Design and Implementation of Computer and Network Forensics Framework

dc.contributor.author: Chhabra, Gurpal Singh
dc.contributor.supervisor: Singh, Maninder
dc.contributor.supervisor: Singh, Varinder Pal
dc.date.accessioned: 2019-07-10T08:08:13Z
dc.date.available: 2019-07-10T08:08:13Z
dc.date.issued: 2019-07-10
dc.description: Doctor of Philosophy - CSE
dc.description.abstract: With an exponential increase in the size and complexity of the data on seized items under investigation, existing methods of network and computer forensics are not efficient in terms of accuracy and detection ratio. By the time a well-established forensic technique has been developed to handle a given security threat, far more sophisticated attacks are already striking the network. Traditional Intrusion Detection Systems (IDS) and the forensic techniques used to detect and prevent malicious network behaviour fail to handle new or zero-day attacks. The accuracy of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) is questionable, so their output cannot be trusted for forensics. Another important drawback of the existing techniques is their inability to handle a high velocity and huge volume of heterogeneous data. The cyber forensic investigation mechanism is volume-constrained when processing the fast-growing data from Information and Communication Technology (ICT) infrastructure, including IoT-based devices and platforms. Non-tangible sources, especially communication media, often place no limit on the data flowing through them, which makes an efficient benchmark for big data analysis an urgent requirement. Existing techniques exhibit inherent limitations in processing a huge volume, variety and velocity of data, making the process time-consuming and resource-intensive. Solutions available to date have used an anomaly-based approach or have proposed approaches based on deviation from a regular pattern. To tackle the seized bytes, the authors propose an approach for big data forensics with efficient sensitivity and precision. To maintain a balance between processing time and output efficiency, existing techniques put a limit on the amount of data under analysis, which results in a non-polynomial time complexity for these solutions.
In this thesis, a scalable, practical framework is proposed to overcome the limitations in handling a large volume, variety and velocity of data. The proposed architectural setup consists of the MapReduce framework on top of the Hadoop Distributed File System environment. The proposed framework demonstrates its capability to handle the storage and processing of big data using cloud computing infrastructure. In the presented work, a generalized forensic framework is proposed that uses Google's programming model, MapReduce, as the backbone for traffic translation, extraction and analysis of dynamic traffic features. For the proposed technique, the authors have used open source tools such as Hadoop, Hive, Mahout and R; apart from being open source, these tools support scalability and parallel processing. A comparative analysis of globally accepted machine learning models for P2P malware analysis in mocked real time is also presented. A supervised machine learning algorithm (Random Forest based Decision Tree) has been implemented to demonstrate better sensitivity and specificity. For training and validating the model, the CAIDA dataset [1] together with university network traffic samples from GitHub [2], of increasing size, have been used. The results obtained confirm the superiority of the proposed framework, with an accuracy of 99%. Because of the nature of the data dealt with and experimented on, this thesis refers to computer and network forensics collectively as cyber forensics.
dc.identifier.uri: http://hdl.handle.net/10266/5506
dc.language.iso: en
dc.publisher: TIET
dc.subject: Cyber Forensics
dc.subject: Big Data Forensics
dc.subject: Computer Forensics
dc.subject: Network Forensics
dc.title: Design and Implementation of Computer and Network Forensics Framework
dc.type: Thesis

Files

Original bundle

Name: Gurpal_Singh_Chhabra_951103007_PhD_Thesis.pdf
Size: 5.25 MB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 2.03 KB
Format: Item-specific license agreed upon to submission