Article Preview
TopIntroduction
Forensic science is the methodological and correct application of broad spectrum of scientific discipline to answer questions significant to legal system; an interception between technology, methodology and application (Greitzer & Frincke, 2010). Digital forensics is that branch of forensic science that deals with the nitty-gritty of 0s and 1s, otherwise known as digital values, of a computer system with the view to establishing hidden, lost or covered facts. The act of establishing a forensic paradigm in digital world involves interpreting digital processes in such a way that it explains ‘what’ event /action/process was carried out by/with/against a particular digital device under examination.
Network forensics has received various definitions since its inception by Marcus J. (Ranum, 2012) and its research community has greatly expanded since then. However, the generally accepted, but not encompassing definition was proposed at the 2001 DFRWS (Palmer, 2001). Palmer (2001), defines network forensics as “the use of scientifically proven techniques to collect, fuse, identify, examine, correlate, analyze, and document digital evidence from multiple, actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt, and or compromise system components as well as providing information to assist in response to or recovery from these activities”.
Schwartz (2010) describes network forensics as the reconstruction of network event to provide definitive insight into action and behavior of users, applications as well as devices. In other words, network forensics involves the use of scientifically proven techniques to collect, identify, corroborate, examine, analyze and document digital information from live network session. However, these processes must be in conformance with forensically sound manner. Network forensics evidence source includes the capture of network traffic, and other relevant information from multiple devices, active processes, and digitally transmitting sources. Such device includes audit trails, Logs, routers, firewalls, servers, browsers, honey pot and network security device in general.
Uncovering facts related to planned intent, measurement of success of unauthorized activities, investigation of the source of an intrusion and the reasons for the success of such intrusion as well as the possible reason for such as intrusion are some of the vast needs for network forensics. Additionally, network forensics provides information to assist in response to/or recovery from an intrusion. Thus, network forensics can be termed as a proactive, as well as a retrospective approach to both law enforcement, and security hardening perspective. Network forensics can therefore be defined as the act (scientific process) of, measuring level of intrusion; investigating source of intrusion, deciphering intrusion intent and vulnerability exploited; or information provision to recover from an intrusion as well as the process of discovering planned intent of network traffic for the purpose of strengthening system security, and culpable evidence presentation. Network forensics can be classified into three classes: which are; based on purpose, process of collection, and nature of technology used. This classification forms the distinction between network forensics and network security. The rest of this paper is organized thus: The next section discusses the distinction between network forensics and network security. The following section elucidates on the research challenges on network forensics and details the premises on which network forensics challenges emanates. The various research works on network forensics are then presented. This paper also discusses the research works, challenges solved and lingering challenges still facing the research community. Conclusion is presented in the last section.