether any unauthorized activity has taken place, as well as retrieving artifacts and evidence to prove it. This includes, but is not limited to, network monitoring, network recording, and active/passive analysis of network traffic and events for correlation. Analysts can use these techniques to uncover the origins of security events and perform root cause analysis.

The idea behind a strong forensics practice is to enable the blue team to improve their detection techniques and have better understanding and visibility throughout the network. In this chapter, we will look at how to perform network forensics and learn how to utilize these results to build a strong security mechanism.  

The following topics will be covered in this chapter:

  • Concepts of network forensics 
  • Forensics tools – network analysis and response
  • Key approaches to network forensics
  • Advances in network forensic practices

Technical requirements

You will make the best out of the chapter if you familiarize yourself with network forensic platforms such as the following before you begin:

  • Core Network Insight
  • Corero Network Security
  • NETSCOUT
  • RSA Security (Dell)
  • Wireshark
  • NIKSUN Suite
  • Security Onion
  • Xplico
  • NetworkMiner
  • Hakabana
  • PassiveDNS
  • Solera Networks DS
  • DSHELL
  • LogRhythm Network Monitor

Concepts of network forensics

As the number of attacks against networked systems such as computers, smartphones, and tablets has increased, so has the value of network forensics. In order to respond to any major attack, the analyst needs to be able to observe, detect, and understand what the threat actor has done by applying digital forensic principles to the network traffic data.

Network forensics involves collecting and conducting an analysis of the network packets to understand the complete picture of the incident. The crux is to collect and preserve evidence while conducting analysis to get a complete picture of what happened, who did what, and produce sound technical evidence and inferences to support the hypotheses. This includes analyzing the network data from firewalls, IDSes/IPSes, and other perimeters and internal networking devices.

Fundamentals of network forensics

Before we go into the gory details of network forensics, it is important to understand how it is carried out at a broader level. Therefore, let's take a look at the key fundamentals of network forensics:

  • Identification: This is the primary step and deals with identifying the logs, evidence, and artifacts that need to be collected for network forensics analysis.
  • Collection: This involves actually collecting the digital evidence and documenting the aspects of the scene such as physical and digital attributes, as dictated by the law. This evidence and documentation should be admissible in a court of law (if required). Hence, it is best to be familiar with the legal requirements and follow the appropriate procedure.
  • Preservation: This is the act of preserving the evidence and ensuring that it is safely stored for later analysis. This may also include the process of creating a forensic copy of the evidence for later reference. Ensuring there's a chain of custody throughout the process from this point onward is very important.
  • Examination and analysis: This is the stage of the forensic analysis process where collected evidence is cataloged and an in-depth technical examination is carried out. Post this, based on the evidence that's been gathered, the timeline of the attack is created to come to a logical conclusion, as guided by the evidence and inferences drawn from it.
  • Presentation: This is where the technical analysis that's been carried out is summarized in a presentation to showcase the findings to the intended audience.
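The preservation step above hinges on two things: a forensic copy that is provably identical to the original, and a chain-of-custody record that is re-verified at every hand-over. The following added example (written for this edit, not code from the book or any of the products it names) shows the minimal version of that in Python: stream-hash the evidence, copy it, log each custody event with the hash, and detect later modification. The file names, handler names, and the sample "capture" bytes are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large captures never need to fit in memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(original, working_copy, handler, note):
    """Create the forensic working copy, prove it matches the original, and open a custody log.

    The log is a list of entries; the first one records the acquisition and the hash
    that every later entry must agree with.
    """
    with open(original, "rb") as src, open(working_copy, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    orig_hash = sha256_file(original)
    if sha256_file(working_copy) != orig_hash:
        raise RuntimeError("working copy does not match original; acquisition failed")
    return [{
        "action": "acquire",
        "item": os.path.basename(original),
        "sha256": orig_hash,
        "handler": handler,  # constructed handler name, see lead-in
        "note": note,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }]


def transfer(log, path, handler, note):
    """Append a custody entry; the hash is recomputed at every hand-over, never copied forward."""
    log.append({
        "action": "transfer",
        "item": os.path.basename(path),
        "sha256": sha256_file(path),
        "handler": handler,
        "note": note,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    })
    return log


def verify(log, path):
    """True only if every log entry carries the acquisition hash and the file still matches it."""
    first = log[0]["sha256"]
    return all(e["sha256"] == first for e in log) and sha256_file(path) == first


def demo():
    """Constructed walk-through: acquire, hand over, verify, then simulate an accidental edit."""
    d = tempfile.mkdtemp()
    original = os.path.join(d, "capture.pcap")
    copy = os.path.join(d, "capture-working.pcap")
    with open(original, "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + b"constructed sample bytes" * 100)  # not a real capture
    log = acquire(original, copy, "analyst-a", "export from network sensor")
    transfer(log, copy, "analyst-b", "handed over for analysis")
    intact = verify(log, copy)
    with open(copy, "ab") as f:  # a single appended byte is enough to break the chain
        f.write(b"x")
    tampered = verify(log, copy)
    return intact, tampered, json.dumps(log, indent=1)


if __name__ == "__main__":
    ok, bad, custody = demo()
    print(custody)
    print("intact after transfer:", ok, "| after modification:", bad)
```

In practice the log entries would be signed or written to append-only storage, and the working copy, not the original, is what the analysis tools touch; the original is hashed once, sealed, and only re-hashed to settle a dispute.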

These were some of the fundamentals/basic steps that you need to keep in mind as you go about performing network forensics. Next, we will take a look at the technical capabilities that a forensic investigator like you should possess to adequately respond to incidents in a live environment.   

Technical capabilities for responding to forensic incidents

Forensic investigations can be quite complex, so it becomes important for experts to be equipped with a few technical capabilities. Some of the key aspects that we should consider for a forensic engagement include the following:

  • Evidence acquisition: This includes data acquisition from a wide variety of devices and media types and maintaining the integrity of the evidence.
  • Platform-specific analysis: This includes examining and analyzing platform-specific artifacts. This covers network communication, the operating system, data storage, the application and database, memory forensics, as well as mobile device forensics.
  • Data recovery: This includes extracting logical data from datasets, reconstructing file fragments, recovering deleted files and lost passwords, and decrypting encrypted data.
  • Data analysis: This involves searching and correlating potential evidence, as well as a variety of other ways to discover useful information.
  • Reporting: Reporting the results of the analysis. This includes a description of the actions, tools, and procedures used. This is where your findings are interpreted.

In most forensic engagements, you will be working as part of a larger team overseeing the response capability to an incident. Some of the key aspects that are essential for the success of the engagement include the following:

  • Incident management framework and capabilities: Maintain an up-to-date view of the internal and external capabilities required to conduct an incident response, including identification, mitigation, and recovery.
  • IR risk assessment: Identify the source of legal/regulatory risk to ensure the compliance of IR processes with applicable laws, identify regulators or enforcement authorities, and understand the potential breach of contracts (vendors, customers, and banks).
  • Incident response plan definition: Define and maintain the incident response plan with the right procedures and personnel to identify, mitigate, and recover from incidents.
  • Incident response contingency plan: Ensure that the incident response plan aligns with the general contingency plan, including business continuity, crisis communication, and disaster recovery plans.
  • Compromise and exposure assessment: Assess your environment's defense-in-depth controls, and look for evidence of past or current compromises through this unique assessment.
  • Cyber defense maturity assessment: Assess the maturity of your cyber defense controls, both through tabletop reviews and hands-on checks, using cyber health check assessments of your detection capabilities.
  • Incident response training/exercises: Train the key people in your incident response process and run tabletop and simulation exercises to ensure the plan is in place.
  • Red team/persistent red team exercises: Perform adversary simulations and persistent red team exercises to test and refine your defenses against the most advanced threats, tools, and techniques.

This list highlights the key aspects that should be considered for a forensic exercise; however, given the size and priority of the engagement, there may be additional points that would be mandated by the organization to meet these requirements. Different types of network data can be pieced together so that we realize the complete picture of malicious network activity. This includes network telemetry data, application data, and packet data.

Network forensics is not easy. Some key challenges include collecting the relevant artifacts from the network and data correlation, as shown in the following diagram:

In the next section, we will take a look at the various network protocols and communication layers, as well as the tools and platforms that we will use to dig deeper into the network. This will also allow us to collect evidence and piece together the incident timeline. 

Network protocols and communication layers

Some of the most commonly analyzed network protocols and communication layers in network forensics are as follows:

  • Data link and physical layer detection (Ethernet): We utilize sniffing tools such as Wireshark and tcpdump in order to capture the relevant traffic from the network interface. This enables you to filter the data that needs further investigation and helps form a picture of the transmissions that have happened over the network. 
  • Transport and network layer detection (TCP/IP): Here, the focus is on retrieving information pertaining to the network activity in the target network, such as packet transmission, routing tables, and source information. This information helps in piecing together a picture of the attack scenario.
  • Examining traffic based on the use case (internet): This is a vast pool of rich evidence that can range from services such as email, chat, web browsing, and file transfer, among others.
  • Wireless: This can help with identifying devices that are connected to a particular wireless connection, hence giving us its approximate location. Services used, sites visited, and data transmitted can also be analyzed if certain monitoring mechanisms are in place. 
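The first two bullets above describe peeling a capture apart layer by layer, Ethernet, then IP, then TCP/UDP, and turning the header fields into a picture of who talked to whom. The following added example (written for this edit; it is not code from the book or from any tool it lists) does exactly that in plain Python over the classic pcap format, then builds the kind of passive host inventory that tools such as NetworkMiner present: MAC addresses seen per IP, the peers each host contacted, and TCP ports that answered a SYN with SYN/ACK. The capture it reads is constructed in `build_sample_pcap()` (two hosts, one handshake to port 443, one DNS query; IP checksums left at zero), so it runs offline. pcapng and link types other than Ethernet are deliberately rejected rather than mis-parsed.

```python
import socket
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
TCP, UDP = 6, 17


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_pcap(data):
    """Yield (timestamp, frame bytes) from a classic pcap; handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled by this parser)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) is supported here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at end of capture")
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def dissect(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers into a dict, stopping at the first malformed layer."""
    if len(frame) < 14:
        return None
    dst, src, etype = struct.unpack(">6s6sH", frame[:14])
    pkt = {"eth_src": mac(src), "eth_dst": mac(dst), "etype": etype}
    ip = frame[14:]
    if etype != ETH_IPV4 or len(ip) < 20:
        return pkt
    ver_ihl, _tos, tlen, _id, _frag, ttl, proto, _csum, s, d = struct.unpack(">BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return pkt  # bogus version or header length: do not trust anything past this point
    pkt.update(ip_src=socket.inet_ntoa(s), ip_dst=socket.inet_ntoa(d), proto=proto, ttl=ttl)
    l4 = ip[ihl:tlen]  # slice to the IP total length so Ethernet padding is dropped
    if proto == TCP and len(l4) >= 20:
        sport, dport, _seq, _ack, doff, flags, _win, _csum, _urg = struct.unpack(">HHIIBBHHH", l4[:20])
        pkt.update(sport=sport, dport=dport, tcp_flags=flags, payload=l4[(doff >> 4) * 4:])
    elif proto == UDP and len(l4) >= 8:
        sport, dport, ulen, _csum = struct.unpack(">HHHH", l4[:8])
        pkt.update(sport=sport, dport=dport, payload=l4[8:ulen])
    return pkt


def host_inventory(pcap_bytes):
    """Per-IP summary: MACs seen, peers contacted, and TCP ports that answered with SYN/ACK."""
    hosts = defaultdict(lambda: {"macs": set(), "peers": set(), "listening": set(), "packets": 0})
    for _ts, frame in parse_pcap(pcap_bytes):
        p = dissect(frame)
        if not p or "ip_src" not in p:
            continue
        h = hosts[p["ip_src"]]
        h["packets"] += 1
        h["macs"].add(p["eth_src"])
        h["peers"].add(p["ip_dst"])
        if p.get("proto") == TCP and p.get("tcp_flags", 0) & 0x12 == 0x12:  # SYN+ACK: a service answered
            h["listening"].add(p["sport"])
    return dict(hosts)


def build_sample_pcap():
    """Constructed capture (not real traffic): a TCP handshake to 443 and a DNS query; checksums left zero."""
    def ipv4(src, dst, proto, l4):
        return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst)) + l4

    def tcp(sport, dport, flags):
        return struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)

    def udp(sport, dport, payload):
        return struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload

    def frame(src_mac, dst_mac, ip):
        return struct.pack(">6s6sH", bytes.fromhex(dst_mac), bytes.fromhex(src_mac), ETH_IPV4) + ip

    a, b = "aabbccddee01", "aabbccddee02"  # constructed MAC addresses
    frames = [
        frame(a, b, ipv4("10.0.0.5", "10.0.0.9", TCP, tcp(51000, 443, 0x02))),  # SYN
        frame(b, a, ipv4("10.0.0.9", "10.0.0.5", TCP, tcp(443, 51000, 0x12))),  # SYN/ACK
        frame(a, b, ipv4("10.0.0.5", "10.0.0.9", TCP, tcp(51000, 443, 0x10))),  # ACK
        frame(a, b, ipv4("10.0.0.5", "10.0.0.1", UDP, udp(53001, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for ip_addr, info in host_inventory(build_sample_pcap()).items():
        print(ip_addr, info)
```

Note the SYN/ACK heuristic: it attributes an open port to a host only when that host itself answered, which is the same passive reasoning the later tool descriptions rely on, and it never sends a packet. On a real capture you would read the file bytes from disk and feed them to `host_inventory()` unchanged.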

Besides these communication layers and protocols, there is also a tool known as Damballa, which is an advanced threat detection system. It provides us with many advantages when we perform a forensic examination of our network. 

Damballa network threat analysis 

Damballa Failsafe, now known as Core Network Insight, is a network security monitoring tool that utilizes sensors to monitor network traffic for malicious activity and anomalies. It enables deeper visibility into the network's activities via an interactive management console. It has features such as retroactive analysis, integration with EDR solutions, and high throughput, enabling it to process a large number of threats simultaneously. This realistically reduces the mean time to respond to network threats by enabling the security team to detect, validate, and respond to threats in a seamless manner.

This special threat protection solution is specifically designed to identify hidden threats operating in a corporate network using an array of patent-pending technologies. The following are some of its core advantages:

  • Automatically detects and analyzes suspicious executables entering the network to uncover zero-day and unknown malware
  • Identifies rapid command and control (C&C) behavior and criminal traffic on enterprise networks
  • Correlates malware and communication evidence to quickly indicate live infections
  • Detection of criminal communication to prevent data theft and cyber espionage
  • Playback of complete forensic evidence and incidents to provide actionable intelligence to help clear a breach

False positives are virtually eliminated, as Damballa Failsafe uses eight different profiles to identify malicious traffic. The tool doesn't just look at a file and call it bad: it identifies a malicious file or other activity and then looks for an indication that the file has actually been executed or has performed additional activity, which strengthens the case that the host is infected. Eliminating false positives can be a big time-saver for IT employees: if the antivirus software has already removed the malicious file, there is no execution on the device, and the team saves the time and effort of investigating it.

Damballa Failsafe also prioritizes each infection so that employees can deal with the higher-priority infection first. Along with detecting the infection, it provides an extensive forensic report for each identified infection, thereby answering questions such as when, what, who, and how the incident took place. 

The following is a screenshot of the Damballa Failsafe dashboard, which shows the number of infected assets and other results:

In this section, we learned about the fundamentals of network forensics and the capabilities that you will need as a forensic expert to detect threats. Now, we'll take a look at the leading network forensic tools and platforms that should form your cyber arsenal for conducting network analysis.

Forensics tools – network analysis and response

What would you do if a hacker infiltrated your network today? What if an insider, such as a disgruntled employee, decides to detonate ransomware? These are threats that organizations of all shapes and sizes can face at any given instance. Hence, it is important to not only have a detailed and well-tested response plan, but also a mechanism to monitor such an attack and respond to it adequately.

Real-time network analysis and monitoring can cater to this requirement, provided you have the team trained on the right skillset and the monitoring solutions have been placed and are working as intended. From a skill perspective, you should be familiar with tactics and techniques such as understanding industry frameworks such as cyber kill chain and ATT&CK matrix, industry-leading tools such as EDR, and forensics suites used for conducting live forensics, e-discovery, and data recovery. You should also be familiar with memory forensics, timeline analysis, and detecting anti-forensics tactics. SANS FOR508 is a good training course that takes participants through all of these modules. 

Besides these, there are many tools that can be used to our advantage for network analysis and forensics. The upcoming sections will take you through the most common ones. 

Wireshark

Wireshark is an open source traffic and packets analyzer that can be used to perform a deep-dive analysis of network traffic:

Wireshark enables the investigator to see real-time traffic in the network. This can be used to understand the different protocols in use and the information being exchanged across the network.

The NIKSUN Suite

NIKSUN is a comprehensive network monitoring toolset with signature-based anomaly detection, analysis, and forensics capabilities. It has various offerings, such as NetDetector, NetDetectorLive, and IntelliDefend.

The following screenshot shows the dashboard of NIKSUN:

The NIKSUN Suite is handy for forensically reconstructing network activities in order to get clarity and a complete understanding of your network. It is one of the best analytical tools available on the market and has powerful features and flexibility. 

Security Onion

Security Onion is an Ubuntu-based Linux distribution that can be used for conducting network monitoring, intrusion detection, log management, and so on.

The following screenshot shows the dashboard of Security Onion:

It includes an array of security tools such as Snort, OSSEC, Suricata, NetworkMiner, and Bro, among others. Its user-friendly interface helps the user get started right away without any issues. 

Xplico

Xplico is a network forensic analysis tool that can extract data from internet traffic and the underlying application.

The following screenshot shows the dashboard of Xplico:

It can extract data from protocols such as HTTP, IMAP, SMTP, POP, FTP, SIP, and so on. 

NetworkMiner

NetworkMiner is a comprehensive network forensic analysis tool that has become increasingly popular among security professionals for its capability and efficiency. It has the ability to passively sniff network packets, which can assist in detecting details such as OSes, hostnames, open ports, and so on.

The following screenshot shows the dashboard of NetworkMiner:

Unlike other sniffers such as Wireshark, NetworkMiner's user-friendly interface explicitly presents hosts and their features instead of raw packets. This means that you are able to understand events that occur without extensive knowledge of networking. 

Hakabana

Hakabana is a monitoring tool that provides visualization for network traffic by using Haka and Kibana. It takes advantage of the Haka framework to capture packets, separate them, and extract various pieces of information from the network, such as bandwidth, GeoIP data, connection information, HTTP and DNS details, and so on.

The following screenshot shows the dashboard of Hakabana:

Hakabana exports the information it captures to an ElasticSearch server, which is then made available through the Kibana dashboard. It provides easy customization, allowing you to extract your desired data (for example, you are able to write a new protocol dissector using Haka grammar and expose some parsed fields).

NetWitness NextGen

NetWitness NextGen is a good tool for dealing with data leakage, compliance, insider threat, and network e-discovery. It is being used by various government agencies and financial institutions to ensure the safety of their network and to track threats proactively.

The following screenshot shows the dashboard of NetWitness NextGen:

This tool is now known as RSA NetWitness and has been highly effective in providing much-needed deep insights into network activities. It has also introduced capabilities such as UEBA and advanced network analytics. 

Solera Networks DS

Solera Networks DS is a network forensic tool that enables deep visibility into networks by capturing, collecting, and filtering network traffic data for forensic investigations. This creates network insights that can be leveraged for in-depth packet analysis.

The following screenshot shows the dashboard of Solera Networks:

Solera Networks has now been acquired by Blue Coat Systems. Due to this, it has become a great boon for users as they can now leverage the evolved product, which provides them with an end-to-end solution for their network needs.

DSHELL

DSHELL is an extensible network forensic analysis framework that supports the dissection of network packets: 

Its key features include robust stream reassembly, IPv4 and IPv6 support, custom output handlers, and chainable decoders.

LogRhythm Network Monitor

LogRhythm Network Monitor provides capabilities such as full packet capture, analysis, and advanced correlation. Network Monitor allows us to swiftly detect emerging threats in the network. It enables us to detect unauthorized applications and suspicious and malicious network activities across layers two to seven, as well as to perform network forensic analysis and investigations.

The following screenshot shows the dashboard of LogRhythm Network Monitor:

Besides the ones we discussed in this section, there are various other open source tools that are available for specific activities pertaining to network security, such as the following:

  • Sniffing: Dsniff, Ettercap, Creds, and firesheep
  • Extracting emails: Smtpcat and mailsnarf
  • Extracting network statistics: Tstat, Tcpstat, and ntop
  • Extracting SSL info: ssldump
  • Traffic flow reconstructing: Tcpflow and tcpick
  • Fingerprint: P0f and prads
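Traffic flow reconstruction, the job of tcpflow and tcpick above, means turning one direction of a TCP conversation back into the byte stream the application saw, which is what you need before any HTTP, SMTP or other content can be examined. The following added example (written for this edit, not code from any of the tools listed) implements the core of that in Python on already-dissected segments: it groups packets into bidirectional flows, orders each direction by sequence number, discards exact retransmissions, trims partially overlapping segments, and records gaps where the capture lost data instead of silently gluing bytes together. The input in `sample_packets()` is constructed: an HTTP request whose segments arrive out of order with retransmissions, and a response missing one segment.

```python
from collections import defaultdict


def flow_key(pkt):
    """Canonical bidirectional key (lower endpoint first) so both directions land in one flow."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)


def reassemble_direction(segments):
    """Rebuild one direction's byte stream from (seq, payload) pairs.

    Handles out-of-order arrival, exact and partial retransmissions, and returns the
    list of (expected, actual) sequence ranges that were missing from the capture.
    """
    segs = sorted((s for s in segments if s[1]), key=lambda s: s[0])  # drop empty (pure ACK) segments
    if not segs:
        return b"", []
    out = bytearray()
    gaps = []
    expected = segs[0][0]
    for seq, payload in segs:
        end = seq + len(payload)
        if end <= expected:
            continue  # exact retransmission: every byte already present
        if seq < expected:
            payload = payload[expected - seq:]  # partial overlap: keep only the new tail
            seq = expected
        elif seq > expected:
            gaps.append((expected, seq))  # bytes never captured; record rather than hide
        out += payload
        expected = seq + len(payload)
    return bytes(out), gaps


def reconstruct_flows(packets):
    """Map flow key -> {direction: (stream bytes, gaps)} for every TCP flow in the packet list."""
    flows = defaultdict(lambda: defaultdict(list))
    for p in packets:
        direction = (p["src"], p["sport"], p["dst"], p["dport"])
        flows[flow_key(p)][direction].append((p["seq"], p["payload"]))
    return {key: {d: reassemble_direction(s) for d, s in dirs.items()} for key, dirs in flows.items()}


def sample_packets():
    """Constructed sample (not captured traffic): the segments as they would be dissected from a pcap."""
    c, s = ("10.0.0.5", 51000), ("10.0.0.9", 80)

    def seg(src, dst, seq, payload):
        return {"src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1], "seq": seq, "payload": payload}

    return [
        seg(c, s, 1000, b"GET /index.html HTTP/1.1\r\n"),
        seg(c, s, 1046, b"\r\n"),                    # arrived before the Host header segment
        seg(c, s, 1026, b"Host: example.test\r\n"),
        seg(c, s, 1026, b"Host: example.test\r\n"),  # exact retransmission
        seg(c, s, 1040, b"test\r\n\r\n"),            # partial overlap with bytes already seen
        seg(s, c, 5000, b"HTTP/1.1 200 OK\r\n"),
        # the Content-Length header segment (seq 5017, 21 bytes) was dropped by the capture
        seg(s, c, 5038, b"hello"),
    ]


if __name__ == "__main__":
    for key, directions in reconstruct_flows(sample_packets()).items():
        for direction, (stream, gaps) in directions.items():
            print(direction, stream, "gaps:", gaps)
```

The gap list is the forensically important part: tcpflow-style tools either skip or zero-fill missing bytes, and either way an analyst needs to know that the "Content-Length" line in this response was never seen rather than conclude the server omitted it. Feeding this function the `payload`, `sport`, `dport` and sequence fields from a packet dissector gives the same result on a real capture.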

This concludes the list of leading tools and platforms that will come in handy while you conduct forensic analysis on a network. Please be aware that, every other day, a new tool may hit the market and that, as an analyst, you should always be open to try and experiment with as many tools as you can. This will not only hone your knowledge and tool expertise but will also enable you to choose which tool is best for the problem at hand, meaning you're not limited to a certain set.

Next, we will take a look at the key approaches to network forensics and how they can help you conduct network forensic analysis.

Key approaches to network forensics

As a forensic investigator, it is essential for you to know about all the aspects of the network that need to be looked at for a comprehensive investigation. Full visibility of your network and the ability to collect artifacts and evidence is important for successful forensic analysis. Some of the key aspects of forensic investigation that should be looked at include database forensics, email forensics, audio and video forensics, memory forensics, and a few others, as shown in the following diagram:

It is important that the forensic investigation process has effective evidence collection and storage capabilities for capturing and cataloging all meaningful artifacts. It should also have an automated investigation capability in order to be effective and efficient in searching and analysis across vast datasets. On top of this, it should have an acceptable reporting capability.

Forensic investigators like you are also encouraged to align your practices with established frameworks such as the Integrated Digital Investigation Process (IDIP) framework, which includes 17 phases. You should be familiar with other key frameworks such as Evidence Graphs for Network Forensics Analysis, Forensics Zachman (FORZA), and the Generic Process Model for Network Forensics, among others. 

For more information on the network forensic investigation process approach, please visit http://ijcat.com/archives/volume5/issue5/ijcatr05051012.pdf0.

Industry best practices and standards

While carrying out network forensics, we need to adhere to a few standards and acts that have network forensics as a crucial aspect. Some of them are listed here:

  • The Federal Information Security Management Act (FISMA) of 2002 
  • NIST Standards
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 

The following diagram shows the basic life cycle process of a network forensic process that the aforementioned best practices mandate and that are followed by organizations:

There are variations based on the particular requirements, but the overall base structure remains more or less the same. 

The four steps to dealing with digital evidence

The International Organization for Standardization (ISO), and the International Electrotechnical Commission (IEC) have various published standards concerning the approach to digital evidence handling. The main four steps are as follows:

  • Recognize: This focuses on discovering and verifying the relevancy of the evidence and its documentation.
  • Collection: This is where the evidence is collected. This may involve static or live acquisition based on the situation. 
  • Acquisition: The focus here is to maintain the sanctity of the evidence and prevent any event that leads to its compromise.
  • Protection: This is where we establish a chain of custody, ensuring that all the steps are taken to protect the evidence from tampering and to prevent it from being inadmissible in a court of law by following the laid-out protocols.

The remaining stages of the digital forensic process (analysis and reporting) are not included in ISO/IEC 27037.

There are various best practice guides available that focus on the process of digital evidence handling. Next, we will take a look at some of the new advancements in the world of network forensics and how those principles can be utilized to protect networks.

Advances in network forensics practices

Over time, there have been various advancements in fields such as deep learning and artificial intelligence. Both of these have the potential to improve digital forensics based on their application to investigations. For one, smartphone forensics has gained a lot of attention due to the widespread usage of smartphones and it being the primary mode of communication and exchange of information. In this section, we will take a look at such topics in detail.

Big data analytics-based forensics

Forensics is a branch of science dating back to 1248. On the other hand, it only evolved into practical applicability during the late 1980s. The evolution of technology has been a big boon for the larger forensics community. With innovations such as facial detection, fingerprint matching, and audio/video forensics automated applications, it is an exciting time to be a forensic analyst. In recent years, digital forensics has also seen progress with the development of software that can be used for the automated analysis of data from smartphones, laptops, and other electronic devices. These can collect, analyze, and report a variety of data sources from emails, saved images, and other content, including IM chats, location details, and deleted data, to create a complete timeline of activities performed on, and by, that device.

Intelligent forensics is an approach that utilizes technological resources for investigations. This includes the usage of AI, social network analysis, and computational modeling in order to increase the efficiency and effectiveness of digital forensic investigations. The idea is to speed up and automate the forensic steps such as evidence collection, data retrieval, analysis, and documentation in a more effective manner.

From a corporate as well as a law enforcement standpoint, smartphones have become a major point of interest. Cellebrite is a known name in the mobile forensics industry for being one of the most effective and advanced service providers on the market. They are known for their capability to unlock iPhones and Android platforms. They are currently being used by more than 6,000 law enforcement agencies across the globe. Other top names in this area include XRY, CellDEK, Athena and Aceso, SUMURI, Belkasoft, ElcomSoft, MSAB, Magnet Forensics, and AccessData. In mobile forensics, data acquisition is either logical or physical, with the data collected ranging from CDRs, GPS, SMS and IM chats, and application data to stored information such as images, videos, and files.

Big data is a collection of a vast amount of diverse datasets. These can be either unstructured (unorganized data) or multi-structured. Big data consists of three main properties, also known as the 3Vs:

  • Volume (size of data)
  • Velocity (speed of data processing)
  • Variety (diversity of data types)

Now, as you know, a large organizational network has all three of these attributes. Hence, it only makes sense to figure out ways to integrate the two for better performance. Networks typically generate a large number of events on a daily basis, consisting of different data types from different devices and arriving at the same speed as the events that are actually taking place in the network.  

One of the recommended sources for learning more about the different ways to implement big data for forensics is a Packt publication written by Joe Sremack, titled Big Data Forensics – Learning Hadoop Investigations.

Conducting a tabletop forensics exercise

One of the ways to test the efficiency of how well we are prepared with respect to our forensic process is to test it via a tabletop exercise. The idea here is to learn about the process gaps and streamline the process, along with making the team and individual analysts familiar and fluent with the expected actions. Let's take a look at this in more detail.

Familiarizing yourself with the stakeholders

The first step is to become familiar with the stakeholders of the service or business line in the scope of the investigation. You can start with stakeholder interviews to understand the business operations, technological aspects of the process, and the regulatory and compliance requirements at play. Ensure that all key participants, from the executive leader to the analyst, are part of the tabletop exercise to ensure that everyone knows and understands their role in the overall process, as well as how to respond in the event of an actual investigation. 

Creating the ideal scenario

Based on the business operations and the technical aspects, a realistic scenario can be created that mimics the most prominent threats faced by the organization or by its industry peers. Next, get representatives from all security teams to take part and pitch in for the exercise. Threat intelligence and threat hunting knowledge can be leveraged to make the scenario more advanced and reflect advanced capabilities from the threat actor's perspective.

Gamification

Gamification is the process of introducing gaming concepts to make the current exercise more engaging and competitive. Ensure that all your security teams' responses are measured against each other and that points are awarded for each correct action. Certain curveballs may also be thrown to test the resilience and out-of-the-box thinking capabilities of the teams. Guide and provide hints when certain teams get stuck to help them proceed further. This stage can be crucial to measure the level of engagement, teamwork, efficiency, and knowledge they have, as well as the operational gap that may exist. 

Document lessons learned

This is where the output of the entire exercise is developed. Document broad aspects such as where the team was able to complete all the challenges or problem statements, the time taken to complete them, and so on. We can also document gaps that should be improved in the future, the tools and platforms used and suggest better alternatives (if any), document recommendations to streamline or automate the process further from its current maturity stage, and training modules to enhance the knowledge base of the team. This can also be presented in an executive summary format to senior leadership so that they implement the recommendations and process improvements that were the outcome of this exercise. 

Summary

In this chapter, we became familiar with the core concepts of digital forensics and the various tools and platforms that can be used by a digital forensic investigator to conduct a network forensics investigation. We touched upon the aspects and leading platforms for network analysis, as well as the industry best practices and standards that you should be aware of.

We then learned about the various attributes that need attention while conducting a network forensic investigation and the various tools that should be part of your arsenal as an investigator. We also learned about the various frameworks that can be utilized to formulate the investigation procedure. After this, we ensured that all the steps and phases of a forensic investigation are conducted so that they're aligned with industry best practices. This helps us avoid any evidence being dismissed by a court of law or those who are the audience of the final forensic report.

In the next chapter, we will take a look at network auditing and study the various attributes of a network auditing engagement. We will be taking a look at basic risk management and the various tools and platforms that can be used as part of an auditing engagement.

Questions

The following is a list of questions to help you test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

  1. Which of the following branches of forensics can assist in determining whether a network is being attacked?
    • Broadcast forensics
    • Network forensics 
    • Computer forensics
    • Traffic forensics
  2. Which of the following can be used for performing live acquisition via a bootable CD?
    • Helix
    • DTDD
    • Inquisitor
    • Neon
  3. Which of the following can be used to examine network traffic?
    • Netdump
    • Slackdump
    • Coredump
    • Tcpdump
  4. Which of the following is a part of Sysinternals?
    • EnCase
    • PsTools
    • R-Tools
    • Knoppix
  5. Which of the following is a network IDS that can be used to perform packet capture and analysis in real time?
    • Ethereal
    • Snort
    • Tcpdump
    • John
  6. Which OSI model layer do most packet sniffers operate on?
    • 1
    • 3
    • 5
    • 7
  7. Packet sniffers can generally read which of the following formats?
    • SYN
    • DOPI
    • PCAP
    • AIAT
  8. Which of the following can be used for communicating between two computers?
    • HDHOST
    • DiskHost
    • DiskEdit
    • HostEditor
  9. What is the evidence collected from network device logs?
    • Flow analysis
    • Active acquisition
    • Modes of detection
    • Packet analysis
  10. By which method can you gain access to information such as SSID, MAC addresses, and supported encryption/authentication algorithms?
    • Intercepting traffic in wireless media
    • Higher-layer traffic analysis
    • Intercepting traffic from hubs
    • Intercepting traffic from switches

Further reading
