Deep Packet Inspection and Reconstruction for Network Forensics and Lawful Interception
By Samuel Amoah CCE, CEH, CEI, MCT, NPFAT
President, CFG Computer Forensics Inc.
Brampton, Ontario, Canada
I am back as promised, to talk about Deep Packet Inspection and Reconstruction for the purpose of network forensics and security.
Deep packet inspection technology is based on sniffing network traffic with a network adapter set in promiscuous mode on the network being monitored. The packets captured in this process are not interpreted from their header information alone: the data payload is analyzed as well, to gather information about session establishment and about the presentation and application layer content (which protocol, which user, which message or file).
Promiscuous mode makes the network interface card pass up every frame it receives, not only frames addressed to its own MAC address or to the broadcast address. On a hub this is enough to see everything, because a hub repeats each frame out of every port, and every node on the hub shares one collision domain. Hubs have since been replaced by switches, which learn which MAC address sits behind which port and forward a unicast frame only to that port. A sniffer on a switch port therefore sees only traffic addressed to its own host, plus broadcasts and frames for destinations the switch has not yet learned; each port is its own collision domain, while the broadcast domain is the VLAN. MAC flooding defeats this by sending frames from a large number of forged source addresses until the switch's MAC address (CAM) table is full. A full table cannot learn or relearn legitimate addresses, so the switch floods frames for those destinations out of every port and behaves like a hub, which enables sniffing of packets across all its ports.
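The following is an added example, written for this page rather than taken from the article or any vendor product. It models a learning switch with a bounded, aging CAM table, which is enough to show the three points above: a sniffer on its own port sees none of Alice's unicast traffic to Bob, a sustained flood of forged source MACs leaves no room to relearn the real hosts so the switch falls back to flooding, and the per-port count of distinct source MACs is the signal that betrays the flooding host. The port numbers, MAC addresses, table capacity (64), aging time (150 ticks) and alert threshold (8) are assumptions chosen for the illustration.

```python
"""Added example, not from the article or any vendor: a learning switch with a
bounded, aging CAM table, plus the per-port check that reveals a MAC flood."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, cam_capacity=64, age_limit=150):  # assumed sizes
        self.ports = set(ports)
        self.cam_capacity = cam_capacity      # entries the CAM table can hold
        self.age_limit = age_limit            # ticks before an idle entry is aged out
        self.cam = {}                         # mac -> (port, last_seen)
        self.sources = defaultdict(set)       # port -> distinct source MACs seen on it

    def forward(self, t, in_port, src, dst):
        """Process one frame at time t and return the set of egress ports."""
        # age out idle entries, as a real switch does on its aging timer
        self.cam = {m: (p, seen) for m, (p, seen) in self.cam.items()
                    if t - seen <= self.age_limit}
        self.sources[in_port].add(src)
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = (in_port, t)      # learn, or refresh, the source address
        # a full table cannot learn: frames to unlearned hosts are flooded
        if dst == BROADCAST or dst not in self.cam:
            return self.ports - {in_port}     # broadcast / unknown unicast: every other port
        return {self.cam[dst][0]}             # known unicast: exactly one port


def suspicious_ports(switch, max_sources=8):
    """Ports on which more distinct source MACs appeared than one host plausibly has."""
    return {port for port, macs in switch.sources.items() if len(macs) > max_sources}


ALICE, BOB = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"   # assumed addresses


def scenario():
    """Alice on port 1, Bob on port 2, a sniffer on port 3. Returns
    (egress ports for Alice->Bob before the flood, the same after, flagged ports)."""
    sw = LearningSwitch(ports={1, 2, 3})
    sw.forward(0, 1, ALICE, BROADCAST)        # e.g. an ARP request: the switch learns Alice
    sw.forward(1, 2, BOB, BROADCAST)          # the switch learns Bob
    before = sw.forward(2, 1, ALICE, BOB)     # unicast: only port 2 receives it
    # the sniffer floods forged source MACs, cycling so its own entries stay fresh
    forged = [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(100)]
    t = 3
    for n in range(400):
        sw.forward(t, 3, forged[n % len(forged)], "02:ff:ff:ff:ff:ff")
        t += 1
    after = sw.forward(t, 1, ALICE, BOB)      # Alice and Bob aged out and cannot be relearned
    return before, after, suspicious_ports(sw)


if __name__ == "__main__":
    before, after, flagged = scenario()
    print("Alice->Bob reaches ports", before, "before the flood and", after, "after it")
    print("ports with an implausible number of source MACs:", flagged)
```

The check in suspicious_ports is the same idea that switch "port security" implements in hardware: a maximum number of MAC addresses per access port, with the port shut down or the excess addresses dropped when the limit is exceeded. Enabling that on access ports is the practical defence; a forensic capture appliance should get its copy of the traffic from a mirror port rather than by flooding the switch.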
The process of deep packet inspection begins with packet capture, normally at the outgoing connection to the internet. Depending on which sections of the network are to be monitored, a switch can be configured with a mirror (SPAN) port, so that copies of the packets leaving the network are sent to the packet capture appliance. The alternative is inline capture, where the cable from the internal network connects to one port of the capture appliance and a second cable connects another port of the appliance to the internet-facing interface, so that all traffic passes through the device. A mirror port copies frames on a best-effort basis and can silently drop some under heavy load, whereas an inline appliance sees every frame but becomes a point of failure on the path, so it should have a bypass that fails open if the device loses power.
The captured packets are then reassembled into the sessions and data formats they belong to: TCP streams are rebuilt from the individual segments and the application protocol (web, email, chat, file transfer) is decoded. The decoded data is then played back by the appliance in the same form in which it entered the network, so the viewer sees exactly what the user sent or received. Payload decoding only works for traffic that crosses the monitored link in the clear; an encrypted session, such as a TLS connection, yields its addresses and other metadata but not its content unless decryption is arranged separately. Decision Group Inc. engineers three appliances that carry out the capture, decoding and playback. The E-Detective and Wireless-Detective products decode and play back data in real time. The E-Detective Decoding Center appliance does both real time decoding and playback and offline decoding of data, captured either by the device itself or offsite with a network packet sniffing device.
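The capture, reassembly and decoding steps described above, as an added example that is not part of the article and not the code of any Decision Group product. It writes a small pcap file in memory (the frames, addresses and the HTTP request are constructed for the illustration), reads it back with a minimal pcap parser, filters IPv4/TCP frames, reassembles each direction of the TCP stream, coping with a segment that arrived out of order and a retransmitted one, and then decodes the application-layer message. The HTTP decoding is deliberately minimal: it shows what "playback" of the payload means, not a full protocol decoder.

```python
"""Added example, not from the article or Decision Group's products: a
minimal pcap reader that filters IPv4/TCP frames, reassembles each direction
of a TCP stream (out-of-order and retransmitted segments included) and
decodes the application-layer payload. The capture is constructed inline."""
import struct
from collections import defaultdict

# ---- constructed sample capture (not real traffic) ---------------------------
def build_frame(src, dst, seq, payload):
    """Ethernet/IPv4/TCP frame; checksums are left zero because the parser ignores them."""
    (sip, sport), (dip, dport) = src, dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, sip.split("."))), bytes(map(int, dip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out

CLIENT, SERVER = ("192.168.1.50", 51000), ("203.0.113.10", 80)   # assumed addresses

def sample_capture():
    """A constructed upload of a confidential file, split over two segments."""
    req = (b"POST /upload HTTP/1.1\r\nHost: files.example\r\n"
           b"Content-Length: 29\r\n\r\nproject_x_budget=confidential")
    first, second = req[:40], req[40:]
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    return build_pcap([
        b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,        # an ARP frame: skipped by the parser
        build_frame(CLIENT, SERVER, 1040, second),        # arrives before the first segment
        build_frame(CLIENT, SERVER, 1000, first),
        build_frame(CLIENT, SERVER, 1000, first),         # retransmission of the first segment
        build_frame(SERVER, CLIENT, 5000, resp),
    ])

# ---- inspection: parse, reassemble, decode -----------------------------------
def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, seq, payload) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                              # past the global header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":                   # not IPv4
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if proto != 6:                                    # not TCP
            continue
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
        data_off = (frame[tcp + 12] >> 4) * 4
        yield src, dst, sport, dport, seq, frame[tcp + data_off: 14 + total_len]

def reassemble(records):
    """Order each direction's segments by sequence number; drop duplicate bytes, mark holes."""
    flows = defaultdict(list)
    for src, dst, sport, dport, seq, payload in records:
        if payload:
            flows[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s[0])
        buf, expected = b"", segs[0][0]
        for seq, payload in segs:
            if seq < expected:                            # retransmission or overlap: keep new bytes only
                payload, seq = payload[expected - seq:], expected
            if seq > expected:                            # hole: the capture missed bytes
                buf += b"[%d bytes missing]" % (seq - expected)
            buf += payload
            expected = seq + len(payload)
        streams[key] = buf
    return streams

def decode_http(stream):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return lines[0], headers, body

def inspect(pcap_bytes):
    """Map 'src:port->dst:port' to the decoded HTTP message sent in that direction."""
    return {f"{s}:{sp}->{d}:{dp}": decode_http(data)
            for (s, sp, d, dp), data in reassemble(parse_pcap(pcap_bytes)).items()}

if __name__ == "__main__":
    for flow, (start, headers, body) in inspect(sample_capture()).items():
        print(flow, "|", start, "|", headers, "|", body)
```

Two details matter for forensic use. The "[N bytes missing]" marker is what a mirror port's dropped frames look like after reassembly, which is why the capture appliance's own drop counters belong in the case notes. And the decoder only yields the request because the sample is plain HTTP; the same upload over HTTPS would reassemble into opaque TLS records, leaving only the addresses, ports, sizes and timing as evidence.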
All decoded data is stored in a database on the appliance. This lets investigators sift through it with far less difficulty to find evidence, should the need ever arise.
Note of caution: First and foremost, every reader must know that intercepting other people's communications without lawful authority or their consent is illegal in most jurisdictions. Corporations, in protecting their intellectual property and the integrity of their network traffic and in fighting off malware and viruses, can use sniffing technology with caution. Employees must be made aware that such monitoring is going on and must be duly informed of it, in writing. Secondly, employees must also be given a central location with internet-ready computers where they can transact their personal business and check their personal mail, and that network must not be included in the segment being sniffed.
For the purpose of computer forensics, cloud computing has changed where data is stored, and the surest way to trace back the emails and other computer-based communications most often used in committing corporate crimes is to have such a system in place. A replica of the communication is stored onsite, which removes the need to work out how to execute search warrants on cloud storage sites that might be thousands of kilometres away. Bear in mind that the replica contains only what crossed the monitored link while capture was running; anything sent over another path, or before monitoring began, is not there.
As national security is on the minds of every government in the world and deemed very important, I believe that lawful packet interception will be very instrumental in tracking down criminals and terrorists, as most of their communication is via the internet. Deep packet inspection technology should be instrumental in dealing with such acts. Law enforcement agencies in Taiwan have used this technology from Decision Group with success.
This is the moment to think seriously about adopting this technology for lawful use. Privacy must be considered in that brainstorming session. Just as we now go through virtual strip searches at airports, privacy must be carefully defined when dealing with national security. There are ways to prevent abuse of this technology:
1: Only sworn law enforcement officers, or in a corporate setting authorized corporate security staff, may have access to the management interface of the appliance to search for information. For government investigations, a search warrant must be obtained before access to the data is granted.
2: Captured data must be preserved in a manner that follows proper chain of custody procedures, so that it remains admissible as evidence.
3: Officers running the appliances must be well trained to carry out their work.
Security, as I always say, is 85% common sense and 15% technology. And of that 15%, 90% depends on people and 10% on the equipment.
I will be back.
Certified Computer Examiner, Network Packet Forensics Examiner, Private Investigator.
Partner of Decision Group