ESSAY BODY - NETWORK FORENSICS
To begin with, as the name implies, network forensic investigators are experts who go into a network and collect data about an attack, whether it is still ongoing or occurred long ago. They observe and piece together the artefacts they find in various sources, which include firewall, application and antivirus logs; an artefact, in the digital forensics context, is an object of interest or a piece of evidence (Messier, 2017). This evidence must be handled carefully and proven to be unaltered to be admissible in a court of law.
One of the most common methods used by investigators is cryptographic hashing, which is a sound way to show that evidence has not changed. Any file obtained must be hashed immediately, and that includes packet captures and log files. According to Messier (2017, p. 5): “The best way to demonstrate that evidence has not changed from the point of acquisition is to use a cryptographic hash.”
Cryptographic hashing is a mathematical process that is easy to perform but computationally infeasible to reverse; in other words, it is a cryptographic method that converts input of any size into a fixed-length string which, for a secure hash function, is in practice unique to that input (Ray, 2017).
For instance, if a file contained network information from a particular time, generating a cryptographic hash of that file would output a fixed-length value, which could then be used to demonstrate authenticity in a court of law: if a hash taken later matches the value recorded at acquisition, that is an indicator that the file has not been altered (Messier, 2017).
Message Digest 5, or MD5 for short, is an example of a widely used cryptographic hash function. Developed in 1991 by Ronald Rivest, the MD5 algorithm generates a 128-bit hash value (Techopedia, n.d.). Practical collision attacks against MD5 have been known since 2004, so it is no longer considered collision resistant, although it is still often recorded alongside a stronger digest for compatibility with older tools.
Another common hash function is the Secure Hash Algorithm (SHA). The first version, SHA-1, generates a 160-bit hash, while SHA-256, a member of the SHA-2 family, returns a 256-bit value (Lowery, 2020). A practical SHA-1 collision was demonstrated in 2017, so SHA-256 is the usual choice for evidence hashing today.
To avoid collisions, which in this context means two different inputs producing the same hash value, an algorithm that generates a longer digest is preferred, which is why MD5 has been replaced by the SHA algorithms (Messier, 2017). Output length is only part of the reason: a longer digest raises the cost of a generic birthday attack, but MD5 was retired mainly because specific attacks on its construction find collisions far faster than its 128-bit length would suggest.
An example of a tool used to generate such values is the File Checksum Integrity Verifier (FCIV), a command-line utility provided by Microsoft for Windows. FCIV only supports MD5 and SHA-1 and is no longer maintained, so on current Windows systems the built-in certutil -hashfile command (with the SHA256 argument) or the PowerShell Get-FileHash cmdlet, which defaults to SHA-256, are preferred; on Linux and macOS, sha256sum or shasum -a 256 serve the same purpose.
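The hashing procedure described above, written out as an added example rather than code from the essay or from FCIV: the script writes two small constructed evidence files (one firewall log line and an empty packet capture), records their SHA-256 and MD5 digests in a manifest at acquisition time, then changes a single byte in one file and re-verifies, showing that both digests flag the altered file. The file names, manifest layout and sample contents are assumptions made for the illustration.

```python
"""Hash evidence files at acquisition and re-verify them later.

Added example for this essay; it is not code from Messier, FCIV or any other
tool cited above. The two evidence files and the manifest layout are
constructed for illustration.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 16  # read 64 KiB at a time so large captures need not fit in memory


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string (handy for checking known test vectors)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file, streamed in chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, algorithms=("sha256", "md5")):
    """Record each file's digests. Two algorithms are kept so that older tools
    (FCIV only knows MD5 and SHA-1) can still cross-check, while SHA-256 is
    the value actually relied upon."""
    return {os.path.basename(p): {a: hash_file(p, a) for a in algorithms}
            for p in paths}


def verify_manifest(manifest, directory):
    """Re-hash every listed file; return [(name, algorithm)] for any mismatch."""
    mismatches = []
    for name, digests in manifest.items():
        path = os.path.join(directory, name)
        for algorithm, expected in digests.items():
            if hash_file(path, algorithm) != expected:
                mismatches.append((name, algorithm))
    return mismatches


def demo():
    """Acquire two constructed files, hash them, tamper with one byte, re-verify.
    Returns (mismatches_before_tampering, mismatches_after_tampering)."""
    with tempfile.TemporaryDirectory() as workdir:
        log_path = os.path.join(workdir, "firewall.log")
        pcap_path = os.path.join(workdir, "capture.pcap")
        # Constructed sample evidence, not real data: one firewall line and a
        # bare little-endian pcap global header with no records.
        with open(log_path, "w") as handle:
            handle.write("2024-01-01T00:00:00Z DENY 10.0.0.5:51234 -> 203.0.113.7:445\n")
        with open(pcap_path, "wb") as handle:
            handle.write(bytes.fromhex(
                "d4c3b2a1 0200 0400 00000000 00000000 ffff0000 01000000"))
        manifest = build_manifest([log_path, pcap_path])
        before = verify_manifest(manifest, workdir)
        # Simulate tampering: change the single byte 'D' of DENY to 'A'.
        with open(log_path, "r+b") as handle:
            handle.seek(21)
            handle.write(b"A")
        after = verify_manifest(manifest, workdir)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)   # []
    print("after tampering: ", after)    # [('firewall.log', 'sha256'), ('firewall.log', 'md5')]
```

In practice the manifest would also record who hashed the files and when, and would itself be stored separately from the evidence, so that the chain of custody can be shown alongside the digests.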
Another technique used by network forensic experts is packet capture and analysis. What is captured on the wire is an accurate record, because you are reading the signals on the cable and seeing precisely what occurred (Messier, 2017); the caveat is that a capture only contains what the capture point could see, so the placement of the sensor and any frames dropped by the capturing host under load must be noted. A network packet is a unit of data that flows from a sender to a receiver, or from an origin to a destination address, within the internet or another packet-switched network (LiveAction, n.d.). Most packets are split into three parts: a header, a payload and a trailer. The header includes the sender and receiver IP addresses, the protocol and a packet (sequence) number; the payload is the data being carried; and the trailer includes error-checking information (HowStuffWorks, n.d.).
When it comes to network traffic analysis, Wireshark is the world’s leading network traffic analyser; it is free and allows analysis of network traffic in real time (Porup, 2018).
While using Wireshark, you can enter a capture filter in the capture header area, which narrows down which packets will be captured (a display filter, by contrast, narrows what is shown from packets that have already been captured, and uses a different syntax). Next, a network interface must be selected, after which three analysis panes are shown: the top one is the packet list pane; the middle one is the packet details pane, which shows the decoded header fields of the packet selected in the packet list pane (Hackers-Arise, 2018); and the third is the packet bytes pane, which shows the raw bytes of the selected frame, including its payload, in hexadecimal and ASCII (Hackers-Arise, 2018).
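The packet structure and the three Wireshark panes described above, as an added example that is not Wireshark’s code and not part of the original essay: a minimal pcap file containing three constructed Ethernet/IPv4 frames (two TCP, one UDP, using the RFC 5737 documentation address ranges) is built in memory, read back and decoded into a one-line summary per frame (packet list pane), the decoded header fields including a check of the IPv4 header checksum (packet details pane) and a hex/ASCII dump of the raw frame (packet bytes pane). The addresses, ports and payloads are made up for the illustration, and the TCP and UDP checksums are left at zero to keep the frame builder short.

```python
"""Dissect captured frames into the three views a packet analyser presents.
Added example for this essay, not Wireshark code: a pcap file holding three
constructed Ethernet/IPv4 frames (RFC 5737 addresses) is built, read back and decoded."""
import struct
PCAP_MAGIC = 0xA1B2C3D4            # classic pcap, microsecond timestamps
PROTO_NAMES = {6: "TCP", 17: "UDP"}

def ip_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when the header's stored checksum is valid."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Ethernet + IPv4 + TCP/UDP frame; the IPv4 checksum is real, TCP/UDP checksums left 0."""
    if proto == 6:  # TCP: seq 1000, ack 0, data offset 5 words, flags PSH+ACK
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | 0x18, 65535, 0, 0)
    else:           # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    aton = lambda ip: bytes(int(o) for o in ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     aton(src_ip), aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", 0x0800)  # dst, src, IPv4
    return eth + ip + l4

def write_pcap(frames, first_ts=1700000000):
    """Little-endian pcap file, link type 1 (Ethernet), one record per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + n, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame) for each record, accepting either byte order."""
    endian = "<" if struct.unpack_from("<I", data)[0] == PCAP_MAGIC else ">"
    if struct.unpack_from(endian + "I", data)[0] != PCAP_MAGIC:
        raise ValueError("not a pcap file")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len

def dissect(frame):
    """Decode the headers (packet details pane); return (fields, payload)."""
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame)
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fields = {"eth.dst": mac(dst_mac), "eth.src": mac(src_mac), "eth.type": hex(ethertype)}
    if ethertype != 0x0800:
        return fields, frame[14:]
    vihl, _, _, ident, _, ttl, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    ihl = (vihl & 0x0F) * 4
    fields.update({"ip.src": ".".join(map(str, src)), "ip.dst": ".".join(map(str, dst)), "ip.id": ident,
                   "ip.ttl": ttl, "ip.proto": proto, "ip.checksum_ok": ip_checksum(frame[14:14 + ihl]) == 0})
    l4 = 14 + ihl
    if proto == 6:
        sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", frame, l4)
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                       "tcp.flags": hex(off_flags & 0x1FF)})
        return fields, frame[l4 + (off_flags >> 12) * 4:]
    if proto == 17:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        fields.update({"udp.srcport": sport, "udp.dstport": dport})
        return fields, frame[l4 + 8:]
    return fields, frame[l4:]

def summary(number, ts, fields, payload):
    """One line per frame, as in the packet list pane."""
    proto = PROTO_NAMES.get(fields.get("ip.proto"), "Other")
    return f"{number} {ts} {fields.get('ip.src')} -> {fields.get('ip.dst')} {proto} payload={len(payload)}"

def hexdump(data, width=16):
    """Hex and ASCII rows of the raw frame, as in the packet bytes pane."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return rows

def sample_capture():  # constructed traffic, not a real capture: an HTTP exchange and a DNS query
    return write_pcap([
        build_frame("192.0.2.10", "198.51.100.20", 6, 49152, 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
        build_frame("198.51.100.20", "192.0.2.10", 6, 80, 49152, b"HTTP/1.1 200 OK\r\n\r\n"),
        build_frame("192.0.2.10", "198.51.100.53", 17, 53000, 53, bytes.fromhex("123401000001000000000000")),
    ])

if __name__ == "__main__":
    for number, (ts, frame) in enumerate(read_pcap(sample_capture()), start=1):
        fields, payload = dissect(frame)
        print(summary(number, ts, fields, payload))                    # packet list pane
        print("\n".join(f"    {k}: {v}" for k, v in fields.items()))    # packet details pane
        print("\n".join("    " + row for row in hexdump(frame)))         # packet bytes pane
```

Running the script prints the three views for each of the three frames. The bytes view dumps the whole frame, as Wireshark’s packet bytes pane does, not only the payload, and the ip.checksum_ok field shows the kind of integrity check a dissector performs on every header: flipping one byte of the IPv4 header makes it report False.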
Moreover, according to Messier (2017, p. 98): “Wireshark keeps track of a lot of information as it gathers each frame and it also does a lot of the decoding and dissection for us. Additionally, it will provide a lot of statistics about the capture, which can be very useful for certain types of investigations.” This simply means that it lessens the load on investigators: it keeps track of the information gathered from each frame without their needing to decode and dissect it by hand, and it provides statistics (such as the protocol hierarchy and conversation summaries) that can help with the investigation.