Network Forensic Evidence Acquisition (NFEA) with Packet Marking

Internet crimes such as DDoS attack have seriously affected the businesses that have dependencies on computer networks such as the Internet. However, TCP/IP based networks have no protection against malicious packet modifications and attackers do exploit such vulnerabilities to attack others as well as forging IP packets to hide source IP address of attack packets, hence attackers could hinder the efforts to identify the real origin of attacks using Firewall, Intrusion Detection System and other traffic capturing tools. Therefore, having ability to trace back to the origin of the attack becomes an important part of incident investigation. There are number of trace back schemes available but their effective tracking range is up to the very first edge routers or even worse, data used by such methods could be forged and/or tricked, hence use of existing methods are limited for crimes investigation. Network Forensic Evidence Acquisition (NFEA) scheme proposed in this paper is a new trace back scheme that offers improved effective tracking range with consideration for providing admissible evidence. NFEA guarantees authenticity and integrity of tracking data collected based on Authenticated Evidence Marking Scheme (AEMS). AEMS also improves effective tracking range by producing tracking data at edge-routers, which also helps to minimize loss in overall network performance. Effect on edge-routers´ performance is also guaranteed using Flow-based Selection Marking Scheme (FSMS). An implementation of NFEA has been evaluated and the result shows that NFEA is viable to deploy in real networks.