The document covers methodologies and tools for network and memory forensics, focusing on capturing and analyzing network traffic and volatile data in RAM. It details various network protocols, analysis tools, and common network-based attacks, alongside techniques for detecting and analyzing these attacks. Additionally, it discusses memory acquisition and analysis techniques, emphasizing the importance of volatile data in understanding system states during forensic investigations.

Uploaded by ibizam342

Module IV

Network and Memory Forensics


1. Network Forensics

This section explores the methodologies and tools used to capture, record, and analyze
network traffic for investigative purposes.

1.1 Protocols and Network Analysis Tools

Understanding network protocols and utilizing appropriate analysis tools are fundamental to
network forensics.

- Common Network Protocols Relevant to Forensics:
  o TCP/IP (Transmission Control Protocol/Internet Protocol) Suite: The foundation of internet communication. Understanding TCP (connection-oriented, reliable), UDP (connectionless, fast), IP (addressing and routing), ICMP (error reporting), and ARP (address resolution) is crucial.
  o HTTP/HTTPS (Hypertext Transfer Protocol/Secure HTTP): Used for web browsing and data transfer. Analyzing HTTP headers, request/response bodies, and URLs can reveal valuable information. HTTPS involves encryption using protocols like TLS/SSL.
  o SMTP/POP3/IMAP (Simple Mail Transfer Protocol/Post Office Protocol version 3/Internet Message Access Protocol): Protocols for email communication. Analyzing email headers and content can be critical in investigations.
  o FTP/SFTP (File Transfer Protocol/Secure FTP): Used for transferring files. Examining FTP commands and transferred data can be relevant. SFTP uses SSH for secure file transfer.
  o DNS (Domain Name System): Translates domain names to IP addresses. Analyzing DNS queries can reveal communication with malicious domains.
  o DHCP (Dynamic Host Configuration Protocol): Assigns IP addresses to devices on a network. Examining DHCP logs can help identify devices connected at specific times.
  o SNMP (Simple Network Management Protocol): Used for managing network devices. SNMP data can provide insights into network performance and device status.
  o VPN Protocols (e.g., IPsec, OpenVPN): Used for creating secure tunnels. Analyzing VPN traffic can be challenging due to encryption.
  o Wireless Protocols (e.g., Wi-Fi 802.11): Understanding Wi-Fi authentication, encryption (WEP, WPA, WPA2/3), and traffic patterns is essential for investigating wireless network incidents.
- Network Analysis Tools: A variety of tools are used for capturing and analyzing network traffic:
  o Packet Sniffers (e.g., Wireshark, tcpdump, Tshark): These tools capture network traffic in real time, allowing investigators to examine individual packets and their contents. Wireshark provides a graphical user interface, while tcpdump and Tshark are command-line tools.
  o Network Intrusion Detection/Prevention Systems (NIDS/NIPS): While primarily used for security monitoring, logs from NIDS/NIPS can provide valuable information about network attacks and suspicious activity.
  o Firewall Logs: Firewalls record network connections and blocked traffic, offering insights into attempted intrusions and communication patterns.
  o Router and Switch Logs: These logs can provide information about network activity, routing changes, and device connectivity.
  o NetFlow/IPFIX Analyzers (e.g., SolarWinds NetFlow Traffic Analyzer, ntopng): These tools collect and analyze network flow data, providing a summary of network traffic patterns, communication endpoints, and bandwidth usage.
  o Protocol Analyzers (integrated within packet sniffers like Wireshark): These tools can dissect network packets according to their protocol, making it easier to understand the communication flow and identify anomalies.
  o Network Forensic Workstations: Dedicated systems equipped with specialized hardware and software for capturing, storing, and analyzing large volumes of network traffic.
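As an added illustration of what a protocol analyzer does when it dissects a packet (this is example code written for these notes, not part of the original module or of any tool named above), the following parses the header and question section of a raw DNS message, the protocol whose queries the notes single out for revealing contact with malicious domains. The query bytes are constructed by hand; the only assumption is the RFC 1035 wire format.

```python
import struct

# Constructed query: id 0x1a2b, flags 0x0100 (standard query, RD set),
# 1 question, name "www.example.com", type A (1), class IN (1).
SAMPLE_QUERY = (
    b"\x1a\x2b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x03www\x07example\x03com\x00"
    b"\x00\x01\x00\x01"
)

def parse_name(data, offset):
    """Decode a DNS name at offset, following compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2  # resume here after following the pointer
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:  # refuse looping pointers in a malformed packet
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:  # root label terminates the name
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_dns(data):
    """Return header fields and the question section of a DNS message."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    msg = {"id": txid, "is_response": bool(flags & 0x8000),
           "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
           "qdcount": qd, "ancount": an, "questions": []}
    offset = 12
    for _ in range(qd):
        name, offset = parse_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        msg["questions"].append({"name": name, "type": qtype, "class": qclass})
    return msg
```

Feeding the question names into a length or entropy check is the usual first filter for the DNS tunneling the notes mention under C2 traffic.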

1.2 Detecting and Analyzing Network-Based Attacks

Network forensics plays a crucial role in detecting, analyzing, and responding to various
network-based attacks.

- Common Network-Based Attacks and Their Forensic Footprints:
  o Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks: Characterized by a flood of traffic from single or multiple sources, overwhelming the target system. Forensic analysis involves identifying the source IPs, attack patterns (e.g., SYN flood, UDP flood), and the impact on the target.
  o Malware Communication (Command and Control - C2): Malware often communicates with C2 servers to receive instructions and exfiltrate data. Network analysis can identify communication patterns, protocols used (e.g., HTTP, DNS tunneling, IRC), and the destination servers.
  o Network Scanning and Reconnaissance: Attackers often scan networks to identify open ports and vulnerabilities. Forensic analysis can reveal scanning activity through unusual connection attempts and port scan patterns in firewall and intrusion detection logs. Tools like Nmap are commonly used by attackers.
  o Man-in-the-Middle (MITM) Attacks: Attackers intercept communication between two parties. Forensic evidence might include ARP poisoning, DNS spoofing, or the use of rogue access points. Analyzing network traffic can reveal altered packets or suspicious routing.
  o SQL Injection Attacks: Attackers inject malicious SQL code into web applications to gain unauthorized access to databases. Web server logs and network traffic can reveal the injected SQL queries and the attacker's actions.
  o Cross-Site Scripting (XSS) Attacks: Attackers inject malicious scripts into websites viewed by other users. HTTP traffic analysis can reveal the injected scripts and the potential impact.
  o Brute-Force Attacks: Attackers attempt to guess passwords by trying numerous combinations. Authentication logs (e.g., SSH, FTP, web application logs) will show multiple failed login attempts from specific IP addresses.
  o Data Exfiltration: Attackers attempt to steal sensitive data from a network. Network traffic analysis can identify large outbound data transfers to unusual destinations. Techniques such as file carving might be necessary to reconstruct exfiltrated files from captured packets.
- Analysis Techniques for Attack Detection:
  o Signature-Based Detection: Comparing network traffic patterns with known attack signatures (used by NIDS/NIPS).
  o Anomaly-Based Detection: Identifying deviations from normal network behavior (e.g., unusual traffic volume, port usage, or communication patterns).
  o Behavioral Analysis: Observing the actions of network entities (e.g., hosts, users) over time to detect suspicious activities.
  o Correlation of Logs and Events: Combining information from various sources (firewall logs, IDS alerts, server logs) to build a comprehensive picture of an attack.
  o Traffic Flow Analysis: Analyzing NetFlow or IPFIX data to identify communication patterns and potential anomalies.
  o Deep Packet Inspection (DPI): Examining the content of network packets to identify malicious payloads or indicators of compromise.

2. Memory Forensics

This section focuses on the acquisition and analysis of volatile data residing in a computer's
memory (RAM).

2.1 Understanding Volatile Data

Volatile data is information stored in RAM that is lost when the system is powered off.
However, during the system's operation, RAM contains a wealth of valuable forensic
information that can be crucial for understanding the system's state at a specific point in time.

- Types of Volatile Data Relevant to Forensics:
  o Running Processes: Information about all active processes, their process IDs (PIDs), parent-child relationships, and associated threads. This can reveal malicious processes that might not be evident through file system analysis.
  o Network Connections: Details of active network connections, including source and destination IP addresses and ports, protocols used, and the state of the connection. This can help identify communication with C2 servers or other malicious hosts.
  o Open Files and Registry Handles: Information about files and registry keys currently being accessed by running processes. This can provide context about the activities of those processes.
  o Loaded Libraries and DLLs (Dynamic Link Libraries): Lists of libraries loaded into process memory, which can reveal dependencies and potentially identify malicious code injected into legitimate processes.
  o Cached Information: Data cached by the operating system and applications, such as DNS cache, ARP cache, browser history, and clipboard contents.
  o Cryptographic Keys and Certificates: In some cases, encryption keys and digital certificates might be present in memory, potentially allowing the decryption of encrypted data.
  o User Credentials and Passwords: Although often protected, sensitive information like cached credentials or passwords might be temporarily present in memory.
  o Kernel Modules and Drivers: Information about loaded kernel modules and device drivers, which can reveal the presence of rootkits or other kernel-level malware.
  o RAM Contents of Applications: The active data and state of running applications, which can provide insights into user activity and potentially reveal sensitive information.

2.2 Memory Acquisition and Analysis Techniques

Memory forensics involves carefully acquiring a memory dump and then analyzing its
contents using specialized tools.

- Memory Acquisition Techniques: Due to the volatile nature of RAM, acquisition must be performed quickly and carefully to minimize data alteration.
  o Software-Based Acquisition: Using specialized software tools running on the live system to capture a memory dump. Examples include:
    - Volatility Framework's memdump plugin: A versatile tool for acquiring memory images on various operating systems.
    - FTK Imager: A popular forensic imaging tool that can also acquire memory.
    - DumpIt: A simple command-line tool for memory acquisition on Windows.
  o Hardware-Based Acquisition: Using dedicated hardware devices that can directly access and copy the system's memory without relying on the operating system. This method can be more reliable in cases of malware infection or system instability. Examples include:
    - Memory grabbers connected via FireWire or PCIe.
  o Virtual Machine Snapshotting: For virtualized systems, taking a snapshot of the virtual machine's state captures the memory at that point in time.
- Memory Analysis Techniques: Once a memory image is acquired, various analysis techniques are employed to extract and interpret the forensic artifacts.
  o Profiling: The first step often involves profiling the memory image to identify the operating system, service pack, and architecture. Tools like Volatility's imageinfo plugin are used for this.
  o Process Listing: Identifying all running processes at the time of the memory dump using tools like Volatility's pslist, pstree, or psscan plugins. Suspicious or unknown processes can be flagged for further investigation.
  o Network Analysis: Examining active and recently closed network connections using tools like Volatility's netscan or connections plugins. This can reveal communication with malicious IPs or domains.
  o File Handle Analysis: Identifying open files and directories associated with running processes using tools like Volatility's handles plugin.
  o DLL and Library Analysis: Listing loaded DLLs and libraries for each process using tools like Volatility's dlllist plugin. This can help identify injected code or malicious libraries.
  o Registry Analysis: Examining relevant registry keys and values present in memory using tools like Volatility's hivelist and reglookup plugins.
  o Code Injection Detection: Identifying instances where malicious code has been injected into legitimate processes. Techniques involve scanning for unusual memory regions or comparing process memory with known good states.
  o Rootkit Detection: Using specialized plugins (e.g., kpcrscan, malfind) to identify kernel-level rootkits that might be hidden from traditional process listings.
  o Credential Extraction: Attempting to extract cached credentials or passwords from memory using tools like Volatility's mimikatz plugin (use with caution and legal authorization).
  o Malware Analysis: Analyzing memory regions associated with suspicious processes to identify malware signatures, configuration data, or injected code.
  o Timeline Reconstruction: Correlating timestamps of various events extracted from memory to reconstruct the sequence of actions.
  o String Searching: Searching the memory image for specific strings (e.g., URLs, IP addresses, file names, keywords) that might be relevant to the investigation.
  o YARA Rule Scanning: Using YARA rules (pattern matching rules) to identify known malware signatures or indicators of compromise within the memory image.
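The process-listing and rootkit-detection items above rest on one idea: a list-walking view (pslist) can be fooled by unlinking a process structure, while a carving view (psscan) finds every structure still in memory, so the two are compared. The following is an added example for these notes, not Volatility code; it works on constructed (pid, ppid, name) records of the shape those plugins print, finds processes present only in the carved view, builds a pstree-style listing, and checks a few well-known parent/child pairings. The expected-parent table and all records are constructed for illustration.

```python
from collections import defaultdict

# Constructed (pid, ppid, name) records as a process-list plugin would print.
PSLIST = [
    (4, 0, "System"), (368, 4, "smss.exe"), (480, 368, "csrss.exe"),
    (520, 368, "wininit.exe"), (612, 520, "services.exe"),
    (640, 520, "lsass.exe"), (1804, 612, "svchost.exe"),
    (2360, 1804, "explorer.exe"), (3120, 2360, "notepad.exe"),
]
# The carved view finds one process the linked list does not contain.
PSSCAN = PSLIST + [(3244, 2360, "updater.exe")]

# Parent a well-known Windows process is expected to have (constructed table).
EXPECTED_PARENT = {"smss.exe": "system", "csrss.exe": "smss.exe",
                   "wininit.exe": "smss.exe", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe"}

def hidden_processes(pslist, psscan):
    """PIDs present in the carved view but absent from the linked-list view."""
    listed = {pid for pid, _, _ in pslist}
    return sorted((pid, name) for pid, _, name in psscan if pid not in listed)

def unexpected_parents(procs, expected=EXPECTED_PARENT):
    """Processes whose actual parent differs from the expected one."""
    name_of = {pid: name for pid, _, name in procs}
    flagged = []
    for pid, ppid, name in procs:
        want = expected.get(name.lower())
        parent = name_of.get(ppid, "?").lower()
        if want and parent != want:
            flagged.append((pid, name, parent))
    return flagged

def process_tree(procs):
    """Indented parent/child listing in the style of a pstree plugin."""
    name_of = {pid: name for pid, _, name in procs}
    children = defaultdict(list)
    for pid, ppid, _ in procs:
        children[ppid].append(pid)
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"{name_of[pid]} ({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)
    # roots are processes whose parent is not itself in the listing
    for root in sorted(pid for pid, ppid, _ in procs if ppid not in name_of):
        walk(root, 0)
    return lines
```

A psscan-only entry is a candidate, not a verdict: recently exited processes also linger in memory as carvable structures, so each hit still needs its exit time and memory regions examined.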

Memory forensics provides a unique and valuable perspective on the state of a system at a
specific moment, often revealing malicious activities that leave little or no trace on the file
system. It is an essential component of a comprehensive cyber forensic investigation.
