By John Mounteer, NYSTEC Information Security Consultant
A cybercriminal has just wiped all traces of an attack from your server. Now you’ll never know the source of the attack or the extent of the damage, right?
Not if you have a network forensic investigator on the trail.
The ability to interpret the data in log and capture files and recognize malicious activity in the data is a special skill that requires in-depth knowledge of network and application protocols. This article provides a short introduction to network-based forensic investigations of suspected criminal activity related to information technology systems.
A Thorough Understanding
Criminals attack computer systems for a number of reasons, but primarily for economic gain. Among the most common targets are banking and other personal information stored on PCs and servers that will assist in completing fraudulent financial transactions.
Network forensics—defined as the investigation of network traffic patterns and data captured in transit between computing devices—can provide insight into the source and extent of an attack. It also can supplement investigations focused on information left behind on computer hard drives following an attack.
Identifying attack patterns requires a thorough understanding of common application and network protocols. For example:
- Web protocols, such as HTTP and HTTPS
- File transfer protocols, such as Server Message Block (SMB) and Network File System (NFS)
- Email protocols, such as Simple Mail Transfer Protocol (SMTP)
- Network protocols, such as Ethernet, WiFi, and Transmission Control Protocol/Internet Protocol (TCP/IP)
The investigator must understand the normal form and behavior of these protocols to discern the anomalies associated with an attack.
Know the Sources
Network forensic investigators examine two primary sources: full-packet data capture, and log files from devices such as routers, proxy servers, and web servers—these files identify traffic patterns by capturing and storing source and destination IP addresses, TCP port, Domain Name Service (DNS) site names, and other information.
- Full-Packet Capture. The advantage of full-packet capture is that the content, and therefore the meaning and value, of data being transferred can be determined. Packet capture is not usually implemented on networks full-time because of the large amount of storage required for even an hour’s worth of data on a typical business network. In addition, there may be privacy concerns (although most businesses today require all employees to sign an acknowledgement that they do not have a right to privacy while on business-owned systems and networks).
Data capture is typically implemented when suspicious activity has been detected and may still be ongoing. The packet-capture-network tap point must be chosen carefully so that it can capture traffic flowing among all affected devices, or multiple taps must be implemented.
- Log files. Most modern network devices, such as routers, are able to store NetFlow (or equivalent) data into log files on a full-time basis without affecting performance. Web servers, proxy servers, firewalls, Intrusion Detection Systems (IDS), DNS, Dynamic Host Configuration Protocol (DHCP), and Active Directory server log files also contain much useful information about activity on the network. These log files can be analyzed to identify suspicious source and destination pairs (e.g., your server is communicating with a server in Eastern Europe or China) and suspicious application activity (e.g., a browser communicating on a port other than port 80, 443, or 8080).
One advantage of using log files is the much smaller file size compared to full-packet capture. Another advantage is that the collection points are already in place in key locations, and it is not difficult to collect and store the output from multiple devices into one master log for analysis. There are many free as well as commercial tools for log aggregation.
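The two checks described above (unexpected source/destination pairs and application traffic on unexpected ports) are easy to run over an aggregated flow log once it is in a uniform layout. The script below is an added illustration, not code from the article or from NYSTEC: the CSV column layout, the internal network, the list of servers that should never open outbound connections, and the approved external ranges are all assumptions, and the flow records are constructed. Because GeoIP data is not available offline, the article's "server in Eastern Europe or China" test is replaced by an allowlist of approved external netblocks; a real deployment would add a country lookup on the destination address.

```python
"""Flag suspicious outbound flows in NetFlow-style log records (added example, not the article's code)."""
import csv
import io
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed site policy; these values are illustration only.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Servers that should only answer requests, never open connections to the internet.
SERVERS = {ipaddress.ip_address("10.0.0.5")}
# External ranges the business has approved (partner, SaaS); anything else is unexpected.
APPROVED_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]
# Ports a browser is expected to use, as the article lists them.
WEB_PORTS = {80, 443, 8080}

# Assumed CSV layout that NetFlow exports are converted to before analysis.
FIELDS = ["start", "src", "sport", "dst", "dport", "proto", "bytes"]

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
2024-05-01T09:00:01,10.0.0.12,51234,10.0.0.5,443,tcp,1200
2024-05-01T09:00:02,10.0.0.12,51235,203.0.113.8,443,tcp,8800
2024-05-01T09:00:03,10.0.0.7,51236,198.51.100.3,8443,tcp,530
2024-05-01T09:00:04,10.0.0.7,51237,198.51.100.3,6667,tcp,50200
2024-05-01T09:00:05,10.0.0.9,51238,10.0.0.5,445,tcp,3000
2024-05-01T09:00:06,10.0.0.5,51239,192.0.2.44,4444,tcp,90000
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    dst: str
    dport: int


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def analyze(flow_text):
    """Return one Finding per (flow, rule) match, in input order."""
    findings = []
    for rec in csv.DictReader(io.StringIO(flow_text), fieldnames=FIELDS):
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        dport = int(rec["dport"])
        # Only traffic leaving the internal network for the internet is in scope here.
        if not _in_any(src, INTERNAL_NETS) or _in_any(dst, INTERNAL_NETS):
            continue
        hits = []
        if src in SERVERS:
            hits.append("server-initiated-egress")
        if not _in_any(dst, APPROVED_EXTERNAL):
            hits.append("unapproved-destination")
        if dport not in WEB_PORTS:
            hits.append("non-web-port")
        findings.extend(Finding(rule, str(src), str(dst), dport) for rule in hits)
    return findings


def summarize(findings):
    """Count findings per internal source so the noisiest hosts are examined first."""
    return dict(Counter(f.src for f in findings))


if __name__ == "__main__":
    found = analyze(SAMPLE_FLOWS)
    for f in found:
        print(f"{f.rule:24} {f.src} -> {f.dst}:{f.dport}")
    print(summarize(found))
```

On the constructed sample, the two internal-only flows and the approved HTTPS flow produce nothing, the workstation 10.0.0.7 is flagged twice per flow for reaching an unapproved host on non-web ports, and the server 10.0.0.5 trips all three rules at once, which is the pattern an investigator would pull full-packet capture for next.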
Know the Tools
There are many free software tools available for network forensics. While a few have a graphical user interface (GUI), most free tools have only a command-line interface, and many run only on Linux.
Especially in the case of full-packet captures, data must be reduced through filtering before detailed analysis is performed.
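The reduction step is the same whether it is done with a capture filter in tcpdump or Wireshark or in a script: decode enough of each frame to decide whether it belongs to the traffic under investigation, and copy only those records into a smaller file. The following is an added example, not code from the article or from any tool it mentions. It writes a tiny libpcap file in memory from constructed packets, decodes the Ethernet, IPv4 and TCP headers of each record, and keeps only the packets to or from an assumed suspect host; only IPv4/TCP frames without IP options are decoded, and the suspect address, timestamps and payloads are constructed.

```python
"""Reduce a full-packet capture to the packets worth detailed analysis (added example)."""
import socket
import struct
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap file, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass(frozen=True)
class Packet:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def build_frame(src, sport, dst, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums stay zero because only headers are parsed."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames):
    """Serialise (timestamp, frame) pairs behind a libpcap global header."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def decode_frame(ts, frame):
    """Decode Ethernet + IPv4 + TCP headers; return None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP:
        return None
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    data_off = (ip[ihl + 12] >> 4) * 4
    return Packet(ts, socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport,
                  ip[ihl + data_off:total_len])


def iter_records(pcap):
    """Yield (raw record bytes, decoded Packet or None) for every record in the file."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported capture format")
    off = 24
    while off + 16 <= len(pcap):
        ts, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        record = pcap[off:off + 16 + incl_len]
        off += 16 + incl_len
        yield record, decode_frame(ts, record[16:])


def reduce_capture(pcap, keep):
    """Return (smaller pcap, kept packets); records are copied unchanged when keep(packet) is True."""
    kept = [(rec, pkt) for rec, pkt in iter_records(pcap) if pkt is not None and keep(pkt)]
    return pcap[:24] + b"".join(rec for rec, _ in kept), [pkt for _, pkt in kept]


SUSPECT = "192.0.2.44"   # assumed external host identified during log analysis

# Constructed capture: two normal internal flows, one exchange with the suspect host, one ARP frame.
SAMPLE_PCAP = build_pcap([
    (1714554001, build_frame("10.0.0.12", 51000, "10.0.0.5", 443, b"\x16\x03\x01\x00\x05")),
    (1714554002, build_frame("10.0.0.5", 51001, SUSPECT, 4444, b"beacon host=fileserver\n")),
    (1714554003, build_frame(SUSPECT, 4444, "10.0.0.5", 51001, b"ack\n")),
    (1714554004, build_frame("10.0.0.9", 51002, "10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n")),
    (1714554005, bytes(12) + b"\x08\x06" + bytes(28)),
])


def traffic_with_suspect(pcap=SAMPLE_PCAP):
    """Keep only packets to or from the suspect host."""
    return reduce_capture(pcap, lambda p: SUSPECT in (p.src, p.dst))


if __name__ == "__main__":
    smaller, packets = traffic_with_suspect()
    print(f"{len(SAMPLE_PCAP)} bytes -> {len(smaller)} bytes, {len(packets)} packets kept")
    for p in packets:
        print(f"{p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.payload!r}")
```

Because kept records are copied byte for byte, the reduced file still opens in Wireshark and preserves the original timestamps, which matters when the capture is later used as evidence. A predicate such as `lambda p: 443 not in (p.sport, p.dport)` applies the same machinery to drop TLS traffic whose content cannot be read anyway.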
What You Can Do
There are steps organizations can take before an attack to help network-based forensic investigations be successful. Here are three things you can do:
- Put a process in place. For network forensic investigators to do their work, there need to be log and capture files for them to examine. Organizations should implement event-logging policies and procedures to capture, aggregate, and store log files.
- Make a plan. Incident management planning will help to respond to and mitigate the effects of an attack.
- Acquire the talent. The ability to interpret the data in log and capture files and recognize malicious activity in the data is a special skill that requires in-depth knowledge of network and application protocols. Whether the talent is in-house or external, it’s vital that organizations have access to computer and network forensics investigators who are experienced and accessible.