NetIntercept: The Network Forensics Investigator
Sandstorm Enterprises' network forensics appliance, NetIntercept, is a
powerful ally when you need to investigate and document the misuse of
networked resources. NetIntercept's capabilities detect
illicit use of information in ways that other tools
cannot. Mark Spencer of EvidentData uses NetIntercept to gather
evidence of wrongdoing from company networks to present to his clients
and in court.
EvidentData's Mission
Mark Spencer is EvidentData's Director of Computer Forensics and
Investigations for the Northeast Region. EvidentData, headquartered in
California, uses a variety of computer forensics tools and techniques
to provide in-depth litigation support to corporations and public
organizations. A majority of their work addresses employee
wrongdoing (including IT employees' misdeeds). The company has provided
court-admissible evidence in a variety of cases: theft of intellectual
property, piracy, and extortion, to name a few. Spencer, whose
degree is in criminal justice, reconstructs problematic incidents that
have taken place on corporate networks. "Our task at EvidentData is
focused on collecting and analyzing electronic evidence, using methods
acceptable in a court of law," he says.
The Value of Network Forensics
To accomplish this task, Spencer extracts, reconstructs, and analyzes
human-recognizable data from the bits that have gone across the network,
that is, "the data on the wire." His expertise enables him to zero in on
not only how much data was sent and when, but also what data was
sent -- and by whom.
Painstakingly sifting through raw network packet dumps, piecing
together data streams and undoing transfer encoding can require a huge
number of man-hours. But in the case of computer security breaches,
time is at a premium.
A network that has been penetrated can keep bleeding data until that
leak is tracked down and stopped. This can cost millions of dollars in
lost revenue and cause thousands of lawsuits. NetIntercept aids Mark
in his network forensics tasks -- saving time and highlighting valuable
evidence in an understandable way.
Of his investigations, Mark says, "After working
with our clients to get an understanding of what their concerns are, we
then begin to identify the 'universe of data' that interests us. Once
we have an idea of where electronic evidence may exist, we acquire it
in a forensically sound manner."
His NetIntercept system is ready to be silently plugged into the
network. NetIntercept captures whole-packet data from the
network (not just packet headers, like many network monitoring
products), and analyzes it to quickly zero in on
the desired information. After NetIntercept's analysis is complete,
Mark can inspect reassembled files (including images, web pages,
spreadsheets, and more), email traffic, compressed data, and other
content sent over the network. NetIntercept analyzes the
whole data stream so misleading data from spoofed packet
headers or nonstandard port numbers don't escape it. It automatically
detects nonstandard protocol behavior and flags possible security
holes or intrusion attempts. Its analytical capabilities make searching
for specific transactions easy. NetIntercept extracts key search
criteria from each connection and also searches for user-defined
words and phrases relevant to an investigation. "While an
investigator can recover a great deal of evidence from a computer
system's hard drive," says Mark, "there is a significant amount of
evidence that may only be
captured by monitoring network traffic. For example, instant messaging
conversations and Trojan horse remote control activity may not leave
useful remnants on a computer hard drive -- for those, you need network
forensics."
"Users often attempt to circumvent corporate control and monitoring
by using out-of-band applications, like web mail and instant messaging.
These applications can be used to transmit sensitive and confidential
data outside corporate networks. NetIntercept can capture this traffic
and has the necessary tools to close in on desired information in huge
amounts of packet data, much like finding a specific grain of sand in
the desert."
Sometimes network abuse is startlingly brazen. For example, an employee
at one company was investigated for engaging in software piracy. Not
only did he distribute pirated software using his workstation, but he
also used his company's FTP server. One of the tip-offs included over a
terabyte of network traffic being generated from his workstation over a
couple of months.
Undercover Operations
When Spencer deploys NetIntercept, it is often in an undercover
capacity. If a company suspects a problem with an employee, management
calls their lawyers, who in turn call EvidentData. It is important that
ongoing investigations be kept confidential, even from executives and
technical people within the company. EvidentData becomes a more
independent and qualified investigative party than the company's own
personnel. Depending on what is uncovered during the investigation,
EvidentData may write a declaration containing the findings and testify
in court.
For undercover monitoring, Spencer says, "NetIntercept's covert
capability is extremely important." Some IT personnel are vigilant
enough to pay attention to unusual traffic on the network, and some are
outright paranoid about it. NetIntercept can be set up in a stealth
mode that generates no traffic at all on the monitored network; and the
rogues are none the wiser. Meanwhile, NetIntercept is collecting every
shred of data going by on the wire.
Spencer uses a variety of tools, but NetIntercept is a favorite of
his because of its unique capabilities. NetIntercept allows him to
collect electronic evidence in a way that allows for complete data
stream analysis. Computer-savvy abusers, whether engaged in remote
control activity via applications like Back Orifice, or chatting with
others about their illegal actions over instant messenger, may
regularly wipe evidence of such acts from their hard drives. However,
captured network traffic analyzed by NetIntercept provides a clear
picture of what abusers have been doing on the network.
NetIntercept's powerful ability to sort huge amounts of data is very
useful. For example, if Spencer needs to look for one type of
connection amid several gigabytes of data, he can "drill down to
particular FTP connections with just a few clicks."
Return on Investment
Network abuse can wreak havoc in an organization through loss of
productivity, expensive litigation, and budget and schedule
setbacks due to corrective measures. Thorough investigation may
significantly reduce the total cost of these incidents, as well as
reducing ongoing employee misuse of network resources. Employees
going rogue can be expensive. In one case, employees in
the IT department installed Trojan horse remote control software on an
executive's workstation, captured the executive's emails and sent them
to workstations in public areas. Mark Spencer utilized NetIntercept to
not only track the suspicious traffic but also to determine which
computers were infected. Spencer explains, "The suspects were
essentially conducting a wiretap and committing a felony."
Was a recently terminated IT director still accessing sensitive
information on the company network? The company faced with this
possibility realized that due diligence called for a professional
investigation. EvidentData sent Spencer in; he set up monitoring
of all network communications at the corporate router for several weeks
to determine if any machines were exhibiting unusual outbound
or inbound connections. Though no unauthorized access was found,
the company exercised sound judgment by taking the time to verify
business-as-usual.
Even more disturbing was the departure of multiple people from a
department at another company within a two-week time span -- was it
merely dissatisfaction, or were they fleeing before some illicit
activity came to light? In these litigious times, firing employees
(even ones found guilty of wrongdoing) is no longer as simple as it was.
Many ex-employees choose to sue for unjust cause. Spencer's work effectively
halted pending unfounded litigation against the company through documenting
evidence of employee wrongdoing. In a crisis, the information you need to
know has often gone across your network. Thorough investigation
of computers and networks is increasingly becoming part of corporate
due diligence in these cases.
As the incidents above show, network forensics is also dependent upon
having records of past activity available when network misuse is discovered,
which may be some time after transgressions occurred. "As far as I'm
concerned, you can never collect too much evidence," says Spencer. "By
bringing network forensics into an investigation and collecting more evidence,
you are digging a deeper hole for your suspect, and may even break a case you
wouldn't have been able to otherwise.... Archiving network data should factor
into a company's incident response plans." His point is well-taken, especially
considering the recent changes to the Rules of Federal Civil
Procedure regarding electronic discovery issues. Emails and instant
messaging data can contain important evidence, and need to be archived
in the event of legal action. The NetIntercept appliance can be configured
with several different storage capacities, depending on the volume of
network traffic being monitored and saved.
The Power of NetIntercept
NetIntercept allows its users to get an inside view of the specific
network activity of interest. Its graphical user
interface presents the information in a readily accessible manner,
including providing thorough packet analysis for
conclusive results. For example, many tools automatically label any traffic over port 80
as web traffic (a dangerous assumption). NetIntercept's heuristic
analysis engine analyzes the data stream and identifies it based on the
contents. If someone is sending FTP traffic over port 80 (for example),
NetIntercept will call it FTP traffic, and provide an alert to
potential malicious behavior.
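The port-80 point above (and the earlier remark that spoofed headers and nonstandard port numbers do not escape whole-stream analysis) comes down to one idea: label a connection by what the two sides actually say, not by the server port. The following Python is an added example written for this page; it is not NetIntercept's engine, whose heuristics are not described here. The connection records, addresses and banners are constructed, and the handful of signatures (HTTP request line, FTP/SMTP 220 greeting plus first client command, TLS record header) are a deliberately small illustration of the approach.

```python
"""Port-based vs. content-based protocol labelling (added example, not NetIntercept code).

Each constructed Connection carries the first bytes sent by the client and by
the server. label_by_port() trusts the server port; label_by_content() looks at
the bytes. find_mismatches() reports connections where the two disagree, which
is exactly the "FTP over port 80" case the text describes.
"""
import re
from dataclasses import dataclass

# Well-known port assignments used by the naive, port-based labeller.
PORT_LABELS = {21: "ftp", 25: "smtp", 80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
FTP_CMD_RE = re.compile(rb"^(USER|PASS|RETR|STOR|LIST|CWD|PASV)\b", re.I)
SMTP_CMD_RE = re.compile(rb"^(EHLO|HELO)\b", re.I)


@dataclass
class Connection:
    client: str
    server: str
    server_port: int
    client_first: bytes  # first payload bytes sent by the client
    server_first: bytes  # first payload bytes sent by the server


def label_by_port(conn: Connection) -> str:
    """The 'dangerous assumption': port number alone decides the label."""
    return PORT_LABELS.get(conn.server_port, "unknown")


def label_by_content(conn: Connection) -> str:
    """Identify the protocol from the first bytes exchanged in each direction."""
    c, s = conn.client_first, conn.server_first
    # TLS: client hello is a handshake record (type 0x16) with version major 3.
    if len(c) >= 3 and c[0] == 0x16 and c[1] == 0x03:
        return "tls"
    # HTTP: request line is "METHOD SP target SP HTTP/1.x".
    if c.startswith(HTTP_METHODS) and b" HTTP/1." in c.split(b"\r\n", 1)[0]:
        return "http"
    # FTP and SMTP both open with a server "220" greeting; the first client
    # command tells them apart (USER/PASS/... vs EHLO/HELO).
    if s.startswith(b"220"):
        if FTP_CMD_RE.match(c):
            return "ftp"
        if SMTP_CMD_RE.match(c):
            return "smtp"
    return "unknown"


def find_mismatches(conns):
    """Connections whose content label disagrees with the port label.

    A known content label on an unassigned port (e.g. HTTP on 8080) is also
    reported, since that is the nonstandard-port case the text mentions.
    """
    out = []
    for conn in conns:
        by_port, by_content = label_by_port(conn), label_by_content(conn)
        if by_content != "unknown" and by_content != by_port:
            out.append({"client": conn.client, "server": conn.server,
                        "server_port": conn.server_port,
                        "port_label": by_port, "content_label": by_content})
    return out


# Constructed sample connections (documentation-range addresses).
SAMPLE_CONNECTIONS = [
    Connection("10.0.0.5", "203.0.113.10", 80,
               b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
               b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    Connection("10.0.0.9", "198.51.100.7", 80,            # FTP hidden on port 80
               b"USER anonymous\r\n",
               b"220 ProFTPD Server ready.\r\n"),
    Connection("10.0.0.9", "198.51.100.7", 443,
               b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
               b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"),
    Connection("10.0.0.12", "192.0.2.40", 21,
               b"USER alice\r\n",
               b"220 (vsFTPd)\r\n"),
    Connection("10.0.0.12", "192.0.2.40", 8080,           # HTTP on a nonstandard port
               b"POST /upload HTTP/1.1\r\nHost: 192.0.2.40\r\n\r\n",
               b"HTTP/1.1 201 Created\r\n\r\n"),
]


if __name__ == "__main__":
    for conn in SAMPLE_CONNECTIONS:
        print(f"{conn.client} -> {conn.server}:{conn.server_port:<5} "
              f"port says {label_by_port(conn):<8} content says {label_by_content(conn)}")
    print("flagged:", find_mismatches(SAMPLE_CONNECTIONS))
```

Running the script lists each connection with both labels and then the two flagged ones: the FTP session on port 80 (port label "http", content label "ftp") and the HTTP session on port 8080. The order of checks matters: the TLS test runs first because a TLS client hello can start with arbitrary bytes after the header, and the 220 greeting is only trusted together with a matching client command, since FTP and SMTP servers both greet that way.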
The more sophisticated the investigator, the more powerful
NetIntercept can be. It provides scripting and scheduling components to
automatically save, analyze, export and report on traffic from the
monitored network. For the less-technically savvy, NetIntercept
provides an easy-to-understand user interface and user-configurable
reports, which make understanding investigative findings easier. As Mark Spencer
and many of our other customers have found, NetIntercept is a powerful, valuable
tool for network forensics investigation.