Network forensics

In August 2021, an IT giant Accenture confirmed that LockBit ransomware operators stole data from its systems during an attack that impacted the company’s network. Accenture’s network was reportedly hacked by the LockBit ransomware team, which claimed to have taken six terabytes of data released against a ransom of $50 million.
Source – Hackernews.com

An unknown marketing services supplier is responsible for the compromise of 3.3 million Volkswagen and Audi customers and prospects in Canada and the United States due to insecure data. In March, an unauthorized entity gained access to the sensitive data, which was collected between 2014 and 2019. The information ranged from the type and model of vehicles purchased or enquired about to a smaller number of leaked Social Security numbers, tax IDs, loan numbers, and driver’s license numbers. The data that was stolen appears to be up for sale in a cybercrime marketplace. With the help of the data stolen one can create accounts, receive benefits, obtain identification documents, and even work in the victim’s name if they have the victim’s full name, street address, date of birth, and SSN number. Theft of a driver’s license number is less serious, but it’s typically enough to start an identity theft operation.

So according to the above mentioned example it is clear that every organization, large or small, has sensitive data to safeguard, such as corporate information, personal information about customers, or private files that should not be shared publicly or leaked. As a result, security monitoring should be incorporated into the operations of the vast majority of businesses. Modern attacks are highly targeted, and attackers spend a significant amount of time trying to evade detection. In most circumstances, data leakage does not result in an alarm because it occurs in small amounts and is done in an encrypted manner. These features make it far more difficult for forensic investigators to detect and respond to attacks, necessitating the use of advanced technologies and skilled investigators.
Network Forensics‘ is one of the most significant components of security monitoring for detecting threats. Network forensics provides a high level of visibility into the traffic passing through the company. This allows detectives to search the network and dive deep into details.
Majority of people work from home due to COVID – 19 , this has raised the importance of network security. The office system has been deployed across multiple locations as a single large network. Similarly, there is no centrally controlled system in place to protect network devices from being hacked. As a result, hackers have more opportunities to attack. As firms switched to new processes and technologies, companies focused on three actions throughout the crisis: analyzing and eliminating hot spots, reinforcing incremental digital gains and correcting and mopping up operations. Here’s an example of how companies have built their cyber infrastructure to support remote work.
A large financial-services company was able to support its remote workforce swiftly by distributing Wyse thin-client terminals to all call-center staff for secure remote connections. Performing VPN split tunnelling as well as improving firewall infrastructure fixed some initial bandwidth and performance difficulties. By updating all of its AnyConnect remote servers, the corporation also enabled remote patching to all end-user devices.

Setting up a network security system for an organization is more complicated than simply installing an antivirus programme on your own computer. If you don’t have a good network forensics and security plan in place, your network can be vulnerable to assaults no matter how big your company is. For that there are many network forensic analysis tools available to safeguard your network. Network Forensic Analysis Tools enable network investigators to examine networks and acquire data on malicious activity. Dumpcap, tcpdump, and Xplico are useful network tools for general use. On the other hand, tools such as Intrusion Detection (snort), Match Regular Expression (ngrep), and Print Network (ntop, tstat, tcpstat) can be used for specific tasks. These technologies are used for a variety of tasks, including traffic capture and analysis, network performance evaluation, anomaly detection, network protocol determination, security investigation and incident response, and intellectual property protection. A sophisticated tool like the ‘Network Miner,’ on the other hand, can assist an agency or organization in overcoming hurdles and using network forensic techniques.

NETWORK MINER

“NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
NetworkMiner makes it easy to perform advanced Network Traffic Analysis (NTA) by providing extracted artifacts in an intuitive user interface. The way data is presented not only makes the analysis simpler, it also saves valuable time for the analyst or forensic investigator.
NetworkMiner has, since the first release in 2007, become a popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world”.
NetworkMiner also comes as a professional version.

NetworkMiner also comes as a professional version.

NetworkMiner (free edition)NetworkMiner Professional
Live SniffingYESYES
Parse PCAP filesYESYES
Parse PcapNG filesYES
Parse ETL filesYESYES
Network Packet Carver IPv6YES
Extract files from FTP, TFTP, HTTP, HTTP/2, SMB, SMB2, SMTP, POP3, IMAP and LPR trafficYESYES
Extract X.509 certificates from SSL encrypted traffic like HTTPS, SMTPS, IMAPS, POP3S, FTPS etc.YESYES
Decapsulation of GRE, 802,1Q, PPPoE, VXLAN, OpenFlow, SOCKS, MPLS, EoMPLS and ERSPANYESYES
Receive Pcap-over-IPYESYES
Runs in Windows and LinuxYESYES
OS Fingerprinting (*)YESYES
JA3 and JA3S hash extractionYESYES
Audio extraction and playback of VoIP callsYES
OSINT lookups of file hashes, IP addresses, domain names and URLsYES
Port Independent Protocol Identification (PIPI)YES
User Defined Port-to-Protocol Mappings (decode as)YES
Export to CSV/Excel/XML/CASE/JSON-LDYES
Configure file output directoryYES
Configurable time zone (UTC, local or custom)YES
Geo IP localization (**)YES
DNS Whitelisting (***)YES
Advanced OS fingerprintingYES
Web browser tracing (4:10 into this video)YES
Online ad and tracker detectionYES
Host coloring supportYES
Command line scripting supportYES (through NetworkMinerCLI)
PriceFree$ 1200 USD

 

Leave a Reply

Your email address will not be published.