Wednesday, January 27, 2016

Network Forensic: Packets Reassembly using Free and Open Source Tools

Reliance on the Internet and computer networks grows day after day, and networked devices are now scattered everywhere and in every field, from computers, mobile phones and home appliances to industrial SCADA (Supervisory Control And Data Acquisition) and ICS (Industrial Control Systems). This heavy and continuing reliance on networked devices has increased the scope, diversity and complexity of the Internet crimes that target these networks, which in turn has made the task of cybercrime incident response and digital forensics teams harder and has led to the emergence of a branch of digital forensics that focuses on collecting digital evidence at the level of information and communication networks, known as network forensics. So what is network forensics analysis?
In 2001, Gary Palmer, in "A Road Map for Digital Forensic Research" (Report from DFRWS 2001), described network forensics as a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Marcus Ranum is also credited with defining network forensics as "the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents" (Network Flight Recorder: http://www.ranum.com).
In general, network forensics can help both before and after a cyber attack incident: before the incident, by detecting and identifying intrusions, threats and attacks; after the incident, as a valuable source of information for the digital forensic investigator when the attackers have erased the logs of the compromised systems, because the captured traffic is stored outside the compromised hosts and is out of the attacker's reach.
Because network forensics focuses on network traffic (wired or wireless), which is normally transmitted and then lost, that traffic has to be collected and stored for later analysis. Systems that collect network data for forensic investigation usually use one of two approaches, as described by Simson Garfinkel in Network Forensics: Tapping the Internet (http://www.oreillynet.com/pub/a/network/2002/04/26/nettap.html):
  • "Catch-it-as-you-can" - All packets passing through a certain traffic point are captured and written to storage, with the analysis done afterwards in batch mode. This approach requires large amounts of storage.
  • "Stop, look and listen" - Each packet is analysed in a rudimentary way in memory and only certain information (flow metadata, for example) is saved for future analysis. This approach requires a faster processor to keep up with the incoming traffic.
Both approaches store the captured data for a period of time set by the applicable retention policy, after which it is overwritten by newly captured traffic. The main concern with the "Catch-it-as-you-can" approach is privacy, since the captured traffic includes confidential and personal user data; in some circumstances it may not be legal to capture users' data without explicit permission or a court order.
Traffic Capture
The first step in network forensic analysis is capturing and storing the network traffic using a network analyser or packet sniffer such as Wireshark or tcpdump. The nature and value of the captured traffic depend on the position of the packet sniffer in the monitored network; for the best capture the sniffer should be connected to a network tap or to a mirroring (SPAN) port of a switch located at a central point of the network, such as a core switch, or preferably at the perimeter between two different networks. Ideally, the forensic investigator should ensure that the packet sniffer machine cannot send traffic into the network being monitored (no IP address on the capture interface, or a receive-only tap). Another point: encrypted traffic is of limited use for content reconstruction. The investigator still obtains the metadata (addresses, ports, timing, volumes, and for TLS the server certificate and the SNI hostname), but to rebuild the payload the traffic has to be decrypted, either at capture time on an inline TLS proxy or afterwards with the appropriate key material (the server's RSA private key for cipher suites without forward secrecy, or per-session keys exported by the client), and that decryption is subject to the same legal and privacy constraints as the capture itself.
Packets Reassembly
After the raw network traffic has been captured and stored, the digital forensic investigator needs to extract data and information from it so that keywords, patterns, evidence and so on can be searched for in the extracted data. Beyond the packet metadata that comes out directly, this requires reassembling the network packets: ordering the TCP segments of each connection by sequence number, discarding retransmissions and joining the payloads back into the transmitted files, emails, chat sessions, voice calls, attack patterns, exploits and so on.
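The following Python script is an added example (not code from the original post or from any of the tools described on this page) that shows the two ideas above on a single capture: the "stop, look and listen" approach, which keeps only per-flow metadata, and the "catch-it-as-you-can" approach, which keeps every packet and reassembles the TCP streams afterwards. It parses a classic pcap file by hand, orders the segments of each direction by sequence number, drops retransmitted bytes, reports gaps (segments the sniffer never saw) instead of silently joining across them, and splits the rebuilt HTTP response into headers and body. The sample capture, the addresses 10.0.0.5 and 10.0.0.80, and the file `/report.txt` are constructed inside the script; the server's segments are deliberately written out of order and one is duplicated.

```python
"""Flow summary and TCP stream reassembly over a constructed pcap (added example)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4        # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic pcap file (only used to construct sample input)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1453852800 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def build_tcp_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame carrying a PSH|ACK segment (checksums left zero; not needed here)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs irrelevant, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_pcap(data):
    """Yield (timestamp, frame) records; rejects other magics/link types rather than guessing."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, link = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return the 4-tuple, sequence number and payload of an IPv4/TCP frame, or None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    sport, dport, seq = struct.unpack("!HHI", frame[tcp:tcp + 8])
    hdr_len = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + hdr_len:14 + total_len]          # stop before any Ethernet padding
    return {"key": (src, sport, dst, dport), "seq": seq, "payload": payload}


def flow_summary(pcap_bytes):
    """'Stop, look and listen': inspect each packet once, keep only flow metadata, never payloads."""
    flows = {}
    for ts, frame in parse_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt is None:
            continue
        rec = flows.setdefault(pkt["key"], {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        rec["packets"] += 1
        rec["bytes"] += len(pkt["payload"])
        rec["last"] = ts
    return flows


def reassemble_streams(pcap_bytes):
    """'Catch-it-as-you-can': rebuild each direction of every TCP connection from stored packets.
    Segments are sorted by sequence number, retransmitted bytes are dropped, and bytes the sniffer
    never saw are zero-filled and reported as gaps. Sequence wraparound is ignored for brevity."""
    segments = defaultdict(list)
    for _ts, frame in parse_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt and pkt["payload"]:
            segments[pkt["key"]].append((pkt["seq"], pkt["payload"]))
    streams = {}
    for key, segs in segments.items():
        segs.sort(key=lambda s: s[0])
        buf, gaps, expected = bytearray(), [], segs[0][0]
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= expected:
                continue                                   # pure retransmission, already have it
            if seq > expected:
                gaps.append((expected, seq))               # a segment the capture missed
                buf += b"\x00" * (seq - expected)
                expected = seq
            buf += payload[expected - seq:]                # skip any overlap with data we hold
            expected = end
        streams[key] = (bytes(buf), gaps)
    return streams


def extract_http_body(stream):
    """Split a reassembled server-to-client stream at the HTTP header/body boundary."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        return None
    return stream[:sep].decode("latin-1"), stream[sep + 4:]


# Constructed sample: one request, one response sent as three segments (out of order, one duplicated).
CLIENT, SERVER = "10.0.0.5", "10.0.0.80"
REQUEST = b"GET /report.txt HTTP/1.1\r\nHost: 10.0.0.80\r\n\r\n"
BODY = b"Quarterly numbers: 1, 2, 3\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
SEG = [RESPONSE[:20], RESPONSE[20:45], RESPONSE[45:]]
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(CLIENT, SERVER, 51000, 80, 1000, REQUEST),
    build_tcp_frame(SERVER, CLIENT, 80, 51000, 5000, SEG[0]),
    build_tcp_frame(SERVER, CLIENT, 80, 51000, 5045, SEG[2]),   # arrives before the middle segment
    build_tcp_frame(SERVER, CLIENT, 80, 51000, 5020, SEG[1]),
    build_tcp_frame(SERVER, CLIENT, 80, 51000, 5020, SEG[1]),   # retransmission of the middle segment
])

if __name__ == "__main__":
    for key, rec in flow_summary(SAMPLE_PCAP).items():
        print(key, rec["packets"], "packets,", rec["bytes"], "payload bytes")
    stream, gaps = reassemble_streams(SAMPLE_PCAP)[(SERVER, 80, CLIENT, 51000)]
    headers, body = extract_http_body(stream)
    print(headers.splitlines()[0], "->", body.decode(), "gaps:", gaps)
```

The flow summary is what a "stop, look and listen" collector would retain (4 server packets, 117 payload bytes including the duplicate), while the reassembled stream is the exact 92-byte response the client received, with the duplicate removed. A real NFAT additionally handles sequence-number wraparound, SYN/FIN accounting, IP fragmentation and the content-specific parsing (HTTP chunked encoding, MIME, SMB and so on) that turns a stream into files.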
Network Forensic Analysis Tool (NFAT) is the product category used to capture, store and analyse network traffic. Many commercial and open source tools fit in this category; the tools demonstrated below are some of my favourite NFAT applications.
1. Xplico (About Xplico)
Xplico is a multi-user open source Network Forensic Analysis Tool (NFAT). Its goal is to extract the data contained in a network traffic capture. Xplico supports a lot of network protocols and applications: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, etc. The UI is a web interface and its backend database can be SQLite, MySQL or PostgreSQL. Xplico can also be used as a cloud Network Forensic Analysis Tool. Xplico is included in the major digital forensics and penetration testing distributions: Kali Linux, BackTrack, DEFT, Security Onion, Matriux, BackBox, CERT Forensics Tools and Pentoo.
The following video demonstrates packets reassembly using Xplico.

2. NetworkMiner (NetworkMiner Link)
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports, etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and regenerate/reassemble transmitted files and certificates from them. The purpose of NetworkMiner is to collect data (such as forensic evidence) about the hosts on the network rather than about the traffic on the network, so its main view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames). NetworkMiner is available both as a free open source tool and as a commercial network forensics tool.
The following video demonstrates packets reassembly using NetworkMiner.

3. Intercepter-NG (Intercepter-NG Github Link)
Although Intercepter-NG is not categorised as a Network Forensic Analysis Tool (NFAT) and could be considered a hacking or penetration testing tool, it is on the other hand a very good network toolkit with the ability to reconstruct transmitted files over multiple protocols such as FTP, HTTP, IMAP, POP3, SMTP and SMB. Beyond file reconstruction, Intercepter-NG can sniff chat messages and password hashes, capture raw packets, and perform a few attacks such as Heartbleed, SMB Hijack, HTTP Injection and ARP spoofing. Intercepter-NG comes in three versions: an MS Windows version, a console version and an Android version (requires root). Note that these active features inject traffic into the network being examined, which is exactly what a forensic sniffer should avoid; for evidence collection use only its passive capture and reconstruction functions.


The following video demonstrates packets reassembly using Intercepter-NG.
