Definition of Network Forensics
Marcus Ranum: the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
Two forms of systems for collecting network data
1. "Catch-it-as-you-can"
2. "Stop, look and listen"
Catch-it-as-you-can
Every packet passing the traffic point is captured and saved; analysis is done later, in batch mode, over the stored data. Requires a large amount of storage, but nothing is lost: questions not thought of at capture time can still be answered.
Stop, look and listen
Each packet is analyzed in memory as it arrives and only selected information (e.g. flow records, alerts) is saved for later analysis. Requires a faster processor to keep up with the traffic rate, and whatever was not saved at capture time cannot be recovered afterwards.
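The two modes on the same traffic, as an added example (not from these notes): a tiny Ethernet/IPv4/UDP pcap is constructed in memory so it runs offline; the addresses, ports and the "beacon" payload are made up. Catch-it-as-you-can keeps every frame for batch analysis; stop-look-and-listen inspects each frame once, keeps only per-flow counters, and discards the frame.

```python
import struct
from collections import Counter

# ---- constructed sample traffic (not a real capture) ------------------------

def ip_bytes(dotted):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(octet) for octet in dotted.split("."))

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + UDP frame. Checksums are left as zero: this is test
    data for a parser, not something to put on the wire."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ipv4 + udp

def build_pcap(frames, t0=1700000000):
    """Classic libpcap file: 24-byte global header, then 16-byte record header + frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

# Two DNS queries from 10.0.0.5 and three "beacons" to an outside host (constructed).
SAMPLE_PCAP = build_pcap(
    [build_frame("10.0.0.5", "10.0.0.53", 53412, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)] * 2
    + [build_frame("10.0.0.5", "203.0.113.9", 4444, 4444, b"beacon")] * 3
)

# ---- the two collection modes -----------------------------------------------

def iter_pcap(data):
    """Yield (timestamp, frame_bytes) for each record in a classic pcap blob."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len

def five_tuple(frame):
    """(src_ip, sport, dst_ip, dport, proto) for an IPv4 frame; None for anything else."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4]) if proto in (6, 17) else (0, 0)
    return (src, sport, dst, dport, proto)

def catch_it_as_you_can(data):
    """Keep every packet; analysis happens later, in batch, over the stored data."""
    return [(ts, frame) for ts, frame in iter_pcap(data)]

def stop_look_and_listen(data):
    """Inspect each packet once, keep only per-flow counters, discard the frame."""
    packets, byte_count = Counter(), Counter()
    for _ts, frame in iter_pcap(data):
        key = five_tuple(frame)
        packets[key] += 1
        byte_count[key] += len(frame)
    return {"packets": dict(packets), "bytes": dict(byte_count)}

if __name__ == "__main__":
    full = catch_it_as_you_can(SAMPLE_PCAP)
    summary = stop_look_and_listen(SAMPLE_PCAP)
    print(f"catch-it-as-you-can retained {len(full)} frames ({len(SAMPLE_PCAP)} bytes on disk)")
    for flow, n in summary["packets"].items():
        print(f"stop-look-listen flow {flow}: {n} packets, {summary['bytes'][flow]} bytes")
```

The full capture grows with every byte on the wire, while the summary grows only with the number of distinct flows; the price is that the beacon payload itself is gone once `stop_look_and_listen` has moved on.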
Places for network info collection (3)
firewalls
intrusion detection systems (IDS)
packet captures from network forensic devices
Advantages of Packet capture devices (4)
Problems with packet capture
- a capture point sees traffic from many computers, and most of it is noise unrelated to the incident being investigated
Monitoring points for capture devices
external - one at each entry point to the network; sees traffic crossing the perimeter
internal - sees traffic between computers inside the network, which an external point never sees
Problem: deploying multiple capture devices may be cost-prohibitive
Access to network appliances
In cloud-based environments users may not have access to the provider's network appliances:
firewalls
switches
routers
NFATs
Network Forensic Analysis Tools (network forensic products)
Promiscuous mode
Network packet capture devices have NICs that operate in promiscuous mode, i.e. the NIC passes every frame it receives up to the host instead of dropping frames whose destination MAC address is not its own. Caveat: on a switched network the NIC only receives frames the switch forwards to its port, so the capture interface must be fed from a SPAN/mirror port or a network TAP to see other hosts' traffic.
Optimal conditions for network forensics
Interrogation sources (3)
DHCP servers - which IP address was leased to which MAC address, and when
DNS servers - the computer's name for an IP address (forward and reverse records)
WINS servers - NetBIOS computer name to IP address mapping
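Putting the three sources together, as an added example (not from these notes): the dhcpd syslog lines, the reverse-DNS snapshot and the WINS table below are constructed, the hostnames and addresses are made up, and the year is assumed to be 2024 because syslog timestamps carry none. The point it shows is that an IP address must be attributed as of the event time, using the last DHCPACK at or before it, because DNS and WINS only describe whoever holds the address now.

```python
import re
from datetime import datetime

# Constructed ISC dhcpd syslog lines (not real logs).
DHCP_LOG = """\
Jan 12 09:00:01 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 (ws-alice) via eth0
Jan 12 11:30:44 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:ff (ws-bob) via eth0
Jan 12 11:31:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.7 to 00:11:22:33:44:55 (ws-alice) via eth0
Jan 12 11:32:10 dhcp1 dhcpd[812]: DHCPREQUEST for 10.0.0.9 from 11:22:33:44:55:66 via eth0
"""
LOG_YEAR = 2024  # assumption: syslog lines have no year field

# Constructed snapshot of what DNS (reverse zone) and WINS answer *now*.
DNS_PTR = {"10.0.0.5": "ws-bob.corp.example", "10.0.0.7": "ws-alice.corp.example"}
WINS = {"WS-ALICE": "10.0.0.7", "WS-BOB": "10.0.0.5"}  # NetBIOS name -> IP

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via"
)

def parse_dhcp_acks(log_text, year=LOG_YEAR):
    """Return DHCPACK events as (timestamp, ip, mac, client_hostname), oldest first.
    Only ACKs bind an address; DISCOVER/OFFER/REQUEST lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["mac"], m["host"]))
    events.sort()
    return events

def attribute(ip, when, acks, dns_ptr=DNS_PTR, wins=WINS):
    """Who held `ip` at time `when` (datetime or ISO string)? Take the last
    DHCPACK at or before the event, then enrich with current DNS/WINS names."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    holder = None
    for ts, ack_ip, mac, host in acks:
        if ack_ip == ip and ts <= when:
            holder = (ts, mac, host)  # later ACKs overwrite earlier ones
    if holder is None:
        return None
    ts, mac, host = holder
    dns_name = dns_ptr.get(ip)
    netbios = next((name for name, addr in wins.items() if addr == ip), None)
    return {
        "ip": ip, "mac": mac, "leased_at": ts, "dhcp_hostname": host,
        "dns_name": dns_name, "wins_name": netbios,
        # DNS/WINS describe the current holder, not necessarily the one at event
        # time; flag it when the current name does not match the DHCP hostname.
        "name_mismatch": bool(dns_name and host and not dns_name.startswith(host + ".")),
    }

if __name__ == "__main__":
    acks = parse_dhcp_acks(DHCP_LOG)
    for when in ("2024-01-12T10:00:00", "2024-01-12T12:00:00"):
        print(when, attribute("10.0.0.5", when, acks))
```

Run against the constructed data, 10.0.0.5 at 10:00 resolves to ws-alice's MAC while the current PTR record already says ws-bob, which is exactly the mistake an investigator makes by querying DNS alone after the lease has moved.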