The demand for inter-networking keeps increasing amongst users and organizations for whom access to and sharing of data is a daily requirement. Alongside this growth, attempts to unlawfully intercept data and violations of organizational policies on network usage have increased as well.
As a result, incidents of unlawful data interception and of workplace usage-policy violations require the analysis of data that spans not only many organizations within a country but also bodies across international borders.
This presents law enforcement with the challenge of using network forensics to combat this increase in violations and interceptions. Even though forensics has kept pace with technology, it still faces diverse challenges in the efficiency of digital evidence processing and the related forensic procedures.1 This article gives a brief insight into the key systems of network forensics, a brief introduction to the monitoring software used for data collection, and guidance on how to write and present a network forensic report.
Introduction: Defining Network Forensics
Network forensics is a branch of digital forensics; this branch may also be classified as secure, as it analyses data from a non-volatile source. It covers the monitoring and analysis of computer network traffic and allows investigators to gather information, compile evidence and/or detect intrusions.2 Sometimes referred to as packet forensics, this category makes it possible for the stored network traffic of a user's activity to be analysed even after the disk and memory of the computer have been destroyed. The source for this type of analysis is TCP/IP traffic collected by monitoring software; TCP/IP refers to the set of rules that govern the transport of data from one network device to another.
In summary, network forensics deals with capturing, recording and analysing events that traverse a network. These events are presented as evidence that can be submitted to the courts as information on traffic intrusion or network usage violations.
Categorization of Network Forensics
Network forensics can be categorised into two kinds of data collection method:
Catch it as you can
This method captures all activity performed and traffic generated by a user on a network and writes it to storage for later analysis. This system usually requires a large amount of storage.
Stop, look and listen
This method captures all activity performed and traffic generated by a user on a network, analyses it in real time and stores only key components.
The Monitoring Software – Collection and Analysis of Network Events
Either of the two data collection methods is achieved by monitoring software that polls traffic statistics from the network router to which the user is connected. Ideally, these statistics leave the user's PC through its physical network interface and pass through the router to the monitoring server.
The data polled by the monitoring software is stored on a server and made available for use only when strong credentials are provided. The monitoring software may offer menu items giving access to network overviews, devices, filtering options and the ability to edit them, short-term and long-term reports, timelines of events, and finally a menu allowing the administrator to tweak or reconfigure the software.
The network overview and devices menu options record average and peak traffic rates. This makes it clear, for instance, which device within the network is using the most network resources.
The filter editor menu option allows a filter to be applied for one-to-one, one-to-many, many-to-one and many-to-many events that have occurred on the network. This produces an output listing all IPs and ports a device has communicated with, and vice versa.
These results, and many others derived from them, allow the investigator to analyse all traffic. The analysis establishes correlations between individual connections whilst ensuring the source data is not affected. Ideally, the monitoring server into which all data has been polled should have restricted access to prevent tampering with the evidence.
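As an added illustration (not code from the original article or from any monitoring product), the Python below reproduces the two views just described over a constructed flow export: the per-device average and peak rates of the network overview, and the filter editor's list of peer IPs and ports in each direction, labelled one-to-one, one-to-many or many-to-one from the distinct peer counts. A SHA-256 hash of the raw export taken before and after analysis shows the source data was not affected. The record format and all addresses are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed flow export (sample data, not real traffic): "<second> <src>:<port> -> <dst>:<port> <bytes>"
EXPORT = """\
1000 10.0.0.5:51000 -> 203.0.113.10:443 1200
1000 10.0.0.5:51001 -> 203.0.113.11:443 800
1001 10.0.0.5:51002 -> 203.0.113.12:22 300
1001 10.0.0.7:40000 -> 10.0.0.5:445 5000
1002 10.0.0.8:40001 -> 10.0.0.5:445 4000
1002 10.0.0.9:3000 -> 198.51.100.2:80 100
"""

def evidence_hash(text):
    """SHA-256 of the raw export; compare before and after analysis to show it was not altered."""
    return hashlib.sha256(text.encode()).hexdigest()

def parse_flows(text):
    """Parse one flow per line; malformed lines are skipped rather than guessed at."""
    flows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 5 or p[2] != "->":
            continue
        src = p[1].rsplit(":", 1)[0]
        dst, dport = p[3].rsplit(":", 1)
        flows.append({"ts": int(p[0]), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(p[4])})
    return flows

def traffic_rates(flows, host):
    """Network overview view: (average, peak) bytes per second for one device."""
    per_sec = defaultdict(int)
    for f in flows:
        if host in (f["src"], f["dst"]):
            per_sec[f["ts"]] += f["bytes"]
    if not per_sec:
        return 0.0, 0
    span = max(per_sec) - min(per_sec) + 1
    return sum(per_sec.values()) / span, max(per_sec.values())

def peer_filter(flows, host):
    """Filter-editor view: (ip, port) peers the host talked to, peers that talked to it, and labels."""
    out = {(f["dst"], f["dport"]) for f in flows if f["src"] == host}
    inc = {(f["src"], f["dport"]) for f in flows if f["dst"] == host}
    out_n, in_n = len({ip for ip, _ in out}), len({ip for ip, _ in inc})
    labels = ["one-to-one"] if out_n == 1 else ["one-to-many"] if out_n > 1 else []
    if in_n > 1:
        labels.append("many-to-one")  # several distinct sources converging on this host
    return out, inc, labels
```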
Report Writing and Presentation
Observations and trends deduced from the analysis must be organized into a report. These observations must be presented in simple language, without jargon. The report must include at least an introduction, an analysis and a conclusion or expert opinion. The standard procedures used to arrive at the conclusions must also be explained. The observations and trends must be interpreted in a way that supports the conclusions reached.
The field of network forensics is very broad, and the final report that can be derived from it is defined only by the circumstances and by the techniques which, when used properly, bring out maximum results for the benefit of both individuals and organizations.