Network Forensics - what is in your toolbox

Question

In similar vein to this question on computer forensics, what tools would you have in your toolbox for infrastructure and network forensics. Typical example cases would be if you were called in either after an incident, or on suspicion of an incident, and asked "Have we been compromised? What did the attacker do? How did they do it? Are we still compromised? and Is an attack still underway?"

Assume the organisation has logs - which ones would be of most value? What would you have as essential tools?

Umm, I might be misunderstanding something, but isnt network forensics *during* the incident? After the incident already occured, theres nothing going over the wire - and that goes back to regular computer forensics. No? — AviD, Dec 15 '10 at 10:58
I still dont quite get the difference between "infrastructure" and the other forensics question. As I understand it (and I admit this is not my area of expertise), network forensics refers to monitoring *traffic*. Otherwise, its just "forensics" (okay, computer/digital forensics). Logs are not part of traffic, even e.g. firewall logs, they're part of computer forensics. Where am I wrong? — AviD, Dec 15 '10 at 11:40
Ah okay - what I'm trying to describe here is not just a look at a server or database or other platform to see what happened on that host. I'm more describing the case where there may be an incident still occurring, or have periods of activity. For example, something raises suspicions, so forensics look at a computer - it was compromised - should analysis stop there? Best to check the extent of compromise and identify what is still going on. — Rory Alsop, Dec 15 '10 at 12:37
Thanks for a well-phrased question that will be well indexed. See the answers to the recent "Jump bag" question here: http://security.stackexchange.com/questions/935/what-should-be-included-in-a-jump-bag-and-how-often-should-it-be-reviewed — nealmcb, Dec 14 '10 at 22:08
+1 - these 3 questions are nicely related: Jump bag, computer forensics (as in the server/desktop) and network forensics. All good for an incident response person. — Rory Alsop, Dec 14 '10 at 22:11

score 6 · Accepted Answer · answered Dec 15 '10 at 00:51

Well, for the first 3 questions I would perform a full examination on the machine back at the office. We are lucky enough to have ongoing network monitoring in several locations in our network, both in the form of firewalls and flow collectors.

Flow Records from Argus (similar to Net- or J-flows)
Firewall logs (from both 'near by' hosts and hardware firewalls)
tcpdump (captured from a mirrored port if possible, hub/tap if necessary)
perl/grep/awk

The majority of the magic comes in the form of the perl scripts we have developed over the years, and the analysis/aggregation tools shipped with Argus.

The majority of compromises that I have examined are being used to either serve up illegal movies/music/etc or perform denial of service attacks. In both cases the infections are easy to track from either the flow records or firewalls.

have been reading up on Argus as I haven't used it before - that's a pretty good suite of tools. Cheers — Rory Alsop, Jan 11 '11 at 19:08

score 5 · Answer 2 · answered Dec 14 '10 at 22:00

5

A couple of tools I've found useful for this sort of thing.

Analyzing packet captures, if they're available

Wireshark of course
Network Miner

For text log analysis, I tend to rely on a combination of grep and ruby.

answered Dec 14 '10 at 22:00

Rory McCune

60,923
14
136
217

2

I hadn't used Network Miner, looks interesting. – Scott Pack Dec 15 '10 at 00:28

score 5 · Answer 3 · answered Dec 15 '10 at 01:19

5

Again not my list, but this is my toolbox: http://www.forensicswiki.org/wiki/Tools:Network_Forensics

plus a few things for wireless detection (such as inssider)

answered Dec 15 '10 at 01:19

iivel

1,583
10
13

score 4 · Answer 4 · edited Mar 17 '17 at 13:14

Thought I'd pop up some of the tools I or my team have had to use on a few occasions. Assuming a server is compromised (and you have your computer forensic toolkit on hand to look at that) then I'd want the following:

Wireshark
tcpdump
ngrep
grep/perl scripts (although I am slowly learning ruby)
netflows (although looking at Argus I think it might be a better bet)

Depending on the initial assessment of the server, you might pull the power, disconnect from network, or drop into an investigative network. If I'm pulling power I then want to review from the infrastructure around the server, and the path to the Internet - looking for compromise within the network and communications through the perimeter. For the 3rd option I'd want to be monitoring live logs from my investigation network. In any case I'd want a check throughout the network for signs of compromise.

SIEM tools at this point can be very effective when enterprise wide - they can be updated as the investigation progresses, helping to limit further compromise.

But the majority of the effort will come after the fact - and most of my dealings with logs have all been down the grep route.

Network Forensics - what is in your toolbox

4 Answers4

Linked