- Practical Windows Forensics
- Ayman Shaaban, Konstantin Sapronov
- 2025-02-17 15:50:30
Network-based data collection
Nowadays it is hard to find a computer without a network connection, and in an enterprise environment it is almost impossible. Network connections reflect the interaction of computers with the outside world, and the network is also the main source of threats. Today the Internet is a very hostile environment: threats of every level, from spam to APT, often reach computers via the network.
So, in almost every incident the computers involved have network activity related to the incident; common examples are receiving an e-mail with a malicious attachment or visiting a malicious URL. However, host-based evidence alone is sometimes not enough to get the whole picture of an incident. In such cases, network-based evidence can help a lot.
Network forensics is a vast topic, and we won't cover all of it. In this chapter we just want to look at it as an additional source of evidence. There are many kinds of network-based evidence, but we will focus on network traffic acquisition.
Forensic investigators can capture network traffic from physical media, such as cables or the air, and from network devices, such as switches or hubs.
We will now give a short introduction to this topic so that we understand how network traffic can be collected.
Hubs
Hubs are simple network devices that connect all the devices of a local subnet. They have no functionality beyond physically connecting those devices.
When a hub receives a network frame, it retransmits it on all of its other ports. Thus every device connected to the hub receives all traffic, including traffic destined for other devices. In a hub-based network it is therefore simple to capture traffic from a given network segment. Note that some manufacturers label devices as hubs that are in reality switches.
The most reliable way to find out what kind of device you are dealing with is to connect a station to it, put the station's network interface into promiscuous mode, and capture traffic with tcpdump or a similar utility. If you see only broadcast traffic and packets addressed to your own station, you are dealing with a switch. If the traffic also contains packets addressed to other stations, you have a hub.
Investigators should be careful when they use hubs to capture traffic. The investigator sees all traffic, but so does everybody else on the local network: a compromised system could act as a passive sniffer and eavesdrop on all transferred data, so any investigator activity and data on the network could be intercepted. Using an already installed hub is therefore fine, but installing a new one to capture network traffic brings new risks.
Switches
Switches are the most prevalent network devices used to build local networks. Like hubs, they connect network devices into the network; unlike hubs, however, they use software to keep track of which stations are connected to which ports. This information is kept in the CAM table. When the switch receives a new frame, it forwards it only to the port indicated by the CAM table, so each station receives only its own traffic.
Investigators can often capture network traffic on switches because most of them can replicate traffic from one or several ports to another port for aggregation and analysis. Vendors use different terms for this; the most widely used are SPAN (Switched Port Analyzer) and RSPAN (Remote SPAN), and sometimes the term port mirroring is used. Switches also have different hardware capacities, and port mirroring is limited by the physical capacity of the device. Consider this example: we have a 100 Mbps switch and want to mirror four ports to a fifth one. With an average load of 50 Mbps on each port, the load on the mirror port will be 200 Mbps, far beyond the capacity of any single port. Some packets will therefore be dropped in the process.
Note that the SPAN-port approach can therefore alter the collected traffic. There is one more method to capture traffic: a network tap.
A network tap is placed between a station and the switch and can see and capture all traffic for that host. Taps duplicate all traffic, including corrupted packets and anything else on the wire, so this approach is more suitable for forensics.
After we have chosen the method we will use to capture the traffic, we need some software. A common solution is the libpcap library and the software based on it, including tcpdump, Wireshark, and so on.
There are two main approaches to using such software: filtering during capture, or capturing all data and filtering it later.
In some cases filtering during collection is a good idea, for instance if you have limited storage space to keep the traffic. On the other side, libpcap has a very powerful filtering capability called the Berkeley Packet Filter (BPF). Using BPF filters we control which traffic is captured and which is dropped. If you know exactly what you want to capture, this approach can save a lot of time and resources. BPF can filter traffic by comparing fields of the protocols at layers 2, 3, and 4. The BPF language also has a number of built-in primitives: host id, dst host id, src host id, net id, dst net id, src net id, ether id, dst ether id, src ether id, port id, dst port id, src port id, gateway id, ip proto id, ether proto id, tcp, udp, icmp, and arp. You can find more in the pcap-filter manual page.
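The hub-or-switch check described under Hubs and the "capture everything, filter later" approach with BPF-style primitives, as an added example that is not from the book or its authors. It reads a pcap with a minimal parser written for this example; the capturing station's MAC, every other address and the five-frame sample capture are constructed, and the filter is a toy re-implementation of a few primitives (tcp, udp, icmp, host and port with src/dst qualifiers, joined by "and"), not libpcap's compiler.

```python
"""Added example (not from the book or its authors): a minimal pcap reader used for
two checks the chapter describes: the hub-or-switch test (which stations the captured
frames are addressed to) and "capture everything, filter later" with a toy subset of
BPF primitives. The capturing station's MAC, every other address and the sample capture
are constructed; the pcap is built in memory, so neither tcpdump nor root is needed."""
import ipaddress
import struct

OUR_MAC = "00:11:22:33:44:55"      # assumed MAC of the capturing station (constructed)
BROADCAST = "ff:ff:ff:ff:ff:ff"
PCAP_MAGIC = 0xA1B2C3D4            # little-endian pcap, microsecond timestamps
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

def _mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def _mac_str(raw): return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, sport=0, dport=0):
    """Constructed Ethernet/IPv4 frame with a minimal TCP, UDP or ICMP header."""
    if proto == 6:      # TCP: ports, seq, ack, data offset, SYN flag, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == 17:   # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:               # ICMP echo request: type, code, checksum, id, seq
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x00" + ip + l4

def write_pcap(frames):
    """Serialise frames as a classic pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_frame(frame):
    """Extract MACs, IPv4 addresses, protocol number and L4 ports from one frame."""
    pkt = {"dst_mac": _mac_str(frame[0:6]), "src_mac": _mac_str(frame[6:12]), "src_ip": None,
           "dst_ip": None, "proto": None, "sport": None, "dport": None}
    if frame[12:14] == b"\x08\x00":                 # IPv4 only; ARP etc. keep the None fields
        ihl = (frame[14] & 0x0F) * 4
        pkt["proto"] = frame[23]
        pkt["src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))
        pkt["dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))
        if pkt["proto"] in (6, 17):                 # TCP and UDP both start with the two ports
            pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return pkt

def read_pcap(data):
    """Yield parsed packets from pcap bytes (little-endian magic only)."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic number")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield parse_frame(data[off:off + incl_len])
        off += incl_len

def classify_segment(packets, our_mac=OUR_MAC):
    """The chapter's hub-or-switch check: unicast frames for other stations imply a hub."""
    counts = {"own": 0, "broadcast": 0, "other": 0}
    for p in packets:
        if p["dst_mac"] == our_mac:
            counts["own"] += 1
        elif int(p["dst_mac"][:2], 16) & 1:         # group bit set: broadcast or multicast
            counts["broadcast"] += 1
        else:
            counts["other"] += 1
    return ("hub" if counts["other"] else "switch"), counts

def bpf_match(pkt, expr):
    """Toy BPF subset joined by 'and': tcp | udp | icmp | [src|dst] host A | [src|dst] port N."""
    for term in expr.split(" and "):
        words = term.split()
        qual = words.pop(0) if words[0] in ("src", "dst") else None
        kind = words[0]
        if kind in PROTO_NUMBERS:
            ok = pkt["proto"] == PROTO_NUMBERS[kind]
        elif kind in ("host", "port"):
            src, dst = (pkt["src_ip"], pkt["dst_ip"]) if kind == "host" else (pkt["sport"], pkt["dport"])
            value = words[1] if kind == "host" else int(words[1])
            ok = value in {"src": (src,), "dst": (dst,), None: (src, dst)}[qual]
        else:
            raise ValueError(f"unsupported primitive: {term}")
        if not ok:
            return False
    return True

def filter_capture(data, expr):
    """'Capture all, filter later': apply a BPF-style expression to a stored pcap."""
    return [p for p in read_pcap(data) if bpf_match(p, expr)]

SAMPLE_FRAMES = [  # constructed capture: one frame for us, one broadcast, three for another station
    build_frame(OUR_MAC, "00:aa:bb:cc:dd:01", "10.0.0.5", "10.0.0.2", 6, 443, 51000),
    build_frame(BROADCAST, "00:aa:bb:cc:dd:01", "10.0.0.5", "10.0.0.255", 17, 137, 137),
    build_frame("00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:01", "10.0.0.5", "10.0.0.9", 6, 51001, 80),
    build_frame("00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:01", "10.0.0.5", "10.0.0.9", 17, 5353, 53),
    build_frame("00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:01", "10.0.0.5", "10.0.0.9", 1),
]
SAMPLE_PCAP = write_pcap(SAMPLE_FRAMES)
```

classify_segment(read_pcap(SAMPLE_PCAP)) returns "hub" because three unicast frames are addressed to another station's MAC; on a real capture you would feed it the frames tcpdump wrote while the interface was in promiscuous mode. filter_capture(SAMPLE_PCAP, "tcp and dst port 80") keeps one of the five frames, which is the point about filtering at capture time: had that expression been given to the capture tool, the DNS and ICMP packets would never have been written to disk.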
Tcpdump
tcpdump is a tool to capture, filter, and analyze network traffic. Its main purpose is to capture traffic and either print it out or store it in a file. tcpdump captures the traffic bit for bit as it is transferred over the medium. We can use tcpdump to analyze traffic while troubleshooting a network; in that case you use BPF to prefilter. However, this approach is usually a good fit for initial triage only:

In forensic practice other approaches are more prevalent: tcpdump is used to capture traffic over long periods of time and store it in a file on disk for later analysis and correlation with other data.
tcpdump is a high-fidelity tool, but the quality of the captured traffic depends on the resources available on the host where it runs. For instance, its performance depends on CPU power: capturing packets is CPU-intensive, and if the CPU is overloaded, tcpdump will drop packets. In forensic cases we want to capture every packet, so this issue can be critical. On heavily loaded networks, storage space for the traffic is also an important question. As mentioned earlier, you can filter the traffic and keep only the useful information.
Although filtering saves resources such as CPU, disk space, and bandwidth, it should be applied carefully, because excessive filtering can cause a loss of evidence.
Wireshark
One more popular utility for capture and traffic analysis is Wireshark:

Wireshark has an easy-to-use graphical user interface, so it is a good tool for beginners in network forensics. It also has many features for filtering, decrypting, and analyzing network traffic, which makes it a must-have tool for any network investigator. Wireshark can capture traffic from any interface on the system, provided you have the necessary permissions, display it in real time, and store it in a file on disk.
A few useful command-line tools are also distributed together with Wireshark.
Tshark
Tshark is the CLI version of Wireshark. It has almost the same functionality and works with the same file formats:

Dumpcap
Another useful tool from the Wireshark kit is Dumpcap. It is dedicated to capturing network packets and is therefore optimized for capture performance and consumes fewer system resources. If you plan to capture traffic and analyze it with Wireshark, Dumpcap is a good tool for the capture itself:
