Network Investigation Techniques – A Comprehensive Guide for GIAC GCIH Exam Preparation
Introduction to Network Investigation Techniques
Network investigation techniques are a critical component of incident response and cyber investigations. They encompass the methods, tools, and processes used by security analysts and incident responders to identify, analyze, and attribute malicious activity occurring across computer networks. For GIAC GCIH (GIAC Certified Incident Handler) candidates, mastering these techniques is essential for both real-world incident handling and exam success.
Why Are Network Investigation Techniques Important?
Network investigation techniques are vital for several reasons:
1. Detection of Malicious Activity: Networks are the primary conduit for cyberattacks. Whether an attacker is exfiltrating data, establishing command-and-control (C2) channels, or laterally moving through an environment, network evidence is often the first indicator of compromise.
2. Evidence Preservation: Network artifacts such as packet captures (PCAPs), flow data, DNS logs, and firewall logs serve as critical evidence in investigations and may be required for legal proceedings or regulatory compliance.
3. Root Cause Analysis: Understanding what happened on the network helps investigators determine the attack vector, scope of compromise, and the timeline of events.
4. Containment and Remediation: Without proper network investigation, responders cannot effectively contain threats or prevent recurrence. Identifying C2 infrastructure, compromised hosts, and data exfiltration paths is essential for effective remediation.
5. Attribution: Network evidence can help attribute attacks to specific threat actors, which may be critical for law enforcement, intelligence purposes, or organizational risk assessments.
What Are Network Investigation Techniques?
Network investigation techniques refer to the systematic approaches used to collect, analyze, and interpret network-based evidence during a cybersecurity incident. These techniques span several categories:
1. Packet Capture and Analysis
Packet capture (PCAP) involves recording raw network traffic for detailed examination. Tools like Wireshark, tcpdump, and tshark are commonly used. Analysts can reconstruct sessions, extract files, identify protocols, and detect anomalies at the deepest level of network communication.
2. NetFlow / IPFIX Analysis
NetFlow and IPFIX provide summarized metadata about network connections — source/destination IPs, ports, protocols, byte counts, and timestamps — without capturing full packet payloads. This is invaluable for identifying communication patterns, data exfiltration volumes, and connections to known malicious infrastructure. Tools include nfdump, SiLK, and various SIEM platforms.
3. Log Analysis
Network device logs from firewalls, proxies, IDS/IPS, DNS servers, DHCP servers, VPN concentrators, and routers provide critical context. Investigators correlate these logs to build timelines, identify lateral movement, and detect policy violations.
4. Intrusion Detection/Prevention System (IDS/IPS) Analysis
Tools like Snort, Suricata, and Zeek (formerly Bro) generate alerts and detailed connection logs. Analysts review alerts for true positives, examine signatures that fired, and use metadata logs from Zeek to understand network behavior at scale.
5. DNS Investigation
DNS is frequently abused by attackers for C2 communication, data exfiltration (DNS tunneling), and domain generation algorithms (DGAs). Investigating DNS query logs, passive DNS databases, and anomalous query patterns is a key technique.
6. Proxy and Web Log Analysis
HTTP/HTTPS proxy logs reveal user-agent strings, URLs accessed, referrers, response codes, and content types. These logs are essential for identifying malicious downloads, phishing redirections, and web-based C2.
7. Network Forensic Tools and Frameworks
Specialized tools support network investigations:
- Wireshark: Deep packet analysis and protocol dissection
- tcpdump: Command-line packet capture
- Zeek (Bro): Network security monitoring framework producing rich connection logs
- NetworkMiner: Network forensic analysis tool for file extraction and OS fingerprinting
- Security Onion: A Linux distribution integrating multiple network monitoring tools
- Moloch/Arkime: Large-scale full packet capture and search
8. Wireless Network Investigation
Investigating rogue access points, unauthorized wireless clients, and wireless-based attacks using tools like Kismet and Aircrack-ng.
9. Traffic Baseline and Anomaly Detection
Establishing normal network behavior baselines and identifying deviations — unusual ports, protocols, traffic volumes, or communication patterns — is fundamental to detecting sophisticated threats that evade signature-based detection.
How Do Network Investigation Techniques Work?
The process of network investigation generally follows a structured methodology:
Step 1: Preparation
Before an incident occurs, organizations should have network monitoring infrastructure in place. This includes deploying sensors (IDS, full packet capture, flow collectors), configuring centralized logging, and establishing baselines of normal traffic.
Step 2: Detection and Identification
An alert from an IDS, SIEM, or anomaly detection system triggers the investigation. The responder identifies the scope by examining which hosts, ports, and protocols are involved. Initial triage determines the severity and nature of the activity.
Step 3: Evidence Collection
Relevant network evidence is collected and preserved. This includes:
- Capturing live traffic (if the incident is ongoing)
- Retrieving stored PCAPs from full packet capture systems
- Exporting flow records for the relevant timeframe
- Gathering logs from firewalls, proxies, DNS servers, DHCP, and IDS/IPS
- Documenting chain of custody for forensic integrity
Step 4: Analysis
Analysts examine the collected evidence using various techniques:
Protocol Analysis: Examining packet headers and payloads to understand communication. Analysts look for protocol anomalies (e.g., HTTP traffic on non-standard ports, DNS queries with unusually long subdomains).
Session Reconstruction: Reassembling TCP streams to view the full content of communications, extract transferred files, or read commands exchanged between attacker and compromised host.
Correlation: Cross-referencing multiple data sources (e.g., correlating a firewall log entry with a PCAP and an IDS alert) to build a comprehensive picture of the incident.
IOC Matching: Comparing observed network artifacts (IP addresses, domain names, file hashes, JA3 hashes) against known indicators of compromise from threat intelligence feeds.
Timeline Construction: Building a chronological sequence of events using timestamps from various network sources to understand the attack progression.
Step 5: Containment Actions Based on Findings
Based on the analysis, responders take network-level containment actions such as blocking malicious IPs/domains at the firewall, isolating compromised network segments, disabling compromised accounts, or sinkholing malicious DNS domains.
Step 6: Reporting and Documentation
All findings, evidence, and actions taken are thoroughly documented. This supports post-incident review, lessons learned, legal proceedings, and compliance requirements.
Key Concepts You Must Know for the GCIH Exam
- TCP/IP Fundamentals: Understanding the three-way handshake, TCP flags (SYN, ACK, FIN, RST, PSH, URG), IP addressing, subnetting, and common protocols (HTTP, HTTPS, DNS, SMTP, FTP, SSH, SMB).
- Wireshark Display and Capture Filters: Know the difference between capture filters (BPF syntax, e.g., host 192.168.1.1 and port 80) and display filters (e.g., tcp.flags.syn == 1 && tcp.flags.ack == 0). Be able to follow TCP streams, extract objects, and identify anomalies.
- tcpdump Syntax: Understand common tcpdump flags: -i (interface), -w (write to file), -r (read from file), -n (no DNS resolution), -X (hex and ASCII output), and BPF filter expressions.
- Snort/Suricata Rules: Be able to read and interpret IDS rules. Understand rule headers (action, protocol, source, destination, ports, direction) and rule options (content, sid, rev, msg, flow, pcre).
- Zeek (Bro) Logs: Understand the structure of conn.log, dns.log, http.log, files.log, and ssl.log. Know what fields are available and how to use them for investigation.
- DNS Investigation: Recognize DNS tunneling indicators (high volume of queries, long subdomain strings, TXT record abuse), DGA patterns, and fast-flux DNS techniques.
- NetFlow Analysis: Understand flow records and how to use them to identify large data transfers, beaconing behavior (regular interval connections to C2), and scanning activity.
- Common Attack Signatures on the Network: Recognize network indicators of port scanning (e.g., Nmap SYN scan patterns), ARP spoofing, DNS poisoning, man-in-the-middle attacks, SQL injection in HTTP traffic, and command injection.
- Encryption and Its Impact: Understand how TLS/SSL affects network investigation (payload encryption), and how analysts use JA3/JA3S fingerprints, certificate analysis, and SNI (Server Name Indication) fields to gain visibility into encrypted traffic.
- Network-Based Indicators of Compromise (IOCs): IP addresses, domain names, URLs, user-agent strings, JA3 hashes, SSL certificate hashes, and behavioral patterns (beaconing intervals, data volume anomalies).
Practical Scenarios to Prepare For
1. Analyzing a PCAP file: You may be asked to identify the type of attack (e.g., SYN flood, DNS exfiltration, HTTP-based C2) based on packet details.
2. Reading IDS alerts: Interpreting Snort or Suricata rule syntax and understanding what traffic would trigger a specific rule.
3. Identifying C2 beaconing: Recognizing regular-interval outbound connections in flow data or connection logs as potential C2 activity.
