Network-specific evidence collection and analysis during security incidents.
This skill covers network artifacts only: packet captures, flow records
(NetFlow/sFlow/IPFIX), ARP/MAC/CAM tables, routing table state, and device
syslog events. It does not cover general incident response lifecycle (NIST
800-61), endpoint forensics, malware analysis, or organizational
communication plans.
The procedure follows an event-driven lifecycle shaped around forensic
evidence: preserve volatile data → triage scope → detect lateral movement →
verify containment → reconstruct timeline → document findings. All commands
are read-only. Containment verification confirms that previously applied
controls are effective — it does not execute containment actions.
Commands use [Cisco], [JunOS], or [EOS] vendor labels where syntax
diverges. See references/cli-reference.md for the full command reference
and references/forensics-workflow.md for evidence methodology,
chain-of-custody templates, and timeline reconstruction guidance.
(packet captures, flow analysis, device logs)
network after a confirmed security event
internal hosts using flow records, ARP/MAC table changes, and routing
state analysis
internal actor reached target systems via network path analysis
flow record byte counts and packet capture content analysis
routes, or VLAN isolation applied by responders are blocking attacker
traffic effectively
incident scope is sufficient for all evidence collection commands.
No enable/configure privilege is required.
must be receiving exports from network devices. Verify with flow export
commands in references/cli-reference.md. Without flow data, lateral
movement analysis (Step 3) is limited to ARP/MAC/syslog correlation.
SIEM or syslog server. Local device log buffers are small and rotate
quickly. Missing centralized logs create timeline gaps.
with [Cisco] show ntp status, [JunOS] show system ntp,
[EOS] show ntp status. Skewed clocks corrupt timeline correlation.
device configurations from before the incident for comparison. Without
baselines, anomaly detection relies on general heuristics rather than
delta analysis.
Follow these six steps in order. Earlier steps capture volatile evidence
before it ages out; later steps analyze and document. Each step references
specific commands from references/cli-reference.md and methodology from
references/forensics-workflow.md.
Capture volatile network evidence before it ages out or is overwritten.
Follow the volatility ordering from references/forensics-workflow.md —
most volatile first.
1a. ARP / MAC / CAM tables (highest volatility — minutes to hours):
Collect the current ARP and MAC address tables from every device in the
incident scope. These tables map IP addresses to MAC addresses and MAC
addresses to physical switch ports — essential for identifying which hosts
were connected where.
show arp and show mac address-tableshow arp no-resolve and show ethernet-switching tableshow arp and show mac address-tableSave output to files with timestamps. ARP entries typically age out in
4 hours; CAM entries in 5 minutes. Delay here means losing L2 mapping.
1b. Active packet captures (real-time — exists only while traffic flows):
If the incident is active and the investigation requires payload-level
evidence, initiate packet captures on relevant interfaces immediately.
monitor capture CAP1 interface both then monitor capture CAP1 start — export with
monitor capture CAP1 export flash:evidence.pcap
monitor traffic interface write-file /var/tmp/capture.pcap bash tcpdump -i -w /mnt/flash/evidence.pcap -c 10000 > Performance note: On-device packet capture consumes CPU. Monitor
> device health during capture and set packet count or duration limits.
1c. Routing table snapshots (hours — convergence overwrites state):
show ip route and show ip route summaryshow route and show route summaryshow ip route and show ip route summaryAlso capture routing protocol adjacency state (show ip ospf neighbor,
show ip bgp summary or vendor equivalents) to document peering status
at the time of collection.
1d. Flow export verification (hours to days — collector retention):
Confirm that flow data from the incident time window is available in the
flow collector. Verify export is active and records exist:
show flow monitor and show flow exporter statistics show services flow-monitoring version-ipfix template and show services accounting status
show flow tracking and show flow tracking counters1e. Device configuration and comprehensive state:
Save the running configuration and full technical support output for each
device in scope:
show tech-support | redirect flash:tech--.txt request support information | save /var/tmp/tech--.txt show tech-support | redirect flash:tech--.txt Compute SHA-256 hashes immediately after saving evidence files (see
references/forensics-workflow.md for hash verification commands).
Determine the scope of the incident — affected devices, time window,
involved IP addresses — using log and flow data collected in Step 1.
Identify the time window: Find the earliest indicator (first alert,
first anomalous event) and the latest known malicious activity. Add a
buffer of ±2 hours to account for undetected precursor activity.
Identify involved IPs: Extract unique source and destination IP
addresses from alerts, SIEM events, and flow records within the time
window. Classify each as internal, external, or infrastructure.
Identify affected devices: Determine which network devices handled
traffic to/from involved IPs. Use routing tables to trace the forwarding
path and identify all transit devices.
Scope assessment output: A list of (1) affected time window, (2)
involved IP addresses with classification, (3) affected network devices,
and (4) evidence types available for each device. This scoping drives
the depth of Steps 3–5.
Trace internal-to-internal connections that indicate attacker movement
between hosts. Lateral movement leaves evidence in flow records (new
internal connections), ARP/MAC tables (new L2 entries), and syslog
(authentication events, new sessions).
Flow record analysis: Query the flow collector for internal-to-internal
connections involving known compromised IPs during the incident time
window. Look for:
RDP/3389, SSH/22, WinRM/5985, WMI/135)
before (new destination analysis)
window (scanning behavior)
ARP/MAC table analysis: Compare current ARP/MAC tables against
baseline captures. Look for:
or MAC spoofing)
MITM)
Syslog correlation: Review authentication events on network devices
during the incident window. Attacker lateral movement often involves:
device management interfaces
Verify that containment measures applied by the incident response team
are functioning as intended. This step is strictly read-only — it
confirms effectiveness, it does not apply containment.
ACL hit count verification: Confirm that blocking ACLs are matching
the attacker's traffic. Rising hit counters on deny rules confirm the
ACL is intercepting traffic.
show access-lists — check hitcounters on deny entries
show firewall filter — checkterm counters for deny actions
show access-lists — checkper-entry match counts
Routing containment verification: If null routes or route
modifications were applied for containment, verify they are present and
effective:
are not being overridden by dynamic protocols
Network isolation verification: If VLAN isolation was applied, verify
that the isolated segment has no unintended paths:
on uplinks
Build a unified chronological sequence of network events from all
evidence sources. This timeline is the primary deliverable of network
forensics investigation.
Source integration: Merge events from syslog, flow records, routing
changes, and ARP/MAC transitions into a single timeline sorted by UTC
timestamp. Follow the full timeline reconstruction methodology in
references/forensics-workflow.md.
Key timeline elements:
(first alert, interface state changes, BGP/OSPF adjacency changes)
timestamps, or session identifiers across multiple devices
have been active (document explicitly as uncertainty)
reconnaissance to access, access to lateral movement, lateral
movement to objective or exfiltration
Timeline validation: Cross-reference the reconstructed timeline
against multiple evidence sources. Events confirmed by two or more
independent sources (e.g., firewall deny in syslog + flow record for
same session) are high confidence. Single-source events are medium
confidence.
Compile investigation findings into a structured evidence package. This
documentation supports organizational incident response and any
subsequent legal or compliance review.
Required documentation artifacts:
in references/forensics-workflow.md)
(from Step 3, if lateral movement was detected)
| Priority | Evidence Type | Condition | Rationale |
|---|---|---|---|
| ---------- | -------------- | ----------- | ----------- |
| Critical | Active packet captures | Incident is active, payload evidence required | Live traffic cannot be recovered after the fact |
| Critical | ARP/MAC/CAM tables | Any incident within the last 4 hours | Aging timers overwrite entries — shortest evidence lifespan |
| High | Flow records | Incident time window within collector retention | Reveals communication patterns and lateral movement paths |
| High | Syslog events | Incident time window within log retention | Provides the event narrative — auth, config, state changes |
| Medium | Routing table snapshots | Suspected route manipulation or path analysis needed | Shows forwarding state but only captures current point-in-time |
| Medium | SNMP trap history | Corroborating physical or threshold events | Supplements syslog but with less detail |
| Low | Historical config archives | Baseline comparison or configuration drift analysis | Persistent data — available for later retrieval if needed |
| Check | Expected Result | Failure Indicator |
|---|---|---|
| ------- | ---------------- | ------------------- |
| ACL deny counters | Incrementing on containment rules | Zero or static counters — ACL not matching traffic |
| Null route presence | Attacker prefix routes to Null0/discard | Route missing or overridden by dynamic protocol |
| VLAN isolation | No L3 routes to/from isolated segment | Routes exist, providing bypass path |
| Flow records post-containment | No new flows from/to attacker IPs | Continuing flows indicate containment bypass |
Incident reported
├── Is the incident currently active?
│ ├── Yes — Active threat
│ │ ├── Is payload-level evidence needed?
