MIPRO 2015, 25-29 May 2015, Opatija, Croatia

Challenges in Network forensics

J. Burić*, D. Delija**
INsig2 d.o.o., Zagreb, Croatia
[email protected], [email protected]

Abstract - Network forensics is a branch of digital forensics that focuses on monitoring, capturing, recording, and analysis of network traffic. More accurately, it is the use of scientifically proven techniques to collect and analyse network packets and events for investigative purposes. Network forensics is an extension of the network security model, which traditionally emphasizes prevention and detection of network attacks. Current network forensics approaches are costly and time consuming. Moreover, unlike other areas of digital forensics, network forensics deals with volatile and dynamic data. It helps organizations to investigate attacks that originated from outside and inside of the company. It is also important for law enforcement agencies when solving crimes. The paper presents different challenges that investigators face due to the rapid growth of networks and attackers' skill, and possible framework solutions that would help to solve or minimize these problems.

I. INTRODUCTION

The Internet is constantly changing; evidence is located all over the network, and there is not enough time nor staff. Expectations are unrealistic, there are various differences within organizations, and above all, there is mishandling of evidence. A network forensics investigation can be, and usually is, a very demanding process. On top of all the challenges that traditional forensic investigators face, network forensic investigators need to work and interact with expert and non-expert people, learn to handle different types of equipment, both hardware and software, and their various versions, more often than not capture evidence that exists only for a brief moment, and unfortunately, investigative teams find themselves in situations where it is not clear who is in charge [1].

An organized approach is the key to a successful investigation. With the continuous growth of the Internet, cyber-attacks and crimes are happening every day [2], compounded by the increasing skills of intruders. Things have gone so far that it has become a fact: it is not IF you are going to be attacked, it is WHEN. Traditional tools used in investigations, such as firewalls and Intrusion Detection and Prevention Systems (IDPSs), are no longer enough, since they cannot provide all the required evidence or data [3].

Current network forensic approaches are costly and time consuming. In addition, these approaches normally use active and reactive processes to resolve cyber-crimes, and such processes start after the cyber-crime has been identified, which makes identifying useful evidence difficult [4] and makes network forensic investigation a post-mortem incident handling.

II. NETWORK FORENSICS

Network forensics is the act of capturing, recording, and analysing network audit trails in order to discover the source of security breaches or other information assurance problems [5]. The term "network forensics" was introduced by the computer and firewall expert Marcus J. Ranum in the early 90s, but was borrowed from the legal and criminology fields, where forensics is related to the investigation of crimes.

In 2001 DFRWS (Digital Forensic Research Workshop) defined network forensics as "The use of scientifically proven techniques to collect, fuse, identify, examine, correlate, analyse, and document digital evidence from multiple, actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt, and/or compromise system components as well as providing information to assist in response to/or recovery from these activities" [6].

In essence, the concept of network forensics deals with the data found across a network connection going to and from one host to another. Network forensics analyses the traffic data logged through firewalls or intrusion detection systems or at other network devices such as routers. The goal is to trace back to the source of the attack in order to discover the perpetrators [9]. One note has to be emphasized: the traffic or data being monitored is live, so in network forensics we are no longer talking about post-mortem analysis.

The following table presents network devices and their value in network forensics.


Table 1. Network devices and their forensic value

Tool name | Value to network forensics
Switches | Contain Content Addressable Memory (CAM), which determines which port on a switch corresponds to which MAC address.
Routers | Networking devices that forward data packets between computer networks. They store routing tables that map ports to connected networks. They can also function as a packet filter.
IDPSs | Network security appliances that monitor network and/or system activities in real time and alert on malicious traffic.
Firewalls | Control incoming and outgoing network traffic based on predefined rules. Analyse and log the source and destination addresses, packet payloads, and port numbers to make decisions about certain traffic, which helps forensics in the process of investigation.
Web proxies | Act as an intermediary server for requests from clients seeking resources from other servers. Can be configured to maintain special logs for an extended period of time. Such logs store the web surfing of an entire organization.
Special type servers | The main types are DHCP, Name, Authentication, Application, and Central log servers. Data stored on each of these servers can be of great value and can provide help in forensic investigations.

Back in 2002, Simson Garfinkel introduced two network forensic systems called "Catch it as you can" and "Stop, look and listen" [7]. A "Catch it as you can" system captures and writes all the packets passing through a particular traffic point. This approach requires large amounts of data storage. On the other hand, a "Stop, look and listen" system analyses each packet in a rudimentary way in memory, and only certain information is saved for future analysis. This requires a faster processor to keep up with the incoming traffic [2]. Network forensic systems are designed to identify unauthorized use, misuse, and attacks on information systems which were previously identified manually or, in most cases, went unidentified [8]. Most network forensic systems are based on audit trails. Systems relying on audit trails try to detect known attack patterns, deviations from normal behaviour, or security policy violations. They also try to reduce large volumes of audit trail data to small volumes of interesting data. Most of the current techniques are passive monitors, which rely heavily on network traffic, CPU usage, or I/O usage with human intervention [8]. The main focus in the area of cyber and network forensics is to automate the process of detecting attacks and to prevent the damage caused by future security breaches.
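As an added example (not from the paper or from any of the tools it names), the following Python script implements the "stop, look and listen" idea from the paragraph above: it walks a small pcap capture, constructed inline with made-up addresses, keeps only a per-flow summary built from the headers (5-tuple, TTL, packet and byte counts, first and last timestamp) and discards payloads. It also shows the granularity trade-off raised later in the paper, header-level records instead of whole packets.

```python
"""Header-only packet reduction in the "stop, look and listen" style: each pcap
record is inspected in memory, a per-flow summary is updated, and the payload
is discarded. The capture is constructed inline; all addresses are made up."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}

def pcap_global_header():
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

def pcap_record(ts_sec, frame, snaplen=65535):
    """One record; incl_len is shorter than orig_len when the frame is snapped."""
    incl = frame[:snaplen]
    return struct.pack("<IIII", ts_sec, 0, len(incl), len(frame)) + incl

def build_tcp_frame(src_ip, dst_ip, sport, dport, ttl, payload):
    """Ethernet/IPv4/TCP frame for the constructed capture (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("020000000001" "020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload

def classify(frame):
    """Return ((proto, src, dst, sport, dport), ttl), or None for frames that are
    not IPv4 TCP/UDP; those are counted by the caller but never stored."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ver_ihl, ttl, proto = frame[14], frame[22], frame[23]
    if ver_ihl >> 4 != 4 or proto not in PROTO_NAMES:
        return None
    l4 = 14 + (ver_ihl & 0x0F) * 4            # honours IPv4 options if present
    if len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    return (PROTO_NAMES[proto], src, dst, sport, dport), ttl

def reduce_capture(pcap):
    """Walk the records and keep per-flow counters and header facts only.
    Returns (flows, skipped); flows maps a 5-tuple to its summary dict."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported capture format")
    flows, skipped, off = {}, 0, 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, orig_len = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        parsed = classify(frame)
        if parsed is None:
            skipped += 1
            continue
        key, ttl = parsed
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "ttls": set(),
                                   "first": ts_sec, "last": ts_sec})
        f["packets"] += 1
        f["bytes"] += orig_len                # wire length, even if the record was snapped
        f["ttls"].add(ttl)                    # a TTL that varies per source is worth a look
        f["last"] = max(f["last"], ts_sec)
    return flows, skipped

def sample_capture():
    """Constructed capture: one HTTP-like exchange (the reply snapped to 60 bytes)
    plus one ARP frame that the reducer skips."""
    c, s = "10.0.0.5", "10.0.0.9"
    records = [
        pcap_record(1000, build_tcp_frame(c, s, 40000, 80, 64, b"GET / HTTP/1.1\r\n")),
        pcap_record(1000, build_tcp_frame(c, s, 40000, 80, 64, b"Host: x\r\n")),
        pcap_record(1001, build_tcp_frame(s, c, 80, 40000, 128, b"HTTP/1.1 200 OK\r\n"), 60),
        pcap_record(1002, bytes(12) + struct.pack("!H", 0x0806) + bytes(28)),
    ]
    return pcap_global_header() + b"".join(records)
```

Running `reduce_capture(sample_capture())` yields two flow records and one skipped frame; the snapped reply is still counted at its full wire length of 71 bytes.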

Network forensics is not another term for network security, but network security is an important part of network forensics. Data for forensic analysis can be collected from various security products which are placed onto the network to detect and prevent intrusions. Network forensics ensures that the attacker has to spend more time and energy to cover his tracks, making the attack costly and time consuming [9]. The IT industry's ever-growing concern with security is the primary motivation for network forensics [10].

A. Network Forensic Analysis Tools (NFATs)

Although not the final solution for security administration, an NFAT is capable of saving both time and money, and helps the administrator watch everything in the network, gather all information about suspicious traffic, and help in network forensics. Basically, NFATs capture network traffic and send the data to an engine, which analyses that data and shows the results. NFATs correlate with IDSs and firewalls, making preservation of network traffic over a long period of time possible, and allow quick analysis of the points of concern in the network identified by IDSs and firewalls [11, 12]. Some of the NFAT functions are:

- Intellectual property protection
- Detection of employee misuse/abuse of company networks
- Risk assessment
- Network forensics and security investigation
- Exploit attempt detection
- Data aggregation from multiple sources, including firewalls, IDSs, and sniffers
- Incident recovery
- Prediction of future attacks
- Anomaly detection
- Network traffic recording and analysis
- Network performance

Some of the commercial NFATs available on the market are: NetIntercept, NetDetector, NetFlow, SilentRunner, EnCase, and VisualRoute [11]. The open source NFATs are: TCPDump, Libpcap, WinDump, Wireshark, Snort, Nmap, P0f, Tcpstat, Tcptrace, and Tcpflow [11]. The following commands are built into many modern OSs and are very useful for network forensics: nslookup, traceroute, netstat, nbtstat, whois, ping, wget, dig [11].

B. Network Forensic Process (Generic) Model

In the paper called "A survey about network forensic tools" [2], the authors propose a generic framework for network forensic investigation. The proposed framework consists of many phases which are already imprinted in the digital forensic model, on which they built new phases specific to network forensics. As illustrated in figure 1, the generic framework consists of nine phases, which are going to be closely explained.

Figure 1. Network forensics Process Model [13]


- Preparation phase - since many tools need to be deployed (IDPSs, firewalls, packet analysers) at various points on the network, the prime duty is to obtain the required authorization and legal warrants to ensure privacy.
- Detection phase - the deployed tools generate an alert or a warning which indicates a security breach or policy violation. A quick validation is done to assess and confirm the suspected attack.
- Incident response phase - the response initiated in this phase depends on the type of attack identified and also on organizational and legal policy. This phase is applicable only when the investigation is initiated during the attack.
- Collection phase - the most difficult part, because data that flows over a network changes rapidly and it is not possible to generate the same trace at later stages. It is crucial to have reliable hardware and software, along with well-defined procedures, to collect the maximum evidence with minimum impact on the network.
- Preservation phase - the original data is kept safe along with computed hashes. Another copy of the data will be used for analysis. This is done to ensure that there is no unauthorized use or tampering.
- Examination phase - this phase examines the data collected in the previous phase. This is done in a methodical way so that no key information is lost. All data hidden or altered by the attacker needs to be uncovered. Reduction of high-volume data is necessary in order to identify the least information holding the highest probable evidence.

- Analysis phase - the collected evidence is analysed in order to find specific indicators of an intrusion. Also, statistical analysis and data mining are performed to search for data and to match it to an attacking model. The attacking patterns are put together and reconstructed to understand the purpose and methodology of the attack.
- Investigation phase - this phase uses the information gathered through the analysis phase, and concentrates on identifying the attacker, which is the most difficult part of the analysis phase. Attackers may use many different techniques to hide their intentions or their identity, such as IP spoofing or a stepping stone attack¹. The actual approach in the investigation phase depends on the attack type.
- Presentation - the final stage in the process model. Systematic documentation, along with observations and explanations, is presented in a readable and understandable format. Everything that has been performed needs to be presented in accordance with applicable legislation and security policy, along with recommendations on how to prevent future attacks.

This framework for network forensics shows how methodical and precise an approach an investigator needs to take in order to have valuable, legally acceptable and forensically sound evidence to present.

¹ Stepping stone attack - a technique used by attackers to attain anonymity and complicate their apprehension [15]

III. NETWORK FORENSIC CHALLENGES

The main idea of network forensics is to identify all possible security violations and threats, and build the signatures into IDPS mechanisms to prevent further losses [8]. Many tools allow network administrators or forensic investigators to observe network traffic in real time, but real-time monitoring at any level requires significant human and hardware resources, and does not scale to networks larger than a single workgroup. It is generally more practical to archive all collected traffic and then analyse it as needed [10].

When conducting network forensics, investigators frequently work with live systems that cannot be taken offline. These systems can include routers, switches, firewalls and other equipment, all the way to critical servers. In network forensics, investigators also work to minimize the effect of system modification due to forensic activity. However, in those cases investigators do not have the luxury of an online copy. Furthermore, network-based evidence is more often than not highly volatile² and must be collected through active means that essentially modify the system which holds the necessary evidence. This impact on the system can be minimized through careful selection of appropriate tools and acquisition techniques, but it can never be eliminated entirely [1].

Network-based evidence poses special challenges in several areas [1]:

- Acquisition - it can be difficult to locate specific evidence in a network environment. But even when you know where a specific piece of evidence is located, you may have difficulty gaining access to it for various reasons.
- Content - unlike file systems, which are designed to contain all the files and their metadata, network devices may not store evidence with that level of diversity.
- Storage - network devices normally do not employ secondary or persistent storage, and often have very limited storage capacity.
- Privacy - depending on jurisdiction, there may be legal issues involving personal privacy that are unique to network-based acquisition techniques.
- Seizure - seizing a hard drive can inconvenience an individual or organization. Seizing a network device can be much more disruptive. In the most extreme cases, an entire network segment may be brought down indefinitely.
- Admissibility - file system-based evidence is now regularly admitted in both criminal and civil proceedings. In contrast, network forensics is a newer approach to digital investigations. There are sometimes conflicting or non-existent legal procedures for the admission of various types of network-based digital evidence.

² Volatile - information that changes frequently and is often lost upon powering down the PC [16]


As the main idea of network forensics is to identify all possible violations and threats, a key challenge in network forensics is to ensure that the network is forensically sound. That means that the network needs to be properly configured, maintained, and updated by the network administrator, and possibly have infrastructure that supports network forensic tools, both hardware and software. When conducting a network forensic investigation on a network infrastructure, the following challenges should be taken into consideration:

- Data sources - a typical network has several possible data sources, ranging from raw data to logs from network devices. The best situation would be to collect all data from all sources, but this is very often not possible, especially when dealing with large networks. Therefore, selection of the proper source of data is of the essence.
- Data granularity - as a challenge related to data sources, deciding how much detail we want to collect is another problem. While in smaller networks we can collect whole packets that contain packet headers, IP addresses, port numbers, protocols, TTL, etc., collecting that much data in a larger network does not seem to be practical or manageable.
- Data integrity - probably the crucial part or challenge in network forensics. The whole forensic process can be dismissed or disproved in court if the data collected from a network is altered or changed in any way, deliberately or accidentally. Therefore, the forensic investigator needs to ensure and guarantee data integrity during and after collection and analysis.
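The preservation phase of the process model and the data integrity challenge above come down to the same mechanics. The following Python script is an added example (not from the paper): it hashes the collected file before anything else touches it, seals a read-only original, hands out a working copy, records both in a custody manifest, and re-verifies the copies so that an accidental change to the working copy is detected while the original still verifies. The file names, the case directory and the capture bytes are constructed for the demo.

```python
"""Preservation of a collected capture: hash the source before anything touches
it, seal a read-only original, work only on a copy, and re-verify both against
the recorded hash. Paths and the evidence bytes are constructed for the demo."""
import hashlib
import json
import os
import shutil
import tempfile
import time

def sha256_file(path, block=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(source, evidence_dir, examiner):
    """Create a sealed original and a working copy under evidence_dir and write
    a custody manifest (manifest.json). Returns the manifest dict."""
    source_hash = sha256_file(source)             # taken first, before copying
    name = os.path.basename(source)
    copies = {"original": os.path.join(evidence_dir, "original", name),
              "working": os.path.join(evidence_dir, "working", name)}
    for path in copies.values():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        shutil.copyfile(source, path)
        if sha256_file(path) != source_hash:      # a copy must match before it is trusted
            raise RuntimeError("copy of %s does not match the source hash" % source)
    os.chmod(copies["original"], 0o444)           # the sealed copy is never written again
    manifest = {
        "source": source,
        "examiner": examiner,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "sha256": source_hash,
        "copies": copies,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest

def verify(manifest):
    """Re-hash every copy listed in the manifest: {label: matches recorded hash}."""
    return {label: sha256_file(path) == manifest["sha256"]
            for label, path in manifest["copies"].items()}

def demo():
    """Preserve a constructed capture, then simulate an accidental edit of the
    working copy. Returns the verification results before and after the edit."""
    tmp = tempfile.mkdtemp(prefix="nf-demo-")
    try:
        source = os.path.join(tmp, "capture.pcap")
        with open(source, "wb") as fh:
            fh.write(b"\xd4\xc3\xb2\xa1" + bytes(20) + b"constructed capture bytes")
        manifest = preserve(source, os.path.join(tmp, "case-0001"), "examiner A")
        before = verify(manifest)
        with open(manifest["copies"]["working"], "ab") as fh:
            fh.write(b"!")                        # the working copy drifts; the original does not
        after = verify(manifest)
        return before, after
    finally:
        shutil.rmtree(tmp, ignore_errors=True)

if __name__ == "__main__":
    print(demo())   # ({'original': True, 'working': True}, {'original': True, 'working': False})
```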

Challenges regarding network-based evidence and network infrastructure have been presented in relation to network forensic investigation. Network forensic investigators are searching for a clue or a piece of evidence buried deep in a pile of data, something like searching for a needle in a haystack. Keeping that in mind, the following challenges occur almost every time a network forensic analysis is taking place:

- Time - whether it is a deadline they must honour, or finding what actions were taken at a specific time, or just synchronizing date and time information with the events being analysed, time is a very important aspect of every forensic investigation.
- Performance - speed and accuracy are among the key components of network forensic investigations. It is all about how fast an investigator can react to an alert of a security breach and/or policy violation, and how punctual he is in his assignment. Of course, it is not all about human competence and skill; both hardware and software need to be capable of performing at top level.
- Complexity - bigger network, bigger problems, bigger complexity. Although not a general rule, since sometimes smaller networks can cause large problems in numerous ways, bigger networks tend to have more network devices, more end users, more IDPSs and firewalls and a very large infrastructure, where an investigator or a team of forensic investigators can be overwhelmed by the size of the data they need to process and analyse. In addition, servers can be located in different geographical areas, which increases complexity and makes the job more difficult to perform.
- Collection - in correlation with complexity, it is the true skill of an investigator to separate valuable data from terabytes of normal network traffic.
- Data as legal evidence - data collected internally for different purposes within an organization differs from data collected for a court of law. Data/evidence as such needs to pass strict legal procedures to be acceptable in court.
- Law - being a young area of expertise, network forensics tends to have legal and court issues. They could be related to the lack of applicable legislation, or to a country's internal decision-making organization associated with law.
- Privacy issues - data collected during an investigation always contains some form of personal information, whether it is an email, personal files, or the metadata of a person. Collateral intrusion can also be a privacy issue, when investigators discover personal information about people who are not the subject of an investigation.
- Data analysis - a huge challenge in investigations due to the complexity of the network environment and the data involved during the collection process. It is quite difficult to find, analyse and present useful information or data. Therefore, investigators use a variety of tools and techniques to make the job easier and more accurate.
- Hiding a breach - many companies try to minimize public exposure regarding their network breaches, and ask for help only when they see that there is no other option. This is another major challenge in network forensics, simply because, by the time help is requested after an attack or security breach has occurred, a skilful attacker is long gone and has successfully covered his tracks.
- Network systems - as already mentioned, network forensic systems are based on audit trails. One of the main setbacks with these systems is their price, which can be extremely high. In order to analyse logs, the system must keep information, which results in a large amount of data requiring even larger amounts of disk space along with very powerful CPU resources.

Even after you have collected everything necessary for a network forensic investigation, the next step, processing and converting logs into a manageable format and then comparing them with known attack patterns and misuses to possibly identify security breaches, can be extremely demanding. Furthermore, the stored patterns of attacks need to be regularly updated, which requires a lot of human expertise. A network tool that is capable of performing this automatically is the goal of researchers in cyber/network forensics.

IV. CONCLUSION

Network forensics is an art and a skill. It takes a lot of knowledge and patience to learn networking, how it operates and functions, the flaws of networks which a skilful attacker can use, as well as the advantages which a forensic investigator can turn in his favour. Network forensics gives an investigator the ability to trace the source of the attack to its origin and possibly to identify the perpetrator. This paper presented only some of the challenges concerning network forensics. Attackers and their rivals, network investigators/administrators, constantly battle for dominance over the network. That battle is what the challenges are all about: time, speed, accuracy, complexity, integrity, performance, etc. The paper also presented NFATs, a collection of network tools which investigators can use to monitor, maintain, and trace back attackers if needed. A generic framework was also presented, which provided a visual overview of what the network forensic procedure should look like and what the key stones and challenges are.
LITERATURE

[1] S. Davidoff, J. Ham, Network Forensics: Tracking hackers through cyberspace, Pearson Education, Inc., New Jersey, 2012.
[2] A. Lazzez, "A Survey about Network Forensics Tools", International Journal of Computer and Information Technology, vol. 2, issue 1, pp. 74-81, January 2013.
[3] Q. Al-Mousa, Z. A. Al-Mousa, "Honeypots Aiding Network Forensics: Challenges and Notions", Journal of Communication, vol. 8, no. 11, pp. 700-707, November 2013.
[4] M. Rasmi, A. Jantan, H. Al-Mimi, "A new approach for resolving cyber crime in network forensics based on generic process model", The 6th International Conference on Information Technology, May 8th 2013.
[5] M. Rouse, http://searchsecurity.techtarget.com/definition/networkforensics
[6] Report From the First Digital Forensic Research Workshop (DFRWS), November 6th 2001.
[7] S. Garfinkel, "Network Forensics: Tapping the Internet", O'Reilly Network, April 26th 2002.
[8] S. Mukkamala, A. H. Sung, "Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques", International Journal of Digital Evidence, vol. 1, issue 4, winter 2003.
[9] E. S. Pilli, R. C. Joshi, R. Niyogi, "A Generic Framework for Network Forensics", International Journal of Computer Applications, vol. 1, no. 11, 2010.
[10] V. Corey, C. Peterman, S. Shearin, M. S. Greenberg, J. Van Bokkelen, "Network Forensics Analysis", IEEE Internet Computing, vol. 6, issue 6, pp. 60-66, November 2002.
[11] B. Patel, S. M. Shah, S. S. Chauhan, "Comparative Analysis of Network Forensic Systems", International Journal of Computer Applications, Special issue on IP Multimedia Communications, vol. 1, pp. 80-83, October 2011.
[12] SANS Institute, Global Information Assurance Certification Paper, 2003.
[13] A. Chennaka, "Network Forensics: A survey", Electrical and Computer Engineering, Iowa State University, Spring 2013.
[14] A. Almulhem, "Network forensics: Notions and challenges", Signal Processing and Information Technology (ISSPIT), pp. 463-466, December 2009.
[15] Y. Zhang, V. Paxson, "Detecting Stepping Stones", 9th USENIX Security Symposium, vol. 9, 2000.
[16] SynJunkie, "Forensics - Volatile data", http://synjunkie.blogspot.com/2007/10/forensics-volatiledata.html, date published: 6th October 2007, last accessed: 2nd February 2015.