Correlating forensic data for enhanced network crime investigations: Techniques for packet sniffing, network forensics, and attack detection

Abstract

In today’s digitally saturated world, digital devices are frequently involved in criminal events as targets, mediums, or witnesses. Forensic investigations encompass the collection, recovery, analysis, and presentation of information stored on network devices, with specific relevance to network crimes. Such investigations often necessitate the use of diverse analysis tools and methods. This study introduces techniques that support digital investigators in correlating and presenting information derived from forensic data, with a primary focus on packet sniffing, network forensics, and attack detection. By leveraging these methodologies, investigators aim to achieve more valuable reconstructions of events or actions, resulting in enhanced case conclusions. The study emphasizes the importance of understanding how malware operates within the context of the Internet. It explores packet sniffing techniques to capture and analyze network data, enabling investigators to detect and trace the origins of malicious activities. Additionally, it delves into the realm of network forensics, proposing effective methods for gathering evidence from network devices and reconstructing digital events. Furthermore, the study covers the significance of attack detection in network crime investigations. It highlights techniques to identify and analyze attack patterns, facilitating the identification of perpetrators and their motivations. By correlating information obtained from forensic data, investigators can obtain comprehensive insights into the nature and impacts of network crimes. Overall, this study aims to arm digital investigators with the knowledge and tools necessary to navigate the complexities of packet sniffing, network forensics, and attack detection. By incorporating these techniques into their investigations, investigators can achieve more robust reconstructions of events, draw well-informed conclusions, and contribute to the successful resolution of network crime cases.

Similar Papers
  • Research Article
  • 10.11591/csit.v5i1.pp1-6
Collecting and analyzing network-based evidence
  • Mar 1, 2024
  • Computer Science and Information Technologies
  • Ashwini Kumar Singh + 7 more

Since nearly the beginning of the Internet, malware has been a significant deterrent to productivity for end users, both personal and business related. Due to the pervasiveness of digital technologies in all aspects of human lives, it is increasingly unlikely that a digital device is involved as goal, medium or simply ‘witness’ of a criminal event. Forensic investigations include collection, recovery, analysis, and presentation of information stored on network devices and related to network crimes. These activities often involve wide range of analysis tools and application of different methods. This work presents methods that helps digital investigators to correlate and present information acquired from forensic data, with the aim to get a more valuable reconstructions of events or action to reach case conclusions. Main aim of network forensic is to gather evidence. Additionally, the evidence obtained during the investigation must be produced through a rigorous investigation procedure in a legal context.

  • Research Article
  • Cited by 2
  • 10.1002/itl2.231
Social IoT data mining and cyber‐crime forensics under complex cloud environment
  • Sep 16, 2020
  • Internet Technology Letters
  • Yijun Cai + 2 more

Computer forensics is accompanied by the development of computer technology and the emergence of a new form of crime, network crime. The computer log provides a lot of evidence for the computer system to attack crime. Due to the particularity of information technology, it also brings huge information security risks in the whole information process. There are more and more new types of criminal activities which take computer network information system as criminal object and computer network information system as criminal tool. Therefore, it is of great practical significance to crack down on computer network crimes and ensure information security for national economic development and social stability. Different from the traditional social crime, cyber crime is a typical high‐tech crime. The evidence of network crime is transmitted and stored in the form of binary digital data through computers or related network devices in the network. The network forensics model based on data mining technology proposed in this paper applies data mining technology to the evidence analysis of network forensics, and makes full use of various mining modes of data mining technology.

  • Dissertation
  • Cited by 1
  • 10.15123/pub.4982
A Comprehensive Digital Forensic Investigation Model and Guidelines for Establishing Admissible Digital Evidence
  • Jan 1, 2013
  • Inikpi O Ademu

