Network forensics: Collecting Network Based

Evidence - Investigating Routers - Network

Protocols

FROM: TO:
Himanshu AMAR SARASWAT
2201830014 ASSISTANT
PROFESSOR
School of Engineering & Technology
K.R. Mangalam University, Gurugram (Haryana)
 Network forensics
Network forensics is the process of capturing,
recording, and analyzing network events to
uncover the source of security incidents or
unauthorized activity.

It's a critical aspect of cybersecurity and

digital forensics, focusing on the data moving
across computer networks.

The goal is to collect and preserve evidence

that can be used for investigation and, if
necessary, legal proceedings.
Key Components of Network Forensics
Data Collection

• Packet Capturing: Tools like Wireshark, tcpdump, and NetworkMiner are

used to capture network packets.

• Log Collection: Network devices such as routers, firewalls, and switches

generate logs that record events, traffic patterns, and user activities.
Data Analysis
• Protocol Analysis: Understanding how network protocols
(HTTP, DNS, TCP/IP, etc.) work is crucial in network forensics.

• Anomaly Detection: By analyzing network traffic, forensic

experts can identify deviations from normal behavior, such as
unexpected traffic spikes, communication with known malicious
IP addresses, or unusual access patterns.
 Investigating Network Devices
• Routers and Switches: Investigating
these devices involves examining
configuration files, access control lists
(ACLs).

• Firewalls: Firewalls maintain logs of

traffic allowed or blocked based on
security policies.

• Servers and Endpoints: In some

cases, network forensics also involves
examining logs and traffic on servers.
 Forensic Tools
• Wireshark: A popular tool for capturing and analyzing
network packets. It allows forensic analysts to inspect
individual packets, understand protocol usage, and
identify anomalies.

• tcpdump: A command-line tool for packet capturing. It

provides a quick way to capture and filter network traffic
based on various criteria.

• NetFlow Analyzer: Tools like SolarWinds NetFlow

Traffic Analyzer collect and analyze NetFlow data to
monitor network traffic patterns and identify potential
security issues.

• NetworkMiner: A network forensic analysis tool for

extracting files and credentials from captured network
traffic.
 Evidence Preservation
• Chain of Custody: Properly
documenting the collection, analysis, and
storage of network evidence is crucial for
maintaining its integrity.

• Data Integrity: Ensuring the integrity of

captured data is critical. Techniques such
as hashing are used to verify that
network evidence has not been altered.
 Applications of Network Forensics

• Incident Response: Quickly identifying and mitigating the impact of a

security breach.

• Malware Analysis: Detecting and analyzing malware activity within a

network.

• Data Exfiltration: Identifying unauthorized data transfers and potential

data breaches.

• Intrusion Detection: Spotting unauthorized access attempts and network

intrusions.

• Legal Investigations: Collecting evidence for legal cases involving

cybercrime or policy violations.
Network forensics: Collecting Network Based Evidence

Packet Capture
• Purpose: Capturing network packets provides a detailed view of the data
being transmitted across the network, including the content of
communications and the metadata.
• Tools: Tools like Wireshark, tcpdump, and NetworkMiner are commonly
used for capturing packets. .

Techniques
1. Full Packet Capture: Capturing every packet that passes through a
network interface. This method is data-intensive but provides the most
comprehensive view.
2. Selective Capture: Capturing only traffic related to specific protocols, IP
addresses, or ports to focus on relevant data.
 Log Collection
• Purpose: Logs from network devices, servers, and applications provide records of events and
activities, which are crucial for understanding what happened on the network.

• Routers and Firewalls: These devices log traffic flow, access control events, and potential
intrusions. Router and firewall logs can indicate attempted breaches or unusual traffic patterns.

• Switches: Logs from switches can provide information on network traffic at the data link layer,
including MAC addresses and VLAN activity.
• Servers and Endpoints: Logs from operating systems, applications, and security software can
provide additional context for network activities.
 Network Flow Data
• Purpose: Network flow data provides a high-level summary
of traffic patterns, including information about
communication between IP addresses and ports over time.
Types:
• NetFlow: Developed by Cisco, NetFlow records information
about IP traffic flows, such as source/destination IP
addresses, ports, and protocols.