4. DNS tunneling detection: Spotting abnormally long DNS queries, unusual record types, or high query volumes to a single domain.
5. Log correlation: Combining evidence from multiple sources (e.g., firewall deny logs + DNS query logs + proxy logs) to identify the full scope of an incident.
6. Extracting artifacts from network traffic: Using Wireshark to export HTTP objects, reconstruct file transfers, or identify credentials sent in cleartext.
Exam Tips: Answering Questions on Network Investigation Techniques
1. Know Your Tools Cold: The exam frequently tests your knowledge of specific tools and their capabilities. Understand when to use Wireshark vs. tcpdump vs. Zeek vs. NetFlow analyzers. Know the strengths and limitations of each.
2. Master Filter Syntax: Be comfortable writing and interpreting both BPF capture filters and Wireshark display filters. Exam questions may present a filter and ask what traffic it captures, or describe a scenario and ask which filter would be appropriate.
3. Read Snort Rules Carefully: Break down Snort rules into their components. Pay close attention to the content keyword, flow directives (established, to_server, to_client), and logical operators. The exam tests whether you can determine what a rule detects.
4. Understand Protocol Behavior: Many questions test whether you understand how protocols normally behave so you can identify anomalies. Know what a normal DNS query looks like versus a tunneling query. Know what normal HTTP headers contain versus C2 beaconing traffic.
5. Think Like an Analyst, Not Just a Technician: Some questions require you to determine the best next step in an investigation or the most appropriate data source to examine. Consider what evidence would be most useful for answering the specific investigative question.
6. Pay Attention to Timestamps and Timelines: Questions may present log entries from different sources with different timestamps. Be prepared to correlate events across sources and construct accurate timelines. Watch for time zone differences.
7. Distinguish Between Full Packet Capture and Flow Data: Understand that full packet capture provides complete content but requires massive storage, while flow data provides metadata about connections and is much more scalable. Know which questions require payload inspection (PCAP) versus connection pattern analysis (flows).
8. Know the Indicators of Common Attacks: Be able to recognize network-level indicators of reconnaissance (port scans, service enumeration), exploitation (exploit payloads, shellcode patterns), C2 (beaconing, DNS tunneling, encrypted channels to unusual destinations), and data exfiltration (large outbound transfers, encoding in DNS or ICMP).
9. Understand Evidence Integrity: Questions may address how to properly preserve network evidence. Know that PCAPs should be hashed for integrity, chain of custody must be maintained, and live capture should be started immediately during an active incident.
10. Use Process of Elimination: When facing scenario-based questions, eliminate answers that contradict fundamental network concepts. For example, if a question asks about identifying the content of encrypted HTTPS traffic, eliminate answers suggesting direct payload inspection without decryption keys — focus on metadata analysis techniques instead.
11. Remember the Investigation Workflow: Questions may test the proper order of investigation steps. Remember: detect → identify → collect evidence → analyze → contain → remediate → document. Skipping steps or performing them out of order is usually the wrong answer.
12. Practice with Real PCAPs: Before the exam, practice analyzing sample PCAPs from resources like Malware Traffic Analysis (malware-traffic-analysis.net) and SANS holiday challenges. Hands-on experience translates directly to exam performance, especially on practical scenario questions.
13. Index Your Course Materials: The GCIH exam is open book. Create a detailed index of network investigation topics in your course materials, including tool syntax, protocol details, and analysis procedures. Tab and label key sections for quick reference during the exam.
14. Focus on Zeek Log Fields: Know the key fields in Zeek conn.log (uid, id.orig_h, id.resp_h, id.orig_p, id.resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state) and how to interpret connection states (S0, S1, SF, REJ, RSTO, etc.).
15. Don't Overthink: Network investigation questions on the GCIH exam test practical knowledge. If a question presents a network scenario, focus on what the evidence clearly shows rather than speculating about edge cases. The most straightforward interpretation is usually correct.
Summary
Network investigation techniques form the backbone of effective incident response. They enable analysts to detect threats, understand attack scope, collect evidence, and support containment decisions. For GCIH exam success, focus on understanding core protocols, mastering key tools (Wireshark, tcpdump, Snort/Suricata, Zeek), recognizing common attack patterns in network traffic, and applying a structured investigation methodology. Combine theoretical knowledge with hands-on practice, build a solid index, and approach exam questions methodically to achieve the best results.
