Remote Data Acquisitions
Posted on May 12, 2010
Remote forensics is a growing specialty within the overall field of digital forensics, and it differs from conventional hard drive forensics in a few ways you should know about. For the purposes of this post we will treat the terms “network forensics” and “remote forensics” as interchangeable. Depending on the context, “remote forensic acquisition” is also used as a catch-all term for creating a hard drive image over the network; that is a separate topic, which we will discuss in another post.
Network forensics does not rely on the physical contents of the hard drive; instead it analyzes the network traffic the machine exchanges with other hosts. Tools for acquiring that traffic range from simple open-source utilities to complex enterprise-level products that handle both acquisition and analysis. On the simple end, tcpdump does the actual packet capture, and the swiss-army knife netcat, which does not capture packets itself, is the usual way to pipe a capture (or a drive image) from one host to another. For a forensic examiner, I recommend basic familiarity with netcat, Wireshark and nmap, and optionally Nessus (for vulnerability checks) and Kismet (for wireless networks).
The above tools let you capture and analyze packets efficiently, so that the examiner can determine which packets are being sent to which computers. Obviously, if a company suspects an employee of visiting nefarious websites or sending confidential data over the internet, it cannot simply ask the employee to capture their own packets! Instead, with the appropriate authorization, place a network tap (or a mirror/SPAN port on the switch) between the suspect’s machine and its path to the internet, so that all of its traffic can be monitored. A passive tap copies everything that passes through it; the filtering is done by the capture tool attached to it, which can either record all traffic or keep only certain types (HTTP requests, for example) or certain ports (a capture filter of tcp port 25 or tcp port 80, say). Write the capture to a pcap file and hash it as soon as the acquisition ends, exactly as you would a disk image, so that its integrity can be demonstrated later.
Wireshark is one of my favorite tools for analyzing captured packets (saved in a capture file, commonly called a pcap). There are quite a few Wireshark tutorials online, and I recommend working through a few of them to get a feel for how best to use Wireshark, especially its powerful display filters and expressions. One of my favorite views: click a packet you wish to examine and, under the Analyze menu, choose “Follow TCP Stream”. Wireshark then reassembles the payloads of that connection and displays the back-and-forth communication between client and server in order, which is far easier to read than the individual packets.
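To make the two operations above concrete, here is an added example (not code from the original post, and not how Wireshark or tcpdump implement them) that reads a classic libpcap file with only the Python standard library, applies the equivalent of a “tcp port 25 or tcp port 80” filter, and then reproduces what “Follow TCP Stream” shows: the payloads of one connection, ordered by sequence number, with a retransmitted segment dropped. The capture it reads is constructed in memory from hypothetical addresses (192.168.1.10, 203.0.113.5, 203.0.113.25, 203.0.113.9) and a made-up HTTP exchange, so it runs offline; IP and TCP checksums are left at zero and are not verified.

```python
import struct
from collections import namedtuple

# One decoded TCP segment: endpoints, sequence number, flags and payload.
Segment = namedtuple("Segment", "src sport dst dport seq flags payload")


def _ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def _bytes_to_ip(b):
    return ".".join(str(o) for o in b)


def make_tcp_frame(src, sport, dst, dport, seq, payload, flags=0x18):
    """Build a raw Ethernet/IPv4/TCP frame for the constructed capture.
    Checksums are left zero; the parser below does not verify them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     _ip_to_bytes(src), _ip_to_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, linktype=1):
    """Serialize frames as a little-endian libpcap file (magic 0xa1b2c3d4, Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1273622400 + i, 0, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Decode one Ethernet frame; return a Segment for IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[14 + 9] != 6:                                 # IP protocol 6 = TCP
        return None
    src, dst = _bytes_to_ip(frame[26:30]), _bytes_to_ip(frame[30:34])
    t = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, t)
    data_off = (frame[t + 12] >> 4) * 4
    payload = frame[t + data_off:14 + total_len]           # stop at IP length, not frame end
    return Segment(src, sport, dst, dport, seq, frame[t + 13], payload)


def parse_pcap(data):
    """Walk a libpcap file in either byte order and yield decoded TCP segments."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        seg = decode_frame(data[off:off + incl_len])
        off += incl_len
        if seg is not None:
            yield seg


def filter_by_port(segments, ports):
    """Offline equivalent of the capture filter 'tcp port 25 or tcp port 80'."""
    ports = set(ports)
    return [s for s in segments if s.sport in ports or s.dport in ports]


def _reassemble(segments):
    """Concatenate payloads in sequence order, dropping retransmitted bytes.
    Gaps (lost segments) are simply skipped; sequence wraparound is not handled."""
    out, expected = bytearray(), None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is not None and seq < expected:       # retransmission / overlap
            payload, seq = payload[expected - seq:], expected
        if payload:
            out += payload
            expected = seq + len(payload)
    return bytes(out)


def follow_tcp_stream(segments, client, server):
    """Return (client->server bytes, server->client bytes) for one connection,
    the same two directions Wireshark's Follow TCP Stream displays."""
    c2s = [(s.seq, s.payload) for s in segments
           if (s.src, s.sport) == client and (s.dst, s.dport) == server]
    s2c = [(s.seq, s.payload) for s in segments
           if (s.src, s.sport) == server and (s.dst, s.dport) == client]
    return _reassemble(c2s), _reassemble(s2c)


# Constructed sample data (hypothetical addresses and a made-up exchange).
CLIENT, SERVER, MAILHOST = ("192.168.1.10", 40000), ("203.0.113.5", 80), ("203.0.113.25", 25)
REQUEST = b"GET /secret.txt HTTP/1.1\r\nHost: files.example\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nconfidential"


def sample_capture():
    """One HTTP exchange split across segments (with one retransmission),
    plus an unrelated SMTP banner and a TLS ClientHello fragment."""
    c, s, m = CLIENT, SERVER, MAILHOST
    frames = [
        make_tcp_frame(*c, *s, 1000, REQUEST[:16]),
        make_tcp_frame(*c, *s, 1000, REQUEST[:16]),          # retransmitted segment
        make_tcp_frame(*c, *s, 1016, REQUEST[16:]),
        make_tcp_frame(*s, *c, 5000, RESPONSE[:20]),
        make_tcp_frame(*m, *c, 7000, b"220 mail.example ESMTP\r\n"),
        make_tcp_frame(*s, *c, 5020, RESPONSE[20:]),
        make_tcp_frame(c[0], 40001, "203.0.113.9", 443, 9000, b"\x16\x03\x01"),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    segs = list(parse_pcap(sample_capture()))
    print(len(filter_by_port(segs, {25, 80})), "segments on ports 25/80")
    req, resp = follow_tcp_stream(segs, CLIENT, SERVER)
    print(req.decode(), resp.decode(), sep="\n")
```

The retransmission case is the one worth noticing: a naive concatenation of payloads in capture order would show the first 16 bytes of the request twice, whereas ordering by sequence number and trimming overlap gives the same clean transcript Wireshark presents. On a real capture, swap `sample_capture()` for the bytes of your pcap file; pcapng captures, VLAN-tagged frames and non-Ethernet link types are out of scope for this parser and will raise or be skipped.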
I’m skimping on the details for now, but I’ll be reviewing some of my favorite tools and techniques from the list above in upcoming posts. I’m also working on a few tutorial-style videos to accompany them, so have patience, and thanks for reading!