• IPFIX: An IETF standard based on NetFlow, providing

similar flow information.

• sFlow: Provides statistical sampling of packets passing

through a network device, giving an overview of traffic
flows.
 Artifact Collection
• Purpose: Network artifacts, such as ARP tables, DNS records, and DHCP
leases, provide context for network activities and help identify devices on
the network.

Examples:
• ARP Tables: Show the mapping between IP addresses and MAC
addresses, which can help identify devices on the network.

• DNS Logs: Record DNS queries and responses, which can be used to
track domain lookups and identify potential command and control (C2)
communications in malware infections.
 Network Device Configuration Files
• Purpose: Configuration files from routers, switches, and
firewalls can provide evidence of how a network was set up,
including security policies, access control lists (ACLs), and
routing protocols.

• Techniques:

• Configuration Backups: Regularly backing up configuration

files helps in comparing changes over time to identify
unauthorized modifications.
Best Practices for Collecting Network-Based Evidence

• Ensure Proper Legal Authorization: Ensure that you have the

necessary legal authority and consent to capture network traffic
and access logs, to comply with privacy laws and organizational
policies.

• Use Timestamp Synchronization: Ensure all devices and logs

are time-synchronized using NTP (Network Time Protocol) to
maintain accurate timelines for events.
Network forensics- Investigating Routers

• Investigating routers is a crucial

aspect of network forensics as routers
play a central role in directing traffic
and enforcing network security
policies.

• Here’s an overview of the key

concepts involved in router
investigation within network forensics
 Understanding Routers in Network Forensics
• Role of Routers: Routers connect
different networks by directing data
packets to their destinations. They
manage traffic between internal and
external networks, making them
critical points for monitoring and
securing data flow.

• Forensic Significance: Routers log

various activities such as traffic flow,
access attempts, and configuration
changes, providing valuable evidence
for forensic investigations.
 Types of Evidence Collected from Routers

• Traffic Logs: Routers can log data about the traffic that passes
through them, including source and destination IP addresses,
ports, and protocols used.

• Configuration Files: These contain settings such as access

control lists (ACLs), routing tables, and network address
translation (NAT) configurations.

• Event Logs: Record administrative actions, configuration

changes, and system events that could indicate unauthorized
access or network anomalies.
 Investigating Router Logs
• Access Logs: Show which devices and users accessed the
router and when. These logs can help identify unauthorized
access attempts or successful breaches.

• Traffic Flow Analysis: By examining logs of incoming and

outgoing traffic, investigators can detect anomalies such as
unusual data transfers, connections to known malicious IP
addresses, or unexpected protocols.
 Analyzing Router Configuration
• Access Control Lists (ACLs): Define rules that control incoming and
outgoing traffic based on IP addresses, ports, and protocols.

• NAT and PAT Configurations: Network Address Translation (NAT) and

Port Address Translation (PAT) hide internal IP addresses from external
networks.
 Investigating Routing Tables
• Route Analysis: Routing tables determine the paths that data
packets take through the network. By analyzing these tables,
investigators can identify unauthorized route changes or traffic
redirection.
• Dynamic vs. Static Routes: Investigating whether routes are
dynamically or statically configured can provide insights into
how the network is managed and if any anomalies exist.
 Capturing Router Traffic
• Port Mirroring (SPAN): Some routers support port mirroring,
allowing investigators to capture and analyze traffic passing
through the router.
• Flow Data (NetFlow, sFlow): Collecting flow data provides a
summary of network traffic patterns, helping identify unusual
data flows or potential exfiltration events.
 Tools for Router Forensics
• Syslog Servers: Collect and centralize logs from routers for
easier analysis. Popular tools include Graylog and Splunk.

• Configuration Management Tools: Tools like SolarWinds

Network Configuration Manager help track changes in router
configurations over time.

• Packet Analyzers: Wireshark and tcpdump can be used to

capture and analyze traffic flowing through routers.
 Challenges in Router Forensics
• Access Control: Gaining access to
routers requires administrative
privileges, and investigators must
follow legal protocols to avoid violating
privacy or network policies.

• Encryption: Encrypted traffic poses a

challenge for analysis, as packet
content cannot be easily inspected
without decryption keys.
Best Practices for Router Investigation

• Documenting the Configuration: Regularly document router

configurations and maintain backups to compare with current
settings during an investigation.
• Timestamp Synchronization: Ensure routers are synchronized
with a network time protocol (NTP) server to maintain accurate
timestamps in logs.
• Log Retention and Security: Implement log retention policies
and secure log storage to preserve evidence integrity.
 Case Studies and Examples
• Incident Analysis: Investigating how an attacker exploited a
misconfigured router to gain unauthorized access to a network.

• Data Exfiltration: Detecting and analyzing a case where

sensitive data was exfiltrated through a router using unusual
traffic patterns.

• Router Malware: Examining how malware targeting routers can

change configurations to enable further attacks.
Network forensics:- Network Protocols
Network protocols play a crucial role in network forensics as they
define the rules and conventions for data communication over a
network.
Understanding these protocols is essential for analyzing traffic,
detecting anomalies, and identifying security incidents.
 Understanding Network Protocols in Forensics

• Definition: Network protocols are sets of rules that dictate how

data is transmitted, received, and interpreted over a network.
• Importance in Forensics: Analyzing protocol-level data helps
investigators understand the nature of network traffic, identify
suspicious activities, and reconstruct events.
Common Network Protocols and Their Forensic Significance

• TCP/IP (Transmission Control Protocol/Internet Protocol):

• TCP: Establishes reliable connections between devices. Forensic analysis
focuses on sequence numbers, flags, and sessions to detect anomalies
like spoofing or session hijacking.
• IP: Handles addressing and routing. IP headers are analyzed for source
and destination addresses, TTL values, and fragmentation, which can
indicate attempts to evade detection.
UDP (User Datagram Protocol)

• UDP is a Transport Layer protocol. UDP is a part of the Internet Protocol

suite, referred to as UDP/IP suite. Unlike TCP, it is an unreliable and
connectionless protocol.
• So, there is no need to establish a connection before data transfer.

• The UDP enables process-to-process communication.

HTTP (Hypertext Transfer Protocol )

The Hypertext Transfer Protocol (HTTP) is the foundation of the World Wide
Web, and is used to load webpages using hypertext links.
HTTP is an application layer protocol designed to transfer information
between networked devices and runs on top of other layers of the network
protocol stack.
HTTPS

• HTTPS stands for Hypertext Transfer Protocol Secure, and it's a

security protocol that encrypts data sent between a web browser and
a website.
• HTTPS is an extension of the Hypertext Transfer Protocol (HTTP), and
it's the standard for securing users' data on websites.
DNS (Domain Name System)
• The Domain Name System (DNS)
turns domain names into IP addresses,
which browsers use to load internet
pages.

• Every device connected to the internet

has its own IP address, which is used
by other devices to locate the device.
FTP/FTPS (File Transfer Protocol / Secure)

• FTPS (File Transfer Protocol Secure) is

an extension of the popular File Transfer
Protocol that supports Transport Layer
Security (TLS) and the new defunct
Secure Sockets Layer (SSL).

• Broadly speaking, FTPS is a secure file

transfer protocol that allows businesses
to connect securely with their trading
partners, users, and customers.
SMTP/IMAP/POP3 (Email Protocols)
• SMTP stands for Simple Mail Transfer
Protocol and it’s the industry standard
protocol for email sending.

• The key thing to keep in mind when

thinking about whether to use SMTP
or IMAP, is that SMTP is about
sending email. So, if you’re looking to
enable email sending within your
application, then you’ll want to go
ahead with using SMTP over IMAP.
ICMP (Internet Control Message Protocol)
• The Internet Control Message Protocol (ICMP) is a protocol that devices
within a network use to communicate problems with data transmission.

