NETWORK AND INTERNET FORENSICS

QUESTION

Conduct practical research and a literature review into the network protocol IPv4. Prepare a report (as an academic paper) describing how to extract evidence in relation to this protocol. You should consider all potential sources of evidence, for example applications, servers and network captures.


The paper should develop an argument about practical research, supported by recent and closely related references in the field of network and internet forensics.

Each section of the paper must be numbered, and the paper must include a contents page, a title page and a reference list (minimum of 8 references).

SOLUTION

1.    Network and Internet Forensics

Network forensics usually comprises the collection of network packets, the analysis and recovery of the information they carry, and the reporting of that information in a presentable order. The collected packets may belong to different service categories such as email, instant messaging, webmail, Telnet, file transfer (FTP and P2P), web browsing (HTTP), etc.

The Internet is the most influential medium today, providing many services to a huge number of users. It has also become the breeding ground for cyber warfare, where attacks of several kinds, ideological and financial among them, are launched. E-commerce transactions carried out online are of particular interest to cybercriminals. The Internet needs to be protected from such attacks, and a suitable response has to be generated to handle them and minimise their impact. Network forensics is the science and investigation that deals with the capture, recording and analysis of network traffic for investigative use and incident response (Pilli, Joshi, & Niyogi, 2010).

2.    Types of Network and Internet Forensics Systems

Network and internet forensics systems can be divided into two categories (Habib, 2009):

2.1.        Catch it as you can Systems

In this type of system, all packets passing through a certain traffic point are captured and written to storage, with analysis done later in batch mode. This methodology requires a huge amount of storage, generally in the form of a RAID system.

2.2.        Stop, look and listen Systems

In these systems each packet is analysed in a rudimentary manner in memory. The system picks out the most interesting pieces of information and saves only those for later analysis. Such systems require less storage but need a faster processor in order to keep up with the volume of incoming traffic.

Both kinds of network forensic system require the capacity to store a great amount of data and must make room for new information by discarding out-dated pieces of data. Today many software programs are available that are designed specifically for capturing and analysing data for network forensics.

3.    Computer and Internet Forensics Differences

The impetus for computer forensics came from law enforcement, a community that investigates, arrests, locks up, seizes and stores physical objects. The computer forensics specialist's antagonist is most likely a computer-using criminal with no particular skill beyond that of an ordinary end user. This is not the case with Internet forensics.

A quick review of the prior list of computer forensics applications suggests that they are not in common use by the typical computer criminal. The computer forensics specialist works on a different plane from the person being investigated. By contrast, the Internet forensics specialist uses most of the same applications, and engages in the same set of practices, as the person being investigated. The computer forensics specialist can seize and examine physical objects, but the Internet forensics specialist can only investigate if the firewalls, packet filters and intrusion detection systems were set up in advance to anticipate the breach of security (Berghel, 2003).

4.    Network Capture

Today many organizations consistently record some or all of the traffic on their external Internet connections. Very little of this information is actually analysed; mostly it is collected in anticipation that it might be helpful at some future point. Capturing everything passing over the network seems simple in theory but is quite complex in practice. An alternative approach is to inspect all of the traffic that flows over the network but only verify and record the information deemed worthy of further analysis. The principal advantage of this approach is that systems can monitor far more information than they can archive. Instead of being forced to monitor the fairly small amount of network traffic at the boundary between the internal and external network, you can dynamically monitor a busy LAN or backbone. If such data is never saved to a computer's disk, the probability of it being improperly disclosed is significantly reduced. In many cases it is not even legal to record information unless there is a compelling reason or a court order. This is called the "stop, look, and listen" approach. With the heightened concern about computer security these days, several organizations have started buying monitoring appliances or setting up their own monitoring systems using either commercial or open source software.
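The "stop, look, and listen" approach of sections 2.2 and 4 can be illustrated with a small in-memory flow monitor. The code below is an added example written for this report and is not taken from any of the cited tools: it keeps only per-flow summary records (endpoints, protocol, packet and byte counts, first and last seen) rather than the packets themselves, and it discards flows that have been idle longer than a retention window so that memory stays bounded. The packet tuples are constructed sample data; the names StopLookListenMonitor and FlowRecord are the example's own.

```python
"""Added example (not part of the original paper): an in-memory
"stop, look and listen" monitor.  Rather than writing every packet to
disk, it keeps per-flow summaries and evicts flows idle longer than a
retention window, so storage stays bounded.  SAMPLE_PACKETS is
constructed test data, not a real capture."""

from collections import OrderedDict
from dataclasses import dataclass

# Constructed input: (timestamp_seconds, src_ip, dst_ip, protocol, length_bytes)
SAMPLE_PACKETS = [
    (100.0, "10.0.0.5", "203.0.113.7", "TCP", 74),
    (100.2, "203.0.113.7", "10.0.0.5", "TCP", 74),
    (100.4, "10.0.0.5", "203.0.113.7", "TCP", 1514),
    (101.0, "10.0.0.9", "198.51.100.2", "UDP", 90),
    (130.0, "10.0.0.5", "203.0.113.7", "TCP", 1514),
    (200.0, "10.0.0.11", "192.0.2.8", "TCP", 60),
]


@dataclass
class FlowRecord:
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0


class StopLookListenMonitor:
    """Bidirectional flow summaries in memory, bounded by an idle timeout."""

    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        # Ordered by last activity: the oldest flow is always at the front.
        self.flows: "OrderedDict[tuple, FlowRecord]" = OrderedDict()
        self.evicted = 0

    @staticmethod
    def flow_key(src, dst, proto):
        # Sort the endpoints so both directions map to the same flow.
        a, b = sorted((src, dst))
        return (a, b, proto)

    def observe(self, ts, src, dst, proto, length):
        self._expire(ts)
        key = self.flow_key(src, dst, proto)
        rec = self.flows.pop(key, None) or FlowRecord(first_seen=ts, last_seen=ts)
        rec.last_seen = ts
        rec.packets += 1
        rec.bytes += length
        self.flows[key] = rec            # re-insert at the end (most recent)

    def _expire(self, now):
        # Discard flows idle longer than the timeout, oldest first.
        while self.flows:
            key, rec = next(iter(self.flows.items()))
            if now - rec.last_seen <= self.idle_timeout:
                break
            del self.flows[key]
            self.evicted += 1

    def summary(self):
        """Flow key -> (packets, bytes) for every flow still retained."""
        return {k: (v.packets, v.bytes) for k, v in self.flows.items()}


def run_sample(idle_timeout=60.0):
    mon = StopLookListenMonitor(idle_timeout)
    for pkt in SAMPLE_PACKETS:
        mon.observe(*pkt)
    return mon


if __name__ == "__main__":
    m = run_sample()
    print(m.summary(), "evicted:", m.evicted)
```

With the 60-second window the two early flows are evicted by the time the 200-second packet arrives, which is exactly the trade-off the section describes: what was never retained cannot later be disclosed, but it also cannot later be recovered as evidence, so the retention window is a deliberate policy choice rather than an implementation detail.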

5.    Introduction to Network Packets

On the Internet, the network fragments content into pieces. For instance, it breaks an email message into parts of a certain size in bytes. These pieces are known as packets. Each packet contains the information needed to reach its destination: the sender's IP address, the intended receiver's IP address, and other information that tells the network the total number of packets the email message has been fragmented into and the position of a particular packet in that sequence. A typical packet contains perhaps 1,000 or 1,500 bytes. Each packet carries a chunk of the body of your message. Packets may go by another name depending on the network type: cell, segment, block or frame. Most network packets can be divided into the following three parts:

  • Header
  • Payload
  • Trailer

5.1          Header

The header part of a packet contains instructions about the data carried by the packet. These instructions may include the following (Fairhurst, 2008):

  • Length of packet: some networks use fixed-length packets, but many rely on the header to carry this information.
  • Packet number: the number that identifies a packet within a sequence of packets.
  • Synchronization: a few bits that help the packet match up with the network.
  • Protocol: defines the specific type of packet being transmitted, for example email, web page, streaming video, etc.
  • Destination address: the address the packet is going to.
  • Originating address: the address the packet came from.

5.2          Payload

This part is also known as the data or body of the packet. It is the actual data that the packet delivers to the destination. If the packet has a fixed length, the payload may be padded with blank information to make it the correct size.

5.3          Trailer

The trailer, also known as the footer, consists of a couple of bits that tell the receiving device it has reached the end of the packet. The trailer may also perform some sort of error checking. Cyclic Redundancy Check (CRC) is the most common type of error checking used in packets, and it is a neat mechanism. In computer networks it works as follows: first, the sender adds all the 1s in the payload and stores the result as a hexadecimal value in the trailer. The receiving device adds all the 1s in the payload and compares its result with the value stored in the trailer. If the values match, the packet is good; if they do not match, the receiving device sends a request to the originating device to resend the packet.

6.    Example of IP Packet (IPV4)

Internet Protocol version 4 (IPv4) is a connectionless, unreliable protocol used on packet-switched link layer networks such as Ethernet. It is the component of the Internet protocol suite that provides globally unique addresses, carries the control information that allows packets to be routed across the network, and sends data in packets. Connectionless means that no session is established before data is exchanged. Unreliable means that delivery is not assured: IP makes a best effort to deliver each packet, but packets might be lost, duplicated, delivered out of order or delayed. It is equally well suited to LAN and WAN communications. IPv4 provides the following (InetDaemon, 2012):

  • Connectionless communication
  • Unique addresses
  • Routing

6.1          Connectionless Communication

IPv4 supports connectionless communication, which means it does not establish dedicated end-to-end connections before sending data. Instead, upper layer protocols such as TCP establish connections and manage the recovery of lost data and other errors.

6.2          Unique Addresses

Everything connected to the Internet has a unique numerical address. These addresses are written in dotted-decimal notation, that is, numbers separated by dots, for example 204.24.183.4. These addresses are not permanent and can be changed when required.

6.3          Routing

Routing is an essential part of IP that lets specialised, intelligent routing devices recognise information that is not destined for the local group of machines and needs to be forwarded towards its destination. These devices can work out how to reach destinations they are not directly connected to. The process of forwarding the information is known as routing.

7.    Packet Forensics Analysis Tools

There are numerous tools that help track the data transferred over a network so that an attack, or the malicious intent behind an intrusion, can be investigated.

7.1          Xplico

Xplico is a network forensic investigation application. It extracts all application-level data from a network capture; for example, it can reconstruct every e-mail carried by the POP or SMTP protocols from a PCAP file. The features of Xplico, a network forensic analysis tool (NFAT), include (Lakhoua, 2011):

  • It supports most common protocols, such as HTTP, FTP, TCP, IPv4, IPv6, IMAP, SIP, UDP, etc.
  • It provides port-independent protocol identification for every application protocol.
  • It provides real-time information, depending on the type of protocol, the number of flows and the performance of the computer.

7.2          Tcpdump

Tcpdump is a well-known command-line packet sniffer. It lets the user capture and display TCP/IP and other packets being transmitted or received over a network. It runs on various Unix-like operating systems such as BSD, Linux, HP-UX and Mac OS X. Tcpdump is commonly used to debug applications that send and receive network traffic (Styn, 2011).

7.3          Wireshark

Wireshark is a packet sniffer tool that supports analysis, network troubleshooting and communications protocol development. It is quite similar to tcpdump but differs in having a graphical front-end and built-in information sorting and filtering options. It lets the user inspect the traffic passing over the network. Wireshark understands the structure of many networking protocols, so it can display the fields, with their meanings, of packets carried by different networking protocols. The features of Wireshark include (Amdekar, 2010):

  • It can capture data "from the wire" from a live network connection or read it from a file of already-captured packets.
  • Live data can be read from various network types such as IEEE 802.11, Ethernet, PPP, etc.
  • Its GUI displays the information captured from the network.
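Tools such as tcpdump, Wireshark and Xplico all start from the same raw material: a PCAP file of captured frames whose IPv4 headers carry the address, protocol and fragmentation fields listed in sections 5.1 and 6. The code below is an added example written for this report, not code from any of those projects. It reads the classic little-endian libpcap file layout (24-byte global header, then 16-byte record headers followed by frame bytes), decodes the Ethernet and IPv4 headers, verifies the IPv4 header checksum (the RFC 791 one's complement sum of the header's 16-bit words, which is IPv4's own integrity check and lives in the header rather than in a trailer) and produces one evidence row per packet. The two-packet capture is constructed in memory, one datagram deliberately corrupted so that the checksum verification has something to catch; all addresses are documentation ranges and the helper names (read_pcap, parse_ipv4, build_sample_pcap) are the example's own.

```python
"""Added example, not the paper's own code: a minimal libpcap reader that
decodes Ethernet and IPv4 headers, verifies the IPv4 header checksum and
reports the fields an investigator extracts first.  The capture parsed
here is constructed in memory; no real traffic is involved."""

import socket
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """One's complement of the one's complement sum of 16-bit words (RFC 791).
    Over a header with its checksum field zeroed this yields the checksum;
    over a header that already contains a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(data: bytes) -> dict:
    """Decode the fixed IPv4 header fields and the payload they frame."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "ttl": ttl,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
        "payload": data[ihl:total_len],
    }


def read_pcap(blob: bytes):
    """Yield (timestamp, ipv4_fields) for every IPv4-over-Ethernet record."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC_USEC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header (expects little-endian, Ethernet)")
    offset = 24
    while offset + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", blob[offset:offset + 16])
        offset += 16
        frame = blob[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                         # ARP, IPv6 etc. are skipped here
        yield ts_sec + ts_usec / 1e6, parse_ipv4(frame[14:])


def build_ipv4(src, dst, proto, payload, ttl=64, ident=1, corrupt=False):
    """Construct a datagram for the sample capture (test data, not real traffic)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(header)
    if corrupt:
        csum ^= 0x1                          # simulate in-transit damage
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def build_sample_pcap() -> bytes:
    """Constructed capture: one clean TCP datagram and one damaged UDP datagram."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    frames = [
        (1337000000, 1000, eth + build_ipv4("10.0.0.5", "203.0.113.7", 6, b"GET / HTTP/1.1\r\n")),
        (1337000001, 2000, eth + build_ipv4("10.0.0.9", "198.51.100.2", 17, b"\x00" * 8, ident=7, corrupt=True)),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def summarize(blob: bytes):
    """One evidence row per record: time, addresses, protocol, TTL, checksum, payload."""
    return [(int(ts), p["src"], p["dst"], p["protocol"], p["ttl"], p["checksum_ok"], p["payload"])
            for ts, p in read_pcap(blob)]


if __name__ == "__main__":
    for row in summarize(build_sample_pcap()):
        print(row)
```

The checksum column matters for evidentiary weight: a record whose header fails verification may be capture-side damage or deliberate manipulation, and either way it should be flagged rather than silently counted. The same loop can be pointed at a real file with `summarize(open("capture.pcap", "rb").read())`, provided it was written in the classic little-endian Ethernet format this reader expects; pcapng files and other link types are outside what this example handles.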

8.    References

Amdekar, A 2010, Capturing network communication packets with Wireshark Utility, Viewed May 18, 2012, <http://www.symantec.com/connect/videos/capturing-network-communication-packets-wireshark-utility>.

Berghel, H 2003, The Discipline of Internet Forensics, Viewed May 18, 2012, <http://berghel.net/col-edit/digital_village/aug-03/dv_8-03.php>.

Fairhurst, G 2008, IPv4 Packet Header, Viewed May 18, 2012, <http://www.erg.abdn.ac.uk/~gorry/eg3561/inet-pages/ip-packet.html>.

Habib, J 2009, Network Forensics and Digital Time Travel, Viewed May 18, 2012, <http://www.technewsworld.com/story/68651.html?wlc=1258392310&wlc=1258395479>.

InetDaemon 2012, What is Internet Protocol (IP)? (updated May 11, 2012), Viewed May 18, 2012, <http://www.inetdaemon.com/tutorials/internet/ip/whatis_ip.shtml>.

Lakhoua, B 2011, XPLICO Tool for Network Forensic, Viewed May 18, 2012, <http://www.sectechno.com/2011/06/10/xplico-tool-for-network-forensic-tool/>.

Pilli, S, Joshi, R C, & Niyogi, R 2010, A Generic Framework for Network Forensics, Viewed May 18, 2012, <http://www.ijcaonline.org/archives/number11/251-408>.

Styn, H 2011, tcpdump fu, Viewed May 18, 2012, <http://www.linuxjournal.com/content/tcpdump-fu>.