Information technology systems are attacked by offenders using digital devices and networks to facilitate their crimes and hide their identities, creating new challenges for digital investigators. Malicious programs that exploit vulnerabilities also serve as threats to digital investigators. Since digital devices such as computers and networks are used by organisations and digital investigators, malicious programs and risky practices that may contaminate the integrity of digital evidence can lead to loss of evidence. For some reasons, digital investigators face a major challenge in preserving the integrity of digital evidence. Not only is there no definitive comprehensive model of digital forensic investigation for ensuring the reliability of digital evidence, but there has to date been no intensive research into methods of doing so. To address the issue of preserving the integrity of digital evidence, this research improves upon other digital forensic investigation models by creating a Comprehensive Digital Forensic Investigation Model (CDFIM), a model that results in an improvement in the investigation process, as well as security mechanisms and guidelines during investigation. The improvement is also effected by implementing Proxy Mobile Internet Protocol version 6 (PMIPv6) with improved buffering based on the Open Air Interface PMIPv6 (OAI PMIPv6) implementation to provide reliable services during handover in a Mobile Node (MN) and improve performance measures to minimize loss of data, which this research identified as a factor affecting the integrity of digital evidence. The advantage of this is to show that the integrity of digital evidence can be preserved if loss of data is prevented. This research supports the integration of security mechanisms and intelligent software in digital forensic investigation, which assist in preserving the integrity of digital evidence, by conducting two different attack experiments to test CDFIM. It found that when CDFIM used security mechanisms and guidelines with the investigation process, it was able to identify the attack and also ensured that the integrity of the digital evidence was preserved. It was also found that the security mechanisms and guidelines incorporated in the digital investigative process are useless when the security guidelines are ignored by digital investigators, thus posing a threat to the integrity of digital evidence.

  • Book Chapter
  • 10.1201/9781003140023-4
A Role of Digital Evidence
  • Nov 1, 2021
  • G Maria Jones + 2 more

Digital forensics is a branch of forensic science mainly focusing on retrieving and investigating the raw data residing in digital devices. The aim of the process is to extract and recover digital data from a digital device without altering the data present on the device. Over the years, the digital forensics domain has grown, along with the rapid development of digital technology. There are various sub-domains of digital forensics based on the type of digital device involved, which include computer forensics, database forensics, network forensics, memory forensics, mobile forensics, and so on. Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile devices. Mobile devices have become an essential part of everyone’s life, which makes them a target of criminal activities or a part of a crime. No other computing devices like mobile devices handle a massive amount of sensitive information. Mobile devices hold a huge repository of user data like event logs, messages, contact lists, credit and debit card numbers, memos, calendars, and so on. These handheld devices are used to communicate with others across the globe, sharing photos and videos, being connected to social blogs, and much more. Since technology is developing, the mobile device becomes a data carrier; as the network is available, they can keep track of all movements. With the rapid development of technology in mobile computing, criminals commit advanced crimes like hacking, malware attacks, phishing, and many more. In the majority of illicit drug peddlers’ cases, a mobile device has been used as a medium to move contraband across borders. Major criminal organizations and terrorists use mobile devices to coordinate criminal activities and share information to commit the crime in a well-organized manner. Digital investigators can gain valuable insights from their mobile phones. Nowadays, on social media networks like Facebook, Instagram, and many more, users are selling drugs illegally. This information on mobile phones can help the experts to find out the whole network. The objective of this chapter is to contribute a full introduction, the basic fundamentals of mobile forensics, and also the detection technique of suspicious activities from mobile device data with the aim of mobile forensics data analysis. The proposed model works with greater utility when there is a variety of digital evidence that can infer the actions of offenders/victims. This chapter demonstrates a brief study about how digital evidence plays an important role in mobile devices for investigation and also aims to investigate the applicability of machine learning and deep learning algorithms in identifying digital evidence. Data will be extracted using forensics tools and then fed to various algorithms. The performance of such algorithms was compared based on evaluation metrics. The implementation of ML and DL techniques on mobile forensics artifacts helps to analyze the digital evidence. The classification algorithms are used to train the ML models, which predict whether a given data item is potential evidence or not. For implementing the DL model, Keras is used as a framework, TensorFlow as backend, trained with 100 epochs, and Adam as an optimizer. The dataset has been divided into training and testing with 80:20 ratios. The performance measures are calculated by Mean Square Error (MSE) and Root Mean Square Error (RMSE).

  • Research Article
  • Cited by 1
  • 10.48084/etasr.6316
A Detection and Investigation Model for the Capture and Analysis of Network Crimes
  • Oct 13, 2023
  • Engineering, Technology & Applied Science Research
  • Iman S Alansari

Investigation in the field of network forensics involves examining network traffic to identify, capture, preserve, reconstruct, analyze, and document network crimes. Although there are different perspectives on the practical and technical aspects of network forensics, there is still a lack of fundamental guidelines. This paper proposes a new detection and investigation model for capturing and analyzing network crimes, using design science research. The proposed model involves six processes: identification, verification, gathering, preservation, examination, analysis, and documentation. Each process is associated with several activities that provide the investigation team with a clear picture of exactly what needs to be performed. In addition, the proposed model has a unique activity, namely reporting. As a result, this model represents a comprehensive approach to network forensics investigations. It is designed to work in conjunction with established forensic techniques to ensure that forensic evidence from the network is collected and analyzed efficiently and effectively following accepted forensic procedures. The proposed model was compared with existing models in terms of completeness, showing that it is complete and can be adapted to any type of network and legal framework.

