Network

Forensics
Thai Minh Tuan
([email protected])

Slides are adapted from:

[1] Guide to Computer Forensics and Investigations. Sixth Edition. Cengage Learning, 2018, ISBN-13: 978-1-337-56894-4
[2] Practical Guide to Digital Forensics Investigations, Pearson IT Certification, 2020, ISBN-13: 978-0789759917 1
Outline
● What is network forensic
● Network forensic steps
● Key aspects of network forensics
● Challenges in network forensics
● Network forensics tools and technologies

2
What is network forensic?
● Network forensic refers to the process of collection, analyzing and
interpreting data from computer networks to investigate and uncover
potential security issues
○ heavily focuses on monitoring and analyzing network traffic.
● It is a specialized field within digital forensics that focuses on the
examination of network traffic and activities to under what happened,
how it happened and who may have been involved
● Security incidents like cyberattacks, DDoS and ransomware are quite
prevalent these days, thus making network forensic a vital part of any
modern cyber security investigation.

3
Network forensic steps
● Step 1 — Data Capture
○ Capturing network packets and data using tools such as packet sniffers or network monitoring
software.
○ Data includes information about the flow of data, communication between devices, and potential
security-related events.
● Step 2 — Data Preservation
○ Ensuring the integrity and authenticity of the captured data is crucial.
○ Proper handling of the evidence is essential to maintain the admissibility of network forensic
findings in legal proceedings.
● Step 3 — Analysis
○ Analyze the captured data to identify patterns, anomalies, and indicators of compromise (IOCs).
○ Examine network traffic to reconstruct events.
○ Determine the scope of security incidents.
○ Understand the tactics and techniques used by threat actors.
● Step 4 — Reporting
○ Document the findings from analysis result in reports for legal purposes, internal investigations,
or security improvement recommendations.
4
Key aspects of network forensics
● Identification and Detection
○ Cyberattacks often start with unusual or suspicious network activities.
○ Identifying these anomalies and detecting potential security breaches.
○ Identify patterns and indicators of compromise (IOCs) in network traffic.
○ Monitoring network traffic and behavior in real-time or retrospectively.
● Incident Response
○ Assist in formulating an effective incident response plan when a cyberattack is detected.
○ Provide information on how the attack occurred, its impact, and the affected systems.
○ Aiding in containment and mitigation efforts.
● Evidence Collection
○ Systematic collection of data from various network devices such as routers, switches,
firewalls, intrusion detection systems, and network logs.
○ Reconstructing the attack timeline and understanding the attack vectors.

5
Key aspects of network forensics
● Understanding Incident Details
○ Analyzing network traffic and logs.
○ Understanding the tactics, techniques, and procedures (TTPs) used by attackers.
○ Determining the attack’s source, targets, and any malicious payloads or malware.
○ Blocking threats from the source using IP geolocation solution.
● Attribution
○ Examining the characteristics of the attack, including IP addresses, malware signatures,
and other indicators.
○ Identifying a user’s IP geolocation can indeed enhance the effectiveness of existing
cybersecurity initiatives.
○ Help to attribute a cyberattack to a specific individual, group, or nation-state.

6
Key aspects of network forensics
● Legal and Regulatory Compliance
○ Network forensic evidence is often crucial in legal proceedings and compliance with regulations.
○ Serve as proof of an attack for legal actions and regulatory reporting.
○ Considering that the attackers would interact with an organization’s network in launching their attack(s),
logs from network devices can help in the determination of the type of attack and track the steps taken
by the attacker.
○ In certain cases, data gathered during these steps may need to be presented as evidence before a
regulatory authority or a court.
● Prevention and Hardening
○ Help organizations to identify vulnerabilities and weaknesses in their network infrastructure by analyzing
past cyberattacks.
○ Strengthen security measures and prevent future attacks.
● Lessons Learned
○ The insights gained from network forensics can be used to improve security policies and procedures.
○ Learn from past incidents and apply this knowledge to enhance their overall cybersecurity posture.

7
Challenges in network forensics
● Encryption
○ Widespread use of encryption protocols, such as TLS and HTTPS, can make it difficult to
inspect network traffic.
○ Encrypted communication can hide malicious activities, making it challenging to analyze
data in transit.
● Volume of Data
○ Amount of network traffic data can be massive.
○ Sifting through vast amounts of data to find relevant information is time-consuming and
resource-intensive.
○ Require efficient data storage and retrieval methods to perform analysis.
● Data Retention
○ Retaining network traffic data for an extended period is often necessary for forensic
investigations, thereby increasing storage costs.
○ Require careful management to comply with legal requirements and privacy concerns.

8
Challenges in network forensics
● Real-Time Monitoring
○ Identifying and responding to threats in real time is crucial.
○ Network forensics tools and techniques must provide immediate insights.
○ Alert capabilities to address ongoing attacks.
● Data Fragmentation
○ Network traffic can be fragmented, and pieces of data may be scattered across various
devices and logs.
○ Reassembling fragmented data to reconstruct the complete attack scenario can be
challenging.

9
Challenges in network forensics
● Network Complexity
○ As networks become more complex, with various devices, IoT devices, and interconnected
systems, tracking and understanding network behavior becomes increasingly difficult.
● False Positives
○ False positives leading to an overload of alerts and distracting investigators from actual
threats.
○ Reducing false positives while maintaining effective threat detection is a significant
challenge.

10
Network forensics tools and technologies
● Network traffic analysis software
○ Analyzing network traffic patterns and packets flowing by collecting and analyzing data
like the source and destination IP addresses, ports, traffic protocols, and traffic volume
● Network monitoring software
○ Shows you your entire network and handles different aspects of network components,
devices, and traffic
● Intrusion detection and prevention software (IDPS)
○ Detect and prevent unauthorized access to networks and systems
● Digital forensic software
○ Designed to gather, analyze, and interpret digital evidence from computers, mobile
devices, storage media, and networks
● Security information and event management (SIEM) systems
○ Provide centralized visibility, event correlation, and advanced analytics capabilities
○ Integrate with other network forensics tools

11