This book presents a comprehensive study of different tools and
techniques available to perform network forensics. Also, various aspects
of network forensics are reviewed as well as related technologies and
their limitations. This helps security practitioners and researchers in
better understanding of the problem, current solution space, and future
research scope to detect and investigate various network intrusions
against such attacks efficiently.
Forensic computing is rapidly gaining importance since the amount of
crime involving digital systems is steadily increasing. Furthermore, the
area is still underdeveloped and poses many technical and legal
challenges. The rapid development of the Internet over the past decade
appeared to have facilitated an increase in the incidents of online
attacks. There are many reasons which are motivating the attackers to be
fearless in carrying out the attacks. For example, the speed with which
an attack can be carried out, the anonymity provided by the medium,
nature of medium where digital information is stolen without actually
removing it, increased availability of potential victims and the global
impact of the attacks are some of the aspects. Forensic analysis is
performed at two different levels: Computer Forensics and Network
Forensics. Computer forensics deals with the collection and analysis of
data from computer systems, networks, communication streams and storage
media in a manner admissible in a court of law. Network forensics deals
with the capture, recording or analysis of network events in order to
discover evidential information about the source of security attacks in
a court of law.
Network forensics is not another term for network security. It is an
extended phase of network security as the data for forensic analysis are
collected from security products like firewalls and intrusion detection
systems. The results of this data analysis are utilized for
investigating the attacks. Network forensics generally refers to the
collection and analysis of network data such as network traffic,
firewall logs, IDS logs, etc. Technically, it is a member of the
already-existing and expanding the field of digital forensics.
Analogously, network forensics is defined as "The use of scientifically
proved techniques to collect, fuses, identifies, examine, correlate,
analyze, and document digital evidence from multiple, actively
processing and transmitting digital sources for the purpose of
uncovering facts related to the planned intent, or measured success of
unauthorized activities meant to disrupt, corrupt, and or compromise
system components as well as providing information to assist in response
to or recovery from these activities." Network forensics plays a
significant role in the security of today's organizations.
On the one hand, it helps to learn the details of external attacks
ensuring similar future attacks are thwarted. Additionally, network
forensics is essential for investigating insiders' abuses that
constitute the second costliest type of attack within organizations.
Finally, law enforcement requires network forensics for crimes in which
a computer or digital system is either being the target of a crime or
being used as a tool in carrying a crime.
Network security protects the system against attack while network
forensics focuses on recording evidence of the attack. Network security
products are generalized and look for possible harmful behaviors. This
monitoring is a continuous process and is performed all through the day.
However, network forensics involves post mortem investigation of the
attack and is initiated after crime notification. There are many tools
which assist in capturing data transferred over the networks so that an
attack or the malicious intent of the intrusions may be investigated.
Similarly, various network forensic frameworks are proposed in the
literature.
