Network Intell: Enabling the Non-Expert Analysis of Large Volumes of Intercepted Network Traffic

In criminal investigations, telecommunication wiretaps have become a common technique used by law enforcement. While phone-based wiretapping is well documented and the procedures for executing it are well known, the same cannot be said for Internet taps. Lawfully intercepted network traffic often contains a large proportion of encrypted traffic, making it increasingly difficult to find useful information in the captured data. The advent of the Internet of Things further complicates the process for non-technical investigators. The complexity of intercepted network traffic is now close to the point where the data cannot be analysed without the supervision of a digital investigator with advanced network knowledge. Current investigations analyse all traffic in chronological order and are predominantly conducted on the data contents of the intercepted traffic. This approach becomes overly arduous when the amount of data to be analysed is very large. In this paper, we propose a novel approach to analysing large amounts of intercepted network traffic based on network metadata. Our approach significantly reduces the duration of the analysis and also produces an insightful overview of the analysis results for the non-technical investigator. We also test our approach with a large sample of network traffic data.
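The abstract contrasts chronological content inspection with an analysis driven by network metadata, which remains available even when payloads are encrypted. The following is an added example, not the Network Intell tool or any code from the paper: it aggregates per-packet metadata (timestamp, source and destination address, transport protocol, destination port, byte count) into flows and produces a per-host overview of the kind a non-technical investigator could read. The packet records, the monitored address and the set of ports treated as carrying encrypted payloads are all constructed assumptions for this example.

```python
"""Added example (not the paper's tool): metadata-only summarisation of
intercepted network traffic.

Each input record is the metadata an interception point can record without
decrypting anything.  The sample packets below are constructed for this
example and do not come from the paper's data set.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time, seconds since epoch
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    nbytes: int    # bytes on the wire


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    first_ts: float
    last_ts: float
    packets: int = 0
    nbytes: int = 0

    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts


# Assumption for this example: traffic to these ports is treated as encrypted
# (TLS, IMAPS, POP3S, SSH, DNS over TLS), so content analysis would yield little.
ENCRYPTED_PORTS = {443, 993, 995, 22, 853}

# Constructed sample: one monitored host (10.0.0.5) talking to three peers,
# one inbound flow back to it, and one unrelated host.
SAMPLE_PACKETS = [
    Packet(1000.0, "10.0.0.5", "203.0.113.10", "tcp", 443, 1500),
    Packet(1000.5, "10.0.0.5", "203.0.113.10", "tcp", 443, 1500),
    Packet(1001.0, "10.0.0.5", "203.0.113.10", "tcp", 443, 500),
    Packet(1002.0, "10.0.0.5", "198.51.100.7", "udp", 53, 80),
    Packet(1002.1, "10.0.0.5", "198.51.100.7", "udp", 53, 80),
    Packet(1003.0, "203.0.113.10", "10.0.0.5", "tcp", 51234, 4000),
    Packet(1010.0, "10.0.0.5", "192.0.2.44", "tcp", 80, 600),
    Packet(1020.0, "10.0.0.9", "203.0.113.10", "tcp", 443, 300),
]


def build_flows(packets):
    """Aggregate packets into unidirectional flows keyed on (src, dst, proto, dport)."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.proto, p.dport)
        f = flows.get(key)
        if f is None:
            f = Flow(p.src, p.dst, p.proto, p.dport, p.ts, p.ts)
            flows[key] = f
        f.last_ts = max(f.last_ts, p.ts)
        f.packets += 1
        f.nbytes += p.nbytes
    return list(flows.values())


def summarise(flows, monitored_hosts):
    """Per monitored host: outbound flow count, bytes out/in, encrypted share,
    top peers by outbound bytes and the window in which the host was active."""
    report = {}
    for host in monitored_hosts:
        out = [f for f in flows if f.src == host]
        inbound = [f for f in flows if f.dst == host]
        total_out = sum(f.nbytes for f in out)
        encrypted = sum(f.nbytes for f in out if f.dport in ENCRYPTED_PORTS)
        peers = defaultdict(int)
        for f in out:
            peers[f.dst] += f.nbytes
        report[host] = {
            "flows": len(out),
            "bytes_out": total_out,
            "bytes_in": sum(f.nbytes for f in inbound),
            "encrypted_fraction": (encrypted / total_out) if total_out else 0.0,
            "top_peers": sorted(peers.items(), key=lambda kv: -kv[1])[:3],
            "active_window": (min(f.first_ts for f in out),
                              max(f.last_ts for f in out)) if out else None,
        }
    return report


if __name__ == "__main__":
    for host, r in summarise(build_flows(SAMPLE_PACKETS), ["10.0.0.5"]).items():
        print(host, r)
```

The point of the example is what is absent: no payload is read at any step, yet the report already answers the questions an investigator typically asks first (who the host talked to, how much, when, and how much of it is worth trying to inspect at all). Sorting by peer volume rather than by time is what turns a long chronological capture into a short overview.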
