
Network Forensics

What is Network Forensics?

Network forensics is the branch of digital forensics that deals with capturing, recording and analysing traffic on a computer network, for the purposes of information gathering, legal evidence or intrusion detection. It has two broad uses. The first, relating to security, is monitoring a network for anomalous traffic and identifying intrusions; the second is collecting and preserving traffic as a record of events, so that an incident can be reconstructed after the fact. The main purposes of network forensics are therefore:

  • Intrusion Detection
  • Recording and logging the events

Why do we need Network Forensics ?

An attacker who has compromised a host can erase every log file on it; network-based evidence may then be the only evidence left for forensic analysis. Analysis of captured network traffic includes tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions. The traffic can yield clues such as:

  • the websites and other hosts the attacker communicated with
  • the files transferred (which may include bank details, chats, pictures and so on)
  • evidence of the activity of certain types of malware, for example periodic connections to a command-and-control server

Two things limit this evidence: traffic is only available if capture (a network tap, a SPAN port or flow logging) was already in place when the intrusion happened, and encrypted sessions reveal the endpoints, timing and volume of a conversation but not its content unless the keys are available. Data crosses a network as packets, so the raw material for all of this analysis is a packet capture.

What is a PCAP ?

A PCAP file stores the packets captured from a network interface during a session, in the file format of libpcap, the capture library behind tcpdump and Wireshark. The file begins with a global header that records the byte order, the link-layer type (usually Ethernet) and the snapshot length, followed by one record per packet carrying a timestamp, the captured length and the packet bytes themselves. From those packets an analyst can recover which connections were established between hosts, how the attacker got into the system (in the case of an intrusion) and what data passed over the network, including any files transferred, so a capture is examined thoroughly for clues about an attack. Two limits to keep in mind: a capture holds only what the capture point saw, and each packet is stored only up to the snapshot length, so a small snaplen silently truncates payloads. Recent Wireshark versions save captures in the newer pcapng format by default, which has a different block layout; Wireshark and tshark read both. The most commonly used tool for analysing a PCAP file is Wireshark.
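As an added example (not code from the original page), the following Python script ties the file layout described above to the analysis tasks listed under "Why do we need Network Forensics?": it parses a classic pcap file's global header and packet records using only the standard library, decodes Ethernet/IPv4/TCP, reassembles each TCP stream in sequence order while discarding a retransmitted segment and padding any gap, searches the reassembled streams for keywords, and pulls the body out of an HTTP response as the transferred file. The capture it analyses is constructed in memory by sample_capture(); the addresses, ports, hostname and account number in it are made up, and IP and TCP checksums are left at zero because nothing here verifies them.

```python
import re
import socket
import struct

LINKTYPE_ETHERNET = 1
# Classic pcap magic numbers: writer byte order and timestamp units (micro- or nanoseconds).
PCAP_MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6), 0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}

def build_frame(src_ip, dst_ip, sport, dport, seq, payload, flags=0x18):
    """Ethernet II + IPv4 + TCP frame for constructed test traffic (checksums left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)  # 20-byte TCP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def decode_tcp_frame(frame):
    """Addresses, ports, sequence number and payload of an IPv4/TCP frame; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                  # IP protocol 6 is TCP
        return None
    tcp = ip[ihl:total_len]                         # total_len also strips Ethernet padding
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4                # TCP header length, given in 32-bit words
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "payload": tcp[data_off:]}

def parse_pcap(data):
    """Walk the record list of a classic pcap file and decode every TCP packet in it."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng, Wireshark's default, has a different layout)")
    endian, ts_div = PCAP_MAGICS[magic]
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < incl_len:                   # truncated file: stop rather than misread
            break
        pkt = decode_tcp_frame(frame)
        if pkt is not None:
            pkt["ts"] = ts_sec + ts_frac / ts_div
            packets.append(pkt)
    return packets

def reassemble_streams(packets):
    """Rebuild each one-directional TCP stream in sequence order, dropping retransmitted or
    overlapping bytes and padding gaps with NULs (32-bit sequence wrap-around is not handled)."""
    segs_by_flow = {}
    for p in packets:
        if p["payload"]:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            segs_by_flow.setdefault(key, {}).setdefault(p["seq"], p["payload"])  # first copy wins
    streams = {}
    for key, segs in segs_by_flow.items():
        buf, expected = bytearray(), min(segs)
        for seq in sorted(segs):
            buf += b"\x00" * max(0, seq - expected)     # missing segment: pad the gap
            buf += segs[seq][max(0, expected - seq):]   # overlap / retransmission: skip seen bytes
            expected = max(expected, seq + len(segs[seq]))
        streams[key] = bytes(buf)
    return streams

def search_keywords(streams, keywords):
    """(flow, keyword, offset) for every keyword occurrence in the reassembled streams."""
    return [(key, kw, m.start()) for key, data in streams.items()
            for kw in keywords for m in re.finditer(re.escape(kw), data)]

def extract_http_bodies(streams):
    """Body of each stream that carries an HTTP/1.x response, i.e. the file that was transferred."""
    return {key: data.partition(b"\r\n\r\n")[2]
            for key, data in streams.items() if data.startswith(b"HTTP/1.")}

def sample_capture():
    """Constructed capture: one HTTP download whose request arrives out of order with a retransmission."""
    c, s = ("10.0.0.5", "10.0.0.9", 40000, 80), ("10.0.0.9", "10.0.0.5", 80, 40000)
    req1, req2 = b"GET /secret.txt HTTP/1.1\r\n", b"Host: files.example.test\r\n\r\n"
    body = b"account=4111-1111-1111-1111\n"
    return build_pcap([
        build_frame(*c, seq=1000 + len(req1), payload=req2),   # second segment arrives first
        build_frame(*c, seq=1000, payload=req1),
        build_frame(*c, seq=1000 + len(req1), payload=req2),   # retransmission of the same bytes
        build_frame(*s, seq=5000, payload=b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body),
    ])
```

For a real capture, read the file's bytes and pass them to parse_pcap, then feed the result through reassemble_streams and search_keywords; the stream keys are one-directional, so a conversation appears as two entries, one per direction. A pcapng file is rejected by the magic-number check, and a capture whose packets were cut at the snapshot length shows up as streams with NUL padding where the truncated bytes should be, which is the cue to go back to the capture settings rather than to the data.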

Wireshark is an open-source tool used by professionals and amateurs alike.