
In this article by Samir Datt, the author of the book Learning Network Forensics, you will learn to get your hands dirty by actually capturing and analyzing network traffic. We will learn how to use different software tools to capture and analyze network traffic with real-world scenarios of accessing data over the Internet and the resultant network capture.

The article will cover the following topics:

  • Packet sniffing and analysis using NetworkMiner
  • Case study – sniffing out an insider


Packet sniffing and analysis using NetworkMiner

NetworkMiner is a passive network sniffing, or network forensic, tool. It is called a passive tool because it does not send out requests—it sits silently on the network, capturing every packet in promiscuous mode.

NetworkMiner is host-centric. This means that it classifies data by host rather than by packet, which is how most sniffers, such as Wireshark, present it.

The different steps to NetworkMiner usage are as follows:

  1. Download and install NetworkMiner.
  2. Then, configure it.
  3. Capture the data in NetworkMiner.
  4. Finally, analyze the data.

NetworkMiner is available for download at SourceForge: http://sourceforge.net/projects/networkminer/.

Though NetworkMiner is not as well known as it should be, its host-centric approach is refreshingly different and effective. Letting users classify traffic by IP address rather than by packet helps us to zero in on the activities of the specific computers that are under suspicion or being investigated.

The NetworkMiner interface is shown in the following screenshot:

To begin using NetworkMiner, we start by selecting a network adapter from the drop-down list. NetworkMiner places this adapter in promiscuous mode. Clicking Start sets NetworkMiner to the task of packet collection.

While NetworkMiner is capable of collecting data packets from the network, its real strength comes into play after the data has been collected. In most scenarios, it makes more sense to use Wireshark to capture packets and then use NetworkMiner to analyze the captured .pcap file.

As soon as data capturing begins, NetworkMiner swings into action by sorting the packets based on the host IP addresses. This is extremely useful since it allows us to identify traffic that is specific to a single IP on the network. If we have a single suspect with a known IP on the network, we can focus our investigative resources on just that IP address.

Some really great additional features include the ability to identify the media access control (MAC) address of the network interface card (NIC) in use and also the OS of the suspect system. In fact, when the OS is detected, an OS icon is shown to the left of the IP address, as shown in the following screenshot:

As we can see in the preceding image, some of the devices that are connected to the network under investigation are Windows and BSD devices.

The next tab is the Frames tab. The Frames tab view is similar to that of Wireshark and is perhaps one of the lesser used tabs in NetworkMiner, due to the fact that there are so many other richer options available, as shown in the following screenshot:

It shows us the frame length, the source and destination IP addresses, and the time to live (TTL) of each packet.

NetworkMiner has the ability to collate the packets and then reconstruct the constituent files for viewing by the investigator. These files are shown in the Files tab.

Assuming that some files were copied/accessed over a network share, it would be possible to view the reconstructed file in the Files tab.

The Files tab also lists the SSL certificates seen on the network. This can also be useful from an investigation perspective, as shown in the following screenshot:

Similarly, if pictures have been viewed over the network, these are reconstructed in the Images tab.

In fact, this is especially useful when scanned documents are part of the network traffic, which may happen when the bad guys try to evade keyword-based searching.

The following is an image depicting the Images tab:

The reconstructed graphics are usually depicted as thumbnails. Right-clicking the thumbnail allows us to open the graphic in a picture editor/viewer.

DNS queries are also accessible via another tab, as shown in the following image:

There are additional tabs available that are notable from the perspective of an investigation.

One of these is the Credentials tab.

This tab stores information on interactions that involve the exchange of credentials with resources that require logons. It is not uncommon to find usernames and passwords for plain-text logons listed under this tab. One can also find user accounts for popular sites such as Gmail and Facebook.

A screenshot of the Credentials tab is as follows:

In a number of cases, it is possible to recover the usernames and passwords used for certain websites.

Another great feature in NetworkMiner is the ability to import a set of keywords that are to be used to search within packets in the captured .pcap file.

This allows us to separate packets that contain our keywords of interest.

A screenshot is as follows:
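The host-centric view, the per-frame source, destination and TTL details, the DNS-query listing and the keyword search described above can all be reproduced in a few lines of code. The following is an added Python example written for this page; it is not NetworkMiner's code nor the book's. It constructs a tiny pcap in memory (the addresses, the hostname storage.example.com, the payload text and the keyword list are all made up for the example), then parses it and groups frames by host, records the TTL each host sends with, lists the DNS names each host queried and flags TCP payloads that contain any of the keywords. Real pcap files from Wireshark can be passed to host_centric_summary() as bytes in the same way.

```python
import struct
from collections import defaultdict

# Constructed sample traffic: frames built from scratch for this example, not a real capture.
def ipv4(src, dst, proto, payload, ttl):
    # Ethernet (zeroed MACs, EtherType 0x0800) + minimal IPv4 header; the IP checksum is
    # left at 0 because the parser below never validates it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + hdr + payload

def tcp(sport, dport, payload):
    # 20-byte TCP header: seq/ack 1, data offset 5, flags PSH|ACK, checksum 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def dns_query(qname):
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN

def build_pcap(frames):
    """Wrap Ethernet frames in a little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    # workstation 10.0.0.5 (TTL 128) pushes a document to a file server on 445/tcp
    ipv4("10.0.0.5", "10.0.0.9", 6, tcp(50001, 445,
         b"Draft bid for contract GOV-2024-17, do not distribute"), ttl=128),
    # the same workstation resolves a (made-up) cloud-storage hostname
    ipv4("10.0.0.5", "10.0.0.1", 17, udp(51000, 53, dns_query("storage.example.com")), ttl=128),
    # a second host (TTL 64) makes an ordinary intranet HTTP request
    ipv4("10.0.0.7", "10.0.0.9", 6, tcp(40000, 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"), ttl=64),
])

def parse_pcap(data):
    """Yield (timestamp, frame bytes) for each record of a little-endian pcap."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def dns_qname(message):
    # Walk the labels of the first question; compression pointers never occur in a
    # query's question section, so they are not handled here.
    off, parts = 12, []
    while message[off] != 0:
        n = message[off]
        parts.append(message[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(parts)

def host_centric_summary(pcap_bytes, keywords):
    """Group frames by host, as NetworkMiner's Hosts tab does: frame/byte counts,
    peers, TTLs seen, DNS names queried and keyword hits in TCP payloads."""
    hosts = defaultdict(lambda: {"frames": 0, "bytes": 0, "peers": set(), "ttls": set(),
                                 "dns": [], "keyword_hits": []})
    for _ts, fr in parse_pcap(pcap_bytes):
        if fr[12:14] != b"\x08\x00":          # only IPv4 frames are classified
            continue
        ihl = (fr[14] & 0x0F) * 4
        ttl, proto = fr[22], fr[23]
        src = ".".join(str(b) for b in fr[26:30])
        dst = ".".join(str(b) for b in fr[30:34])
        l4 = fr[14 + ihl:]
        for h in (src, dst):
            hosts[h]["frames"] += 1
            hosts[h]["bytes"] += len(fr)
        hosts[src]["ttls"].add(ttl)             # the initial TTL is one input to OS guessing
        hosts[src]["peers"].add(dst)
        hosts[dst]["peers"].add(src)
        if proto == 6:                          # TCP: case-insensitive keyword search
            payload = l4[(l4[12] >> 4) * 4:].lower()
            hits = [(kw, dst) for kw in keywords if kw.lower().encode() in payload]
            hosts[src]["keyword_hits"].extend(hits)
        elif proto == 17 and struct.unpack_from("!H", l4, 2)[0] == 53:   # UDP to port 53
            hosts[src]["dns"].append(dns_qname(l4[8:]))
    return dict(hosts)

def summarize_sample():
    return host_centric_summary(SAMPLE_PCAP, ["contract", "tender"])

if __name__ == "__main__":
    for host, info in sorted(summarize_sample().items()):
        print(host, info["frames"], "frames, TTLs", sorted(info["ttls"]),
              "DNS", info["dns"], "keyword hits", info["keyword_hits"])
```

Running the script lists 10.0.0.5 with two frames, a TTL of 128, the query for storage.example.com and a keyword hit for "contract" sent to 10.0.0.9, while 10.0.0.7 shows only its HTTP request with a TTL of 64. The keyword match is deliberately case-insensitive, as a list of keywords prepared during the information-gathering stage rarely matches the exact case used in documents on the wire.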

Case study – tracking down an insider

XYZ Corporation, a medium-sized government contractor, found that it had begun to lose business to a tiny competitor that seemed to know exactly what the sales team at XYZ Corp was planning.

The senior management suspected that an insider was leaking information to the competitor.

A network forensic 007 was called in to investigate the problem.

A preliminary information-gathering exercise was initiated and a list of keywords was compiled to help in identifying packets that contained information of interest. A list of possible suspects, who had access to the confidential information, was also compiled.

The specific network segment relating to the department in question was put under network surveillance. Wireshark was deployed to capture all the network traffic. Additional storage was made available to store the .pcap files generated by Wireshark.

The collected .pcap files were analyzed using NetworkMiner.

The following screenshot depicts Wireshark capturing traffic:

An in-depth analysis of network traffic produced the following findings:

  • An image showing the registration certificate of the company that was competing with XYZ Corp, providing the names of the directors
  • The address of the company in the registration certificate was the residential address of the sales manager of XYZ Corp
  • E-mail communications using personal e-mail addresses between the directors of the competing company and the senior sales manager of XYZ Corp
  • Further offline analysis showed that the sales manager’s wife was related to the director of the competing company
  • It was also seen that the sales manager was connecting to the office Wi-Fi network using his Android phone
  • The sales manager was noted to be accessing cloud storage using his phone and transferring important files and contact lists
  • It was noted that the sales manager was also in close communication with a female employee in the accounts department and that the connection was intimate

The information collected so far was very indicative of the sales manager’s involvement with competitors.

Based on the preceding network forensics exercise, it was recommended that a full-fledged digital forensic exercise be initiated, including of his assigned laptop and phone. It was also recommended that sufficient corroborating evidence be collected using log analysis, RAM analysis, and disk forensics before initiating legal or breach-of-trust action against the suspect(s).

Summary

In this article, we moved our skills up a notch. You learned how to analyze the captured packets to see what is happening on the network. We also studied how to see the traffic from the specific IP addresses as well as protocol-specific traffic. We also understood how to look for specific traffic based on keywords. Files, private credentials, and images have been examined to identify activities of interest. We have now become a lot better at investigating network activity.
