Network connectivity is no longer an exotic or even complicated computing requirement. To the contrary, it is far more common that software or hardware relies on connectivity in some form for its basic functionality in this interconnected landscape. The explosion of network connectivity has also generated a corresponding increase in the use of that same connectivity for malicious purposes. While defensive and preventative measures have helped to thwart countless attacks, the need for post-incident response and security analysis expertise will always exist.

The fundamental tenets of an investigation remain consistent regardless of the domain being examined. Network forensics provides even greater evidence collection potential, but introduces some unique challenges that an investigator must understand and address to provide meaningful findings.

Ephemeral Events, but Diversified Evidence
Perhaps one of the most obvious shortfalls associated with traditional network evidence collection methods is that when dealing with a network capture, there is no “later opportunity” to acquire the packets. Each packet lives for a mere fraction of a second before vanishing forever. Missing that tiny window means the record of that evidence’s existence might be lost forever.

However, there are potentially dozens of devices that process or observe every single packet during its short lifetime. Each of these devices has its own logging capabilities, formats, retention periods, and level of insight to each networked conversation. This broadens the landscape upon which useful evidence can reside, but diversifies the corresponding means of collection, storage, formatting, and analyzing that evidence.

Of course, having more evidence is better than having less. In this instance, effective evidence management is an important skill to possess. The best network forensicators will be thoroughly knowledgeable of the potential devices from which they would want to collect and examine that evidence.

Establishing an Analysis-Capable Environment
It would be ideal if incident responders could engineer investigative priorities into every network environment before deployment. Unfortunately, it is far more likely that one must augment an existing environment with incident response functions that will make investigations both less complicated and more comprehensive. In some cases, an incident responder is tasked to an environment in which no investigative priorities were ever considered—let alone implemented.

If the incident responder has appropriate network forensic training, he or she can work with network operations personnel to identify how existing capabilities might be augmented to better support investigative priorities. This might be as simple as enabling or increasing the log configurations on existing systems such as NetFlow/IPFIX collectors, routers, firewalls, log aggregators/SIEMs, or intrusion detection systems. In a particularly unprepared environment, these solutions may need to be deployed during the investigation. While modifying the victim’s environment generally goes against the traditional forensic mindset, it is often paramount for proper network evidence collection.

In either case, the network forensicator must identify the types of evidence that would benefit them during an incident response, then seek to establish an analysis-capable environment as soon as possible. Since many incidents are not even discovered until months or years after they start, long-term collection and archival is often the difference between an effective remediation and an environment that remains compromised or vulnerable long after the incident is “closed”.

Learn Methods Rather than Just Tools
As the field of network forensics continues to thrive and mature, the number and scope of available tools that address this unique domain must scale to meet the demand. To be certain, the only way investigators will be able to provide high quality results will be to learn these tools and understand their particular strengths and weaknesses. This knowledge will emerge from direct experience with each tool, but also from vendors’ tool-oriented training, as they seek to maximize the value to their customers.

Fundamentally, analysts should seek a vendor-neutral forensic training foundation, as they must be able to cross-check any findings with alternate methods. Such parallel validation is the hallmark of forensic science, so analysts should avoid reliance on any single tool in their processes.
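As an added illustration of that parallel validation (not code from the article or from SANS), the script below reconciles flow records from two independent devices that observed the same traffic: a NetFlow-style export and a firewall connection log. Both inputs are constructed samples in hypothetical formats, and the 10% byte tolerance is an assumed threshold; the point is that a finding is only "corroborated" when a second, independently collected source agrees with it.

```python
import csv
import re
from collections import defaultdict

# Constructed NetFlow-style export (hypothetical CSV layout, not a real collector's format)
NETFLOW_CSV = """src,dst,dport,proto,bytes
10.0.0.5,203.0.113.10,443,tcp,52000
10.0.0.5,203.0.113.10,443,tcp,1800
10.0.0.7,198.51.100.22,22,tcp,9400
10.0.0.9,203.0.113.44,53,udp,120
"""

# Constructed firewall connection log (hypothetical syslog-style format)
FIREWALL_LOG = """\
Mar 05 10:02:11 fw01 conn: ACCEPT tcp 10.0.0.5:51422 -> 203.0.113.10:443 bytes=53500
Mar 05 10:03:40 fw01 conn: ACCEPT tcp 10.0.0.7:40112 -> 198.51.100.22:22 bytes=4100
Mar 05 10:04:02 fw01 conn: DENY tcp 10.0.0.12:55000 -> 192.0.2.9:445 bytes=0
"""

FW_RE = re.compile(r"(ACCEPT|DENY) (\w+) ([\d.]+):\d+ -> ([\d.]+):(\d+) bytes=(\d+)")


def flows_from_netflow(text):
    """Aggregate flow rows into {(src, dst, dport, proto): total_bytes}."""
    totals = defaultdict(int)
    for row in csv.DictReader(text.splitlines()):
        totals[(row["src"], row["dst"], int(row["dport"]), row["proto"])] += int(row["bytes"])
    return dict(totals)


def flows_from_firewall(text):
    """Parse ACCEPTed connections into the same key space; DENY lines carried no data."""
    totals = defaultdict(int)
    for m in filter(None, map(FW_RE.search, text.splitlines())):
        action, proto, src, dst, dport, nbytes = m.groups()
        if action == "ACCEPT":
            totals[(src, dst, int(dport), proto)] += int(nbytes)
    return dict(totals)


def cross_check(netflow, firewall, tolerance=0.10):
    """Classify every flow: corroborated by both sources, seen by one only, or byte mismatch."""
    report = {"corroborated": [], "netflow_only": [], "firewall_only": [], "mismatch": []}
    for key in sorted(set(netflow) | set(firewall)):
        if key not in firewall:
            report["netflow_only"].append(key)
        elif key not in netflow:
            report["firewall_only"].append(key)
        else:
            a, b = netflow[key], firewall[key]
            # Small byte differences are expected (sampling, header accounting); large ones need explaining
            bucket = "corroborated" if abs(a - b) <= tolerance * max(a, b) else "mismatch"
            report[bucket].append(key)
    return report
```

A flow that appears in only one source, or with wildly different byte counts, is not necessarily wrong, but it is a finding the analyst must explain (sampling, asymmetric routing, a device the traffic never traversed) before relying on it.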

The investigator that relies strictly on tool-specific training will also be at a competitive disadvantage. Those that obtain a broader background using the “how to think” approach to learning network forensics and analysis will be easily identified among their peers. By understanding how to use all manner of available tools to reach their findings, this group will be much better prepared to incorporate new attack and defensive technologies and analytic methods into their procedures.

Furthermore, in a dynamic environment with dedicated and wily adversaries, even basic attackers will quickly learn to identify, evade, or neutralize the so-called “push-button forensic” solutions. The evolution back toward network-based computing currently underway clearly establishes network forensics and analysis as a vital capability in the incident response process.

Phil Hagen is a computer forensic and information security consultant with Lewes Technology Consulting, LLC. He is also an instructor for the SANS Institute and author of SANS FOR572: Advanced Network Forensics and Analysis. Phil has worked in the information security field for over 14 years, supporting federal and commercial customers in their computer and network forensic cases.

Want to learn more? Phil will be presenting Advanced Network Forensics and Analysis at DFIRCON 2014 in Monterey, CA March 5–10, 2014. For more information visit: