
Network Forensic Evidence Generation and Verification Scheme (NFEGVS)

Published in Telecommunication Systems.

Abstract

One of the critical success factors in a cybercrime investigation is tracing an attack back to the attacker's true origin. However, criminals can easily modify or delete log files on victim machines, and they can just as easily forge the source IP address, so a network packet on its own is weak evidence because that address is trivially spoofed. This study proposes a scheme for generating and verifying network forensic evidence. The proposed scheme can reveal the attacker's source location and guarantees the integrity of the address fields. It also minimizes the performance degradation on routers that generate forensic evidence, by analysing the evidence traffic on a per-flow basis rather than per packet.


[Figures 1 to 13 appear in the full article; the images are not reproduced here.]



Acknowledgments

This research was supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2014-H0301-14-1004) supervised by the NIPA (National IT Industry Promotion Agency).

Author information

Corresponding author: Huy Kang Kim.

About this article

Cite this article

Kim, H., Kim, E., Kang, S. et al. Network Forensic Evidence Generation and Verification Scheme (NFEGVS). Telecommun Syst 60, 261–273 (2015). https://doi.org/10.1007/s11235-015-0028-3
