Network Forensic Process Model and Framework: An Alternative Scenario

Prabhjot Kaur, Anchit Bijalwan, R.C. Joshi and Amit Awasthi

Abstract Network forensics provides a way to trail cyber criminals through the analysis and trace-back of collected network evidence. The prerequisite is the deployment of network traffic collection tools such as Iris, NetIntercept, NetWitness, Solera DS5150 or Xplico. Network forensic analysis involves examining network traffic to detect intrusions and to establish how the crime took place, i.e., setting up the crime scene for investigation and replay. In this paper we propose a process model and compare it with existing network forensic process models and frameworks. Along with highlighting the research challenges at the various stages, we give a high-level description of a standard process model and framework.

Keywords: Framework; Network forensics; Process model

1 Introduction

The Internet is the medium through which cyber-attacks are distributed, yet it is indispensable to almost every sector of a country's economy: banking, education, transportation (railways, airways, buses and taxis), healthcare, business and many more. With the growth of the Internet comes the need to protect the data that flows over it.

P. Kaur, A. Bijalwan
Department of Computer Science & Engineering, Uttaranchal University, Dehradun, India
e-mail: [email protected]
A. Bijalwan
e-mail: [email protected]
R.C. Joshi
Graphic Era University, Dehradun, India
e-mail: [email protected]
A. Awasthi (corresponding author)
University of Petroleum and Energy Studies, Dehradun, India
e-mail: [email protected]

© Springer Nature Singapore Pte Ltd. 2018
R. Singh et al. (eds.), Intelligent Communication, Control and Devices,
Advances in Intelligent Systems and Computing 624,
https://doi.org/10.1007/978-981-10-5903-2_50

Traditional protection techniques such as firewalls and antivirus software are not sufficient on their own, so enhanced security measures are required. Protecting the system alone is not enough; in the event of cybercrime it is also necessary to trace back to the criminals. Network forensics provides a mechanism to track the criminals and to trace malicious traffic, and its analysis thus supports the investigation process.
Consider the 2012 attack on LinkedIn, in which the hashed passwords of nearly 6.5 million user accounts were stolen, and the 2016 leak of more than 100 million hashed passwords and e-mail addresses originating from the same breach, attributed to Russian cyber criminals. In 2014, the compromise of individual Apple iCloud accounts led to the theft of around 500 private pictures of celebrities.
Various scenarios and frameworks have been developed to prevent attacks and to identify the origin of an attack when one occurs. In spite of the many sound frameworks and techniques that exist for network forensics, there is a need for continuous development in this area and for overcoming the challenges in existing models. This paper reviews existing process models and frameworks and presents a high-level description of the design of a process model and framework. The research challenges at the various stages of framework implementation are also highlighted. The rest of this paper is organized as follows: related work in Sect. 2, the proposed standard process model and suggested framework in Sect. 3, the research challenges at the different stages of implementation in Sect. 4, and concluding remarks in Sect. 5.

2 Related Work

The existing process models are based on the steps involved in the digital forensic investigation process. Pilli et al. designed a generic network forensic process model by extracting the key features of existing digital forensic process models and incorporating them into their proposed model [1]. The incident response phase provided by Mandia and Prosise is included in their model, with a two-way link between the detection and presentation phases [2]. Their model involves the following phases in order: preparation [3], detection (a newly introduced phase), incident response [2], collection, preservation, examination, analysis, investigation [4, 5], and presentation [6]. Kohn et al. defined a generic digital forensic process model that supports the investigation process through standardized steps [7]. Liu et al. employed a logic-based network forensic process model, implemented in Prolog, to analyze the collected evidence and discard unrelated data [8]; the technique can be used to reconstruct the attack scenario, and the result can be presented as proof in a court of law. Lutui focused on design science, involving an extensive study of a multidisciplinary digital forensic investigation process model, placing more emphasis on the efficacy and coherence of the design phase [9].
Numerous frameworks have also been proposed. ForNet (forensic network), given by Shanmugasundaram et al., is a distributed system-based framework that can identify extreme network events [10]. Another category is the soft computing-based framework built on an incremental fuzzy decision tree [11]. Bijalwan and Pilli studied the psychology of criminals who breach network security, together with the framework and requirements associated with network forensics [12].

3 Process Model and Framework

3.1 Proposed Network Forensic Standard Process Model

Ren and Jin [6] proposed a standard network forensic process model, and Pilli et al. [1] later proposed a generic process model for network forensics that introduces a detection phase, in which a fast evaluation is made to check the alleged occurrence of a crime. The process model proposed here first authorizes the investigator to perform the investigation. The evidence must be preserved while the initial assessment is made. At that point there is an option to abort the investigation if certain prerequisites are not fulfilled, such as pre-installed sensors and network traffic collection tools (NetIntercept, Xplico, etc.). If the investigation is to be carried further, a strategy is planned for reducing the collected network traffic and documenting it. Analysis is then performed, and a review is made to check for further improvement. The proposed standard network forensic process model is shown in Fig. 1. A brief description of the work performed at each phase follows.
Authorization: This phase involves obtaining legal permission from the relevant authority to initiate the investigation process, as shown in Fig. 1. Ó Ciardhuáin proposed the authorization phase to obtain consent from internal and external organizations [13].
Preservation: The preservation phase involves preventing the tampering of network evidence [1]. For example, if a mobile device is involved in the crime, it must be isolated from the network (by switching it off or placing it in a signal-blocking container) so that its call and network logs cannot be altered or wiped remotely. This is the second phase shown in Fig. 1.
Initial Assessment: At this stage, an initial judgment is made on whether to continue or abort the investigation. If no tools for network traffic collection were installed in advance, the investigation is terminated [4]. This phase has two outward links, only one of which is taken, as displayed in Fig. 1.
Strategy Planning: This phase consists of writing down the strategy for carrying out the rest of the investigation: team members, duration of the investigation, cost involved, and software to be used. The design strategy is constructed using the design science approach given by Lutui [9], with emphasis on efficacy and coherence.
Evidence Collection: Evidence is collected at this stage, by either automatic or manual network traffic collection. The huge volume of data collected from the network can then be reduced by eliminating superfluous data [14].
Documentation: Documentation is the process of recording all relevant information gathered during the investigation process [4].

Fig. 1 Standard network forensic process model

Analysis: The analysis phase determines attack patterns by employing various machine learning techniques, as well as logic-based techniques such as the Prolog analysis given by Liu et al. [8].
Investigation: Further investigation is done to reconstruct the attack scenario and replay it at the investigator's end [15].
Decision and Reporting: A decision is made at this stage about the type of attack, and the relevant authorities are informed so that they can take appropriate action.
Review: A review is carried out to check for further improvement. If any improvement is required, the strategy is rescheduled, taking the new parameters into account.

3.2 Proposed Network Forensic Framework

This section explains how the phases of the standard network forensic process model are combined with the phases of the proposed network forensic framework. In the framework (Fig. 2), network traffic is collected automatically and reduced to some extent by eliminating superfluous data; useful features are then extracted and passed to the next phase. The derived features are analyzed to obtain a pattern, which is matched against the patterns stored in the knowledge base. If a match is found, an initial quick response is issued, warning the attacker to abort the attack. If no match is found, analysis continues in order to derive new patterns. The reconstruction phase involves designing the attack scenario, which the investigator then replays in the next phase.
Network Traffic Collector: A vast amount of traffic flows in from the Internet. Network traffic can be collected in one of three ways: (1) automatic network traffic collection [16]; (2) collection at varying intervals, triggered by changes in traffic frequency; and (3) manual network traffic collection (Casey [4]). This phase begins with obtaining permission from the relevant authority to perform forensics on the intruded network. Once authorization has been obtained, the network traffic is collected, and the preservation phase keeps the data unaltered while the crime scenario is examined. The three phases of the process model that act at the network traffic collector phase are shown in Fig. 3. Nagesh proposed automatic network data collection using distributed mobile agents [16]. An initial assessment is then made to check the feasibility of the investigation; if it is judged infeasible, the investigation process is aborted.

Fig. 2 Standard network forensic framework

Fig. 3 Three phases of process model acting at network traffic collector phase of framework
Reduction and Feature Extraction: An enormous amount of data is available on the network, and storing every bit of network traffic would require huge amounts of secondary storage. This phase involves strategy planning to define the steps by which the data is reduced, eliminating extraneous attributes. Similar data can be represented using encoding techniques; for example, all HTTP packets can be run-length encoded, so that 100 HTTP packets are represented as "100 http". After reducing the data wherever possible, the important features are extracted using machine learning techniques. Relevant points are documented, such as which features to extract, who is responsible for this, and which algorithms to employ; the reduction criteria themselves should be recorded as well, because traffic discarded at this stage cannot be recovered later. Chen et al. used a scalable network forensics method that removed 97% of attack-irrelevant traffic, reducing overhead and improving accuracy for stealthy self-propagating attacks [17]. The strategy planning phase of the standard network forensic process model acts at the reduction and feature extraction phase of the network forensic framework, as shown in Fig. 4.
Fig. 4 Three phases of process model acting at reduction and feature extraction phase of framework

Fig. 5 Analysis phase of process model acting at analysis and pattern matching phase of framework

Analysis and Pattern Matching: In the analysis and pattern matching phase, the reduced network traffic is examined further to determine the attack pattern [1, 3, 4, 6, 9, 13, 17, 18]. Dependency graphs can be used to show the order in which events occurred. The attack patterns obtained are then matched against any existing patterns stored in the database. If the current attack pattern matches a pattern already held in the knowledge base, the investigator can move straight to the next phase, which saves time and speeds up the examination; the match should still be verified against the underlying evidence before the investigator relies on it. If a new attack pattern is obtained during the analysis phase, it is stored in the knowledge base for future reference, and analysis continues in order to obtain additional attack patterns. The analysis phase of the process model (Fig. 1) acts at the analysis phase of the framework (Fig. 2); the combination is shown in Fig. 5.
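The reduction, feature extraction and knowledge-base matching described in the two preceding phases, as an added worked example written for this page (it is not code from the paper or its authors). The capture format, the thresholds that bucket features into a signature, and the initial contents of the knowledge base are all assumptions, and the capture is constructed inline. The example goes slightly beyond the text in that it also shows an unmatched pattern being stored so that a later run recognizes it.

```python
"""Added example (not from the paper): reduce a packet-level capture to runs,
extract per-source features, and match the derived pattern against a small
knowledge base, storing any new pattern for later reference."""
from typing import Dict, List, Tuple

KEEP = ("src", "dst", "proto", "dport", "flags")   # attributes kept after reduction


def build_sample_capture() -> str:
    """Constructed capture: one line per packet, as a collector might export it.
    Fields: time src dst proto dport flags length."""
    lines = []
    # a scanner sending one SYN to each of 12 ports on one host
    for i, port in enumerate(range(20, 32)):
        lines.append(f"{i * 0.01:.2f} 10.0.0.5 10.0.0.9 tcp {port} S 60")
    # a legitimate web client: 100 identical-looking packets to port 80
    for i in range(100):
        lines.append(f"{1 + i * 0.01:.2f} 10.0.0.7 10.0.0.9 tcp 80 A 1500")
    return "\n".join(lines)


def parse_records(text: str) -> List[Dict]:
    records = []
    for line in text.splitlines():
        t, src, dst, proto, dport, flags, length = line.split()
        records.append({"time": float(t), "src": src, "dst": dst, "proto": proto,
                        "dport": int(dport), "flags": flags, "length": int(length)})
    return records


def reduce_records(records, keep=KEEP):
    """Drop attributes outside `keep` and run-length encode consecutive identical
    packets: 100 equal http packets become one run with count 100."""
    runs = []
    for r in records:
        key = tuple(r[k] for k in keep)
        if runs and runs[-1][0] == key:
            runs[-1][1] += 1
        else:
            runs.append([key, 1])
    return [(key, n) for key, n in runs]


def extract_features(runs):
    """Per-source features computed from the reduced runs, not the raw packets."""
    feats = {}
    for (src, dst, proto, dport, flags), n in runs:
        f = feats.setdefault(src, {"packets": 0, "dports": set(), "dsts": set(), "syn": 0})
        f["packets"] += n
        f["dports"].add(dport)
        f["dsts"].add(dst)
        if flags == "S":          # bare SYN: a probe or a half-open connection
            f["syn"] += n
    return feats


def signature(f) -> Tuple[str, str, str]:
    """Coarse pattern derived from the features; thresholds are assumptions."""
    return (
        "many_ports" if len(f["dports"]) >= 10 else "few_ports",
        "many_hosts" if len(f["dsts"]) >= 10 else "few_hosts",
        "syn_only" if f["syn"] / f["packets"] > 0.9 else "established",
    )


# Knowledge base of previously seen patterns (contents assumed for the example).
KNOWLEDGE_BASE = {
    "port_scan": ("many_ports", "few_hosts", "syn_only"),
    "host_sweep": ("few_ports", "many_hosts", "syn_only"),
}


def analyse(capture_text: str, knowledge_base: dict):
    """Return (raw packet count, run count, {src: matched pattern name}).
    Unknown patterns are added to `knowledge_base` for the next investigation."""
    records = parse_records(capture_text)
    runs = reduce_records(records)
    verdicts = {}
    for src, f in extract_features(runs).items():
        sig = signature(f)
        name = next((k for k, v in knowledge_base.items() if v == sig), None)
        if name is None:
            name = f"unknown-{len(knowledge_base) + 1}"
            knowledge_base[name] = sig
        verdicts[src] = name
    return len(records), len(runs), verdicts


if __name__ == "__main__":
    kb = dict(KNOWLEDGE_BASE)
    print(analyse(build_sample_capture(), kb))
```

On the constructed capture the 112 packets reduce to 13 runs (the 100 web packets collapse into one), the scanner's signature matches the stored port_scan pattern, and the web client's signature, which is not in the knowledge base, is stored under a generated name and recognized on the next run. Note that the features are computed from the reduced runs, so anything dropped by `reduce_records` is invisible to matching; that is why the reduction criteria belong in the documentation.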
Reconstruction: The pattern obtained from the analysis phase is reconstructed to generate the sequence of events [4]. The patterns are scrutinized according to the flow of the packet stream, and the TCP connections are examined to establish which packets flowed in and out, and through which ports. The investigation phase of the process model acts at the reconstruction phase of the framework to obtain the attack patterns, as shown in Fig. 6.
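TCP connection reconstruction as an added example written for this page (not the paper's own tooling). The packet records are a constructed scenario, the minimal state machine covers only the handshake, data, FIN and RST transitions, and `dependent_connections` is an assumed, simple rule for the ordering the paragraph describes: a connection opened by a host while an inbound session to that host was still active.

```python
"""Added example (not from the paper): rebuild TCP connections from packet
records, track each connection's state and per-direction byte counts, and
derive the order in which connections depend on one another."""
from dataclasses import dataclass, field
from typing import List, Tuple

Endpoint = Tuple[str, int]

# Constructed packet records: (time, src, sport, dst, dport, tcp_flags, payload_bytes).
# The scenario is made up for the example: an inbound session to port 22 on 10.0.0.9,
# during which 10.0.0.9 opens an outbound connection, followed by a refused probe of port 23.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", 40001, "10.0.0.9", 22, "S", 0),
    (0.01, "10.0.0.9", 22, "10.0.0.5", 40001, "SA", 0),
    (0.02, "10.0.0.5", 40001, "10.0.0.9", 22, "A", 0),
    (0.10, "10.0.0.5", 40001, "10.0.0.9", 22, "PA", 48),
    (0.12, "10.0.0.9", 22, "10.0.0.5", 40001, "PA", 512),
    (0.50, "10.0.0.9", 51000, "203.0.113.7", 4444, "S", 0),
    (0.51, "203.0.113.7", 4444, "10.0.0.9", 51000, "SA", 0),
    (0.52, "10.0.0.9", 51000, "203.0.113.7", 4444, "A", 0),
    (0.60, "10.0.0.9", 51000, "203.0.113.7", 4444, "PA", 2048),
    (0.90, "10.0.0.5", 40001, "10.0.0.9", 22, "FA", 0),
    (0.91, "10.0.0.9", 22, "10.0.0.5", 40001, "FA", 0),
    (0.92, "10.0.0.5", 40001, "10.0.0.9", 22, "A", 0),
    (1.00, "10.0.0.5", 40002, "10.0.0.9", 23, "S", 0),
    (1.01, "10.0.0.9", 23, "10.0.0.5", 40002, "RA", 0),
]


@dataclass
class Connection:
    initiator: Endpoint          # side that sent the first packet
    responder: Endpoint
    start: float
    end: float
    state: str = "NEW"
    bytes_to_responder: int = 0  # inflow, seen from the responder
    bytes_to_initiator: int = 0  # outflow, seen from the responder
    events: List[Tuple[float, str]] = field(default_factory=list)

    @property
    def key(self):
        return tuple(sorted([self.initiator, self.responder]))


def _next_state(state: str, direction: str, flags: str) -> str:
    """Minimal TCP state machine; direction is 'out' for initiator -> responder."""
    if "R" in flags:
        return "RESET"
    if "S" in flags and "A" not in flags and direction == "out" and state == "NEW":
        return "SYN_SENT"
    if "S" in flags and "A" in flags and direction == "in" and state == "SYN_SENT":
        return "SYN_RECEIVED"
    if "A" in flags and "F" not in flags and direction == "out" and state == "SYN_RECEIVED":
        return "ESTABLISHED"
    if "F" in flags and state == "ESTABLISHED":
        return "FIN_WAIT"
    if "F" in flags and state == "FIN_WAIT":
        return "CLOSED"
    return state


def reconstruct_connections(packets) -> List[Connection]:
    """Group packets by endpoint pair and replay them through the state machine."""
    conns = {}
    for t, src, sport, dst, dport, flags, payload in sorted(packets):
        a, b = (src, sport), (dst, dport)
        key = tuple(sorted([a, b]))
        conn = conns.get(key)
        if conn is None:
            conn = conns[key] = Connection(initiator=a, responder=b, start=t, end=t)
        direction = "out" if a == conn.initiator else "in"
        if direction == "out":
            conn.bytes_to_responder += payload
        else:
            conn.bytes_to_initiator += payload
        new_state = _next_state(conn.state, direction, flags)
        if new_state != conn.state:
            conn.events.append((t, new_state))
            conn.state = new_state
        conn.end = t
    return list(conns.values())


def find_connection(conns, responder_ip: str, responder_port: int) -> Connection:
    return next(c for c in conns if c.responder == (responder_ip, responder_port))


def timeline(conns) -> List[Tuple[float, str]]:
    """Every state change across all connections, in order of occurrence."""
    out = []
    for c in conns:
        for t, state in c.events:
            out.append((t, f"{c.initiator[0]}:{c.initiator[1]} -> {c.responder[0]}:{c.responder[1]} {state}"))
    return sorted(out)


def dependent_connections(conns) -> List[Tuple[tuple, tuple]]:
    """Edges (a, b): the responder host of a opened b while a was still open.
    This is the assumed ordering rule for the dependency graph."""
    edges = []
    for a in conns:
        for b in conns:
            if a is not b and b.initiator[0] == a.responder[0] and a.start <= b.start <= a.end:
                edges.append((a.key, b.key))
    return edges


if __name__ == "__main__":
    cs = reconstruct_connections(SAMPLE_PACKETS)
    for t, text in timeline(cs):
        print(f"{t:5.2f} {text}")
    for c in cs:
        print(c.initiator, "->", c.responder, c.state, c.bytes_to_responder, c.bytes_to_initiator)
    print("dependencies:", dependent_connections(cs))
```

Running the block lists the ten state changes in time order, reports the port 22 session as closed normally with 48 bytes in and 512 bytes out, the outbound connection to port 4444 as established with 2048 bytes sent, and the port 23 probe as reset, and records a single dependency edge from the inbound session to the outbound connection. A real capture also needs sequence-number handling and retransmission detection, which the minimal state machine above deliberately omits.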

Fig. 6 Investigation phase of process model acting at reconstruction phase of framework

Fig. 7 Two phases of process model acting at replay phase of framework

Replay: In this phase, the pattern created in the previous phase is replayed in order to reproduce the crime scenario. The attack scenario is replayed at the investigator's end, using simulators, without harming the actual network. The outcome of the simulation is compared with the actual attack scene and a report is produced. Based on the report, a decision is made on whether to include more parameters; after an exhaustive review of the replay process, control returns to the strategy planning phase if further improvements are required, as shown in Fig. 7.

4 Challenges

The authorization phase may face the challenge of obtaining permission from external bodies located overseas, which may refuse on the basis of their own country's legal perspective. A further challenge arises in the analysis of enormous volumes of network traffic; this paper therefore suggests reducing the traffic by eliminating irrelevant traffic according to defined criteria. Before the preservation phase is actually initiated, the intruder may erase the traces of the attack on which the investigation would be based. While collecting evidence, it is necessary to reduce the network traffic data using substantial data reduction techniques so that only relevant data remains. When analyzing a large volume of data, it is sometimes difficult to understand the methodology and intention of the attacker. If the evidence collected cannot be presented in a court of law, the investigation is not considered fruitful; Liu et al. proposed techniques by which network evidence can be shown in a court of law whenever required [8].

5 Conclusion

Although much research has been done on network forensic process models and frameworks, the field still seems young, and many of the challenges faced at the various stages are under continuous improvement. The proposed model and framework have been constructed by taking the best features of existing models and frameworks. This work aims to eliminate, to a fair extent, the challenges faced at the various stages of the process model. Future work aims at the practical implementation of the proposed standard network forensic process model and standard network forensic framework design.

References

1. Pilli, E.S., Joshi, R.C., Niyogi, R.: Network forensic frameworks: survey and research challenges. Digital Investigation 7, 14–27 (2010).
2. Mandia, K., Prosise, C.: Incident Response and Computer Forensics. Osborne McGraw-Hill, New York (2003).
3. Reith, M., Carr, C., Gunsch, G.: An examination of digital forensic models. International Journal of Digital Evidence 1(3) (2002).
4. Casey, E.: Network traffic as a source of evidence: tool strengths, weaknesses, and future needs. Digital Investigation 1, 28–43 (2004).
5. Palmer, G.L.: Forensic analysis in the digital world. International Journal of Digital Evidence 1(1), 1–6 (2002).
6. Ren, W., Jin, H.: Distributed agent-based real time network intrusion forensics system architecture design. In: Proceedings of the International Conference on Advanced Information Networking and Applications (AINA), pp. 177–182. IEEE Press, New York (2005).
7. Kohn, M.D., Eloff, M.M., Eloff, J.H.P.: Integrated digital forensic process model. Computers & Security 38, 103–115 (2013).
8. Liu, C., Singhal, A., Wijesekera, D.: A logic-based network forensic model for evidence analysis. IFIP Advances in Information and Communication Technology 462, 129–145 (2015).
9. Lutui, R.: A multidisciplinary digital forensic investigation process model. Business Horizons 59, 593–604 (2016).
10. Shanmugasundaram, K., Memon, N., Savant, A., Brönnimann, H.: ForNet: a distributed forensics network. In: Computer Network Security (MMM-ACNS 2003), LNCS 2776, pp. 1–16. Springer (2003).
11. Liu, Z., Feng, D.: Incremental fuzzy decision tree-based network forensic system. In: Computational Intelligence and Security (CIS 2005), LNCS 3802, pp. 995–1002. Springer (2005).
12. Bijalwan, A., Pilli, E.S.: Crime psychology using network forensics. Journal of Computer Engineering & Information Technology 3 (2014). doi:10.4172/2324-9307.1000120
13. Ó Ciardhuáin, S.: An extended model of cybercrime investigations. International Journal of Digital Evidence 3(2), 1–22 (2004).
14. Tang, Y., Daniels, T.E.: A simple framework for distributed forensics. In: Proceedings of the 25th IEEE International Conference on Distributed Computing Systems Workshops (2005).
15. Selamat, S.R., Yusof, R., Sahib, S.: Mapping process of digital forensic investigation framework. International Journal of Computer Science and Network Security 8, 163–169 (2008).
16. Nagesh, A.: Distributed network forensics using JADE mobile agent framework. Master's thesis, Arizona State University (2007).
17. Chen, L.M., Chen, M.C., Liao, W., Sun, Y.S.: A scalable network forensics mechanism for stealthy self-propagating attacks. Computer Communications 36, 1471–1484 (2013).
18. Ndatinya, V., Xiao, Z., Manepalli, V.R., Meng, K., Xiao, Y.: Network forensic analysis using Wireshark. International Journal of Sensor Networks 10, 91–106 (2015).
