To
break it down, data is data. If a suspect downloads illegal pictures or
movies, that data is broken into packets, carried across the network, and
reassembled on the receiving system for the user to access. If you record
the network traffic, every file transferred can be rebuilt on any other
system, as long as the capture holds every packet of the session (a stream
with packets missing rebuilds with holes, and an encrypted download such as
HTTPS rebuilds as ciphertext unless you also hold the session keys). If you
are lucky enough to have full packet capture on your network, you can
rebuild everything. The simple reality is that most organizations do not
want to spend the resources, because it is very expensive. Imagine a network
of twenty systems each downloading ten gigs in one day: the downloads alone
are two hundred gigs, and with the normal noise of the network the day's
capture would be well over that. All of it then has to be stored for
analysis, which is where the cost comes in. That is why most organizations
do not log everything. They only log the red flag events.
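The reassembly described above, as an added example that is not from the original post: a stand-alone Python script that rebuilds one direction of a TCP stream from captured segments, tolerates out-of-order, duplicated and overlapping segments, reports any hole the capture never saw instead of guessing, and hashes the result so it can be matched against a known-file list. The endpoints, sequence numbers and the "file" are constructed here; a real run would take the segments from a pcap (Wireshark's Follow TCP Stream does the same job interactively).

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment. Constructed for this example, not read
    from a real pcap; a pcap parser would fill in the same four fields."""
    src: str        # "ip:port" of the sender (constructed address)
    dst: str        # "ip:port" of the receiver (constructed address)
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments, first_seq):
    """Rebuild one direction of a TCP stream from its captured segments.

    first_seq is the sequence number of the first data byte. Segments may
    be out of order, duplicated, or partially overlapping (retransmissions);
    a hole (a segment the capture never saw) is reported and zero-filled so
    later offsets stay correct, never silently guessed.
    """
    data = bytearray()
    holes = []
    nxt = first_seq                       # next sequence number we expect
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= nxt:
            continue                      # pure retransmission, already have it
        if seg.seq > nxt:
            holes.append((nxt, seg.seq))  # bytes missing from the capture
            data.extend(b"\x00" * (seg.seq - nxt))
            nxt = seg.seq
        data.extend(seg.payload[nxt - seg.seq:])   # skip overlapping prefix
        nxt = end
    return bytes(data), holes


def rebuild_flows(capture):
    """Group segments by (src, dst) and reassemble each direction.

    Assumption: the capture contains the first data byte of each direction,
    so the lowest sequence number seen is the start of the stream.
    """
    flows = defaultdict(list)
    for seg in capture:
        flows[(seg.src, seg.dst)].append(seg)
    return {key: reassemble(segs, min(s.seq for s in segs))
            for key, segs in flows.items()}


def sha256_hex(data):
    """Hash of the rebuilt file, for matching against known-file hash lists."""
    return hashlib.sha256(data).hexdigest()


# Constructed "file": a JPEG-like header and trailer around filler text.
ORIGINAL = b"\xff\xd8\xff\xe0" + b"JFIF constructed sample image body " * 4 + b"\xff\xd9"
CLIENT, SERVER = "10.0.0.5:51234", "203.0.113.9:80"   # constructed endpoints


def build_capture(data, mss, first_seq, drop_index=None):
    """Simulate what a sniffer sees while SERVER sends `data` to CLIENT:
    segments of at most `mss` bytes arriving in reverse order, one exact
    duplicate, one retransmission cut on a different boundary, and
    optionally one segment lost before the sniffer (drop_index)."""
    segs = [Segment(SERVER, CLIENT, first_seq + i, data[i:i + mss])
            for i in range(0, len(data), mss)]
    seen = [s for i, s in enumerate(segs) if i != drop_index]
    overlap = Segment(SERVER, CLIENT, first_seq + 30, data[30:50])
    return list(reversed(seen)) + [segs[2], overlap]


if __name__ == "__main__":
    capture = build_capture(ORIGINAL, mss=20, first_seq=1000)
    rebuilt, holes = rebuild_flows(capture)[(SERVER, CLIENT)]
    print("rebuilt matches original:", rebuilt == ORIGINAL, "holes:", holes)
    print("sha256:", sha256_hex(rebuilt))
    _, holes = rebuild_flows(build_capture(ORIGINAL, 20, 1000, drop_index=3))[(SERVER, CLIENT)]
    print("with one segment lost before the sniffer, holes:", holes)
```

The hole list is the part to look at in an investigation: a file that rebuilds with holes cannot be hashed against a known-bad list, and zero-filling is only there to keep the surviving bytes at their correct offsets for carving.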
Network
forensics also covers reviewing logs from network devices such as
routers, intrusion detection systems, firewalls, proxies, etc.
Each network interface has a hardware fingerprint (the MAC address) and
each Internet connection has an Internet fingerprint (the IP address). They
are not equally useful. The MAC address only travels as far as the local
network segment (every router strips it and puts on its own), so it
identifies a machine on your own LAN and, through its first three bytes
(the OUI), the maker of the network card; it cannot be traced across the
Internet, and many phones and laptops now randomize it anyway. The public
IP address can be traced to the organization or ISP that holds the address
block and, with legal process served on that ISP, to a subscriber. The
website arin.net, the American Registry for Internet Numbers, is a good
place to start for North American addresses; the other regional registries
(RIPE NCC, APNIC, LACNIC and AFRINIC) cover the rest of the world, and a
whois or RDAP query tells you which one holds a given block. Keep in mind
that a NAT gateway puts many users behind one public IP, so an address plus
a timestamp identifies a subscriber at best, never a person on its own.
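An added example (not from the original post) of what the two addresses actually give you: a Python script that builds the RDAP query the registries answer, pulls the allocated block and the abuse and registrant contacts out of a registry response, and checks whether a MAC address even carries a usable vendor prefix. The RDAP document, the OUI table and the sample addresses are constructed (TEST-NET-3 range, invented names; the one real OUI entry is VMware's); fetch_rdap is the only function that touches the network and the demo does not call it.

```python
import ipaddress
import json
import urllib.request

# Constructed stand-in for the IEEE OUI registry (oui.csv). Only the VMware
# prefix is a real registry entry; a real tool loads the whole file.
OUI_TABLE = {"00:50:56": "VMware, Inc."}


def rdap_url(ip, base="https://rdap.arin.net/registry"):
    """Build the RDAP query for an IP. ARIN serves its own allocations;
    https://rdap.org/ip/<ip> is a bootstrap redirector that sends any
    address to the registry responsible for it."""
    addr = ipaddress.ip_address(ip)   # raises ValueError on garbage input
    return f"{base}/ip/{addr}"


def fetch_rdap(ip):
    """Live lookup (network access required; not used by the offline demo)."""
    with urllib.request.urlopen(rdap_url(ip), timeout=10) as resp:
        return json.load(resp)


def summarize_network(doc):
    """Pull the attribution facts out of an RDAP IP-network object:
    the allocated block, its name, and every contact with its roles."""
    contacts = []

    def walk(entities):
        for ent in entities:
            name = email = None
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    name = prop[3]
                elif prop[0] == "email":
                    email = prop[3]
            contacts.append((tuple(ent.get("roles", [])), name, email))
            walk(ent.get("entities", []))     # contacts nest under orgs

    walk(doc.get("entities", []))
    return {
        "block": f'{doc["startAddress"]}-{doc["endAddress"]}',
        "name": doc.get("name"),
        "contacts": contacts,
    }


def classify_mac(mac):
    """What a MAC address can and cannot tell you.

    The first three bytes are the OUI (vendor). Bit 0 of the first byte
    marks a multicast address and bit 1 a locally administered one, which
    is what randomized MACs on phones and laptops set, so an OUI lookup on
    those is meaningless. None of this survives past the first router.
    """
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    first = int(octets[0], 16)
    local = bool(first & 0x02)
    return {
        "multicast": bool(first & 0x01),
        "locally_administered": local,
        "vendor": None if local else OUI_TABLE.get(":".join(octets[:3])),
    }


# Constructed RDAP answer in the shape a registry returns (addresses are
# the TEST-NET-3 documentation range, names and emails are invented).
SAMPLE_RDAP = {
    "handle": "NET-203-0-113-0-1",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "name": "EXAMPLE-ISP-NET",
    "entities": [{
        "handle": "EXISP",
        "roles": ["registrant"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example ISP Inc."]]],
        "entities": [{
            "handle": "ABUSE1",
            "roles": ["abuse"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "Abuse Desk"],
                                     ["email", {}, "text", "abuse@example.net"]]],
        }],
    }],
}

if __name__ == "__main__":
    print(rdap_url("203.0.113.9"))
    print(summarize_network(SAMPLE_RDAP))
    print(classify_mac("00:50:56:ab:cd:ef"))
    print(classify_mac("e2:11:22:33:44:55"))
```

The abuse contact is the one you actually use: it is who receives a preservation request or subpoena for the subscriber behind the address, and the registry never holds that subscriber's identity itself.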
Some of the information that can be found in a capture:
• Passwords and keys (email, bank accounts, etc., where the protocol sends them in the clear)
• Internet activity (web browsing, email, chat, etc.)
• Files downloaded (hacker tools, pirated software, etc.)
• Malware (rootkits, trojans, worms, viruses, botnet traffic, etc.)
• Cyber-attacks (denial of service, buffer overflows, SQL injection, traffic to known bad IP addresses, etc.)
• Basically anything that touches your network