Network Forensics

  • R. C. Joshi
  • Emmanuel S. Pilli
Part of the Computer Communications and Networks book series (CCN)


This chapter discusses the terms used in network forensics. It covers the background of network forensics and how it differs from network security, and classifies network forensics by purpose, packet capture, time of analysis, and data source. Definitions, applications, and the motivation behind them are discussed. Recent trends in network forensics, including steganography, honeypot forensics, IP version 6, botnet forensics, wireless networks, and application-layer forensics, are elaborated. Challenges in packet identification, collection, preservation, examination, analysis, and decision-making, together with the associated research areas in network forensics, are also discussed.





Copyright information

© Springer-Verlag London 2016

Authors and Affiliations

  • R. C. Joshi (1)
  • Emmanuel S. Pilli (2)
  1. Graphic Era University, Dehradun, India
  2. Malaviya National Institute of Technology, Jaipur, India
