Security
Reader small image

You're reading from  Digital Forensics and Incident Response

Product typeBook
Published inJul 2017
PublisherPackt
ISBN-139781787288683
Edition1st Edition
Tools
Wireshark
Concepts
Forensics
Right arrow
Author (1)
Gerard Johansen
Gerard Johansen
author image
Gerard Johansen

Gerard Johansen is an incident response professional with over 15 years' experience in areas like penetration testing, vulnerability management, threat assessment modeling, and incident response. Beginning his information security career as a cyber crime investigator, he has built on that experience while working as a consultant and security analyst for clients and organizations ranging from healthcare to finance. Gerard is a graduate of Norwich University's Master of Science in Information Assurance program and a certified information systems security professional. He is currently employed as a senior incident response consultant with a large technology company, focusing on incident detection, response, and threat intelligence integration.
Read more about Gerard Johansen

Right arrow

Chapter 3. Network Evidence Collection

The traditional focus of digital forensics has been to locate evidence on the host hard drive. Law enforcement officers interested in criminal activity such as fraud or child exploitation can find the vast majority of evidence required for prosecution on a single hard drive. In the realm of incident response though, it is critical that the focus goes far beyond a suspected compromised system. For example, there is a wealth of information to be obtained within the points along the flow of traffic from a compromised host to an external C2 server.

This chapter focuses on the preparation, identification, and collection of evidence that is commonly found among network devices and along the traffic routes within an internal network. This collection is critical during an incident where an external threat source is in the process of commanding internal systems or is in the process of pilfering data out of the network. Network-based evidence is also useful when...

Preparation

The ability to acquire network-based evidence is largely dependent on the preparations that are undertaken by an organization prior to an incident. Without some critical components of a proper infrastructure security program, key pieces of evidence will not be available for incident responders in a timely manner. The result is that evidence may be lost as the CSIRT members hunt down critical pieces of information. In terms of preparation, organizations can aid the CSIRT by having proper network documentation, up-to-date configurations of network devices, and a central log management solution in place.

Aside from the technical preparation for network evidence collection, CSIRT personnel need to be aware of any legal or regulatory issues in regards to collecting network evidence. CSIRT personnel need to be aware that capturing network traffic can be considered an invasion of privacy absent any other policy. Therefore, the legal representative of the CSIRT should ensure that all...

Network device evidence

There are a number of log sources that can provide CSIRT personnel and incident responders with good information. A range of manufacturers provides each of these network devices. As a preparation task, CSIRT personnel should become familiar on how to access these devices and obtain the necessary evidence:

  • Switches: These are spread throughout a network through a combination of core switches that handle traffic from a range of network segments and edge switches that handle the traffic for individual segments. As a result, traffic that originates on a host and travels out the internal network will traverse a number of switches. Switches have two key points of evidence that should be addressed by incident responders. First is the content addressable memory (CAM) table. This CAM table maps the physical ports on the switch to the Network Interface Card (NIC) on each device connected to the switch. Incident responders in tracing connections to specific network jacks can...

Packet capture

Capturing network traffic is critical to having a full understanding of an incident. Being able to identify potential C2 traffic IP addresses may provide further information about the type of malware that might have infected a host. In other types of incidents, CSIRT members may be able to identify potential exfiltration methods that an external threat actor is utilizing.

One method is to set up what is referred to as a network tap. A network tap is a system in-line with the compromised host and the switch. For example, in the network diagram, if the host that is compromised is on the 192.168.1.0/24 subnet, the tap should be placed in between the host and the switch. This often involves placing a system in between the host and the switch.

Another option is to configure a Switched Port Analyzer (SPAN) port. In this configuration, the switch closest to the compromised host will have port mirroring enabled. This then sends the traffic from the entire segment the switch is on to...

Evidence collection

In order to conduct a proper examination of log files and other network data such as packet captures, they often have to be moved from the log source and examined offline. As with any source of evidence, the log files or packet captures have to be handled with due care to ensure that they are not corrupted or modified during the transfer. One simple solution is to transfer the evidence immediately to a USB drive or similar removable medium. From there, a hash can be created for the evidence prior to any examination.

The acquisition of network evidence such as a packet capture or log file should be thoroughly documented. Incident response personnel may be acquiring log files and packet captures from a number of sources over the entire network. As a result, they should ensure that they can trace back every separate piece of evidence to its source as well as the date and time that the evidence was collected. This can be recorded in a network evidence log sheet and entries...

Summary

Evidence that is pertinent to incident responders is not just located on the hard drive of a compromised host. There is a wealth of information available from network devices spread throughout the environment. With proper preparation, a CSIRT may be able to leverage the evidence provided by these devices through solutions such as a SIEM. CSIRT personnel also have the ability to capture the network traffic for later analysis through a variety of methods and tools. Behind all of these techniques, though, are the legal and policy implications that CSIRT personnel and the organization at large needs to navigate. By preparing for the legal and technical challenges of network evidence collection, CSIRT members can leverage this evidence and move closer to the goal of determining the root cause of an incident and bringing the organization back up to operations.