  • Book Chapter
  • 10.1016/b978-0-443-13223-0.00044-8
Chapter 44 - Network Forensics
  • Jan 1, 2025
  • Computer and Information Security Handbook
  • Aruna Karunamoorthy

  • Research Article
  • 10.22624/aims/crp-bk3-p42
A Survey Of Packet Analysis For Network Forensics
  • Jul 26, 2022
  • Advances in Multidisciplinary and scientific Research Journal Publication
  • Michael Kodjo Agorsah

Network forensics is a branch of the network security paradigm (a collection of rules and configurations for protecting the integrity, confidentiality, and accessibility of computer networks and data using both software and hardware technologies) that focuses on network attack prevention and detection. It solves the present model's lack of specific investigation tools for probing harmful activities in networks. It also monitors the network for attacks and analyzes the attackers' characteristics. Packet analysis is the most common technique in network forensics, and it may replay the whole network traffic for a given period if the packet characteristics gathered are sufficiently detailed. The data collected can be utilized to track down traces of illegal internet activity, data breaches, unauthorized website access, malware infection, and so on across the network. This article provides a thorough packet analysis approach with extensive network traffic categorization and pattern detection capabilities, as well as a broad examination of the use of packet analysis in network forensics. Because not all network data can be used in court, the categories of digital evidence that may be acceptable are described in depth. The features of both hardware appliances and packet analyzer software are examined in light of their potential applications in network forensics.

Keywords: Network Forensics, Computer & Network Security, Digital Forensics, Local and Wide Area Network, Internet

Book Chapter | Research Nexus in IT, Law, Cyber Security & Forensics. Open Access. Distributed Free. Citation: Tsatsu, K. Sabblah (2022): Analysis of Attack Intention Recognition. Book Chapter Series on Research Nexus in IT, Law, Cyber Security & Forensics. Pp 263-266. www.isteams.net/ITlawbookchapter2022. dx.doi.org/10.22624/AIMS/CRP-BK3-P42

  • Conference Article
  • Cited by 1
  • 10.23919/wac55640.2022.9934389
A fuzzy decision tree reasoning method for network forensics analysis
  • Oct 11, 2022
  • Jiao Ye

As an important branch of computer forensics, network forensics technology, whether abroad or at home, is in its infancy. It mainly focuses on the research on the framework of some forensics systems or some local problems, and has not formed a systematic theory, method and system. In order to improve the network forensics system, have a relatively stable and correct model for reference, ensure the authenticity and credibility of network forensics from the forensics steps, provide professional and non-professional personnel with a standard to measure the availability of computer network crime investigation, guide the current network forensics process, and promote the gradual maturity of network forensics theories and methods, this paper presents a fuzzy decision tree reasoning method for network forensics analysis.

  • Research Article
  • Cited by 6
  • 10.1016/j.cose.2023.103521
Enhanced neural network-based attack investigation framework for network forensics: Identification, detection, and analysis of the attack
  • Oct 5, 2023
  • Computers & Security
  • Sonam Bhardwaj + 1 more

  • Conference Article
  • Cited by 8
  • 10.1109/mipro.2015.7160490
Challenges in network forensics
  • May 1, 2015
  • J Buric + 1 more

Network forensics is a branch of digital forensics that focuses on monitoring, capturing, recording, and analysis of network traffic. More accurately, it is the use of scientifically proven techniques to collect and analyse network packets and events for investigative purposes. Network forensics is an extension of the network security model, which traditionally emphasizes prevention and detection of network attacks. Current network forensics approaches are costly and time consuming. However, unlike other areas of digital forensics, network forensics deals with volatile and dynamic data. It helps organizations to investigate attacks that originated from outside and inside of the company. It's also important for law enforcement agencies when solving crimes. The paper presents different challenges that investigators are facing due to the rapid growth of networks and attackers' skills, and possible framework solutions that would help to solve or minimize these problems.

