Corporate organizations should choose network interception and traffic capture tools according to the size and architecture of their network. For example, companies with large networks and distributed data centers should deploy multiple capture points (such as network TAPs or network packet brokers, NPBs) that feed the data to a central packet analysis appliance (a network analyzer), which should be able to receive and analyze data at 10 Gbps, or even at 40 Gbps to 100 Gbps.
Management usually prefers to spend its budget on IT production equipment rather than on IT support equipment, such as an expensive network packet capture tool. This can easily lead to security breaches.
Why a Portable Network Kit?
Or, what if the network analyzer appliance becomes isolated within a data center because of an internal connectivity issue? In situations like these, the IT team of even a large enterprise would find a portable forensics kit highly valuable during that window.
The beauty of a portable network forensics kit is its flexibility: you can carry it to any field location and instantly plug it into any network segment, without needing a power source.
For on-demand forensic analysis, you can build a portable kit with the following essential tools.
A Laptop
The first thing you need is a laptop. While this sounds obvious, you must make sure you have the right laptop ready for a network forensics job. The laptop has to meet the following minimum specifications: 4 GB of memory, at least 500 GB of SSD storage, a 1 Gbps network card, a USB 3.0 port, and 3 hours of battery life.
Most modern laptops already come with those specs. While HDDs are shipped more commonly, we highly recommend SSD (Solid State Drive) based storage, since it has much higher write and read speeds than an HDD, and speed is what you need: before you can perform a forensic analysis on your network, you first need to capture and store its packets.
A Packet Analyzer
You can analyze these values according to the appropriate RFC specifications to deduce whether the packet underwent any abnormal behavior during its transport between network points.
There are also various open-source packet analyzers available, of which Wireshark is the most popular. While its functionality is similar to that of the tcpdump tool, the best part is its GUI front-end with integrated filtering options, which are really useful for sorting through packets in less time.
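As an added example (not part of the original article and not ProfiTap's software), here is a small Python auditor that reads a classic pcap file, the libpcap format tcpdump writes and Wireshark reads, and checks each IPv4 header against RFC 791 basics: version, IHL, total length and header checksum. The two-packet capture it inspects is constructed in the code itself; the tampered copy shows how a header modified in transit without a recomputed checksum surfaces in the findings.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 when the stored checksum is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into 16 bits (one's-complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_udp_frame(src: bytes, dst: bytes, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed Ethernet II frame with a 20-byte IPv4 header (protocol 17 = UDP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, 17, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    eth = b"\x02" * 6 + b"\x02" * 5 + b"\x01" + b"\x08\x00"  # dst MAC, src MAC, EtherType
    return eth + hdr + payload

def build_pcap(frames, base_sec: int = 1_700_000_000) -> bytes:
    """Classic little-endian pcap, linktype 1 (Ethernet), microsecond timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", base_sec, i * 1000, len(f), len(f)) + f
    return out

def audit_pcap(data: bytes) -> list:
    """Return [(index, timestamp, [findings])] for every record in a classic pcap."""
    endian = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"
    results, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        findings = ["truncated by snaplen"] if incl_len < orig_len else []
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            findings.append("not an IPv4 frame")
        else:
            ip, ihl = frame[14:], (frame[14] & 0x0F) * 4
            checks = [(ip[0] >> 4 != 4, "version is not 4"),
                      (ihl < 20, "IHL below 20 bytes"),
                      (struct.unpack_from("!H", ip, 2)[0] > len(ip), "total length exceeds frame"),
                      (ipv4_checksum(ip[:ihl]) != 0, "bad header checksum")]
            findings += [msg for bad, msg in checks if bad]
        results.append((len(results), sec + usec / 1e6, findings))
    return results

# Constructed two-packet capture: a clean frame, then a copy whose TTL was
# decremented by a faulty hop that did not recompute the header checksum.
CLEAN = ipv4_udp_frame(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"\x00" * 12)
TAMPERED = bytearray(CLEAN)
TAMPERED[14 + 8] -= 1  # TTL byte: 14-byte Ethernet header + offset 8 in IPv4 header
SAMPLE_PCAP = build_pcap([CLEAN, bytes(TAMPERED)])
```

Run audit_pcap() on the bytes of a real capture file to list each record's timestamp alongside its findings; a record shorter than its original length is also flagged as truncated by the snaplen.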
A Portable Network TAP
To pursue network forensics, you need a dedicated packet capture device that intercepts and captures packets from live traffic. Of the two ways to capture packets, port mirroring (SPAN) and a network TAP, the latter is more reliable and accurate. Find more about TAP vs SPAN here.
As a TAP copies packets on the wire, it can guarantee capture of 100% of the packets from live traffic in real time. TAPs are used extensively in security applications because they are non-intrusive and undetectable on the network, having no physical or logical address. Thus, the forensics team can carry out its work in complete stealth mode. Amongst the various types of TAPs available today, portable TAPs are quickly gaining popularity because they can be carried into the field and deployed instantly, at any location.
However, not all of them are as good as they sound. Some are powerful yet difficult to handle and not truly portable. Others are easy to deploy but not powerful enough to capture the full traffic. A portable TAP that is powerful enough to take on the full traffic, yet easy and fast to deploy in the field, is the tool you need.
You need a portable network TAP that does not create bottlenecks or any of the issues described above. A truly portable TAP should be pocket-sized, easily connected to a laptop, and yet powerful enough to capture 100% of the traffic, without any packet loss or lag in packet timing.
Full Portability with ProfiShark
ProfiShark 1G is our best-selling portable network TAP for packet capture in any field location. Pocket-sized and power-packed, it works as an all-in-one packet capture tool without the bottlenecks of any packet drop or time delay.
With its 2 x Gigabit network ports, it flawlessly combines the two traffic streams for transport over a single monitoring port. It does not require an external NIC, as the capturing is done on the ProfiShark, which forwards the captured packets directly to the laptop over USB 3.0. Combined with a laptop, you have a fully portable and powerful packet capture and analysis kit, ready to use at any location without depending on a power source.
ProfiShark 1G can capture and transfer packets directly to your laptop at full line rate, provided you have an SSD in your laptop, as recommended above. To capture and store packets at full line rate, a disk write speed of 250 MB/s is required.
On top of full line-rate traffic capture, the ProfiShark also applies highly accurate hardware timestamps to each packet as it enters the TAP.
The ProfiShark 1G comes with its own GUI-based configuration software, called the ProfiShark Manager, which works in parallel with any network analyzer (Wireshark, Omnipeek, etc.) and is compatible with both Windows and Linux platforms. You can configure the ProfiShark 1G using the various features shown in the GUI.
Thank you to ProfiTap for the article.