
Research On Data-Stream Reassembling Technology In High-Speed Network Forensics

Posted on: 2009-03-20
Degree: Master
Type: Thesis
Country: China
Candidate: H Zhang
GTID: 2178360278964139
Subject: Computer system architecture
Abstract/Summary:
As network bandwidth increases and high-speed LANs (local area networks) become widespread, existing network forensics systems may lose information because they lack sufficient data capture and analysis capacity. This weakens the persuasiveness and force of the evidence. In-depth study of network forensics technologies, aimed at designing and developing an HNFS (high-speed network real-time forensics system), is therefore of great significance for enhancing network protection capability and combating cyber-crime.

Key technologies for high-speed network forensics, including network forensics modules, data packet capture and load balancing, are discussed. In line with the needs of high-speed networks, the overall structure of the system, both logical and physical, is described. An architecture that builds on existing forensic models is designed, and the division of the system into modules is discussed. A stream-based load-balancing strategy is designed after analyzing existing load-balancing strategies.

To address existing problems in network forensics, the data-stream reassembling algorithm is discussed with a focus on improving reassembly performance. Based on an analysis of the characteristics of TCP (Transmission Control Protocol) streams, three strategies are discussed to ensure the performance of the reassembling algorithm: a buffer mechanism for connection building, integration of memory cache and file cache, and connection-recently-accessed-first. Combining the merits of the hash table and the splay tree, Hash-Splay is proposed, based on an analysis of several search algorithms, to improve performance and ensure the real-time property of the stream reassembling algorithm.

On the basis of the HNFS architecture design, the implementation of some key technologies for data-stream reassembling is presented. Through experimental tests, the search algorithms are compared in terms of search time, stream-reassembling rate and lossless rate. Simulation tests and practical application indicate that the data-stream reassembling algorithm designed here meets the application requirements of high-speed networks with high performance and has practical value.
Keywords/Search Tags: Network Forensics, High-Speed Network, Search Algorithm, Load Balancing, Data-Stream Reassembling