Class 2

Network Forensics

  • Traditional digital forensics primarily focuses on locating evidence on compromised endpoints, particularly within a system's storage, to investigate criminal activities

  • Network-based evidence plays a crucial role in incident investigations by providing a secondary source of event corroboration, which aids in determining the underlying cause of the incident and complements the examination of host-based evidence

Switches - Access Layer

Switches are widely present throughout enterprise networks. Incident responders can use the CAM (content addressable memory) table, which records which MAC address was seen on which physical port, to map ports to connected devices, aiding in the identification of rogue devices

Switches can also capture network traffic if port mirroring or monitoring (e.g. a SPAN port) has been configured on them

Routers

Routers connect LANs together. They can provide evidentiary information through their routing tables, logs of allowed traffic and data flows, and NetFlow data for analyzing the IPs, ports, and protocols of network traffic.

NetFlow is Cisco's implementation for tracking conversations on the network. Other vendors have the same feature under different names.

Firewalls

NGFWs offer advanced features such as intrusion detection, web filtering, DLP and detailed logging of traffic. They can be signature or anomaly-based.

IDS/IPS

An IDS monitors network traffic passively and alerts administrators about detections. An IPS monitors traffic, alerts administrators, AND blocks traffic if it deems it malicious in any kind of way. This detection is signature-based

Web Proxies, Domain Controllers, DHCP Servers and Application Servers

Web Proxies
  • Function: control web interactions
  • Evidence: provide enterprise-wide web traffic insights; alert on connections to malicious servers

Domain Controllers
  • Function: authentication server
  • Evidence: hold details of logins, credential manipulation and credential usage; logs on remote connections

DHCP Servers
  • Function: assign IPs dynamically
  • Evidence: maintain logs for tracking specific devices

Application Servers
  • Function: host various applications
  • Evidence: logs specific to each application type

Keeping an up-to-date and detailed network topology/diagram is crucial for incident responders for network incident investigations

Configurations of devices

Having the standard configurations for all the network devices in the network readily available can help with determining whether or not modifications were made by attackers.

These configurations should also be stored for disaster recovery purposes.

Network Discovery Tools

  • Netdiscover

  • Nmap

  • Shodan.io (kinda lol)

Netdiscover

netdiscover -i <int> -r <network+mask>

Netdiscover uses ARP requests to find devices

Nmap

nmap <network+mask>
nmap -p- --min-rate=1000 <IP>
nmap -p <ports> -sC -sV <IP>

Packet Capture

Capturing network traffic is very important for understanding how an incident went down and can help identify suspicious activity like data exfiltration or C2 traffic.
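As an added example (not part of the original notes), the script below applies the NetFlow idea from the Routers section to the exfiltration and C2 question raised here: it runs over a small set of constructed flow records and flags internal hosts with unusually large uploads to outside addresses, and internal-to-external connections that recur at near-constant intervals (the beaconing shape of C2 check-ins). The internal address ranges are an assumption; in practice they come from the network diagram.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (not real traffic), shaped like a NetFlow export:
# (start_time_s, src_ip, dst_ip, dst_port, proto, bytes_sent).
FLOWS = [
    (0,    "10.0.0.5", "203.0.113.7",  443,  "tcp", 400_000_000),
    (60,   "10.0.0.5", "203.0.113.7",  443,  "tcp", 350_000_000),
    (10,   "10.0.0.8", "198.51.100.3", 8443, "tcp", 1_200),
    (310,  "10.0.0.8", "198.51.100.3", 8443, "tcp", 1_180),
    (612,  "10.0.0.8", "198.51.100.3", 8443, "tcp", 1_210),
    (905,  "10.0.0.8", "198.51.100.3", 8443, "tcp", 1_190),
    (1205, "10.0.0.8", "198.51.100.3", 8443, "tcp", 1_230),
    (20,   "10.0.0.9", "10.0.0.1",     445,  "tcp", 9_000),
]
# Assumed address plan; take it from the network topology diagram in practice.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def outbound_bytes(flows):
    """Bytes each internal host sent to destinations outside the enterprise."""
    totals = defaultdict(int)
    for _, src, dst, _, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

def exfil_candidates(flows, threshold=500_000_000):
    """Internal hosts whose external upload volume reaches the threshold."""
    return sorted(h for h, b in outbound_bytes(flows).items() if b >= threshold)

def beacon_candidates(flows, min_flows=5, max_jitter=0.1):
    """(src, dst, port) tuples contacted repeatedly at near-constant intervals."""
    times = defaultdict(list)
    for t, src, dst, port, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, port)].append(t)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        # Low relative jitter between contacts is the classic C2 beacon shape.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append(key)
    return sorted(hits)
```

Thresholds here are illustrative; tune them to the baseline of the network under investigation, and treat a hit as a lead to corroborate against host evidence rather than a verdict.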

Network taps can be set up between compromised hosts and switches to capture traffic

  • tcpdump

  • Wireshark

  • WinPcap and RawCap

WinPcap and RawCap

  • WinPcap and RawCap can be used for capturing packets on Windows machines after an incident.

  • WinPcap is a widely recognized standard for Windows packet captures but requires installation on the system (which can be problematic, since installing software on a compromised host alters it)

  • RawCap can be run directly from a USB drive to avoid those problems

Mergecap

Mergecap can be used to merge multiple pcap files together for analysis

mergecap -w switches.pcap switch1.pcap switch2.pcap switch3.pcap 

Remote Evidence Collection

The preferred method for acquiring data is direct contact with the suspect system. However, geographical constraints can limit this approach in larger organizations.

In remote acquisition, the same tools are used, but remote-access technology is needed to reach the system and run the capture. Documentation needs to be much more extensive for this

Velociraptor

Essentially a managed C2-style server: endpoints have agents installed on them, and the server can query and control those endpoints to collect evidence remotely.
