Network forensics is defined as the monitoring and analyzing of data on the computer systems. It analyzes concerns the gathering, monitoring, and searching of network activities to uncover the source of attacks, viruses, intrusions or security breaches that occur on a network or in network traffic. It also deals with the analysis of the origins, contents, patterns and transmission paths of e-mail and web pages as well as browser history and web server scripts and header messages.
Network forensics is a fresh field of forensic science. The growing popularity of the Internet in homes means that computing has become network-centric and data is now available outside of disk-based digital evidence.
Compared to computer forensics where evidence is usually preserved on disk, network data is more volatile and unpredictable. Investigators often only have material to examine if packet filters, firewalls, and intrusion detection systems were set up to anticipate breaches of security.
A forensic analysis follows these steps generally:
Network traffic analysis
Assessment of network performance
Detection of threats and attacks
Determination of network protocols in use
Gathering data from sources
Presentation providing of conclusions
Security investigations and responding to the incident.
What are the network forensics analysis tools?
General-purpose tools; Packet collectors (sniffers), protocol analyzers and Network Forensic Analyzers. dumpcap, pcapdump, and netsniff-ng are packet sniffers, which record packets from the network and store them on files. tcpdump, wireshark/tshark, and tstat are protocol analyzers. These tools are used to inspect recorded traffic. Xplico and NetworkMiner are Network Forensic Analysis (NFAT) tools. They are data-centric which analyzes the traffic content.
Which traffic protocols/network layers are analyzed in network forensics?
Traffic examined based on the use case (Internet)
The internet provides services such as WWW, email, chat, file transfer, etc. which makes it rich with digital evidence. This is achieved by identifying the logs of servers deployed on the internet. Servers include web servers, email servers, internet relay chat (IRC), and other types of traffic. These servers collect some information, such as browsing history, email accounts, user account information, etc.
Data-link and physical layer
Applying forensic methods on the Ethernet layer is done by eavesdropping bitstreams with tools called monitoring tools or sniffers. This can be done using Wireshark or Tcpdump, both of which capture traffic data from a network card interface configured in promiscuous mode. Those tools allow the investigator to filter traffic and reconstruct attachments transmitted over the network. The disadvantage of this method is that it requires a large storage capacity.
Transport and network layer (TCP/IP)
The network layer provides router information based on the routing table present on all routers and also provides authentication log evidence. Investigating this information helps determine compromised packets, identifying the source, and reverse routing and tracking data. Network device logs provide detailed information about network activities. Network administrators configure the devices to send logs to a server and store them for a period of time.
This is achieved by collecting and analyzing traffic from wireless networks and devices, such as mobile phones. This extends normal traffic data to include voice communications. The phone location can be also determined. Analysis methods of wireless traffic are similar to wired network traffic but different security issues should be taken into consideration.