Abstract
One of the critical success factors in a cybercrime investigation is tracing the attacker back to their exact origin. However, criminals can easily modify or delete log files on victim machines, and they can just as easily forge the source IP address, so a network packet on its own is weak evidence because that field is trivially spoofed. This study proposes a scheme for generating and verifying network forensic evidence. The proposed scheme records the attacker's source location and guarantees the integrity of the address fields. It also minimizes the performance degradation of routers when generating forensic evidence, by using flow-based analysis of the evidence traffic.
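As an added illustration (not code from the paper), a toy flow-based evidence generator and verifier: packets seen at an ingress router are aggregated into flows, each flow record carries the router and interface the traffic entered on, and the address fields are protected with an HMAC in the style of RFC 2104 so that later modification of the recorded source is detectable. The record layout, field names, router identifier, key and sample traffic are all assumptions constructed for the example.

```python
import hashlib
import hmac

# Assumed per-router key shared with the forensic verifier (constructed value).
ROUTER_KEY = b"constructed-demo-key"
# Fields whose integrity the MAC protects, in a fixed order.
MAC_FIELDS = ("router", "ingress_if", "src", "dst", "proto",
              "sport", "dport", "packets", "bytes")

# Constructed sample traffic seen at ingress router "R1": three packets, two flows.
PACKETS = [
    {"ingress_if": "eth0", "src": "203.0.113.7", "dst": "198.51.100.10",
     "proto": 6, "sport": 40001, "dport": 80, "len": 60},
    {"ingress_if": "eth0", "src": "203.0.113.7", "dst": "198.51.100.10",
     "proto": 6, "sport": 40001, "dport": 80, "len": 1500},
    {"ingress_if": "eth1", "src": "192.0.2.25", "dst": "198.51.100.10",
     "proto": 17, "sport": 5353, "dport": 53, "len": 80},
]

def canonical(record):
    """Deterministic serialization of the protected fields (the MAC input)."""
    return "|".join(f"{k}={record[k]}" for k in MAC_FIELDS).encode()

def generate_evidence(packets, router_id, key=ROUTER_KEY):
    """Aggregate packets into flows and emit one HMAC-protected record per flow.
    One MAC per flow, not per packet, is what keeps the router overhead low."""
    flows = {}
    for p in packets:
        k = (p["src"], p["dst"], p["proto"], p["sport"], p["dport"])
        rec = flows.setdefault(k, {"router": router_id, "ingress_if": p["ingress_if"],
                                   "src": k[0], "dst": k[1], "proto": k[2],
                                   "sport": k[3], "dport": k[4],
                                   "packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += p["len"]
    records = []
    for rec in flows.values():
        rec["mac"] = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        records.append(rec)
    return records

def verify_evidence(record, key=ROUTER_KEY):
    """True only if the address/flow fields are unchanged since the router signed them."""
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["mac"])

if __name__ == "__main__":
    evidence = generate_evidence(PACKETS, "R1")
    for rec in evidence:
        print(rec["src"], "->", rec["dst"], "entered", rec["router"], rec["ingress_if"],
              "valid:", verify_evidence(rec))
    tampered = dict(evidence[0], src="10.0.0.1")  # recorded source rewritten after the fact
    print("tampered record verifies:", verify_evidence(tampered))
```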
Acknowledgments
This research was supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2014-H0301-14-1004) supervised by the NIPA (National IT Industry Promotion Agency).
Cite this article
Kim, H., Kim, E., Kang, S. et al. Network Forensic Evidence Generation and Verification Scheme (NFEGVS). Telecommun Syst 60, 261–273 (2015). https://doi.org/10.1007/s11235-015-0028-3
DOI: https://doi.org/10.1007/s11235-015-0028-3