Data Security News
Home > Products > Packet Capture > Forensic
Network Forensics and Antiforensics
Establishing facts and digital timelines
When you are the victim of a cyber-incident – network intrusion, data theft or APT – where do you start? The first step in responding to a cyber-incident is to gather the facts: what happened, how did it happen, when did it happen and who did it. A crucial element is establishing an accurate timeline of events, including the points in time when the actions took place and when any related electronic materials originated (e.g. computer files, programs, etc).
At a physical crime scene, the forensic team can interpret and date blood spatter using a variety of techniques. But how do you date a file on a computer, particularly when you know the computer has been tampered with? There are few parallels between the techniques and methods used in physical forensics and those used in computer and digital forensics. The challenge for the cyber-investigator is to reconstruct when and what happened, when the data in question is electronic and ephemeral, not physical.
Contrary to popular belief, in computer forensics it is the fragments of files that aid in establishing the date of a file, rather than the file itself. It is very easy to manufacture a fake, complete file. However, users often save computer files multiple times, creating residual file fragments. It is these fragments that best enable a forensic investigator to date the file, or at least date it relative to the intermingled fragments of other files on the hard drive. This technique, however, is labor intensive and requires expert knowledge of how different types of files are stored on different operating systems. Unfortunately, cybercriminals have developed their own anti-forensic tools to counter-act this and other techniques and it is no longer any more reliable than simply looking at the whole file. Cyber criminals now have methods to create the file fragments just as easily as creating one file, employing anti-forensic techniques to make you think you are looking at a work product created over time (see more on anti-forensics below).
Many are also of the mistaken belief that one can accurately date digital data by examining the physical surface and properties of a hard drive. Despite its extreme expense and labor-intensiveness, this technique yields results that are no more accurate than examining file fragments. At best, computer forensic dating techniques are imprecise – at worst, misleading At a physical crime scene, investigators have a toolbox of chemical analyses at their disposal, which are extremely difficult, if not impossible, to fake, giving them a degree of scientific certainty that cannot be achieved with computer forensics.
Forensic Packet Capture
It is practically impossible to reliably determine the age of bits and bytes. Data on computers and other electronic devices simply do not age in the manner of physical objects. This presents investigators with a bit of a quandary when faced with a multitude of digital data to analyze. How can you date files and electronically-created data after the fact, when you know you cannot trust the data to be original or authentic?
The only practical approach is to have an external, trusted piece of equipment that timestamps the events in your electronic world, that is, in your network, your internet connection and your electronic communications. With this external, trusted equipment (basically a forensic packet capture appliance) you take control of the digital timeline – it cannot escape you.
Packet capture appliances make a difference in computer and network forensic investigations by capturing the actual data streams and assigning each packet a timestamp. If the packet capture device is properly placed on a network, the appliance captures a timeline of events, even more so if you have multiple appliances deployed at multiple network vantage points, creating panoramic forensic surveillance for the network, each of which supports the other.
As an investigator, the absolute timestamp may not be as important as how each packet fits within a larger sequence of packets. What packet capture gives you is the actual sequence and points in time from which to build an exact timeline of events, as well as the evidence of actions: copies of any files transferred, commands sent and received, data downloaded and uploaded. All of this effectively backs up and supports any auxiliary evidence (from log files, hard drives, cache entries, deleted files and etc) that you may gather from computer hard drives, making that computer forensic evidence so much stronger and more reliable.
A forensic packet capture appliance wouldn’t reveal what someone is typing into his/her word processing document, but can yield other clues. Given that computers are connected to each other on a network, if properly positioned a packet capture appliance would capture when the computer was on, when it logged in to the network, who logged in and what information transmitted to and from that computer. Overlay that captured digital data onto the computer data and you have a way of referencing and creating a timeline of events. Going a step further, if a document is sent via email, the packet capture appliance will also have the file accurately timestamped and recorded. Considering that computers and cybercrime involve networks and digital communications in one way or another, the benefit of having a way to accurately establish the facts and timelines for cyber-incidents with a trusted device, i.e., forensic packet capture appliance, is immeasurable.
