• DocumentCode
    263871
  • Title
    An evidential network forensics analysis model with adversarial capability and layering
  • Author
    Amran, Ahmad Roshidi ; Saad, Ahmed
  • Author_Institution
    British Malaysian Inst., Univ. Kuala Lumpur, Kuala Lumpur, Malaysia
  • fYear
    2014
  • fDate
    17-19 Jan. 2014
  • Firstpage
    1
  • Lastpage
    9
  • Abstract
    With increasing crimes and attacks being committed online by adversaries from remote sites, it is vital for law enforcement and public security that forensics investigation into the nature and source of these network attacks be effective and successful in bringing the criminals to justice. The network forensics investigation process is complex and processing-intensive, involving tasks such as sifting through network traffic and examining it for evidence, so it is desirable to approach this task systematically and efficiently with as much structure as is feasible. This paper proposes a model for network forensics analysis that captures appropriately defined adversarial capability and is structured by a layered approach to investigation. The former approach eliminates the need to presume on the adversary's behaviour and is independent of specific attack styles, and is thus generic; the latter approach facilitates a more network-intuitive and modular investigation process. We discuss the layered approach and propose the forensics model by defining adversarial capabilities and the experiment setting played between an adversary, a collection of node instances and a forensics analyst. We apply the model in our investigation against samples of captured traffic and show the feasibility of this model on two common network attack instances. Results of the evidence collected and the conclusions drawn confirm that analysis based on this model is done objectively, and that trustworthy evidence is successfully gathered and produced.
  • Keywords
    computer crime; computer network security; digital forensics; telecommunication traffic; evidential network forensics analysis model; forensics analyst; law enforcement; network attack instances; network forensics investigation process; network traffic; network-intuitive investigation process; online attacks; online crimes; public security; sifting; Servers; adversarial capability; evidence; layers; models; network forensics analysis;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Applications and Information Systems (WCCAIS), 2014 World Congress on
  • Conference_Location
    Hammamet
  • Print_ISBN
    978-1-4799-3350-1
  • Type
    conf
  • DOI
    10.1109/WCCAIS.2014.6916615
  • Filename
    6916615