Performing Network Forensics with Packet Data
Say there is a network breach at your enterprise, and it is time for network forensics. You need to dig in to find out what the problem is and where it originates. So how do you get started, and which tools do you use? If you are here, it is probably because your enterprise has chosen to use packet analysis, on its own or as part of a unified solution, to conduct network forensics.
First things first: in the context of packet capture, network forensics means the analysis of sniffed, captured and documented packet data to determine the source of a network error, breach or security threat. Forensics can focus on either of two angles:
- Collection of evidence, which is the major aim. Here network forensics is focused on detecting and monitoring network security concerns such as hacker activity, shining a searchlight on intrusion patterns to aid the investigation of cybercrime.
- Occasional analysis of network traffic to gain insight into how the various components of the network are performing, in order to determine areas that need improvement or that might be, or become, the source of common network errors.
Using Packet Capture for Network Forensics: An Overview
As a network analyst, your skill set is not complete if you cannot analyze captured packets during network analysis. It is easy to go wrong while analyzing packet data: in the case of hacker activity, an operating system can be loaded with malware that reports incorrect information and throws an analyst off the trail of the digital prints left by the attacker. Fortunately, there are tools that make it easier for NetOps to follow up on network security errors or transient errors using packet data. They are called packet capture tools.
Packet capture tools refer to any technology deployed in a network to detect and record the bits traveling through it, which are captured and stored as packet data. As a standalone tool, packet capture is the only network forensics tool that enables network analysts to fully reconstruct even the minutest detail of an intrusion on a network. That makes it an important tool to use, especially in combination with other tools as an integrated solution.
A significant characteristic of capturing packet data for analysis is the huge volume it can amount to in record time. Assuming a company runs its network on a 10 Gigabit link, a packet capture of its network activity could fill a one terabyte hard drive in 14 to 17 minutes. The rate at which storage space is consumed makes it hard to retain captured packet data for a long period. Consequently, conducting network forensics on attacks that were not quickly detected, perhaps discovered only weeks later, might not be feasible for enterprises running on limited storage space.
Owing to the amount of data that could be accumulated in just a few minutes, there are two variants to packet capture.
Filtered Packet Capture
With filtered packet capture, the tool in use focuses on a traffic subset, depending on the filters which have been programmed into it by a network engineer. These filters may be limited to capturing specific parameters such as MAC addresses, protocols or IP addresses flowing through, or in and out of a network. Filtered packet capture is most suitable for purpose-defined operations.
It is important to note that any packet that was not captured can never be retrieved.
Full Packet Capture
With full-packet capture, nothing is ignored. It remains the best packet capture option for network forensics, especially in cases of cyber-attacks and severely problematic network errors. Since all activity on the Ethernet or IP layer is captured and recorded with full packet capture, it is hard to miss vital data during analysis, even if it has been obscured by malware.
To maximize space and usage, full-packet capture is mostly implemented when SecOps catches a whiff of ongoing suspicious activity in an enterprise network.
Application of Packet Data for Network Forensics
Just as with your home, installing a security system after an armed robbery will do nothing to erase the hurt of the past, but it will help prevent future occurrences. The same holds for enterprise networks: conducting network forensics on a bare network after an attack is like playing a game of charades, where everybody keeps guessing what must have happened until a right assumption is validated.
So, it is always better to have a packet capture appliance (full or filtered) installed in your network to give details that can be used to reconstruct web sessions for thorough investigations of current and past network activities, as well as provide a real-time view into the network.
The entry or tap points of a packet capture appliance have to be chosen carefully, to ensure that the appliance captures the flow of traffic among all the devices involved. For a packet capture process to be complete, three sets of tools have to be deployed in the network. They include:
- Packet sniffers, which detect and record all packet data (or only the relevant packets, in the case of filtered capture) and store it in designated files for quick retrieval, e.g. netsniff-ng, dumpcap, pcapdump.
- Protocol analyzers, which can also act as sniffers and are used to inspect either the sessions or the packets in recorded traffic, e.g. tcpdump, windump, tstat.
- Network forensic analyzers, used to analyze all the packet data in recorded traffic.
Essentially, a packet capture program inserts itself into the network stack to extract copies of frames and store them before they are sent on to an end device, and repeats the same procedure for incoming packet data.
Following the OSI model, sniffers such as tcpdump eavesdrop on bitstreams at the data-link and physical layers, detecting and providing summary details on the headers of frames captured from the NIC, or simply formatting the extracted copies and writing them to designated disks for later analysis.
At the network and transport layers (TCP/IP), the packet capture program monitors network devices to retrieve logged information on faulted packets, packet identifiers and data tracking records stored by the devices. Alternatively, the devices can be configured to send these logs to a particular server for analysis, which conserves storage space. Networking experts can study the data provided to determine the extent of various activities, enabling them to conduct network forensics successfully.
Captured packet data can be used for:
- A detailed reconstruction of all network activities of users, intruders, protocols and applications.
- Network performance analysis and troubleshooting
- Detecting data leakage
- Investigating data breach
- Fast incident response and mitigation
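As an added example (not code from this article or from any LiveAction product), here is a minimal Python parser for a classic pcap capture of the kind dumpcap or tcpdump writes: it walks the Ethernet/IPv4/TCP headers of each record and reassembles every flow's payload in capture order, which is the raw material for the session reconstruction described above. The capture it reads is constructed inline, and the reader stops cleanly if the file was cut short, as happens when storage fills mid-capture.

```python
import struct
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1     # little-endian pcap carrying Ethernet frames

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame used as sample input (not real traffic)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)  # global header
    for i, frame in enumerate(frames):                 # 16-byte record header before each frame
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_records(data):
    """Yield (timestamp, frame, original_length); stop cleanly at a truncated tail."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap capture")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl: break                    # capture cut short: nothing more to trust
        off += 16 + incl
        yield ts_sec + ts_usec / 1e6, frame, orig

def parse_tcp(frame):
    """Return ((src, sport, dst, dport), payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]          # honour the IHL field (IP options)
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return (src, sport, dst, dport), tcp[(tcp[12] >> 4) * 4:]

def summarise_flows(data):
    """Map each 4-tuple to (packets, bytes, payload reassembled in capture order)."""
    flows = {}
    for _ts, frame, orig in iter_records(data):
        if parsed := parse_tcp(frame):
            p, b, pl = flows.get(parsed[0], (0, 0, b""))
            flows[parsed[0]] = (p + 1, b + orig, pl + parsed[1])
    return flows

SAMPLE_PCAP = build_pcap([                             # constructed: request split in two, then reply
    build_frame("10.0.0.5", "203.0.113.9", 40000, 80, b"GET /login HTTP/1.1\r\n"),
    build_frame("10.0.0.5", "203.0.113.9", 40000, 80, b"Host: example.test\r\n\r\n"),
    build_frame("203.0.113.9", "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\n")])
```

Running `summarise_flows(SAMPLE_PCAP)` yields two flows, with the client's split request joined back into one readable HTTP header block; feeding it a file truncated mid-record returns only the flows that were fully written.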
It gets easier with LiveCapture
For large enterprises, setting up a packet capture entry point across all devices can be a lot of work to handle and process during network forensics. Moreover, it creates a complex structure for assessment, which can make the response to threats slower than it should be. Hence tools like LiveCapture, together with the Omnipeek protocol analyzer, or LiveWire, together with the LiveNX network monitoring platform, exist to make the work a lot easier by digging deep into an enterprise network to conduct advanced packet capture analysis through their range of deployed packet capture appliances.
LiveAction’s LiveNX is the industry’s first unified network monitoring solution providing flow, packet, WiFi and virtually any other data source in a single solution. Contact us today and learn how LiveAction solutions can be an essential part of your network forensic investigations.