Collecting Network Evidence

The traditional focus of digital forensics has been on locating evidence on the suspect host's hard drive. Law enforcement officers investigating criminal activity such as fraud or child exploitation can often find the evidence required for prosecution on a single hard drive. In the realm of incident response, though, it is critical that the focus goes far beyond a single suspected compromised system. For example, a wealth of information can be obtained from network hardware and software, as well as from the flow of traffic between a compromised host and an external Command and Control (C2) server.

This chapter focuses on the preparation, identification, and collection of evidence that is commonly found on network devices and along traffic routes within an internal network. This collection is critical during incidents where an external threat source is in the process of commanding internal systems or exfiltrating data from the network. Network-based evidence is also useful when examining host evidence, as it provides a second source of event corroboration, which is extremely valuable in determining the root cause of an incident.

We will cover the following topics in this chapter:

  • An overview of network evidence
  • Firewalls and proxy logs
  • NetFlow
  • tcpdump packet capture
  • Wireshark packet capture
  • Evidence collection
