Network Protocol Analyzers and Forensic

Investigation: An In-Depth Guide

• 1. Network Protocol Analyzers

• What are Network Protocol Analyzers?
• Definition: Network protocol analyzers are specialized software or hardware tools
that capture, decode, and examine network traffic, enabling a comprehensive view
of data exchanges across communication channels.
• Purpose: These tools are indispensable for network administrators, security
analysts, and forensic investigators. They help in diagnosing network issues,
reinforcing security, and performing forensic analysis to detect unauthorized or
suspicious activity within networks.
•

• Core Features of Network Protocol Analyzers

• Packet Capture: Collects real-time network traffic or retrieves stored packet data
for in-depth examination. This feature allows users to capture all traffic moving
through a network interface or a targeted segment of the network.
• Protocol Analysis: Decodes a wide range of protocols such as HTTP, TCP, DNS,
SSL, and others, giving insights into the specifics of each network conversation and
enabling better understanding and problem-solving.
• Traffic Analysis: Provides patterns and trends by analyzing data flow. It identifies
"normal" behavior in network traffic and makes it easier to spot unusual or
suspicious anomalies, which can be a red flag for potential security issues.
• Data Export: Offers options for exporting captured data in various formats
(e.g., .pcap, .txt), making it easy to archive data for long-term storage or conduct
further analysis in other specialized tools.
•
• Network Protocol Analyzers in Security

• Network protocol analyzers play a crucial role in network security and forensic
analysis:
• Intrusion Detection: Detects abnormal or suspicious network behavior, such as
unusual port scanning or unexpected IP address communications, which might
indicate ongoing attacks or reconnaissance activities.
• Data Breach Detection: Identifies potential unauthorized attempts to exfiltrate
sensitive data by recognizing unusual data flows and traffic patterns.
• Traffic Monitoring: Allows continuous monitoring to detect unauthorized
communication channels, unauthorized protocol usage, or malicious domains,
helping to prevent breaches or isolate infected systems.
•

• Types of Attacks Detected Using Network Protocol Analyzers

• Network protocol analyzers can reveal various types of attacks by analyzing

network traffic:
• Man-in-the-Middle (MitM) Attacks: In these eavesdropping attacks, an attacker
intercepts and can alter communications between two parties, gaining access to
sensitive data or even modifying messages in transit.
• Denial of Service (DoS) Attacks: These attacks overwhelm network resources by
flooding them with traffic, leading to service outages. Protocol analyzers detect
such attacks by spotting sudden traffic surges and traffic spikes.
• Malware Communication: Detects Command and Control (C2) traffic, which
involves communication between compromised devices and an attacker’s server,
indicating potential infection or botnet activity.
• ARP Spoofing: Alters the ARP (Address Resolution Protocol) cache, redirecting
network traffic through an attacker’s system. This attack is commonly used to
intercept and monitor local network traffic.
• DNS Spoofing/Poisoning: Involves providing false DNS responses to redirect users
to malicious sites, often used in phishing attacks. Protocol analyzers can identify
discrepancies in DNS traffic that indicate tampering.
•
• Popular Network Protocol Analyzers

• Below are some of the most commonly used network protocol analyzers that cater
to various security and network analysis needs:
• Wireshark: A widely used, open-source protocol analyzer known for its extensive
protocol support and robust packet analysis capabilities.
• Tcpdump: A command-line tool that provides basic packet capture and analysis,
popular among professionals who prefer lightweight, fast network analysis.
• NetFlow: Primarily used for traffic analysis and monitoring. It helps detect
anomalies and generates reports on network usage trends.
• Nmap: Known primarily as a network scanner, Nmap also offers packet capture
capabilities and is especially useful for network discovery and security auditing.
• NetworkMiner: A network forensic tool that focuses on reconstructing sessions
and extracting files from packet captures, making it a valuable tool for forensic
analysis.
•

a. 2. Wireshark and Network Analysis

b. Overview of Wireshark
c. Definition: Wireshark is a powerful, open-source network protocol analyzer
that provides granular inspection of network traffic, widely utilized in network
diagnostics, troubleshooting, and forensic investigations. It’s ideal for
capturing and dissecting network packets to gain insights into
communication flows and protocol interactions.
d. Supported Protocols: Wireshark can analyze over 2,000 protocols, including
HTTP, HTTPS, FTP, SMTP, DNS, SMB, and many more. This vast protocol
support makes it versatile for nearly any network scenario, from web and
email traffic to file transfers and secure communications.
e.

