# Network Forensics

Packet analysis, network evidence, traffic reconstruction, and forensic investigation.

## Overview

Network forensics is the capture, recording and analysis of network traffic in order to investigate network-based incidents: what was sent, by whom, to where, and when.
## Forensic Process
1. Capture → Record network traffic
2. Filter → Isolate relevant packets
3. Reconstruct → Rebuild sessions
4. Analyze → Identify malicious activity
5. Report → Document findings
## Capture Techniques

```bash
# Full packet capture: stop after 1,000,000 packets
tcpdump -i eth0 -w capture.pcap -c 1000000

# Filter at capture time by protocol/port (BPF filter)
tcpdump -i eth0 -w http.pcap port 80

# Ring buffer for continuous capture: rotate at 100 MB, keep the 10 most recent files
tcpdump -i eth0 -w capture.pcap -C 100 -W 10
```
## Wireshark Analysis
```text
# Display filters
http.request.method == "POST"                      # form submissions and uploads
dns.qry.name contains "malware"                    # DNS queries matching a string
tcp.flags.syn == 1 and tcp.flags.ack == 0          # connection attempts (SYN only), e.g. scanning
frame contains "password"                          # cleartext credential hunting
```
## Session Reconstruction
```python
# Reconstruct TCP streams
from scapy.all import IP, TCP, rdpcap

def reconstruct_stream(packets):
    """Group packets into bidirectional TCP streams.

    Both directions of a connection map to the same key, so a request and
    its reply land in the same list, in capture order.
    """
    streams = {}
    for pkt in packets:
        if IP in pkt and TCP in pkt:  # skip non-IPv4 and non-TCP frames
            endpoints = sorted([(pkt[IP].src, pkt[TCP].sport),
                                (pkt[IP].dst, pkt[TCP].dport)])
            streams.setdefault(tuple(endpoints), []).append(pkt)
    return streams

# Usage: streams = reconstruct_stream(rdpcap("capture.pcap"))
```
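Wireshark and scapy hide what a PCAP file actually contains. The following is an added example (not code from the original page) that reads the classic pcap format directly in pure Python, groups frames into bidirectional TCP streams as the reconstruction snippet does, and counts SYN-without-ACK frames per source, which is the same condition as the `tcp.flags.syn == 1 and tcp.flags.ack == 0` display filter. The capture bytes, addresses and ports are constructed inline for the demonstration.

```python
import struct
from collections import defaultdict
def parse_pcap(data):
    """Yield (ts_sec, frame) records from classic pcap bytes, honouring the magic's byte order."""
    magic, = struct.unpack_from("<I", data, 0)  # KeyError on the next line means: not a classic pcap
    endian = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}[magic]
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, _frac, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len
def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IPv4 IHL (32-bit words)
    if len(frame) < tcp + 14:
        return None
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    return (src, dst) + struct.unpack_from("!HH", frame, tcp) + (frame[tcp + 13],)
def group_streams(data):
    """Bidirectional TCP streams: both directions of a connection share one sorted-endpoint key."""
    streams = defaultdict(list)
    for ts, frame in parse_pcap(data):
        hdr = parse_tcp(frame)
        if hdr:
            src, dst, sport, dport, flags = hdr
            streams[tuple(sorted([(src, sport), (dst, dport)]))].append((ts, src, flags))
    return dict(streams)
def syn_only_sources(streams):
    """Per-source count of SYN frames with ACK clear (what the Wireshark SYN-only filter shows)."""
    counts = defaultdict(int)
    for _ts, src, flags in (p for pkts in streams.values() for p in pkts):
        if flags & 0x02 and not flags & 0x10:
            counts[src] += 1
    return dict(counts)
def build_frame(src, dst, sport, dport, flags):
    """Constructed sample Ethernet/IPv4/TCP frame; checksums are left zero, which parsing ignores."""
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0, 0, 64, 6, 0) + b"".join(bytes(map(int, a.split("."))) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

# Constructed capture: one completed handshake from 10.0.0.5, three unanswered SYNs from 10.0.0.7.
SPEC = [("10.0.0.5", "10.0.0.9", 40000, 80, 0x02), ("10.0.0.9", "10.0.0.5", 80, 40000, 0x12),
        ("10.0.0.5", "10.0.0.9", 40000, 80, 0x10), ("10.0.0.7", "10.0.0.9", 5001, 22, 0x02),
        ("10.0.0.7", "10.0.0.9", 5002, 23, 0x02), ("10.0.0.7", "10.0.0.9", 5003, 445, 0x02)]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    for i, f in enumerate(build_frame(*s) for s in SPEC))
```

Running `syn_only_sources(group_streams(SAMPLE_PCAP))` yields one SYN for 10.0.0.5 (a normal handshake) against three for 10.0.0.7 with no replies, the pattern an analyst would triage as a probe; replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` to run it over a real capture.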
## Evidence Types
| Type | Description |
|---|---|
| PCAP files | Full packet capture |
| NetFlow | Connection metadata |
| Firewall logs | Traffic decisions |
| DNS logs | Domain queries |
| Proxy logs | Web activity |
## Analysis Tools
| Tool | Purpose |
|---|---|
| Wireshark | Packet analysis |
| NetworkMiner | Network forensics |
| Zeek | Network monitoring |
| Moloch (now named Arkime) | Packet search |
| Arkime | Full packet capture |
## Practice
Analyze a PCAP file to identify malicious network activity.