
Collecting Network-based Evidence
 Collecting network-based evidence includes setting up a computer system to perform network monitoring, deploying the network monitor, and evaluating the effectiveness of the network monitor.

 The analysis of network-based evidence includes reconstructing the network activity, performing low-level protocol analysis, and interpreting the network activity.

05/07/22 2
 Network monitoring is not intended to prevent attacks. Instead, it allows investigators to accomplish a number of tasks:
▼ Confirm or dispel suspicions surrounding an alleged computer security incident.
■ Accumulate additional evidence and information.
■ Verify the scope of a compromise.
■ Identify additional parties involved.
■ Determine a timeline of events occurring on the network.

 Network monitoring can include several different types of data collection: event monitoring, trap-and-trace monitoring, and full-content monitoring.

 Event Monitoring: Event monitoring is based on rules or thresholds employed on the network-monitoring platform. Events are simply alerts that something occurred on your network.
 Traditional events are generated by a network IDS, but events can also be created by network monitoring software like MRTG (Multi Router Traffic Grapher).

 The following is an example of event capture by Snort, an event data generator:

Outbound connection attempt from web server [**]
[Priority: 0]
02/10-14:21:34.668747 172.16.1.7:49159 -> 66.192.0.70:22
TCP TTL:64 TOS:0x0 ID:42487 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3B0BF3E1 Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 5255946 0

 Read the flags field: ******S* is a bare SYN, so the web server (172.16.1.7) is initiating a connection to port 22 (SSH) on an outside host. A web server has no routine reason to open outbound SSH sessions, which is why a rule exists to raise this event; the alert carries only headers, not the session's content.

 Noncontent monitoring records the session or transaction data summarizing the network activity.
 Law enforcement refers to such noncontent monitoring as a pen register or a trap-and-trace.
 It typically includes the protocol, IP addresses, and ports used by a network communication.

 Session data does not care about the content of a conversation.
 Here is a sample of session data, generated by tcptrace, which is a tool that can summarize sessions. It shows four sessions from a web server listening on port 80:

1322 packets seen, 1302 TCP packets traced
elapsed wallclock time: 0:00:00.025971, 50902 pkts/sec
analysed trace file elapsed time: 0:06:23.119958
TCP connection info:
  1: 172.16.1.128:1640 - 172.16.1.7:80 (a2b)   62>   93<  (reset)
  2: 172.16.1.128:1641 - 172.16.1.7:80 (c2d)   86>  132<  (reset)
  3: 172.16.1.6:49163 - 172.16.1.7:80 (e2f)     6>    6<  (complete)
  4: 172.16.1.6:49164 - 172.16.1.7:80 (g2h)     8>    8<  (complete)

 Each line is one TCP connection: the first host listed is "a" (or c, e, g), the second is "b", the counts are packets sent a-to-b (>) and b-to-a (<), and the trailing word says how the session ended (a normal FIN exchange is "complete", a RST is "reset"). Without looking at a single byte of payload, you can already see that 172.16.1.128 opened two long sessions that the server tore down, while 172.16.1.6 had two short, orderly ones.

 Full-content monitoring yields data that includes the raw packets collected from the wire.

 It offers the highest fidelity, because it represents the actual communication passed between computers on a network. Full-content data includes packet headers and payloads.

 The following is a sample packet captured in its entirety
and displayed using tcpdump:

 Network diagnostic and troubleshooting hardware can capture data reliably and is usually the most efficient at capturing data at the full rate of the monitored network segment.
 Such appliances have drawbacks, however: they lack remote management capabilities and proper storage space, and they usually cost a lot of money.

 Setting up a sniffer box to perform network surveillance requires a bit of planning and preparation.

 Your ability to deploy a monitor may be affected by your network architecture, the bandwidth being monitored, and even external influences such as corporate politics or a limited budget.

 Creating a successful network surveillance system involves the following steps:
▼ Determine your goals for performing the network surveillance.
■ Ensure that you have the proper legal standing to perform the monitoring activity.
■ Acquire and implement the proper hardware and software.
■ Ensure the security of the platform, both electronically and physically.
■ Ensure the appropriate placement of the monitor on the network.
▲ Evaluate your network monitor.

 The first step to performing network surveillance is to know why you are doing it in the first place.
 Determine the goals of your network monitoring, because they will influence the hardware, software, and filters you use to collect evidence. Decide what you intend to accomplish, such as:
▼ Watch traffic to and from a specific host.
■ Monitor traffic to and from a specific network.
■ Monitor a specific person’s actions.
■ Verify intrusion attempts.
■ Look for specific attack signatures.
▲ Focus on the use of a specific protocol.

 You can buy a commercial system or build your own network monitor. The key issue is to ensure your system has the horsepower required to perform its monitoring function.

 Companies selling such sturdy boxes include Niksun, Sandstorm Enterprises, and Network Associates.

 Three specifications define your collection capabilities: CPU type, RAM amount, and hard drive. We’ll take a closer look at them in the following sections.

 The amount of hard drive space your system requires depends on the specificity of your filters and the amount of network traffic traversing the monitored segment.

 Hard drive space is getting cheaper, so splurge and get at least a 40GB drive on a laptop and an 80GB drive on a tower. The bottom line is that you should buy a big drive: a full-content capture on a busy segment fills disk at close to the segment’s line rate.

 On Internet-based networks, applying a trap-and-trace on your network means monitoring the IP headers and the TCP headers (or other Transport layer protocol header), without monitoring any content within the packets themselves.
 This is a nonintrusive way of determining the source of a network-based attack.
 Trap-and-trace monitors are extremely helpful in DoS cases, where they may provide the only evidence other than oral testimony that “the router crashed six times yesterday.”

 The following command line initiates a trap-and-trace using tcpdump with no filtering and prints the output to the screen:

[root@linux taps]# tcpdump
tcpdump: listening on eth0

 1. List the network interfaces available for capture:

tcpdump -D

 2. Capture packets from a particular interface:

tcpdump -i interface-name

 3. Capture only N packets, then exit:

tcpdump -c N

 4. Capture packets and write them to a file:

tcpdump -w file.pcap

 5. Capture full-length frames (no snap-length truncation):

tcpdump -s 0

 6. Read packets back from a saved file:

tcpdump -r file.pcap

 7. Print a readable timestamp (date and time) on each line:

tcpdump -tttt

 8. Capture only packets from, or only packets to, a given host:

# tcpdump -i eth0 src 192.168.0.2

# tcpdump -i eth0 dst 192.168.0.2
 After you have your network monitor system set up, you are ready to begin full-content monitoring, collecting the raw packets from the network. The following command line begins the writing of packets to disk with tcpdump:

tcpdump -n -i dc0 -s 1514 -w /var/log/tcpdump/emergency_capture.lpc &

 Here is what the switches mean for modern tcpdump implementations (libpcap 3.6.2 and tcpdump 3.6.2 and newer):
▼ -n Do not resolve IP addresses to hostnames or port numbers to service names. This avoids seeing “www” instead of “80” as the port number, and it keeps the monitor from sending DNS queries of its own, which would slow the capture and could reveal the monitor to the attacker.
■ -i dc0 Listen on interface dc0. The interface doesn’t need an IP address to capture packets. To bring up an interface in Unix without an IP address and with ARP disabled, so that it does not announce itself on the wire, use the following command (replace dc0 with the name of your sniffing interface): ifconfig dc0 up -arp. On current Linux systems the equivalent is ip link set dev dc0 up arp off.

 ■ -s 1514 Set the “snap” length to 1514 bytes. This will capture entire untagged Ethernet frames and avoid the 68-byte default snap length of older tcpdump releases, which kept headers but silently discarded most of the payload. (tcpdump 4.0 and later default to a snap length large enough for whole packets, so -s is no longer required for full content; 802.1Q-tagged frames are 4 bytes longer than 1514, so on trunk ports use a larger value or -s 0.)
■ -w /var/log/tcpdump/emergency_capture.lpc Write tcpdump’s output to a file in the /var/log/tcpdump directory called emergency_capture.lpc. (This filename and .lpc extension are arbitrary.)
▲ & Send the process into the background.
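The two slides above go together: full-content capture is what you write to disk, and session (trap-and-trace style) data like the tcptrace listing earlier is what you derive from it by reading headers only. The following added example, not code from the book, tcptrace or tcpdump, writes a small pcap from constructed Ethernet/IPv4/TCP frames with a chosen snap length, reads it back with only the Python standard library, and prints tcptrace-style session lines. It also counts records whose captured length is shorter than the original length, which is the test for whether a capture was made with too small a snap length. Hosts, ports and payloads are invented for the demonstration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4            # classic microsecond pcap, written in host order
LINKTYPE_ETHERNET = 1
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src_ip, sport, dst_ip, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (not needed here)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0xFFFF, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames, snaplen=65535):
    """Serialise frames as a pcap file image, truncating each to snaplen as tcpdump -s does."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]                       # incl_len may be < orig_len
        out += struct.pack("<IIII", 1_644_500_000 + i, 0, len(kept), len(frame)) + kept
    return bytes(out)


def iter_records(pcap):
    """Yield (captured_bytes, original_length) per record; handles either byte order."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len], orig_len
        off += incl_len


def summarize_sessions(pcap):
    """Return (sessions, truncated_count). Only IP/TCP headers are read; payload is never
    inspected, which is exactly the noncontent data a trap-and-trace collects."""
    sessions, truncated = {}, 0
    for frame, orig_len in iter_records(pcap):
        if len(frame) < orig_len:
            truncated += 1                           # snap length cut this packet short
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                 # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 20:
            continue                                 # not TCP, or TCP header itself cut off
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        flags = frame[14 + ihl + 13]
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in sessions:
            s, direction = sessions[rev], "b2a"
        else:
            s = sessions.setdefault(fwd, {"a": fwd[:2], "b": fwd[2:], "a2b": 0, "b2a": 0,
                                          "syn": False, "fin_a": False, "fin_b": False,
                                          "rst": False})
            direction = "a2b"
        s[direction] += 1
        s["syn"] |= bool(flags & SYN)
        s["rst"] |= bool(flags & RST)
        if flags & FIN:
            s["fin_a" if direction == "a2b" else "fin_b"] = True
    for s in sessions.values():
        s["state"] = ("reset" if s["rst"]
                      else "complete" if s["syn"] and s["fin_a"] and s["fin_b"] else "incomplete")
    return list(sessions.values()), truncated


def format_sessions(sessions):
    """Render sessions in tcptrace's 'n: a:port - b:port (a2b) X> Y< (state)' style."""
    return [f"{n}: {s['a'][0]}:{s['a'][1]} - {s['b'][0]}:{s['b'][1]} "
            f"({chr(95 + 2 * n)}2{chr(96 + 2 * n)}) {s['a2b']}> {s['b2a']}< ({s['state']})"
            for n, s in enumerate(sessions, 1)]


def build_sample_pcap(snaplen=65535):
    """Constructed traffic: one complete HTTP session and one the server resets."""
    c1, c2, srv = ("172.16.1.6", 49163), ("172.16.1.128", 1640), ("172.16.1.7", 80)
    f = lambda a, b, flags, payload=b"": build_frame(a[0], a[1], b[0], b[1], flags, payload)
    frames = [
        f(c1, srv, SYN), f(srv, c1, SYN | ACK), f(c1, srv, ACK),
        f(c1, srv, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
        f(srv, c1, PSH | ACK, b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"),
        f(c1, srv, FIN | ACK), f(srv, c1, FIN | ACK), f(c1, srv, ACK),
        f(c2, srv, SYN), f(srv, c2, SYN | ACK), f(c2, srv, ACK),
        f(c2, srv, PSH | ACK, b"GET /admin HTTP/1.0\r\n\r\n"),
        f(srv, c2, RST | ACK),
    ]
    return build_pcap(frames, snaplen)


if __name__ == "__main__":
    for snaplen in (68, 65535):                      # 68 was the old tcpdump default
        sessions, truncated = summarize_sessions(build_sample_pcap(snaplen))
        print(f"snaplen {snaplen}: {truncated} of 13 packets truncated")
        print("\n".join(format_sessions(sessions)))
```

With the old 68-byte snap length the three packets that carry HTTP data are reported as truncated, yet the session summary is identical, because the 54 bytes of Ethernet, IP and TCP headers still fit. That is the practical difference between the two slides: a trap-and-trace survives a short snap length, a full-content capture does not, so check incl_len against orig_len before trusting payload from a capture you did not make yourself.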

 In situations where you are collecting too much traffic for your monitoring system to handle, you will need to filter the full-content data. The simplest way to implement filtering in tcpdump relies on building Berkeley Packet Filters (BPF). The tcpdump manual page offers numerous options for pointing the tool’s attention toward specific packets.
During computer security incidents, we often depend on watching traffic either from hosts of interest or to hosts of interest. For example, to record all traffic to or from the 12.44.56.0/24 network block, we would use the following command line:

tcpdump -n -i dc0 -s 1514 -w /var/log/tcpdump/emergency_capture.lpc net 12.44.56 &

In BPF syntax a dotted triple such as net 12.44.56 is shorthand for the /24 network 12.44.56.0/24; the explicit form net 12.44.56.0/24 is equivalent. Remember that a filter discards packets permanently: anything outside it is not evidence you can recover later, so filter only when the monitor genuinely cannot keep up.

 Do not overlook all the potential sources of evidence when responding to an incident!
Most network traffic leaves an audit trail somewhere along the path it traveled. Here are some examples:
▼ Routers, firewalls, servers, IDS sensors, and other network devices may maintain logs that record network-based events.
■ DHCP servers log network access when a PC requests an IP lease.
■ Modern firewalls allow administrators an extensive amount of granularity when creating audit logs.

 IDS sensors may catch a portion of an attack due to a signature recognition or anomaly detection filter.
■ Host-based sensors may detect the alteration of a system library or the addition of a file in a sensitive location.
▲ System log files three time zones away on the primary domain controller may show a failed authentication during a logon attempt.
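The last bullet hides the trap in the timeline task from the first slides: each of these sources stamps events with its own local clock, and a domain controller three time zones away will appear to log a failed logon after a sensor alert that it actually preceded. The following added example (not from the book or any vendor) merges constructed log lines in the style of a Snort alert line, an ISC dhcpd syslog line and a Windows security-event export into one UTC-ordered timeline. The UTC offsets, the year for the year-less syslog and Snort formats, the hostnames and the event text are all assumptions made for the demonstration; the regular expressions are simplified stand-ins, not complete parsers for those products.

```python
import re
from datetime import datetime, timedelta, timezone

# Per source: the clock's UTC offset (assumed), a regex with 'ts' and 'msg' groups,
# and the strptime format of 'ts'. Offsets are fixed here; real deployments should use
# the site's zone (and DST rules) as recorded in the evidence-handling notes.
SOURCES = {
    "snort": (timezone(timedelta(hours=-8)),
              r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<msg>.*)$", "%m/%d-%H:%M:%S.%f"),
    "dhcpd": (timezone(timedelta(hours=-8)),
              r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: (?P<msg>.*)$", "%b %d %H:%M:%S"),
    "dc":    (timezone(timedelta(hours=-5)),
              r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msg>.*)$", "%Y-%m-%d %H:%M:%S"),
}

# Constructed log lines (not from any real system). The DC sits three zones east of the
# sensor and the DHCP server, so its wall clock reads later than the Snort alert even
# though the failed logon happened first.
SAMPLE_LOGS = {
    "snort": ["02/10-14:21:34.668747 172.16.1.7:49159 -> 66.192.0.70:22"],
    "dhcpd": ["Feb 10 14:19:02 dhcp1 dhcpd: DHCPACK on 172.16.1.128 to 00:0c:29:4a:1b:7e via eth0"],
    "dc":    ["2022-02-10 17:20:51 4625 failed logon account=svc_web workstation=WEB01 src=172.16.1.7"],
}


def parse_line(source, line, year):
    """Parse one line into an event carrying both its local time and its UTC value.
    Syslog and Snort omit the year, so the investigator supplies it (and must watch
    for a capture that spans New Year). Returns None for lines that do not match."""
    tz, pattern, fmt = SOURCES[source]
    m = re.match(pattern, line)
    if not m:
        return None
    ts = m.group("ts")
    if "%Y" not in fmt:                              # year-less format: append assumed year
        ts, fmt = f"{ts} {year}", f"{fmt} %Y"
    local = datetime.strptime(ts, fmt).replace(tzinfo=tz)
    return {"source": source, "local": local,
            "utc": local.astimezone(timezone.utc), "msg": m.group("msg")}


def build_timeline(logs, year):
    """Merge every source and order by true (UTC) time of occurrence."""
    events = []
    for source, lines in logs.items():
        for line in lines:
            ev = parse_line(source, line, year)
            if ev is not None:
                events.append(ev)
    return sorted(events, key=lambda e: e["utc"])


def naive_order(events):
    """The mistake this guards against: sorting by each log's raw wall-clock reading."""
    return sorted(events, key=lambda e: e["local"].replace(tzinfo=None))


def render(events):
    """One line per event, normalised to UTC so the reader sees a single clock."""
    return [f"{e['utc']:%Y-%m-%d %H:%M:%S}Z [{e['source']}] {e['msg']}" for e in events]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS, year=2022)   # year is an assumption
    print("\n".join(render(timeline)))
    print("raw-clock order would be:", [e["source"] for e in naive_order(timeline)])
```

Ordered by raw clock readings the failed logon on the DC comes last; ordered by UTC it falls between the DHCP lease and the outbound SSH attempt from the web server, which is the sequence an investigator needs to argue that the logon failure preceded the suspicious connection. The same normalisation step belongs in front of every correlation you do across the sources listed on these two slides.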

