
Collecting Network-based Evidence

 Collecting network-based evidence includes setting up a computer system to perform network monitoring, deploying the network monitor, and evaluating the effectiveness of the network monitor.

 The analysis of network-based evidence includes reconstructing the network activity, performing low-level protocol analysis, and interpreting the network activity.

4/11/2019 2
 Network monitoring is not intended to prevent attacks. Instead, it allows investigators to accomplish a number of tasks:
▼ Confirm suspicions surrounding a computer security incident.
■ Accumulate additional evidence and information.
■ Verify the scope of a compromise.
■ Identify additional parties involved.
■ Determine a timeline of events occurring on the network.

 Network monitoring can include several different types of data collection: 1. event monitoring, 2. trap-and-trace monitoring, and 3. full-content monitoring.

 Event Monitoring: Event monitoring is based on rules or thresholds employed on the network-monitoring platform. Events are simply alerts that something occurred on your network.
 Traditional events are generated by a network IDS, but events can also be created by network monitoring software like MRTG (Multi Router Traffic Grapher).

 The following is an example of event capture by Snort, an event data generator:
Outbound connection attempt from web server [**]
[Priority: 0]
02/10-14:21:34.668747 172.16.1.7:49159 -> 66.192.0.70:22
TCP TTL:64 TOS:0x0 ID:42487 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3B0BF3E1 Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 5255946 0

 Noncontent monitoring records the session or transaction data summarizing the network activity.
 Law enforcement refers to such noncontent monitoring as a pen register or a trap-and-trace.
 It typically includes the protocol, IP addresses, and ports used by a network communication.

 Session data does not care about the content of a conversation.
 Here is a sample of session data, generated by tcptrace, which is a tool that can summarize sessions. It shows four sessions from a web server listening on port 80:
1322 packets seen, 1302 TCP packets traced
elapsed wallclock time: 0:00:00.025971, 50902 pkts/sec analysed
trace file elapsed time: 0:06:23.119958
TCP connection info:
1: 172.16.1.128:1640 - 172.16.1.7:80 (a2b) 62> 93< (reset)
2: 172.16.1.128:1641 - 172.16.1.7:80 (c2d) 86> 132< (reset)
3: 172.16.1.6:49163 - 172.16.1.7:80 (e2f) 6> 6< (complete)
4: 172.16.1.6:49164 - 172.16.1.7:80 (g2h) 8> 8< (complete)
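To show how the event sample and the session sample fit together on the analysis side, here is an added Python example (not from the original slides) that parses a Snort alert block and tcptrace's connection lines into records, derives from the session data which hosts acted as servers, and flags an event in which such a server sends a bare SYN, that is, opens an outbound connection itself. The inputs are constructed copies of the two samples; the alert's leading "[**] [gid:sid:rev]" header is not on the page, so the parser reads only the message text from the first line.

```python
import re
from collections import defaultdict

# Constructed inputs in the shape of the page's samples: the Snort alert block
# (event data) and the tcptrace "TCP connection info" lines (session data).
SNORT_ALERT = """\
Outbound connection attempt from web server [**]
[Priority: 0]
02/10-14:21:34.668747 172.16.1.7:49159 -> 66.192.0.70:22
TCP TTL:64 TOS:0x0 ID:42487 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3B0BF3E1 Ack: 0x0 Win: 0xFFFF TcpLen: 40
"""
TCPTRACE_SESSIONS = """\
1: 172.16.1.128:1640 - 172.16.1.7:80 (a2b) 62> 93< (reset)
2: 172.16.1.128:1641 - 172.16.1.7:80 (c2d) 86> 132< (reset)
3: 172.16.1.6:49163 - 172.16.1.7:80 (e2f) 6> 6< (complete)
4: 172.16.1.6:49164 - 172.16.1.7:80 (g2h) 8> 8< (complete)
"""
SESSION_RE = re.compile(
    r"^\s*\d+:\s+(\S+):(\d+) - (\S+):(\d+) \(\w+\) (\d+)> (\d+)< \((\w+)\)", re.M)
# timestamp + endpoints line, the protocol line, then the 8-character TCP flag field
EVENT_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)\n\S+ .*\n([*A-Z]{8}) Seq:", re.M)

def parse_sessions(text):
    """tcptrace summary lines -> session records; no packet content is involved."""
    return [{"client": m[1], "cport": int(m[2]), "server": m[3], "sport": int(m[4]),
             "c2s_pkts": int(m[5]), "s2c_pkts": int(m[6]), "state": m[7]}
            for m in SESSION_RE.finditer(text)]

def server_roles(sessions):
    """Map each host that accepted connections to the set of ports it served."""
    roles = defaultdict(set)
    for s in sessions:
        roles[s["server"]].add(s["sport"])
    return dict(roles)

def parse_event(text):
    """Pull message, timestamp, endpoints and TCP flag string out of a Snort alert block."""
    m = EVENT_RE.search(text)
    return {"msg": text.splitlines()[0].replace("[**]", "").strip(), "time": m[1],
            "src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5]), "flags": m[6]}

def is_server_initiating(event, sessions):
    """True when a host seen as a server in the session data sends a bare SYN
    (flags ******S*), i.e. it is starting a new outbound connection itself."""
    return event["flags"] == "******S*" and event["src"] in server_roles(sessions)

if __name__ == "__main__":
    ev, sess = parse_event(SNORT_ALERT), parse_sessions(TCPTRACE_SESSIONS)
    print(server_roles(sess), ev["src"], "->", ev["dst"], is_server_initiating(ev, sess))
```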

 Full-content monitoring yields data that includes the raw packets collected from the wire.

 It offers the highest fidelity, because it represents the actual communication passed between computers on a network. Full-content data includes packet headers and payloads.

 The following is a sample packet captured in its entirety and displayed using tcpdump:

 Network diagnostic and troubleshooting hardware can capture data reliably and is usually the most efficient at capturing data at the full rate of the monitored network segment.
 Such hardware has drawbacks, however. For example, it lacks remote management capabilities and proper storage space, and it usually costs a lot of money.

 Setting up a sniffer box to perform network surveillance requires a bit of planning and preparation.

 Your ability to deploy a monitor may be affected by your network architecture, the bandwidth being monitored, and even external influences such as corporate politics or a limited budget.

 Creating a successful network surveillance system involves the following steps:
▼ Determine your goals for performing the network surveillance.
■ Ensure that you have the proper legal standing to perform the monitoring activity.
■ Acquire and implement the proper hardware and software.
■ Ensure the security of the platform, both electronically and physically.
■ Ensure the appropriate placement of the monitor on the network.
▲ Evaluate your network monitor.

 The first step to performing network surveillance is to know why you are doing it in the first place.
 Determine the goals of your network monitoring, because they will influence the hardware, software, and filters you use to collect evidence. Decide what you intend to accomplish, such as:
▼ Watch traffic to and from a specific host.
■ Monitor traffic to and from a specific network.
■ Monitor a specific person’s actions.
■ Verify intrusion attempts.
■ Look for specific attack signatures.
▲ Focus on the use of a specific protocol.
 You can buy a commercial system or build your own network monitor. The key issue is to ensure your system has the horsepower required to perform its monitoring function.

 Companies selling such sturdy boxes include Niksun, Sandstorm Enterprises, and Network Associates.

 These three specifications—CPU type, RAM amount, and hard drive—define your collection capabilities, and we’ll take a closer look at them in the following sections.

 The amount of hard drive space your system requires depends on the specificity of your filters and the amount of network traffic traversing the monitored segment.

 Hard drive space is getting cheaper, so splurge and get at least a 40GB drive on a laptop and an 80GB drive on a tower. The bottom line is that you should buy a big drive.

 On Internet-based networks, applying a trap-and-trace on your network means monitoring the IP headers and the TCP headers (or other Transport layer protocol header), without monitoring any content within the packets themselves.
 This is a nonintrusive way of determining the source of a network-based attack.
 Trap-and-trace monitors are extremely helpful in DoS cases, where they may provide the only evidence other than oral testimony that “the router crashed six times yesterday.”
 The following command line initiates a trap-and-trace using tcpdump with no filtering and prints the output to the screen:

[root@linux taps]# tcpdump
tcpdump: listening on eth0

 After you have your network monitor system set up, you are ready to begin full-content monitoring, collecting the raw packets from the network. The following command line begins the writing of packets to disk with tcpdump:
tcpdump -n -i dc0 -s 1514 -w /var/log/tcpdump/emergency_capture.lpc &

 Here is what the switches mean for modern tcpdump implementations (libpcap 3.6.2 and tcpdump 3.6.2 and newer):
▼ -n Do not resolve hostnames to IP addresses or ports to port names. This avoids seeing “www” instead of “80” as the port number.
■ -i dc0 Listen on interface dc0. The interface doesn’t need an IP address to capture packets. To bring up an interface in Unix without an IP address and without a capability to transmit packets on the wire, use the following command (replace dc0 with the name of your sniffing interface): ifconfig dc0 up -arp

■ -s 1514 Set the “snap” length to 1514 bytes. This will capture entire Ethernet frames and avoid tcpdump’s default snap length of 68 bytes.
■ -w /var/log/tcpdump/emergency_capture.lpc Write tcpdump’s output to a file in the /var/log/tcpdump directory called emergency_capture.lpc. (This filename and .lpc extension are arbitrary.)
▲ & Send the process into the background.

 In situations where you are collecting too much traffic for your monitoring system to handle, you will need to filter the full-content data. The simplest way to implement filtering in tcpdump relies on building Berkeley Packet Filters. The tcpdump manual page offers numerous options for pointing the tool’s attention toward specific packets.
During computer security incidents, we often depend on watching traffic either from hosts of interest or to hosts of interest. For example, to record all traffic to or from the 12.44.56.0/24 network block, we would use the following command line:
tcpdump -n -i dc0 -s 1514 -w /var/log/tcpdump/emergency_capture.lpc net 12.44.56 &
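As an added example, not taken from the slides, the Python below reproduces what the -s and net options affect: it writes constructed Ethernet/IPv4/TCP frames into the libpcap file format that tcpdump -w produces, truncating each frame to a chosen snap length (68 versus 1514 bytes), then reads the file back while selecting packets by network block, which is what the BPF expression net 12.44.56 does (written here in CIDR form as 12.44.56.0/24). The frames, addresses and timestamps are constructed sample data.

```python
import ipaddress
import struct

def ipv4_tcp_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP SYN frame for testing (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp + payload

def pcap_bytes(frames, snaplen):
    """Serialize (timestamp, frame) pairs as a libpcap file, truncating each frame to
    snaplen as tcpdump -s does; both captured length and original length are recorded."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # link type 1 = Ethernet
    for ts, frame in frames:
        cap = frame[:snaplen]
        out += struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(cap), len(frame)) + cap
    return out

def read_pcap(data, net=None):
    """Walk the records; with net set, keep only IPv4 packets whose source or destination
    falls in that block (the packets the BPF expression 'net 12.44.56' selects)."""
    want = ipaddress.ip_network(net) if net else None
    off, kept = 24, []                                      # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack("<IIII", data[off:off + 16])
        rec = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if rec[12:14] != b"\x08\x00" or len(rec) < 34:     # not IPv4, or headers cut off
            continue
        src, dst = ipaddress.IPv4Address(rec[26:30]), ipaddress.IPv4Address(rec[30:34])
        if want is None or src in want or dst in want:
            kept.append({"src": str(src), "dst": str(dst), "caplen": caplen,
                         "len": origlen, "truncated": caplen < origlen})
    return kept

# Two constructed frames: a web request carrying payload, and a packet into 12.44.56.0/24.
FRAMES = [(1.0, ipv4_tcp_frame("172.16.1.128", "172.16.1.7", 1640, 80, b"GET / HTTP/1.0\r\n" * 10)),
          (2.5, ipv4_tcp_frame("10.0.0.5", "12.44.56.9", 40000, 443))]

if __name__ == "__main__":
    for snap in (68, 1514):                                 # default snap length vs full frames
        print(snap, read_pcap(pcap_bytes(FRAMES, snap)))
    print(read_pcap(pcap_bytes(FRAMES, 1514), "12.44.56.0/24"))
```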
 Do not overlook all the potential sources of evidence when responding to an incident! Most network traffic leaves an audit trail somewhere along the path it traveled. Here are some examples:
▼ Routers, firewalls, servers, IDS sensors, and other network devices may maintain logs that record network-based events.
■ DHCP servers log network access when a PC requests an IP lease.
■ Modern firewalls allow administrators an extensive amount of granularity when creating audit logs.
■ IDS sensors may catch a portion of an attack due to a signature recognition or anomaly detection filter.
■ Host-based sensors may detect the alteration of a system library or the addition of a file in a sensitive location.
▲ System log files three time zones away on the primary domain controller may show a failed authentication during a logon attempt.