f. Security Implications of Wireshark

g. Wireshark can be indispensable for both defensive and investigative roles in

network security:
2. Active Monitoring: It enables administrators to monitor data flows in real time,
making it easier to detect unexpected data transmissions or unauthorized access
attempts.
3. Password Sniffing: By examining unencrypted traffic, Wireshark can reveal plain-
text credentials, emphasizing the importance of encryption protocols like TLS for
securing sensitive data.
4. Intrusion Detection: Wireshark is effective at identifying suspicious traffic patterns
that might indicate malicious activities, such as unusual port scanning,
unauthorized access attempts, or potential malware communications.
a.

b. Common Attacks Detected with Wireshark

c. Wireshark’s advanced filtering and analysis capabilities make it suitable for

detecting and investigating various network-based attacks:
5. Password Interception (Credential Harvesting):
a. Vulnerability: Monitoring unencrypted HTTP traffic can expose user login
credentials.
b. Wireshark Technique: Using the filter http.request.method == "POST"
allows users to track forms sending credentials, particularly on non-secure
pages.
6. Port Scanning:
a. Vulnerability: Attackers may scan open ports to identify exploitable services.
b. Wireshark Technique: The filter tcp.flags == 0x002 can detect SYN
requests associated with port scanning activities, helping analysts to locate
potential reconnaissance attempts.
7. SSL/TLS Decryption (with Pre-Master Secret Key):
a. Vulnerability: Insecure SSL/TLS configurations can lead to sensitive data
exposure.
b. Wireshark Technique: Using decryption keys enables the analysis of SSL/TLS
traffic, identifying weak cipher suites or improper configurations that might
expose sensitive information.
c.

d. Advanced Usage and Filters in Wireshark

e. Wireshark’s advanced filtering options enable precise data analysis by

narrowing down traffic to specific criteria:
8. Common Display Filters:
a. IP-based Filter: ip.addr == 192.168.1.1 isolates traffic involving a
particular IP address.
 b. Protocol-based Filter: Use protocols like http, tcp, dns, or udp to filter by
protocol type.
c. Port-based Filter: tcp.port == 80 limits displayed traffic to HTTP (port 80)
requests.
9. Packet Analysis: Use tcp.analysis.flags to highlight flags like retransmissions
or duplicate ACKs, which can indicate issues such as packet loss or network
instability.
a.

b. Example Analysis Workflow

c. Wireshark offers a structured approach to capture, filter, analyze, and report

network data:
10. Capture Traffic: Select the correct network interface, initiate the capture, and save
the captured data as a .pcap file for further examination.
11. Filter for Relevant Data: Apply display filters to narrow down the view to specific
types of traffic, such as http or tcp.port == 443 for secure web traffic.
12. Analyze Payloads: By right-clicking and selecting “Follow TCP/UDP Stream,” you
can trace a conversation between endpoints, examining the data payloads
exchanged in each packet.
13. Spot Anomalies: Leverage color-coding schemes and advanced filters to identify
unusual activity quickly, which might signal an attack or network issue.
14. Generate Reports: Export filtered data in formats like CSV to facilitate reporting or
further presentation of findings.
a.

b. Hands-on Examples

c. 1. Detecting Malware Beaconing:

15. Scenario: Repeated outbound connections to a suspicious IP every hour.
16. Wireshark Steps: Use ip.dst == suspicious_IP and tcp.flags.syn == 1
filters to track repetitive outbound connection attempts, which could indicate
malware beaconing to a command-and-control server.
a. 2. Spotting a Man-in-the-Middle Attack:
17. Scenario: Unusual ARP replies suggest ARP spoofing on the local network.
18. Wireshark Steps: Apply arp.duplicate-address-detected == 1 to detect ARP
poisoning by identifying duplicated ARP addresses.
a. 3. Tracking Data Exfiltration:
 19. Scenario: Anomalous high-volume FTP traffic from a sensitive server, suggesting
data exfiltration.
20. Wireshark Steps: Use the ftp filter to view FTP-related traffic and track commands
like STOR or RETR, which could indicate uploads or downloads, signaling
unauthorized data transfer.
a.

3. Computer Forensic Investigation

What is Computer Forensics?

Definition: Computer forensics is a specialized branch of cybersecurity dedicated to the

extraction, analysis, and preservation of data from digital devices for investigative and
legal purposes. It plays a critical role in both criminal and civil investigations, especially in
cases involving digital evidence.

Scope: Computer forensics encompasses a wide array of digital devices and sources,
including hard drives, USB devices, mobile devices, network logs, emails, memory dumps,
cloud storage, and much more.

