Assignment
Network Forensics relies on the ability of Investigators, inclusive of internal Cybersecurity Investigators, Civil Investigators, and Criminal Investigators, to collect and analyze network traffic. These types of investigations occur when an outside threat attacks a system, when an outside threat continues to access a system without authorization, or when an inside threat actor is utilizing their system access to perpetrate a criminal act.
The network traffic evidence utilized in these investigations can arise either from stored data logs, such as firewall, network, and routing logs, or from packet collection efforts, which typically occur once a persistent threat actor has been identified. Network packet collection can be completed from any device on a network, meaning you can run a program such as Wireshark on a single computer in order to monitor all network traffic which originates from or is delivered to that system, or it can be completed from a network-based system, such as a server, allowing the investigator to collect all traffic flowing through a specific network. In many ways, you can think of these two concepts in terms of Host-Based Packet Collection and Network-Based Packet Collection.
In network intrusion cases specifically, collection of traffic from the entire network is preferred, as it allows the investigator to collect all the data which may be needed to identify the source of the threat; however, we must always be mindful of the legal considerations of our investigations. With that in mind, please read the scenario and answer the following questions.
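The following added illustration is not part of the assignment; it shows, on constructed flow records for a hypothetical 10.0.0.0/24 office network, how the collector's vantage point (one host versus the network boundary) changes what an investigator can see, how a capture filter narrows the scope of collection, and how stored router logs can be summarized into per-host egress totals.

```python
"""Added illustration (not part of the assignment): vantage point, scope
filtering and egress summary over constructed flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str    # protocol label as a router/flow log might record it
    dport: int
    nbytes: int

# Constructed sample flows; the addresses and sizes are hypothetical.
FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", "smb", 445, 2_500_000),    # workstation -> file server
    Flow("10.0.0.5", "203.0.113.9", "https", 443, 180_000),   # workstation -> external host
    Flow("10.0.0.7", "10.0.0.20", "smb", 445, 40_000),
    Flow("10.0.0.7", "198.51.100.4", "https", 443, 900_000),
    Flow("10.0.0.9", "10.0.0.53", "dns", 53, 300),
    Flow("192.0.2.30", "10.0.0.20", "ssh", 22, 12_000),        # inbound from outside
]
INTERNAL = ip_network("10.0.0.0/24")

def host_based(flows, host):
    """A collector (e.g. Wireshark) on one computer sees only the flows
    that originate from or are delivered to that computer."""
    return [f for f in flows if host in (f.src, f.dst)]

def network_based(flows, net=INTERNAL):
    """A collector at the network boundary sees every flow with at least
    one endpoint inside the monitored network."""
    return [f for f in flows
            if ip_address(f.src) in net or ip_address(f.dst) in net]

def scoped(flows, protocols=None, min_bytes=0):
    """A capture filter: keep only the named protocols and flows of at
    least min_bytes, so unrelated traffic is never collected at all."""
    return [f for f in flows
            if (protocols is None or f.proto in protocols)
            and f.nbytes >= min_bytes]

def external_egress_by_host(flows, net=INTERNAL):
    """From stored logs alone: bytes each internal host sent to addresses
    outside the network, a first cut at spotting unusual data movement."""
    totals = defaultdict(int)
    for f in flows:
        if ip_address(f.src) in net and ip_address(f.dst) not in net:
            totals[f.src] += f.nbytes
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))
```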
Scenario:
You are working for a Civil Digital Forensics firm and have been hired by the Buy n Large Aerospace firm to identify a threat actor who is leaking future project plans and concepts to a competitor. Over the last month, Buy n Large has suspected that someone has gained access to their systems and released their future development and other intellectual property documents to their biggest competitors. Although they are not certain, the Chief Executive Officer believes the perpetrator is a disgruntled employee, because the company recently began dumping large amounts of garbage and other toxins into landfills because it allowed them to reap a higher profit margin. The CEO notified you that 80 percent of the employees went on a week-long strike when the decision was first made a little more than a month ago, and that the data leaks started right after the employees returned to work.
Buy n Large does not have a sophisticated Cybersecurity team, and the only data they can provide is 48 hours' worth of Network Router Logs. The few members of the Cybersecurity team that does exist have recommended that the company capture all network packets from all computers that are logged onto the network for a period of two weeks. Through questioning of the Cybersecurity team, you have learned that Buy n Large provides computers for all staff and allows the staff to utilize their computers to conduct personal business. You also learned that the computers must connect to the internal network via VPN in order to have access to any internet website. Therefore, if you conduct a network-based packet collection, you will potentially collect information on anything and everything the employees utilize their computers for.
Task
A. Do you have a potential Fourth Amendment Issue when collecting ALL of the packets on the Network? Why or why not?
B. Should you recommend any specific filters on the type of traffic which is captured (i.e. specific protocols, packets, etc.)? If yes, what information would you include/exclude from collection?
C. If you were looking for an Internal Threat Actor, what types of network traffic would you look for? What about an external Threat Actor?
D. Is there an alternative means for you to prove the identity of the threat actor, without completing a total network traffic collection?