The growth in networking connectivity, complexity and activity has been accompanied by an increase in the number of crimes committed within networks, forcing both enterprises and law enforcement to undertake highly specialized investigations. Forensic analysis, the methodical investigation of a crime scene, presents special difficulties in the virtual world. What is already problematic for an investigator within a single computer, making sense of fragile digital data arranged in obscure and complex ways, can be even more difficult within the significantly larger digital context of the network.

Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. It helps identify unauthorized access to a computer system and provides the evidence needed when such an incident occurs. Network forensics is the ability to investigate, at the network level, things that are taking place or that have taken place across an IT system. There are three parts to network forensics:
  • Intrusion detection
  • Logging (the best way to track down a hacker is to keep vast records of activity on a network with the help of an intrusion detection system)
  • Correlating intrusion detection and logging

The ultimate goal of network forensics is to provide sufficient evidence to allow the criminal perpetrator to be successfully prosecuted. Practical applications of network forensics include areas such as hacking, fraud, insurance claims, data theft—industrial espionage, defamation, narcotics trafficking, credit card cloning, software piracy, electoral law, obscene publication, perjury, murder, sexual harassment, and discrimination.

Challenges

The biggest challenge in conducting network forensics is the sheer amount of data generated by the network, often comprising gigabytes a day. Searching that volume for evidence is tedious, and finding it is nearly impossible if the incident is discovered only long after it occurred. The second challenge of network forensics lies in the inherent anonymity of the Internet protocols. Each network layer uses some form of addressing for the 'to' and 'from' points, such as MAC addresses, IP addresses and e-mail addresses, all of which can be spoofed. Fortunately, the wide range of powerful software, including products purpose-built for forensic analysis, makes it practical to solve cases through the analysis of network activity.

Network forensic tasks that can be facilitated through software include the collection, normalization, filtering, labeling, stream reassembly, correlation and analysis of multiple sources of traffic data. Although there are single-purpose tools aimed at each of these tasks, feature creep is blurring the distinction between categories, resulting in tools that are useful in addressing a growing number of things that can go wrong on the network. However, before an investigator can perform any other forensic task, suitable network activity data must be collected. Raw network packets, which contain the highest possible level of traffic detail, supplement the often-sparse log data available from applications, authentication systems, routers and firewalls. Sniffing (packet capture) collects such network data.

Stream reassembly or sessioning is the collation and packaging of raw network traffic from a single source such that all the data within a connection session is presented as a complete stream. Sessioning is performed by protocol analysis tools, which isolate the specific communications that took place between two or more of the apparent endpoints or relay points. Such an analysis is the first step in determining who communicated when and what was transmitted. Most protocol analysis tools provide a tree-oriented view of sessions and protocols used within the sessions. Such a visual presentation of network traffic makes it easier to understand exactly what happened on the network.
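The sessioning step described above, as an added example that is not part of the original page: a minimal TCP stream reassembler in Python that groups constructed packet records into bidirectional sessions, orders each direction by sequence number, and discards retransmitted bytes. The addresses, ports and payloads in SAMPLE are made up for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    """One captured TCP segment (constructed; a real tool would decode these from pcap)."""
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def flow_key(pkt):
    """Canonical session key so that both directions of one connection collate together."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def reassemble(packets):
    """Return {session_key: {(src, sport): stream_bytes}}.
    Segments are sorted by seq, so out-of-order arrival is tolerated; a segment whose
    bytes were already seen (retransmission/overlap) contributes only its new suffix."""
    sessions = defaultdict(lambda: defaultdict(list))
    for p in packets:
        sessions[flow_key(p)][(p.src, p.sport)].append(p)
    result = {}
    for key, directions in sessions.items():
        result[key] = {}
        for side, segs in directions.items():
            segs.sort(key=lambda s: s.seq)
            stream, next_seq = bytearray(), segs[0].seq
            for s in segs:
                if s.seq + len(s.payload) <= next_seq:
                    continue                          # pure retransmission, nothing new
                stream += s.payload[max(0, next_seq - s.seq):]   # drop overlapping prefix
                next_seq = s.seq + len(s.payload)
            result[key][side] = bytes(stream)
    return result


# Constructed capture: client request split in two, arriving out of order, plus one
# retransmission of the first half; then the server's reply.
SAMPLE = [
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, 1001, b"Host: example\r\n\r\n"),
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, 985, b"GET / HTTP/1.1\r\n"),
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, 985, b"GET / HTTP/1.1\r\n"),
    Packet("192.0.2.10", 80, "10.0.0.5", 40001, 5000, b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for key, sides in reassemble(SAMPLE).items():
        for side, data in sides.items():          # one complete stream per direction
            print(f"{key[0]} <-> {key[1]} from {side}: {data!r}")
```

Missing segments are not padded, so a gap in seq numbers simply leaves a hole in the stream; a production reassembler would flag that for the analyst.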