Network Forensic

Despite all the network security measures taken, unforeseen scenarios are encountered. This is inherent in the nature of the job and is quite normal. Detecting and taking precautions when such an event occurs is a critical process. In the absence of network forensic devices, the detection of incidents can take a very long time (1-6 months) and become very costly.

April 17, 2024

• Quick action in case of data breaches, pinpointing infected systems. • Detection of malicious activities on the network with identifiable external IOCs (such as Usom, Sans, etc.). • Detection of network traffic anomalies. • Analysis of network performance status. • Continuous detection of undesired situations from a security perspective (such as simple password usage, tunneling traffic, weak algorithm accesses, etc.). • Integration through Pivot Integrations with Api and Icap and Universal Sandbox.

These devices essentially record a copy of network traffic, allowing for real-time analysis. They are passive devices, providing no active protection but are necessary for quick issue resolution.

Data is stored in two ways, Meta and Raw. The Meta section contains various data that can be parsed from a pcap file. These data can be retained for long periods (1-12 months), whereas Raw data is naturally kept for shorter durations (1-2 weeks), which are ideal values.

For traffic analysis, the data sent to these devices should be in clear text (http, ftp, smb, etc.). If it arrives encrypted (https, ftps, smtps, etc.), it cannot be analyzed. Therefore, it is crucial to ensure traffic is taken from the correct source, and devices in the network are correctly positioned. For instance, in the case of an LTM device positioned in a One arm configuration, if the http traffic is copied from behind the LTM, unfortunately, the source IP shows as the LTM IP. Searching for the relevant IP on Xff can be done, but if the source is an attacker and analysis of this traffic is needed, the correlation becomes nearly impossible or very time-consuming.