SANS Digital Forensics and Incident Response Blog

Acquisition is Dead, Long Live Acquisition

SANS Sec558 - Network Forensics Flag

Vive Sec558!

Sign up to take Sec558: Network Forensics at SANSFIRE!

By Jonathan Ham

Ahh, Acquisition. What a breeze, huh? We just dd (or dcfldd) the drive, store it all away with MD5 sums in a locker somewhere, and breeze through our work. Sometimes I wonder why they actually pay us for such trivialities!

And then reality hits:

The investigator found the attacker system, and unplugged it and brought it here...But it the drive was encrypted with a key we don't know. Doh!

-or-

Umm? what system was that? Where was it? Did that hard drive get repurposed? Doh!

-or-

The source of the attack is gone, once connected to some WAP or another, never to be seen again. Doh!

And then I wake up in a cold sweat.

I'm a packet geek. I've spent almost my entire career digging through the packets. Looking at how data moves, understanding the protocols that shuttle it around. And the most critical cases that I've seen (and solved) hinged on the ability to correlate filesystem data with network data.

Much of the time I feel like an interloper in the realm of hard drive forensics, crunching data off of primary or secondary storage. Don't get me wrong- I've done my time in the trenches doing timeline analysis and data recovery, and spent countless hours in depositions too. It's just that FAT16, NTFS, and EXT seem, well, less elegant than TCP/IP. And often hard drives are not the most fruitful place to look. Let me explain?

Modern data forensic investigations, as we perform them today, tend to focus on hard drive analysis. This is analogous to putting the body on the cold table and cutting it apart.

With network forensics, you get to see how the body went from stranding, to tilting, to gurgling, to on the ground. You can replay packets that were sent from the attacker to the victim systems. You can carve exploits out of packet captures. Network-based forensics routinely aggregates multiple sources of evidence to present a multidimensional picture of the event.

A hard drive is just a small part of the picture. More often than not, the attacker entered commands into the victim system over the network. Even if the attacker is smart enough to clean up tracks on the victim systm, remnants remain in firewall logs, web proxy caches, and other sources.

Filesystem forensics is like conducting an autopsy on the victim. Network forensics is like following the attacker's footprints and analyzing evidence from the whole environment, not just the body itself.

If you're interested in this perspective, and gaining the skills to leverage all of the non-filesystem evidence, take a look at our new course: Sec558 Network Forensics!

Jonathan Ham is an independent security consultant and a SANS Certified Instructor, who teaches forensics and other tracks. When he goes to sleep at night, he counts packets as they leap through firewalls.