【6-6】 Network Forensics

# 【6-6】 Network Forensics *Investigating Attacks Through Network Traffic* --- ## Introduction Not all attacks leave clear traces on a single system. Many attacks unfold across networks, moving between hosts, services, and external infrastructure. **Network forensics** focuses on collecting and analyzing network traffic to understand attacker behavior, data movement, and command-and-control activity. This discipline is essential for detecting lateral movement, data exfiltration, and external communications. --- ## What Is Network Forensics? **Network forensics** is the process of: - Capturing network traffic - Analyzing packet-level data - Identifying malicious communications - Reconstructing attack timelines across systems Unlike host-based forensics, network forensics provides a **system-wide perspective**. --- ## Why Network Forensics Matters Attackers often: - Communicate with external servers - Move laterally between systems - Exfiltrate data over the network - Use encrypted channels to hide activity Network analysis can reveal activity invisible to endpoint logs. --- ## Sources of Network Evidence | Source | Information Provided | |------|----------------------| | Packet captures (PCAP) | Full packet-level detail | | NetFlow data | Traffic metadata | | Firewall logs | Allowed and blocked connections | | IDS/IPS alerts | Detected attack signatures | | Proxy logs | Web access activity | Combining sources increases visibility. --- ## Packet Capture ### What Is a PCAP? A **PCAP** file contains captured network packets, including headers and payloads. PCAPs allow investigators to: - Inspect protocols - Reconstruct sessions - Identify malicious payloads --- ### Capturing Network Traffic Common tools: - tcpdump - Wireshark Example: ```bash tcpdump -i eth0 -w capture.pcap ``` Packet capture should be performed carefully to avoid data loss. --- ## Analyzing Network Traffic ### Protocol Analysis Investigators examine protocols such as: - HTTP and HTTPS - DNS - SMTP - FTP - SMB Unusual protocol usage can indicate malicious behavior. --- ### Session Reconstruction Rebuilding conversations helps identify: - Command-and-control traffic - Data exfiltration - Credential transmission Wireshark allows session reconstruction visually. --- ## Indicators of Malicious Network Activity Common indicators include: - Connections to suspicious IPs or domains - Unusual outbound traffic volume - Beaconing patterns - Use of uncommon ports - Encoded or obfuscated payloads Context is essential to avoid false positives. --- ## Encrypted Traffic Challenges Encryption limits visibility into payloads. Investigators rely on: - Traffic patterns - Metadata analysis - Certificate inspection - Timing and frequency analysis Encrypted does not mean invisible. --- ## Network Timeline Reconstruction Network data helps determine: - When connections occurred - Duration of sessions - Sequence of events across hosts Correlating network timelines with host logs strengthens conclusions. --- ## Tools Used in Network Forensics | Tool | Purpose | |----|---------| | Wireshark | Interactive packet analysis | | tcpdump | Command-line capture | | Zeek | Network security monitoring | | Suricata | Intrusion detection | | NetFlow analyzers | Traffic flow analysis | Tool choice depends on scale and environment. --- ## Ethical and Privacy Considerations Network data may contain: - Credentials - Personal communications - Sensitive business data Investigators must: - Follow scope limitations - Protect captured data - Apply least-privilege access Privacy applies during investigations. --- ## Practical Exercise ### Network Analysis Practice In a lab environment: 1. Capture network traffic 2. Identify protocol usage 3. Detect suspicious patterns 4. Correlate with host logs Focus on reasoning and interpretation. --- ## Common Mistakes - Ignoring encrypted traffic - Relying on single data sources - Overlooking internal traffic - Failing to document findings Network forensics requires broad perspective. --- ## Reflection 1. Why is network forensics essential for detecting lateral movement? 2. How can attackers hide in encrypted traffic? 3. Why is correlation with host data critical? --- ## Summary - Network forensics analyzes traffic and communications - PCAPs provide packet-level visibility - Encrypted traffic still reveals patterns - Correlation improves accuracy - Network analysis uncovers system-wide attacks > In the next section, you will explore **【6-7】 Malware Analysis Basics**, focusing on understanding malicious code behavior.