Detail publikace

Netfox Detective: A tool for advanced network forensics analysis

PLUSKAL Jan, MATOUŠEK Petr, RYŠAVÝ Ondřej, KMEŤ Martin, VESELÝ Vladimír, KARPÍŠEK Filip a VYMLÁTIL Martin. Netfox Detective: A tool for advanced network forensics analysis. In: Proceedings of Security and Protection of Information (SPI) 2015. Brno: Univerzita Obrany, 2015, s. 147-163. ISBN 978-80-7231-997-8.
Název česky
Netfox Detective: Nástroj pro síťovou forenzní analýzu
Typ
článek ve sborníku konference
Jazyk
angličtina
Autoři
Pluskal Jan, Ing., Ph.D. (UIFS FIT VUT)
Matoušek Petr, doc. Ing., Ph.D., M.A. (UIFS FIT VUT)
Ryšavý Ondřej, doc. Ing., Ph.D. (UIFS FIT VUT)
Kmeť Martin, Ing. (UIFS FIT VUT)
Veselý Vladimír, Ing., Ph.D. (UIFS FIT VUT)
Karpíšek Filip, Ing. (UIFS FIT VUT)
Vymlátil Martin, Ing. (FIT VUT)
Klíčová slova

síťová forenzní analýza, forenzní nástroj, analýza síťového provozu, webové emaily, SIP, RTP

Abstrakt

Network forensics is a process of capturing, collecting and analysing network data for the purposes of information gathering, legal evidence, or intrusion detection. The new generation internet opens novel opportunities for cybercrime activities and security incidents using network applications. Security administrators and LEA (Law Enforcement Agency) officers are challenged to employ advanced tools and techniques in order to detect unlawful or unauthorized activities. In case of serious suspicion of crime activity, network forensics tools and techniques are used to find out legal evidences in a captured network communication that prove or disprove suspects participation on that activity.
Today, there are various commercial or free tools for network forensics analysis available, e.g., Wireshark, Network Miner, NetWitness, Xplico, NetIntercept, or PacketScan. Many of these tools lack the ability of successful reconstruction of communication when using incomplete, duplicated or corrupted input data. Investigators also require an advanced automatic processing of application data that helps them to see real contents of conversation that include chats, VoIP talks, file transmission, email exchange etc.
Our research is focused on design and implementation of a modular framework for network forensics with advanced possibilities of application reconstruction. The proposed architecture consists of (i) input packet processing, (ii) an advanced reconstruction of L7 conversations, and (iii) application-based analysis and presentation of L7 conversations. Our approach employs various advanced reconstruction techniques and heuristics that enable to work even with corrupted or incomplete data, e.g. one-directional flows, missing synchronization, unbounded conversations, etc.
The proposed framework was implemented in a tool Netfox Detective developed by our research group. This paper shows its architecture from functional and logical point of view and its application on reconstruction of web mail traffic, VoIP and RTP transmissions. č

Rok
2015
Strany
147-163
Sborník
Proceedings of Security and Protection of Information (SPI) 2015
Konference
Security and Protection of Information 2015, Brno, CZ
ISBN
978-80-7231-997-8
Vydavatel
Univerzita Obrany
Místo
Brno, CZ
BibTeX
@INPROCEEDINGS{FITPUB10863,
   author = "Jan Pluskal and Petr Matou\v{s}ek and Ond\v{r}ej Ry\v{s}av\'{y} and Martin Kme\v{t} and Vladim\'{i}r Vesel\'{y} and Filip Karp\'{i}\v{s}ek and Martin Vyml\'{a}til",
   title = "Netfox Detective: A tool for advanced network forensics analysis",
   pages = "147--163",
   booktitle = "Proceedings of Security and Protection of Information (SPI) 2015",
   year = 2015,
   location = "Brno, CZ",
   publisher = "University of Defence in Brno",
   ISBN = "978-80-7231-997-8",
   language = "english",
   url = "https://www.fit.vut.cz/research/publication/10863"
}
Soubory
Nahoru