Network and Internet Forensics

15-09-2022

Introduction

In the Network and Internet Forensics module, we built upon the concepts of digital forensics from the previous year and gained practical experience in extracting, analyzing, and preserving network and internet-related forensic evidence. The key areas of focus included browser forensics, network packet capture, email analysis, and integrity checking. We also simulated the chain of custody for forensic evidence, ensuring that it remained untampered and securely handled throughout the investigation process.

Key Concepts Covered:

  • Browser Forensics: In this section, we explored how to extract forensic evidence from browsers like Chrome, Opera, and Firefox. This involved analyzing browser history, cookies, and cache files to uncover evidence of user activity. Understanding browser artifacts is crucial for investigating online behavior and uncovering potentially hidden evidence.

  • Network Packet Capture Using Wireshark: Wireshark is a powerful tool for capturing and analyzing network packets. We used Wireshark to intercept and inspect network traffic, looking for suspicious activity or data leakage. By analyzing packet captures, we could reconstruct network communications, identify security breaches, and gather evidence for cybercrime investigations.

  • Powershell & Windows Event Logs: We continued our work with Powershell and Windows Event Logs to analyze system activity and recover logs that could provide insights into a system's behavior. This included identifying unusual login attempts, application errors, and security events that could indicate a security breach or attack.

  • Contemporaneous Notes: Throughout the module, we emphasized the importance of taking accurate contemporaneous notes during forensic investigations. These notes help maintain a clear record of the actions taken, evidence collected, and the chain of custody, ensuring that the integrity of the evidence is preserved.

  • Windows Registry & Hives: We continued exploring Windows Registry and hives, focusing on how they can store valuable forensic evidence, including system configurations, installed software, and user activity. By analyzing registry files, we could uncover traces of applications and processes that may have been used during a cyber attack or incident.

  • Mock Forensic Case: The module also involved a mock forensic case, where we applied our knowledge and skills to investigate a simulated cyber incident. This hands-on exercise helped us understand the entire forensic process, from evidence collection to analysis and reporting, while simulating real-world conditions and challenges.

  • Email Analysis: We examined how to analyze email data for forensic evidence, such as tracing the origin of emails, identifying attachments, and recovering deleted messages. Email analysis is crucial for investigating phishing attacks, email-based malware, and social engineering tactics.

  • Integrity Checking: A key aspect of this module was learning about integrity checking in forensic investigations. We used checksums and hashing algorithms to ensure that evidence collected during the investigation remained unaltered. This is essential for maintaining the credibility of the evidence in court.

Key Tools Used:

  • Winhex: Winhex is a hexadecimal editor used to view and edit files at the byte level. We used this tool to examine files and disk images for hidden data or metadata that might not be visible in standard file viewers. It was particularly useful for recovering deleted or fragmented data.

  • Dcode: Dcode is a tool that converts data into human-readable timestamps. This was helpful in decoding time-based data from logs, emails, or packet captures, providing context to the forensic evidence and allowing us to reconstruct timelines of events.

  • FTK Imager: FTK Imager is a tool used to create disk images of forensic evidence. It allowed us to create bit-for-bit copies of storage devices for analysis while ensuring the original data remained intact. FTK Imager also enabled us to preview files and analyze disk structures before conducting in-depth forensic analysis.

  • FTK Registry: This tool was used to examine Windows registry files. It helped us explore the registry's data structure and identify information related to programs, files, and operating system configurations. Analyzing registry files was crucial for uncovering evidence related to system activity and software installations.

  • Oracle VirtualBox: Oracle VirtualBox is a Type 2 hypervisor that allowed us to set up virtual machines for testing forensic tools and techniques in a controlled environment. By installing forensic software on these virtual machines, we could safely examine potentially harmful data without risking the host system.

  • HashCalc: HashCalc is a tool used to calculate hash values for files and data. By generating hash values for collected evidence, we ensured its integrity and verified that it had not been altered during the investigation process.

  • Autopsy: Autopsy is an all-purpose digital forensics tool used to analyze disk images, recover deleted files, and search for hidden evidence. It was essential for examining file systems and extracting data from storage devices in our investigations.

  • AccessData Registry Viewer: This tool allowed us to examine Windows Registry files to identify system settings, installed applications, and user activity. It was vital for uncovering evidence of system configuration changes and other forensic details.

  • DB Browser for SQL Lite: DB Browser for SQL Lite was used to analyze application data stored in SQLite databases, such as browser history or chat logs. It allowed us to extract useful information from SQLite-based applications for forensic analysis.

  • Wireshark: Wireshark is a network protocol analyzer used to capture and analyze network traffic. We used Wireshark to capture packets from live network traffic and inspect them for signs of malicious activity or data leakage, making it an essential tool for network forensics.

  • Kali Linux: Kali Linux is a Linux distribution that comes preloaded with a wide range of security and forensic tools. We used Kali Linux to run various penetration testing and forensic tools, providing us with a versatile platform for conducting network and internet forensics.

Key Learning and Practical Insights:

  • Forensic Evidence from Browsers: Learning how to analyze browser data for forensic evidence was a critical skill. Browsers store a wealth of data, such as browsing history, cookies, and cache files, all of which can reveal significant information about user activity.

  • Network Packet Analysis with Wireshark: Capturing and analyzing network packets with Wireshark was a highlight of this module. It gave us the ability to intercept and inspect network traffic, which is invaluable for uncovering hidden communications, data exfiltration, or attack activities.

  • Email Analysis: Analyzing email data is essential for tracing cyber incidents, especially when dealing with phishing or malware distribution. This module taught us how to analyze email headers, attachments, and content to track the origin of attacks.

  • Preserving Evidence with Hashing and Checksums: The importance of preserving the integrity of forensic evidence cannot be overstated. Learning how to use checksums and hashing algorithms to verify that evidence has not been tampered with was crucial for ensuring the validity of our findings.

  • Chain of Custody Simulation: The hands-on experience of simulating the chain of custody was invaluable. We learned how to maintain a detailed record of every step in the forensic process to ensure that evidence could be used in legal proceedings without being compromised.

Conclusion

The Network and Internet Forensics module gave me the opportunity to dive deeper into the world of digital forensics, specifically focusing on internet and network-related evidence. By using tools like Wireshark, Autopsy, and FTK Imager, I gained practical experience in capturing and analyzing network packets, extracting browser and email data, and ensuring the integrity of forensic evidence.

This module not only strengthened my forensic analysis skills but also emphasized the importance of maintaining a meticulous record of evidence collection, from ensuring data integrity to properly handling the chain of custody. The knowledge and skills acquired will be crucial for pursuing careers in digital forensics, cybersecurity, and incident response.

Sources:

  • None