Creating a portable data analysis kit

What do you need such a kit for?
Network forensics and cybersecurity teams need to be able to capture network traffic and data packets in real time to prevent threats and live attacks. Large companies need to tailor their traffic capture mechanisms to the size and architecture of their networks. For example, companies with large networks and distributed data centers need to deploy multiple interception points feeding a central packet analysis device (network analyzer) capable of receiving and analyzing data at 10 Gbps or even 100 Gbps.
Unfortunately, not all companies have multiple data centers in a distributed architecture. In fact, most small and medium-sized organizations have their entire IT infrastructure hosted in a single location. Most of these companies are not in a position to invest in expensive network security analysis products. We can tell you from experience that management prefers to allocate a larger portion of the budget to IT production equipment than to support equipment, especially expensive network analyzers, the lack of which can lead to security breaches.
Small and medium-sized enterprises can benefit from a portable network forensic analysis kit. At a much lower cost, it still enables real-time, on-demand forensic analysis of any network segment. It's hard to argue with this approach.
Imagine the case of a cyber-attack in which a branch office is disconnected from the headquarters and the local IT team wants to perform a forensic analysis of its branch office's internal network. What if the network analyzer is isolated in the data center because of an internal connectivity problem? In such situations, a portable forensic kit would show its true value in the eyes of the IT support team.
The beauty of such a special-purpose kit lies in its portability, allowing it to be quickly deployed anywhere in the field and instantly connected to any network segment, without the need for a dedicated power source.
How to build such a kit?
In order to build a portable kit that can easily extract and analyze network traffic, we need three basic tools:
Laptop
The first thing we need is a laptop. While this seems obvious, you need to make sure you have the right device to meet the requirements. Here are the minimum specifications: a laptop with at least 4 GB of RAM, an SSD with at least 500 GB of storage, a 1 Gbps network card, a USB 3.0 port and at least 3 hours of battery life. Most of these requirements are met by current laptops. However, a large proportion of laptops are still equipped with a standard hard disk drive (HDD); we strongly recommend SSD (Solid State Drive) storage, as it is much faster than an HDD, and speed is what you need for proper capture. Before you can analyze the captured packets, you need to capture them and store them on your laptop.
Having SSD storage would give you a significant time advantage, as you can store and analyze packets as fast as possible during an emergency. Compared to a hard drive, which typically has a maximum disk write speed of 100 MB/s, an SSD writes to disk much faster at 500 MB/s or more (some SSDs, in M.2 format, even write data at over 3,000 MB/s). Remember that you must have at least 250 MB/s of disk write speed, which we will explain in the next section.
In addition, your laptop should not be whatever spare hardware the IT team happens to have to hand, since such a machine typically carries many memory-intensive applications and a heavily modified registry, which reduces performance. Ideally, a laptop of this type should be a dedicated machine reserved for special purposes, such as forensic analysis or troubleshooting at a customer site.
The requirement for a USB 3.0 port will also be explained in the next section.
Packet analyzer
The next required tool is a packet analyzer (also known as a packet sniffer), a tool (either software or hardware) that logs, records and analyzes traffic passing through the network. As data flows through the network, the packet analyzer receives the captured data packets and decodes the raw data by extracting the values of the various fields in the packet, such as the TCP header, or details about the session. These values can then be analyzed against the relevant RFC specifications to infer whether the packet behaved "abnormally" in transit between network points.
There are various open-source packet analyzers on the market, including the most popular, Wireshark. Although its functionality is similar to that of tcpdump, it distinguishes itself with a GUI and integrated filtering options that help sort packets in less time. In addition, Wireshark is available for free.
For more information on how to use this tool, see the later section of this article.
Portable TAP
To effectively and seamlessly perform packet analysis, we need a device that will help us capture packets directly from "live" traffic. Of the two ways to capture packets, port mirroring (SPAN) and the use of TAPs, we choose the latter as it is more reliable and accurate. You can read more about TAPs on our other pages, here and here. A TAP allows you to tap into a link and accurately capture all network traffic without affecting the reliability of the connection. TAPs are often used in security applications because they are non-invasive and undetectable on the network (they have no logical or physical address).
Of the various types of TAPs on the market today, portable TAPs are rapidly gaining popularity because of their flexibility and ease of portability, as well as their ability to be instantly deployed anywhere. They can be easily plugged into a laptop, and with a tool like Wireshark installed, your laptop turns into a portable kit for network research and analysis.
How to use such a kit?
Forensic analysis is a specialized job that requires years of experience to reach a level of proficiency. Like an experienced doctor who diagnoses a disease by quickly reading the symptoms, a network analyst must be able to quickly detect anomalies in the network by looking for the right symptoms. Naturally, such knowledge comes with years of practice and work in the profession. However, there are a few basic steps with which you can start such analysis.
Here is a short list of tips to look out for during forensic analysis.
Review event times
The timing of events is crucial in determining whether something troubling is happening on our network, or a customer's network. Events occurring over a short period of time, say a few hundred milliseconds or even a few seconds, may indicate that they are generated by bots or malware rather than humans. The relevant time scale, from milliseconds to seconds, depends on the nature of the activity, which the network administrator should know. For example, receiving dozens of DNS requests for a single site from the same source IP address within a few milliseconds, or receiving several DNS requests for the same site from different source IP addresses within a few milliseconds, are signs that these requests may be generated artificially by automated scripts run by bots or malware.
Check DNS traffic
Since DNS is the main protocol behind all outgoing requests to the Internet, you need to monitor traffic activity on the DNS server. If there is any unauthorized system or program on your network that wants to make outbound connections to the outside world, you can detect its malicious activity on the DNS server. As mentioned earlier, one of the key advantages Wireshark has over other analyzers is the ability to filter packets by protocol or IP address. Using this feature, you can filter out all packets going to your DNS server's IP address and look at the requests received within specific time windows. If you find something disturbing (such as an unusual number of connection requests), you can assume in advance that your DNS server is under DoS attack.
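The two DNS symptoms described above (one host hammering a name, and many hosts resolving the same name at once) can be checked mechanically once the capture is filtered to the resolver's address. This is an added example, not code from the original article or from any tool it mentions; the server address, host addresses and names are constructed, and the record shape mimics a field export of timestamp, source, destination and queried name.

```python
# Added example (not from the original article): flag DNS query bursts.
# Records are constructed to mimic a `tshark -T fields` export of
# (epoch seconds, source IP, destination IP, queried name).
from collections import defaultdict

DNS_SERVER = "10.0.0.53"   # assumed address of our resolver (constructed)

# Constructed sample capture; all addresses and names are made up.
SAMPLE_QUERIES = [
    (100.000, "10.0.1.20", "10.0.0.53", "mail.example.test"),
    (100.001, "10.0.1.20", "10.0.0.53", "mail.example.test"),
    (100.002, "10.0.1.20", "10.0.0.53", "mail.example.test"),
    (100.003, "10.0.1.20", "10.0.0.53", "mail.example.test"),
    (100.004, "10.0.1.20", "10.0.0.53", "mail.example.test"),
    (100.010, "10.0.1.21", "10.0.0.53", "c2.example.test"),
    (100.011, "10.0.1.22", "10.0.0.53", "c2.example.test"),
    (100.012, "10.0.1.23", "10.0.0.53", "c2.example.test"),
    (100.013, "10.0.1.24", "10.0.0.53", "c2.example.test"),
    (107.500, "10.0.1.30", "10.0.0.53", "www.example.test"),  # isolated, normal
    (108.000, "10.0.1.30", "8.8.8.8",   "www.example.test"),  # not our server
]

def dns_bursts(queries, server_ip, window=0.005, threshold=4):
    """Return (single_source, multi_source) burst findings.

    single_source: (src, qname) pairs with >= threshold queries inside any
    `window` seconds (one host repeatedly resolving one name).
    multi_source: qnames queried by >= threshold distinct sources inside
    `window` (many hosts resolving one name at the same moment).
    Only queries addressed to server_ip are considered, which mirrors a
    Wireshark display filter on the resolver's address. Thresholds are
    assumed values; tune them to the network.
    """
    to_server = sorted(q for q in queries if q[2] == server_ip)
    by_pair, by_name = defaultdict(list), defaultdict(list)
    for ts, src, _dst, qname in to_server:
        by_pair[(src, qname)].append(ts)
        by_name[qname].append((ts, src))
    single = set()
    for key, times in by_pair.items():
        # Sliding window: threshold-th query within `window` of the first
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                single.add(key)
                break
    multi = set()
    for qname, events in by_name.items():
        for i, (t0, _src) in enumerate(events):
            srcs = {s for t, s in events[i:] if t - t0 <= window}
            if len(srcs) >= threshold:
                multi.add(qname)
                break
    return single, multi
```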
Look for MAN-IN-THE-MIDDLE attacks.
One of the more popular attacks on an organization's network is the Man-in-the-Middle (MitM) attack, in which an attacker tries to get into a network by pretending to be one of the network's trusted systems. In a MitM attack, the attacker inserts itself into the connection between two trusted systems, takes it over and redirects all traffic to itself. While the two trusted parties believe they have a direct connection to each other, they are actually communicating through an intermediary that intercepts their data. This allows not only listening in on the conversation between the devices, but also modifying it. The most common method of carrying out an attack of this type is ARP spoofing, also known as ARP cache poisoning. During such an attack, the attacker broadcasts fake ARP messages on the LAN to associate its MAC address with the IP address of one of the trusted systems on the LAN, such as the default gateway, DNS server or DHCP server, depending on the attack plan.
Using the filtering function, we can find all ARP packets; if we encounter a large amount of ARP traffic (requests and replies), it could mean that we are the victim of spoofing. In an infrastructure that has been in operation for some time, each device should already have a map of all trusted devices in its cache, so you shouldn't find a long list of ARP messages. Examine the source and destination addresses in the packet headers and investigate whether an attack of this type is underway.
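Beyond the raw volume of ARP traffic, the headers themselves carry the tell-tale signs: an IP announced with two different MACs, one MAC claiming several IPs (gateway and DNS server at once), and replies that no one asked for. The following is an added example, not code from the original article; it runs the checks over a constructed ARP capture whose addresses are all made up, in the shape of the opcode, sender IP, sender MAC and target IP fields Wireshark decodes.

```python
# Added example (not from the original article): ARP cache-poisoning
# indicators over a constructed capture. Record fields mirror the ARP
# opcode, sender IP, sender MAC and target IP that Wireshark decodes.
from collections import Counter, defaultdict

REQUEST, REPLY = 1, 2   # ARP opcodes

# Constructed sample; all addresses are made up.
SAMPLE_ARP = [
    (REQUEST, "10.0.1.20", "aa:aa:aa:00:00:20", "10.0.1.1"),
    (REPLY,   "10.0.1.1",  "aa:aa:aa:00:00:01", "10.0.1.20"),  # real gateway answers
    (REPLY,   "10.0.1.1",  "bb:bb:bb:00:00:99", "10.0.1.20"),  # unsolicited, new MAC
    (REPLY,   "10.0.1.1",  "bb:bb:bb:00:00:99", "10.0.1.21"),  # unsolicited
    (REPLY,   "10.0.1.53", "bb:bb:bb:00:00:99", "10.0.1.20"),  # same MAC, DNS server's IP
    (REQUEST, "10.0.1.21", "aa:aa:aa:00:00:21", "10.0.1.53"),
    (REPLY,   "10.0.1.53", "aa:aa:aa:00:00:53", "10.0.1.21"),  # real DNS server answers
]

def arp_findings(packets):
    """Return a dict of ARP cache-poisoning indicators.

    mac_changes:   IPs announced with more than one MAC (the classic symptom).
    multi_ip_macs: MACs claiming more than one IP.
    unsolicited:   replies with no matching outstanding request.
    reply_ratio:   replies per request; a high value suggests flooding.
    """
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    pending = set()          # (asking IP, asked-for IP) of open requests
    unsolicited, counts = [], Counter()
    for opcode, sender_ip, sender_mac, target_ip in packets:
        counts[opcode] += 1
        if opcode == REQUEST:
            pending.add((sender_ip, target_ip))
            continue
        ip_to_macs[sender_ip].add(sender_mac)
        mac_to_ips[sender_mac].add(sender_ip)
        # A legitimate reply answers an outstanding request from target_ip
        if (target_ip, sender_ip) in pending:
            pending.discard((target_ip, sender_ip))
        else:
            unsolicited.append((sender_ip, sender_mac, target_ip))
    return {
        "mac_changes": {ip: m for ip, m in ip_to_macs.items() if len(m) > 1},
        "multi_ip_macs": {m: ips for m, ips in mac_to_ips.items() if len(ips) > 1},
        "unsolicited": unsolicited,
        "reply_ratio": counts[REPLY] / max(counts[REQUEST], 1),
    }
```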
Detect DOS/DDOS (Denial of Service) attacks.
This is also one of the most popular attacks, carried out from inside or outside the network. The goal of such an attack is to consume the resources of a machine or network until they become unavailable to their actual users. DoS attacks are often carried out against Web servers, with the aim of suspending network services while the server is connected to the Internet. During a DoS attack, the attacker bombards the target server with TCP/SYN requests asking it to open a connection, but the source address is either non-existent or forged. If the source does not exist, the server is unable to respond with a TCP/SYN-ACK message because it cannot discover the source's MAC address. If the source is forged, the server responds with a TCP/SYN-ACK message and waits for the final ACK message to complete the TCP connection. However, because the real source never initiated such a connection, the server never receives a final response and is left with a half-open connection. In both cases, the server is "flooded" (SYN flooding) with TCP/SYN requests, resulting in an unusually high number of uncompleted connections, which can limit server performance.
To quickly identify whether our network is the victim of a DoS attack, filter out TCP packets using Wireshark. Then use the option to display a packet sequence graph that illustrates the flow of TCP connections, with arrows connecting the source and destination systems. If you see a large number of TCP/SYN packets going from one source IP address to the destination IP address of a server that is either not responding or responding with SYN-ACK requests that have no ACK response from the source, you are most likely witnessing a DoS attack.
However, if you see a stream of TCP/SYN requests hitting your target server from multiple source addresses, it could be a DDoS (Distributed Denial of Service) attack, in which more than one attacker device is used. Such devices can be acquired by, for example, spreading a crafted file across a computer network and infecting it, turning the infected computers into so-called zombies.
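The sequence graph described above can be reduced to a state check per connection: SYN seen, SYN-ACK seen, final ACK seen. Anything that stops short of the final ACK is half-open, and the number of distinct sources with many half-open connections separates a single-source DoS from a DDoS. This is an added example, not code from the original article or from Wireshark; the server address, client addresses and the threshold are constructed, and the flag strings mirror the SYN, SYN/ACK and ACK flag combinations Wireshark displays.

```python
# Added example (not from the original article): classify half-open TCP
# connections in a constructed capture and separate DoS from DDoS.
from collections import defaultdict

SYN, SYN_ACK, ACK = "S", "SA", "A"   # flag combinations as Wireshark shows them
TARGET = "10.0.0.80"                 # assumed web server under observation

# Constructed sample: (src IP, src port, dst IP, dst port, flags); made-up addresses.
SAMPLE_TCP = [
    ("10.0.1.20", 50001, "10.0.0.80", 443, SYN),        # normal, completed handshake
    ("10.0.0.80", 443, "10.0.1.20", 50001, SYN_ACK),
    ("10.0.1.20", 50001, "10.0.0.80", 443, ACK),
    ("203.0.113.9", 40000, "10.0.0.80", 443, SYN),      # forged source: server answers,
    ("10.0.0.80", 443, "203.0.113.9", 40000, SYN_ACK),  # final ACK never arrives
    ("203.0.113.9", 40001, "10.0.0.80", 443, SYN),
    ("10.0.0.80", 443, "203.0.113.9", 40001, SYN_ACK),
    ("203.0.113.9", 40002, "10.0.0.80", 443, SYN),
    ("10.0.0.80", 443, "203.0.113.9", 40002, SYN_ACK),
    ("198.51.100.7", 41000, "10.0.0.80", 443, SYN),     # non-existent source: server
    ("198.51.100.7", 41001, "10.0.0.80", 443, SYN),     # cannot even answer
]

def half_open_report(packets, target, threshold=2):
    """Return (half_open_per_source, verdict) for connections to `target`.

    A connection is half-open when its SYN was seen and no ACK from the
    client followed, whether or not the server managed a SYN-ACK.
    `threshold` is an assumed demo value; real floods show thousands.
    """
    state = {}   # (client IP, client port) -> "syn" | "synack" | "open"
    for src, sport, dst, dport, flags in packets:
        if dst == target and flags == SYN:
            state[(src, sport)] = "syn"
        elif src == target and flags == SYN_ACK and (dst, dport) in state:
            state[(dst, dport)] = "synack"
        elif dst == target and flags == ACK and state.get((src, sport)) == "synack":
            state[(src, sport)] = "open"
    per_source = defaultdict(int)
    for (client, _port), st in state.items():
        if st != "open":
            per_source[client] += 1
    suspects = {c for c, n in per_source.items() if n >= threshold}
    if not suspects:
        verdict = "normal"
    elif len(suspects) == 1:
        verdict = "possible DoS (SYN flood from one source)"
    else:
        verdict = "possible DDoS (SYN flood from multiple sources)"
    return dict(per_source), verdict
```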
Which portable TAP will best meet such requirements?
To meet the above requirements, you need a TAP that will not limit your network in any way, is truly mobile and portable, and should be pocket-sized. It should also be easily connectable to a laptop and at the same time powerful enough to capture 100% of traffic without packet loss or packet time delays.
If this is the case, we suggest the ProfiShark 1G, a portable TAP with two 1 Gbps ports that can easily forward the traffic of both paths to a monitoring port. What makes it different from the competition, however, is the absence of a standard RJ45 monitoring port. Instead, it uses a high-speed USB 3.0 port transferring up to 5 Gbps of data, which also supplies power to the device. 5 Gbps is enough to seamlessly transmit the aggregated traffic of two 1G ports in both directions over a USB 3.0 connection.
This means that the memory in the buffer doesn't have to skip any packets or keep them so long as to affect their synchronization. As mentioned earlier, the ProfiShark 1G is connected to a laptop/PC via a USB port, making it plug&play by drawing power from the computer's USB port. Combined with a laptop, this creates a truly portable and powerful packet capture and analysis kit, ready to be used anywhere without dependence on a power source.
ProfiShark 1G can capture and transmit packets directly to your laptop at full speed, 2 Gb/s, provided your computer has an SSD as recommended in the previous paragraphs ("to capture and write packets at 2 Gb/s, a disk write speed of 250 MB/s is required"). The device also timestamps packets with nanosecond accuracy. ProfiShark 1G comes with its own software and GUI, ProfiShark Manager, which can run in parallel with other analyzers such as Wireshark or Omnipeek. The software is compatible with Windows and Linux platforms.
One of the advantages of ProfiShark Manager is that it allows you to capture traffic directly on your laptop with one click, without the need for a network analyzer. This is particularly useful in situations where you need to capture traffic on a remote network segment and analyze it on a different computer by exporting a PCAP file. In the GUI you will also find a "Counters" section, which displays the internal counters for both network ports, A and B. It shows the number of correct/incorrect packets, CRC errors, collisions and the distribution of packet sizes. This is a quick way to check the quality of incoming traffic on each port without having to open the network analyzer.