Forensics Sources Part 1: Packet Capture (PCAP)


Digital forensics can be described as the science of identifying, extracting, and preserving computer logs, files, cookies, cache, meta-data, internet searches, and any other legally admissible evidence that could be used to solve crimes committed using internet connected infrastructure.

Although most investigations focus on computers, evidence is not limited to workstations and laptops. In recent years, forensics teams have expanded their searches to include social networks, file sharing solutions, cloud service providers, mobile devices, third party applications, and more.

Complicating matters further, some people access the internet from different devices and use multiple web browsers daily, such as Internet Explorer, Chrome, and Firefox. Therefore, forensics investigations can involve correlating multi-device URL visits, cookies, the time data was accessed, search terms, caches, and downloaded files.

This post is about packet capture (PCAP). It is part 1 of a 3 part series on data sources that could be used in a digital forensics investigation. The event types are limited to network intrusion detection, malware installation, and file deletion.

The analysis will include commentary about challenges that are common when gathering and inspecting the forensics data. Security professionals must also understand the usefulness of forensics data, so the discussion will include an analysis of how PCAPs should be prioritized during investigations.

The forensics rankings used:

  • Primary Sources = most likely to have relevant data
  • Secondary Sources = may contain relevant data
  • Tertiary Sources = may contain supporting data

Packet Capture (PCAP) Explained

Packet capture, or PCAP, is the systematic recording of data packets flowing through a capture device or devices, and is representative of the network traffic and patterns for a given time.

Forensically, PCAP can be leveraged to identify deleted or temporary files that may have been transferred during an event by a file transfer mechanism such as FTP, TFTP, or HTTP, and where evidence of the file’s existence is no longer resident on the target or source file system(s).

Additionally, PCAPs can be used in support of malware investigations and to an extent insider file deletions, although effectiveness varies for each use case.

For those entering or transitioning into the field, I recommend learning to use WIRESHARK. The website has great resources and there are tutorials all over the web.

PCAP Collection & Examination Challenges

The value of PCAP is often constrained by a number of factors, depending on the size, speed and number of networks being captured, as well as the configuration capabilities of the devices used for the PCAP collections.

Forensic investigators must understand these fundamental limitations when formulating work plans so they can adjust the focus of their searches. This approach helps avoid being overwhelmed by the sheer volume of data that may exist from environmental captures, and accounts for the possibility of having to leverage multiple captures to reconstruct an event. There are other, more functional challenges to consider, however.

Numerous PCAPs can be created from a single capture interval, depending on the amount of traffic traversing the network, which also means that numerous PCAPs may have to be investigated in order to re-create the forensically relevant evidence an investigator needs. There must be sufficient storage for the PCAP data for it to be forensically relevant.

Many capture technologies (TCPDUMP, for example) may default to summary captures (roughly the first 68 bytes of each packet) and may not contain all of the upper-layer protocol data necessary to identify file movement or complete transfers, in which case the forensic value of the capture diminishes significantly.
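Before investing analysis time in a capture, it is worth checking whether it was truncated at all. The following added example (not from the original post) parses the classic libpcap file format and compares each record's captured length with its on-the-wire length; the sample capture it builds is constructed in memory, with zero-filled frames, purely to exercise the check.

```python
import struct
from typing import Dict, List, NamedTuple, Tuple

# Classic (non-pcapng) libpcap magic as read with "<I":
PCAP_MAGIC_LE = 0xA1B2C3D4   # file written little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # file written big-endian


class PcapRecord(NamedTuple):
    ts_sec: int
    ts_usec: int
    caplen: int    # bytes actually stored in the file
    origlen: int   # bytes seen on the wire


def parse_pcap(data: bytes) -> Tuple[int, List[PcapRecord]]:
    """Return (snaplen, per-packet records) from a classic pcap file image."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    # global header: version major/minor, thiszone, sigfigs, snaplen, linktype
    _vmaj, _vmin, _tz, _sig, snaplen, _link = struct.unpack(end + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        records.append(PcapRecord(ts_sec, ts_usec, caplen, origlen))
        off += caplen
    return snaplen, records


def truncation_report(data: bytes) -> Dict[str, int]:
    """Summarise how much payload a summary capture (small snaplen) threw away."""
    snaplen, recs = parse_pcap(data)
    truncated = [r for r in recs if r.caplen < r.origlen]
    return {"snaplen": snaplen, "packets": len(recs), "truncated": len(truncated),
            "bytes_lost": sum(r.origlen - r.caplen for r in truncated)}


def build_sample_pcap(snaplen: int, wire_lengths: List[int]) -> bytes:
    """Constructed sample capture: zero-filled frames recorded at the given snaplen."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    body = b""
    for i, wire in enumerate(wire_lengths):
        cap = min(wire, snaplen)   # what a capture device would keep
        body += struct.pack("<IIII", 1_700_000_000 + i, 0, cap, wire) + b"\x00" * cap
    return hdr + body
```

A report showing a small snaplen and a large bytes_lost figure tells the investigator up front that file-transfer payloads cannot be recovered from that capture, before any protocol decoding is attempted.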

Lastly, the investigator must have a robust knowledge and understanding of the OSI model and packet analysis at each layer to effectively leverage PCAP as a forensic mechanism.

PCAP Priority in Intrusions, Malware, and File Deletion Events

Whether the impetus is merely to track malware attacks, or more robustly to gather digital evidence concerning file deletions or other network-based file transactions, PCAPs have use cases for which they are better suited than others. Therefore, some prioritization should be used when considering whether to elicit data from PCAP as part of a forensic work plan.

PCAP Priority in Network Intrusions

Using PCAP to find evidence of a network intrusion can take a number of forms, including:

  • Use cases that investigate data being aggregated in a location where it should not be (file transfers from one system to another in an irregular or unexpected pattern)
  • Evidence of data being exfiltrated from within the environment in a manner that is irregular for the type of data profiled
  • Aggregation and/or a high number of logon attempts from irregular sources

As a secondary source, PCAP is one of the more viable sources available to an investigator when looking for evidence of network intrusions, but should be used with other sources for a more complete reconstruction.

PCAP Priority in Malware Installations

Network-based communications used by malware would potentially be profiled within PCAP, and evidence of malware would manifest in indicators of compromise (IOCs) relative to the malware being investigated.

Any scanning or discovery activities, such as those associated with APTs, would generally be detectable in PCAPs, as scanning would occur in an irregular fashion from hosts where it would not be expected.

As a primary source method, PCAP is arguably one of the best ways to profile malware installation and proliferation within an environment.

PCAP Priority in Insider File Deletions

While certainly possible as a tertiary source, using PCAP in the investigation of insider file deletions may not necessarily yield forensically useful data, unless the investigator has a sufficiently narrow time window to determine when a transfer may have occurred.

Even with a robust time sequence, PCAP may only be useful for surmising that a file once existed and was subsequently moved, and because it no longer exists at its origin, must have been deleted.

Additionally, there could potentially be evidence of commands being sent over the network to a host machine deleting files, but this assumes that the file(s) were not deleted locally, which would not manifest itself within a PCAP.

Summary of Key Findings

Packet capture (PCAP) is the systematic recording of data packets flowing through capture devices that are representative of the network traffic. PCAP collection and examination challenges include storage, gaps in capture data, and broken connection paths requiring reconstruction of multiple PCAPs.

All data sources are not created equal, and security professionals must understand how to rank sources in order of importance. WIRESHARK should be on your skill set to-do list if you are entering or transitioning into the field.

This concludes Part 1 of a 4 Part Series on data sources that could be used in a digital forensics investigation.

I will cover memory in Part 2, file systems in Part 3, and logs in Part 4.
