DFIR Playbook - Network Forensics



This post replicates my physical playbook on network forensics and covers the following tools:

- tshark
- capinfos
- Network Miner
- editcap
- nfdump
- bro
- passivedns
- zcat

Future editions will include Snort and Live Monitoring


Converting PCAPs

| From | To | Command | Notes |
|---|---|---|---|
| pcap | netflow | `nfcapd -r <pcapfile> -S 1 -z -l <outputdirectory>` | |
| pcap | zeek | `bro <profile> -r <pcapfile>` | Profiles are listed in `/opt/bro/share/bro/site/<name>.bro` |
| pcap | dns | `passivedns -r <pcapfile> -l dnslog.txt -L nxdomain.txt` | Not included in SIFT, see the repo |
| pcapng | pcap | `tcpdump -r <pcapngfile> -w pcap.pcap` | |
| gz | grep'able text | `zcat <gzfile>` | |
| Large PCAP | Filtered PCAP | `tcpdump -r in.pcap -w out.pcap port 80` | Options first, capture filter last |
| Large PCAP | Plain-text web PCAP | `tshark -r Capture.pcap -Y "http.request or http.response or dns" -w Capture-Web.pcap` | Note: tshark will ONLY capture port 80; if HTTP traffic is on other ports, use tcpdump with port numbers |


Analysing PCAPs

| Description | Command | Notes |
|---|---|---|
| HTTP packet counter | `tshark -r <pcapfile> -z http,tree -q` | |
| Info | `capinfos <pcapfile>` | |
| Basic filter output | `tshark -r <pcapfile> -Y '<filters>'` | See the Wireshark wiki or Unit42 for filter examples. Note: tshark uses Wireshark display filters |
| Get files from pcap | `tcpflow -r <pcapfile> -o <outputdirectory>` or NetworkMiner | See Netresec for NetworkMiner installation instructions |
| Splice PCAP by before time | `editcap -B "<YYYY-MM-DD HH:MM:SS before time>" <pcapfile> spliced.pcap` | Keeps packets before the given time |
| Splice PCAP by after time | `editcap -A "<YYYY-MM-DD HH:MM:SS after time>" <pcapfile> spliced.pcap` | Keeps packets after the given time |
| Forensics analysis | `tshark -r <pcapfile> -Y <display filters> -T fields -e <field to display>` | Can be combined with `\| sort \| uniq -c \| sort -nr` for statistical analysis |
| Fields | Use one `-e` per field; examples include `ip.addr`, `udp`, `frame.number`. To show Wireshark column values use `_ws.col`, for example `_ws.col.info` or `_ws.col.dns.query` | To print all available fields use `tshark -G fields` or see the Wireshark documentation |
| Filter pcaps (reduce them down) | `tcpdump -n -r <pcapfile> -w out.pcap <filter>` | The filter could be `udp and port 53` for DNS traffic; see the tcpdump filter documentation for more examples |
| Yet another way to filter pcaps (reduce them down) | `.\tshark.exe -r <input pcap> -Y <display filters> -w out.pcap` | Keeps only packets matching the display filter |
| Dump netflow | `nfdump -R <inputdirectory> <options> <filter> -o fmt:<format string>` | See the 572 poster for usage |
| Convert PCAP to http.log, files.log, conn.log | `zeek -r <filename>` | Not natively included in SIFT; download from zeek-packages |
| Filter zeek columns | `cat http.log \| zeek-cut column_name` | |
| DNS quick wins | `tshark -r <pcapfile> -z dns,tree -q` | Pipe through `grep` to narrow the tree to the names or record types of interest |
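The "Forensics analysis" row pipes tshark field output through `sort | uniq -c | sort -nr`. The following Python helper is an added example, not part of the original playbook: it performs that same ranking offline over a constructed sample of what `tshark -T fields -e ip.src -e dns.qry.name` prints, and additionally counts distinct values per key (here, distinct query names per client), which a plain `uniq -c` cannot do. The sample lines and the field choice are assumptions, not taken from a real capture.

```python
import sys
from collections import Counter

# Constructed sample of what
#   tshark -r cap.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name
# prints: one tab-separated line per query. Not taken from a real capture.
SAMPLE_TSHARK_OUTPUT = (
    "10.0.0.5\tupdate.example.net\n"
    "10.0.0.5\tupdate.example.net\n"
    "10.0.0.7\tcdn.example.org\n"
    "10.0.0.5\tupdate.example.net\n"
    "10.0.0.9\tmail.example.com\n"
    "10.0.0.7\tcdn.example.org\n"
    "10.0.0.9\ta.example.com\n"
    "10.0.0.9\tb.example.com\n"
)

def _ranked(counter, top=None):
    # Most frequent first; ties broken alphabetically so output is stable.
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top] if top else ranked

def rank_lines(text, top=None):
    # Equivalent of `| sort | uniq -c | sort -nr` over whole lines.
    return _ranked(Counter(l for l in text.splitlines() if l.strip()), top)

def rank_column(text, col, top=None):
    # Count the values of one tab-separated column, e.g. queries per client (col 0).
    counts = Counter(line.split("\t")[col] for line in text.splitlines() if line.strip())
    return _ranked(counts, top)

def distinct_per_key(text, key_col, val_col, top=None):
    # Number of distinct val_col values per key_col value, e.g. distinct names per client.
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        seen.setdefault(parts[key_col], set()).add(parts[val_col])
    return _ranked(Counter({k: len(v) for k, v in seen.items()}), top)

if __name__ == "__main__":
    # Usage: tshark ... -T fields -e ip.src -e dns.qry.name | python3 rank_fields.py
    # Falls back to the constructed sample when nothing is piped in.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    for value, count in distinct_per_key(data or SAMPLE_TSHARK_OUTPUT, 0, 1, top=10):
        print(f"{count:>6} {value}")
```

A client that resolves many distinct names while the rest resolve only a few is the kind of outlier this ranking surfaces; confirm it against the `-z dns,tree` output before drawing conclusions.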

Extracting Certificates for TLS Traffic

  1. Open Wireshark
  2. Find the relevant certificate with the Wireshark filter `tls.handshake.type == 11` combined with an identifier such as the IP address or a domain name that resolves to that endpoint. You can also use `tls.handshake.extensions_server_name contains <name>` if you know the domain name, then follow the stream.
  3. Right click the certificate entry and select "Export Packet Bytes"
  4. Save the file as a .der certificate
  5. Convert to PEM with `openssl x509 -inform der -in hotjar.der -out hotjar.pem`


  1. WIP


  1. WIP
