Book Chapters 

 

Foreward  
This book is not a comprehensive guide towards Network Forensics or Incident Response, though this may lead to something of that sort in the near future or so. 

I just made this to document all what I could assimilate by reading books written on the same domain, and also partially by real-time experience in this field. 

This book might serve as a pocket guide in understanding the scope of Network Forensics and Analysis. Having said that, I take no responsibility of this being used as a Standard Operating Procedure (SOP) for Incident Response on Network Forensic.  

Good luck!  
- Md. Arif Ali Khan  

The Toolkits which are already available 

Dependency Walker - This is meant to be used to find an executable's dependency. This may be helpful in making portable applications to carry in our pendrive containing forensic toolkit. 

Some important commands/utilities useful in Network Forensics. Some are available by default in a Windows Operating System, while some are available in the SysInternals Suite by Microsoft. 

Netstat.exe—anLists active connections/open ports
Netstat.exe—rnLists the local routing table
Pslist.exeList running processes and associated data
Openports.exeLists active connections and open ports
Psloggedon.exeLists users logged on locally and via network share
Now.exeDisplays system date and time
Nlsinfo.exeLists system details including Name and Time Zone
Psfile.exeLists files opened remotely
Ipconfig.exe /allLists network adapter information
Autorunsc.exeLists programs configured to run at startup and login
Diskmap.exeLists drive information
Portqry.exeLists active connections and open ports

While some tools are specific to the Version of Operating System (Win7/8/10) and its architecture(32/64-bit), we need to create separate folders for each OS version and architecture. 

Harlan's Forensic Server Project - This toolkit helps to collect volatile data from a target machine using a client-server model, where the investigator's machine will be the server and will listen for the communication from the target machine which will be running the client executable which helps in initiating a remote acquisition of volatile data. 

Tips: Always collect volatile data before collecting RAM, as the system might sometimes crash while acquiring RAM. Taking other volatile data in advance prevents its loss if the system crashes while acquiring RAM. 

Until now we have discussed the toolkit already available in the market but is limited to only a given set of tools. 

Way forward in this book, we are going to see what all can be included under the scope of Network Forensic. While we talk about Network Forensic, more importantly we may also include Live Forensic/Incident Response methodologies, without trying to re-invent the wheel.  

Triaging 
This basically is the process of collecting volatile data from a Live system. This includes the following (but not limited to) data:

  • Recent Docs
  • Recently Run Applications
  • Network Information
  • Web History
  • Storage Devices
  • Event Logs
  • Running Processes
  • Services
  • Drivers
  • RAM
  • User accounts
  • Shared/Mapped Devices
  • Screen Capture  

Tools of the trade:  
EnCase Portable 
AccessData Triage 
USB Live Acquisition and Triage Tool (US-LATT)  
WinLiFT developed by C-DAC.

Capture Physical Memory (RAM) - As RAM holds information about all the activities that took place in a session, this is helpful for Forensic Investigators to identify the behavior of a system/user during a session, more importantly for us, over a network. 

Tools of the trade:

  • FTK Imager
  • Win32dd/Win64dd
  • Redline/Memoryze  

Analysis of Volatile Data 
Volatile data is data that will be lost once power is removed from the system. This data resides in RAM.  

This data can include the following: 

  • Who is currently logged into the system?
  • Open ports on the system.
  • Active/Established/Listening network connections.
  • Current processes.
  • Current open files on the system.
  • Files being accessed over the network.    

The toolkit for collection of volatile data may include any/all of the following tools:

Netstat.exe—anLists active connections/open ports
Netstat.exe—rnLists the local routing table
Pslist.exeList running processes and associated data
Openports.exeLists active connections and open ports
Psloggedon.exeLists users logged on locally and via network share
Now.exeDisplays system date and time
Nlsinfo.exeLists system details including Name and Time Zone
Psfile.exeLists files opened remotely
Ipconfig.exe /allLists network adapter information
Autorunsc.exeLists programs configured to run at startup and login
Diskmap.exeLists drive information
Portqry.exeLists active connections and open ports

While the above commands/utilities need to be run individually, an Incident Responder may also choose some of the automated tools which are available both commercially and freely over the internet. Some of the fine commercial softwares are EnCase Portable, AccessData Triage, and US-LATT, while WinAudit is a free tool which pretty much works same in gathering similar type of artefacts from the target system. 

While the above tools are for analysis of volatile data excluding RAM dump, there are specific tools for analysis of RAM dump. 

I personally prefer the free version of WinHex to mount the RAM dump file and then make a regex search for the relevant keyword of interest and find any instances. This method might sound haphazard and might not serve purpose if you need to create a good report, so let me suggest few other alternatives for the same. Tools like "strings" available in the Microsoft-owned SysInternals Suite can be used to print all the readable strings parsed from the RAM dump. 

