Network Forensic Frameworks - Survey and Research Challenges

Download as pdf or txt
Download as pdf or txt
You are on page 1of 14

digital investigation 7 (2010) 14–27

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/diin

Network forensic frameworks: Survey and


research challenges

Emmanuel S. Pilli*, R.C. Joshi, Rajdeep Niyogi


Department of Electronics and Computer Engineering, Indian Institute of Technology Roorkee, Roorkee, Uttarakhand 247667, India

article info abstract

Article history: Network forensics is the science that deals with capture, recording, and analysis of
Received 22 December 2009 network traffic for detecting intrusions and investigating them. This paper makes an
Received in revised form exhaustive survey of various network forensic frameworks proposed till date. A generic
13 February 2010 process model for network forensics is proposed which is built on various existing models
Accepted 16 February 2010 of digital forensics. Definition, categorization and motivation for network forensics are
clearly stated. The functionality of various Network Forensic Analysis Tools (NFATs) and
Keywords: network security monitoring tools, available for forensics examiners is discussed. The
Network forensics specific research gaps existing in implementation frameworks, process models and anal-
NFATs ysis tools are identified and major challenges are highlighted. The significance of this work
Distributed systems is that it presents an overview on network forensics covering tools, process models and
Soft computing framework implementations, which will be very much useful for security practitioners and
Honeypots researchers in exploring this upcoming and young discipline.
Data fusion ª 2010 Elsevier Ltd. All rights reserved.
Attribution
Traceback
Incident response

1. Introduction this attack was that Twitter’s network did not have the
defenses in place to mitigate a massive DDoS attack. Most
On August 6, 2009, social networking sites like Twitter, Face- traditional security products aren’t equipped to handle
book and Google blogger were knocked down by distributed massive bombardment of packets that happens in a DDoS
denial of service (DDoS) attacks. Facebook and Google could attack. The lack of solid contingency plan and pro-active
recover within a day while Twitter staff team worked round security mechanism created a fragile platform vulnerable to
the clock in the weekend to deal with the attack as reported in attack as reported in ChannelWeb.
Computer World. Los Angeles Times speculated that perpe- Rosenberg referring to the attack on Twitter, wrote that
trators of the DDoS attack may have been bored teenagers or having appropriate tools in place and following correct proce-
Russian and Georgian political operatives involved in cyber- dures help to eliminate or mitigate the effects of an attack.
space fighting. The newspaper quoted security experts that A network analysis tool can be used to capture all packets in
fingerprints of a sophisticated operation involving botnets a common data format for analysis. It can also raise alerts when
were observed and Twitter website had limited capacity to thresholds are exceeded. Network forensic tools can be used to
handle incoming traffic. The obvious reason for the success of reconstruct the sequence of events that occur at the time of

* Corresponding author. Tel.: þ91 1332 285650/5896; fax: þ91 1332 273560.
E-mail addresses: [email protected], [email protected] (E.S. Pilli), [email protected] (R.C. Joshi), [email protected]
(R. Niyogi).
1742-2876/$ – see front matter ª 2010 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2010.02.003
digital investigation 7 (2010) 14–27 15

attack. Crucial information is gained to prevent a similar attack existing network forensic models. We use the term ‘model’ to
in future even if the present attack could not be prevented. imply a theoretical representation of phases involved in
Habib in his detailed analysis explained that network network forensics. This model may or may not have been
forensics can be used to analyze how the attack occurred, who implemented. We propose a generic process model for
was involved in that attack, duration of the exploit, and the network forensics, considering only the phases applicable to
methodology used in the attack. It also helps in characterizing networked environments, based on the existing models.
zero-day attacks. In addition, network forensics can be used as Section 5 surveys many implementation frameworks of
a tool for monitoring user activity, business transaction analysis these models. They are discussed under various categories
and pinpointing the source of intermittent performance issues. like distributed systems, soft computing, honeypots and
Network forensics is not another term for network secu- aggregation systems. We use the term ‘framework’ to mean
rity. It is an extended phase of network security as the data for practical implementation. The specific research gaps existing
forensic analysis are collected from security products like in these framework implementations and major challenges
firewalls and intrusion detection systems. The results of this are presented in Section 6. Conclusions and future work are
data analysis are utilized for investigating the attacks. given in Section 7.
However, there may be certain crimes which do not breach
network security policies but may be legally prosecutable.
These crimes can be handled only by network forensics 2. Background
(Broucek and Turner, 2001).
Network security protects system against attack while Network forensics is being researched for a decade but it still
network forensics focuses on recording evidence of the attack. seems a very young science and many issues are still not very
Network security products are generalized and look for possible clear and are ambiguous. The definition, categorization and
harmful behaviors. This monitoring is a continuous process and motivation for this upcoming field are given below.
is performed all through the day. But, network forensics
involves post mortem investigation of the attack and is initiated 2.1. Definition
notitia criminis (after crime notification). It is case specific as each
crime scenario is different and the process is time bound. The concept of network forensics deals with data found across
Network forensics is the science that deals with capture, a network connection mostly ingress and egress traffic from
recording, and analysis of network traffic. The network log one host to another. Network forensics tries to analyze traffic
data are collected from existing network security products, data logged through firewalls or intrusion detection systems
analyzed for attack characterization and investigated to or at network devices like routers and switches.
traceback the perpetuators. This process can bring out defi- Network forensics is defined in Palmer (2001) as ‘‘use of
ciencies in security products which can be utilized to guide scientifically proven techniques to collect, fuse, identify,
deployment and improvement of these tools. examine, correlate, analyze, and document digital evidence
Network forensics is a natural extension of computer from multiple, actively processing and transmitting digital
forensics. Computer forensics was introduced by law sources for the purpose of uncovering facts related to the
enforcement and has many guiding principles from the planned intent, or measured success of unauthorized activi-
investigative methodology of judicial system. Computer ties meant to disrupt, corrupt, and or compromise system
forensics involves preservation, identification, extraction, components as well as providing information to assist in
documentation, and interpretation of computer data. response to or recovery from these activities.’’
Network forensics evolved as a response to the hacker Ranum is credited with defining network forensics as
community and involves capture, recording, and analysis of ‘‘capture, recording, and analysis of network events in order
network events in order to discover the source of attacks. to discover the source of security attacks or other problem
In computer forensics, investigator and the hacker being incidents.’’
investigated are at two different levels with investigator at an Network forensics involves monitoring network traffic and
advantage. In network forensics, network investigator and the determining if there is an anomaly in the traffic and ascer-
attacker are at the same skill level. The hacker uses a set of taining whether it indicates an attack. If an attack is detected,
tools to launch the attack and the network forensic specialist then the nature of the attack is also determined. Network
uses similar tools to investigate the attack (Berghel, 2003). forensic techniques enable investigators to track back the
Network forensic investigator is further at disadvantage as attackers. The ultimate goal is to provide sufficient evidence
investigation is one of the many jobs he is involved. The to allow the perpetrator to be prosecuted (Yasinsac and
hacker has all the time at his disposal and will regularly Manzano, 2001).
enhance his skills, motivated by the millions of dollars in
stake. The seriousness of what is involved makes network 2.2. Classification of Network Forensics Systems
forensics an important research field.
The aim of this work is to provide a detailed overview of Network forensic systems are classified into two types each
network forensics. The paper is organized as follows: defini- based on various characteristics like purpose, collection and
tion, categorization and motivation are clearly stated in nature:
Section 2. The various tools available for network forensic
analysis and security tools which can also be used for specific  Purpose: ‘General Network Forensics’ to enhance network
phases are described in Section 3. Section 4 surveys the security and ‘Strict Network Forensics’ to get evidence
16 digital investigation 7 (2010) 14–27

satisfying legal principles and requirements (Ren and Jin, costly. Network criminals will be more cautious to avoid
2005a). prosecution for their illegal actions. This acts as a deterrent
 Collection of Traffic: ‘Catch-it-as-you-can’ systems where all and reduces network crime rate thus improving security.
packets passing through a particular traffic point are captured The attacker is covering his tracks used to cause attacks,
and analysis is subsequently done requiring large amounts of making it more difficult to traceback. Internet Service
storage and ‘Stop-look-and-listen’ systems where each packet Providers (ISPs) are also being made responsible for what
is analyzed in memory and certain information is saved for passes over their network (Perry, 2006). Companies doing
future analysis requiring a faster processor (Garfinkel). business on Internet cannot hide a security breach and are
 Nature: The network forensic system is an appliance with now expected to prove the state of their security as a compli-
hardware and pre-installed software or exclusively a soft- ance measure for regulatory purposes. The ISO 27001/27002
ware tool. standard (Information technology – security techniques –
information security management) (ISO/IEC 27001, 2005)
2.3. Motivation for network forensics specifies the requirements for establishing, implementing,
operating, monitoring, reviewing, maintaining and improving
The large number of security incidents affecting many orga- a documented Information Security Management System
nizations and increasing sophistication of these cyber attacks (ISMS) within the context of the organization’s overall busi-
is the main driving force behind network forensics. The ness risks. Comprehensive audit data are to be maintained to
defensive approaches of network security like firewalls and meet the compliance requirements of many regulations
intrusion detection systems can address attacks only from (netForensics security compliance management).
prevention, detection and reaction perspectives. The alter- Sarbanes–Oxley (SOX) Act requires organizations to
native approach of network forensics becomes important as it implement controls over the release of information to indi-
involves the investigative component as well (Almulhem and viduals or organizations outside the company’s network, and
Traore, 2005). Network forensics ensures that attacker spends implement policies that define how long, and in what manner,
more time and energy to cover his tracks, making the attack electronic communications should be retained. Gramm–

Table 1 – Description of Network Forensic Analysis Tools (NFATs).


Name of the NFAT Description

NetIntercept Captures network traffic and stores in pcap format, reassembles individual data streams, analyzes them by
parsing to recognize the protocol, detects spoofing and generates a variety of reports from the results
NetWitness Captures all network traffic and reconstructs the network sessions to the application layer for automated alerting,
monitoring, interactive analysis and review.
NetDetector Captures intrusions, integrates signature-based anomaly detection, reconstructs application sessions and
performs multi time-scale analysis on diverse applications and protocols. It has an intuitive management console
and full standards based reporting tools. It imports and exports data in a variety of formats.
Iris Collects network traffic and reassembles it in its native session based format, reconstructs actual text of the
session, replays traffic for audit trial of suspicious activity, provides a variety of statistical measurements and has
advanced search and filtering mechanism for quick identification of data.
Infinistream Utilizes intelligent Deep Packet Capture (iDPC) technology and performs real-time or back-in-time analysis. It
does high-speed capture of rich packet details, statistical analysis of packet or flow based data and recognizes
hundreds of applications. It uses sophisticated indexing and Smart Recording and Data Mining (SRDM) for
optimization.
Solera DS 5150 DS 5150 is an appliance for high-speed data capture, complete indexed record of network traffic, filtering,
regeneration and playback. DeepSee forensic suite has three softwares – Reports, Sonar and Search – to index,
search and reconstruct all network traffic.
OmniPeek Provides real-time visibility into every part of the network. It has high capture capabilities, centralized console,
distributed engines, and expert analysis. Omnipliance is a network recording appliance with a multi-terabyte disk
farm and high-speed capture interfaces. OmniEngine software captures and stores network traffic. OmniPeek
interface searches and mines captured data for specific information.
SilentRunner Captures, analyzes and visualizes network activity by uncovering break-in attempts, abnormal usage, misuse and
anomalies. It generates an interactive graphical representation of the series of events and correlates actual
network traffic. It also plays back and reconstructs security incidents in their exact sequence.
NetworkMiner Captures network traffic by live sniffing, performs host discovery, reassembles transferred files, identifies rogue
hosts and assesses how much data leakage was affected by an attacker.
Xplico Captures Internet traffic, dissects data at the protocol level, reconstructs and normalizes it for use in
manipulators. The manipulators transcode, correlate and aggregate data for analysis and present the results in
a visualized form.
PyFlag An advanced forensic tool to analyze network captures in libpcap format while supporting a number of network
protocols. It has the ability to recursively examine data at multiple levels and is ideally suited for network
protocols which are typically layered. PyFlag parses the pcap files, extracts the packets and dissects them at low
level protocols (IP, TCP or UDP). Related packets are collected into streams using reassembler. These streams are
then dissected with higher level protocol dissectors (HTTP, IRC, etc) (Cohen, 2008).
digital investigation 7 (2010) 14–27 17

Table 2 – Description of network security and monitoring (NSM) tools.


Name of the Description
NSM tool

TCPDump A common packet sniffer and analyzer, runs in command line, intercepts and displays packets being transmitted
over a network. It captures, displays, and stores all forms of network traffic in a variety of output formats. It will print
packet data like timestamp, protocol, source and destination hosts and ports, flags, options, and sequence numbers.
Wireshark Most popular network protocol analyzer. It can perform live capture in libpcap format, inspect and dissect hundreds
of protocols, do offline analysis, and work on multiple platforms. It can read and write files in different file formats of
other tools.
TCPFlow Captures data transmitted as part of TCP connections (flows) and stores it for protocol analysis. It reconstructs actual
data streams and stores in a separate file. TCPFlow understands sequence numbers and will correctly reconstruct
data streams regardless of retransmissions or out-of-order delivery.
Flow-tools Library to collect, send, process and generate reports from NetFlow data. Important tools in the suite are – flow
capture which collects and stores exported flows from a router, flow-cat concatenates flow files, flow report
generates reports for NetFlow data sets, and flow-filter filters flows based on export fields.
NfDump A suite of tools working with NetFlow format: nfcapd – NetFlow capture daemon reads the NetFlow data from the
network and stores it. NfDump – NetFlow dump reads the NetFlow data from these files, displays them and creates
statistics of flows, IP addresses, ports etc. nfprofile – NetFlow profiler filters the NetFlow data according to the
specified filter sets and stores the filtered data. nfreplay – NetFlow replay sends data over the network to another
host.
PADS PADS is a portable, lightweight and intelligent network sniffer. It is a signature-based detection engine used to
passively detect network assets. It can sniff TCP, ARP and ICMP traffic packets. It can move information about unique
assets and services seen on the network into permanent storage, output it in CSV or MySQL format or present an user
friendly report.
Argus Processes packets in capture files are live data and generate detailed status reports of the ‘flows’ detected in the
packet stream. The flow reports capture the semantics of every flow with a great deal of data reduction. The audit
data are good for network forensics, non-repudiation, detecting very slow scans, and supporting zero-day events.
Nessus Vulnerability scanner featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery
and vulnerability analysis
Sebek Kernel based data capture tool designed to capture all activity on a Honeypot. It records keystrokes of a session that is
using encryption, recover files copied with SCP, capture passwords used to log in to remote system, and accomplish
many other forensics related tasks.
TCPTrace Produce different types of output containing information, such as elapsed time, bytes/segments which are sent and
received, retransmissions, round trip times, window advertisements, and throughput.
Ntop Used for traffic measurement, network traffic monitoring, optimization, planning, and detection of network security
violations. It provides support for both tracking ongoing attacks and identifying potential security holes including IP
spoofing, network cards in promiscuous mode, denial of service attacks, trojan horses and port scan attacks.
TCPStat Reports network interface statistics like bandwidth, number of packets, packets per second, average packet size,
standard deviation of packet size and interface load by monitoring an interface or reading from libpcap file.
IOS NetFlow Collects and measures IP packet attributes of each packet forwarded through routers or switches, groups similar
packets into a flow, to help understand who, what, when, where and how the traffic is flowing. It also detects network
anomalies and security vulnerabilities
TCPDstat Produces per-protocol breakdown of traffic, for a given libpcap file, like number of packets, average rate and its
standard deviation, number of unique source and destination address pairs. It is also useful in getting a high-level
view of traffic patterns.
Ngrep A pcap-aware tool that allows specifying extended regular or hexadecimal expressions to match against data
payloads. It can debug plaintext protocol interactions to identify and analyze anomalous network communications
and to store, read and reprocess pcap dump files while looking for specific data patterns.
TCPXtract Extracts files from network traffic based on file signatures. It can also be used to intercept files transmitted across
networks.
SiLK Supports efficient capture, storage and analysis of network flow data based on Cisco NetFlow. The tool suite,
consisting of collection and analysis tools, provides analysts with the means to understand, query, and summarize
both recent and historical traffic data in network flow records. SiLK supports network forensics in identifying
artifacts of intrusions, vulnerability exploits, worm behavior, etc. SiLK has performance as a key element and
manages the large volume of traffic by storing only the security-related information.
TCPReplay Suite of tools with ability to classify previously captured traffic as client or server, rewrite layer 2, 3 and 4 headers and
finally replay the traffic back onto the network. TCPPrep is a multi-pass pcap file pre-processor which determines
packets as client or server, TCPRewrite is a pcap file editor which rewrites packet headers, TCPReplay replays pcap
files at arbitrary speeds onto the network and TCPBridge bridges two network segments.
P0f Passive OS fingerprinting by capturing traffic coming from a host to the network. It can also detect the presence of
firewall, use of NAT, existence of a load balancer setup, distance to the remote system and its uptime.
Nmap Utility for network exploration and security auditing. It supports many types of port scans and can be used as on OS
fingerprinting tool. It uses raw IP packets in novel ways to determine hosts available on the network, services being
offered, operating systems running, firewalls in use and many other characteristics.

(continued on next page)


18 digital investigation 7 (2010) 14–27

Table 2 (continued ).
Name of the Description
NSM tool

Bro NIDS that passively monitors network traffic for suspicious activity. It detects intrusions by first parsing network
traffic to extract its application-level semantics and then executing event-oriented analyzers that compare this
activity with patterns deemed troublesome. It is primarily a research platform for IDS, traffic analysis and network
forensics.
Snort Network intrusion prevention/detection system capable of performing packet logging, sniffing and real-time traffic
analysis. It can perform protocol analysis, content searching, matching and application-level analysis. It can capture
the traffic in libpcap format.

Leach–Bliley Act (GLBA) requires financial institutions to be viewed as individual transport layer connections between
develop, implement, and maintain a comprehensive written machines, which enable the user to analyze protocol layers,
information security program that protects the privacy and packet content, retransmitted data, and extract traffic
integrity of customer records. patterns between various machines.
Health Insurance Portability and Accountability Act (HIPAA) There are some NFATs available that provide reliable data
was established to improve health insurance accessibility for acquisition and powerful analysis capabilities. There are many
individuals changing employers or leaving the workforce and other open source network security and monitoring tools, which
protect the electronic transmission of health-related data. were developed to provide network security. They were not
Federal Information Security Management Act (FISMA) recog- designed with evidence gathering and processing in mind.
nized the need to define a comprehensive framework for These tools do not have a forensic standing (Casey, 2004).
establishing and monitoring security programs for federal However they can be used to help in specific activities of forensic
agencies. It has minimum security requirements covering 17 analysis. A description about a partial list of the NFATs and
security-related areas for protecting the confidentiality, integ- network security tools is given in Tables 1 and 2 respectively.
rity, and availability of federal information and systems. The various classifications of tools are visualized in Fig. 1.
By adhering to the Payment Card Industry (PCI) Data
Security Standard (DSS), retailers, service providers and allied
3.1. Commands in modern operating systems
organizations can dramatically reduce the vulnerabilities that
are easily exploited for the purpose of compromising corpo-
Many commands are available inbuilt in modern operating
rate data. PCI DSS applies to merchants, acquiring banks,
systems which can be used for assisting network forensics
issuing banks, payment processors and other allied service
(Clarke, 2006). A few of them are described below.
providers that process, store, transmit and/or dispose of
consumer card information. All the above mentioned regula-
 nslookup (name server lookup) is a command used to query
tory acts require adherence to strict security measures and
Domain Name System (DNS) servers to find DNS details and
maintaining comprehensive audit data. An integrated
IP addresses of a particular computer.
network forensic process will facilitate meeting compliance
requirements for organizations and ISPs, while recording
evidence for investigation and helping in understanding the
NetDetector
attacker’s methodology.
InfiniStream
NetIntercept
Iris
NetWitness DeepSee
3. Network Forensic Analysis Tools
NetworkMiner OpenPeek
Network Forensic Analysis Tools (NFATs) (Sira, 2003) allow
Proprietary
Xplico
administrators to monitor networks, gather all information
Open SilentRunner
about anomalous traffic, assist in network crime investigation
PyFlag Source
and help in generating a suitable incident response. NFATs NFATS
also help in analyzing the insider theft and misuse of TCPDump NSM Tools IDS Bro Snort
resources, predict attack targets in near future, perform risk Wireshark Packet Finger-
Capture printing
assessment, evaluate network performance, and help to TCPFlow P0f
Manipu-
protect intellectual propriety. flow-tools Pattern lation
Nmap
Statistic
NFATs capture the entire network traffic, allow users to NfDump Matching
SiLK
PADS
analyze network traffic according to their needs and discover Argus Nessus
significant features about the traffic. NFATs synergize with TCPTrace Ngrep TCPReplay
Sebek Ntop
intrusion detection systems and firewalls and make long term TCPStat
NetFlow TCPXtract
preservation of network traffic records for quick analysis. The
TCPDstat
attack traffic can be replayed and attackers’ moves can be
analyzed for malicious intent (Corey et al., 2002). NFATs
facilitate organization of captured network traffic packets to Fig. 1 – Classification of NFATs and NSM tools.
digital investigation 7 (2010) 14–27 19

 traceroute or tracert is a command used to determine the the techniques used for physical investigations. Readiness
route taken by packets across an IP network. phase ensures operations infrastructure is ready. Survey,
 tcpslice is a program for extracting portions of packet-trace search and collection phases gather and process the data.
files generated by TCPDump. Reconstruction phase is similar to analysis phase and the
 netstat (network statistics) is a command tool that displays documentation phase records all the evidence.
network connections (incoming/outgoing), routing tables, Ciardhuain (2004) combined existing models and proposed
and other network interface statistics. an extended model of cyber crime investigations which
 nbtstat displays protocol statistics and current TCP/IP represents the information flow and performs full investiga-
connections using NBT (NetBIOS over TCP/IP). tion. Awareness is the first step which announces investiga-
 whois is a query/response protocol command used to tion. Authorization is taken from internal and external
determine the owner of a domain name, an IP address, or an entities. Planning involves strategies and policies. Dissemi-
autonomous system number on the Internet. nation is also done for guiding future investigations and
 ping is a command used to test whether a particular host is procedures.
reachable across a network. Baryamureeba and Tushabe (2004) proposed an enhanced
 dig (domain information groper) is a network tool that digital investigation process model by reorganizing the
queries DNS name servers. various phases in Carrier and Spafford (2003). Two new pha-
ses, traceback and dynamite are included. Sub-phases like
investigation, authorization, reconstruction and communi-
4. Network forensic process models cation give clarity and granularity to the major phases. Beebe
and Clark (2005) propose a hierarchical, objectives based
Proven investigative techniques and methods exist for the framework for digital investigative process in contrast to the
traditional computer forensic discipline. However as we become single tier higher order process models. Their model consists
more and more networked and mobile in home and business, of common phases in first tier. These phases consist of sub-
there is a need to expand our forensic view from disk level to the phases, placed in lower tiers, to provide specificity and gran-
network level. There is a need to factor this transition into ularity, guided by principles and objectives.
concepts, designs and prototypes. Various digital forensic All models mentioned above are applicable to digital
models were proposed to handle the networked environments investigation and include network forensics in a generalized
since 2001. A generic process model for network forensics is form. Ren and Jin (2005a) were the first to propose a general
proposed after a brief survey of the existing models. process model for network forensics with following steps:
capture, copy, transfer, analysis, investigation and
4.1. Survey of existing models presentation.

