
Network Forensics

The document discusses network forensics and the use of Wireshark. It provides an overview of network forensics as collecting and analyzing raw network data to determine how an attack occurred. Standard procedures for network forensics include always using a standard installation image, fixing vulnerabilities after attacks, and acquiring all compromised drives. Wireshark is an open-source packet analyzer that monitors network traffic and allows users to examine security problems, troubleshoot issues, and analyze dropped packets. It displays packet information through color coding and filtering and is useful for network security and troubleshooting.

Uploaded by Saeed Arif

Network Forensics

Network Forensics Overview

Guide to Computer Forensics and Investigations, Fifth Edition

- Network forensics
  - Process of collecting and analyzing raw network data and tracking network traffic
  - To ascertain how an attack was carried out or how an event occurred on a network
- Intruders leave a trail behind
- Knowing your network's typical traffic patterns is important in spotting variations in network traffic
Developing Procedures for Network Forensics

- Network forensics can be a long, tedious process
- Standard procedure that is often used:
  - Always use a standard installation image for systems on a network
  - Fix any vulnerability after an attack
  - Attempt to retrieve all volatile data
  - Acquire all compromised drives
  - Compare files on the forensic image to the original installation image
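As an added example, not from the slides or the textbook: a small Python script for the last step, comparing the file tree of a forensic image against the original installation image by SHA-256 and reporting files that were added, removed or modified. The two directory trees it builds (paths and contents) are constructed stand-ins for the mounted images.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each regular file under root (path relative to root) to its SHA-256 digest."""
    root, digests = Path(root), {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def compare_images(baseline_root, evidence_root):
    """Classify every file on the evidence image against the known-good install image."""
    base, evid = hash_tree(baseline_root), hash_tree(evidence_root)
    common = set(base) & set(evid)
    return {
        "added": sorted(set(evid) - set(base)),      # not part of the install image
        "missing": sorted(set(base) - set(evid)),    # present at install, gone now
        "modified": sorted(f for f in common if base[f] != evid[f]),
    }

def demo():
    """Build two constructed directory trees (stand-ins for the two mounted images)
    and return the comparison; file names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        base, evid = Path(tmp, "baseline"), Path(tmp, "evidence")
        files = {"bin/ls": b"ls v1", "etc/passwd": b"root:x:0:0",
                 "etc/hosts": b"127.0.0.1 localhost"}
        for root in (base, evid):
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        (evid / "bin/ls").write_bytes(b"ls v1 with extra bytes")   # binary changed after install
        (evid / "tmp").mkdir()
        (evid / "tmp/dropped.bin").write_bytes(b"unknown file")    # file not on the image
        (evid / "etc/hosts").unlink()                              # file removed
        return compare_images(base, evid)
```

On a real case point `compare_images` at the two mounted, read-only image roots; the comparison is by content hash, so timestamps alone never cause a false "modified".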
Developing Standard Procedures for Network Forensics

- In digital forensics
  - You can work from the image to find most of the deleted or hidden files and partitions
- In network forensics
  - You have to restore drives to understand the attack
  - Work on an isolated system
    - Prevents malware from affecting other systems
Reviewing Network Logs

- Network logs record incoming and outgoing traffic
  - Network servers
  - Routers
  - Firewalls
- Tcpdump and Wireshark: tools for examining network traffic
  - Can generate top 10 lists
  - Can identify patterns
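An added example, not from the slides: the kind of "top 10 list" and pattern check the bullets describe, computed in Python over constructed lines in tcpdump's `-n` output format (the addresses and timestamps are made up).

```python
import re
from collections import Counter, defaultdict

# tcpdump's default one-line format for IPv4 TCP/UDP packets when run with -n.
LINE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")

def parse_tcpdump(text):
    """Yield (src, sport, dst, dport, info) for every line the regex recognises."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            _ts, src, sport, dst, dport, info = m.groups()
            yield src, int(sport), dst, int(dport), info

def top_talkers(text, n=10):
    """Top-n source addresses by packet count: the classic 'top 10 list'."""
    return Counter(src for src, _, _, _, _ in parse_tcpdump(text)).most_common(n)

def top_conversations(text, n=10):
    """Top-n (source, destination) pairs by packet count."""
    return Counter((src, dst) for src, _, dst, _, _ in parse_tcpdump(text)).most_common(n)

def port_fanout(text):
    """Distinct (destination, port) targets per source. Against the baseline of
    typical traffic the slides say to know, a source whose fan-out jumps is the
    kind of variation worth a closer look."""
    targets = defaultdict(set)
    for src, _, dst, dport, _ in parse_tcpdump(text):
        targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items()}

# Constructed sample lines in tcpdump -n format (not a real capture).
SAMPLE = """\
12:00:01.000001 IP 10.0.10.142.51000 > 10.0.0.53.53: UDP, length 40
12:00:01.000002 IP 10.0.0.53.53 > 10.0.10.142.51000: UDP, length 120
12:00:02.000003 IP 10.0.10.142.51001 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000004 IP 203.0.113.10.443 > 10.0.10.142.51001: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:03.000005 IP 10.0.10.142.51001 > 203.0.113.10.443: Flags [.], ack 2, win 64240, length 0
12:00:04.000006 IP 10.0.10.77.40000 > 10.0.10.142.22: Flags [S], seq 1, win 1024, length 0
12:00:04.000007 IP 10.0.10.77.40001 > 10.0.10.142.23: Flags [S], seq 1, win 1024, length 0
12:00:04.000008 IP 10.0.10.77.40002 > 10.0.10.142.80: Flags [S], seq 1, win 1024, length 0
12:00:04.000009 IP 10.0.10.77.40003 > 10.0.10.142.445: Flags [S], seq 1, win 1024, length 0
"""
```

Feed real output in with `sys.stdin.read()` from `tcpdump -n -r capture.pcap`; lines the regex does not recognise (ARP, IPv6, ICMP) are simply skipped.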
Using Network Tools

- Sysinternals
  - A collection of free tools for examining Windows products
- Examples of the Sysinternals tools:
  - RegMon shows Registry data in real time
  - Process Explorer shows what is loaded
  - Handle shows open files and the processes using them
  - Filemon shows file system activity
Using Packet Analyzers

- Packet analyzers
  - Devices or software that monitor network traffic
  - Most work at layer 2 or 3 of the OSI model
- Most tools follow the Pcap (packet capture) format
- Some packets can be identified by examining the flags in their TCP headers
- Tools
  - Tcpdump
  - Tethereal
What is Wireshark?

- Wireshark is an open-source packet analyzer used for education, analysis, software development, communication protocol development, and network troubleshooting.
- It captures packets so that each one can be filtered to meet specific needs. It is commonly called a sniffer, network protocol analyzer, or network analyzer. It is also used by network security engineers to examine security problems.
Uses of Wireshark

Wireshark can be used in the following ways:

- It is used by network security engineers to examine security problems.
- It allows users to watch all the traffic being passed over the network.
- It is used by network engineers to troubleshoot network issues.
- It also helps to troubleshoot latency issues and malicious activity on your network.
- It can also analyze dropped packets.
- It helps us understand how devices such as laptops, mobile phones, desktops, switches, and routers communicate within a local network or with the rest of the world.
What is a packet?

- A packet is a unit of data transmitted over a network between an origin and a destination. Network packets are small: at most 1.5 kilobytes for Ethernet packets and 64 kilobytes for IP packets. Packets can be viewed live in Wireshark and analyzed offline.
What is color coding in Wireshark?

- Packets in Wireshark are highlighted in colors such as blue, black, and purple. These colors help users identify the type of traffic; this is also called packet colorization. Wireshark has two kinds of coloring rules: temporary rules and permanent rules.
- Temporary rules last only while the program is running; they are discarded when you quit.
- Permanent coloring rules are saved and remain available the next time you run Wireshark.
Features of Wireshark

- It is multi-platform software: it runs on Linux, Windows, OS X, FreeBSD, NetBSD, etc.
- It performs deep inspection of hundreds of protocols.
- It supports live analysis: it can read live data from different types of network interface, such as Ethernet and loopback.
- It has sort and filter options that make it easy for the user to view the data.
- It can also capture raw USB traffic.
- Various settings, like timers and filters, can be used to filter the output.
- It can only capture packets on networks supported by pcap (the application programming interface used to capture network traffic).
- Wireshark supports a variety of well-documented capture file formats, such as pcapng and libpcap, which are used for storing the captured data.
- It is the no. 1 piece of software for its purpose, with countless applications ranging from tracing down unauthorized traffic to checking firewall settings.
The Wireshark screen/interface is divided into five parts:

- The first part, at the top of the window, contains the menu bar and the options displayed below it.
- The second part is the packet list window. It shows the packet number, time, source, destination, protocol, length, and info. The packet list can be sorted by clicking on a column name.
- Next comes the packet details window (bottom left). It contains detailed information about the components of each packet; the protocol information can be expanded or collapsed according to the information required.
- The bottom right window, called the packet contents window, displays the content in ASCII and hexadecimal format.
- Finally, the filter field at the top of the display lets you filter the captured packets by any component according to your requirements.
Most used Filters in Wireshark

- Whenever you type an expression in the filter box, it turns green if the expression is valid. It turns red if it is incorrect or Wireshark does not recognize it.
Common Filters

ip.addr
  Example: ip.addr==10.0.10.142
  Matches packets that have this IP address as either the source or the destination.

ip.src, ip.dst
  Same syntax; ip.src matches the address only as the source and ip.dst only as the destination.

protocol
  Example: dns or http
  Filters on the protocol. This example requires a packet to be either DNS or HTTP and displays the traffic that matches. The filter 'dns and http' is never used, because it requires a packet to be both DNS and HTTP at once, which is impossible.

tcp.port
  Example: tcp.port==443
  Sets a filter on a specific port number; this example shows all packets with this port number.

tcp.analysis.flags
  Wireshark can flag TCP problems. This filter displays only the packets on which Wireshark has identified an issue, for example packet loss or a TCP segment that was not captured.

!()
  Example: !(arp or dns or icmp)
  Excludes the listed protocols or applications that we are not interested in. This example removes ARP, DNS, and ICMP, leaving only the remaining traffic and cleaning out what may not be helpful.

http.request
  Displays all the HTTP requests in the trace file, so you can see all the servers the client is involved with. For responses, filter on the response code, e.g. http.response.code==200.
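An added example, not from the slides or the Wireshark project: a Python decoder that reads the layer 2/3/4 fields a display filter tests out of raw Ethernet frames and applies the filters from the table above to a constructed five-frame trace. The frames and addresses are constructed samples, and protocol identification is simplified to UDP port 53 for dns and TCP port 80 for http; Wireshark's dissectors do more.

```python
import struct
ARP, IPV4 = 0x0806, 0x0800                         # Ethernet II ethertypes
L4 = {1: "icmp", 6: "tcp", 17: "udp"}              # IPv4 protocol numbers

def parse_frame(frame):
    """Decode Ethernet II + IPv4 + TCP/UDP headers into the fields a display filter tests."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != IPV4:
        return {"proto": "arp" if ethertype == ARP else "other"}
    ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length in bytes
    p = {"proto": L4.get(frame[23], "ip"), "src": ".".join(map(str, frame[26:30])),
         "dst": ".".join(map(str, frame[30:34])), "sport": 0, "dport": 0, "syn": False}
    l4 = frame[14 + ihl:]
    if p["proto"] in ("tcp", "udp"):
        p["sport"], p["dport"] = struct.unpack("!HH", l4[:4])
    if p["proto"] == "tcp":
        p["syn"] = bool(l4[13] & 0x02)             # TCP flag bits: SYN=0x02, ACK=0x10
    return p
# Simplified protocol identification by port; Wireshark's dissectors look deeper.
def dns(p):  return p["proto"] == "udp" and 53 in (p["sport"], p["dport"])
def http(p): return p["proto"] == "tcp" and 80 in (p["sport"], p["dport"])

FILTERS = {                                        # the filters from the table, as predicates
    "ip.addr==10.0.10.142":  lambda p: "10.0.10.142" in (p.get("src"), p.get("dst")),
    "dns or http":           lambda p: dns(p) or http(p),
    "dns and http":          lambda p: dns(p) and http(p),      # can never match
    "tcp.port==443":         lambda p: p["proto"] == "tcp" and 443 in (p["sport"], p["dport"]),
    "!(arp or dns or icmp)": lambda p: not (p["proto"] in ("arp", "icmp") or dns(p)),
}
def apply_filter(expr, frames):
    """Return the frame numbers (list indices) that the named filter keeps."""
    return [i for i, f in enumerate(frames) if FILTERS[expr](parse_frame(f))]

def build_frame(proto, src, dst, sport=0, dport=0, flags=0x02):
    """Constructed frame, not captured traffic: Ethernet II + minimal IPv4 + L4 header."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    num = {"icmp": 1, "tcp": 6, "udp": 17}[proto]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, num, 0, ip4(src), ip4(dst))
    l4 = {"tcp": struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0),
          "udp": struct.pack("!HHHH", sport, dport, 8, 0),
          "icmp": struct.pack("!BBHHH", 8, 0, 0, 0, 0)}[proto]
    return b"\xaa" * 12 + struct.pack("!H", IPV4) + ip + l4

SAMPLE = [                                         # constructed trace; index = frame number
    b"\xaa" * 12 + struct.pack("!H", ARP) + b"\x00" * 28,            # 0: ARP
    build_frame("udp", "10.0.10.142", "10.0.0.53", 51000, 53),        # 1: DNS query
    build_frame("tcp", "10.0.10.142", "203.0.113.10", 51001, 443),    # 2: HTTPS SYN
    build_frame("tcp", "10.0.10.7", "10.0.10.142", 51002, 80),        # 3: HTTP SYN
    build_frame("icmp", "10.0.10.7", "10.0.10.1"),                    # 4: ICMP echo request
]
```

Running `apply_filter("dns and http", SAMPLE)` returns an empty list, which is the point the table makes about that filter.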
Wireshark packet sniffing

- Wireshark is a packet sniffing program that administrators can use to isolate and troubleshoot problems on the network. It can also capture sensitive data such as usernames and passwords, and it can be misused (hacking) to eavesdrop.
- Packet sniffing is the process of capturing the packets of data flowing across a computer network. A packet sniffer is a device or software used for sniffing.
- Below are the steps for packet sniffing:
  - Open the Wireshark application.
  - Select the current interface. In this example the interface used is Ethernet.
  - The network traffic is shown below the interface list and updates continuously. To stop the capture or to look at a particular packet, press the red button below the menu bar.
Username and password sniffing

It is the process used to learn the username and password for a particular website. Let's take gmail.com as an example. Below are the steps:

- Open Wireshark and select the suitable interface.
- Open the browser and enter the web address. Here we have entered gmail.com, which is highly secured. Enter your email address and the password. The image is shown below:
