recent trends and challenges of network … · recent trends and challenges of network forensic...

7
International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-3, Issue-12, Dec.-2015 Recent Trends And Challenges Of Network Forensic Frameworks And Process Models 47 RECENT TRENDS AND CHALLENGES OF NETWORK FORENSIC FRAMEWORKS AND PROCESS MODELS 1 NISHIKANT R. KHAIRE, 2 RAJIV V. DHARASKAR, 3 VILAS M. THAKARE 1 Research Scholar, S.G.B. Amaravati University, Amaravati, India 2 Former Director, Disha Education Society (DIMAT), Raipur, India 3 Professor and Head, SGB Amravati University, Amravati, India E-mail: 1 [email protected] Abstract- Network forensics is a very dynamic and well researched domain of digital forensics. New devices such as mobile phones, smart TVs, gamming consoles are added to the network, and so are the varied applications running on them. Technology, protocols these devices use are diverge and so are the malicious activities and crime related to them. This diversity, complexity and intelligent criminal brains offers tough challenge to the researchers of this domain. In such a fast changing scenarios and technological advancement it is very crucial for the researchers to stay current and to be verse with the future direction of research. This paper explores the efforts made by the domain researchers and understand the challenges offered by network forensics and the road ahead. Keywords- Network Forensics; NFATS; Network Forensics Process Model; Network Forensics Analysis; Digital Forensics. I. INTRODUCTION Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media. Network forensics is a subfield of computer forensics. Network forensics is basically about monitoring, capturing, analysing the network traffic and investigating the security policy violations [1]. Introduction of new applications (P2P data transfer, Internet chat [2], cloud storage for personal and business information etc.) and devices ( smart TVs, gamming console etc.) in a network domain and so the nature of malicious, criminal activities related to them [37] have posed new challenges to the network forensics researchers. Network forensics tools gathers information related to the activities perform by the applications and on the devices. By analysing this information attack scenarios and traces of malicious act are to be found out. The information gathered from systems or digital sources is used to: 1. provide conclusive descriptions regarding the exploited security weaknesses and design mistakes, the generated system damages, the real source and identities of attackers in the network, and the details of steps executed by the occurred attack scenario; 2. build irrefutable proofs from the collected information to convict attackers who committed the attack for their malice; 3. study the attackers’ trends and motives and take the accurate security measures to prevent the identified attack scenarios from succeeding in the future. Purpose 1 and 3 defines the ‘General Network Forensics’ and forensics aim at purpose 2 is called as ‘Strict Network Forensics’. Computer forensics must be practiced responsibly otherwise, there is a risk of destroying vital evidences or forensic evidence ruled inadmissible in the court of law. Therefore digital/network forensic researchers have put forward the precise process models to carry out the forensics procedure. Also exponentially increasing quantum of data to be analysed in search of the evidences, force the researchers to discover the techniques to automate the analysis process and design the supporting tools. Study presented in this paper review the current network forensics process models and existing acquired-information analysis techniques and also enlist the future research trend. The paper is structured as follows. Section 2 presents literature review of various network forensics process models. In section 3, techniques to automate the process of network forensics are discussed. Section 4 talks about network forensics research challenges. Section 5 concludes the paper. II. NETWORK FORENSICS PROCESS MODELS Digital forensics is a multi-stage process and every stage is very precisely calibrated so that evidence collection and processing methodology must ensure the reliability and admissibility of the evidence in court of law. As we moved on from standalone computers to network and mobile in home and business our computer forensics process has enhanced to accommodate the transition. The first attempt to apply digital forensic science to networked environments was taken up as one of the objectives in the first Digital Forensic Research Workshop (DFRWS) (Palmer, 2001) and a framework was proposed. The framework includes the following

Upload: tranque

Post on 19-Jul-2018

218 views

Category:

Documents


0 download

TRANSCRIPT

International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-3, Issue-12, Dec.-2015

Recent Trends And Challenges Of Network Forensic Frameworks And Process Models

47

RECENT TRENDS AND CHALLENGES OF NETWORK FORENSIC FRAMEWORKS AND PROCESS MODELS

1NISHIKANT R. KHAIRE, 2RAJIV V. DHARASKAR, 3VILAS M. THAKARE

1Research Scholar, S.G.B. Amaravati University, Amaravati, India

2Former Director, Disha Education Society (DIMAT), Raipur, India

3Professor and Head, SGB Amravati University, Amravati, India

E-mail: [email protected]

Abstract- Network forensics is a very dynamic and well researched domain of digital forensics. New devices such as mobile phones, smart TVs, gamming consoles are added to the network, and so are the varied applications running on them. Technology, protocols these devices use are diverge and so are the malicious activities and crime related to them. This diversity, complexity and intelligent criminal brains offers tough challenge to the researchers of this domain. In such a fast changing scenarios and technological advancement it is very crucial for the researchers to stay current and to be verse with the future direction of research. This paper explores the efforts made by the domain researchers and understand the challenges offered by network forensics and the road ahead. Keywords- Network Forensics; NFATS; Network Forensics Process Model; Network Forensics Analysis; Digital Forensics. I. INTRODUCTION Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media. Network forensics is a subfield of computer forensics. Network forensics is basically about monitoring, capturing, analysing the network traffic and investigating the security policy violations [1]. Introduction of new applications (P2P data transfer, Internet chat [2], cloud storage for personal and business information etc.) and devices ( smart TVs, gamming console etc.) in a network domain and so the nature of malicious, criminal activities related to them [37] have posed new challenges to the network forensics researchers. Network forensics tools gathers information related to the activities perform by the applications and on the devices. By analysing this information attack scenarios and traces of malicious act are to be found out. The information gathered from systems or digital sources is used to:

1. provide conclusive descriptions regarding the exploited security weaknesses and design mistakes, the generated system damages, the real source and identities of attackers in the network, and the details of steps executed by the occurred attack scenario;

2. build irrefutable proofs from the collected information to convict attackers who committed the attack for their malice;

3. study the attackers’ trends and motives and take the accurate security measures to prevent the identified attack scenarios from succeeding in the future.

Purpose 1 and 3 defines the ‘General Network Forensics’ and forensics aim at purpose 2 is called as ‘Strict Network Forensics’. Computer forensics must be practiced responsibly otherwise, there is a risk of destroying vital evidences or forensic evidence ruled inadmissible in the court of law. Therefore digital/network forensic researchers have put forward the precise process models to carry out the forensics procedure. Also exponentially increasing quantum of data to be analysed in search of the evidences, force the researchers to discover the techniques to automate the analysis process and design the supporting tools. Study presented in this paper review the current network forensics process models and existing acquired-information analysis techniques and also enlist the future research trend. The paper is structured as follows. Section 2 presents literature review of various network forensics process models. In section 3, techniques to automate the process of network forensics are discussed. Section 4 talks about network forensics research challenges. Section 5 concludes the paper. II. NETWORK FORENSICS PROCESS MODELS Digital forensics is a multi-stage process and every stage is very precisely calibrated so that evidence collection and processing methodology must ensure the reliability and admissibility of the evidence in court of law. As we moved on from standalone computers to network and mobile in home and business our computer forensics process has enhanced to accommodate the transition. The first attempt to apply digital forensic science to networked environments was taken up as one of the objectives in the first Digital Forensic Research Workshop (DFRWS) (Palmer, 2001) and a framework was proposed. The framework includes the following

International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-3, Issue-12, Dec.-2015

Recent Trends And Challenges Of Network Forensic Frameworks And Process Models

48

stages: identification, preservation, collection, examination, analysis, presentation, and decision.

Table 1. Summarizes and compares network forensics process models proposed by numerous researchers.

Table 1. Various Network Forensic Process Models

International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-3, Issue-12, Dec.-2015

Recent Trends And Challenges Of Network Forensic Frameworks And Process Models

49

III. NETWORK FORENSICS FRAMEWORKS TCP/IP protocol suite is a the-facto standard for Internet communication. A very primary information source on the network is a TCP/IP packet. By capturing and analyzing packet(s), anomalies in user activities on the network can be discovered. Intrusion detection systems (IDS) generate alerts for the malicious activity based on the packet analysis and thus these alerts are the primary indicators of anomalous activities on the network and is taken as

one of the inputs to the network forensic system. These alerts are to be aggregated into hyperalerts by removing the redundant and false positive alerts. Correlation techniques are applied to group these hyperalrts for discovery of an individual malicious activity. Attack scenarios are created by correlating malicious activities. The visualization techniques and query-reply system facilitates investigators interaction with the system. Important frameworks are reviewed below.