  • Conference Article
  • Cited by 6
  • 10.1109/fskd.2014.6980912
An approach to detect network attacks applied for network forensics
  • Aug 1, 2014
  • Khoa Nguyen + 3 more

Network forensics is addressed to deal with cybercrime. The main purpose of a network forensics system is reconstructing evidence of network attacks. In order to reconstruct evidence, the network attack is first identified. Therefore, network attack detection solutions play an important role in network forensics. There are two main types of network attacks: network level and application level. Network level attack detection solutions focus on the information in the headers of network packets, while application level attack detection solutions investigate the data fragments carried in the packet payloads. We propose an approach based on Shannon entropy and machine learning techniques to identify executable content for anomaly-based network attack detection in network forensics systems. Experimental results show that the proposed approach provides a very high detection rate.

  • Research Article
  • 10.12739/nwsaes.v8i3.5000066813.g5000062187
IMPORTANCE OF NETWORK DEVICES AND THEIR SECURE CONFIGURATIONS AT DIGITAL FORENSICS
  • Jul 30, 2013
  • NWSA-Engineering Sciences
  • Fatih Ertam + 2 more

Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. Network forensics is a sub-branch of digital forensics. Network device forensics is also a sub-branch of network digital forensics. Forensic IT applications and examination of suspicious users` personal computers to be copied to all of the data alone is not sufficient for the determination of guilt or innocence. Users before the event and during the event is logged on the network traffic to be carried out is important. These records are necessary to preserve the security measures on the network devices, the devices required by the user on the network can not use, the internet user`s IP address and MAC address of the output to be significant, the user attempts to disrupt the functioning of the network is very important in minimizing. Users, network devices must not interfere with the records. In this study, as well as to facilitate network forensics investigations on network devices to improve network security configuration settings to be discussed.

  • Research Article
  • 10.34012/jurnalsisteminformasidanilmukomputer.v6i2.2932
FORENSIC NETWORK ANALYSIS AND IMPLEMENTATION OF SECURITY ATTACKS ON VIRTUAL PRIVATE SERVERS
  • Feb 9, 2023
  • Jurnal Sistem Informasi dan Ilmu Komputer Prima(JUSIKOM PRIMA)
  • Naikson Saragih + 2 more

PT Kodinglab Integrasi Indonesia's Virtual Private Server (VPS) product requires good quality standards, including security. The challenge that arises is still frequent disruptions to the protection of PT Kodinglab's VPS customers, where it is difficult to identify the source of the attack. Network forensics in the form of dead forensics and live forensics using the NIST method with the stages of collection, examination, analysis, and reporting are used to find the source of the attack. Data for dead forensics comes from Snort tools, and data for live forensics comes from Wireshark captures. The collection stage involves collecting attack data from Snort logs and Wireshark for live forensics, while in the examination stage the datasets are further analyzed and mapped. An advanced check on the server is done via the Snort syslog. From the attack testing carried out, information was obtained in the form of the attacker's IP address, destination IP address, date of the attack, server time, and type of attack from testing the TCP Flooding and UDP Flooding attacks; all attacks on the customer's VPS can be identified. The information obtained regarding the attacker is in the form of the date and time the attack occurred, the attacker's IP address and the victim's IP address, and the protocol used. Keywords: Network Forensic, Dead Forensic, Live Forensic, Virtual Private Server, DDos, TCP Flooding, UDP Flooding.

  • Research Article
  • Cited by 32
  • 10.4018/jdcf.2013010101
A Review of Current Research in Network Forensic Analysis
  • Jan 1, 2013
  • International Journal of Digital Crime and Forensics
  • Ikuesan R Adeyemi + 2 more

Establishing facts on cyber crime is gradually gaining wider relevance in prosecuting cyber criminals. The branch of cyber policing saddled with this responsibility is the network forensic community (researchers, developers, and investigators). However, the recurring rate of advances in cybercrime poses a greater challenge to the available improvements in network forensics analysis tools (NFAT) as well as to investigators, and ultimately, researchers. The need for efficient cutting-edge research findings in curbing network crimes is therefore undeniably critical. This paper describes the distinction between network security and network forensics. In addition, the authors identify factors that militate against most network forensic techniques as well as the research challenges in network forensics. Furthermore, the paper discusses the current research works on network forensics analysis. This research is useful to the research community of network forensics, for knowledge on existing research techniques, and direction on further research in network forensics.
