Modern Network Forensics
Network devices are constantly storing, sending and receiving data packets. The two methods used to conduct network forensics are analyzing packet captures, which are the data packets sent between devices, and analyzing log data, which is stored on a device such as a router. These two methods of network forensics can help investigators find multiple pieces of information that further their understanding of an incident.
For example, packet captures analyzed through a protocol analyzer such as Wireshark will display information such as IP addresses, the directional flow of data, the amounts of data being transferred, the protocols being used and any plain-text communications. Log data on a device will show investigators which devices were connected in the past, through tables recording the physical hardware devices that connected to a router or other network device.
From these two methods of analysis investigators can determine a large amount of information about how an information system was used and whether or not that activity was in violation of the law or corporate policy. Incident responders can also use this information to determine if an attack took place and, if so, how it affected the organization. For example, a network-based DDoS attack would show an unusually large number of data packets flooding into the network, which would be very obvious to detect with a network analysis tool. In a law enforcement setting, investigators would be able to determine whether or not a certain IP address was visited by a user. This could be useful in proving that a person used a device for illicit purposes, such as using a dark web marketplace.
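As an added illustration (not code from the original article), the following Python script reads a libpcap file the way a protocol analyzer does at its simplest: it reconstructs the per-direction conversation table (source, destination, protocol, packet and byte counts), flags any destination receiving an unusually large packet flood in a single second, and checks whether a given IP address was ever contacted. The capture itself is constructed inside the script, and the addresses and the flood threshold are assumptions chosen for the demonstration.

```python
import struct
from collections import defaultdict
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet

def make_frame(ts, src, dst, proto, payload_len):
    """Constructed test record: pcap record header + Ethernet + IPv4 header + zero-filled payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len  # dummy MACs, EtherType IPv4
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

def parse_pcap(data):
    """Walk a little-endian libpcap file, yielding (ts, src, dst, proto, ip_bytes) per IPv4 packet."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or len(frame) < 34:  # skip non-IPv4 or truncated frames
            continue
        ip = frame[14:]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        yield ts, src, dst, PROTO.get(ip[9], str(ip[9])), struct.unpack("!H", ip[2:4])[0]

def flow_summary(data):
    """Conversation table as a protocol analyzer shows it: (src, dst, proto) -> [packets, bytes]."""
    flows = defaultdict(lambda: [0, 0])
    for _, src, dst, proto, n in parse_pcap(data):
        flows[(src, dst, proto)][0] += 1
        flows[(src, dst, proto)][1] += n
    return dict(flows)

def flood_targets(data, pps_threshold):
    """Destinations that received more than pps_threshold packets within any one-second window."""
    per_sec = defaultdict(int)
    for ts, _, dst, _, _ in parse_pcap(data):
        per_sec[(dst, ts)] += 1
    return sorted({dst for (dst, _), n in per_sec.items() if n > pps_threshold})

def contacted(data, ip):
    """True if any host in the capture sent traffic to the given IP address."""
    return any(dst == ip for _, _, dst, _, _ in parse_pcap(data))
# Constructed capture: one ordinary TCP exchange, then 200 sources hitting one host in the same second
SAMPLE = (GLOBAL_HDR + make_frame(100, "10.0.0.5", "203.0.113.7", 6, 300)
          + make_frame(100, "203.0.113.7", "10.0.0.5", 6, 1200)
          + b"".join(make_frame(101, f"198.51.100.{i}", "10.0.0.9", 17, 40) for i in range(1, 201)))
```

Running `flow_summary(SAMPLE)` gives one entry per direction of the TCP exchange and 200 single-packet UDP entries aimed at 10.0.0.9, and `flood_targets(SAMPLE, 100)` singles out that host; the same functions work on a real little-endian pcap read with `open(path, "rb").read()`.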
There are a variety of free and paid tools that can be used for network forensics, and whichever one you use depends largely on your objectives. Free tools such as Wireshark and Network Mapper (Nmap) give the user the ability to conduct Network Traffic Analysis (NTA) and a variety of other tasks such as OS fingerprinting and port scanning. Web Historian is a tool that allows the user to view and analyze data that was transferred to and from websites over the network being analyzed. Email Tracker Pro is another tool that was discussed; it allows the investigator to analyze the location of the device that sent a specific email. The combination of these tools and others like them allows investigators to gain invaluable data that can lead to solving crimes, catching criminals and gathering information about security-related incidents.
Capturing network data is a common way that authorities collect electronic data on individuals. In certain instances this can become a breach of privacy, which is against the law. The article explains that collecting data this way without authorization can violate the Computer Fraud and Abuse Act or other laws and restrictions. It is advised that anyone conducting network forensics have the required permission, granted by either the owner of the device or a decision maker who can authorize the activity.