Chapter 4. Using Python for Network Forensics
In this chapter, we focus on the parts of a forensic investigation that are specific to the network layer. We use one of the most widely used Python packages for manipulating and analyzing network traffic (Scapy) as well as a more recently released open source framework from the U.S. Army Research Laboratory (Dshell). For both toolkits, we have selected examples that surface interesting evidence. This chapter covers the following:
How to search for IOCs (indicators of compromise) in network traffic
How to extract files from captured traffic for further analysis
How to monitor which files are accessed over Server Message Block (SMB)
How to build your own port scanner
Using Dshell during an investigation
Dshell is a Python-based network forensic analysis toolkit developed by the U.S. Army Research Laboratory and released as open source at the end of 2014. It makes forensic investigations at the network layer considerably easier because it ships with a large number of decoders that can be used out of the box. Some of these decoders are as follows:
dns: Extracts and summarizes DNS queries/responses
reservedips: Identifies DNS resolutions that fall into reserved IP address space
large-flows: Lists the netflows that have transferred at least 1 MB
rip-http: Extracts the files from the HTTP traffic
protocols: Identifies non-standard protocols
synrst: Detects failed attempts to connect (SYN followed by a RST/ACK)
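The check behind the synrst decoder is small enough to implement by hand, and it is worth doing once, because a run of SYNs each answered by RST/ACK is exactly what a port scan (such as the one built with Scapy later in this chapter) looks like from the defender's side of the wire. The following is an added example, not code from the chapter or from the Dshell project: it uses only the Python standard library, so it runs without Dshell or Scapy, builds a small constructed pcap in memory (the hosts 10.0.0.5, 10.0.0.20 and 10.0.0.7, the ports and the timestamps are made up), applies the decoder's logic to it, and then groups the refused ports per scanner/target pair.

```python
"""Stand-alone re-implementation of the check behind Dshell's synrst decoder: a SYN
answered by RST/ACK is a failed connect, and many of them from one host are the trace a
port scanner leaves. Added example, not Dshell's or the chapter's code; standard library
only, so it runs without Dshell or Scapy. The capture is constructed inline (hosts, ports
and timestamps are made up)."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_BE, PCAP_MAGIC_LE = 0xA1B2C3D4, 0xD4C3B2A1   # microsecond pcap, either byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Ethernet/IPv4/TCP frame, no payload; MACs arbitrary, checksums left zero (unchecked here)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def write_pcap(frames):
    """Serialise frames as a big-endian libpcap file, one second apart."""
    out = struct.pack("!IHHiIII", PCAP_MAGIC_BE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("!IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_pcap_frames(data):
    """Yield (timestamp, frame) from a microsecond-resolution pcap in either byte order."""
    magic, = struct.unpack_from("!I", data, 0)
    order = {PCAP_MAGIC_BE: "!", PCAP_MAGIC_LE: "<"}.get(magic)
    if order is None:
        raise ValueError("unsupported pcap magic %#x (pcapng/nanosecond not handled)" % magic)
    if struct.unpack_from(order + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, offset)
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len

def parse_tcp(frame):
    """(src, dst, sport, dport, flags) for an untagged IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None                        # non-IPv4 or VLAN-tagged (0x8100) frames are skipped
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != socket.IPPROTO_TCP or len(ip) < ihl + 14:
        return None
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, ip[ihl + 13]

def find_failed_connects(pcap_bytes):
    """synrst logic: SYN A:p -> B:q later answered by RST/ACK B:q -> A:p.
    Returns one (scanner, target, target_port, seconds_until_reset) tuple per hit."""
    pending = {}                           # (src, dst, sport, dport) of bare SYNs -> timestamp
    hits = []
    for ts, frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        if flags & TCP_SYN and not flags & TCP_ACK:        # a SYN, not a SYN/ACK
            pending[(src, dst, sport, dport)] = ts
        elif flags & TCP_RST and flags & TCP_ACK:
            syn_key = (dst, src, dport, sport)              # the reset travels the opposite way
            if syn_key in pending:                          # resets without a SYN are ignored
                hits.append((dst, src, sport, ts - pending.pop(syn_key)))
    return hits

def summarize_scans(hits, threshold=3):
    """Refused ports per (scanner, target); pairs with fewer than threshold ports are dropped."""
    refused = defaultdict(set)
    for scanner, target, port, _delay in hits:
        refused[(scanner, target)].add(port)
    return {pair: sorted(ports) for pair, ports in refused.items() if len(ports) >= threshold}

def sample_capture():
    """Constructed capture: 10.0.0.5 probes 10.0.0.20, 10.0.0.7 is an ordinary client."""
    scanner, target, client = "10.0.0.5", "10.0.0.20", "10.0.0.7"
    frames = []
    for i, port in enumerate((21, 23, 445, 8080)):          # closed ports: SYN then RST/ACK
        frames.append(build_tcp_frame(scanner, target, 40000 + i, port, TCP_SYN))
        frames.append(build_tcp_frame(target, scanner, port, 40000 + i, TCP_RST | TCP_ACK))
    frames.append(build_tcp_frame(scanner, target, 40010, 80, TCP_SYN))          # open port 80:
    frames.append(build_tcp_frame(target, scanner, 80, 40010, TCP_SYN | TCP_ACK))  # full handshake
    frames.append(build_tcp_frame(scanner, target, 40010, 80, TCP_ACK))
    frames.append(build_tcp_frame(client, target, 51000, 443, TCP_SYN))          # benign client
    frames.append(build_tcp_frame(target, client, 443, 51000, TCP_SYN | TCP_ACK))
    frames.append(build_tcp_frame(target, client, 22, 51001, TCP_RST | TCP_ACK))  # reset with no SYN
    return write_pcap(frames)

if __name__ == "__main__":                 # replace sample_capture() with open(path, "rb").read()
    hits = find_failed_connects(sample_capture())
    for (scanner, target), ports in summarize_scans(hits).items():
        print(f"possible scan: {scanner} probed closed ports {ports} on {target}")
```

On the constructed capture only the four refused probes from 10.0.0.5 are reported; the completed handshake on port 80, the client's connection to 443, and the stray reset with no preceding SYN are all left out, which is the same distinction the decoder draws. The reader accepts both byte orders of the classic pcap format but not pcapng, and ignores VLAN-tagged frames, so a real capture may need to be converted or stripped first.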
Dshell can be installed in our lab environment by cloning the sources from GitHub at https://github.com/USArmyResearchLab/Dshell and running install-ubuntu.py. This script will automatically download the...
Using Scapy during an investigation
Another great Python-based tool for analyzing and manipulating network traffic is Scapy. According to the developer website, http://www.secdev.org/projects/scapy/:
"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more."
Scapy differs from the standard tools (and also from Dshell) in that it gives an investigator the ability to write small Python scripts that manipulate or analyze network traffic, either from a recording or in real time. Furthermore, deep packet dissection, passive OS fingerprinting, and plotting via third-party tools such as GnuPlot are already available as built-in features.
The following Python script, which is taken from Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis, SANS Institute InfoSec Reading...
This chapter provided an overview of the domains of network-based forensic investigation, with examples using Dshell and Scapy. We demonstrated how to search for suspicious HTTP connections (such as file downloads) and for data leaked through the SMB protocol with Dshell. In the second section, we created our own port scanner with the help of Scapy and used it to gather more information about potentially compromised systems.
Having discussed forensic algorithms, Windows and Unix systems, and the network layer, the following chapter deals with virtualized systems and hypervisors, which are becoming an important part of every company.