• This makes ICMP an important aspect of the error reporting process and
testing to see how well a network is transmitting data.
SNMP (Simple Network Management Protocol):
• Simple Network Management Protocol
(SNMP) is a widely used protocol for
network management that provides a
standardized framework for monitoring and
managing network devices such as
routers, switches, servers, and printers.

• It operates within the application layer of

the Internet protocol suite and allows
network administrators to manage network
performance, find and solve network
problems, and plan for network growth.
 Protocol Analysis in Network Forensics
• Deep Packet Inspection (DPI):
Involves examining packet headers and payloads to identify the nature of
traffic. DPI can detect protocol misuse, hidden data in non-standard fields, or
signature-based threats.

• Protocol Anomaly Detection:

Identifying deviations from normal protocol behavior, such as unexpected
port numbers, malformed packets, or unusual sequence of commands.

• Signature-Based Detection:
Using known patterns of malicious traffic for specific protocols (e.g., exploit
signatures, malware C2 communication) to detect threats.
 Encrypted Traffic and Forensics
• Challenges:
Encryption (e.g., SSL/TLS) can obscure payloads, making it difficult to
inspect the content of communications.

• Analysis Techniques:
Metadata Inspection: Analyzing unencrypted portions like headers,
certificates, and handshake messages for anomalies.

• SSL/TLS Decryption: Where lawful and possible, decrypting traffic

using keys to inspect contents (e.g., using network security ).
 Using Network Protocols for Incident Response
• Reconstructing Events:
Analyzing network protocols helps reconstruct the timeline of events, such
as the order of connections, data transfers, and communications.

• Identifying Attacks:
• Protocol analysis can reveal various types of attacks, including:

• Man-in-the-Middle (MITM):
Interception of communications.
Using Network Protocols for Incident Response

• DDoS: Unusual traffic patterns using protocols like UDP or

ICMP.

• SQL Injection or XSS:

Malicious payloads in HTTP requests.

• Tracing Malicious Activity:

Tracking the source of an attack or the path of data exfiltration
using IP addresses, port numbers, and routing information within
protocols.
 Tools for Protocol Analysis
• Wireshark:
A powerful network protocol analyzer that allows for detailed inspection of
traffic at the packet level, including the ability to decode a wide variety of
protocols.

• tcpdump:
Command-line packet analyzer for capturing and analyzing network packets.
Useful for quick analysis and scripting.
Tools for Protocol Analysis

• Snort/Suricata:
Network intrusion detection systems (NIDS) that use predefined
rules to detect malicious activity at the protocol level.

• Bro/Zeek:
A network analysis framework that provides high-level analysis of
network traffic, including protocol analysis and anomaly
detection.
 Case Studies and Examples
• Malware Communication:
How malware uses protocols like HTTP/HTTPS or DNS for C2
communication, avoiding detection by mimicking normal traffic.

• Data Exfiltration:
Use of protocols such as FTP or HTTP to exfiltrate sensitive data from the
network, often hidden within legitimate-looking traffic.

• Network Scanning and Reconnaissance:

Attackers use ICMP, TCP, and UDP to perform network discovery and
scanning. Analysis of these protocols can identify reconnaissance activities.
 Challenges and Considerations

• High Volume of Data: Network forensics involves analyzing large volumes

of traffic data, which can be resource-intensive.

• Encryption and Privacy: Balancing the need for deep inspection with
privacy concerns and encryption challenges.

• Real-Time Analysis: The need for real-time or near-real-time analysis to

quickly respond to active threats.
Best Practices for Protocol Analysis in Forensics
• Comprehensive Logging: Ensure that network devices log
sufficient protocol-level data for forensic analysis.

• Use of Threat Intelligence: Incorporating threat intelligence

feeds to identify known malicious IP addresses, domains, or
signatures within protocol analysis.

• Regular Monitoring and Baseline Creation: Establish normal

traffic patterns to identify anomalies and deviations in protocol
usage.
 THANK YOU

School of Engineering & Technology

K.R. Mangalam University, Gurugram (Haryana)