This chapter discussed several sources of evidence available to incident response analysts. Logs from network devices, whether they...

lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 10 of 18
Next Chapter
You have been reading a chapter from
Digital Forensics and Incident Response
Published in: Jul 2017Publisher: PacktISBN-13: 9781787288683
© 2017 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at €14.99/month. Cancel anytime

Author (1)

author image
Gerard Johansen

Gerard Johansen is an incident response professional with over 15 years' experience in areas like penetration testing, vulnerability management, threat assessment modeling, and incident response. Beginning his information security career as a cyber crime investigator, he has built on that experience while working as a consultant and security analyst for clients and organizations ranging from healthcare to finance. Gerard is a graduate of Norwich University's Master of Science in Information Assurance program and a certified information systems security professional. He is currently employed as a senior incident response consultant with a large technology company, focusing on incident detection, response, and threat intelligence integration.
Read more about Gerard Johansen

Other recommended products

Related to this chapter

Digital Forensics and Incident Response

Digital Forensics and Incident Response

An understanding of how digital forensics integrates with the overall response to cybersecurity incidents is a must for all organizations. This book offers concrete and detailed guidance on how to conduct the full spectrum of incident response and digital forensic activities.

BookJan 2020448 pages
Digital Forensics with Kali Linux

Digital Forensics with Kali Linux

Kali Linux is used mainly for penetration testing and digital forensics. This book will help you explore and unleash the tools available in Kali Linux for effective digital forensics investigations. Using practical examples, you will be able to make the most of forensics process such as investigation, evidence acquisition, and analysis.

BookDec 2017274 pages
Digital Forensics with Kali Linux

Digital Forensics with Kali Linux

Kali Linux is considered as a reliable source for penetration testing and digital forensics. This book will give readers hands-on experience in utilizing Kali Linux tools to implement all the pillars of digital forensics such as acquisition, extraction, analysis, and presentation.

BookApr 2020334 pages
Windows Forensics Cookbook

Windows Forensics Cookbook

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. Whether talking about digital forensics conducted by law enforcement or a corporate security department, the simple fact is that forensics is difficult and there are always challenges to be faced.

BookAug 2017274 pages
Learn Computer Forensics

Learn Computer Forensics

Computer forensics touches on a lot of skills - from answering legal or investigative questions to preparing for an investigation, evidence acquisition, and more. The goal of this book is to acquaint you with some of the forensic tools and techniques to successfully investigate cybercrimes, and become a proficient computer forensics investigator.

BookApr 2020368 pages
Practical Cyber Intelligence

Practical Cyber Intelligence

Cyber intelligence is the missing link between your cyber defense operation teams, threat intelligence, and IT operations to provide your organization with a full spectrum of defensive capabilities. This book kicks off with the need for cyber intelligence and why it is required in terms of a defensive framework.

BookMar 2018322 pages
Cisco Certified CyberOps Associate 200-201 Certification Guide

Cisco Certified CyberOps Associate 200-201 Certification Guide

The Cisco Certified CyberOps Associate 200-201 certification exam helps you gain the skills and knowledge needed to prevent, detect, analyze, and respond to cybersecurity incidents. This book offers complete up-to-date coverage of the 200-201 exam so you can confidently pass first time while getting hands-on cybersecurity experience.

BookJun 2021660 pages
Information Security Handbook

Information Security Handbook

Having an information security mechanism is one of the most crucial factors for any organization. Important assets of organization demand a proper risk management and threat model for security, and so information security concepts are gaining a lot of traction. This book covers the concept of information security, and shows you why it’s important.

BookDec 2017330 pages
Hands-On Network Forensics

Hands-On Network Forensics

In the era of network attacks and malware threat, it becomes important to have skills to investigate the attack evidence and vulnerabilities prevailing in the network. This book focuses on how to acquire and analyze the evidence, write a report and use the common tools in network forensics.

BookMar 2019358 pages1
Hands-On Network Forensics

Hands-On Network Forensics

In the era of network attacks and malware threat, it becomes important to have skills to investigate the attack evidence and vulnerabilities prevailing in the network. This book focuses on how to acquire and analyze the evidence, write a report and use the common tools in network forensics.

BookMar 2019358 pages3
Incident Response in the Age of Cloud

Incident Response in the Age of Cloud

This book is a comprehensive guide for organizations on how to prepare for cyber-attacks and control cyber threats and network security breaches in a way that decreases damage, recovery time, and costs, facilitating the adaptation of existing strategies to cloud-based environments.

BookFeb 2021622 pages
Learning Android Forensics

Learning Android Forensics

This book will introduce you to Android forensics helping you to set up a forensic environment, handle mobile evidence, analyze how and where common applications store their data. You will also learn to identify malware on a device, and how to analyze it.

BookDec 2018328 pages

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages
Automotive Cybersecurity Engineering Handbook

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages
Cloud Penetration Testing for Red Teamers

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5
Burp Suite Cookbook

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages
Building and Automating Penetration Testing Labs in the Cloud

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages
Ethical Hacking Workshop

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages
Windows Forensics Analyst Field Guide

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages
Implementing DevSecOps Practices

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages