15.4 Filtering and Data Reduction

Investigations involving computers often result in a large amount of data, much of it unrelated to the crime under investigation. Also, when dealing with files containing captured network traffic, there may be privileged or confidential information that forensic examiners are required to ignore or remove. Therefore, data filtering and reduction are an essential part of any investigation involving networks, enabling a more efficient and thorough forensic analysis of the digital evidence.

Filtering out irrelevant data from log files may be as simple as extracting entries that match certain criteria, such as a particular time period, an IP address, or failed logon events. For instance, the following output shows only the failed logon events relating to the user "eco", extracted from a Windows NT Event Log using the ntlast utility.[5]

    C:\>ntlast -f -u eco -file e:\case1\dc2\sec.evt
    eco        WORKSTN13              MY-DOMAIN           Sun Jan 19 11:00:11 am 2003
    eco        WORKSTN10              MY-DOMAIN           Wed Jan 15 05:39:39 pm 2003

When examining established connections through a Cisco PIX firewall, it may be desirable to focus on one host rather than review every connection:

    pix01# show conn foreign 192.168.0.232 255.255.255.255
    7354 in use, 24529 most used
    TCP out 192.168.0.232:3129 in 172.16.1.23:80 idle 0:12:04 Bytes 45235 flags UIO
    TCP out 192.168.0.232:3130 in 172.16.1.23:22 idle 0:00:01 Bytes 4395 flags UIO
    TCP out 192.168.0.232:3131 in 172.16.1.23:443 idle 0:00:54 Bytes 9935 flags UIO

However, this approach to collecting evidence from a firewall violates the recommendation given in the previous sections: collect first, then filter and analyze later. Therefore, it is advisable to display all connections, log the results to a file, and then search those results for the entries of interest. As another example of data reduction, the following output shows windump being used to extract the packets relating to one IP address from a file containing network traffic of many computers.

    E:\case1\networktraffic>windump -r monitor1-01192003.dmp host 64.4.45.7
    00:08:07.534671 64.4.45.7.80 > 192.168.1.102.1037: S 1378721726:1378721726(0) ack 250897286 win 17316 <mss 1322,nop,nop,sackOK>
    00:08:07.688663 64.4.45.7.80 > 192.168.1.102.1037: P 1:155(154) ack 338 win 16979
    00:08:07.689768 64.4.45.7.80 > 192.168.1.102.1037: F 155:155(0) ack 338 win 16979
    00:08:07.839232 64.4.45.7.80 > 192.168.1.102.1037: . ack 339 win 16979
    00:08:07.942829 204.60.0.2.53 > 192.168.1.102.1038: 6 1/4/4 A 64.4.45.7 (208) (DF)
    00:08:08.067639 64.4.45.7.80 > 192.168.1.102.1039: S 2707800119:2707800119(0) ack 251070441 win 17316 <mss 1322,nop,nop,sackOK>
    00:08:08.240567 64.4.45.7.80 > 192.168.1.102.1039: P 1:435(434) ack 410 win 16907
    00:08:08.244832 64.4.45.7.80 > 192.168.1.102.1039: . 435:971(536) ack 410 win 16907
    00:08:08.245727 64.4.45.7.80 > 192.168.1.102.1039: . 971:1073(102) ack 410 win 16907
    00:08:08.371354 64.4.45.7.80 > 192.168.1.102.1039: . 1073:1609(536) ack 410 win
    <cut for brevity>

Most commercial sniffers can create filters that display only the packets matching certain criteria. Alternatively, ranking hosts by the amount of data they send and receive can reveal a host involved in a suspiciously large amount of data transfer, as shown in Table 15.2.

Table 15.2: Connections between hosts, ordered by total number of application bytes transferred. Data extracted from tcpdump file (available on book Web site) using Argus "ramon -c -A -M Matrix". The same summary can be obtained using the NetIntercept "Traffic Load" report (available on the Web site).

    SOURCE IP     DESTINATION IP   SOURCE BYTES   DESTINATION BYTES
    192.168.0.5   207.68.162.250   49900          230869
    192.168.0.5   207.68.162.24    47819          146996
    192.168.0.5   65.54.228.250    12212          158032
    192.168.0.5   207.68.172.245   12963          48012
    192.168.0.5   65.54.208.222    11217          40002
    192.168.0.5   208.185.54.22    2304           42975

Similarly, viewing the number of connections between hosts can be useful for traffic analysis, as shown in Table 15.3.

Table 15.3: Communication between hosts, ordered by number of connections. Data extracted from tcpdump file using the NetIntercept "Top N" report (available on book Web site).

    CONNECTIONS   SOURCE IP ADDRESS   DESTINATION IP ADDRESS
    81            192.168.0.5         207.68.162.24
    31            192.168.0.5         207.68.162.250
    9             192.168.0.5         65.54.228.250
    8             192.168.0.5         207.68.177.125
    7             192.168.0.5         65.54.208.222
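The two reductions shown above (the windump `host` filter, and the per-host-pair byte and connection summaries of Tables 15.2 and 15.3) can be reproduced from the one-line windump output without a commercial tool. The following Python script is an added example, not code from the book or from Argus/NetIntercept; it works on a constructed sample in the windump line format, treats the sender of the bare SYN as the connection source, and ignores non-TCP lines it cannot parse.

```python
import re
from collections import defaultdict

# Constructed sample in the windump one-line format shown above (not the book's
# capture). The number in parentheses is the TCP payload length of the packet.
SAMPLE_LINES = """\
00:08:07.400000 192.168.1.102.1037 > 64.4.45.7.80: S 250897285:250897285(0) win 16384 <mss 1460>
00:08:07.534671 64.4.45.7.80 > 192.168.1.102.1037: S 1378721726:1378721726(0) ack 250897286 win 17316 <mss 1322,nop,nop,sackOK>
00:08:07.600000 192.168.1.102.1037 > 64.4.45.7.80: P 1:338(337) ack 1 win 17316
00:08:07.688663 64.4.45.7.80 > 192.168.1.102.1037: P 1:155(154) ack 338 win 16979
00:08:07.839232 64.4.45.7.80 > 192.168.1.102.1037: . ack 339 win 16979
00:08:07.942829 204.60.0.2.53 > 192.168.1.102.1038: 6 1/4/4 A 64.4.45.7 (208) (DF)
00:08:08.000000 192.168.1.102.1039 > 64.4.45.7.80: S 251070440:251070440(0) win 16384 <mss 1460>
00:08:08.240567 64.4.45.7.80 > 192.168.1.102.1039: P 1:435(434) ack 410 win 16907
00:08:09.100000 192.168.1.102.1040 > 10.0.0.9.22: S 100:100(0) win 65535 <mss 1460>
00:08:09.200000 192.168.1.102.1040 > 10.0.0.9.22: P 1:21(20) ack 1 win 65535
""".splitlines()

# "<time> src.sport > dst.dport: FLAGS [seq:seq(len)] ..." ; the seq/len part is
# absent on pure ACKs, which carry no payload.
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<flags>[SPFRUWE.]+)"
    r"(?:\s*\d+:\d+\((?P<len>\d+)\))?"
)

def parse_packet(line):
    """Return (src, dst, flags, payload_len) for a TCP line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], m["dst"], m["flags"], int(m["len"] or 0)

def filter_host(lines, host):
    """Like the `host <ip>` capture filter: keep TCP packets to or from one address."""
    return [l for l in lines if (p := parse_packet(l)) and host in (p[0], p[1])]

def traffic_matrix(lines):
    """Per host pair: connections opened and bytes each way (cf. Tables 15.2/15.3).
    The host sending a SYN without ACK is the source; pairs first seen mid-stream
    fall back to the direction of the first observed packet."""
    stats = defaultdict(lambda: {"connections": 0, "source_bytes": 0, "destination_bytes": 0})
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue  # DNS and other non-TCP output is not summarised here
        src, dst, flags, length = pkt
        if "S" in flags and " ack " not in line:
            stats[(src, dst)]["connections"] += 1
        forward = (src, dst) in stats or (dst, src) not in stats
        key, field = ((src, dst), "source_bytes") if forward else ((dst, src), "destination_bytes")
        stats[key][field] += length
    return sorted(stats.items(), key=lambda kv: -(kv[1]["source_bytes"] + kv[1]["destination_bytes"]))
```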

[5]http://www.foundstone.com


Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279