│ │ │ ├── Yes → Start packet capture immediately (Step 1b)
│ │ │ └── No → Proceed to ARP/MAC collection (Step 1a)
│ │ └── Simultaneously: collect ARP/MAC tables (Step 1a)
│ │ └── Then: routing snapshots (Step 1c) → flow verification (Step 1d)
│ │
│ └── No — Post-incident investigation
│ ├── How long ago did the incident occur?
│ │ ├── < 4 hours → ARP/MAC tables may still have entries (Step 1a)
│ │ ├── 4–24 hours → ARP tables likely aged out; start with flow data
│ │ └── > 24 hours → Rely on syslog and flow collector retention
│ └── Verify flow data and syslog coverage for incident window (Steps 1d, 1e)
│
├── Has containment been applied?
│ ├── Yes → Add containment verification (Step 4) after triage
│ │ └── Check ACL counters, null routes, VLAN isolation
│ └── No → Skip Step 4, proceed through Steps 1–3, 5–6
│
└── Proceed to initial triage (Step 2)
NETWORK FORENSICS EVIDENCE SUMMARY
=====================================
Incident Reference: [ticket/tracking number]
Investigation Period: [start] — [end] (UTC)
Network Scope: [number] devices across [number] sites
Analyst: [name/identifier]
Collection Date: [date evidence collection began]
EVIDENCE INVENTORY:
| # | Device | Evidence Type | File | SHA-256 | Collected At |
|---|--------|--------------|------|---------|-------------|
| 1 | [host] | [type] | [file] | [hash] | [time UTC] |
INCIDENT TIMELINE:
| # | Time (UTC) | Device | Event | Details | Confidence |
|---|-----------|--------|-------|---------|------------|
| 1 | [time] | [host] | [event] | [details] | [H/M/L] |
LATERAL MOVEMENT MAP (if detected):
- Source host → destination host : port (first seen, last seen, byte count)
- [list all observed internal-to-internal attacker paths]
CONTAINMENT VERIFICATION:
| Control | Device | Status | Evidence |
|---------|--------|--------|----------|
| [ACL/route/VLAN] | [host] | [Effective/Bypassed] | [counter values] |
EVIDENCE GAPS:
- [device/time period with missing evidence and impact on conclusions]
RECOMMENDATIONS:
1. [network-level remediation or monitoring improvement]
Symptom: Flow records do not exist for devices or time windows
critical to the investigation.
Diagnosis: Verify flow export configuration on each device using
commands in references/cli-reference.md. Check collector storage —
retention may have expired for the incident time window.
Workaround: Substitute with syslog events (lower fidelity but covers
event timestamps) and ARP/MAC table correlation. Document the flow gap
and its impact on lateral movement analysis completeness.
Symptom: Events from different devices appear out of order or
correlation produces implausible sequences.
Diagnosis: Check NTP status on each device. Compare timestamps of
events that should be near-simultaneous (e.g., both ends of a link-down
event logged by adjacent devices).
Workaround: Calculate clock offset per device and apply correction
to the timeline. Note the correction in evidence documentation. Reduce
correlation confidence for events involving desynchronized devices.
Symptom: Syslog events from the incident time window no longer exist
on the device or in the SIEM.
Diagnosis: Check device log buffer size (show logging to see
buffer capacity and oldest retained message). Check SIEM retention
policy for the relevant index.
Workaround: Use flow records or SNMP trap history as alternative
event sources. Note the syslog gap in the timeline with an explicit
confidence reduction for that time period.
Symptom: Device CPU spikes or forwarding performance degrades during
on-device packet capture.
Diagnosis: Monitor CPU utilization during capture. On-device
capture processes packets in software, bypassing hardware forwarding.
Workaround: Limit captures with ACL filters (capture only relevant
traffic), set packet count limits (-c flag), use span/mirror sessions
to an external capture appliance instead of on-device capture, or
reduce capture duration. If performance impact is unacceptable, stop
capture and rely on flow records for metadata-level analysis.
Symptom: ARP or MAC address tables are mostly empty — entries have
already aged out by the time evidence collection begins.
Diagnosis: Default ARP aging is 4 hours; default CAM aging is
5 minutes. If more than 4 hours have elapsed since the incident,
ARP entries for inactive hosts will be gone.
Workaround: Cross-reference DHCP lease logs for IP-to-MAC mappings
during the incident window. Use flow records to identify involved
IP addresses without L2 mapping. Check if any NMS polled ARP/MAC
tables via SNMP during the incident window.
共 1 个版本