DSpace Repository

IDENTIFICATION OF SOURCE MACHINE USING ATTRIBUTION BY NETWORK FORENSIC CAPTURING

dc.contributor.author Shukla, Sanjeev
dc.date.accessioned 2014-11-29T06:18:38Z
dc.date.available 2014-11-29T06:18:38Z
dc.date.issued 2009
dc.identifier M.Tech en_US
dc.identifier.uri http://hdl.handle.net/123456789/12093
dc.guide Joshi, R. C.
dc.description.abstract Networks have been an essential part of our information infrastructure, which enables us to perform various critical operations. The vast amount of data traveling across them is a potential source that can be examined and investigated to find crucial evidence of e-crimes. Network forensics is an investigation technique that looks at network traffic to find substantial evidence in support of dubious incidents. The work presented here takes up the specific problem of identifying the source machine after network address translation has been performed. Network address translation (NAT) is the process of modifying network address information in datagram packet headers while in transit across a traffic routing device for the purpose of remapping a given address space into another. This poses a great challenge for forensic analysis because it is difficult to attribute observed traffic to discrete hosts. The algorithm developed relies on a combination of a number of unique characteristics (attributes) specific to a source, offered by each layer of the OSI model, allowing identification of source machines. The attribution method used is much better than other approaches such as IP Traceback, where IP is at the epicenter of all the processes. Here identification does not take IP into consideration, and hence it is possible for addresses to change dynamically (by using DHCP) without affecting the algorithm. The program developed follows the process framework of forensic analysis. In a step-by-step process it captures the network traffic, which is then segregated to extract relevant information pertaining to the event concerned. It is then analyzed using the attribution algorithm to find the source of each packet stream, and the results are displayed in graphical form, which is easy to represent and understand. en_US
dc.language.iso en en_US
dc.subject ELECTRONICS AND COMPUTER ENGINEERING en_US
dc.subject SOURCE MACHINE en_US
dc.subject NETWORK FORENSIC en_US
dc.subject ATTRIBUTION en_US
dc.title IDENTIFICATION OF SOURCE MACHINE USING ATTRIBUTION BY NETWORK FORENSIC CAPTURING en_US
dc.type M.Tech Dissertation en_US
dc.accession.number G14634 en_US

