Network Forensics with Powershell | TryHackMe Windows Network Analysis

Jun 05, 2024

What is Network Forensics?

Network Forensics is a specific subdomain of the Forensics domain that focuses on the investigation of network traffic. The discipline covers the work done to access information transmitted over the network by capturing and investigating live and recorded traffic, gathering evidence/artefacts and understanding potential problems.
Briefly, it is the practice of recording packets of network traffic, turning them into investigable sources and establishing a root-cause analysis of an event. The ultimate goal is to provide sufficient information to detect malicious activity, security breaches, policy/regulation compliance issues, system health and user behaviour.
The investigation process identifies the communicating hosts in terms of time, frequency, protocol, application and data.
The investigation tries to answer the 5Ws:

  • Who (Source IP and port)

  • What (Data/payload)

  • Where (Destination IP and port)

  • When (Time and date)

  • Why (How/What happened)

What is Network Analysis?

Network analysis is the process of capturing and examining both historical and active network activity on a host, which can provide a wealth of information, such as:

  • IP Addresses (such as source and destination)

  • Ports

  • URLs

  • Correlating processes and network traffic.

PowerShell is an extremely powerful and extensive command shell for Windows with its own scripting language. It can be used to automate tasks and to audit and configure the Windows operating system, and it is already present on the machine.

We can use PowerShell to retrieve a lot of the same information that other tools can. Knowing how to retrieve network activity using PowerShell is a great “first step” in triaging a machine, especially when you can’t immediately throw your toolset at it.

Data Subject to Network Forensic Investigation

  • Live Traffic

  • Traffic Captures (full packet captures and network flows)

  • Log Files

Network Forensics with Powershell

Show TCP Connections and Associated Processes

Get-NetTCPConnection | select LocalAddress,localport,remoteaddress,remoteport,state,@{name="process";Expression={(get-process -id $_.OwningProcess).ProcessName}}, @{Name="cmdline";Expression={(Get-WmiObject Win32_Process -filter "ProcessId = $($_.OwningProcess)").commandline}} | sort Remoteaddress -Descending | ft -wrap -autosize

Show UDP Connections

Get-NetUDPEndpoint | select local*,creationtime, remote* | ft -autosize

Extract IPs with active connections

(Get-NetTCPConnection).remoteaddress | Sort-Object -Unique

Investigate a specific IP address for details such as the connection state, the date and time the connection was initiated, the local port (local host) and the remote port (remote host), and the process causing that connection.

Get-NetTCPConnection -remoteaddress 51.15.43.212 | select state, creationtime, localport,remoteport | ft -autosize

Inspecting the DNS cache

Get-DnsClientCache | ? Entry -NotMatch "workst|servst|memes|kerb|ws|ocsp" | out-string -width 1000

Inspecting the hosts file

gc -tail 4 "C:\Windows\System32\Drivers\etc\hosts"

Query RDP Logs

qwinsta

Inspecting SMB shares

Get-SmbConnection

Inspecting the Windows firewall logs, located at C:\Windows\System32\LogFiles\Firewall

gc C:\Windows\System32\LogFiles\Firewall\pfirewall.log | more
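Paging through the raw log with gc | more gets unwieldy fast. The following PowerShell is an added example, not part of the original post or the TryHackMe room: it parses the W3C-style pfirewall.log layout using the #Fields header the log itself provides, then groups inbound DROP events by source address. The sample lines are constructed inline (with documentation IP ranges) so it runs without a real log.

```powershell
# Added example: parse pfirewall.log lines into objects using the "#Fields:" header,
# then summarise inbound drops. Column names come from the log's own header line.
function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1] -split '\s+'   # header names the columns
            continue
        }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }           # no header seen yet; cannot name columns
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            # pad short rows with $null rather than throwing on an index miss
            $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$obj
    }
}

# Constructed sample in the stock pfirewall.log layout (header plus four events)
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-06-05 10:15:22 DROP TCP 198.51.100.7 10.0.0.10 52344 445 52 S 123456 0 8192 - - - RECEIVE
2024-06-05 10:15:23 DROP TCP 198.51.100.7 10.0.0.10 52345 3389 52 S 123457 0 8192 - - - RECEIVE
2024-06-05 10:15:30 ALLOW TCP 10.0.0.10 203.0.113.5 51000 443 0 - 0 0 0 - - - SEND
2024-06-05 10:16:01 DROP UDP 198.51.100.9 10.0.0.10 41000 161 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

$events = ConvertFrom-FirewallLog -Lines $sample

# Inbound drops grouped by source: one address hitting several ports in a short
# window (445 and 3389 here) is the pattern worth a closer look during triage.
$events | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip' |
    Select-Object @{n='SourceIP';e={$_.Name}}, Count,
                  @{n='TargetPorts';e={($_.Group.'dst-port' | Sort-Object -Unique) -join ','}} |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

To run it against the real log, replace $sample with the output of Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log.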

Room Answers | TryHackMe Windows Network Analysis

Room answers can be found here.

Video Walkthrough | TryHackMe Windows Network Analysis