International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-3, Issue-12, Dec.-2015

Recent Trends And Challenges Of Network Forensic Frameworks And Process Models

50

Attack events are logged in clients, distributed across the network at various locations. There is a need to collect these logs, fuse them and analyse on a central server. Client are spread over the network thus the distributed system based network forensic frameworks. ForNet, [22] a distributed network logging mechanism to aid digital forensics over wide area networks. ForNet has two functional components- SynApp and Forensic server. SynApp collects and stores network events and a Forensic Server, which is a centralized authority for a domain that manages a set of SynApps in that domain. A forensic server, in co-operation with SynApps receives queries from outside its domain and returns results back to the senders after authentication and certification. ForNet can identify network events like TCP connection establishment, port scanning, connection record details and uses bloom filters to track other events. Ren proposed a client-server architecture based reference model for distributed network forensics system [23]. The server captures network traffic, builds mapping topology database, filters, dumps and transforms the network traffic stream into database values, mines forensic database, and replays network behaviour. It also does network surveying, attack statistic analysis and visualization. The distributed agent clients integrate data from firewall, IDS, Honeynet and remote traffic. The goal of this model is dumping misbehaviour packets based on adaptive filter rules, analysing the overall cooperative database to discover the potential misbehaviour, and replaying the misbehaviour for forensic analysis. It can discover the profile of the attacker and obtain clues for further investigation. Ren and Jin further extended their previous model as distributed agent-based real-time network intrusion forensics system [24]. The goals of this framework include log system information gathering, adaptive capture of network traffic, active response for investigational forensics, integration of forensics data and storing the historical network misuse pattern. The four elements in the system are network forensics server, network forensics-agents, network monitor, and network investigator. Network forensic agents are engines of the data gathering, data extraction and data secure transportation. Network monitor is a packet capture machine which adaptively captures the network traffic. Network investigator is the network survey machine. Network forensics server integrates the forensics data, analyses it and launches an investigation program on the network investigator. The model can expedite the investigation of an incident and improve the ability of emergence response. Tang and Daniels proposed a simple framework for distributed forensics [25]. It is based on distributed

techniques providing an integrated platform for automatic evidence collection and efficient data storage, easy integration of known attribution methods and an attack attribution graph generation mechanism. The model is based on proxy and agent architecture. Agents collect, store, reduce, process and analyse data. Proxies generate the attack attribution graph and perform stepping stone analysis. This model aims at providing a method to collect, store and analyse forensic information. Wang et. al. developed a dynamical network forensics (DNF) model based on the artificial immune theory and the multi-agent theory [26]. The system provides a real-time method to collect and store data logs simultaneously, provide automatic evidence collection and quick response to network criminals. The system includes a Forensic Server and three agents namely Detector-Agent, Forensics-Agent and Response-Agent. The Detector-Agent captures real-time network data, matches it with intrusion behaviour and sends a forensics request message to the Forensics-Agent. The Forensics-Agent collects the digital evidence, creates a digital signature using a hash function and transmits the evidence to the Forensic Server. The Forensic Server analyses evidence and replays the attack procedure. Soft computing techniques have been used for analyse of the captured data and classify the attack data. Neural network and Fuzzy tools are used for validation of attack occurrence. Fuzzy logic based expert system for network forensics is proposed by [27]. The system can analyse computer crime in networked environments and make digital evidences automatically. It can provide analysed information for a forensic expert and reduce the time and cost of forensic analysis. The framework consists of six components. Traffic analyser captures network traffic and analyses it using sessionizing. Knowledge base stores rules which are used by the fuzzy inference engine. The rules are written for various attacks using linguistic variables and terms. Membership functions are defined for each fuzzy set and a crisp value of degree of membership is determined. Each input variables crisp value is first fuzzified into linguistic values. Fuzzy inference engine derives output linguistic values using aggregation and composition. Defuzzification defuzzifies the output values into crisp values and the forensic analyser decides whether the captured packets indicate an attack. Zhang et. al. propose network forensic computing based on Artificial Neural Network and Principal Component Analysis (ANN–PCA) [28]. Extraction of key features reduces storage by correlating the features with attacks. ANN–PCA techniques are used to identify all possible violations, extract features and build signatures for new attacks. Classification is done using FAAR algorithm to mine association rules

International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-3, Issue-12, Dec.-2015

Recent Trends And Challenges Of Network Forensic Frameworks And Process Models

51

and calculate the PCA values. Classification accuracy increases and information storage size decreases after feature extraction is performed using ANN–PCA. Neurofuzzy Techniques [29] have been used to address the challenges of enormous data to be logged and analysed for network forensic computing. The Neurofuzzy solution is based on Artificial Neural Network (ANN) and fuzzy logic and is used for evidence differentiation into normal and abnormal flows. ANNs are used in information processing to learn from the data and generalize a solution. Fuzzy logic is used to generate a grade of membership to different behaviours so that attacks are determined. Hierarchical clustering and soft computing techniques are applied for multistep attack detection and attack scenario creation [30]. Low level alerts from IDS are clustered to get hyperalerts using hierarchical clustering techniques. Pseudo Bayesian probability and self-organising map calculates the alert correlation index and dynamic threshold is used to construct alert correlation graph. By looking at these correlation graphs, an investigator can quickly identify the relationships that link together seemingly uncorrelated intrusion alerts, and can easily recognize complex attack strategies and identify their final targets. Automated analysis of network based evidence in response to cyberspace attacks is proposed in [31]. The two major challenges of network forensics, namely ‘complexity’ problem of analysing raw traffic data and ‘quantity’ problem of amount of data to analyse are addressed in his solution. The model integrates results of data logged by various tools into a single system that exploits computational intelligence to reduce human intervention. This integrated tool is referred as ‘automated network forensic’ tool. An isolated network of virtual machines is built into a Honeynet. Open source forensic tools are used for collecting data. The information produced by various tools in one stage is characterized and transformed for use by other tools in the succeeding stages. Time consuming and error prone processes are identified and automated. The data sets are partitioned, system is trained and then tested. Honeynets meet the expectations of forensic analysers but they cannot be used for investigative purposes as evidence generated is not valid in legal system. Wang and Daniels developed a graph-based approach toward network forensics analysis [32]. An evidence graph model facilitates evidence presentation and automated reasoning. The basic architecture consist of six modules: evidence collection module collecting digital evidence from heterogeneous sensors deployed, evidence pre-processing module transforms evidence into standardized format, attack knowledge base provides knowledge of known exploits, assets

knowledge base provides knowledge of the networks and hosts under investigation, evidence graph manipulation module generates the evidence graph and attack reasoning module performs semi-automated reasoning based on the evidence graph and the attack scenario is created. Rekhis develop a system for Digital Forensic in Networking (DigForNet) which is useful to analyse security incidents and explain steps taken by the attackers [33]. DigForNet uses the expertise of intrusion response teams and formal reasoning tools (I-TLA and I-TLC) to reconstruct potential attack scenarios. They integrate analysis performed by the IRT on a compromised system through the use of Incident Response Probabilistic Cognitive Maps (IRPCMs). They provide a formal method framework to identify potential attack scenarios using Investigation-based Temporal Logic of Actions (I-TLA). They generate executable potential attack scenarios and show progress of the attack using Investigation based Temporal Logic Model Checker (I-TLC), automatic verification tool. Unknown attacks are handled by generating hypothetical actions. Performance of all these framework is directly related to the performance of the IDS. Therefore further efforts have been put to abstract the user level activity from the TCP/IP level on the network [34]. A network forensics framework based on such technique is proposed by Joy et. al. [35]. Raftopoulos et. al. developed 138 good IDS (SNORT) signatures to improve the detection rate of the IDS and in addition, utilizes information of blacklisted host and google search tags [36]. IV. RESEARCH CHALLENGES Advances in digital technology and relatively gradual progress in network forensics posed new challenges to the researchers: An essential aim for a forensic investigator is to

determine how a crime was undertaken – in order to identify the actors involved, how the crime unfolded and to develop a chronology of the incident. The tools developed are for the investigator. The information provided by the tools has to be at very abstract level leaving behind the technical intricacies.

