Network Forensics Overview

Introduction: Start with the basics

Most attacks move through the network before hitting the target, and they leave some trace on the way. According to Locard's exchange principle, "every contact leaves a trace," even in cyberspace.

Network forensics is a science that centers on the discovery and retrieval of information surrounding a cybercrime within a networked environment. Common forensic activities include the capture, recording and analysis of events that occurred on a network in order to establish the source of cyberattacks.

Network forensics can be particularly useful in cases of network leakage, data theft or suspicious network traffic. It focuses predominantly on the investigation and analysis of traffic in a network that is suspected to be compromised by cybercriminals (e.g., DDoS attacks or cyber exploitation).

Gaining access to the networks an attack traversed, as a thorough investigation requires, may be difficult. Most of those networks are owned and operated by parties outside the network that was attacked, and the investigation becomes particularly hard when the trace leads to a network in a foreign country.

Data enters the network en masse but is broken up into smaller pieces called packets before traveling through the network. To understand network forensics, one must first understand internet fundamentals such as the common software used for communication and search (email clients, VoIP services and browsers). One must also know what ISPs, IP addresses and MAC addresses are.

Identification of attack patterns requires investigators to understand application and network protocols. Applications and protocols include:

  • Web protocols (e.g., HTTP and HTTPS)
  • File transfer protocols (e.g., Server Message Block/SMB and Network File System/NFS)
  • Email protocols (e.g., Simple Mail Transfer Protocol/SMTP)
  • Network protocols (e.g., Ethernet, Wi-Fi and TCP/IP)

Investigators spot traffic anomalies more easily when a cyberattack starts, because the activity deviates from the norm established by everyday traffic.
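The baseline-versus-observed comparison described above, as an added example that is not part of the original post: per host and destination port, normal traffic is profiled, and flows that hit a port the host never used before or whose volume sits far above the usual level are flagged. The hosts, ports, byte counts and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (src_ip, dst_port, bytes_sent); not real data.
BASELINE = [
    ("10.0.0.5", 443, 1200), ("10.0.0.5", 443, 1350), ("10.0.0.5", 443, 1100),
    ("10.0.0.5", 443, 1250), ("10.0.0.5", 25, 4000), ("10.0.0.5", 25, 4200),
    ("10.0.0.7", 445, 9000), ("10.0.0.7", 445, 8700), ("10.0.0.7", 445, 9100),
]
# Flows observed during the suspected incident (also constructed).
OBSERVED = [
    ("10.0.0.5", 443, 1300),   # ordinary HTTPS volume
    ("10.0.0.5", 25, 95000),   # SMTP transfer far above this host's norm
    ("10.0.0.5", 2049, 500),   # NFS from a host that never used NFS before
    ("10.0.0.7", 445, 8900),   # ordinary SMB volume
]

def build_baseline(flows):
    """Per (src, port): mean and population std-dev of bytes in normal traffic."""
    groups = defaultdict(list)
    for src, port, nbytes in flows:
        groups[(src, port)].append(nbytes)
    return {key: (mean(v), pstdev(v)) for key, v in groups.items()}

def find_anomalies(baseline, flows, z=3.0, min_margin=500):
    """Return (flow, reason) pairs for flows that deviate from the baseline.

    A flow is anomalous if its (src, port) pair never appeared in the baseline,
    or if its byte count exceeds mean + z*stdev. min_margin keeps a nearly
    constant series from producing a zero-width band that flags everything.
    """
    anomalies = []
    for flow in flows:
        src, port, nbytes = flow
        key = (src, port)
        if key not in baseline:
            anomalies.append((flow, "new destination port for this host"))
            continue
        mu, sigma = baseline[key]
        if nbytes > mu + max(z * sigma, min_margin):
            anomalies.append((flow, f"volume {nbytes} bytes vs baseline mean {mu:.0f}"))
    return anomalies

if __name__ == "__main__":
    for flow, reason in find_anomalies(build_baseline(BASELINE), OBSERVED):
        print(flow, "->", reason)
```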

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Dimitar Kostadinov. Read the original post at: