Netfox detective: A novel open-source network forensics analysis tool

Abstract

Network forensics is a major sub-discipline of digital forensics that is becoming increasingly important in an age where everything is connected. To cope with the volume of data and the other challenges found in networks, practitioners require powerful tools that support them. In this paper, we highlight a novel open-source network forensic tool named Netfox Detective, which outperforms existing tools such as Wireshark or NetworkMiner in certain areas. For instance, it provides a heuristics-based engine for traffic processing that can be easily extended. Using robust parsers (we do not rely solely on the RFC description but also use heuristics), our application tolerates malformed or missing conversation segments. Besides outlining the tool's architecture and basic processing concepts, we also explain how it can be extended. Lastly, a comparison with other similar tools is presented and a real-world scenario is discussed.
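To make the abstract's distinction concrete, here is an added, self-contained illustration (not code from Netfox Detective or from the paper's authors) of what "tolerating missing conversation segments" means for an application-layer parser. It assumes a simplified model in which a capture yields TCP payload segments with sequence numbers, and it contrasts an RFC-style HTTP parser, which only accepts a request whose header block is present in one contiguous byte run, with a heuristic one that resynchronises at the next plausible request line after a gap and reports which requests are incomplete rather than discarding the conversation. The sample segments, hostnames and sequence numbers are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # application data carried by this segment


# Constructed sample: one HTTP/1.1 conversation where the bytes 1046..1099
# (the tail of the first request's headers) were never captured, plus one
# out-of-order retransmission that overlaps data already seen.
SAMPLE_SEGMENTS = [
    Segment(1000, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
    Segment(1100, b"\r\nGET /logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment(1020, b"/1.1\r\nHost: example.test\r\n"),  # retransmission of 1020..1045
]

# Constructed sample with nothing missing, for comparison.
COMPLETE_SEGMENTS = [Segment(1000, b"GET /a HTTP/1.1\r\nHost: x\r\n\r\n")]

REQUEST_LINE = re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def reassemble(segments):
    """Merge segments into contiguous byte runs ordered by sequence number.

    Returns a list of (start_seq, data) runs. A new run starts wherever bytes are
    missing; overlapping bytes from retransmissions are dropped.
    """
    runs = []
    for seg in sorted(segments, key=lambda s: s.seq):
        if runs:
            run_seq, run_data = runs[-1]
            run_end = run_seq + len(run_data)
            if seg.seq <= run_end:  # contiguous with, or overlapping, the current run
                runs[-1] = (run_seq, run_data + seg.payload[run_end - seg.seq:])
                continue
        runs.append((seg.seq, seg.payload))
    return runs


def gaps(segments):
    """Sequence-number ranges [start, end) that are absent from the capture."""
    runs = reassemble(segments)
    return [(runs[i][0] + len(runs[i][1]), runs[i + 1][0]) for i in range(len(runs) - 1)]


def strict_requests(segments):
    """RFC-style parsing: consume each run from its first byte, request after request.

    A request counts only if the run starts exactly with a request line and its
    header block is terminated inside the same run. After a gap the run no longer
    starts with a request line, so parsing stops and the rest is lost.
    """
    paths = []
    for _, data in reassemble(segments):
        pos = 0
        while True:
            end = data.find(b"\r\n\r\n", pos)
            if end < 0:
                break
            m = REQUEST_LINE.match(data, pos)
            if not m:
                break
            paths.append(m.group(2).decode())
            pos = end + 4
    return paths


def heuristic_requests(segments):
    """Heuristic parsing: find every request line that sits at a line boundary in any run.

    Returns (path, complete) pairs, where complete tells whether a header-block
    terminator follows within the same run; incomplete requests are reported
    rather than thrown away, so the investigator still sees what was requested.
    """
    found = []
    for _, data in reassemble(segments):
        for m in REQUEST_LINE.finditer(data):
            at_line_start = m.start() == 0 or data[m.start() - 1:m.start()] == b"\n"
            if not at_line_start:
                continue
            complete = data.find(b"\r\n\r\n", m.start()) >= 0
            found.append((m.group(2).decode(), complete))
    return found


if __name__ == "__main__":
    print("gaps:", gaps(SAMPLE_SEGMENTS))
    print("strict:", strict_requests(SAMPLE_SEGMENTS))
    print("heuristic:", heuristic_requests(SAMPLE_SEGMENTS))
```

On the constructed sample the strict parser recovers no request at all, because the first request's header block is cut by the gap and the second run begins with the stray terminator of that block; the heuristic parser reports both paths and flags the first as incomplete. Reporting gaps alongside the parsed artefacts matters for evidential weight: a reviewer can see exactly which byte ranges the conclusions do not rest on.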
