Monday, August 8, 2011

Can I get a Witness…. A NetWitness

I am at GFIRST this week, my first security conference and definitely not my last. After one day of the pre-conference training session on Network Forensics and Analysis, I have learned more in this one day about how to find evil than I have in the last few incidents I have had to help respond to.
According to the Overview of the class this is what we are covering:

This class will optimize your Network Forensics arsenal. Get exposure to several types of software, along with the methodology of being a Forensics Analyst. We'll help put you in the right frame of mind to find interesting activity on the network. Several use cases will be examined with a lot of labs to identify malicious software and suspicious network communications. And what do you do once you've found something suspicious? Reversing for Network Analysts will be taught-- a drink-from-the-hose approach to Java, JavaScript and PDF reversing. In addition to NetWitness Investigator, students will use freely available Internet-based tools throughout the labs.
Part 1 Agenda:
  • Warm-up exercises
  • Forensic theory
  • Lab – Finding suspicious network sessions
  • Lab – Internet research General Security Fundamentals
  • Lab – Finding suspicious application sessions
  • Lab – Hunting botnet traffic

My original philosophy for hunting the proverbial needle in the haystack was to look at each individual strand of hay and try to figure out whether it was a needle or just junk. That was until Michael Sconzo showed the utility of NetWitness Investigator and how it interacts with Wireshark. Being new to the whole DFIR aspect, this is the quote that summed up what I wanted to believe Forensics was all about (the following snippets are from the NetWitness training):
“Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity.”

In reality a forensicator removes hay until only needles remain. We do this by looking at all the traffic that we receive.
  • We collect all traffic
  • We look at a subset of that traffic
  • We pick out items that are interesting in that smaller subset
  • Hopefully we then act on the new intelligence we found.

One of the biggest things I pulled from this training session was this slide:

The entire purpose to becoming a lethal forensicator is to generate new intelligence.
  • Forensics is tedious.
  • You should NOT be repeating the same process to find the same things.
  • New intelligence is used to automate finding those (now) known threats in the future.
  • This allows you to continue focusing on finding new, unknown threats!

I also picked up this gem for investigating incidents: we have plenty of signatures and applications that can alert us to what is there and known, so
“Identify malicious activity by looking for what’s NOT there.”

I will walk through the 4th lab from this training session and show the WOW factor that I realized would be useful in Network Forensics and Incident Response for finding the EVIL that resides in the network.

The goal of the 4th lab is finding covert communications from a host.
After we have created a collection and loaded the PCAP files, we can open the interface and look at the Keys and whether there are any values included in them.

Since we are looking at a Remote Administration Tool, which usually uses a proprietary protocol, some type of encryption, or other technology to hide from us, we are not sure exactly what we are looking for, so we will navigate to:

As you can see, we have 594 items under the Other value. Since we have so many items under Other, we need to think like a hacker: a RAT wants a reliable connection, so we look at the IP Protocol key for TCP connections. As you can see, in the IP Protocol Key we have 66 hits.

I clicked on the blue TCP to drill into the values that are there. I can now either look at Destination Countries, if I think I can rule one out, or view all the sessions.

For me the ones I would look at first would be Russian Federation or China, although any of them could be an issue, so I will view all the sessions to be safe. If you right-click on any of the white section you can select View All Sessions. This will bring up the following view:

I can then select the view option and start cycling through these until I find something interesting.
I finally find something on port 8080.

Opening the highlighted one, I see the following response:

Hrrmmm, why do I have a web request for an exe outside of my HTTP?
With this information I can now search other logs to find out traffic to the site and who else might be compromised.
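The drill-down above (unparsed service, then TCP, then eyeballing sessions until an HTTP request for an exe turns up on port 8080) is really a filter chain, and once you have found it once you should automate it, per the "generate new intelligence" slide. The script below is an added example, not code from the training or from NetWitness; it runs the same reduction over a handful of constructed session-metadata records (the Session fields, the sample payloads and the "OTHER" service label are my assumptions about what a parser would hand you).

```python
"""Haystack reduction from the lab walkthrough, run over constructed session metadata."""
from dataclasses import dataclass


@dataclass
class Session:
    service: str       # service assigned by the traffic parser ("HTTP", "DNS", "OTHER", ...)
    ip_proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    dst_country: str
    dst_port: int
    payload: bytes     # first bytes sent by the client in the session


# Constructed sample sessions; none of these come from the lab's PCAP.
SESSIONS = [
    Session("HTTP", 6, "United States", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"),
    Session("DNS", 17, "United States", 53, b"\x12\x34\x01\x00"),
    Session("OTHER", 17, "Germany", 5004, b"\x80\x60\x00\x01"),
    Session("OTHER", 6, "Russian Federation", 4444, b"\x00\x13\x37\xca\xfe"),
    Session("OTHER", 6, "China", 8080, b"GET /update/svc.exe HTTP/1.1\r\nHost: 203.0.113.9\r\n"),
    Session("OTHER", 6, "Canada", 8443, b"\x16\x03\x01\x00\xa5"),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


def is_unparsed_tcp(s: Session) -> bool:
    """Steps 1-2 of the lab: keep what the parsers could not classify, then keep reliable (TCP) sessions."""
    return s.service == "OTHER" and s.ip_proto == 6


def http_exe_off_port(s: Session) -> bool:
    """Step 3: an HTTP request for an .exe inside a session the parser did NOT tag as HTTP."""
    if not s.payload.startswith(HTTP_METHODS):
        return False
    request_line = s.payload.split(b"\r\n", 1)[0]
    return b".exe" in request_line.lower()


def hunt(sessions):
    """Return (number of unparsed TCP sessions, flagged sessions), mirroring the Investigator drill-down."""
    candidates = [s for s in sessions if is_unparsed_tcp(s)]
    flagged = [s for s in candidates if http_exe_off_port(s)]
    return len(candidates), flagged


if __name__ == "__main__":
    count, hits = hunt(SESSIONS)
    print(f"{count} unparsed TCP sessions, {len(hits)} carrying an HTTP request for an exe")
    for s in hits:
        request_line = s.payload.split(b"\r\n", 1)[0]
        print(f"  port {s.dst_port} -> {s.dst_country}: {request_line!r}")
```

The same three predicates map directly onto the Investigator keys used in the lab (Service, IP Protocol, Destination Port), so the next time this pattern shows up it is a saved filter rather than a manual page-through.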


  1. Very interesting! I'd really like to take some network forensics training. I'm studying right now for the Network+ exam, but want to start learning the forensics angle of networking as soon after that as I can.


  2. Great job, Ken! And like you, Ken (ow, my head hurts), I want to learn more about network forensics. I've been playing with Netwitness in my free time to dig into this area.