Once an attack has been detected, the volume of data involved makes forensic analysis a challenging task.[31]

The Complexity Problem in Network forensics is that acquired data are typically at the lowest and most raw format, which is often too difficult for humans to understand.

The Quantity Problem in Network Forensics is that the amount of data to be analysed can be very large.[31]

International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-3, Issue-12, Dec.-2015

Recent Trends And Challenges Of Network Forensic Frameworks And Process Models

52

CONCLUSIONS Applications of the digital devices are diverse in nature and their use for malicious and criminal activities is growing exponentially. Monitoring and securing traces of such activities on the device is not reliable. New techniques are to be researched to determine user activity on network level. New digital devices such as smart televisions, play stations are introduces on the network whose functionalities are diverse and protocol used are different. Network forensics process models and corresponding frameworks are to be developed to accommodate these latest devices. Existing forensics technology is to be made more efficient and sophisticated to meet the current technological challenges. REFERENCES

[1] Gary, P. (2001) “A Road Map for Digital Forensic

Research”, Technical Report DTRT0010-01, DFRWS, November 2001.

[2] Nirkhi, S.M.; Dharaskar, R.V.; Thakre, V.M., "Analysis of online messages for identity tracing in cybercrime investigation," in Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2012 International Conference on , June 2012 pp.300-305.

[3] Pilli, E.S., R.C. Joshi, and R. Niyogi, Network forensic frameworks: Survey and research challenges. Digital Investigation, 2010. 7(1-2): p. 14-27.

[4] Alharbi, S., et al., The Proactive and Reactive Digital Forensics Investigation Process: A Systematic Literature Review Information Security and Assurance, 2011, Springer Berlin Heidelberg. p. 87-100.

[5] Grobler, C.P., C.P. Louwrens, and S.H. von Solms. A Multi-component View of Digital Forensics. in Availability, Reliability, and Security, 2010. ARES '10 International Conference on. 2010.

[6] Reith M, C.C., Gunsch G An Examination of Digital Forensic Models. International Journal of Digital Evidence, 2002. 1(3): p. 12.

[7] Carrier, B. and E.H. Spafford, Getting Physical with the Digital Investigation Process. International Journal of Digital Evidence, 2003. 2(2): p. 20.

[8] Stephenson, P., A COMPREHENSIVE APPROACH TO DIGITAL INCIDENT INVESTIGATION, in Information Security Technical Report, E.A. Technology, Editor 2003. p. 42-54.

[9] Mandia, K. and C. Prosise, Incident response and computer forensics. 2 ed2003, New York: McGraw-Hill/Osborne. 507.

[10] Baryamureeba, V. and F. Tushabe. The Enhanced Digital Investigation Process Model. in Proceeding of Digital Forensic Research Workshop. 2004. Baltimore, MD.

[11] Carrier, B.D. and E.H. Spafford, An event-based digital forensic investigation framework, in Proceeding of the 4th Digital Forensic Research Workshop DFRWS20042004. p. 11-13.

[12] Rogers, M.K., et al., Computer Forensics Field Triage Process Model. Journal of Digital Forensics, Security and Law, Vol. 1(2), 2006. 1(2): p. 19-37.

[13] Ciardhuáin, S.Ó., An Extended Model of Cybercrime Investigations. International Journal of Digital Evidence, 2004. 3(1): p. 1-22.

[14] Beebe, N.L. and J.G. Clark, A hierarchical, objectives-based framework for the digital investigations process. Digital Investigation, 2005. 2(2): p. 147-167.

[15] Wei, R. and J. Hai. Modeling the network forensics behaviors. in Security and Privacy for Emerging Areas in

Communication Networks, 2005. Workshop of the 1st International Conference on. 2005.

[16] Kohn, M., J. Eloff, and M. Olivier, Framework for a digital forensic investigation, in Proceedings of Information Security South Africa (ISSA) 2006 from Insight to Foresight Conference2006.

[17] Kent, K., et al., Guide to Integrating Forensic Techniques into Incident Response, 2006: . p. 1-121.

[18] Ricci S.C, I., FORZA - Digital forensics investigation framework that incorporate legal issues. Digital Investigation, 2006. 3, Supplement (0): p. 29-36.