The first attempt to apply digital forensic science to net-


worked environments was taken up as one of the objectives in
the first Digital Forensic Research Workshop (DFRWS) (Palmer, 4.2. Proposed generic process model
2001) and a framework was proposed. The framework
includes the following steps: identification, preservation, We propose a generic process model for network forensic
collection, examination, analysis, presentation, and decision. analysis based on various existing digital forensics models
Reith et al. (2002) improvised the above model and discussed above. We formalize a methodology specifically for
produced an abstract digital forensic model that is not network based investigation. The various process steps in the
dependant on a particular technology or crime. Authors have model are shown in Fig. 2.
added preparation and approach strategy phases and The first phase involves placing of the network security
included returning the evidence in place of decision. Mandia and monitoring tools at strategic places for collecting
and Procise (2003) develop an incident response method- evidence. The NFATs (NetIntercept; NetWitness; NetDetector;
ology which is simple and accurate. An initial response phase Iris; Infinistream; Solera DS 5150; OmniPeek; SilentRunner;
to ascertain the incident and formulation of a response NetworkMiner; Xplico) work in all the other phases, except
strategy phase are added. The investigation phase includes a few which are not applicable to preservation and investi-
collection and analysis phases as in the earlier models. gation phases. PyFlag does not involve packet capture and
Presentation is called reporting and resolution phase suggests starts with the examination phase. The network security tools
improvements, changes, and long term fixes. which are applicable to individual phases are also listed in
Casey and Palmer (2004) proposed an investigative process each phase. The various phases in the model are explained
model to encourage a complete rigorous investigation, ensure below.
proper evidence handling and reduce chance of mistakes.
Apart from the common phases, assessment phase validates 4.2.1. Preparation
the incident and a decision is taken whether or not to continue Network forensics is applicable only to environments where
the investigation. Harvesting, reduction, organization and network security tools (sensors) like intrusion detection
search phases arrange data so that it is the smallest set with systems, packet analyzers, firewalls, traffic flow measurement
high potential evidence. Persuasion and testimony phases software are deployed at various strategic points on the
present the case in layman terms. Carrier and Spafford (2003) network. The required authorizations and legal warrants are
proposed an integrated digital investigation process based on obtained so that privacy is not violated.
20 digital investigation 7 (2010) 14–27

amount of data logged will be enormous requiring huge


Preparation
memory space and the system must be able to handle
Improvement of Security Tools

different log data formats appropriately. The tools which


Incident assist in this phase are TCPDump, Wireshark, TCPFlow,
Detection
Response NfDump, PADS, Sebek, SiLK, TCPReplay, Snort, Bro.

Collection 4.2.5. Preservation


The original data obtained in the form of traces and logs are
stored on a backup device like read only media. A hash of all
Preservation the trace data is preserved. A copy of the data will be analyzed
and the original network traffic data are untouched. This is
done to facilitate legal requirements which may expect that
Examination the results obtained by the investigation are proved same
when the process is repeated on the original data. The tools
which assist in this phase are TCPDump, Wireshark, TCPFlow,
Analysis
NfDump, PADS, Sebek, SiLK, TCPReplay, Bro, Snort.

Iterative
Process Investigation 4.2.6. Examination
The traces obtained from various security sensors are inte-
grated and fused to form one large data set on which analysis
Presentation can be performed. There are some issues like redundant
information and overlapping time zones which need appro-
Fig. 2 – Generic process model for network forensics. priation. There may be cases where alerts from various
sources are contradictory. However this process needs to be
done so that crucial information from important sources is
not lost. The evidence collected is searched methodically to
4.2.2. Detection extract specific indicators of the crime. Minimum attack
The alerts generated by various security tools, indicating attributes are identified so that the least information recorded
a security breach or policy violation, are observed. Unautho- contains the highest probable evidence. A feedback is given to
rized events and anomalies noticed will be analyzed. The improve the security tools. The tools which assist in this
presence and nature of the attack are determined from phase are TCPDump, Wireshark, TCPFlow, Flow-tools,
various parameters. A quick validation is done to assess and NfDump, PADS, Argus, Nessus, Sebek, TCPTrace, Ntop,
confirm the suspected attack. This will facilitate the impor- TCPStat, NetFlow, TCPDstat, Ngrep, TCPXtract, SiLK, TCPRe-
tant decision whether to continue investigation or ignore the play, P0f, Nmap, Bro, Snort.
alert as a false alarm. Precaution should be taken in order that
the evidence is not altered in the process. The tools which 4.2.7. Analysis
assist in this phase are TCPDump, Wireshark, PADS, Sebek, The indicators are classified and correlated to deduce impor-
Ntop, P0f, Bro, Snort. This phase branches in two directions - tant observations using the existing attack patterns. Statis-
incident response and collection. tical, soft computing and data mining approaches are used to
search the data and match attack patterns. Some of the
4.2.3. Incident response important parameters are related to network connection
The response to crime or intrusion detected is initiated based establishment, DNS queries, packet fragmentation, protocol
on the information gathered to validate and assess the inci- and operating system fingerprinting. The attack patterns are
dent. The response initiated depends on the type of attack put together, reconstructed and replayed to understand the
identified and is guided by organization policy, legal and intention and methodology of the attacker. A feedback is
business constraints. An action plan on how to defend future given to improve the security tools. The tools which assist in
attacks and recover from the existing damage is initiated. At this phase are TCPDump, Wireshark, TCPFlow, Flow-tools,
the same time, the decision whether to continue the investi- NfDump, PADS, Argus, Nessus, Sebek, TCPTrace, Ntop,
gation and gather more information is also taken. A similar TCPStat, NetFlow, TCPDstat, Ngrep, TCPXtract, SiLK, TCPRe-
response is to be initiated after the investigation phase (dis- play, P0f, Nmap, Bro, Snort.
cussed below) where the information obtained may require
certain actions to control and mitigate the attack. 4.2.8. Investigation
The goal is to determine the path from a victim network or
4.2.4. Collection system through any intermediate systems and communica-
Data are acquired from the sensors used to collect the traffic tion pathways, back to the point of attack origination. The
data. A well defined procedure using reliable hardware and packet captures and statistics obtained are used for attribu-
software tools, must be in place to gather maximum evidence tion of the attack. This phase may require some additional
causing minimum impact to the victim. This phase is very features from the analysis phase and hence these two phases
significant as the traffic data change at a rapid pace and it is are iteratively performed to arrive at the conclusion. Attribu-
not possible to generate the same trace at a later time. The tion is establishing the identity of the attacker and is the most
digital investigation 7 (2010) 14–27 21

difficult part of the network forensic process. The two simple


strategies of the attacker to hide himself, IP spoofing and
stepping stone attack, are still open problems (Guan, 2009). Internet
The investigation phase provides data for incident response
and prosecution of the attacker.

