When performing an internal network investigation, what limitations do you have if you do not have full packet available?
Solution
First of all, packet data is great: it provides many benefits, but it also has many limitations.
Let us list some of those limitations:
1. No matter how good the tools are, they can only see network traffic. More so, they can only see the network traffic crossing the data lines they are connected to. At a minimum, sniffers are placed at the edge of the network to capture the data ingressing and egressing the organization. This is good but may be inadequate. If capture only takes place at the edge, you are missing a lot of what goes on within the network. There are many advanced indicators you will not be privy to if you only capture at the edge.
2. To provide forensic-level information and details, the capturing system needs to be application aware, meaning it recognizes how applications communicate over a network protocol so it can provide context around what the application is doing and determine whether the activity is uncharacteristic. It also needs to be able to create metadata about the packets and flows at the time of capture, for use in analysis and correlation. If the system does not create the metadata, searching is far more difficult and the analyst will have to do much of the data analysis and crunching by hand before rendering a decision.
3. Just because you can capture it doesn't mean you should keep it forever. Though most organizations have corporate-use and privacy policies, capturing and storing personal data is a precarious practice. Many countries, and state governments in the U.S., have strict privacy laws that can be broken by full packet capture, especially if access and use are not closely controlled. Personnel with access to the data must be highly trustworthy and should be vetted to ensure they maintain the highest standards possible, both to avoid misusing the data they have access to and to avoid legitimate lawsuits from monitored personnel.
4. When considering packet capture for use in forensic investigations, make sure that you are getting full packet capture, not just summary data. Many packages can only deliver summary data, which means that not only parts of the data but entire conversations can be missed between samples. This has many side effects, including eliminating the ability to do data reconstruction.
5. No matter how good your packet capture is or where it is placed, it can't tell you everything that has happened on the endpoint. Yes, it can show you remotely issued commands that were not encrypted in transit, but in the scenario where an attacker encrypts the transmission, it is totally blind. Similarly, where personnel are using web mail, most of those transmissions are now encrypted, so it is blind. Also, if malware is introduced to a system via a USB stick, there is no network traffic. That malware may later be detected as it reaches out to the Internet, but if no sniffers are placed internally, it could spread to every system in the environment before being detected. If it is designed to cause problems rather than to exfiltrate data, it could totally compromise the environment before being identified. There are a lot of "ifs" here, but they are all relevant. The scenario not yet discussed is the trusted insider who logs on to a system locally and removes data or makes changes to the system. That is never seen by the network sniffer.
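The following is an added example, not part of the answer above, that makes three of the listed limitations concrete in one small model: what an edge-only sensor never sees (internal-to-internal traffic), what flow metadata built at capture time does and does not give you, and what 1-in-N sampling and summary-only data cost you when you try to reconstruct a conversation. Everything in it is constructed for illustration: the 10.0.0.0/8 corporate range, the packet list, the SMB payload strings, and the assumption that a "core" sensor on a switch SPAN sees all traffic.

```python
"""Toy model of sensor placement and capture fidelity (constructed example)."""
from ipaddress import ip_address, ip_network

# Assumed corporate address space for this example.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed packets: (time_s, src, sport, dst, dport, payload). All TCP.
PACKETS = [
    # Workstation to an Internet host over TLS: crosses the edge, payload opaque.
    (1.0, "10.0.1.5", 50001, "203.0.113.9", 443, b"\x16\x03\x01 client hello"),
    (1.2, "203.0.113.9", 443, "10.0.1.5", 50001, b"\x16\x03\x03 server hello"),
    # Same workstation to an internal file server over SMB: never crosses the edge.
    (2.0, "10.0.1.5", 50002, "10.0.2.7", 445, b"\xfeSMB tree connect \\\\FILESRV\\ADMIN$"),
    (2.1, "10.0.1.5", 50002, "10.0.2.7", 445, b"\xfeSMB write PSEXESVC.exe"),
    (2.2, "10.0.2.7", 445, "10.0.1.5", 50002, b"\xfeSMB status ok"),
    # Same workstation to a second internal host: a single-packet conversation.
    (3.0, "10.0.1.5", 50003, "10.0.3.9", 445, b"\xfeSMB tree connect \\\\HR-PC\\ADMIN$"),
]


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def visible_to(sensor, packets):
    """Packets a sensor at a given placement would see.

    'edge': only traffic ingressing or egressing (exactly one endpoint internal).
    'core': a SPAN of the core switch, assumed here to see every packet.
    """
    if sensor == "core":
        return list(packets)
    if sensor == "edge":
        return [p for p in packets if is_internal(p[1]) != is_internal(p[3])]
    raise ValueError(f"unknown sensor placement: {sensor}")


def flow_key(p):
    """Direction-agnostic 5-tuple so both directions of a conversation share one flow."""
    lo, hi = sorted([(p[1], p[2]), (p[3], p[4])])
    return (lo[0], lo[1], hi[0], hi[1], "tcp")


def flow_records(packets):
    """Metadata created at capture time: per-flow packet/byte counts and timing.

    This is what a summary-only sensor gives you: enough to spot that 10.0.1.5
    touched two hosts on 445, not enough to say what it did there.
    """
    flows = {}
    for p in packets:
        rec = flows.setdefault(flow_key(p), {"packets": 0, "bytes": 0,
                                             "first": p[0], "last": p[0]})
        rec["packets"] += 1
        rec["bytes"] += len(p[5])
        rec["first"] = min(rec["first"], p[0])
        rec["last"] = max(rec["last"], p[0])
    return flows


def flows_to_port(flows, port):
    """Flow keys with the given port on either side."""
    return {k for k in flows if port in (k[1], k[3])}


def sample_one_in_n(packets, n):
    """1-in-N packet sampling, as a summary-oriented sensor might do (assumed sFlow-style)."""
    return [p for i, p in enumerate(packets) if i % n == 0]


def reassemble(packets, src, sport, dst, dport):
    """Reconstruct one direction of a conversation by concatenating payloads in time order.

    Only possible when payloads were kept, i.e. with full packet capture.
    """
    return b"".join(p[5] for p in sorted(packets, key=lambda p: p[0])
                    if (p[1], p[2], p[3], p[4]) == (src, sport, dst, dport))


if __name__ == "__main__":
    for sensor in ("edge", "core"):
        seen = visible_to(sensor, PACKETS)
        print(f"{sensor}: {len(seen)} packets, SMB flows seen:",
              sorted(flows_to_port(flow_records(seen), 445)))
    print("reconstructed from full capture:",
          reassemble(PACKETS, "10.0.1.5", 50002, "10.0.2.7", 445))
    print("reconstructed from 1-in-2 sample:",
          reassemble(sample_one_in_n(PACKETS, 2), "10.0.1.5", 50002, "10.0.2.7", 445))
```

Run as a script, it shows the edge sensor reporting no SMB flows at all while the core sensor reports two, the full-capture reassembly recovering the PSEXESVC write, and the sampled capture dropping both that write and the entire one-packet conversation with 10.0.3.9. The flow records alone would still have told an analyst that the workstation opened ADMIN$ connections, which is why generating that metadata at capture time is worth doing even when full capture is retained.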
