Investigation of Network Traffic

Network forensics is often defined as the sniffing, recording, acquisition and analysis of network traffic and event logs in order to investigate a network security incident. It allows an investigator to examine network traffic and logs in order to spot and locate the attacking system.

Devices connected to networks continue to proliferate: computers, smartphones, tablets and so on. Because the number of attacks against networked systems keeps growing, network forensics has become increasingly important and critical. To mount an immediate response in case of an attack, network administrators should be ready to discover and understand what the attackers have done so far, and they do that by investigating and analyzing network traffic data. This article first presents an introduction to network forensics, followed by the kinds of network traffic analyzed in network forensics, and finally a look at the types of systems used to collect network traffic, with their respective pros and cons. It also provides an extensive list of popular tools that can be used during a network forensic investigation.


What is Network Forensics?

Network forensics is the capture, recording and analysis of network packets in order to determine the source of network security attacks. The main goal of network forensics is to gather evidence. It tries to analyze network traffic data collected from different sites and different network equipment, such as firewalls and IDS. In addition, it monitors the network to detect attacks and analyze the nature of the attackers. Network forensics is also the process of detecting intrusion patterns, focusing on attacker activity.

What traffic protocols and network layers are analyzed in network forensics?

This section shows where digital forensic methods can be applied within the various network protocols or layers.

Data-link and physical layer examined (Ethernet)

Methods here rely on eavesdropping on the bit streams at the Ethernet layer of the OSI model. This can be done using monitoring tools or sniffers such as Wireshark or tcpdump, both of which capture traffic data from a network interface card configured in promiscuous mode. These tools allow the investigator to filter traffic and reconstruct attachments transmitted over the network. In addition, protocols can be consulted and analyzed, such as the Address Resolution Protocol (ARP) or any higher-level protocol. However, this can be thwarted by encryption. Encryption might itself indicate that a host is suspicious, since an attacker uses encryption to secure his connection and evade eavesdropping. The disadvantage of this method is that it requires a large storage capacity.
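As an added example (not code from the original article), here is a minimal decoder for the Ethernet/ARP frames a sniffer in promiscuous mode would deliver. It records which MAC answers for which IP in ARP replies and flags IPs that more than one MAC has claimed, the kind of inconsistency an investigator looks for when consulting ARP. The frames, addresses and function names are constructed for the example, not captured from a real network.

```python
import struct
from collections import defaultdict

def build_arp_frame(src_mac, sender_ip, target_ip, opcode):
    """Build a constructed Ethernet II + ARP frame (sample data, not a capture)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + mac + b"\x08\x06"                 # broadcast dst, src, ethertype ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet/IPv4, 6/4-byte addresses
    arp += mac + bytes(map(int, sender_ip.split(".")))
    arp += b"\x00" * 6 + bytes(map(int, target_ip.split(".")))
    return eth + arp

def parse_arp(frame):
    """Return (sender_mac, sender_ip, opcode) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    hw_type, proto, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_mac, sender_ip, opcode

def find_ip_mac_conflicts(frames):
    """IPs that more than one MAC has claimed in ARP replies (opcode 2)."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[2] == 2:
            mac, ip, _ = parsed
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

# Constructed frames: a gateway reply, a host request, then a second MAC replying for the gateway IP.
SAMPLE_FRAMES = [
    build_arp_frame("aa:bb:cc:00:00:01", "10.0.0.1", "10.0.0.50", 2),
    build_arp_frame("aa:bb:cc:00:00:50", "10.0.0.50", "10.0.0.1", 1),
    build_arp_frame("de:ad:be:ef:00:99", "10.0.0.1", "10.0.0.50", 2),
]

if __name__ == "__main__":
    print(find_ip_mac_conflicts(SAMPLE_FRAMES))  # {'10.0.0.1': ['aa:bb:cc:00:00:01', 'de:ad:be:ef:00:99']}
```

The same `parse_arp` can be fed raw frames read from a pcap file; only the ARP reply bindings are used, since requests do not assert a binding.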

Transport and network layer examined (TCP/IP)

Forensic methods are applied at the network layer. The network layer provides router information based on the routing table present on all routers, and also provides authentication log evidence. Investigating this information helps identify compromised packets, determine the source, and reverse-route and track data. Network device logs provide detailed information about network activities. Multiple logs recorded from different network devices can be correlated to reconstruct the attack scenario. Network devices have a limited storage capacity, so network administrators configure them to send their logs to a server, which stores them for a period of time.
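The correlation described above, as an added example that is not part of the original article: log lines from two hypothetical devices (a firewall and an IDS, each with its own constructed format) are normalized into one timeline so that every event involving an address can be read in order, and sources that raised an alert and were later accepted by the firewall are singled out. The hosts, addresses, signatures and log formats are all assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines from two hypothetical devices (not real captures). Each
# device has its own format, so records are normalized before correlation.
FIREWALL_LOG = """\
2024-05-01T10:00:01Z fw1 DROP src=203.0.113.7 dst=10.0.0.5 proto=tcp dpt=22
2024-05-01T10:00:02Z fw1 ACCEPT src=198.51.100.9 dst=10.0.0.8 proto=tcp dpt=443
2024-05-01T10:00:04Z fw1 ACCEPT src=203.0.113.7 dst=10.0.0.5 proto=tcp dpt=22
"""
IDS_LOG = """\
2024-05-01T10:00:03Z ids1 ALERT sig="SSH brute force" src=203.0.113.7 dst=10.0.0.5
2024-05-01T10:00:09Z ids1 ALERT sig="Outbound shell" src=10.0.0.5 dst=203.0.113.7
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line, source):
    """Normalize one '<ts> <host> <event> k=v ...' line into a dict."""
    ts, host, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source,
            "host": host, "event": rest.split(" ", 1)[0], **fields}

def build_timeline(*logs):
    """Merge (source_label, text) pairs into one record list ordered by time.
    Labels "fw" and "ids" are the ones attack_candidates() expects."""
    records = []
    for source, text in logs:
        records += [parse_line(l, source) for l in text.splitlines() if l.strip()]
    return sorted(records, key=lambda r: r["time"])

def events_involving(timeline, ip):
    """Every record in which the IP appears as source or destination, in order."""
    return [r for r in timeline if ip in (r.get("src"), r.get("dst"))]

def attack_candidates(timeline):
    """Sources that raised an IDS alert and were later ACCEPTed by the firewall:
    the alert alone may be noise; an alert followed by an accepted flow is a lead."""
    alerted = defaultdict(list)
    for r in timeline:
        if r["source"] == "ids" and r["event"] == "ALERT":
            alerted[r["src"]].append(r["time"])
    return sorted({r["src"] for r in timeline
                   if r["source"] == "fw" and r["event"] == "ACCEPT"
                   and any(t < r["time"] for t in alerted.get(r["src"], []))})

if __name__ == "__main__":
    tl = build_timeline(("fw", FIREWALL_LOG), ("ids", IDS_LOG))
    for r in events_involving(tl, "203.0.113.7"):
        print(r["time"], r["host"], r["event"], r.get("sig", ""))
    print("candidates:", attack_candidates(tl))
```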

Traffic examined based on the use case (Internet)

The Internet provides numerous services such as WWW, email, chat, file transfer, etc., which makes it rich in digital evidence. Analysis here is achieved by examining the logs of servers deployed on the Internet. Servers include web servers, email servers, Internet Relay Chat (IRC) servers, and other kinds of traffic and communication. These servers collect useful log information, such as browsing history, email accounts (except when email headers are faked), user account information, etc.

Wireless traffic examined

This is achieved by collecting and analyzing traffic from wireless networks and devices, such as mobile phones. This extends normal traffic data to include voice communications. Phone location can also be determined. The analysis methods for wireless traffic are similar to those for wired network traffic, but different security issues should be taken into consideration.


Why Investigate Network Traffic?

Investigating network traffic can help the administrator or the investigator find out whether the traffic is normal or abnormal. They can perform the following functions:

  • Detect any suspicious activity within the environment and try to minimize the severity of the attack
  • Identify and avoid security intrusions
  • Detect whether an attacker has compromised a system and deleted files, in which case only network-based evidence can help the investigators with the forensic analysis
  • Identify suspicious activities
  • Adjust bandwidth according to usage

Network forensics ensures a faster incident response to an attack. It provides the ability to analyze attacks by tracing an attack back to its source and discovering the nature of the attacker, whether it is an individual, a host or a network. In addition, network forensics provides methods to predict future attacks by correlating attack patterns from previous records of intrusion traffic data. This facilitates the presentation of admissible evidence in a court of law. This article was a quick survey of network forensics, the different traffic data types, and the different types of systems used to collect them.
