SANS Digital Forensics and Incident Response Blog

Network Forensics On A Shoestring Budget Pt 1

By John Sawyer

Ever had that case where so many more questions could have been answered if you had recordings of network traffic to backup your other evidence? Yeah, me, too. Network forensics can be a really valuable tool but commercial solutions don't come cheap. In this post and its followup, I'll be discussing how you can do network forensics in-house with little to no cost.

First off, what is network forensics? It is essentially an extension of computer forensics where network traffic is analyzed to backup answers or answer questions that couldn't be answered by traditional disk-based forensics. Their are two main approaches: capture all data on the network and capturing just network flow data. Both approaches are valuable with the former providing the best evidence because all traffic is recorded and deep packet analysis can be performed to determine what really happened. Files can be extracted, exploits replayed and much more.

The network flow data approach tends to focus more on behaviors of hosts on the network and detection of anomalies by looking only at flow data and not packet contents. Looking at network flow data is like looking at the phone bill of a suspect. You can see his number called other numbers, when and how long they talked, but you know nothing about the conversation or who was doing the actual talking. While it can seem extremely limiting, network flow data can be extremely valuable. For example, I've been able to determine how a machine was compromised using flow data combined with the Windows Registry and antivirus logs, so don't discount it yet.

Network forensics often seems out of grasp for those of us with meager budgets due to security not being a company priority or simply the suffering economy. We're stuck with dreams of what we could do with network forensic solutions and left knowing that a couple hundred thousand dollars isn't going to drop from the sky to make that a reality. I know those dreams quite well and often look for ways to accomplish them on a minimal budget. In this blog, I will cover some methods of using open source and free tools to help bring some semblance of those network forensic dreams to fruition for only the cost of commodity hardware.

My focus will be on capturing all network traffic, analyzing the captured traffic and the respective tools to do it cheaply and effectively. Please realize that this solution is not enough to solve all forensic investigations, and there is no centralized point and click dashboard. It is merely a piece of the puzzle that must be coupled with things like intrusion detection systems, host-based forensics, memory analysis, log collection and analysis, interviews and more. With that out of the way, let's get started.

  1. Placement - What is it you want to monitor? That's going to be an internal question that may be debated back and forth a bit. For some, monitoring just the traffic passing into and out of the network from the Internet Gateway will be enough. Other groups may want to monitor and record everything including traffic within user workstation VLANs and traffic internal to just the datacenter. Here's some of the more common monitoring scenarios that I see deployed.
    • Internet Gateway Monitoring
    • Internet Gateway Monitoring

    • Data Center Ingress/Egress Monitoring
    • Data Center Monitoring

    • Pure Paranoia...Monitoring Everything
    • Monitoring Everywhere

  2. Hardware - This is going to depend on a few things. How much traffic? Speed of links? If you're dealing with a lot of data, then you may need to invest in fast SATA/SAS drives to handle writing the packets to disk. Hard drive space is cheap these days so load up your system-the more space, the longer you can search backwards when performing an investigation. If you're really trying to go down the path of least cost, just use some old hardware you have laying around as your capture devices.
  3. Operating System - About half of the tools I'll be discussing in my next post are cross-platform, so you can use just about any OS you want; however, whatever you use, make the install as minimal as possible and turn off ALL unnecessary services/processes. Personally, when designing a system like this, I lean towards Linux, FreeBSD or OpenBSD, with my preference being a streamlined install of Ubuntu Server. Again, whatever you choose, it needs to be be doing only one thing and that is capturing traffic so keep that in mind when making your choice.

In Part 2, I'll discuss and provide examples of how to use network capture software, network forensic software to analyze the recorded traffic and how to narrow your search when presented with a lot of data.

John Sawyer, GCFA #0257 also currently holds the GCIH #631, GCFW #413 and CISSP certifications. He is a Senior Security Engineer on the University of Florida IT Security Team and specializes in intrusion detection, incident response, digital forensics, vulnerability assessment and penetration testing.