A systematic framework for network forensics based on graph theory

  • Chuck Easttom

Student thesis: Doctoral Thesis


Network forensics is a growing field. As new communication technologies are introduced, forensic investigators face new challenges. There is a large body of research on how to use various tools for packet capture and analysis, and a substantial amount of research on new network technologies such as the Internet of Things (IoT) and virtual networks.
What is missing from the field of network forensics is a mathematical framework. The current thesis addresses this gap. The research presented here introduces a mathematical framework that provides a level of scientific rigor not previously present in network forensics, yielding a solid framework that forensic analysts can implement.
There have been a few nascent attempts to use graph theory in network forensics. However, those studies used only a very small subset of graph theory and applied it in a very specific and limited manner. Most previous work in this area has merely used graph theory to describe networks and network incidents. Graph theory, however, offers a rich set of mathematical tools that can be applied to network forensics; these tools support robust analysis and attack attribution. The current research applies a broad range of graph theory techniques to the problems of network forensics.
The current research creates an entire framework for applying graph theory to network forensics. Various elements of graph theory are applied to experimental network forensics scenarios to validate their efficacy. Additionally, a complete process for applying graph theory to any network forensics examination is delineated. This research therefore provides a validated framework that forensics practitioners can apply. In addition to the novel application of existing graph theory to network forensics, a new element is introduced into graph theory itself: a formula for calculating partial isomorphisms was created as part of this research. Thus, the current study brings the full power of graph theory to the process of network forensics and extends graph theory to partial isomorphisms. Prior to this research there was no mathematically rigorous framework for network forensics. The creation and validation of such a framework represents a substantial contribution to the field.
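To make concrete what "graph theory tools" can mean for an examiner, the following added example (written for this page, not code from the thesis and not the thesis's partial-isomorphism formula) builds a directed communication graph from a handful of constructed flow records and applies two standard graph operations to it: degree centrality to surface hub hosts, and a breadth-first shortest path to show how a suspected compromised host is connected to an external destination. All addresses and byte counts are constructed placeholders, and only the Python standard library is used.

```python
"""Illustrative graph-based triage of network flow records.

Added example, not code from the thesis: it builds a directed
communication graph from constructed flow records and applies
degree centrality and BFS shortest paths, two standard graph-theory
tools, to questions a forensic examiner asks during triage.
"""
from collections import deque, defaultdict

# Constructed flow records (src, dst, bytes) standing in for exported
# NetFlow; the addresses are placeholders, not from any real incident.
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 1200),
    ("10.0.0.5", "10.0.0.21", 800),
    ("10.0.0.20", "10.0.0.50", 3_000_000),
    ("10.0.0.21", "10.0.0.50", 500),
    ("10.0.0.50", "203.0.113.9", 45_000_000),
    ("10.0.0.7", "10.0.0.20", 150),
]


def build_graph(flows):
    """Directed graph as an adjacency dict: node -> {neighbor: total_bytes}."""
    g = defaultdict(dict)
    for src, dst, nbytes in flows:
        g[src][dst] = g[src].get(dst, 0) + nbytes
        g.setdefault(dst, {})  # sinks with no outgoing flows still become nodes
    return dict(g)


def degree_centrality(g):
    """Return {node: (in_degree, out_degree)}; high values mark hub hosts."""
    indeg = {n: 0 for n in g}
    for nbrs in g.values():
        for dst in nbrs:
            indeg[dst] += 1
    return {n: (indeg[n], len(g[n])) for n in g}


def shortest_path(g, start, goal):
    """Breadth-first search over directed edges.

    Returns the hop-by-hop path from start to goal, or None when the
    flow records contain no directed route between them.
    """
    if start not in g or goal not in g:
        return None
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nbr in g[node]:
            if nbr not in parents:
                parents[nbr] = node
                queue.append(nbr)
    return None


def heaviest_edge(g):
    """Edge carrying the most bytes: a cheap first signal for data-volume triage."""
    edges = ((s, d, b) for s, nbrs in g.items() for d, b in nbrs.items())
    return max(edges, key=lambda e: e[2])


if __name__ == "__main__":
    graph = build_graph(FLOWS)
    print("degree centrality:", degree_centrality(graph))
    print("path 10.0.0.5 -> 203.0.113.9:", shortest_path(graph, "10.0.0.5", "203.0.113.9"))
    print("heaviest edge:", heaviest_edge(graph))
```

The adjacency dict keeps the example dependency-free; a real examination would typically hand the same edge list to a graph library and add weighted metrics (betweenness, community detection) on top, which is the kind of richer toolset the abstract refers to.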
Date of Award: 2021
Original language: English
