Introduction to Network Forensics

Introduction to Network Forensics
FINAL VERSION 1.1, AUGUST 2019
www.enisa.europa.eu
European Union Agency For Cybersecurity

Introduction to Network Forensics FINAL | Version 1.1 | August 2019

About ENISA

The European Union Agency for Cybersecurity (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe's citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe's critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu.

Contact

For queries in relation to this paper, please use: [email protected]
PGP Key ID: 31E777EC 66B6052A
PGP Key Fingerprint: AAE2 1577 19C4 B3BE EDF7 0669 31E7 77EC 66B6 052A
For media enquiries about this paper, please use: [email protected].

Legal notice

Notice must be taken that this publication represents the views and interpretations of ENISA, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of-the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication.

Copyright Notice

© European Union Agency for Cybersecurity (ENISA), 2018
Reproduction is authorised provided the source is acknowledged.
ISBN: 978-92-9204-288-2, DOI: 10.2824/995110

Table of Contents

About ENISA ... 3
Executive Summary ... 9
1. Introduction to Network Forensics ... 10
    Relation to other fields of digital forensics ... 11
    Computer forensics ... 12
    Memory forensics ... 12
    Mobile forensics ... 12
    Different types of network-based evidence ... 13
    Full content data ... 13
    Session data ... 14
    Alert data ... 14
    Statistical data ... 15
    Relation to intrusion detection/prevention systems ... 15
    Difference between forensic investigation and intrusion detection ... 16
    IDS alerts as a starting point of a forensic investigation ... 16
    Collecting network-based evidence ... 17
    Acquiring traffic in cables ... 17
    Acquiring traffic in radio networks ... 22
    Short introduction to some well-known tools ... 23
    Packet capturing tools: tcpdump, dumpcap ... 24
    A simple pattern matching engine: ngrep ... 24
    A flow capture & analysis tool: Argus ... 25
    Network intrusion detection system example: Snort ... 26
    The full-scale analysis tool: Wireshark ... 26
2. Logging and Monitoring ... 29
    Useful sources for analysis ... 29
    Host-based sources ... 29
    Network-based sources ... 35
    Prerequisites to enable suitable network forensics ... 40
    Monitoring policy ... 40
    Monitoring targets ... 41
    Additional data sources ... 41
    Timeline analysis ... 42
    Aggregation and correlation of different sources, normalisation of data ... 44
    Address normalisation ... 45
    Name resolution ... 46
    Time normalisation ... 46
    Collecting and storing traffic data ... 47
    Collecting agents ... 47
    Storage ... 48
    Data transfer ... 49
    Legal basics ... 50
    Obligations ... 51
    Constraints ... 52
3. Detection ... 53
    Distinguishing regular traffic from suspicious/malicious traffic ... 53
    Baselining of normal traffic ... 53
    Filtering of network traffic ... 57
    Building signatures ... 58
    Detecting intrusions ... 58
    Detecting enumeration ... 58
    Detecting lateral movement ... 59
    Detecting data exfiltration ... 60
    Using threat intelligence ... 60
4. Analysis (data interpretation) ... 63
    Overview ... 63
    The value and importance of Network forensics ... 64
    Where can one find Network forensics? ... 65
    Logging and monitoring ... 65
    Combining the pieces ... 66
    What is the purpose of data visualisation? ... 67
    Chain of Custody ... 68
    What is Chain of Custody? ... 68
    Why is a careful Chain of Custody so important? ... 68
    Integrity ... 69
    Traceability ... 70
    Practical issues ... 71
    Legal value ... 72
    Example of a Chain of Custody form ... 72
    From data to information ... 73
    Introduction to data capture files ... 73
    Data Analysis Tools ... 74
    Command line tools ... 81
    Encryption and making the best of an encrypted capture ... 84
    CIA triad, Privacy and Anonymity ... 84
    Networks ... 86
    Encryption ... 89
    IPsec ... 91
    VPN ... 93
    Wireless ... 95
    Network Forensics and Encryption ... 96
    Tool sources ... 99
    Further reading ... 99
5. Use Cases ... 100
    ICS/SCADA environment ... 100
    Summary ... 100
    Summary Table ... 102
    Introduction to the exercise and overview ... 103
    Task 1: Setting up the monitoring environment ... 103
    Task 2: Baselining of regular traffic ... 107
    Task 3: Initial attack detection ... 116
    Task 4: Second attack stage analysis ... 120
    Task 5: Analysing the attack on the PLCs ... 127
    Summary of the exercise ... 137
    Tools used in this use-case ... 138
    Evaluation metrics ... 138
    Further reading ... 138
    Detecting exfiltration on a large finance corporation environment ... 139
    Summary ... 139
    Summary Table ... 139
    Introduction to the training ... 140
    Introduction – proxy server ... 141
    Setup ... 142
    Network Traffic Analysis ... 151
    Detecting data exfiltration over DNS ... 171
    Log analysis summary/recommendations ... 182
    Tools used ... 183
    Evaluation metrics ... 183
    Analysis of an airport third-party VPN connection compromise ... 184
    PART 1: Summary ... 184
    PART 2: Summary table ... 184
    PART 3: Introduction to the exercise and tools overview ... 185
    PART 4: The Examination ... 200
    Summary of the exercise ... 214
    Conclusions / Recommendations ... 215
    Tools repository ... 215
    Evaluation metrics ... 215
6. Glossary ... 216
7. References ... 217