Another tool "BinText" by McAfee does the same. 

To get a category-wise parsing of RAM dump and get a convincingly good report out of it, you may try using BulkExtractor which is also available for free! If you want a more comprehensive analysis, look no further! Volatility is all what you need! 

Summing up the tools for analysis of RAM dump, the list goes as follows: 

  • WinHex
  • Strings
  • BinText
  • BulkExtractor
  • Volatility    

Data Carving from RAM 
While the information you wanted out of RAM can be parsed by the tools mentioned in the previous section, I am going to focus on that part of memory which is either corrupted or of unidentified nature due to various reasons.  

To begin with, Data carving basically refers to extraction of readable data from a block of memory which is subjected to analysis. 

Having done the previous step of identifying readable strings from RAM, let's focus on recovering files from it.  

Tools of Trade: 

  • WinHex
  • DiskDigger
  • GetDataBack
  • Responder CE
  • Volatility
  • Redline  

Network Analysis 

  • Starting from the source of the report and working your way out is usually the best approach.
  • Find a piece of potential evidence and follow the trail to see where it leads.
  • The main points are to be methodical, take good notes as you go and stay focused.
  • It is very easy to lose track of where you are during the examination due to the vast amount of data. Avoid at all costs the temptation to 
  • immediately start gathering logs and data from every device you can think of.
  • The only data that you need to be concerned about collecting immediately is the volatile data discussed previously.  

The most informative evidence is network captures, but you may not be always lucky in finding an organization maintaining packet captures in entirety as it hogs a lot of space on the storage, thus is not a feasible solution to them.  

Well, let's first assume that we have a packet capture dump available at our end for analysis.  

Tools of the trade: 

  • Wireshark (GUI) / TShark (command-line)
  • NetworkMiner
  • NetWitness
  • Snort
  • NeSA  

Let's come back to where we don't have the full packet capture dumps. In this case, we have to manage with logs. Having said that, analysis of logs is chaos in itself. 

Moving on, there are few tools which might help you win this battle of analyzing logs. 

Tools of the trade: 

  • Sawmill (Trial-ware)
  • EnCase CyberSecurity (Commercial)  

Once we identify the specific Host, we can move ahead with Host-based Analysis. 

Host Based Analysis 
When examining a compromised host as part of any computer security incident, timeline analysis plays a large role in the analysis. 

Hash Analysis - Compare the hash value with database of known malwares 

Malware Scanning - Scan the applications to detect any malicious intent or hidden malware in a seemingly legitimate application. 

Signature Analysis - Scan files to detect any malicious files masked with an extension mismatch. For example, a malicious executable stored as a renamed mp4 file to evade basic detection. 

Alternate Data Streams - This came into picture with the NTFS, but can be detected using most of the forensic tools. 

Registry Analysis - for identifying applications for Autorun on startup and other suspicious keys. While the scope of Registry Analysis in this module is limited, let's focus on the same. 

Coming back to our scope, as almost all malwares are configured for automatic execution on startup, here are some locations which contain information on applications configured for automatic execution at startup.   

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 

Log Files - Logs play an important role in analysis as they maintain data in chronology probably helping us ease the process of Timeline analysis. Logs that of private web server hosted on a machine, Application Logs, Security Logs and other logs may be co-related to detect the attack vector and perform a timeline based analysis. 

Event Logs - Event log files are binary files that contain information generated by actions, from the system, applications, system access events, or object access audit events. 

In Windows-based Operating Systems, the event logs are stored at: 
%Systemroot%\system32\winevt\Logs\ 

Tools of the Trade: 
FullEventLogView - NirSoft 
Event Log Explorer - FSPro Labs  

Schedule Task Logs - Tasks run within the Windows operating system are stored in a log file, called SchedLgU.txt. The log is located in “C:\Windows\Tasks\” on a machine having Windows 7 and above. 

Note: Here, "C:" is the drive where Windows in installed.  

Anti-Virus Logs - Various Anti-Virus softwares maintain different type of logs. An Analyst can check the logs generated by various Anti-Viruses to identify Indicators of Compromise (IoC) which can be co-related with the other logs generated by the host machine.  

Some other Logs - You may not always find the malicious files on host after compromise as sometimes the malwares are configured for automatic melting (wiping) of data once their motive is achieved. So, in this case you may atleast be able to identify what all was installed.  

SetupAPI.app.log | located in C:\Windows\inf\  

SetupAPI.dev.log | located in C:\Windows\inf\   

These logs can also provide additional evidence of what and when malicious code was installed on the victim. They are simple text logs and can easily be viewed in a text editor and searched.  

