Network Forensics Is A Science That Centers On The Discovery and Retrieval of Information Surrounding A Cybercrime Within A Networked Environment

The focus of this post is a subsection of digital forensics: network forensics, which IGI Global defines as "relating to the monitoring and analysis of computer network traffic." A fuller definition reads:
“Network forensics is a science that centers on the discovery and
retrieval of information surrounding a cybercrime within a networked
environment. Common forensic activities include the capture,
recording and analysis of events that occurred on a network in order
to establish the source of cyberattacks.”
The word "forensics" means the use of science and technology to investigate and establish facts in criminal or civil courts of law. Forensics is the procedure of applying scientific knowledge to analyze evidence and present it in court.
Network forensics is a subcategory of digital forensics that deals with examining a network, and the traffic crossing it, when that network is suspected of being involved in malicious activity, for example a network that is spreading credential-stealing malware, or traffic that must be analyzed to understand a cyber-attack. As the internet grew, cybercrime grew with it, and so did the significance of network forensics, driven by the development and acceptance of network-based services such as the World Wide Web and e-mail.
With network forensics, the data exchanged over a network, including messages, file transfers, e-mails and web browsing history, can be retrieved and reconstructed to expose the original transaction. The payload carried in the uppermost-layer packet may well end up on a disk, but the "envelopes" used to deliver it (the protocol headers at each layer) are captured only in the network traffic. Hence the protocol data that encloses each dialog is often very valuable: it records who talked to whom, when, and over which ports, even when the payload itself is unavailable or encrypted.
To identify attacks, investigators must understand the network protocols and the applications built on them: web protocols (HTTP/HTTPS), e-mail protocols (SMTP, POP3, IMAP), core network protocols (IP, TCP, UDP, DNS), file transfer protocols (FTP, SMB) and so on.
Investigators use network forensics to examine traffic data gathered from networks that are involved, or suspected of being involved, in cybercrime or any type of cyber-attack. The experts then look for data that points to file manipulation, human communication and so on. Generally, network forensics lets investigators and cybercrime experts track down the relevant communications and establish timelines based on the network event logs recorded by the NCS.
Processes Involved in Network Forensics:
Some processes involved in network forensics are given below:
 Identification: In this process, investigators identify and evaluate the incident based on the network indicators available.
 Safeguarding: In this process, investigators preserve and secure the data so that tampering can be prevented; in practice that means hashing captures and logs at the moment of acquisition and restricting access to the originals.
 Accumulation: In this step, a detailed report of the crime scene is documented and all the collected digital evidence is duplicated, so that analysis is done on copies rather than on the originals.
 Observation: In this process, all the visible data is tracked along with its metadata (timestamps, addresses, ports, protocols).
 Investigation: In this process, a final conclusion is drawn from the collected evidence.
 Documentation: In this process, all the evidence, reports and conclusions are documented and presented in court.
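The steps above, and the Preservation and Analysis stages of the digital-forensics process described later in this document, can be exercised end to end on a small capture. The following is an added example written for this page, not code from the original post or from any tool it mentions. It builds its own three-packet libpcap capture (the hosts 10.0.0.5 and 203.0.113.9, the MAC addresses, ports, timestamps and the HTTP request are all hypothetical), hashes the evidence before analysis, decodes Ethernet/IPv4/TCP headers, groups packets into bidirectional flows and produces a per-packet timeline:

```python
# Added example (not from the original page): a minimal network-forensics pass over
# a constructed libpcap capture. Safeguarding: hash the evidence before analysis.
# Observation/Investigation: decode Ethernet/IPv4/TCP, group packets into flows,
# emit a timeline. Hosts, MACs, ports, timestamps and the request are hypothetical.
import hashlib
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1        # classic libpcap, microsecond timestamps
CLIENT, SERVER = "10.0.0.5", "203.0.113.9"            # constructed endpoints
CLIENT_MAC, SERVER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE_REQUEST = b"GET /update.bin HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"
TCP_FLAGS = {0x02: "SYN", 0x12: "SYN/ACK", 0x10: "ACK", 0x18: "PSH/ACK", 0x11: "FIN/ACK", 0x04: "RST"}

def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet II frame carrying IPv4 (no options, zero checksum) and a 20-byte TCP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp

def build_pcap(packets):
    """Serialize (timestamp, frame) pairs into a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def sample_capture():
    """Constructed evidence: TCP handshake followed by one HTTP request."""
    t0 = 1700000000.0
    return build_pcap([
        (t0,         tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, 51514, 80, 0x02)),
        (t0 + 0.012, tcp_frame(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, 80, 51514, 0x12)),
        (t0 + 0.013, tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, 51514, 80, 0x18, SAMPLE_REQUEST)),
    ])

def evidence_hash(data):
    """SHA-256 recorded before analysis; every later copy is verified against it (chain of custody)."""
    return hashlib.sha256(data).hexdigest()

def decode_frame(ts, frame):
    """Record for an IPv4/TCP frame, or None for anything else (ARP, IPv6, UDP, ...)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return {"ts": ts, "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "flags": tcp[13], "payload": tcp[(tcp[12] >> 4) * 4:]}

def parse_pcap(data):
    """Walk the libpcap records; unsupported formats are rejected rather than guessed."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian libpcap with Ethernet link type is handled here")
    offset, records = 24, []
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        rec = decode_frame(sec + usec / 1_000_000, data[offset + 16:offset + 16 + incl_len])
        offset += 16 + incl_len
        if rec:
            records.append(rec)
    return records

def build_flows(records):
    """Group packets into bidirectional flows keyed on the sorted (ip, port) pair."""
    flows = {}
    for r in records:
        a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
        key = (a, b) if a <= b else (b, a)
        f = flows.setdefault(key, {"first": r["ts"], "last": r["ts"], "packets": 0, "bytes": 0, "payload": b""})
        f["last"] = max(f["last"], r["ts"])
        f["packets"] += 1
        f["bytes"] += len(r["payload"])
        f["payload"] += r["payload"]
    return flows

def timeline(records):
    """One time-ordered line per packet for the report."""
    return [f"{r['ts']:.6f} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
            f"{TCP_FLAGS.get(r['flags'], hex(r['flags']))} {len(r['payload'])}B"
            for r in sorted(records, key=lambda r: r["ts"])]

if __name__ == "__main__":
    capture = sample_capture()
    print("evidence sha256:", evidence_hash(capture))
    recs = parse_pcap(capture)
    print("\n".join(timeline(recs)))
    for (a, b), f in build_flows(recs).items():
        first_line = f["payload"].split(b"\r\n")[0]
        print(f"flow {a[0]}:{a[1]} <-> {b[0]}:{b[1]}: {f['packets']} packets, "
              f"{f['bytes']} payload bytes, first line {first_line!r}")
```

To run it against real evidence, replace `sample_capture()` with the bytes of a `.pcap` file. The parser deliberately raises a ValueError for pcapng, big-endian and non-Ethernet captures instead of misreading them, and the hash should go into the custody log before the file is opened by any other tool.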
Challenges in Network Forensics:
 The biggest challenge is managing the volume of data generated during the process; full packet capture on a busy network quickly becomes very large.
 The intrinsic anonymity of IP addresses: an address identifies a host or a NAT gateway, not the person behind it.
 Address spoofing: source addresses in packets (especially UDP and ICMP) can be forged, so attribution cannot rest on them alone.

Advantages:
 Network forensics helps in identifying security threats and vulnerabilities.
 It analyzes and monitors network performance demands.
 Network forensics helps in reducing downtime.
 Network resources can be used better through reporting and better planning.
 It supports a detailed search of the network for any trace of evidence left behind.
Disadvantage:
 The main disadvantage of network forensics is that it is difficult to implement: capture points must be placed correctly, stored traffic volumes are large, and encrypted traffic limits what the payload can reveal.
NetFlow Analyzer: The advanced network forensics tool
NetFlow Analyzer is a network forensic analysis tool that collects flow records exported by network devices (NetFlow, sFlow, IPFIX and similar) and provides insight into the bandwidth usage, security and performance of your network. You can use the tool to pull forensic reports that go back in time, so you can determine the root cause of bottlenecks and see how traffic patterns have changed. This can help you build policies and restrict certain harmful traffic from entering your network.

The 5 Stages of a Digital Forensics Investigation
Digital forensics deals with the recovery, investigation and analysis of electronic data, and is often used to unearth evidence in litigation cases, criminal cases, or in internal investigations. Electronic data can provide critical evidence and clues in many cases, and aid in the discovery of cybercrime, data theft, crypto crimes, security breaches, instances of hacking, and more. Digital forensics plays an instrumental role in getting to the bottom of complex data challenges.

Digital forensic investigators use a variety of tools and software to conduct investigations that can help to:
 Discover the source and cause of a cyberattack
 Identify whether a hack was perpetrated and how long the hacker had access to the system
 Create a timeline of criminal events, such as unauthorized access or altering of data
 Secure digital evidence

A digital forensic investigation can help identify and prove different kinds of wrongdoing, including data theft or disclosure, internet abuse, network or system breaches, espionage, and financial fraud.
In civil or criminal cases, it is crucial to carry out a structured and process-driven digital forensics investigation, to ensure the integrity of the data and its admissibility in a court of law. The core stages of a digital forensics investigation include:
1. Identification of resources and devices involved in the investigation
2. Preservation of the necessary data
3. Analysis
4. Documentation
5. Presentation
Data acquired in this way can be admissible in court and used as evidence to support litigation cases.

Stages of a Digital Forensics Investigation
 Identification: Identifying what evidence is present, where it is stored, and how it is stored (in which format). Electronic devices can be personal computers, mobile phones, PDAs, etc.
 Preservation: Data is isolated, secured, and preserved. This includes keeping unauthorized personnel from using the digital device so that the digital evidence is not tampered with, mistakenly or purposely, and making a copy of the original evidence.
 Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions based on the evidence.
 Documentation: A record of all the visible data is created. It helps in recreating and reviewing the crime scene. All the findings from the investigation are documented.
 Presentation: All the documented findings are produced in a court of law or before the body deciding the matter.
Some Tools used for Investigation:
Tools for Laptop or PC –
 COFEE (Computer Online Forensic Evidence Extractor) – A suite of live-response tools for Windows developed by Microsoft for law enforcement.
 The Coroner's Toolkit – A suite of programs for Unix analysis.
 The Sleuth Kit – A library and collection of command-line tools for disk and file-system analysis on both Unix and Windows.
Tools for Memory:
 Volatility
 WindowsSCOPE
Tools for Mobile Devices:
 Micro Systemation XRY/XACT
APPLICATIONS
 Intellectual property theft
 Industrial espionage
 Employment disputes
 Fraud investigations
 Misuse of the Internet and e-mail in the workplace
 Forgery-related matters
 Bankruptcy investigations
 Regulatory compliance issues

Digital Forensics Investigation Stage 1: Identification
The very first step in a digital forensics investigation is to identify the devices and resources containing the data that will be a part of the investigation. The data involved in an investigation could be on organizational devices such as computers or laptops, or on users' personal devices like mobile phones and tablets.
These devices are then seized and isolated, to eliminate any possibility of tampering. If the data is on a server or network, or housed in the cloud, the investigator or organization needs to ensure that no one other than the investigating team has access to it.

Digital Forensics Investigation Stage 2: Extraction and Preservation
After the devices involved in an investigation have been seized and stored in a secure location, the digital forensics investigator or forensics analyst uses forensic techniques to extract any data that may be relevant to the investigation, and stores it securely.
This phase can involve the creation of a bit-for-bit digital copy of the relevant data, known as a "forensic image." A cryptographic hash (for example SHA-256) of the original is recorded at acquisition and compared against the image, so the copy can be shown to be identical and any later change can be detected. The image is then used for analysis and evaluation, while the original data and devices are put in a secure location, such as a safe. This prevents any tampering with the original data even if the working copy is damaged or altered during the investigation.

Digital Forensics Investigation Stage 3: Analysis
Once the devices involved have been identified and isolated, and the data has been duplicated and stored securely, digital forensic investigators use a variety of techniques to extract relevant data and examine it, searching for clues or evidence that points to wrongdoing. This often involves recovering and examining deleted, damaged or encrypted files, using techniques such as:
 Reverse Steganography: detecting and extracting data hidden inside an image or other carrier file by examining the bytes that represent it, for example comparing its hash or byte-level statistics against a known-good copy, since visually identical files with different hashes indicate that the content has been altered
 File or Data Carving: identifying and recovering deleted files by searching unallocated space for the header and footer signatures and fragments that deleted files leave behind, since deleting a file typically removes only its directory entry, not its contents
 Keyword Searches: using keywords to identify and analyze information relevant to the investigation, including deleted data and data stored in other encodings
These are just some of the many techniques digital forensic investigators use to unearth evidence.
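Two of the techniques just listed, signature-based carving and keyword search, as an added example written for this page (not code from the original article or from any tool it names). The raw image is constructed inline: deterministic filler standing in for unallocated space, a deleted JPEG, a deleted text note present both as ASCII and as UTF-16LE, and a PNG whose tail was overwritten. The signatures are the real JPEG, PNG and PDF header/footer bytes; everything else (offsets, note text, keywords) is hypothetical.

```python
# Added example (not from the original page): signature-based file carving and
# keyword search over a constructed raw disk image. Signatures are the real
# JPEG/PNG/PDF header and footer bytes; the image contents, the "deleted" note
# and the keywords are hypothetical.

# (header, footer) byte signatures for a few common file types
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(image, max_size=10 * 1024 * 1024):
    """Recover files by header signature, ending each at the nearest footer.

    Returns (type, offset, data, truncated) tuples sorted by offset. A header with
    no footer within max_size is still reported, flagged truncated, so partial
    recoveries are visible instead of silently missing."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        start = image.find(head)
        while start != -1:
            limit = min(len(image), start + max_size)
            end = image.find(foot, start + len(head), limit)
            if end == -1:
                found.append((kind, start, image[start:limit], True))
                start = image.find(head, start + len(head))
            else:
                end += len(foot)
                found.append((kind, start, image[start:end], False))
                start = image.find(head, end)
    return sorted(found, key=lambda f: f[1])

def keyword_search(image, keywords, context=24):
    """Case-insensitive search for each ASCII keyword, both as ASCII and as UTF-16LE
    (how many Windows artifacts store strings). Returns (keyword, encoding, offset,
    surrounding bytes) sorted by offset so hits can be reviewed in context."""
    lowered = image.lower()      # bytes.lower() only touches ASCII letters: offsets are preserved
    hits = []
    for kw in keywords:
        for enc, needle in (("ascii", kw.lower().encode("ascii")),
                            ("utf-16le", kw.lower().encode("utf-16-le"))):
            pos = lowered.find(needle)
            while pos != -1:
                lo, hi = max(0, pos - context), min(len(image), pos + len(needle) + context)
                hits.append((kw, enc, pos, image[lo:hi]))
                pos = lowered.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])

def _filler(n):
    """Deterministic pseudo-noise standing in for unallocated space (constructed)."""
    return bytes((i * 37 + 11) % 256 for i in range(n))

def build_sample_image():
    """Constructed raw image: a deleted JPEG, a deleted note (ASCII and UTF-16LE
    fragments) and a PNG whose tail was overwritten."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + _filler(200) + b"\xff\xd9"
    note = b"Wire the CONFIDENTIAL payment to account 9931 before the audit\n"
    note_utf16 = "Confidential".encode("utf-16-le")
    png_truncated = b"\x89PNG\r\n\x1a\n" + _filler(64)       # header present, no IEND chunk
    return (_filler(512) + jpeg + _filler(300) + note + _filler(128)
            + note_utf16 + _filler(96) + png_truncated)

if __name__ == "__main__":
    image = build_sample_image()
    for kind, offset, data, truncated in carve(image):
        print(f"{kind} at offset {offset}: {len(data)} bytes{' (truncated)' if truncated else ''}")
    for kw, enc, offset, ctx in keyword_search(image, ["confidential", "audit"]):
        print(f"{kw!r} as {enc} at offset {offset}: {ctx!r}")
```

The carver reports a header with no matching footer as truncated rather than dropping it, which is the case an analyst most needs to know about. The keyword search lowercases a copy of the image so that case-insensitive matches keep their original offsets, and it searches UTF-16LE as well as ASCII because that is how many Windows artifacts store strings.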

Digital Forensics Investigation Stage 4: Documentation
Post analysis, the findings of the investigation are properly documented in a way that makes it easy to visualize the entire investigative process and its conclusions. Proper documentation helps to formulate a timeline of the activities involved in wrongdoing, such as embezzlement, data leakage, or network breaches.


Digital Forensics Investigation Stage 5: Presentation
Once the investigation is complete, the findings are presented to a court or to the committee or group that will determine the outcome of a lawsuit or an internal complaint. Digital forensics investigators can act as expert witnesses, summarizing and presenting the evidence they discovered, and disclosing their findings.

Forensics and Social Networking Sites
Social networking sites are web-based services that allow individuals to:
 Create a public or semi-public profile
 Search or navigate through a list of users with whom they share a common connection
 View the connections of other users

Although social networking sites have their uses, there are several associated security threats. The concerns regarding social networking sites are:
 Whether the social networking site violates people's intellectual property rights
 Whether these sites infringe the privacy of their own users
 Whether these sites promote fraudulent and illegal activities

Content preservation can be challenging given the dynamic, short-lived and often multi-format nature of social media. There is generally no control over the content posted on social networking sites. A high level of forensic skill is required to analyze and quantify the preserved data to answer questions such as:
 Who posted the offending content?
 Is there a real, live person to whom the offending content can be attributed, even when evidence exists?
 Can we identify the time frame associated with the posting of the offending content?
 How much of the offending content exists across the entire social networking platform?
 Is there other content that supports interpretation of the relevant content?
 How accurate is the reported physical location?

Security issues that are associated with social networking sites are:
 Corporate espionage
 Cross-site scripting
 Viruses and worms
 Social networking site aggregators
 Phishing
 Network infiltration leading to data leakage
 Identity theft
 Cyberbullying
 Content-Based Image Retrieval (CBIR)
 Spam
 Stalking

Digital forensics techniques in social media networking are used to detect many types of cyber-crimes, such as (figure 1) [2]:
 Photo-morphing: attackers morph pictures of people and post them to pornographic websites, or use them to blackmail the victims into providing sexual or financial favors.
 Shopping scams: attackers post many fake retail ads on social networking sites, and when users click on these ads the cybercriminal obtains their personal information.
 Cyberbullying: the act of sending or posting obscene or embarrassing messages or material online, as well as making threats of violent action.
 Link baiting: scam artists offer the victim a link that plays on their emotional investment to increase the likelihood of exploitation. When the link is opened, it takes the user to a bogus landing page that asks them to enter their account credentials, and through this fake page the attackers steal the user's credentials.
