FOR572.1: Off the Disk and Onto the Wire
Focus: Although many concepts of network forensics are similar to those of any other digital forensic investigation, the network presents many nuances that require special attention. Today you will learn how to apply what you already know about digital forensics and incident response to network-based evidence. You will also become acclimated to the basic tools of the trade.
Network data can be preserved, but only if captured directly from the wire. Whether tactical or strategic, packet capture methods are quite basic. You will re-acquaint yourself with tcpdump and Wireshark, the most common tools used to capture and analyze network packets, respectively. However, since long-term full-packet capture is still uncommon in most environments, many artifacts that can tell us about what happened on the wire in the past come from devices that manage network functions. You will learn about what kinds of devices can provide valuable evidence and at what level of granularity. We will walk through collecting evidence from one of the most common sources of network evidence – a web proxy server – then go hands-on to find and extract stolen data from the proxy yourself.
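As an added illustration of the proxy-log triage described above (this is not course material, and the log layout is a constructed, simplified format rather than Squid's native format), the script below parses a short, constructed proxy access log and flags clients that pushed unusually large request bodies to a single host. Field names, the sample addresses, and the 1 MB threshold are all assumptions chosen for the example.

```python
"""Find candidate data-theft transfers in a proxy access log.

Added example, not part of FOR572. The log format is constructed and simplified
(not Squid's native format); each line is:
  <epoch> <client_ip> <method> <host> <status> <request_bytes> <response_bytes>
where request_bytes is the body size sent by the client toward the server.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: one client repeatedly uploads multi-megabyte bodies.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET www.example.com 200 412 18342
1700000010 10.0.0.5 POST login.example.com 302 1024 512
1700000020 10.0.0.7 POST upload.example.net 200 5242880 301
1700000030 10.0.0.7 POST upload.example.net 200 6291456 301
1700000040 10.0.0.9 GET cdn.example.com 200 380 204800
1700000050 10.0.0.7 POST upload.example.net 200 4194304 301
"""

UPLOAD_METHODS = {"POST", "PUT"}  # methods that normally carry a request body


@dataclass(frozen=True)
class ProxyRecord:
    ts: int
    client: str
    method: str
    host: str
    status: int
    request_bytes: int
    response_bytes: int


def parse_log(text: str) -> list[ProxyRecord]:
    """Parse the constructed log format, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 7:
            raise ValueError(f"malformed proxy log line: {line!r}")
        records.append(ProxyRecord(int(f[0]), f[1], f[2], f[3],
                                   int(f[4]), int(f[5]), int(f[6])))
    return records


def outbound_bytes(records: list[ProxyRecord]) -> dict[tuple[str, str], int]:
    """Sum request-body bytes per (client, host) for body-carrying methods."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for r in records:
        if r.method in UPLOAD_METHODS:
            totals[(r.client, r.host)] += r.request_bytes
    return dict(totals)


def find_exfil_candidates(records: list[ProxyRecord],
                          threshold_bytes: int = 1_000_000) -> list[tuple[str, str, int]]:
    """Return (client, host, total_request_bytes), largest first, above the threshold."""
    hits = [(client, host, total)
            for (client, host), total in outbound_bytes(records).items()
            if total >= threshold_bytes]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def transfers_for(records: list[ProxyRecord], client: str, host: str) -> list[ProxyRecord]:
    """List the individual upload records behind one flagged pair, in time order."""
    return sorted((r for r in records
                   if r.client == client and r.host == host and r.method in UPLOAD_METHODS),
                  key=lambda r: r.ts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, host, total in find_exfil_candidates(recs):
        print(f"{client} -> {host}: {total} bytes uploaded")
        for r in transfers_for(recs, client, host):
            print(f"  {r.ts} {r.method} status={r.status} body={r.request_bytes}")
```

The per-pair total is what makes the pattern visible: each individual POST looks like an ordinary upload, but summing request-body bytes per client and destination surfaces the one pair that moved about 15 MB. On a real proxy log the equivalent step is confirming which size field records client-to-server bytes, since many formats log only the response size.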
The Linux SIFT virtual machine, which has been specifically loaded with a set of network forensic tools, will be your primary toolkit for the week.
FOR572.2: NetFlow Analysis, Commercial Tools, and Visualization
Focus: Network connection logging, commonly called NetFlow, may be the single most valuable source of evidence in network investigations. Many organizations have extensive archives of flow data due to its minimal storage requirements. Since NetFlow does not capture any content of the transmission, many legal issues with long-term retention are mitigated. Even without content, NetFlow provides an excellent means of guiding an investigation and characterizing an adversary’s activities from pre-attack through operations.
Just as photos from high-altitude reconnaissance aircraft and satellites are instrumental in national policy decisions, NetFlow data can provide a network investigator with extremely high-value intelligence about network communications. The key to extracting that value is in knowing how to use NetFlow evidence to drive more detailed (and labor-intensive) investigative activities.
In this section, you will learn what data items NetFlow can provide, and the various means of collecting those items. As with many such monitoring technologies, both commercial and open-source solutions exist to query and examine NetFlow data. We will review both categories and discuss the benefits and drawbacks of each.
In the same vein, presenting concise findings from extremely large data sources is an important skill. A network forensicator should be able to aggregate and visually present findings, especially when faced with a years-long compromise incident. Expressing findings supported with visualizations can provide a much clearer picture than words alone.
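To show concretely what flow records yield without any payload, here is an added example (not FOR572 material, and not a parser for a real NetFlow v5/v9 or IPFIX export; the record layout is a constructed, simplified text form) that aggregates constructed flow records into top-talker totals, renders them as a text bar chart for a quick visual summary, and flags connections whose start times are evenly spaced. The sample addresses, the field order, and the regularity threshold are assumptions for the example.

```python
"""Summarize NetFlow-style records without any packet content.

Added example, not part of FOR572. The layout below is constructed and
simplified (not a real NetFlow/IPFIX export format); each record is:
  <start_epoch> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <packets> <bytes>
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample: one host reaches the same destination exactly hourly,
# another moves a large volume in two sessions, a third is a one-off.
SAMPLE_FLOWS = """\
1700000000 10.0.0.7 51000 203.0.113.9 443 6 12 1600
1700003600 10.0.0.7 51001 203.0.113.9 443 6 11 1550
1700007200 10.0.0.7 51002 203.0.113.9 443 6 12 1600
1700010800 10.0.0.7 51003 203.0.113.9 443 6 13 1700
1700000500 10.0.0.5 51020 198.51.100.20 80 6 400 520000
1700004200 10.0.0.5 51021 198.51.100.20 80 6 380 498000
1700006000 10.0.0.9 51030 198.51.100.77 443 6 20 5000
"""


@dataclass(frozen=True)
class Flow:
    start: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    bytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed record format, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 8:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(int(f[0]), f[1], int(f[2]), f[3], int(f[4]),
                          int(f[5]), int(f[6]), int(f[7])))
    return flows


def bytes_by_pair(flows: list[Flow]) -> dict[tuple[str, str], int]:
    """Total bytes per (src, dst) pair, the usual first cut at 'who talked to whom'."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.bytes
    return dict(totals)


def top_talkers(flows: list[Flow], n: int = 3) -> list[tuple[tuple[str, str], int]]:
    """The n busiest (src, dst) pairs by byte volume, largest first."""
    return sorted(bytes_by_pair(flows).items(), key=lambda kv: kv[1], reverse=True)[:n]


def ascii_bars(totals: dict[tuple[str, str], int], width: int = 40) -> str:
    """Render pair totals as a text bar chart scaled to the largest value."""
    peak = max(totals.values(), default=0)
    rows = []
    for (src, dst), total in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        bar = "#" * (round(total * width / peak) if peak else 0)
        rows.append(f"{src:>15} -> {dst:<15} {total:>9} {bar}")
    return "\n".join(rows)


def find_periodic_connections(flows: list[Flow], min_flows: int = 4,
                              max_cv: float = 0.1) -> list[tuple[str, str, int, float]]:
    """Return (src, dst, dport, mean_gap) for connections whose flow start times
    are nearly evenly spaced (coefficient of variation of the gaps <= max_cv)."""
    by_conn: dict[tuple[str, str, int], list[int]] = defaultdict(list)
    for f in flows:
        by_conn[(f.src, f.dst, f.dport)].append(f.start)
    hits = []
    for key, starts in by_conn.items():
        if len(starts) < min_flows:
            continue  # too few observations to call anything regular
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((key[0], key[1], key[2], float(avg)))
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(ascii_bars(bytes_by_pair(flows)))
    for src, dst, dport, gap in find_periodic_connections(flows):
        print(f"regular: {src} -> {dst}:{dport} every {gap:.0f}s")
```

The two summaries answer different questions: byte totals point at the heaviest data movement, while the timing check surfaces the low-volume connection that recurs on a fixed schedule, which is easy to miss on volume alone. Both come purely from the five-tuple, timestamps and counters, which is the point made in the section above about what flow data offers without content.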
FOR572.3: Network Protocols and Wireless Investigations
Focus: Network protocols are the foundation on which all network communications build. Without an understanding of how the most fundamental protocols behave, further examination and investigation is simply impossible. More importantly, without honing the skills necessary to learn new protocols, the network forensicator will be unprepared for the future in the rapidly evolving field in which we work.
This section covers some of the most common and fundamental network protocols that you will likely face during an investigation. We will cover a broad range of protocols including the Dynamic Host Configuration Protocol, which “glues” together layers two and three of the OSI model, and Microsoft’s Remote Procedure Call protocol, which provides all manner of file, print, name resolution, authentication, and other services.
While no one course could ever exhaustively cover the dizzying list of protocols used in a typical network environment, you will build the skills needed to learn whatever new protocols may come your way. The “learn how to learn” skill is critical, as new protocols are being developed every day. Advanced adversaries develop their own protocols, too, and as you will see later in this class, successfully understanding and counteracting an adversary’s undocumented protocol is a similar process to learning those you will see in this section.
Finally, we will address the forensic aspects of wireless networking. We will cover similarities with and differences from traditional wired network examination, as well as what interesting artifacts can be recovered from wireless protocol fields. Some inherent weaknesses of wireless deployments will also be covered, including how attackers can leverage those weaknesses during an attack, and how they can be detected.
FOR572.4: Logging, OPSEC, and Footprint
Focus: Full-packet capture evidence is often unavailable. Even when it is, the period of coverage rarely extends past a few weeks. Incidents frequently go undiscovered for months or years, so we must turn to what evidence does exist to characterize the network activity around the time of original compromise. Existing infrastructure assets can also be reconfigured to gather more or higher fidelity evidence during an incident response.
Log data is one of the unsung heroes in the realm of network forensics. While the near-perfect knowledge that comes with full-packet capture seems ideal, it suffers from several shortfalls. It is often unavailable, as many organizations have not yet deployed or cannot deploy comprehensive collection systems. When they are in use, network capture systems quickly amass a huge volume of data, which is often difficult to process effectively and must be maintained in a rolling buffer covering just a few days or weeks.
Understanding log data and how it can guide the investigative process is an important network forensicator skill. Examining network-centric logs can also fill gaps left by an incomplete or nonexistent network capture.
In this section, you will learn various logging mechanisms available to both endpoint and network transport devices. You will also learn how to consolidate log data from multiple sources, providing a broad corpus of evidence in one location. As the volume of log data increases, so does the need to consider automated analytic tools. You will learn various solutions that accomplish this, from tactical to enterprise-scale.
Another benefit available in the network domain of incident response is the ability to repurpose infrastructure devices so they will better serve an ongoing investigation. When properly executed, this practice becomes an invaluable component in the incident response cycle. As incident responders acquire intelligence, they tune collections to better track the adversary’s actions, which then begets better intelligence. This process requires special care, however, since interaction with active devices can create additional network traffic, and therefore, additional source evidence. As in many forensic processes, the key is to take measured steps, make minimal changes, and keep detailed documentation of each step.
Finally, the network domain provides some significantly different challenges than the traditional computer forensic domain. The process of analysis and research is an active one – simply looking up a domain name from a log file can alert an attacker to the response team’s status in the investigation. You will learn which types of activities should be avoided and which can be mitigated to better ensure operational security.
FOR572.5: Encryption, Protocol Reversing, and Automation
Focus: Advancements in common technology have made it easier to be a bad guy and harder for us to track them. Sound encryption methods are readily available and custom protocols are easy to develop and employ. Despite this, there are still weaknesses even in the most advanced adversaries’ methods.
Encryption is frequently cited as the most significant hurdle to effective network forensics – and for good reason. When properly implemented, encryption can be a brick wall in between an investigator and critical answers. However, technical and implementation weaknesses can be used to our advantage. Even in the absence of these weaknesses, the right analytic approach to encrypted network traffic can still yield valuable information about the content. We will discuss the basics of encryption and how to approach it during an investigation. The section will also cover flow analysis to characterize encrypted conversations.
In addition, this section addresses how network forensicators can rebuild fragmented payloads in order to reconstruct original communication streams. We will then address undocumented protocols and how to derive intelligence value with limited or nonexistent knowledge of the protocol.
Finally, we will discuss how to pivot labor-intensive tasks into scalable solutions through automation. Whether chaining single-use tools together to create an end-to-end solution or developing a new tool using various existing forensically minded libraries, your methods can be applied as easily to terabytes of live-source data as they can to a 2-gigabyte pcap.
FOR572.6: Network Forensics Capstone Challenge
Focus: This section will combine all of what you have learned prior to and during this week. In groups, you will examine network evidence from a real-world compromise by an advanced attacker. Each group will independently analyze data, form and develop hypotheses, and present findings. No evidence from endpoint systems is available – only the network and its infrastructure.
Students will present their findings at each stage of the exercise. This will test their understanding of the evidence and ability to articulate and support their hypotheses. The audience will include senior-level decision makers, so all presentations must include executive summaries as well as technical details. Time permitting, students should also include recommended steps that could help to prevent, detect, or mitigate a repeat compromise.