Network forensic investigators examine two primary sources: full-packet capture, and log files from devices such as routers, proxy servers, and web servers. These log files record traffic patterns by storing source and destination IP addresses, transport-layer (TCP/UDP) ports, Domain Name System (DNS) names, and other metadata about each connection, but not the content carried.
Full-Packet Capture. The advantage of full-packet capture is that the content, and therefore the meaning and value, of the data being transferred can be determined: a log or flow record shows that a host spoke to a server on port 8080, while the capture shows what was requested and what came back. Packet capture is not usually run full-time because of the large amount of storage required for even an hour's worth of traffic on a typical business network. There may also be privacy concerns (although most businesses today require employees to sign an acknowledgement that they have no expectation of privacy on business-owned systems and networks).
Packet capture is therefore typically started when suspicious activity has been detected and may still be ongoing. The tap or SPAN point must be chosen carefully so that it sees the traffic flowing among all affected devices; a tap only observes the link it sits on, so traffic between two hosts on the same switch never reaches a tap on the uplink, and multiple taps may be needed.
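The following is an added example, not code from the original article or from E-SPIN, illustrating the content-versus-metadata distinction above. It builds a small libpcap file in memory from constructed frames (one HTTP request, one TLS fragment, one ARP frame, all using documentation IP ranges), parses it back with only the Python standard library, and for each TCP packet shows both the metadata a flow or log record would preserve and the payload content that only a full capture retains. Frame layout, addresses and the request line are all constructed assumptions; checksums are left at zero because nothing here transmits the frames.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP frame carrying payload (checksums zero; constructed test data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames: List[bytes], first_ts: int = 1700000000) -> bytes:
    """Write a libpcap file: global header (little-endian magic, Ethernet) then per-record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed capture (assumed sample, not a real network): HTTP request, TLS fragment, ARP frame.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "203.0.113.10", 51234, 8080,
                    b"GET /search?q=test HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    build_tcp_frame("10.0.0.5", "203.0.113.10", 51235, 443, bytes.fromhex("160301")),
    bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28,
])


@dataclass
class Packet:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_pcap(data: bytes) -> List[Packet]:
    """Walk the pcap records and decode Ethernet/IPv4/TCP; any other frame is skipped."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len, = struct.unpack_from("!H", frame, 16)
        if frame[23] != 6:                                    # IP protocol must be TCP
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + ip_len]      # bounded by IP length, not Ethernet padding
        packets.append(Packet(ts_sec, src, dst, sport, dport, payload))
    return packets


def http_request_line(pkt: Packet) -> Optional[str]:
    """Return the request line when the payload looks like the start of an HTTP request."""
    first = pkt.payload.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith(b"HTTP/"):
        return first.decode("ascii", "replace")
    return None


def flow_view(pkt: Packet) -> str:
    """What a flow or log record preserves for the same packet: endpoints and size, no content."""
    return f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} tcp {len(pkt.payload)} bytes"


if __name__ == "__main__":
    for p in parse_pcap(SAMPLE_PCAP):
        print(flow_view(p), "|", http_request_line(p) or "(content not HTTP)")
```

The same parser reads a file written by tcpdump or Wireshark in classic pcap format (not pcapng), as long as the link type is Ethernet; the TLS packet shows the limit of the technique, since an encrypted payload still yields only metadata.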
Log files. Most modern network devices, such as routers, can export NetFlow (or an equivalent such as IPFIX) records full-time with little impact on performance. Web server, proxy server, firewall, Intrusion Detection System (IDS), DNS, Dynamic Host Configuration Protocol (DHCP), and Active Directory domain controller logs also contain much useful information about activity on the network. These logs can be analyzed to identify suspicious source and destination pairs (e.g., your server is communicating with a server in Eastern Europe or China) and suspicious application activity (e.g., web traffic to a destination port other than 80, 443, or 8080).
One advantage of log files is their much smaller size compared to full-packet capture. Another is that the collection points are already in place at key locations, and it is not difficult to collect the output of multiple devices into one master log for analysis. For that merged timeline to be trustworthy, device clocks must be synchronized (NTP) and timestamps normalized to one time zone before records from different sources are interleaved. There are many free as well as commercial tools for log aggregation.
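As an added example (not code from the original article or from E-SPIN), the script below does what the two paragraphs above describe: it reads two constructed log sources in different formats, a Squid-style proxy access log and flow records already reduced to CSV by a collector, normalizes both into one master timeline, and then runs the two checks the text names, a server talking to an unapproved external host and web traffic on a non-standard port. The log lines, the internal and approved address ranges, and the set of server addresses are all constructed assumptions; in practice the approved list would come from asset inventory and a GeoIP lookup would replace the CIDR test for the "server in another country" case.

```python
import csv
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from io import StringIO
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# --- Constructed sample logs (assumed data, not from a real network) ---
# Squid native access-log format:
# epoch.ms elapsed client result/status bytes method url user peerstatus/peerhost content-type
PROXY_LOG = """\
1700000001.123 120 10.0.0.21 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1700000005.456 80 10.0.0.21 TCP_MISS/200 2048 GET http://198.51.100.7:4444/update.bin - HIER_DIRECT/198.51.100.7 application/octet-stream
"""
# Flow records exported by a collector as CSV: iso_timestamp,src,dst,ip_proto,sport,dport,bytes
FLOW_LOG = """\
2023-11-14T22:13:20Z,10.0.0.5,10.0.0.9,6,51000,443,900
2023-11-14T22:13:27Z,10.0.0.5,203.0.113.77,6,51001,443,150000
2023-11-14T22:13:30Z,10.0.0.9,192.0.2.10,6,51002,8443,3000
"""

# Assumed site knowledge: internal ranges, servers that should only reach known destinations,
# and external destinations already approved (CDN, SaaS partner).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SERVER_IPS = {"10.0.0.5", "10.0.0.9"}
APPROVED_EXTERNAL = [ipaddress.ip_network("93.184.216.0/24"),
                     ipaddress.ip_network("203.0.113.0/24")]
WEB_PORTS = {80, 443, 8080}


@dataclass
class Event:
    ts: datetime
    device: str          # which log source produced the record
    src: str
    dst: str
    dport: int
    app: Optional[str]   # "http" when the source knows it was web traffic, else None


def parse_proxy_log(text: str) -> Iterable[Event]:
    """Squid native format: destination port from the URL, destination IP from the peer field."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        ts = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
        url = urlsplit(f[6])
        port = url.port or (443 if url.scheme == "https" else 80)
        peer_ip = f[8].split("/", 1)[1]          # HIER_DIRECT/<ip>
        yield Event(ts, "proxy", f[2], peer_ip, port, "http")


def parse_flow_log(text: str) -> Iterable[Event]:
    """Collector CSV with UTC timestamps; the flow source does not know the application."""
    for row in csv.reader(StringIO(text)):
        if len(row) != 7:
            continue
        ts = datetime.strptime(row[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield Event(ts, "flow", row[1], row[2], int(row[5]), None)


def build_master_log() -> List[Event]:
    """Merge every source into one timeline; both parsers emit UTC so the sort is meaningful."""
    events = list(parse_proxy_log(PROXY_LOG)) + list(parse_flow_log(FLOW_LOG))
    return sorted(events, key=lambda e: e.ts)


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def suspicious_pairs(events: List[Event]) -> List[Event]:
    """A server reaching an external host that is neither internal nor on the approved list."""
    return [e for e in events
            if e.src in SERVER_IPS
            and not _in_any(e.dst, INTERNAL_NETS)
            and not _in_any(e.dst, APPROVED_EXTERNAL)]


def suspicious_ports(events: List[Event]) -> List[Event]:
    """Known web traffic going to a destination port other than 80, 443 or 8080."""
    return [e for e in events if e.app == "http" and e.dport not in WEB_PORTS]


if __name__ == "__main__":
    log = build_master_log()
    for e in suspicious_pairs(log):
        print(f"[pair] {e.ts:%H:%M:%S} {e.device}: {e.src} -> {e.dst}:{e.dport}")
    for e in suspicious_ports(log):
        print(f"[port] {e.ts:%H:%M:%S} {e.device}: {e.src} -> {e.dst}:{e.dport}")
```

Note that the port check only fires on records whose source knows the application (the proxy); a flow record to port 8443 from a server is caught by the pair check instead, which is why merging sources matters: each log answers a different question.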
Feel free to contact E-SPIN about the various technology solutions that can support your network forensics infrastructure and security monitoring.