Network Connections
A computer network functions by establishing connections between devices so that they can exchange data and communicate with each other. Establishing a network connection takes a combination of hardware and software components:
Hardware: the interfaces and links that let devices transmit and receive data.
Software: the protocols that define how data is formatted, transmitted and verified, so that both ends of a connection interpret it the same way.
This process is described by the layers of the Open Systems Interconnection (OSI) model, which the International Organization for Standardization (ISO) created as a reference framework for the functions of a network system. The model has seven layers, from the physical medium up to the application: Physical, Data Link, Network, Transport, Session, Presentation and Application.
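As an added example that is not part of the original page, the Python script below decodes a constructed Ethernet/IPv4/TCP frame layer by layer: the Ethernet header (OSI layer 2), the IPv4 header (layer 3) and the TCP header (layer 4), which is exactly what a packet capture tool hands an analyst as raw bytes. The sample frame, the function names and the checksum and length checks are the example's own; the header layouts follow RFC 791 (IPv4) and RFC 793 (TCP).

```python
"""Walk a raw Ethernet/IPv4/TCP frame from OSI layer 2 up to layer 4.

Added example (not from the article): the frame is constructed by hand below,
not captured from a live network. Header layouts follow RFC 791 (IPv4) and
RFC 793 (TCP); the function names are this example's own.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# Bit positions of the TCP flag byte, least significant bit first.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header bytes (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed sample: TCP SYN from 10.0.0.5:40000 to 10.0.0.9:443, no payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP header: ports, seq, ack, data offset (5 words), flags=SYN, window, checksum, urgent.
    # The TCP checksum is left at zero in this sample; only the IPv4 checksum is verified below.
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0x12345678, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    return eth + ip + tcp


def dissect_frame(raw: bytes) -> dict:
    """Decode layers 2-4; raise ValueError when a header is truncated or inconsistent."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    result = {"layer2": {"dst_mac": raw[:6].hex(":"), "src_mac": raw[6:12].hex(":"),
                         "ethertype": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return result  # ARP, IPv6 and so on are not decoded in this example

    ip = raw[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version or header length")
    if total_len < ihl or total_len > len(ip):
        raise ValueError("IPv4 total length does not fit the captured bytes")
    header = ip[:ihl]
    result["layer3"] = {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "protocol": proto,
        # Recompute over the header with the checksum field zeroed and compare.
        "checksum_ok": ipv4_checksum(header[:10] + b"\x00\x00" + header[12:]) == cksum,
    }
    if proto != IPPROTO_TCP:
        return result

    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_byte, flags, window, _tcksum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_byte >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    result["layer4"] = {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "flags": [name for i, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": window,
        "payload_len": len(tcp) - data_off,
    }
    return result


if __name__ == "__main__":
    for layer, fields in dissect_frame(build_sample_frame()).items():
        print(layer, fields)
```

Running it prints the three decoded layers for the sample SYN. The checksum and length checks are the ones a forensic parser needs, because captured traffic regularly contains truncated or deliberately malformed frames. Layers 5 to 7 are not decoded here; they live in the TCP payload, which is empty for a SYN.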
Network Forensics
Network forensics is the capture and analysis of network activity, logs and data to investigate and respond to security incidents, identify threats and gather evidence for investigations.
Network forensics is applied in several contexts, each with its own purpose:
Red Team (offensive approach) – weaknesses are identified proactively through penetration testing, exploitation and simulated attacks, so that they can be fixed before a real adversary finds them.
Blue Team (defensive approach) – the network is protected through continuous monitoring and traffic analysis, and the same data supports post-incident investigations that reconstruct what happened and how the affected systems behaved.
Whichever role applies, a thorough understanding of the underlying network infrastructure is required before these skills are put to use.
Basic network commands
Basic network commands are essential for analysis, troubleshooting and configuration. The commands used to map and understand a network are collected in the Basic Network Commands Reference Guide.
Network data sources
When taking a Blue Team approach, several data sources within the network can be collected and analysed for a comprehensive investigation. These include:
Source: Intrusion Detection Systems (IDS)
Benefit: Monitors network traffic for signs of unauthorized access and suspicious activity and raises alerts, giving an early, timestamped record of potential intrusions.
Source: Firewall
Benefit: Firewall logs record network traffic and security events, showing incoming and outgoing connections, which traffic was blocked or allowed, and potential security incidents.
Source: Security Information and Event Management (SIEM)
Benefit: Centralises log collection, event correlation and analysis, giving a single place to monitor and investigate incidents across the network.
Source: Packet Sniffers
Benefit: Captures the packets crossing a network so that the data exchanged between devices can be inspected, for security analysis or network optimisation.
Source: Network Forensics Analysis Tools (NFAT)
Benefit: Specialised software that captures, stores and reconstructs network traffic to help identify threats, investigate incidents and protect the network.
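As an added example that is not part of the original page, the Python below runs the Blue Team traffic-analysis step over firewall logs: it parses netfilter/iptables-style key=value log lines and flags any source that reaches many distinct destination ports within a short window, the signature of a port scan. Every log line is constructed for the example, the "FW-DROP"/"FW-ACCEPT" rule prefixes and the host name are assumptions, and the thresholds are illustrative.

```python
"""Pull port-scan alerts out of firewall log lines.

Added example (not from the article). The log format is the one produced by
Linux netfilter/iptables LOG rules (key=value pairs after a rule prefix); the
prefix strings "FW-DROP" and "FW-ACCEPT", the host name and every line below
are constructed for this example, and the thresholds are this example's choice.
"""
import re
from collections import defaultdict
from datetime import datetime

# Syslog timestamp, host, kernel tag, then the netfilter key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Return a dict with ts, action, src, dst, proto, dpt, or None for non-firewall lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    if "SRC" not in fields or "DPT" not in fields:
        return None  # kernel line, but not a netfilter packet log (or no L4 port)
    action = "DROP" if "FW-DROP" in rest else "ACCEPT" if "FW-ACCEPT" in rest else "UNKNOWN"
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # year-less syslog stamp
        "action": action,
        "src": fields["SRC"],
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]),
    }


def find_port_scans(lines, min_ports=10, window_seconds=60):
    """Flag sources that reach >= min_ports distinct destination ports within window_seconds."""
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in window_seconds.
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            ports = {e["dpt"] for e in window}
            if len(ports) >= min_ports and (best is None or len(ports) > best["distinct_ports"]):
                best = {
                    "src": src,
                    "first_seen": window[0]["ts"].strftime("%b %d %H:%M:%S"),
                    "distinct_ports": len(ports),
                    "dropped": sum(1 for e in window if e["action"] == "DROP"),
                }
        if best:
            alerts.append(best)  # one alert per source, for the widest burst seen
    return alerts


def _fw_line(ts, prefix, src, dst, dpt, flag="SYN"):
    """Build one constructed netfilter-style log line."""
    return (f"{ts} fw01 kernel: {prefix} IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST={dst} LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP "
            f"SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 {flag} URGP=0")


# Constructed sample: a 12-port sweep from 203.0.113.7, repeated SSH attempts from
# 198.51.100.4 (same port every time, so not a scan), normal HTTPS traffic, and one unrelated line.
SAMPLE_LOG = (
    [_fw_line(f"Mar  3 10:15:{i:02d}", "FW-DROP", "203.0.113.7", "10.0.0.9", 21 + i) for i in range(12)]
    + [_fw_line(f"Mar  3 10:16:{i:02d}", "FW-DROP", "198.51.100.4", "10.0.0.9", 22) for i in range(15)]
    + [_fw_line("Mar  3 10:15:30", "FW-ACCEPT", "10.0.0.23", "10.0.0.9", 443, "ACK")]
    + ["Mar  3 10:15:31 fw01 sshd[2212]: Accepted publickey for admin from 10.0.0.23 port 51234 ssh2"]
)

if __name__ == "__main__":
    for alert in find_port_scans(SAMPLE_LOG):
        print(alert)
```

The repeated attempts against port 22 from 198.51.100.4 are deliberately not flagged: they hit a single port, which is a brute-force pattern rather than a scan and needs its own rule. The same sliding-window structure applies to IDS alerts or SIEM events once they are parsed into the same ts/src/dpt shape.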
Network Collection tools
Several tools are available to gather network-related data. The following are commonly used:
Tcpdump – command-line packet capture tool for capturing and inspecting network traffic.
Nmap – network scanning tool used for assessing and discovering hosts, open ports, and services on computer networks.
Wireshark – graphical network protocol analyzer used for capturing and examining live traffic or saved captures.
SolarWinds – network management software that provides tools for monitoring, analyzing, and optimizing network performance and security.
Network Miner – network forensic analysis tool that extracts hosts, sessions, files and other artifacts from captured traffic, aiding the identification of security threats and incidents.
Conclusion
In network forensics, investigations revolve around the collection and analysis of network data following a security incident. Before any assessment, the network's configuration must be understood; only once its infrastructure is clear can data collection and analysis begin.