Research Background

Brief Overview

Where the data goes, the investigators follow. The strong impact of computing on everyday life, and on criminal life, has increased the need for tools that can investigate computers, networks and their data in a communication environment. This is particularly relevant to the internet, where the ease and frequency of data transfer notably facilitates certain types of illegal activity by its users. In small and large networks alike, network policy violations may occur frequently, whether users commit them intentionally or unintentionally. The network administrator's job is the management, control and coordination of network activities, so efficient forensic tools for network session replay and reconstruction based on network protocols are needed to reduce the load on network administrators.

Basics of Network Forensics

Network forensics is the science of capturing, recording and analysing network traffic to retrace the content of a network session, who was involved in the session or attack, how long the session lasted, and to pinpoint the source of any network policy violations or breaches. Network forensics is a natural extension of computer forensics. Computer or digital forensics involves the preservation, identification, extraction, documentation and interpretation of computer data. Network forensics involves the capture, recording and analysis of network events in order to discover the contents of sessions.

Network forensics is not the same as network security; rather, it is an extended phase of it, since the data for forensic analysis are collected from security products like firewalls and intrusion detection systems, and the results of analysing this data are used to investigate network sessions. However, there may be crimes which do not breach network security policies but are nevertheless legally prosecutable. These crimes can be handled only by network forensics.

Definition

Network forensics generally refers to the collection and analysis of network data such as network traffic, firewall logs, IDS logs, etc. Technically, it is a member of the existing and expanding field of digital forensics; in particular, it is concerned with digital forensics in networked environments. In real life, forensic science refers to the use of scientifically proven techniques to answer questions related to criminal and civil litigation.

Analogously, network forensics is defined as:

“The use of scientifically proved techniques to collect, fuse, identify, examine, correlate, analyze, and document digital evidence from multiple, actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt, and/or compromise system components as well as providing information to assist in response to or recovery from these activities (Laurence D. Merkle, 2008)”

Overview of My Research Area

My area of research focus in computer engineering lies in network forensics, cloud forensics and Internet of Things (IoT) forensics, all of which come under the broad title of computer forensics or digital forensics. The main objective of my core research in this field is tracing malicious users and regenerating the contents of their network sessions when network traffic anomalies have been reported in a computing environment. The all-inclusive analysis incorporates a network forensic investigation of a particular network session based on the nature of the service and the protocols used for communication over the internet.

Digital forensics is the science concerned with the recovery and investigation of material found in digital artifacts, often as part of a criminal investigation. Digital artifacts can include computer systems, storage devices, electronic documents, or even sequences of data packets transmitted across a computer network. Network forensics is a branch of digital forensics that focuses on the monitoring and analysis of network traffic. Unlike other areas of digital forensics that focus on stored or static data, network forensics deals with volatile and dynamic data. It generally has two uses. The first, relating to security, involves detecting anomalous traffic and identifying intrusions. The second, relating to law enforcement, involves capturing and analysing network traffic and can include tasks such as reassembling transferred files, searching for keywords, and parsing human communication such as emails or chat sessions.

All my research work aims to introduce an integrated forensic technique for inspecting, reordering and reconstructing the contents of packets in a network session, for forensic investigation of the protocols used by email, webmail, chat and instant messaging, video upload and download streams over HTTP, HTTPS/SSL-based communication followed by its decryption, upload and download sessions using encrypted and unencrypted file transfer protocols, Skype conversations and VoIP environments. Each of these studies covers a detailed analysis of the protocol structure concerned and its communication scheme with regard to forensic analysis. The following figure shows a networked environment in which the points at which my forensic investigation tools collect packets are highlighted in yellow. These packets are filtered based on the nature of the communication to trace malevolent activities in the communication stream. The tools can be customized and used with standalone PCs, WiFi-enabled PCs and laptops, lab servers, proxy servers etc.

Fig: Model Computing Environment in my Research

The implications of my research contributions can extensively help network forensic or crime investigators and administrators to analyse network activities offline or online when unlawful user activity is reported or suspected. All the forensic information about the network stream is processed to identify and locate the culprits involved in any illicit activity. These strategic approaches not only collect and organize the forensic details but also process the actual digital evidence, such as files, videos, voice data and other voice conversations, from the targeted communication environments. They also generate a forensic report containing details such as the user's IP address, port numbers and username and the time of the network activity, together with the procured digital evidence. At this stage the suspected user or users undergo investigation by the cybercrime police, who evaluate the forensic report. Once the cybercrime police confirm the proscribed activity and the culprits, the latter are prosecuted by the local judicial system as per the IT laws of the specific country.

Motivation Behind Past, Current and Future Research Works

A typical network forensic investigation tool or framework should retain principal features like:
1) Collection & filtering (C) – Collects network packets
2) Correlation analysis of multiple raw data sources (R) – Analyzes protocol characteristics
3) Log file analysis (L) – Analyzes computer or network log files
4) Stream reassembly (A) – Reconstructs a network session
5) Application layer viewer (A) – Displays reconstructed files and documents
6) Workflow or case management (W) – Catalyzes prosecution in the court

No existing forensic tool possesses all of the ideal features mentioned above. Most of them fall into the category of packet analysis tools. Tools like Wireshark and tcpdump collect, dissect and display packet information but do not support session reassembly. Tools like NetworkMiner and NetWitness support reconstruction of network sessions for only a few protocols, fail when traffic is encrypted, and are not open source licensed. Nowadays most communication protocols are encrypted with TLS/SSL, so unless the network session is decrypted it is difficult to do any forensic activity that retraces the actual content. In all my research works I have incorporated the above-mentioned features in developing distinct forensic frameworks which not only trace forensic details but also support the trial of the outlawed user by procuring substantial evidence from the network stream. A major milestone in my research work was the development of a TLS/SSL decrypter which decrypts an encrypted network session captured from any source.

My Past Research

My previous research works over the last eight years broadly targeted lawful network forensic investigation, introducing an integrated forensic technique for inspecting, reordering and reconstructing the contents of packets in a network session for a wide range of internet protocols. I have successfully developed distinct forensic frameworks for investigation of email (SMTP, POP3 and IMAP), webmail (Gmail, Hotmail and Yahoo), chat and instant messaging (MSN, Google Talk and ICQ), video upload and download streams using HTTP, file transfer environments using FTP, Peer-to-Peer (P2P) and secure FTP (SFTP) protocols, and content retrieval from Skype video and audio conversations and VoIP infrastructures. These network forensic investigation processes examine the stored packet information when a suspicious activity has been reported. They obtained adequate supporting evidence from stored packets by recreating the original data, files and messages sent or received by each user, so suspicious user activities could be found by monitoring the packets offline as well as online. My research work also targeted the development of an efficient network packet reconstruction algorithm to execute forensic investigation functionalities and to create the necessary evidence against any illegal network-related events. Hence all the methodologies proposed in this research helped in content-level analysis of packets passing through the network and in reporting any deceptive network activities in computing environments of enterprises and institutions. The experimental results of the proposed frameworks showed improved performance of network forensic investigation in terms of packet reordering and reconstruction time and in handling a wide range of protocols.

Major Challenges and Milestones achieved in Past Research works

The prime objective of my research works is to recreate the contents of a suspected network session from the network packets collected. The recreation of the network session is executed to regenerate and segregate the files, documents, websites, videos and voice data present in a particular session so that they can be forensically analyzed to trace malevolent users and their contents. This regeneration is accomplished by dissecting the packets to obtain the payload of the session and combining the payloads to regenerate the content. The various forensic frameworks developed throughout my research works have readily recreated such network sessions when the communications are unencrypted. Nowadays, however, a large volume of personal and business transactions is done electronically through secured internet communication with the HTTPS protocol. The internet offers computer users access to a wealth of information and reaches securely into the heart of many organizations. This is a major hurdle from the forensic investigation point of view: forensic details cannot be traced if all such communications or network packets are encrypted, which prompts malicious users to violate network policies or indulge in cyber terrorism etc. In this context there are many possibilities for vicious activities or attacks to occur through network communications using the HTTPS protocol, and it is usually very difficult to see or recreate HTTPS network sessions to verify their content as part of a forensic analysis.

Thus I have developed a dedicated forensic HTTPS decrypting framework to conduct investigation and subsequent regeneration through a series of procedures. I have developed a certificate handler which identifies the public and private keys of the targeted encrypted communication through a series of cryptographic processes. This research work motivated me to extend my research to other secured protocols like SFTP and Skype communications, and I succeeded in forensic investigation of such encrypted protocols. The rise of Skype VoIP has also led to challenges for traditional law enforcement interception, since there is no single physical point of interception (like a telephone exchange) where call traffic can be centrally identified and monitored. The Skype communications infrastructure now uses strongly encrypted channels: Transport Layer Security (TLS) for establishing connections with its servers and Secure RTP (SRTP) for media streams. As a result, most forensic analysis tools and frameworks fail to obtain forensically important credentials and to regenerate the actual content needed to trace cyber criminals and policy violators (individuals or users in a LAN) who misuse the Skype platform to exchange malicious content. By using my forensic HTTPS/SSL decrypter, I could conduct a trustworthy forensic analysis over an encrypted network session and pinpoint the culprits together with the actual contents of their communication.

I developed distinct forensic frameworks handling the above-mentioned protocols in association with the Research Center for Cyber Forensics (RCCF) at CDAC Trivandrum and with support from the Information Security Research Lab (ISRL) at the National Institute of Technology Karnataka, Surathkal, India. I started my forensic research as part of my bachelor's degree in engineering and information security by developing a forensic tool for the HTTP protocol, and continued the same line of research in my master's degree in engineering by developing a forensic framework for P2P protocol analysis. Since then I have been researching forensic frameworks for various other commonly used internet protocols alongside my academic profession and guiding master's students in engineering.

Current Research

Scope of Current Research

Cloud computing is estimated to be one of the most transformative technologies in the history of computing. It is becoming very popular among organizations, promising simplicity and delivering utilities based on virtualization technologies. Convenience, availability, elasticity, large storage capacity, speed, scalability and on-demand network access are some of the attractions of cloud computing. The majority of users of cloud computing services make use of cloud storage services, as they are publicly and freely available at low cost compared with other cloud service models like SaaS, PaaS and IaaS.

My current research focuses on analyzing security issues of cloud storage services and presents a forensic framework to counter cybercrime related to cloud storage by using the concept of retrospective network analysis, or network forensics. Cloud forensics is thus an application of digital forensics. My target research idea is to develop a cloud forensic framework for extensive content-level examination of network packets as part of cloud-based network forensic investigations. This helps in locating malicious cloud storage users in any computing community, such as corporations, institutions or individuals, when such a case is reported, followed by the acquisition of evidence for prosecution in court.

Background

At the present time a large amount of personal and business transactions is done electronically through the internet, significantly with the help of cloud computing. The cloud offers computer users access to a wealth of information and reaches into the heart of many organizations. The internet continues to evolve and to offer digital criminals increased opportunity through communication capabilities that did not exist previously. In response to this continuous increase in digital crime in the cloud environment, research is being conducted into ways of improving the quality and efficiency of digital investigation in the cloud. Cloud computing provides convenience, availability, elasticity, large storage capacity, speed, scalability and on-demand network access to a shared pool of configurable computing resources while reducing cost for consumers on a pay-as-you-go basis. Companies are realizing that cloud computing offers fast access to best-of-breed business applications and drastically boosts their infrastructure resources; however, there are concerns about how security and compliance integrity can be maintained in this new environment. The main security concerns can be listed as follows: the location of data, the ownership of data, access control, regulatory requirements, the right to audit, the Service Level Agreement (SLA), liability and accountability in the case of a security breach, investigative support, data segregation, long-term viability of the provider, and disaster recovery and continuity plans. The adoption of cloud computing solutions is increasing rapidly, and since major potential security risks surround this new technology, it is inevitable that digital forensics must follow it into the cloud.

My current cloud forensic framework aims at a proper presentation of computer crime evidentiary data in court while operating in a domain where system components are not within physical reach, and delivers a strategic approach to new problems such as the accessibility of multiple replicas of the stored data, tracing crime evidence across multiple jurisdictions, the reliability of the evidence, the ownership of the evidence and, most importantly, maintaining the chain of custody throughout the investigation.

Cloud Forensic Investigation 

I have been researching cloud forensic investigation for about the last two years, developing a cloud forensic tool that permits network administrators and investigators to monitor the use of cloud storage services over the available computer networks, gather all information about anomalous traffic, assist in cloud crime investigation and help in generating a suitable incident response. My current investigation techniques also provide support in analyzing insider illegal cloud-based network events and misuse of resources, predicting network patterns in the near future, executing risk assessment processes and judging cloud performance, and thus help in protecting intellectual property. These processes are complex in nature for real-time implementation and execution.

My current research mainly aims to develop a fully featured open source forensic analysis and investigation framework, based on retrospective network analysis or network forensics, for reconstructing cloud network traffic. Any cloud storage service can be selected for cloud forensic investigation to define the scope of the research work. My strategic approach processes offline or online cloud-based network packet sessions in pcap format to understand the nature of the sessions by comparing them with the expected cloud protocol characteristics. In the current research approach I have designed and developed an efficient rescheduling algorithm for network packet reordering and reconstruction to collect supporting evidence against any unauthorized cloud-based network usage. Currently I am in the process of refining and rectifying certain issues related to packet latency and handling a huge number of retransmitted and duplicate packets. My current strategic approach so far incorporates the important cloud forensic steps of collection of network traffic, preservation of network details, examination of network data and related elements, analysis of packets of forensic interest, investigation with the help of replaying or regenerating any session, and presentation of evidence in court for prosecution against any unauthorized network activity. The ultimate goal is to provide sufficient evidence to allow the perpetrator to be prosecuted.
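The stream reassembly feature listed earlier and the reordering problem described in this section (out-of-order, retransmitted and duplicate packets) are the same mechanism seen from two sides. The following is an added example, not code from the author's frameworks: it reorders one direction of a TCP session by sequence number, drops exact duplicates, trims partial overlaps, records gaps instead of silently shortening the evidence, flags retransmissions whose bytes disagree with what was already reassembled, and then carves the transferred document out of the HTTP response and summarises it in the kind of report the text describes (endpoints, timestamps, evidence hash). The `Segment` type, the sample packets and the endpoint addresses are all constructed for the example; a real tool would populate `Segment` from a pcap dissector.

```python
# Added example (not the author's framework): reorder, de-duplicate and
# reassemble one direction of a TCP session, then pull the transferred
# document out of the HTTP response and summarise it for a forensic report.
# All packets below are constructed inline; nothing is read from a real pcap.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """Fields a pcap dissector would hand us for one TCP segment with data."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # absolute TCP sequence number of payload[0]
    payload: bytes
    ts: float         # capture timestamp (seconds)


def reassemble_direction(segments: List[Segment]) -> Tuple[bytes, Dict]:
    """Rebuild the byte stream sent in one direction.

    Duplicates are dropped, partial overlaps trimmed, holes zero-filled and
    recorded as gaps, and retransmitted bytes that differ from what was
    already reassembled are counted as 'inconsistent' for manual review.
    """
    stats = {"duplicate": 0, "overlap": 0, "inconsistent": 0, "gaps": []}
    if not segments:
        return b"", stats
    ordered = sorted(segments, key=lambda s: (s.seq, s.ts))
    base = ordered[0].seq
    out = bytearray()
    expected = base          # next sequence number we have not yet stored
    for seg in ordered:
        end = seg.seq + len(seg.payload)
        if end <= expected:  # every byte already stored: retransmission/duplicate
            stats["duplicate"] += 1
            if bytes(out[seg.seq - base:end - base]) != seg.payload:
                stats["inconsistent"] += 1
            continue
        data = seg.payload
        if seg.seq < expected:   # partial overlap: keep only the unseen tail
            stats["overlap"] += 1
            cut = expected - seg.seq
            if bytes(out[seg.seq - base:expected - base]) != data[:cut]:
                stats["inconsistent"] += 1
            data = data[cut:]
        elif seg.seq > expected:  # hole in the capture: record it and pad
            stats["gaps"].append((expected, seg.seq))
            out.extend(b"\x00" * (seg.seq - expected))
        out.extend(data)
        expected = end
    return bytes(out), stats


def parse_http_response(stream: bytes) -> Optional[Tuple[str, Dict[str, str], bytes]]:
    """Split a reassembled server stream into status line, headers and body."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    length = int(headers.get("content-length", len(rest)))
    return lines[0].decode("latin-1"), headers, rest[:length]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_reports(packets: List[Segment]) -> List[Dict]:
    """Group segments into connections and produce one report per connection."""
    conns: Dict[frozenset, Dict[Tuple[str, int], List[Segment]]] = {}
    for p in packets:
        ends = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        conns.setdefault(ends, {}).setdefault((p.src, p.sport), []).append(p)
    reports = []
    for dirs in conns.values():
        # Assumption: the endpoint that speaks first is the client.
        client = min(dirs, key=lambda d: min(s.ts for s in dirs[d]))
        server = next((d for d in dirs if d != client), None)
        request, _ = reassemble_direction(dirs[client])
        response, stats = reassemble_direction(dirs[server]) if server else (b"", {})
        parsed = parse_http_response(response)
        body = parsed[2] if parsed else b""
        all_ts = [s.ts for d in dirs.values() for s in d]
        reports.append({
            "client": client, "server": server,
            "first_seen": min(all_ts), "last_seen": max(all_ts),
            "request_line": request.split(b"\r\n", 1)[0].decode("latin-1"),
            "status_line": parsed[0] if parsed else None,
            "evidence": body, "evidence_sha256": sha256_hex(body),
            "reassembly": stats,
        })
    return reports


# --- constructed sample session: a client fetching a small text file ---
CLIENT, SERVER = ("10.0.0.5", 40321), ("203.0.113.10", 80)
REQUEST = b"GET /report.txt HTTP/1.1\r\nHost: files.example.test\r\n\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: 27\r\n\r\nconfidential quarterly data")


def _srv(offset: int, length: int, ts: float) -> Segment:
    return Segment(*SERVER, *CLIENT, 5000 + offset, RESPONSE[offset:offset + length], ts)


SAMPLE_PACKETS = [
    Segment(*CLIENT, *SERVER, 1000, REQUEST, 0.10),
    _srv(20, 30, 0.22),                 # arrives before the first segment
    _srv(50, len(RESPONSE) - 50, 0.23),
    _srv(0, 20, 0.25),                  # delayed first segment
    _srv(20, 30, 0.40),                 # exact retransmission
    _srv(40, 20, 0.41),                 # spurious retransmission overlapping two segments
]

if __name__ == "__main__":
    for r in build_reports(SAMPLE_PACKETS):
        print(r["client"], "->", r["server"], r["request_line"], r["reassembly"])
        print("evidence sha256:", r["evidence_sha256"], r["evidence"])
```

The stats dictionary is what makes the output defensible: an examiner can state that the recovered document came from a stream with one exact retransmission, two overlaps and no gaps, and that no retransmitted bytes contradicted the original. A gap would be padded with zero bytes and listed by sequence range rather than quietly closed up, and any `inconsistent` count above zero means the stream should be examined by hand before the evidence is relied on.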

Future Research Plan

Internet of Things

The internet is a living entity, always changing and evolving. New applications and businesses are created continuously. Broadband connectivity is becoming cheap and ubiquitous; devices are becoming more powerful and smaller, with a variety of on-board sensors. The proliferation of connected devices is leading to a new paradigm: the Internet of Things (IoT). This is a hot research area with wide scope for implementation in corporate fields, educational institutions, banking, healthcare, e-governance etc. There are challenges associated with the Internet of Things, most explicitly in the areas of trust and security, standardization and governance, which must be addressed to ensure a fair and trustworthy open Internet of Things that provides value to all of society. Individually and collectively, these devices connected as things over the internet produce and consume large amounts of personally sensitive data, so there are many potential opportunities for an intruder to steal this sensitive personal data as it passes over wired or wireless networks. Since this is an emerging area, much research is under way to meet the security challenges of IoT. Network administrators and forensic investigators will also need a forensic framework to conduct investigations in IoT environments once malicious user activity is reported. My future research work in IoT forensics is not to develop a security tool; rather, I will develop a digital forensic framework for examining data on devices in the Internet of Things to trace malevolent users and intruders and their communications for criminal investigation and prosecution by a court of law.