4.2.9. Presentation
The observations are presented in an understandable
language for legal personnel while providing explanation of
Gateway
the various procedures used to arrive at the conclusion. The
systematic documentation is also included to meet the legal
requirements. The conclusions are also presented using
Monitored LAN
visualization so that they can be easily grasped. This process
concludes the network forensic analysis as the information Forensic
presented results in the prosecution of the attacker. The entire Server
case is documented to influence future investigations and to
provide feedback to guide the deployment and improvement
of security products.
Hosts
The proposed model is generic as it handles network
forensics both in real-time and post attack scenarios. The first Forensic LAN / VPN
five phases (including incident response) handle real-time
Fig. 3 – A general scheme for distributed frameworks.
network traffic. The preparation phase ensures the monitoring
tools are in place. Detection phase helps in attack discovery
and collection phase captures network packets ensuring
a period of time and a Forensic Server, which is a centralized
integrity of data. A suitable incident response is generated
authority for a domain that manages a set of SynApps in that
based on the nature of attacks. A hash of the data is created and
domain. A forensic server receives queries from outside its
a copy is made in the preservation phase. The next four phases
domain, processes them in co-operation with SynApps and
are common for real-time and post attack scenarios.
returns query results back to the senders after authentication
The post attack investigation begins at the examination
and certification. The overall architecture involves a network
phase, where a copy of the packet capture (libpcap) file is given
filter, synopsis engine, synopsis controller, configuration
for investigation. The examination phase fuses inputs from
manager, security manager, storage management and query
various sources and identifies attack indicators. The analysis
processor. Evidence of crimes can be found in packet headers
phase classifies attack patterns using data mining, soft
or application dependent payloads. ForNet can identify
computing or statistical approaches. The investigation phase
network events like TCP connection establishment, port
involves traceback and attribution. The final presentation
scanning, connection record details and uses bloom filters to
phase results in the prosecution of the attacker.
track other events.
Ren (2004a) proposed a reference model of distributed
cooperative network forensic system. It is based on client–
5. Network forensic frameworks server architecture. The server captures network traffic,
builds mapping topology database, filters, dumps and trans-
DFRWS proposed the first process model for digital forensics forms the network traffic stream into database values, mines
in the networked environments. Many variant models were forensic database, and replays network behavior. It also does
proposed with different phases as discussed in the previous network surveying, attack statistic analysis and visualization.
section. Researchers developed many frameworks which The distributed agent clients integrate data from firewall, IDS,
implement these phases and an exhaustive survey is pre- Honeynet and remote traffic. The goal of this model is
sented category wise to highlight the specific gaps and iden- dumping misbehavior packets based on adaptive filter rules,
tify the research challenges. analyzing the overall cooperative database to discover the
potential misbehavior, and replaying the misbehavior for
5.1. Distributed systems based frameworks forensic analysis. It can discover the profile of the attacker and
obtain clues for further investigation.
Internet and LANs are distributed in nature and networks Ren and Jin (2005b) further extended their previous model
attack events are logged in clients at various locations. There is as distributed agent-based real-time network intrusion
a need to collect these logs, fuse them and analyze on a central forensics system. The goals of this framework include log
server. A general scheme for the frameworks is shown in Fig. 3. system information gathering, adaptive capture of network
The following implementations were proposed: traffic, active response for investigational forensics, integra-
Shanmugasundaram et al. (2003) propose ForNet, a distrib- tion of forensics data and storing the historical network
uted network logging mechanism to aid digital forensics over misuse pattern. The four elements in the system are network
wide area networks. It has two functional components – Syn- forensics server, network forensics-agents, network monitor,
App, designed to summarize and remember network events for and network investigator. Network forensic agents are
22 digital investigation 7 (2010) 14–27

engines of the data gathering, data extraction and data secure The implementations discussed above use client–server/
transportation. Network monitor is a packet capture machine agent–proxy architectures to collect the attack features and
which adaptively captures the network traffic. Network analyze them. They are limited in identifying the features
investigator is the network survey machine. Network foren- correctly and some components are still being developed.
sics server integrates the forensics data, analyzes it and
launches an investigation program on the network investi- 5.2. Soft computing based frameworks
gator. The model can expedite the investigation of an incident
and improve the ability of emergence response. The soft computing implementations are used to analyze
Tang and Daniels (2005) proposed a simple framework for captured data and classify the attack data. Neural network and
distributed forensics. It is based on distributed techniques Fuzzy tools are used for validation of attack occurrence.
providing an integrated platform for automatic evidence A general scheme for the fuzzy logic based frameworks is
collection and efficient data storage, easy integration of shown in Fig. 4. The following implementations were proposed:
known attribution methods and an attack attribution graph Kim et al. (2004) develop a fuzzy logic based expert system
generation mechanism. The model is based on proxy and for network forensics to aid the decision making processes
agent architecture. Agents collect, store, reduce, process and involving sources of imprecision that are non-statistical in
analyze data. Proxies generate the attack attribution graph nature. The system can analyze computer crime in networked
and perform stepping stone analysis. This model aims at environments and make digital evidences automatically. It
providing a method to collect, store and analyze forensic can provide analyzed information for a forensic expert and
information. It also provides automatic evidence and quick reduce the time and cost of forensic analysis. The framework
response to attacks. consists of six components. Traffic analyzer captures network
Nagesh (2007) implemented a distributed network forensics traffic and analyses it using sessionizing. Knowledge base
framework using JADE mobile agent architecture. A node stores rules which are used by the fuzzy inference engine. The
acting as a server, hosting the network forensics-agent, rules are written for various attacks using linguistic variables
dispatches mobile agents to monitored heterogeneous loca- and terms. Membership functions are defined for each fuzzy
tions. They gather network traffic logs, examine them and set and a crisp value of degree of membership is determined.
return the results which will be displayed on a user interface. Each input variables crisp value is first fuzzified into linguistic
The interface enables the analyst to specify data to be collected values. Fuzzy inference engine derives output linguistic
and analyze the resultant network events displayed. The values using aggregation and composition. Defuzzification
solution automates collection of network data from distributed defuzzifies the output values into crisp values and the forensic
heterogeneous systems using mobile agents. The imple- analyzer decides whether the captured packets indicate an
mentation is scalable, reduces network traffic, addresses single attack.
point of failure and provides real-time monitoring. Liu and Feng (2005) proposed the Incremental Fuzzy Deci-
Wang et al. (2007) developed a dynamical network foren- sion Tree-Based Network Forensic System (IFDTNFS). This is
sics (DNF) model based on the artificial immune theory and an efficient way to create a classification model by extracting
the multi-agent theory. The system provides a real-time key features from network traffic by providing the resulting
method to collect and store data logs simultaneously, fuzzy decision tree with better noise immunity and increasing
provide automatic evidence collection and quick response to applicability in uncertain or inexact contexts. IFDTNFS
network criminals. The system includes a Forensic Server and consists of three components: network traffic separator,
three agents namely Detector-Agent, Forensics-Agent and traffic detector, and forensic analyzer. The network traffic
Response-Agent. The Detector-Agent captures real-time separator component is responsible for capturing network
network data, matches it with intrusion behavior and sends traffic and separating it according to the service type, and
a forensics request message to the Forensics-Agent. The directing the separated traffic to corresponding traffic
Forensics-Agent collects the digital evidence, creates a digital detector. The traffic detector consists of four components:
signature using a hash function and transmits the evidence to feature extractor extracts features from network traffic, fuzzy
the Forensic Server. The Forensic Server analyzes evidence rule base is the knowledge base using which fuzzy decision
and replays the attack procedure. The Response-Agent is trees are built, rule base updater adds new samples to the
being developed. fuzzy decision tree that has been constructed and also adjusts

Network Traffic
Analyzer / Fuzzification
Traffic
Feature
Capture Extractor

Fuzzy Inference Knowledge


Engine Base

Forensic /
Evidence Digital
Defuzzification Evidence
Analyzer

Fig. 4 – A general scheme for fuzzy based frameworks.


digital investigation 7 (2010) 14–27 23

the optimal tree size, and fuzzy inferencer fuzzifies input Honeytraps (Yasinsac and Manzano, 2002) were proposed
values and processes them with the rule base. Forensic as a deception tool to collect information about blackhat
analyzer includes collecting relative event data, analyzing activities and learn their techniques so that protection and
correlated information relating with the event, and estab- defense mechanisms can be formulated. Honeytraps are
lishing digital evidences. Honeypot or Honeynet systems which attract intruders to
Zhang et al. (2007) propose network forensic computing enter a host by emulating a known vulnerability. Once an
based on Artificial Neural Network and Principal Component attacker penetrates a honeytrap, data are captured to detect
Analysis (ANN–PCA). The major challenge faced in network and record his actions. This data can be used to profile the
forensics is massive information to be stored and analyzed. tools and tactics used by the attackers putting the investiga-
Extraction of key features reduces storage by correlating the tors in an offensive mode. Two architectures, serial and
features with attacks. ANN–PCA techniques are used to parallel, facilitate the forensic investigation. The serial archi-
identify all possible violations, extract features and build tecture places honeytrap between the Internet and the
signatures for new attacks. Classification is done using FAAR production system. Recognized users are filtered to the
algorithm to mine association rules and calculate the PCA production systems and blackhats are contained in the hon-
values. Classification accuracy increases and information eytrap. The parallel architecture allows honeytrap to be
storage size decreases after feature extraction is performed independent of the production system. Once the system
using ANN–PCA. detects the presence of blackhat, the forensic alert system is
Neurofuzzy Techniques (Anaya et al., 2009) were used by activated. If the attack is detected, forensic processes are
Anaya et al., to address the challenges of enormous data to be activated on the honeytrap and production systems. Once the
logged and analyzed for network forensic computing. The attack is contained, the investigation process is begun to
Neurofuzzy solution is based on Artificial Neural Network determine the identity of the intruder on the production
(ANN) and fuzzy logic and is used for evidence differentiation system.
into normal and abnormal flows. ANNs are used in informa- Thonnard and Dacier (2008) propose a framework for
tion processing to learn from the data and generalize a solu- attack patterns’ discovery in Honeynet data. Their work aims
tion. Fuzzy logic is used to generate a grade of membership to at finding groups of network traces sharing various kinds of
different behaviors so that attacks are determined. The model highly similar patterns within an attack data set. They design
consists of four modules. The Monitor control module stores a flexible clustering tool and analyze one specific aspect of the
all the network information. Information preprocessing Honeynet data, time series of attacks. Malicious network
module is made up of syntax sub module and correlation sub traffic is obtained from the distributed set of Honeynet
module. Syntax module is responsible for normalizing the responders. Time signature is used as a primary clustering
inputs and correlation sub module aggregates the different feature and attack patterns are discovered using attack trace
flow formats and groups the PDUs into a flow. Dependencies similarity. Attacks are detected as a series of connections,
module relates all network element logs and takes decision zero-day and polymorphic attacks are detected based on
about the flows. The decider module distinguishes between similarity to other attacks and knowledge from the Honeynet
normal and abnormal flows. data is used in intrusion detection efforts. The clustering
Liao et al. (2009) propose a Network Forensic System based method does feature selection and extraction, defines
Fuzzy Logic and Expert System (NFS-FLES), an effective and a pattern proximity measure and groups similar patterns. The
automated analysis system, which guarantees evidence reli- result of clustering applied to time series analysis enables
ability by collecting information from different sensors. It also detection of worms and botnets in the traffic collected by
analyzes computer crimes and makes automatic digital Honeypots.
evidence using the approach of fuzzy logic and expert Merkle (2008) investigates automated analysis of
systems. The NFS-FLES consists of the following components network based evidence in response to cyberspace attacks.
– traffic capture, feature extractor, fuzzification, fuzzy infer- The two major challenges of network forensics, namely
ence engine, knowledge base, defuzzification and forensic ‘complexity’ problem of analyzing raw traffic data and
analyzer. The whole operation is done in four parts – real-time ‘quantity’ problem of amount of data to analyze are
forensic data acquisition and preprocessing, knowledge base addressed in his solution. The model integrates results of
construction and dynamic rule generation, fuzzy linguistic data logged by various tools into a single system that
operation of input attack data and computing aggregation exploits computational intelligence to reduce human
fuzzy value and total fuzzy score of every kind of attack. The intervention. This integrated tool is referred as ‘automated
forensic result is then output in time. network forensic’ tool. An isolated network of virtual
The soft computing tools give desirable results provided machines is built into a Honeynet. Open source forensic
the rules to differentiate attack and legitimate traffic can be tools are used for collecting data. The information produced
generated. Detecting zero-day attacks is also a challenge. by various tools in one stage is characterized and trans-
formed for use by other tools in the succeeding stages. Time
5.3. Honeypot based frameworks consuming and error prone processes are identified and
automated. The data sets are partitioned, system is trained
Honeypot frameworks are used to attract the attackers so that and then tested.
their process methodology can be observed and analyzed to Honeynets meet the expectations of forensic analyzers but
improve defense mechanisms. The following implementa- they cannot be used for investigative purposes as evidence
tions were proposed: generated is not valid in legal system.
24 digital investigation 7 (2010) 14–27

5.4. Attack graph-based framework packets. They arrange to reliably transport them to the logging
module for archival. Logging module is a system repository
Wang and Daniels (2008) developed a graph-based approach where the attack data are being stored. It uses three types of
toward network forensics analysis. An evidence graph model loggers – host logger stores data sent by capture module,
facilitates evidence presentation and automated reasoning. sensor logger stores sensors’ alerts and raw logger is optional
The basic architecture has six modules: evidence collection and is used when other loggers fail. The capture module was
module collecting digital evidence from heterogeneous implemented using Sebek, marking module used Snort IDS,
sensors deployed, evidence preprocessing module transforms and logging module used server-side Sebek, Snort’s barnyard
evidence into standardized format, attack knowledge base tool, ACID Lab and TCPDump.
provides knowledge of known exploits, assets knowledge base Nikkel (2006) proposed a Portable Network Forensic
provides knowledge of the networks and hosts under inves- Evidence Collector (PNFEC) which was built using inexpensive
tigation, evidence graph manipulation module generates the embedded hardware and open source software. The compact
evidence graph and attack reasoning module performs semi- and portable device has been designed for traffic collection
automated reasoning based on the evidence graph. A hierar- between a network and a single node, having specific modes
chical reasoning framework consisting of two levels – local of operation, rapid deployment and stealthy inline operation.
reasoning (functional analysis) aims to infer the functional The traffic on the Ethernet Bridge is promiscuously captured
states of network entities from local observations and global using various pcap based capture tools and stored on a hard
reasoning (structural analysis) aims to identify important disk. The operating system, additional software, configuration
entities from the graph structure and extract groups of files and investigator activity logs are stored on a compact
densely correlated participants in the attack scenario. The flash. Administrative access controls various aspects of the
results from both levels are combined and attacks further device like startup, scheduling, configuration of capturing
analyzed. filters, forensic functions such as preserving and transferring
the evidence. The PNFEC is easy to deploy and operate (plug-
5.5. Formal method based framework and-play). The network traffic collected can be stored in
encrypted form. PNFEC also controls filtering of captured data
Rekhis et al. (2008) develop a system for Digital Forensic in using TCPDump to ensure there are no privacy violations.
Networking (DigForNet) which is useful to analyze security A script is used to create a cryptographic hash of the packet
incidents and explain steps taken by the attackers. DigForNet capture files and preserved. OpenBSD is the operating system
uses the expertise of intrusion response teams and formal used, as many of the functionalities like secure access, packet
reasoning tools (I-TLA and I-TLC) to reconstruct potential capture, encrypted file system, evidence preservation, disk
attack scenarios. They integrate analysis performed by the IRT wiping and formatting tools, are included by default. Tools for
on a compromised system through the use of Incident trouble shooting (TCPFlow) and pcap management (tcpslice)
Response Probabilistic Cognitive Maps (IRPCMs). They provide are also added. PNFEC operates in three modes – investigator,
a formal method framework to identify potential attack server and user.
scenarios using Investigation-based Temporal Logic of Vandenberghe (2008) proposed a Network Traffic Explora-
Actions (I-TLA). They generate executable potential attack tion (NTE) Application being developed by Defense Research
scenarios and show progress of the attack using Investigation- and Development Canada (DRDC) for security event and
based Temporal Logic Model Checker (I-TLC), automatic veri- packet analysis. This tool combines six key functional areas
fication tool. Unknown attacks are handled by generating into a single package. They are intrusion detection (signature
hypothetical actions. The generated executable potential and anomaly based), traffic analysis, scripting tools, packet
attack scenarios are used to identify risk scenarios that have playback, visualization features and impact assessment. NTE
compromised the system, entities which originated the has three layers with MATLAB as development environment,
attacks, different steps taken to conduct the attacks and to low level packet analysis library and unified application front
confirm the investigation. end. It provides an environment where statistical analysis,
session analysis and protocol analysis can exchange data.
5.6. Aggregation framework

Network forensic analysis involves many phases. We have 6. Research challenges


discussed the various security tools in Section 3, which can be
used for specific phases. The aggregation frameworks harness The frameworks and implementations for network forensic
the strength of these tools to facilitate forensic investigation analysis have been surveyed in the previous section. The
rather than building a new tool from scratch. The following limitations and specific research gaps associated with
implementations were proposed: different phases in each implementation are given below.
Almulhem and Traore (2005) propose a Network Forensics
System (NFS) that records data at the host level and network 6.1. Collection and detection
level. The system consists of three main modules – marking,
capture and logging. Marking module decides whether The first step in network forensic analysis involves collection
a passing packet is malicious. One or more sensors (like IDS) of network traces and detection of attacks. The traces involve
report suspicious IP addresses. Capture module is a collection IDS and firewall logs, logs generated by network services and
of lightweight capture modules which wait for the marked applications, packet captures by sniffers and NFATs (Nikkel,
digital investigation 7 (2010) 14–27 25

2005). The challenge is to identify useful network events and


record minimum representative attributes for each event so 7. Conclusions and future work
that the least amount of information with highest probable
evidence is stored (Mukkamala and Sung, 2003). This results in Network forensics ensures investigation of the attacks by
reduction of data storage requirements. A data digest will be tracing the attack back to the source and attributing the crime
sufficient for discovery of malicious behavior and a full to a person, host or a network. It has the ability to predict
capture is required for reconstruction of attack behavior. future attacks by constructing attack patterns from existing
traces of intrusion data. The incident response to an attack is
6.2. Data fusion and examination much faster. The preparation of authentic evidence, admis-
sible into a legal system, is also facilitated.
The data captured from various tools must be aggregated and We made an extensive survey on various network forensic
examined to ascertain whether investigation should be framework implementations. We also made a study on digital
commenced. Data fusion of all the logs collected from various forensic models and propose a generic model. The function-
security tools deployed in each hosts on the entire network is ality of NFATs and NSM tools is also discussed. The specific
a crucial problem (Ren, 2004b). The dependencies of packet research gaps in these models (existing and proposed) and
attributes from various tools and reconnaissance of attributes implementation techniques are identified. The challenges in
from different hosts validate an attack. Characterization of network forensics as an alternate approach to security are
anomalous network events and distinguishing attack traffic also presented.
from legitimate traffic by searching for patterns of anomalies We are currently developing a network forensic analysis
is a major challenge. framework ‘Network Forensics System’ which is being built
using an aggregation of various open source tools. The
6.3. Analysis objective of this framework is to overcome research gaps
mentioned above. It will focus on the following phases of our
The critical step in the entire process of network forensics is to proposed generic framework: traffic collection, detection of
analyze attack data and arrive at a conclusion, pointing at the attack features, data fusion, examination of network traces,
source. Classification and clustering of network events need analysis using soft computing and data mining approaches,
to be done so that scrutiny of large volumes of data to attack investigation, attribution and incident response.
understand their relationship with attacks becomes easy. Future work is to urgently address the limitations and
Parsing and analysis of complex protocols also needs focus. challenges in various tools and framework implementations
Pattern recognition of anomalies using soft computing and so that perpetuators of cyber crime are traced back and
data mining techniques can be applied for classification, prosecuted. This will act as a deterrent, resulting in drastic
correlation and link analysis. The categorization of attack decrease in network crime rate, thereby improving security.
patterns and attack reconstruction methods used to under-
stand the intention and methodology of the attacker needs
research focus (Almulhem, 2009). references

6.4. Investigation
Almulhem A. Network forensics: notions and challenges. In:
The investigation must enable attribution of an attack to Proceedings of the ninth IEEE international symposium on
a host or a network. The results must meet the admissibility signal processing and information technology (ISSPIT 2009),
criteria in a court of law. The analysis of logs and other UAE; Dec. 2009.
network traces must lead to the source of attacks. IP traceback Almulhem A, Traore I. Experience with engineering a network
forensics system. In: Proceedings of the international
involves tracing back to the source address of the attacker by
conference on information networking (ICOIN 2005), Korea,
overcoming IP spoofing (Mitropoulos et al., 2005). Detecting LNCS 3391. Berlin, Heidelberg: Springer-Verlag; 2005. p. 62–71.
and profiling TCP connection chains can bring out the step- Anaya EA, Nakano-Miyatake M, Meana HMP. Network forensics
ping stones used to launch an attack. Creating a topology with neurofuzzy techniques. In: Proceedings of the 52nd IEEE
database and IP location mapping to locate an attacker international Midwest symposium on circuits and systems
geographically is a major challenge. As new protocols like (MWSCAS 2009); 2–5 Aug. 2009, p. 848–52.
IPv6, become operational and popular, there will be a great Argus, http://www.qosient.com/argus.
Baryamureeba V, Tushabe F. The enhanced digital investigation
need to resolve incidents involving these protocols (Nikkel,
process model. In: Proceedings of the fourth digital forensic
2007). research workshop (DFRWS); 2004.
Beebe NL, Clark JG. A hierarchical, objectives-based framework
6.5. Incident response for the digital investigations process. Digital Investigation
(The International Journal of Digital Forensics & Incident
Active real-time response to the network misuse is to be Response) Jun 2005;2(2):147–67.
Berghel H. The discipline of Internet forensics. Communications
performed so that important data are not lost by the time
of the ACM 2003;46(8):15–20.
response is initiated. The response processes are to be
Bro, http://www.bro-ids.org.
launched immediately when alerts begin. The key issue to be Broucek V, Turner P. Forensic computing: developing
maintained is that the attacker must not be aware of the a conceptual approach for an emerging academic discipline.
response (Khurana et al., 2009). In: Fifth Australian Security Research Symposium; July 2001.
26 digital investigation 7 (2010) 14–27

Carrier, Spafford EH. Getting physical with the digital NetDetector, http://www.niksun.com.
investigation process. International Journal of Digital Evidence NetFlow, http://www.cisco.com/web/go/netflow.
2003;2(2):1–20. Network forensics and digital time travel, http://www.
Casey E. Network traffic as a source of evidence: tool strengths, technewsworld.com/story/68651.html.
weaknesses, and future needs. Digital Investigation (The netForensics security compliance management, http://www.
International Journal of Digital Forensics & Incident Response) netforensics.com/compliance.
Feb. 2004;1(1):28–43. NetIntercept, http://www.sandstorm.net.
Casey E, Palmer G. The investigative process. In: Casey E, editor. NetWitness, http://www.netwitness.com.
Digital evidence and computer crime. Elsevier Academic NetworkMiner, http://networkminer.sourceforge.net.
Press; 2004. NfDump, http://nfdump.sourceforge.net/.
Ciardhuain SO. An extended model of cybercrime investigations. Ngrep, http://ngrep.sourceforge.net.
International Journal of Digital Evidence 2004;3(1). Nikkel BJ. Generalizing sources of live network evidence. Digital
Clarke GE. Networkþ certification study guide. 3rd ed. Osborne Investigation (The International Journal of Digital Forensics &
McGraw-Hill; 2006. p. 339–89. Incident Response) Sept. 2005;2(3):193–200.
Cohen MI. PyFlag – an advanced network forensic platform. Nikkel BJ. A portable network forensic evidence collector. Digital
Digital Investigation (The International Journal of Digital Investigation (The International Journal of Digital Forensics &
Forensics & Incident Response) Sept. 2008;5(1):112–20. Incident Response) Sept. 2006;3(3):127–35.
Corey V, Peterman C, Shearin S, Greenberg MS, Bokkelen JV. Nikkel BJ. An introduction to investigating IPv6 networks. Digital
Network forensics analysis. IEEE Internet Computing 2002;6(6): Investigation (The International Journal of Digital Forensics &
60–6. Incident Response) June, 2007;4(2):59–67.
DDOS attackers continue hitting Twitter, Facebook, Google, Nmap, http://www.nmap.org.
http://www.computerworld.com/s/article/9136402/. Ntop, http://www.ntop.org.
Denial-of-service got Twitter. Is your network next?, http://news. OmniPeek, http://www.wildpackets.com.
cnet.com/8301–13846_3–10305241–62.html. P0f, http://www.lcamtuf.coredump.cx/p0f.shtml.
Flow-tools, http://www.splintered.net/sw/flow-tools. PADS, http://passive.sourceforge.net.
Garfinkel S. Network forensics: tapping the Internet, http://www. Palmer G. A road map for digital forensic research. In: First digital
oreillynet.com/pub/a/network/2002/04/26/nettap.html. forensic research workshop (DFRWS 2001); 2001, p. 27–30.
Guan Y. Network forensics. In: Computer and information Security Perry S. Network forensics and the inside job. Network Security
handbook. Morgan Kaufmann Publishers; 2009. p. 339–47. 2006;2006:11–3.
Infinistream, http://www.netscout.com/Products/infinistream.asp. PyFlag,http://www.pyflag.net
Iris, http://www.eeye.com/Iris. Ranum M. Network flight recorder, http://www.ranum.com/.
ISO/IEC 27001. Information technology (security techniques, Reith M, Carr C, Gunsch G. An examination of digital forensic
information security management, requirements), http://www. models. International Journal of Digital Evidence 2002;1:
iso.org/iso/catalogue_detail.htm?csnumber¼42103; 2005. 1–12.
Khurana H, Basney J, Bakht M, Freemon M, Welch V, Butler R. Rekhis S, Krichene J, Boudriga N. DigForNet: digital forensic in
Palantir: a framework for collaborative incident response and networking. In: Proceedings of the IFIP TC-11 23rd
investigation. In: Proceedings of the eighth symposium on international information security conference, IFIP, vol. 278.
identity and trust on the Internet, Maryland; April 2009, p. 38–51. Springer; Sept. 2008. 637–651.
Kim J, Kim M, Noh BN. A fuzzy expert system for network Ren W, Jin H. Modeling the network forensics behaviors. In:
forensics. In: Proceedings of the international conference on Proceedings of the first international conference on security
computational science applications (ICCSA 2004), LNCS 3043. and privacy for emerging areas in communication networks
Springer; 2004. p. 175–82. (SecureComm 2005); Sept. 2005a, p. 1–8.
Liao N, Tian S, Wang T. Network forensics based on fuzzy logic Ren W, Jin H. Distributed agent-based real time network intrusion
and expert system. Computer Communications Nov. 2009; forensics system architecture design. In: Proceedings of the
32(17):1881–92. IEEE 19th international conference on advanced information
Liu Z, Feng D. Incremental fuzzy decision tree-based network networking applications (AINA 2005), p. 177–82.
forensic system. In: Proceedings of the international Ren W. On the reference model of distributed cooperative
conference on computational intelligence and security (CIS network forensics system. In: Proceedings of the sixth
2005), LNAI 3802. Springer; 2005. p. 995–1002. international conference on information integration and web-
Mandia K, Procise C. Incident response and computer forensics. based application & services (iiWAS2004), Jakarta, Indonesia;
New York: Osborne McGraw-Hill; 2003. 2004a, p. 771–5.
Merkle LD. Automated network forensics. In: Proceedings of the Ren W. On a network forensics model for information security. In:
conference on genetic and evolutionary computation (GECCO Proceedings of the third international conference on
2008); 2008, p. 1929–32 information systems technology and its applications (ISTA
Mitropoulos S, Patsos D, Douligeris C. Network forensics: towards 2004), June 15–17, 2004, Utah, USA, p. 229–34.
a classification of traceback mechanisms. In: Proceedings of Sebek, http://projects.honeynet.org/sebek/.
the first international conference on security and privacy for Shanmugasundaram K, Memon N, Savant A, Bronnimann H.
emerging areas in communications networks (SecureComm ForNet: a distributed forensics network. In: Proceedings of
2005); Sept. 2005, p. 9–16. the second international workshop on mathematical
Mukkamala S, Sung AH. Identifying significant features for methods models and architectures for computer networks
network forensic analysis using artificial intelligent security (MMM–ACNS 2003), LNCS 2776. Springer; 2003. p.
techniques. International Journal of Digital Evidence 2003;1(4). 1–16.
Nagesh A. Distributed network forensics using JADE mobile agent SilentRunner, http://www.accessdata.com/silentrunner.html.
framework. Master’s thesis. Department of Computing SiLK, http://tools.netsa.cert.org/silk/.
Studies, Arizona State University; 2007, http://www. Sira R. Network forensics analysis tools: an overview of an
technology.asu.edu/files/documents/tradeshow/Dec06/asha_ emerging technology, GSEC, version 1.4; Jan. 2003.
nagesh_report.pdf Snort, http://www.snort.org.
Nessus, http://www.nessus.org. Solera DS 5150, DeepSee, http://www.soleranetworks.com.
digital investigation 7 (2010) 14–27 27

Tang Y, Daniels TE. A simple framework for distributed forensics. Wang W, Daniels TE. A graph based approach towards network
In: Proceedings of the 25th IEEE international conference on forensics analysis. ACM Transactions on Information and
distributed computing systems (ICDCS 2005); June 2005, System Security (TISSEC) Oct. 2008;12(1).
p.163–9. Wang D, Li T, Liu S, Zhang J, Liu C. Dynamical network forensics
TCPDstat, http://staff.washington.edu/dittrich/talks/core02/tools. based on immune agent. In: Proceedings of the international
TCPDump, http://www.tcpdump.org. conference on natural computation (ICNC 2007), vol. 3; Aug.
TCPFlow, http://www.circlemud.org/jelson/software/tcpflow. 2007. 651–656.
TCPReplay, http://tcpreplay.synfin.net/trac/. Why is Twitter so vulnerable to DDoS attack?, http://www.crn.
TCPStat, http://www.frenchfries.net/paul/tcpstat. com/security/219300104.
TCPTrace, http://www.tcptrace.org. Wireshark, http://www.wireshark.org.
TCPXtract, http://tcpxtract.sourceforge.net. Xplico, http://www.xplico.org.
Thonnard O, Dacier M. A framework for attack patterns’ Yasinsac A, Manzano Y. Policies to enhance computer and network
discovery in honeynet data. Digital Investigation (The forensics. In: Proceedings of the IEEE workshop on information
International Journal of Digital Forensics & Incident Response) assurance and security, New York; 2001, p. 289–95.
Sept. 2008;5(1):128–39. Yasinsac A, Manzano Y. Honeytraps, a network forensic tool. In:
Tweets fall silent as Twitter goes down for hours, http://articles. Proceedings of the sixth multi-conference on systemics,
latimes.com/2009/aug/07/business/fi–twitter7. cybernetics and informatics, Florida, USA; 2002.
Vandenberghe G. Network traffic exploration application: a tool Zhang Y, Ren Y, Wang J, Fang L. Network forensic computing
to assess, visualize, and analyze network security events. In: based on ANN–PCA. In: Proceedings of the international
Proceedings of the fifth international workshop on conference on computational intelligence and security
visualization for computer security; 2008 workshops (CISW 2007); 2007, p. 942–5.

You might also like