Network forensics is a science that centers on the discovery and retrieval of information surrounding a cybercrime within a networked environment.
Network forensic analysis concerns the gathering, monitoring and analyzing of network activities to uncover the source of attacks, viruses, intrusions or security breaches that occur on a network or in network traffic.
Common forensic activities include the capturing, recording and analysis of events that occurred on a network in order to establish the source of cyberattacks.
What makes network forensics different?
Network forensic analysis centers on data that is volatile and unpredictable, because it is always changing. This is unlike other disciplines of computer forensics, which mostly deal with static data that does not change. Network forensic data is information in motion: it is sent over a network and then gone forever. Plans therefore have to be put in place before a security incident occurs to capture network data and store it; otherwise, conducting an investigation after the fact is essentially worthless.
Network forensics relies on network logs, which store data about traffic and network usage. Other types of forensics may turn to logs in some scenarios, but none depend on event logs the way network forensics does.
Importance of Network Forensics
Network forensics is especially useful in cases of network leakage, data theft or suspicious network traffic.
Forensics is useful in protecting networks from malicious threats, and network forensics can help an organization investigate and stop data breaches that cost money, competitive advantage, or both.
Network forensics is necessary in order to determine the type of attack over a network and to trace the culprit.
Since attackers interact with an organization's network when launching their attack(s), logs from network devices can help determine the type of attack and track the steps the attacker took.
Network forensics is also important because it helps identify the reasons a network has become unusable, or the cause of major network issues that have occurred.
When you should apply network forensics
Forensics can be applied to solve performance, security and policy problems and many other situations on networks. These include:
- Finding proof of a security attack
- Troubleshooting performance issues
- Monitoring user activity for compliance with IT policies
- Identifying the source of data leaks and thefts
- Monitoring business transactions
- Troubleshooting VoIP and video over IP
Common Network Attacks
Some of the common attacks include:
- Denial of service attacks - this attack overwhelms a system's resources so that it cannot respond to service requests, making it unavailable
- Distributed denial of service attacks
- Man in the middle attacks - occur when an attacker inserts itself between the communications of a client and a server
- Password attacks - occur by sniffing a network connection to acquire unencrypted passwords
- SQL injection attacks - a common issue with database-driven websites; occurs when an attacker executes a SQL query against the database via input data sent from the client to the server
- Cross-site scripting attacks - involve the use of third-party web resources to run scripts in the victim's web browser or scriptable application
- Eavesdropping attacks - these attacks occur through the interception of network traffic, from which sensitive information can be obtained
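Two of the attacks listed above leave traces that a defender can look for in connection records: a denial of service shows up as a burst of new connections to one destination, and the password-sniffing and eavesdropping attacks are only possible where credentials travel in the clear. The following is an added example (not code from the original article) that runs both checks over a small set of constructed connection records; the record format, the internal address range and the flood threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed connection records: (timestamp in seconds, src, dst, dport). Not real traffic;
# addresses come from the RFC 1918 and RFC 5737 documentation ranges.
CONNECTIONS = [
    (0.0, "10.0.0.5", "203.0.113.10", 443),
    (0.0, "198.51.100.1", "203.0.113.50", 80),
    (0.1, "198.51.100.2", "203.0.113.50", 80),
    (0.2, "198.51.100.3", "203.0.113.50", 80),
    (0.3, "198.51.100.4", "203.0.113.50", 80),
    (0.4, "198.51.100.5", "203.0.113.50", 80),
    (0.5, "198.51.100.6", "203.0.113.50", 80),
    (0.6, "198.51.100.7", "203.0.113.50", 80),
    (1.0, "10.0.0.4", "10.0.0.20", 23),
    (5.0, "10.0.0.6", "203.0.113.10", 443),
]

# Protocols that carry login credentials unencrypted (well-known port -> name).
CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}


def detect_flood(conns, window=1.0, threshold=5):
    """Flag destinations receiving more than `threshold` new connections in any `window` seconds.

    A sliding window over the sorted timestamps keeps the cost linear per destination.
    Many distinct sources hitting the same destination inside the window is the
    distributed variant; the check is the same either way."""
    by_dst = defaultdict(list)
    for ts, _src, dst, _dport in conns:
        by_dst[dst].append(ts)
    flagged = []
    for dst, times in by_dst.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                flagged.append(dst)
                break
    return sorted(flagged)


def detect_cleartext_logins(conns):
    """List src/dst pairs that use protocols carrying credentials in the clear.

    Each hit is an eavesdropping exposure: anyone able to sniff that path can read the password."""
    hits = {
        (src, dst, CLEARTEXT_AUTH_PORTS[dport])
        for _ts, src, dst, dport in conns
        if dport in CLEARTEXT_AUTH_PORTS
    }
    return sorted(hits)


if __name__ == "__main__":
    print("flooded destinations:", detect_flood(CONNECTIONS))
    print("cleartext logins:", detect_cleartext_logins(CONNECTIONS))
```

The threshold here is deliberately tiny so the constructed data trips it; on a real network it would be tuned from a baseline of normal connection rates per service, which is exactly the kind of threat intelligence the article mentions later.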
Some of the important skills in network forensics
To understand network forensics, one must first understand internet fundamentals such as the common software used for communication and search, including email, VoIP services and browsers.
An understanding of networking, such as the OSI model, is needed.
One must also know what ISPs, IP addresses and MAC addresses are.
Identification of attack patterns requires investigators to understand application and network protocols. Applications and protocols include:
- Web protocols (e.g., HTTP and HTTPS)
- File transfer protocols (e.g., Server Message Block/SMB and Network File System/NFS)
- Email protocols (e.g., Simple Mail Transfer Protocol/SMTP)
- Network protocols (e.g., Ethernet, Wi-Fi and TCP/IP)
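Understanding the network protocols in the last bullet means being able to read the bytes of a capture file layer by layer: the pcap record header, then Ethernet, then IPv4, then TCP. The following is an added example (not code from the original article) that builds a one-packet classic pcap file in memory from constructed values and then parses it back with the standard library only; it handles the two edge cases an investigator actually meets, a capture cut off mid-record and a frame that is not IPv4. The sample addresses and MACs are made up.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic number (microsecond timestamps)


def build_sample_pcap() -> bytes:
    """Build a one-packet pcap file in memory (constructed test data, not a real capture)."""
    # Global header: magic, version 2.4, tz offset 0, sigfigs 0, snaplen, link type 1 (Ethernet)
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    # Ethernet: destination MAC, source MAC, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # TCP: sport 50000, dport 443, seq 1, ack 0, data offset 5 words, flags SYN, window, csum 0, urg 0
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 0, 5 << 4, 0x02, 64240, 0, 0)
    # IPv4: version 4/IHL 5, TOS, total length, id, flags+fragment, TTL 64, proto 6 (TCP), csum 0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    frame = eth + ip + tcp
    # Record header: ts_sec, ts_usec, captured length, original length
    record_hdr = struct.pack("<IIII", 1700000000, 250000, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def parse_pcap(data: bytes) -> list:
    """Return a list of (timestamp, frame_bytes) from a classic pcap file."""
    if len(data) < 24:
        raise ValueError("file too short to hold a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:              # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    packets = []
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            break                          # capture cut off mid-record (disk full, tool killed): keep what we have
        offset += incl_len
        packets.append((ts_sec + ts_usec / 1_000_000, frame))
    return packets


def dissect_frame(frame: bytes) -> dict:
    """Extract Ethernet, IPv4 and TCP fields from one frame, stopping at the first layer that is absent."""
    info = {}
    if len(frame) < 14:
        info["error"] = "short Ethernet frame"
        return info
    info["ethertype"] = struct.unpack_from("!H", frame, 12)[0]
    if info["ethertype"] != 0x0800:
        return info                        # ARP, IPv6, ...: nothing more is decoded here
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes, from the low nibble
    if ihl < 20 or len(frame) < 14 + ihl:
        info["error"] = "truncated or malformed IPv4 header"
        return info
    info["proto"] = frame[14 + 9]
    info["src"] = ".".join(str(b) for b in frame[14 + 12:14 + 16])
    info["dst"] = ".".join(str(b) for b in frame[14 + 16:14 + 20])
    tcp_start = 14 + ihl
    if info["proto"] == 6 and len(frame) >= tcp_start + 20:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, tcp_start)
        flags = frame[tcp_start + 13]
        info["syn"] = bool(flags & 0x02)
        info["ack"] = bool(flags & 0x10)
    return info


if __name__ == "__main__":
    for ts, frame in parse_pcap(build_sample_pcap()):
        print(ts, dissect_frame(frame))
```

Wireshark and NetworkMiner do this decoding for hundreds of protocols; writing the first three layers by hand is the quickest way to learn what their field names actually refer to, and why a truncated capture file still yields every complete record before the cut.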
Threat intelligence - investigators more easily spot traffic anomalies when a cyberattack starts, because the activity deviates from the norm.
Methods of Evidence Collection
There are two methods of collecting network forensics evidence:
- Catch it as you can method – gather all available network traffic and analyze all of it. With a large volume of data to sort through, this can be a tedious and time-consuming process.
- Stop, look and listen method – watch each data packet that flows across the network, but capture only what is considered suspicious and deserving of in-depth analysis. While this method does not consume much storage space, it may require significant processing power.
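The trade-off between the two methods is easier to see with numbers. The following added example (not code from the original article) runs both collection strategies over a small constructed stream of packets and reports what each one stores and how much inspection work the selective method did; the packet fields, the two triage rules and the addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str
    dst: str
    proto: str
    dport: int
    size: int       # bytes on the wire


# Constructed sample traffic (RFC 1918 and RFC 5737 documentation addresses), not a real capture.
SAMPLE_TRAFFIC = [
    Packet(0.00, "10.0.0.5", "203.0.113.10", "tcp", 443, 1200),
    Packet(0.05, "10.0.0.5", "10.0.0.2", "udp", 53, 80),
    Packet(0.10, "10.0.0.7", "203.0.113.20", "tcp", 80, 600),
    Packet(0.20, "10.0.0.5", "198.51.100.7", "tcp", 4444, 300),
    Packet(0.30, "10.0.0.7", "10.0.0.2", "udp", 53, 900),
    Packet(0.40, "10.0.0.9", "203.0.113.10", "tcp", 443, 1500),
]

Rule = Tuple[str, Callable[[Packet], bool]]

# Hypothetical triage rules for the selective collector; a real deployment would have many more.
SUSPICIOUS_RULES: List[Rule] = [
    ("uncommon-destination-port", lambda p: p.dport not in {53, 80, 443}),
    ("oversized-dns", lambda p: p.proto == "udp" and p.dport == 53 and p.size > 512),
]


def catch_it_as_you_can(packets) -> List[Packet]:
    """Store every packet; all analysis is deferred until later."""
    return list(packets)


def stop_look_and_listen(packets, rules: List[Rule]) -> Tuple[List[Tuple[str, Packet]], int]:
    """Inspect each packet as it passes and keep only rule matches.

    Returns the kept packets tagged with the rule that fired, plus the number of rule
    evaluations performed, a rough proxy for the processing cost of this method."""
    kept = []
    evaluations = 0
    for p in packets:
        for name, predicate in rules:
            evaluations += 1
            if predicate(p):
                kept.append((name, p))
                break                      # first matching rule wins; later rules are not evaluated
    return kept, evaluations


def compare_methods(packets, rules) -> dict:
    """Summarise the storage versus processing trade-off between the two methods."""
    full = catch_it_as_you_can(packets)
    kept, evaluations = stop_look_and_listen(packets, rules)
    return {
        "full_packets": len(full),
        "full_bytes": sum(p.size for p in full),
        "selective_packets": len(kept),
        "selective_bytes": sum(p.size for _, p in kept),
        "rule_evaluations": evaluations,
    }


if __name__ == "__main__":
    print(compare_methods(SAMPLE_TRAFFIC, SUSPICIOUS_RULES))
```

The selective collector keeps a fraction of the bytes but has to evaluate rules against every packet in real time, and anything its rules miss is gone for good, which is the practical reason many teams run full capture on a short retention window alongside rule-based selection.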
Sources of Evidence in Network Forensics
Investigators focus on two primary sources:
- Full-packet data capture: the direct result of the "Catch it as you can" method, where all network traffic is captured for analysis.
- Log files: log files provide useful information about activities that occur on the network, such as IP addresses, MAC addresses, TCP ports and Domain Name Service (DNS) lookups. Log files also record site names, which help forensic experts spot suspicious source and destination pairs, and suspicious application activity also shows up in them. Network forensics further depends on event logs, which establish time sequencing: investigators build timelines from the information and communications recorded by network control systems, and analysis of the sequence of network events often reveals the source of the attack.
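The timeline and "suspicious source and destination pairs" ideas above come together when logs from two different devices are normalised into one ordered sequence. The following added example (not code from the original article) parses a few constructed firewall and DNS log lines, merges them into a timeline, and replays it to flag two patterns: a blocked connection attempt, and an outbound connection to an external address that the client never resolved through DNS. The log formats, the regular expressions and the internal address range are assumptions for the illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample logs in hypothetical formats (RFC 1918 and RFC 5737 addresses), not real data.
# One deliberately malformed line shows that the parser skips junk instead of aborting.
FIREWALL_LOG = """\
2024-03-01T10:00:05Z fw01 ACCEPT src=10.0.0.5 dst=203.0.113.10 sport=51000 dport=443 proto=tcp
2024-03-01T10:00:09Z fw01 ACCEPT src=10.0.0.5 dst=198.51.100.7 sport=51002 dport=4444 proto=tcp
this line is garbage left behind by a log rotation
2024-03-01T10:00:12Z fw01 DROP src=10.0.0.9 dst=10.0.0.1 sport=40000 dport=22 proto=tcp
"""

DNS_LOG = """\
2024-03-01T10:00:04Z dns01 query client=10.0.0.5 qname=www.example.com answer=203.0.113.10
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)
DNS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) query client=(?P<client>\S+) qname=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the organisation's internal range


def parse_ts(text: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps used by both constructed log formats."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(firewall_text: str, dns_text: str) -> list:
    """Normalise two log formats into one list of event dicts ordered by time."""
    events = []
    for line in firewall_text.splitlines():
        m = FW_RE.match(line)
        if m:                                       # malformed lines are skipped, not fatal
            d = m.groupdict()
            events.append({"ts": parse_ts(d.pop("ts")), "kind": "conn", **d})
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"ts": parse_ts(d.pop("ts")), "kind": "dns", **d})
    events.sort(key=lambda e: e["ts"])              # stable sort keeps log order for equal timestamps
    return events


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_suspicious_pairs(events: list) -> list:
    """Replay the timeline in order and flag source/destination pairs worth a closer look."""
    resolved = set()                                # (client, ip) pairs answered by DNS so far
    findings = []
    for e in events:
        if e["kind"] == "dns":
            resolved.add((e["client"], e["answer"]))
        elif e["action"] == "DROP":
            findings.append((e["src"], e["dst"], "blocked connection attempt"))
        elif not is_internal(e["dst"]) and (e["src"], e["dst"]) not in resolved:
            findings.append((e["src"], e["dst"], "outbound connection with no preceding DNS lookup"))
    return findings


if __name__ == "__main__":
    for src, dst, reason in find_suspicious_pairs(build_timeline(FIREWALL_LOG, DNS_LOG)):
        print(f"{src} -> {dst}: {reason}")
```

Because the replay honours time order, the same connection is judged differently depending on whether the DNS answer came before it, which is why clock synchronisation across log sources matters so much to a forensic timeline.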
Where Do Log Files Reside?
These files reside on web servers, proxy servers, Active Directory servers, firewalls, intrusion detection systems, Domain Name Service (DNS) and Dynamic Host Configuration Protocol (DHCP) servers, routers and switches; basically, on network appliances.
Tools Used For Network Forensics
Free software tools are available for network forensics. Some are equipped with a graphical user interface (GUI), while others only have a command-line interface; some only work on Linux, but most run on several operating systems. Here are some tools used in network forensics:
- EMailTrackerPro shows the location of the device from which the email is sent
- Web Historian provides information about the upload/download of files on visited websites
- Wireshark is a tool used to capture and analyze network traffic between devices
- Snort is a network intrusion detection system designed to capture live network traffic or play back pre-captured network traffic for advanced intrusion analysis.
- NetworkMiner is a comprehensive Network Forensic Analysis Tool (NFAT) for Windows (but also works on Linux / Mac OS X / FreeBSD).
- Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management.
Other tools include NetDetector, NetIntercept, OmniPeek, PyFlag and Xplico.
The same tools used for network security can be used for network forensics.
What Organizations Can Do To Aid Network Forensic Process
Here are some steps organizations can take before an attack to help network-based forensic analysis succeed. They include:
- Put a process in place – For network forensics to succeed, investigators need log and capture files to examine. Organizations should implement event-logging policies and procedures to capture, aggregate, and store log files.
- Make a plan – Incident response planning will help to respond to and mitigate the effects of an attack.
- Acquire the talent – The ability to interpret the data in log and capture files and recognize malicious activity in that data is a special skill that requires in-depth knowledge of network and application protocols. Whether the talent is in-house or external, it is vital that organizations have access to computer and network forensics investigators who are experienced and accessible, or alternatively seek technical training for their IT personnel.