Digital forensic analysis

Chris Bell, WildPackets

Photo of Chris Bell Crime Scene Investigation (CSI) has a lot to answer for. The public now have a significant misconception as to how forensics works, in particular network forensics, which doesn't get as much airtime as the more physical 'fingerprint variety'. Chris Bell, European sales engineer at WildPackets, explains what digital forensics is really all about and lays some of those misconceptions to rest.

The ringing of the mobile phone heralds the news that every network security professional dreads: 'I think the network was hacked.' Suddenly you are faced with answering five questions you hoped never to encounter:

(i). Who was the intruder?
(ii). How did the intruder penetrate security?
(iii). What damage has been done?
(iv). Did the intruder leave anything such as a worm or Trojan horse behind?
(v). Did you capture sufficient data to analyze and reproduce the attack?

The classic model of network forensics requires retrieving a myriad of data elements from a multitude of sources, such as firewall logs, router logs, intrusion detection systems (IDS), server logs, hard drives and system dumps. The resulting collection must then be pieced together into a coherent picture, but more often results in an incomplete picture (Figure 1).

Thanks to countless crime-based programmes on television today the concept of forensics conjures up images of people in white overalls scouring a crime scene for evidence of wrongdoings. It is useful then to remind ourselves that the term 'forensics' simply applies to a series of logical arguments leading to a single irrefutable conclusion. The scenario above represents a worst-case.

However the use of forensics is far more widespread than that in today's digital world. Indeed network managers have become the sleuths of the here and now, applying the principles of digital forensics on a routine basis to address common network problems, from application performance issues to policy compliance and network security investigations.

Unlike physical forensics, the digital world is a highly dynamic one. Data packets, the source of all digital forensics, often disappear once they have traversed a network and have been processed. As such, digital forensics presents a unique set of challenges that need to be tackled.

These can be categorized as data capture, data discovery and data analysis. All too often, manufacturers and suppliers take a piecemeal approach to forensics, targeting a single issue within each product. We believe that the industry needs a single, integrated solution.

Digital forensic analysis draws upon the capabilities of existing network analyzers to capture, analyze and reconstruct the packet stream on demand. As these types of products are already designed to capture packets and provide detailed analysis of a wide variety of data, they are ideally suited for this additional function. This examination of the individual packet streams and their component packets allows reconstruction of the sequence of events during a particular timeframe.

When integrated with the new generation of high-performance, linerate capture appliances, containing large amounts of disk storage (multi-terabyte), the resulting capture files allow the network security professional to reconstruct the security event and to analyze in depth down to the individual bit if necessary.

This resulting analysis can be used not only to answer each of the five forensics questions (above), but it can be further utilized to identify all of the affected nodes within the network and even used as a basis for updating the existing IDS.

As currently implemented, digital forensic analysis builds upon more traditional network analysis in several significant aspects. While most network analysis is concerned more with gathering and analyzing statistics, such as network utilization, top talkers, protocol distribution etc., digital forensics focuses on the detailed behaviour of certain networks or nodes, often within a specific time period.

The sequence of events for using this kind of analysis can be summarized in the following six steps (derived from the classic six-step troubleshooting methodology):

(i). select;
(ii). locate;
(iii). analyze;
(iv). reconstruct;
(v). construct;
(vi). summarize.

Step 1

Selecting the relevant nodes, conversations and/or packet streams is the critical first step that requires the network engineer to first evaluate network behaviour and determine the possible scope of the security event. Any suspected abnormalities, in either network or node performance, are noted for further evaluation. During this step initial theories regarding the event in question should be formulated.

Step 2

Locating and determining the relevant trace files involves determining the approximate time of the security event in question and retrieving them from the storage location. Storage locations could be as simple as the current packet capture buffer, current online network data recorders or as complex as retrieving from an offline storage area network (SAN).

Step 3

Analysis of the selected trace files focuses upon identifying and selecting the key nodes, packet streams and conversations for detailed analysis. This can be accomplished using a number of tools, many often built into the network analyzer.

Detailed analysis may be conducted in several ways, including through packetby-packet inspection. This method, while providing the most detailed results, requires a great deal of expertise in packet level analysis and is also very time-consuming. An alternative to this is to utilize visual analysis and evaluation of the trace file that relies upon visual analysis capabilities.

Evaluation of the resulting packets requires detailed study of many features contained within the packets including packet headers, media access control (MAC) and network layer addresses, transmission control protocol (TCP)/internet protocol (IP) option fields and examination of ASCII payload contents, if present. Critical information is typically found within the ASCII payload portion of the packets as many network protocols still carry their payload data in this format.

Step 4

Reconstruction and detailed evaluation of the event is closely related to the previous step and can be accomplished using a variety of methodologies. The most effective way to perform this is by using visual payload reconstruction techniques that provide reassembly of individual packet payloads into a single, coherent display for examination.

Step 5

Construction and testing of specific packet filters, network integrated defence systems (IDS) alarms and/or capture triggers is crucial. This activity identifies the source of the event, as well as other affected nodes and networks, for evaluation and corrective action. Further, the results of this testing can be used to modify and update network security such as firewalls and IDS devices.

Step 6

Summarizing and reporting findings are two of the most overlooked aspects of forensics analysis. These elements often form the basis for future legal actions, typically provide an in-depth, postmortem evaluation of network security, and are used to further test and implement security solutions.


In spite of the seeming simplicity of a six-step approach, we are not looking at a 'one-size fits all' system. Companies of all shapes and sizes, for whom security is a priority, can have very different needs. To offer each one the same solution would be foolish. That's why the solution has to be available in a number of incarnations to meet the specific requirements of each company and to integrate seamlessly with their existing systems.

For instance digital forensic analysis is not only useful in determining the damage due to a successful attack from outside the network. Recent legislation, such as Sarbanes-Oxley in the US and its European counterpart Basel2, may be paving the way for techniques, used to monitor the traffic generated from within a protected environment, to become much more widely implemented.

Given that it is possible to reconstruct emails, instant messenger conversations, visited websites and even Voice over IP (VoIP) conversations, the applications of digital forensics are extremely numerous, especially when such legislation is so very loosely worded and therefore open to broad interpretation in a court of law.

Statistics show that the recent introduction of chip and PIN technology for authorization of credit card transactions may have had the effect of moving fraudsters from the high street and onto the internet.

It is worth remembering that once a cardholder claims that a transaction is fraudulent, the payment process stops and the retailers are left out of pocket. So what steps can online retailers take to prove that transactions are valid? Well, by capturing and storing all of the network packets going to and from servers, it is at least possible to prove to the banks which transactions were valid and which were in fact fraudulent.

Indeed the information captured during fraudulent transactions can be used to bring offenders to trial and secure convictions. Where 'bricks-and-mortar' retailers can rely on CCTV to identify theft, online retailers now have similar technology at their disposal.

It seems highly probable that the demand for digital forensics will continue to grow at a powerful rate over the years to come and it is hoped that the security industry can keep up with the demands made upon it. A failure to do so could be disastrous.

For further information please visit