A user-oriented network forensic analyser: the design of a high-level protocol analyser

D. Joy, F. Li, N. L. Clarke, S. M. Furnell

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


Abstract

Network forensics is becoming an increasingly important tool in the investigation of cyber and computer-assisted crimes. Unfortunately, whilst much effort has been undertaken in developing computer forensic file system analysers (e.g. EnCase and FTK), such focus has not been given to Network Forensic Analysis Tools (NFATs). The single biggest barrier to effective NFATs is the handling of large volumes of low-level traffic and being able to extract and interpret forensic artefacts and their context - for example, being able to extract and render application-level objects (such as emails, web pages and documents) from the low-level TCP/IP traffic, but also to understand how these applications/artefacts are being used. Whilst some studies and tools are beginning to achieve object extraction, results to date are limited to basic objects. No research has focused upon analysing network traffic to understand the nature of its use - not simply looking at the fact that a person requested a web page, but how long they spent on the application and what interactions they had whilst using the service (e.g. posting an image, or engaging in an instant message chat). This additional layer of information can provide an investigator with a far richer and more complete understanding of a suspect's activities. To this end, this paper presents an investigation into the ability to derive high-level application usage characteristics from low-level network traffic meta-data. The paper presents three application scenarios - web surfing, communications and social networking - and demonstrates that it is possible to derive the user interactions (e.g. page loading, chatting and file sharing) within these systems. The paper continues by presenting a framework that builds upon this capability to provide a robust, flexible and user-friendly NFAT, giving access to a greater range of forensic information in a far easier format.

Original language: English
Title of host publication: Proceedings of 12th Australian Digital Forensics Conference, ADF 2014
Publisher: Edith Cowan University
Pages: 84-93
Number of pages: 10
ISBN (Electronic): 978-0729807197
DOIs
Publication status: Published - Dec 2014
Event: 12th Australian Digital Forensics Conference - Perth, Australia
Duration: 1 Dec 2014 to 3 Dec 2014

Conference

Conference: 12th Australian Digital Forensics Conference
Abbreviated title: ADF 2014
Country/Territory: Australia
City: Perth
Period: 1/12/14 to 3/12/14

Keywords

  • analysis
  • correlation
  • digital forensics
  • network forensic analysis tool
  • network forensics
  • visualisation
