Network Forensics & Analysis
IRC Protocol Analysis and Traffic Reconstruction
Problem
When investigating network traffic, analysts need to extract and reconstruct IRC conversations from packet captures to understand communication patterns, identify participants, and analyze message content. Raw packet captures contain fragmented TCP streams that must be reassembled and parsed according to IRC protocol specifications.
Solution
Use Wireshark's protocol analysis capabilities to filter, follow, and extract IRC traffic. Apply display filters to isolate IRC traffic, use TCP stream following to reconstruct complete conversations, and parse IRC protocol commands (JOIN, PRIVMSG, NICK, MODE) to identify participants and message content.
Implementation
# IRC dissector (Wireshark decodes the default IRC port range as IRC; other ports need Decode As…)
irc
# Standard IRC port
tcp.port == 6667
# IRC over TLS: the payload is encrypted, only the handshake and SNI are visible without keys
tcp.port == 6697
# IRC on a non-standard port: right-click a packet → Decode As… → IRC
# Follow TCP stream for the complete conversation (client and server sides interleaved)
Right-click packet → Follow → TCP Stream
# Same from the command line (stream index 0; use ",raw," for the undecoded bytes)
tshark -r capture.pcap -q -z follow,tcp,ascii,0
# IRC message format: [:prefix] COMMAND params [:trailing]
# User prefix: :nickname!username@hostname (a leading ~ on the username means the server could not verify it via ident)
:user!~user@host.example.com JOIN #channel
:user!~user@host.example.com PRIVMSG #channel :message content
# Lines sent by the capturing host itself carry no prefix (e.g. "NICK alice", "PRIVMSG #channel :text")
Python Script for IRC Log Parsing:
import re

# Matches a server-relayed PRIVMSG: ":nick!user@host PRIVMSG target :text".
# The prefix is matched with [^ ]* rather than .* so the word PRIVMSG inside
# message text cannot shift the match.
PRIVMSG_RE = re.compile(r'^:([^!]+)![^ ]* PRIVMSG ([^ ]+) :(.*)$')

def parse_irc_messages(log_content):
    """Return sender/target/message dicts for every PRIVMSG in a followed TCP stream."""
    messages = []
    for line in log_content.splitlines():   # handles the CRLF line endings IRC uses
        match = PRIVMSG_RE.match(line)
        if match:
            messages.append({
                'sender': match.group(1),
                'target': match.group(2),
                'message': match.group(3)
            })
    return messages
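The script above only recovers PRIVMSG lines. The following is an added example, not code from the original page, that parses the general IRC line grammar (prefix, command, params, trailing) and walks a followed stream to rebuild the session state the Solution asks for: the capturing host's own nick (unprefixed lines), channel membership from JOIN, operator grants from MODE +o, nick changes from NICK, and messages with CTCP traffic (DCC, ACTION, VERSION) flagged separately. The sample stream is constructed; nicks, hosts and channel are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of what Follow → TCP Stream shows for one IRC session.
# Lines the capturing host sent have no prefix; lines relayed by the server
# carry ":nick!user@host". Lines are CRLF-terminated as on the wire.
SAMPLE_STREAM = (
    b"NICK alice\r\n"
    b"USER alice 0 * :alice\r\n"
    b":irc.example.net 001 alice :Welcome to the network\r\n"
    b"JOIN #ops\r\n"
    b":alice!~alice@10.0.0.7 JOIN #ops\r\n"
    b":bob!bob@host.example.com MODE #ops +o alice\r\n"
    b":bob!bob@host.example.com PRIVMSG #ops :the word PRIVMSG inside text is fine\r\n"
    b":bob!bob@host.example.com NICK :bob_away\r\n"
    b":bob_away!bob@host.example.com PRIVMSG alice :\x01ACTION waves\x01\r\n"
    b"PRIVMSG #ops :from the capturing host\r\n"
)

# RFC 1459 line: [':' prefix SP] command [SP params] [SP ':' trailing]
_LINE_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$")
_PREFIX_RE = re.compile(r"^(?P<nick>[^!@]+)(?:!(?P<user>[^@]+))?(?:@(?P<host>.+))?$")


def parse_line(line: str) -> dict:
    """Split one IRC line into prefix parts, command, middle params and trailing."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an IRC line: {line!r}")
    pm = _PREFIX_RE.match(m.group("prefix")) if m.group("prefix") else None
    params_raw, trailing = m.group("params") or "", None
    if params_raw.startswith(":"):
        params, trailing = [], params_raw[1:]
    elif " :" in params_raw:
        middle, trailing = params_raw.split(" :", 1)
        params = middle.split()
    else:
        params = params_raw.split()
    return {"nick": pm.group("nick") if pm else None, "user": pm.group("user") if pm else None,
            "host": pm.group("host") if pm else None, "command": m.group("command").upper(),
            "params": params, "trailing": trailing}


@dataclass
class Session:
    local_nick: Optional[str] = None                 # nick chosen by the capturing host
    channels: dict = field(default_factory=dict)     # channel -> nicks seen joining
    ops: dict = field(default_factory=dict)          # channel -> nicks given +o
    renames: list = field(default_factory=list)      # (old_nick, new_nick)
    messages: list = field(default_factory=list)     # sender/target/text/kind


def reconstruct(stream: bytes) -> Session:
    """Walk a followed stream and attribute JOIN/MODE/NICK/PRIVMSG to participants."""
    s = Session()
    for raw in stream.split(b"\r\n"):
        if not raw:
            continue
        msg = parse_line(raw.decode("utf-8", errors="replace"))
        cmd, sender = msg["command"], msg["nick"]
        if sender is None:                            # unprefixed = sent by the capturing host
            sender = s.local_nick or "<local>"
        if cmd == "NICK":
            new = msg["trailing"] or (msg["params"][0] if msg["params"] else None)
            if msg["nick"] is None:
                s.local_nick = new
            else:
                s.renames.append((msg["nick"], new))
        elif cmd == "JOIN":
            chan = msg["params"][0] if msg["params"] else msg["trailing"]
            s.channels.setdefault(chan, set()).add(sender)
        elif cmd == "MODE" and len(msg["params"]) >= 3 and "o" in msg["params"][1]:
            s.ops.setdefault(msg["params"][0], set()).add(msg["params"][2])
        elif cmd in ("PRIVMSG", "NOTICE"):
            text = msg["trailing"] or ""
            kind = "ctcp" if text.startswith("\x01") else cmd.lower()   # CTCP: DCC, ACTION, VERSION
            s.messages.append({"sender": sender, "target": msg["params"][0],
                               "text": text.strip("\x01"), "kind": kind})
    return s
```

Feed it the output of Follow → TCP Stream saved as Raw, or of `tshark -z follow,tcp,raw,N` after hex-decoding. The rename list matters when attributing later messages: after `NICK :bob_away`, lines from `bob_away` are the same participant as `bob`.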
Encrypted Traffic Analysis and Decryption
Problem
Network traffic often contains encrypted messages using PGP/GPG, SSL/TLS, or other cryptographic protocols. During security investigations or forensic analysis, encrypted content must be identified, extracted, and potentially decrypted.
Solution
Identify encrypted content by recognizing PGP armor headers and TLS handshakes. Extract the complete armored block from the reassembled stream (it is usually split across several TCP segments, so a single packet rarely contains all of it). Use GPG/OpenPGP tools to decrypt messages when the recipient's private key is available. For TLS, decrypt in Wireshark with the session secrets from an SSLKEYLOGFILE; the server's RSA private key only works when the cipher suite uses RSA key exchange, not with (EC)DHE suites or TLS 1.3.
Implementation
# Wireshark search for PGP content (armor lines; the block may span several packets)
frame contains "BEGIN PGP"
frame contains "-----BEGIN PGP MESSAGE-----"
# Follow → TCP Stream and save the whole armored block (BEGIN to END lines) as encrypted.asc
# Identify the recipient key ID before attempting decryption
gpg --list-packets encrypted.asc
# Import the private key and decrypt
gpg --import private_key.asc
gpg --decrypt encrypted.asc > decrypted.txt
# Locate TLS sessions and their destination hostnames (SNI in the ClientHello)
tls.handshake.type == 1
tls.handshake.extensions_server_name
# SSL/TLS Decryption in Wireshark (modern approach, works for every cipher suite):
# Set SSLKEYLOGFILE env var before running browser
# Edit → Preferences → Protocols → TLS
# Set "(Pre)-Master-Secret log filename"
# Using RSA private key (legacy; RSA key exchange only, never TLS 1.3 or (EC)DHE suites):
# Edit → Preferences → Protocols → TLS → RSA keys list
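Before handing an extracted block to gpg it is worth confirming that the capture actually contained all of it. The following is an added example, not part of the original page: it pulls every ASCII-armored block out of reassembled stream text, dearmors it, and verifies the trailing `=XXXX` line against the CRC-24 defined in RFC 4880 section 6.1, so a block that lost a TCP segment is reported instead of producing a confusing gpg error. The stream is constructed; the payload "123456789" is not a real OpenPGP packet (its purpose is the known CRC-24 check value 0x21CF02), and the second block is deliberately truncated.

```python
import base64
import re

# RFC 4880 section 6.1: CRC-24 used for the ASCII-armor checksum line.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


# Constructed stream text (e.g. Follow → TCP Stream of an SMTP or HTTP session).
SAMPLE_STREAM = (
    "Subject: report\r\n\r\n"
    "-----BEGIN PGP MESSAGE-----\r\n"
    "Version: constructed example\r\n"
    "\r\n"
    "MTIzNDU2Nzg5\r\n"          # base64 of b"123456789"
    "=Ic8C\r\n"                 # CRC-24 of that payload, 0x21CF02, base64-encoded
    "-----END PGP MESSAGE-----\r\n"
    "some other traffic\r\n"
    "-----BEGIN PGP MESSAGE-----\r\n"
    "\r\n"
    "MTIzNDU2Nzg\r\n"           # last characters lost with a missing TCP segment
    "=Ic8C\r\n"
    "-----END PGP MESSAGE-----\r\n"
    "-----BEGIN PGP MESSAGE-----\r\n\r\nMTIz\r\n"   # capture ended mid-block: never returned
)

_ARMOR_RE = re.compile(
    r"-----BEGIN PGP (?P<type>[A-Z ]+?)-----\r?\n(?P<body>.*?)-----END PGP (?P=type)-----",
    re.DOTALL,
)


def extract_armored_blocks(stream_text: str) -> list:
    """Find every complete armored block, dearmor it and check its CRC-24.
    Each result carries the block type, the binary payload (what gpg reads
    after dearmoring) and crc_ok: True, False, or None if no checksum line."""
    blocks = []
    for m in _ARMOR_RE.finditer(stream_text):
        lines = m.group("body").replace("\r", "").split("\n")
        if "" in lines:                      # armor headers end at the first blank line
            lines = lines[lines.index("") + 1:]
        checksum, b64 = None, []
        for line in lines:
            line = line.strip()
            if line.startswith("="):
                checksum = line[1:]
            elif line:
                b64.append(line)
        try:
            payload = base64.b64decode("".join(b64), validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            blocks.append({"type": m.group("type"), "payload": b"", "crc_ok": False,
                           "error": "bad base64"})
            continue
        crc_ok = None
        if checksum is not None:
            expected = int.from_bytes(base64.b64decode(checksum), "big")
            crc_ok = crc24(payload) == expected
        blocks.append({"type": m.group("type"), "payload": payload, "crc_ok": crc_ok, "error": None})
    return blocks


def save_for_gpg(block: dict, path: str) -> None:
    """Write the dearmored payload; gpg --list-packets / --decrypt accept binary input."""
    with open(path, "wb") as fh:
        fh.write(block["payload"])
```

A block that fails the CRC check should be traced back to the capture (look for gaps in the TCP stream with `tcp.analysis.lost_segment`) rather than fed to gpg. An unterminated block, as in the last fragment above, is not returned at all, so compare the count of BEGIN lines in the stream with the number of blocks recovered.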
DNS Analysis and Domain Investigation
Problem
DNS queries and responses contain critical infrastructure information including domain-to-IP mappings, nameserver configurations, and service discovery details. DNS traffic analysis reveals communication patterns, identifies malicious domains, and maps network infrastructure.
Solution
Use Wireshark to filter and analyze DNS traffic, examining queries and responses. Extract A records, NS records, SOA records, and other DNS record types. Correlate DNS responses with subsequent network connections.
Implementation
# All DNS traffic
dns
# Queries only / responses only
dns.flags.response == 0
dns.flags.response == 1
# Specific record types (dns.qry.type is the question type; use dns.resp.type for answer RRs)
dns.qry.type == 1 # A record (IPv4)
dns.qry.type == 2 # NS record
dns.qry.type == 6 # SOA record
dns.qry.type == 28 # AAAA record (IPv6)
# Failed lookups (NXDOMAIN is rcode 3); bursts of failures from one host are worth a look
dns.flags.rcode != 0
# Export domain-to-IP mappings (responses only; several answers in one response are comma-joined in a single field)
tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields \
-e dns.qry.name -e dns.a -e dns.aaaa \
| sort -u
# External verification
dig example.com SOA
dig +trace example.com
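The Solution asks to correlate DNS responses with the connections that follow them. The following is an added example, not part of the original page, that parses the tshark field output from the export command above (splitting the comma-joined multi-answer field), builds the domain-to-IP map, and attributes each outbound connection to the name whose answer most recently contained its destination address before the connection started. Connections to addresses that never appeared in a DNS answer are flagged, since hard-coded destinations are a common C2 trait. Both input sets are constructed; the names and addresses are documentation ranges.

```python
from collections import defaultdict

# Constructed tshark output: `-Y "dns.flags.response == 1" -T fields
# -e frame.time_epoch -e dns.qry.name -e dns.a`. Multiple answers in one
# response are comma-joined in a single field (tshark's default aggregator).
DNS_ROWS = [
    "1700000001.10\tupdate.example.com\t203.0.113.10,203.0.113.11",
    "1700000002.50\tcdn.example.net\t198.51.100.5",
    "1700000030.00\tupdate.example.com\t203.0.113.12",   # same name, new address
    "1700000031.00\tlogin.example.org\t",                 # answer carried no A record
    "1700000034.00\tcdn.example.net\t203.0.113.10",       # shared IP: most recent answer wins
]

# Constructed tshark output: `-Y "tcp.flags.syn == 1 && tcp.flags.ack == 0"
# -T fields -e frame.time_epoch -e ip.dst -e tcp.dstport` (one row per new connection).
CONN_ROWS = [
    "1700000001.30\t203.0.113.11\t443",
    "1700000002.60\t198.51.100.5\t80",
    "1700000020.00\t192.0.2.77\t4444",     # never resolved via DNS in this capture
    "1700000030.20\t203.0.113.12\t443",
    "1700000035.00\t203.0.113.10\t443",
]


def parse_dns_rows(rows):
    """Return [(time, name, ip)] with comma-joined answer fields expanded."""
    records = []
    for row in rows:
        t, name, addrs = row.split("\t")
        for ip in filter(None, addrs.split(",")):
            records.append((float(t), name, ip))
    return records


def name_to_ips(records):
    """The domain-to-IP mapping the page exports with sort -u, as a dict."""
    mapping = defaultdict(set)
    for _, name, ip in records:
        mapping[name].add(ip)
    return dict(mapping)


def build_ip_index(records):
    """ip -> [(time, name)] sorted by time so lookups can respect ordering."""
    index = defaultdict(list)
    for t, name, ip in records:
        index[ip].append((t, name))
    for entries in index.values():
        entries.sort()
    return index


def correlate(conn_rows, ip_index):
    """Attribute each connection to the name whose answer most recently
    contained its destination IP before the connection began."""
    results = []
    for row in conn_rows:
        t, ip, port = row.split("\t")
        t = float(t)
        earlier = [(rt, name) for rt, name in ip_index.get(ip, []) if rt <= t]
        name = earlier[-1][1] if earlier else None
        results.append({"time": t, "ip": ip, "port": int(port),
                        "name": name, "unresolved": name is None})
    return results
```

Attribution by "most recent answer before the connection" is a heuristic: with long TTLs a client may connect on a cached answer from before the capture started, which shows up here as unresolved and is one reason to check the `unresolved` list against the conversation statistics rather than treating it as proof of a hard-coded address.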
Network Connection Pattern Analysis
Problem
Understanding which hosts communicated with each other, traffic volumes, and connection patterns is essential for network forensics. Raw packet captures contain thousands of individual packets that must be aggregated into meaningful conversations and statistics.
Solution
Use Wireshark's Statistics features to aggregate packet data into conversation summaries, protocol hierarchies, and endpoint statistics. Export conversation data for additional analysis. Apply GeoIP databases to identify geographic locations.
Implementation
# Wireshark: Statistics → Conversations
# Shows source-destination pairs with packet/byte counts and duration
# Same from the command line
tshark -r capture.pcap -q -z conv,ip
tshark -r capture.pcap -q -z endpoints,ip
# Filter specific conversation
ip.addr == 192.168.1.100 && ip.addr == 10.0.0.1
# Export unique destination IPs from specific source
tshark -r capture.pcap \
-Y "ip.src == 10.0.0.7" \
-T fields -e ip.dst \
| sort -u > destination_ips.txt
# Statistics → Protocol Hierarchy
# Statistics → Endpoints → IPv4 (GeoIP columns appear once MaxMind databases are configured
#   under Edit → Preferences → Name Resolution → MaxMind database directories)
# Statistics → I/O Graph (traffic over time)
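The Conversations window gives packet and byte counts per pair; what it does not show is the timing pattern within a pair. The following is an added example, not part of the original page, that rebuilds the conversation summary from tshark field output and goes one step beyond the page by scoring each conversation's inter-packet regularity (coefficient of variation of the gaps): a long-lived, low-volume conversation with near-identical gaps is the shape of a beacon, which the I/O Graph shows only if you already know which pair to graph. The packet rows are constructed; the column order is the tshark invocation given in the comment.

```python
import statistics
from collections import defaultdict

# Constructed tshark output: `-Y tcp -T fields -e frame.time_epoch -e ip.src
# -e ip.dst -e tcp.dstport -e frame.len`
PACKET_ROWS = [
    # 10.0.0.7 -> 203.0.113.50:443 every 60 s, small and identical: beacon-like
    "1000.0\t10.0.0.7\t203.0.113.50\t443\t120",
    "1001.0\t10.0.0.7\t198.51.100.5\t80\t1500",
    "1001.2\t10.0.0.7\t198.51.100.5\t80\t1500",
    "1001.3\t10.0.0.7\t198.51.100.5\t80\t600",
    "1005.0\t10.0.0.7\t198.51.100.5\t80\t1500",
    "1060.0\t10.0.0.7\t203.0.113.50\t443\t120",
    "1100.0\t10.0.0.9\t10.0.0.1\t445\t200",
    "1100.5\t10.0.0.9\t10.0.0.1\t445\t200",
    "1120.0\t10.0.0.7\t203.0.113.50\t443\t120",
    "1180.0\t10.0.0.7\t203.0.113.50\t443\t120",
    "1240.0\t10.0.0.7\t203.0.113.50\t443\t120",
]


def conversations(rows):
    """Aggregate per (src, dst, dstport): packets, bytes, first/last seen, duration,
    and gap_cv, the coefficient of variation of inter-packet gaps (0 = perfectly
    periodic; None when fewer than three packets)."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0, "times": []})
    for row in rows:
        t, src, dst, port, length = row.split("\t")
        c = convs[(src, dst, int(port))]
        c["packets"] += 1
        c["bytes"] += int(length)
        c["times"].append(float(t))
    out = []
    for (src, dst, port), c in convs.items():
        times = sorted(c["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        out.append({"src": src, "dst": dst, "port": port, "packets": c["packets"],
                    "bytes": c["bytes"], "first": times[0], "last": times[-1],
                    "duration": times[-1] - times[0], "gap_cv": cv})
    out.sort(key=lambda c: c["bytes"], reverse=True)   # same ordering as the Wireshark window
    return out


def unique_destinations(rows, src):
    """Equivalent of the `-e ip.dst | sort -u` export for one source host."""
    return sorted({row.split("\t")[2] for row in rows if row.split("\t")[1] == src})


def likely_beacons(convs, min_packets=4, max_cv=0.1):
    """Conversations with enough packets and highly regular timing; thresholds are
    assumptions to tune per environment, not fixed rules."""
    return [c for c in convs
            if c["packets"] >= min_packets and c["gap_cv"] is not None and c["gap_cv"] <= max_cv]
```

Real implants add jitter, so raise `max_cv` gradually and look at the survivors by duration and bytes-per-packet rather than trusting a single threshold; legitimate periodic traffic (NTP, monitoring agents, keepalives) will also surface and has to be ruled out by destination.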
File Extraction from Network Traffic
Problem
Network traffic often includes file transfers via HTTP, FTP, SMB, or other protocols. During forensic investigations, analysts need to extract these files from packet captures to analyze their content, identify malware, or reconstruct incident timelines.
Solution
Use Wireshark's "Export Objects" feature for automatic file extraction from HTTP traffic. Follow TCP streams to manually extract file content from FTP data connections. Verify extracted files using hash values and file headers.
Implementation
# Extract HTTP Objects (only for traffic Wireshark decodes as HTTP; TLS must be decrypted first)
File → Export Objects → HTTP
# Same from the command line
tshark -r capture.pcap --export-objects http,extracted/
# FTP data (the data connection must be in the capture; the control channel only carries commands)
ftp-data
# Follow TCP stream of the data connection, show the server→client direction only, save as Raw
# Extract files from SMB
File → Export Objects → SMB
# Verify extracted files
sha256sum extracted_file.bin
file extracted_file.bin
hexdump -C extracted_file.bin | head -20
# Common file signatures
# PDF: %PDF
# PNG: 89 50 4E 47 0D 0A 1A 0A
# ZIP: 50 4B 03 04 (also DOCX/XLSX/JAR/APK containers)
# JPEG: FF D8 FF
# A signature that disagrees with the file name or Content-Type is itself a finding
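When Export Objects does not apply (non-standard port, a partially captured transfer, or a body you saved with Follow → TCP Stream), the file has to be carved from the raw stream and checked by hand. The following is an added example, not code from the original page, that strips the HTTP headers from a raw server-to-client stream, honours Content-Length so a truncated capture is reported rather than silently producing a short file, and then identifies the carved bytes by the signatures in the table above (extended with PE, ELF and GIF, which matter when the goal is identifying malware) and compares that against the claimed extension. The sample responses are constructed byte strings, not real captured files.

```python
import hashlib

# Magic numbers from the page's table plus PE, ELF and GIF; the PNG entry is the full 8 bytes.
SIGNATURES = [
    (b"%PDF", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),      # also docx/xlsx/jar/apk containers
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
]
# Extensions that legitimately map onto one of the signature kinds above.
ALIASES = {"jpg": "jpeg", "exe": "pe", "dll": "pe", "docx": "zip", "xlsx": "zip",
           "jar": "zip", "apk": "zip"}

# Constructed sample: a PNG header followed by padding, served over HTTP.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n" + PNG_BYTES
)
TRUNCATED_RESPONSE = SAMPLE_RESPONSE[:-10]      # capture stopped 10 bytes early
MASQUERADE = b"MZ\x90\x00" + b"\x00" * 60       # delivered as "invoice.pdf", really a PE stub


def identify(data: bytes):
    """Return the signature kind for the leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def carve_http_body(raw: bytes):
    """Strip headers from a raw server→client HTTP stream and return (body, complete).
    complete is False when fewer than Content-Length bytes were captured."""
    sep = raw.find(b"\r\n\r\n")
    if sep == -1:
        raise ValueError("no HTTP header terminator in stream")
    headers = raw[:sep].decode("latin-1").split("\r\n")
    body = raw[sep + 4:]
    length = None
    for h in headers[1:]:                           # skip the status line
        name, _, value = h.partition(":")
        name = name.strip().lower()
        if name == "content-length":
            length = int(value.strip())
        elif name == "transfer-encoding" and "chunked" in value.lower():
            raise ValueError("chunked body: let Export Objects reassemble it")
        elif name == "content-encoding":
            raise ValueError(f"compressed body ({value.strip()}): decompress before identifying")
    if length is None:
        return body, True                           # body runs to connection close
    return body[:length], len(body) >= length


def describe(data: bytes, claimed_name: str):
    """Hash the carved bytes and flag a signature that disagrees with the file name."""
    ext = claimed_name.rsplit(".", 1)[-1].lower()
    kind = identify(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "magic": kind,
        "extension_mismatch": kind is not None and kind != ALIASES.get(ext, ext),
    }
```

For FTP data connections there are no headers to strip, so `identify` and `describe` run directly on the raw stream; for SMB, Export Objects is still the better path because the file can arrive in non-sequential read chunks that a stream follow will not reorder.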