Key Principles of Computer Forensics

1. Preservation of Evidence: Ensuring the integrity and authenticity of digital

evidence so it remains admissible in legal proceedings. This involves taking
measures to protect data from accidental or intentional tampering.
2. Minimizing Impact: Using forensic techniques that do not alter or damage the
original data. This typically involves creating forensic images of drives and using
specialized tools to interact with data in a non-destructive manner.
3. Repeatability: Forensic procedures must be meticulously documented and
replicable, allowing independent experts to verify the findings by following the same
processes and methodologies.
Security Aspects of Computer Forensics

• Confidentiality: Protecting collected evidence from unauthorized access or

disclosure, often using encryption and access controls.
• Integrity: Ensuring data remains unaltered throughout the forensic process.
Hashing algorithms like MD5 and SHA-256 are used to generate unique signatures
for data, allowing any changes to be detected.
• Chain of Custody: Maintaining a clear and documented record of every individual
who has accessed the evidence. This includes tracking who, when, and how
evidence was handled to preserve its admissibility and credibility in court.

Typical Cyber Attacks Involved in Forensics

Forensic investigations are often prompted by various cyber incidents, including:

• Data Breaches: Unauthorized access and theft of sensitive data from an

organization’s systems.
• Malware Incidents: Investigating the origin, spread, and impact of malicious
software within a network.
• Insider Threats: Situations where an employee or associate abuses their access
rights for malicious purposes, often involving data exfiltration or sabotage.
• Ransomware Attacks: The encryption of critical files by an attacker, who then
demands a ransom for the decryption key.
• Advanced Persistent Threats (APTs): Highly targeted and sophisticated attacks
aiming for long-term infiltration, often perpetrated by organized groups or nation-
states.

Types of Evidence in Computer Forensics

1. Volatile Evidence: Data that is lost when a device is powered off, such as RAM
contents, running processes, and open network connections.
2. Non-Volatile Evidence: Persistent data stored on physical media, including
documents, emails, and system logs on hard drives or external storage.
3. Network Evidence: Logs from network devices like routers, firewalls, and network
appliances, which can reveal traffic patterns and suspicious connections.
 4. Cloud Evidence: Data stored on third-party cloud platforms, including user files,
system logs, and account activities.
5. Mobile Evidence: Information extracted from mobile devices, including call
records, SMS, app data, and geolocation data.

Forensic Tools Overview

Various forensic tools specialize in different areas of data analysis:

• Disk Imaging: Tools like dd, FTK Imager, and EnCase create exact copies (images)
of storage media to preserve the original data.
• File Recovery: Autopsy, Recuva, and R-Studio are used to retrieve deleted files,
especially those removed without standard deletion practices.
• Log Analysis: Tools like Log Parser and Splunk allow detailed examination of logs to
identify abnormal or suspicious activity patterns.
• Memory Forensics: Volatility and Rekall analyze memory (RAM) dumps to extract
valuable insights on live processes, network connections, and potential malware.

Forensic Methodology with Examples

Computer forensics follows a structured methodology to ensure a thorough and

systematic investigation:

1. Identification: Detect and label potential evidence relevant to the investigation.

a. Example: Identifying compromised systems after noticing unusual traffic
patterns on the network.
2. Preservation: Isolate and create forensic images of systems to prevent data
alteration.
a. Example: Using FTK Imager to create a bit-by-bit copy of a suspect’s hard
drive for analysis.
3. Collection: Gather all data and information necessary for the investigation.
a. Example: Collecting server logs, database snapshots, and relevant files after
a breach incident.
4. Examination: Use forensic tools to scrutinize and extract relevant information from
the collected data.
 a. Example: Analyzing deleted emails from a PST file using EnCase to recover
possible evidence.
5. Analysis: Correlate findings to construct a timeline and determine the sequence of
events.
a. Example: Using Autopsy to piece together a timeline of file access history to
trace unauthorized data access.
6. Reporting: Document the findings in a clear, structured format to support legal
proceedings or organizational reporting.
a. Example: Creating a report with visual aids such as screenshots,
timestamps, and descriptions of evidence for presentation to a legal team.

4. Analyzing Digital Evidence

Types of Digital Evidence

1. Primary Data: The core evidence consisting of raw files, documents, emails,
images, and other user-generated content that may contain traces of activity or
incriminating data.
2. Metadata: Often hidden, metadata includes detailed information about files, such
as creation and modification dates, geolocation tags in images, and application-
specific attributes, offering insights into file history and usage.
3. Registry Data: On Windows systems, the registry stores configuration settings,
system preferences, and user activity, such as connected USB devices and recently
accessed files, making it valuable for user activity reconstruction.
4. System Artifacts: Transient data like log files, temporary files, cache, and browser
history. These artifacts often reveal application usage patterns, internet browsing
history, and interaction timelines, providing context to user activities.

