PRESENTATION
NETWORK FORENSICS
SUJEET KUMAR
31703218
October 29, 2017
SUJEET KUMAR (31703218) PRESENTATION October 29, 2017 1 / 34
Table of Contents
Motivation
Introduction
Network Forensics
Issues
Network Forensics Analysis Tools
Conclusion and Future Directions
Motivation
Networks are growing explosively, and crime related to networks is increasing.
Network forensics is a sub-division of digital forensics; it focuses mainly on the analysis of network traffic and the monitoring of intrusions.
Network forensics deals with volatile and dynamic data, whereas digital forensics focuses on stored and static data. Whenever an intrusion is detected on the network, network forensics captures and records that activity for the investigation process; once the intrusion activity has been collected, analysis is performed on the network traffic.
Basics
Forensics?
The art of gathering evidence during or after a crime
Reconstructing the criminal's actions
Providing evidence for prosecution
Digital Forensics
The scientific examination and analysis of digital evidence in such a way that the information can be used as evidence in a court of law.
Network Forensics
Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information.
Basics of Network Forensics (figure slide)
Fundamental
Catch-it-as-you-can
All packets passing through a traffic point are captured and stored in a database.
Analysis is performed on the stored data, and the analysis results are also stored in the database, so this approach requires larger storage; the data are kept for future analysis.
Stop-look-and-listen
This system is very different from the first: only the data required for future analysis are saved to the database.
Network Forensics Model (figure slide)
Network Forensics Methods
Ethernet
TCP/IP
Internet
Wireless Forensics
Ethernet
Methods are achieved by eavesdropping on bit streams (at the Ethernet layer)
Uses monitoring tools or sniffers, e.g. Wireshark
Then protocols can be consulted, such as the Address Resolution Protocol (ARP)
Capture at the Network Interface Card (NIC), which can be averted with encryption
TCP/IP
Methods are achieved with router information investigations (at the Network layer).
Each router includes routing tables used to pass along packets
These are some of the best information sources for data tracking
Follow compromised packets, reverse the route, identify the source
The Network layer also provides authentication log evidence
Internet
Methods are achieved by examining server logs (on the Internet).
Includes web browsing, email, chat, and other types of traffic communication
Server logs collect information
Email accounts contain useful information, except when email headers are faked
User account information is associated with a particular user
Wireless Forensics
Methods are achieved by collecting and analyzing wireless traffic (wireless networks).
A sub-discipline of the field
Aims to obtain what is considered valid digital evidence
This can be normal data or voice communications via VoIP
Analysis is similar to wired network situations, with different security issues
Network Monitor (figure slide)
Basic Issues
Internet worms
Phishing
Spam
Bots
Distributed Denial of Service (DDoS) and Denial of Service (DoS)
Zero-day attacks
Random UDP flooding attacks
Stealth port scanning attacks
Network Forensics Analysis Tools
Network forensics analysis tools are used to analyze the collected data, which is aggregated from multiple security tools.
The functions provided by network forensics analysis tools include:
IP security,
detecting inside and outside attacks on the system, risk analysis,
data recovery,
anomaly detection,
prediction of future attacks,
detection of attack patterns,
data aggregation from IDS and firewall logs, etc.
NetIntercept
It collects network traffic and analyzes bundles of traffic.
It detects spoofing and generates a variety of reports from the results.
It stores a large amount of data at a time.
It is an example of a catch-it-as-you-can system.
NetIntercept allows its log files to be analyzed and inspected by different tools.
NetIntercept (continued): figure slide
Iris
It collects data packets from the Internet, reassembles them, and reconstructs the actual text of the session.
It replays the network traffic to provide an audit trail of suspicious activity.
Iris (continued): figure slide
NetworkMiner
Using its live sniffer, it captures network traffic, discovers host names, and reassembles the network data.
It detects how much data an attacker has leaked.
NetworkMiner (continued): figure slide
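As an added example (not from the presentation, and not code from Iris or NetworkMiner), the session reconstruction step that both tools perform, reduced to its core: ordering captured TCP segments by sequence number, dropping retransmitted or overlapping bytes instead of duplicating them, and reporting the byte ranges that were never captured so the investigator knows where the reconstructed text is incomplete. The segment record format and the sample segments are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a capture tool would record it (constructed format)."""
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class Stream:
    """Reassembly state for one direction (src -> dst) of a session."""
    chunks: List[Tuple[int, bytes]] = field(default_factory=list)

    def add(self, seg: Segment) -> None:
        self.chunks.append((seg.seq, seg.payload))

    def reconstruct(self) -> Tuple[bytes, List[Tuple[int, int]]]:
        """Return (data, gaps): data holds the payload bytes in sequence order
        with retransmitted/overlapping bytes removed; gaps lists the
        (expected_seq, next_seq) ranges that were never captured."""
        data = bytearray()
        gaps: List[Tuple[int, int]] = []
        if not self.chunks:
            return b"", gaps
        # Longest chunk first among equal seqs, so a shorter retransmission
        # of data we already hold is simply skipped below.
        ordered = sorted(self.chunks, key=lambda c: (c[0], -len(c[1])))
        expected = ordered[0][0]
        for seq, payload in ordered:
            end = seq + len(payload)
            if end <= expected:
                continue                            # full retransmission
            if seq < expected:
                payload = payload[expected - seq:]  # partial overlap: trim
                seq = expected
            elif seq > expected:
                gaps.append((expected, seq))        # segment never captured
            data += payload
            expected = seq + len(payload)
        return bytes(data), gaps


def reassemble(segments: List[Segment]) -> Dict[Tuple[str, str], Tuple[bytes, list]]:
    """Group segments by (src, dst) and reconstruct each direction separately."""
    streams: Dict[Tuple[str, str], Stream] = {}
    for seg in segments:
        streams.setdefault((seg.src, seg.dst), Stream()).add(seg)
    return {key: s.reconstruct() for key, s in streams.items()}


# Constructed sample: an HTTP request that arrives out of order, with a
# retransmission of its first 8 bytes and a segment overlapping the previous
# one by 4 bytes; the response is missing the segment covering seq 5017-5029.
CLIENT, SERVER = "10.0.0.5:40123", "192.0.2.10:80"
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_SEGMENTS = [
    Segment(CLIENT, SERVER, 1028, REQUEST[28:]),
    Segment(CLIENT, SERVER, 1000, REQUEST[:16]),
    Segment(SERVER, CLIENT, 5030, b"<html>ok</html>"),
    Segment(CLIENT, SERVER, 1016, REQUEST[16:32]),
    Segment(CLIENT, SERVER, 1000, REQUEST[:8]),          # retransmission
    Segment(SERVER, CLIENT, 5000, b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for (src, dst), (data, gaps) in reassemble(SAMPLE_SEGMENTS).items():
        print(f"{src} -> {dst}: {data!r}  missing={gaps}")
```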
Other Tools
NetDetector
It captures the attack, integrates all signature-based anomaly detection, and reconstructs the session.
This tool imports and exports data through HTTP, FTP and SCP.
It supports network interfaces such as T1 and FDDI and protocols such as TCP/IP.
NetDetector captures, analyzes and reports on network traffic.
SilentRunner
This tool focuses on insider threats; it captures, analyzes and visualizes the network in three dimensions to monitor every packet passing through the network.
If any abnormality occurs on the network, it raises an alert.
It also reconstructs security incidents in their exact sequence.
Network security and network traffic monitoring tools (online)
TCPDump
It runs on the command line and analyzes, captures, displays, and stores network data. Its main function is to filter and collect the data.
Wireshark and Savant
This tool is used to analyze network packets. It performs live data capture and offline analysis, and reads and writes data in the different formats used by other tools.
Ngrep
It is used for debugging low-level network traffic in UNIX. Its function is to filter and collect the data.
Network Forensics Challenges
High speed data transmission
The high data rate of network traffic makes it difficult for network forensics to capture and preserve all network packets. Millions of packets are transmitted over the network in no time, passing through thousands of interconnected network devices.
To overcome these problems, three different kinds of solution have been proposed: hardware-based, software-based and distributed solutions.
Data storage on the network devices
A huge amount of data is transmitted over the network, which is captured and analyzed for investigation. However, such volumes complicate the retrieval of evidence from the network. For instance, the captured data needs to be stored on devices with large storage capacity, whereas the storage capacity of network interconnection devices is limited.
Data integrity
Data integrity plays a vital role in the process of network forensics and has to be addressed. Data integrity in the network is the ability to keep data accurate, complete, and consistent.
Data privacy
Data privacy is an important factor in the investigation process of network forensics. A forensic attribution solution has been proposed to solve this problem related to user privacy: a forensic investigator can view the data of interest by verifying the packet signature, which enforces forensic attribution in the network.
Access to IP addresses
Obtaining the source IP address of an intruder is an important step in network forensics. The source IP address indicates the origin of the attack, which assists in identifying the intruder and stopping the attacks.
Data extraction location
The distributed nature and virtualized characteristics of networks complicate identifying the appropriate location and device for extracting data. A network with thousands of devices connected to each other through high speed data links transmitting millions of packets per second is difficult to handle at every link and device.
Intelligent network forensic tools
Current network forensic analysis tools capture and record network traffic by targeting complete packets.
Such tools suffer from the problems of storing huge volumes of data, with longer time delays.
An intelligent network forensic tool is required that captures only the network traffic of choice, depending on the investigative situation: for instance, capturing specific session data for a domain of interest, which is then recorded, analyzed, and visualized. This will reduce the storage problem, the computational resources needed for investigation, bandwidth utilization and time delays, and result in quick incident response in real-time situations.
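An added example (not from the presentation or any tool it names) that ties the two capture strategies from the Fundamental slide to the data-integrity challenge and to the selective capture this slide proposes: catch-it-as-you-can stores everything, while the stop-look-and-listen variant keeps only sessions that touch a domain of interest (buffering the hostname-less handshake so the kept session is complete), and a chained SHA-256 manifest lets an investigator detect later modification, deletion or reordering of the stored records. The packet record format, the sample traffic and the domain bad.example are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    """One captured packet (constructed record; real tools parse pcap files)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    hostname: str   # Host header or DNS query name seen in the payload, else ""
    payload: bytes

    def flow(self) -> frozenset:
        """Direction-independent key so both halves of a session match."""
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


def catch_it_as_you_can(packets: List[Packet]) -> List[Packet]:
    # Store every packet; all analysis happens later on the stored data.
    return list(packets)


def stop_look_and_listen(packets: List[Packet], domains: List[str],
                         max_pending: int = 16) -> List[Packet]:
    """Inspect each packet and store only sessions touching a domain of interest.
    Packets of a still-undecided session (e.g. the TCP handshake, which carries
    no hostname) are buffered per flow so a later match keeps the whole session;
    the buffer is bounded so unmatched flows cannot exhaust memory."""
    pending: Dict[frozenset, List[Packet]] = {}
    marked, kept = set(), []
    for p in packets:
        key = p.flow()
        if key in marked:
            kept.append(p)
            continue
        host = p.hostname.lower()
        if host and any(host == d or host.endswith("." + d) for d in domains):
            marked.add(key)
            kept.extend(pending.pop(key, []))   # release the buffered handshake
            kept.append(p)
        elif len(pending.setdefault(key, [])) < max_pending:
            pending[key].append(p)
    return kept


def stored_bytes(packets: List[Packet]) -> int:
    return sum(len(p.payload) for p in packets)


def evidence_manifest(packets: List[Packet]) -> List[dict]:
    """SHA-256 each stored packet and chain the digests: modifying, deleting or
    reordering any stored record changes every later chain value."""
    manifest, chain = [], hashlib.sha256(b"").hexdigest()
    for i, p in enumerate(packets):
        record = json.dumps({"ts": p.ts, "src": p.src, "sport": p.sport,
                             "dst": p.dst, "dport": p.dport,
                             "payload": p.payload.hex()}, sort_keys=True)
        digest = hashlib.sha256(record.encode()).hexdigest()
        chain = hashlib.sha256((chain + digest).encode()).hexdigest()
        manifest.append({"index": i, "sha256": digest, "chain": chain})
    return manifest


def verify_evidence(packets: List[Packet], manifest: List[dict]) -> bool:
    # True only if the stored packets still match the manifest exactly.
    return evidence_manifest(packets) == manifest


# Constructed sample traffic: a TLS session to an unrelated host, a DNS lookup of
# the domain of interest, and an HTTP session to it (the hostname is only in the GET).
C, WEB, DNS, OTHER = "10.0.0.5", "192.0.2.10", "192.0.2.53", "198.51.100.7"
SAMPLE = [
    Packet(1.0, C, 40001, OTHER, 443, "", b"\x16\x03\x01" + b"A" * 200),
    Packet(1.1, C, 50001, DNS, 53, "bad.example", b"\x12\x34" + b"B" * 30),
    Packet(1.2, C, 40002, WEB, 80, "", b""),                         # SYN
    Packet(1.3, WEB, 80, C, 40002, "", b""),                         # SYN/ACK
    Packet(1.4, C, 40002, WEB, 80, "bad.example",
           b"GET / HTTP/1.1\r\nHost: bad.example\r\n\r\n"),
    Packet(1.5, WEB, 80, C, 40002, "", b"HTTP/1.1 200 OK\r\n\r\n" + b"C" * 300),
]
DOMAINS = ["bad.example"]
```

Running `stop_look_and_listen(SAMPLE, DOMAINS)` keeps five of the six packets, including the handshake of the matched session, and `verify_evidence` fails for any copy of that store with a packet altered, dropped or reordered.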
Conclusion and future directions
The development of intelligent network forensic tools that focus on a specific type of network traffic analysis is a challenge from a future perspective. This will reduce time delays and computational resource requirements, minimize attacks, provide reliable and secured evidence, and enable efficient investigation with minimum effort.
Moreover, network forensics in the distributed networks of cloud computing and mobile cloud computing needs to be explored.
References
Suleman Khan, A. Gani, A. W. A. Wahab: Network forensics: Review, taxonomy, and open challenges [2016]
Gulshan Shrivastava: Network Forensics: Methodical Literature Review [IEEE, 2016]
Sherri Davidoff & Jonathan Ham: Network Forensics: Tracking Hackers through Cyberspace [book]