Class 2
Network Forensics
Traditional digital forensics primarily focuses on locating evidence on compromised endpoints, particularly within a system's storage, to investigate criminal activities
Network-based evidence plays a crucial role in incident investigations by providing a secondary source of event corroboration, which aids in determining the underlying cause of the incident and complements the examination of host-based evidence
Switches - Access Layer
Switches are widely present throughout enterprise networks. Incident responders can use the CAM table to map physical ports to connected devices, which aids in the identification of rogue devices
Switches can also capture network traffic if they were set up to mirror or monitor ports
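The port-to-device mapping described above, as an added example that is not part of the original notes: it parses the text of a Cisco-style "show mac address-table" (the table below is constructed sample data, not output from a real switch), maps each port to the MAC addresses learned on it, and flags ports that carry several MACs, which on a normal access port points at an unmanaged switch, hub or rogue device behind it. The "two or more MACs" threshold is an assumption for a typical user port, not a standard.

```python
# Added example (not from the original notes): parse a Cisco-style
# "show mac address-table" and map switch ports to learned MAC addresses,
# flagging ports with several MACs. The table text is constructed sample data.
import re
from collections import defaultdict

SAMPLE_CAM_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4477    DYNAMIC     Gi1/0/7
  10    0011.2233.4488    DYNAMIC     Gi1/0/7
  10    0011.2233.4499    DYNAMIC     Gi1/0/7
  20    00aa.bbcc.dd01    STATIC      Gi1/0/24
Total Mac Addresses for this criterion: 6
"""

# One CAM entry: VLAN, dotted-hex MAC, entry type, port name
CAM_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\w+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)

def parse_cam_table(text):
    """Return a dict port -> list of (vlan, mac, type) entries learned on it."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = CAM_LINE.match(line)
        if m:   # header, separator and summary lines do not match
            ports[m["port"]].append((int(m["vlan"]), m["mac"].lower(), m["type"].upper()))
    return dict(ports)

def find_port_for_mac(ports, mac):
    """Locate the physical port a MAC was learned on (None if it is not in the table)."""
    mac = mac.lower()
    for port, entries in ports.items():
        if any(entry[1] == mac for entry in entries):
            return port
    return None

def ports_with_multiple_macs(ports, min_macs=2):
    """Access ports normally learn a single MAC; min_macs is an assumed threshold
    above which a port deserves a closer look (unmanaged switch, hub, rogue device)."""
    return sorted(port for port, entries in ports.items() if len(entries) >= min_macs)

if __name__ == "__main__":
    table = parse_cam_table(SAMPLE_CAM_TABLE)
    for port in sorted(table):
        print(port, [mac for _, mac, _ in table[port]])
    print("ports with several MACs:", ports_with_multiple_macs(table))
```

The same parser works on a table exported from a real switch once the output is saved to a file; trunk and uplink ports will legitimately show many MACs, so compare flagged ports against the topology diagram before calling a device rogue.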
Routers
Routers connect LANs together. They can provide evidentiary information through their routing tables and logs of allowed traffic and data flows, and offer NetFlow data for analyzing the IPs, ports, and protocols of network traffic.
NetFlow is Cisco's implementation for tracking conversations on the network. Other vendors have the same feature under different names
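The kind of analysis the flow data supports, as an added example that is not part of the original notes: it summarises flow records (the CSV layout and the records themselves are constructed sample data, not a real NetFlow export) into the views an incident responder usually wants: top talkers by bytes, which destination ports and protocols are in use, and which internal host pushed an unusual volume to a single external address. The internal address ranges and the byte threshold are assumptions that would come from your own environment and baseline.

```python
# Added example (not from the original notes): summarise NetFlow-style flow
# records. The CSV layout, the records and the thresholds are constructed.
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed flow records: start,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
SAMPLE_FLOWS = """\
2024-05-01T09:00:01,TCP,10.1.1.20,51234,10.1.1.5,445,40,6000
2024-05-01T09:00:05,UDP,10.1.1.20,53211,10.1.1.2,53,2,180
2024-05-01T09:00:09,TCP,10.1.1.21,50322,203.0.113.10,443,120,95000
2024-05-01T09:01:10,TCP,10.1.1.30,49800,198.51.100.7,443,9000,52000000
2024-05-01T09:02:15,TCP,10.1.1.30,49801,198.51.100.7,443,8800,51000000
2024-05-01T09:03:00,TCP,10.1.1.22,50100,203.0.113.10,443,60,30000
"""

FIELDS = ["start", "proto", "src_ip", "src_port", "dst_ip", "dst_port", "packets", "bytes"]

# Assumed internal ranges; in practice take these from the network diagram
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse CSV flow records into dicts with numeric ports, packets and bytes."""
    flows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        for key in ("src_port", "dst_port", "packets", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows

def bytes_by_source(flows):
    """Total bytes sent per source IP, largest first (the 'top talkers' view)."""
    totals = Counter()
    for f in flows:
        totals[f["src_ip"]] += f["bytes"]
    return totals.most_common()

def dst_port_summary(flows):
    """Flows per (protocol, destination port): which services are actually in use."""
    return Counter((f["proto"], f["dst_port"]) for f in flows)

def outbound_volume_outliers(flows, threshold_bytes=50_000_000):
    """Internal sources that sent more than threshold_bytes to one external IP.
    threshold_bytes is an assumed tuning value; derive it from your own baseline."""
    per_pair = defaultdict(int)
    for f in flows:
        if is_internal(f["src_ip"]) and not is_internal(f["dst_ip"]):
            per_pair[(f["src_ip"], f["dst_ip"])] += f["bytes"]
    return sorted((pair, total) for pair, total in per_pair.items() if total > threshold_bytes)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("top talkers:", bytes_by_source(flows)[:3])
    print("destination ports:", dst_port_summary(flows))
    print("outbound volume outliers:", outbound_volume_outliers(flows))
```

Flow records carry no payload, so a large outbound total to a single external host is a lead to confirm against proxy logs or a packet capture, not a finding on its own.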
Firewalls
NGFWs offer advanced features such as intrusion detection, web filtering, DLP and detailed logging of traffic. They can be signature or anomaly-based.
IDS/IPS
An IDS monitors network traffic passively and alerts administrators about detections. An IPS monitors traffic, alerts administrators, AND blocks traffic if it deems it malicious in any way. This is signature-based
Web Proxies, Domain Controllers, DHCP Servers and Application Servers
Web proxies - control web interactions; provide enterprise-wide web traffic insights; alert on connections to malicious servers
Domain controllers - authentication server; hold details of logins, credential manipulation and credential usage; logs on remote connections
DHCP servers - assign IPs dynamically; maintain logs for tracking specific devices
Application servers - host various applications; logs specific to each application type
Keeping an up-to-date and detailed network topology/diagram is crucial for incident responders for network incident investigations
Configurations of devices
Having the standard configurations for all the network devices in the network readily available can help with determining whether or not modifications were made by attackers.
These configurations should also be stored for disaster recovery purposes.
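The baseline comparison described above, as an added example that is not part of the original notes: it diffs a device's current configuration against the stored standard configuration and reports the statements that were added or removed. Both configurations are constructed samples in a Cisco-like syntax, not output from a real device; the drift shown (an extra management ACL permit from an outside range and a removed logging host) is invented to illustrate what the comparison surfaces.

```python
# Added example (not from the original notes): report drift between a stored
# baseline configuration and the running configuration. Both configs are
# constructed samples.
import difflib

BASELINE_CONFIG = """\
hostname core-sw1
!
interface GigabitEthernet1/0/24
 description uplink-to-core
 switchport mode trunk
!
ip access-list extended MGMT
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 deny ip any any
!
logging host 10.1.1.50
snmp-server community ro-only RO
"""

RUNNING_CONFIG = """\
hostname core-sw1
!
interface GigabitEthernet1/0/24
 description uplink-to-core
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 switchport port-security maximum 5
!
ip access-list extended MGMT
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
 deny ip any any
!
snmp-server community ro-only RO
"""

def normalise(config_text):
    """Drop blank lines, '!' separators and trailing whitespace so the diff
    only reflects meaningful configuration statements."""
    return [ln.rstrip() for ln in config_text.splitlines()
            if ln.strip() and ln.strip() != "!"]

def config_drift(baseline, running):
    """Return {'added': [...], 'removed': [...]} for the running config
    relative to the baseline, in the order the lines appear."""
    diff = difflib.unified_diff(normalise(baseline), normalise(running), lineterm="", n=0)
    added, removed = [], []
    for line in diff:
        if line.startswith(("+++", "---", "@@")):   # file and hunk headers
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {"added": added, "removed": removed}

if __name__ == "__main__":
    drift = config_drift(BASELINE_CONFIG, RUNNING_CONFIG)
    for kind in ("added", "removed"):
        for line in drift[kind]:
            print(f"{kind:>7}: {line}")
```

Run this across every device in the topology against the configurations stored for disaster recovery; a removed logging or SNMP target is worth as much attention as an added rule, since losing telemetry is one of the first things an intruder on a network device achieves.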
Network Discovery Tools
Netdiscover
Nmap
Shodan.io (kinda lol)
Netdiscover
Netdiscover uses ARP requests to find devices
Nmap
Packet Capture
Capturing network traffic is very important for understanding how incidents went down and can help identify suspicious activity like data exfiltration or C2 traffic.
Network taps can be setup between compromised hosts and switches to capture traffic
tcpdump
Wireshark
WinPcap and RawCap
WinPcap and RawCap
WinPcap and RawCap can be used for capturing packets on Windows machines after an incident.
WinPcap is a widely recognized standard for Windows packet captures but requires installation on the system (which can be problematic)
RawCap can be run directly from a USB drive to avoid those problems
Mergecap
Mergecap can be used to merge multiple pcap files together for analysis
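What merging captures actually involves, as an added example that is not part of the original notes or of the Wireshark project's code: a minimal reader and writer for the classic libpcap file format (the format tcpdump writes by default; pcapng, which Wireshark writes by default, and big-endian files are deliberately rejected here) and a merge that interleaves the records of several captures in timestamp order, which is mergecap's default behaviour. The two "captures" are constructed from placeholder bytes, not traffic from real taps.

```python
# Added example (not from the original notes): read, write and chronologically
# merge classic libpcap files. The sample captures are constructed placeholders.
import struct

PCAP_MAGIC = 0xA1B2C3D4               # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def write_pcap(records, snaplen=65535):
    """records: iterable of (ts_sec, ts_usec, packet_bytes). Returns the file's bytes."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for sec, usec, data in records:
        out += RECORD_HDR.pack(sec, usec, len(data), len(data)) + data
    return bytes(out)

def read_pcap(blob):
    """Parse file bytes into (linktype, [(ts_sec, ts_usec, packet_bytes), ...])."""
    magic, _major, _minor, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng/big-endian not handled here)")
    records, off = [], GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(blob):
        sec, usec, incl, _orig = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if off + incl > len(blob):
            # A capture stopped mid-write (full disk, killed tcpdump) ends like this
            raise ValueError("truncated record at offset %d" % off)
        records.append((sec, usec, blob[off:off + incl]))
        off += incl
    return linktype, records

def merge_pcaps(blobs):
    """Merge several pcap files in timestamp order (mergecap's default).
    All inputs must share one link type, as mergecap also requires."""
    linktypes, merged = set(), []
    for blob in blobs:
        linktype, recs = read_pcap(blob)
        linktypes.add(linktype)
        merged.extend(recs)
    if len(linktypes) != 1:
        raise ValueError("mixed link types %r cannot be merged as-is" % sorted(linktypes))
    merged.sort(key=lambda r: (r[0], r[1]))   # stable sort keeps per-file order on ties
    return write_pcap(merged)

# Constructed sample captures from two taps; payloads are placeholder bytes
TAP_A = write_pcap([(1714554000, 100000, b"A1" * 30), (1714554002, 0, b"A2" * 30)])
TAP_B = write_pcap([(1714554001, 500000, b"B1" * 30), (1714554003, 0, b"B2" * 30)])

if __name__ == "__main__":
    _, merged = read_pcap(merge_pcaps([TAP_A, TAP_B]))
    for sec, usec, data in merged:
        print(sec, usec, data[:2])
```

A merge is only as good as the clocks on the capturing hosts: records are interleaved by the timestamp each tap wrote, so capture points that were not time-synchronised will produce a misleading order, which is worth noting in the evidence documentation.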
Remote Evidence Collection
The preferred method for acquiring data is direct contact with the suspect system. However, geographical constraints can limit this approach in larger organizations.
In remote acquisition, the same tools are used, but system access and capture go through remote-access technology. Documentation needs to be much more extensive for this
Velociraptor
Essentially a managed C2 server that can control endpoints that have agents installed on them.