Security Implications of Digital Evidence

Handling digital evidence demands careful security practices to maintain data integrity
and confidentiality:

• Tampering Prevention: Digital evidence must be protected from modification after

capture, often secured using cryptographic hashes (e.g., SHA-256) to ensure
integrity and verify authenticity.
 • Data Encryption: Sensitive evidence data should be encrypted during storage and
transmission to safeguard it from unauthorized access, especially if the data
contains confidential or personally identifiable information.
• Confidentiality of Information: Digital forensics teams handle sensitive data and
must follow strict protocols to prevent data leaks, maintaining compliance with
legal and regulatory standards.

Attacks and Evidence Analysis

Forensic investigations often involve analyzing evidence to trace the path and impact of
specific attacks:

• Ransomware Analysis:
o Attack Vector: Ransomware encrypts files on the victim’s system and
demands a ransom payment for the decryption key.
o Forensic Steps: Identify the ransomware variant, trace the initial infection
vector (e.g., email, exploit, or remote desktop), and attempt decryption if
feasible. Examination may also reveal shadow copies or alternative recovery
options.
• Phishing Attack Investigation:
o Attack Vector: Phishing emails are crafted to impersonate trusted entities,
often aiming to steal user credentials or install malware.
o Forensic Steps: Analyze email headers to identify sender IPs, extract any
embedded links or attachments, and cross-reference with known phishing
domains. Correlate with affected users’ login history to identify potential
data compromise.
• APT Detection and Investigation:
o Attack Vector: Advanced Persistent Threats (APTs) are sophisticated,
prolonged attacks often targeting sensitive data in specific organizations or
industries.
o Forensic Steps: Utilize threat intelligence to identify known indicators of
compromise (IOCs), monitor C2 (Command and Control) traffic, collect
malware samples, and conduct behavior analysis to understand attacker
motives and techniques.
Evidence Collection Tools

Different forensic tools are specialized for capturing and analyzing specific types of digital
evidence:

• Forensic Images: FTK Imager and dd are popular tools for creating exact forensic
copies (images) of disks, preserving the original data for analysis.
• Memory Analysis: Volatility is used to examine RAM dumps, revealing processes,
active connections, and possible malware.
• Network Evidence: Tcpdump and Wireshark capture live network traffic, enabling
forensic analysis of network data, including packet inspection for signs of
infiltration or data exfiltration.

In-Depth Analysis Techniques

1. Data Carving:
a. Purpose: Recover data from unallocated or deleted space where traditional
file recovery methods may fail.
b. Tools: PhotoRec and Foremost can extract specific file types, like JPEGs,
from partially overwritten or fragmented files.
c. Example: Carving out partially deleted images from a memory dump to
recover visual evidence.
2. Timeline Analysis:
a. Purpose: Establish the sequence of events related to a security incident or
user activity.
b. Tools: Plaso and Autopsy enable the creation of detailed timelines, showing
the order and timestamps of events.
c. Example: Correlating file modification timestamps with user logins to
determine if unauthorized access occurred during a breach.
3. Keyword Searching:
a. Purpose: Quickly locate relevant terms or patterns within large datasets,
facilitating targeted investigation.
b. Tools: Sleuth Kit supports advanced keyword searches for sensitive terms
like "confidential" or specific user IDs.
c. Example: Searching for "confidential" in an employee’s emails to investigate
possible data leaks.
 4. Registry Analysis:
a. Purpose: Examine the Windows registry to reveal user activity and system
changes, such as installed applications and user activity logs.
b. Tools: Registry Explorer and RegRipper are used to parse and analyze registry
data.
c. Example: Identifying recently accessed files or recently installed software on
a suspect's system.

Reporting

Effective reporting is critical in forensic investigations, especially for legal and

organizational purposes:

• Documentation: Detailed reports should include all findings, complete with

screenshots, data exports, and event correlations. The documentation provides a
clear narrative of the forensic process and results.
• Expert Testimony: Forensic analysts should be prepared to present findings in
court, explaining technical processes in layman’s terms to ensure clarity for legal
professionals and juries.
• Visuals: Diagrams and flowcharts illustrate attack sequences, showing how
attackers breached systems, exfiltrated data, or otherwise interacted with the
compromised environment. Timelines can clarify the order of events, helping non-
technical stakeholders understand complex incidents.