Network Forensics


The advent of the internet has led to an increase in cyber crime across networks, which has necessitated the creation of countermeasures to address the problem. Network forensics is the latest technological innovation serving as a preventive mechanism against network violations, and it employs diverse applications in ensuring network safety. The fundamental concept of network forensics is mathematical, with the probability of success dependent on various calculations; these calculations must be precise for the system to be effective. A review of various tools, namely eMailTrackerPro, SmartWhois, Web Historian, Index.dat Analyzer, Total Recall, packet sniffers and the Ethereal tool, and of how they are used in network forensics, will be conducted. Additionally, forensic network techniques, namely input debugging, controlled flooding, ICMP traceback, the packet marking technique, the Source Path Isolation Engine architecture and the honeynet, will be discussed. Lastly, there will be a comparative section on these tools and techniques.


Network Forensics


Forensics is an English term derived from the Latin forensis, whose root meaning is a public discussion. By extension, the expression refers to court proceedings, where a forum is held to deliberate on criminal occurrences. Fischer, Fischer and Kolowski offer a concise definition of forensics “as the scientific investigation into matters pertaining to law in the course of a crime,” (1). Forensics as a profession is extensive in nature, involving the joint investigation of various professions geared towards exposing criminal intent or the causative agents in a given investigation. Career lines involved in the field of forensics include engineers, physicians, legal representatives, dentists, genetic specialists, computer programmers, medical aides and botanists. Each professional plays a significant role in all or part of the gathering, analysis and reporting phases of an investigation. Civil cases may also employ the science of forensics.


In the current study, research is done through a comparison of secondary and preliminary research findings from previous research projects. Subsequent tabulations are used to point out the similarities and differences encountered. Essential definitions regarding communication lines and mathematical views of network forensics encountered in the course of the secondary research are also discussed.


What is Network Forensics?

As the name suggests, and following from the introductory part of our discussion, network forensics is simply the analysis of criminal activities performed on a network such as a local area network or a wide area network. Vacca asserts that network forensics entails the “science of discovering and retrieving evidential information in a networked environment about a crime in such a way as to make it admissible in court,” (340). This branch of forensics was developed at the advent of the internet age, as the world experienced a colossal surge in the number of web users. A more than proportionate increase was noted in the level of cyber crime, necessitating a superior investigation technique to deal adequately with the situation. Specialists in network forensics employ “traceback and attribution…during and after cyber violations and attacks, to identify where an attack originated from, how it propagated, and what computer(s) and person(s) are responsible and should be held accountable,” (Vacca 339).

Networks relay a message along a path that commences with the sending user and concludes with the end user for whom the message is intended. Because the relay process is repeated at each hop, network forensic specialists are able to trace a message back through the successive relay devices. Once a traceback is successfully performed, the attribution process is employed in the digital or physical detection (or both) of the source of the offense. Note that the information acquired from these detection points must be accurate and concise enough to be used in a courtroom to convince a jury of the illegal acts committed by the individual in question.

Network Forensics from a Mathematical View

The evidence graph model is commonly used in network forensics and is viewed as “a quadruple G = (N, E, LN, LE), where N is the number of nodes, E is the set of edges, LN is the set of labels for attributes of nodes and LE is the set of labels for attributes of edges,” (Wang and Daniels 100). Diffusion and graph spectral mathematical techniques are applied to this model for evidence analysis in a four-phase process. The initial phase, evidence pre-processing, involves the collection and assembly of proof data acquired from various information sources; numerical abstraction and aggregation are conducted to reduce the level of redundancy in the data. Upon completion of the initial phase, the model generation stage sets in, where the actual creation of the evidence graph takes place. Graphical elements are defined at this level and the computation is enabled by the proof amassed within the first phase. The subsequent stage is referred to as model analysis, which accounts for the critical analysis level: relevant graphical methods are employed to “extract information such as cluster importance and flow of suspicion from the evidence graph structure,” (Wang and Daniels 101). Lastly, scenario interpretation occurs, where the products of the analysis are used to reach the investigation's conclusion, which is then used in the court proceedings.
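As an added illustration of the four-phase process above (example code written for this page, not code from Wang and Daniels), the following Python builds an evidence graph quadruple from a handful of constructed alert records, aggregates duplicates, labels nodes and edges, and diffuses a suspicion score over the graph with a simple power iteration. The alert records, the host addresses and the scoring rule are all assumptions made for the demonstration; the paper's own diffusion and spectral methods are more elaborate than this.

```python
from collections import defaultdict

# Constructed sample alerts for the pre-processing phase: (source host, target host, alert type).
# Addresses are private-range placeholders, not real hosts.
ALERTS = [
    ("10.0.0.5", "10.0.0.9", "scan"),
    ("10.0.0.5", "10.0.0.9", "scan"),      # duplicate report; aggregated away in phase 1
    ("10.0.0.5", "10.0.0.7", "scan"),
    ("10.0.0.7", "10.0.0.9", "exploit"),
    ("10.0.0.9", "10.0.0.11", "lateral"),
]

def preprocess(alerts):
    """Phase 1: aggregate duplicate alerts into a count per (src, dst, type)."""
    counts = defaultdict(int)
    for src, dst, kind in alerts:
        counts[(src, dst, kind)] += 1
    return dict(counts)

def build_graph(counts):
    """Phase 2: produce the quadruple G = (N, E, LN, LE)."""
    N, E, LN, LE = set(), set(), {}, {}
    for (src, dst, kind), c in counts.items():
        N.update((src, dst))
        E.add((src, dst))
        LE[(src, dst)] = {"type": kind, "count": c}
    for node in N:
        has_out = any(u == node for u, _ in E)
        has_in = any(v == node for _, v in E)
        if has_out and not has_in:
            LN[node] = "attacker"
        elif has_in and not has_out:
            LN[node] = "victim"
        else:
            LN[node] = "stepping-stone"
    return N, E, LN, LE

def suspicion_scores(graph, alpha=0.15, iters=50):
    """Phase 3: diffuse suspicion along edges, weighted by alert count (PageRank-style
    power iteration; an assumed stand-in for the paper's diffusion analysis)."""
    N, E, LN, LE = graph
    nodes = sorted(N)
    n = len(nodes)
    out_w = defaultdict(float)
    for u, v in E:
        out_w[u] += LE[(u, v)]["count"]
    score = {x: 1.0 / n for x in nodes}
    for _ in range(iters):
        new = {x: alpha / n for x in nodes}
        # nodes with no outgoing edges spread their mass uniformly so the total stays 1
        dangling = sum(score[x] for x in nodes if out_w[x] == 0)
        for x in nodes:
            new[x] += (1 - alpha) * dangling / n
        for u, v in E:
            new[v] += (1 - alpha) * score[u] * LE[(u, v)]["count"] / out_w[u]
        score = new
    return score

def interpret(graph, scores):
    """Phase 4: rank hosts by suspicion, pairing each with its structural role label."""
    _, _, LN, _ = graph
    ranked = sorted(scores.items(), key=lambda kv: -kv[1])
    return [(host, LN[host], round(s, 4)) for host, s in ranked]

def run_pipeline(alerts=ALERTS):
    graph = build_graph(preprocess(alerts))
    return graph, interpret(graph, suspicion_scores(graph))

if __name__ == "__main__":
    graph, ranking = run_pipeline()
    N, E, LN, LE = graph
    print("nodes:", len(N), "edges:", len(E))
    for host, role, s in ranking:
        print(f"{host:10s} {role:14s} {s}")
```

The role labels come purely from graph structure (a node with only outgoing alert edges is labelled as the likely attacker), which is the kind of information the model analysis phase is meant to extract before an analyst interprets it.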

Techniques and Tools for Network Forensics

Various techniques and tools are employed in network forensics in the combat against cyber crimes.

Tools Used in Network Forensics

Electronic mail (email) is one of the most widespread communication channels on networks. Email usage is common among computer users as it offers an enhanced form of information privacy, accuracy, non-repudiation and reliability. With the advent of the internet, as more consumers took up the email service, cyber crime in the form of spam emails was noted. Spam emails may involve the seizure of an electronic mail by a criminal, in which the message's privacy is compromised by the reading of its contents. Network forensic specialists therefore ensure that the source and original data are identified, along with the exact time of message creation, the interval in which the message was sent and whether it was received by the intended recipient. The eMailTrackerPro tool is employed to scrutinize “the header of an email to detect the IP address of the machine that sent the message so that the sender can be tracked down,” (Meghanathan, Allam and Moore 15).

The email header identifies both the sender and the intended recipient of a given message, in the From and Received sections respectively. The latter section records the routes, times and dates taken by the data before final delivery. To perform a trace on a given message, the forensic analyst enters the header information into eMailTrackerPro, which then traces the route on a Graphical User Interface (GUI). Alternatively, when the physical address cannot be established, the tool will offer information on the Internet Service Provider (ISP) from which the message was sent. For higher efficiency, eMailTrackerPro is used with a complementary tool, SmartWhois, in the identification of Internet Protocol addresses, domain names, ISPs and nation of origin. Web browsers act as another source of information for forensic experts in cyber crime control. During browsing activity, browsers store the addresses of the sites visited by a particular individual. Internet Explorer records this information in index.dat, while other browsers such as Mozilla document the same in history.dat (Meghanathan et al. 16). The Web Historian tool is used to acquire the relevant information needed for criminal investigations into a certain web user.
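The Received-section trace described above can be reproduced with a few lines of code. The Python below is an added example written for this page (it is not eMailTrackerPro or any code from Meghanathan et al.): it parses the Received headers of a constructed message, lists the relay hops in transit order, extracts the originating IP address that a whois lookup would then be run against, and marks where trust in the header chain ends. Every host name and address in the sample message is made up, and the victim's own mail server name is an assumption.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: hosts and addresses are invented (documentation-range IPs).
# Each relay prepends its own Received line, so the top line is the final hop.
RAW_MESSAGE = """\
Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.10])
\tby mail.victim.example (Postfix) with ESMTP id ABC123
\tfor <user@victim.example>; Mon, 02 Mar 2009 10:15:32 +0000
Received: from relay.example-isp.net (relay.example-isp.net [203.0.113.5])
\tby mx.example-isp.net with ESMTP; Mon, 02 Mar 2009 10:15:20 +0000
Received: from unknown (HELO homepc) ([198.51.100.23])
\tby relay.example-isp.net with SMTP; Mon, 02 Mar 2009 10:14:58 +0000
From: "Sender" <sender@example-isp.net>
To: user@victim.example
Subject: sample
Date: Mon, 02 Mar 2009 10:14:50 +0000

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def parse_hops(raw):
    """Return relay hops in transit order (origin first): the 'from' host and its IP,
    the 'by' server that wrote the line, and the timestamp after the final ';'."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())            # unfold continuation lines
        clause, _, stamp = value.rpartition(";")
        ip = IP_RE.search(clause)
        hops.append({
            "from": FROM_RE.match(clause).group(1),
            "from_ip": ip.group(1) if ip else None,
            "by": BY_RE.search(clause).group(1),
            "time": parsedate_to_datetime(stamp.strip()),
        })
    return hops

def origin_ip(raw):
    """The IP recorded in the earliest Received line is the submitting host."""
    return parse_hops(raw)[0]["from_ip"]

def transit_seconds(raw):
    """Interval between first relay and final delivery, as recorded by the relays."""
    hops = parse_hops(raw)
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())

def trust_boundary(raw, own_servers):
    """Only Received lines written by servers you control are trustworthy; anything
    earlier could have been inserted by the sender. Returns the earliest trusted hop."""
    for hop in parse_hops(raw):
        if hop["by"] in own_servers:
            return hop
    return None

if __name__ == "__main__":
    for hop in parse_hops(RAW_MESSAGE):
        print(f"{hop['from']:22s} {hop['from_ip'] or '-':16s} -> {hop['by']:22s} {hop['time']}")
    print("origin IP:", origin_ip(RAW_MESSAGE), "transit:", transit_seconds(RAW_MESSAGE), "s")
    print("first trusted hop:", trust_boundary(RAW_MESSAGE, {"mail.victim.example"}))
```

The `trust_boundary` check is the caveat an analyst applies before handing an address to a whois tool: the earliest Received line names the submitting host only if the intermediate relays are honest, so the address recorded by the investigator's own server is the one that can be relied on without corroboration.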

The tool allows forensic experts to monitor the browsing patterns of an individual in terms of the number of visits to a particular site, the time spent on the site during the different visits, the materials accessed and updated within the same site, and the cookies related to a given visit. Forensic investigators are therefore able to gain considerable knowledge about the individual under investigation from such an analysis. For in-depth investigation of network cookies, the Index.dat Analyzer tool can be used. The Total Recall tool is also valuable to forensic analysts working with web browser information, as it aids investigators in computing the number of times a particular site has been accessed by a given individual (Meghanathan et al. 16). Packet sniffers are another technology used on networks for supervision purposes. Attached to a given network, these sniffers observe data traffic flowing out of and into the network. As the process is automated, detection of peculiar data generates an immediate report to the network specialists, who then investigate the matter.

The Ethereal tool is an example of a network sniffer that “captures packets live from a network…displays the information in the headers of all the protocols used in the transmission of the packets captured…filters the packets depending on user needs,” (Meghanathan et al. 16). The time spent on given packets, the intended destination, the time taken, the sender's identity information and the internet protocol used in a given data transfer are easily identified from the rows generated by the Ethereal program. Other packet sniffers include the WinPcap and AirPcap tools. The former is “used to capture the packets intercepted at the network interface of a system running the Windows Operating System,” (Meghanathan et al. 17) while the latter is used for wireless local area network interfaces.
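To show what lies behind one row of a sniffer's display, the Python below (an added example for this page, not Ethereal's or WinPcap's code) decodes the Ethernet, IPv4 and TCP/UDP headers of a raw frame, verifies the IPv4 header checksum, and applies a display-filter style predicate. The two frames it decodes are constructed in the block with documentation-range addresses; header layouts follow the protocol standards, while the frame builder, field names and filter function are assumptions of the example.

```python
import socket
import struct

TCP_FLAG_NAMES = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                  ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words; checksum field must be zero on input."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ethernet(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype}, frame[14:]

def parse_ipv4(data):
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    header = data[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]      # clear checksum field to recompute
    info = {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": ipv4_checksum(zeroed) == csum}
    return info, data[ihl:total_len]

def parse_tcp(seg):
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    flags = off_flags & 0x01FF
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": [name for name, bit in TCP_FLAG_NAMES if flags & bit]}

def parse_udp(seg):
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "length": length}

def decode(frame):
    eth, rest = parse_ethernet(frame)
    pkt = {"eth": eth}
    if eth["ethertype"] != 0x0800:        # only IPv4 is decoded in this example
        return pkt
    pkt["ip"], payload = parse_ipv4(rest)
    if pkt["ip"]["proto"] == 6:
        pkt["tcp"] = parse_tcp(payload)
    elif pkt["ip"]["proto"] == 17:
        pkt["udp"] = parse_udp(payload)
    return pkt

def summarize(frame):
    """One sniffer-style row: endpoints, transport protocol and TCP flags."""
    pkt = decode(frame)
    ip = pkt.get("ip")
    if ip is None:
        return "non-IPv4 frame (ethertype 0x%04x)" % pkt["eth"]["ethertype"]
    if "tcp" in pkt:
        t = pkt["tcp"]
        return "%s:%d -> %s:%d TCP [%s]" % (ip["src"], t["sport"], ip["dst"], t["dport"], ",".join(t["flags"]))
    if "udp" in pkt:
        u = pkt["udp"]
        return "%s:%d -> %s:%d UDP len=%d" % (ip["src"], u["sport"], ip["dst"], u["dport"], u["length"])
    return "%s -> %s proto=%d" % (ip["src"], ip["dst"], ip["proto"])

def matches(pkt, proto=None, dst_port=None):
    """Display-filter style predicate, e.g. matches(pkt, proto="tcp", dst_port=80)."""
    if proto is not None and proto not in pkt:
        return False
    if dst_port is not None:
        t = pkt.get("tcp") or pkt.get("udp")
        if t is None or t["dport"] != dst_port:
            return False
    return True

def build_ipv4_frame(src_ip, dst_ip, proto, transport):
    """Constructed test input: an Ethernet/IPv4 frame around a transport segment, valid IPv4 checksum."""
    ip_zero = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 1, 0x4000, 64, proto, 0,
                          socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip_zero[:10] + struct.pack("!H", ipv4_checksum(ip_zero)) + ip_zero[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip + transport

# Constructed samples (documentation-range addresses): a TCP SYN to port 80 and a UDP datagram to port 53.
SAMPLE_SYN = build_ipv4_frame("192.0.2.10", "198.51.100.80", 6,
                              struct.pack("!HHIIHHHH", 51514, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0))
SAMPLE_DNS = build_ipv4_frame("192.0.2.10", "198.51.100.53", 17,
                              struct.pack("!HHHH", 40000, 53, 8 + 12, 0) + b"\x00" * 12)

if __name__ == "__main__":
    for frame in (SAMPLE_SYN, SAMPLE_DNS):
        print(summarize(frame), "| checksum ok:", decode(frame)["ip"]["checksum_ok"])
```

Checking the header checksum is worth keeping in a forensic decoder: a capture with many checksum failures usually points to a capture-side problem (such as offload on the capturing interface) rather than to the traffic itself, and that is something to settle before the rows are relied on as evidence.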

Source: Meghanathan, Natarajan, Sumanth Allam and Loretta Moore. “Tools and Techniques for Network Forensics,” International Journal of Network Security & Its Applications 1.1 (2009): 14-25, Print, Fig 1.


Techniques Used in Network Forensics

Techniques used in network forensics make use of IP addresses for the traceback function, and various methods can be used for this purpose. Input debugging is a technique employed by the targeted site against the malicious sites. The victim site responds to the attack by identifying the common signature shared by the attack packets, a signature that the router system recognizes. The router then initiates a filter to act against the malicious traffic. As this preventive step is repeated, the filters act on the given information to compute the entry point of the attacker, and the origin is located and deactivated. Controlled flooding is the second technique applied in network forensics. It involves a forced but temporary overloading of the inbound links connected to the routers in the top network layer. As these links carry the packets being received into the network, the unanticipated surge forces the malicious packets to be dropped, and each is tested for the probable location of the attacker (Meghanathan et al. 18).

The third technique is ICMP traceback, which involves the analysis of traceback messages automatically generated during the flow of information through the routing system. These tracebacks are generated and forwarded to the target point, and they contain extra information about the neighbouring routers. Once the malicious hit is detected, the victim system forms its own traceback messages, against which the genuine ones, collected and assembled, are compared for the source information. The packet marking technique is the fourth technique; it employs the mathematical concept of probability in the computation of the malicious source. As opposed to the former techniques, which dwell on the analysis of an entire router, this method isolates single nodes that are used in the calculations (Meghanathan et al. 20).

Source: Meghanathan, Natarajan, Sumanth Allam and Loretta Moore. “Tools and Techniques for Network Forensics,” International Journal of Network Security & Its Applications 1.1 (2009): 14-25, Print, Fig 8.


The fifth technique, known as the Source Path Isolation Engine architecture, works on the same precepts as packet marking, except that instead of probability it employs logging in the calculation of the entry point. The last technique involves the application of the honeynet, which is defined as “a network specifically designed to be compromised,” (Meghanathan et al. 22). The main rationale behind this is that, as the attacker launches into the simulated system, viable information concerning the procedures and items employed towards the compromise of the victim system is captured for further analysis. A complementary appliance that is usually combined with this technique is the honeypot, which offers grounds for the investigators to “attract traffic by acting as a decoy system, posing itself to the internet as a legitimate system offering services. Any outbound connection…implies someone has compromised the Honeypot,” (Meghanathan et al. 22). Network forensics analysts are therefore able to acquire incriminating information from the examination of these outbound connections.
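To make the contrast between the fourth and fifth techniques concrete, the following Python (an added example written for this page, not code from Meghanathan et al. or from the SPIE project) simulates both on a constructed router topology: probabilistic packet marking with node sampling, where the victim orders routers by how often their mark survives to the end of the path, and SPIE-style logging, where every router keeps a digest of each packet it forwarded and the path is recovered exactly by walking upstream through the logs. The topology, router names, marking probability, packet contents and the digest function are all assumptions of the example.

```python
import hashlib
import random
from collections import Counter

# Constructed topology: each entry lists a node's upstream neighbours (toward the attacker).
# Attack traffic crosses R1 -> R2 -> R3 -> R4 -> victim; ordinary traffic also enters via R6.
UPSTREAM = {"victim": ["R4"], "R4": ["R3", "R5"], "R3": ["R2"], "R2": ["R1", "R6"],
            "R1": [], "R5": [], "R6": []}
ATTACK_PATH = ["R1", "R2", "R3", "R4"]
BACKGROUND_PATH = ["R6", "R2", "R3", "R4"]

# --- Probabilistic packet marking (node sampling) ---------------------------------------

def send_with_marking(path, n_packets, p, rng):
    """Each router on the path overwrites the packet's single mark field with its own
    identifier with probability p; returns the marks as seen by the victim."""
    marks = []
    for _ in range(n_packets):
        mark = None
        for router in path:
            if rng.random() < p:
                mark = router
        marks.append(mark)
    return marks

def reconstruct_from_marks(marks):
    """A router d hops from the victim survives as the final mark with probability
    p(1-p)^(d-1), so ascending mark frequency recovers the attacker-to-victim order."""
    counts = Counter(m for m in marks if m is not None)
    return [router for router, _ in sorted(counts.items(), key=lambda kv: kv[1])]

# --- SPIE-style hash logging ---------------------------------------------------------------

def packet_digest(packet):
    """SPIE hashes invariant header fields plus a payload prefix; a whole-packet hash
    stands in for that here because the constructed packets carry no real headers."""
    return hashlib.sha256(packet).digest()[:8]

class DigestLog:
    """Per-router record of forwarded packet digests (a real SPIE agent uses Bloom filters)."""
    def __init__(self):
        self.seen = set()
    def forward(self, packet):
        self.seen.add(packet_digest(packet))
    def has(self, packet):
        return packet_digest(packet) in self.seen

def send_with_logging(flows):
    """flows: list of (path, packets). Every router keeps a log, attack traffic or not."""
    logs = {node: DigestLog() for node in UPSTREAM if node != "victim"}
    for path, packets in flows:
        for packet in packets:
            for router in path:
                logs[router].forward(packet)
    return logs

def reconstruct_from_logs(logs, upstream, packet, start="victim"):
    """Walk upstream from the victim, following at each hop the neighbour whose log holds
    the packet's digest; exact for a single packet, with no probability involved."""
    path, current = [], start
    while True:
        next_hops = [r for r in upstream[current] if logs[r].has(packet)]
        if not next_hops:
            return list(reversed(path))
        current = next_hops[0]
        path.append(current)

def demo(n_packets=4000, p=0.5, seed=1):
    """Run both reconstructions on the constructed topology; returns (ppm_path, spie_path)."""
    rng = random.Random(seed)
    ppm_path = reconstruct_from_marks(send_with_marking(ATTACK_PATH, n_packets, p, rng))
    attack = [b"attack-packet-%d" % i for i in range(10)]
    background = [b"normal-packet-%d" % i for i in range(10)]
    logs = send_with_logging([(ATTACK_PATH, attack), (BACKGROUND_PATH, background)])
    spie_path = reconstruct_from_logs(logs, UPSTREAM, attack[3])
    return ppm_path, spie_path

if __name__ == "__main__":
    ppm, spie = demo()
    print("PPM reconstruction  :", ppm)
    print("SPIE reconstruction :", spie)
    # with far fewer packets the marking estimate can misorder routers; the logged path cannot
    print("PPM with 20 packets :", demo(n_packets=20)[0])
```

Running `demo(n_packets=20)` a few times with different seeds shows the demerit the comparison section attributes to packet marking: with few packets the frequency ordering can be wrong, whereas the digest walk is right or empty, never wrong, as long as the logs still hold the packet.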

Comparison between Tools and Techniques Showing the Advantages and Disadvantages

The eMailTrackerPro tool offers reporting, erasing and filter options to the user for any mail detected to be spam. These options are enabled by the Post Office Protocol support within the program. The main demerit of this method relates to encryption of the malicious traffic by the attacker, as this makes it impossible for the system to identify the attack source. Web browser analysis, by contrast, is detailed and enables a wider tracking reach, as it traverses nations and continents in locating the physical position of the attacker. However, the malicious user may expunge the browsing history, which makes it harder for forensic analysts to reconstruct the relevant information from the few remaining clues. The same applies to the Total Recall and Index.dat Analyzer tools as complementary devices for web forensics. Ethereal analysis tends to be more comprehensive and detailed than the preceding tools, but the task tends to be time consuming. The WinPcap and AirPcap tools are also very comprehensive analysis tools, but they too suffer time and cost constraints.

Input debugging is a very costly process, owing to the successive traceback stages that must be undertaken in instituting the firewalls until the intruder is identified. Controlled flooding is very creative and realistic in terms of implementation and management, and this is a comparative advantage over the other techniques. However, it involves a colossal amount of money in the implementation phase. Additionally, the technique's efficiency depends on the router, as it works best only with the upstream types. ICMP traceback suffers constraints on the rate of data filtration, in that its messages have a higher probability of being filtered than data conveyed as normal traffic (Meghanathan et al. 19). Furthermore, routers used in the counter-attack scheme require a compound identity signature; when this is not given to a particular router, the system is forced into multiple reconstructions.

Packet marking techniques are very time consuming, as each router requires the assignment of a probability weight before the further computations that enable the attack source to be determined. Note that, as the technique applies probability, a possibility exists that the result may contain errors. The Source Path Isolation Engine architecture augurs well with the internet, as it overcomes the challenge of incessant tracebacks and gives timely alerts. Honeypots offer the client a degree of flexibility unlike the other techniques, as they can be deployed against the attacker as either a real system or a virtual one.

Tool | Merit | Demerit
--- | --- | ---
eMailTrackerPro tool | supports reporting, erasing and filter options for email spam | unable to decipher encrypted sources
Web Historian tool | wider tracking levels | ability for attacker to expunge history details
Total Recall tool | expansive tracking ability | browsing history can be deleted
Index.dat Analyzer tool | expansive tracking ability | deletion of browsing history
Ethereal tool | precise, comprehensive and detailed tracking ability | time consuming
WinPcap and AirPcap tools | comprehensive and detailed tracking capability | very expensive and time consuming

Technique | Merit | Demerit
--- | --- | ---
Input debugging | easy usability | very costly
Controlled flooding | creative and realistic in terms of implementation and management | very expensive due to its limited compatibility with network systems
ICMP traceback | ease of management | higher probability of data being filtered as compared to data conveyed as a normal type; need for compound signatures
Packet marking technique | high precision due to mathematical compilations | time consuming; errors infused by probability calculations
Source Path Isolation Engine | timely alerts; overcomes incessant tracebacks | time consuming
Honeynet | flexible usage | expensive to maintain



Network forensics has marked a milestone in cyber crime control, as it has proven that individuals perpetrating criminal activities can be identified and sued for their actions. The challenge, however, remains for network forensic specialists to refine and enhance the tools and techniques used in the field as a way of countering new attacks by malicious users. As time passes, cyber criminals are using ever more sophisticated methods in their illegal endeavours, and this in turn has necessitated superior tools and techniques from forensic specialists if the fight against cyber crime is to be sustained at a significant level.



Works Cited

Fischer, Barry, David Fischer and Jason Kolowski. Forensics Demystified. New York, NY: McGraw-Hill Professional, 2006. Print.

Meghanathan, Natarajan, Sumanth Allam and Loretta Moore. “Tools and Techniques for Network Forensics.” International Journal of Network Security & Its Applications 1.1 (2009): 14-25. Print.

Vacca, John. Computer and Information Security Handbook. San Francisco: Morgan Kaufmann, 2009. Print.

Wang, Wei and Thomas Daniels. NSPW ’06 Proceedings of the 2006 workshop on New security paradigms. New York, NY: ACM, 2007. Print.


