Network Traffic

Created: 28.07.2022

Most devices keep some sort of logs. For network-related issues the relevant sources are switches, routers, firewalls, IDS and IPS, web proxies, DC and authentication servers, DHCP servers and application servers.

SIEMs are log aggregators. When configured correctly, all logs and events from all systems in the enterprise flow to a centralized repository where they can then be analysed. Some SIEMs also baseline what's normal and flag what's not. However, they are quite costly 💰.

There are several ways to capture the network traffic between machines.

Network tap - a device that's placed between two or more devices on the network. I presume a hub can be considered a tap.

SPAN port is another option.

Packet sniffer (tcpdump or Wireshark 🦈) installed on the host.

Legal Considerations for log acquisition:

  1. There should be a logging policy and users should be well aware of it, i.e. of what is being logged. Mind the privacy issues.
  2. Logs should be recorded close in time to the event, otherwise they might be rejected in court.
  3. There should be people who know which devices keep which logs and what structure those logs have. These people should also test the software from time to time to make sure the logs are reliable. They might be asked to testify in court.
  4. It's also preferable that the log structure is consistent across the enterprise.
  5. Prolonged failures of logging should be documented and the reason determined as well.
  6. Keep in mind that in case of legal prosecution, these logs will be available to the opposing counsel.
  7. The backups and copies should be kept until the court states that they are no longer needed. Some standards define retention periods for the logs. For example, in the case of PCI-DSS it's 1 year.

Logs and pcap files acquired should be documented thoroughly to be admissible. Collect the evidence, copy it to a USB drive immediately and then compute the hash of each file. Then, for each log and pcap, keep the following entry:

  1. File name
  2. Description
  3. Location
  4. Date and time (mind the timezone)
  5. Collected by
  6. MD5 or SHA hash
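The entry above can be produced by a small script rather than by hand. What follows is an added example, not code from the original notes or from the referenced book: it hashes each collected file (MD5 and SHA-256, read in chunks so large pcaps fit in memory), records the six fields with a timezone-aware timestamp, renders a CSV manifest, and re-verifies a file against its recorded hash so later tampering is detected. The file names, log lines, descriptions and collector name are constructed placeholders.

```python
"""Evidence manifest for collected logs and pcaps (added example, not from the notes)."""
import csv
import hashlib
import io
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB pcap is not loaded whole
FIELDS = ["file_name", "description", "location", "collected_at",
          "collected_by", "md5", "sha256"]


def hash_file(path: Path) -> Dict[str, str]:
    """Return MD5 and SHA-256 hex digests of a file, computed in one pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def manifest_entry(path: Path, description: str, collected_by: str,
                   when: Optional[datetime] = None) -> Dict[str, str]:
    """Build one manifest record; the timestamp must carry a timezone (UTC by default)."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("collection time must be timezone-aware")
    digests = hash_file(path)
    return {
        "file_name": path.name,
        "description": description,
        "location": str(path.resolve()),
        "collected_at": when.isoformat(),
        "collected_by": collected_by,
        "md5": digests["md5"],
        "sha256": digests["sha256"],
    }


def verify_entry(entry: Dict[str, str]) -> bool:
    """Re-hash the file at entry['location'] and compare with the recorded SHA-256."""
    return hash_file(Path(entry["location"]))["sha256"] == entry["sha256"]


def write_manifest(entries: List[Dict[str, str]]) -> str:
    """Render the entries as CSV text, to be stored next to the evidence."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(entries)
    return buf.getvalue()


def demo() -> List[Dict[str, str]]:
    """Create two constructed evidence files in a temp dir and build their manifest."""
    workdir = Path(tempfile.mkdtemp(prefix="evidence_"))
    # Constructed sample firewall log lines (not real data).
    (workdir / "fw.log").write_bytes(
        b"2022-07-28T10:00:01Z DROP src=10.0.0.5 dst=10.0.0.9 dport=445\n"
        b"2022-07-28T10:00:02Z ALLOW src=10.0.0.5 dst=10.0.0.1 dport=53\n")
    # Constructed placeholder content with a well-known digest (SHA-256 of "abc").
    (workdir / "capture.pcap").write_bytes(b"abc")
    when = datetime(2022, 7, 28, 12, 30, tzinfo=timezone.utc)
    entries = [
        manifest_entry(workdir / "fw.log", "perimeter firewall log", "analyst (placeholder)", when),
        manifest_entry(workdir / "capture.pcap", "SPAN capture (placeholder)", "analyst (placeholder)", when),
    ]
    return entries


def tamper_demo(entry: Dict[str, str]) -> bool:
    """Append one byte to the file behind entry and report whether verification still passes."""
    with Path(entry["location"]).open("ab") as fh:
        fh.write(b"\n")
    return verify_entry(entry)


if __name__ == "__main__":
    records = demo()
    print(write_manifest(records))
    print("intact:", all(verify_entry(r) for r in records))
    print("after tampering:", tamper_demo(records[0]))
```

The manifest should be written once, hashed itself, and kept with the evidence; `verify_entry` is what you run before handing a copy to anyone, so that any change since collection shows up as a hash mismatch.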

References

  1. Digital Forensics and Incident Response, G. Johansen