
Research On Network Forensic Technology

Posted on: 2008-08-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y D Zhang
Full Text: PDF
GTID: 1118360272976749
Subject: Computer application technology

Abstract/Summary:
As an important branch of computer forensics, network forensics has attracted significant attention. Current research has focused on forensic architectures or on case studies of local problems, and despite this progress it still lacks a systematic theory and methodology. This dissertation combines intrusion detection and intrusion tolerance technology with network forensic technology and systematically studies the key technologies involved: the design of the network forensic architecture, anti-forensic technology, feature selection for forensic data, association analysis, cooperation forensics and data erasing. Solutions to these problems are proposed. The main contributions of this dissertation are summarized as follows:

Firstly, a classification of computer forensics is proposed. The dissertation systematically discusses the network forensic process, forensic analysis technology, system realization technology and the future development of computer forensics. A system design based on intrusion tolerance, network monitoring and related techniques is proposed and analyzed.

Secondly, anti-forensic technology is studied. The dissertation clearly defines the methodology and research area of computer anti-forensics. The main techniques of computer anti-forensics, including data erasing, data hiding, data encryption, data obfuscation and data transformation, are researched and compared. The research demonstrates that computer anti-forensics should be an important topic in forensic science research.

Thirdly, the feasibility of integrating an intrusion detection system with the network forensic system is discussed. Current network forensic systems have an important drawback: they operate on the assumption that the system is still in a reliable working state when an intrusion occurs, and so overlook the effect that the system's status has on the forensic investigation. The idea of including the system's operating status as forensic evidence is proposed for the first time. Combining intrusion detection technology with the intrusion tolerance system SITAR, a network forensic system with intrusion tolerance capability, called INFS, is designed. The dissertation analyzes its working principles, including the intrusion tolerance mechanism, the forensic control and secure transmission mechanism based on SMP, and the forensic agent and anti-trace agent mechanism, and discusses the forensic methods corresponding to each system status. INFS has five statuses: normal, susceptible to attack, attacked, function degradation and invalidation protection. This allows evidence collection to be adjusted to the degree of system compromise, which greatly reduces the evidence storage required. The forensic states also serve as an important indicator of the severity of unauthorized activity.

Fourthly, the dissertation studies how to discover electronic evidence in massive data flows. From the viewpoint of multivariate statistics, a feature extraction method for forensic data based on ANN-PCA is proposed. Through research on the classification of association rule mining, a new concept called extra association rule mining is defined, and association rules are classified into three categories: positive, negative and extra association rules. An algorithm for mining extra association rules, IFAAR, is also proposed. The algorithm does not generate frequent itemsets, so it performs association analysis on massive data efficiently; this extends the range of application of association rule mining.

Fifthly, a new concept called cooperation forensics is proposed. It is defined as finding causal relationships from all available resources of the target system by means of association, reasoning and analysis. This concept helps recreate crime scene activity and connect the chain of evidence. Through analysis of alert correlation technology, the latest development in intrusion detection, the CFA algorithm, which combines alert correlation, Bayesian network learning and probability function dependency, is proposed. CFA can analyze and correlate multiple data sources and recreate the crime scenario.

Finally, by studying the privacy protection and data erasing aspects of anti-forensic techniques, a new data erasing scheme called GRLL is proposed, based on the m-sequence theory of spread spectrum communication and the RLL code theory of disk coding. The scheme is used for data erasing after a forensic investigation. The GRLL scheme is widely applicable, fast and secure.
Keywords/Search Tags: Network Forensic, Anti-Forensic, Intrusion Tolerance, Association Rules, Principal Component Analysis, Bayesian Network, Probability Function Dependency, m Sequence