[19] Khatir, M., S.M. Hejazi, and E. Sneiders. Two-Dimensional Evidence Reliability Amplification Process Model for Digital Forensics. in Digital Forensics and Incident Analysis, 2008. WDFIA '08. Third International Annual Workshop on. 2008.

[20] Freiling, F.C. and B. Schwittay. A Common Process Model for Incident Response and Computer Forensics. in Proceedings of Conference on IT Incident Management and IT Forensics. 2007. Germany.

[21] Yong-Dal, S. New Digital Forensics Investigation Procedure Model. in Networked Computing and Advanced Information Management, 2008. NCM '08. Fourth International Conference on. 2008.

[22] Shanmugasundaram K, Memon N, Savant A, Bronnimann H. ForNet: a distributed forensics network. In: Proceedings of the second international workshop on mathematical methods models and architectures for computer networks security (MMM–ACNS 2003), LNCS 2776. Springer; 2003. p.1–16.

[23] Ren W. On the reference model of distributed cooperative network forensics system. In: Proceedings of the sixth international conference on information integration and webbased application & services (iiWAS2004), Jakarta, Indonesia; 2004a, p. 771–5.

[24] Ren W, Jin H. Distributed agent-based real time network intrusion forensics system architecture design. In: Proceedings of the IEEE 19th international conference on advanced information networking applications (AINA 2005), p. 177–82.

[25] Tang Y, Daniels TE. A simple framework for distributed forensics. In: Proceedings of the 25th IEEE international conference on distributed computing systems (ICDCS 2005); June 2005, p.163–9.

[26] Wang D, Li T, Liu S, Zhang J, Liu C. Dynamical network forensics based on immune agent. In: Proceedings of the international conference on natural computation (ICNC 2007), vol. 3; Aug. 2007. 651–656.

[27] Kim J, Kim M, Noh BN. A fuzzy expert system for network forensics. In: Proceedings of the international conference on computational science applications (ICCSA 2004), LNCS 3043. Springer; 2004. p. 175–82.

[28] Zhang Y, Ren Y, Wang J, Fang L. Network forensic computing based on ANN–PCA. In: Proceedings of the international conference on computational intelligence and security workshops (CISW 2007); 2007, p. 942–5.

[29] Anaya EA, Nakano-Miyatake M, Meana HMP. Network forensics with neurofuzzy techniques. In: Proceedings of the 52nd IEEE international Midwest symposium on circuits and systems (MWSCAS 2009); 2–5 Aug. 2009, p. 848–52.

[30] Marchetti, M., Colajanni, M., & Manganiello, F. Framework and Models for Multistep Attack Detection. International Journal of Security and Its Applications, Oct. 2011. 5(4), 73-90.

[31] Merkle LD. Automated network forensics. In: Proceedings of the conference on genetic and evolutionary computation (GECCO 2008); 2008, p. 1929–32

[32] Wang W, Daniels TE. A graph based approach towards network forensics analysis. ACM Transactions on Information and System Security (TISSEC) Oct. 2008; 12(1).

[33] Rekhis S, Krichene J, Boudriga N. DigForNet: digital forensic in networking. In: Proceedings of the IFIP TC-11

International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-3, Issue-12, Dec.-2015

Recent Trends And Challenges Of Network Forensic Frameworks And Process Models

53

23rd international information security conference, IFIP, vol. 278. Springer; Sept. 2008. 637–651.

[34] Gugelmann, D., Gasser, F., Ager, B., & Lenders, V. (2015). Hviz: HTTP (S) traffic aggregation and visualization for network forensics. Digital Investigation, 12, S1-S11.

[35] Joy, D., Li, F., & Furnell, S. M. A user-oriented network forensic analyser: The design of a high-level protocol analyser.2014.

[36] Raftopoulos, E., & Dimitropoulos, X. Understanding network forensics analysis in an operational environment. In Security and Privacy Workshops (SPW), May 2013 IEEE; p. 111-118. IEEE.

[37] Ahmed, R., & Dharaskar, R. V. (2012, March). Study of mobile botnets: An analysis from the perspective of efficient generalized forensics framework for mobile devices. In IJCA Proceedings on National Conference on Innovative Paradigms in Engineering and Technology (NCIPET 2012) ncipet (15) (pp. 5-8).