
    Friday, February 9, 2018

    Summary: A Generic Framework for Network Forensics


    Today the internet is everywhere and it is hard to imagine living without it. Its popularity has also brought problems: theft of digital data over the network, unauthorised monitoring of network traffic, and modification or interception of communications. Network forensics is the science of capturing, recording and analysing network traffic in order to investigate digital crime. A generic framework is needed to guide that analysis.

    There are two types of network forensics systems. In "catch it as you can" systems every packet passing a capture point is stored and analysis is done later in batch mode; this requires a large amount of storage and slows down the whole process. In "stop, look and listen" systems each packet is analysed in memory in a rudimentary way as it arrives and only selected information is saved for later analysis; this needs far less storage but a processor fast enough to keep up with the incoming traffic.

    There is a difference between network security and network forensics. Network security protects the network from possible attacks, while network forensics is the post mortem of an attack: how it occurred and who is responsible, established with evidence that will hold up in the legal system.

    Different forensic analysis tools are used to analyse, monitor and control network traffic. Network forensics tools help an investigator monitor the network and identify who committed a crime over it. Network forensic analysis tools work alongside intrusion detection systems and firewalls, and they preserve network data so that it can be analysed quickly later. Some popular network forensics tools are illustrated in the following chart.

    Standard commands such as nslookup, netstat and traceroute can also be used to inspect the state of the network and its traffic. PyFlag is another network forensics tool; it not only monitors network traffic but also analyses large volumes of log files. PyFlag is used mostly in disk forensics, memory forensics, file carving, log analysis and network forensics, and it can analyse tcpdump capture files (.pcap). SiLK is another network forensics tool, mainly used to capture, record and analyse network flow data based on Cisco NetFlow. It consists of multiple components that work together to analyse the data in depth.
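    As an added example (not code from the summarised paper, nor from PyFlag or SiLK), the following Python script contrasts the two collection strategies described above on a few constructed frames: the catch-it-as-you-can path keeps every frame verbatim, while the stop-look-and-listen path parses each frame in memory and retains only a per-flow packet and byte count keyed by the 5-tuple, the kind of NetFlow-style record that SiLK analyses. The addresses, ports and payloads are constructed, and the frame builder and parser are written for this example and handle only IPv4 over Ethernet with TCP or UDP.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass

# Header constants for the only encapsulation this example understands.
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(src, dst, proto, sport, dport, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame for the constructed sample.
    Checksums are left at zero: enough for parsing, not for sending."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    l4_len = 20 if proto == PROTO_TCP else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + len(payload),
                     0, 0, 64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    if proto == PROTO_TCP:  # seq/ack 0, data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return eth + ip + l4 + payload


def parse_frame(frame: bytes):
    """Return ((src, dst, proto, sport, dport), ip_total_length) for IPv4 TCP/UDP,
    or None for anything else. Length checks guard against truncated frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (bytes_to_ip(ip[12:16]), bytes_to_ip(ip[16:20]), proto, sport, dport), total_len


@dataclass
class FlowRecord:
    packets: int = 0
    octets: int = 0


def catch_it_as_you_can(frames):
    """Strategy 1: archive every frame verbatim; all analysis is deferred."""
    return list(frames)


def stop_look_and_listen(frames):
    """Strategy 2: inspect each frame in memory and keep only a flow summary
    keyed by the 5-tuple, the shape of record NetFlow and SiLK work with."""
    flows = defaultdict(FlowRecord)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue  # non-IPv4 or non-TCP/UDP: nothing is retained in this strategy
        key, length = parsed
        flows[key].packets += 1
        flows[key].octets += length
    return dict(flows)


def storage_bytes(archive) -> int:
    """Bytes the full-capture archive occupies."""
    return sum(len(f) for f in archive)


def top_talkers(flows):
    """Investigation step on the summary: source addresses ranked by bytes sent."""
    per_src = defaultdict(int)
    for (src, _dst, _proto, _sport, _dport), rec in flows.items():
        per_src[src] += rec.octets
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample traffic; addresses are taken from documentation ranges.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 443, b"A" * 100),
    build_frame("192.0.2.10", "10.0.0.5", PROTO_TCP, 443, 40000, b"B" * 1400),
    build_frame("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 443, b"C" * 50),
    build_frame("10.0.0.5", "198.51.100.7", PROTO_UDP, 5353, 53, b"D" * 40),
    bytes(12) + b"\x88\xcc" + b"not-ip-payload",  # constructed non-IPv4 frame, skipped
]

if __name__ == "__main__":
    archive = catch_it_as_you_can(SAMPLE_FRAMES)
    flows = stop_look_and_listen(SAMPLE_FRAMES)
    print(f"full capture: {storage_bytes(archive)} bytes in {len(archive)} frames")
    for key, rec in flows.items():
        print(key, rec)
    print("top talkers:", top_talkers(flows))
```

    Running the script shows the trade-off the summary describes: the flow table answers "who talked to whom and how much" from a few dozen bytes per flow, but a question about payload content (what was in the 1400-byte response) can only be answered from the full-capture archive, and a frame that is not IPv4 TCP/UDP leaves no trace at all in the summary. A production collector would also record timestamps, TCP flags and flow start and end times, which this example omits.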



    In June 2001 the Digital Forensic Research Workshop (DFRWS) proposed a framework consisting of the steps identification, preservation, collection, examination, analysis, presentation and decision. Ren and Jin proposed a general process model for network forensics consisting of the steps capture, copy, transfer, analysis, investigation and presentation.

    Because existing digital forensics models do not cover the aspects that are crucial to network forensics, the paper proposes a generic framework for network forensics consisting of the following nine steps:
    preparation and authorisation, detection of incident, incident response, collection of network traces, protection and preservation, examination, analysis, investigation and attribution, and presentation and review.
