


Information Technology Services, The University of …

Network Forensics: Finding a hidden needle in the haystack

Network forensics is the technique of capturing, storing, and analysing network logs during incident events. It also goes by other names, such as specific packet mining, packet forensics, or digital forensics. Regardless of the name, the idea behind it is the same: to record every packet of network traffic (emails, database queries, Web browsing – all kinds of traffic traversing an organization’s network) into a single searchable repository that facilitates detailed network examination. This paper presents the challenges raised and the techniques used to perform network forensics.

Introduction

Network forensics gathers network activity evidence to address security breaches and operational issues. Quoting the SANS Institute course notes: “Network forensics can reveal who communicated with whom, when, how, and how often. It can uncover the low-level addresses of the systems communicating, which forensics investigators will use to trace the pattern of conversation back to a physical device. The entire contents of emails, IM conversations, Web surfing activities and file transfers can be recovered and reconstructed to reveal the original transaction. More significantly, the protocol data that surrounded each conversation is extremely valuable.” [1]

In general, network forensics is best known as a methodology for investigating security incidents, such as data breaches and fraud cases. In a security-triggered event, an Intrusion Detection System (IDS) will raise an alert about suspicious network activity and security analysts will proceed to confirm the presence of an attack [2]. Therefore, the examination of a comprehensive record of network traffic will start as soon as the alert is raised. This facilitates the search for and gathering of proof for security experts during an incident breach. If the investigation result is positive, the next step will be the attack remediation. Without an ongoing packet analysis of network traffic, security analysts would have no hint whether a threatening activity occurred while the alert was raised.

Emerging Threat

Over the past few years, the emerging trend in cyber threats shows that the actors behind Advanced Persistent Threats (APT) have become more and more well-coordinated. Moreover, APT attackers use a wide range of exploit tools which were previously deployed by other types of cyber criminals. Therefore, discerning the attackers’ goal becomes critical to evaluating an incident’s impact. Forensic experts will have to carry out the required verifications to determine it. Attackers will use the following tools to perform their APT:

Page 1

Network Forensics: Finding a hidden needle in the haystack


Social Engineering

Social engineering is a method generally used in cyber espionage missions. The “espionage actor” will create social media profiles and contact company employees in order to induce them to download backdoors.

Custom Malware and Tools

APT creators are well known for creating their own custom tools. In one instance, cyber criminals deployed more than 70 malware samples and utilised crafted malware to target the victim’s environment. Moreover, APT28 [3], a Russia-based APT group, has systematically evolved its malware for more than seven years, creating malware platforms which give them the flexibility to stay in vulnerable ecosystems.

Crimeware

Crimeware includes crafted Trojan/backdoor toolkits; they are available for sale via underground websites. While some cyber criminals are financially motivated, some crafted Trojans/backdoors serve political purposes. In one case, the Israel cyber-army executed zero-day exploits by deploying Black Energy, a custom backdoor toolkit that targeted Iranian nuclear energy systems. Many remote access tools, or “RATs”, were used heavily by APT groups and underground cybercriminals [4]. In most cases, the RAT became the primary weapon in launching different types of attacks.

Maintaining Persistence in Ecosystems

Maintaining persistent [5] communication has always been a hallmark of APT groups and cybercriminals, who work to stay in an ecosystem until they have completed their mission. For instance, cyber criminals maintain subtle persistence by using well-known vulnerable Windows start-up registry locations to launch their malware. This method has proved useful in remaining in the registry for more than five years.

Data Theft

Data theft usually happens on a broad scale, and it is becoming broader in the subsets of sensitive data it targets. Cybercriminals continue to steal personally identifiable information (PII) for other illegal purposes, such as fraud or even selling it on underground markets. Cyber-criminals even use PII to launch zero-day attacks to gain money. Underground APT groups, such as APT18 [6], have been identified as the attacker behind the leak of US health data for a Chinese drug company [7].

Challenges

Advanced Persistent Threat

Most cyber offences aim at disrupting systems, whereas APT attacks exploit vulnerabilities to collect sensitive data.

Therefore, the attacker will remain in the system as long as he can, in order to gather as much data as possible. Main targets are governments or organisations with high-value information in sectors such as defence or the financial industry. The maintenance of access is paramount.

Main APT attacks are performed by groups. Some well-known threat groups have even been named APT18 or APT28.

Several challenges need to be addressed in order to increase network forensics efficiency and subsequently provide opportunities for industry and academia to capture new competencies and capacities, and finally to better address network analysis issues. Generally speaking, four thematic challenges stand out from the others according to various case studies:

Big Data

Large data sets are transmitted through the network, in the order of gigabytes a day. Therefore, looking for evidence is tedious and it is almost impossible to find it. Consequently, this domain remains challenging and researchers have to focus on it.

Internet Protocols

Each packet header transmitted through the network layer carries its source and destination in the IP packet format. It includes MAC addresses, IP addresses, encapsulation and data, all of which can potentially be spoofed. Therefore, technical skills and the use of reliable, purpose-built products are required to perform forensic analysis. Such products enable case resolution through the analysis of network activity.

Digital Evidence

Forensic assessment can be executed with forensic software through the collection, normalising, filtering, labelling, stream reassembly, correlation and analysis of multiple sources of traffic data. Although some sophisticated forensic tools already target each of these tasks, the introduction of new features is blurring the distinction between categories. As a result, the number of suspicious behaviours observed over the network grows significantly. Therefore, only appropriate network activity data should be collected. Digital evidence should include raw network packets, which contain the traffic details, and the log data available from applications, authentication systems, routers and firewalls.

TCP reassembly

TCP reassembly [9] is the collection of raw network traffic from a single source in order to present all data within a connection session as a complete stream. TCP reassembly is performed by protocol analysis tools, which isolate the specific communications taking place between two or more of the apparent endpoints or relay points. This is the first step in determining who communicated, when, and what was transmitted. Most forensic tools provide a tree-oriented view of sessions and the protocols used within them. This comes with a visual presentation of the network traffic mapping, which helps forensic investigators understand exactly what happened on the network.
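As an added illustration of the reassembly step (example code written for this page, not the paper's or any forensic tool's own code), the following Python rebuilds one direction of a TCP stream from captured segments: it tolerates out-of-order arrival, duplicate retransmissions and overlapping segments, and reports any byte range the capture missed instead of silently closing the hole. The segments are constructed sample data, and the initial sequence number is assumed to come from the connection's SYN.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # captured payload (TCP header already stripped)


def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from captured segments.

    segments: Segment objects in any arrival order, possibly retransmitted
              or overlapping; isn: initial sequence number from the SYN,
              so application data starts at isn + 1.
    Returns (data, gaps): the recovered bytes and a list of (from_seq, to_seq)
    ranges that no captured segment covered, i.e. bytes the capture dropped.
    Sequence-number wrap-around is assumed not to occur within the stream.
    """
    expected = isn + 1          # next sequence number not yet written out
    out = bytearray()
    gaps = []
    # Consume in sequence order; arrival order is irrelevant to the content.
    for seg in sorted(segments, key=lambda s: s.seq):
        start, end = seg.seq, seg.seq + len(seg.payload)
        if end <= expected:
            continue            # pure retransmission: nothing new
        if start > expected:
            gaps.append((expected, start))   # hole: capture missed these bytes
            expected = start
        # Skip the prefix that overlaps data already emitted (first copy wins)
        # and append only the new tail of this segment.
        out += seg.payload[expected - start:]
        expected = end
    return bytes(out), gaps


# Constructed sample: an HTTP request line captured out of order, with one
# duplicate retransmission and one segment overlapping both neighbours.
SAMPLE_ISN = 1000
SAMPLE_SEGMENTS = [
    Segment(1001, b"GET /"),          # bytes 1001-1005
    Segment(1012, b"HTTP/1.1\r\n"),   # bytes 1012-1021, arrived early
    Segment(1006, b"index "),         # bytes 1006-1011
    Segment(1006, b"index "),         # retransmitted duplicate
    Segment(1010, b"x HTTP"),         # bytes 1010-1015, overlaps on both sides
]


def reassemble_sample():
    return reassemble(SAMPLE_SEGMENTS, SAMPLE_ISN)


def reassemble_with_gap():
    """Same stream, but the segments starting at 1006 were never captured."""
    missing_middle = [s for s in SAMPLE_SEGMENTS if s.seq != 1006]
    return reassemble(missing_middle, SAMPLE_ISN)


if __name__ == "__main__":
    print(reassemble_sample())     # full request line, no gaps
    print(reassemble_with_gap())   # partial data plus the missing range
```

The gap list is what distinguishes "the host never sent it" from "the capture dropped it", which matters when the recovered stream is offered as evidence.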

Requirements for Network Forensics

To facilitate investigations, network forensics generally focuses on three essential capabilities: capturing and recording data, discovering data, and analysing data.

Social Engineering Case [8]

A manufacturing firm ranked among the Fortune 500 companies was targeted by an APT. Four executives received an email containing a link. One of them clicked on it. Due to this action, the attacker was able to gather highly sensitive data stored in the victim’s computer and emails. Moreover, the company was performing a merger and acquisition. Due to this data leakage, the acquisition failed.

Social engineering does not require technical skills. Therefore, no one is immune to a possible APT attack.

Capturing and Recording Data

This is the ability to capture and store multiple terabytes of data from high-capacity network throughput (including 10GBps and even 40GBps networks) [10] without dropping a single packet. However, network forensics assessment has its limitations, which include sustainable throughput capacity, packets analysed per second, data mapping and search functions. These limitations are usually assessed during lab assessment and shall be renewable and documented.

Discovering Data

The second requirement of network forensics is data filtering by interest (by IP address, application, context, etc.). Forensic experts rely on discovery tools for sniffing through terabytes of data to find specific network conversations between internal nodes or external communications.

Analysing Data

To further accelerate the process of data discovery and analysis, forensic experts will use network analysers and forensic tools to examine the suspicious anomalies and communication patterns found during the network assessment. Automated analysis, including deep discovery results that explain the network events, helps forensic experts quickly identify potential security breaches.

Practical Approach in Network Forensics

In case of a security incident, an organisation will quickly engage forensic experts from a Cyber Incident Response Team (CIRT). Within two days they will have to carry out the investigation, consultancy and installation of forensic equipment at the client site, in order to establish the extent of the incident and contain it within 48 hours [11]. Below are the steps of a practical approach in network forensics.

Identification: Indication that an incident has occurred or is in progress. This is the first step to identify the severity level of an incident and the entry stage of a CIRT engagement.

Triage: Prioritise resources and target segment to focus on business critical targets and sensitive data storages which have been compromised.

Collection: Acquire data and network behaviour related to the incident by deploying responders and the latest forensic tools.

Analysis: Determine the attack vectors, indications of compromise, extent of compromise and timelines of the incident.

Reporting: Provide results analysis, observations and remediation steps to close the incident.

Such is standard practice in a 48-hour engagement; it is considered the best approach to performing a network forensic assessment. Evidence found within the two-day engagement provides arguments to senior management for implementing further preventive measures.

Figure 1: Practical Network Forensics in Cyber Incident Response Engagement

Applications of Network Forensics

Applications of network forensics are not limited to PCAP, Wireshark or XYR; they can also find, explore and perform deep technical analysis of a cyber incident or a network and system disruption when third-party analyst tools fail. For example:

An attacker might be able to erase all log files on a compromised host. Thus, firewall and IDS/IPS “log” or “alert” based evidence might be the only proof available for forensic analysis. These devices remain undetected during the attacker’s scanning because they are passive, so attackers would not realise their presence.

Analysis of captured network traffic can include tasks such as TCP reassembly of transferred files, searching for suspicious keywords and recovering data which might have been lost during the breach. Recommended tools are Wireshark or WildPackets.

Deploy Security Information and Event Management (SIEM)-based alerts as an appropriate platform with integrated network forensics or anti-DDoS devices.

Use network forensic devices to understand security flaws in other network security devices, applications, operating systems and databases.

Network forensic tools and protocol analysers are useful for monitoring traffic such as chats, FTP, telnet, email and web surfing, regardless of language [12]. Generally, these devices support TCP reassembly of contextual character sets such as Arabic, Japanese, Chinese, Hindi and German. Network forensic tools are able to provide string search in these languages. Usually, these strings are converted into hex values and their conformity with the initial data is examined.

A practical approach to dealing with zero-day attacks requires network forensic tools and devices which are able to perform retrospective analysis of packets. This helps forensic investigators identify whether the network has been compromised in the past and how the threats can be contained in future.

Use Case of Network Forensics in a Universiti Teknologi Malaysia – AIS Environment [13]

UTM-AIS ran a case study at their Cyber Forensic Lab in Malaysia to simulate a cyber incident and study the effectiveness of their cyber incident response procedure on the campus. During the simulation, the network-based IDS on an enterprise network raised an alert about unusual activity on a server. (In the screenshots below, the compromised node is identified as the address 10.4.3.248.) When a team of forensic analysts was conducting an investigation, they discovered that the server had been compromised by a security attack. Unfortunately, the IDS logs provided no further information about the attack, such as the list of other compromised systems or the attacker’s details. With the aid of a forensic tool dashboard (in this case, WildPackets Compass), forensic experts were able to identify the compromised system. In fact, Common Internet File System (CIFS) traffic spiked shortly after the attack had begun. The screenshot below shows an example of such a CIFS spike.

One advantage of the network forensic appliance in this scenario is that it recorded all network traffic around the time of the spike; this gave the forensic experts an upper hand to examine network activity in depth and explore this burst of traffic and its consequences.

To present the discovery process more accurately, the forensic analyst would start with a Peer Map showing all IP communications during the spike period. As suspected, the Peer Map revealed how the compromised server had communicated with several other internal systems.

Then, the forensic analysts filtered the traffic and highlighted communications from the compromised server. This facilitated the task of identifying the other three systems which had communicated with the compromised server during the attack.

Afterwards, the forensic analysts segmented detailed information on the four internal systems during the critical time of the CIFS spike. This gave the forensic analysts the advantage of narrowing down the investigation scope, and enabled them to conclude on the root cause and on how the communication with the other internal systems occurred.


Figure 2. Forensic tools dashboard provided a clear view of the spike in CIFS traffic

Figure 3. Peer Map segmented all network conversations during a selected period of time

Figure 4. Peer Map filtered compromised systems and other internal systems


Eventually, forensic analysts were able to identify which servers they would have to focus on in order to contain the attack and reverse its effects. In addition to quarantining and repairing 10.4.3.128, the forensic team would also focus on 10.4.58.15, 64.12.165.91, and 205.188.9.185.
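The UTM-AIS workflow above (spot the CIFS spike, draw the peer map for that period, filter to the compromised node) as an added example in Python; this is illustrative code written for this page, not code from the paper or from WildPackets Compass. The flow records are constructed, the 60-second buckets and the "five times the earlier baseline" threshold are assumptions, and the addresses are the ones the case study names, with 10.4.3.248 taken as the compromised node as in the screenshots.

```python
from collections import defaultdict
from statistics import median

COMPROMISED = "10.4.3.248"   # compromised node named in the case study
CIFS_PORT = 445              # CIFS/SMB over TCP
BUCKET_SECONDS = 60          # assumed width of the time buckets for the spike curve

# Constructed flow records for this example: (epoch_seconds, src_ip, dst_ip,
# dst_port, bytes). The peers 10.4.58.15, 64.12.165.91 and 205.188.9.185 are
# the addresses the case study lists; the volumes and timestamps are invented.
FLOWS = [
    (1000, "10.4.1.20", "10.4.3.248", 80, 1200),       # routine web requests
    (1010, "10.4.1.21", "10.4.3.248", 80, 900),
    (1030, "10.4.3.248", "10.4.58.15", 445, 4000),     # normal CIFS level
    (1070, "10.4.1.22", "10.4.3.248", 80, 1100),
    (1120, "10.4.3.248", "64.12.165.91", 443, 2000),   # outbound to an external peer
    (1130, "10.4.3.248", "10.4.58.15", 445, 350000),   # CIFS volume jumps
    (1140, "10.4.3.248", "10.4.58.15", 445, 420000),
    (1150, "10.4.3.248", "205.188.9.185", 445, 380000),
    (1155, "64.12.165.91", "10.4.3.248", 445, 90000),
    (1160, "10.4.1.23", "10.4.7.7", 445, 5000),        # unrelated CIFS elsewhere
    (1200, "10.4.1.20", "10.4.3.248", 80, 1000),
]


def bucket_of(ts):
    return ts - ts % BUCKET_SECONDS


def cifs_bytes_per_bucket(flows):
    """Bytes sent to TCP/445 per time bucket: the dashboard's CIFS curve."""
    totals = defaultdict(int)
    for ts, _src, _dst, dport, nbytes in flows:
        if dport == CIFS_PORT:
            totals[bucket_of(ts)] += nbytes
    return dict(totals)


def find_spike_window(flows, factor=5.0):
    """(start, end) of the first run of adjacent buckets whose CIFS volume
    exceeds `factor` times the median of all earlier buckets, else None."""
    totals = cifs_bytes_per_bucket(flows)
    buckets = sorted(totals)
    for i in range(1, len(buckets)):
        baseline = median([totals[b] for b in buckets[:i]])
        if totals[buckets[i]] > factor * baseline:
            end = buckets[i]
            for b in buckets[i + 1:]:       # extend over adjacent hot buckets
                if b == end + BUCKET_SECONDS and totals[b] > factor * baseline:
                    end = b
                else:
                    break
            return buckets[i], end + BUCKET_SECONDS
    return None


def peer_map(flows, start, end):
    """Undirected map {ip: {peer_ip: bytes}} of conversations in [start, end)."""
    pm = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, _dport, nbytes in flows:
        if start <= ts < end:
            pm[src][dst] += nbytes
            pm[dst][src] += nbytes
    return pm


def triage(flows, compromised=COMPROMISED):
    """Spike window plus the compromised host's peers within it, busiest first."""
    window = find_spike_window(flows)
    if window is None:
        return None
    pm = peer_map(flows, *window)
    peers = sorted(pm[compromised], key=lambda p: pm[compromised][p], reverse=True)
    return {"window": window, "peers": peers}
```

The peer list is the set of systems to quarantine and examine next; every other host on the network is outside the window and stays out of scope, which is the narrowing the paper describes.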

Benefits of Network Forensics

Counting on the robust network forensic methodology described above, the university can react and respond with the appropriate plan and countermeasures in case of cyber incidents. Suspicious network activity or intrusion activity can be picked up in time for a timely response. Crucial nodes or segments within all types of systems, from network devices to computers, can be further fine-tuned in specific areas of concern such as database, email, and log information. Among today’s emerging cyber attacks [14], a number of sophisticated attacks are programmed to erase log files, hiding the damage inflicted. In many of these cases, network forensics is the only way to uncover what happened. The benefits that can be reaped are evident and presented in very precise and accurate manners, such as environment recovery, forecasting, auditing, damage assessment, and beyond. With a variety of options in network forensics triage, there are many ways to explore what benefits each system can bring to the university infrastructure.

Conclusion

Network forensics is the technique of capturing, storing, and analysing network logs during security incidents, and it requires highly professional skills. Forensic experts in the CIRT team handle the investigation with sophisticated forensic methods and tools in order to keep pace with today’s high-speed networks. New tools and forensic practices are mandatory to ensure that the IT units of all universities keep their networks and systems stable and secure.

Starting from a vague security alert, forensic experts will make use of forensic tools to identify the specific systems to quarantine and where to focus during the clean-up of the attack. Network forensics enables the team to find evidence of the attack and trace its effects.

By investing in network forensics with the best practices listed in this paper, university IT teams can ensure that speed, availability and integrity of connectivity do not come at the expense of visibility, control, or security. User data privacy, security standards and the reputation of the university will be fully protected and upheld.

Figure 5. Forensic tools segmented information about the communication between 4 systems during the critical time of the attack.

References

1. “Security 558: Network Forensics Course Description”, 15 October 2015, Web, October 2015.
2. “Honey Pot Intrusion Detection System”, K. L. Ogweno et al., 2014, pdf.
3. “APT28, a Window into Russia’s Cyber Espionage Operations?”, APT, 2014, pdf.
4. “Crimeware or APT Malware: Fifty Shades of Grey”, N. Villeneuve, 2014, pdf.
5. “Advanced Persistent Threats – Attack and Defense”, 2013, Web, October 2015, pdf.
6. “The Chinese government has a clear motive to steal U.S. health data”, Mark Sullivan, VentureBeat News, 2014, pdf.
7. “APT Gang Branches Out to Medical Espionage in Community Health Breach”, M. Mimoso, 2014, pdf.
8. “Gaining awareness to prevent social engineering techniques, attacks”, May 2011, Web, October 2015.
9. “TCP Reassembly”, 2015, Web, October 2015.
10. “A Comprehensive Review on Adaptability of Network Forensics Frameworks for Mobile Cloud Computing”, S. Khan et al., 2014, pdf.
11. “Good Practice Guide for Incident Management”, ENISA, 2010, pdf.
12. “Network forensic system for port scanning attack”, Kaushik et al., 2010, pdf.
13. “Tracing Source of Compromise Server”, UTM Forensics Simulation Lab Assessment, 2013, pdf.
14. “Security Threat Report 2014: Smarter, Shadier, Stealthier Malware”, SophosLabs, 2014, pdf.

Copyright Statement

All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law.

A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document are listed below:

[email protected]
Joint Universities Computer Centre Limited (JUCC)
c/o Information Technology Services
The University of Hong Kong
Pokfulam Road, Hong Kong