Tom Olzak

Archive for the ‘Forensics’ Category

The Internet is Broken, Part II: NetFlow Analysis

In Application Security, Computers and Internet, Cybercrime, Data Leak Prevention, Data Security, Forensics, Insider risk, Log Management, NetFlow, Network Security, Policy-based access control, Risk Management, Security Management on January 13, 2013 at 21:52

Last week, I introduced the broken Internet and SIEM technology as one way to spot bad things happening on your network. This week I continue the theme by looking at a technology often deployed alongside SIEM: NetFlow analysis.

NetFlow is a protocol developed by Cisco. Its original purpose was to give network engineers visibility into traffic flows for performance and design analysis. Today, however, NetFlow (and its vendor-neutral successor, IPFIX) has become a de facto industry standard for both performance and security analysis.

Over time, security analysts found that event correlation alone might not be enough to quickly detect anomalous behavior. NetFlow, fed into or viewed alongside a SIEM portal, gives quick insight into who is talking to whom, over which ports, and how much. That makes it possible to detect network behavior outside the expected norms for a specific network.

NetFlow-compatible devices, as shown in Figure 1, build per-flow records for traffic crossing one or more interfaces: source and destination address, port, protocol, and byte and packet counts, but no payload. The records are exported to a collector, where they are aggregated and analyzed. If supported, alerts are sent to security personnel when traffic through a switch port, or between a particular pair of hosts, exceeds a defined threshold. (See Figure 2 for a portal example.) This is a good way to detect large data transfers, or transfers between a database server and a system with which the server doesn't usually communicate. Because the records carry no payload, NetFlow tells you that a large transfer happened and between whom, not what was in it.

Figure 1: Cisco NetFlow Configuration

Figure 2: NfSen Screen Shot (Retrieved from

For example, assume an attacker gains control of a database administrator's (DBA) desktop computer. All access by the DBA's system will likely look normal, until a NetFlow analysis alert reports large amounts of data passing from a production database server, through the DBA system, and out to the Internet. (Granted, other controls might prevent this altogether… humor me.) The alert lets us react quickly and limit business impact by pulling the DBA's computer off the network. Isolating it, rather than powering it off, also preserves volatile evidence for the investigation that follows.

It isn't just external attackers NetFlow helps detect. The infamous disgruntled employee is also detectable when large numbers of intellectual property documents begin making their way from the storage area network to an engineer's laptop in his or her home office. NetFlow analysis can be particularly useful when two or more employees collude to steal company information, because the collaboration shows up as host-to-host traffic that has no business reason to exist.
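To make the DBA scenario concrete, here is an added example (not code from the original post) that runs the kind of check a NetFlow collector would run over a handful of constructed flow records: flag the database server talking to a host it does not normally talk to, and then flag that host moving a comparable volume to an address outside the site. The CSV layout is loosely modelled on what collectors such as nfdump can export; the addresses, host roles, "internal" prefixes and thresholds are all assumptions for the demonstration.

```python
"""Toy NetFlow analysis: unusual peers of a database server and follow-on
outbound transfers. Added example, not from the original post.

Flow records are constructed below in a CSV layout loosely modelled on what
collectors such as nfdump export; the addresses, host roles, "internal"
prefixes and thresholds are assumptions for the demonstration.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (not a real capture). 203.0.113.7 and
# 198.51.100.9 are documentation addresses standing in for Internet hosts.
FLOWS_CSV = """ts,src,dst,dport,proto,bytes
2013-01-13T20:01,10.1.1.10,10.1.1.50,1433,tcp,45000
2013-01-13T20:01,10.1.1.50,10.1.1.10,1433,tcp,2100000
2013-01-13T20:05,10.1.1.5,10.1.1.50,1433,tcp,60000
2013-01-13T20:06,10.1.1.50,10.1.1.5,1433,tcp,820000000
2013-01-13T20:09,10.1.1.5,203.0.113.7,443,tcp,790000000
2013-01-13T20:10,10.1.1.22,198.51.100.9,443,tcp,15000
"""

DB_SERVER = "10.1.1.50"                       # assumed production database server
KNOWN_DB_PEERS = {"10.1.1.10"}                # assumed: the app server that normally queries it
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site prefixes
VOLUME_THRESHOLD = 100 * 1024 * 1024          # 100 MiB per src->dst pair per window


def parse_flows(text):
    """Parse the CSV export into dicts with an integer byte count."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def aggregate_pairs(flows):
    """Sum bytes per (src, dst) pair: the unit most NetFlow thresholds apply to."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)


def is_external(addr):
    """True when the address is outside the assumed internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def analyze(flows, db_server=DB_SERVER, known_peers=KNOWN_DB_PEERS,
            threshold=VOLUME_THRESHOLD):
    """Return alert strings for (1) the DB server sending to a peer it does not
    normally talk to and (2) such a peer then moving at least `threshold`
    bytes to an external host within the same window."""
    totals = aggregate_pairs(flows)
    alerts = []
    suspects = set()
    for (src, dst), nbytes in sorted(totals.items()):
        if src == db_server and dst not in known_peers:
            alerts.append(f"unusual peer: {src} -> {dst} ({nbytes} bytes)")
            if nbytes >= threshold:
                suspects.add(dst)
    for (src, dst), nbytes in sorted(totals.items()):
        if src in suspects and is_external(dst) and nbytes >= threshold:
            alerts.append(f"possible exfiltration: {src} -> {dst} ({nbytes} bytes) "
                          f"after large pull from {db_server}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_flows(FLOWS_CSV)):
        print(alert)
```

Run against the constructed records, the normal application-server traffic produces nothing, while the DBA desktop (10.1.1.5) triggers both alerts. A real deployment would derive the known-peer set from historical flow data rather than a hard-coded list, and the same pair-based logic covers the insider case above: two internal hosts exchanging volumes they have no history of exchanging.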

NetFlow analysis is a good detection tool. It complements the preventive controls we rely on to block connections to unknown external systems. In addition, NetFlow alerting can call our attention to an employee drifting out of policy compliance and violating management trust.

Next week, I conclude this series by examining incident response in support of SIEM and NetFlow analysis.

Digital Forensics: Blowing a Case in Five Minutes or Less

In Cybercrime, Forensics, Uncategorized on July 31, 2009 at 09:51

Digital forensics is an important function performed by experienced investigators. However, most security incidents are not considered serious enough, at least not at first, to justify engaging a forensics professional at hundreds of dollars per hour. So in-house security teams must have processes in place to ensure that initial investigation activities don't compromise evidence that might eventually end up in criminal or civil court.

Internal resources don't have to be certified forensics investigators. Most organizations can't afford to keep someone with those qualifications on the payroll. However, your security team should understand basic evidence preservation and handling techniques. Even actions that seem reasonable and insignificant can render potential evidence useless. Some examples of things to avoid when initiating an internal investigation include:

  • Using or analyzing a target computer before creating a forensic copy of all attached storage
  • Arbitrarily pulling cables from target computers before recording the cable connections, preferably with a digital camera
  • Pulling the power plug on a running computer without recording what is on the screen, preferably with a digital camera
  • Turning on a computer that is powered off upon arrival
  • Failing to initiate a written chain of custody for all items collected as evidence
  • Failing to comply with local, state, and federal laws governing seizure of evidence
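The first and fifth points above are where in-house teams most often slip, so here is an added example (not code from the original post) of the minimum a working copy should go through before anyone touches it: hash the source, write a working copy and an archive copy, verify each copy against the source hash, and record every step in a chain-of-custody log. The "seized drive" here is a constructed byte string in a temporary directory; a real acquisition reads the device through a hardware write blocker. The case number, examiner name and file names are assumptions.

```python
"""Acquire, verify and log: hash a source image, write two copies, verify each
against the source hash, and append chain-of-custody entries.
Added example, not from the original post. The "seized drive" is a constructed
byte string in a temporary directory; a real acquisition reads the device
through a hardware write blocker. Case number, examiner and file names are
assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a disk image (not real evidence).
SAMPLE_IMAGE = b"constructed sample image, not a real disk\n" + bytes(range(256)) * 256


def sha256_file(path, chunk=1 << 20):
    """Stream the file so images larger than memory hash without trouble."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_copy(source_hash, copy_path):
    """A copy is usable as evidence only if it hashes identically to the source."""
    return sha256_file(copy_path) == source_hash


def acquire_and_verify(source, copies, log_path, case_id, examiner):
    """Hash the source once, write each copy, verify it, and append one custody
    entry per copy. Returns the source hash and a {copy_path: verified} map."""
    source_hash = sha256_file(source)
    results = {}
    with open(log_path, "a", encoding="utf-8") as log:
        for dest in copies:
            shutil.copyfile(source, dest)
            ok = verify_copy(source_hash, dest)
            results[dest] = ok
            log.write(json.dumps({
                "case": case_id,                                   # assumed case number
                "time": datetime.now(timezone.utc).isoformat(),
                "examiner": examiner,                              # assumed examiner
                "action": "acquire",
                "source": os.path.basename(source),
                "copy": os.path.basename(dest),
                "sha256": source_hash,
                "verified": ok,
            }) + "\n")
    return source_hash, results


def demo():
    """Run the workflow on the constructed image, then alter one copy by a
    single byte to show that re-verification catches it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "seized.dd")
        with open(src, "wb") as f:
            f.write(SAMPLE_IMAGE)
        copies = [os.path.join(d, "working_copy.dd"), os.path.join(d, "archive_copy.dd")]
        log_path = os.path.join(d, "custody.jsonl")
        source_hash, results = acquire_and_verify(
            src, copies, log_path, case_id="CASE-0001", examiner="jdoe")
        # Simulate post-acquisition tampering or media corruption: flip one byte.
        with open(copies[0], "r+b") as f:
            f.seek(100)
            original = f.read(1)[0]
            f.seek(100)
            f.write(bytes([original ^ 0xFF]))
        still_valid = verify_copy(source_hash, copies[0])
        with open(log_path, encoding="utf-8") as f:
            entries = [json.loads(line) for line in f]
    return source_hash, results, still_valid, entries


if __name__ == "__main__":
    h, results, still_valid, entries = demo()
    print("source sha256:", h)
    print("copies verified at acquisition:", results)
    print("working copy still matches after one flipped byte:", still_valid)
    print("custody entries written:", len(entries))
```

Both copies verify immediately after acquisition, and a single flipped byte in the working copy is enough to fail re-verification, which is exactly why the hash and the time it was taken belong in the custody record rather than only in someone's memory. The archive copy stays untouched; all analysis happens on the working copy.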

The United States Secret Service published a pocket guide for first responders, Best Practices for Seizing Electronic Evidence. It contains checklists for standalone PCs as well as for servers and PCs connected to home or business networks. In addition, the guide lists items you should include in your investigation reports.

The guide alone won't make anyone on your team a forensics expert; you'll still want to call in certified digital forensics analysts when presentation of evidence in court is a real possibility. However, familiarity with the guide, and actually using it, can help prevent spoliation during the first minutes of an incident response.

Anti-Forensics: Challenges for the Forensics Investigator

In Forensics on March 13, 2009 at 19:24

A Paul Henry video from 2006 in which he discusses encryption, steganography, disk wiping, and other methods used to thwart forensic analysis.

(Video is a little rough, but the information is valuable.)

Quickly make forensics disk copies with hardware device

In Drive Duplication, Forensics on March 9, 2009 at 11:59

The VOOM HardCopy 3 provides investigators with everything needed to prepare drives to receive a copy of a seized drive and to quickly transfer the data to two copy drives at the same time.

VOOM HardCopy 3

Creating forensics copies
