Forensic science combines technology and crime investigation methodologies to establish facts and bring clarity to a criminal investigation. Why forensic investigation? Digital forensic investigation is about collecting and preserving evidence. The investigation process includes interviewing, interrogating, collecting, and preserving evidence. It is essential that the evidence be relevant and handled in a lawful manner. The forensic evidence gives a full view of the investigation, and it can determine the result of a judgment. “Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. For these reasons, special precautions should be taken to preserve this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion.” (UMUC, n.d.).
One must ask why a network forensic analyst would want to investigate a network attack when IDS and IPS tools exist. The reason is that even though IDS/IPS look for suspicious activity, they are imperfect at times. These tools also generate false positives. False positives and false negatives have many causes, such as imprecise or nonexistent detection methods. To determine whether an alert is genuine, an analyst must associate the packet content with the rule that triggered the alert. This analysis requires familiarity with the composition of individual and related packets. When analyzing the packets, the analyst needs to determine the attacker’s motivations and skills. Usually, the characteristics and the method of the attack help the analyst determine whether the attack and attacker should be considered harmful or merely a nuisance.
After the IDS alerts on fraudulent activity, the log generated from the PCAP file needs to be investigated. A proper diagnosis examines the capture associated with the alert. Once the analysis is complete, the signature related to the alert can be examined and then correlated with other relevant logs.
Wireshark is a useful tool for decomposing the capture file into packets and layers; it gives us a clear view of the protocols and layers involved in the attack. Why packets? Packets help reconstruct the activity linked with the alert, as well as the activity before and after it. To understand a packet, you need to understand how the network communication model works. Network traffic is composed of packets, frames, headers, and data. There are two network models. The OSI model (Open Systems Interconnection) is composed of seven layers. The other, the TCP/IP model, is composed of four layers: the Application layer (HTTP, SMTP, DNS), the Transport layer (TCP, UDP), the Internet layer (IP), and the Network layer (network access). Data travels from the Application layer down to the Network layer, with each layer adding its own header; this process is called encapsulation. When the destination host receives the packet, it must decapsulate it by reversing the encapsulation cycle, removing one header per layer.
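The decapsulation described above, together with the analyst's earlier check of matching packet content against the rule that fired, as an added example that is not part of the original post. The frame and the rule are constructed inline (a real analyst would read frames from the PCAP file), and the port-plus-content rule is a hypothetical minimal one.

```python
# Added example (not from the original post): decapsulate a captured frame layer by
# layer, the reverse of the encapsulation described above, then check the payload
# against a minimal hypothetical alert rule. The frame below is constructed inline.
import struct

# Constructed sample frame: Ethernet II / IPv4 / TCP / HTTP request (not a real capture).
PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
TCP_HDR = struct.pack("!HHIIHHHH", 40312, 80, 1000, 2000, 0x5018, 65535, 0, 0)
IP_LEN = 20 + len(TCP_HDR) + len(PAYLOAD)
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN, 0x1C46, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
ETH_HDR = bytes.fromhex("001122334455 66778899aabb 0800")  # dst MAC, src MAC, IPv4
SAMPLE_FRAME = ETH_HDR + IP_HDR + TCP_HDR + PAYLOAD

def parse_ethernet(frame):
    """Network access layer: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": mac(dst), "src": mac(src), "type": ethertype}, frame[14:]

def parse_ipv4(data):
    """Internet layer: honour IHL (options) and total length (drops Ethernet padding)."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl, "proto": proto}
    return ip, data[ihl:total_len]

def parse_tcp(segment):
    """Transport layer: data offset is in 32-bit words; low 9 bits carry the flags."""
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    offset = (off_flags >> 12) * 4
    tcp = {"sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x1FF}
    return tcp, segment[offset:]

def decapsulate(frame):
    """Walk the layers outermost first; stop early for non-IPv4 or non-TCP traffic."""
    eth, rest = parse_ethernet(frame)
    if eth["type"] != 0x0800:
        return {"eth": eth, "payload": rest}
    ip, rest = parse_ipv4(rest)
    if ip["proto"] != 6:
        return {"eth": eth, "ip": ip, "payload": rest}
    tcp, payload = parse_tcp(rest)
    return {"eth": eth, "ip": ip, "tcp": tcp, "payload": payload}

def rule_matches(pkt, dport, content):
    """The analyst's check: does the packet content really satisfy the rule that fired?
    Hypothetical minimal rule: destination port plus a byte-string content match."""
    return pkt.get("tcp", {}).get("dport") == dport and content in pkt.get("payload", b"")
```

Trailing Ethernet padding is dropped by honouring the IP total length, which is why the same payload comes back whether or not the frame was padded on the wire.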
Alice Ouedraogo, MS Cyber Forensic
