Study On Types Of Network Forensic Information Technology Essay

Published: November 30, 2015 Words: 2401

Over the past five years Internet usage has increased rapidly: 90% of people, whether computer professionals or not, have computers at home, and computers have become part of both personal and business life. The number of people with Internet access has therefore grown drastically, and with it the number of crimes committed online; common illegal activities such as identity theft and data theft have also increased. Computer forensics deals with collecting data from computer systems and storage media and analysing it, following proper procedures so that the findings will be upheld in a court of law.

The Need for Forensics

Forensics was introduced to assist law enforcement in establishing a crime from computer evidence. Network forensics evolved from it to ensure that evidentiary data about a crime is handled through proper procedure and process before it is presented to court. Forensic tools and techniques are most often used in investigations: when examining suspect systems, and when collecting and preserving evidence.

What is Network Forensic?

Network forensics deals with the capture, recording and analysis of network events in order to discover evidence about the source of security attacks that can be used in a court of law. With the rapid growth and use of the Internet, network forensics has become an integral part of computer forensics.

Types of Network Forensics

Email Forensics

Web Forensics

Packet Sniffers

Email Forensics

Email is one of the most common ways people communicate, from internal meeting requests to document distribution and general conversation, and it is now relied on to provide confidentiality, authentication, non-repudiation and data integrity. As more and more people use email to communicate, hackers have started to use email to carry out their malicious activities. Spam email is commonly used by hackers and is a threat to the Internet community. Email is vulnerable and can easily be intercepted and used by hackers, so secret information can leak to them. Email forensics refers to the study of the sources and content of electronic mail so that it can serve as evidence: it investigates and identifies the actual sender and recipient of a message and the date and time at which the message was sent. Emails frequently carry malicious viruses, which can result in loss of data, identity theft and exposure of confidential information.

Web Forensics

The common web browsers in use today are Internet Explorer and Mozilla Firefox. Each browser has its own format for saving data. Internet Explorer stores a person's browsing history in a file called index.dat, while Mozilla Firefox saves web browsing activity in history.dat. Both are hidden files, so in order to view them the browser has to be set to show all hidden and system files, and neither can easily be deleted in the regular way. Web forensics refers to collecting critical information related to a crime by exploring the browsing history of the victim: the number of times a particular website was visited, how long each visit lasted, the files downloaded from and uploaded to the website, and other critical information relevant to the crime.

Packet Sniffers

A sniffer is a type of software that collects the traffic flowing in and out of a computer attached to a network. Sniffers are commonly used by network engineers to monitor and collect information from the different communications that occur over a network. Intrusion detection systems use sniffers as their main source of data, matching captured packets against designed rules to identify anything malicious or strange going on. Law enforcement agencies also use sniffers to collect particular traffic on a network and then use the collected data for investigative analysis.

Tools Used in Network Forensics

SmartWhoIs

EMailTrackerPro

Write Blocker

Wireshark

Write Blocker

During an investigation it is possible for the investigator to accidentally write to the evidence drive, which would render the evidence invalid in a court of law. To prevent the evidence from being contaminated, the investigator uses a write blocker to ensure it is not compromised. A write blocker allows the system to read data at high speed from the external drive while blocking any write command to it, so the drive cannot be modified during examination. A write blocker can also prevent the computer from writing to the hard disk's interface.

SmartWhoIs

SmartWhoIs is a network utility that can look up all available information about a network provider, including its name, IP address, and the country and state it is located in, along with the administrator or technical support contacts. Sometimes both SmartWhoIs and eMailTrackerPro are needed, when the information provided by the latter is not sufficient. Once SmartWhoIs is installed on a computer, a button appears on the Internet Explorer toolbar; with it, SmartWhoIs can be used whenever more information is needed about the website currently being visited.

EMailTrackerPro

eMailTrackerPro is used to analyse an email's header in order to find the IP address of the computer from which the message was sent, so that the sender can be tracked down. Every email message has a header located at the top of the email. The source of the email can be found in the header, which lists every point in the email's journey from the sender to the recipient together with the date and time at each point; the header therefore provides an audit trail of every machine the email has passed through. eMailTrackerPro has a built-in location database used to trace emails to a country, and the information is shown on a global map. Tracing an email message is easy: copy the header from the email and paste it into eMailTrackerPro to start the trace. The trace is shown in the graphical user interface (GUI) and a summary report is then produced. The summary report shows the misuse of the particular email address so that the sender's administrators can see it, and it also contains critical information that can be used in a forensic investigation: the location of the IP address from which the email was sent or, if the report cannot determine that, at least the location of the target's ISP; the domain contact information for the network owner; and the domain registration details, which show who registered the website address and how many emails have been sent out from the address.
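The header walk described above, as an added example that is not part of the original essay and does not use eMailTrackerPro: it parses the Received lines of a constructed sample message with Python's standard email module and reports the hops in delivery order, with the oldest hop as the best lead on the origin.

```python
import email
import re

# Constructed sample message (not a real email). Each relay prepends its own
# Received line, so the top line is the newest hop and the bottom the oldest.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
 by mail.example.org with ESMTP id abc123;
 Mon, 02 Nov 2015 10:15:03 +0000
Received: from laptop.local (unknown [203.0.113.45])
 by mx.example.net with SMTP id xyz789;
 Mon, 02 Nov 2015 10:14:58 +0000
From: sender@example.net
To: victim@example.org
Date: Mon, 02 Nov 2015 10:14:50 +0000
Subject: constructed sample

body text
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Return the hops recorded in Received headers, origin first.

    Each hop is (ip, receiving_host, timestamp). Only the hops added by
    servers you control can be trusted; a sender can forge earlier lines.
    """
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(hdr.split())          # unfold continuation lines
        ip = IP_RE.search(text)
        by = re.search(r"\bby (\S+)", text)
        ts = text.rsplit(";", 1)[-1].strip()  # timestamp follows the ';'
        hops.append((ip.group(1) if ip else None,
                     by.group(1) if by else None, ts))
    return list(reversed(hops))

def origin_ip(raw):
    """IP address of the oldest hop, i.e. where the mail entered the chain."""
    chain = received_chain(raw)
    return chain[0][0] if chain else None
```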

Wireshark

Wireshark (previously known as Ethereal) is a well-known network protocol analyser used in many industries to decode the packets of information on a network. Besides decoding, Wireshark can capture live network traffic, read data from a chosen capture file, and translate the data into a format users can understand. Wireshark is a tool used by administrators to diagnose and troubleshoot problems, but it can also be used by intruders to gather confidential information.

What kind of illegal activities can intruders use Wireshark for?

Obtain usernames and passwords

Obtain unauthorised information

Network mapping

INCIDENT RESPONSE PROCESS

Incident response is well known in information security because the process is well understood by investigators. The forensic process consists of a few important stages, and it is common practice to maintain a chain of custody so that the evidence can stand up in court. These stages apply not only to network forensics but also to traditional forensics. The four primary steps of the forensic process are as follows:

Preparation - In this stage, the evidence to be gathered must make sense and have value for the investigation, or the evidence is collected from the compromised system.

Acquiring the evidence - In this stage, the investigator makes duplicate copies of the disks, reports and access logs needed to support the case against the criminal activity; the investigator also has to provide law enforcement with authenticated copies of the full logs when they request them.

Analysing the data for evidence - In this stage, the collected evidence has to be reviewed and validated to determine whether the crime was indeed committed by the suspect and whether the evidence is enough to stand up in court.

Documentation - In this stage, the investigator has to document all findings made during the investigation so that the results can be presented in a court of law without being thrown out, because at the end of the day it is the data that makes the case against the suspect.

Data Sources in Network Traffic

Every organisation has information sources concerning network traffic that are very useful for network forensics. These sources contain data from the four TCP/IP layers. The major components among network traffic data sources are firewalls and routers, protocol analysers, intrusion detection systems, remote access servers and several other types of data source. The purpose of each major component is explained below.

Firewalls and Routers

Firewalls and routers are network devices that examine network traffic against a set of rules with permit or deny actions. Network-based firewalls that perform NAT may contain data about the network traffic. NAT maps the addresses of one network to the addresses of another: a single external address has multiple internal addresses mapped to it, and NAT distinguishes those internal addresses by assigning a different source port number on the external address to each individual internal address. The main purpose of a NAT device is therefore port mapping, and it records each individual NAT address.

Networking Intrusion Detection Systems

Intrusion detection systems (IDS) are used to detect malicious or suspicious activities taking place within the network environment. Such activities may involve hacking; the IDS examines network traffic to check whether any unauthorised user has attempted to break into the computers. A network intrusion detection system is a device that detects activity on your network. A host-based IDS only monitors the host on which it is installed, whereas a NIDS allows you to monitor the flow of data and the network traffic.

A NIDS not only monitors the flow of data but also filters and inspects every incoming packet for signatures or any suspicious pattern. For example, if you detect numerous TCP connection requests sent to different ports, the first thing that comes to mind is that an unauthorised person is conducting a port scan on the computers in the network. A NIDS can detect intrusions not only in incoming traffic but in outgoing traffic as well: if an attack is launched from within your network segment, it will not be considered incoming traffic.
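The port scan heuristic in the paragraph above, as an added example that is not part of the original essay: a small detector run over constructed connection-attempt log lines (the log format is assumed) that flags any source touching many distinct ports within a short window, whether the source is inside or outside the segment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-attempt log (not from a real sensor). Assumed format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> SYN"
SAMPLE_LOG = """\
2015-11-02T10:00:01 10.0.0.5 -> 10.0.0.20:22 SYN
2015-11-02T10:00:01 10.0.0.5 -> 10.0.0.20:23 SYN
2015-11-02T10:00:02 10.0.0.5 -> 10.0.0.20:25 SYN
2015-11-02T10:00:02 10.0.0.5 -> 10.0.0.20:80 SYN
2015-11-02T10:00:03 10.0.0.5 -> 10.0.0.20:110 SYN
2015-11-02T10:00:03 10.0.0.5 -> 10.0.0.20:143 SYN
2015-11-02T10:00:04 10.0.0.5 -> 10.0.0.21:443 SYN
2015-11-02T10:00:07 10.0.0.9 -> 10.0.0.20:80 SYN
2015-11-02T10:05:00 10.0.0.9 -> 10.0.0.20:443 SYN
"""

def parse_line(line):
    ts, src, _, dst, _ = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def detect_port_scans(log, window=timedelta(seconds=10), threshold=5):
    """Return {src_ip: distinct_targets} for sources that hit at least
    `threshold` distinct (host, port) targets inside any `window`.

    A sliding window per source keeps the check linear in the number of
    events per source; internal sources are treated like external ones.
    """
    events = defaultdict(list)           # src -> [(timestamp, (dst_ip, port))]
    for line in log.splitlines():
        if line.strip():
            ts, src, dst_ip, port = parse_line(line)
            events[src].append((ts, (dst_ip, port)))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:   # drop events older than window
                start += 1
            distinct = len({target for _, target in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[src] = best
    return alerts
```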

Remote Access

Remote access servers are devices, such as modem servers, that facilitate connections between different networks: when external systems need to connect to internal systems, or vice versa, they have to go through the remote access server. One of the main purposes of using remote access servers is to record the origin of each individual connection and the user account authorised for each session. When an IP address is assigned to a remote user through the remote access server, it is likely to be logged. Remote access servers work at the network level, so they support the use of different types of applications.

Security Event Management Software

Security event management (SEM) software gathers and analyses data from servers in order to find correlations that can point to threats and vulnerabilities. SEM software can import security event information derived from network traffic; the data sources related to security events are IDS logs and firewall logs. It works by receiving copies of the logs from the data sources over a secure channel, transforming the logs into a standard format, and then identifying related events by matching IP addresses and timestamps. SEM products usually generate meta-events from the imported event data rather than from the original event data. Many SEM products can identify malicious activity such as a virus attack, and besides identifying virus threats, SEM can also detect misuse of the network.
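An added example, not part of the original essay, that serves both the NAT port-mapping point in the firewalls section and the SEM log-correlation process described just above: constructed NAT and IDS log lines (both formats are assumed) are normalised to a common shape and then joined on external port and timestamp, so that an alert seen only with the shared external address is attributed to the internal host that held the port at that moment.

```python
from datetime import datetime, timedelta

# Constructed logs, not from real devices. The firewall's NAT log records which
# internal host held each external source port; the IDS alert only shows the
# external address, so attribution needs both logs and their timestamps.
NAT_LOG = """\
2015-11-02 10:00:00 NAT 192.168.1.10:51234 -> 203.0.113.1:40001 dst 198.51.100.9:80
2015-11-02 10:00:05 NAT 192.168.1.11:51234 -> 203.0.113.1:40002 dst 198.51.100.9:80
2015-11-02 10:02:00 NAT 192.168.1.12:49152 -> 203.0.113.1:40001 dst 198.51.100.9:443
"""
IDS_LOG = """\
Nov  2 10:00:07 ids alert: suspicious payload src=203.0.113.1:40002 dst=198.51.100.9:80
Nov  2 10:02:30 ids alert: suspicious payload src=203.0.113.1:40001 dst=198.51.100.9:443
"""

def load_nat(log):
    """Normalise NAT lines to (start_time, internal_ip, external_port)."""
    table = []
    for line in filter(None, log.splitlines()):
        day, clock, _, internal, _, external, _, _ = line.split()
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        table.append((ts, internal.split(":")[0], int(external.split(":")[1])))
    return table

def load_ids(log, year=2015):
    """Normalise syslog-style IDS alerts to (time, external_port, message)."""
    alerts = []
    for line in filter(None, log.splitlines()):
        p = line.split()
        ts = datetime.strptime(f"{year} {p[0]} {p[1]} {p[2]}", "%Y %b %d %H:%M:%S")
        src = next(f for f in p if f.startswith("src="))
        alerts.append((ts, int(src.split(":")[1]), line))
    return alerts

def attribute(nat_table, ids_alerts, lifetime=timedelta(minutes=5)):
    """Map each alert to the internal host that held its external port.

    External ports are reused, so the latest mapping started at or before the
    alert and still within its lifetime wins; the address alone is ambiguous.
    """
    result = []
    for ts, port, msg in ids_alerts:
        cands = [(start, ip) for start, ip, p in nat_table
                 if p == port and start <= ts <= start + lifetime]
        result.append((msg, max(cands)[1] if cands else None))
    return result
```

The second alert shows why the timestamp matters: port 40001 belonged to 192.168.1.10 at 10:00 and to 192.168.1.12 at 10:02, and only the time-aware join picks the right host.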

Network Forensic Analysis Tools

Network forensic analysis tools (NFAT) are designed to help administrators collect, examine and analyse network traffic, reducing the time spent on the usual analysis process and showing a general picture of what has happened on the network. NFAT software also has additional features that further facilitate network forensics, such as visualising traffic flows and the relationships between hosts, and searching application content by keyword.

Conclusion

There are many tools and techniques used in network forensics, as described above, and network forensics is used in many organisations; by using network data for the investigation, the investigation becomes more accurate. There are many more techniques and tools not mentioned here, such as cloud computing. The techniques above may be complicated and troublesome for some users, but technology evolves and advances every single day, and we cannot know what technology will emerge to help investigators gather information through the network; for now we can only know the types of techniques and tools currently available and the use of each. Let us hope more advanced techniques and tools evolve in the near future.