Executive Summary

This material contains an update to the existing ENISA Collection of CERT exercises, specifically focusing on the trainings labelled under "Network Forensics" on the ENISA CSIRT training webpages (1). The revised training materials are based on good practices, and include all needed methodologies, tools and procedures. The updated scenarios also include content that is in line with current technologies and methodologies. The training includes performance indicators and means that support those who use it in increasing their operational competence. It is made available in a ready-to-use version. The duration of the training is 3 full working days (or approximately 24 hours). The training consists of an extensive introduction (sections 1–4) and three exercises (section 5). The exercises are targeted mainly towards the national, governmental and other types of CSIRTs who are focused on enhancing their skills, effectiveness, quality of service and cooperation with other teams and stakeholders.

(1) https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/technical-operational

1. Introduction to Network Forensics

This chapter establishes a basic understanding of network forensics and proceeds with how it relates to other forensic fields, most importantly host-based forensics, memory forensics, and mobile forensics. Section 1.2 introduces the different levels of traffic capture and data retention and how they can be used. Section 1.3 deals with the relation of network forensics to intrusion detection, while the process of capturing network evidence from different media (cable, wireless) is covered in section 1.4. The chapter closes with a brief introduction of common tools used in network forensics. The presentation of the material is at the discretion of the trainer. If the trainees have enough knowledge about the basics, some or all of this material can be skipped.

The word forensics comes from the Latin words forensis and scientia, meaning "on the forum" and "knowledge". In ancient Rome, criminal proceedings were held in public at the market place (forum). Forensic science hence refers to the process of applying scientific methods to criminal and civil proceedings. Correspondingly, a forensic scientist collects, preserves, and analyses scientific evidence during an investigation. They may also testify as expert witnesses in courts. Over time, the technical aspects of forensic investigations have evolved into sub-fields relating to the special conditions of the evidence involved, like toxicology, fingerprint analysis, etc., with digital forensics being the branch of forensic science encompassing the recovery and investigation of material found in digital devices.

From Jones et al. (2013, see also ENISA 2013a): "There are five main principles that draw up a basis for all dealings with electronic evidence. These principles were adopted as part of European Union and the Council of Europe project to develop a 'seizure of e-evidence' guide. As stated before, while laws regarding admissibility of evidence differ between countries, using these principles is considered appropriate, as they are common internationally".

Data integrity:
