Understand the Importance of Network Forensics in this article
Network forensics is the implementation of sniffing, recording, acquisition, and analysis of network traffic and event logs to investigate a network security incident. Capturing network traffic is simple in theory, but relatively complex in practice for inherent reasons such as the large volume of data flowing through the network and the complex nature of Internet protocols. Recording network traffic consumes a lot of resources, and it is often not possible to record all the data flowing through the network because of the volume. The recorded data must also be backed up, both to free the recording media and to preserve it for future analysis.
The analysis of recorded data is the most critical and time-consuming task. There are many automated analysis tools for forensic purposes, but they are insufficient, as there is no foolproof method to recognize bogus traffic generated by an attacker from a pool of genuine traffic. Human judgment is also critical because with automated traffic analysis tools, there is always a chance of false positives.
Network forensics is necessary in order to determine the type of attack over a network and to trace the culprit. A proper investigation process is required to produce the evidence recovered during the investigation in the court of law.
Postmortem and Real-Time Analysis
Forensic examination of logs has two categories:
Postmortem
Investigators perform a postmortem of logs to detect an event that has already occurred on a network or device and to determine what happened.
Here, an investigator can go through the log files a number of times to examine and reconstruct the sequence of earlier events. Compared with real-time analysis, it is an exhaustive process, since the investigators need to examine the attack in detail and produce a final report.
Real-Time Analysis
Real-time analysis is an ongoing process, which returns results simultaneously, so that the system or operators can respond to the attacks immediately.
Real-time analysis examines an attack while it is still in progress, so it is most effective when the investigators or administrators detect the attack quickly. Unlike postmortem analysis, the investigator typically gets to go through the log data only once while evaluating the attack.
Network Vulnerabilities
The massive technological advances in networking have also led to a rapid increase in the complexity and vulnerabilities of networks. The only thing that a user can do is minimize these vulnerabilities, since the complete removal of the vulnerabilities is not possible. There are various internal and external factors that make a network vulnerable.
Internal network vulnerabilities
Internal network vulnerabilities arise from overextension of bandwidth and from bottlenecks.
- Overextension of bandwidth: This occurs when user demand exceeds the total resources of the network.
- Bottlenecks: These occur when user demand exceeds the resources available in particular sectors of the network.
Network management systems and software record these problems in logs or other management solutions. System administrators examine these records to identify where the network is slowing down and, using this information, reroute traffic within the network architecture to restore the speed and functionality of the network.
External network vulnerabilities
External network vulnerabilities arise from threats such as DoS/DDoS attacks and network data interception. A DoS attack originates from a single source, whereas a DDoS attack originates from many sources at once. These attacks slow down or disable the network and are considered among the most serious threats a network faces. To limit their impact, use network performance monitoring tools that alert the user or the administrator when an attack is under way.
Data interception is a common vulnerability in LANs and WLANs. In this type of attack, an attacker infiltrates a supposedly secure session and monitors or edits the network data in order to read or alter network operations. To minimize these attacks, the user or administrator needs to apply user authentication systems and firewalls that restrict unauthorized users from accessing the network.
Network Attacks
Most common attacks against networks:
1. Eavesdropping
Eavesdropping is the interception of unsecured connections in order to steal personal information, and it is illegal.
2. Data Modification
Once the intruder gets access to sensitive information, his or her first step is to alter the data. This problem is referred to as a data modification attack.
3. IP Address Spoofing
IP spoofing is a technique used to gain unauthorized access to a computer. Here, the attacker sends messages to the computer with an IP address that indicates the messages are coming from a trusted host.
4. Denial of Service (DoS)
In a DoS attack, the attacker floods the target with huge amount of invalid traffic, thereby leading to exhaustion of the resources available on the target. The target then stops responding to further incoming requests, thereby leading to denial of service to the legitimate users.
5. Man-in-the-Middle Attack
In man-in-the-middle attacks, the attacker makes independent connections with the users/victims and relays messages between them, making them believe that their conversation is direct.
6. Packet Sniffing
Sniffing refers to the process of capturing traffic flowing through a network with the aim of obtaining sensitive information such as usernames and passwords and using it for illegitimate purposes. In a computer network, a packet sniffer captures the network packets. Software tools such as Cain & Abel are used to serve this purpose.
7. Enumeration
Enumeration is the process of gathering information about a network that may help in attacking it. Attackers usually perform enumeration over the Internet. During enumeration, the following information is collected:
- Topology of the network
- List of live hosts
- Architecture and the kind of traffic (for example, TCP, UDP, IPX)
- Potential vulnerabilities in host systems
8. Session Hijacking
A session hijacking attack refers to the exploitation of a session-token generation mechanism or token security controls, such that the attacker can establish an unauthorized connection with a target server.
9. Buffer Overflow
A buffer has a fixed data storage capacity. If more data is written to it than it can hold, a buffer overflow occurs. Because buffers are finite, programs must check the size of incoming data and handle anything beyond the buffer's capacity safely; otherwise the extra data overflows into neighboring buffers, destroying or overwriting the legitimate data held there.
10. Email Infection
This attack uses emails as a means to attack a network. Email spamming and other means are used to flood a network and cause a DoS attack.
11. Malware Attacks
Malware is a kind of malicious code or software designed to damage the system. Attackers try to install the malware on the targeted system; once the user installs it, it damages the system.
12. Password-based attacks
A password-based attack is a process in which the attacker makes numerous login attempts against a system or an application in order to reproduce a valid login and gain access to it.
13. Router attacks
It is the process of an attacker attempting to compromise the router and gaining access to it.
Attacks specific to wireless networks:
1. Rogue Access Point Attack
Attackers or insiders create a backdoor into a trusted network by installing an unsecured access point inside a firewall. They then use any software or hardware access point to perform this kind of attack.
2. Client Mis-association
The client may connect or associate with an AP outside the legitimate network, either intentionally or accidentally. An attacker who controls that network can misuse this situation by intentionally connecting to the client and proceeding with malicious activities. This kind of client mis-association can lead to access control attacks.
3. Misconfigured Access Point Attack
This attack occurs due to the misconfiguration of the wireless access point. This is the easiest vulnerability for an attacker to exploit. Upon successful exploitation, the entire network could be open to further vulnerabilities and attacks. One common cause of misconfiguration is leaving the default username and password of the access point in place.
4. Unauthorized Association
In this attack, the attacker takes advantage of soft access points, which are WLAN radios present in some laptops. The attacker can activate these access points in the victim’s system through a malicious program and gain access to the network.
5. Ad Hoc Connection Attack
In an Ad Hoc connection attack, the attacker carries out the attack using a USB adapter or wireless card. In this method, the host connects with an unsecured station to attack a particular station or to evade access point security.
6. HoneySpot Access Point Attack
If multiple WLANs co-exist in the same area, a user can connect to any available network. Such multiple WLANs are highly vulnerable to attacks. Normally, when a wireless client switches on, it probes nearby wireless networks for a specific SSID. An attacker takes advantage of this behavior of wireless clients by setting up an unauthorized wireless network using a rogue AP. This AP has high-power (high-gain) antennas and uses the same SSID as the target network. Users who regularly connect to multiple WLANs may connect to the rogue AP. These APs mounted by the attacker are "honeypot" APs. They transmit a stronger beacon signal than the legitimate APs, so NICs searching for the strongest available signal may connect to the rogue AP. If an authorized user connects to a honeypot AP, it creates a security vulnerability and reveals sensitive user information such as identity, user name, and password to the attacker.
7. AP MAC Spoofing
Using the MAC spoofing technique, the attacker can reconfigure the MAC address in such a way that it appears as an authorized access point to a host on a trusted network. The tools for carrying out this kind of attack are changemac.sh, SMAC, and Wicontrol.
8. Jamming Signal Attack
In this attack, the attacker jams the WiFi signals to stop all legitimate traffic from using the access point. The attacker blocks the signals by sending huge amounts of illegitimate traffic to the access point using certain tools.
Where to Look for Evidence
Logs contain events associated with all the activities performed on a system or a network. Hence, analyzing these logs helps investigators trace back the events that have occurred. Logs collected from network devices and applications serve as evidence for investigators examining network security incidents. Therefore, investigators need to have knowledge of network fundamentals, the TCP/IP model, and the layers in the model.
Transmission Control Protocol/Internet Protocol (TCP/IP) is a communication protocol used to connect different hosts in the Internet. Every system that sends and receives information has a TCP/IP program, and the TCP/IP program has two layers:
- Higher Layer: It manages the information sent and received in the form of small data packets sent over Internet and joins all those packets as a main message.
- Lower Layer: It handles the address of every packet so that they all reach the right destination.
The TCP/IP model and the OSI seven-layer model are similar in appearance. As shown in the above figure, the Data Link Layer and Physical Layer of the OSI model together form the Network Access Layer in the TCP/IP model. The Application Layer, Presentation Layer, and Session Layer together form the Application Layer in the TCP/IP model.
Layer 1: Network Access Layer
This is the lowest layer in the TCP/IP model. This layer defines how to use the network to transfer data. It includes protocols such as Frame Relay, SMDS, Fast Ethernet, SLIP, PPP, FDDI, ATM, Ethernet, ARP, etc., which help the machine deliver the desired data to other hosts in the same network.
Layer 2: Internet Layer
This is the layer above the Network Access Layer. It handles the movement of data packets over a network, from source to destination. This layer contains protocols such as Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Internet Group Management Protocol (IGMP), etc. The Internet Protocol (IP) is the main protocol used in this layer.
Layer 3: Transport Layer
Transport Layer is the layer above the Internet Layer. It serves as the backbone for data flow between two devices in a network. The transport layer allows peer entities on the source and destination devices to carry on a communication. This layer uses many protocols, among which Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are the most widely used.
TCP is preferable in case of reliable connections, while UDP can handle non-reliable connections.
Layer 4: Application Layer
This is the topmost layer of the TCP/IP protocol suite. This layer includes all processes that use the Transport Layer protocols, especially TCP and UDP, to deliver data. This layer contains many protocols, with HTTP, Telnet, FTP, SMTP, NFS, TFTP, SNMP, and DNS being the most widely used ones.
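The four layers above are easiest to see in a single captured frame. The following example is added here (it is not code from the original article) and dissects one constructed Ethernet/IPv4/TCP/HTTP frame layer by layer, returning the fields an investigator would record from each; the frame contents, addresses and the hypothetical helper names are all assumptions.

```python
import struct

def build_sample_frame() -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame carrying an HTTP request line
    (built from labelled fields here, not taken from a real capture)."""
    eth = bytes.fromhex("00155d0a0b0c") + bytes.fromhex("001122334455") + b"\x08\x00"
    payload = b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51432, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, 6, 0, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return eth + ip + tcp + payload

def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)

def dissect(frame: bytes) -> dict:
    """Walk one frame through the four TCP/IP layers and return the fields an
    investigator would record from each (addresses, ports, flags, payload)."""
    # Layer 1, Network Access: Ethernet II header = dst MAC, src MAC, EtherType.
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != 0x0800:
        raise ValueError("not IPv4: EtherType 0x%04x" % etype)
    # Layer 2, Internet: IPv4 header; IHL (low nibble) is the header length in 32-bit words.
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src_ip = ".".join(str(x) for x in ip[12:16])
    dst_ip = ".".join(str(x) for x in ip[16:20])
    if proto != 6:
        raise ValueError("only TCP (protocol 6) is dissected here")
    # Layer 3, Transport: TCP header; data offset (high nibble) gives its length.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[0:12])
    doff = (tcp[12] >> 4) * 4
    # Layer 4, Application: everything after the TCP header, here an HTTP request.
    payload = tcp[doff:]
    return {
        "network_access": {"src_mac": _mac(src), "dst_mac": _mac(dst)},
        "internet": {"src_ip": src_ip, "dst_ip": dst_ip, "protocol": proto},
        "transport": {"src_port": sport, "dst_port": dport, "seq": seq, "flags": tcp[13]},
        "application": {"request_line": payload.split(b"\r\n")[0].decode("ascii")},
    }
```

Each key in the returned dictionary corresponds to one TCP/IP layer, which is where the evidence for that layer (MAC addresses, IP addresses, ports, payload) is found in a capture.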
Log Files as Evidence
In a network forensic investigation, log files help lead the investigators to the perpetrator. Log files contain valuable data about all the activities performed on the system, and different sources on a network or device, such as operating systems, IDS, and firewalls, each produce their own log files. Comparing and correlating the log events from these sources helps the investigators deduce how the intrusion occurred. Log files collected as evidence need to comply with certain laws to be admissible in court; additionally, expert testimony is required to prove that the logs were collected and maintained in an admissible manner.
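The postmortem analysis described earlier and the correlation of log events from several sources described here can be shown in one worked example, added here and not part of the original article. It merges constructed firewall and sshd log lines (hypothetical sample data) into a single timeline, flags a source whose successful login follows a run of failed logins, and records a SHA-256 digest of the raw logs so the copy later produced can be shown to match what was analyzed; the function and field names are assumptions.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample logs (not a real capture): a perimeter firewall and the sshd log of host 10.0.0.5.
FIREWALL_LOG = """\
2024-03-01T02:14:05 fw ACCEPT src=198.51.100.7 dst=10.0.0.5 dport=22
2024-03-01T02:14:06 fw ACCEPT src=10.0.0.9 dst=10.0.0.5 dport=22
"""
AUTH_LOG = """\
2024-03-01T02:14:07 sshd Failed password for admin from 198.51.100.7 port 40122
2024-03-01T02:14:09 sshd Failed password for admin from 198.51.100.7 port 40123
2024-03-01T02:14:11 sshd Failed password for root from 198.51.100.7 port 40124
2024-03-01T02:14:12 sshd Accepted password for deploy from 10.0.0.9 port 51020
2024-03-01T02:14:14 sshd Accepted password for admin from 198.51.100.7 port 40125
"""
FW_RE = re.compile(r"^(\S+) fw (\w+) src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"^(\S+) sshd (Failed|Accepted) password for (\S+) from (\S+)")

def parse_events(fw_text, auth_text):
    """Normalise both sources into (time, src_ip, source, detail) tuples and merge them by time."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            t, action, src, dst, port = m.groups()
            events.append((datetime.fromisoformat(t), src, "firewall", f"{action} to {dst}:{port}"))
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            t, result, user, src = m.groups()
            events.append((datetime.fromisoformat(t), src, "sshd", f"{result} login as {user}"))
    return sorted(events)

def find_bruteforce_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Return {src_ip: timeline} for sources whose accepted login follows >= min_failures failures in window."""
    by_src = {}
    for ev in events:
        by_src.setdefault(ev[1], []).append(ev)
    flagged = {}
    for src, evs in by_src.items():
        fails = [e[0] for e in evs if e[3].startswith("Failed")]
        for acc in (e for e in evs if e[3].startswith("Accepted")):
            if sum(acc[0] - window <= f < acc[0] for f in fails) >= min_failures:
                flagged[src] = evs  # the full per-source timeline, firewall and sshd events together
                break
    return flagged

def evidence_digest(text):
    """SHA-256 of the raw log text, taken before analysis so the original can be shown to be unaltered."""
    return hashlib.sha256(text.encode()).hexdigest()
```

The flagged timeline for a source starts with the firewall ACCEPT and ends with the accepted login, which is the cross-source picture a single log cannot give.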
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092