Forensic Packet Analysis
By Tim Dillman, Security Consultant • CISSP, CHP
Securely Enabling Business
Corporate Headquarters 1710 Walnut St. Kansas City, MO 64108 • 888.732.9406
ID# 11WP0005 Last Modified 11.03.2011
© 2011 FishNet Security. All rights reserved.
Copyright
The information transmitted in this document is intended only for the addressee and may contain confidential
and/or privileged material. Any interception, review, retransmission, dissemination or other use of or taking of
any action upon this information by persons or entities other than the intended recipient is prohibited by law
and may subject them to criminal or civil liability.
Proprietary and Confidential Information shall include, but not be limited to, performance, sales, financial,
contractual and special marketing information, ideas, technical data and concepts originated by the disclosing
party, its subsidiaries and/or affiliates, not previously published or otherwise disclosed to the general public,
not previously available without restriction to the receiving party or others, nor normally furnished to others
without compensation, and which the disclosing party desires to protect against unrestricted disclosure or
competitive use, and which is furnished pursuant to this document and appropriately identified as being proprietary when furnished.
Copyright © 2011 FishNet Security, Inc. All rights reserved. The FishNet Security logo is a registered trademark
of FishNet Security. All other products and company names mentioned herein are trademarks or registered
trademarks of their respective owners.
Version Control
Practice area: Incident Response
Document Issue Number: 1.0 (Final)
Document Creator: Tim Dillman
Approved By: Benjamin Stephan
Data Classification: Public
Table of Contents
Preface
  Overview
The Tools
  Capsa version 7
  OmniPeek 6.6
  NetworkMiner 1.0
  NetWitness Investigator 9.5
Conclusion
  Summary
  FishNet Security’s Recommendations
Preface
In April 1965, Dr. Gordon E. Moore published a landmark article in Electronics magazine entitled
“Cramming More Components onto Integrated Circuits.” The observation it contains, since known as
Moore’s Law, is that the number of components that can be placed on an integrated circuit grows
exponentially, roughly doubling every one to two years. Forty-six years later, that forward-looking
prediction continues to bear on everything from data processing and transmission speeds to storage
form factors and circuit board density.
Those same guiding principles hold true for a secondary discipline, packet analysis. Packet analysis
was born from the need to monitor and troubleshoot the ever-increasing volume of information
transmitted across the world’s networks, and it has since evolved from the early protocol analyzers
to the modern packet analysis tools reviewed here.
The focus of this paper is not to provide a history lesson on electronics. However, when evaluating packet
analysis tools, it’s important to understand where the state-of-the-art has been if we’re to have any hope
of understanding where it is going. It is also important to note that although the packet analysis market is
quite vast, this paper is focused on forensic packet analysis tools, i.e., tools which can be used for solving a
broad range of business security issues.
Businesses competing in today’s economy understand that Information Assurance is a necessary cost
of doing business. Protecting the confidentiality, integrity and availability of intellectual property can
be the difference between success and failure. This is why having the ability to quickly and effectively
detect, contain and eradicate network-based threats is of paramount importance. With that in mind, this
comparison has been assembled.
Overview
In this section, the author will look at four different tools that can be used for forensic packet analysis,
acknowledging, of course, that this is an abbreviation of a much longer list. This list was created with the
following constraints:
• Is the tool software based?
• Is the tool Windows OS-compatible?
• Is the tool free to use or at least try?
• Does the tool contain features that can be used in a forensic investigation?
From these criteria, the following tools were selected for this review:
• Capsa (Colasoft)
• OmniPeek (WildPackets)
• NetworkMiner 1.0 (Netresec)
• NetWitness Investigator 9 (NetWitness)
The Tools
Capsa version 7
Capsa is easy to install, intuitive to learn, and offers a clean and colorful display out of the box. Its basic
premise is capturing traffic and categorizing it with parsers for analysis. Upon installation, the Investigator
can start looking for ARP attacks, port scans, worm traffic, DoS attacks and attack targets. Other features
include being able to identify lower than normal time to live (TTL) packet expiration values, slow DNS
response times, SYN floods and malformed ARP packets. All of these features are easy to configure and
almost all results can be drilled down on for timeline, conversation and hex level detail.
The Investigator can import IP network addresses to monitor or simply use the program’s built-in ability to
discover and organize those subnetworks that are visible. Filters for over 140 common protocol types, the
ability to add your own custom protocol, and the ability to filter out network chatter are all handy features.
The tool also offers a library of instructional videos that explain how to set up specific use cases, such as
capturing IM conversations, identifying bandwidth top talkers and creating customized alarms.
Reporting is not included with the free version. Remediation is by suggestion, with a brief description of
the attack type and a possible reason and resolution. Ideally there would be a more automated form of
fixing the issue, but identification is still the crucial first step in Incident Response. Overall, Capsa can be
a useful tool during the chaos of a network attack by providing solid actionable intelligence in a clear and
concise manner.
Dashboard view of Capsa
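To make the detections above concrete, here is an added example (not code from this paper or from Colasoft's Capsa) that reads a libpcap file and applies three of the checks the review credits Capsa with: a port scan (one source SYN-probing many ports on one host), a SYN flood (a host receiving many SYNs but almost no handshake-completing ACKs) and abnormally low TTL values. The traffic is constructed inline, checksums are left zero because nothing is transmitted, and the thresholds (20 ports, 50 SYNs, TTL below 16) are illustrative assumptions, not Capsa's.

```python
"""Added example, not code from the FishNet paper or from Colasoft's Capsa.
A minimal libpcap reader plus three detections the paper credits Capsa with
(port scan, SYN flood, abnormally low TTL), run over constructed traffic.
Thresholds are illustrative assumptions, not Capsa's."""
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10
PCAP_MAGIC = 0xA1B2C3D4


def _ip(a):
    return bytes(int(x) for x in a.split("."))


def frame(src, dst, sport, dport, flags, ttl=64):
    """Ethernet + IPv4 + TCP header, no payload. Checksums are zero because
    this is constructed parser input, not something to put on the wire."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def pcap_file(frames):
    """Wrap frames in a classic little-endian libpcap file (linktype 1)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield (ttl, src, dst, dport, tcp_flags) for every IPv4/TCP frame."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    pos = 24  # skip the global header
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        f = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (f[14] & 0x0F) * 4
        if len(f) < 14 + ihl + 14:
            continue
        src = ".".join(map(str, f[26:30]))
        dst = ".".join(map(str, f[30:34]))
        dport = struct.unpack("!H", f[14 + ihl + 2:14 + ihl + 4])[0]
        yield f[22], src, dst, dport, f[14 + ihl + 13]


def analyze(data, scan_ports=20, flood_syns=50, min_ttl=16):
    """Port scan: one source SYNs many distinct ports on one host.
    SYN flood: a host receives many SYNs but almost no ACK-only packets
    (attackers never answer the SYN-ACK, so the backlog fills).
    Low TTL: a packet arrives with fewer hops left than any normal path."""
    ports = defaultdict(set)
    syns, acks = defaultdict(int), defaultdict(int)
    low_ttl = set()
    for ttl, src, dst, dport, flags in read_pcap(data):
        if flags & SYN and not flags & ACK:
            ports[(src, dst)].add(dport)
            syns[dst] += 1
        elif flags & ACK and not flags & SYN:
            acks[dst] += 1
        if ttl < min_ttl:
            low_ttl.add(src)
    return {
        "port_scan": sorted(p for p, s in ports.items() if len(s) >= scan_ports),
        "syn_flood": sorted(h for h, n in syns.items()
                            if n >= flood_syns and acks[h] < n * 0.1),
        "low_ttl": sorted(low_ttl),
    }


def sample_capture():
    """Constructed traffic: three clean handshakes, a 25-port SYN scan,
    a 100-packet spoofed SYN flood, and one packet arriving with TTL 3."""
    frames = []
    for _ in range(3):  # normal sessions
        frames += [frame("10.0.0.5", "10.0.0.10", 40000, 443, SYN),
                   frame("10.0.0.10", "10.0.0.5", 443, 40000, SYN | ACK),
                   frame("10.0.0.5", "10.0.0.10", 40000, 443, ACK)]
    for port in range(1, 26):  # SYN scan
        frames.append(frame("10.0.0.99", "10.0.0.10", 50000, port, SYN))
    for i in range(100):  # spoofed flood, no ACKs ever follow
        frames.append(frame(f"192.0.2.{i + 1}", "10.0.0.20", 1024 + i, 80, SYN))
    frames.append(frame("10.0.0.7", "10.0.0.10", 41000, 22, SYN, ttl=3))
    return pcap_file(frames)


if __name__ == "__main__":
    for finding, hits in analyze(sample_capture()).items():
        print(f"{finding}: {hits}")
```

Point `read_pcap` at the bytes of a real capture to run the same checks on live data; the scan and flood thresholds should be tuned to the network, since a busy load balancer can legitimately receive far more than 50 SYNs in a short capture.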
OmniPeek 6.6
OmniPeek is easy to set up and use, which can be of added value when a crisis situation strikes. It took the
author just a couple of minutes to install the program and start capturing traffic after switching from the
default dialup adapter setting. Unfortunately, reporting and remediation are not part of the tool, leaving
these two critical steps to the creativity of the Investigator.
The dashboard is clean, easy to understand and provides usable information right out of the box. Based on
the context of the scenario (threat vectors, critical network traffic types, critical assets), the Investigator
can switch to the Voice & Video, Apdex or general Compass dashboard view for different types of specific,
drillable data. Additional views are easily accessible from the Dashboards list on the left side of the
program, and they are very intuitive.
Packet level view under the Capture category provides excellent communications details, including VLAN,
packet type and name resolution, all of which are click-drillable for deeper analysis. This functionality helps
an Investigator visualize the topology during an investigation. Other options available include wireless and
SSL decryption, as well as WAN trace conversion of Frame Relay, PPP, and X.25. These options can assist an
Investigator with identifying potential attack vectors outside the traditional Internet to internal LAN.
Similar to the Windows nomenclature, an Investigator has the ability to categorize network generated
event messages. Each event type has customizable alarm triggers based on the conditional values. For
example, the Wireless Encryption Disabled alarm can be set to notify the Investigator with an Informational
message if the condition is detected more than once over the period of one second. This can be a real time
saver when looking for a specific type of event occurrence.
Dashboard view of OmniPeek
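The alarm semantics described above ("notify if the condition is detected more than once over one second") are a sliding-window threshold. The following is an added example, not WildPackets/OmniPeek code, of how such an alarm behaves: it counts occurrences inside a trailing window and adds a cool-down so that a sustained condition raises one alarm rather than one per packet. The alarm name, the default severity and the event timestamps are constructed for the example.

```python
"""Added example, not WildPackets/OmniPeek code. A sliding-window alarm of
the kind the paper describes (fire when a condition is seen more than once
within one second), with a cool-down so a sustained condition raises one
alarm, not one per packet. Timestamps fed to run() are constructed."""
from collections import deque


class WindowAlarm:
    def __init__(self, name, threshold=2, window=1.0, cooldown=5.0,
                 severity="Informational"):
        self.name = name
        self.threshold = threshold      # occurrences needed inside the window
        self.window = window            # trailing window length in seconds
        self.cooldown = cooldown        # minimum seconds between two alarms
        self.severity = severity
        self._times = deque()           # timestamps still inside the window
        self._last_fired = None

    def observe(self, ts):
        """Record one occurrence at time ts (seconds). Return an alarm dict
        when the count inside the trailing window reaches the threshold and
        the cool-down has elapsed, otherwise None."""
        self._times.append(ts)
        while self._times and ts - self._times[0] > self.window:
            self._times.popleft()       # drop occurrences that aged out
        in_cooldown = (self._last_fired is not None
                       and ts - self._last_fired < self.cooldown)
        if len(self._times) >= self.threshold and not in_cooldown:
            self._last_fired = ts
            return {"alarm": self.name, "severity": self.severity,
                    "at": ts, "count": len(self._times)}
        return None


def run(events, **kw):
    """Feed a sorted list of detection timestamps through one alarm and
    return the alarms it raised (constructed alarm name)."""
    alarm = WindowAlarm("Wireless Encryption Disabled", **kw)
    return [a for a in (alarm.observe(t) for t in events) if a]


if __name__ == "__main__":
    # Two bursts: one at ~3 s, one at ~20 s; the isolated event at 0 s is ignored.
    for a in run([0.0, 3.0, 3.4, 3.9, 4.2, 20.0, 20.5]):
        print(a)
```

With the defaults, the second occurrence inside any one-second window fires the alarm; events 3.9 and 4.2 fall within the cool-down and are absorbed into the already-raised alarm rather than producing two more.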
NetworkMiner 1.0
First released in 2007, NetworkMiner is described as a network forensic analysis tool (NFAT) for use in a
wide variety of scenarios. Setup and use are quick and straightforward. Several minutes after downloading
the program, the author was capturing and viewing traffic using the default setup options. Traffic capture
and parsing is the basic premise of the tool, but the option to capture using raw sockets (capturing at
the operating system socket layer without a separate packet capture driver) is unique. Unfortunately,
NetworkMiner will need to be installed on a Windows server box to reap the benefits of raw sockets.
The dashboard groups traffic by host instead of traffic type, allowing the Investigator to profile each device
during an incident. When a capture is closed, the software automatically creates an MD5 hash of the pcap
file, a function that strengthens admissibility if the incident goes to court. A practitioner should record a
SHA-256 digest alongside it, since MD5 collisions are practical and an MD5 value alone can be challenged.
Remediation is not part of the free or paid version, but several other features can be unlocked with the full
version (around $680). Full version features include Port Independent Protocol Identification (PIPI), export of
results to Excel, GeoIP localization, host coloring support, command line scripting and improved PCAP parsing
speed, according to the program’s creator, Netresec.
Overall, this is a good tool for complete packet capture when running it from a server. However, the lack
of remediation and reporting causes NetworkMiner to fall short of being a comprehensive forensic packet
analysis tool.
Dashboard view of NetworkMiner
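The evidence-hashing step mentioned above is worth doing explicitly regardless of tool. The following is an added example, not NetworkMiner's code: it streams a capture file through MD5 and SHA-256, writes a small chain-of-custody manifest next to it, and later verifies that every recorded digest still matches. MD5 is kept only because other tools still expect it; SHA-256 is the digest that actually carries the integrity claim. The pcap bytes, the manifest filename convention and the examiner label are constructed for the example.

```python
"""Added example, not NetworkMiner's code. Hash a capture when it is closed,
record the digests in a custody manifest, and verify the file later.
MD5 is recorded for interoperability only; SHA-256 carries the integrity
claim, since MD5 collisions are practical."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha256")


def digest_file(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so captures larger than RAM hash fine."""
    hashes = {a: hashlib.new(a) for a in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashes.items()}


def write_manifest(pcap_path, examiner, manifest_path=None):
    """Write <capture>.manifest.json (assumed convention) and return its path
    and the record it contains."""
    manifest_path = manifest_path or pcap_path + ".manifest.json"
    record = {
        "file": os.path.basename(pcap_path),
        "size": os.path.getsize(pcap_path),
        "hashed_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "digests": digest_file(pcap_path),
    }
    with open(manifest_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return manifest_path, record


def verify(pcap_path, manifest_path):
    """Return (ok, mismatches). Every recorded digest must match; a single
    changed byte anywhere in the capture flips all of them."""
    with open(manifest_path) as fh:
        record = json.load(fh)
    now = digest_file(pcap_path)
    bad = [a for a, d in record["digests"].items() if now.get(a) != d]
    if os.path.getsize(pcap_path) != record["size"]:
        bad.append("size")
    return (not bad, bad)


def demo():
    """Constructed capture (a libpcap global header plus zero padding):
    verify it intact, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        pcap = os.path.join(d, "incident.pcap")
        header = bytes.fromhex("d4c3b2a1020004000000000000000000ffff000001000000")
        with open(pcap, "wb") as fh:
            fh.write(header + b"\x00" * 60)
        manifest, _ = write_manifest(pcap, "analyst-1")
        intact = verify(pcap, manifest)
        with open(pcap, "r+b") as fh:  # tamper with a single byte
            fh.seek(30)
            fh.write(b"\x01")
        tampered = verify(pcap, manifest)
        return intact, tampered


if __name__ == "__main__":
    print(demo())
```

Store the manifest somewhere the capture host cannot modify it (a write-once evidence share or a signed ticket entry), otherwise an attacker who can alter the pcap can simply regenerate the manifest.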
NetWitness Investigator 9.5
NetWitness Investigator is a robust forensic packet analysis program that supports a full gamut of incident
response requirements. Each type of data captured can be analyzed through the collection navigation
window (shown below) or by any of the individual categories. Clicking on a category or category element
reorders all collected information based on the report view option selected. This on-the-fly reporting
of information gives the investigator 15 different ways to view 13 different categories of information in
seconds. Highlighting a specific span of time in the traffic graphic provides a focused view of activity like
the “6 sessions” shown below.
Captured data is organized into collections, which can be saved, reloaded or even added to later. A collection
allows an investigator to capture, save and analyze a traffic flow, take corrective action and then add
additional packet capture to the original collection for comparative analysis. Another powerful viewing
option is hex level analysis of each packet in a given session. This helps an investigator identify who is
talking to whom and what they are talking about. Also, SSL sessions can be automatically decrypted by
mapping NetWitness to the appropriate RSA key folder. Note that this requires the server’s private key and
an RSA key exchange; sessions negotiated with ephemeral Diffie-Hellman cannot be decrypted from the
private key alone.
Email, Web, IM and audio files can each be replayed or reconstructed with the click of a button, and the
captured PCAP file can be saved and opened in Wireshark with another click. To filter out
noise, the Investigator can write custom traffic rules to keep, filter or truncate traffic by type. This can be
very valuable when the malicious traffic type is known.
On its own, NetWitness Investigator is very close to being a complete solution to network-based incident
response. One need not look far to build a comprehensive incident response framework. Although beyond
the scope of this paper, NetWitness offers a suite of solutions to address in-depth reporting, remediation
and interoperability with other tools.
Session-level view of NetWitness
Conclusion
Summary
In general, each tool provides a good amount of actionable intelligence, but no single tool can be
considered a one-stop shop. A good investigator will be armed with a variety of tools for obtaining an
accurate assessment of the situation and providing an appropriate response.
Feature comparison. Features compared, in the order of the original table:
SSL Decryption | Wireless Capture | Hex Viewer | Remediation | Reporting | Send Packets | Custom Capture Filter | PCAP Replay | Configure Alerts | Name Resolution | Data Export | Raw Sockets

Features checked per tool (out of 12): Capsa 8, OmniPeek 9, NetworkMiner 7, NetWitness 9.
Capsa, OmniPeek and NetWitness each carry a single "-" cell and NetworkMiner none, consistent with the
review’s note that raw-socket capture is unique to NetworkMiner.
FishNet Security’s Recommendations
While each of the tools reviewed has unique benefits, NetWitness Investigator appears to be the most
complete solution. Having the ability to arrange and sort information in real time can be worth its weight in
gold during an incident response situation.
Throughout this paper, advantages and variations between tools have been discussed. An overall winner
has not been declared, since the goal of this paper is to expose the reader to current technological
capabilities of forensic packet analysis. Be mindful that this research is a snapshot in time and should
supplement, not replace, the reader’s own research.
About FishNet Security
FishNet Security is the No. 1 provider of information security solutions that combine technology, services,
support and training. Since 1996, the company has enabled clients to manage risk, meet compliance
requirements and reduce costs while maximizing security effectiveness and operational efficiency. FishNet
Security is committed to information security excellence and has a track record of delivering quality solutions
to over 5,000 clients nationwide. For more information about FishNet Security, visit www.fishnetsecurity.com,
www.facebook.com/fishnetsecurity and www.twitter.com/fishnetsecurity.