Prefetch Files Windows Prefetch files maintain information about the date/time of execution of an application. These files can be analysed by tools like WinPrefetchView or Windows File Analyzer, to name a few.   

Live Analysis

If you are lucky, there is a chance to catch malware while it is still working on your machine. Though there is no standard method for dealing with every malware, I can share the most common approach in dealing with most of the malwares while they are off the disk and into the wire. Nice line, right? Recollected this one while I was reading some material for reference by SANS, on Advanced Network Forensics.  

Moving on, some of the tools to carry in arsenal while dealing with catching a malware, or while auditing a network incident, are as follows:  

  • Process Explorer - To detect the DLLs loaded upon execution of a program.
  • Process Monitor - This is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
  • RegShot - This is a registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one—done after doing system changes or installing a new software product.
  • TCPView - Lists all Network connections to and from your machine.
  • WireShark - Tool for network packet inspection and capture.
  • HashCalc - Tool to calculate hash values of files; Useful during the process of documentation.   

Reporting 

Analysis should always end with generation of some sort of report for review by other people involved in the operation, and to remember the sequence of steps involved in analysis, to be easy to refer and recreate the exact modus, at a later point in time, and also to help other people who are dealing with similar scenarios with a reference material. 

Following are some of the key points to be noted while documenting the report. This is not a comprehensive list though. Times change, and so do the methods and things to be added in report change. 

  • Hash the evidence
  • Scan the device for malicious code
  • List relevant software, and highlight suspicious applications
  • Draft a glossary, provide terms used so that those not technically savvy understand the terms
  • Perform a Registry analysis, an in depth analysis
  • Set the proper time zone, best practices may be to set to IST
  • Detail the device information
  • Perform a signature analysis
  • Perform a manual review of the evidence
  • Perform a keyword search
  • Identify any password protected or encrypted files and attempt to recover the passwords
  • Data carve
  • Web artifacts (Email and Web history)
  • Client based Email analysis
  • IM and social networking analysis
  • Removable media link analysis
  • Print spool exam
  • Timeline analysis 
  • MFT
  • Shellbag  

Mention the process/technique you used in Detection of Suspicious software, and tools used for its analysis. This is very important information to include in a report since the software used for analysis is constantly under development and listing the version number will help if there are any issues in the future. It also helps for others who follow your analysis so that they can verify your results.

Write the report in such a way that even a layman understands it. Everything should be explained in depth so that there are no questions left unanswered. The finalized report should list the above items as well as the items that were analyzed.  

Recommendations from SANS on creating Report.  

Host based analysis 

  • Artifacts of file downloads:
  • Open/save MRU
  • Email attachments
  • Skype/IM chat history
  • Index.dat/Places.sqlite.
  • Downloads.sqlite  

Program execution

  • User assist
  • Last visited MRU
  • RunMRU :"Start Run”
  • Application compatibility cache
  • Win7 jump lists
  • Prefetch
  • Services events  

File opening/creation

  • Open/save MRU 
  • Last visited MRU
  • Recent files.
  • Office recent files.
  • Shell bags (Enscript).
  • Link files.
  • Win 7 jump lists.
  • Prefetch and superfetch.
  • Index.dat    

Deleted file or file knowledge

  •  XP search ACMRU
  • Win7 search word wheel query
  • Last visited MRU
  • Thumbs.db
  • Vista/Win 7 thumbnails
  • XP recycle bin
  • Win 7 recycle bin
  • Index.dat file

 Account usage

  • Last login
  • Last password change
  • Successful or failed log in attempts
  • Logon types
  • RDP usage

 Browser usage

  • History
  • Cookies
  • Cache
  • Session restore
  • Flash and super cookies   

RAM analysis

  • Date and time RAM was collected
  • HASH of the RAM capture file
  • Tools used to analyze:

i. Bulk Extractor 
ii. WinHex 
iii. Mandiant’s Redline 
iv. Volatility  

List the details of the findings and present that information in a structure format for the reader.

Network analysis

  • Date and time pcap was collected
  • Hash of the PCAP file (network trace)
  • Tools used to analyze:

i. Network Miner 
ii. CapLoader 
iii. Xplico 
iv. Wireshark

List the details of the findings and present that information in a structure format for the reader.   

That's all for now, folks!   

References: This document has been developed by referring to following books to understand practical nuances of this domain, and to know about the tools of the trade. 

Reporting - SANS report guidelines 
Titles - Network Intrusion Analysis - Joe Fischer, Steven Bolt  
Titles - Network Forensics - Ric Messier

-- Mohammed Arif Ali Khan (itsmeRiF) 
"If you take a mic off my hands, I'm just plain."