
Network Forensics is a branch of Digital Forensics that deals with the capture, storage and analysis of network traffic. Incident handlers working on computer incident response and security operations teams around the world engage in this type of analysis in order to answer the “Five Ws” in relation to incidents:

  1. [W]ho did it?
  2. [W]hat happened?
  3. [W]here (in the virtual realm) did this occur?
  4. [W]hen did this occur?
  5. [W]hy did this occur?

When an incident has been declared, the incident handling team’s primary objectives are to minimize damage, return systems to a normal state, and implement safeguards to prevent such events from occurring in the future. Network event analysis often fosters understanding of an attack, be it perpetrated by an external or internal entity. Since the merits of a strong network forensics background are relevant in the security field, one question plagues many security teams: How can we test our aptitude for network forensics? (Note: ‘apt-get install network_forensics_skillz’ doesn’t exist :-) .)

The answer? A challenge! Enter: LMG Security’s Network Forensics Puzzle Contest.

The Challenge: Plan of Attack

Every year at DefCon, the world’s largest hacker conference, LMG Security holds their Network Forensics Puzzle Contest (NFPC). The event has evolved from an analysis and tool creation challenge to an all-out network forensics fest, requiring skill and dedication in spades. The best part about the challenge is that even if your team comes in dead last, you will learn a great deal.

When engaging in such a challenge, a team should approach the task as they would an actual incident. An incident coordinator (IC) should work with the team to derive tasks that need to be accomplished. The IC should then assign tasks to team members. A scribe can be assigned to document the team’s progress. Keep in mind that successes and failures should both be taken into account. (Let’s be honest: We often learn more from our failures than we do from our successes.) Of course, to perform the tasks required to participate in such a challenge, a team must use the right tools for the job.

Tools of the Trade

A veritable cornucopia of tools exists that will help security analysts with analyzing network traffic. Major tools include Wireshark, tcpdump, Network Miner, and others. Meanwhile, general-purpose tools such as bash, Python, perl, and others can be quite useful in these endeavors. The following is a breakdown of various tools and their applicable uses when it comes to network forensics. Please keep in mind that this list is just the “tip of the iceberg,” so to say. This list is by no means meant to be comprehensive. In fact, this list is more of a “some basic things to check out” kind of deal.


Wireshark is an open-source traffic capture and analysis tool with a massive following and a dedicated team of developers. This tool is a staple of the traffic analysis world, as indicated by the sheer number of dedicated books, workshops, training sessions, and even conferences in existence. In a network forensics challenge, Wireshark can be used to open a packet capture (often contained within a .pcap file) in order to analyze the traffic contained within.


tshark is often thought of as the engine behind Wireshark. Technically, the two tools do not share a codebase, but rather take from one another in major ways. In fact, you can think of tshark as the command line interface (CLI) equivalent of Wireshark (I know some diehard and/or OCD network guys and gals are going to lose it over this comment, but it is a fair comparison).


tcpdump is a command line-driven packet analyzer. This puppy is one of the most reliable when it comes to packet capture, as the low overhead afforded by a CLI-based interface decreases the chances of dropped packets, which are more common with tools such as Wireshark that require far more processing power to operate. In addition to capturing traffic, tcpdump can be used to analyze packet captures.


Python is a programming language that has captured the hearts of security professionals around the world. Lol. Seriously though, the language has been adopted for darn near “all the things” when it comes to security. Python can be used to encode or decode data; automate tasks; extract and process specific data types; and much more.

We use Python for our automation tasks, which extends to automating network analysis. As a random example, I recently wrote a short Python script (< 50 lines) that extracts a blob of data from a chunked half-duplex network stream. While tools such as NetworkMiner might do this for the analyst, these tools do not always understand the protocol in which you are interested or have the options that you need in the heat of competition.
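The kind of extraction described above, as an added example that is not the author's script: it parses a small libpcap capture constructed inline (Ethernet/IPv4/TCP between the hypothetical hosts 10.0.0.1 and 10.0.0.2), reassembles the server's half of the TCP stream by sequence number so that an out-of-order segment and a retransmitted segment are handled, and then decodes the HTTP/1.1 chunked body carried in that stream. Checksums are left at zero because nothing here validates them.

```python
"""Reassemble a TCP stream from a pcap and decode an HTTP chunked body.

Added example, not code from the original article. Assumes a classic
little-endian libpcap file (magic 0xA1B2C3D4, LINKTYPE_ETHERNET = 1) and
IPv4/TCP without IP options; hosts and ports are constructed sample values.
"""
import struct
from collections import defaultdict

CLIENT, SERVER = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed hosts
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_segment(src, dst, sport, dport, seq, payload):
    """Construct one Ethernet/IPv4/TCP frame (PSH+ACK); checksums stay zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in pcap record headers (timestamp = record index)."""
    out = bytearray(PCAP_HDR)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def build_sample_pcap():
    """Constructed capture: one HTTP exchange; the response arrives with
    segment 2 before segment 1, and segment 1 is then retransmitted."""
    request = b"GET /data HTTP/1.1\r\nHost: example.test\r\n\r\n"
    parts = [b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n",
             b"5\r\nhello\r\n", b"6\r\n world\r\n", b"0\r\n\r\n"]
    seqs, seq = [], 1000
    for p in parts:
        seqs.append(seq)
        seq += len(p)
    resp = lambda i: build_segment(SERVER, CLIENT, 80, 40000, seqs[i], parts[i])
    frames = [build_segment(CLIENT, SERVER, 40000, 80, 500, request),
              resp(0), resp(2), resp(1), resp(1), resp(3)]
    return build_pcap(frames)


def iter_frames(pcap):
    """Yield link-layer frames from an in-memory libpcap file."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("only little-endian Ethernet pcap is supported here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def tcp_segments(pcap):
    """Yield (flow, seq, payload) for every IPv4/TCP frame that carries data."""
    for frame in iter_frames(pcap):
        if frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:  # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload


def reassemble(pcap):
    """Per flow: order segments by seq, keep the first copy of a retransmission,
    trim overlapping bytes, and refuse to silently paper over a gap."""
    flows = defaultdict(dict)
    for flow, seq, payload in tcp_segments(pcap):
        flows[flow].setdefault(seq, payload)
    streams = {}
    for flow, segs in flows.items():
        buf, expected = bytearray(), None
        for seq in sorted(segs):
            payload = segs[seq]
            expected = seq if expected is None else expected
            if seq < expected:          # overlap with data already copied
                payload, seq = payload[expected - seq:], expected
            elif seq > expected:
                raise ValueError("gap in stream %r at seq %d" % (flow, expected))
            buf += payload
            expected = seq + len(payload)
        streams[flow] = bytes(buf)
    return streams


def decode_chunked(body):
    """Decode an HTTP/1.1 chunked transfer-encoded body (trailers ignored)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def extract_response_body(pcap=None):
    """Return the decoded body of the server's HTTP response in the capture."""
    stream = reassemble(pcap or build_sample_pcap())[(SERVER, 80, CLIENT, 40000)]
    header_end = stream.index(b"\r\n\r\n") + 4
    headers = stream[:header_end].decode("ascii", "replace").lower()
    body = stream[header_end:]
    return decode_chunked(body) if "transfer-encoding: chunked" in headers else body


if __name__ == "__main__":
    print(extract_response_body())  # b'hello world'
```

The seq-based reassembly is the part that point-and-click tools sometimes get wrong on a messy capture: the retransmitted copy of segment 1 is dropped by `setdefault`, and the out-of-order segment 2 falls into place once the segments are sorted. A real capture would need the same logic applied per direction, which is why the flow key includes both endpoints and ports.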


The Bourne Again Shell, or bash, is a fantastic tool for… well, everything. In terms of network forensic analysis, bash can facilitate piping one tool’s output to another; counting; sorting; deduping; and other tasks. Our team uses Bash extensively, which is highlighted in my network forensics workshop. I will digress on the multitude of tools one can call from within bash but we use other tools, such as perl, sed, and awk, for text processing, including running things such as regular expressions against data.

Network Miner

Network Miner aims to be an all-in-one analysis tool that works in a “point-and-click” fashion. The tool can be used to load (or even create) a packet capture file in order to extract specific data types, such as messages, files, sessions, etc. The #1 tip to keep in mind when considering NetworkMiner is: Do not let the tool become your crutch. Make sure that you understand how and why it works, as this will enable you to compensate for when it does NOT work.

NFPC Takeaways

Although utilizing tools, such as those mentioned above, is a reward in and of itself, some of the major takeaways from participating in this type of challenge are the identification of strengths and weaknesses along with the evolution of one’s skillset.

As an example, challenge participation provides insight into a team’s (or individual’s) strengths and weaknesses. This type of understanding is unique, as teams often are not able to ascertain this information without going through a real incident. However, when it comes to a learning environment, it doesn’t take long to decide between learning from a contest (a form of pseudo incident, if you will) and an active incident. Forget tabletop exercises, get your hands dirty!

What was done well? What could have been done differently? Did the IC and the team communicate well? Did the task assignment work well? Were any individuals not able to perform required tasks? Was task progress tracked properly? Did the scribe and IC work well with one another? Was the final documentation or report thorough, and did the report tell the story from start to finish? Was the team aware of the challenge status at all times? Did everyone participate? How can any inadequacies be addressed? Which tactics used were new to the team? Which of those tactics would work well within the team’s official methods and procedures list?

These are just some of the myriad questions that can be answered through review of notes taken during this type of challenge. Of course, the team also learns how to solve problems that they would otherwise not be able to solve. This type of training can be priceless.

Want to Learn More?

If you are interested in learning more about how to complete a challenge such as LMG’s NFPC, please stay tuned. I am running a network forensics workshop at BSides San Francisco on Monday, April 20. My workshop covers, step-by-step, how our team from Bechtel Corp. won LMG’s NFPC @ DefCon 22 in 2014. Although the workshop is full at this time, you might want to follow me on Twitter, as I will be releasing the workshop contents to GitHub on the day of the event. If you will be attending BSidesSF 2015, please stop by the workshop area, as I will have plenty of extra handouts.

Additionally, stay tuned to the DefCon 23 (2015) website and LMG’s contest-specific website. Details regarding LMG’s 2015 NFPC are sure to flow soon.


About the Author: Ryan J. Chapman (@rj_chap) works as a SOC Lead for Bechtel Corporation. In this capacity, he functions as an incident handler on a daily basis, which includes host- and network-based forensic analysis, along with malware analysis. Prior to this position, Ryan worked as an Application Developer during his transition from a full-time training career. Ryan has a zest for life-long learning and holds the GREM, GCIH, LPIC-1, SUSE CLA, Linux+, Security+, A+ and ACHDS certifications. Ryan also holds a graduate degree in Information Assurance and an undergrad in Networking, both from Regis University. Overall, Ryan loves retro gaming, “nerd vomiting” on people, and “geeking it up” with infosec pals.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

  • jinq

    Thanks for the blog, really like your Five-Ws questions on an incident! I think these packet analysis tools are great, each designed to attack a certain area in packet analysis. For example, Wireshark/Tshark have great support for protocol dissection and allow the user to dive deep into packets. tcpdump/dumpcap is very lightweight and allows the user to record (large amounts of) packets to files (don't use Wireshark/Tshark for this, since they are slower and can use up all the memory because they also perform protocol dissection).

    In many network investigations or troubleshooting of network packets, it would be nice to have a tool that does
    1) search for packets fast, for example list all the http requests whose response is 500
    2) be able to look at each request (header + body)
    3) select a request and follow the TCP session and see all the packets in that TCP session
    4) be able to go back to the search result in 1) by "undo" follow TCP session.

    Of course, it's better if this tool can do the above with a multi-GB pcap file and do each of the steps fast.