
2. ACQUISITION & ANALYSIS OF THE EVIDENCE AND DATA

Evidence may be acquired from the crime location or may be captured with the various tools and processes discussed below. The integrity and nature of the evidence collected must be maintained as required by the chain of custody; for that, hash calculations (for example an MD5 and a SHA-256 digest of every acquired file or image, recorded at acquisition and re-checked on receipt) and the preservation procedures for data and hardware transfer and transport should be strictly followed. Analysis of the acquired evidence and data plays a key role in the investigation, since the case depends mainly on what is produced on the basis of that analysis. The analysis process should therefore be fast, efficient, easy to use and standardised, and should comply with the international standards and parameters set by the court of law. The tools and processes used for analysis should provide optimal and valid results which can be produced conclusively. The following sections describe the types of evidence that are examined most often during an investigation to obtain the artefacts and data relevant to the case.

1.1. LIVE SYSTEMS

The systems and devices seized during a raid are hardware components which may be live and contain volatile data. For a network forensic analyst, devices such as managed switches, routers, broadband routers, the computers themselves (CPU, Network Interface Cards, Hard Disks), Digital Video Recorders and other devices connected to the network are seized as hardware evidence and examined with various tools and methods to obtain evidence data. Volatile data (running processes, open connections, ARP and routing tables, logged-in sessions) is lost at power-off, so it should be collected from a live system before the system is shut down or imaged.

The following table describes the data that can be fetched from the listed hardware systems:

Table-II: Data obtained from live systems

 

Here, a Windows based system and a broadband router are examined as evidence primarily to obtain the basic network artefacts:

1.1.1. WINDOWS BASED SYSTEM

Windows operating system based evidence is easy to examine if the log files are accessible during the primary investigation. The Event Viewer of a Windows system helps investigators examine network connections, profiles, sessions, system logon and logoff, wireless and Bluetooth connections and almost every other event occurring in the front end and back end of the system; each event type is identified by a numeric Event ID. These events can be used to find evidence of connections and of events occurring or that occurred on the system, which is also helpful for auditing or troubleshooting the network or device. The events can be exported as logs (.evtx files) and viewed later with other tools. The network artefacts shown below live under Applications and Services Logs, in Microsoft-Windows-NetworkProfile/Operational (network connected and disconnected events) and Microsoft-Windows-WLAN-AutoConfig/Operational (wireless association and profile events). The Event Viewer shortcut is found at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools, or it can be opened directly by running eventvwr.msc. Here are a few images of those artefacts and logs from a Windows based system which can be helpful in an investigation; they show Service Set Identifier (SSID) names, connection times and details:

Fig 1: Log of Network Profile generated in the system


 

Fig 2: Network Profile generated in the system

 

Fig 3: WLAN configuration event
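The collection shown in Fig 1 to Fig 3 can be scripted instead of clicked through. The following PowerShell is an added example, not code from the original article: it pulls the network profile and WLAN events from a live Windows system, flattens them to CSV, keeps the raw .evtx files and hashes everything for the chain-of-custody record. The output folder is an assumed examiner-chosen evidence path, and the script assumes an elevated PowerShell session.

```powershell
# Added example (not code from the original article): collect the network
# profile and WLAN events described above from a live Windows system, flatten
# them to CSV for analysis, and preserve the raw logs plus SHA-256 hashes for
# the chain of custody.
# Assumptions: elevated Windows PowerShell 5.1 (or PowerShell 7) session; the
# output folder below is an examiner-chosen evidence drive, not a path from the page.
param(
    [string]$OutDir = 'E:\case\network-artefacts'
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Event sources behind Fig 1-3:
#   Microsoft-Windows-NetworkProfile/Operational  10000 = network connected
#                                                 10001 = network disconnected
#   Microsoft-Windows-WLAN-AutoConfig/Operational 8001  = connected to a wireless network
#                                                 8003  = disconnected from a wireless network
$queries = @(
    @{ LogName = 'Microsoft-Windows-NetworkProfile/Operational'; Id = 10000, 10001 },
    @{ LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational'; Id = 8001, 8003 }
)

function Convert-EventData {
    # Flatten <EventData> into name=value columns (SSID, ProfileName, Name,
    # Description, ...) so no positional Properties[] index is assumed.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $row = [ordered]@{
        TimeCreatedUtc = $Event.TimeCreated.ToUniversalTime().ToString('o')
        Log            = $Event.LogName
        EventId        = $Event.Id
    }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
}

$rows = foreach ($q in $queries) {
    # The WLAN log is absent on wired-only hosts; do not abort the collection for that.
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
        ForEach-Object { Convert-EventData -Event $_ }
}
$rows | Sort-Object TimeCreatedUtc |
    Export-Csv -Path (Join-Path $OutDir 'network-events.csv') -NoTypeInformation -Encoding UTF8

# Keep the original .evtx files so the CSV can be re-derived and verified later.
foreach ($q in $queries) {
    $evtx = Join-Path $OutDir (($q.LogName -replace '[\\/]', '_') + '.evtx')
    wevtutil epl $q.LogName $evtx /ow:true
}

# Hash every collected file; the list goes into the chain-of-custody record.
$hashes = Get-ChildItem -Path $OutDir -File | Get-FileHash -Algorithm SHA256
$hashes | Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $OutDir 'sha256-manifest.csv') -NoTypeInformation
$hashes | Format-Table Hash, Path -AutoSize
```

The CSV is only a convenience view; the exported .evtx files and their hashes are what should travel with the evidence, because the CSV can always be regenerated from them and the regeneration can be verified.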

1.1.2. COMMAND LINE UTILITY

ipconfig (IP configuration) is the Windows command, the counterpart of the Unix ifconfig command, used to display and manage the configuration of the network interfaces. It is used mainly for network debugging and for listing all active network interfaces on the system, which makes it a good command for the primary investigation of a local system. With the /all switch it shows, for every adapter, the physical (MAC) address, the IPv4/IPv6 addresses, the DHCP server and lease times and the DNS servers; ipconfig /displaydns additionally dumps the resolver cache, which records recently resolved host names. The image below shows sample output for a Wi-Fi adapter with its physical and logical addresses.

 

Fig 4: output of ipconfig /all command

Netstat (Network Statistics) is a command line tool for displaying the network connections of a particular system; it is used to find live network interfaces, IP addresses, ports in use, routing tables and so on. On Windows, netstat -ano lists all connections and listening ports in numeric form together with the owning process ID, and netstat -r prints the routing table. Here a snapshot of the same is taken from an item of evidence; an unexpected listening port, or an established connection to an unknown external address, can reveal an enabled backdoor leaking data, and the PID column ties it to the responsible process.

 

Fig 5: output of netstat command
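Reading Fig 4 and Fig 5 by eye does not tell the examiner which program owns a suspicious socket. The PowerShell below is an added example, not code from the original article: it captures the same ipconfig /all and netstat output to files, then joins every listening or established TCP socket to its owning process, binary path and Authenticode status so a candidate backdoor can be tied to a program. It assumes an elevated session on Windows 8 / Server 2012 or later and an examiner-chosen output folder.

```powershell
# Added example (not code from the original article): capture the ipconfig /all,
# netstat, ARP and routing output shown above to files, then enrich every
# listening or established TCP socket with its owning process, binary path and
# Authenticode status so that a suspect backdoor listener can be tied to a program.
# Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later
# (Get-NetTCPConnection); the output folder is examiner-chosen, not from the page.
param([string]$OutDir = 'E:\case\live-network')
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Raw captures first, so everything below can be checked against unmodified output.
ipconfig /all | Out-File -FilePath (Join-Path $OutDir 'ipconfig-all.txt') -Encoding UTF8
netstat -ano  | Out-File -FilePath (Join-Path $OutDir 'netstat-ano.txt')  -Encoding UTF8
arp -a        | Out-File -FilePath (Join-Path $OutDir 'arp-a.txt')        -Encoding UTF8
route print   | Out-File -FilePath (Join-Path $OutDir 'route-print.txt')  -Encoding UTF8

# 2. Snapshot the process table once, then join sockets to it by PID.
$procs = @{}
Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

$sockets = Get-NetTCPConnection |
    Where-Object { $_.State -in @('Listen', 'Established') } |
    ForEach-Object {
        $p    = $procs[[int]$_.OwningProcess]
        $path = if ($p) { $p.Path } else { $null }
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { $null }
        # Heuristic only, not proof of compromise: an unsigned binary, or one
        # running from a user-writable folder, that owns a socket deserves a closer
        # look. Processes whose image path cannot be resolved (e.g. System, PID 4)
        # are left unflagged here and reviewed by hand.
        $flag = if ($path) {
            ($sig -ne 'Valid') -or ($path -match '\\(Temp|AppData|Downloads|Users\\Public)\\')
        } else { $false }
        [pscustomobject]@{
            State         = $_.State
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            PID           = $_.OwningProcess
            Process       = if ($p) { $p.ProcessName } else { '<exited>' }
            Path          = $path
            Signature     = $sig
            Suspicious    = $flag
        }
    }

$sockets |
    Sort-Object -Property @{ Expression = 'Suspicious'; Descending = $true }, LocalPort |
    Export-Csv -Path (Join-Path $OutDir 'tcp-sockets.csv') -NoTypeInformation
$sockets | Where-Object Suspicious |
    Format-Table State, LocalPort, RemoteAddress, PID, Process, Path -AutoSize

# 3. Hash the captures for the chain-of-custody record.
Get-ChildItem -Path $OutDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Format-Table -AutoSize
```

Run the raw captures before anything else: every cmdlet executed on a live system changes its state a little (new handles, new log entries), and the unmodified netstat and ipconfig text is what the enriched table will later be compared against.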

1.1.3. ADVANCED IP SCANNER

Advanced IP Scanner is a free tool for Windows that scans the network the system is connected to over LAN, WLAN or Wi-Fi and lists the computers and devices present on it. It works together with Radmin, the remote administration software from the same vendor, which extends its results and capabilities. The software is fast, capable and easy to use as a network scanner for all network domain people and agencies.

It has many features which make it a great tool for network scanning apart from forensics. Lists can be made of selected systems on the network, and if a system supports Wake-On-LAN the scanner can wake it up and can shut down computers remotely on the administrator's request. It can scan for open ports, which helps the investigation team work out the possible mode of intrusion or attack carried out on the network. A sample scan of an IP pool provided by the user is shown here.


 

Fig 6: Live scan of the network using Advance IP Scanner
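The discovery in Fig 6 rests on three mechanisms: an ICMP sweep, the ARP (neighbour) cache the sweep fills, and a TCP connect scan of the live hosts. The PowerShell below is an added example, not code from the original article or from the Advanced IP Scanner project, that reproduces those three steps without third-party tools; the address pool 10.0.0.1-254 and the port list are illustrative values chosen for the example, and Get-NetNeighbor assumes Windows 8 / Server 2012 or later.

```powershell
# Added example (not code from the original article): a scripted version of the
# live-host and open-port discovery that Advanced IP Scanner performs, written
# without third-party tools so it can run from the examiner's workstation.
# Assumptions: the address pool 10.0.0.1-254 and the port list are illustrative
# (none of these values come from the page); Windows 8 / Server 2012 or later
# for Get-NetNeighbor.
param(
    [string]$Prefix = '10.0.0',
    [int]$First = 1,
    [int]$Last = 254,
    [int[]]$Ports = @(21, 22, 23, 80, 135, 139, 443, 445, 3389, 5900, 8080)
)

# 1. ICMP sweep, all probes in flight at once so a /24 takes seconds, not minutes.
$probes = foreach ($i in $First..$Last) {
    $ip = "$Prefix.$i"
    $ping = New-Object System.Net.NetworkInformation.Ping
    [pscustomobject]@{ IP = $ip; Task = $ping.SendPingAsync($ip, 800) }
}
$alive = foreach ($pr in $probes) {
    # .Result blocks until the reply or timeout; an unreachable host may throw.
    try { if ($pr.Task.Result.Status -eq 'Success') { $pr.IP } } catch { }
}

# 2. The sweep populated the neighbour (ARP) cache, which gives the MAC address;
#    the OUI in the first three octets often identifies the vendor of an unknown device.
$mac = @{}
Get-NetNeighbor -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    ForEach-Object { $mac[$_.IPAddress] = $_.LinkLayerAddress }

# 3. TCP connect scan: a completed handshake means the port is open. A short
#    timeout keeps filtered ports from stalling the scan.
function Test-TcpPort {
    param([string]$Ip, [int]$Port, [int]$TimeoutMs = 500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Ip, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)    # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($ip in $alive) {
    $open = foreach ($port in $Ports) { if (Test-TcpPort -Ip $ip -Port $port) { $port } }
    $name = try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $null }
    [pscustomobject]@{
        IP        = $ip
        MAC       = $mac[$ip]
        Hostname  = $name
        OpenPorts = ($open -join ',')
    }
}
$results | Sort-Object { [version]$_.IP } | Format-Table -AutoSize
```

A host that answers no ICMP probe is simply absent from this list, as it would be from a ping-based scanner; devices with ICMP blocked still appear in the neighbour cache if they exchanged any traffic with the scanning machine, so the $mac table is worth reviewing on its own. Scan only the network the seizure or engagement authorises.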


1.1.4. BROADBAND ROUTER

The most common and useful evidence can be obtained from the broadband router, which acts as the gateway between the WAN and the LAN for access to the internet. Data such as the WAN IP, on/off times, DHCP connections, IP allotments, errors, forwarded ports and other such data can be found in the admin panel of the broadband router. Here, DHCP allotment and PPP information (the IP address and DNS servers assigned by the ISP) are obtained from a TP-Link broadband router from the path**: 192.168.0.1 / System Tools / Logs [**The path may change depending on the router manufacturer]. Router logs are normally held in volatile memory and are lost on reboot or power loss, so they should be saved from the admin panel and photographed or screenshotted before the router is powered off.

 

Fig 7: DHCP information obtained

 

Fig 8: PPP information obtained


 

Fig 9: Options of log type available to fetch and examine

The file containing the above IP information was located in the evidence using the following method:

Fig 11: Evidence examination in EnCase

The EnScript snippet used in EnCase to filter out and find the evidence (only its opening lines are present on the page):

include "GSI_Basic"
class MainClass
{

 