Enabling Non-Expert Analysis of Large Volumes of Intercepted Network Traffic
Telecommunications wiretaps are commonly used by law enforcement in criminal investigations. While phone-based wiretapping has seen considerable success, the same cannot be said for Internet taps. Large portions of intercepted Internet traffic are often encrypted, making it difficult to obtain useful information. The advent of the Internet of Things further complicates network wiretapping. In fact, the current level of complexity of intercepted network traffic is almost at the point where data cannot be analyzed without the active involvement of experts. Additionally, investigations typically focus on analyzing traffic in chronological order and predominately examine the data content of the intercepted traffic. This approach is overly arduous when the amount of data to be analyzed is very large.
This chapter describes a novel approach for analyzing large amounts of intercepted network traffic based on traffic metadata. The approach significantly reduces the analysis time and provides useful insights and information to non-technical investigators. The approach is evaluated using a large sample of network traffic data.
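To make the metadata-based approach concrete, the following is an added example (it is not code from the chapter or its authors) of the kind of flow-level summary that can be produced from intercepted traffic without ever reading packet contents. It assumes the tap export has already been reduced to per-packet header fields (timestamp, addresses, ports, protocol, length); the packet records below are constructed for illustration and are not the chapter's evaluation data. The example goes slightly beyond the abstract by showing three views a non-technical investigator could read directly: per-host summaries, top talkers by volume, and long-lived conversations.

```python
"""Flow-level metadata summary of intercepted packets (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-packet metadata (NOT the chapter's dataset). Only header
# fields are kept; payload bytes are never stored or inspected, so the
# summary works equally for encrypted and cleartext traffic.
# Fields: (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, length_bytes)
PACKETS = [
    (1000.0, "10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 517),
    (1000.1, "203.0.113.10", 443, "10.0.0.5", 51000, "tcp", 1460),
    (1000.2, "10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 120),
    (1003.0, "10.0.0.5", 51001, "203.0.113.10", 443, "tcp", 517),
    (1003.2, "203.0.113.10", 443, "10.0.0.5", 51001, "tcp", 98000),
    (1010.0, "10.0.0.7", 40000, "198.51.100.20", 22, "tcp", 200),
    (1010.5, "198.51.100.20", 22, "10.0.0.7", 40000, "tcp", 300),
    (1500.0, "10.0.0.7", 40000, "198.51.100.20", 22, "tcp", 100),
    (1600.0, "10.0.0.9", 53000, "192.0.2.53", 53, "udp", 70),
    (1600.1, "192.0.2.53", 53, "10.0.0.9", 53000, "udp", 150),
]


@dataclass
class Flow:
    proto: str
    a: tuple          # (ip, port) of the side that sent the first packet
    b: tuple          # (ip, port) of the responding side
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes_a_to_b: int = 0
    bytes_b_to_a: int = 0

    @property
    def duration(self) -> float:
        return self.last_seen - self.first_seen


def flow_key(proto, src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation merge."""
    ends = sorted([(src, sport), (dst, dport)])
    return (proto, ends[0], ends[1])


def build_flows(packets):
    """Aggregate packet records into bidirectional flows, in time order."""
    flows = {}
    for ts, src, sport, dst, dport, proto, length in sorted(packets, key=lambda p: p[0]):
        key = flow_key(proto, src, sport, dst, dport)
        flow = flows.get(key)
        if flow is None:
            # First packet seen for this 5-tuple defines the initiator.
            flow = Flow(proto, (src, sport), (dst, dport), ts, ts)
            flows[key] = flow
        flow.last_seen = max(flow.last_seen, ts)
        flow.packets += 1
        if (src, sport) == flow.a:
            flow.bytes_a_to_b += length
        else:
            flow.bytes_b_to_a += length
    return list(flows.values())


def summarize_hosts(flows):
    """Per-initiator view an investigator can read without packet contents."""
    hosts = defaultdict(lambda: {"flows": 0, "peers": set(), "services": set(),
                                 "bytes_sent": 0, "bytes_received": 0})
    for f in flows:
        h = hosts[f.a[0]]
        h["flows"] += 1
        h["peers"].add(f.b[0])
        h["services"].add(f"{f.proto}/{f.b[1]}")
        h["bytes_sent"] += f.bytes_a_to_b
        h["bytes_received"] += f.bytes_b_to_a
    return dict(hosts)


def top_talkers(flows, n=3):
    """Initiating hosts ranked by total bytes in both directions."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.a[0]] += f.bytes_a_to_b + f.bytes_b_to_a
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def long_lived(flows, min_seconds):
    """Conversations that stayed open at least min_seconds (e.g. remote shells)."""
    return [f for f in flows if f.duration >= min_seconds]


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for host, info in summarize_hosts(flows).items():
        print(host, info)
    print("top talkers:", top_talkers(flows))
    for f in long_lived(flows, 60):
        print(f"long-lived: {f.a} -> {f.b} ({f.duration:.0f}s)")
```

The flow key is built from the sorted endpoint pair so that both directions of a conversation collapse into one record, while the initiator is taken from the earliest packet; on real tap output the records would come from a packet parser rather than the constructed list, and the same summaries remain valid for TLS or SSH traffic whose contents cannot be read.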
Keywords: Internet taps, network forensics, traffic metadata analysis