Learning Network Forensics

By : Samir Datt

Overview of this book

We live in a highly networked world. Every digital device, whether phone, tablet, or computer, is connected to the others in one way or another, and with this new age of connected networks comes network crime. Network forensics is the brave new frontier that lets digital investigators and information security professionals extend their abilities to catch miscreants on the network. The book starts with an introduction to the world of network forensics and investigations. You will begin by learning how to gather both physical and virtual evidence, intercept and analyze network data and wireless packets, investigate intrusions, and so on. You will then explore the technology, tools, and investigative methods, covering malware forensics, network tunneling, and attacker behaviors. By the end of the book, you will have a complete understanding of how to successfully close a case.
Table of Contents (17 chapters)
Learning Network Forensics
About the Author
About the Reviewers

Identifying threats to the enterprise

Based on the source of the threat, attacks can be broadly classified into the following types:

  • Internal

  • External

  • Hybrid

Internal threats

Threats or attacks that originate from within the network or organization are classified as internal threats. These can be intentional or unintentional.

Typically, such threats involve an insider with mala fide intent, insider knowledge, and/or access. This insider is looking to steal, misuse, modify, corrupt, or destroy enterprise resources. Quite naturally, the insider has no intention of getting caught and hence makes every attempt to cover their tracks. However, as we will see later in this chapter, every interaction with the crime scene leaves a trace, as per Locard's exchange principle.

Weak and ill-defined rules, network policies, security systems, and so on aid and abet such insiders. Unlimited and unmonitored user access to network resources and data is a sure recipe for disaster. Improperly implemented controls, haphazardly assigned permissions, unsecured physical access to server rooms, and poor password hygiene all contribute to serious threats to network resources.

External threats

External threats are those that originate from outside the perimeter of the network. They can come from individuals, groups, or even governments. A spate of network attacks worldwide has been traced to state actors such as China, North Korea, and even the USA. Edward Snowden's revelations have opened everyone's eyes to the real threat of state-sponsored surveillance.

External threats come in all shapes and sizes. Just like internal threats, they can be intentional or unintentional. There are all sorts of people out there who want to get into your network. Some want the information you store, some want to shut your network down, some do it because they did not like the statement your company's CEO gave out last Wednesday, and some do it just because they can. Let's leave motivations aside for the moment. I say for the moment because part of a network forensics investigation is answering the why of the equation at a later stage.

Any outsider wanting access to your network has to carry out a number of concrete steps before they can gain access of any sort. It's best to be disabused of the notion that, like in the movies, a hacker sits before his computer, starts typing, and has Administrator-level access within a couple of minutes. That is unadulterated fiction.

The first step any attacker has to take is to reconnoiter the target. Just as an accomplished thief will case the neighborhood to identify potential targets, locate their weak spots, plan the right time to break in, and figure out a way to get in, any criminal intending to get into a network goes through a similar process, called footprinting. Footprinting consists of a number of information-gathering steps, followed by scanning for open TCP and UDP ports that may be exploitable. The attacker then attempts to obtain a password by means such as social engineering, password lists, brute forcing, or rainbow tables (the last used against captured password hashes); password discovery of this kind is the most laborious way into the network. Another route is to exploit a weakness such as an unpatched OS: run an exploit against the vulnerable software to gain initial access, then escalate privileges to administrator level.

Once in, the accomplished spy will not do anything to give away the fact that they have administrator-level access. It is only script kiddies or publicity-hungry hackers that go ahead to deface websites to earn their two minutes of fame or notoriety.

The attacker's next objective is to create a backdoor for uninterrupted access and to take every precaution to cover their tracks.

It can be months and, in some cases, years before an intrusion of such sort can be discovered or detected. That is the holy grail of the attacker. Spying undetected! Forever!

However, that is exactly where you come in, Mr. 007. You have to figure out what's going on in the network. At times, this needs to be done extremely covertly. Once the data breach is detected, you need to go into your licensed to kill mode to identify such intrusions and gather all the evidence of the related processes!

You need to identify the perpetrator, interrogate him or the witnesses (forensic interrogation of data packets, media, and memory) to identify the what, when, where, why, and how.
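The traces that footprinting and password guessing leave in connection records are where such an investigation usually starts. The following is an added example, not code from the book or its author: it reads constructed connection records (a tab-separated subset of the columns Zeek writes to conn.log, not captured traffic) and flags two footprints of the process described above, one source touching many distinct ports or hosts within a short window (a port or host sweep, mostly rejected or unanswered) and one source opening many connections to a single authentication service (password guessing). The window length, thresholds, port list and sample addresses are assumptions chosen for the example, and the detector generalizes beyond the single-host port scan in the text to horizontal sweeps of one port across many hosts.

```python
"""Spotting reconnaissance and password-guessing traces in connection records.

Added example, not from the book. Input is a tab-separated subset of Zeek's
conn.log columns (ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto,
conn_state); window, thresholds and sample hosts are assumptions.
"""
from collections import defaultdict

WINDOW_SECONDS = 60
SCAN_DISTINCT_TARGETS = 15   # distinct (host, proto, port) from one source within the window
BRUTE_ATTEMPTS = 20          # connections from one source to one auth service within the window
AUTH_PORTS = {22, 23, 445, 3389, 5900}   # services commonly targeted for password guessing


def parse_conn_log(text):
    """Parse records; '#'-prefixed Zeek-style header lines are skipped. Returns ts-sorted dicts."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, state = line.split("\t")
        records.append({"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
                        "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto,
                        "state": state})
    records.sort(key=lambda r: r["ts"])
    return records


def find_scans(records, window=WINDOW_SECONDS, threshold=SCAN_DISTINCT_TARGETS):
    """Per source, slide a time window and count distinct (resp_h, proto, resp_p) targets.
    Catches vertical scans (many ports, one host) and horizontal sweeps (one port, many hosts).
    Returns {orig_h: (window_start_ts, distinct_targets, unanswered_or_rejected)}."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["orig_h"]].append(r)
    alerts = {}
    for src, recs in by_src.items():
        lo, best, first_ts, unanswered = 0, 0, None, 0
        for hi in range(len(recs)):
            while recs[hi]["ts"] - recs[lo]["ts"] > window:
                lo += 1
            win = recs[lo:hi + 1]                       # recounted each step; fine for an example
            targets = {(r["resp_h"], r["proto"], r["resp_p"]) for r in win}
            if len(targets) > best:
                best, first_ts = len(targets), win[0]["ts"]
                # S0 = no reply seen, REJ = rejected: the signature of probing closed ports
                unanswered = sum(1 for r in win if r["state"] in ("S0", "REJ"))
        if best >= threshold:
            alerts[src] = (first_ts, best, unanswered)
    return alerts


def find_password_guessing(records, window=WINDOW_SECONDS, threshold=BRUTE_ATTEMPTS,
                           ports=AUTH_PORTS):
    """Per (orig_h, resp_h, resp_p) flow to an auth port, count connections in a sliding window.
    Returns {(orig_h, resp_h, resp_p): (window_start_ts, attempts)}."""
    by_flow = defaultdict(list)
    for r in records:
        if r["resp_p"] in ports:
            by_flow[(r["orig_h"], r["resp_h"], r["resp_p"])].append(r["ts"])
    alerts = {}
    for flow, stamps in by_flow.items():
        lo, best, first_ts = 0, 0, None
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > best:
                best, first_ts = hi - lo + 1, stamps[lo]
        if best >= threshold:
            alerts[flow] = (first_ts, best)
    return alerts


def build_sample_log():
    """Constructed records (not captured traffic): a port sweep, an SSH guessing burst
    and an ordinary workstation, against hosts in the 192.0.2.0/24 documentation range."""
    rows = []
    # 203.0.113.7 probes tcp/20-49 on 192.0.2.10 in six seconds; only 22 and 25 are open.
    for i, port in enumerate(range(20, 50)):
        state = "SF" if port in (22, 25) else "REJ"
        rows.append((1700000000.0 + i * 0.2, "203.0.113.7", 40000 + i, "192.0.2.10", port, "tcp", state))
    # 198.51.100.5 opens 40 short SSH sessions to the same host within 30 seconds.
    for i in range(40):
        rows.append((1700000100.0 + i * 0.75, "198.51.100.5", 50000 + i, "192.0.2.10", 22, "tcp", "SF"))
    # 192.0.2.50 is a workstation touching a few services over an hour: no alert expected.
    targets = [("192.0.2.10", 445), ("192.0.2.20", 443), ("192.0.2.20", 80), ("192.0.2.30", 53)]
    for i, (host, port) in enumerate(targets):
        rows.append((1700000000.0 + i * 900, "192.0.2.50", 60000 + i, host, port, "tcp", "SF"))
    header = "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state"
    return "\n".join([header] + ["\t".join(str(v) for v in row) for row in rows])


def analyze(text):
    """Run both detectors over one log; returns the alerts keyed by detector."""
    records = parse_conn_log(text)
    return {"scans": find_scans(records), "password_guessing": find_password_guessing(records)}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for src, (ts, n, bad) in result["scans"].items():
        print(f"scan from {src} at {ts:.1f}: {n} distinct targets, {bad} unanswered/rejected")
    for (src, dst, port), (ts, n) in result["password_guessing"].items():
        print(f"password guessing from {src} -> {dst}:{port} at {ts:.1f}: {n} connections")
```

The two detectors deliberately key on different things: a scan is many targets from one source, while password guessing is many connections to one target, so the same 40 SSH connections are not also reported as a scan. On real conn logs the thresholds and window need tuning against the baseline of that network, and a slow scan spread over hours will slip under a 60-second window, which is one reason the text warns that such intrusions can go undetected for months.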

Source of the threat (rows) versus intention (columns):

Internal, intentional:

  • Insider data theft

  • Insider sabotage

  • Information leakage

  • Assistance to outsiders

  • Sexual harassment within the enterprise

  • Tampering with sensitive data

Internal, unintentional:

  • Accidental assistance to outsiders

  • Inadvertently letting malicious software loose on the network

  • Unintentional use of compromised software on a bring your own device (BYOD) system

  • Insiders social engineered into giving away information such as passwords

External, intentional:

  • Targeted phishing or spear phishing to extract confidential information

  • Network scans / OS fingerprinting / vulnerability assessments of outside-facing network components

  • Denial of Service attacks

  • State-sponsored surveillance

External, unintentional:

  • An outsider accidentally stumbling onto sensitive data because of a flaw/vulnerability in the network

  • Accidental power outage

  • Natural disasters

  • An unsuspecting user's system taken over and used as part of a bot herd

Network threat examples