4 Cheap Options to Monitor Networks for Evidence

Computer forensics doesn't have to focus solely on recovering and searching for evidence on storage devices. Although programs like Encase and FTK 3.0 are excellent tools for finding documents, photographs and other files for your investigation, they fall short when it comes to collecting the network traffic your suspect sends and receives.

Stored URL visits and the local cache paint only a limited picture of the suspect's Internet usage, and sometimes amount to little more than reading tea leaves. A document opened online, an incriminating instant message or even a VOIP call can and should be forensically captured and reviewed for your investigation.

Below are four free or low-cost options to monitor your target's network connection, capture traffic forensically and review the data for evidence. Consult your company's legal and IT departments before monitoring Internet connections: it may be illegal in some areas or against company policy.

Before getting started you have to decide which of the four monitoring options works best for your investigation. Each has its own function suited to different scenarios, and each is rated below on the Level of Expertise needed to set it up, Covert Application (risk of getting caught) and Network Type (wireless vs. LAN):

1. SPAN port monitoring. Level of Expertise: 1 of 5, Covert: 3 of 5, Network: LAN and WLAN.

Monitoring this way is probably the easiest to do and the best option for a corporate environment. Your target will have no clue he or she is being monitored, but you need to trust your IT department, because they will have to plug a computer into the SPAN port.

No additional tools are needed other than an extra Ethernet cable and your computer. And because the monitoring happens near the edge of the network, your suspect's Wi-Fi traffic can be captured as it leaves the network and returns. Your IT department will know what a SPAN port is and how to configure it; it is a very common procedure with uses well beyond monitoring.

2. Hub router. Level of Expertise: 2 of 5, Covert: 3 of 5, Network: LAN only.

Without getting too technical, a hub (not a switch, which is what most stores sell) is an easy and effective way to split the suspect's network connection so that you see a mirror image of their traffic. Hubs can be ordered online for $30, but your IT department probably has a few extra lying around. Simply connect the hub inline between the suspect's wall port (or the matching port in the network room) and the network, and plug your computer into a third hub port to start monitoring. As long as you hide the hub and the third Ethernet cable, this can be very covert and easy to do without even tipping off IT.

3. AirPcap card. Level of Expertise: 3 of 5, Covert: 5 of 5, Network: WLAN only.

I'm including this option more for educational purposes. In a corporate setup the SPAN port will be your best setup for monitoring Wi-Fi connections, but you never know. The AirPcap is a USB-based adapter that works much like a police scanner: instead of receiving police traffic, it captures and displays the wireless traffic traveling between the target's laptop and the Wi-Fi router.

This tool is very useful in TSCM, penetration testing and other, not-so-legal, exploits, which is why hackers love it. Another drawback is its price: it will cost you about $350.

4. ARP poisoning. Level of Expertise: 5 of 5, Covert: 3 of 5, Network: LAN and WLAN.

ARP poisoning is a handy exploit that confuses a computer on your LAN or WLAN into believing you are the router, letting you capture the target's data as it passes through your computer on its way to the real router.

This is often called a man-in-the-middle attack, and hackers often use it at coffee shops to steal your information. Although this can be fairly easy to set up without IT support, there is a chance of crashing your corporate network if done wrong. If you are willing to take the risk, head over to www.oxid.it and download the powerful program "Cain and Abel."

There are plenty of short YouTube videos that can get you running in minutes.

Now that you have picked your tool for accessing the network traffic between your target and the Internet, you need to capture and save the data. The best way to forensically capture the packets is the open source program Wireshark.

Wireshark is an unsurpassed network tool. After installing Wireshark you are only a few steps away from capturing data. Start by selecting Capture > Interfaces; depending on the type of monitoring you chose above, you should see your network card already transmitting and receiving packets. Before proceeding, press the Options button and then the Browse button to name the capture file and choose where it is saved. I recommend saving to an external drive because Internet traffic adds up fast. Also select "Use multiple files" and "Next file every 250 megabytes." This prevents a single error from destroying days of captured data and helps when reviewing it later.

Once you are good to go, press Start and watch the data scroll across your screen. For practice you can also skip the monitoring step and capture your own Internet traffic to get comfortable with Wireshark and the next few tools.

While you watch Wireshark you will see a wealth of seemingly random data and colors streaming across your screen. Although you might see a website domain you recognize scroll by, the capture contains everything your target is sending and receiving, making it next to impossible to pick out evidence on your own. That's where the open source program NetworkMiner and the freeware NetWitness Investigator 9.0 come into play. Both tools have an import option to pull information from your 250MB capture files (known as pcap files) and can reconstruct it into searchable, viewable data.

NetworkMiner extracts every file it finds and includes a quick image viewer, making it great for pornography investigations, while Investigator is your one-stop shop for reconstructing websites, e-mails, instant messages, VOIP calls and other types of data captured in the pcap files. You can literally see your target typing in search fields, downloading YouTube videos and even unknown viruses communicating with bot servers in China. Unfortunately, the free Investigator license handles only 1GB (four 250MB files) at a time, versus their unlimited enterprise solution. So if you have lots of data, searching may have to be done in time blocks, but honestly the network traffic captured from one computer is fairly small.
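To show what those reconstruction tools are doing under the hood, here is an added example (not NetworkMiner's or NetWitness's own code) that parses a classic pcap file and pulls out the HTTP request lines and Host headers, the kind of search-field and website evidence described above. The sample capture is constructed inline with made-up IP and MAC addresses.

```python
import re
import struct

def iter_frames(pcap: bytes):
    """Yield Ethernet frames from a classic (non-pcapng) pcap byte string."""
    endian = {0xa1b2c3d4: '<', 0xd4c3b2a1: '>'}.get(struct.unpack('<I', pcap[:4])[0])
    if endian is None:
        raise ValueError('not a classic pcap file')
    if struct.unpack(endian + 'I', pcap[20:24])[0] != 1:
        raise ValueError('only Ethernet (link type 1) captures are supported')
    off = 24                      # skip the 24-byte global header
    while off + 16 <= len(pcap):  # each record: 16-byte header, then the frame bytes
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + 'IIII', pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def http_requests(pcap: bytes):
    """Return (src_ip, dst_ip, method, host, path) for every HTTP request in the capture."""
    found = []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b'\x08\x00':
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0f) * 4                  # IPv4 header length in bytes
        if frame[23] != 6:
            continue                                  # not TCP
        src = '.'.join(map(str, frame[26:30]))
        dst = '.'.join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        payload = tcp[(tcp[12] >> 4) * 4:]            # skip the TCP header (data offset)
        req = re.match(rb'(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]\r\n', payload)
        if not req:
            continue
        host = re.search(rb'\r\nHost: ([^\r\n]+)', payload)
        found.append((src, dst, req.group(1).decode(),
                      host.group(1).decode() if host else '', req.group(2).decode()))
    return found

def build_sample_pcap() -> bytes:
    """Constructed sample capture: one frame carrying an HTTP GET (made-up addresses)."""
    payload = b'GET /search?q=confidential+memo HTTP/1.1\r\nHost: www.example.com\r\n\r\n'
    tcp = struct.pack('!HHIIBBHHH', 49152, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]))
    eth = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb') + b'\x08\x00'
    frame = eth + ip + tcp + payload
    header = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # little-endian, Ethernet
    record = struct.pack('<IIII', 1700000000, 0, len(frame), len(frame))
    return header + record + frame
```

Run http_requests over each of the 250MB capture files in turn; requests split across TCP segments will not match and need a full stream reassembler like the tools above.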

As stated above, there is no reason you can't record your own Internet activity and practice searching for data you know you were looking at moments ago. NetWitness also offers a free forum to share search ideas and troubleshoot any issues you run into.

Once you are comfortable with the monitoring tools, saving the data and exploring it with NetworkMiner and Investigator, you can search or create alerts to help find the smoking gun you might miss doing basic forensics.

Brandon Gregg is a corporate investigations manager.

CSO (US)