5th Global Conference on Computing & Media Technology (2021)
Analysis of a Network Forensic Investigation Technique
Shaina Ferdous and Dr. Vinesha Selvarajah
Asia Pacific University of Innovation & Technology (APU), Malaysia
tp053500@mail.apu.edu.my, vinesha@apu.edu.my
Abstract— This paper discusses Network Forensics, the shortcomings of common Network Forensic techniques, and then examines one specific Network Forensic investigation model, the Multi-layer Multi-model Traffic Analysis (MMTA) framework, in depth. The impact of Network Forensics on current Digital Forensic practice and the challenges faced are also covered. Each step of the investigation model is analyzed, and based on that analysis a new investigation model is proposed that could be used in its stead. The framework under analysis can work alongside other Network Forensic tools and techniques, which makes it versatile. Adaptability is crucial if a digital forensic investigation model is to fit many different scenarios, and this framework has that part covered. Neither investigative framework has major prerequisites; however, since the proposed framework was derived from the one analyzed earlier in this paper, there is still room for future improvement in both models.
1 Introduction
If the current pandemic has taught us one thing, it is that anyone can become a victim of cyberattacks. Statistics showing an 800% increase in overall cyberattacks in 2020 bear this out [1]. Businesses have faced a large surge of cyber threats, especially ransomware, now that most employees work from home offices rather than from the company building. Remote work minimizes the contact people have with one another, but it also hands attackers a much larger advantage. A company typically has a dedicated team that keeps the office network as secure as possible and hard to penetrate, so an employee working from an office workstation does not have to worry about such things and can focus on the tasks of the day or week. With the majority of people encouraged to work from home during the pandemic, there is no one looking after the home network, which automatically makes the employee more vulnerable to cyberattacks. This is what cybercriminals are taking advantage of, and it is one of the top reasons for the increase in cyberattacks over the past year.
1.1 Network Forensics
Network Forensics is a subdivision of Digital Forensics, which is itself a branch of Forensic Science [1]. The disciplines are closely related, so it is important to keep all aspects of the forensic sciences in view. With that said, the importance of Network Forensics is at its peak, as it is the part of Digital Forensics that examines technology and data to understand what kind of evidence has been collected, how it is associated with the crime, and how it can assist the investigation [1]. With this information, professionals can also build a much stronger security posture that prevents the same type of attack from recurring. As the name suggests, law enforcement will put most emphasis on the traffic data of the network suspected of being used in the cyberattack [1]. Key information to look for includes any form of communication between individuals, the use of certain keywords, logged network events, and manipulation of existing files or folders [1]. With this information, it becomes much easier for cybercrime investigators to build a timeline of the events that may have occurred, which is crucial for tracking down the source of the attack and for other security-related incidents.
1.2 The Gap in Network Forensic Investigation Techniques
The job of a forensic investigator consists of discovering how a crime took place, identifying the people involved, and building a timeline of the events that led to the crime [7]. Despite the plethora of techniques developed to assist in these activities, most share one major issue: the information they collect is very abstract and omits much of the technical detail [7]. This in turn leads to collecting unnecessary evidence, driven by the "what if this is somehow related" concern that many investigators suffer from. Going through the piles of evidence then becomes an extremely strenuous task, because there is now far more data to filter through [7]. It is almost a chain reaction.
Another complex issue with such techniques, and a major issue for Network Forensics as a whole, is that almost all the data gathered is in its rawest form, which makes it even harder for humans to comprehend and decipher [7]. In general, Network Forensic investigations involve a large amount of data that requires analysis, which can be a tedious task.
2 Impact of Network Forensics
Cyber Security can be simply defined as the protection of electronic devices and data from attacks of ill intent. Forensic investigation assists by collecting the evidence needed to catch the attackers. Multiple methods have been constructed over the years to combat such attacks, and Network Forensics has played a large role by broadening the horizons and opportunities of Digital Forensic investigations.
2.1 Detection and Prevention
One of the first steps of any Digital Forensic investigation is detecting the attack. Network Forensics has made this much easier, since it allows us to monitor the traffic of attack hotspots and analyze the attack with tools such as Wireshark, Splunk, Snort and NetworkMiner. By analyzing the attack, you can then take further precautions against similar attacks in the future, since Network Forensic tools and techniques let you recognize the attack patterns.
2.2 Simplified and Added Security
Network Forensic techniques have not only simplified the investigation of attacks; the identification of weaknesses within a network has also become an extra layer of security for many organizations. Network Forensics has shown repeatedly that knowing the weaknesses or vulnerabilities in one's own system or network can be turned to one's advantage. Once it has been established what a cybercriminal could potentially exploit in the future, we can work on rectifying the vulnerability, or even use it to build a honeypot. A honeypot lures attackers into a situation where they think they are in control when that is not the case at all; it is a common tactic used by defenders and by law enforcement to catch cybercriminals. This shows that Network Forensics is quite versatile and has changed the game for both cyber professionals and law enforcement.
2.3 Troubleshooting Performance Issues
In a corporate environment there will often be scenarios where the network suffers performance issues. With the help of Network Forensics, you can not only identify the problem but also troubleshoot it and optimize the performance of the network. This shows that there is a need for Network Forensics not only in cybercrime investigations but also in the corporate world, which further proves its versatility.
2.4 Identify Source of Data Leaks
Data leaks are a very common trend lately, as with the advancement of technology data is becoming just as valuable as money. Whether it is an outsider trying to gain access or an insider who already has access but wants to leak the data for ulterior motives, there is always a need for data protection and monitoring, especially with the recent rise in ransomware attacks. Since leaked data has to cross a network at some point, Network Forensics plays a key role here too and helps to establish where the leak occurred, how it occurred, and who might be responsible.
3 A Review of a Network Forensic Technique
This section discusses the Multi-layer Multi-model Traffic Analysis (MMTA) forensic technique, which stands out for an attention to detail that most other Network Forensic techniques miss. The area of focus in this investigation model is not only the network itself but also the servers and other assets and devices the information flows through. Its analysis of abnormal behavioural patterns, and the way it correlates those patterns with the data gathered, is what makes this model worth examining.
3.1 Multi-layer Multi-model Traffic Analysis (MMTA)
All devices exposed to the internet are at risk of being compromised, especially in this day and age, when technology keeps advancing at an exponential rate. Advancement in technology calls for advancement in forensic investigation methodologies across various areas of focus, especially in Network Forensics. Since traffic analysis is a very common way of approaching Network Forensics, Dinil Mon Divakaran developed the Multi-layer Multi-model Traffic Analysis (MMTA) model in 2017; it consists of three main phases [5]. The diagram below depicts the investigative model.
Fig. 1 MMTA framework [5]
Phase 1 models and analyzes network sessions to detect anomalous or suspicious patterns [5]. This is the phase where the network in question is thoroughly examined: every TCP connection is monitored, every session created by other devices is analyzed, and every movement within the network traffic is tracked.
Phase 2 detects scans and illegitimate TCP state sequences [5]. The first step before most attacks is to scan the target's networks and servers for open ports, which reveals the services running on the target machine and their versions, so that the attacker can pick something to exploit. This is where security breaches begin [5]. In this phase the analysis does not stop at detecting scans: it also looks for TCP state sequences that a legitimate connection would never produce.
Phase 3 is evidence correlation and decision making [5]. Based on all the evidence gathered in phases 1 and 2, this phase reveals what sort of attack occurred, or what might have happened, and how the attacker gained access to the system from the network. If the attack is still active, then methods of stopping it need to be implemented; if the system has already been affected, then precautions must be taken for the future. This also leads to how this type of attack can be prevented from happening again.
4 Multi-layer Multi-model Traffic Analysis
4.1 Phase 1: Model, Analyze, and Detect Anomalous Patterns
As mentioned earlier, the MMTA framework consists of three major phases, which were briefly introduced in the previous section. The details of each phase are now elaborated. Before we begin, we must first establish what exactly a flow and a session are. A flow is a set of packets sharing the same five-tuple: source and destination IP addresses, source and destination ports, and protocol [5]. If packets with the same five-tuple are separated by a period of inactivity, they are treated as two separate flows [5]. So, in practice, every TCP connection is a distinct flow. Flows are then grouped into sessions using the inter-arrival time between them: a session is a set of flows in which the gap between consecutive flows stays below a chosen threshold [5]. Hence, if a sufficient period of inactivity is detected between two otherwise similar groups of flows, they are considered two separate sessions.
Often it is more efficient to group sessions by a three-tuple rather than the full five, focusing on the destination IP address, destination port and protocol [5]; this collects every client's sessions to the same service under one key. That is the common way to analyze traffic to a popular website, but in the case of bots or DDoS attacks it is more helpful to key on the source IP address than on the destination [5]. These are some of the ways to complete the first step of the MMTA framework.
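To make the flow and session definitions above concrete, here is an added example (written for this analysis, not code from the MMTA paper or its authors) that groups constructed packet records into flows by five-tuple and inactivity, then into sessions by inter-arrival time, keyed either by the full five-tuple or by the destination-oriented or source-oriented three-tuple. The timeout values and the packet records are assumptions chosen for illustration.

```python
"""Phase 1 building blocks: packets -> flows (five-tuple, split on inactivity)
-> sessions (flows whose inter-arrival gap stays below a threshold), plus the
three-tuple variants. Added example with constructed input; not MMTA code."""
from collections import defaultdict

FLOW_TIMEOUT = 30.0   # seconds of silence that ends a flow (assumed value)
SESSION_GAP = 60.0    # max gap between flows of one session (assumed value)

# Constructed packet records: (time_s, src_ip, src_port, dst_ip, dst_port, proto)
PACKETS = [
    (0.0, "10.0.0.5", 50001, "203.0.113.10", 443, "tcp"),
    (0.2, "10.0.0.5", 50001, "203.0.113.10", 443, "tcp"),
    (3.0, "198.51.100.7", 40000, "203.0.113.10", 443, "tcp"),
    (3.1, "198.51.100.7", 40000, "203.0.113.10", 443, "tcp"),
    (5.0, "10.0.0.5", 50002, "203.0.113.10", 443, "tcp"),
    (5.3, "10.0.0.5", 50002, "203.0.113.10", 443, "tcp"),
    (7.0, "10.0.0.5", 53001, "203.0.113.53", 53, "udp"),
    (100.0, "10.0.0.5", 50001, "203.0.113.10", 443, "tcp"),  # same 5-tuple after 99.8 s idle
    (100.4, "10.0.0.5", 50001, "203.0.113.10", 443, "tcp"),
    (500.0, "10.0.0.5", 50003, "203.0.113.10", 443, "tcp"),
]

def build_flows(packets, timeout=FLOW_TIMEOUT):
    """Packets with the same five-tuple belong to one flow unless more than
    `timeout` seconds of inactivity separate them; then a new flow starts."""
    flows, current = [], {}          # current: five-tuple -> index into flows
    for ts, sip, sport, dip, dport, proto in sorted(packets):
        key = (sip, sport, dip, dport, proto)
        idx = current.get(key)
        if idx is not None and ts - flows[idx]["last"] <= timeout:
            flows[idx]["last"] = ts
            flows[idx]["packets"] += 1
        else:
            flows.append({"key": key, "first": ts, "last": ts, "packets": 1})
            current[key] = len(flows) - 1
    return flows

def build_sessions(flows, gap=SESSION_GAP, key_fn=lambda k: k):
    """Group flows by key_fn(five-tuple), order them in time, and cut a new
    session wherever the gap to the previous flow exceeds `gap`."""
    grouped = defaultdict(list)
    for flow in flows:
        grouped[key_fn(flow["key"])].append(flow)
    sessions = []
    for key, members in grouped.items():
        members.sort(key=lambda f: f["first"])
        current = [members[0]]
        for prev, flow in zip(members, members[1:]):
            if flow["first"] - prev["last"] <= gap:
                current.append(flow)
            else:
                sessions.append({"key": key, "flows": current})
                current = [flow]
        sessions.append({"key": key, "flows": current})
    return sessions

def dst_three_tuple(key):
    """Server view: destination IP, destination port, protocol."""
    return (key[2], key[3], key[4])

def src_three_tuple(key):
    """Client view, for bots/DDoS: source IP, destination port, protocol."""
    return (key[0], key[3], key[4])

def summarize(packets):
    """Flow and session counts under each keying, for comparison."""
    flows = build_flows(packets)
    return {
        "flows": len(flows),
        "sessions_5tuple": len(build_sessions(flows)),
        "sessions_dst3": len(build_sessions(flows, key_fn=dst_three_tuple)),
        "sessions_src3": len(build_sessions(flows, key_fn=src_three_tuple)),
    }

if __name__ == "__main__":
    print(summarize(PACKETS))  # {'flows': 6, 'sessions_5tuple': 6, 'sessions_dst3': 4, 'sessions_src3': 5}
```

Note that the same ten packets yield six flows but only four sessions under the server-side three-tuple, because the three clients talking to 203.0.113.10:443 within a few seconds of each other collapse into one session; the thresholds are what decide the split, so they should be recorded with the evidence.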
4.2 Phase 2: Detect Scans and Illegitimate TCP Sequences
Before the second phase, detecting scans and illegitimate TCP state sequence behaviour, we must first understand the regular TCP states of establishing and terminating a connection between a client and a server. This is well depicted in the two diagrams below.
Fig. 2 TCP State Sequence [4]
The whole process starts when the client performs an active open, sending a SYN to a listening port on the server and entering the SYN_SENT state. The server answers with a SYN-ACK and moves to SYN_RCVD, which tells us that it has received the synchronization request and is waiting for an acknowledgement from the client. The client acknowledges the server's SYN with an ACK, and a connection is established between the two. Once all the necessary activity between client and server is done, the client actively closes the connection and the server follows with a passive close: the client sends a FIN, the server acknowledges it and sends its own FIN, and the server then waits for the client to acknowledge that FIN before the connection is completely closed.
The next diagram, the TCP state transition diagram, is a little more intricate than the state sequence diagram but applies the same concept.
Fig. 3 TCP State Transition Diagram [4]
The solid black arrows represent the normal client transitions and the dashed arrows the server transitions. Connection establishment between client and server begins at the CLOSED state at the top of the diagram; the arrows pointing towards the ESTABLISHED state show the opening of a connection, while the arrows leaving the ESTABLISHED state show its closing. The ESTABLISHED state represents an open connection, and this is where all data transfer between client and server happens. The dashed box at the bottom left, labelled active close, shows the states of the client initiating the closing of the connection. The dashed box at the bottom right, labelled passive close, shows the server acknowledging the client's request to close, eventually leading back to the CLOSED state at the top, where the connection has finally ended.
Every Network Forensic practitioner should know these two diagrams, as they are very useful for determining whether suspicious activity is happening inside a network. Phase 2 of the MMTA framework is all about the TCP states and the behavioural analysis of these states: a sequence such as SYN, SYN-ACK, RST (a half-open scan), a SYN answered only by RST (a probe of a closed port), or a FIN arriving on a port with no handshake behind it is never produced by a legitimate connection. This is where most of the illegitimate TCP state sequences can be found and investigated further, which makes it a crucial part of the MMTA framework.
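As an added example, not code from the MMTA paper, the following replays a constructed trace of TCP flag sequences through a per-connection state machine built from the states in Fig. 2 and Fig. 3, records the sequences a legitimate connection never produces (phase 2), and then correlates those findings by source IP in the way phase 3 (Section 4.3) describes: a source that probed several hosts and afterwards completed a handshake with another one. The flag notation, the trace and the thresholds are assumptions.

```python
"""Phase 2 and 3 building blocks: replay TCP flag sequences through a
per-connection state machine, record illegitimate sequences, correlate by
source IP. Added example with a constructed trace; not MMTA code."""
from collections import defaultdict

# Constructed trace: (time_s, src_ip, src_port, dst_ip, dst_port, flags),
# flags written as tcpdump prints them: S=SYN, A=ACK, F=FIN, R=RST, P=PSH.
TRACE = [
    # legitimate connection: three-way handshake, FIN from each side, final ACK
    (1.0, "10.0.0.5", 50001, "203.0.113.10", 443, "S"),
    (1.1, "203.0.113.10", 443, "10.0.0.5", 50001, "SA"),
    (1.2, "10.0.0.5", 50001, "203.0.113.10", 443, "A"),
    (2.0, "10.0.0.5", 50001, "203.0.113.10", 443, "FA"),
    (2.2, "203.0.113.10", 443, "10.0.0.5", 50001, "FA"),
    (2.3, "10.0.0.5", 50001, "203.0.113.10", 443, "A"),
    # 198.51.100.7 probes four hosts in four ways, then connects to a fifth
    (10.0, "198.51.100.7", 40001, "192.0.2.10", 22, "S"),
    (10.1, "192.0.2.10", 22, "198.51.100.7", 40001, "SA"),
    (10.2, "198.51.100.7", 40001, "192.0.2.10", 22, "R"),   # half-open scan
    (10.3, "198.51.100.7", 40002, "192.0.2.11", 22, "S"),
    (10.4, "192.0.2.11", 22, "198.51.100.7", 40002, "RA"),  # closed port
    (10.5, "198.51.100.7", 40003, "192.0.2.12", 22, "F"),   # FIN, no handshake
    (10.6, "198.51.100.7", 40004, "192.0.2.13", 22, "S"),   # never answered
    (30.0, "198.51.100.7", 40010, "192.0.2.99", 4444, "S"),
    (30.1, "192.0.2.99", 4444, "198.51.100.7", 40010, "SA"),
    (30.2, "198.51.100.7", 40010, "192.0.2.99", 4444, "A"),
]

def transition(state, flags, from_client):
    """One state-machine step: (next_state, event_kind or None).
    Legitimate open: S, SA, A. Legitimate close: F from each side, final A."""
    syn, ack, fin, rst = "S" in flags, "A" in flags, "F" in flags, "R" in flags
    if state == "SYN_SENT":
        if not from_client and syn and ack:
            return "SYN_RCVD", None
        if not from_client and rst:
            return "CLOSED", "closed_port_probe"   # SYN answered with RST
        if from_client and syn and not ack:
            return state, None                     # SYN retransmit
    elif state == "SYN_RCVD":
        if from_client and rst:
            return "CLOSED", "half_open_scan"      # S, SA, R: never completes
        if from_client and ack and not (syn or fin or rst):
            return "ESTABLISHED", "established"
    elif state == "ESTABLISHED":
        if rst:
            return "CLOSED", "reset"
        if fin:                                    # remember which side closed first
            return "FIN_WAIT_" + ("client" if from_client else "server"), None
        return state, None                         # data or pure ACK
    elif state.startswith("FIN_WAIT"):
        if fin and from_client != state.endswith("client"):
            return "LAST_ACK", None                # second FIN, from the other side
        return ("CLOSED", "reset") if rst else (state, None)
    elif state == "LAST_ACK":
        return ("CLOSED", "closed") if ack and not fin else (state, None)
    elif state in ("CLOSED", "INVALID"):
        return state, None                         # ignore trailing packets
    return "INVALID", "illegal_in_%s:%s" % (state, flags)

def track_connections(trace):
    """Replay a trace. Returns ({client 4-tuple: final state}, [events]);
    an event is (time, client_ip, server_ip, server_port, kind)."""
    states, last, events = {}, {}, []
    for ts, sip, sport, dip, dport, flags in sorted(trace):
        fwd, rev = (sip, sport, dip, dport), (dip, dport, sip, sport)
        if fwd in states or rev in states:
            key, from_client = (fwd, True) if fwd in states else (rev, False)
            states[key], kind = transition(states[key], flags, from_client)
        elif flags == "S":                     # proper active open
            key, kind = fwd, None
            states[key] = "SYN_SENT"
        else:                                  # FIN/NULL/Xmas/ACK probe, no handshake
            key, kind = fwd, "no_handshake:" + flags
            states[key] = "INVALID"
        last[key] = ts
        if kind:
            events.append((ts, key[0], key[2], key[3], kind))
    for key, state in states.items():          # SYNs that were never answered
        if state == "SYN_SENT":
            events.append((last[key], key[0], key[2], key[3], "unanswered_syn"))
    return states, events

SCAN_KINDS = ("half_open_scan", "closed_port_probe", "no_handshake", "unanswered_syn")

def correlate(events, min_hosts=2):
    """Phase 3 by source IP: sources that probed >= min_hosts distinct hosts
    and later completed a handshake somewhere (the bot-then-master shape)."""
    by_src = defaultdict(list)
    for ev in sorted(events):                  # time order within each source
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        scanned, sessions = set(), []
        for _, _, dst, port, kind in evs:
            if kind.startswith(SCAN_KINDS):
                scanned.add(dst)
            elif kind == "established" and scanned:   # handshake after a probe
                sessions.append((dst, port))
        if len(scanned) >= min_hosts and sessions:
            findings[src] = {"scanned": sorted(scanned), "sessions_after_scan": sessions}
    return findings
```

Running `correlate(track_connections(TRACE)[1])` singles out 198.51.100.7 with four probed hosts and one later session to 192.0.2.99:4444, while 10.0.0.5 produces only `established` and `closed` events. The `min_hosts` threshold is where false positives (Section 6.1) are traded against misses: a single unanswered SYN is ordinary on any busy network, several against distinct hosts from one source is not.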
4.3 Phase 3: Evidence Correlation and Decision Making
The final stage of the MMTA framework, the evidence correlation phase, is where the anomalous patterns detected in phase 1 and the illegitimate TCP state behaviour found in phase 2 are put together to derive a conclusion about the attack. There are a few different ways to proceed in this phase, a common one being an in-depth analysis of IP addresses, which can be grouped by time and by destination. Often the same IP address turns up in several anomalous flows, and those flows are likely to be illegitimate, so it is best to start the investigation from there [5]. The recorded times of the flows can also be used, but not all related anomalies occur within the same time frame [5]; they can be hours or even days apart. It can also help to analyze the Round Trip Times (RTTs) of the packets involved and look for similarities between them [5].
Correlating on IP addresses is the safest and most reliable option, as it produces the best results. For example, if a bot scans multiple machines before selecting one to establish a session with its master, the scans and the session share the same source IP address, which makes the suspicious sessions easy to identify for analysis [5].
5 General Requirements
The use of this framework is not tied to any particular task that must be completed beforehand; in other words, there are no specific prerequisites for applying the MMTA framework. The methodology can therefore be applied to the output of any network forensic tool. Some of the most popular and commonly used network forensic tools on the current market are the following:
• NetworkMiner
• Wireshark
• Tcpdump
• Splunk
• Snort
The one basic requirement that is crucial is an understanding of the different states of a TCP session between client and server, because that is what this investigational framework mostly depends on. Being well versed in a capable network forensic tool is also handy, since little time is then lost in learning how to use the tool itself to gather data. Once the network traffic has been captured, the three phases of the MMTA framework can be applied to reconstruct the attack and derive a conclusion from the evidence gathered.
6 Challenges Faced
With any new technique or tool, there will always be advantages and disadvantages, and challenges will be faced both in development and in use. The following are some of the challenges encountered when using the MMTA framework and, more generally, in the field of Network Forensics.
6.1 Detection of False Positives
In practice the MMTA framework has produced false positives in the first and second phases, that is, in evidence collection and anomalous pattern detection [5]. A false positive is a test result that comes out positive even though the condition is absent. Here it means that phase 1 or phase 2 reports suspicious activity, an anomalous pattern or an illegitimate session that is in fact benign [5]. Such results hinder the final evidence correlation and decision-making stage and can lead the investigation and the traffic analysis in the wrong direction. A scan detector is a typical source: a legitimate client retrying a connection, or a monitoring probe that deliberately sends SYNs it never completes, produces the same flag sequence as a scanner. Hence it is important to be cautious with these results and to analyze the gathered evidence thoroughly, because a lot of manpower and resources can otherwise be wasted.
6.2 Data Lost After Transmission
Network Forensics can be trickier than common Digital Forensics practice, because data carried over a network can be lost once transmission is over, which is usually not the case for data at rest on a disk. Packets that were not captured while they were in transit cannot be recovered later. This happens quite often, and much of the time the reason the data disappeared is unknown. It is an extra challenge for Network Forensic investigators, who must hunt for evidence and dig deeper for information that could be valuable in finding the culprit.
6.3 Privacy Laws
Data protection and privacy laws may also restrict some network forensic methods and tools [1]. Hence, before using a network forensic tool, it is best to make sure it does not violate any privacy law. A third-party investigator hired by a company to analyze its network should make sure the right permissions and authorizations are in place before beginning the examination with the tool and methodology of choice. These are extra precautionary steps that anyone pursuing a career in digital and network forensics should be aware of.
7 Critical Discussion of Analysis Process
There are two ways to approach Network Forensics: "catch it as you can" and "stop, look and listen" [6]. With the first method, the investigator captures all network traffic for later analysis; this is a time-consuming process and requires a lot of storage space [6]. With the second, the investigator examines every packet flowing through the suspected network as it passes and captures only the packets that look suspicious and need further examination [6]. This method is just as time-consuming as the first and needs much more processing power, but does not require nearly as much storage.
Although the investigator is free to capture all network traffic with the "catch it as you can" approach, the MMTA framework works better with "stop, look and listen". When conducting forensic analysis of network traffic, time is usually of the essence and efficiency matters, since information carried in packets can easily be lost over time. On a network carrying heavy traffic, capturing everything and going through each packet one by one may turn out to be ineffective, because many of these investigations are started on a hunch and there might not be any malicious activity on that network at all. "Catch it as you can" is therefore best suited to networks where malicious activity has been confirmed by other sources, or where the traffic volume is low.
In the first phase of the MMTA framework, where the investigator looks for anomalous patterns in the traffic, the process runs much more smoothly if only the suspicious-looking packets are captured for further examination. A lot of storage is saved this way, but the cost in processing power remains, because inspecting every packet before deciding whether to keep it requires much greater computational capacity. There is also the risk of false positives with this method, so it is crucial to be thorough and make sure the right packets are being analyzed. The converse risk is that a packet the filter discarded cannot be examined later, so the selection criteria must be decided with care.
It is clear by now that neither method is time-efficient and both are tedious; that, however, is part of any investigative process. Whether it is a physical crime or a cybercrime, the analysis and examination part of an investigation is always the most laborious, extensive and slow. Several professionals have studied the existing methodologies, techniques and tools in search of a faster way to gather results, and quite a few have succeeded in shortening the process for particular types of crime. Even so, the analysis and examination step remains the longest part of the investigation, because it must be followed in full to obtain the best results.
8 Standard Operating Procedure
Anyone pursuing a career in digital forensics must know the steps of a forensic investigation by heart: Authorization, Identification, Evidence Collection, Analysis and Examination, Reconstruction, and finally Documentation and Presentation. It has become evident over the years that these steps, although necessary, cannot all be applied at every digital crime scene, and so several methodologies tailored to different scenarios have been developed. Even if these six steps can be called the standard forensic investigation procedure, there is still room for change within them. Likewise, the Multi-layer Multi-model Traffic Analysis framework, however versatile and effective in network forensic investigations, still has room for improvement.
The sole focus of the MMTA model is network traffic, which is central to network forensics, but other areas of the topic need attention as well. Studying TCP state sequences reveals a lot about a network's activity; nevertheless, TCP is not the only protocol worth highlighting. Although it is the most frequently used transport protocol, UDP should be examined too, since it is the other transport-layer protocol of the OSI model. Application-layer protocols such as DHCP, DNS, FTP, HTTP, IMAP, POP and SMTP should also be highlighted, depending on the type of network activity being tracked. Each protocol has its own use: for example, SMTP is used for sending e-mail, IMAP and POP for retrieving it, and FTP for transferring files [3].
8.1 Proposed Network Forensic Technique
Keeping in mind the discussion above, the following steps could improve on the current MMTA framework.
Step 1 Gain Authorization
This step is easily overlooked but can determine whether the evidence collected is admissible in court, so it is crucial to obtain the right legal authorization before starting the investigation. The tools to be used should also be checked at this point and verified against privacy and data protection laws.
Step 2 Identification of Layer
This step is not covered by the MMTA framework. Here the attack is examined to decide which layers of the OSI model the investigation should target. The OSI model has seven layers, and the diagram below represents the process of communication between two network devices.
Fig. 4 Data transfer from one device to another through the OSI model [3]
Usually the main focus is on the Transport, Network and Data-link layers of the model. Once it has been identified which layer or layers to focus on, we can move on to the next step.
Step 3 Identification of Network Protocol
Based on the layer selection from the previous step, the network protocols of focus can be decided. If, for example, both the Network and Transport layers have been targeted, the choice can be narrowed down to the protocols that need the most attention. Each protocol has its own functionality, so once it has been established what exactly you are looking for, it is easy to determine which protocols to watch.
Step 4 Model, Analyze, Detect Anomalous Patterns (continuation of MMTA framework)
Now that it has been identified which protocols to focus on, the search for and examination of packets and anomalous behaviour can be narrowed accordingly.
Step 5 Detect Scans and Illegitimate Network Protocol Behavior
Based on the sequences of the protocol under examination, it can be determined whether illegitimate activity or sequences are being sent across the network in question. This generalizes phase 2 of MMTA from TCP alone to whichever protocols were selected in Step 3.
Step 6 Evidence Correlation and Decision Making
In the final step, it is helpful to reconstruct the attack from the evidence collected and to use that reconstruction to drive the decision making and the response to the attack.
9 Conclusions
In this paper, the MMTA Network Forensic investigation framework, created for gathering evidence and detecting malicious activity in traffic sessions, was analyzed. Based on the analysis, a standard operating procedure and a new investigative procedure were proposed. The paper also takes a deeper look at TCP state sequences and session analysis in network traffic, which can be used in future Network Forensic investigations and may be useful in other types of Digital Forensic investigation. The proposed framework is quite basic, as it currently focuses on collecting traffic data and analyzing it afterwards; with enhancements it could be applied to live traffic, which is why both the MMTA framework and the proposed framework have room for improvement.
References
[1] Afifi-Sabet, K. (2021). What is network forensics? Retrieved May 2021, from https://www.itpro.co.uk/cyber-attacks/31660/what-is-network-forensics
[2] Anon. (2021). TCP State Transition Diagram. Retrieved May 2021, from https://www.fishercom.xyz/digital-transmission/tcp-state-transition-diagram.html
[3] Anon. (n.d.). Network protocols. Retrieved May 2021, from https://www.manageengine.com/network-monitoring/network-protocols.html
[4] Anon. (n.d.). TCP State Transition Diagram. Retrieved 2021, from https://flylib.com/books/en/3.223.1.188/1/
[5] Divakaran, D. M. (2017). Evidence gathering for network security and forensics. DFRWS 2017 Europe, Proceedings of the Fourth Annual DFRWS Europe, 20, S56-S65.
[6] Kostadinov, D. (2020). Network Forensic Overview. Retrieved May 2021, from https://resources.infosecinstitute.com/topic/network-forensics-overview/
[7] Khaire, N. R., et al. (2015). Recent Trends and Challenges of Network Forensic. International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-210, 3(12), 7.