This section shows where network forensic methods can be applied within the different network protocols or layers.
Data-link and physical layer examined (Ethernet)
At this layer, methods rely on eavesdropping on bit streams at the Ethernet layer of the OSI model. This can be done using monitoring tools or sniffers such as Wireshark or Tcpdump, both of which capture traffic data from a network card interface configured in promiscuous mode. These tools allow an investigator to filter traffic and reconstruct attachments transmitted over the network. In addition, protocols can be consulted and analyzed, such as the Address Resolution Protocol (ARP) or any higher-level protocols. However, this can be averted with encryption. Encryption might indicate that the host is suspicious, since an attacker uses encryption to secure the connection and bypass eavesdropping. The disadvantage of this method is that it requires a large storage capacity.
Transport and network layer examined (TCP/IP)
Forensic methods can also be applied at the network layer. The network layer provides router information based on the routing table present on all routers, and also provides authentication log evidence. Investigating this information helps determine compromised packets, identify the source, and perform reverse routing and data tracking. Network device logs provide detailed information about network activities. Multiple logs recorded from different network devices can be correlated to reconstruct the attack scenario. Because network devices have a limited storage capacity, network administrators configure the devices to send logs to a server and store them for a period of time.
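The correlation step described above, as an added example that is not part of the original page: three device logs with different timestamp conventions are normalized to UTC and merged into one timeline for a single address. The log formats, the host names (fw1, rtr1, auth1), the router's UTC+2 clock and all log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs; formats and hosts are assumptions, not real device output.
FIREWALL = """\
2024-03-01T10:15:02+00:00 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T10:15:09+00:00 fw1 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443
2024-03-01T10:16:30+00:00 fw1 ALLOW src=198.51.100.4 dst=10.0.0.9 dport=80
"""
ROUTER = """\
Mar  1 12:15:05 rtr1 flow 203.0.113.7 -> 10.0.0.5 bytes=5120
"""
AUTH = """\
1709288115 auth1 login_failed user=admin from=203.0.113.7
1709288121 auth1 login_ok user=admin from=203.0.113.7
"""
IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_firewall(line):
    # ISO 8601 stamp with an explicit offset.
    ts, rest = line.split(" ", 1)
    return datetime.fromisoformat(ts).astimezone(timezone.utc), rest

def parse_router(line, year=2024, utc_offset_hours=2):
    # Syslog-style stamp: no year, device-local time (year and offset are assumed).
    ts, rest = line[:15], line[16:]
    local = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc), rest

def parse_auth(line):
    # Unix epoch seconds, already UTC.
    ts, rest = line.split(" ", 1)
    return datetime.fromtimestamp(int(ts), timezone.utc), rest

def timeline(sources, ip):
    """Merge all sources into one UTC-ordered list of events mentioning ip."""
    events = []
    for text, parser in sources:
        for line in text.splitlines():
            when, rest = parser(line)
            if ip in IP.findall(rest):
                events.append((when, rest))
    return sorted(events)

SOURCES = [(FIREWALL, parse_firewall), (ROUTER, parse_router), (AUTH, parse_auth)]

if __name__ == "__main__":
    for when, rest in timeline(SOURCES, "203.0.113.7"):
        print(when.isoformat(), rest)
```

Without the offset correction the router flow record would sort two hours after the login events instead of between the two firewall decisions.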
Traffic examined based on the use case (Internet)
The internet provides numerous services such as WWW, email, chat, and file transfer, which makes it rich with digital evidence. This evidence is obtained by identifying the logs of servers deployed on the internet. Servers include web servers, email servers, internet relay chat (IRC) servers, and servers for other types of traffic and communication. These servers collect useful log information, such as browsing history, email accounts (except when email headers are faked), and user account information.
For wireless networks, forensics is achieved by collecting and analyzing traffic from wireless networks and devices, such as mobile phones. This extends normal traffic data to include voice communications. Phone location can also be determined. The analysis methods for wireless traffic are similar to those for wired network traffic, but different security issues should be taken into consideration.