Enabling Non-Expert Analysis OF Large Volumes OF Intercepted Network Traffic

  • Erwin van de Wiel
  • Mark ScanlonEmail author
  • Nhien-An Le-Khac
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 532)


Telecommunications wiretaps are commonly used by law enforcement in criminal investigations. While phone-based wiretapping has seen considerable success, the same cannot be said for Internet taps. Large portions of intercepted Internet traffic are often encrypted, making it difficult to obtain useful information. The advent of the Internet of Things further complicates network wiretapping. In fact, the current level of complexity of intercepted network traffic is almost at the point where data cannot be analyzed without the active involvement of experts. Additionally, investigations typically focus on analyzing traffic in chronological order and predominately examine the data content of the intercepted traffic. This approach is overly arduous when the amount of data to be analyzed is very large.

This chapter describes a novel approach for analyzing large amounts of intercepted network traffic based on traffic metadata. The approach significantly reduces the analysis time and provides useful insights and information to non-technical investigators. The approach is evaluated using a large sample of network traffic data.


Internet taps network forensics traffic metadata analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    E. Casey, Network traffic as a source of evidence: Tool strengths, weaknesses and future needs, Digital Investigation, vol. 1(1), pp. 28–43, 2004.Google Scholar
  2. 2.
    D. Clark, IP Datagram Reassembly Algorithms, RFC 815 (, 1982.
  3. 3.
    G. Costa and A. De Franceschi, Xplico: Open Source Network Forensic Analysis Tool (NFAT) (, 2018.
  4. 4.
    duskdriud, tcpick version 0.2.1 (, 2005.
  5. 5.
    J. Farina, M. Scanlon, N. Le-Khac and M. Kechadi, Overview of the forensic investigation of cloud services, Proceedings of the Tenth International Conference on Availability, Reliability and Security, pp. 556–565, 2015.Google Scholar
  6. 6.
    Google, IPv6 Adoption Statistics, Mountain View, California (, 2018.
  7. 7.
    E. Hjelmvik, Passive network security analysis with NetworkMiner, (IN)SECURE Magazine, issue 18, pp. 18–21, October 2008.Google Scholar
  8. 8.
    G. Java, IPTraf: IP Network Monitoring Software (, 2005.
  9. 9.
    T. Lillard, Digital Forensics for Network, Internet and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data, Syngress, Burlington, Massachusetts, 2010.Google Scholar
  10. 10.
    B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations, Cengage Learning, Boston, Massachusetts, 2016.Google Scholar
  11. 11.
    V. Nicolls, N. Le-Khac, L. Chen and M. Scanlon, IPv6 security and forensics, Proceedings of the Sixth International Conference on Innovative Computing Technology, pp. 743–748, 2016.Google Scholar
  12. 12.
    O. Notelli, Justniffer, Plecno, Milan, Italy (, 2014.
  13. 13.
    N. Olifer and V. Olifer, Computer Networks: Principles, Technologies and Protocols for Network Design, John Wiley and Sons, Chichester, United Kingdom, 2006.Google Scholar
  14. 14.
    P. Orinius, Pelles C (, 2017.
  15. 15.
    D. Quick and K. Choo, Impacts of increasing volume of digital forensic data: A survey and future research challenges, Digital Investigation, vol. 11(4), pp. 273–294, 2014.Google Scholar
  16. 16.
    M. Scanlon, Battling the digital forensic backlog through data de-duplication, Proceedings of the Sixth International Conference on Innovative Computing Technology, pp. 10–14, 2016.Google Scholar
  17. 17.
    M. Scanlon, J. Farina and M. Kechadi, Network investigation methodology for BitTorrent Sync: A peer-to-peer based file synchronization service, Computers and Security, vol. 54, pp. 27–43, 2015.Google Scholar
  18. 18.
    M. Scanlon, A. Hannaway and M. Kechadi, A week in the life of the most popular BitTorrent swarms, Proceedings of the Fifth Annual Symposium on Information Assurance, pp. 32–36, 2010.Google Scholar
  19. 19.
    H. Schut, M. Scanlon, J. Farina and N. Le-Khac, Towards the forensic identification and investigation of cloud hosted servers through non-invasive wiretaps, Proceedings of the Tenth International Conference on Availability, Reliability and Security, pp. 249–257, 2015.Google Scholar
  20. 20.
    J. Spooren, D. Preuveneers and W. Joosen, Mobile device fingerprinting considered harmful for risk-based authentication, Proceedings of the Eighth European Workshop on System Security, article no. 6, 2015.Google Scholar
  21. 21.
    G. Wagener, A. Dulaunoy and T. Engel, Towards an estimation of the accuracy of TCP reassembly in network forensics, Proceedings of the Second International Conference on Future Generation Communications and Networking, vol. 2, pp. 273–278, 2008.Google Scholar
  22. 22.
    D. Walnycky, I. Baggili, A. Marrington, J. Moore and F. Breitinger, Network and device forensic analysis of Android social-messaging applications, Digital Investigation, vol. 14(S1), pp. S77–S84, 2015.Google Scholar
  23. 23.
    A. Yasinsac and Y. Manzano, Policies to enhance computer and network forensics, Proceedings of the IEEE Workshop on Information Assurance and Security, pp. 289–295, 2001.Google Scholar
  24. 24.
    M. Zalewski, p0f (, 2014.

Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  • Erwin van de Wiel
    • 1
  • Mark Scanlon
    • 2
    Email author
  • Nhien-An Le-Khac
    • 2
  1. 1.Dutch Police in BredaBredaThe Netherlands
  2. 2.University College DublinDublinIreland

Personalised recommendations