This book primarily focuses on providing deep insight into the concepts of network security, network forensics, botnet forensics, ethics, and incident response from a global perspective. It also covers the dormant and contentious issues of the subject in the most scientific and objective manner. Various case studies addressing contemporary network forensics issues are also included to provide practical know-how of the subject.
Network Forensics: Privacy & Security provides substantial knowledge of network forensics across the different functions and spheres of security. The book gives complete coverage of network security, all kinds of network attacks, the intention of an attacker, identification of an attack, detection, its analysis, incident response, ethical issues, botnets, and botnet forensics. This book also refers to the recent trends that come under network forensics. It provides in-depth insight into the dormant and latent issues of acquisition and live system investigation too.
Features:
Follows an outcome-based learning approach.
A systematic overview of the state of the art in network security, tools, and digital forensics.
Differentiation among network security, computer forensics, network forensics and botnet forensics.
Discussion on various cybercrimes, attacks and cyber terminologies.
Discussion on network forensics process model.
Network forensics tools and different techniques.
Network Forensics analysis through case studies.
Discussion on evidence handling and incident response.
System Investigations and the ethical issues on network forensics.
This book serves as a reference for postgraduate students and research investigators who need to study cyber forensics. It can also be used as a textbook for a graduate-level course in Electronics & Communication, Computer Science, and Computer Engineering.
Yes, you can access Network Forensics by Anchit Bijalwan in PDF and/or ePUB format, as well as other popular books in Computer Science & Computer Engineering. We have over one million books available in our catalogue for you to explore.
This chapter aims at explaining the analysis part of network forensics. It discusses the process model for network forensics and explains the framework for network forensic analysis. It also imparts knowledge through a practical approach by setting up the experiment for the forensic analysis. After reading this chapter, you will:
Understand the development of the network forensic process.
Have knowledge of the network forensic process model.
Understand how to set up the experiment for the analysis.
Understand the analysis through various case studies using different datasets.
8.1 Introduction
Network forensics involves linking diverse datasets that are relevant to activities, typically correlating the digital traces obtained from different data sources such as web pages, logs, Internet-related groups, and online chat rooms. The network forensics process can be developed in two ways:
The first is the passive use of conventional security devices such as firewalls and intrusion detection systems, analyzing the data they produce, and then investigating it.
The other way is to actively trap the attacker by means of honeynets or greynets to observe the attack patterns, thus creating observable profiles of attackers and their exploitation mechanisms.
In 1987, an intrusion detection model was proposed by Denning and team, which spurred further research contributions in the same area by new researchers. After that, in 1990, Ranum et al. defined the capture, recording, and analysis of the attacks that occurred. In 2002, Reith et al. proposed a new model, referred to as the abstract digital forensic model, which is predicated on the DFRW model. This model consists of seven stages, which are its key components: identification, preservation, collection, examination, analysis, presentation, and decision.
In 2006, McGrath et al. interpreted network forensics after malicious data collection with the help of a nonintrusive network traffic recording system. Mandia et al. developed a robust incident response methodology. Its first phase, i.e., initial response, covers the formulation of a response and sums it up for an incident. The collection and analysis phases come under the investigation phase, which is defined in the previous models. In 2007, Freiling and Schwittay proposed a model in which computer forensic and incident response processes can be utilized with a management-oriented approach in digital investigations.
In 2008, Abdullah, Mahmod, and Ghani identified five categories: framework, trustworthiness, data detection, data acquisition, and data recovery. Casey and Palmer developed an investigative process model. It simplifies the previously tedious investigation and evidence-handling processes and minimizes the chances of errors.
Many authors have contributed research in the field of network forensics, including work applying frequent sequence mining algorithms. Palomo presented a novel approach for analyzing and visualizing network traffic data, predicated on growing hierarchical self-organizing maps (GHSOMs). The GHSOM was used to cluster network traffic data and to present it sequentially. Zhong derived an Apriori-based algorithm; Apriori is one of the most robust algorithms for mining Boolean association rules, and applying it to the procedure mentioned can improve the efficiency of evidence analysis.
Many other researchers, scholars, and authors have also carried out research on network forensics, presenting their work using different tools and techniques. In 2002, Corey described a network for monitoring vulnerabilities, prepared especially to identify configuration problems easily. The forensic analysis yields a convenient way to find security vulnerabilities and allows the best possible scrutiny of security violations. Tools like tcpdump, gnutella, and NetIntercept were used for the forensic analysis. In 2008, Wang developed a novel graph-based approach to analysis for network forensics, in which a model is built around an evidence graph. This model ensures automated reasoning and presentation.
In 2012, Raftopoulos investigated the correlation of information based on four security parameters, namely IDS alerts, examination and vulnerability reports, and unwanted filtered traffic through a search engine, to expedite manual forensic analysis of compromised systems. Tools like Nmap, NIC whois, Nessus, and OpenVAS were used, along with techniques like the C4.5 decision tree algorithm, NIC whois querying, and TCP/UDP port scanning. A comparison among the tree-augmented naive Bayes (TAN), Bayesian tree classifier (BTC), and support vector machine (SVM) was made for the forensic investigation.
In 2014, Shulman reviewed the strongest procedure for preventing cache poisoning attacks on DNSSEC. This mechanism enables a posteriori analysis for the purpose of forensics. The attacks considered include those using anycast technology, DNS cache poisoning by MITM (man in the middle), and cache poisoning by subverting the hosting infrastructure.
The internetwork is the root cause of the distribution of cyber-attacks, yet it is needed in almost every aspect of a country's economy, i.e., banking, education, transportation (railways, airways, buses, and taxis), healthcare, business, and many more. With the growth of the Internet, there is a need to protect data. Traditional protection techniques such as firewalls and antivirus software are not sufficient; enhanced security measures are required. Protecting the system alone is not sufficient; rather, it is necessary to trace back to the criminals in case of cybercrime. Network forensics provides a mechanism to track the criminals. It also provides a mechanism to trace malicious traffic and analyze it, thus helping in the investigation process.
Consider the cyber-attack on the Internet giant LinkedIn in 2012, where the passwords of nearly 6.5 million user accounts were stolen, and again in 2016, when about 100 million hashed passwords and email addresses were leaked, both from the same source, i.e., Russian cyber criminals. There has also been a breach of the security of Apple's iCloud, leading to the theft of 500 private pictures of celebrities in the year 2014, even though various scenarios and frameworks had been developed to prevent attacks and identify their origin. In spite of the many existing sound frameworks and techniques for network forensics, there is a need for continuous development in this area and for overcoming the challenges in existing models.
This chapter presents the network forensic standard process model, the framework for analysis, the analysis of network traffic through a dataset in one case study together with its behavior, and finally, in another case study, the analysis of network traffic through a second dataset. It presents network behavioral features that can be used to accomplish accurate malware detection. By analyzing and comparing known malware and normal processes, it successfully exploits differences in their network activity behavior and produces accurate and effective malware detection with minimal false positives and false negatives. This was accomplished by producing a set of behaviors which occurred most often in the analyzed malware samples, during which two novel behaviors frequently used by malware were discovered.
8.2 Network Forensic Standard Process Model
A generic process model for network forensics incorporates the new phase of detection, where a fast evaluation is done to check the alleged outbreak of a crime. This model first authorizes the investigator to perform the investigation process. It is important to preserve the evidence while making an initial assessment. Here, there is an option to abort the investigation if certain prerequisites are not fulfilled, such as preinstalled sensors and network traffic collector tools such as NetIntercept or Xplico. If further investigation is to be carried out, a strategy is planned to reduce the collected network traffic and to document it. Further analysis is then done, and a review is made to check for further improvement. This standard network forensic process model is shown in Figure 8.1.
FIGURE 8.1 Standard network forensic process model.
The detailed description of the standard network forensics model is as follows.
8.2.1 Authorization
This phase involves obtaining legal permissions from the concerned authority to initiate the investigation process, as shown in Figure 8.1. Herein, Ciardhuain proposed the authorization phase to take consent from internal and external organizations. The authorization phase may sometimes face the challenge of obtaining permission from external bodies located overseas, who may not permit it because of their country's legal perspectives.
8.2.2 Preservation
The preservation phase involves preventing tampering with network evidence. For example, if a mobile device is involved in the crime, it must be switched off to avoid alteration of call and network logs. This is the second phase, as shown in Figure 8.1.
8.2.3 Initial Assessment
In this stage, an initial judgment is made on whether to continue or abort the investigation. If there are no preinstalled tools for network traffic collection, the investigation is terminated. This phase has two outward links, of which only one is selected, as displayed in Figure 8.1.
8.2.4 Strategy Planning
This phase consists of laying out the strategy for carrying out further investigation, i.e., team members, duration of the investigation, cost involved, and software to be used. It involves constructing a design strategy using design science, as given by Lutui, placing more stress on efficacy and coherence.
8.2.5 Evidence Collection
Evidence is collected at this stage, which may involve either automatic or manual network traffic collection. Further, the huge amount of data collected from the network can be reduced by eliminating superfluous data.
8.2.6 Documentation
Documentation is the process of recording all the relevant information gathered and all the actions taken during the investigation process.
8.2.7 Analysis
The analysis phase involves determining attack patterns by employing various machine learning techniques. It also involves techniques such as PROLOG-based logic programming to analyze the data.
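The preservation, evidence collection, documentation, and analysis phases described above can be seen end to end in the following added example, which is not code from the book. It runs over a small set of constructed flow records (hypothetical hosts in 10.0.0.0/24): preservation is a SHA-256 digest over the canonical serialization of the collected records so that any later alteration is detectable; collection reduction drops duplicate records and applies an investigator-supplied filter; documentation is a case log that records each phase; and analysis is a simple rule-based pattern check that flags a source contacting an unusually large number of distinct destination ports. The threshold and the record layout are assumptions for the example.

```python
"""Added example: phases of the standard network forensic process model
(preservation, evidence collection, documentation, analysis) over
constructed flow records. Not code from the book or its author."""
import hashlib
import json
from collections import defaultdict

# Constructed sample flow records (hypothetical hosts). The second record is an
# exact duplicate of the first, as a sensor might export when it flushes twice.
SAMPLE_FLOWS = [
    {"ts": 1, "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 22, "proto": "tcp", "bytes": 1200},
    {"ts": 1, "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 22, "proto": "tcp", "bytes": 1200},
    {"ts": 3, "src": "10.0.0.7", "dst": "10.0.0.20", "dport": 80, "proto": "tcp", "bytes": 5000},
    {"ts": 4, "src": "10.0.0.9", "dst": "10.0.0.20", "dport": 21, "proto": "tcp", "bytes": 60},
    {"ts": 5, "src": "10.0.0.9", "dst": "10.0.0.20", "dport": 23, "proto": "tcp", "bytes": 60},
    {"ts": 6, "src": "10.0.0.9", "dst": "10.0.0.20", "dport": 25, "proto": "tcp", "bytes": 60},
    {"ts": 7, "src": "10.0.0.9", "dst": "10.0.0.20", "dport": 80, "proto": "tcp", "bytes": 60},
    {"ts": 8, "src": "10.0.0.9", "dst": "10.0.0.20", "dport": 443, "proto": "tcp", "bytes": 60},
    {"ts": 9, "src": "10.0.0.5", "dst": "10.0.0.53", "dport": 53, "proto": "udp", "bytes": 80},
]


def canonical(records):
    """Deterministic serialization: sorted keys, no whitespace, fixed order."""
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def preserve(records):
    """Preservation: digest of the collected evidence, taken before any
    reduction or analysis, so later copies can be checked against it."""
    return hashlib.sha256(canonical(records)).hexdigest()


def verify(records, digest):
    """Re-hash the records and compare with the digest taken at preservation."""
    return preserve(records) == digest


def reduce_evidence(records, keep=lambda r: True):
    """Evidence collection reduction: drop exact duplicate records and keep
    only those the investigator's predicate accepts. Input is not modified."""
    seen, kept = set(), []
    for r in records:
        key = json.dumps(r, sort_keys=True)
        if key in seen or not keep(r):
            continue
        seen.add(key)
        kept.append(dict(r))
    return kept


def flag_scan_like(records, threshold=4):
    """Analysis: a rule-based pattern check. A source that contacts at least
    `threshold` distinct destination ports is flagged for closer review.
    The threshold is an assumed value for this example."""
    ports_by_src = defaultdict(set)
    for r in records:
        ports_by_src[r["src"]].add(r["dport"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= threshold)


def run_investigation(records, keep=lambda r: True, threshold=4):
    """Run the phases in order and document each one in a case log."""
    log = []
    digest = preserve(records)
    log.append({"phase": "preservation", "note": f"sha256={digest}"})
    kept = reduce_evidence(records, keep)
    log.append({"phase": "collection", "note": f"kept {len(kept)} of {len(records)} records"})
    flagged = flag_scan_like(kept, threshold)
    log.append({"phase": "analysis", "note": f"flagged sources: {flagged}"})
    return {"digest": digest, "kept": kept, "flagged": flagged, "log": log}


if __name__ == "__main__":
    result = run_investigation(SAMPLE_FLOWS, keep=lambda r: r["proto"] == "tcp")
    for entry in result["log"]:
        print(f"[{entry['phase']}] {entry['note']}")
    print("integrity check:", verify(SAMPLE_FLOWS, result["digest"]))
```

The digest is taken over the raw collection, not the reduced set, so the reduction step itself is auditable: anyone holding the original records can recompute the digest in the case log, and a single altered byte anywhere in the collection changes it. The port-fanout rule stands in for the machine learning or logic-based techniques the text mentions; the same log-and-verify structure applies whichever analysis method is plugged in.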