If your packet capture appliances is forensic class, the information it captures is harder to refute (or fake, for that matter). Consider this: if there is no way to authenticate a file, the value of it as evidence can be called into question. Unlike people, files have no fingerprints, digital or otherwise. No digital equivalent to fingerprints exists because electronic data can be altered and faked at any time, due its ephemeral nature. In extreme cases, the “smoking gun”, digitally speaking, could very well be an elaborate hoax or campaign of misinformation.
What makes a packet capture appliance forensic? Most importantly, the data captured by a forensic packet capture appliance can be authenticated. Second most, the data cannot be erased or altered. Other considerations include the strength of encryption used to protect the captured data as well as the digital and physical security of the appliance itself. For example, IPCopper packet capture appliances feature integrated security features such as electronically invisibility and 20,000 bit encryption. DIY and non-dedicated packet capture, though useful for some applications, do not rise to a forensic-class level. When investigating electronic theft and cybercrime, you need to have strong, verifiable forensic evidence in order to prosecute. The ability to date and authenticate digital data is crucial for any cyber-investigation.
Forensic packet capture appliances save time and improve the productivity of digital forensic investigators. With a packet capture appliance on hand, the investigators first steps are to secure copies of the clues and evidence needed to get to the bottom of a cyber-event. This would include making mirror copies of the suspected hard drives and gathering copies of server logs, caches and so on – basically whatever information you can lay your hands on that may be useful. Then you start working with the packet capture data, figuring out key points and key events in the timeline and how they relate to the other digital data from the hard drives, logs and etc. Once the barebones timeline is in place, you can start fleshing it out with other data either from the packet capture or other sources.
The Rise of Anti-forensics
In the 1990s computer forensics became a new investigative tool, relying on file fragments and the dating based on those fragments. At the time computer forensics yielded decent results, largely because the perpetrators were not familiar with the concept or techniques employed. Now that the techniques of computer forensics are well known, cybercriminals know how to thwart them. Often they just need to manufacture their own evidence to plant on the victim computers, cover their tracks and mislead investigators. A computer may contain ten file fragments that were overwritten or partially deleted – fifteen years ago an investigator could have reasonably relied on these fragments to help date the digital data on the computer. Now they have to contend with the possibility that those fragmented files were remotely copied onto the computer’s hard drive. There is no way to tell, unless you know what data streams transferred in and out of that computer… or hope that the cyber-criminals made a mistake that you can detect.
Anti-forensics is very real. Hackers are very much aware of computer forensic methods and started developing anti-forensic techniques several years ago, with the goal of misleading forensic investigations and obfuscating what actually happened. Several known programs have been in use for years and will continue to be employed as long as cybercrime continues to be a lucrative trade. Computers and networks are a permanent part of everyday life, and it is much safer to rob someone’s bank account from 10,000 miles away than to break into a business or home.
Unless you have a reliable packet capture appliance on your network the chances of prosecution are meager. With a forensic packet capture appliance on hand, however, evidence is much harder to hide and much harder to fake. To fake evidence on a packet capture appliance, the perpetrator would have to carefully manufacture it over time and in a certain sequence (due to the timestamps). This would be practically impossible to achieve on a busy network because of the multitude of elements one would need to control for. By comparison, faking and inserting a file on a computer is easy.
Here we are intentionally omitting an in-depth discussion of the computer forensic techniques used to find and support computer evidence. Though valuable, these techniques are not bulletproof when the other side employs anti-forensic methods to cover their tracks. If properly deployed, forensic packet capture appliances can and will bolster any investigation, regardless of whether anti-forensics are in play or not. Having the reliable records collected by a forensic packet capture appliance from which to create a timeline of events saves both time and resources for any investigator when examining the “scene” of any cybercrime.
IPCopper manufactures easy to install, automatic, full packet capture appliances for network forensics, cybersurveillance and network monitoring. Learn more about IPCopper's forensic-class packet capture appliance. Custom features are available for increased productivity and to fulfill specific deployment requirements. Please contact us for more information.