
[Hongke Sharing] Using ProfiShark to Build a Portable Network Forensics Toolkit

This article discusses in detail the need to build a portable network forensics toolkit and highlights the ProfiShark 1G - an efficient, pocket-sized network TAP appliance that is ideal for network forensics due to its excellent data capture capabilities, portability and ease of use. This article further explains how to combine ProfiShark 1G with other necessary tools and software, such as Wireshark, to build a complete network forensics solution.

 

Article Quick Facts:

  • Why use a portable network forensics tool?
  • Building a portable network forensics kit
  • Forensic analysis
  • Advantages of ProfiShark 1G as a portable TAP

The network security field is increasingly emphasizing the flexible application of portable forensic tools. This paper introduces how to construct a portable network forensics toolkit with ProfiShark 1G as the core to improve the efficiency and effectiveness of network forensics.

I. Why use a portable network forensics tool?

1. The company's own needs

Network forensics and network security teams need the ability to intercept network traffic and capture packets in real time in order to detect threats and attacks as they happen. Enterprise organizations need to build traffic tapping and capture mechanisms that match the size and architecture of their network. For example, a company with a large network of distributed data centers must deploy multiple capture points and send packets to a centralized packet analysis appliance (network analyzer) capable of receiving and analyzing data at 10 Gbps or even up to 100 Gbps.

 

2. The difficulties faced by enterprises

However, not all companies have multiple data centers in a distributed architecture. Most SMBs host their entire IT infrastructure at a single site, and most of them cannot afford to invest in a dedicated network security analytics appliance. So what can these SMBs do to improve their cybersecurity?

 

The answer is a portable network forensics toolkit: much less expensive, yet still capable of on-demand, real-time forensic analysis of any segment of the network.

 

Even large, multi-branch organizations cannot deny its utility. Suppose that during a cyber attack a branch office is cut off from headquarters and the local IT team wants to perform forensic analysis on the branch's internal network. Or what if the network analyzer appliance is isolated in the data center because of internal connectivity problems? In such cases, even large organizations prefer a portable forensic kit when investigation time is short.

II. Construction of a portable network forensics suite

Next, we will introduce the three basic tools for building a portable suite for forensic analysis.

 

 

1. A laptop computer

The first thing you need is a laptop.

1) Minimum specifications: 4 GB of RAM, a fast storage device (SSD) with a capacity of at least 500 GB, a 1 Gbps NIC, a USB 3.0 port, and 3 hours of battery life.

 

2) We highly recommend SSD (solid-state drive) storage, as it is much faster than a hard disk and that speed matters for lossless capture. Before you can begin forensic analysis of the network, you first need to capture and store the packets on your laptop. Solid-state storage gives you a significant time advantage during a security crisis, when you want to store and parse packets as quickly as possible. Hard disks typically have a maximum write speed of around 100 MB/s, compared with about 500 MB/s for SSDs (and even higher for some models).

 

3) This laptop should not be a machine the IT team uses day to day: such a machine accumulates a large number of installed applications, significant registry changes and a higher memory load, all of which reduce performance. Instead, it should be a dedicated machine reserved for a specific purpose such as forensic analysis or on-site troubleshooting. The next section explains the requirements for USB 3.0 ports.

 

 

2. Packet analyzer

Next, a packet analyzer (also known as a packet sniffer) is needed: a tool (software or hardware) that can record, parse and analyze traffic passing through a network. As data flows over the network, the packet analyzer receives the captured packets and decodes their raw data, displaying the values of the fields in each packet (TCP headers, session details, etc.). You can compare these values against the corresponding RFC specification to deduce whether there was any abnormal behavior while the packet travelled between network points.

 

 

3. Portable network TAPs

For network forensics, a dedicated packet capture device is required that can intercept and capture packets from live traffic in real time. Of the two methods of capturing packets, SPAN (port mirroring) and a network TAP, the latter is the more reliable and accurate. A TAP captures packets directly off the wire, ensuring that 100% of the packets in live traffic are captured in real time. TAPs are widely used for security applications because they are non-intrusive and have no physical or logical address, so they are undetectable on the network. As a result, forensic teams can work in stealth mode.

 

Among the various types of TAPs available today, portable TAPs are rapidly gaining popularity because they can be carried into the field and deployed immediately at any location. What should you look for in a portable TAP? Two requirements are essential: first, it must be powerful enough to handle all the traffic; second, it must be portable and easy to deploy.

III. Forensic analysis

Here is some background on forensic analysis. You can start with the following basic steps.

 

 

1. Check event timing

Event timing (i.e., the time between events) is critical for recognizing malicious activity on a network. Events that occur within a very short period (hundreds of milliseconds or even a few seconds apart) indicate that they were generated by a bot or by malware. For example: dozens of DNS requests for a single website received from the same source IP within a few milliseconds, or dozens of DNS requests for a single website received from multiple source IPs within a few milliseconds.

Such bursts of DNS requests for a single website suggest that the requests were generated by automated scripts run by bots or malware.

 

 

2. Check DNS traffic

Since DNS resolves virtually every request sent to the Internet, you should check the traffic on your DNS server. If there is a rogue system or a network worm on the network and it is able to establish outbound connections to the Internet, you can detect its malicious activity on the DNS server. If you see an unusually high number of requests from the same source IP within a short period (e.g., a few hundred milliseconds), this may be malicious activity, and you can dig into the packet headers to investigate further. If your DNS server is being bombarded with requests, it is likely under a DoS attack.

 

 

3. Check for man-in-the-middle attacks

This is one of the most common attacks in organizational networks. In a Man-in-the-Middle (MitM) attack, the attacker tries to infiltrate the network by posing as one of its trusted systems. Use the display filter to show only ARP packets. A large volume of ARP traffic (broadcasts and replies) is suspicious: since all trusted systems on a running network normally hold the MAC-to-IP mappings in their caches, you should not see a long string of ARP messages. Dig into the source and destination addresses in the packet headers and investigate further to find out whether a MitM attack is taking place.

 

4. Check for DoS (DDoS) attacks

This is one of the most common attacks, and it can be carried out from inside or outside the network. The purpose of a DoS (Denial of Service) attack is to exhaust the resources of a machine or network, ultimately making it unavailable to legitimate users. To quickly recognize whether a DoS attack is under way, filter the TCP packets in Wireshark. Use Wireshark's packet sequence (flow) graph, which illustrates the flow of TCP connections as arrows between source and target systems. If you see a large number of TCP SYN packets bombarding a target server IP from a single source IP with no reply from the server, or only SYN-ACK replies with no final ACK from the source, you are most likely watching an actual DoS attack. If you see a long string of TCP SYN requests bombarding the target server IP from multiple source IPs, this is a DDoS (Distributed Denial of Service) attack, in which multiple rogue systems attack the target server together, which is more damaging than a single-source DoS attack.
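As an added example (not code from the article, Hongke or the ProfiShark product), the following Python script runs the timing heuristics of steps 1 to 4 above over a constructed capture summary, the kind of per-packet fields you would export from Wireshark or tshark after capturing through the TAP. The record format, the addresses, the windows and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed capture summary (example data, not from the article): records are
# (time_s, src_ip, dst_ip, proto, info); info = queried name ("dns"),
# "request"/"reply" ("arp") or the TCP flag string "S", "SA", "A" ("tcp").
SAMPLE = (
    # steps 1-2: 12 DNS queries for one name from one host inside 200 ms
    [(0.10 + i * 0.015, "10.0.0.7", "10.0.0.2", "dns", "example.test") for i in range(12)]
    # a human-paced host: two lookups seconds apart
    + [(0.5, "10.0.0.9", "10.0.0.2", "dns", "example.test"), (3.2, "10.0.0.9", "10.0.0.2", "dns", "other.test")]
    # step 3: 15 unsolicited ARP replies from one host inside 300 ms
    + [(4.0 + i * 0.02, "10.0.0.66", "10.0.0.1", "arp", "reply") for i in range(15)]
    # step 4: 30 SYNs in 60 ms, server answers SYN-ACK, the source never ACKs
    + [(1.0 + i * 0.002, "203.0.113.5", "10.0.0.20", "tcp", "S") for i in range(30)]
    + [(1.001 + i * 0.002, "10.0.0.20", "203.0.113.5", "tcp", "SA") for i in range(30)]
    # a normal three-way handshake from the human-paced host
    + [(2.0, "10.0.0.9", "10.0.0.20", "tcp", "S"), (2.001, "10.0.0.20", "10.0.0.9", "tcp", "SA"),
       (2.002, "10.0.0.9", "10.0.0.20", "tcp", "A")]
)

def peak_in_window(times, window):
    """Largest number of events falling inside any span of `window` seconds."""
    ts, lo, peak = sorted(times), 0, 0
    for hi, t in enumerate(ts):          # two-pointer sliding window
        while t - ts[lo] > window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak

def bursty_sources(records, proto, window, threshold):
    """Source IPs whose peak count of `proto` packets inside `window` seconds
    reaches `threshold`: the machine-timed bursts of steps 1-3."""
    times = defaultdict(list)
    for t, src, _, p, _ in records:
        if p == proto:
            times[src].append(t)
    peaks = {src: peak_in_window(ts, window) for src, ts in times.items()}
    return {src: n for src, n in peaks.items() if n >= threshold}

def half_open_sources(records, threshold=20):
    """Sources whose SYNs exceed their plain ACKs by `threshold` or more: the
    SYN / SYN-ACK / no-ACK pattern of step 4 (normal hosts ACK far more)."""
    syns, acks = defaultdict(int), defaultdict(int)
    for _, src, _, proto, flags in records:
        if proto == "tcp" and flags == "S":
            syns[src] += 1
        elif proto == "tcp" and flags == "A":
            acks[src] += 1
    return {s: n - acks[s] for s, n in syns.items() if n - acks[s] >= threshold}
```

On the sample data, `bursty_sources(SAMPLE, "dns", 0.5, 10)` flags only 10.0.0.7, `bursty_sources(SAMPLE, "arp", 1.0, 10)` flags only 10.0.0.66, and `half_open_sources(SAMPLE)` flags only 203.0.113.5; the human-paced host 10.0.0.9 stays below every threshold.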

IV. Advantages of ProfiShark 1G as a portable TAP

1. Compact, truly portable and not dependent on external power; it can be used anywhere.

 

2. Two Gigabit network ports; the two traffic streams can be combined and delivered through a single monitoring port.

 

3. It uses USB 3.0, which allows data transfers at up to 5 Gbps, so the 2 Gbps aggregated traffic stream is easily carried over a single USB 3.0 link. This means the buffer memory never needs to discard packets or hold them long enough to affect their timing. Because it simply connects to a laptop's USB port, it is genuinely plug-and-play.

 

4. ProfiShark 1G comes with its own GUI-based configuration software, ProfiShark Manager. It works with any network analyzer (Wireshark, Omnipeek, etc.) and is compatible with Windows and Linux platforms.

 

5. ProfiShark Manager allows one-click traffic capture directly on the laptop without requiring a separate network analyzer to capture traffic. This is especially useful when you need to capture traffic on a remote segment and want to analyze it on a computer other than your laptop by exporting a PCAP file. The GUI also has a counter section showing the internal counters for the two network ports A and B: the number of valid/invalid packets, CRC errors, collisions and the distribution of packet sizes. This is a quick way to gauge the quality of the traffic received on each port without opening the network analyzer.
