Network Forensics: A Practical Introduction


Michael I. Cohen (Australian Federal Police College, Australia)
DOI: 10.4018/978-1-60566-836-9.ch012


Network forensics is a powerful sub-discipline of digital forensics. This chapter examines innovations in forensic network acquisition, and in particular in the attribution of traffic to the individual sources behind network address translating (NAT) gateways. A novel algorithm for automatically attributing traffic to different sources is presented and then demonstrated. Finally, we discuss some innovations in the decoding of forensic network captures. We illustrate how webmail can be extracted and rendered, using Gmail as the example of a modern AJAX-based webmail provider of forensic significance.
Chapter Preview

Forensic Evidence Acquisition

Network forensics as a field bears many similarities to traditional Network Intrusion Detection Systems (NIDS). On the surface a NIDS and a network forensics system look alike: both collect and analyse network traffic. However, the two are typically deployed with different goals in mind.

A NIDS is designed to detect intrusions, that is, breaches of the security policy; traffic that conforms to the policy is of no interest to it and is normally discarded. Network forensics, on the other hand, is typically interested in traffic which on the face of it looks normal and complies with the security policy. For example, email or web browsing activity may be of central interest to the network forensics investigator, yet would be classed as completely normal by a NIDS and never generate an alert.
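The difference between the two views can be made concrete by running a policy-driven detector and a forensic query over the same capture. The following is an added example, not code from the chapter: the flow records, the "allowed ports" security policy and the host under investigation are all constructed for illustration. The detector emits alerts only for flows that breach the policy, whereas the forensic index retains every flow and answers the investigator's question ("all web and mail sessions from this host") with traffic the detector never flagged.

```python
"""Added example (not from the chapter): one constructed set of flow records
viewed first as a NIDS would see it, then as a forensic full-capture index."""
from collections import namedtuple
from datetime import datetime, timezone

# One summarised connection: time, endpoints, destination port, protocol,
# and the application identified by a decoder. All values are constructed.
Flow = namedtuple("Flow", "ts src dst dport proto app")


def _t(s):
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records (not real traffic). Two hosts behind the
# gateway browse the web, send mail, and make two policy-breaching connections.
FLOWS = [
    Flow(_t("2009-03-01T09:01:00"), "10.0.0.5", "203.0.113.10", 80, "tcp", "http"),
    Flow(_t("2009-03-01T09:02:30"), "10.0.0.5", "203.0.113.20", 25, "tcp", "smtp"),
    Flow(_t("2009-03-01T09:03:00"), "10.0.0.7", "203.0.113.30", 443, "tcp", "https"),
    Flow(_t("2009-03-01T09:04:10"), "10.0.0.5", "198.51.100.9", 23, "tcp", "telnet"),
    Flow(_t("2009-03-01T09:05:00"), "10.0.0.7", "203.0.113.40", 6667, "tcp", "irc"),
    Flow(_t("2009-03-01T09:06:00"), "10.0.0.5", "203.0.113.10", 80, "tcp", "http"),
]

# Hypothetical security policy: only these outbound destination ports are permitted.
ALLOWED_PORTS = {25, 53, 80, 443}


def nids_alerts(flows, allowed=ALLOWED_PORTS):
    """NIDS view: emit an alert only for flows that breach the policy.

    Everything else is, from the NIDS's point of view, uninteresting.
    """
    return [f for f in flows if f.dport not in allowed]


class ForensicIndex:
    """Forensic view: keep every flow and answer investigator queries over them."""

    def __init__(self, flows):
        self.flows = sorted(flows, key=lambda f: f.ts)

    def sessions_for(self, host, apps=None, start=None, end=None):
        """All flows originated by `host`, optionally filtered by application and time window."""
        out = []
        for f in self.flows:
            if f.src != host:
                continue
            if apps is not None and f.app not in apps:
                continue
            if start is not None and f.ts < start:
                continue
            if end is not None and f.ts > end:
                continue
            out.append(f)
        return out

    def peers(self, host):
        """Distinct remote endpoints `host` talked to, in sorted order."""
        return sorted({f.dst for f in self.flows if f.src == host})


def unflagged_web_and_mail(flows, host):
    """Flows from `host` that the forensic query returns but no NIDS alert covers.

    This is the traffic the chapter describes: policy-compliant web and mail
    sessions that an intrusion detector would pass over without comment.
    """
    alerted = set(nids_alerts(flows))
    index = ForensicIndex(flows)
    sessions = index.sessions_for(host, apps={"http", "https", "smtp"})
    return [f for f in sessions if f not in alerted]


if __name__ == "__main__":
    print("NIDS alerts:")
    for f in nids_alerts(FLOWS):
        print("  ", f.ts.isoformat(), f.src, "->", f.dst, f.app)
    print("Forensic web/mail sessions for 10.0.0.5 with no alert:")
    for f in unflagged_web_and_mail(FLOWS, "10.0.0.5"):
        print("  ", f.ts.isoformat(), f.src, "->", f.dst, f.app)
```

On the constructed records the detector raises two alerts (the telnet and IRC connections), while the forensic query for 10.0.0.5 returns its three HTTP and SMTP sessions, none of which the detector saw as anything but normal. The point is architectural rather than the particular rule: a NIDS can safely drop compliant traffic at capture time, whereas a forensic system must retain it, because the investigator's question is not known until after the fact.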
