Page count: 206
Year of publication: 2019
Copyright © 2019 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Gebin George
Content Development Editor: Abhishek Jadhav
Technical Editor: Aditya Khadye
Copy Editor: Safis Editing
Project Coordinator: Jagdish Prabhu
Proofreader: Safis Editing
Indexer: Priyanka Dhadke
Graphics: Tom Scaria
Production Coordinator: Shraddha Falebhai
First published: February 2019
Production reference: 1300319
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78934-452-3
www.packtpub.com
– Nipun Jaswal
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Nipun Jaswal is an International Cyber Security Author and an award-winning IT security researcher with a decade of experience in penetration testing, vulnerability research, surveillance and monitoring solutions, and RF and wireless hacking. He is currently working as an Associate Partner in Lucideus where he is leading services such as red teaming and vulnerability research along with other enterprise customer services. He has authored Metasploit Bootcamp and Mastering Metasploit, and co-authored the Metasploit Revealed set of books. In addition to this, he has authored numerous articles and exploits that can be found on popular security databases, such as Packet Storm and Exploit-DB. Please feel free to contact him at @nipunjaswal.
Charlie Brooks fell in love with the internet in 1978, and hasn't strayed far from it since. He has worked as a developer, technical lead, and software architect, developing network management, network performance analysis, and managed VPN services. Since 2005, he has worked as a course developer and instructor in data storage, network security analysis, and forensics.
Charlie has served as a technical reviewer for several books, including Network Forensics and the Network Analysis Using Wireshark Cookbook, and is also the author of the All-In-One CHFI Computer Hacking Forensic Investigator Certification Exam Guide. He holds an MS in Computer Information Systems from Boston University and holds the CISSP, CHFI, and CTT+ certifications.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Hands-On Network Forensics
Dedication
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Section 1: Obtaining the Evidence
Introducing Network Forensics
Technical requirements
Network forensics investigation methodology
Source of network evidence
Tapping the wire and the air
CAM table on a network switch
Routing tables on routers
Dynamic Host Configuration Protocol logs
DNS servers logs
Domain controller/authentication servers/system logs
IDS/IPS logs
Firewall logs
Proxy server logs
Wireshark essentials
Identifying conversations and endpoints
Identifying the IP endpoints
Basic filters
Exercise 1 – a noob's keylogger
Exercise 2 – two too many
Summary
Questions and exercises
Further reading
Technical Concepts and Acquiring Evidence
Technical requirements
The inter-networking refresher
Log-based evidence
Application server logs
Database logs
Firewall logs
Proxy logs
IDS logs
Case study – hack attempts
Summary
Questions and exercises
Further reading
Section 2: The Key Concepts
Deep Packet Inspection
Technical requirements
Protocol encapsulation
The Internet Protocol header
The Transmission Control Protocol header
The HTTP packet
Analyzing packets on TCP
Analyzing packets on UDP
Analyzing packets on ICMP
Case study – ICMP Flood or something else
Summary
Questions and exercises
Further reading
Statistical Flow Analysis
Technical requirements
The flow record and flow-record processing systems (FRPS)
Understanding flow-record processing systems
Exploring Netflow
Uniflow and bitflow
Sensor deployment types
Analyzing the flow
Converting PCAP to the IPFIX format
Viewing the IPFIX data
Flow analysis using SiLK
Viewing flow records as text
Summary
Questions
Further reading
Combatting Tunneling and Encryption
Technical requirements
Decrypting TLS using browsers
Decoding a malicious DNS tunnel
Using Scapy to extract packet data
Decrypting 802.11 packets
Decrypting using Aircrack-ng
Decoding keyboard captures
Summary
Questions and exercises
Further reading
Section 3: Conducting Network Forensics
Investigating Good, Known, and Ugly Malware
Technical requirements
Dissecting malware on the network
Finding network patterns
Intercepting malware for fun and profit
PyLocky ransomware decryption using PCAP data
Decrypting hidden tear ransomware
Behavior patterns and analysis
A real-world case study – investigating a banking Trojan on the network
Summary
Questions and exercises
Further reading
Investigating C2 Servers
Technical requirements
Decoding the Metasploit shell
Working with PowerShell obfuscation
Decoding and decompressing with Python
Case study – decrypting the Metasploit Reverse HTTPS Shellcode
Analyzing Empire C2
Case study – CERT.SE's major fraud and hacking criminal case, B 8322-16
Summary
Questions and exercises
Further reading
Investigating and Analyzing Logs
Technical requirements
Network intrusions and footprints
Investigating SSH logs
Investigating web proxy logs
Investigating firewall logs
A case study – defaced servers
Summary
Questions and exercises
Further reading
WLAN Forensics
Technical requirements
The 802.11 standard
Wireless evidence types
Using airodump-ng to tap the air
Packet types and subtypes
Locating wireless devices
Identifying rogue access points
Obvious changes in the MAC address
The tagged perimeters
The time delta analysis
Identifying attacks
Rogue AP attacks
Peer-to-peer attacks
Eavesdropping
Cracking encryption
Authentication attacks
Denial of service
Investigating deauthentication packets
Case study – identifying the attacker
Summary
Questions
Further reading
Automated Evidence Aggregation and Analysis
Technical requirements
Automation using Python and Scapy
Automation through pyshark – Python's tshark
Merging and splitting PCAP data
Splitting PCAP data on parameters
Splitting PCAP data in streams
Large-scale data capturing, collection, and indexing
Summary
Questions and exercises
Further reading
Other Books You May Enjoy
Leave a review - let other readers know what you think
Assessments
Chapter 1: Introducing Network Forensics
Chapter 6: Investigating Good, Known, and Ugly Malware
Chapter 7: Investigating C2 Servers
Chapter 9: WLAN Forensics
Network forensics is a subset of digital forensics that deals with network attacks and their investigation. In the era of network attacks and malware threats, it's now more important than ever to have the skills required to investigate network attacks and vulnerabilities.
Hands-On Network Forensics starts with the core concepts within network forensics, including coding, networking, forensics tools, and methodologies for forensic investigations. You'll then explore the tools used for network forensics, followed by understanding how to apply those tools to a PCAP file and write the accompanying report. In addition to this, you will understand how statistical flow analysis, network enumeration, tunneling and encryption, and malware detection can be used to investigate your network. Toward the end of this book, you will discover how network correlation works and how to bring all the information from different types of network devices together.
By the end of this book, you will have gained hands-on experience of performing forensic analysis tasks.
This book is aimed at incident responders, network engineers, analysts, forensic engineers, and network administrators who want to extend their knowledge beyond that of a beginner to a level where they understand the science behind network protocols and the critical indicators in an incident, and are able to conduct a forensic search over the wire.
Chapter 1, Introducing Network Forensics, lays the network forensics base for you and will focus on the key concepts that will aid in understanding network anomalies and behavior.
Chapter 2, Technical Concepts and Acquiring Evidence, focuses on developing some fundamental knowledge and insights into network forensics. This chapter will discuss the IP suite, the collection of evidence, and internetworking through hands-on practical exercises.
Chapter 3, Deep Packet Inspection, focuses on key concepts related to widely used protocols, such as Dynamic Host Configuration Protocol (DHCP), Simple Mail Transfer Protocol (SMTP), and Hyper Text Transfer Protocol (HTTP).
Chapter 4, Statistical Flow Analysis, demonstrates statistical flow analysis, flow collection and aggregation, and the protocols used to export flow records.
Chapter 5, Combatting Tunneling and Encryption, focuses on network tunneling, its concepts, and an analysis from the perspective of network forensics.
Chapter 6, Investigating Good, Known, and Ugly Malware, focuses on malware forensics over an infected network by making use of various tools and techniques. It discusses many modern malware examples, their modus operandi, and focuses on developing skills in investigating network behavior and patterns in relation to malware.
Chapter 7, Investigating C2 Servers, focuses on Command and Control (C2) servers, their execution over the network, widely used C2 ecosystems, and the most critical identifiers to look for while working with C2-based malware.
Chapter 8, Investigating and Analyzing Logs, primarily focuses on working with a variety of log types and gathering inputs to ultimately aid your network forensics exercises.
Chapter 9, WLAN Forensics, highlights critical concepts in relation to Wi-Fi forensics, and discusses various packet structures and sources of evidence while familiarizing you with finding rogue access points and identifying attack patterns.
Chapter 10, Automated Evidence Aggregation and Analysis, focuses on developing scripts, tools, segregation techniques, and methodologies for automation while processing a large evidence set. This chapter also highlights how to read network packets and PCAP files programmatically while automating manual techniques.
The book details practical forensic approaches and explains techniques in a simple manner. The content is organized in a way that allows a user who only has basic computer skills to examine a device and extract the required data. A Windows computer would be helpful to successfully repeat the methods defined in this book. Where possible, methods for all computer platforms are provided.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789344523_ColorImages.pdf.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.
This section focuses on the basics of network forensics while covering essential concepts, tools, and techniques involved in executing a network forensic investigation.
The following chapters will be covered in this section:
Chapter 1, Introducing Network Forensics
Chapter 2, Technical Concepts and Acquiring Evidence
Network forensics is one of the sub-branches of digital forensics where the data being analyzed is the network traffic going to and from the system under observation. The purposes of this type of observation include collecting information, obtaining legal evidence, establishing a root-cause analysis of an event, analyzing malware behavior, and so on. Professionals familiar with digital forensics and incident response (DFIR) know that even the most careful suspects leave traces and artifacts behind. But forensics generally also includes imaging the memory and hard drives of systems, which can be analyzed later. So, how does network forensics come into the picture? Why do we need to perform network forensics at all? Well, the answer to this question is relatively simple.
Let's consider a scenario where you are hunting for some unknown attackers in a massive corporate infrastructure containing thousands of systems. In such a case, it would be practically impossible to image and analyze every system. The following two scenarios would also be problematic:
Instances where the disk drives may not be available
Cases where the attack is in progress, and you may not want to tip off the attackers
Whenever an intrusion or a digital crime happens over the wire, whether it was successful or not, the artifacts left behind can help us understand and recreate not only the intent of the attack, but also the actions performed by the attackers.
If the attack was successful, what activities were conducted by the attackers on the system? What happened next? Generally, the most severe attacks, such as advanced persistent threats (APTs), ransomware, espionage, and others, start from a single instance of unauthorized entry into a network and then evolve into a long-term project for the attackers until the day their goals are met; however, throughout this period the information flowing in and out of the network passes through many different devices, such as routers, firewalls, hubs, switches, web proxies, and others. Our goal is to identify and analyze all these different artifacts. Throughout this chapter, we will discuss the following:
Network forensics methodology
Sources of evidence
A few necessary case studies demonstrating hands-on network forensics
To perform the exercises covered in this chapter, you will require the following:
A laptop/desktop computer with an i5/i7 processor or any other equivalent AMD processor with at least 8 GB RAM and around 100 GB of free space.
VMware Player/VirtualBox installation with Kali OS installed. You can download it from https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/.
Installing Wireshark on Windows: https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallWinInstall.html.
Netcat from Kali Linux (already installed).
Download NetworkMiner from https://www.netresec.com/?page=Networkminer.
The PCAP files for this chapter, downloaded from https://github.com/nipunjaswal/networkforensics/tree/master/Ch1.
Every investigation requires a precise methodology. We will discuss the popular network forensics methodology used widely across the industry in the next section.
To assure accurate and meaningful results at the end of a network forensic exercise, you, as a forensic investigator, must follow a rigid path through a methodological framework. This path is shown in the following diagram:
Obtain, Strategize, Collect, Analyze, and Report (OSCAR) is one such framework that ensures appropriate and consistent results. Let's look at each phase from a network forensics point of view:
Obtain information: Obtaining information about the incident and the environment is one of the first things to do in a network forensics exercise. The goal of this phase is to familiarize a forensic investigator with the type of incident. The timestamps and timeline of the event, the people, systems, and endpoints involved in the incident—all of these facts are crucial in building up a detailed picture of the event.
Strategize: Planning the investigation is one of the critical phases in a network forensics scenario, since logs from various devices can differ in their nature; for example, the volatility of log entries from a firewall compared with that of details such as the ARP cache of a system would be very different. A good strategy will affect the overall outcome of the investigation. Therefore, you should keep the following points in mind while strategizing the entire forensics investigation process:
Define clear goals and timelines
Find the sources of evidence
Analyze the cost and value of the sources
Prioritize acquisition
Plan timely updates for the client
Collect: In the previous phase, we saw how we need to strategize and plan the acquisition of evidence. In the collect phase, we go ahead and acquire the evidence as per the plan; however, collecting the evidence itself requires you to document all the systems that are accessed and used, to capture and save the data streams to the hard drive, and to collect logs from servers and firewalls. Best practices for evidence collection include the following:
Make copies of the evidence and generate cryptographic hashes for verifiability
Never work on the original evidence; use copies of the data instead
Use industry-standard tools
Document all your actions
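As an added example (not code from the book), the following Python script applies the collect-phase practices above: it copies the evidence file, hashes both the original and the copy with SHA-256, refuses to continue if they differ, and appends every action to a JSON-lines manifest that can be re-verified later. The file names, the analyst name, and the sample PCAP bytes are constructed for the demonstration.

```python
# Added example: copy, hash, verify and log evidence (OSCAR collect phase).
import datetime
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB PCAPs need not fit in RAM

# Constructed sample: a pcap global header (little-endian magic, v2.4, Ethernet
# link type) plus a few filler bytes; it stands in for a real capture file.
SAMPLE_PCAP = (b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 8
               + b"\xff\xff\x00\x00\x01\x00\x00\x00" + b"evidence")

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()

def log_action(manifest, **fields):
    """Append one timestamped JSON line describing an action to the manifest."""
    fields["time_utc"] = datetime.datetime.now(datetime.timezone.utc).isoformat()
    with open(manifest, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(fields) + "\n")
    return fields

def acquire(original, workdir, manifest, analyst):
    """Copy `original` into `workdir`, verify the copy by hash, record the action."""
    original, workdir = Path(original), Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    copy = workdir / original.name
    before = sha256_file(original)       # the original is only ever read
    shutil.copy2(original, copy)         # copy2 also preserves the original mtime
    after = sha256_file(copy)
    if before != after:
        raise RuntimeError(f"hash mismatch while copying {original}")
    return log_action(manifest, analyst=analyst, action="acquire",
                      original=str(original), working_copy=str(copy),
                      size=copy.stat().st_size, sha256=after)

def verify(manifest):
    """Re-hash every working copy in the manifest; False = missing or modified."""
    status = {}
    with open(manifest, encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            path = Path(entry["working_copy"])
            status[str(path)] = path.exists() and sha256_file(path) == entry["sha256"]
    return status

def run_demo():
    """Acquire the constructed sample, verify it, modify the copy, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "case42_capture.pcap"   # constructed original
        evidence.write_bytes(SAMPLE_PCAP)
        manifest = Path(tmp) / "manifest.jsonl"
        entry = acquire(evidence, Path(tmp) / "work", manifest, analyst="analyst1")
        clean = list(verify(manifest).values())
        with open(entry["working_copy"], "ab") as fh:
            fh.write(b"\x00")            # simulate an accidental modification
        tampered = list(verify(manifest).values())
        hash_ok = entry["sha256"] == hashlib.sha256(SAMPLE_PCAP).hexdigest()
        return hash_ok, clean, tampered

if __name__ == "__main__":
    print(run_demo())   # (True, [True], [False])
```

Re-running verify() before each analysis session catches a working copy that was modified or lost between sessions, which is what makes the manifest usable as part of the chain of custody.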
Analyze: The analysis phase is the core phase where you start working on the data and try your hand at the riddle. In this phase, you will make use of multiple automated and manual techniques using a variety of tools to correlate data from various sources, establish a timeline of events, eliminate false positives, and create working theories supported by evidence. We will spend most of the time in this book discussing the analysis of data.
Report: The report that you produce must be in layman's terms—that is, it should be understood by non-technical people, such as legal teams, lawyers, juries, insurance teams, and so on. The report should contain executive summaries backed by the technical evidence. This phase is considered one of the essential stages, since the previous four steps need to be explained in this one.
Network evidence can be collected from a variety of sources and we will discuss these sources in the next section. The sources that we will be discussing are:
Tapping the wire and the air
CAM table on a network switch
Routing tables on routers
Dynamic Host Configuration Protocol logs
DNS server logs
Domain controller/authentication servers/system logs
IDS/IPS logs
Firewall logs
Proxy Server logs
One of the purest and rawest forms of information capture is to put taps on copper and optical fiber network cables to snoop on traffic.
Many commercial vendors provide network taps and SPAN (port-mirroring) ports on their devices for snooping, where the device forwards a copy of all traffic seen on a particular port to the analyzer system. The technique is shown in the following diagram:
In the case of WLAN or Wi-Fi, captures can be performed by putting an external wireless adapter into promiscuous (monitor) mode and recording all the traffic for a particular wireless access point on a particular channel. This technique is shown in the following diagram:
Network switches contain content-addressable memory (CAM) tables that store the mapping between a system's MAC address and the switch's physical ports. In a large setup, this table becomes extremely handy, as it can pinpoint a MAC address on the network to the wall jack it is plugged into, since the mappings are to physical ports. Switches also provide port-mirroring capabilities, which allow investigators to see traffic from other VLANs and systems.
A router's routing table maps the router's interfaces to the networks that they connect. The following table is a routing table. These tables allow us to investigate the path that the network traffic takes while traveling through various devices:
Most routers have built-in packet filters and firewall capabilities as well. This means that they can be configured to log denied traffic, or certain types of traffic, traveling to and from the network.
Dynamic Host Configuration Protocol (DHCP
